Information Security
Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network Gao ID: GAO-08-1001 September 9, 2008The Los Alamos National Laboratory (LANL), which is operated by the National Nuclear Security Administration (NNSA), has experienced security lapses protecting information on its unclassified computer network. The unclassified network contains sensitive information. GAO (1) assessed the effectiveness of the security controls LANL has in place to protect information transmitted over its unclassified computer network, (2) assessed whether LANL had implemented an information security program for its unclassified network, and (3) examined expenditures to protect LANL's unclassified network from fiscal years 2001 through 2007. To carry out its work, GAO examined security policies and procedures and reviewed the laboratory's access controls for protecting information on the unclassified network.
LANL has implemented measures to enhance its information security, but weaknesses remain in protecting the confidentiality, integrity, and availability of information on its unclassified network. LANL has implemented a network security system that is capable of detecting potential intrusions. However, GAO found vulnerabilities in several critical areas, including (1) identifying and authenticating users, (2) encrypting sensitive information, and (3) monitoring and auditing compliance with security policies. For example, LANL had implemented strong authentication measures for accessing the network. However, once gaining this access, a user could create a simple password that would allow alternative access to certain sensitive information. Furthermore, LANL did not use encryption for authentication to certain internal services, which increased the risk that sensitive information transmitted over the unclassified network could be compromised. A key reason for the information security weaknesses is that the laboratory has not implemented an information security program to ensure that controls are effectively established and maintained. For example, LANL did not adequately assess information security risks or develop effective policies and procedures to govern the security of its computing environment. LANL's most recent risk assessment for the unclassified network generally identified and analyzed vulnerabilities, but did not account for risks identified by internal vulnerability testing. Deficiencies in LANL's policies and procedures have been the subject of reports by the Department of Energy's (DOE) Office of Independent Oversight and the Los Alamos Site Office, including foreign nationals' access to the unclassified network. GAO found that, as of May 2008, 301 (or 44 percent) of 688 foreign nationals, who had access to the unclassified network, were from countries classified as sensitive by DOE, such as China, India, and Russia. In addition, a significant number of foreign nationals from sensitive countries were authorized remote access to LANL's unclassified network. The number of foreign nationals with access has raised concerns among laboratory and NNSA officials because of the sensitive information contained on the unclassified network. In response, the laboratory has taken some measures to limit foreign nationals' access. From fiscal years 2001 through 2007, LANL spent approximately $51.4 million to protect its unclassified network. LANL cyber security officials told us that funding has been inadequate to address some of their security concerns. Specifically, there was a risk that unclassified network users would no longer receive cyber security training and that the laboratory would not be able to ensure that data containing sensitive unclassified information would be properly sanitized or destroyed. However, NNSA officials asserted that LANL has not adequately justified its requests for additional funds. NNSA is in the process of implementing a more systematic approach for developing budgets for cyber security activities across the nuclear weapons complex, including LANL.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-08-1001, Information Security: Actions Needed to Better Protect Los Alamos National Laboratory's Unclassified Computer Network
This is the accessible text file for GAO report number GAO-08-1001
entitled 'Information Security: Actions Needed to Better Protect Los
Alamos National Laboratory's Unclassified Computer Network' which was
released on September 26, 2008.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Committees:
United States Government Accountability Office:
GAO:
September 2008:
Information Security:
Actions Needed to Better Protect Los Alamos National Laboratory's
Unclassified Computer Network:
Information Security:
GAO-08-1001:
GAO Highlights:
Highlights of GAO-08-1001, a report to congressional committees.
Why GAO Did This Study:
The Los Alamos National Laboratory (LANL), which is operated by the
National Nuclear Security Administration (NNSA), has experienced
security lapses protecting information on its unclassified computer
network. The unclassified network contains sensitive information. GAO
(1) assessed the effectiveness of the security controls LANL has in
place to protect information transmitted over its unclassified computer
network, (2) assessed whether LANL had implemented an information
security program for its unclassified network, and (3) examined
expenditures to protect LANL‘s unclassified network from fiscal years
2001 through 2007. To carry out its work, GAO examined security
policies and procedures and reviewed the laboratory‘s access controls
for protecting information on the unclassified network.
What GAO Found:
LANL has implemented measures to enhance its information security, but
weaknesses remain in protecting the confidentiality, integrity, and
availability of information on its unclassified network. LANL has
implemented a network security system that is capable of detecting
potential intrusions. However, GAO found vulnerabilities in several
critical areas, including (1) identifying and authenticating users, (2)
encrypting sensitive information, and (3) monitoring and auditing
compliance with security policies. For example, LANL had implemented
strong authentication measures for accessing the network. However, once
gaining this access, a user could create a simple password that would
allow alternative access to certain sensitive information. Furthermore,
LANL did not use encryption for authentication to certain internal
services, which increased the risk that sensitive information
transmitted over the unclassified network could be compromised.
A key reason for the information security weaknesses is that the
laboratory has not implemented an information security program to
ensure that controls are effectively established and maintained. For
example, LANL did not adequately assess information security risks or
develop effective policies and procedures to govern the security of its
computing environment. LANL‘s most recent risk assessment for the
unclassified network generally identified and analyzed vulnerabilities,
but did not account for risks identified by internal vulnerability
testing. Deficiencies in LANL‘s policies and procedures have been the
subject of reports by the Department of Energy‘s (DOE) Office of
Independent Oversight and the Los Alamos Site Office, including foreign
nationals‘ access to the unclassified network. GAO found that, as of
May 2008, 301 (or 44 percent) of 688 foreign nationals, who had access
to the unclassified network, were from countries classified as
sensitive by DOE, such as China, India, and Russia. In addition, a
significant number of foreign nationals from sensitive countries were
authorized remote access to LANL‘s unclassified network. The number of
foreign nationals with access has raised concerns among laboratory and
NNSA officials because of the sensitive information contained on the
unclassified network. In response, the laboratory has taken some
measures to limit foreign nationals‘ access.
From fiscal years 2001 through 2007, LANL spent approximately $51.4
million to protect its unclassified network. LANL cyber security
officials told us that funding has been inadequate to address some of
their security concerns. Specifically, there was a risk that
unclassified network users would no longer receive cyber security
training and that the laboratory would not be able to ensure that data
containing sensitive unclassified information would be properly
sanitized or destroyed. However, NNSA officials asserted that LANL has
not adequately justified its requests for additional funds. NNSA is in
the process of implementing a more systematic approach for developing
budgets for cyber security activities across the nuclear weapons
complex, including LANL.
What GAO Recommends:
GAO recommends, among other things, that the Secretary of Energy and
the Administrator of NNSA require the Director of LANL to (1) ensure
that the risk assessment for the unclassified network evaluates all
known vulnerabilities and is revised periodically and (2) strengthen
policies with a view toward further reducing, as appropriate, foreign
nationals‘” particularly those from countries that DOE has identified
as sensitive”access to the unclassified network. NNSA did not
specifically comment on GAO‘s recommendations but agreed with the
conclusions.
To view the full product, including the scope and methodology, click on
[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-1001]. For more
information, contact Gene Aloise at (202) 512-3841, or aloisee@gao.gov;
Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov and Nabajyoti
Barkakati at (202) 512-6412 or barkakatin@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
LANL Has Information Security Controls in Place to Protect Its
Unclassified Network, but Weaknesses Remain:
LANL Has Not Fully Implemented Key Information Security Program
Activities for Its Unclassified Network:
LANL Has Spent Approximately $51.4 Million to Protect Its Unclassified
Network from Fiscal Years 2001 through 2007, but Future Resource
Requirements Need Better Justification:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the National Nuclear Security
Administration:
Appendix III: GAO Contacts and Staff Acknowledgments:
Related GAO Products:
Figures:
Figure 1: Percentage of Foreign Nationals from Sensitive and
Nonsensitive Countries at LANL with Unclassified Network Access, as of
May 2008:
Figure 2: Annual Expenditures on LANL's Unclassified Network, Fiscal
Years 2001-2007:
Abbreviations:
C&A: certification and accreditation:
DAA: Designated Approving Authority:
DOE: Department of Energy:
FISCAM: Federal Information System Controls Audit Manual:
FISMA: Federal Information Security Management Act:
FSU: former Soviet Union:
IT: information technology:
LANL: Los Alamos National Laboratory:
LANS: Los Alamos National Security, LLC:
LASO: Los Alamos Site Office:
NIST: National Institute of Standards and Technology:
NNSA: National Nuclear Security Administration:
OMB: Office of Management and Budget:
PIN: personal identification number:
SANS: System Administration, Networking, and Security:
United States Government Accountability Office:
Washington, DC 20548:
September 9, 2008:
The Honorable John D. Dingell:
Chairman:
The Honorable Joe Barton:
Ranking Member:
Committee on Energy and Commerce:
House of Representatives:
The Honorable Bart Stupak:
Chairman:
The Honorable John M. Shimkus:
Ranking Member:
Subcommittee on Oversight and Investigations:
Committee on Energy and Commerce:
House of Representatives:
The Los Alamos National Laboratory (LANL),[Footnote 1] which is
operated by the National Nuclear Security Administration
(NNSA),[Footnote 2] has experienced a number of security lapses in
protecting sensitive information. Over the last decade, these
information security lapses have included, but are not limited to, the
inability to accurately identify computer resources connected to the
unclassified network and to identify and correct computer network
vulnerabilities.
The unclassified network at LANL comprises over 25,000 devices, which
does not include supporting devices, such as servers, printers, and
scanners. It also contains about 51,000 active network ports, which
serve as the interface between computers and other devices on the
network, and provides service to over 13,000 users.
LANL's unclassified network is segmented into subnetworks and includes
the (1) protected-unclassified network, which is the default location
for unclassified computer systems at the laboratory and contains
sensitive unclassified data and information; (2) unclassified-open
network, which supports the laboratory's presence on the Internet and
is to contain no sensitive information; (3) collaboration network,
which supports external scientific collaboration involving high-
performance computing; and (4) visitor network, which provides an
outgoing connection to the Internet for visitors needing to check e-
mail. This report focuses on LANL's protected-unclassified network
because this network is designed to protect most of the laboratory's
networks and systems from unauthorized access and is the clear target
of sophisticated cyber attacks. For the purposes of this report, we
will refer to this network as the "unclassified" network.
LANL's unclassified network has faced a number of security challenges.
