Supply Chain Security

Effective April 1, 2020: The GTA Enterprise Supply Chain Security Controls Policy (PS-20-002) helps agencies identify, assess, select, and implement supply chain risk management processes and controls.

Risk increases with a lack of visibility across the supply chain, including how the acquired technology is developed, integrated, and deployed. Supply chain risks may include the insertion of counterfeit or malicious hardware and software components, device tampering, data/information theft, and poor manufacturing and development practices. Visibility into practices used to assure the integrity, security, resilience, and quality of the products and services helps reduce these risks.

GTA uses varied and standardized practices that make it easier to consistently measure and manage IT supply chain risks across different integrators, suppliers, and external service providers. Additional guidance on supply chain security controls is included in the resources listed below:

• GTA (PM-06-001) "Information Technology Review Policy"
• GTA (SS-08-028) "System Security Plans"
• NIST Special Publication 800-161 "Supply Chain Risk Management Practices for Federal Information Systems and Organizations"
• NIST Special Publication 800-53 Revision 4 "Security and Privacy Controls for Federal Information Systems and Organizations"
• U.S. Department of Defense Supply Chain Material Management Policy

The state of Georgia will consult the Federal Communications Commission, U.S. Department of Defense, and U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency for supply chain security guidance. Products that are determined to be a threat to national security by these entities will not be permitted for use by Georgia executive branch agencies.