Full Title of Reference
Nuclear Security - Los Alamos National Laboratory Faces Challenges In Sustaining Physical and Cyber Security Improvements
Gene Aloise, Nabajyoti Barkakati, and Gregory C. Wilshusen (2008), Nuclear Security - Los Alamos National Laboratory Faces Challenges In Sustaining Physical and Cyber Security Improvements (2008). Testimony Before the Subcommittee on Oversight and Investigations, Committee on Energy and Commerce, House of Representatives.
Overview: Government Reports
Physical security at Los Alamos National Laboratory (LANL) is in a period of significant improvement, and LANL is implementing over two dozen initiatives to better protect its classified assets. However, while LANL’s current initiatives address many physical security problems previously identified in external security evaluations, other significant security problems have received insufficient attention. In addition, the management approaches that LANL and NNSA intend to use to sustain security improvements over the long term are in the early stages of development or contain weaknesses. Furthermore, LANL’s ability to sustain its improved physical security posture is unproven because (1) the laboratory appears not to have done so after a significant security incident in 2004, with another significant security breach in 2006, and (2) NNSA’s Los Alamos Site Office—which is responsible for overseeing security at LANL—may not have enough staff or the proper training to execute a fully effective security oversight program. GAO’s report made recommendations to help further improve physical security at LANL and ensure that these improvements are sustained over the long term.
As a result of poor performance on an April 2008 physical security evaluation conducted by the Department of Energy’s (DOE) Office of Independent Oversight, GAO is reviewing physical security at Lawrence Livermore National Laboratory (Livermore). GAO’s preliminary observations are that Livermore appears to experience difficulties similar to LANL’s in sustaining security performance. Furthermore, it appears that NNSA has not always provided effective oversight of Livermore. Specifically, an NNSA security survey conducted only 6 months prior to the April 2008 DOE evaluation gave Livermore the highest possible rating on its security program’s performance. These results differ markedly from those documented by DOE’s Office of Independent Oversight.
LANL has implemented measures to enhance cyber security, but weaknesses remain in protecting information on its unclassified network. This network possesses sensitive information such as unclassified controlled nuclear information, export control information, and personally identifiable information about LANL employees. GAO found vulnerabilities in critical areas, including (1) identifying and authenticating users, (2) encrypting sensitive information, and (3) monitoring and auditing security policy compliance. A key reason for these information security weaknesses is that the laboratory has not fully implemented an information security program to ensure that controls are effectively established and maintained. Furthermore, deficiencies in LANL’s policies and procedures raise additional concern, particularly with respect to foreign nationals’ accessing the network from the laboratory and remotely. Finally, LANL cyber security officials told GAO that funding to address some of their security concerns with the laboratory’s unclassified network has been inadequate. However, NNSA officials asserted that LANL had not adequately justified its requests for additional funds. GAO made 52 recommendations to help strengthen LANL’s information security program and controls over the unclassified network.