The GAO was asked to identify (1) the key risks associated with the IT supply chains used by federal agencies; (2) the extent to which selected national security-related departments have addressed such risks; and (3) the extent to which those departments have determined that their telecommunication networks contain foreign-developed equipment, software, or services.
The GAO found that reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors — such as foreign intelligence services or counterfeiters — who may exploit vulnerabilities in the supply chain. Such exploitation can, in turn, adversely affect an agency's ability to effectively carry out its mission.
IT supply chain-related threats can be introduced in the manufacturing, assembly, and distribution of hardware, software, and services. Moreover, these threats can appear at each phase of the system development life cycle, when an agency initiates, develops, implements, maintains, and disposes of an information system. As a result, the compromise of an agency's IT supply chain can degrade the confidentiality, integrity, and availability of its critical and sensitive networks, IT-enabled equipment, and data.