As federal organizations look to adopt the most state-of-the-art IT tools and technologies, federal IT supply chains have grown more complex and decentralized. Suppliers within the chain itself have multiplied and become part of a global system. As a result, government agencies are increasingly vulnerable to a variety of security threats.
To learn more about the ability of federal agencies to manage threats to the IT supply chain, Government Business Council (GBC) released a flash poll in September 2016 on the following question:
The delivery of IT products relies on an ecosystem of organizations, individuals, information, and resources: the IT supply chain. However, the growing complexity of this supply chain leaves products open to a host of potential risks: theft, tampering, counterfeit materials, malware insertion, and other harmful elements.
How confident are you in your organization’s ability to manage IT supply chain risks?
The 166 responses GBC received indicate federal leaders have mixed feelings on their agencies’ management of IT supply chain risks: 33 percent of respondents feel confident or very confident in their organization’s ability to manage IT supply chain risks, 23 percent feel somewhat confident, and 34 percent are not very confident or not at all confident. Overall, federal leaders are not fully assured of the security of the supply chain.
Insecure federal IT supply chain processes have been identified as a source of concern for federal agencies. A 2012 GAO report found that the Department of Justice had not implemented measures to protect information systems from supply chain risks. Even more concerning, the report found that the Departments of Energy and Homeland Security had not identified measures they could take to protect information systems.
This does not mean that the federal government has been inactive in addressing threats to the supply chain. In February 2013, the President issued Executive Order 13636, ordering the Department of Defense and the General Services Administration to improve cybersecurity for acquisition planning and contract administration. The National Institute of Standards and Technology and Office of Management and Budget have similarly taken steps to secure their supply chains, while Congress has directed legislation at increasing federal IT supply chain security more generally.
Despite these efforts, the flash poll indicates that federal leaders are still uncertain about IT supply chain security; moreover, advancements in technology will only further diversify the supply chain, thereby multiplying the risks to federal IT systems and tools. Future policies need to address the global nature of IT supply chains and develop a comprehensive solution in collaboration with industry partners. Cooperation and information sharing between the public and private sectors can enable the development and voluntary adoption of lasting solutions by both parties.
By implementing such policies, federal agencies can increase their employees’ confidence in the management of IT supply chain risks and reduce threats to the security of their organization.