
Federal agencies need to pay more attention to risks in the supply chain for the information and communications technology (ICT) that is crucial to their operations, GAO has said.
The report coincides with the massive SolarWinds supply chain hack that saw numerous federal agency networks compromised in recent days, and prompted key intelligence agencies to form a joint task force to try to corral the problem.
“As the lead for threat response, the FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors. The FBI is engaging with known and suspected victims, and information gained through FBI’s efforts will provide indicators to network defenders and intelligence to our government partners to enable further action,” DHS announced on Thursday.
“As the lead for asset response activities, CISA took immediate action and issued an Emergency Directive instructing federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products from their network.”
One reason why the SolarWinds intrusion was so pervasive is that it targeted a well-known, widely used and trusted network management framework, developed and managed in Texas. However, many IT products and services “originate from a variety of sources throughout the world,” GAO said, giving as examples cloud computing services hosted in countries ranging from the Netherlands to South Africa to Singapore, and suppliers of computer chips ranging from the Czech Republic to Malta to Vietnam.
Potential threats include those “posed by counterfeiters who may exploit vulnerabilities in the supply chain and, thus, compromise the confidentiality, integrity, or availability of an organization’s systems and the information they contain,” it said in the publicly released version of a sensitive report it issued in October.
GAO said that of the two dozen largest departments and agencies, none had carried out all seven basic risk-management processes in that area, and 14 had carried out none of the seven. Those practices involve executive oversight, an agency-wide strategy, identifying and documenting current and potential suppliers, assessments of risks, and steps to detect counterfeit or compromised products prior to deployment.
“As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property,” it said. “Moreover, agencies lack the ability to understand and manage risk and reduce the likelihood that adverse events will occur without reasonable visibility and traceability into supply chains.”
Several agencies told GAO that they were waiting for federal guidance to be issued from the Federal Acquisition Security Council on supply chain risk management, but GAO said that they could be taking actions under existing guidance from OMB and the National Institute of Standards and Technology.