During 2007, according to LANL officials, the firewalls and other
blocking mechanisms of the unclassified network deflected more than 10
million cyber probes every month. Cyber attacks include, among other
things, the use of information exploitation tools, such as computer
viruses, Trojan horses, and worms, that can destroy, intercept, and
degrade the integrity of or deny access to information on a computer
network. In addition, the unclassified network has voluminous e-mail
traffic, which makes the network potentially vulnerable to malicious
code designed to exploit e-mail services. The network receives
approximately 2 million e-mails per month, plus approximately 50,000 to
500,000 spam e-mails every day, and LANL employees send approximately 1
million e-mails every month.
LANL's large unclassified computer network contains sensitive
information, including business proprietary information; unclassified
controlled nuclear information; naval nuclear propulsion information;
export control information; nuclear reactor safeguards information; the
military critical technology list; confidential foreign government
information; and personally identifiable information, including names,
aliases, Social Security numbers, and biometric records of employees,
contractors, and visitors. Owing to the nature of the research and
development conducted at LANL, the information on the unclassified
network presents a valuable target for foreign governments, terrorists,
and industrial spies.
Recognizing the importance of securing information systems at federal
agencies, Congress enacted the Federal Information Security Management
Act (FISMA) in December 2002 to strengthen the security of information
and information systems across the federal government.[Footnote 3]
FISMA requires each agency to develop, document, and implement an
agency-wide information security program that supports the operations
and assets of the agency, including those provided or managed by
another agency or contractor on its behalf.
To ensure the confidentiality, integrity, and availability of critical
information and information systems used to support the operations and
assets of federal agencies, information security controls and
complementary program activities are required.[Footnote 4] Effective
information security controls are necessary to ensure the protection of
sensitive information contained and transmitted over computer networks.
In addition, certain program management activities, such as the
development, documentation, and implementation of policies and
procedures, are required to govern the protection of
information.[Footnote 5]
Information security controls are put in place to prevent, limit, and
detect unauthorized access, use, disclosure, modification,
distribution, or disruption to computing resources, programs, and
information. Examples of information security controls are as follows:
* User identification and authentication allows computer systems to
differentiate between users so that activities on the system can be
linked to specific individuals, and the claimed identity of users can
be verified.
* Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive
information.[Footnote 6]
* Audit and monitoring controls help establish individual
accountability and monitor compliance with security policies.
* Configuration management involves the identification and management
of security features for all hardware, software, and firmware
components of an information system and systematically controls changes
to that configuration throughout the development and operational life
cycle of the system.
* Physical controls restrict physical access to computer resources,
usually by limiting access to the buildings and rooms in which the
resources are housed and by periodically reviewing the access granted
in order to ensure that access continues to be appropriate.
A comprehensive information security program is the foundation of a
security control structure and a reflection of senior management's
commitment to addressing security risks. The program should establish a
framework and continuous cycle of activities for assessing risk,
developing and implementing effective security procedures, and
monitoring the effectiveness of these procedures.
Information security program activities govern the security protections
for the information and information systems that support the operations
and assets of the agency using a risk-based approach. These activities
include ensuring that an agency (1) periodically assesses the risk and
the magnitude of harm that could result from unauthorized access; (2)
develops, documents, and implements risk-based policies and procedures
to ensure that information security is addressed throughout the life
cycle of each system and ensures compliance with applicable
requirements; (3) develops, documents, and implements plans to provide
adequate information security for networks, systems, and facilities;
(4) provides security awareness training to inform personnel of
information security risks and of their responsibilities in complying
with agency policies and procedures; (5) periodically tests and
evaluates the effectiveness of information security policies,
procedures, and practices relating to management, operational, and
technical controls for every system--the frequency of such tests should
be based on risk but occur at least once per year; (6) has a process
for planning, implementing, evaluating, and documenting remedial action
to address deficiencies in information security policies, procedures,
or practices; (7) has procedures for detecting, reporting, and
responding to security incidents; and (8) documents, develops, and
implements plans and procedures to ensure continuity of operations for
information systems that support its operations and assets.
This report evaluates key elements of LANL's unclassified information
security program. Specifically, we (1) assessed the effectiveness of
security controls LANL has implemented to protect information
transmitted over its unclassified computer network, (2) assessed
whether LANL had implemented an information security program to ensure
that controls were effectively established and maintained for its
unclassified computer network, and (3) examined the expenditure of
funds used to protect LANL's unclassified computer network from fiscal
years 2001 through 2007.
We visited LANL to assess the effectiveness of security controls that
the laboratory had implemented for its unclassified computer network,
and we gained an understanding of the overall network control
environment and identified its interconnectivity and control points. We
performed vulnerability assessments to evaluate authentication and
authorization controls, encryption mechanisms, network monitoring
processes, and configuration management controls for the unclassified
network. We also reviewed the effectiveness of physical security
operations in preventing unauthorized access to cyber-related
resources. In addition, we obtained views from and documentation on
these issues from responsible security officials at the Department of
Energy (DOE), NNSA, the Los Alamos Site Office (LASO), and LANL.
To assess whether LANL had implemented an information security program
to ensure that controls were effectively established and maintained for
its unclassified computer network, we determined whether policies and
procedures adhered to NNSA, DOE, and the National Institute of
Standards and Technology (NIST) guidance, in areas such as security
awareness training, risk assessment, information security plans,
security testing and evaluation, corrective action plans, and
continuity of operations for information systems. In addition, we
obtained the views of and documentation on these issues from officials
responsible for information security management at DOE, NNSA, LASO, and
LANL. We also met with officials from DOE's Office of Independent
Oversight and its Office of Inspector General, regarding any related
prior, ongoing, or planned work in these areas.
To determine the expenditure of funds used to protect LANL's
unclassified computer network from fiscal years 2001 through 2007, we
obtained and analyzed documentation detailing program expenditures and
met with LANL officials to discuss the data. We chose this time period
because, beginning in fiscal year 2001, NNSA assumed programmatic
responsibility for the nuclear weapons complex. We obtained responses
to a series of data reliability questions, from responsible LANL
officials, covering issues such as data entry access, internal control
procedures, and the accuracy and completeness of the data. In addition,
we obtained written responses from LANL officials to clarify
discrepancies in the data we received. We determined that the data were
sufficiently reliable for the purposes of this report.
We conducted this performance audit from May 2007 to September 2008 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives. A more detailed description
of our objectives, scope, and methodology is contained in appendix I.
Results in Brief:
LANL has implemented measures to enhance its information security, but
weaknesses remain in protecting the confidentiality, integrity, and
availability of information on its unclassified network. In particular,
LANL has implemented a network security system that is capable of
detecting potential intrusions on the network. However, LANL has
vulnerabilities in several critical areas, including (1) identifying
and authenticating users of the network, (2) encrypting sensitive
information, (3) monitoring and auditing compliance with security
policies, (4) controlling and documenting changes to a computer
system's hardware and software, and (5) restricting physical access to
computing resources. For example, although LANL had implemented strong
authentication measures for accessing the network, these measures were
not always used. Once a user successfully accessed the network, the
user could create a separate simple password that would allow
alternative access to certain sensitive information. Furthermore, LANL
neither conducted comprehensive vulnerability scans of the unclassified
network nor did it include sensitive applications in these scans, thus
leaving the network at increased risk of compromise or disruption. In
addition to these weaknesses, LANL's computing facilities had physical
security weaknesses and could be vulnerable to intentional disruption.
Specifically, we observed lax restriction of vehicular traffic entering
the laboratory and inadequate fencing.
The laboratory has not yet implemented an information security program
to ensure that controls are effectively established and maintained--the
absence of such a program is a key reason for the information security
weaknesses we identified. Although LANL has implemented an effective
security awareness training program, we identified a number of
shortcomings in its overall information security management program.
For example, LANL did not adequately assess information security risks
or develop effective policies and procedures to govern the security of
its computing environment. LANL's most current risk assessment for the
unclassified network, completed in June 2007, generally identified and
analyzed vulnerabilities but did not account for risks identified by
internal vulnerability testing. We also identified shortcomings in
other information security policies and procedures. For example, LANL's
information security policies and procedures lacked specific
implementation guidance. Furthermore, LANL does not have a formal
contingency plan for its unclassified network that conforms to current
federal requirements to ensure continuous network operations. Many of
these cyber security deficiencies have been the subject of prior
reports by DOE's Office of Independent Oversight and LASO. The most
recent reports, covering fiscal years 2006 and 2007, documented
significant weaknesses with LANL's unclassified information security
program, including foreign nationals' access to the laboratory's
unclassified network. As of May 2008, LANL had granted unclassified
network access to 688 foreign nationals, including over 300 from
countries identified as sensitive by DOE, such as China, India, and
Russia. A country is identified as sensitive based on national
security, nuclear nonproliferation, or terrorism concerns. In addition,
foreign nationals from sensitive countries have been authorized remote
access to LANL's unclassified network. The number of foreign nationals
who have access to the unclassified network has raised security
concerns among some laboratory and NNSA officials because of the
sensitive information contained on the network. According to LANL, the
percentage of foreign nationals with authorized remote access to the
unclassified network has steadily declined over the last 5 years.
From fiscal years 2001 through 2007, LANL spent about $51.4 million to
protect and maintain its unclassified network. Although LANL cyber
security officials told us that funding has been inadequate to address
some of their security concerns, NNSA officials raised questions about
the basis for LANL's funding request for cyber security. NNSA's Chief
Information Officer told us that LANL has not adequately justified
requests for additional funds to address the laboratory's stated
shortfalls. In addition, NNSA officials informed us that LANL's past
budget requests were prepared on an ad hoc basis and were not based on
well-defined threat and risk assessments. In response to these
concerns, in fiscal year 2006, NNSA implemented a more systematic
approach to developing cyber security budgets across the nuclear
weapons complex, including LANL. This effort, however, does not provide
guidance that clearly lays out funding priorities. Furthermore, NNSA
does not consistently document resource allocation decisions and
identify how funding shortfalls affect critical cyber security issues.
To help strengthen information security controls over LANL's
unclassified network, we are making a series of recommendations to the
Secretary of Energy and the Administrator of NNSA that require the
Director of the Los Alamos National Laboratory to, among other things,
(1) ensure that the risk assessment for the unclassified network
evaluates all known vulnerabilities and is revised periodically and (2)
strengthen policies with a view toward further reducing, as
appropriate, foreign nationals'--particularly those countries
identified as sensitive by DOE--access to the unclassified network. We
also are making 41 recommendations in a separate report with limited
distribution. These recommendations consist of actions to be taken to
correct the specific information security weaknesses related to
identification and authentication, cryptography, audit and monitoring,
configuration management, and physical security.
We provided NNSA with a copy of this report for review and comment.
