GAO: Security Weaknesses at Los Alamos Lab's Classified Network
November 13, 2009 - Eric Chabrow, Managing Editor - GovInfoSecurity.com
Los Alamos National Laboratory has spent $433 million to secure its classified computer network between fiscal years 2001 and 2008, according to a report issued Friday by the Government Accountability Office, yet significant weaknesses remain in safeguarding the confidentiality, integrity and availability of information stored on and transmitted over its classified computer network.
The audit, requested by the House Committee on Energy and Commerce, cites Los Alamos' management as saying funding for its core classified cybersecurity program has been inadequate for implementing an effective program during fiscal years 2007 and 2008.
"LANL's security plans and test plans were neither comprehensive nor detailed enough to identify certain critical weaknesses on the classified network," the GAO said in its 39-page report.
The Energy Department-run laboratory in Los Alamos, N.M., also known as LANL, is among the world's largest science and technology institutions that conduct multidisciplinary research for fields such as national security, outer space, renewable energy, medicine, nanotechnology and supercomputing. Along with the Lawrence Livermore National Laboratory, LANL is one of two labs in the United States where classified work designing nuclear weapons takes place.
GAO identified several critical areas where vulnerabilities surfaced, including uniquely identifying and authenticating the identity of users, authorizing user access, encrypting classified information, monitoring and auditing compliance with security policies and maintaining software configuration assurance.
A key reason for the information security weaknesses was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained, the congressional auditors said.
Among the program's shortfalls identified by the GAO:
- Lack of comprehensive risk assessments to ensure that appropriate controls are in place to protect against unauthorized use;
- Failure to develop detailed implementation guidance for key control areas, such as marking the classification level of information stored on the classified network;
- Inadequate specialized training for users with significant security responsibilities; and
- Insufficient development and testing of disaster recovery and contingency plans, which reduces the laboratory's chances of resuming normal operations after a service disruption.
Among GAO's recommendations: that the laboratory fully implement its information security program, centralize management of the classified network and develop a sustainability plan that details how it intends to maintain and build on recent cybersecurity improvements over the long term.
The National Nuclear Security Administration, the Energy Department unit responsible for the safety of government nuclear sites, generally concurred with the GAO recommendations.