OCR of the Document

View the Document >>

Department of Energy (U.S.), Inspection Report: Internal Controls over Personal Computers at Los Alamos National Laboratory, August 2004

U S Department of Energy Office of Inspector General Office of Inspections and Special Inquiries Inspection Report Internal Controls Over Personal Computers at Los Alamos National Laboratory DOE IG-0656 August 2004 Department of Energy Washington DC 20585 August 10 2004 MEMORANDUM FOR TH FROM rego rie man Inspector General SUBJECT INFORMATION Inspection Report on Internal Controls Over Personal Computers at Los Alamos National Laboratory BACKGROUND The Of ce of Inspector General initiated an inspection to determine the adequacy of internal controls over the extensive inventory of laptop and desktop computers at Los Alamos National Laboratory LANL Computers are used in the full range of operations at LANL to include processing classi ed information Department of Energy DOE and LANL property policies identify computers as sensitive property due largely to their susceptibility to theft and misappropriation On April 24 2003 because of the signi cance of our preliminary ndings we issued an Interim Inspection Report entitled Inspection of Internal Controls Over Personal Computers at Los Alamos National Laboratory Our inspection has now been completed and the attached report addresses the nal results of our review Our work was completed prior to the current security stand-down at Los Alamos RESULTS OF INSPECTION Our interim report documented internal control weaknesses regarding LANL computers particularly classi ed and unclassi ed laptOp computers including accountability and accreditation issues This follow-on report identi es continuing internal control weaknesses that undermine con dence in ability to assure that 1 computers are appropriately controlled and safeguarded from loss or theft and 2 computers used to process and store classi ed information are controlled in accordance with existing property management and security requirements Speci cally we found that A number of classi ed desktop computers were not as required entered into the LANL property inventory and some were not assigned a property number 0 Of ce of Security Inquiries was not noti ed about a missing component of a computer system accredited for classi ed use as required and - listing of classi ed desktop and laptop Sensitive Compartmented Information Facility computers was not completely accurate and computer identi cation in accreditation paperwork did not always match the actual classi ed equipment Printed with soy ink on recycled paper In light of the designation of computers as sensitive property we believe that strict property controls need to be consistently applied to classi ed and unclassi ed computers at LANL and that a strong program of review and oversight needs to be in place to assure that all computing resources are properly accounted for and controlled Our report includes recommendations to management designed to enhance internal controls over its computer resources This inspection complements similar work performed by the Of ce of Inspector General at several other DOE sites as well as the Of ce of Inspector General s Special Inquiry on Operations at Los Alamos National Laboratory January 2003 which identi ed inadequate or untimely analysis of and inquiry into property loss or theft and security issues a lack of personal accountability for property and inadequate controls over property systems MANAGEMENT REACTION Management concurred with our recommendations Management s comments are provided in their entirety in Appendix of the report We found management s comments to be responsive to our report Attachment cc Deputy Secretary Administrator National Nuclear Security Administration Under Secretary for Energy Science and Environment Director Of ce of Security and Safety Performance Assurance Director Policy and Internal Controls Management Director Of ce of Program Liaison and Financial Analysis INTERNAL CONTROLS OVER PERSONAL COMPUTERS AT LOS ALAMOS NATIONAL LABORATORY TABLE OF CONTENTS OVERVIEW Introduction and Objective 1 Observations and Conclusions 2 DETAILS OF FINDINGS Computers Not in Property Inventory 3 Missing Central Processing Unit Not Reported 3 Discrepancies With Classified SCIF Computers 4 RECOMMENDATIONS 5 MANAGEMENT COMMENTS 5 INSPECTOR COMMENTS 5 APPENDICES A Scope and Methodology 6 B Management Comments 7 Overview INTRODUCTION AND OBJECTIVE Computers are used extensively in the full range of operations at the Los Alamos National Laboratory LANL including processing classi ed information LANL reported an inventory of approximately 5 000 laptop and nearly 40 000 desktop computers at the end of Fiscal Year 2002 Department of Energy DOE and LANL property policies identify computers as sensitive property due in part to their susceptibility to theft and potential for conversion to cash Therefore we believe that management controls over computers throughout the DOE complex must remain robust and consistent We initiated an inspection to determine the adequacy of internal controls over laptop and desktop computers at LANL Because of the signi cance of our preliminary ndings we issued an Interim Inspection Report titled Inspection of Internal Controls Over Personal Computers at Los Alamos National Laboratory 0597 April 2003 which identi ed signi cant weaknesses in LANL management controls over laptop computers Our inspection has now been completed and this report addresses the nal results of our review The primary focus of the work we conducted subsequent to the issuance of our Interim Report was the accountability of desktop computers This inspection complements similar work performed by the Of ce of Inspector General at other DOE sites the results of which may be found in the following reports