Physical Security: NIST and Commerce Need to Complete Efforts to Address Challenges

What GAO Found

GAO found that efforts to transform the physical security program at the National Institute of Standards and Technology (NIST) have incorporated some key practices, particularly with regard to leadership commitment to organizational change. For example, GAO estimates that, as of May 2017, 75 percent of staff GAO surveyed believe that NIST leadership places “great” or “very great” importance on security issues. However, staff awareness about security responsibilities varied, in part because of the limited effectiveness of NIST’s security-related communication efforts. Additionally, GAO agents gained unauthorized access to various areas of both NIST campuses in Gaithersburg, Maryland, and Boulder, Colorado. GAO found that ongoing efforts do not provide NIST with the tools needed to address security vulnerabilities. By incorporating elements of key practices, including a comprehensive communication strategy, interim milestone dates, and measures to assess effectiveness, NIST will be better positioned to address the security vulnerabilities caused by varied levels of security awareness among employees.

Management of NIST’s physical security program is fragmented between the Department of Commerce (Commerce) and NIST. This is inconsistent with the federal Interagency Security Committee’s (ISC) physical security best practices, which encourage agencies to centrally manage physical security. Commerce is responsible for overseeing security personnel who implement physical security policies, while NIST manages physical security countermeasures such as access control technology, leading to fragmentation in responsibilities. Before implementing the current organizational structure in October 2015, neither Commerce nor NIST assessed whether it was the most appropriate way to fulfill NIST’s physical security responsibilities. Without evaluating management options, the current organizational structure may be creating unnecessary inefficiencies, thereby inhibiting the effectiveness of the security program overall.

To help federal agencies protect and assess risks to their facilities, the ISC developed a risk management process standard (RMP Standard), with which federal agencies, including Commerce, generally must comply. Commerce and NIST most recently completed risk management steps for NIST campuses in 2015 and 2017, but GAO found that their efforts did not fully align with the RMP Standard. Neither Commerce nor NIST used a sound risk assessment methodology, fully documented key risk management decisions, or appropriately involved stakeholders, partly because these requirements were not in existing agency policy. Further, GAO found that Commerce and NIST had overlapping risk management activities, potentially leading to unnecessary duplication. According to officials, Commerce and NIST are separately drafting new risk management policies. Without ensuring that (1) these policies align with the RMP Standard and (2) the NIST policy contains a formal mechanism to coordinate with Commerce, future risk management activities may be limited in their usefulness and duplicative.

This report is a public version of a sensitive report that was also issued in October. Information that Commerce and the Department of Homeland Security deemed sensitive has been omitted.

Why GAO Did This Study

This testimony summarizes the information contained in GAO's October 2017 report, entitled Physical Security: NIST and Commerce Need to Complete Efforts to Address Persistent Challenges (GAO-18-95).

For more information, contact Seto J. Bagdoyan at (202) 512-6722 or bagdoyans@gao.gov.