Oversight Of Nuclear-Weapons Contractors' Cyber Practices Has Been ‘Inconsistent’: GAO

The agency responsible for safeguarding the nation’s nuclear weapons didn’t fully implement key practices that manage cybersecurity risks on its computer systems, including some used for weapons design, according to a recent report. And neither did its contractors.

The National Nuclear Security Administration and its contractors failed to fully implement six foundational cybersecurity risk practices in its IT environments, according to a Government Accountability Office report released on Thursday. That includes standard and operational computer systems for manufacturing equipment, building control, and those that are “in contact with” nuclear weapons.

The NNSA fully implemented four of six cybersecurity risk management practices based on guidance from the Office of Management and Budget, National Institute of Standards and Technology, and Committee on National Security Systems, the GAO found. And it partially implemented two others—developing and maintaining an organization-wide continuous monitoring strategy and documenting cybersecurity program policies and plans. 

NNSA contractors are required to oversee their subcontractors’ cybersecurity measures, the efforts to do that were “mixed,” according to the report, with three of the seven contractors denying that doing so was a contractual responsibility.

“These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected,” the GAO reported. 

The agency upheld four foundational cybersecurity practices, including assigning risk management roles and responsibilities, maintaining an organization-wide cybersecurity risk management strategy, keeping up with cybersecurity risks, and designating controls for information systems. 

The GAO also found that the NNSA didn’t have proper oversight of its contractors’ cybersecurity practices. Two of the seven contractors the GAO evaluated minimally implemented continuous monitoring strategies, with one more doing so partially. 

“By not developing and maintaining a comprehensive continuous monitoring strategy that includes all elements from NIST guidance, the contractors at the Savannah River, Kansas City, and Nevada sites lack a clear understanding of their site-wide cybersecurity postures and are limited in their ability to respond to emerging cyber threats in a timely manner,” the report states. 

The report comes amid growing scrutiny of federal government subcontractors, particularly in defense and national security, as reliance on digital infrastructure grows and cybersecurity threats along with it. High-profile cybersecurity attacks, such as SolarWinds, Log4j, and Colonial pipeline have also heightened concerns around cyber threats. 

The GAO is recommending the NNSA implement a series of policy changes, including fully implemented IT continuous monitoring and nuclear weapons risk management strategies. The report also recommends NNSA’s acquisition office clarify and reinforce policy for contractors enforcing their authority to monitor subcontractor's cybersecurity measures.