The agency responsible for safeguarding the nation's nuclear weapons did not fully implement key practices that address cybersecurity risks on its computer systems, including some used for weapons design, according to a recent report. And neither did its contractors.
The National Nuclear Security Administration and its contractors failed to fully implement six foundational cybersecurity risk practices in its IT environments, according to a Government Accountability Office report released on Thursday. That includes standard and operational computer systems for manufacturing equipment, building control, and those that are "in contact with" nuclear weapons.
The NNSA fully implemented four of six cybersecurity risk management practices based on guidance from the Office of Management and Budget, National Institute of Standards and Technology, and Committee on National Security Systems, the GAO found. And it partially implemented two others—developing and maintaining an organization-wide continuous monitoring strategy and documenting cybersecurity program policies and plans.
NNSA contractors are required to oversee their subcontractors' cybersecurity measures, but the efforts to do so were "mixed," according to the report, with three of the seven contractors denying that doing so was a contractual responsibility.
"These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected," the GAO reported.
The agency upheld four foundational cybersecurity practices, including assigning risk management roles and responsibilities, maintaining an organization-wide cybersecurity risk management strategy, keeping up with cybersecurity risks, and designating controls for information systems.
The GAO also found that the NNSA did not have proper oversight of its contractors' cybersecurity practices. Two of the seven contractors the GAO evaluated minimally implemented continuous monitoring strategies, with one more doing so partially.
"By not developing and maintaining a comprehensive continuous monitoring strategy that includes all elements from NIST guidance, the contractors at the Savannah River, Kansas City, and Nevada sites lack a clear understanding of their site-wide cybersecurity postures and are limited in their ability to respond to emerging cyber threats in a timely manner," the report states.
The report comes amid growing scrutiny of federal government subcontractors, particularly in defense and national security, as reliance on digital infrastructure grows and cybersecurity threats grow along with it. High-profile cybersecurity attacks, such as SolarWinds, Log4j, and Colonial Pipeline, have also heightened concerns about cyber threats.
The GAO is recommending that the NNSA implement a series of policy changes, including fully implementing IT continuous monitoring and nuclear weapons risk management strategies. The report also recommends that NNSA's acquisition office clarify and reinforce policy for contractors enforcing their authority to monitor subcontractors' cybersecurity measures.