Energy CIO: Policies and procedures likely won't catch counterfeiters

The Government Accountability Office’s recommendations to toughen up agency-specific policies to detect supply chain threats may not work when dealing with today’s most sophisticated counterfeiters, according to the Energy Department's CIO.

“In the absence of improved technical means to identify and characterize these exploits, the value of focusing on compliance-driven administrative controls to mitigate supply chain risks at the individual agency level is questionable and likely counterproductive,” wrote Michael Locatis in a letter to GAO March 13. The letter was included in a new GAO report on supply chain risks.

He noted that GAO has written about the challenges and cost tradeoffs officials have to consider when dealing with supply chain management. In a past report on management in the intelligence community, GAO wrote that the cost for agencies to protect themselves against threats outweighs the security benefits.

“We are therefore concerned that many of the GAO’s conclusions may significantly underestimate the deep complexities and interdependence posed by this threat,” he wrote.

Agencies rely extensively on computer-based information systems and electronic data to operate. However, counterfeiters are exploiting IT products and services through the global supply chain, and this has become an emerging threat. The threat could degrade the integrity of critical and sensitive agency networks and data. On a broad scale, underhanded suppliers could disrupt production of critical products. At a more complex level, they could plant malicious or counterfeit logic in hardware and software, according to GAO.

To prepare for supply chain risks, GAO recommended that Energy officials develop departmental policies and send out those policies to their offices. Then they should set up systems to monitor the supply chain. GAO said defense officials have made progress through internal policies.

Locatis agreed with the spirit of GAO’s recommendations, although they didn’t match the administration’s initiative, according to his letter to GAO. Instead, Locatis wrote the government should work at the national level to coordinate policies and standards to address IT supply chain risk management. It should not be done independently through individual agencies.

In response to Locatis, GAO said it agreed that departments should work at the national level, but federal officials are responsible for developing departmental policies that are consistent and aligned with federal guidance.

GAO offered the same general recommendations to several other agencies, including the departments of Homeland Security and Justice.

DHS, which had worked closely with DOD on supply chain issues in the past, said it will consider new security measures but will have to balance them against the costs, according to its letter to GAO.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.
