This is the accessible text file for GAO report number GAO-08-1001 
entitled 'Information Security: Actions Needed to Better Protect Los 
Alamos National Laboratory's Unclassified Computer Network' which was 
released on September 26, 2008. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office: 

GAO: 

September 2008: 

Information Security: 

Actions Needed to Better Protect Los Alamos National Laboratory's 
Unclassified Computer Network: 

Information Security: 

GAO-08-1001: 

GAO Highlights: 

Highlights of GAO-08-1001, a report to congressional committees. 

Why GAO Did This Study: 

The Los Alamos National Laboratory (LANL), which is operated by the 
National Nuclear Security Administration (NNSA), has experienced 
security lapses protecting information on its unclassified computer 
network. The unclassified network contains sensitive information. GAO 
(1) assessed the effectiveness of the security controls LANL has in 
place to protect information transmitted over its unclassified computer 
network, (2) assessed whether LANL had implemented an information 
security program for its unclassified network, and (3) examined 
expenditures to protect LANL’s unclassified network from fiscal years 
2001 through 2007. To carry out its work, GAO examined security 
policies and procedures and reviewed the laboratory’s access controls 
for protecting information on the unclassified network. 

What GAO Found: 

LANL has implemented measures to enhance its information security, but 
weaknesses remain in protecting the confidentiality, integrity, and 
availability of information on its unclassified network. LANL has 
implemented a network security system that is capable of detecting 
potential intrusions. However, GAO found vulnerabilities in several 
critical areas, including (1) identifying and authenticating users, (2) 
encrypting sensitive information, and (3) monitoring and auditing 
compliance with security policies. For example, LANL had implemented 
strong authentication measures for accessing the network. However, once 
gaining this access, a user could create a simple password that would 
allow alternative access to certain sensitive information. Furthermore, 
LANL did not use encryption for authentication to certain internal 
services, which increased the risk that sensitive information 
transmitted over the unclassified network could be compromised. 

A key reason for the information security weaknesses is that the 
laboratory has not implemented an information security program to 
ensure that controls are effectively established and maintained. For 
example, LANL did not adequately assess information security risks or 
develop effective policies and procedures to govern the security of its 
computing environment. LANL’s most recent risk assessment for the 
unclassified network generally identified and analyzed vulnerabilities, 
but did not account for risks identified by internal vulnerability 
testing. Deficiencies in LANL’s policies and procedures have been the 
subject of reports by the Department of Energy’s (DOE) Office of 
Independent Oversight and the Los Alamos Site Office, including foreign 
nationals’ access to the unclassified network. GAO found that, as of 
May 2008, 301 (or 44 percent) of 688 foreign nationals, who had access 
to the unclassified network, were from countries classified as 
sensitive by DOE, such as China, India, and Russia. In addition, a 
significant number of foreign nationals from sensitive countries were 
authorized remote access to LANL’s unclassified network. The number of 
foreign nationals with access has raised concerns among laboratory and 
NNSA officials because of the sensitive information contained on the 
unclassified network. In response, the laboratory has taken some 
measures to limit foreign nationals’ access. 

From fiscal years 2001 through 2007, LANL spent approximately $51.4 
million to protect its unclassified network. LANL cyber security 
officials told us that funding has been inadequate to address some of 
their security concerns. Specifically, there was a risk that 
unclassified network users would no longer receive cyber security 
training and that the laboratory would not be able to ensure that data 
containing sensitive unclassified information would be properly 
sanitized or destroyed. However, NNSA officials asserted that LANL has 
not adequately justified its requests for additional funds. NNSA is in 
the process of implementing a more systematic approach for developing 
budgets for cyber security activities across the nuclear weapons 
complex, including LANL. 

What GAO Recommends: 

GAO recommends, among other things, that the Secretary of Energy and 
the Administrator of NNSA require the Director of LANL to (1) ensure 
that the risk assessment for the unclassified network evaluates all 
known vulnerabilities and is revised periodically and (2) strengthen 
policies with a view toward further reducing, as appropriate, foreign 
nationals’— particularly those from countries that DOE has identified 
as sensitive—access to the unclassified network. NNSA did not 
specifically comment on GAO’s recommendations but agreed with the 
conclusions. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1001]. For more 
information, contact Gene Aloise at (202) 512-3841, or aloisee@gao.gov; 
Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov and Nabajyoti 
Barkakati at (202) 512-6412 or barkakatin@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

LANL Has Information Security Controls in Place to Protect Its 
Unclassified Network, but Weaknesses Remain: 

LANL Has Not Fully Implemented Key Information Security Program 
Activities for Its Unclassified Network: 

LANL Has Spent Approximately $51.4 Million to Protect Its Unclassified 
Network from Fiscal Years 2001 through 2007, but Future Resource 
Requirements Need Better Justification: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the National Nuclear Security 
Administration: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Related GAO Products: 

Figures: 

Figure 1: Percentage of Foreign Nationals from Sensitive and 
Nonsensitive Countries at LANL with Unclassified Network Access, as of 
May 2008: 

Figure 2: Annual Expenditures on LANL's Unclassified Network, Fiscal 
Years 2001-2007: 

Abbreviations: 

C&A: certification and accreditation: 

DAA: Designated Approving Authority: 

DOE: Department of Energy: 

FISCAM: Federal Information System Controls Audit Manual: 

FISMA: Federal Information Security Management Act: 

FSU: former Soviet Union: 

IT: information technology: 

LANL: Los Alamos National Laboratory: 

LANS: Los Alamos National Security, LLC: 

LASO: Los Alamos Site Office: 

NIST: National Institute of Standards and Technology: 

NNSA: National Nuclear Security Administration: 

OMB: Office of Management and Budget: 

PIN: personal identification number: 

SANS: System Administration, Networking, and Security: 

United States Government Accountability Office: 

Washington, DC 20548: 

September 9, 2008: 

The Honorable John D. Dingell: 
Chairman: 
The Honorable Joe Barton: 
Ranking Member: 
Committee on Energy and Commerce: 
House of Representatives: 

The Honorable Bart Stupak: 
Chairman: 
The Honorable John M. Shimkus: 
Ranking Member: 
Subcommittee on Oversight and Investigations: 
Committee on Energy and Commerce: 
House of Representatives: 

The Los Alamos National Laboratory (LANL),[Footnote 1] which is 
operated by the National Nuclear Security Administration 
(NNSA),[Footnote 2] has experienced a number of security lapses in 
protecting sensitive information. Over the last decade, these 
information security lapses have included, but are not limited to, the 
inability to accurately identify computer resources connected to the 
unclassified network and to identify and correct computer network 
vulnerabilities. 

The unclassified network at LANL comprises over 25,000 devices, which 
does not include supporting devices, such as servers, printers, and 
scanners. It also contains about 51,000 active network ports, which 
serve as the interface between computers and other devices on the 
network, and provides service to over 13,000 users. 

LANL's unclassified network is segmented into subnetworks and includes 
the (1) protected-unclassified network, which is the default location 
for unclassified computer systems at the laboratory and contains 
sensitive unclassified data and information; (2) unclassified-open 
network, which supports the laboratory's presence on the Internet and 
is to contain no sensitive information; (3) collaboration network, 
which supports external scientific collaboration involving high- 
performance computing; and (4) visitor network, which provides an 
outgoing connection to the Internet for visitors needing to check e- 
mail. This report focuses on LANL's protected-unclassified network 
because this network is designed to protect most of the laboratory's 
networks and systems from unauthorized access and is the clear target 
of sophisticated cyber attacks. For the purposes of this report, we 
will refer to this network as the "unclassified" network. 

LANL's unclassified network has faced a number of security challenges. 
During 2007, according to LANL officials, the firewalls and other 
blocking mechanisms of the unclassified network deflected more than 10 
million cyber probes every month. Cyber attacks include, among other 
things, the use of information exploitation tools, such as computer 
viruses, Trojan horses, and worms, that can destroy, intercept, and 
degrade the integrity of or deny access to information on a computer 
network. In addition, the unclassified network has voluminous e-mail 
traffic, which makes the network potentially vulnerable to malicious 
code designed to exploit e-mail services. The network receives 
approximately 2 million e-mails per month, plus approximately 50,000 to 
500,000 spam e-mails every day, and LANL employees send approximately 1 
million e-mails every month. 

LANL's large unclassified computer network contains sensitive 
information, including business proprietary information; unclassified 
controlled nuclear information; naval nuclear propulsion information; 
export control information; nuclear reactor safeguards information; the 
military critical technology list; confidential foreign government 
information; and personally identifiable information, including names, 
aliases, Social Security numbers, and biometric records of employees, 
contractors, and visitors. Owing to the nature of the research and 
development conducted at LANL, the information on the unclassified 
network presents a valuable target for foreign governments, terrorists, 
and industrial spies. 

Recognizing the importance of securing information systems at federal 
agencies, Congress enacted the Federal Information Security Management 
Act (FISMA) in December 2002 to strengthen the security of information 
and information systems across the federal government.[Footnote 3] 
FISMA requires each agency to develop, document, and implement an 
agency-wide information security program that supports the operations 
and assets of the agency, including those provided or managed by 
another agency or contractor on its behalf. 

To ensure the confidentiality, integrity, and availability of critical 
information and information systems used to support the operations and 
assets of federal agencies, information security controls and 
complementary program activities are required.[Footnote 4] Effective 
information security controls are necessary to ensure the protection of 
sensitive information contained and transmitted over computer networks. 
In addition, certain program management activities, such as the 
development, documentation, and implementation of policies and 
procedures, are required to govern the protection of 
information.[Footnote 5] 

Information security controls are put in place to prevent, limit, and 
detect unauthorized access, use, disclosure, modification, 
distribution, or disruption to computing resources, programs, and 
information. Examples of information security controls are as follows: 

* User identification and authentication allows computer systems to 
differentiate between users so that activities on the system can be 
linked to specific individuals, and the claimed identity of users can 
be verified. 

* Cryptography underlies many of the mechanisms used to enforce the 
confidentiality and integrity of critical and sensitive 
information.[Footnote 6] 

* Audit and monitoring controls help establish individual 
accountability and monitor compliance with security policies. 

* Configuration management involves the identification and management 
of security features for all hardware, software, and firmware 
components of an information system and systematically controls changes 
to that configuration throughout the development and operational life 
cycle of the system. 

* Physical controls restrict physical access to computer resources, 
usually by limiting access to the buildings and rooms in which the 
resources are housed and by periodically reviewing the access granted 
in order to ensure that access continues to be appropriate. 

A comprehensive information security program is the foundation of a 
security control structure and a reflection of senior management's 
commitment to addressing security risks. The program should establish a 
framework and continuous cycle of activities for assessing risk, 
developing and implementing effective security procedures, and 
monitoring the effectiveness of these procedures. 

