The National Nuclear Security Administration should fully implement foundational cybersecurity practices to protect its digital environments from malicious actors, the Government Accountability Office said.
In a report released Thursday, GAO found that while NNSA has been digitizing and automating its services and equipment, there were gaps in the agency’s cybersecurity policies as well as those of its contractors and subcontractors.
Federal laws require the agency to follow six key principles to mitigate IT security risk. These include assigning risk management roles and responsibilities, establishing an organization-wide risk management strategy, and creating and maintaining cybersecurity program policies.
The government watchdog found that NNSA only partially implemented the foundational practices across its traditional IT, operational technology and nuclear weapons IT environments.
GAO’s audit came after a Senate committee called for a review of the NNSA’s cybersecurity “posture.” As a result, GAO issued nine recommended actions, including involving the NNSA Office of Information Management in monitoring strategies, and reviewing and revising its baseline IT security program directive at least every three years.