From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Urgent Action Needed to Address the Threats to Federal Information Technology Supply Chains

Description: The federal government relies heavily on information and communication technology products and services to carry out day-to-day operations. This dependency has increased the complexity, diversity, and scale of the government supply chains--that is, the public and private partnerships that make, implement, or use communication technology solutions. However, in September of 2019, the Department of Homeland Security reported about 180 different threats to the supply chain. We talk with GAO's Carol Harris to find out more.

Related GAO Work: GAO-21-171, Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks

Released: December 2020

[Intro Music]

[Carol Harris:] The threats are increasing, and the supply chains are becoming increasingly complex.

[Holly Hobbs:] Hi, and welcome to GAO's Watchdog Report, your source for news and information from the U.S. Government Accountability Office. I'm Holly Hobbs. The federal government relies heavily on information and communication technology products and services to carry out day-to-day operations. This dependency has increased the complexity, diversity, and scale of the government supply chains. That is, the public and private partnerships that make, implement, or use communication technology solutions. However, in September of 2019, the Department of Homeland Security reported about 180 different threats to the supply chain. Today we talk with Carol Harris--an expert on federal IT operations, and a director in our Information Technology and Cybersecurity Team--about a new report on the federal government's response to these threats. Thank you for joining me, Carol.

[Carol Harris:] Glad to be here, Holly. Thanks.

[Holly Hobbs:] So, Carol, can you give us some examples of the kind of threats that were identified by the Department of Homeland Security?

[Carol Harris:] These examples of threats include things like the insertion of counterfeits, unauthorized production, and tampering, to name a few. Counterfeiters like to insert malicious logic or backdoors into replicas, or copies, that would be far more difficult to do in a secure manufacturing facility. So, like, as an example, a U.S. citizen imported and resold thousands of counterfeit integrated circuits from China and Hong Kong to customers that included contractors for the DoD, and these contractors were supplying the circuits for the U.S. Navy for use in nuclear submarines. We have this vulnerability in our information and communications technology supply chain, and they can be easily infiltrated, and that's why risk management's so important.

[Holly Hobbs:] And what's the strategy for addressing these threats?

[Carol Harris:] Supply chain risk management is a process where agencies are expected to evaluate and mitigate the risks associated with the global IT product and service supply chain that they have. They are responsible for implementing 7 foundational practices that were developed by NIST. And these practices include things like developing an agencywide risk management strategy, developing organizational requirements for suppliers, procedures for detecting counterfeit and compromised products, things like that. And the President's Budget for FY2021 includes at least $18.8 billion for cybersecurity funding, which supports the protection of our federal information systems. And so, when we talk about what agencies can do, it's really focused on implementing these 7 practices.

[Holly Hobbs:] Do we know how that $18.8 billion is going to be spent?

[Carol Harris:] It's the general bucket related to cybersecurity funding. We don't have the breakout of that. We just know that it's a major part of how agencies are expected to secure their systems and their networks.

[Holly Hobbs:] And did we find any weaknesses or gaps in the agencies' ability to identify or respond to threats?

[Carol Harris:] So, unfortunately, there were few of the 23 civilian agencies that we reviewed that had implemented these 7 practices. None of the agencies had fully implemented all of them, and 17 had not implemented any of the 7 practices. So, there's a significant amount of work that the civilian agencies need to do in order to have a robust supply chain risk management process.

[Holly Hobbs:] Do the agencies tell us why they haven't implemented those 7 risk management practices?

[Carol Harris:] One of the main reasons the agencies cited as to why they haven't implemented these processes is a lack of guidance from OMB. And we just simply disagree with that. NIST came out with these 7 practices a number of years back. And so, it's not as if this is a surprise to the agencies. And I will give them this--when you look at the NIST guidance, there's reams and reams of documentation; and granted, it's a very complex topic. But those 7 practices are in there. And now I think one of the things that agencies can take away from our report is also the clarity in these 7 buckets that we pulled out from this NIST guidance to help them better organize and better strategically align their processes to ensure that they have a comprehensive approach to supply chain risk management.

[Music]

[Holly Hobbs:] So it sounds like there are a number of significant threats to the federal government's use of information and communication technology supply chains, and that there is a process for monitoring, assessing, and responding to these threats, but that there are also some gaps in those efforts. Carol, did we make any recommendations to help agencies better respond to these threats?

[Carol Harris:] We did. We made a total of 145 recommendations to the 23 civilian agencies, and these were to fully implement the 7 foundational practices.

[Holly Hobbs:] And last question, Carol, what's the bottom line of this report?

[Carol Harris:] Agencies' ability to effectively identify threats and to respond to them will continue to be significantly hampered until they take steps to close the gaps that we've identified. This should be the top of their priority list when it comes to securing their networks. We're talking about the services and the products that they're acquiring to keep their networks operational. The threats are increasing, and the supply chains are becoming increasingly complex. So, their resources should be focused on this, and then everything else will fall in line as a result.

[Holly Hobbs:] That was GAO's Carol Harris talking about a new report reviewing the federal government's response to communications technology supply chain threats. Thank you for your time, Carol.

[Carol Harris:] You're welcome.

[Holly Hobbs:] And thank you for listening to the Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, and make sure you leave a rating and review to let others know about the work we're doing. For more from the Congressional Watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.