February 11, 2013

Management of Los Alamos National Laboratory's Cyber Security Program

The Los Alamos National Laboratory (LANL), operated by the National Nuclear Security Administration (NNSA) on behalf of the Department of Energy, is one of the world's largest multi-disciplinary laboratories and is primarily responsible for helping to ensure the safety and reliability of the Nation's nuclear stockpile as part of the Department's Stockpile Stewardship Program.  To accomplish program goals and objectives, LANL operates and manages numerous information systems and networks to support the research, business and communication needs of its users.  Although LANL spends a significant amount of funds on information technology (IT) activities, we were unable to obtain an accurate amount due to the Laboratory's limited ability to track its IT spending.  The audit found that while additional action is needed, LANL had taken steps to address concerns regarding its cyber security program raised in prior evaluations.  However, our audit identified continuing concerns related to LANL's implementation of risk management, system security testing and vulnerability management practices.  For instance, LANL had not always developed and implemented an effective risk management process consistent with Federal requirements; had not always ensured that it had developed, tested and implemented adequate controls over its information systems; and had not always properly addressed critical and high-risk vulnerabilities.  The issues identified occurred, in part, because of a lack of effective monitoring and oversight of LANL's cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives.  In response, NNSA management concurred with the findings and recommendations and agreed to take necessary corrective actions. 

Topic: National Security & Safety