In the report (PDF) published in April and unearthed by ZDNet, the Inspector General detailed the flaws it found in five random locations where the Missile Defense Agency installed ballistic missiles as part of the program. One of the most common issues it came across was lax enforcement when it comes to multi-factor authentication.

Apparently, many users/employees who have access to the BMDS’ network in three of the five locations haven’t even switched on multi-factor. Instead, they continue to use only their access cards and passwords for entry. And that’s probably not secure enough, since, you know, the system was designed to launch ballistic missiles in order to intercept enemy nuclear rockets and defend US territories.

The auditors also found that three of the five missile locations didn’t apply patches for vulnerabilities discovered years and years ago, even as far back as 1990.