Information security program activities govern the security protections 
for the information and information systems that support the operations 
and assets of the agency using a risk-based approach. These activities 
include ensuring that an agency (1) periodically assesses the risk and 
the magnitude of harm that could result from unauthorized access; (2) 
develops, documents, and implements risk-based policies and procedures 
to ensure that information security is addressed throughout the life 
cycle of each system and ensures compliance with applicable 
requirements; (3) develops, documents, and implements plans to provide 
adequate information security for networks, systems, and facilities; 
(4) provides security awareness training to inform personnel of 
information security risks and of their responsibilities in complying 
with agency policies and procedures; (5) periodically tests and 
evaluates the effectiveness of information security policies, 
procedures, and practices relating to management, operational, and 
technical controls for every system--the frequency of such tests should 
be based on risk but occur at least once per year; (6) has a process 
for planning, implementing, evaluating, and documenting remedial action 
to address deficiencies in information security policies, procedures, 
or practices; (7) has procedures for detecting, reporting, and 
responding to security incidents; and (8) documents, develops, and 
implements plans and procedures to ensure continuity of operations for 
information systems that support its operations and assets. 

This report evaluates key elements of LANL's unclassified information 
security program. Specifically, we (1) assessed the effectiveness of 
security controls LANL has implemented to protect information 
transmitted over its unclassified computer network, (2) assessed 
whether LANL had implemented an information security program to ensure 
that controls were effectively established and maintained for its 
unclassified computer network, and (3) examined the expenditure of 
funds used to protect LANL's unclassified computer network from fiscal 
years 2001 through 2007. 

We visited LANL to assess the effectiveness of security controls that 
the laboratory had implemented for its unclassified computer network, 
and we gained an understanding of the overall network control 
environment and identified its interconnectivity and control points. We 
performed vulnerability assessments to evaluate authentication and 
authorization controls, encryption mechanisms, network monitoring 
processes, and configuration management controls for the unclassified 
network. We also reviewed the effectiveness of physical security 
operations in preventing unauthorized access to cyber-related 
resources. In addition, we obtained views from and documentation on 
these issues from responsible security officials at the Department of 
Energy (DOE), NNSA, the Los Alamos Site Office (LASO), and LANL. 

To assess whether LANL had implemented an information security program 
to ensure that controls were effectively established and maintained for 
its unclassified computer network, we determined whether policies and 
procedures adhered to NNSA, DOE, and the National Institute of 
Standards and Technology (NIST) guidance, in areas such as security 
awareness training, risk assessment, information security plans, 
security testing and evaluation, corrective action plans, and 
continuity of operations for information systems. In addition, we 
obtained the views of and documentation on these issues from officials 
responsible for information security management at DOE, NNSA, LASO, and 
LANL. We also met with officials from DOE's Office of Independent 
Oversight and its Office of Inspector General, regarding any related 
prior, ongoing, or planned work in these areas. 

To determine the expenditure of funds used to protect LANL's 
unclassified computer network from fiscal years 2001 through 2007, we 
obtained and analyzed documentation detailing program expenditures and 
met with LANL officials to discuss the data. We chose this time period 
because, beginning in fiscal year 2001, NNSA assumed programmatic 
responsibility for the nuclear weapons complex. We obtained responses 
to a series of data reliability questions, from responsible LANL 
officials, covering issues such as data entry access, internal control 
procedures, and the accuracy and completeness of the data. In addition, 
we obtained written responses from LANL officials to clarify 
discrepancies in the data we received. We determined that the data were 
sufficiently reliable for the purposes of this report. 

We conducted this performance audit from May 2007 to September 2008 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. A more detailed description 
of our objectives, scope, and methodology is contained in appendix I. 

Results in Brief: 

LANL has implemented measures to enhance its information security, but 
weaknesses remain in protecting the confidentiality, integrity, and 
availability of information on its unclassified network. In particular, 
LANL has implemented a network security system that is capable of 
detecting potential intrusions on the network. However, LANL has 
vulnerabilities in several critical areas, including (1) identifying 
and authenticating users of the network, (2) encrypting sensitive 
information, (3) monitoring and auditing compliance with security 
policies, (4) controlling and documenting changes to a computer 
system's hardware and software, and (5) restricting physical access to 
computing resources. For example, although LANL had implemented strong 
authentication measures for accessing the network, these measures were 
not always used. Once a user successfully accessed the network, the 
user could create a separate simple password that would allow 
alternative access to certain sensitive information. Furthermore, LANL 
neither conducted comprehensive vulnerability scans of the unclassified 
network nor did it include sensitive applications in these scans, thus 
leaving the network at increased risk of compromise or disruption. In 
addition to these weaknesses, LANL's computing facilities had physical 
security weaknesses and could be vulnerable to intentional disruption. 
Specifically, we observed lax restriction of vehicular traffic entering 
the laboratory and inadequate fencing. 

The laboratory has not yet implemented an information security program 
to ensure that controls are effectively established and maintained--the 
absence of such a program is a key reason for the information security 
weaknesses we identified. Although LANL has implemented an effective 
security awareness training program, we identified a number of 
shortcomings in its overall information security management program. 
For example, LANL did not adequately assess information security risks 
or develop effective policies and procedures to govern the security of 
its computing environment. LANL's most current risk assessment for the 
unclassified network, completed in June 2007, generally identified and 
analyzed vulnerabilities but did not account for risks identified by 
internal vulnerability testing. We also identified shortcomings in 
other information security policies and procedures. For example, LANL's 
information security policies and procedures lacked specific 
implementation guidance. Furthermore, LANL does not have a formal 
contingency plan for its unclassified network that conforms to current 
federal requirements to ensure continuous network operations. Many of 
these cyber security deficiencies have been the subject of prior 
reports by DOE's Office of Independent Oversight and LASO. The most 
recent reports, covering fiscal years 2006 and 2007, documented 
significant weaknesses with LANL's unclassified information security 
program, including foreign nationals' access to the laboratory's 
unclassified network. As of May 2008, LANL had granted unclassified 
network access to 688 foreign nationals, including over 300 from 
countries identified as sensitive by DOE, such as China, India, and 
Russia. A country is identified as sensitive based on national 
security, nuclear nonproliferation, or terrorism concerns. In addition, 
foreign nationals from sensitive countries have been authorized remote 
access to LANL's unclassified network. The number of foreign nationals 
who have access to the unclassified network has raised security 
concerns among some laboratory and NNSA officials because of the 
sensitive information contained on the network. According to LANL, the 
percentage of foreign nationals with authorized remote access to the 
unclassified network has steadily declined over the last 5 years. 

From fiscal years 2001 through 2007, LANL spent about $51.4 million to 
protect and maintain its unclassified network. Although LANL cyber 
security officials told us that funding has been inadequate to address 
some of their security concerns, NNSA officials raised questions about 
the basis for LANL's funding request for cyber security. NNSA's Chief 
Information Officer told us that LANL has not adequately justified 
requests for additional funds to address the laboratory's stated 
shortfalls. In addition, NNSA officials informed us that LANL's past 
budget requests were prepared on an ad hoc basis and were not based on 
well-defined threat and risk assessments. In response to these 
concerns, in fiscal year 2006, NNSA implemented a more systematic 
approach to developing cyber security budgets across the nuclear 
weapons complex, including LANL. This effort, however, does not provide 
guidance that clearly lays out funding priorities. Furthermore, NNSA 
does not consistently document resource allocation decisions and 
identify how funding shortfalls affect critical cyber security issues. 

To help strengthen information security controls over LANL's 
unclassified network, we are making a series of recommendations to the 
Secretary of Energy and the Administrator of NNSA that require the 
Director of the Los Alamos National Laboratory to, among other things, 
(1) ensure that the risk assessment for the unclassified network 
evaluates all known vulnerabilities and is revised periodically and (2) 
strengthen policies with a view toward further reducing, as 
appropriate, foreign nationals'--particularly those countries 
identified as sensitive by DOE--access to the unclassified network. We 
also are making 41 recommendations in a separate report with limited 
distribution. These recommendations consist of actions to be taken to 
correct the specific information security weaknesses related to 
identification and authentication, cryptography, audit and monitoring, 
configuration management, and physical security. 

We provided NNSA with a copy of this report for review and comment. 
NNSA did not specifically comment on our recommendations. However, NNSA 
agreed with our general conclusion that LANL has taken steps to protect 
sensitive information and acknowledged that there was considerable work 
yet to be done. NNSA also stated that LANL is currently responding to a 
DOE Secretarial Compliance Order requiring the laboratory contractor to 
take comprehensive steps to ensure that it identifies and addresses, 
among other things, critical cyber security deficiencies. The July 2007 
Compliance Order requires LANL to submit an integrated corrective 
action plan to address critical security issues. These steps must be 
completed by December 2008. NNSA noted that responding to the issues 
identified in this report--as well as more technical issues included in 
a limited official use only version of this report--will extend beyond 
the completion of the Compliance Order since the actions we recommend 
are more complex. We would expect that our recommendations, when 
implemented, would complement and be consistent with other remedial 
actions taken to improve LANL's cyber security posture as part of the 
Secretarial Compliance Order. 

Background: 

LANL is responsible for planning and executing all facets of stockpile 
stewardship, including assessing, refurbishing, and certifying nuclear 
weapons. The laboratory operates and manages numerous nuclear 
facilities. Critical activities include plutonium, uranium, and tritium 
processing; research and development on special nuclear material; high- 
energy radiography; radiation measurement; packaging of nuclear 
materials; and the management of radioactive and hazardous waste. To 
help carry out these critical missions, LANL uses its unclassified and 
classified computer networks to manage its business operations, conduct 
nonnuclear experiments, and analyze nuclear weapons and their delivery 
systems to meet requirements established by the Department of Defense. 

Protecting the computer systems that support LANL's operations has 
never been more important. Government officials are increasingly 
concerned about attacks from individuals and groups with malicious 
intent, such as terrorists and foreign intelligence agencies. These 
concerns are well-founded for a number of reasons, including the 
dramatic increase in the reports of security incidents in the United 
States and the steady advance in the sophistication and effectiveness 
of attack technologies. As the nation's defense and intelligence 
communities increasingly rely on commercially available information 
technology, the likelihood increases that information attacks will 
threaten vital national interests. 

A basic management objective for any organization is to protect the 
resources that support its critical operations from unauthorized 
access, use, destruction, or disruption. Organizations accomplish this 
objective by designing and implementing controls that are intended to, 
among other things, prevent, limit, and detect unauthorized access to 
computing resources, programs, information, and facilities. Inadequate 
security controls diminish the reliability of computerized information 
and increase the risk of unauthorized disclosure, modification, and 
destruction of sensitive information and disruption of service. 
Security controls include those related to user identification and 
authentication, cryptography, audit and monitoring, configuration 
management, and physical security. 

