The audit, requested by the House Committee on Energy and Commerce, cites Los Alamos' management as saying funding for its core classified cybersecurity program has been inadequate for implementing an effective program during fiscal years 2007 and 2008.
"LANL's security plans and test plans were neither comprehensive nor detailed enough to identify certain critical weaknesses on the classified network," the GAO said in its 39-page report.
The Energy Department-run laboratory in Los Alamos, N.M., also known as LANL, is among the world's largest science and technology institutions that conduct multidisciplinary research for fields such as national security, outer space, renewable energy, medicine, nanotechnology and supercomputing. Along with the Lawrence Livermore National Laboratory, LANL is one of two labs in the United States where classified work designing nuclear weapons takes place.
GAO identified several critical areas where vulnerabilities surfaced, including uniquely identifying and authenticating the identity of users, authorizing user access, encrypting classified information, monitoring and auditing compliance with security policies and maintaining software configuration assurance.
A key reason for the information security weaknesses was that the laboratory had not fully implemented an information security program to ensure that controls were effectively established and maintained, the congressional auditors said.
Among the program's shortfalls identified by the GAO:
- Lack of comprehensive risk assessments to ensure that appropriate controls are in place to protect against unauthorized use;
- Failure to develop detailed implementation guidance for key control areas, such as marking the classification level of information stored on the classified network;
- Inadequate specialized training for users with significant security responsibilities; and
- Insufficient development and testing of disaster recovery and contingency plans, reducing the laboratory's chances of resuming normal operations after a service disruption.
"The laboratory's decentralized approach to information security program management has led to inconsistent implementation of policy, and although the laboratory has taken steps to address management weaknesses, its efforts may be limited because LANL has not demonstrated a consistent capacity to sustain security improvements over the long term," the GAO said.
Among GAO's recommendations: that the laboratory fully implement its information security program, centralize management of the classified network and develop a sustainability plan detailing how it will strengthen recent cybersecurity improvements over the long term.
The National Nuclear Security Administration, the Energy Department unit responsible for the safety of government nuclear sites, generally concurred with the GAO recommendations.
Editor's Note: An earlier posting of this story incorrectly stated that the Los Alamos Laboratory spent $433 million to secure its classified network. That figure represents the amount spent to operate and support the lab's classified network from fiscal years 2001 through 2008. We regret the error.