The National Nuclear Security Administration and its contractors have not fully implemented recommended cybersecurity measures, and oversight of subcontractors’ cybersecurity is “inconsistent,” the U.S. Government Accountability Office said in a report Thursday.
The traditional IT environment includes computer systems used for weapons design, but both the NNSA and its contractors have “not fully implemented a continuous monitoring strategy because their strategy documents were missing key recommended elements,” the report said.
“Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats,” the report says.
“NNSA has not yet fully implemented any foundational risk management practices in this environment, and it is still developing specific guidance for contractors,” the report says. “This is partially because NNSA has not yet determined the resources it needs to implement practices and develop guidance.”
NNSA has also not developed “a cyber risk management strategy to address nuclear weapons IT-specific threats.”
In addition, the report says, “NNSA’s cybersecurity directive requires contractors to oversee their subcontractors’ cybersecurity measures but contractors’ efforts to provide such oversight are mixed, and three of seven contractors do not believe it is a contractual responsibility.”
“These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.”