Report: US Nuclear Security body failed to implement cybersecurity measures
A recent document acquired by Atlas VPN reveals that a federal watchdog chastised the US agency in charge of maintaining and modernizing the country's nuclear arsenal for lax cybersecurity procedures that jeopardize both IT and operational technology networks.
The United States Government Accountability Office (GAO) issued a report on September 24th, 2022, outlining the National Nuclear Security Administration's (NNSA) cybersecurity failings.
The NNSA is a separate agency within the Department of Energy (DOE) tasked with managing U.S. nuclear weapons at eight laboratory and production sites across the country.
According to the GAO, the NNSA and its contractors have not completely adopted six legally mandated cybersecurity standards, including basic risk management techniques and others.
NNSA failed to fully implement two out of six mandatory cybersecurity measures, including the development and maintenance of an organization-wide continuous monitoring strategy as well as the documentation of cybersecurity policies and plans.
NNSA contractors responsible for the management and operational activities have to adhere to the same strict standards, but they failed on multiple fronts as well. Most notably, they were unable to implement the same organization-wide monitoring strategy that NNSA struggled with.
Out of seven M&O (management and operating) contractors, four implemented the monitoring policy substantially, one partially, and two barely improved the cybersecurity measure.
Unlike NNSA, all contractors were able to document and maintain cybersecurity policies and plans according to the outlined standards.
However, four contractors assigned most, but not all, cybersecurity management roles and responsibilities. One M&O partner assigned only about half of the roles and duties.
The last area where some M&O contractors struggled was the establishment and maintenance of an organization-wide cybersecurity strategy. Two partners implemented the measure substantially, while a third implemented it only partially (around 50%).
Why GAO did this study
NNSA and its site contractors incorporate information systems into nuclear weapons, automate production equipment, and develop warheads using computer modeling.
However, these systems are targets for threat actors. To guard against such risks, federal law and rules require the NNSA to build a cybersecurity risk management program that involves the deployment of the six aforementioned basic principles.
NNSA contractors are expected to monitor the cybersecurity of their subcontractors.
NNSA promises to improve its cybersecurity
A draft of the study was first provided to the Defense and Energy Secretaries, as well as the Administrator of the National Nuclear Security Administration.
GAO makes nine suggestions to NNSA, including that it completely execute a continuous monitoring approach, establish the resources required for operational technology activities, develop a nuclear weapons risk strategy, and improve monitoring of subcontractor cybersecurity.
GAO notes: "In its comments, reproduced in appendix IX, NNSA agreed with our recommendations and described planned actions to address them."