According to the U.S. Government Accountability Office (GAO), reliance on a global supply chain introduces multiple risks to federal information systems and underscores the importance of threat assessments and mitigation. In a recent report, GAO found that supply chain threats are present at various phases of a system's development life cycle and could create an unacceptable risk to federal agencies. Key supply chain-related threats include:
- installation of intentionally harmful hardware or software (i.e., containing “malicious logic”);
- installation of counterfeit hardware or software;
- failure or disruption in the production or distribution of critical products;
- reliance on malicious or unqualified service providers for the performance of technical services; and
- installation of hardware or software containing unintentional vulnerabilities, such as defective code.
These threats can have a range of impacts, including allowing attackers to take control of systems or decreasing the availability of critical materials needed to develop systems. These threats can be introduced by exploiting vulnerabilities that could exist at multiple points in the supply chain.
Examples of such vulnerabilities include acquisition of products or parts from unauthorized distributors; application of untested updates and software patches; acquisition of equipment, software, or services from suppliers without knowledge of their past performance or corporate structure; and use of insecure delivery or storage mechanisms. These vulnerabilities could be exploited by malicious actors, leading to the loss of the confidentiality, integrity, or availability of federal systems and the information they contain.
More information can be found on GAO's website, including a 14-page copy of the report.