Organizations within the National Nuclear Security Administration (NNSA) bureaucracy are reviewing a draft cybersecurity directive the agency wrote after a third-party review, the weapons steward told the Government Accountability Office last week.

The semiautonomous Department of Energy weapons agency planned to issue a final supplemental directive, titled Baseline Cybersecurity Program, by April 30, according to the agency’s response to recent Government Accountability Office (GAO) findings, published Thursday.

NNSA wrote a draft directive after the Institute for Defense Analyses reviewed the agency’s compliance with federal cybersecurity requirements, according to the GAO report, “Nuclear Weapons Cybersecurity: NNSA Should Fully Implement Foundational Cybersecurity Risk Management Practices.”

In 2020, the NNSA’s business operations database was breached by hackers who exploited a weakness in software provided by the company SolarWinds. The hack also hit other Department of Energy networks. News of the hack broke a few days before Congress passed the fiscal year 2020 National Defense Authorization Act, as part of which lawmakers ordered the GAO investigation that led to Thursday’s report and recommendations.