NNSA did not specifically comment on our recommendations. However, NNSA
agreed with our general conclusion that LANL has taken steps to protect
sensitive information and acknowledged that there was considerable work
yet to be done. NNSA also stated that LANL is currently responding to a
DOE Secretarial Compliance Order requiring the laboratory contractor to
take comprehensive steps to ensure that it identifies and addresses,
among other things, critical cyber security deficiencies. The July 2007
Compliance Order requires LANL to submit an integrated corrective
action plan to address critical security issues. These steps must be
completed by December 2008. NNSA noted that responding to the issues
identified in this report--as well as more technical issues included in
a limited official use only version of this report--will extend beyond
the completion of the Compliance Order since the actions we recommend
are more complex. We would expect that our recommendations, when
implemented, would complement and be consistent with other remedial
actions taken to improve LANL's cyber security posture as part of the
Secretarial Compliance Order.
Background:
LANL is responsible for planning and executing all facets of stockpile
stewardship, including assessing, refurbishing, and certifying nuclear
weapons. The laboratory operates and manages numerous nuclear
facilities. Critical activities include plutonium, uranium, and tritium
processing; research and development on special nuclear material; high-
energy radiography; radiation measurement; packaging of nuclear
materials; and the management of radioactive and hazardous waste. To
help carry out these critical missions, LANL uses its unclassified and
classified computer networks to manage its business operations, conduct
nonnuclear experiments, and analyze nuclear weapons and their delivery
systems to meet requirements established by the Department of Defense.
Protecting the computer systems that support LANL's operations has
never been more important. Government officials are increasingly
concerned about attacks from individuals and groups with malicious
intent, such as terrorists and foreign intelligence agencies. These
concerns are well-founded for a number of reasons, including the
dramatic increase in the reports of security incidents in the United
States and the steady advance in the sophistication and effectiveness
of attack technologies. As the nation's defense and intelligence
communities increasingly rely on commercially available information
technology, the likelihood increases that information attacks will
threaten vital national interests.
A basic management objective for any organization is to protect the
resources that support its critical operations from unauthorized
access, use, destruction, or disruption. Organizations accomplish this
objective by designing and implementing controls that are intended to,
among other things, prevent, limit, and detect unauthorized access to
computing resources, programs, information, and facilities. Inadequate
security controls diminish the reliability of computerized information
and increase the risk of unauthorized disclosure, modification, and
destruction of sensitive information and disruption of service.
Security controls include those related to user identification and
authentication, cryptography, audit and monitoring, configuration
management, and physical security.
LANL Has Information Security Controls in Place to Protect Its
Unclassified Network, but Weaknesses Remain:
LANL has implemented measures to enhance its information security, but
weaknesses remain. In particular, LANL has implemented a network
security system that can detect potential intrusions on the network.
However, LANL has vulnerabilities in several critical areas, including
(1) identifying and authenticating users, (2) encrypting sensitive
information, (3) monitoring and auditing compliance with security
policies, (4) controlling and documenting changes to a computer
system's hardware and software, and (5) restricting physical access to
computing resources.
Strong Authentication Was Implemented but Not Always Used:
A computer system must be able to identify and authenticate different
users so that activities on the system can be linked to specific
individuals. When an organization assigns unique user accounts to
specific users, the system is able to distinguish one user from
another--a process called identification. The system also must
establish the validity of a user's claimed identity by requesting some
kind of information, such as a password, that is known only by the
user--a process known as authentication. The combination of
identification and authentication--such as user account/password
combinations--provides the basis for establishing individual
accountability and for controlling access to the system. As NIST notes,
multifactor authentication schemes are stronger than single factor
authentication.[Footnote 7] In keeping with this standard, LANL's
password policy requires that one-time passcodes (using token cards and
personal identification numbers (PIN), i.e., two-factor authentication)
be used whenever possible or practical. It further states that users
are not to share passwords and that vendor-supplied default passwords
must be changed immediately.
LANL had implemented a strong authentication solution for its network
through the use of two-factor authentication with a one-time password-
-use of a token (cryptocard); a PIN; and a one-time number code.
However, strong authentication was not always used. Once a user
successfully accessed the network, the user could create a separate
login password that would allow alternative access to sensitive
information on the unclassified network. Such access was allowed for
file sharing and e-mail. Furthermore, users shared default
identifications and passwords for managing certain network devices. As
a result, LANL was at increased risk that unauthorized users could
access sensitive information in files and e-mails, as well as obtain
access to network devices.
Cryptography Was Not Always Effectively Used:
Cryptography underlies many of the mechanisms used to enforce the
confidentiality and integrity of critical and sensitive information. A
basic element of cryptography is encryption. The National Security
Agency recommends disabling protocols that do not encrypt information,
such as user identification and password combinations transmitted
across the network.
Although LANL had implemented cryptography, it was not always effective
or used in transmitting sensitive information. LANL integrated Kerberos
with its authentication process.[Footnote 8] Kerberos is designed to
provide strong authentication for client/server applications by using
secret-key cryptography so that each party can prove its identity
across an insecure network connection. However, the laboratory relied
on a Kerberos implementation that uses a weak and outdated encryption
algorithm. Furthermore, LANL neither uses encryption to protect certain
network management connections, nor requires encryption for
authentication to certain internal services. Instead, the laboratory
used clear text protocols (i.e., unencrypted) to manage key network
devices, such as internal firewalls and switches. As a result,
sensitive data transmitted through the unclassified network is at an
increased risk of being compromised.
Network Monitoring Was Performed Regularly but Was Not Comprehensive:
To establish individual accountability, monitor compliance with
security policies, and investigate security violations, it is crucial
to determine who has taken actions on the system, what these actions
were, and when they were taken. According to NIST, when performing
vulnerability scans, greater emphasis should be placed upon systems
that are accessible from the Internet (e.g., Web and e-mail servers);
systems that house important or sensitive applications or data (e.g.,
databases); or network infrastructure components (e.g., routers,
switches, and firewalls). In addition, according to commercial vendors,
running scanning software in an authenticated mode allows the software
to detect additional vulnerabilities. NIST also states that the use of
secure software development techniques, including source code review,
is essential to preventing a number of vulnerabilities from being
introduced into items such as a Web service.
Although LANL regularly monitored its unclassified network for security
vulnerabilities, the monitoring is not comprehensive. LANL frequently
scans its network using multiple software tools that search for known
vulnerabilities on various network devices. However, the scans were not
comprehensive. For example, at the time of our review, the laboratory's
vulnerability scan neither included sensitive applications such as
databases, nor did it run in an authenticated mode. In addition, LANL
did not conduct source code reviews. As a result, the laboratory may
not detect certain vulnerabilities, leaving the network at increased
risk of compromise or disruption.
Although LANL Uses Innovative Techniques for Configuration Management,
It Does Not Consistently Implement Software Patches:
The purpose of configuration management is to establish and maintain
the integrity of an organization's work products. Organizations can
better ensure that only authorized applications and programs are placed
into operation by establishing and maintaining baseline configurations
and monitoring changes to these configurations. Configuration
management involves ensuring the correctness of the security settings
in the operating systems, applications, or computing and network
devices, and securely maintaining operations. Patch management, a
component of configuration management, is important for mitigating
software vulnerability risks. When software vulnerabilities are
discovered, the software vendor may develop and distribute a patch or
work-around to mitigate the vulnerability. NIST recommends that
organizations have an explicit and documented patching policy and a
systematic, accountable, and documented process for installing and
testing patches. In addition, LANL policy requires that all Windows-
based systems on the unclassified network participate in a patch
management system. In addition to patch management, to further protect
an organization's systems, such as from malicious e-mails, NIST states
that organizations should determine which types of attachments to allow
and to block potentially dangerous ones.
Although LANL had implemented innovative techniques to maintain its
system configuration and install patches, shortcomings existed in the
patch process. The laboratory used an automated tool to configure and
maintain its Unix servers, and deployed a tool to its Windows systems
to track and implement patches on the majority of systems we reviewed.
It also used its vulnerability scanning tools to verify the latest
patch levels of Windows systems. However, LANL did not always
consistently implement or appropriately test these patches. For
example, LANL had not applied a critical operating system patch or
patches for a number of general third-party applications. As a result,
LANL cannot ensure that all needed patches are applied to critical
system resources or that untested patches will not have unintentional
consequences, increasing the risk of exposing critical and sensitive
unclassified data to unauthorized access. Furthermore, although the
laboratory had configured its e-mail system to prevent many common
cyber attacks, it was still vulnerable to attack because the system
allowed various file types as e-mail attachments. These files could be
used to install malicious software onto an unsuspecting user's
workstation, potentially compromising the unclassified network.
Physical Security Controls May Leave the Unclassified Network
Vulnerable to Disruption:
Physical security controls are important for protecting computer
facilities and resources from espionage, sabotage, damage, and theft.
These controls restrict physical access to computer resources, usually
by limiting access to the buildings and rooms in which the resources
are housed and by periodically reviewing the access granted in order to
ensure that it continues to be appropriate. NIST requires that federal
organizations control all physical access points (including designated
entry/exit points) to facilities containing information systems (except
for those areas within the facilities officially designated as publicly
accessible) and verify individual access authorizations before granting
access to the facilities. In addition, NIST requires that federal
agencies control physical access to information system transmission
lines to prevent eavesdropping, in-transit modification, disruption, or
physical tampering, and that these agencies protect power equipment for
information systems from damage or destruction. Furthermore, LANL
policy requires that access to exclusion areas that house sensitive
information technology (IT) resources and the equipment that supports
these resources be limited to authorized personnel.
LANL has various protections in place for its IT resources. It
effectively secures many of its sensitive areas and computer equipment
and takes other steps to provide physical security. For example, LANL
issued electronic badges and employed hand geometry devices to help
control access to many of its sensitive and restricted areas. It also
maintains liaisons with law enforcement agencies to help ensure
additional backup security if necessary and to facilitate the accurate
flow of timely security information among appropriate government
agencies.
However, LANL's computing facilities may be vulnerable to attack
because of weaknesses in its controls over physical access points,
including the lax control of vehicular traffic, inadequate fencing,
unsecured buildings housing computer network equipment, and signs
visible from the street that indicate what these buildings contain. In
addition, LANL did not effectively control access to a (1)
telecommunications room that houses transmission lines and equipment
and (2) utility room that provides heating and air conditioning for
sensitive IT equipment. These weaknesses in physical security increased
the risk that sensitive computing resources and data could be
inadvertently or deliberately misused or destroyed. In response to our
observations, LANL corrected the control issues associated with the
telecommunications and utility rooms before the end of our site visits.
Regarding control of vehicular traffic, LANL's former Chief of Security
told us that the laboratory was willing to accept the level of risk
because it was infeasible to check every car entering the laboratory.