Inspection of Internal Controls Over Classi ed Computers and Classified Removable Media at the Lawrence Livermore National Laboratory December 2003 Inspection of Internal Controls Over Laptop and Desktop Computers at the Savannah River Site INS-L-03-09 July 29 2003 and Management of Sensitive Equipment at Selected Locations June 2003 This inspection also complements the Of ce of Inspector General s Special Inquiry on Operations at Los Alamos National Laboratory 84 January 2003 which identi ed inadequate or untimely analysis of and inquiry into property loss or theft and security issues a lack of personal accountability for property and inadequate controls over property systems Page 1 Internal Controls Over Personal Computers at Los Alamos National Laboratory OBSERVATIONS AND CONCLUSIONS In our interim report we found that internal controls over classi ed and unclassi ed laptop computers at LANL were inadequate We identi ed several weaknesses including poor accountability and accreditation of classi ed laptop computers Accreditation is the authorization by a designated approval authority that a computer can be used to process classi ed information in a speci c environment based on the computer meeting pre speci ed technical requirements for achieving adequate data security This follow-on report identi es continuing control weaknesses that undermine con dence in ability to assure that 1 computers are appropriately controlled and safeguarded from loss or theft and 2 computers used to process and store classi ed information are controlled in accordance with existing property management and security requirements Speci cally we found that A number of classi ed desktop computers were not as required entered into the LANL property inventory and some were not assigned a property number 0 Of ce of Security Inquiries was not noti ed about a missing component of a computer system authorized to process classi ed information as required and listing of classi ed desktop and laptop Sensitive Compartmented Information Facility SCIF computers was not completely accurate and computer identi cation in accreditation paperwork did not always match the actual classi ed equipment As previously noted and as discussed in our interim report DOE and LANL identify computers as sensitive property In this regard we believe that strict property controls need to be consistently applied to classi ed and unclassi ed computers at LANL and that a strong program of review and oversight needs to be in place to assure that all computing resources are accounted for and controlled Page 2 Observations and Conclusions Details of Findings COMPUTERS NOT IN PROPERTY INVENTORY MISSING CENTRAL PROCESSING UNIT NOT REPORTED I As used herein central processing A number of classi ed desktop computers were not entered into the LANL property inventory and some were not assigned a property number LANL provided us a listing of its 450 single user standalone classi ed desktop computers and we compared this listing to property management system Sun ower We identi ed discrepancies with 11 of the classi ed desktop computers Speci cally 0 Although eight of the classi ed desktop computers had valid property numbers they were not entered into Sun ower and a Three of the classi ed desktop computers were not assigned property numbers and therefore were not entered into Sun ower A missing central processing unit that was part of a computer system authorized for classi ed processing was not reported to Of ce of Security Inquiries as required The CPU utilized a removable hard drive and LANL documentation showed that the hard drive had been destroyed However LANL did not have a record of the nal disposition of the CPU This classi ed CPU was last inventoried on August 13 2002 The CPU was moved on August 26 2002 along with other property that was to be salvaged However after it was moved there was no record that it had been taken to salvage and the CPU was determined to be missing Check List for Missing Lost Stolen Damaged or Destroyed Property requires that missing automated information systems authorized for classi ed processing be immediately reported to the LANL Of ce of Security Inquiries by secure means in accordance with the General Security Los Alamos Internal Requirement LIR 406 00 01 0 Att 14 Reporting Safeguards and Security Incidents We were told by a LANL of cial that this missing CPU had not been reported to the Of ce of Security Inquiries as required While there is no evidence that classi ed information was on the missing CPU it should have been reported to the Of ce of Security Inquiries because the CPU was part of an automated information system authorized for classi ed processing LANL unit refers to a computer unit which is the structure that houses the main electrical components of a computer also known as the tower or desk top Page 3 Details of Findings Details of Findings DISCREPANCIES WITH CLASSIFIED SCIF COMPUTERS policy requires that a security inquiry then be conducted However this inquiry was not performed because the reporting process was not followed listing of classi ed desktop and laptop SCIF computers was not completely accurate and computer identi cation in accreditation paperwork did not always match the actual classi ed equipment Of ce of Cyber Security provided us a listing of 65 SCIF computers accredited to process classi ed information We sampled 14 of the 65 classi ed SCIF computers to determine if the computers on the list could be accounted for had valid property numbers and had appropriate accreditation paperwork We identi ed two classi ed desktop computers with property numbers that did not match the accreditation paperwork In addition we identi ed a laptop computer that did not belong on the SCIF classi ed computer listing Although this laptop had been accredited for classi ed use in February 2003 