The federal official responsible for authorizing systems to operate on the Lawrence Livermore National Laboratory network wasn't always notified of significant cybersecurity changes to the systems he is responsible for, finds an Energy Department inspector general audit.

The report, dated April 15, finds that contractors made four "significant" changes since 2007 to the Ground-Based Nuclear Explosion Monitoring system--changes which the federal official who signed the system's authorizing document was unaware of until auditors notified him of them.

In all, contractors made 10 changes to the system, none of which were reviewed or approved by the authorizing official.

Auditors also criticize National Nuclear Security Administration officials for not performing sufficient monitoring of activities involving national security systems at the lab. System security plans did not follow NNSA policy requiring a thorough description of minimum security controls. The authorizing official told auditors that security documentation didn't need that information, since lab officials were intimately familiar with the systems--an argument auditors reject, since anyone unfamiliar with the system environment would need to see the missing details.

For more:
- download the report, OAS-M-11-03 (.pdf)

Related Articles:
GAO reproaches NNSA for nuclear simulation supercomputer disaster recovery plans 
Disused hard drives strewn about Oak Ridge laboratory, says IG