This week the Government Accountability Office published a report on the cybersecurity efforts at the National Nuclear Security Administration. According to the web site for this report: “The National Nuclear Security Administration (NNSA) and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment. NNSA also has not fully implemented these practices in its operational technology and nuclear weapons IT environments.”
The GAO report recommends (pgs 42-3) that NNSA should:
• Promptly finalize its planned revision of Supplemental Directive 205.1, Baseline Cybersecurity Program, to include the most relevant federal cybersecurity requirements and review the directive at least every 3 years.
• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to develop and maintain cybersecurity continuous monitoring strategies that address all elements from NIST guidance.
• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to identify and assign all risk management roles and responsibilities called for in NIST guidance.
• Direct that the site contractors that have not done so maintain a site-wide cybersecurity risk management strategy that addresses all elements from NIST guidance and perform periodic reviews at least annually.
• Direct the Office of Information Management to identify the needed resources to implement foundational practices for the OT environment, such as by developing an OT activity business case for consideration in NNSA’s planning, programming, budgeting, and evaluation process.
• Establish a cybersecurity risk management strategy for nuclear weapons information technology that includes all elements from NIST guidance.
• Clarify and reinforce to the M&O contractors, such as by a policy flash or other communication, that they are required to monitor subcontractors’ cybersecurity measures.
• Include performance criteria evaluating contractor oversight of subcontractor cybersecurity measures in the annual M&O contractor performance evaluation process.
• Direct Information Management and the Office of Acquisition and Project Management to ensure that Supplemental Directive 205.1 contains language requiring third-party validation of contractor and subcontractor cybersecurity measures.
For a more detailed look at the GAO Report, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/gao-reports-nnsa-cybersecurity-concerns - subscription required.