we determined that it was not labeled for classi ed use was not intended to be used for classi ed processing and had never been used for that purpose Page 4 Details of Findings RECOMMENDATIONS MANAGEMENT COMMENTS INSPECTOR COMMENTS We recommend that the Manager Los Alamos Site Of ce take appropriate action to ensure that l LANL enters all classi ed desktop computers into its property management system LANL properly reports missing classi ed computers and investigates them including the instance identi ed in this report LANL maintains an accurate centralized listing of all computers used for classi ed processing LANL veri es that property numbers for classi ed computers match the property numbers on the accreditation paperwork and The issues raised in this report are considered in the next Site Of ce evaluation of property management and security performance measures In comments on our draft report NNSA concurred with our recommendations comments are provided in their entirety in Appendix of this report We found management s comments to be responsive to our report Page 5 Recommendations Management and Inspector Comments Appendix A SCOPE AND The eldwork for this inspection was conducted from METHODOLOGY December 2002 to March 2004 This review included interviews with DOE of cials from the National Nuclear Security Administration Service Center and of cials from LANL and its subcontractors We reviewed applicable policies and procedures pertaining to sensitive property and property management In addition we conducted inventory veri cation of a judgmental sample of laptop and desktop computers This inspection was conducted in accordance with the Quality Standards for IHSpections issued by the President s Council on Integrity and Ef ciency Page 6 Scope and Methodology Appendix in 1 30 Department of Energy a 33 lg v a National Nuclear Security Administratlon c Nu dnl'we v ammonium- min x J Washington Db 20585 Him AUG 0 4 2004 MEMORANDUM FOR Alfred K Walter Acting Assistant Inspector for ctions and Sicciai Inquiries FROM Michael L Karma Associate Administratm- for Management and Administration SUBIECT Comments to Draft Inspection Report on Personal Computers at Los Alamos $033016 2004w26043 The National Nuclear Securi ty Administration appreciates the opportunity to have reviewed the Inspector General s 1G draft Inspection report Internal Controls Over Parsorml Computers at Los Alamos National Laboratory Wc understand that this inspection was initiated to determine the adequacy of internal controls over both laptop and desktop computers at the Laboratory The inspectors concluded that a number of clasci cd desktop computers were not entered into the Laboratory s property inventory and some computers were not assigned a property number Thom was a missing unit that was accredited for classified use which was not reported to the Laboratory's Of ce of Security Inquiries as missing Additionally the inSpoctorS concluded that the listing of Laboratory s classi ed desktop and laptop special purpose computers was not completely accurate and that tho accreditation paperwork did not always match the actual classi ed equipment As you arc aware the Los Alamos National Laboratory has suspended all operations until each business and programmatic element can be rccorti od for safe scourc operationc Therefore since we agree with the recommendations NNSA will provide our action plan for each ot'thc recommendations after the Laboratory has been to a safe secure operational state Should you have any questions about this response please contact Richard Speidel Director Policy and Internal Controls Management He may be contacted at 202 5862 5009 cc Robert Braden Senior Procurement Exccutivc Edwin Vilmm Manager Los Alamos Site Of ce William Desmond Acting Associatc Administratm- for Defense Nuclear Security Karen Boardman Director Scrvicc Center Plinlad with 04 MI nn pann- Page 7 Management Comments IG Report No CUSTOMER RESPONSE FORM The Of ce of Inspector General has a continuing interest in improving the usefulness of its products We wish to make our reports as responsive as possible to our customers requirements and therefore ask that you consider sharing your thoughts with us On the back of this form you may suggest improvements to enhance the effectiveness of future reports Please include answers to the following questions if they are applicable to you 1 What additional background information about the selection scheduling scope or procedures of the inspection would have been helpful to the reader in understanding this report 2 What additional information related to ndings and recommendations could have been included in the report to assist management in implementing corrective actions 3 What format stylistic or organizational changes might have made this report s overall message clearer to the reader 4 What additional actions could the Of ce of Inspector General have taken on the issues discussed in this report which would have been helpful 5 Please include your name and telephone number so that we may contact you should we have any questions about your comments Name Date Telephone Organization When you have completed this form you may telefax it to the Of ce of Inspector General at 202 586 0948 or you may mail it to Of ce of Inspector General Department of Energy Washington DC 20585 ATTN Customer Relations If you wish to discuss this report or your comments with a staff member of the Of ce of Inspector General please contact Wilma Slaughter at 202 586-1924 The Of ce of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible Therefore this report will be available electronically through the Internet at the following address US Department of Energy Of ce of Inspector General Home Page Your comments would be appreciated and can be provided on the Customer Response Form attached to the report