LANL Has Not Fully Implemented Key Information Security Program
Activities for Its Unclassified Network:
The information security weaknesses in LANL's unclassified network that
we identified have occurred, in large part, because the laboratory has
not yet fully implemented an information security program to ensure
that controls are effectively established and maintained. Although LANL
has implemented an effective security awareness training program, we
identified a number of shortcomings in its overall information security
management program, including risk assessments, policies and
procedures, network security plan, security testing and evaluation,
remedial action plans, and contingency planning and testing. Many of
these cyber security deficiencies have been the subject of prior
reports by DOE's Office of Independent Oversight and LASO. The most
recent report, issued by the Office of Independent Oversight in
February 2008, also documented significant weaknesses with LANL's
unclassified information security program, including foreign nationals'
access to the unclassified network. During our review, we found that
LANL had granted over 300 foreign nationals access to its unclassified
network from countries identified as sensitive by DOE, including China,
India, and Russia. Some LANL and NNSA officials raised security
concerns about the level of access given to foreign nationals from
sensitive countries because of the valuable scientific and
technological information contained on the laboratory's unclassified
network.
Security Awareness Training Program Is in Place:
People are one of the weakest links in attempts to secure systems and
networks. Therefore, an important component of an information security
program is providing required training so that users understand a
system's security risks and their own role in implementing related
policies and controls to mitigate those risks. As defined by the System
Administration, Networking, and Security (SANS) Institute,[Footnote 9]
security awareness training is designed to educate users on the
appropriate use, protection, and security of information; individual
users' responsibilities; and ongoing maintenance necessary to protect
the confidentiality, integrity, and availability of information assets,
resources, and systems from unauthorized access, use, misuse,
disclosure, destruction, or disruption. FISMA requires each agency to
develop, document, and implement an information security program that
includes security awareness training to inform personnel of information
security risks and of their responsibilities in complying with agency
policies and procedures, as well as training personnel with significant
security responsibilities for information security. LANL policy
requires that all employees complete an initial computer security
briefing prior to being granted access to the laboratory's information
system resources, and it requires that employees complete annual
refresher training. According to laboratory officials, each employee is
required to have a training plan highlighting all of the training
courses the employee is to receive for his or her job function.
According to LANL officials, there are several controls in place to
ensure that individuals receive adequate computer security awareness
and training that will help them develop and maintain their technical
skills. For example, according to LANL officials, if employees do not
complete their security awareness training on an annual basis, LANL
suspends their access to security areas until they have taken the
required training. LANL officials stated the badge identification
system is linked to the security awareness course, and those
individuals who return to the laboratory each succeeding year must take
the annual computer security refresher so that they can retain access
to building facilities. If individuals do not complete the course by
their renewal date, LANL deactivates their badge, denies their access
to LANL facilities, and directs them to report to the badge office to
retake the computer security refresher course. The laboratory has also
ensured that all employees have and complete training plans unique to
their specific roles and responsibilities within the organization. For
example, of the 20 training plans for organizational unit
administrators we reviewed, all had completed their computer security
training courses, and their training plans were up to date. Because
LANL has established a security awareness and training program, the
unclassified network is at decreased risk that and individual
employee's responsibilities for the safety and security of the
information system will be unclear, misunderstood, or improperly
implemented.
Information Security Program Activities Have Numerous Shortcomings:
LANL's information security program has not been fully implemented.
Specifically, (1) its risk assessment was not comprehensive, (2)
specific guidance was missing from policies and procedures, (3) the
network security plan was incomplete, (4) system testing had
shortcomings, (5) remedial action plans were incomplete and corrective
actions were not always timely, and (6) the network contingency plan
was incomplete and inadequately tested. Until LANL ensures that the
information security program associated with its unclassified network
is fully implemented, it will have limited assurance that sensitive
data are adequately protected against unauthorized disclosure or
modification or that network services will not be interrupted.
Although a Risk Assessment Was Completed, It Was Not Comprehensive:
Identifying and assessing information security risks are essential
steps in determining what controls are required. Moreover, by
increasing awareness of risks, these assessments can generate support
for the policies and controls that are adopted in order to help ensure
that these policies and controls operate as intended. FISMA requires
each agency to develop, document, and implement an information security
program that includes periodic assessments of the risk and magnitude of
harm that could result from the unauthorized access, use, disclosure,
disruption, modification, or destruction of information and information
systems. NIST guidelines state that the identification of risk for an
IT system requires an understanding of the system's processing
environment, including data and information, system and data
criticality, and system and data sensitivity. Furthermore, according to
NIST, risk management should identify threats and vulnerabilities, set
priorities for actions to reduce risks, identify new controls or
countermeasures, and determine risks remaining after implementing the
new control, also known as residual risk. Office of Management and
Budget (OMB) Circular A-130, appendix III, prescribes, as does DOE
policy, that risk be reassessed when significant changes are made to
computerized systems--or at least every 3 years.
Although the laboratory updated its risk assessment in June 2007 for
the unclassified network, this assessment was not comprehensive but
provided a general identification and analysis of threats,
vulnerabilities, and countermeasures and included a residual risk for
most vulnerabilities. However, it did not fully characterize risks to
the network. For example, the risk assessment did not identify risks
for vulnerabilities exposed by previous DOE internal findings and LANL
vulnerability testing. Also, we found vulnerabilities during our
analysis that LANL had not previously addressed in its risk assessment.
For example, strong authentication was often not required for internal
network services such as e-mail and database logins. Risks associated
with this vulnerability were not assessed. Without comprehensive risk
assessments, risks to certain systems may be unknown and appropriate
controls may not be in place to protect against unauthorized access or
disclosure, or system disruption.
LANL is taking steps to strengthen its risk management program that
improves identification and assessment of potential threats,
vulnerabilities, assets, and information system controls. For example,
in January 2008, LANL issued a new risk management procedure describing
the detailed methodology. In addition, LANL developed a new
comprehensive methodology to aid in conducting risk assessments and
provided training on this new methodology. According to LANL officials,
this new program is in compliance with both NIST and NNSA policies and
guidance.
Policies and Procedures Have Shortcomings:
Another key task in developing an effective information security
program is to establish and implement risk-based policies, procedures,
and technical standards that govern security over an agency's computing
environment. If properly implemented, policies and procedures should
help reduce the risk that could come from unauthorized access or
disruption of services. Because security policies and procedures are
the primary mechanisms through which management communicates views and
requirements, it is important that these policies and procedures be
established and documented. FISMA requires agencies to develop and
implement policies and procedures to support an effective information
security program. NIST issued security standards and related guidance
to help agencies implement security controls, including appropriate
information security policy and procedures. The DOE Chief Information
Officer has also issued guidance on management, operational, and
technical controls implementing the NIST security control requirements.
Shortcomings existed in LANL's information security policies and
procedures. Although the laboratory developed and documented many
information security policies and procedures, it did not always have
specific guidance for implementing federal and departmental
requirements in the network environment. The laboratory had issued a
local cyber security policy describing the cyber security program
framework and an implementation procedure describing roles,
responsibilities, authorities, and accountability. Furthermore, it had
issued specific guidance on user passwords, use of nongovernmental
computers on the network, and the configuration of computers using
Microsoft Windows that are connected to the network. However, the cyber
security guidance the laboratory used did not follow guidance issued by
DOE's Chief Information Officer or NIST standards and guidance for
categorizing information systems and developing minimum security
controls. In addition, the policy was not always comprehensive. For
example, LANL implemented a policy requiring centralized configuration
management for its Windows environment, but the policy did not address
other systems the laboratory uses, such as Macintosh and Linux. At the
time of our site visits, the laboratory had drafted, but not issued,
specific policies and procedures on topics such as cyber security risk
management, certification and accreditation, access control, and
incident management. Without effectively developing, documenting, and
implementing timely policies, procedures and standards, the laboratory
has less assurance that its systems and information are protected from
unauthorized access.
LANL was making an effort to improve its information security policies
and procedures. During our site visits, the laboratory's Cyber Security
group was undertaking a policy development and publication effort to
review, revise, and issue policies as necessary to ensure compliance
with DOE and NNSA policy. However, until LANL completes this effort,
its information security program will not be fully effective.
Network Security Plan Was Incomplete:
An information system security plan should provide a complete and up-
to-date overview of a system's security requirements and describe the
controls that are in place or planned to meet those requirements. OMB
Circular A-130 specifies that agencies develop and implement system
security plans for major applications and for general support systems
and that these plans address policies and procedures for providing
management, operational, and technical controls. In addition, NIST
recommends that security plans include, among other topics, existing or
planned security controls, the individual responsible for the security
of the system, description of the system and its interconnected
environment, and rules of behavior. NIST also requires federal agencies
to document minimum security controls. Furthermore, DOE and NNSA policy
requires that LANL develop an overall cyber security program plan, and
specific system security plans as part of its certification and
accreditation (C&A) process. NNSA policy further states that all
documentation relevant to the system C&A should be referenced or
included in the system security plan; this includes the risk assessment
results, security test and evaluation plan, and procedures and
contingency plan(s).
The laboratory had documented an overall cyber security program plan
and a security plan for the unclassified network infrastructure, but
the network security plan was incomplete and not up-to-date. The
laboratory-wide plan followed DOE policy guidance, and the network
security plan addressed certain security controls recommended by NIST,
such as the description of individuals responsible for security and
rules of behavior. However, the network security plan had not been
updated to address many of the controls NIST recommended. For example,
the network security plan only partially addressed access controls and
system communication protection controls and was incomplete because it
did not include or reference some key security activities, such as the
risk assessment results and security test plans, as stated in NNSA
policy guidance.
Although DOE had issued guidance implementing FISMA and related NIST
requirements, a laboratory cyber security official said LANL was
waiting on detailed implementation instructions from NNSA and that it
intends to revise the security plan by October 2008 to use controls
from NIST guidance. Unless it uses the most current guidance on
security controls, the laboratory cannot ensure that appropriate
controls are documented in a security plan and in place to protect its
systems and critical information.
Security Testing and Evaluation Process Has Shortcomings:
Another key element of an information security program is testing and
evaluating system controls to ensure they are appropriate and effective
and comply with policies. FISMA requires each agency to develop,
document, and implement an information security program that includes
periodic testing and evaluation of the effectiveness of information
security policies, procedures, and practices, performed with a
frequency depending on risk, but no less than annually. The program is
to include testing of management, operational, and technical controls
for every system identified in the agency's required inventory of major
information systems. NIST provides guidance to agencies for assessing
security control effectiveness and for performing network security
testing, and states that security test results should be appropriately
documented. Similarly, DOE guidance specifies that all controls
identified in the security plan are subject to assessment procedures,
and that the breadth and depth of testing activities should be
documented.
