Energy Department Revising Cybersecurity Requirements for Nuclear Administration Contractors

The Department of Energy will be updating its cybersecurity and information technology requirements according to a watchdog report about contractors who work on the security of the nation’s nuclear stockpile saying they’re too onerous to comply with. 

Cybersecurity and IT is one of four areas where Energy plans to revise rules governing contractors at the National Nuclear Security Administration, according to a June 16 Government Accountability Office report on the contractors’ perspective. 

The NNSA was one of several government agencies targeted in the hacking campaign where adversaries leveraged unauthorized access to IT management contractor SolarWinds to deliver trojanized software updates to tens of thousands of public and private entities. 

The SolarWinds event prompted Executive Order 14028, which calls for federal contractors eventually adhering to stricter cybersecurity standards. And the NNSA was in the news again in June after subcontractor Sol Oriens acknowledged it was responding to a cyber incident.

The company told CNBC it “recently determined that an unauthorized individual acquired certain documents from our systems. Those documents are currently under review, and we are working with a third-party technological forensic firm to determine the scope of potential data that may have been involved.”

NNSA did not respond to a request for comment by deadline and Sol Oriens said “no current indication that this incident involves client classified or critical security-related information.” But the attack was reportedly the work of ransomware gang REvil, which, according to Mother Jones, blogged that Sol Oriens “did not take all necessary action to protect personal data of their employees and software development for partner companies … We hereby keep a right (sic) to forward all of the relevant documentation and data to military agencies of our choise (sic), including all personal data of employees.”

That doesn’t bode well for future exploitation, one cybersecurity professional told Nextgov.

“REvil’s threat is a clear and long-term threat,” said Jim Gogolinski, vice president of research and intelligence at cyber company iboss. “In the short term, any classified data could be shared or sold to nations hostile to the United States. In the long term, the personnel information extracted could be used for targeting Sol Oriens’ employees through social engineering as well as classic espionage elicitation techniques.”

But just as the Biden administration looks to strengthen contractor requirements, Energy is under pressure to reduce what NNSA contractors interpret to be burdensome regulation in accordance with a congressional effort that began over a decade ago.

“Reports by congressionally mandated panels and commissions published in the past 10 years have found that the environment in which NNSA carried out its oversight of [management and operations] contractors was strained due, in part, to requirements perceived by the M&O contractors as unnecessarily burdensome,” according to the GAO report.

NNSA officials told the GAO the contractors may have misinterpreted some of the regulations over the years. GAO’s findings also reflect the possibility of such misinterpretations.

“While carrying out its own initiative looking into burdensome requirements, [one] contractor observed instances in which the burden of a requirement might have originated from the M&O contractor itself through its interpretation or implementation of the requirement,” GAO wrote.

A DOE spokesperson told Nextgov there are numerous other reasons for revising the regulations.

Editor's note: This story has been updated to reflect comments from the DOE.