
Information Security: Actions Needed to Manage, Protect, and Sustain Improvements to Los Alamos National Laboratory's Classified Computer Network

GAO-10-28 Published: Oct 14, 2009. Publicly Released: Nov 13, 2009.

Highlights

The Los Alamos National Laboratory (LANL), which is overseen by the National Nuclear Security Administration (NNSA), has experienced a number of security lapses in controlling classified information stored on its classified computer network. GAO was requested to (1) assess the effectiveness of security controls LANL used to protect information on its classified network, (2) assess whether LANL had fully implemented an information security program to ensure that security controls were effectively established and maintained for its classified network, and (3) identify the expenditures used to operate and support its classified network from fiscal years 2001 through 2008. To carry out this work, GAO examined security policies and procedures and reviewed LANL's access controls for protecting information on its classified network.

LANL has implemented measures to enhance its information security controls, but significant weaknesses remain in protecting the confidentiality, integrity, and availability of information stored on and transmitted over its classified computer network. The laboratory's classified computer network had vulnerabilities in several critical areas, including (1) uniquely identifying and authenticating users, (2) authorizing user access, (3) encrypting classified information, (4) monitoring and auditing compliance with security policies, and (5) maintaining software configuration assurance.

A key reason for the information security weaknesses GAO identified was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained. Shortfalls in the program include, among other things, (1) the lack of comprehensive risk assessments to ensure that appropriate controls are in place to protect against unauthorized use, (2) the absence of detailed implementation guidance for key control areas such as marking the classification level of information stored on the classified network, (3) inadequate specialized training for users with significant security responsibilities, and (4) inadequate development and testing of disaster recovery and contingency plans, which leaves the laboratory at risk of being unable to resume normal operations after a service disruption. LANL's security plans and test plans were neither comprehensive nor detailed enough to identify certain critical weaknesses on the classified network. Furthermore, the laboratory's decentralized approach to information security program management has led to inconsistent implementation of policy, and although the laboratory has taken steps to address management weaknesses, its efforts may be limited because LANL has not demonstrated a consistent capacity to sustain security improvements over the long term.

Since fiscal year 2001, the laboratory has spent approximately $433 million, in constant 2009 dollars, to operate and support its classified network. Between fiscal years 2001 and 2008, annual expenditures increased from about $20 million to $80 million. Expenditures for the core classified cyber security program, which serves as the foundation of LANL's protection strategy for the classified network, accounted for $45 million of total expenditures over the period. According to LANL, funding for its core classified cyber security program was inadequate for implementing an effective program during fiscal years 2007 and 2008. According to NNSA, however, it funded programs based on available resources and on risk evaluations conducted at both the enterprise and site levels.

