Review – GAO Reports NNSA Cybersecurity Concerns

This week the Government Accountability Office published a report on the cybersecurity efforts at the National Nuclear Security Administration. According to the web site for this report: “The National Nuclear Security Administration (NNSA) and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment. NNSA also has not fully implemented these practices in its operational technology and nuclear weapons IT environments.”

The GAO report recommends (pgs 42-3) that NNSA should:

• Promptly finalize its planned revision of Supplemental Directive 205.1, Baseline Cybersecurity Program, to include the most relevant federal cybersecurity requirements and review the directive at least every 3 years.

• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to develop and maintain cybersecurity continuous monitoring strategies that address all elements from NIST guidance.

• Direct NNSA’s Office of Information Management, and the site contractors that have not done so, to identify and assign all risk management roles and responsibilities called for in NIST guidance.

• Direct that the site contractors that have not done so maintain a site-wide cybersecurity risk management strategy that addresses all elements from NIST guidance and perform periodic reviews at least annually.

• Direct the Office of Information Management to identify the needed resources to implement foundational practices for the OT environment, such as by developing an OT activity business case for consideration in NNSA’s planning, programming, budgeting, and evaluation process.

• Establish a cybersecurity risk management strategy for nuclear weapons information
