IT supply chains produce value and they are inherently difficult to secure, making every IT procurement by a government agency a de facto security decision. Although threats to the security of IT supply chains can never be fully eliminated, agencies should adopt practices and policies for minimizing their exposure to potential breaches.