June 3, 2015

Cybersecurity Controls Over a Major National Nuclear Security Administration Information System

The National Nuclear Security Administration (NNSA) was established by Congress in 2000 as a semiautonomous agency within the Department of Energy (Department).  It is responsible for some of the Department's most sensitive programs, including the management and security of the Nation's nuclear weapons inventory.  NNSA's missions require a secure production and laboratory infrastructure meeting immediate and long-term needs.

Our audit revealed that the system's cybersecurity controls had not been adequately developed, documented, or implemented.  Specifically, we identified weaknesses related to the implementation of access controls and the development and implementation of effective database change management, configuration management, and continuous monitoring processes.

The weaknesses identified occurred, at least in part, because site officials did not ensure that Federal security requirements were fully implemented to protect the system.  Contrary to applicable requirements promulgated by the National Institute of Standards and Technology, the system was put into operation by the site's contractor, as allowed by the site's approved Risk Management Framework, even though various security risks had not been adequately mitigated.  In addition, site officials had not established a formal service level agreement with the system's vendor to define ongoing support requirements for the system.  As a result, we concluded that the system was at an increased risk of loss of availability and compromise of data integrity.

Topic: Management & Administration