A Government Accountability Office (GAO) report says few of the 23 Chief Financial Officers Act agencies had implemented seven fundamental practices for managing risks to the information and communications technology (ICT) supply chain.
GAO said in a report published Tuesday that none of the 23 CFO Act agencies fully implemented all the supply chain risk management (SCRM) practices and 14 those civilian agencies had not adopted any of the seven practices.
Those ICT SCRM practices are establishing executive oversight of ICT SCRM activities; developing an agencywide ICT SCRM strategy; establishing an approach to identify and document agency ICT supply chain; coming up with a process to carry out agencywide reviews of ICT supply chain risks; establishing a process to implement a SCRM review of a potential supplier; developing organizational ICT SCRM requirements for suppliers; and developing organizational procedures to detect compromised and counterfeit ICT products prior to deployment.
The report noted that agencies cited the lack of federal guidance on SCRM as one of the factors that limited their implementation of the basic practices for handling supply chain risks.
"Until agencies implement all of the foundational ICT SCRM practices, they will be limited in their ability to address supply chain risks across their organizations effectively,” the report reads.
