Information Security:

Actions Needed to Manage, Protect, and Sustain Improvements to Los Alamos National Laboratory's Classified Computer Network

GAO-10-28: Published: Oct 14, 2009. Publicly Released: Nov 13, 2009.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Los Alamos National Laboratory (LANL), which is overseen by the National Nuclear Security Administration (NNSA), has experienced a number of security lapses in controlling classified information stored on its classified computer network. GAO was requested to (1) assess the effectiveness of security controls LANL used to protect information on its classified network, (2) assess whether LANL had fully implemented an information security program to ensure that security controls were effectively established and maintained for its classified network, and (3) identify the expenditures used to operate and support its classified network from fiscal years 2001 through 2008. To carry out this work, GAO examined security policies and procedures and reviewed LANL's access controls for protecting information on its classified network.

LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory's classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating the identity of users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance. A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained. Shortfalls in the program include, among other things, (1) the lack of comprehensive risk assessments to ensure that appropriate controls are in place to protect against unauthorized use, (2) not developing detailed implementation guidance for key control areas such as marking the classification level of information stored on the classified network, (3) inadequate specialized training for users with significant security responsibilities, and (4) not adequately developing and testing disaster recovery and contingency plans to reduce the risk that the laboratory cannot resume normal operations after a service disruption. LANL's security plans and test plans were neither comprehensive nor detailed enough to identify certain critical weaknesses on the classified network. Furthermore, the laboratory's decentralized approach to information security program management has led to inconsistent implementation of policy, and although the laboratory has taken steps to address management weaknesses, its efforts may be limited because LANL has not demonstrated a consistent capacity to sustain security improvements over the long term.

Since fiscal year 2001, the laboratory has spent approximately $433 million, in constant 2009 dollars, to operate and support its classified network. Between fiscal years 2001 and 2008, annual expenditures increased from about $20 million to $80 million. Expenditures for the core classified cyber security program, which serves as the foundation of LANL's protection strategy for the classified cyber security program, accounted for $45 million of total expenditures over the period. According to LANL, funding for its core classified cyber security program was inadequate for implementing an effective program during fiscal years 2007 and 2008. However, according to NNSA, it funded programs based on available resources and risk evaluations conducted at both the enterprise and site levels.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We verified that LANL ensured that the risk assessments for systems connected to the classified computer network evaluated all known threats and vulnerabilities.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that the risk assessments for systems connected to the classified computer network evaluate all known threats and vulnerabilities.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  2. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that LANL effectively developed comprehensive cyber security policies and procedures for its classified computer network that contain specific instructions on how to implement federal and departmental requirements.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that cyber security policies and procedures applicable to the classified computer network are comprehensive and contain specific instructions on how to implement federal and departmental requirements.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  3. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that LANL developed and implemented a policy to mark the classification level of information in documents and files stored on the classified computer network.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop and implement a policy to mark the classification level of information in documents and files stored on the classified computer network.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  4. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that LANL implemented specialized training requirements for all users with significant security-related responsibilities on the classified computer network.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to implement specialized training requirements for all users with significant security-related responsibilities on the classified computer network.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  5. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that LANL ensured that security plans for systems connected to the classified computer network are revised to sufficiently document technical security controls.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that security plans for systems connected to the classified computer network are revised to sufficiently document technical security controls.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  6. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that LANL strengthened the security testing and evaluation process for the systems connected to the classified computer network by conducting comprehensive vulnerability scans and expanding technical testing to cover new areas that might be vulnerable.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to strengthen the security testing and evaluation process for the systems connected to the classified computer network by conducting comprehensive vulnerability scans and expanding technical testing to cover new areas that might be vulnerable.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  7. Status: Closed - Implemented

    Comments: In fiscal year 2012 we verified that LANL included system- and program-level cyber security weaknesses and required information in its plans of action and milestones.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that plans of action and milestones include all system- and program-level cyber security weaknesses and required information so that they are an effective management tool for tracking security weaknesses and identifying budgetary resources needed to protect the classified computer network.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  8. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that LANL, in response to our recommendation, developed comprehensive contingency plans for all computer systems connected to the classified computer network.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop comprehensive contingency plans for all computer systems connected to the classified computer network.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  9. Status: Closed - Implemented

    Comments: We verified that LANL annually tested the contingency plans for the systems connected to the classified computer network to determine if the laboratory's proposed actions will function as intended during emergency situations.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to annually test the contingency plans for the systems connected to the classified computer network to determine if the laboratory's proposed actions will function as intended during emergency situations.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  10. Status: Closed - Implemented

    Comments: We verified that LANL has taken steps to centralize security management of the classified computer network to enforce compliance with laboratory policies, procedures, and practices for each computer system connected to the classified computer network.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to take steps to centralize security management of the classified computer network to enforce compliance with laboratory policies, procedures, and practices for each computer system connected to the classified computer network.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  11. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that LANL, in response to our recommendation, developed plans to address sustainability in collaboration with NNSA, that detail, among other things, (1) how the laboratory plans to maintain recent cyber security improvements, (2) how these improvements will be supported on a long-term basis, and (3) the resource requirements needed to sustain and improve on recent cyber security improvements.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop a sustainability plan, in collaboration with NNSA, that details, among other things, (1) how the laboratory plans to maintain recent cyber security improvements, (2) how these improvements will be supported on a long-term basis, and (3) the resource requirements needed to sustain and improve on recent cyber security improvements.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  12. Status: Closed - Implemented

    Comments: In fiscal year 2014 we verified that LANL developed and implemented a policy to inventory documents and files stored on the classified computer network.

    Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop and maintain an inventory of documents and files stored on the network.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  13. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that NNSA, in response to our recommendation, undertook a comprehensive review of federal cyber security staffing requirements at the Los Alamos Site Office and determined that additional staff was needed. Funding was allocated for three contractor support personnel at LASO.

    Recommendation: To ensure sustainability efforts are properly implemented and effective federal oversight is provided, the Administrator of the National Nuclear Security Administration should undertake a comprehensive review of federal cyber security staffing requirements at the Los Alamos Site Office to determine if additional staff is needed. Should a determination be made that additional federal cyber security staff is needed, actions should be taken by the Manager of the Los Alamos Site Office to acquire sufficient cyber security staff, ensure that staff receive adequate training, and maintain the skills necessary to perform adequate oversight and enforce compliance with NNSA cyber security requirements.

    Agency Affected: Department of Energy: National Nuclear Security Administration

  14. Status: Closed - Implemented

    Comments: In fiscal year 2012, we verified that NNSA, in response to our recommendation, assessed LANL's sustainability capabilities and periodically reviewed LANL's sustainability plan in order to increase accountability for and improve performance of the laboratory's cyber security operations.

    Recommendation: To ensure sustainability efforts are properly implemented and effective federal oversight is provided, the Administrator of the National Nuclear Security Administration should assess LANL's sustainability capabilities 12 months after it implemented the Compliance Order, and periodically review LANL's sustainability plan in order to increase accountability for and improve performance of the laboratory's cyber security operations.

    Agency Affected: Department of Energy: National Nuclear Security Administration
