Alissa Tabirian
NS&D Monitor
6/12/2015
The National Nuclear Security Administration’s cybersecurity controls contain weaknesses that create vulnerabilities for the agency’s information systems, according to an audit report released this week by the Department of Energy’s Office of Inspector General. The audit found that federal requirements were not followed and “the system’s cybersecurity controls had not been adequately developed, documented, or implemented,” which caused gaps in access controls, database change management, configuration management, and monitoring.
According to the report, user passwords were not changed as often as required, and “more than 30 account passwords had not been changed in more than 1 year.” The audit also identified devices with “open ports or missing security patches,” increasing the system’s vulnerability to insider threats. Features meant to restrict access to personnel in specific roles were bypassed, and the system lacked continuous monitoring, including “annual security control testing” and “vulnerability scanning,” the report said. It also noted that insider threat risk was being overlooked because some officials believed that “the isolated nature of the system” diminished the need for continuous monitoring.
The audit recommended that the NNSA implement any “mitigating controls” necessary to address these security gaps. NNSA management accepted the recommendations and reported that “automated password management controls” and other corrective actions were put into place, according to the report. The NNSA did not respond to a request for additional comment this week.