GAO to Suggest More than 100 Ways to Secure Federal IT Supply Chains


An upcoming GAO report will provide recommendations for civilian federal agencies to secure their global supply chains.

A pending report from the Government Accountability Office will outline more than 100 recommendations describing how federal agencies should mitigate risks in their information and communications technology supply chains associated with foreign suppliers.

The report, which is expected to be issued in September, is the first comprehensive look at whether agencies have processes in place to address the potential vulnerabilities created by global, distributed supply chains, Carol Harris, the director of GAO's IT and cybersecurity team, told Nextgov. GAO analyzed the supply chains of the 23 civilian agencies at the behest of the House Committee on Oversight and Reform. 

“The vast majority of agencies lack comprehensive processes in order to effectively manage their supply chains,” Harris said.

Harris called the results of the report “stunning,” and indicated supply chain risk management may be another area that should be added to future FITARA scorecards. She added supply chain risk management is not an area federal agencies are prioritizing. 

“It’s kind of mind-boggling to me,” she said.

China is a major concern when it comes to supply chain security, particularly because of documented instances of intellectual property theft. At the August 3 House hearing on the Federal Information Technology Acquisition Reform Act, or FITARA, scorecard, Rep. Gary Palmer, R-Ala., questioned Harris directly about China’s position in IT supply chains.

Palmer referenced a study from the U.S.-China Economic and Security Review Commission that found an average of 51% of shipments to seven leading federal information and communications technology providers came from China between 2012 and 2017. 

Harris told lawmakers this dependency represents a “significant risk” to national security. But in an interview with Nextgov Friday, Harris emphasized China is not the only country of concern in the upcoming report. Other Asian countries, like Japan, South Korea and India, as well as European countries such as the U.K., Germany and France are included in the analysis as well.

“It’s really all over the place,” Harris said. “So it’s really critical for agencies to have these supply chain risk management practices in place.” 

One area the report doesn’t touch is the cost of reshoring, which means bringing the supply chain back to the U.S. Palmer asked about the budgetary implications of shifting federal technology acquisitions away from China at the FITARA hearing, but answers aren’t yet available there. He said he wants GAO or the Office of Management and Budget to provide an estimate for lawmakers.

Supply chain security is a hot-button item right now. The Defense Department’s acquisition chief Ellen Lord said in a webinar last month the COVID-19 pandemic exposed vulnerabilities in the department’s supply chains. Lord said she wants to see more support from the government behind bringing supply chains back to the U.S. 

And on Monday, the Federal Communications Commission issued a request for comment on a proposed rule related to the 2019 Secure Networks Act, which prevents federal entities from purchasing communications equipment or services that pose national security risks.