What GAO’s Work Shows
GAO has long reported on the importance of supply chain risk management, testing, contingency planning, and information sharing to help manage and mitigate cybersecurity vulnerabilities.
- Supply chain risk management. Organizations have increased their reliance on complex, interconnected, and global supply chains that can include multiple tiers of outsourcing. The exploitation of IT products and services through the supply chain is an emerging threat.
➢ In 2020, we identified seven practices to manage and protect federal IT against these risks. We made recommendations for improving supply chain risk management practices including detecting counterfeit and compromised technology products prior to their deployment.
- Testing. Testing and approving new and modified systems and software (including critical security patches) before their implementation are essential to help ensure systems’ hardware and programs operate as intended and that no unauthorized changes are introduced. Our work has found that federal agencies do not always adequately address issues found in testing before deploying new systems or software. This makes it more difficult to protect against cyber risks and system failure.
➢ In 2021, we recommended that the Departments of Defense and Veterans Affairs improve testing processes for their electronic health records systems to verify the systems perform as intended and meet users’ needs.
- Contingency planning. Contingency planning helps ensure that if operations are interrupted, organizations are able to detect, mitigate, and recover from a service disruption while preserving access to vital information. However, our work has shown that federal agencies do not always develop contingency plans, and do not always test the plans they have.
➢ In 2023, we recommended that the State Department annually test the contingency plans for its systems that have a significant impact on the United States’ national security interests, so that the department can better prepare for and respond to incidents when they occur.
- Cybersecurity information sharing. Cyber threats to the nation’s critical infrastructure continue to increase and represent a significant national security challenge. As these threats become more complex, it is increasingly important that federal agencies and critical infrastructure owners and operators share cyber threat information. Federal agencies are often challenged in sharing cyber threat information because of, among other factors, a lack of voluntary sharing by non-federal entities and a lack of actionable information.