LANL Has Information Security Controls in Place to Protect Its 
Unclassified Network, but Weaknesses Remain: 

LANL has implemented measures to enhance its information security, but 
weaknesses remain. In particular, LANL has implemented a network 
security system that can detect potential intrusions on the network. 
However, LANL has vulnerabilities in several critical areas, including 
(1) identifying and authenticating users, (2) encrypting sensitive 
information, (3) monitoring and auditing compliance with security 
policies, (4) controlling and documenting changes to a computer 
system's hardware and software, and (5) restricting physical access to 
computing resources. 

Strong Authentication Was Implemented but Not Always Used: 

A computer system must be able to identify and authenticate different 
users so that activities on the system can be linked to specific 
individuals. When an organization assigns unique user accounts to 
specific users, the system is able to distinguish one user from 
another--a process called identification. The system also must 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. The combination of 
identification and authentication--such as user account/password 
combinations--provides the basis for establishing individual 
accountability and for controlling access to the system. As NIST notes, 
multifactor authentication schemes are stronger than single factor 
authentication.[Footnote 7] In keeping with this standard, LANL's 
password policy requires that one-time passcodes (using token cards and 
personal identification numbers (PIN), i.e., two-factor authentication) 
be used whenever possible or practical. It further states that users 
are not to share passwords and that vendor-supplied default passwords 
must be changed immediately. 

LANL had implemented a strong authentication solution for its network 
through the use of two-factor authentication with a one-time password-
-use of a token (cryptocard); a PIN; and a one-time number code. 
However, strong authentication was not always used. Once a user 
successfully accessed the network, the user could create a separate 
login password that would allow alternative access to sensitive 
information on the unclassified network. Such access was allowed for 
file sharing and e-mail. Furthermore, users shared default 
identifications and passwords for managing certain network devices. As 
a result, LANL was at increased risk that unauthorized users could 
access sensitive information in files and e-mails, as well as obtain 
access to network devices. 

Cryptography Was Not Always Effectively Used: 

Cryptography underlies many of the mechanisms used to enforce the 
confidentiality and integrity of critical and sensitive information. A 
basic element of cryptography is encryption. The National Security 
Agency recommends disabling protocols that do not encrypt information, 
such as user identification and password combinations transmitted 
across the network. 

Although LANL had implemented cryptography, it was not always effective 
or used in transmitting sensitive information. LANL integrated Kerberos 
with its authentication process.[Footnote 8] Kerberos is designed to 
provide strong authentication for client/server applications by using 
secret-key cryptography so that each party can prove its identity 
across an insecure network connection. However, the laboratory relied 
on a Kerberos implementation that uses a weak and outdated encryption 
algorithm. Furthermore, LANL neither uses encryption to protect certain 
network management connections, nor requires encryption for 
authentication to certain internal services. Instead, the laboratory 
used clear text protocols (i.e., unencrypted) to manage key network 
devices, such as internal firewalls and switches. As a result, 
sensitive data transmitted through the unclassified network is at an 
increased risk of being compromised. 

Network Monitoring Was Performed Regularly but Was Not Comprehensive: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine who has taken actions on the system, what these actions 
were, and when they were taken. According to NIST, when performing 
vulnerability scans, greater emphasis should be placed upon systems 
that are accessible from the Internet (e.g., Web and e-mail servers); 
systems that house important or sensitive applications or data (e.g., 
databases); or network infrastructure components (e.g., routers, 
switches, and firewalls). In addition, according to commercial vendors, 
running scanning software in an authenticated mode allows the software 
to detect additional vulnerabilities. NIST also states that the use of 
secure software development techniques, including source code review, 
is essential to preventing a number of vulnerabilities from being 
introduced into items such as a Web service. 

Although LANL regularly monitored its unclassified network for security 
vulnerabilities, the monitoring is not comprehensive. LANL frequently 
scans its network using multiple software tools that search for known 
vulnerabilities on various network devices. However, the scans were not 
comprehensive. For example, at the time of our review, the laboratory's 
vulnerability scan neither included sensitive applications such as 
databases, nor did it run in an authenticated mode. In addition, LANL 
did not conduct source code reviews. As a result, the laboratory may 
not detect certain vulnerabilities, leaving the network at increased 
risk of compromise or disruption. 

Although LANL Uses Innovative Techniques for Configuration Management, 
It Does Not Consistently Implement Software Patches: 

The purpose of configuration management is to establish and maintain 
the integrity of an organization's work products. Organizations can 
better ensure that only authorized applications and programs are placed 
into operation by establishing and maintaining baseline configurations 
and monitoring changes to these configurations. Configuration 
management involves ensuring the correctness of the security settings 
in the operating systems, applications, or computing and network 
devices, and securely maintaining operations. Patch management, a 
component of configuration management, is important for mitigating 
software vulnerability risks. When software vulnerabilities are 
discovered, the software vendor may develop and distribute a patch or 
work-around to mitigate the vulnerability. NIST recommends that 
organizations have an explicit and documented patching policy and a 
systematic, accountable, and documented process for installing and 
testing patches. In addition, LANL policy requires that all Windows- 
based systems on the unclassified network participate in a patch 
management system. In addition to patch management, to further protect 
an organization's systems, such as from malicious e-mails, NIST states 
that organizations should determine which types of attachments to allow 
and to block potentially dangerous ones. 

Although LANL had implemented innovative techniques to maintain its 
system configuration and install patches, shortcomings existed in the 
patch process. The laboratory used an automated tool to configure and 
maintain its Unix servers, and deployed a tool to its Windows systems 
to track and implement patches on the majority of systems we reviewed. 
It also used its vulnerability scanning tools to verify the latest 
patch levels of Windows systems. However, LANL did not always 
consistently implement or appropriately test these patches. For 
example, LANL had not applied a critical operating system patch or 
patches for a number of general third-party applications. As a result, 
LANL cannot ensure that all needed patches are applied to critical 
system resources or that untested patches will not have unintentional 
consequences, increasing the risk of exposing critical and sensitive 
unclassified data to unauthorized access. Furthermore, although the 
laboratory had configured its e-mail system to prevent many common 
cyber attacks, it was still vulnerable to attack because the system 
allowed various file types as e-mail attachments. These files could be 
used to install malicious software onto an unsuspecting user's 
workstation, potentially compromising the unclassified network. 

Physical Security Controls May Leave the Unclassified Network 
Vulnerable to Disruption: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls restrict physical access to computer resources, usually 
by limiting access to the buildings and rooms in which the resources 
are housed and by periodically reviewing the access granted in order to 
ensure that it continues to be appropriate. NIST requires that federal 
organizations control all physical access points (including designated 
entry/exit points) to facilities containing information systems (except 
for those areas within the facilities officially designated as publicly 
accessible) and verify individual access authorizations before granting 
access to the facilities. In addition, NIST requires that federal 
agencies control physical access to information system transmission 
lines to prevent eavesdropping, in-transit modification, disruption, or 
physical tampering, and that these agencies protect power equipment for 
information systems from damage or destruction. Furthermore, LANL 
policy requires that access to exclusion areas that house sensitive 
information technology (IT) resources and the equipment that supports 
these resources be limited to authorized personnel. 

LANL has various protections in place for its IT resources. It 
effectively secures many of its sensitive areas and computer equipment 
and takes other steps to provide physical security. For example, LANL 
issued electronic badges and employed hand geometry devices to help 
control access to many of its sensitive and restricted areas. It also 
maintains liaisons with law enforcement agencies to help ensure 
additional backup security if necessary and to facilitate the accurate 
flow of timely security information among appropriate government 
agencies. 

However, LANL's computing facilities may be vulnerable to attack 
because of weaknesses in its controls over physical access points, 
including the lax control of vehicular traffic, inadequate fencing, 
unsecured buildings housing computer network equipment, and signs 
visible from the street that indicate what these buildings contain. In 
addition, LANL did not effectively control access to a (1) 
telecommunications room that houses transmission lines and equipment 
and (2) utility room that provides heating and air conditioning for 
sensitive IT equipment. These weaknesses in physical security increased 
the risk that sensitive computing resources and data could be 
inadvertently or deliberately misused or destroyed. In response to our 
observations, LANL corrected the control issues associated with the 
telecommunications and utility rooms before the end of our site visits. 
Regarding control of vehicular traffic, LANL's former Chief of Security 
told us that the laboratory was willing to accept the level of risk 
because it was infeasible to check every car entering the laboratory. 

LANL Has Not Fully Implemented Key Information Security Program 
Activities for Its Unclassified Network: 

The information security weaknesses in LANL's unclassified network that 
we identified have occurred, in large part, because the laboratory has 
not yet fully implemented an information security program to ensure 
that controls are effectively established and maintained. Although LANL 
has implemented an effective security awareness training program, we 
identified a number of shortcomings in its overall information security 
management program, including risk assessments, policies and 
procedures, network security plan, security testing and evaluation, 
remedial action plans, and contingency planning and testing. Many of 
these cyber security deficiencies have been the subject of prior 
reports by DOE's Office of Independent Oversight and LASO. The most 
recent report, issued by the Office of Independent Oversight in 
February 2008, also documented significant weaknesses with LANL's 
unclassified information security program, including foreign nationals' 
access to the unclassified network. During our review, we found that 
LANL had granted over 300 foreign nationals access to its unclassified 
network from countries identified as sensitive by DOE, including China, 
India, and Russia. Some LANL and NNSA officials raised security 
concerns about the level of access given to foreign nationals from 
sensitive countries because of the valuable scientific and 
technological information contained on the laboratory's unclassified 
network. 

Security Awareness Training Program Is in Place: 

People are one of the weakest links in attempts to secure systems and 
networks. Therefore, an important component of an information security 
program is providing required training so that users understand a 
system's security risks and their own role in implementing related 
policies and controls to mitigate those risks. As defined by the System 
Administration, Networking, and Security (SANS) Institute,[Footnote 9] 
security awareness training is designed to educate users on the 
appropriate use, protection, and security of information; individual 
users' responsibilities; and ongoing maintenance necessary to protect 
the confidentiality, integrity, and availability of information assets, 
resources, and systems from unauthorized access, use, misuse, 
disclosure, destruction, or disruption. FISMA requires each agency to 
develop, document, and implement an information security program that 
includes security awareness training to inform personnel of information 
security risks and of their responsibilities in complying with agency 
policies and procedures, as well as training personnel with significant 
security responsibilities for information security. LANL policy 
requires that all employees complete an initial computer security 
briefing prior to being granted access to the laboratory's information 
system resources, and it requires that employees complete annual 
refresher training. According to laboratory officials, each employee is 
required to have a training plan highlighting all of the training 
courses the employee is to receive for his or her job function. 

