GAO Issues ‘Wake-Up Call’ Report on Agencies’ Lax Supply Chain Security Management
December 16, 2020
The bottom line is that none of the 23 agencies audited fully implemented foundational risk management practices.
Days after news that sophisticated hackers exploited a flaw in the SolarWinds Orion software to breach a major security company and victimized several federal agencies, the Government Accountability Office made public a major audit showing federal civilian agencies are failing to manage risks in the information and communication technologies supply chain.
Though GAO finished its audit several months ago, the timing of the release of the public version which GAO shared Tuesday underscored the audit’s significance: ICT supply chains are targets for adversaries, and without implementing “foundational” supply chain risk management, or SCRM, practices, agencies risk exploitation.