GAO: Los Alamos Lab has cybersecurity gaps

By Alice Lipowicz, Federal Computer Week
Published on September 26, 2008

The Los Alamos National Laboratory suffers from cybersecurity weaknesses that affect how it protects information on its sensitive but unclassified network, according to a new report from the Government Accountability Office.

That network includes sensitive data such as controlled nuclear information, export control information, and personally identifiable information about employees of the national lab, the GAO report released Sept. 25 explained.

The nuclear weapons lab, in Los Alamos, N.M., has experienced breaches in its security in several incidents over the last decade. It was budgeted nearly $200 million in fiscal 2007 to provide for physical and cybersecurity. Despite improvements, the facility continues to have gaps in its physical security and cybersecurity, the GAO report concluded.

“Our review of cybersecurity at Los Alamos National Laboratory found that the laboratory has implemented measures to enhance its information security, but weaknesses remain in protecting the confidentiality, integrity and availability of information on its unclassified network,” the report said.

Vulnerabilities exist in identifying and authenticating users; encrypting sensitive information; and monitoring and auditing compliance with security policies. Furthermore, the lab has not fully implemented an information security program.

GAO made 52 recommendations to fix the lab’s cybersecurity gaps, some of which had been documented in prior years.

Lab officials have said that their cybersecurity funding amount is inadequate to address all the security concerns, but that assessment has been questioned by the National Nuclear Security Administration. From fiscal years 2001 through 2007, the lab spent $51.4 million to protect and maintain its unclassified network.

[Download the GAO report here.]