November 15, 2016

Management of Brookhaven National Laboratory’s Cybersecurity Program

Brookhaven National Laboratory (Brookhaven) is a multipurpose research institution funded primarily by the Department of Energy and operated by Brookhaven Science Associates. Brookhaven employs almost 3,000 individuals and hosts over 4,000 visiting researchers each year. To support its research mission, Brookhaven makes extensive use of information technology resources for scientific and business computing related to high-speed network infrastructure, data management, and Web applications. As a management and operating contractor, Brookhaven is responsible for meeting various Federal cybersecurity requirements. The challenges related to cybersecurity management have become even more important with recent cybersecurity incidents in the Federal Government and the compromised sensitive information of millions of individuals. Furthermore, the range of cyber threat actors, methods of attack, targeted systems, and victims continues to expand.

Our review of Brookhaven determined that it had not implemented a fully effective cybersecurity program.  We identified weaknesses related to vulnerability and configuration management, physical and logical access controls, security planning and assessments, and contingency planning and data retention.

The identified weaknesses occurred, in part, because Brookhaven officials had not fully implemented applicable requirements related to cybersecurity.  We also found that Brookhaven Site Office and laboratory officials had not always effectively monitored the cybersecurity program.  Similarly, we noted that Brookhaven contractor officials had not adequately monitored their cybersecurity program to ensure that they corrected vulnerabilities in a timely manner.

Without improvements that fully implement cybersecurity policies and procedures, Brookhaven’s information and systems will continue to be at a higher-than-necessary risk of compromise, loss, or modification.  Furthermore, the weaknesses identified related to contingency planning may hinder Brookhaven’s ability to complete essential mission functions in the event of a significant disruption. 

Topic: Management & Administration