Energy CIO: Policies and procedures likely won't catch counterfeiters

The Government Accountability Office’s recommendations on toughen up agency-specific policies to detect supply chain threats may not work when dealing with today’s most sophisticated counterfeiters, according to the Energy Department's CIO.

“In the absence of improved technical means to identify and characterize these exploits, the value of focusing on compliance-driven administrative controls to mitigate supply chain risks at the individual agency level is questionable and likely counterproductive,” wrote Michael Locatis in a letter to GAO March 13. The letter was included in a new GAO report on supply chain risks.

He noted that GAO has written about the challenges and cost tradeoffs officials have to consider when dealing with supply chain management. In a past report on management in the intelligence community, the cost for agencies to protect themselves against threats outweighs the security benefits.

“We are therefore concerned that many of the GAO’s conclusions may significantly underestimate the deep complexities and interdependence posed by this threat,” he wrote.

Agencies rely extensively on computer-based information systems and electronic data to operate. However, counterfeiters are exploiting IT products and services through the global supply chain, and it’s become an emerging threat. The threat could degrade the integrity of critical and sensitive agency networks and data. On a broad scale, underhanded suppliers could disrupt production of critical products. But on a more complex level, they could put malicious or counterfeit logic on hardware and software, according to GAO.

To prepare for supply chain risks, GAO recommended that Energy officials develop departmental policies and send out those policies to their offices. Then they should set up systems to monitor the supply chain. GAO said defense officials have made progress through internal policies.

Locatis agreed with the spirit of GAO’s recommendations, although they didn’t match the administration’s initiative, according to his letter to GAO. Instead, Locatis wrote the government should work at the national level to coordinate policies and standards to address IT supply chain risk management. It should not be done independently through individual agencies.

In response to Locatis, GAO said it agreed that departments should work at the national level, but federal officials are responsible for developing departmental policies that are consistent and aligned with federal guidance.

GAO offered the same general recommendations to several other agencies, including the departments of Homeland Security and Justice.

DHS, which had worked closely DOD on supply chain issues in the past, said it will consider new security measures but will have to balance them against the costs, according to its letter to GAO.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Then-presidential candidate Donald Trump at a 2016 campaign event. Image: Shutterstock

    'Buy American' order puts procurement in the spotlight

    Some IT contractors are worried that the "buy American" executive order from President Trump could squeeze key innovators out of the market.

  • OMB chief Mick Mulvaney, shown here in as a member of Congress in 2013. (Photo credit Gage Skidmore/Flickr)

    White House taps old policies for new government makeover

    New guidance from OMB advises agencies to use shared services, GWACs and federal schedules for acquisition, and to leverage IT wherever possible in restructuring plans.

  • Shutterstock image (by Everett Historical): aerial of the Pentagon.

    What DOD's next CIO will have to deal with

    It could be months before the Defense Department has a new CIO, and he or she will face a host of organizational and operational challenges from Day One

  • USAF Gen. John Hyten

    General: Cyber Command needs new platform before NSA split

    U.S. Cyber Command should be elevated to a full combatant command as soon as possible, the head of Strategic Command told Congress, but it cannot be separated from the NSA until it has its own cyber platform.

  • Image from Shutterstock.

    DLA goes virtual

    The Defense Logistics Agency is in the midst of an ambitious campaign to eliminate its IT infrastructure and transition to using exclusively shared, hosted and virtual services.

  • Fed 100 logo

    The 2017 Federal 100

    The women and men who make up this year's Fed 100 are proof positive of what one person can make possibile in federal IT. Read on to learn more about each and every winner's accomplishments.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group