The National Institute of Standards and Technology’s physical security repeatedly failed to keep undercover agents out of restricted areas of NIST campuses, according to an assessment by the Government Accountability Office.

“GAO, as I understand it, remains concerned that the police services group and the security structure within NIST has not received proper scrutiny,” said Rep. Lamar Smith, R-Texas, at an Oct. 11 hearing on the report. “A concern that is bolstered by the revelation that GAO agents successfully penetrated NIST campuses in 15 out of 15 attempts during their covert vulnerability testing.”

According to the report, GAO undercover agents attempted to access restricted areas of NIST campuses in Gaithersburg, Maryland, and Boulder, Colorado, and provided video evidence of their efforts. Those videos were designated law enforcement sensitive and are not available to the public.

“These videos, captured as part of GAO’s covert vulnerability testing, reveal NIST employees adhere to established physical security policies,” said Rep. Darin LaHood, R-Ill. “One video in particular shows an undercover GAO agent subverting detection by security personnel by employing very basic espionage techniques.”

The GAO investigation was initially undertaken after physical security incidents occurred at both NIST campuses. In July 2015, a NIST security officer caused an explosion in a little used lab in Gaithersburg, Maryland, after attempting to create methamphetamine in the lab. In April 2015, an unauthorized person was found wandering around a restricted area of the Boulder, Colorado, campus.

These events resulted in NIST undertaking efforts to improve security, as well as a Congressional call for GAO to conduct the now-complete security assessment.

“Recent security incidents at NIST’s Gaithersburg and Boulder campuses highlighted vulnerabilities and raised questions about the agency’s physical security program, and our work shows that such questions persist,” the GAO report said. “To its credit, NIST has acknowledged its security issues, and leadership has taken steps to transform NIST’s physical security program, in part by beginning to address the organizational culture, policies, and risk management at its campuses.”

A GAO survey included in the report found that 75 percent of surveyed NIST employees said that their leadership placed a great or very great emphasis on security, but staff awareness about that security varied due to a failure in communication initiatives.

“It is particularly troubling that GAO’s efforts were successful even after NIST had taken efforts to improve security,” said Rep. Eddie Johnson, D-Texas.

According to NIST acting Director Kent Rochford, a resolution to many of these problems will likely come down to long-term training efforts and a culture change within the agency. In particular, Rochford characterized the onboarding training sessions for new employees as “simplistic” and said that this problem is currently being remedied.

“To have a security culture, you have to train your people to take it seriously,” said Seto Bagdoyan, director of audit services in the Forensic Audits & Investigative Service at GAO.

The report also found that the division of security responsibilities between NIST and the Department of Commerce could be causing security problems on the NIST campuses.

“Management of NIST’s physical security program is fragmented between the Department of Commerce (Commerce) and NIST,” the report said. “This is inconsistent with the federal Interagency Security Committee’s (ISC) physical security best practices, which encourage agencies to centrally manage physical security. Commerce is responsible for overseeing security personnel who implement physical security policies, while NIST manages physical security countermeasures such as access control technology, leading to fragmentation in responsibilities. Before implementing the current organizational structure in October 2015, neither Commerce nor NIST assessed whether it was the most appropriate way to fulfill NIST’s physical security responsibilities.”

“If they don’t talk with each other, they end up doing separate risk assessments, and so forth. That is definitely counterproductive,” said Bagdoyan.

The report made four recommendations for improving security:

  • NIST should incorporate elements of key practices into its ongoing security efforts;
  • Commerce, in coordination with NIST, should evaluate the current physical security management structure;
  • Commerce should finalize and implement coordinated risk management policies; and
  • NIST should finalize and implement coordinated risk management policies.

The Department of Commerce agreed with all four recommendations and Commerce Deputy Assistant Secretary for Administration Lisa Casias testified that “the findings revealed shortcomings that are absolutely unacceptable.”