According to LANL officials, there are several controls in place to 
ensure that individuals receive adequate computer security awareness 
and training that will help them develop and maintain their technical 
skills. For example, according to LANL officials, if employees do not 
complete their security awareness training on an annual basis, LANL 
suspends their access to security areas until they have taken the 
required training. LANL officials stated the badge identification 
system is linked to the security awareness course, and those 
individuals who return to the laboratory each succeeding year must take 
the annual computer security refresher so that they can retain access 
to building facilities. If individuals do not complete the course by 
their renewal date, LANL deactivates their badge, denies their access 
to LANL facilities, and directs them to report to the badge office to 
retake the computer security refresher course. The laboratory has also 
ensured that all employees have and complete training plans unique to 
their specific roles and responsibilities within the organization. For 
example, of the 20 training plans for organizational unit 
administrators we reviewed, all had completed their computer security 
training courses, and their training plans were up to date. Because 
LANL has established a security awareness and training program, the 
unclassified network is at decreased risk that and individual 
employee's responsibilities for the safety and security of the 
information system will be unclear, misunderstood, or improperly 
implemented. 

Information Security Program Activities Have Numerous Shortcomings: 

LANL's information security program has not been fully implemented. 
Specifically, (1) its risk assessment was not comprehensive, (2) 
specific guidance was missing from policies and procedures, (3) the 
network security plan was incomplete, (4) system testing had 
shortcomings, (5) remedial action plans were incomplete and corrective 
actions were not always timely, and (6) the network contingency plan 
was incomplete and inadequately tested. Until LANL ensures that the 
information security program associated with its unclassified network 
is fully implemented, it will have limited assurance that sensitive 
data are adequately protected against unauthorized disclosure or 
modification or that network services will not be interrupted. 

Although a Risk Assessment Was Completed, It Was Not Comprehensive: 

Identifying and assessing information security risks are essential 
steps in determining what controls are required. Moreover, by 
increasing awareness of risks, these assessments can generate support 
for the policies and controls that are adopted in order to help ensure 
that these policies and controls operate as intended. FISMA requires 
each agency to develop, document, and implement an information security 
program that includes periodic assessments of the risk and magnitude of 
harm that could result from the unauthorized access, use, disclosure, 
disruption, modification, or destruction of information and information 
systems. NIST guidelines state that the identification of risk for an 
IT system requires an understanding of the system's processing 
environment, including data and information, system and data 
criticality, and system and data sensitivity. Furthermore, according to 
NIST, risk management should identify threats and vulnerabilities, set 
priorities for actions to reduce risks, identify new controls or 
countermeasures, and determine risks remaining after implementing the 
new control, also known as residual risk. Office of Management and 
Budget (OMB) Circular A-130, appendix III, prescribes, as does DOE 
policy, that risk be reassessed when significant changes are made to 
computerized systems--or at least every 3 years. 

Although the laboratory updated its risk assessment in June 2007 for 
the unclassified network, this assessment was not comprehensive but 
provided a general identification and analysis of threats, 
vulnerabilities, and countermeasures and included a residual risk for 
most vulnerabilities. However, it did not fully characterize risks to 
the network. For example, the risk assessment did not identify risks 
for vulnerabilities exposed by previous DOE internal findings and LANL 
vulnerability testing. Also, we found vulnerabilities during our 
analysis that LANL had not previously addressed in its risk assessment. 
For example, strong authentication was often not required for internal 
network services such as e-mail and database logins. Risks associated 
with this vulnerability were not assessed. Without comprehensive risk 
assessments, risks to certain systems may be unknown and appropriate 
controls may not be in place to protect against unauthorized access or 
disclosure, or system disruption. 

LANL is taking steps to strengthen its risk management program that 
improves identification and assessment of potential threats, 
vulnerabilities, assets, and information system controls. For example, 
in January 2008, LANL issued a new risk management procedure describing 
the detailed methodology. In addition, LANL developed a new 
comprehensive methodology to aid in conducting risk assessments and 
provided training on this new methodology. According to LANL officials, 
this new program is in compliance with both NIST and NNSA policies and 
guidance. 

Policies and Procedures Have Shortcomings: 

Another key task in developing an effective information security 
program is to establish and implement risk-based policies, procedures, 
and technical standards that govern security over an agency's computing 
environment. If properly implemented, policies and procedures should 
help reduce the risk that could come from unauthorized access or 
disruption of services. Because security policies and procedures are 
the primary mechanisms through which management communicates views and 
requirements, it is important that these policies and procedures be 
established and documented. FISMA requires agencies to develop and 
implement policies and procedures to support an effective information 
security program. NIST issued security standards and related guidance 
to help agencies implement security controls, including appropriate 
information security policy and procedures. The DOE Chief Information 
Officer has also issued guidance on management, operational, and 
technical controls implementing the NIST security control requirements. 

Shortcomings existed in LANL's information security policies and 
procedures. Although the laboratory developed and documented many 
information security policies and procedures, it did not always have 
specific guidance for implementing federal and departmental 
requirements in the network environment. The laboratory had issued a 
local cyber security policy describing the cyber security program 
framework and an implementation procedure describing roles, 
responsibilities, authorities, and accountability. Furthermore, it had 
issued specific guidance on user passwords, use of nongovernmental 
computers on the network, and the configuration of computers using 
Microsoft Windows that are connected to the network. However, the cyber 
security guidance the laboratory used did not follow guidance issued by 
DOE's Chief Information Officer or NIST standards and guidance for 
categorizing information systems and developing minimum security 
controls. In addition, the policy was not always comprehensive. For 
example, LANL implemented a policy requiring centralized configuration 
management for its Windows environment, but the policy did not address 
other systems the laboratory uses, such as Macintosh and Linux. At the 
time of our site visits, the laboratory had drafted, but not issued, 
specific policies and procedures on topics such as cyber security risk 
management, certification and accreditation, access control, and 
incident management. Without effectively developing, documenting, and 
implementing timely policies, procedures and standards, the laboratory 
has less assurance that its systems and information are protected from 
unauthorized access. 

LANL was making an effort to improve its information security policies 
and procedures. During our site visits, the laboratory's Cyber Security 
group was undertaking a policy development and publication effort to 
review, revise, and issue policies as necessary to ensure compliance 
with DOE and NNSA policy. However, until LANL completes this effort, 
its information security program will not be fully effective. 

Network Security Plan Was Incomplete: 

An information system security plan should provide a complete and up- 
to-date overview of a system's security requirements and describe the 
controls that are in place or planned to meet those requirements. OMB 
Circular A-130 specifies that agencies develop and implement system 
security plans for major applications and for general support systems 
and that these plans address policies and procedures for providing 
management, operational, and technical controls. In addition, NIST 
recommends that security plans include, among other topics, existing or 
planned security controls, the individual responsible for the security 
of the system, description of the system and its interconnected 
environment, and rules of behavior. NIST also requires federal agencies 
to document minimum security controls. Furthermore, DOE and NNSA policy 
requires that LANL develop an overall cyber security program plan, and 
specific system security plans as part of its certification and 
accreditation (C&A) process. NNSA policy further states that all 
documentation relevant to the system C&A should be referenced or 
included in the system security plan; this includes the risk assessment 
results, security test and evaluation plan, and procedures and 
contingency plan(s). 

The laboratory had documented an overall cyber security program plan 
and a security plan for the unclassified network infrastructure, but 
the network security plan was incomplete and not up-to-date. The 
laboratory-wide plan followed DOE policy guidance, and the network 
security plan addressed certain security controls recommended by NIST, 
such as the description of individuals responsible for security and 
rules of behavior. However, the network security plan had not been 
updated to address many of the controls NIST recommended. For example, 
the network security plan only partially addressed access controls and 
system communication protection controls and was incomplete because it 
did not include or reference some key security activities, such as the 
risk assessment results and security test plans, as stated in NNSA 
policy guidance. 

Although DOE had issued guidance implementing FISMA and related NIST 
requirements, a laboratory cyber security official said LANL was 
waiting on detailed implementation instructions from NNSA and that it 
intends to revise the security plan by October 2008 to use controls 
from NIST guidance. Unless it uses the most current guidance on 
security controls, the laboratory cannot ensure that appropriate 
controls are documented in a security plan and in place to protect its 
systems and critical information. 

Security Testing and Evaluation Process Has Shortcomings: 

Another key element of an information security program is testing and 
evaluating system controls to ensure they are appropriate and effective 
and comply with policies. FISMA requires each agency to develop, 
document, and implement an information security program that includes 
periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, performed with a 
frequency depending on risk, but no less than annually. The program is 
to include testing of management, operational, and technical controls 
for every system identified in the agency's required inventory of major 
information systems. NIST provides guidance to agencies for assessing 
security control effectiveness and for performing network security 
testing, and states that security test results should be appropriately 
documented. Similarly, DOE guidance specifies that all controls 
identified in the security plan are subject to assessment procedures, 
and that the breadth and depth of testing activities should be 
documented. 

The laboratory had various initiatives under way to test and evaluate 
system controls in its unclassified network at the time of our review, 
but we found shortcomings in the testing process. In fiscal year 2007, 
LANL conducted a self-assessment of the unclassified security program 
using NIST's specified security controls. However, most controls were 
not assessed at a very detailed level--with only 3 of the 17 control 
areas being assessed in more detail using certain questions and 
security performance tests derived from NIST guidance. The laboratory 
also annually tests the controls in the security plan and conducts 
continuous automated testing to detect network vulnerabilities. 
However, this testing was limited because the controls identified in 
the security plan were not developed using NIST guidance. For example, 
the NIST control for configuration settings was not documented in the 
network security plan. Furthermore, although testing requirements were 
stated in the test documentation, officials said that the breadth and 
depth of the testing, as well as the results of the tests, were not 
always documented and available for examination. Furthermore, the 
automated testing was not comprehensive. LANL did not use an automated 
scanning tool to detect vulnerabilities in databases, and virtual web 
hosts or source code. Our tests identified vulnerabilities such as 
outdated database software and unpatched third-party applications. 
Without appropriate tests and evaluations of system controls, the 
laboratory has limited assurance that policies and controls are 
appropriate and working as intended. Additionally, without these tests 
and evaluations, there is a higher risk that undetected vulnerabilities 
could be exploited to allow unauthorized access to sensitive 
information. 

