GAO Cyber Concerns in NNSA IT Environments

Published: October 13, 2022

Federal Market Analysis, Cybersecurity, Government Performance, Information Technology, NNSA

The federal watchdog identified several weaknesses in the implementation of cyber practices at the NNSA, which oversees and operates the nation’s nuclear arsenal.

In a recently issued report, the Government Accountability Office (GAO) took a detailed look at the cyber practices of the organization responsible for managing U.S. nuclear weapons. The GAO found that the National Nuclear Security Administration (NNSA) and seven contractor-operated NNSA sites have not fully implemented the cybersecurity requirements set out in several federal laws, executive orders and policies.

Specifically, the GAO examined six cyber practices across three NNSA digital environments: traditional IT (IT), operational technology (OT) and nuclear weapons IT (NW-IT), to determine the strength of the agency’s cybersecurity program. The IT environment includes computer systems used for weapons design, while OT includes manufacturing equipment and building control systems with embedded software to monitor physical devices. The NW-IT environment includes any IT in, or in contact with, weapons.

In its examination, the federal watchdog found that NNSA and its contractors were further along in implementing foundational cyber risk management practices in the traditional IT environment than in the other two environments:

Note: An “x” in the above chart marks a cyber practice that is NOT implemented or only PARTIALLY implemented by NNSA or its contractors.

The GAO found that NNSA has made little progress on any of the risk management practices in the OT environment because of the size of that environment and the complexity of its systems. In other words, the agency has been unable to identify the resources needed to fully implement the practices in that environment. NNSA is currently managing OT cybersecurity with the risk management program developed for traditional IT, even though NIST calls for different approaches for OT systems. NNSA began the Operational Technology Assurance (OTA) initiative in 2018 to implement risk management practices in the OT environment; nonetheless, after three years the OTA initiative is still considered to be in its infancy. NNSA requested funding for OT cybersecurity in FY 2023. Though personnel training and technical tools for the OTA initiative seem likely to be funded in FY 2023, NNSA plans to request additional funding in FY 2024 to conduct an inventory and categorization of OT systems, procure additional tools and storage capacity, and hire additional staff to advance the initiative.

In the NW-IT environment, NNSA officials told the GAO that activities are underway to complete four of the remaining five practices. In particular, the agency created the Nuclear Digital Assurance (NWDA) initiative in 2019 to implement a NIST-aligned risk management framework for the NW-IT environment. In October 2021, NNSA established the Nuclear Enterprise Assurance (NEA) division to manage the NWDA. NNSA requested nearly $49M to fund the NEA; if funded, NNSA will implement the planned cyber risk practices for both NW-IT and nuclear weapon-related OT activities.

Accordingly, the GAO made seven recommendations in response to the above findings, for the NNSA and its contractors to address the identified cyber concerns:

  • Finalize the planned revision of Supplemental Directive 205.1, Baseline Cybersecurity Program to incorporate the latest cyber directives.
  • Develop and maintain cybersecurity continuous monitoring strategies that align with all NIST guidance.
  • Assign all risk management roles and responsibilities per NIST guidance.
  • Maintain a site-wide cybersecurity risk management strategy and review it at least annually.
  • Identify the resources needed to implement foundational practices for the OT environment, including developing a business case for OT activity in NNSA’s budget process.
  • Establish a cybersecurity risk management strategy for NW-IT to align with all NIST guidance.

Overall, NNSA agreed with the recommendations, citing the completion of Supplemental Directive 205.1, Baseline Cybersecurity Program as helping to fulfill some of them. Moreover, the agency stated that the identification of resources to develop an OT business case is planned for completion by April 2023, and that a cyber risk management strategy for NW-IT under the NEA division is anticipated by September 2023.