IG: Data on Nuclear Stockpile at Risk
Livermore Labs Inconsistent in Managing IT Systems, Audit Says
"Without improvements, the weaknesses identified may limit program and site-level officials' ability to make informed risk-based decisions that support the protection of classified information and the systems on which it resides," Rickey R. Hass, deputy inspector general for audits and inspections, writes in the audit.
Specifically, Hass writes in the 20-page audit report, the inspector general audit found that:
- Three of four system security plans reviewed were incomplete and did not always sufficiently describe security controls and how they were implemented;
- Contractor officials made security-significant changes to national security systems that potentially increased the risk to those systems, without first obtaining approval from the federal authorizing official, the person ultimately responsible for accepting risks posed by changes to information systems; and
- The National Nuclear Security Administration, or NNSA, operated by the lab had not incorporated security controls established by the Committee on National Security Systems, the organization designated by executive order to develop policies and standards for protecting national security information systems, into its cybersecurity policy, creating a negative impact on the lab's ability to meet federal security requirements.
"These issues were due, at least in part, to inadequate program and site-level policies and procedures for protecting national security information systems," Hass says.
NNSA cybersecurity program policies had not been updated since May 2008, and weren't aligned with federal and department requirements, he says. "The problems identified persisted because of insufficient performance monitoring by headquarters and site office federal officials," Hass says.
As an example, Hass noted that federal officials responsible for oversight hadn't consistently ensured that changes to systems were appropriate and in accordance with risks identified and accepted as part of the systems' authorization to operate.
Lab managers generally agreed with the report, but contend the IG's conclusions do not reflect the lab's overall risk management program. "The findings in this report should only reflect issues surrounding the maintenance of security documenting and issues that the Livermore site office had already self identified within its accreditation and certification process," NNSA Associate Administrator Gerald Talbot Jr. writes in response to the audit. "The general recommendations by the IG were already in place, hence the corrective actions that are being performed at the site and department level."