The Government Accountability Office has identified major cybersecurity failings at the agency responsible for overseeing the U.S. nuclear stockpile.
In an investigation published Thursday, the watchdog found that the National Nuclear Security Administration (NNSA) had fully implemented just four out of six foundational cybersecurity requirements within its traditional IT environment, which includes computer systems used for weapons design.
In particular, GAO found during its audit that both NNSA and its contractors had not fully implemented a continuous monitoring strategy because their strategy documents were missing key recommended elements.
“Without such elements, NNSA and its contractors lack a full understanding of their cybersecurity posture and are limited in their ability to effectively respond to emerging cyber threats,” GAO said in its report.
Within NNSA’s nuclear weapons IT environment, which refers to IT that is in, or in constant contact with, weapons systems, the watchdog found that the agency had not developed a cyber risk management strategy, which it said “likely constrains NNSA’s awareness of and responses to such threats.”
NNSA’s cybersecurity directive requires contractors to oversee their subcontractors’ cybersecurity measures.
However, when questioned by GAO, three out of seven contractors did not believe this was a contractual responsibility.
“These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected,” the watchdog added in the report.