The laboratory's left hand doesn't appear to know what the right hand is doing in terms of information security, according to the Government Accountability Office report, entitled Actions Needed to Better Manage, Protect, and Sustain Improvements to Los Alamos National Laboratory’s Classified Computer Network, which criticized a decentralized approach to information security program management.
This decentralized information security approach "led to inconsistent implementation of policy and contributed to both technical weaknesses and security program shortfalls", the report said.
Specific failings in information security included mismanagement of passwords on the classified network, meaning that malicious insiders could guess the passwords of others. Additionally, the National Nuclear Security Administration's (NNSA) recommendation that employees be given least-privilege access has not been followed, the report said.
"LANL provided users with more access than needed to perform their duties and configured classified systems with more capabilities and services than required", it warned. "As a result, there is an increased risk that users could access classified data they do not need to perform their duties."
Network monitoring was also inadequate, according to the report, which said that critical information security events were not being captured. And software was not always configured securely. Information security risk assessments for the classified computer network were not comprehensive, there were gaps in policies and procedures, and individuals with significant network security responsibilities were not adequately trained in information security.
Disaster recovery was also sorely lacking, according to the report, which said that only one of five plans reviewed had addressed all topics outlined by the laboratory's policy, including an up-to-date information security test plan, and recent testing.
This is not the first time that the laboratory, which is overseen by the NNSA, has come under fire for lax information security. In 2008, the GAO issued a report making 52 recommendations to correct deficiencies, and the NNSA agreed with all of them. In 2007, the Department of Energy also served the laboratory with a compliance order forcing it to implement specific action items by December last year.
"DOE and NNSA officials told us they were concerned about LANL's ability to sustain security improvements over the long term," the GAO report said.