Remedial Actions Were Not Taken in a Timely Manner and Plans Were 
Incomplete: 

Remedial action plans, also known as plans of actions and milestones, 
can help agencies identify and assess security weaknesses in 
information systems and set priorities and monitor progress in 
correcting them. FISMA requires each agency to develop, document, and 
implement an information security program that includes a process for 
planning, implementing, evaluating, and documenting remedial action to 
address any deficiencies in its information security policies, 
procedures, or practices. According to OMB Circular A-123, agencies 
should take timely and effective action to correct deficiencies that 
they have identified through a variety of information sources. To 
accomplish this, agencies should develop remedial action plans and 
track progress for correcting each deficiency. A plan should detail the 
resources required to carry out the plan, any milestones in meeting the 
tasks, and scheduled completion dates for those milestones. OMB also 
states that the resource estimates should include the anticipated 
source of funding and whether the reallocation of resources or a 
request for new funding is anticipated. DOE requires that plans of 
action and milestones serve as a management tool for tracking 
corrective actions associated with program and system-level weaknesses. 

Although the laboratory had a management process for identifying, 
evaluating, and documenting issues and tracking corrective actions, it 
did not always take actions in a timely manner and the plans were 
incomplete. For example, the laboratory's plan of actions and 
milestones addressed findings for eight weaknesses identified by DOE's 
Office of Independent Oversight in December 2006 by establishing 63 
milestones. In August 2007, LANL's tracking report showed that tasks 
associated with 26 of these milestones were past due. Although a 
tracking report completed a month later indicated that only 11 
milestones were still past due, evidence had not been submitted to 
validate that the recently completed milestones had been satisfactorily 
met. An additional 6 milestones had no completion dates in these 
tracking reports so their status could be determined and effectively 
monitored. In addition, the plans did not include estimated resources 
required to correct weaknesses. Finally, several findings from the 
laboratory's self-assessment were not included in the plan. Without an 
effective remediation program, identified vulnerabilities may not be 
resolved in a timely manner, thereby allowing continuing opportunities 
for unauthorized individuals to exploit these weaknesses to gain access 
to sensitive information and systems. 

Network Contingency Plan Was Incomplete and Testing Was Inadequate: 

Contingency planning is a critical component of information protection. 
If normal operations are interrupted, network managers must be able to 
detect, mitigate, and recover from service disruptions while preserving 
access to vital information. Therefore, a contingency plan details 
emergency response, backup operations, and disaster recovery for 
information systems. It is important that these plans be clearly 
documented, communicated to potentially affected staff, and updated to 
reflect current operations. In addition, testing contingency plans is 
essential to determine whether the plans will function as intended in 
an emergency situation. 

FISMA, NIST, DOE, and NNSA require contingency plans. FISMA requires 
each agency to develop, document, and implement an information security 
program that includes plans and procedures to ensure continuity of 
operations for information systems that support the agency's operations 
and assets. NIST requires that all agencies' systems have a contingency 
plan and that the plans address, at a minimum, identification, and 
notification of key personnel, plan activation, system recovery, and 
system reconstitution. In addition, the process should include a 
business impact assessment to determine what recovery strategies should 
be implemented to ensure availability and to fully characterize the 
system's requirements, processes, and interdependencies to determine 
contingency requirements and priorities. Furthermore, NIST requires 
that the plan be reviewed for accuracy and completeness at least 
annually and that testing occur annually and when significant changes 
are made to the IT system, supported business processes, or the 
contingency plan. DOE and NNSA also require contingency plans to ensure 
that the department can continue to perform and support functions in 
the event of a service disruption, and these plans must be updated and 
tested annually. 

The contingency plan LANL has implemented for its unclassified network 
is incomplete, outdated, and testing is inadequate. The laboratory had 
drafted a disaster recovery and contingency planning procedural 
document that details how the laboratory should prepare a contingency 
plan and testing procedures, and it notes the importance of contingency 
planning and testing. However, at the time of our site visits, the 
document had not been made final or provided to employees for review. 
In addition, at the time of our site visits, the most current 
contingency plan was over 4 years old and did not include key elements, 
such as identification and notification of key personnel, plan 
activation, system recovery, and system reconstitution. Also, LANL had 
not completed a business impact assessment to determine what recovery 
strategies should be implemented at the laboratory to ensure 
availability of system resources during a service disruption. LANL had 
also not tested the contingency plan annually. Furthermore, the test 
plan that was used was inadequate. The test plan was a checklist of 
regulatory questions that were checked-off and then signed and dated by 
an approving official. This generic checklist laid out several areas to 
review and provided an associated testing procedure, but did not 
adequately follow the contingency plan. Until LANL identifies the 
essential processes that should be included in a contingency plan and 
sufficiently tests the plans, it faces higher risk that the 
unclassified network infrastructure will not be able to effectively 
recover and resume normal operations after a disruption. 

DOE Assessments Have Identified Significant Management Weaknesses 
Governing the Unclassified Network: 

DOE's Office of Independent Oversight and LASO have prepared reports 
identifying weaknesses with the management of LANL's unclassified cyber 
security program. These reports have surfaced numerous problems that 
can be traced to management deficiencies at NNSA, LASO, and the 
laboratory itself. The most recent reports, covering 2006 and 2007, 
identified problems in several specific areas: risk assessment; 
leadership; certification and accreditation; security testing; and 
policies and procedures. Key findings in each of these areas included 
the following: 

* Risk assessment. LANL's risk assessment methodology is not 
comprehensive enough to address system-specific risks and does not 
provide LASO with an appropriate appraisal of the risk in the 
unclassified environment. It also does not identify residual risks for 
acceptance or the development of appropriate mitigation strategies. As 
a result, the threats, vulnerabilities, and consequently the risks to 
LANL's unclassified systems cannot be quantified. 

* Leadership. NNSA has not exercised management and oversight 
responsibilities so that LANL ensures effective implementation of the 
unclassified cyber security program. Furthermore, LASO has not 
exercised its oversight responsibilities for managing and accepting 
risks for the laboratory's unclassified cyber security program and has 
not provided sufficient leadership to resolve LANL performance problems 
and establish a clear set of management priorities. Finally, LANL has 
not exercised sufficient leadership within the unclassified program to 
ensure effective implementation of management and technical processes. 
In a 2007 follow-up report, the Office of Independent Oversight found 
that NNSA and/or the contractor, Los Alamos National Security, LLC 
(LANS),[Footnote 10] had taken steps to improve leadership, including 
(1) hiring a new Chief Information Officer at LANL who reports directly 
to the laboratory Director, (2) allocating additional funding to 
establish increased federal oversight activities at LASO, and (3) 
creating cyber security advisors to assist the laboratory's 
directorates. 

* Certification and accreditation. LANL's C&A process is significantly 
deficient and cannot certify that unclassified systems and information 
are appropriately protected. The current process is based on security 
directives and guidance that are obsolete, rather than on NNSA, DOE, or 
national policies. In addition, neither the LANL unclassified network 
security plan nor any other security plan addresses the accreditation 
of servers, workstations, firewalls, routers, and other IT resources 
that LANL personnel use to process all levels of unclassified 
information. Furthermore, the laboratory's cyber security program plan 
gives a broad range of the possible number of systems on the 
unclassified network (25,000 to 35,000) on a daily basis, which 
contributes to the perception that LANL cannot accurately identify its 
unclassified assets. According to the Office of Independent Oversight's 
most recent assessment, LANL has made little or no progress to correct 
the identified deficiencies. 

* Security testing. LANL's security testing and evaluation is not 
robust enough to ensure the security of the unclassified network. While 
security tests have been prepared, there is little actual testing of 
the controls associated with the unclassified network. Rather, 
individual tests are used to validate security plan statements. As a 
result, the security testing process does not demonstrate that the 
management, operational, and technical controls function as intended. 

* Policies and procedures. LANL's policies and procedures have not been 
updated to address changing management, operational, and technical 
needs in the unclassified environment. While the unclassified cyber 
security program had been implemented within the framework of 
overarching policy provided by DOE, a serious weakness of LANL's 
unclassified cyber security program is that its policies were based on 
obsolete directives and had not fully implemented all NNSA and DOE 
policies concerning cyber security. In addition, LANL has not 
established a comprehensive set of policies, plans, and procedures for 
managing cyber security within LANL organizations. According to the 
Office of Independent Oversight, most aspects of weaknesses relating to 
formal cyber security policies, plans, and procedures have yet to be 
resolved, which places sensitive unclassified information at greater 
risk. 

DOE's Office of Independent Oversight and LASO Have Also Raised 
Concerns about Foreign Nationals' Access to LANL's Unclassified 
Network: 

DOE's Office of Independent Oversight and LASO also reported that LANL 
had not fully implemented DOE policies and procedures for protecting 
sensitive but unclassified information from foreign nationals who have 
access to information technology resources.[Footnote 11] The Office of 
Independent Oversight and LASO noted, among other things, that: 

* foreign nationals' use of this information has not been fully 
evaluated for risk or information sensitivity. As a result, the 
laboratory does not have adequate assurance that foreign nationals pose 
no risk to sensitive unclassified computer systems; 

* the only risk assessment specific to foreign nationals' access to the 
site pertains to "benefit of work to home country;" 

* LANL does not have specific procedures that describe policies and 
processes for managing foreign nationals' access and a method to allow 
LANL's cyber security site manager to know what foreign nationals are 
on the network; and: 

* LANL has installed an additional 10 firewalls and improved firewall 
rules to enhance network segmentation, which allows better control of 
foreign nationals who have access to the unclassified network. However, 
LANL still needs to strengthen controls to further restrict access of 
those foreign nationals who are "scattered across the (unclassified) 
network and cannot be controlled by firewalls." 

We reviewed the status of foreign nationals' access to LANL's 
unclassified network. LANL policy states that foreign nationals working 
at the laboratory may have access to the information and administrative 
controls needed to perform authorized work. However, this policy has 
resulted in foreign nationals having widespread access to LANL's 
unclassified network and has raised concerns among some laboratory and 
NNSA officials about potential security risks. As of May 2008, LANL 
reported that 688 foreign nationals from 64 countries were authorized 
access to the unclassified network in their capacity as visitors, 
postdoctoral students, or permanent staff. Of the 688 foreign 
nationals, 301 (or 44 percent) were from countries classified as 
sensitive by DOE.[Footnote 12] As figure 1 shows, 22 percent of all 
foreign nationals at the laboratory who were authorized access to the 
unclassified network were from China--one of the sensitive countries. 
Foreign nationals from other sensitive countries that had access to the 
unclassified network included India, Russia and other countries of the 
former Soviet Union (FSU), and Israel. 

Figure 1: Percentage of Foreign Nationals from Sensitive and 
Nonsensitive Countries at LANL with Unclassified Network Access, as of 
May 2008: 

This figure is a pie chart showing the percentage of foreign nationals 
from sensitive and nonsensitive countries at LANL with unclassified 
access, as of May 2008. 