The laboratory had various initiatives under way to test and evaluate
system controls in its unclassified network at the time of our review,
but we found shortcomings in the testing process. In fiscal year 2007,
LANL conducted a self-assessment of the unclassified security program
using NIST's specified security controls. However, most controls were
not assessed at a very detailed level--with only 3 of the 17 control
areas being assessed in more detail using certain questions and
security performance tests derived from NIST guidance. The laboratory
also annually tests the controls in the security plan and conducts
continuous automated testing to detect network vulnerabilities.
However, this testing was limited because the controls identified in
the security plan were not developed using NIST guidance. For example,
the NIST control for configuration settings was not documented in the
network security plan. Furthermore, although testing requirements were
stated in the test documentation, officials said that the breadth and
depth of the testing, as well as the results of the tests, were not
always documented and available for examination. Furthermore, the
automated testing was not comprehensive. LANL did not use an automated
scanning tool to detect vulnerabilities in databases, and virtual web
hosts or source code. Our tests identified vulnerabilities such as
outdated database software and unpatched third-party applications.
Without appropriate tests and evaluations of system controls, the
laboratory has limited assurance that policies and controls are
appropriate and working as intended. Additionally, without these tests
and evaluations, there is a higher risk that undetected vulnerabilities
could be exploited to allow unauthorized access to sensitive
information.
Remedial Actions Were Not Taken in a Timely Manner and Plans Were
Incomplete:
Remedial action plans, also known as plans of actions and milestones,
can help agencies identify and assess security weaknesses in
information systems and set priorities and monitor progress in
correcting them. FISMA requires each agency to develop, document, and
implement an information security program that includes a process for
planning, implementing, evaluating, and documenting remedial action to
address any deficiencies in its information security policies,
procedures, or practices. According to OMB Circular A-123, agencies
should take timely and effective action to correct deficiencies that
they have identified through a variety of information sources. To
accomplish this, agencies should develop remedial action plans and
track progress for correcting each deficiency. A plan should detail the
resources required to carry out the plan, any milestones in meeting the
tasks, and scheduled completion dates for those milestones. OMB also
states that the resource estimates should include the anticipated
source of funding and whether the reallocation of resources or a
request for new funding is anticipated. DOE requires that plans of
action and milestones serve as a management tool for tracking
corrective actions associated with program and system-level weaknesses.
Although the laboratory had a management process for identifying,
evaluating, and documenting issues and tracking corrective actions, it
did not always take actions in a timely manner and the plans were
incomplete. For example, the laboratory's plan of actions and
milestones addressed findings for eight weaknesses identified by DOE's
Office of Independent Oversight in December 2006 by establishing 63
milestones. In August 2007, LANL's tracking report showed that tasks
associated with 26 of these milestones were past due. Although a
tracking report completed a month later indicated that only 11
milestones were still past due, evidence had not been submitted to
validate that the recently completed milestones had been satisfactorily
met. An additional 6 milestones had no completion dates in these
tracking reports so their status could be determined and effectively
monitored. In addition, the plans did not include estimated resources
required to correct weaknesses. Finally, several findings from the
laboratory's self-assessment were not included in the plan. Without an
effective remediation program, identified vulnerabilities may not be
resolved in a timely manner, thereby allowing continuing opportunities
for unauthorized individuals to exploit these weaknesses to gain access
to sensitive information and systems.
Network Contingency Plan Was Incomplete and Testing Was Inadequate:
Contingency planning is a critical component of information protection.
If normal operations are interrupted, network managers must be able to
detect, mitigate, and recover from service disruptions while preserving
access to vital information. Therefore, a contingency plan details
emergency response, backup operations, and disaster recovery for
information systems. It is important that these plans be clearly
documented, communicated to potentially affected staff, and updated to
reflect current operations. In addition, testing contingency plans is
essential to determine whether the plans will function as intended in
an emergency situation.
FISMA, NIST, DOE, and NNSA require contingency plans. FISMA requires
each agency to develop, document, and implement an information security
program that includes plans and procedures to ensure continuity of
operations for information systems that support the agency's operations
and assets. NIST requires that all agencies' systems have a contingency
plan and that the plans address, at a minimum, identification, and
notification of key personnel, plan activation, system recovery, and
system reconstitution. In addition, the process should include a
business impact assessment to determine what recovery strategies should
be implemented to ensure availability and to fully characterize the
system's requirements, processes, and interdependencies to determine
contingency requirements and priorities. Furthermore, NIST requires
that the plan be reviewed for accuracy and completeness at least
annually and that testing occur annually and when significant changes
are made to the IT system, supported business processes, or the
contingency plan. DOE and NNSA also require contingency plans to ensure
that the department can continue to perform and support functions in
the event of a service disruption, and these plans must be updated and
tested annually.
The contingency plan LANL has implemented for its unclassified network
is incomplete, outdated, and testing is inadequate. The laboratory had
drafted a disaster recovery and contingency planning procedural
document that details how the laboratory should prepare a contingency
plan and testing procedures, and it notes the importance of contingency
planning and testing. However, at the time of our site visits, the
document had not been made final or provided to employees for review.
In addition, at the time of our site visits, the most current
contingency plan was over 4 years old and did not include key elements,
such as identification and notification of key personnel, plan
activation, system recovery, and system reconstitution. Also, LANL had
not completed a business impact assessment to determine what recovery
strategies should be implemented at the laboratory to ensure
availability of system resources during a service disruption. LANL had
also not tested the contingency plan annually. Furthermore, the test
plan that was used was inadequate. The test plan was a checklist of
regulatory questions that were checked-off and then signed and dated by
an approving official. This generic checklist laid out several areas to
review and provided an associated testing procedure, but did not
adequately follow the contingency plan. Until LANL identifies the
essential processes that should be included in a contingency plan and
sufficiently tests the plans, it faces higher risk that the
unclassified network infrastructure will not be able to effectively
recover and resume normal operations after a disruption.
DOE Assessments Have Identified Significant Management Weaknesses
Governing the Unclassified Network:
DOE's Office of Independent Oversight and LASO have prepared reports
identifying weaknesses with the management of LANL's unclassified cyber
security program. These reports have surfaced numerous problems that
can be traced to management deficiencies at NNSA, LASO, and the
laboratory itself. The most recent reports, covering 2006 and 2007,
identified problems in several specific areas: risk assessment;
leadership; certification and accreditation; security testing; and
policies and procedures. Key findings in each of these areas included
the following:
* Risk assessment. LANL's risk assessment methodology is not
comprehensive enough to address system-specific risks and does not
provide LASO with an appropriate appraisal of the risk in the
unclassified environment. It also does not identify residual risks for
acceptance or the development of appropriate mitigation strategies. As
a result, the threats, vulnerabilities, and consequently the risks to
LANL's unclassified systems cannot be quantified.
* Leadership. NNSA has not exercised management and oversight
responsibilities so that LANL ensures effective implementation of the
unclassified cyber security program. Furthermore, LASO has not
exercised its oversight responsibilities for managing and accepting
risks for the laboratory's unclassified cyber security program and has
not provided sufficient leadership to resolve LANL performance problems
and establish a clear set of management priorities. Finally, LANL has
not exercised sufficient leadership within the unclassified program to
ensure effective implementation of management and technical processes.
In a 2007 follow-up report, the Office of Independent Oversight found
that NNSA and/or the contractor, Los Alamos National Security, LLC
(LANS),[Footnote 10] had taken steps to improve leadership, including
(1) hiring a new Chief Information Officer at LANL who reports directly
to the laboratory Director, (2) allocating additional funding to
establish increased federal oversight activities at LASO, and (3)
creating cyber security advisors to assist the laboratory's
directorates.
* Certification and accreditation. LANL's C&A process is significantly
deficient and cannot certify that unclassified systems and information
are appropriately protected. The current process is based on security
directives and guidance that are obsolete, rather than on NNSA, DOE, or
national policies. In addition, neither the LANL unclassified network
security plan nor any other security plan addresses the accreditation
of servers, workstations, firewalls, routers, and other IT resources
that LANL personnel use to process all levels of unclassified
information. Furthermore, the laboratory's cyber security program plan
gives a broad range of the possible number of systems on the
unclassified network (25,000 to 35,000) on a daily basis, which
contributes to the perception that LANL cannot accurately identify its
unclassified assets. According to the Office of Independent Oversight's
most recent assessment, LANL has made little or no progress to correct
the identified deficiencies.
* Security testing. LANL's security testing and evaluation is not
robust enough to ensure the security of the unclassified network. While
security tests have been prepared, there is little actual testing of
the controls associated with the unclassified network. Rather,
individual tests are used to validate security plan statements. As a
result, the security testing process does not demonstrate that the
management, operational, and technical controls function as intended.
* Policies and procedures. LANL's policies and procedures have not been
updated to address changing management, operational, and technical
needs in the unclassified environment. While the unclassified cyber
security program had been implemented within the framework of
overarching policy provided by DOE, a serious weakness of LANL's
unclassified cyber security program is that its policies were based on
obsolete directives and had not fully implemented all NNSA and DOE
policies concerning cyber security. In addition, LANL has not
established a comprehensive set of policies, plans, and procedures for
managing cyber security within LANL organizations. According to the
Office of Independent Oversight, most aspects of weaknesses relating to
formal cyber security policies, plans, and procedures have yet to be
resolved, which places sensitive unclassified information at greater
risk.
DOE's Office of Independent Oversight and LASO Have Also Raised
Concerns about Foreign Nationals' Access to LANL's Unclassified
Network:
DOE's Office of Independent Oversight and LASO also reported that LANL
had not fully implemented DOE policies and procedures for protecting
sensitive but unclassified information from foreign nationals who have
access to information technology resources.[Footnote 11] The Office of
Independent Oversight and LASO noted, among other things, that:
* foreign nationals' use of this information has not been fully
evaluated for risk or information sensitivity. As a result, the
laboratory does not have adequate assurance that foreign nationals pose
no risk to sensitive unclassified computer systems;
* the only risk assessment specific to foreign nationals' access to the
site pertains to "benefit of work to home country;"
* LANL does not have specific procedures that describe policies and
processes for managing foreign nationals' access and a method to allow
LANL's cyber security site manager to know what foreign nationals are
on the network; and:
* LANL has installed an additional 10 firewalls and improved firewall
rules to enhance network segmentation, which allows better control of
foreign nationals who have access to the unclassified network. However,
LANL still needs to strengthen controls to further restrict access of
those foreign nationals who are "scattered across the (unclassified)
network and cannot be controlled by firewalls."
