At the National Nuclear Security Administration (NNSA), information technology is embedded in more than computers—it's in equipment used to produce nuclear weapon components and in nuclear weapons themselves. Federal law requires NNSA to manage cybersecurity risks. NNSA has been developing risk management policies and practices for both of these IT environments.
However, NNSA's efforts to identify, assess, and mitigate cyber risks—to specific weapons or manufacturing equipment—are still in the early stages of development. For instance, NNSA is still trying to inventory systems with potential cybersecurity vulnerabilities.
What GAO Found
The National Nuclear Security Administration (NNSA) and its contractors who operate its laboratory and production sites are increasingly integrating digital systems into nuclear weapons and into manufacturing and industrial control processes and operations at sites across the nuclear security enterprise. These digital systems could be targeted by malicious actors, and NNSA has stated that securing its digital assets is an agency priority. To protect against such threats, federal law and policies require that NNSA establish a program to manage cybersecurity risk.
NNSA and its contractors remain in the early stages of efforts—even after several years—to address cybersecurity at the system level in its operational technology (OT) and nuclear weapons IT environments.
- The operational technology environment includes manufacturing equipment and industrial control systems with embedded IT. NNSA has estimated that there could be hundreds of thousands of OT systems at sites across the nuclear security enterprise. NNSA is taking some steps as a precursor to creating an inventory of systems in its OT environment and assessing and mitigating the risks to such systems. Such steps include developing an OT-specific guidebook for assessing risk to OT systems and creating and conducting OT training for NNSA and site contractors. NNSA's efforts to create an inventory of OT systems across all its sites and to assess and mitigate risks to them, however, are still in very early stages and limited in scope. NNSA's main actions include working with the sites to identify the most critical OT capability at each and having them conduct an assessment of a single OT system or component as a learning exercise.
- The nuclear weapons IT environment includes IT within or in contact with weapons. NNSA officials do not have an estimate of the number of nuclear weapons IT systems, but they told us that the number is smaller than in the OT environment. NNSA has begun a number of efforts to facilitate the creation of an inventory of nuclear weapon IT systems and to assess and mitigate the cyber risks to such systems, but these efforts are not yet complete. These steps are intended to produce a formal definition of nuclear weapons IT, a cybersecurity risk management framework, an analysis of the gaps between NNSA's cybersecurity risk management framework and existing engineering processes, and revised internal guidance.
NNSA officials told us that cyber risks vary from one nuclear weapon type to another. NNSA officials said that they have conducted preliminary reviews and determined that current nuclear weapons generally contain little IT that is at risk, because of their age and reliance on older technology. However, newer and more modern weapons are slated to begin entering the stockpile after 2030 and may contain more IT. For these weapons, NNSA officials said that each program is still considering approaches to managing cybersecurity risks as part of the weapon design and development process.
Why GAO Did This Study
The classified annex to Senate Report 116-48 accompanying the National Defense Authorization Act for Fiscal Year 2020 includes a provision for GAO to review NNSA's practices and policies for the cybersecurity of nuclear weapons, and we were asked to perform related work. In September 2022, we issued a report that assessed NNSA's nuclear weapon cybersecurity efforts from a broad organizational and planning perspective in these two environments. This report describes the steps that NNSA has taken to inventory the range of systems in the OT and nuclear weapons IT environments and to assess and mitigate the cyber risks to such systems.
We reviewed NNSA directives and guidance that direct NNSA and its site contractors to establish cybersecurity risk management frameworks. We also reviewed NNSA and contractor documents, such as OT assessment reports and program protection plans for certain weapons. We also interviewed NNSA officials and evaluated responses to written questions sent to contractor representatives at each of the sites.