Nonsensitive: 56%; 
China: 22%; 
India: 11%; 
Russia/FSA: 8%; 
Other sensitive [A]: 2%; 
Israel: 1%. 

[See PDF for image] 

[A] Algeria, Hong Kong, and Taiwan comprise the "other sensitive" 
category. 

[End of figure] 

In addition, a significant number of foreign nationals from sensitive 
countries have been authorized remote access to LANL's unclassified 
network.[Footnote 13] LANL's Chief Information Officer told us that the 
security risks associated with granting this level of access to foreign 
nationals from sensitive countries has been far too great in the past 
and had reached an unacceptable level because of the valuable 
scientific and technological information contained on the laboratory's 
unclassified network. As a result, LANL has reduced the number of 
foreign nationals from sensitive countries that have been granted 
remote access. 

LANL's former Chief of Security and LANL's Chief Information Officer 
told us they were concerned about the large number of foreign nationals 
at the laboratory who have access to the unclassified network through 
remote or other means. In particular, the former Chief of Security 
asserted that it was a "bad idea" to have foreign nationals on the 
unclassified network. NNSA's Deputy Chief of Information Security 
questioned why any foreign nationals were authorized access to the 
network. In his view, all of their work should be done in a highly 
controlled cyber environment, with exceptions being granted on a very 
selective case-by-case basis. 

LANL officials told us that unclassified network access for foreign 
nationals from both sensitive and nonsensitive countries is "a given." 
Foreign nationals employed at the laboratory require access to the 
unclassified network in order to carry out their duties and meet 
mission requirements. In fact, the foreign nationals in certain cases 
possess unique skills in science that cannot easily be found in the 
United States. The laboratory has seen a significant increase in 
foreign nationals' visit and assignment activities over the past 10 
years. According to LANL, much of this increase in foreign national 
population is due to an increase in the foreign student population in 
U.S. graduate programs and a marked increase in foreign postdoctoral 
students, which is the laboratory's key source of its technical staff. 

LANL Has Spent Approximately $51.4 Million to Protect Its Unclassified 
Network from Fiscal Years 2001 through 2007, but Future Resource 
Requirements Need Better Justification: 

From fiscal years 2001 through 2007, LANL spent approximately $51.4 
million to protect its unclassified network. Nevertheless, LANL cyber 
security officials told us that funding has been inadequate to address 
some of their security concerns, such as the potential compromise or 
modification of sensitive unclassified data and a shutdown of computer 
systems and networks processing sensitive unclassified data. In 
response, NNSA's Chief Information Officer told us that LANL has not 
adequately justified its request for additional funds to address the 
laboratory's stated shortfalls. NNSA is now implementing a more 
systematic approach for developing information security budgets at 
LANL. 

LANL Officials Assert That Resources Are Inadequate to Protect the 
Unclassified Network: 

LANL spent approximately $51.4 million from fiscal years 2001 through 
2007 to protect and maintain the unclassified network.[Footnote 14] The 
unclassified network expenditures have primarily been directed toward 
C&A and technical activities. LANL's C&A costs for the unclassified 
network cover such items as security plan development and maintenance, 
self-assessments, training, education, and awareness, media, and 
oversight of foreign nationals' access to the unclassified network. 
Technical costs involve items such as intrusion detection systems, 
network monitoring, antivirus services, e-mail monitoring, evaluating 
and testing security software before deployment, and incident 
cleanup.[Footnote 15] Figure 2 depicts LANL expenditures for the 
unclassified network over the period. As shown, LANL's overall security 
expenditures for the unclassified network increased from about $2.3 
million to $9.1 million between fiscal years 2001 to 2007, with a peak 
of approximately $11.5 million in fiscal year 2005. A reduction in 
spending occurred in fiscal year 2006, followed by a modest increase 
again in fiscal year 2007. The unclassified network expenditures for 
C&A activities have remained relatively stable around $1 million from 
fiscal years 2002 to 2007, with the majority of unclassified network 
funds going toward technical activities. 

Figure 2: Annual Expenditures on LANL's Unclassified Network, Fiscal 
Years 2001-2007: 

This figure is a combination bar graph showing annual expenditures on 
LANL's unclassified network, fiscal year 2001-2007. The bars represent 
expenditures for certification and accreditation, expenditures for 
technical services, and total expenditures. The X axis represents 
fiscal year, and the Y axis represents dollars in millions. 

Year: 2001; 
Expenditures for certification and accreditation: 0; 
Expenditures for technical services: 2; 
Total expenditures: 2. 

Year: 2002; 
Expenditures for certification and accreditation: 1; 
Expenditures for technical services: 5; 
Total expenditures: 6. 

Year: 2003; 
Expenditures for certification and accreditation: 1; 
Expenditures for technical services: 5; 
Total expenditures: 6. 

Year: 2004; 
Expenditures for certification and accreditation: 1; 
Expenditures for technical services: 8; 
Total expenditures: 10. 

Year: 2005; 
Expenditures for certification and accreditation: 1; 
Expenditures for technical services: 11; 
Total expenditures: 12. 

Year: 2006; 
Expenditures for certification and accreditation: 1; 
Expenditures for technical services: 6; 
Total expenditures: 7. 

Year: 2007; 
Expenditures for certification and accreditation: 1; 
Expenditures for technical services: 8; 
Total expenditures: 9. 

[See PDF for image] 

Source: GAO analysis of LANL budget data. 

[End of figure] 

Although cyber security expenditures increased from fiscal years 2001 
to 2007, LANL officials told us this funding has been inadequate to 
protect the unclassified network and overall cyber security program. In 
a September 27, 2006, letter to the NNSA Administrator, the Directors 
of LANL, Lawrence Livermore National Laboratory, and Sandia National 
Laboratories stated that proposed reductions in the cyber security 
budget would expose the laboratories and NNSA to an unacceptable level 
of security and operational risk. The laboratory Directors emphasized 
that the inevitable effect of cuts in cyber security funding would be 
to forgo improvements in the classified network while also reducing 
support for the unclassified network. The lack of funding would be 
particularly harmful to the unclassified network because it is 
essential to productivity, a key factor in transforming the nuclear 
weapons complex, and is clearly a target for external attack. According 
to LANL's fiscal year 2008 budget request to NNSA, the laboratory 
needed approximately $1 million more than the $7.7 million it was 
allocated to implement an effective program for its unclassified 
network. NNSA's allocation and LANL's request represent an approximate 
11 percent difference for the unclassified network in fiscal year 2008. 
According to a LASO analysis identifying the impacts of failing to 
fully fund the LANL cyber security program, the shortage of funding 
exposes the unclassified network to several potential risks, including 
the following: 

* the compromise, inappropriate access, or modification of sensitive 
unclassified data; 

* a shutdown of computer systems and networks processing sensitive 
unclassified data, without additional systems or networks being 
approved to process these data; 

* placement of LANL in noncompliance with DOE guidance; 

* a significant gap in the laboratory's information protection 
capabilities (i.e., virus scans and firewalls); 

* the severe hampering of laboratory efforts to identify the devices 
and levels of sensitivity of information on the unclassified network; 

* impaired ability to verify the secure configuration of systems on the 
unclassified network; and: 

* the hampering of the laboratory's efforts to follow up on computer 
compromises. 

LANL officials also told us that due to staffing and funding 
constraints, the laboratory could not provide all of the security 
measures that it determined necessary for an effective cyber security 
program, and, therefore, individuals or groups might be able to 
penetrate LANL's networks and gain access to sensitive information. In 
its analysis of the potential consequences of unfunded unclassified 
network activities for fiscal year 2007, LANL asserted that because of 
a lack of funding to perform self-assessments, there was a risk that 
the laboratory's ability to discover and address cyber deficiencies 
would be weakened. In addition, there was a risk that unclassified 
network users could not receive cyber security training, which creates 
serious potential for user-introduced vulnerabilities to the 
unclassified network. Moreover, there was risk that LANL could not 
ensure that media (e.g., disks) containing sensitive unclassified 
information would be properly sanitized or destroyed. 

NNSA officials told us that they strongly disagreed with LANL's 
assertion that the laboratory does not have adequate funding for 
unclassified network activities. According to NNSA's Chief Information 
Officer, LANL's requests for additional funds to meet the laboratory's 
stated shortfalls have not been adequately justified. NNSA also found 
the claims made by the laboratory Directors about funding shortfalls in 
their 2006 letter to be unsubstantiated. In addition, NNSA officials 
stated that the laboratories were inconsistent in how they reported 
cyber security funding requests to NNSA. For example, prior to fiscal 
year 2006, LANL produced budget requests using terminology not 
sanctioned or used by NNSA budget processes by categorizing funding 
levels for cyber security activities as "minimal," "effective," and 
"essential." Furthermore, NNSA officials stated that LANL's past cyber 
budget requests were prepared on an ad hoc basis and were not based on 
well-defined threat and risk assessments. 

NNSA Is Attempting to Implement a More Systematic Approach for 
Developing Information Security Budgets at LANL: 

Since 2006, NNSA has been developing a more systematic approach for 
developing cyber security budgets at LANL and the other national 
laboratories. NNSA officials in the Chief Information Office told us 
that because of the shortcomings in LANL's cyber security budget 
preparation process, NNSA has developed standard budget guidance and 
terminology. NNSA and the laboratories worked together to create a 
standard budget template--a work breakdown structure--for the 
laboratories to use in requesting and allocating cyber security 
funding. The work breakdown structure is to be used for both the 
classified and unclassified networks. More specifically, NNSA cyber 
security officials told us that this structure provides a framework for 
LANL to use in determining what cyber security activities it will fund, 
how much it will give to each activity, and how it will set priorities 
for funding activities and assessing unfunded activities.[Footnote 16] 
In addition, NNSA's Chief Information Office has identified a 
Designated Approving Authority (DAA), a federal official at each 
national laboratory site office, to determine site risks and approve 
budgets. Individual program officials at each laboratory provide budget 
information and risk assessments to their respective DAA to weigh the 
risks and weaknesses of the cyber security program to determine how to 
allocate funds. 

Nevertheless, NNSA officials could not provide us with guidance 
documenting how the laboratories should set budget priorities for cyber 
security activities. An NNSA official acknowledged that the agency has 
not yet produced any guidance on how to set funding priorities for the 
unclassified network but that NNSA is working on a plan to document the 
methodology it uses to approve and deny funding requests based on 
comprehensive assessments of risks and threats for specific work 
breakdown structure activities. Furthermore, NNSA does not consistently 
document its resource allocation decisions for cyber security or 
identify how funding shortfalls affect critical cyber security issues. 
NNSA cyber security officials stated that the laboratories estimate the 
impact of the failure to fund cyber security activities but 
acknowledged the need for NNSA to develop a process to better track 
activities that do not receive funding. NNSA officials believe that 
implementing a complex-wide approach to documenting budget decisions 
will help the agency develop a more systematic, transparent approach 
for determining appropriate cyber security funding levels. 

