The National Nuclear Security Administration (NNSA) and its contractors have not fully implemented foundational cybersecurity risk management practices in NNSA's traditional IT environment, according to a new report by the Government Accountability Office (GAO).
Current U.S. nuclear weapons were developed during the Cold War, when computer capabilities were in their infancy and little consideration was given to cyber vulnerabilities. Weapons currently in the U.S. nuclear stockpile contain relatively little digital technology. Over the coming two decades, however, the NNSA will continue to maintain and modernize the stockpile. As it does so, NNSA plans to increasingly integrate digital systems into nuclear weapons, automate manufacturing processes and equipment, and rely on advanced computer processing capabilities to assess weapons and predict performance. Digital systems such as these can be hacked, corrupted, or subverted by malicious actors. They also can be subject to equipment failures, software coding errors, or the accidental actions of employees.
Federal laws and policies identify six foundational practices for establishing a cybersecurity risk management program:
- Identify and assign cybersecurity roles and responsibilities for risk management.
- Establish and maintain a cybersecurity risk management strategy for the organization.
- Document and maintain policies and plans for the cybersecurity program.
- Assess and update organization-wide cybersecurity risks.
- Designate controls that are available for information systems or programs to inherit.
- Develop and maintain a strategy to monitor risks continuously across the organization.
GAO found that NNSA and its contractors have not fully implemented these practices in any of the three environments it examined: traditional IT, operational technology (OT), and nuclear weapons IT (NW-IT).
In the traditional IT environment, which includes the computer systems used for weapons design, GAO found that NNSA had fully implemented four of the six practices and partially implemented two. NNSA's contractors had fully implemented three of the six and not fully implemented the other three. For example, neither NNSA nor its contractors had fully implemented a continuous monitoring strategy, because their strategy documents lacked key elements recommended in federal guidance. Without those elements, GAO says, NNSA and its contractors do not have a full understanding of their cybersecurity posture and are limited in their ability to respond effectively to emerging cyber threats.
The operational technology (OT) environment includes manufacturing equipment and building control systems whose embedded software monitors or controls physical devices and processes. GAO found that NNSA has not yet fully implemented any of the foundational risk management practices in this environment and is still developing OT-specific guidance for its contractors. GAO attributes this in part to NNSA not having determined the resources it needs to implement the practices and develop the guidance. NNSA officials told GAO that they did not have an overall plan or roadmap to guide the agency's future actions on OT cybersecurity.
By contrast, in the nuclear weapons IT environment NNSA has implemented, or taken actions consistent with implementing, most of the practices, and it is developing specific guidance for contractors. GAO found, however, that NNSA has not developed a cybersecurity risk management strategy that addresses threats specific to nuclear weapons IT.
In its fiscal year 2023 budget request to Congress, NNSA requested $48.9 million for a new subprogram, stating that the funds would be used to prevent, detect, and mitigate subversion risks to the nuclear weapons stockpile and to the associated design, production, and testing capabilities. If funded, this funding line would be used to implement planned NW-IT activities and nuclear weapon-related OT activities, NNSA officials told GAO.
NNSA's cybersecurity directive requires contractors to oversee their subcontractors' cybersecurity measures, but GAO found that contractors' oversight efforts are mixed, and three of the seven contractors do not consider such oversight a contractual responsibility. An NNSA official proposed adding an evaluation of subcontractor oversight to the annual contractor performance evaluation process, but NNSA could not show GAO evidence that this had been done. GAO is concerned that these oversight gaps, at both the contractor and the NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.
Despite the progress made in the traditional IT environment, GAO is making a series of recommendations to help NNSA improve its cybersecurity in the OT and nuclear weapons IT environments. These include developing and maintaining continuous monitoring strategies, identifying the resources needed to implement the foundational practices in the OT environment, and establishing a cybersecurity risk management strategy for nuclear weapons IT that includes all of the elements called for in National Institute of Standards and Technology guidance. NNSA agreed with the recommendations and acknowledged the gaps, which it attributes mostly to a lack of resources and to competing mission requirements.