Physical Security: NIST and Commerce Need to Complete Efforts to Address Persistent Challenges [Reissued with Revisions Mar. 14, 2018]
Highlights
What GAO Found
GAO found that efforts to transform the physical security program at the National Institute of Standards and Technology (NIST) have incorporated some key practices, particularly with regard to leadership commitment to organizational change. For example, GAO estimates that, as of May 2017, 75 percent of staff GAO surveyed believe that NIST leadership places “great” or “very great” importance on security issues. However, staff awareness about security responsibilities varied, in part because of the limited effectiveness of NIST's security-related communication efforts. Additionally, GAO agents gained unauthorized access to various areas of both NIST campuses in Gaithersburg, Maryland, and Boulder, Colorado. GAO found that ongoing efforts do not provide NIST with the tools needed to address security vulnerabilities. By incorporating elements of key practices, including a comprehensive communication strategy, interim milestone dates, and measures to assess effectiveness, NIST will be better positioned to address the security vulnerabilities caused by varied levels of security awareness among employees.
Management of NIST's physical security program is fragmented between the Department of Commerce (Commerce) and NIST. This is inconsistent with the federal Interagency Security Committee's (ISC) physical security best practices, which encourage agencies to centrally manage physical security. Commerce is responsible for overseeing security personnel who implement physical security policies, while NIST manages physical security countermeasures such as access control technology, leading to fragmentation in responsibilities. Before implementing the current organizational structure in October 2015, neither Commerce nor NIST assessed whether it was the most appropriate way to fulfill NIST's physical security responsibilities. Without evaluating management options, the current organizational structure may be creating unnecessary inefficiencies, thereby inhibiting the effectiveness of the security program overall.
To help federal agencies protect and assess risks to their facilities, the ISC developed a risk management process standard (RMP Standard), with which federal agencies, including Commerce, generally must comply. Commerce and NIST most recently completed risk management steps for NIST campuses in 2015 and 2017, but GAO found that their efforts did not fully align with the RMP Standard. Neither Commerce nor NIST used a sound risk assessment methodology, fully documented key risk management decisions, or appropriately involved stakeholders, partly because these requirements were not in existing agency policy. Further, GAO found that Commerce and NIST had overlapping risk management activities, potentially leading to unnecessary duplication. According to officials, Commerce and NIST are separately drafting new risk management policies. Without ensuring that (1) these policies align with the RMP Standard and (2) the NIST policy contains a formal mechanism to coordinate with Commerce, future risk management activities may be limited in their usefulness and duplicative.
This report is a public version of a sensitive report that was also issued in October. Information that Commerce and the Department of Homeland Security deemed sensitive has been omitted.
Why GAO Did This Study
NIST is the United States' national physical laboratory, which among other matters is responsible for developing measurement standards. In 2017, NIST, located within Commerce, employed approximately 3,500 federal personnel and hosted about 4,000 associates, who include guest researchers and facility users, among others. Assessments in 2015 found issues with NIST's security culture.
GAO was asked to conduct a comprehensive review of the physical security of NIST's campuses. This report examines the extent to which: (1) NIST incorporated key practices to transform the security program and address security vulnerabilities; (2) the security program's organizational structure reflects best practices; and (3) the risk management process aligns with ISC standards.
GAO reviewed risk assessments and related documents; interviewed officials from Commerce and NIST; conducted a generalizable survey of NIST staff; and performed covert vulnerability testing, which provided illustrative examples.
Reissued with Revisions Mar. 14, 2018
This report was revised on March 14, 2018 to clarify information on pages 3, 6, 42, and 43 about the population included in the report's generalizable survey. This clarification had no impact on the conclusions of our report.
Recommendations
GAO is making four recommendations: NIST should incorporate elements of key practices into its ongoing security efforts; Commerce, in coordination with NIST, should evaluate the current physical security management structure; and Commerce and NIST should both finalize and implement coordinated risk management policies. Commerce concurred with all four recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
National Institute of Standards and Technology | The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1) | In January 2018, NIST revised its draft Security Sprint Priority Action Plan to include interim milestone dates for action items. Also in January 2018, NIST finalized a physical security communication strategy, which outlines goals, audiences, communication channels, strategies, and tactics. By incorporating elements of key practices, including a comprehensive communication strategy and interim milestone dates, NIST will be better positioned to address the security vulnerabilities caused by the varied levels of security awareness among employees. |
Office of Security | Priority Rec. The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2) | In January 2020, OSY and NIST completed their evaluation and determined that the current management structure for security roles and responsibilities is the most effective means to implement the security program at NIST. In making the determination, OSY and NIST recognized that ineffective communication between NIST, the OSY located on-site at NIST, and OSY headquarters had resulted in physical security risks. However, since 2018, OSY and NIST have established an integrated partnership and coordinated to improve communication. According to both offices, this improved inclusive structure has created a positive physical security culture and reduced NIST's physical security risks. |
Office of Security | Priority Rec. The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3) | In June 2019, OSY finalized changes to Commerce's Manual of Security Policies and Procedures to better align with the ISC's RMP Standard. Specifically, the changes require Commerce to use a sound risk assessment methodology, document risk acceptance and consider alternatives, and establish FSCs at multitenant facilities and campuses. The changes also require ISC training for all OSY assessors and individuals responsible for deciding to implement countermeasures and accept risk. According to an OSY official, assessors also use supplemental resources when completing risk assessments, including an FSL form, a facility security assessment template developed by OSY, and an RMP tool developed by ISC. These resources guide assessors to document sound risk assessments, justification and tenants' approval for FSL determinations, and deviation from baseline levels of risk. The changes to Commerce's manual do not specifically require assessors to use these resources, but an OSY official said in August 2019 that all assessors use them and provided samples of their use thus far. The changes to Commerce's manual and use of supplemental resources help OSY have better assurance that Commerce's risk-management processes mitigate security vulnerabilities department-wide. |
National Institute of Standards and Technology | Priority Rec. The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4) | In March 2019, the NIST Director issued an updated Physical Security Program Directive that aligned NIST's risk management policy with Commerce's risk management policy, and included a coordination mechanism between NIST and the Commerce Office of Security, as GAO recommended in October 2017. Through this updated Directive, NIST can help ensure that it addresses the weaknesses GAO identified in its previous risk management activities and reduce the possible negative effects associated with potential duplication with Commerce. |