Trade Law Daily is a service of Warren Communications News.

The departments of Energy and Homeland Security haven’t defined “supply...

The departments of Energy and Homeland Security haven’t defined “supply chain protection measures” for their information technology systems, the Government Accountability Office said in a report (http://xrl.us/bmy9xo) Friday. The agencies also are “not in a position to have implementing procedures…

or monitoring capabilities to verify compliance with and effectiveness of any such measures,” the report said. GAO identified as risks installation of “malicious logic” on hardware or software, installation of counterfeits, failure or disruption in the production or distribution of a “critical” product or service, reliance on “malicious or unqualified” service providers, and installation of “unintentional vulnerabilities.” Among other national security-related departments, Justice has identified protection measures but has no monitoring capabilities. “Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks,” the report said. The Defense Department was the only one of the four to have “made great progress” through an “incremental approach” to supply-chain risk management, by defining protection measures and procedures for monitoring them. None of the four has “determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services,” which isn’t required by law and which officials say would “provide minimal security value relative to cost,” GAO said. The report was requested by Senate Homeland Security and Governmental Affairs Committee Ranking Member Susan Collins, R-Maine, and Government Information Subcommittee Chairman Tom Carper, D-Del.; Senate Commerce Committee Ranking Member Kay Bailey Hutchison, R-Texas; Senate Crime and Terrorism Subcommittee Chairman Jon Kyl, R-Ariz.; Sen. Kirsten Gillibrand, D-N.Y.; and House Commerce Committee Chairman Fred Upton, R-Mich.