Lawmakers propose shoring up nuclear cyber standards ahead of NDAA markup

Rep. Salud Carbajal, shown here after a vote in 2022, teamed up with two Republican lawmakers on a bill to tighten cyber standards at the agency that safeguards the U.S. nuclear arsenal. Bill Clark/CQ-Roll Call, Inc via Getty Images

The bipartisan proposal, which could be added to the FY2024 defense policy bill, would establish a federal working group to help address gaps in the cyber practices securing the nation’s nuclear weapons stockpile.

A bipartisan trio of lawmakers on the House Armed Services Committee unveiled a measure on Thursday that would address security risks to the nation’s nuclear weapons systems by creating a federal working group to help mitigate previously identified cybersecurity gaps.

The proposal — from Reps. Salud Carbajal, D-Calif., Don Bacon, R-Neb. and Mike Gallagher, R-Wis. — would establish a Cybersecurity, Risk Inventory, Assessment and Mitigation Working Group within the Department of Defense that is tasked with creating “a comprehensive strategy for inventorying the range of National Nuclear Security Administration systems that are potentially at risk in the operational technology and nuclear weapons information technology environments, assessing the systems at risk and implementing risk mitigation actions.”

The lawmakers are looking to include the measure in the 2024 National Defense Authorization Act. The committee's markup of the must-pass defense policy bill is taking place June 21.

A September 2022 report issued by the Government Accountability Office found that the National Nuclear Security Administration — the federal agency tasked with safeguarding the nation’s nuclear weapons stockpile — failed to fully implement “foundational cybersecurity risk practices” across its systems, including in its “operational technology and nuclear weapons IT environments.”

The strategy created by the working group would be required to “incorporate key elements of effective cybersecurity risk management strategies” previously recommended by GAO in last year’s report. Within 120 days of the measure’s enactment, the working group would be required to brief congressional defense committees about its plan for implementing the strategy. The proposal calls for a completed strategy to be submitted to the House and Senate defense panels by April 1, 2025. 

“A ready and resilient nuclear force is critical to American deterrence,” Gallagher — who chairs the Select Committee on China — said in a statement. “I am proud to co-sponsor this bipartisan effort to ensure that the systems keeping our nuclear forces capable are cyber secure — free from adversarial interference and prepared for action at all times.”

Carbajal told Nextgov/FCW via email that “GAO has already outlined the roadmap for where potential vulnerabilities are in our systems,” which has enabled lawmakers “to see such gaps before they're exploited.”

"This is certainly about more than just implementing good operational standards though,” he added. “This is about getting the right people together to close these gaps and perhaps identify other improvements along the way."

Carbajal said that creating a working group was the best approach for addressing these cybersecurity gaps because “we don't need to create a new position to carry out these improvements, or put this on one person's plate.”

“A working group puts the right people already tasked with these missions in a room together for as long as it takes to complete this task,” he said.