Lax Contractor Cybersecurity Oversight
The GAO report also found gaping holes in how cybersecurity measures are enforced and assessed for the contractors that manage and operate NNSA's nuclear security enterprise sites.
NNSA, which has over 50,000 federal and contract employees at labs, plants, and sites nationwide, requires contractors to document how their subcontractors are complying with security standards through its Baseline Cybersecurity Program, which is incorporated into NNSA contracts. However, contractors’ efforts to provide this type of oversight are mixed, and three of seven contractors do not believe it is a contractual responsibility, according to GAO.
“Representatives from each of the M&O [management and operating] contractors told us that they complied with the requirement by including cybersecurity provisions in their subcontracts,” according to the GAO report. “However, through interviews and written responses from representatives of each of the seven M&O contractors, we found that once a subcontract was awarded, M&O contractors’ monitoring of such measures was inconsistent among the sites.”
Another challenge inherent in the Baseline Cybersecurity Program is that the onus for cybersecurity oversight falls on the contractors, and no further supervision from the NNSA exists. The GAO said that while an NNSA official had proposed adding an evaluation of such oversight to its annual contractor performance evaluation process, there was no evidence that the NNSA had applied this measure.
“In light of the increasing threat to systems with federal information, NNSA needs to have greater assurance that contractors and subcontractors are implementing a standardized cybersecurity framework,” according to the GAO report. “These oversight gaps, at both the contractor and NNSA level, leave NNSA with little assurance that sensitive information held by subcontractors is effectively protected.”