As the National Nuclear Security Administration and its contractors increasingly utilize advanced computers and digital systems to “integrate information systems into nuclear weapons, automate manufacturing equipment and rely on computer modeling to design weapons,” they need to implement foundational cybersecurity risk management because these systems can be targets of cybersecurity attacks, according to a report released on Thursday.
The Government Accountability Office report noted that federal law and policies identify six practices for a cybersecurity management program. These practices are as follows: “identify and assign cybersecurity roles and responsibilities for risk management”; “establish and maintain a cybersecurity risk management strategy for the organization”; “document and maintain policies and plans for the cybersecurity program”; “assess and update organization-wide cybersecurity risks”; “designate controls that are available for information systems or programs to inherit”; and “develop and maintain a strategy to monitor risks continuously across the organization.”
However, GAO found that NNSA and its contractors have not fully implemented these key cybersecurity practices. NNSA has three types of technology or digital environments: traditional information technology, operational technology and nuclear weapons information technology. GAO stated that NNSA has not fully implemented the cybersecurity practices in its operational technology and nuclear weapons information technology environments.
The report noted that in the traditional IT environment, which includes computer systems to design weapons, NNSA fully implemented four out of the six practices and partially implemented two practices. Meanwhile, NNSA contractors fully implemented three practices. Specifically, both the agency and its contractors did not fully implement a continuous monitoring strategy, which prevents them from having a complete understanding of their cybersecurity posture, GAO stated.
According to the report, the operational technology environment consists of manufacturing equipment and building control systems that have software embedded in them to monitor the devices or processes. GAO found that NNSA has not fully implemented any of the key practices and is still in the process of creating guidance for contractors in part because the agency is still figuring out the resources it needs for key practice implementation and guidance development.
Meanwhile, the nuclear weapons IT environment includes IT in or in contact with nuclear weapons. The agency has implemented or taken steps to implement most of these practices in addition to developing contractor guidelines, but it has not developed a cyber risk management strategy to address IT-specific threats to nuclear weapons. GAO indicated that this is hindering NNSA’s awareness of threats and ability to respond.
Another issue, according to the report, is that NNSA and its contractors also use subcontractors, but there was inconsistent oversight of subcontractors’ cybersecurity. While contractors are required to oversee subcontractors’ cybersecurity measures under NNSA’s cybersecurity directive, in practice contractors’ oversight efforts were mixed, GAO found. Moreover, GAO stated that three out of seven contractors did not believe they were contractually required to do so. As a result, GAO noted, there is no assurance that the sensitive information held by subcontractors is properly protected.
GAO made nine recommendations for NNSA. For example, GAO suggested that the agency should fully implement a continuous cybersecurity monitoring strategy; determine the resources needed for operational technology efforts; delegate risk management roles and responsibilities; develop a nuclear weapons risk strategy; and enhance oversight and monitoring of subcontractor cybersecurity.
NNSA concurred with the recommendations.