IG: Concerns Remain Over Los Alamos Cybersecurity Program

The Los Alamos National Laboratory has taken steps to address concerns over its cyber security program, but concerns remain about the lab’s implementation of risk management, system security testing and vulnerability management practices, the Department of Energy’s inspector general has said.

Los Alamos, operated by the National Nuclear Security Administration on behalf of the Energy Department, had not always developed and implemented an effective risk management process consistent with federal requirements, had not always ensured that it had developed, tested and implemented adequate controls over its information systems, and had not always properly addressed critical and high-risk vulnerabilities, the IG said.

It said the issues identified occurred partly due to a lack of effective monitoring and oversight of LANL’s cyber security program by the site office, including approval of practices that were less rigorous than those required by federal directives.

Further, an upcoming transition to a risk management framework that relies heavily on continuous reporting could be hampered by a lack of understanding by responsible individuals of the total risks associated with the systems, according to the IG.

It said that without effective vulnerability scanning and remediation of identified weaknesses, LANL’s unclassified and classified networks face a higher than necessary risk of compromise.

The IG called for stronger controls over technical vulnerabilities, ensuring that all federal cyber security requirements are being met, particularly in the areas of system security control testing and risk assessments, and directing Los Alamos to modify internal procedures to include scanning processes designed to identify all internal vulnerabilities on the national security and unclassified computing environments.

NNSA management concurred with the recommendations and indicated that corrective actions would be taken, while management stated that LANL had taken aggressive measures to develop comprehensive cyber security procedures within the last five years.

 
