National Nuclear Security Administration Made ‘Limited Progress,’ Says GAO
Operation technology security is underfunded at the federal agency that oversees the safety and security of the U.S. nuclear arsenal, a congressional watchdog says.
The National Nuclear Security Administration has recognized since at least 2018 that the manufacturing environment for nuclear weapon components needs a different approach to cybersecurity than the information technology network. In the years since, the agency has “made limited progress” in implementing what the Government Accountability Office calls foundational risk management practices at an organizational level.
NNSA officials told the GAO for a report that more than 200,000 unique pieces of operational technology are deployed across nuclear weapon component manufacturing sites in the United States. Those include national laboratories such as Los Alamos in New Mexico and centers such as the Y-12 National Security Complex in Tennessee.
Through an initiative now known as Operational Technology Assurance, government officials have sought to close the OT security gap by identifying high-priority functions and best practices for securing industrial systems, which differ markedly from ordinary cybersecurity. OT devices lack features IT personnel take for granted, such as encryption, error logging and passwords. Their management typically falls to control engineers, making IT risk management frameworks a poor fit for securing OT.
Officials responsible for OT security told auditors they lack resources to “support a robust OT cybersecurity risk management program.”
They even told auditors they hoped the report would be impetus for additional funding although they also anticipate diminished budget in coming federal fiscal years. Written answers from the agency indicated that the Department of Defense could use some of its funding to assist with NNSA OT security efforts.
Foundational security practices identified by the GAO include identifying and assigning cybersecurity risk roles, maintaining a risk management strategy, documenting and maintaining policies, assessing risks; choosing controls and the ongoing monitoring of risk.
The GAO says the agency is “making progress” in implementing most foundational risk management practices when it comes to the IT contained within a warhead itself that pertain to activities such as stockpile surveillance and flight testing. IT for the broader weapon system comes under the DOD’s purview.
It also says the agency has fully or partially implemented foundational risk activities pertaining to the IT network while the seven contractors charged with operating nuclear sites have implemented them in degrees ranging from fully to minimally. It assesses that contractors do an inconsistent job of monitoring the cybersecurity programs of their subcontractors. The NNSA has not made subcontractor oversight part of its performance criteria to assess contractor performance.
The report makes nine recommendations, and NNSA Administrator Jill Hruby concurred with all of them.