A GAO report has found that the National Institute of Standards and Technology needs to address persistent challenges with regard to physical security.
According to the report, GAO agents were able to gain unauthorized access to various areas of both NIST campuses, in Gaithersburg, Md., and Boulder, Colo. GAO found that NIST’s ongoing efforts do not provide the tools needed to address security vulnerabilities, and that staff awareness of their security responsibilities varied, partly because of the limited effectiveness of NIST’s security-related communication efforts. “By incorporating elements of key practices, including a comprehensive communication strategy, interim milestone dates, and measures to assess effectiveness, NIST will be better positioned to address the security vulnerabilities caused by varied levels of security awareness among employees,” states the report.
Management of NIST’s physical security program is fragmented between the Department of Commerce and NIST, which is inconsistent with the federal Interagency Security Committee’s (ISC) physical security best practices, which encourage agencies to manage physical security centrally. GAO found that before implementing this arrangement in 2015, neither Commerce nor NIST assessed whether it was the most appropriate way to fulfill NIST’s physical security responsibilities, and that the current arrangement could be creating inefficiencies and inhibiting the effectiveness of the security program.
The report also found that Commerce and NIST’s risk management process does not comply with the ISC’s Risk Management Process (RMP) standard, as it does not use a sound risk assessment methodology, fully document key risk management decisions, or appropriately involve stakeholders. GAO also found that Commerce and NIST had overlapping risk management activities, potentially leading to unnecessary duplication, and that the two agencies are separately drafting new risk management policies.
GAO recommends that a comprehensive communication strategy for employees be established and that an evaluation of the current management structure be conducted. It also recommends that the draft Commerce risk management policy be finalized and implemented in accordance with the ISC’s RMP standard, and that the NIST Director finalize and implement risk management policies and procedures, ensuring that they contain a formal coordination mechanism between OSY and NIST and are aligned with Commerce’s revised risk management policy, particularly with regard to establishing FSCs.