The National Institute of Standards and Technology boasts a history of bright minds contributing to everything from atomic clocks to the study of outer space fires, but while the institute is known for its research in safety and industry settings, the physical security of its facilities is falling short.
A new report from the Government Accountability Office recommends a transformation of NIST’s “fragmented” security program, and leaders from both NIST and the overarching Commerce Department tell Congress they are actively making improvements.
“Culture is driven by leadership and I need to take that responsibility to change the culture,” NIST acting Director Kent Rochford said during a Wednesday hearing before the House subcommittees on Oversight and Research and Technology. “We are developing training. We have what we call baseline requirements, which will be our first training set. We then have additional training for things like criminal behavior, action plans or training for an active shooter, other potential security issues. We have a security advisory board, we’re going to have an executive security committee so we can engage leadership on programmatic changes to ensure the culture sticks. We have a range of activities that we’ll be undertaking over the year.”
Those actions are the product of a security sprint NIST conducted as it works to strengthen the physical security of its Gaithersburg, Maryland, and Boulder, Colorado, campuses following two high-profile breaches.
In July 2015, a federal police officer caused an explosion while illegally making methamphetamine in a laboratory building in Maryland. In April 2016, officers at the Boulder facility found a man trespassing in one of the buildings.
GAO highlighted those breaches in its report, along with auditors’ successful covert surveillance attempts to gain access to authorized areas, and shared video evidence with the committees prior to the hearing. The committees held an executive session after the public hearing that was closed to media, to discuss sensitive security details with witnesses.
“Watching [the videos], observing them, my reaction is ‘disturbing,’ ‘alarming,’ particularly when you think about the work that goes on at the NIST campuses in Boulder and Gaithersburg; the sensitive work, the strategic work, the proprietary nature of what goes on at these facilities, much of what relates to national security,” said subcommittee Chairman Darin LaHood (R-Ill.).
Rep. Lamar Smith (R-Texas) asked whether the security measures put in place since the breaches would have retroactively prevented the unauthorized access incidents, but Rochford said: “We have not put in place something that would cause 100 percent improvement.”
Lisa Casias, deputy assistant secretary for administration for the Commerce Department, said the two agencies are working together to close security gaps, called the shortcomings highlighted in GAO’s report “absolutely unacceptable,” and said the department agreed with GAO’s recommendations.
The recommendations include:
establishing a comprehensive communication strategy for employees.
evaluating and identifying the effectiveness of the current NIST security management structure compared to a consolidated security structure managed by the Office of Security (OSY).
ensuring Commerce’s draft risk management policy is put into practice.
implementing risk management policies and procedures at NIST.
Commerce designated OSY to protect its various components, including NIST, explained Casias.
Casias said OSY has already implemented the requirement that all security specialists conducting facility security assessments be certified in the Interagency Security Committee’s (ISC) Risk Management Process (RMP) standard.
“To date, 19 of our security specialist staff have successfully completed the ISC’s RMP standard training, and all security specialists will be trained in early fiscal year ’18,” Casias said. “We’ve also scheduled new facility security assessments using those trained personnel at both campuses this fiscal year.”
OSY also completed a draft chapter for the Commerce Department’s manual on security policies and procedures, which is currently under review.
“We are also — as the GAO recommended — reviewing security structure at NIST,” Casias said. “This review involves all aspects of the relationship between OSY and NIST related to personnel assets and security and is part of a coordinated effort between the department and NIST to determine the best approach.”
Rep. Don Beyer (D-Va.) voiced his concern about the shared approach to NIST’s physical security.
“As a person interested in management and leadership, it seems pretty nonsensical, too many cooks in the kitchen,” Beyer said.
Seto Bagdoyan, director for audit services at GAO’s Forensic Audits & Investigative Service, said the split approach is not consistent with federal standards best practices; however, it came about in late 2015 when Commerce was delegated the authority for NIST police to act as federal law enforcement agents. In 2017, the American Innovation and Competitiveness Act directed Commerce to have the final say on setting security policy and practice, but the law also allowed NIST to perform security duties “as it saw fit,” Bagdoyan said.
“It does lead to inefficiencies especially when the two parties don’t really coordinate or collaborate,” Bagdoyan said.
Beyer asked whether that was something Congress could amend, and Bagdoyan said it was an option; however, GAO did not know of any plans by Commerce to go that route.
Rochford said along with working with Commerce and OSY, NIST is improving internal communication. Rochford said NIST developed an improved set of security requirements “designed to provide an unambiguous understanding of the security responsibilities of all individuals who work at NIST.”
Last month, Rochford met with NIST senior leaders and OSY to ensure those requirements were understood, and on Wednesday after the hearing he planed to meet with NIST management and supervisors to make sure they do the same before passing the new requirements on to all staff.
Rochford said training was a key part of preventing unauthorized access.
“We see security as a layered approach,” Rochford said. “The other layer is the employee. Part of what I need to do is make sure that NIST staff have a much greater awareness about these concerns and know at some level how these things can be spoofed, and through training and awareness have them also do a better job of making the appropriate checks to ensure security and avoid breaches.”
Bagdoyan said NIST and Commerce’s plans are a good first step in the right direction, however “we are probably playing a long game here in terms of getting things done.”
“Training is an absolute must,” Bagdoyan said. “To have a security culture, you have to train your people to take it seriously.”
GAO’s report was based in part on feedback from a survey of roughly 500 technical and scientific NIST workers, and according to the survey, about 75 percent said they believed NIST leadership holds physical security issues at a position of high importance.
“Is that 75 percent enough?” asked Rep. Daniel Lipinski (D-Ill.). “It sounds like there’s good work being done, we certainly need to follow up. The culture I think is certainly going to be a big issue.”