Physical Security:

NIST and Commerce Need to Complete Efforts to Address Persistent Challenges

GAO-18-95: Published: Oct 11, 2017. Publicly Released: Oct 11, 2017.

Additional Materials:

Contact:

Seto J. Bagdoyan
(202) 512-6722
bagdoyans@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

GAO found that efforts to transform the physical security program at the National Institute of Standards and Technology (NIST) have incorporated some key practices, particularly with regard to leadership commitment to organizational change. For example, GAO estimates that, as of May 2017, 75 percent of staff GAO surveyed believe that NIST leadership places “great” or “very great” importance on security issues. However, staff awareness about security responsibilities varied, in part because of the limited effectiveness of NIST's security-related communication efforts. Additionally, GAO agents gained unauthorized access to various areas of both NIST campuses in Gaithersburg, Maryland, and Boulder, Colorado. GAO found that ongoing efforts do not provide NIST with the tools needed to address security vulnerabilities. By incorporating elements of key practices, including a comprehensive communication strategy, interim milestone dates, and measures to assess effectiveness, NIST will be better positioned to address the security vulnerabilities caused by varied levels of security awareness among employees.

Management of NIST's physical security program is fragmented between the Department of Commerce (Commerce) and NIST. This is inconsistent with the federal Interagency Security Committee's (ISC) physical security best practices, which encourage agencies to centrally manage physical security. Commerce is responsible for overseeing security personnel who implement physical security policies, while NIST manages physical security countermeasures such as access control technology, leading to fragmentation in responsibilities. Before implementing the current organizational structure in October 2015, neither Commerce nor NIST assessed whether it was the most appropriate way to fulfill NIST's physical security responsibilities. Without evaluating management options, the current organizational structure may be creating unnecessary inefficiencies, thereby inhibiting the effectiveness of the security program overall.

To help federal agencies protect and assess risks to their facilities, the ISC developed a risk management process standard (RMP Standard), with which federal agencies, including Commerce, generally must comply. Commerce and NIST most recently completed risk management steps for NIST campuses in 2015 and 2017, but GAO found that their efforts did not fully align with the RMP Standard. Neither Commerce nor NIST used a sound risk assessment methodology, fully documented key risk management decisions, or appropriately involved stakeholders, partly because these requirements were not in existing agency policy. Further, GAO found that Commerce and NIST had overlapping risk management activities, potentially leading to unnecessary duplication. According to officials, Commerce and NIST are separately drafting new risk management policies. Without ensuring that (1) these policies align with the RMP Standard and (2) the NIST policy contains a formal mechanism to coordinate with Commerce, future risk management activities may be limited in their usefulness and duplicative.

This report is a public version of a sensitive report that was also issued in October. Information that Commerce and the Department of Homeland Security deemed sensitive has been omitted.

Why GAO Did This Study

NIST is the United States' national physical laboratory, which among other matters is responsible for developing measurement standards. In 2017, NIST, located within Commerce, employed approximately 3,500 federal personnel and hosted about 4,000 associates, who include guest researchers and facility users, among others. Assessments in 2015 found issues with NIST's security culture.

GAO was asked to conduct a comprehensive review of the physical security of NIST's campuses. This report examines the extent to which: (1) NIST incorporated key practices to transform the security program and address security vulnerabilities; (2) the security program's organizational structure reflects best practices; and (3) the risk management process aligns with ISC standards.

GAO reviewed risk assessments and related documents; interviewed officials from Commerce and NIST; conducted a generalizable survey of NIST staff; and performed covert vulnerability testing, which provided illustrative examples.

What GAO Recommends

GAO is making four recommendations: NIST should incorporate elements of key practices into its ongoing security efforts; Commerce, in coordination with NIST, should evaluate the current physical security management structure; and Commerce and NIST should both finalize and implement coordinated risk management policies. Commerce concurred with all four recommendations.

For more information, contact Seto J. Bagdoyan at (202) 512-6722 or bagdoyans@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The NIST Director should incorporate elements of key practices into the implementation of the Security Sprint action plans, by establishing a comprehensive communication strategy for employees; interim milestone dates; and measures to assess effectiveness. (Recommendation 1)

    Agency Affected: Department of Commerce: National Institute of Standards and Technology

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of the Office of Security (OSY), in coordination with the NIST Director, should conduct an evaluation of the effectiveness of the current security management structure as compared to a consolidated security structure, centrally managed by OSY, to identify the most effective and feasible approach to physical security at NIST. (Recommendation 2)

    Agency Affected: Department of Commerce: Office of Security

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of OSY should ensure that the draft Commerce risk management policy is finalized and implemented in accordance with the ISC's RMP Standard, by requiring the following: (1) Use and documentation of a sound risk assessment methodology that assesses the threats, vulnerabilities, and consequences for each of the undesirable events required by the RMP Standard, and use of these three factors to measure risk. (2) Documentation of key risk management decisions, such as justification and tenants' approval for facility security level (FSL) determinations, justification for deviation from baseline levels of risk or protection, as well as risk acceptance and consideration of alternative countermeasures. (3) Establishment of a facility security committee (FSC) at multitenant facilities and campuses, including locations such as the NIST Boulder campus. (4) ISC training for all OSY assessors and the individuals responsible for deciding to implement countermeasures and accepting risk. (Recommendation 3)

    Agency Affected: Department of Commerce: Office of Security

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: The NIST Director should finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce's revised risk management policy, particularly with regard to establishing FSCs. (Recommendation 4)

    Agency Affected: Department of Commerce: National Institute of Standards and Technology

 

Explore the full database of GAO's Open Recommendations »

Nov 21, 2017

Nov 20, 2017

Nov 8, 2017

Oct 31, 2017

Oct 26, 2017

Oct 17, 2017

Oct 12, 2017

Oct 11, 2017

Oct 10, 2017

Looking for more? Browse all our products here