We reviewed the status of foreign nationals' access to LANL's
unclassified network. LANL policy states that foreign nationals working
at the laboratory may have access to the information and administrative
controls needed to perform authorized work. However, this policy has
resulted in foreign nationals having widespread access to LANL's
unclassified network and has raised concerns among some laboratory and
NNSA officials about potential security risks. As of May 2008, LANL
reported that 688 foreign nationals from 64 countries were authorized
access to the unclassified network in their capacity as visitors,
postdoctoral students, or permanent staff. Of the 688 foreign
nationals, 301 (or 44 percent) were from countries classified as
sensitive by DOE.[Footnote 12] As figure 1 shows, 22 percent of all
foreign nationals at the laboratory who were authorized access to the
unclassified network were from China--one of the sensitive countries.
Foreign nationals from other sensitive countries that had access to the
unclassified network included India, Russia and other countries of the
former Soviet Union (FSU), and Israel.
Figure 1: Percentage of Foreign Nationals from Sensitive and
Nonsensitive Countries at LANL with Unclassified Network Access, as of
May 2008:
This figure is a pie chart showing the percentage of foreign nationals
from sensitive and nonsensitive countries at LANL with unclassified
access, as of May 2008.
Nonsensitive: 56%;
China: 22%;
India: 11%;
Russia/FSA: 8%;
Other sensitive [A]: 2%;
Israel: 1%.
[See PDF for image]
[A] Algeria, Hong Kong, and Taiwan comprise the "other sensitive"
category.
[End of figure]
In addition, a significant number of foreign nationals from sensitive
countries have been authorized remote access to LANL's unclassified
network.[Footnote 13] LANL's Chief Information Officer told us that the
security risks associated with granting this level of access to foreign
nationals from sensitive countries has been far too great in the past
and had reached an unacceptable level because of the valuable
scientific and technological information contained on the laboratory's
unclassified network. As a result, LANL has reduced the number of
foreign nationals from sensitive countries that have been granted
remote access.
LANL's former Chief of Security and LANL's Chief Information Officer
told us they were concerned about the large number of foreign nationals
at the laboratory who have access to the unclassified network through
remote or other means. In particular, the former Chief of Security
asserted that it was a "bad idea" to have foreign nationals on the
unclassified network. NNSA's Deputy Chief of Information Security
questioned why any foreign nationals were authorized access to the
network. In his view, all of their work should be done in a highly
controlled cyber environment, with exceptions being granted on a very
selective case-by-case basis.
LANL officials told us that unclassified network access for foreign
nationals from both sensitive and nonsensitive countries is "a given."
Foreign nationals employed at the laboratory require access to the
unclassified network in order to carry out their duties and meet
mission requirements. In fact, the foreign nationals in certain cases
possess unique skills in science that cannot easily be found in the
United States. The laboratory has seen a significant increase in
foreign nationals' visit and assignment activities over the past 10
years. According to LANL, much of this increase in foreign national
population is due to an increase in the foreign student population in
U.S. graduate programs and a marked increase in foreign postdoctoral
students, which is the laboratory's key source of its technical staff.
LANL Has Spent Approximately $51.4 Million to Protect Its Unclassified
Network from Fiscal Years 2001 through 2007, but Future Resource
Requirements Need Better Justification:
From fiscal years 2001 through 2007, LANL spent approximately $51.4
million to protect its unclassified network. Nevertheless, LANL cyber
security officials told us that funding has been inadequate to address
some of their security concerns, such as the potential compromise or
modification of sensitive unclassified data and a shutdown of computer
systems and networks processing sensitive unclassified data. In
response, NNSA's Chief Information Officer told us that LANL has not
adequately justified its request for additional funds to address the
laboratory's stated shortfalls. NNSA is now implementing a more
systematic approach for developing information security budgets at
LANL.
LANL Officials Assert That Resources Are Inadequate to Protect the
Unclassified Network:
LANL spent approximately $51.4 million from fiscal years 2001 through
2007 to protect and maintain the unclassified network.[Footnote 14] The
unclassified network expenditures have primarily been directed toward
C&A and technical activities. LANL's C&A costs for the unclassified
network cover such items as security plan development and maintenance,
self-assessments, training, education, and awareness, media, and
oversight of foreign nationals' access to the unclassified network.
Technical costs involve items such as intrusion detection systems,
network monitoring, antivirus services, e-mail monitoring, evaluating
and testing security software before deployment, and incident
cleanup.[Footnote 15] Figure 2 depicts LANL expenditures for the
unclassified network over the period. As shown, LANL's overall security
expenditures for the unclassified network increased from about $2.3
million to $9.1 million between fiscal years 2001 to 2007, with a peak
of approximately $11.5 million in fiscal year 2005. A reduction in
spending occurred in fiscal year 2006, followed by a modest increase
again in fiscal year 2007. The unclassified network expenditures for
C&A activities have remained relatively stable around $1 million from
fiscal years 2002 to 2007, with the majority of unclassified network
funds going toward technical activities.
Figure 2: Annual Expenditures on LANL's Unclassified Network, Fiscal
Years 2001-2007:
This figure is a combination bar graph showing annual expenditures on
LANL's unclassified network, fiscal year 2001-2007. The bars represent
expenditures for certification and accreditation, expenditures for
technical services, and total expenditures. The X axis represents
fiscal year, and the Y axis represents dollars in millions.
Year: 2001;
Expenditures for certification and accreditation: 0;
Expenditures for technical services: 2;
Total expenditures: 2.
Year: 2002;
Expenditures for certification and accreditation: 1;
Expenditures for technical services: 5;
Total expenditures: 6.
Year: 2003;
Expenditures for certification and accreditation: 1;
Expenditures for technical services: 5;
Total expenditures: 6.
Year: 2004;
Expenditures for certification and accreditation: 1;
Expenditures for technical services: 8;
Total expenditures: 10.
Year: 2005;
Expenditures for certification and accreditation: 1;
Expenditures for technical services: 11;
Total expenditures: 12.
Year: 2006;
Expenditures for certification and accreditation: 1;
Expenditures for technical services: 6;
Total expenditures: 7.
Year: 2007;
Expenditures for certification and accreditation: 1;
Expenditures for technical services: 8;
Total expenditures: 9.
[See PDF for image]
Source: GAO analysis of LANL budget data.
[End of figure]
Although cyber security expenditures increased from fiscal years 2001
to 2007, LANL officials told us this funding has been inadequate to
protect the unclassified network and overall cyber security program. In
a September 27, 2006, letter to the NNSA Administrator, the Directors
of LANL, Lawrence Livermore National Laboratory, and Sandia National
Laboratories stated that proposed reductions in the cyber security
budget would expose the laboratories and NNSA to an unacceptable level
of security and operational risk. The laboratory Directors emphasized
that the inevitable effect of cuts in cyber security funding would be
to forgo improvements in the classified network while also reducing
support for the unclassified network. The lack of funding would be
particularly harmful to the unclassified network because it is
essential to productivity, a key factor in transforming the nuclear
weapons complex, and is clearly a target for external attack. According
to LANL's fiscal year 2008 budget request to NNSA, the laboratory
needed approximately $1 million more than the $7.7 million it was
allocated to implement an effective program for its unclassified
network. NNSA's allocation and LANL's request represent an approximate
11 percent difference for the unclassified network in fiscal year 2008.
According to a LASO analysis identifying the impacts of failing to
fully fund the LANL cyber security program, the shortage of funding
exposes the unclassified network to several potential risks, including
the following:
* the compromise, inappropriate access, or modification of sensitive
unclassified data;
* a shutdown of computer systems and networks processing sensitive
unclassified data, without additional systems or networks being
approved to process these data;
* placement of LANL in noncompliance with DOE guidance;
* a significant gap in the laboratory's information protection
capabilities (i.e., virus scans and firewalls);
* the severe hampering of laboratory efforts to identify the devices
and levels of sensitivity of information on the unclassified network;
* impaired ability to verify the secure configuration of systems on the
unclassified network; and:
* the hampering of the laboratory's efforts to follow up on computer
compromises.
LANL officials also told us that due to staffing and funding
constraints, the laboratory could not provide all of the security
measures that it determined necessary for an effective cyber security
program, and, therefore, individuals or groups might be able to
penetrate LANL's networks and gain access to sensitive information. In
its analysis of the potential consequences of unfunded unclassified
network activities for fiscal year 2007, LANL asserted that because of
a lack of funding to perform self-assessments, there was a risk that
the laboratory's ability to discover and address cyber deficiencies
would be weakened. In addition, there was a risk that unclassified
network users could not receive cyber security training, which creates
serious potential for user-introduced vulnerabilities to the
unclassified network. Moreover, there was risk that LANL could not
ensure that media (e.g., disks) containing sensitive unclassified
information would be properly sanitized or destroyed.
NNSA officials told us that they strongly disagreed with LANL's
assertion that the laboratory does not have adequate funding for
unclassified network activities. According to NNSA's Chief Information
Officer, LANL's requests for additional funds to meet the laboratory's
stated shortfalls have not been adequately justified. NNSA also found
the claims made by the laboratory Directors about funding shortfalls in
their 2006 letter to be unsubstantiated. In addition, NNSA officials
stated that the laboratories were inconsistent in how they reported
cyber security funding requests to NNSA. For example, prior to fiscal
year 2006, LANL produced budget requests using terminology not
sanctioned or used by NNSA budget processes by categorizing funding
levels for cyber security activities as "minimal," "effective," and
"essential." Furthermore, NNSA officials stated that LANL's past cyber
budget requests were prepared on an ad hoc basis and were not based on
well-defined threat and risk assessments.
NNSA Is Attempting to Implement a More Systematic Approach for
Developing Information Security Budgets at LANL:
Since 2006, NNSA has been developing a more systematic approach for
developing cyber security budgets at LANL and the other national
laboratories. NNSA officials in the Chief Information Office told us
that because of the shortcomings in LANL's cyber security budget
preparation process, NNSA has developed standard budget guidance and
terminology. NNSA and the laboratories worked together to create a
standard budget template--a work breakdown structure--for the
laboratories to use in requesting and allocating cyber security
funding. The work breakdown structure is to be used for both the
classified and unclassified networks. More specifically, NNSA cyber
security officials told us that this structure provides a framework for
LANL to use in determining what cyber security activities it will fund,
how much it will give to each activity, and how it will set priorities
for funding activities and assessing unfunded activities.[Footnote 16]
In addition, NNSA's Chief Information Office has identified a
Designated Approving Authority (DAA), a federal official at each
national laboratory site office, to determine site risks and approve
budgets. Individual program officials at each laboratory provide budget
information and risk assessments to their respective DAA to weigh the
risks and weaknesses of the cyber security program to determine how to
allocate funds.
