A recent Government Accountability Office report raised concerns about the risk of adversaries infiltrating the National Nuclear Security Administration’s (NNSA) digital environments.
The Federal watchdog found that there are six key practices NNSA has neglected to fully implement, even though cybersecurity management is an indispensable practice in computer-operated military applications.
The report found that NNSA has been inconsistent in overseeing the cybersecurity of its contractors, on whom it relies heavily. All traditional, nuclear weapons and operational technology IT environments must execute all of the following six steps to mitigate cybersecurity risks:
- Assign cybersecurity roles and responsibilities for risk management;
- Maintain a cybersecurity risk management strategy;
- Document policies for the cybersecurity program;
- Assess organization-wide cybersecurity risks;
- Designate controls that are available for information systems to inherit; and
- Develop a strategy to monitor risks.
These six standards were adopted by guidance from the Office of Management and Budget, the National Institute of Standards and Technology, and the Committee on National Security Systems.
“NNSA and its site contractors integrate information systems into nuclear weapons, automate manufacturing equipment, and rely on computer modeling to design weapons,” the report said. “However, cyber systems are targets of malicious actors. To protect against such threats, federal law and policies require that NNSA establish a program to manage cybersecurity risk.”
The report followed a request from the National Defense Authorization Act for Fiscal Year 2020 to review NNSA’s cybersecurity practices and policies.
The GAO has made nine recommendations to the agency, including that it implement an IT monitoring strategy; determine resources needed for operational technology efforts; create a nuclear weapons risk strategy; and enhance monitoring of contractor cybersecurity.
NNSA agreed with all of GAO’s recommendations.