NDAA provision looks to close cybersecurity gaps in nuclear weapons systems

A bipartisan proposal in the recently passed defense policy bill will establish a working group tasked with mitigating previously identified cybersecurity gaps in the nation’s nuclear weapons systems.

The provision — first introduced in June by Reps. Salud Carbajal, D-Calif., Don Bacon, R-Neb., and Mike Gallagher, R-Wis. — was included in the fiscal year 2024 National Defense Authorization Act, which is headed to President Joe Biden’s desk following its passage in the Senate on Wednesday and in the House on Thursday. 

The measure will create a “Cybersecurity, Risk Inventory, Assessment and Mitigation Working Group” within the Department of Defense charged with developing a “comprehensive strategy for inventorying the range of systems of the [National Nuclear Security Administration] that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk based on mission impact and implementing risk mitigation actions.”

The National Nuclear Security Administration — or NNSA — is a component of the Energy Department that works to safeguard the nation's stockpile of nuclear weapons. NNSA’s deputy administrator for defense programs is tasked with chairing the new working group, although they retain the right to designate another member of the group as chairperson.

In an interview with Nextgov/FCW, Carbajal said previous oversight of NNSA’s cybersecurity practices conducted by the Government Accountability Office “gave us an opportunity to be at the forefront of understanding our weaknesses” when it comes to better securing the U.S. nuclear stockpile from outside threats.

A September 2022 GAO report found that NNSA and its contractors had not fully implemented “foundational cybersecurity risk practices,” including in the agency’s traditional IT environment and “in its operational technology and nuclear weapons IT environments.” The congressional watchdog made nine recommendations for the agency to enhance its cyber standards.

A subsequent GAO report released in June 2023 also found that “NNSA's efforts to identify, assess and mitigate cyber risks — to specific weapons or manufacturing equipment — are still in the early stages of development,” and noted that the agency “is still trying to inventory systems with potential cybersecurity vulnerabilities.”

Allison Bawden — a director of GAO's natural resources and environment team who co-authored the previous NNSA-focused reports — said the watchdog was “happy to see the congressional attention to and support for improvements in NNSA’s cybersecurity practices.”

“The working group that the legislation creates will help to strategically drive progress on the critical activities to inventory systems potentially at risk and move the agency toward achieving foundational cybersecurity risk practices,” she added.

Within 120 days of the NDAA’s enactment, the working group must brief relevant congressional defense committees on its plan for addressing identified cybersecurity gaps within NNSA’s nuclear systems. The group’s plan will be required to “incorporate key elements of effective cybersecurity risk management strategies” that were identified by GAO. The working group will also be required to submit its completed strategy to the congressional defense committees no later than April 1, 2025.

Carbajal said the working group-based approach to enhancing NNSA’s cybersecurity practices will provide “collaborative expertise that will ensure that we have the framework moving forward, and the milestones and timelines to effectively — and sooner rather than later — be successful in achieving the objective” of better securing U.S. nuclear weapons from potential risks. 

The congressman added that growing cyber threats to U.S. critical infrastructure services and sensitive weapons capabilities necessitate the need for stricter security standards, particularly when those shortcomings have already been pointed out. 

“We've already seen threats to essential infrastructure throughout our country by other actors — in some cases, countries; in some cases, terrorist groups — that do want to infiltrate and disrupt, destroy and hurt the American people,” Carbajal said, adding that “I'm just glad that this was identified and I was able to move it forward in a bipartisan fashion.”

An NNSA spokesperson said the agency “continually collaborates across the Nuclear Security Enterprise on cybersecurity-related matters,” referencing the national network of labs, testing facilities and other sites involved in researching, developing and overseeing the U.S. nuclear stockpile.

“NNSA intends to comply with the NDAA and ensure this foundational work will continue to mature and develop into a comprehensive strategy for inventorying and assessing systems, particularly for operational technology and nuclear weapons information technology environments,” the spokesperson added.