Nevertheless, NNSA officials could not provide us with guidance
documenting how the laboratories should set budget priorities for cyber
security activities. An NNSA official acknowledged that the agency has
not yet produced any guidance on how to set funding priorities for the
unclassified network but that NNSA is working on a plan to document the
methodology it uses to approve and deny funding requests based on
comprehensive assessments of risks and threats for specific work
breakdown structure activities. Furthermore, NNSA does not consistently
document its resource allocation decisions for cyber security or
identify how funding shortfalls affect critical cyber security issues.
NNSA cyber security officials stated that the laboratories estimate the
impact of the failure to fund cyber security activities but
acknowledged the need for NNSA to develop a process to better track
activities that do not receive funding. NNSA officials believe that
implementing a complex-wide approach to documenting budget decisions
will help the agency develop a more systematic, transparent approach
for determining appropriate cyber security funding levels.
Conclusions:
Ensuring the confidentiality, integrity, and availability of sensitive
information transmitted over LANL's unclassified network is a national
security priority because the unauthorized disclosure of sensitive
information or data from the unclassified network could have serious
consequences. While the laboratory has taken steps to protect sensitive
information, a number of weaknesses in security controls raise
concerns. These weaknesses include, among other things, keeping
information on the unclassified network out of the reach of
unauthorized users.
Securing sensitive information on LANL's unclassified network requires
that the laboratory's management establish, implement, and reinforce
policies, procedures, and guidance for its employees to follow. In our
view, these policies and procedures lay the foundation for an effective
and sustainable security culture. While LANL has instituted components
of a laboratory-wide information security program, key activities, such
as the assessment of information security risks, and the development of
policies and procedures that adhere to federal requirements, were not
fully implemented or were absent. Furthermore, until LANL fully
implements a laboratory-wide information security program that includes
comprehensive risk assessments, risk-based policies and procedures,
security plans, and a continuity of operations process, it has limited
assurance that its sensitive data on the unclassified network will be
adequately protected. For example, the large number of foreign
nationals--particularly those from countries identified as sensitive by
DOE--who have access to the laboratory's unclassified network raises
serious security concerns. While there can be a legitimate need for
foreign nationals to have access to LANL's unclassified network to
carry out mission-related responsibilities we believe it is prudent to
control and restrict this level of access, whenever possible. To that
end, we believe the laboratory has taken a positive step by
significantly reducing the number of foreign nationals from sensitive
countries that are authorized to have remote access to the unclassified
network.
Establishing a comprehensive information security program requires a
well thought out process for determining resource requirements, based
on risk. We are concerned that neither NNSA nor LANL has developed a
satisfactory approach to address this matter. In our view, the lack of
a systematic process for identifying and allocating resources for those
areas deemed to be highest risk can be traced directly to the absence
of well-documented procedures and guidelines. Without a rigorous and
disciplined approach, it is difficult to determine what the
laboratory's true resource requirements are to implement a
comprehensive information security program for the unclassified
network.
Recommendations for Executive Action:
To improve LANL's information security program for its unclassified
network, we recommend that the Secretary of Energy and the
Administrator of NNSA require the Director of Los Alamos National
Laboratory to take the following eight actions:
* Ensure that the risk assessment for the unclassified network
evaluates all known vulnerabilities and is revised periodically;
* Strengthen policies with a view toward further reducing, as
appropriate, foreign nationals'--particularly those from countries
identified by DOE as sensitive--access to the unclassified network;
* Ensure that the new set of cyber security policies and procedures
applicable to the unclassified network are comprehensive, including
centralized configuration management for all types of systems, and
contain specific instructions on how to implement federal requirements
and guidance;
* Ensure that the network security plan for the unclassified network is
revised to document security controls using federal guidance and that
this plan also includes or references key security activities, such as
risk assessment development and the evaluation of security test
results;
* Strengthen the security test and evaluation process for the
unclassified network by expanding technical testing to cover new areas
that might be vulnerable, such as those disclosed in our report, and
ensure that testing adequately considers federal guidance for
evaluating security controls and determining their effectiveness;
* Ensure that milestones in corrective action plans are met or that new
milestones are established to remediate security weaknesses for the
unclassified network in a timely manner.
* Ensure that the related plan of action and milestones used for FISMA
reporting includes all LANL security weaknesses and required
information so that it is an effective management tool for tracking
security weaknesses and identifying budgetary resources needed to
protect the unclassified network; and:
* Develop and maintain a comprehensive continuity of operations plan
that addresses the current unclassified network environment and
periodically test the plan for restoring operations.
To ensure that NNSA has a clear and consistent strategy to determine
resource requirements for the laboratory's unclassified network, we
recommend that the Secretary of Energy and the Administrator of NNSA
take the following three actions:
* Develop, document, and implement a process that clearly links
resource requirements and funding decisions to risk assessments for the
unclassified network;
* Implement a process that provides a rationale for approving or
denying resource requests for the unclassified network; and:
* Establish and implement procedures to monitor critical program
activities that are unfunded or underfunded in order to improve
management accountability and transparency in determining how best to
fund the most critical program requirements.
We are also making 41 detailed recommendations in a separate report
with limited distribution. These recommendations consist of actions to
be taken to correct the specific information security weaknesses
related to identification and authentication, cryptography, audit and
monitoring, configuration management, and physical security.
Agency Comments and Our Evaluation:
We provided NNSA with a copy of this report for review and comment.
NNSA did not specifically comment on our recommendations. However, NNSA
agreed with our general conclusion that LANL has taken steps to protect
sensitive information and acknowledged that there was considerable work
yet to be done. NNSA also stated that LANL is currently responding to a
DOE Secretarial Compliance Order requiring the laboratory contractor to
take comprehensive steps to ensure that it identifies and addresses,
among other things, critical cyber security deficiencies. The July 2007
Compliance Order was issued after a subcontractor employee removed
classified information from LANL without authorization. The Order
requires LANL to submit an integrated corrective action plan to address
critical security issues. These steps must be completed by December
2008, and violations of the Compliance Order would subject the
laboratory's contractor to civil penalties of up to $100,000 per
violation per day until compliance is reached.
NNSA noted that responding to the issues identified in this report--as
well as more technical issues included in a limited official use only
version of this report--will extend beyond the completion of the
Compliance Order since the actions we recommend are sufficiently more
complex. We would expect that our recommendations, when implemented,
would complement and be consistent with other remedial actions taken to
improve LANL's cyber security posture as part of the Secretarial
Compliance Order. Furthermore, NNSA stated that it will exercise the
leadership necessary to correct the deficiencies identified in our
report and will implement controls and processes complex-wide to
demonstrate that it is successfully managing risk. NNSA's comments on
our draft report are presented in appendix II.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies of this report
to interested congressional committees; the Secretary of Energy; the
Administrator of NNSA; the Director of LANL; and other interested
parties. We will also make copies available to others upon request. In
addition, this report will be made available at no charge on the GAO
Web site at [hyperlink, http://www.gao.gov].
If you or your staff have any questions about this report, please
contact Gene Aloise at (202) 512-3841 or aloisee@gao.gov; Greg
Wilshusen at (202) 512-6244 or wilshuseng@gao.gov; or Nabajyoti
Barkakati at (202) 512-6412 or barkakatin@gao.gov. Contact points for
our Office of Congressional Relations and Public Affairs may be found
on the last page of this report. Major contributors to this report are
included in appendix III.
Signed by:
Gene Aloise Director, Natural Resources and Environment:
Signed by:
Gregory C. Wilshusen Director, Information Security Issues:
Signed by:
Nabajyoti Barkakati Director, Center for Technology and Engineering:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objectives of our review were to (1) assess the effectiveness of
the security controls the Los Alamos National Laboratory (LANL) has
implemented to protect information transmitted over its unclassified
computer network; (2) assess whether LANL had fully implemented an
information security program to ensure that controls were established
and maintained for its unclassified computer network; and (3) examine
the expenditure of funds used to protect LANL's unclassified network
from fiscal years 2001 through 2007.
To determine the effectiveness of the security controls LANL had
implemented to protect information transmitted over its unclassified
computer network, we gained an understanding of the overall network
control environment and identified its interconnectivity and control
points. Our evaluation was based on our Federal Information System
Controls Audit Manual (FISCAM),[Footnote 17] which provides guidance
for reviewing information system controls that affect the
confidentiality, integrity, and availability of computerized
information.
Using National Institute of Standards and Technology (NIST) standards
and guidance, and Department of Energy (DOE) and National Nuclear
Security Administration (NNSA) policies, procedures, practices, and
standards, we:
* developed an accurate understanding of the overall network
architecture and examined routers, network management servers,
switches, and firewalls;
* analyzed the effectiveness of controls used to establish individual
accountability and control network access;
* observed methods for providing secure data transmissions across the
unclassified network to determine whether sensitive data was being
encrypted;
* evaluated controls intended to limit, detect, and monitor electronic
access to sensitive computing resources and the effectiveness of these
controls in protecting computing resources from unauthorized disclosure
and modification;
* evaluated control configurations of selected servers and database
management systems to assess the management of security features for
network components; and:
* observed and tested physical access controls to determine if computer
facilities and resources were being protected from espionage, sabotage,
damage, and theft;
In addition, we obtained views and documentation on these issues from
security officials at DOE, NNSA, the Los Alamos Site Office (LASO), and
LANL.
To assess whether LANL had fully implemented an information security
program to ensure that controls were established and maintained for its
unclassified computer network, we used the requirements identified by
FISMA, which establishes key elements for an effective information
security program. We:
* examined training records for personnel with significant security
responsibilities to determine if they received training commensurate
with those responsibilities;
* reviewed LANL's risk assessment process and risk assessments for the
unclassified network to determine whether risks and threats were
documented consistent with federal guidance;
* analyzed LANL's policies, procedures, practices, and standards to
determine their effectiveness in providing guidance to personnel
responsible for securing information and information systems;
* analyzed security plans to determine if management, operational, and
technical controls were in place or planned and that security plans
were updated;
* analyzed security testing and evaluation results for the unclassified
network to determine whether management, operational, and technical
controls were tested at least annually and based on risk;
* examined remedial action plans to determine whether they addressed
vulnerabilities identified in LANL's security testing and evaluations;
and:
* examined contingency plans for the unclassified network to determine
whether those plans had been tested or updated.
