IT supply chain is putting national security at risk

26 March 2012


26 March 2012 | Adam Leach

Three US government agencies are putting national security at risk as a result of not developing IT security policies and procedures, according to a report by the country’s Government Accountability Office (GAO).

The Departments of Energy, Homeland Security and Justice are accused of failing to tackle IT security risks. The report, IT Supply Chain: National Security-Related Agencies Need to Better Address Risks, published on Friday by the GAO, found that while four national security-related departments (including the Department of Defense) identified threats such as the installation of malicious or counterfeit hardware or software onto government systems, three had not taken adequate measures to limit the risks.

The report concluded that poor inspection and testing of IT security measures, or buying untested software or hardware, can introduce serious threats to federal information systems. The report said: “Should this occur on a critical information system, the potential exists for serious adverse impact on an agency’s operations, assets, or employees.”

The report found that while the Department of Justice had identified supply chain protection measures, it had not developed procedures to measure compliance or the effectiveness of such measures. More concerning, however, was the finding that neither the Department of Energy nor the Department of Homeland Security had identified measures to protect themselves against IT security risks.

The report called for the Department of Energy and the Department of Homeland Security to: “Develop and document departmental policy that defines which security measures should be employed to protect against supply chain threats”.

Further, it called on all three departments to: “Develop, document and disseminate procedures to implement the supply chain protection security measures defined in departmental policy,” and “develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of supply chain measures”.

The report said the Department of Defense had both defined and implemented supply chain security measures.

