IG: Data on Nuclear Stockpile at Risk

Livermore Labs Inconsistent in Managing IT Systems, Audit Says
Classified information regarding the nation's nuclear stockpile, management of nuclear nonproliferation activities and operation of the naval reactor programs stored on computers at the government's Lawrence Livermore National Laboratory in California is at risk, the Energy Department's inspector general says.

"Without improvements, the weaknesses identified may limit program and site-level officials' ability to make informed risk-based decisions that support the protection of classified information and the systems on which it resides," Rickey R. Hass, deputy inspector general for audits and inspections, writes in the audit.

Specifically, Hass writes in the 20-page audit report, the inspector general audit found that:

  • Three of four system security plans reviewed were incomplete and did not always sufficiently describe security controls and how they were implemented;
  • Contractor officials made security-significant changes to national security systems that potentially increased the risk to those systems, without first obtaining approval from the federal authorizing official, the person ultimately responsible for accepting risks posed by changes to information systems; and
  • The National Nuclear Security Administration, or NNSA, operated by the lab had not incorporated security controls established by the Committee on National Security Systems, the organization designated by executive order to develop policies and standards for protecting national security information systems, into its cybersecurity policy, creating a negative impact on the lab's ability to meet federal security requirements.

"These issues were due, at least in part, to inadequate program and site-level policies and procedures for protecting national security information systems," Hass says.

NNSA cybersecurity program policies had not been updated since May 2008, and weren't aligned with federal and department requirements, he says. "The problems identified persisted because of insufficient performance monitoring by headquarters and site office federal officials," Hass says.

As an example, Hass noted that federal officials responsible for oversight hadn't consistently ensured that changes to systems were appropriate and in accordance with risks identified and accepted as part of the systems' authorization to operate.

Lab managers generally agreed with the report, but contend the IG's conclusions do not reflect the lab's overall risk management program. "The findings in this report should only reflect issues surrounding the maintenance of security documenting and issues that the Livermore site office had already self identified within its accreditation and certification process," NNSA Associate Administrator Gerald Talbot Jr. writes in response to the audit. "The general recommendations by the IG were already in place, hence the corrective actions that are being performed at the site and department level."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
