Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, Report to Congressional Requesters
From the Highlights: "Federal agencies rely extensively on ICT [information and communications technology] products and services (e.g., computing systems, software, and networks) to carry out their operations. However, agencies face numerous ICT supply chain risks, including threats posed by counterfeiters who may exploit vulnerabilities in the supply chain and, thus, compromise the confidentiality, integrity, or availability of an organization's systems and the information they contain. For example, in September 2019, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency reported that federal agencies faced approximately 180 different ICT supply chain-related threats. To address threats such as these, agencies must make risk-based ICT supply chain decisions about how to secure their systems. GAO [Government Accountability Office] was asked to conduct a review of federal agencies' ICT SCRM [supply chain risk management] practices. The specific objective was to determine the extent to which federal agencies have implemented foundational ICT SCRM practices."
Government Accountability Office: https://www.gao.gov/