The National Nuclear Security Administration and its contractors have not fully implemented recommended cybersecurity measures and monitoring of subcontractors’ cybersecurity is “inconsistent,” the U.S. Government Accountability Office said in a report Thursday.
The traditional IT environment includes computer systems used for weapons design, but both NNSA and its contractors have “not fully implemented a continuous monitoring strategy because their strategy documents lacked key recommended elements,” the report said.
“Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats,” the report states.
“NNSA has not yet fully implemented any basic risk management practices in this environment and is still developing specific guidance for contractors,” the report said. “This is partly because NNSA has not yet determined the resources it needs to implement practices and develop guidance.”
Nor has it developed “a cyber risk management strategy to address IT-specific threats to nuclear weapons.”
Additionally, the report says, “NNSA’s cybersecurity directive requires contractors to monitor their subcontractors’ cybersecurity measures, but contractors’ efforts to provide such oversight are mixed, and three in seven contractors do not consider it a contractual responsibility.”
“These oversight gaps, both at the contractor and NNSA levels, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.”