Before buying technology, NNSA performs a cyber checkup


Before the National Nuclear Security Administration decides to install any hardware or software on its networks, the technology gets the once-over—a couple of times.

The Energy Department’s largest bureau is applying a more strenuous review of the technology it wants to use than most of its civilian agency counterparts.

Wayne Jones, the chief information officer at the NNSA, said this approach to supply chain risk management aims to reduce the cyber threats his network faces.

Wayne Jones is the National Nuclear Security Administration CIO and associate administrator for information management.

“We have a supply chain management contractor that we work with. We get them to look at some of the applications, companies or technologies that we are looking at,” said Jones on Ask the CIO. “Then we make a decision on what best fits into the NNSA environment, and how that fit will work with our managing and operating partners that we work with on a daily basis.”

Jones said once NNSA identifies the technology or vendor it wants to use, the supply chain contractor analyzes the company or product based on existing data.

Then NNSA conducts a similar review with its intelligence community and decides whether or not to implement a tool.

NNSA is one of the few civilian agencies to have this type of capability in-house. The Homeland Security Department, the Office of Management and Budget and the General Services Administration are working with other agencies to increase the scrutiny on the contractors and products they use through an enterprise risk management approach.

Experts say ensuring supply chain integrity through the acquisition process may be the one way agencies can protect themselves.

Of course, NNSA has plenty of reasons to be concerned about its supply chain as it guards and manages the nation’s nuclear weapons.

These concerns also have slowed the agency’s move to the cloud and other commercial technologies.

But Jones said that is about to change.

“There are some applications that we believe that can be put into a public cloud,” he said. “Then there are also those applications that we have to hold internal to our organization. Those applications will go into a hybrid cloud, which is an on-premises version of a cloud implementation that we have complete control over. That gives our employees an opportunity to work in a cloud environment on-premises and off-premise.”

He said the on-premises hybrid cloud will rely on Microsoft Azure Stack.

NNSA prepared for the move to the cloud by first rationalizing its applications to better understand which ones are ready and able to move off-premises, and which ones need to use the hybrid environment.

Jones said one of the reasons NNSA is more comfortable in moving applications to the cloud is the implementation of a virtual desktop infrastructure (VDI) throughout most of the agency and parts of the Energy Department more broadly.

“It’s an environment that allows us to do a lot of different things to protect our applications and our employees by protecting the application at the back end and allow the employee to access the application through the VDI instead of using a thick client environment to attach to the application by having the application running on his desktop,” Jones said. “It allows us to take care of the cybersecurity stuff on the back end while still protecting the application at the desktop. By pushing it in the back end of the cloud solution, it allows us to wrap the security tools around the application, around the actual cloud environment and gives us a better sense of security in place.”

Jones said one big benefit of the VDI and cloud is that NNSA employees will be able to work from anywhere, at any time, whether in the office, at home or on travel.

“The big difference or benefit with the cloud solution is our ability to wrap the security tools a little tighter,” he said.

Another big priority related to cloud is the move to unified communications. Jones said NNSA already moved to voice over internet protocol (VoIP) and now wants to tie all the capabilities together, including Skype for Business.

And related to all of these IT modernization efforts is ensuring NNSA employees have mobile computing capabilities.

“In our unclassified environment, it’s heavily used as related to NNSA and the work we do,” he said. “But on the classified side, while we do have some mobility, it’s not a great deal because the products and services are not quite secure enough. But with some work on the Defense Department side of the house, we will someday be able to take advantage of the hardened technology.”