DOE’s Office of the Inspector General (IG) found that outside contractors had made significant information security changes to the lab’s nuclear explosion monitoring system without first obtaining approval from the proper federal officials, changes that could have increased the risks to that system.
In addition, three of four security plans for national security information systems were incomplete, failing to sufficiently describe security controls and how they were implemented, an audit by the IG found.
Also, the lab failed to incorporate security controls mandated by the Committee on National Security Systems, which the president set up to develop policies and standards for protecting national security information systems. This could result in the lab not meeting federal information security requirements.
The audit noted that the lab’s information security program policies had not been updated since May 2008 and were not consistent with federal and DOE requirements.
“Without improvements, the weaknesses identified may limit program and site-level officials’ ability to make informed risk-based decisions that support the protection of classified information and the systems on which it resides”, the IG concluded.
The National Nuclear Security Administration (NNSA), which oversees Lawrence Livermore, said the IG failed to carry out a thorough review of the lab’s information security policies and procedures.
“The IG review was based on a paper-based compliance review assessing system level and some site level documentation. It appears there were inadequate discussions/reviews of mitigation strategies/activities, technologies and mission/business processes of each system to include the current state of departmental policies”, the NNSA response said.