Conclusions: 

Ensuring the confidentiality, integrity, and availability of sensitive 
information transmitted over LANL's unclassified network is a national 
security priority because the unauthorized disclosure of sensitive 
information or data from the unclassified network could have serious 
consequences. While the laboratory has taken steps to protect sensitive 
information, a number of weaknesses in security controls raise 
concerns. These weaknesses include, among other things, keeping 
information on the unclassified network out of the reach of 
unauthorized users. 

Securing sensitive information on LANL's unclassified network requires 
that the laboratory's management establish, implement, and reinforce 
policies, procedures, and guidance for its employees to follow. In our 
view, these policies and procedures lay the foundation for an effective 
and sustainable security culture. While LANL has instituted components 
of a laboratory-wide information security program, key activities, such 
as the assessment of information security risks, and the development of 
policies and procedures that adhere to federal requirements, were not 
fully implemented or were absent. Furthermore, until LANL fully 
implements a laboratory-wide information security program that includes 
comprehensive risk assessments, risk-based policies and procedures, 
security plans, and a continuity of operations process, it has limited 
assurance that its sensitive data on the unclassified network will be 
adequately protected. For example, the large number of foreign 
nationals--particularly those from countries identified as sensitive by 
DOE--who have access to the laboratory's unclassified network raises 
serious security concerns. While there can be a legitimate need for 
foreign nationals to have access to LANL's unclassified network to 
carry out mission-related responsibilities we believe it is prudent to 
control and restrict this level of access, whenever possible. To that 
end, we believe the laboratory has taken a positive step by 
significantly reducing the number of foreign nationals from sensitive 
countries that are authorized to have remote access to the unclassified 
network. 

Establishing a comprehensive information security program requires a 
well thought out process for determining resource requirements, based 
on risk. We are concerned that neither NNSA nor LANL has developed a 
satisfactory approach to address this matter. In our view, the lack of 
a systematic process for identifying and allocating resources for those 
areas deemed to be highest risk can be traced directly to the absence 
of well-documented procedures and guidelines. Without a rigorous and 
disciplined approach, it is difficult to determine what the 
laboratory's true resource requirements are to implement a 
comprehensive information security program for the unclassified 
network. 

Recommendations for Executive Action: 

To improve LANL's information security program for its unclassified 
network, we recommend that the Secretary of Energy and the 
Administrator of NNSA require the Director of Los Alamos National 
Laboratory to take the following eight actions: 

* Ensure that the risk assessment for the unclassified network 
evaluates all known vulnerabilities and is revised periodically; 

* Strengthen policies with a view toward further reducing, as 
appropriate, foreign nationals'--particularly those from countries 
identified by DOE as sensitive--access to the unclassified network; 

* Ensure that the new set of cyber security policies and procedures 
applicable to the unclassified network are comprehensive, including 
centralized configuration management for all types of systems, and 
contain specific instructions on how to implement federal requirements 
and guidance; 

* Ensure that the network security plan for the unclassified network is 
revised to document security controls using federal guidance and that 
this plan also includes or references key security activities, such as 
risk assessment development and the evaluation of security test 
results; 

* Strengthen the security test and evaluation process for the 
unclassified network by expanding technical testing to cover new areas 
that might be vulnerable, such as those disclosed in our report, and 
ensure that testing adequately considers federal guidance for 
evaluating security controls and determining their effectiveness; 

* Ensure that milestones in corrective action plans are met or that new 
milestones are established to remediate security weaknesses for the 
unclassified network in a timely manner. 

* Ensure that the related plan of action and milestones used for FISMA 
reporting includes all LANL security weaknesses and required 
information so that it is an effective management tool for tracking 
security weaknesses and identifying budgetary resources needed to 
protect the unclassified network; and: 

* Develop and maintain a comprehensive continuity of operations plan 
that addresses the current unclassified network environment and 
periodically test the plan for restoring operations. 

To ensure that NNSA has a clear and consistent strategy to determine 
resource requirements for the laboratory's unclassified network, we 
recommend that the Secretary of Energy and the Administrator of NNSA 
take the following three actions: 

* Develop, document, and implement a process that clearly links 
resource requirements and funding decisions to risk assessments for the 
unclassified network; 

* Implement a process that provides a rationale for approving or 
denying resource requests for the unclassified network; and: 

* Establish and implement procedures to monitor critical program 
activities that are unfunded or underfunded in order to improve 
management accountability and transparency in determining how best to 
fund the most critical program requirements. 

We are also making 41 detailed recommendations in a separate report 
with limited distribution. These recommendations consist of actions to 
be taken to correct the specific information security weaknesses 
related to identification and authentication, cryptography, audit and 
monitoring, configuration management, and physical security. 

Agency Comments and Our Evaluation: 

We provided NNSA with a copy of this report for review and comment. 
NNSA did not specifically comment on our recommendations. However, NNSA 
agreed with our general conclusion that LANL has taken steps to protect 
sensitive information and acknowledged that there was considerable work 
yet to be done. NNSA also stated that LANL is currently responding to a 
DOE Secretarial Compliance Order requiring the laboratory contractor to 
take comprehensive steps to ensure that it identifies and addresses, 
among other things, critical cyber security deficiencies. The July 2007 
Compliance Order was issued after a subcontractor employee removed 
classified information from LANL without authorization. The Order 
requires LANL to submit an integrated corrective action plan to address 
critical security issues. These steps must be completed by December 
2008, and violations of the Compliance Order would subject the 
laboratory's contractor to civil penalties of up to $100,000 per 
violation per day until compliance is reached. 

NNSA noted that responding to the issues identified in this report--as 
well as more technical issues included in a limited official use only 
version of this report--will extend beyond the completion of the 
Compliance Order since the actions we recommend are sufficiently more 
complex. We would expect that our recommendations, when implemented, 
would complement and be consistent with other remedial actions taken to 
improve LANL's cyber security posture as part of the Secretarial 
Compliance Order. Furthermore, NNSA stated that it will exercise the 
leadership necessary to correct the deficiencies identified in our 
report and will implement controls and processes complex-wide to 
demonstrate that it is successfully managing risk. NNSA's comments on 
our draft report are presented in appendix II. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to interested congressional committees; the Secretary of Energy; the 
Administrator of NNSA; the Director of LANL; and other interested 
parties. We will also make copies available to others upon request. In 
addition, this report will be made available at no charge on the GAO 
Web site at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact Gene Aloise at (202) 512-3841 or aloisee@gao.gov; Greg 
Wilshusen at (202) 512-6244 or wilshuseng@gao.gov; or Nabajyoti 
Barkakati at (202) 512-6412 or barkakatin@gao.gov. Contact points for 
our Office of Congressional Relations and Public Affairs may be found 
on the last page of this report. Major contributors to this report are 
included in appendix III. 

Signed by: 

Gene Aloise Director, Natural Resources and Environment: 

Signed by: 

Gregory C. Wilshusen Director, Information Security Issues: 

Signed by: 

Nabajyoti Barkakati Director, Center for Technology and Engineering: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to (1) assess the effectiveness of 
the security controls the Los Alamos National Laboratory (LANL) has 
implemented to protect information transmitted over its unclassified 
computer network; (2) assess whether LANL had fully implemented an 
information security program to ensure that controls were established 
and maintained for its unclassified computer network; and (3) examine 
the expenditure of funds used to protect LANL's unclassified network 
from fiscal years 2001 through 2007. 

To determine the effectiveness of the security controls LANL had 
implemented to protect information transmitted over its unclassified 
computer network, we gained an understanding of the overall network 
control environment and identified its interconnectivity and control 
points. Our evaluation was based on our Federal Information System 
Controls Audit Manual (FISCAM),[Footnote 17] which provides guidance 
for reviewing information system controls that affect the 
confidentiality, integrity, and availability of computerized 
information. 

Using National Institute of Standards and Technology (NIST) standards 
and guidance, and Department of Energy (DOE) and National Nuclear 
Security Administration (NNSA) policies, procedures, practices, and 
standards, we: 

* developed an accurate understanding of the overall network 
architecture and examined routers, network management servers, 
switches, and firewalls; 

* analyzed the effectiveness of controls used to establish individual 
accountability and control network access; 

* observed methods for providing secure data transmissions across the 
unclassified network to determine whether sensitive data was being 
encrypted; 

* evaluated controls intended to limit, detect, and monitor electronic 
access to sensitive computing resources and the effectiveness of these 
controls in protecting computing resources from unauthorized disclosure 
and modification; 

* evaluated control configurations of selected servers and database 
management systems to assess the management of security features for 
network components; and: 

* observed and tested physical access controls to determine if computer 
facilities and resources were being protected from espionage, sabotage, 
damage, and theft; 

In addition, we obtained views and documentation on these issues from 
security officials at DOE, NNSA, the Los Alamos Site Office (LASO), and 
LANL. 

To assess whether LANL had fully implemented an information security 
program to ensure that controls were established and maintained for its 
unclassified computer network, we used the requirements identified by 
FISMA, which establishes key elements for an effective information 
security program. We: 

* examined training records for personnel with significant security 
responsibilities to determine if they received training commensurate 
with those responsibilities; 

* reviewed LANL's risk assessment process and risk assessments for the 
unclassified network to determine whether risks and threats were 
documented consistent with federal guidance; 

* analyzed LANL's policies, procedures, practices, and standards to 
determine their effectiveness in providing guidance to personnel 
responsible for securing information and information systems; 

* analyzed security plans to determine if management, operational, and 
technical controls were in place or planned and that security plans 
were updated; 

* analyzed security testing and evaluation results for the unclassified 
network to determine whether management, operational, and technical 
controls were tested at least annually and based on risk; 

* examined remedial action plans to determine whether they addressed 
vulnerabilities identified in LANL's security testing and evaluations; 
and: 

* examined contingency plans for the unclassified network to determine 
whether those plans had been tested or updated. 

We also discussed with key security representatives and officials 
responsible for information security management at DOE, NNSA, LASO, and 
LANL, whether information security controls were in place, adequately 
designed, and operating effectively. In addition, we met with officials 
from DOE's Office of Independent Oversight and its Office of Inspector 
General, regarding any related prior, ongoing, or planned work in these 
areas. 

