Issues of internal communications and divided responsibility have raised the GAO’s concerns about physical security at National Institute of Standards and Technology facilities.

GAO said that while the agency has incorporated some key practices, and 75 percent of staff agree that leadership places “great” or “very great” importance on security issues, “, staff awareness about security responsibilities varied, in part because of the limited effectiveness of NIST’s security-related communication efforts.”

However, GAO said that “ongoing efforts do not provide NIST with the tools needed to address security vulnerabilities,” with one proof being that its agents were able to gain unauthorized access to various areas of NIST campuses in Maryland and Colorado.

Another issue is that the program is split between the agency, which manages physical security countermeasures such as access control technology, and its parent Commerce Department, which is responsible for overseeing security personnel who implement physical security policies. Such fragmentation is inconsistent with the Interagency Security Committee’s physical security best practices, which encourage agencies to centrally manage physical security, GAO said.

Commerce and NIST completed risk management assessments as called for in those standards in 2015 and again this year, but neither “used a sound risk assessment methodology, fully documented key risk management decisions, or appropriately involved stakeholders,” GAO added.

It said both Commerce and NIST are separately drafting new risk management policies but warned that unless those policies align with risk management practices and formally coordinate, they “may be limited in their usefulness and duplicative.”