The Cybersecurity and Infrastructure Security Agency’s guidelines on information and communications technology (ICT) supply chain risk management (SCRM) are necessary to preventing such breaches like the one seen last week.

On the heels of FireEye’s discovery of a SolarWinds software supply chain breach, which cascaded into a cyberattack exposing multiple federal agencies, government contractors and state governments, the Government Accountability Office identified most federal civilian agencies are not implementing ICT SCRM practices according to CISA’s guidelines.

“The practice with the highest rate of implementation was implemented by only six agencies,” GAO said in its Dec. 15 report. “Without establishing executive oversight of SCRM activities, agencies are limited in their ability to make risk decisions across the organization about how to most effectively secure their ICT product and service supply chains. Moreover, agencies lack the ability to understand and manage risk and reduce the likelihood that adverse events will occur without reasonable visibility and traceability into supply…