The process is too time-consuming and narrow to be effective, according to officials at the National Nuclear Security Administration.
The Energy Department is relying increasingly on foreign companies to build components for nuclear weapons, but it’s never once used its authority to exclude risky tech vendors from the supply chain, according to a congressional watchdog.
In 2013, Congress authorized the energy secretary to prohibit vendors that “present a significant supply chain risk” from winning contracts related to the country’s nuclear weapons programs. However, the Government Accountability Office found legal limitations and excessive bureaucracy have kept officials from excluding any vendors for nearly six years, despite growing risks to the country’s nuclear supply chain.
Those enhanced procurement authorities will likely continue to go unused unless Congress amends the law, leaving the door open for adversaries to “introduce into the components malicious code or malware that could … undermin[e] confidence in the nuclear weapons systems and their operational effectiveness,” auditors said in a report published last week.
Though the energy secretary makes the final decision to blacklist risky vendors, the National Nuclear Security Administration is responsible for determining when that authority should be used.
In 2018, NNSA officials told GAO there are multiple foreign tech companies that “present potential security vulnerabilities that could allow for unauthorized access to sensitive information.” Still, they said they likely won’t use enhanced procurement authorities to exclude those vendors because of multiple concerns with the statute.
Specifically, they told GAO the process for blacklisting vendors takes too long. Because so many officials needed to review security information, it could take more than six months for the energy secretary to approve the ban, leading to significant delays in the procurement schedule, NNSA officials said. Additionally, the secretary can only issue bans for one-off procurements, meaning risky vendors would be legally eligible to compete for future contracts.
Instead of using the authorities, which they don’t see as efficient or scalable, NNSA officials told GAO they lean on other measures to exclude risky vendors from contracts, like competitive procurement exceptions or governmentwide prohibitions.
Still, GAO urged officials to call on Congress to make their existing authorities easier to use. NNSA is currently drafting a report that suggests delegating the enhanced procurement authority to a lower-ranking official, which would shorten the approval process, and allowing blanket bans on specific contractors.
NNSA expected to send their suggestions to Congress by October 2018, but the process was significantly delayed. Officials told GAO they are now shooting to have the report submitted by the end of fiscal 2019.
The GAO report comes as the government works to create a more scalable and sustainable process for addressing supply chain threats. While one-off bans on companies like Huawei and Kaspersky Lab can help reduce security risks, federal cyber leaders see them as too narrow to keep compromised software out of the government’s IT ecosystem.