Out of the four national security-related departments -- Defense, Justice, Energy and Homeland Security -- the Pentagon has made "the most progress" in addressing supply chain vulnerabilities, according to the Government Accountability Office.
Gregory Wilshusen, GAO's director of information security issues, delivered the assessment in prepared testimony this morning at a joint hearing of two House Homeland Security Committee panels, the Counterterrorism and Intelligence Subcommittee and the Oversight and Management Efficiency Subcommittee. As of March 2012, he said, the Defense, Justice, Energy and Homeland Security departments "had acknowledged the risks presented by supply chain vulnerabilities. However, the agencies varied in the extent to which they had addressed these risks by (1) defining supply chain protection measures for department information systems, (2) developing implementing procedures for these measures, and (3) establishing capabilities for monitoring compliance with, and the effectiveness of, such measures."
Of those four agencies, the Defense Department "had made the most progress addressing the risks," Wilshusen's testimony states. "Specifically, the department's supply chain risk management efforts began in 2003 and included:
• "a policy requiring supply chain risk to be addressed early and across a system’s entire life cycle and calling for an incremental implementation of supply chain risk management through a series of pilot projects;
• "a requirement that every acquisition program submit and update a "program protection plan" that was to, among other things, help manage risks from supply chain exploits or design vulnerabilities;
• "procedures for implementing supply chain protection measures, such as an implementation guide describing 32 specific measures for enhancing supply chain protection and procedures for program protection plans identifying ways in which programs should manage supply chain risk; and
• "a monitoring mechanism to determine the status and effectiveness of supply chain protection pilot projects, as well as monitoring compliance with and effectiveness of program protection policies and procedures for several acquisition programs."