US agencies lack supply chain best practices post-SolarWinds

Six months after the SolarWinds breach, few U.S. federal agencies have followed any of the supply chain best practices put forth by the Government Accountability Office last year. These include standards like developing methods to document risk and establishing executive oversight. 

This information came during a joint hearing Tuesday by the U.S. House of Representatives Committee on Science, Space, and Technology about the SolarWinds supply chain attacks and improving supply chain cybersecurity.

One of the witnesses during the hearing was Vijay D'Souza, director of IT and cybersecurity at the Government Accountability Office (GAO). D'Souza made multiple references during his testimony to a Dec. 2020 report by the GAO about managing supply chain risks.

The report, which is based on a more specific, classified report given to agencies in October, lists a number of recommendations and "foundational practices" that the examined 23 federal agencies should use to minimize the threat of supply chain attacks. Examples of these practices include developing approaches to document supply chains and designating someone to be in charge of supply chain risk management.

At the time of the report, D'Souza said, was that "most agencies were not following even foundational practices in this area.

For the 23 agencies we had examined, none had implemented all of the practices, and 14 hadn't implemented any of the practices.

"For the 23 agencies we had examined, none had implemented all of the practices, and 14 hadn't implemented any of the practices," he said. "Given what we now know about the threats we face, this is concerning."

Even now, six months later, there hasn't been much progress on the guidelines. GAO has received "updates" from six agencies on their progress, but to date, "none of the agencies have fully implemented our recommendations."

Agencies told the GAO at the time of last year's report that many practices weren't implemented because they were awaiting additional guidance, specifically from the Federal Acquisition Security Council, D'Souza said. He stressed the importance "to not let perfect be the enemy of the good in this case," and that the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) have had guidance on the issue for at least the past five years.

However, D'Souza said that there are "a lot of federal activities underway looking at IT supply chain security," mentioning an update to existing guidance from NIST expected to be issued next year as well as a CISA task force.

The GAO elaborated on D'Souza's points on its website.

CrowdStrike senior vice president of intelligence Adam Meyers told SearchSecurity that while there's room for improvement on this front, federal agencies are taking steps to improve their cyberdefenses. Moreover, he said that six months is not a long period of time when considering various circumstances.

"To say that since December, agencies haven't been all over this is probably not surprising, just because they're operating in the COVID environment, they're operating at the speed of how things advance in terms of government procurement," Meyers said. "I think it's not surprising didn't turn on a dime in six months."

Multiple sectors of the U.S. government have begun addressing major security issues in recent weeks. President Biden signed an executive order to modernize cybersecurity defenses earlier this month, and the U.S. Department of Justice established the Ransomware and Digital Extortion Task Force back in April.

And on Tuesday, The Washington Post reported that the Department of Homeland Security was going to issue a directive instructing pipeline companies to report cybersecurity breaches.

A spokesperson with the DHS shared a statement with SearchSecurity that was light on specifics, while promising "additional details in the days ahead."

"The Biden Administration is taking further action to better secure our nation's critical infrastructure. [The Transportation Security Administration], in close collaboration with CISA, is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems. We will release additional details in the days ahead," the quote read.

Alexander Culafi is a writer, journalist and podcaster based in Boston.