We also discussed with key security representatives and officials
responsible for information security management at DOE, NNSA, LASO, and
LANL, whether information security controls were in place, adequately
designed, and operating effectively. In addition, we met with officials
from DOE's Office of Independent Oversight and its Office of Inspector
General, regarding any related prior, ongoing, or planned work in these
areas.
To determine the amount of funds LANL spent to protect its unclassified
network from fiscal years 2001 to 2007, we obtained and analyzed
documentation on the LANL cyber security program and budget, such as
the LANL Cyber Security Program Office Roles and Responsibilities;
LASO's Annual Cyber Survey Report Activity for fiscal year 2007;
National Nuclear Security Administration's cyber security policies; and
LANL risk assessments. We also obtained and analyzed financial data on
LANL's cyber security program and unclassified network from fiscal
years 2001 to 2007. In addition, we met with cyber security officials
from NNSA, LASO, and LANL. To assess the reliability of funding data,
we (1) reviewed quality control procedures used to report funding
information; (2) interviewed knowledgeable officials; and (3) based on
document reviews, ensured that we had received all available
information. We determined that the data were sufficiently reliable for
the purposes of this report.
We conducted this performance audit from May 2007 to September 2008 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
[End of section]
Appendix II: Comments from the National Nuclear Security
Administration:
Department of Energy:
National Nuclear Security Administration:
Washington, DC 20585:
August 19, 2008:
Office Of The Administrator:
Mr. Gene Aloise
Director, Natural Resources and Environment:
Government Accountability Office:
Washington, D.C. 20548:
Dear Mr. Aloise:
The National Nuclear Security Administration (NNSA) appreciates the
opportunity to review the Government Accountability Office's (GAO)
draft report, GAO-08-1001, "Information Security: Actions Needed to
Better Protect Los Alamos National Laboratory's Unclassified Computer
Network." We understand that this report is the result of an audit
requested by the House's Committee on Energy and Commerce and the
Subcommittee on Oversight and Investigations to determine security
controls effectiveness, implementation of programs, and expenditures at
Los Alamos.
NNSA agrees with the draft report's conclusion that in general, the
Laboratory has taken steps to protect sensitive information but that
more work needs to be done. As you are aware, the Laboratory is
responding to a Secretarial Compliance Order that is designed to
address a majority of the issues identified in this report and a
subsequent report more technically focused, Responding to these reports
will extend beyond the completion of the Secretarial Compliance Order
requirements since the GAO's recommendations are sufficiently more
complex.
NNSA will exercise the leadership necessary to correct deficiencies
noted and to implement a dynamic framework of controls and processes
that can be implemented complex-wide that will provide a level of
confidence that NNSA is successfully managing risk. NNSA will provide
detailed corrective actions to Congressional Committees through our
formal Management Decision process. Printed with soy Ink on recycled
paper
Should you have any questions about this response, please contact
Richard Speidel, Director, Policy and Internal Controls Management. He
may be contacted at 202-586-5009.
Sincerely,
Signed by:
William C. Ostendorff:
Principal Deputy Administrator:
cc: Robert Smolen, Deputy Administrator for Defense Programs David
Boyd, Senior Procurement Executive Bradley Peterson, Chief, Defense
Nuclear Security Donald Winchell, Revitalization Manager, Los Alamos
Site Office Linda Wilbanks, Chief Information Officer Karen Boardman,
Director, Service Center:
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Gene Aloise, (202) 512-3841, or aloisee@gao.gov:
Gregory C. Wilshusen, (202) 512-6244, or wilshuseng@gao.gov:
Nabajyoti Barkakati, (202) 512-6412, or barkakatin@gao.gov:
Staff Acknowledgments:
In addition to the individuals named above, Edward R. Alexander, Jr;
West E. Coile; Edward M. Glagola, Jr; Jeffrey L. Knott; Glen Levis; Duc
M. Ngo (Assistant Directors); Debra Conner; Kirk J. Daubenspeck,
Jennifer R. Franks; Eugene H. Gray; Rosanna Guerrero; Preston S. Heard;
Lisa N. Henson; Nicole Jarvis; John A. Spence; and Christoper J. Warweg
made key contributions to this report. Other technical assistance was
provided by Omari A. Norman, Rebecca Shea, and Carol Herrnstadt
Shulman.
[End of section]
Related GAO Products:
Information Security: TVA Needs to Address Weaknesses in Control
Systems and Networks. GAO-08-526. Washington, D.C.: May 21, 2008.
Information Security: Progress Reported, but Weaknesses at Federal
Agencies Persist. GAO-08-571T. Washington, D.C.: March 12, 2008.
Information Security: Securities and Exchange Commission Needs to
Continue to Improve Its Program. GAO-08-280. Washington, D.C.: February
29, 2008.
Information Security: Although Progress Reported, Federal Agencies Need
to Resolve Significant Deficiencies. GAO-08-496T. Washington, D.C.:
February 14, 2008.
Information Security: IRS Needs to Address Pervasive Weaknesses. GAO-
08-211. Washington, D.C.: January 8, 2008.
Information Security: Selected Departments Need to Address Challenges
in Implementing Statutory Requirements. GAO-07-528. Washington, D.C.:
August 31, 2007.
Information Security: Despite Reported Progress, Federal Agencies Need
to Address Persistent Weaknesses. GAO-07-837. Washington, D.C.: July
27, 2007.
Information Security: Homeland Security Needs to Immediately Address
Significant Weaknesses in Systems Supporting the US-VISIT Program. GAO-
07-870. Washington, D.C.: July 13, 2007.
Information Security: Homeland Security Needs to Enhance Effectiveness
of Its Program. GAO-07-1003T. Washington, D.C.: June 20, 2007.
Information Security: Agencies Report Progress, but Sensitive Data
Remain at Risk. GAO-07-935T. Washington, D.C.: June 7, 2007.
Information Security: Federal Deposit Insurance Corporation Needs to
Sustain Progress Improving Its Program. GAO-07-351. Washington, D.C.:
May 18, 2007.
Information Security: FBI Needs to Address Weaknesses in Critical
Network. GAO-07-368. Washington, D.C.: April 30, 2007.
Information Security: Persistent Weaknesses Highlight Need for Further
Improvement. GAO-07-751T. Washington, D.C.: April 19, 2007.
Information Security: Further Efforts Needed to Address Significant
Weaknesses at the Internal Revenue Service. GAO-07-364. Washington,
D.C.: March 30, 2007.
Information Security: Sustained Progress Needed to Strengthen Controls
at the Securities and Exchange Commission. GAO-07-256. Washington,
D.C.: March 27, 2007.
[End of section]
Footnotes:
[1] The laboratory is a multidisciplinary national security laboratory
whose core missions are to ensure the safety and reliability of the
nuclear weapons stockpile and to conduct research and development that
supports that mission and other homeland security-related initiatives.
The laboratory covers 40 square miles, with 2,700 buildings covering
9.4 million square feet, employs more than 12,000 personnel, and has an
annual operating budget of approximately $2 billion. LANL operates 15
divisions that are responsible for carrying out its programmatic
mission, including nuclear weapons engineering, nuclear weapons
stockpile manufacturing and support, nuclear weapons physics, and
nuclear weapons threat reduction. The laboratory also has a Chief
Security Officer, Chief Information Security Officer, and Chief
Information Officer who are responsible for overseeing information
security, including protecting cyber security assets. In addition,
federal oversight for information security at LANL, including cyber
security, is provided by the Los Alamos Site Office.
[2] NNSA was established in 2000 in response to management difficulties
with the Department of Energy's nuclear weapons programs. These
difficulties included security programs at the department's national
laboratories and significant cost overruns in the management of
projects. NNSA is a separately organized agency within the department
with the responsibility for the nation's nuclear weapons,
nonproliferation, and naval reactors programs.
[3] FISMA was enacted as title III, E-Government Act of 2002, Pub. L.
No. 107-347, 116 Stat. 2946 (Dec. 17, 2002).
[4] GAO has issued a series of reports that address federal agencies'
information security programs and activities. See Related GAO products.
[5] For the purpose of this report, we are including LANL's "cyber" and
computer network security programs as a key component of the
laboratory's overall information security program.
[6] Encryption can be used to provide basic data confidentiality and
integrity by transforming plain text into cipher text using a special
value known as a key and a mathematical process known as an algorithm.
[7] According to NIST, authentication mechanisms can be based on three
categories of information or "factors" something the user knows, such
as a password; something the user possesses, such as a token; and some
physical characteristic (biometric) of the user, such as a fingerprint.
Authentication methods employing a token or biometric can provide a
significantly higher level of security than passwords alone.
Multifactor authentication mechanisms, such as those involving tokens
and biometric data are considered strong authentication mechanisms.
[8] Kerberos is a widely used authentication protocol developed at the
Massachusetts Institute of Technology.
[9] SANS was established in 1989 as a cooperative research and
education organization.
[10] LANS, LLC is a consortium of contractors that includes Bechtel
National, Inc; the University of California; BWX Technologies, Inc; and
the Washington Group International, Inc. In June 2006, LANS replaced
the University of California, which had been the exclusive management
and operating contractor of LANL since the 1940s.
[11] According to LANL, a foreign national is anyone who is not a U.S.
citizen. Immigrant aliens are considered foreign nationals.
[12] A country is identified as sensitive based on national security,
nuclear nonproliferation, or terrorism concerns.
[13] Access to computer systems is granted using a standardized form
that enables the approving official--either a laboratory Associate
Director or Deputy Director--to authorize the type of computer
resources provided to the foreign national such as unclassified
network, visitor network, or remote unclassified network. In those
instances where the laboratory division sponsoring the foreign national
wants the individual to have remote access, the division must provide a
justification statement. LANL policy, effective January 30, 2004,
states that ample and sufficient justification for remote access must
be provided to allow a cognizant laboratory group leader, division
leader, and Associate Director to approve or disapprove.
[14] According to LANL, the laboratory spent approximately $87.7
million from fiscal years 2001 through 2007 to protect and maintain the
classified network.
[15] LANL officials explained to us that the cyber security budget is
also broken down into C&A and technical activities for the classified
network as well.
[16] LANL officials told us that the laboratory began tracking cyber
security financial figures toward the work breakdown structure in
fiscal year 2006, but added that the unclassified network funding
figures cannot be broken down into all the cyber security program
activities listed in the work breakdown structure because some
expenditures, such as "program management" and "incident response"
cover both the classified and unclassified networks.
[17] GAO, Federal Information System Controls Audit Manual, GAO/AIMD-
12.19.6 (Washington, D.C.: January 1999).
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