Recommendations

Recommendations for Executive Action

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that the risk assessments for systems connected to the classified computer network evaluate all known threats and vulnerabilities.
Status: Closed – Implemented
Verification: We verified that LANL ensured that the risk assessments for systems connected to the classified computer network evaluated all known threats and vulnerabilities.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that cyber security policies and procedures applicable to the classified computer network are comprehensive and contain specific instructions on how to implement federal and departmental requirements.
Status: Closed – Implemented
Verification: In fiscal year 2012 we verified that LANL effectively developed comprehensive cyber security policies and procedures for its classified computer network that contain specific instructions on how to implement federal and departmental requirements.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop and implement a policy to mark the classification level of information in documents and files stored on the classified computer network.
Status: Closed – Implemented
Verification: In fiscal year 2014 we verified that LANL developed and implemented a policy to mark the classification level of information in documents and files stored on the classified computer network.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to implement specialized training requirements for all users with significant security-related responsibilities on the classified computer network.
Status: Closed – Implemented
Verification: In fiscal year 2014 we verified that LANL implemented specialized training requirements for all users with significant security-related responsibilities on the classified computer network.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that security plans for systems connected to the classified computer network are revised to sufficiently document technical security controls.
Status: Closed – Implemented
Verification: In fiscal year 2014 we verified that LANL ensured that security plans for systems connected to the classified computer network were revised to sufficiently document technical security controls.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to strengthen the security testing and evaluation process for the systems connected to the classified computer network by conducting comprehensive vulnerability scans and expanding technical testing to cover new areas that might be vulnerable.
Status: Closed – Implemented
Verification: In fiscal year 2014 we verified that LANL strengthened the security testing and evaluation process for the systems connected to the classified computer network by conducting comprehensive vulnerability scans and expanding technical testing to cover new areas that might be vulnerable.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to ensure that plans of action and milestones include all system- and program-level cyber security weaknesses and required information so that they are an effective management tool for tracking security weaknesses and identifying budgetary resources needed to protect the classified computer network.
Status: Closed – Implemented
Verification: In fiscal year 2012 we verified that LANL included system- and program-level cyber security weaknesses and required information in its plans of action and milestones.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop comprehensive contingency plans for all computer systems connected to the classified computer network.
Status: Closed – Implemented
Verification: In fiscal year 2014 we verified that LANL, in response to our recommendation, developed comprehensive contingency plans for all computer systems connected to the classified computer network.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to annually test the contingency plans for the systems connected to the classified computer network to determine if the laboratory's proposed actions will function as intended during emergency situations.
Status: Closed – Implemented
Verification: We verified that LANL annually tested the contingency plans for the systems connected to the classified computer network to determine if the laboratory's proposed actions will function as intended during emergency situations.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to take steps to centralize security management of the classified computer network to enforce compliance with laboratory policies, procedures, and practices for each computer system connected to the classified computer network.
Status: Closed – Implemented
Verification: We verified that LANL has taken steps to centralize security management of the classified computer network to enforce compliance with laboratory policies, procedures, and practices for each computer system connected to the classified computer network.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop a sustainability plan, in collaboration with NNSA, that details, among other things, (1) how the laboratory plans to maintain recent cyber security improvements, (2) how these improvements will be supported on a long-term basis, and (3) the resource requirements needed to sustain and improve on recent cyber security improvements.
Status: Closed – Implemented
Verification: In fiscal year 2012, we verified that LANL, in response to our recommendation, developed plans to address sustainability in collaboration with NNSA that detail, among other things, (1) how the laboratory plans to maintain recent cyber security improvements, (2) how these improvements will be supported on a long-term basis, and (3) the resource requirements needed to sustain and improve on recent cyber security improvements.

Agency Affected: National Nuclear Security Administration
Recommendation: To improve LANL's information security program for its classified computer network, the Administrator for the National Nuclear Security Administration should direct the Director of Los Alamos National Laboratory to develop and maintain an inventory of documents and files stored on the network.
Status: Closed – Implemented
Verification: In fiscal year 2014 we verified that LANL developed and implemented a policy to inventory documents and files stored on the classified computer network.

Agency Affected: National Nuclear Security Administration
Recommendation: To ensure sustainability efforts are properly implemented and effective federal oversight is provided, the Administrator of the National Nuclear Security Administration should undertake a comprehensive review of federal cyber security staffing requirements at the Los Alamos Site Office to determine if additional staff is needed. Should a determination be made that additional federal cyber security staff is needed, actions should be taken by the Manager of the Los Alamos Site Office to acquire sufficient cyber security staff, ensure that staff receive adequate training, and maintain the skills necessary to perform adequate oversight and enforce compliance with NNSA cyber security requirements.
Status: Closed – Implemented
Verification: In fiscal year 2012, we verified that NNSA, in response to our recommendation, undertook a comprehensive review of federal cyber security staffing requirements at the Los Alamos Site Office (LASO) and determined that additional staff was needed. Funding was allocated for three contractor support personnel at LASO.

Agency Affected: National Nuclear Security Administration
Recommendation: To ensure sustainability efforts are properly implemented and effective federal oversight is provided, the Administrator of the National Nuclear Security Administration should assess LANL's sustainability capabilities 12 months after it implemented the Compliance Order, and periodically review LANL's sustainability plan in order to increase accountability for and improve performance of the laboratory's cyber security operations.
Status: Closed – Implemented
Verification: In fiscal year 2012, we verified that NNSA, in response to our recommendation, assessed LANL's sustainability capabilities and periodically reviewed LANL's sustainability plan in order to increase accountability for and improve performance of the laboratory's cyber security operations.

Topics

Classified information, Computer networks, Cybersecurity, Computer security, Electronic data interchange, Facility security, Information classification, Information security, Internal controls, Laboratories, Program evaluation, Risk assessment, Security threats, Software verification and validation, Strategic information systems planning, Systems analysis, Confidential communications