The National Nuclear Security Administration \u2014 or NNSA \u2014 is a component of the Energy Department that works to safeguard the nation’s stockpile of nuclear weapons. NNSA\u2019s deputy administrator for defense programs is tasked with chairing the new working group, although they retain the right to designate another member of the group as chairperson.<\/p>\n
In an interview with\u00a0Nextgov\/FCW<\/em>, Carbajal said previous oversight of NNSA\u2019s cybersecurity practices conducted by the Government Accountability Office \u201cgave us an opportunity to be at the forefront of understanding our weaknesses\u201d when it comes to better securing the U.S. nuclear stockpile from outside threats.<\/p>\n A September 2022 GAO\u00a0report<\/a>\u00a0found that NNSA and its contractors had not fully implemented \u201cfoundational cybersecurity risk practices,\u201d including in the agency\u2019s traditional IT environment and \u201cin its operational technology and nuclear weapons IT environments.\u201d The congressional watchdog made nine recommendations for the agency to enhance its cyber standards.<\/p>\n A subsequent GAO\u00a0report<\/a> released in June 2023 also found that \u201cNNSA’s efforts to identify, assess and mitigate cyber risks \u2014 to specific weapons or manufacturing equipment \u2014 are still in the early stages of development,\u201d and noted that the agency \u201cis still trying to inventory systems with potential cybersecurity vulnerabilities.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n Allison Bawden \u2014 a director of GAO’s natural resources and environment team who co-authored the previous NNSA-focused reports \u2014 said the watchdog was \u201chappy to see the congressional attention to and support for improvements in NNSA\u2019s cybersecurity practices.\u201d<\/p>\n \u201cThe working group that the legislation creates will help to strategically drive progress on the critical activities to inventory systems potentially at risk and move the agency toward achieving foundational cybersecurity risk practices,\u201d she added.<\/p>\n Within 120 days of the NDAA\u2019s enactment, the working group must\u00a0brief relevant congressional defense committees on its plan for addressing identified cybersecurity gaps within NNSA\u2019s nuclear systems. The group\u2019s plan will be required to \u201cincorporate key elements of effective cybersecurity risk management strategies\u201d that were identified by GAO. The working group will also be required to submit its completed strategy to the congressional defense committees no later than April 1, 2025.<\/p>\n Carbajal said the working group-based approach to enhancing NNSA\u2019s cybersecurity practices will provide \u201ccollaborative expertise that will ensure that we have the framework moving forward, and the milestones and timelines to effectively \u2014 and sooner rather than later \u2014 be successful in achieving the objective\u201d of better securing U.S. nuclear weapons from potential risks.<\/p>\n The congressman added that growing cyber threats to U.S. critical infrastructure services and sensitive weapons capabilities necessitate the need for stricter security standards, particularly when those shortcomings have already been pointed out.<\/p>\n \u201cWe’ve already seen threats to essential infrastructure throughout our country by other actors \u2014 in some cases, countries; in some cases, terrorist groups \u2014 that do want to infiltrate and disrupt, destroy and hurt the American people,\u201d Carbajal said, adding that \u201cI’m just glad that this was identified and I was able to move it forward in a bipartisan fashion.\u201d<\/p>\n An NNSA spokesperson said the agency \u201ccontinually collaborates across the Nuclear Security Enterprise on cybersecurity-related matters,\u201d referencing\u00a0the national network<\/a>\u00a0of labs, testing facilities and other sites involved in researching, developing and overseeing the U.S. nuclear stockpile.<\/p>\n \u201cNNSA intends to comply with the NDAA and ensure this foundational work will continue to mature and develop into a comprehensive strategy for inventorying and assessing systems, particularly for operational technology and nuclear weapons information technology environments,\u201d the spokesperson added.<\/p>\n<\/div>\n<\/div>\n<\/div>\n