Atlas VPN reports: US Nuclear Security body fails in security measures
A recent document acquired by Atlas VPN reveals that a federal watchdog chastised the US agency in charge of maintaining and modernizing the country's nuclear arsenal for lax cybersecurity procedures that jeopardise both IT and operational technology networks.
The United States Government Accountability Office (GAO) issued an 81-page report on September 24th, 2022, outlining the National Nuclear Security Administration's (NNSA) cybersecurity failings.
The NNSA is a separate agency within the Department of Energy (DOE) tasked with managing U.S. nuclear weapons at eight laboratory and production sites across the country.
According to the GAO, the NNSA and its contractors have not completely adopted six legally mandated cybersecurity standards, including basic risk management techniques.
NNSA failed to fully implement two out of six mandatory cybersecurity measures, including the development and maintenance of an organization-wide continuous monitoring strategy as well as the documentation of cybersecurity policies and plans.
NNSA contractors responsible for management and operational activities have to adhere to the same strict standards, but they failed on multiple fronts as well. Most notably, they were unable to implement the same organization-wide monitoring strategy that NNSA struggled with.
Out of seven M&O (management and operating) contractors, four implemented the monitoring policy substantially, one partially, and two barely improved the cybersecurity measure.
Unlike NNSA, all contractors were able to document and maintain cybersecurity policies and plans according to the outlined standards.
However, four contractors assigned most, but not all, cybersecurity management roles and responsibilities. One M&O partner assigned only about half of the roles and duties.
The last area where some M&O contractors struggled was the establishment and maintenance of a cybersecurity strategy for the organization. Two partners implemented the measure substantially, while one implemented it only partially, at around 50%.