The agency responsible for safeguarding the nation’s nuclear weapons has not fully implemented basic cybersecurity risk management practices in its computer systems, including some used for weapons development, according to a recent report. Neither have its contractors.
The National Nuclear Security Administration and its contractors have failed to fully implement six key cybersecurity practices in their IT environments, according to a Government Accountability Office report released on Thursday. This covers standard computer systems as well as operational systems for manufacturing equipment, building control, and those in “contact” with nuclear weapons.
NNSA has fully implemented four of six cybersecurity risk management practices based on recommendations from the Office of Management and Budget, the National Institute of Standards and Technology, and the Committee on National Security Systems, the GAO found, and has partially implemented the other two: developing and maintaining an organization-wide continuous monitoring strategy, and documenting cybersecurity program policies and plans.
NNSA contractors are required to monitor the cybersecurity measures of their subcontractors. According to the report, efforts to do so were “mixed,” with three of the seven contractors denying it was a contractual obligation.
“These gaps in oversight at both the contractor and NNSA levels leave NNSA with little confidence that sensitive information held by subcontractors is effectively protected,” GAO reported.
The four practices the agency has fully implemented are assigning risk management roles and responsibilities, maintaining an enterprise-wide cybersecurity risk management strategy, managing cybersecurity risks, and assigning controls to information systems.
The GAO also found that NNSA failed to adequately monitor its contractors’ cybersecurity practices. Of the seven contractors GAO evaluated, two had only minimally implemented continuous monitoring strategies and one had partially implemented one.
“By not developing and maintaining a comprehensive continuous monitoring strategy that includes all elements of NIST guidance, contractors at the Savannah River, Kansas City, and Nevada sites lack a clear understanding of their site-wide cybersecurity posture and are limited in their ability to respond in a timely manner to emerging cyber threats,” the report said.
The report comes amid growing scrutiny of federal government subcontractors, particularly in defense and homeland security, as reliance on digital infrastructure grows and cybersecurity threats grow with it. High-profile incidents such as SolarWinds, Log4j, and Colonial Pipeline have also heightened concerns about cyber threats.
GAO recommends that NNSA make a number of policy changes, including fully implementing its continuous monitoring strategy for IT systems and its risk management strategy for nuclear weapons systems. The report also recommends that NNSA’s acquisition division clarify and strengthen the contractor policies that establish its authority to oversee the cybersecurity measures of subcontractors.
Source: Oversight of nuclear contractors’ cyber practices was ‘inconsistent’: GAO, https://www.defenseone.com/threats/2022/09/oversight-nuclear-weapons-contractors-cyber-practices-has-been-inconsistent-gao/377711/