An unsecured nuclear weapons arsenal is the sort of thing that is likely to keep Americans up at night. Now, a new government report is raising the alarm.
The Government Accountability Office has issued a report, “Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices,” that says the National Nuclear Security Administration (NNSA) has not implemented all of the recommended measures.
“The National Nuclear Security Administration (NNSA) is increasingly relying on advanced computers and integrating digital systems into weapons and manufacturing equipment. But, these systems could be hacked,” the report said. “Federal laws and policies suggest 6 key practices to set up a cybersecurity management program, such as assigning risk management responsibilities. However, NNSA and its contractors haven’t fully implemented these practices.”
The six “foundational cybersecurity risk practices” are the following: “Identify and assign cybersecurity roles and responsibilities for risk management,” “Establish and maintain a cybersecurity risk management strategy for the organization,” “Document and maintain policies and plans for the cybersecurity program,” “Assess and update organization-wide cybersecurity risks,” “Designate controls that are available for information systems or programs to inherit,” and “Develop and maintain a strategy to monitor risks continuously across the organization.”
“Both NNSA and its contractors had not fully implemented a continuous monitoring strategy because their strategy documents were missing key recommended elements,” the report said. “Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats.”
The report singles out one strategy that has not been fully implemented.
“NNSA has not developed a cyber risk management strategy to address nuclear weapons IT-specific threats. The absence of such a strategy likely constrains NNSA’s awareness of and responses to such threats,” GAO said.
“An NNSA official proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, but NNSA could not provide evidence that it had done so. These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected,” the report concluded.