Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network

GAO-08-1001 September 9, 2008

Summary

The Los Alamos National Laboratory (LANL), which is operated by the National Nuclear Security Administration (NNSA), has experienced security lapses protecting information on its unclassified computer network. The unclassified network contains sensitive information. GAO (1) assessed the effectiveness of the security controls LANL has in place to protect information transmitted over its unclassified computer network, (2) assessed whether LANL had implemented an information security program for its unclassified network, and (3) examined expenditures to protect LANL's unclassified network from fiscal years 2001 through 2007. To carry out its work, GAO examined security policies and procedures and reviewed the laboratory's access controls for protecting information on the unclassified network.

LANL has implemented measures to enhance its information security, but weaknesses remain in protecting the confidentiality, integrity, and availability of information on its unclassified network. LANL has implemented a network security system that is capable of detecting potential intrusions. However, GAO found vulnerabilities in several critical areas, including (1) identifying and authenticating users, (2) encrypting sensitive information, and (3) monitoring and auditing compliance with security policies. For example, LANL had implemented strong authentication measures for accessing the network. However, once granted this access, a user could create a simple password that would allow alternative access to certain sensitive information. Furthermore, LANL did not use encryption for authentication to certain internal services, which increased the risk that sensitive information transmitted over the unclassified network could be compromised. A key reason for the information security weaknesses is that the laboratory has not implemented an information security program to ensure that controls are effectively established and maintained. For example, LANL did not adequately assess information security risks or develop effective policies and procedures to govern the security of its computing environment. LANL's most recent risk assessment for the unclassified network generally identified and analyzed vulnerabilities, but did not account for risks identified by internal vulnerability testing. Deficiencies in LANL's policies and procedures have been the subject of reports by the Department of Energy's (DOE) Office of Independent Oversight and the Los Alamos Site Office, including foreign nationals' access to the unclassified network. GAO found that, as of May 2008, 301 (or 44 percent) of the 688 foreign nationals who had access to the unclassified network were from countries classified as sensitive by DOE, such as China, India, and Russia.
In addition, a significant number of foreign nationals from sensitive countries were authorized remote access to LANL's unclassified network. The number of foreign nationals with access has raised concerns among laboratory and NNSA officials because of the sensitive information contained on the unclassified network. In response, the laboratory has taken some measures to limit foreign nationals' access. From fiscal years 2001 through 2007, LANL spent approximately $51.4 million to protect its unclassified network. LANL cyber security officials told us that funding has been inadequate to address some of their security concerns. Specifically, there was a risk that unclassified network users would no longer receive cyber security training and that the laboratory would not be able to ensure that data containing sensitive unclassified information would be properly sanitized or destroyed. However, NNSA officials asserted that LANL has not adequately justified its requests for additional funds. NNSA is in the process of implementing a more systematic approach for developing budgets for cyber security activities across the nuclear weapons complex, including LANL.
Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Eugene E. Aloise
Team: Government Accountability Office: Natural Resources and Environment
Phone: (202) 512-6870
Recommendations for Executive Action
Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to ensure that the risk assessment for the unclassified network evaluates all known vulnerabilities and is revised periodically.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to strengthen policies with a view toward further reducing, as appropriate, foreign nationals'--particularly those from countries identified by DOE as sensitive--access to the unclassified network.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to ensure that the new set of cyber security policies and procedures applicable to the unclassified network are comprehensive, including centralized configuration management for all types of systems, and contain specific instructions on how to implement federal requirements and guidance.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to ensure that the network security plan for the unclassified network is revised to document security controls using federal guidance and that this plan also includes or references key security activities, such as risk assessment development and the evaluation of security test results.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to strengthen the security test and evaluation process for the unclassified network by expanding technical testing to cover new areas that might be vulnerable, such as those disclosed in our report, and ensure that testing adequately considers federal guidance for evaluating security controls and determining their effectiveness.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to ensure that milestones in corrective action plans are met or that new milestones are established to remediate security weaknesses for the unclassified network in a timely manner.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to ensure that the related plan of action and milestones used for Federal Information Security Management Act (FISMA) reporting includes all LANL security weaknesses and required information so that it is an effective management tool for tracking security weaknesses and identifying budgetary resources needed to protect the unclassified network.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To improve LANL's information security program for its unclassified network, the Secretary of Energy and the Administrator of NNSA should require the Director of Los Alamos National Laboratory to develop and maintain a comprehensive continuity of operations plan that addresses the current unclassified network environment and periodically test the plan for restoring operations.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that NNSA has a clear and consistent strategy to determine resource requirements for the laboratory's unclassified network, the Secretary of Energy and the Administrator of NNSA should develop, document, and implement a process that clearly links resource requirements and funding decisions to risk assessments for the unclassified network.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that NNSA has a clear and consistent strategy to determine resource requirements for the laboratory's unclassified network, the Secretary of Energy and the Administrator of NNSA should implement a process that provides a rationale for approving or denying resource requests for the unclassified network.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To ensure that NNSA has a clear and consistent strategy to determine resource requirements for the laboratory's unclassified network, the Secretary of Energy and the Administrator of NNSA should establish and implement procedures to monitor critical program activities that are unfunded or underfunded in order to improve management accountability and transparency in determining how best to fund the most critical program requirements.

Agency Affected: Department of Energy

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Energy: National Nuclear Security Administration

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.