Energy CIO: Policies and procedures likely won't catch counterfeiters

The Government Accountability Office’s recommendations on toughen up agency-specific policies to detect supply chain threats may not work when dealing with today’s most sophisticated counterfeiters, according to the Energy Department's CIO.

“In the absence of improved technical means to identify and characterize these exploits, the value of focusing on compliance-driven administrative controls to mitigate supply chain risks at the individual agency level is questionable and likely counterproductive,” wrote Michael Locatis in a letter to GAO March 13. The letter was included in a new GAO report on supply chain risks.

He noted that GAO has written about the challenges and cost tradeoffs officials have to consider when dealing with supply chain management. In a past report on management in the intelligence community, the cost for agencies to protect themselves against threats outweighs the security benefits.

“We are therefore concerned that many of the GAO’s conclusions may significantly underestimate the deep complexities and interdependence posed by this threat,” he wrote.

Agencies rely extensively on computer-based information systems and electronic data to operate. However, counterfeiters are exploiting IT products and services through the global supply chain, and it’s become an emerging threat. The threat could degrade the integrity of critical and sensitive agency networks and data. On a broad scale, underhanded suppliers could disrupt production of critical products. But on a more complex level, they could put malicious or counterfeit logic on hardware and software, according to GAO.

To prepare for supply chain risks, GAO recommended that Energy officials develop departmental policies and send out those policies to their offices. Then they should set up systems to monitor the supply chain. GAO said defense officials have made progress through internal policies.

Locatis agreed with the spirit of GAO’s recommendations, although they didn’t match the administration’s initiative, according to his letter to GAO. Instead, Locatis wrote the government should work at the national level to coordinate policies and standards to address IT supply chain risk management. It should not be done independently through individual agencies.

In response to Locatis, GAO said it agreed that departments should work at the national level, but federal officials are responsible for developing departmental policies that are consistent and aligned with federal guidance.

GAO offered the same general recommendations to several other agencies, including the departments of Homeland Security and Justice.

DHS, which had worked closely DOD on supply chain issues in the past, said it will consider new security measures but will have to balance them against the costs, according to its letter to GAO.

About the Author

Matthew Weigelt is a freelance journalist who writes about acquisition and procurement.

The Fed 100

Read the profiles of all this year's winners.

Featured

  • Shutterstock image (by wk1003mike): cloud system fracture.

    Does the IRS have a cloud strategy?

    Congress and watchdog agencies have dinged the IRS for lacking an enterprise cloud strategy seven years after it became the official policy of the U.S. government.

  • Shutterstock image: illuminated connections between devices.

    Who won what in EIS

    The General Services Administration posted detailed data on how the $50 billion Enterprise Infrastructure Solutions contract might be divvied up.

  • Wikimedia Image: U.S. Cyber Command logo.

    Trump elevates CyberCom to combatant command status

    The White House announced a long-planned move to elevate Cyber Command to the status of a full combatant command.

  • Photo credit: John Roman Images / Shutterstock.com

    Verizon plans FirstNet rival

    Verizon says it will carve a dedicated network out of its extensive national 4G LTE network for first responders, in competition with FirstNet.

  • AI concept art

    Can AI tools replace feds?

    The Heritage Foundation is recommending that hundreds of thousands of federal jobs be replaced by automation as part of a larger government reorganization strategy.

  • DOD Common Access Cards

    DOD pushes toward CAC replacement

    Defense officials hope the Common Access Card's days are numbered as they continue to test new identity management solutions.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group