In December 2020, the US Government Accounting Office (GAO) made 145 recommendations to 23 federal agencies relating to supply chain risks. In May 2021, the GAO’s director of information technology and cybersecurity, Vijay A. D’Souza, testified before Congress on supply chain risks. His testimony was not pretty and highlighted that “none of the 23 reviewed agencies had fully adopted identified practices to reduce supply chain risks.”
In a nutshell, GAO had identified the existence of the threat to supply chains early on, issued recommendations, and when they came back to check on progress, they found holes in the risk mitigation, many of which had previously been identified. December 2020 was also the month when the SolarWinds compromise was publicly revealed.