Officials have to consider the challenges and cost tradeoffs when dealing with how to secure their supply chain management.
The Government Accountability Office’s recommendations to toughen up agency-specific policies to detect supply chain threats may not work against today’s most sophisticated counterfeiters, according to the Energy Department's CIO.
“In the absence of improved technical means to identify and characterize these exploits, the value of focusing on compliance-driven administrative controls to mitigate supply chain risks at the individual agency level is questionable and likely counterproductive,” wrote Michael Locatis in a letter to GAO March 13. The letter was included in a new GAO report on supply chain risks.
He noted that GAO itself has written about the challenges and cost tradeoffs officials have to consider when dealing with supply chain management: in a past report on management in the intelligence community, the cost for agencies to protect themselves against these threats was found to outweigh the security benefits.
“We are therefore concerned that many of the GAO’s conclusions may significantly underestimate the deep complexities and interdependence posed by this threat,” he wrote.
Agencies rely extensively on computer-based information systems and electronic data to operate. However, counterfeiters are exploiting IT products and services through the global supply chain, and this has become an emerging threat. The threat could degrade the integrity of critical and sensitive agency networks and data. On a broad scale, underhanded suppliers could disrupt production of critical products. At a more complex level, they could insert malicious or counterfeit logic into hardware and software, according to GAO.
To prepare for supply chain risks, GAO recommended that Energy officials develop departmental policies and send out those policies to their offices. Then they should set up systems to monitor the supply chain. GAO said defense officials have made progress through internal policies.
Locatis agreed with the spirit of GAO’s recommendations, although they didn’t match the administration’s initiative, according to his letter to GAO. Instead, Locatis wrote the government should work at the national level to coordinate policies and standards to address IT supply chain risk management. It should not be done independently through individual agencies.
In response to Locatis, GAO said it agreed that departments should work at the national level, but federal officials are responsible for developing departmental policies that are consistent and aligned with federal guidance.
GAO offered the same general recommendations to several other agencies, including the departments of Homeland Security and Justice.
DHS, which had worked closely with DOD on supply chain issues in the past, said it will consider new security measures but will have to balance them against the costs, according to its letter to GAO.