To determine the amount of funds LANL spent to protect its unclassified 
network from fiscal years 2001 to 2007, we obtained and analyzed 
documentation on the LANL cyber security program and budget, such as 
the LANL Cyber Security Program Office Roles and Responsibilities; 
LASO's Annual Cyber Survey Report Activity for fiscal year 2007; 
National Nuclear Security Administration's cyber security policies; and 
LANL risk assessments. We also obtained and analyzed financial data on 
LANL's cyber security program and unclassified network from fiscal 
years 2001 to 2007. In addition, we met with cyber security officials 
from NNSA, LASO, and LANL. To assess the reliability of funding data, 
we (1) reviewed quality control procedures used to report funding 
information; (2) interviewed knowledgeable officials; and (3) based on 
document reviews, ensured that we had received all available 
information. We determined that the data were sufficiently reliable for 
the purposes of this report. 

We conducted this performance audit from May 2007 to September 2008 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

[End of section] 

Appendix II: Comments from the National Nuclear Security 
Administration: 

Department of Energy: 
National Nuclear Security Administration: 

Washington, DC 20585: 

August 19, 2008: 

Office Of The Administrator: 

Mr. Gene Aloise
Director, Natural Resources and Environment: 
Government Accountability Office: 
Washington, D.C. 20548: 

Dear Mr. Aloise: 

The National Nuclear Security Administration (NNSA) appreciates the 
opportunity to review the Government Accountability Office's (GAO) 
draft report, GAO-08-1001, "Information Security: Actions Needed to 
Better Protect Los Alamos National Laboratory's Unclassified Computer 
Network." We understand that this report is the result of an audit 
requested by the House's Committee on Energy and Commerce and the 
Subcommittee on Oversight and Investigations to determine security 
controls effectiveness, implementation of programs, and expenditures at 
Los Alamos. 

NNSA agrees with the draft report's conclusion that in general, the 
Laboratory has taken steps to protect sensitive information but that 
more work needs to be done. As you are aware, the Laboratory is 
responding to a Secretarial Compliance Order that is designed to 
address a majority of the issues identified in this report and a 
subsequent report more technically focused, Responding to these reports 
will extend beyond the completion of the Secretarial Compliance Order 
requirements since the GAO's recommendations are sufficiently more 
complex. 

NNSA will exercise the leadership necessary to correct deficiencies 
noted and to implement a dynamic framework of controls and processes 
that can be implemented complex-wide that will provide a level of 
confidence that NNSA is successfully managing risk. NNSA will provide 
detailed corrective actions to Congressional Committees through our 
formal Management Decision process. Printed with soy Ink on recycled 
paper

Should you have any questions about this response, please contact 
Richard Speidel, Director, Policy and Internal Controls Management. He 
may be contacted at 202-586-5009. 

Sincerely, 

Signed by: 

William C. Ostendorff: 
Principal Deputy Administrator: 

cc: Robert Smolen, Deputy Administrator for Defense Programs David 
Boyd, Senior Procurement Executive Bradley Peterson, Chief, Defense 
Nuclear Security Donald Winchell, Revitalization Manager, Los Alamos 
Site Office Linda Wilbanks, Chief Information Officer Karen Boardman, 
Director, Service Center: 

[End of section] 

Appendix III: GAO Contacts and Staff Acknowledgments: 

GAO Contacts: 

Gene Aloise, (202) 512-3841, or aloisee@gao.gov: 

Gregory C. Wilshusen, (202) 512-6244, or wilshuseng@gao.gov: 

Nabajyoti Barkakati, (202) 512-6412, or barkakatin@gao.gov: 

Staff Acknowledgments: 

In addition to the individuals named above, Edward R. Alexander, Jr; 
West E. Coile; Edward M. Glagola, Jr; Jeffrey L. Knott; Glen Levis; Duc 
M. Ngo (Assistant Directors); Debra Conner; Kirk J. Daubenspeck, 
Jennifer R. Franks; Eugene H. Gray; Rosanna Guerrero; Preston S. Heard; 
Lisa N. Henson; Nicole Jarvis; John A. Spence; and Christoper J. Warweg 
made key contributions to this report. Other technical assistance was 
provided by Omari A. Norman, Rebecca Shea, and Carol Herrnstadt 
Shulman. 

[End of section] 

Related GAO Products: 

Information Security: TVA Needs to Address Weaknesses in Control 
Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008. 

Information Security: Progress Reported, but Weaknesses at Federal 
Agencies Persist. GAO-08-571T. Washington, D.C.: March 12, 2008. 

Information Security: Securities and Exchange Commission Needs to 
Continue to Improve Its Program. GAO-08-280. Washington, D.C.: February 
29, 2008. 

Information Security: Although Progress Reported, Federal Agencies Need 
to Resolve Significant Deficiencies. GAO-08-496T. Washington, D.C.: 
February 14, 2008. 

Information Security: IRS Needs to Address Pervasive Weaknesses. GAO- 
08-211. Washington, D.C.: January 8, 2008. 

Information Security: Selected Departments Need to Address Challenges 
in Implementing Statutory Requirements. GAO-07-528. Washington, D.C.: 
August 31, 2007. 

Information Security: Despite Reported Progress, Federal Agencies Need 
to Address Persistent Weaknesses. GAO-07-837. Washington, D.C.: July 
27, 2007. 

Information Security: Homeland Security Needs to Immediately Address 
Significant Weaknesses in Systems Supporting the US-VISIT Program. GAO- 
07-870. Washington, D.C.: July 13, 2007. 

Information Security: Homeland Security Needs to Enhance Effectiveness 
of Its Program. GAO-07-1003T. Washington, D.C.: June 20, 2007. 

Information Security: Agencies Report Progress, but Sensitive Data 
Remain at Risk. GAO-07-935T. Washington, D.C.: June 7, 2007. 

Information Security: Federal Deposit Insurance Corporation Needs to 
Sustain Progress Improving Its Program. GAO-07-351. Washington, D.C.: 
May 18, 2007. 

Information Security: FBI Needs to Address Weaknesses in Critical 
Network. GAO-07-368. Washington, D.C.: April 30, 2007. 

Information Security: Persistent Weaknesses Highlight Need for Further 
Improvement. GAO-07-751T. Washington, D.C.: April 19, 2007. 

Information Security: Further Efforts Needed to Address Significant 
Weaknesses at the Internal Revenue Service. GAO-07-364. Washington, 
D.C.: March 30, 2007. 

Information Security: Sustained Progress Needed to Strengthen Controls 
at the Securities and Exchange Commission. GAO-07-256. Washington, 
D.C.: March 27, 2007. 

[End of section] 

Footnotes: 

[1] The laboratory is a multidisciplinary national security laboratory 
whose core missions are to ensure the safety and reliability of the 
nuclear weapons stockpile and to conduct research and development that 
supports that mission and other homeland security-related initiatives. 
The laboratory covers 40 square miles, with 2,700 buildings covering 
9.4 million square feet, employs more than 12,000 personnel, and has an 
annual operating budget of approximately $2 billion. LANL operates 15 
divisions that are responsible for carrying out its programmatic 
mission, including nuclear weapons engineering, nuclear weapons 
stockpile manufacturing and support, nuclear weapons physics, and 
nuclear weapons threat reduction. The laboratory also has a Chief 
Security Officer, Chief Information Security Officer, and Chief 
Information Officer who are responsible for overseeing information 
security, including protecting cyber security assets. In addition, 
federal oversight for information security at LANL, including cyber 
security, is provided by the Los Alamos Site Office. 

[2] NNSA was established in 2000 in response to management difficulties 
with the Department of Energy's nuclear weapons programs. These 
difficulties included security programs at the department's national 
laboratories and significant cost overruns in the management of 
projects. NNSA is a separately organized agency within the department 
with the responsibility for the nation's nuclear weapons, 
nonproliferation, and naval reactors programs. 

[3] FISMA was enacted as title III, E-Government Act of 2002, Pub. L. 
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002). 

[4] GAO has issued a series of reports that address federal agencies' 
information security programs and activities. See Related GAO products. 

[5] For the purpose of this report, we are including LANL's "cyber" and 
computer network security programs as a key component of the 
laboratory's overall information security program. 

[6] Encryption can be used to provide basic data confidentiality and 
integrity by transforming plain text into cipher text using a special 
value known as a key and a mathematical process known as an algorithm. 

[7] According to NIST, authentication mechanisms can be based on three 
categories of information or "factors" something the user knows, such 
as a password; something the user possesses, such as a token; and some 
physical characteristic (biometric) of the user, such as a fingerprint. 
Authentication methods employing a token or biometric can provide a 
significantly higher level of security than passwords alone. 
Multifactor authentication mechanisms, such as those involving tokens 
and biometric data are considered strong authentication mechanisms. 

[8] Kerberos is a widely used authentication protocol developed at the 
Massachusetts Institute of Technology. 

[9] SANS was established in 1989 as a cooperative research and 
education organization. 

[10] LANS, LLC is a consortium of contractors that includes Bechtel 
National, Inc; the University of California; BWX Technologies, Inc; and 
the Washington Group International, Inc. In June 2006, LANS replaced 
the University of California, which had been the exclusive management 
and operating contractor of LANL since the 1940s. 

[11] According to LANL, a foreign national is anyone who is not a U.S. 
citizen. Immigrant aliens are considered foreign nationals. 

[12] A country is identified as sensitive based on national security, 
nuclear nonproliferation, or terrorism concerns. 

[13] Access to computer systems is granted using a standardized form 
that enables the approving official--either a laboratory Associate 
Director or Deputy Director--to authorize the type of computer 
resources provided to the foreign national such as unclassified 
network, visitor network, or remote unclassified network. In those 
instances where the laboratory division sponsoring the foreign national 
wants the individual to have remote access, the division must provide a 
justification statement. LANL policy, effective January 30, 2004, 
states that ample and sufficient justification for remote access must 
be provided to allow a cognizant laboratory group leader, division 
leader, and Associate Director to approve or disapprove. 

[14] According to LANL, the laboratory spent approximately $87.7 
million from fiscal years 2001 through 2007 to protect and maintain the 
classified network. 

[15] LANL officials explained to us that the cyber security budget is 
also broken down into C&A and technical activities for the classified 
network as well. 

[16] LANL officials told us that the laboratory began tracking cyber 
security financial figures toward the work breakdown structure in 
fiscal year 2006, but added that the unclassified network funding 
figures cannot be broken down into all the cyber security program 
activities listed in the work breakdown structure because some 
expenditures, such as "program management" and "incident response" 
cover both the classified and unclassified networks. 

[17] GAO, Federal Information System Controls Audit Manual, GAO/AIMD- 
12.19.6 (Washington, D.C.: January 1999). 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability.  

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates."  

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to:  

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548:  

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061:  

To Report Fraud, Waste, and Abuse in Federal Programs:  

Contact:  

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470:  

Congressional Relations:  

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548:  

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: