From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Urgent Action Needed to Address the Threats to Federal
Information Technology Supply Chains

Description: The federal government relies heavily on information and
communication technology products and services to carry out day-to-day
operations. This dependency has increased the complexity, diversity, and
scale of the government supply chains--that is, the public and private
partnerships that make, implement, or use communication technology
solutions. However, in September of 2019, the Department of Homeland
Security reported about 180 different threats to the supply chain. We
talk with GAO's Carol Harris to find out more.

Related GAO Work: GAO-21-171, Information Technology: Federal Agencies
Need to Take Urgent Action to Manage Supply Chain Risks

Released: December 2020

[Intro Music]

[Carol Harris:] The threats are increasing, and the supply chains are
becoming increasingly complex. 

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report, your source for
news and information from the U.S. Government Accountability Office. I'm
Holly Hobbs. The federal government relies heavily on information and
communication technology products and services to carry out day-to-day
operations. This dependency has increased the complexity, diversity, and
scale of the government supply chains. That is, the public and private
partnerships that make, implement, or use communication technology
solutions. However, in September of 2019, the Department of Homeland
Security reported about 180 different threats to the supply chain. Today
we talk with Carol Harris--an expert on federal IT operations, and a
director in our Information Technology and Cybersecurity Team--about a
new report on the federal government's response to these threats. Thank
you for joining me, Carol. 

[Carol Harris:] Glad to be here, Holly. Thanks. 

[Holly Hobbs:] So, Carol can you give us some examples of the kind of
threats that were identified by the Department of Homeland Security? 

[Carol Harris:] These examples of threats include things like the
insertion of counterfeit, unauthorized production and tampering to name
a few. Counterfeiters like to insert malicious logic or backdoors into
replicas, or copies, that would be far more difficult to do in a secure
manufacturing facility. So, like, as an example, a U.S. citizen imported
and resold thousands of counterfeit integrated circuits from China and
Hong Kong to customers that included contractors for the DoD, and these
contractors were supplying the circuits for the U.S. Navy for use in
nuclear submarines. We have this vulnerability in our information and
communications technology supply chain, and they can be easily
infiltrated and why risk management's so important. 

[Holly Hobbs:] And what's the strategy for addressing these threats? 

[Carol Harris:] The supply chain risk management is a process where
agencies are expected to evaluate and mitigate the risks associated with
the global IT product and service supply chain that they have. They are
responsible for implementing 7 foundational practices that were
developed by NIST. Tnd these practices include things like developing an
agencywide risk management strategy, developing organizational
requirements for suppliers, procedures for detecting counterfeit and
compromised products, things like that. And the President's Budget for
FY2021 includes at least $18.8 billion for cybersecurity funding, which
supports the protection of our federal information systems. And so, when
we talk about what agencies can do, it's really focused on implementing
these 7 practices. 

[Holly Hobbs:] Do we know how that $18.8 billion is going to be spent? 

[Carol Harris:] It's the general bucket related to cybersecurity
funding. We don't have the breakout of that. We just know that it's a
major part of how agencies are expected to secure their systems and
their networks. 

[Holly Hobbs:] And did we find any weaknesses or gaps in the agencies'
ability to identify or respond to threats? 

[Carol Harris:] So, unfortunately, there were few of the 23 civilian
agencies that we reviewed that had implemented these 7 practices. None
of the agencies had fully implemented all of them, and 17 had not
implemented any of the 7 practices. So, there's a significant amount of
work that the civilian agencies need to do, in order to have a robust
supply chain risk management process. 

[Holly Hobbs:] Do the agencies tell us why they haven't implemented
those 7 risk management practices? 

[Carol Harris:] One of the main reasons the agencies cited as to why
they haven't implemented these processes is a lack of guidance from OMB.
And we just simply disagree with that. NIST has come out with these 7
practices a number of years back. And so, it's not as if this is a
surprise to the agencies. And I will give them this--when you look at the
NIST guidance, there's reams and reams of documentation; and granted,
it's a very complex topic. But those 7 practices are in there. And now I
think one of the things that agencies can take away from our report is
also the clarity in these 7 buckets that we pulled out from this NIST
guidance to help them better organize and better strategically align
their processes to ensure that they have a comprehensive approach to
supply chain risk management.

[ Music ]

[Holly Hobbs:] So it sounds like there are a number of significant
threats to the federal government's use of information and communication
technology supply chains, and that there is a process for monitoring,
assessing, and responding to these threats, but that there are also some
gaps in those efforts. Carol, did we make any recommendations to help
agencies better respond to these threats? 

[Carol Harris:] We did. We made a total of 145 recommendations to the 23
civilian agencies, and these were to fully implement the 7 foundational
practices. 

[Holly Hobbs:] And last question, Carol, what's the bottom line of this
report? 

[Carol Harris:] Agencies' the ability to effectively identify threats
and to respond to them will continue to be significantly hampered until
they take steps to close the gaps that we've identified. This should be
the top of their priority list, when it comes to securing their
networks. We're talking about the services and the products that they're
acquiring to keep their networks operational. The threats are
increasing, and the supply chains are becoming increasingly complex. So,
their resources should be focused on this, and then everything else will
fall in line as a result. 

[Holly Hobbs:] That was GAO's Carol Harris talking about a new report
reviewing the federal government's response to communications technology
supply chain threats. Thank you for your time, Carol. 

[Carol Harris:] You're welcome. 

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts, and make sure you
leave a rating and review to let others know about the work we're doing.
For more from the Congressional Watchdog, the U.S. Government
Accountability Office, visit us at GAO.gov.