The National Nuclear Security Administration (NNSA), which delivers and maintains the stockpile of U.S. nuclear weapons and aims to prevent the spread of nuclear weapons around the world, plans to deploy commercial cloud-based technologies for their classified systems, according to a new GovFocus interview with GovCIO Media & Research.
One of the NNSA's top-level modernization priorities is to improve collaboration and interoperability with the help of commercial cloud services.
"Making the systems work together across the organization, not only from a business automation perspective … but we also need the functions and the mission to work together to share information and be collaborative across all mission areas," James Wolff, associate administrator for information management and CIO at NNSA, told GovCIO Media & Research during a December GovFocus interview.
Modernizing NNSA Classified Systems
While the agency already deploys a number of commercial cloud-based technologies such as analytics or collaboration tools, those capabilities reside on its unclassified systems. Now NNSA hopes to deploy commercial cloud-based technologies for classified data, an effort in very early stages.
"We're bringing in these technologies into both private clouds but also commercial clouds and introducing that innovation so that we've reaped the benefits of those technologies and the commercial nature of the systems for our classified missions," Wolff said. "And we can do things like mobility where we couldn't do it before. We can innovate on capability where we had to do that before instead of leveraging the commercial market."
One example of a program allowing NNSA employees to access classified networks and classified information over the public internet is CSSC, or Commercial Systems for Classifiers. While the program has been around for a long time, it was not widely adopted until the COVID-19 pandemic began.
"This has really changed everything, and it's changing everything, and how people access the data from where they access the data and their applications. But it goes deeper than that. It's actually enhanced the mission capabilities as well," Bryan Courtright, Vice President of Engineering at ID Technologies, told GovCIO Media & Research in a recent GovFocus interview. "Under certain circumstances, still, you can't be working in Starbucks and access a classified document. But if you're at home and you're working in the right environment, you can."
Joint Warfighting Cloud Capability (JWCC)
The Defense Department (DOD) aims to make the JWCC award at the end of the year, which will include the four largest cloud-provider platforms, including Amazon Web Services, Google, Microsoft, and Oracle.
These tech providers will produce "a multi-cloud effort that will provide enterprise cloud capabilities for the Defense Department at all three security classifications: unclassified, secret and top secret all the way from the continental United States out to the tactical edge," according to DOD CIO John Sherman.
NNSA already has several pilots in the works leveraging mobility options and bringing this capability to the agency's employees, but is also closely following the JWCC procurement efforts.
"One of the things I am really excited in this area is DOD has put incredible investment into classified systems that are commercial-based. We've been watching that with anticipation," Wolff said. "We actually have some pilot work that's starting to look at those systems, and then hopefully bring those into our environment to enable our workforce to be able to use those capabilities."
Cybersecurity Risk Management
NNSA operates within information technology (IT), operational technology (OT) and nuclear weapons IT (NW-IT) digital environments. The agency relies on computer modeling to design weapons and computer simulation to perform nuclear stockpile testing. As the agency scales up its use of advanced computers and digital systems, cybersecurity risk management becomes essential to protect one of the most sensitive missions in government from cyberattacks.
"We're in this world where everything is changing around us, and it doesn't help that the tools that we have are also changing, so it's a multi-dimensional problem that's really hard to manage," Wolff said.
The Government Accountability Office (GAO) recently released a report outlining foundational practices for establishing an organization-wide cybersecurity risk management program after finding the NNSA and its contractors still need to implement a number of foundational cybersecurity risk practices.
Some of the practices GAO recommended include developing and maintaining a strategy to monitor risks across the agency, identifying and assigning cybersecurity roles and responsibilities for risk management, and accessing and updating policies and plans for the cybersecurity program.
"All the different technology centers within the federal government have given us guidance on what kinds of investments we should be making to improve cybersecurity," Wolff said. "I look at that guidance and I see a lot of technology modernization in that guidance also, there's guidance around, you know, how do we manage the systems that are connecting to the network? How do we architect security from a cloud perspective?"
NNSA is in the process of working on an enterprise-scale endpoint detection response (EDR) capability based on the guidance it received from the Office of Management and Budget (OMB). Previously, each part of NNSA had its own EDR capability that reported to a centralized enterprise SOC. Some parts of the agency are in the process of acquiring the capability, while others are already in the deployment phase.
"Hopefully, next year, when we're sitting around talking about this, we will be in that common technology suite. Our security operations center will have a common picture and transparency across the organization," Wolff said. "I see a lot of opportunity in front of us to do things in common frameworks, but also sometimes in common technologies. That gives the entire organization the ability to be secure and understand security. In ways that we have never done it before."
NNSA faces the same technology, data and cybersecurity workforce challenges faced by other federal agencies. But NNSA faces a unique workforce challenge where parts of the organization have many new hires and other parts have many senior-level employees, while missing middle-level management employees.
"We're not doing as good of a job as we should about growing up that middle-level management and transitioning the new people, the most junior, into kind of that medium- or that mid-career expertise level," Wolff said. "So we're trying to pay a lot of attention to not only create paths for that, but to look at the overall — the recruiting, the retention, the development of the workforce, to make sure that the people that we have are fully supported in their careers also. We have incredible engineers, we have incredible scientists, we have smart people that are doing work every day. They are the ones that are using these tools. They're the ones that are re-architecting to me zero trust principles or to deploy these capabilities. It's how do we support them and doing it also, we need them to be successful."