Report: Los Alamos lab needs better hardware inventory

Computerworld - A U.S. Department of Energy (DOE) report on inadequate security controls on computers used for classified and unclassified research at the Los Alamos National Laboratory is calling on the facility to tighten the security of its hardware.
The 11-page report (download PDF), issued Wednesday, said inventory controls over the lab's approximately 5,000 laptop and 40,000 desktop computers weren't robust enough, with some machines never being entered into an inventory database. The report ends an investigation the agency began in 2002.
The lab keeps two separate inventories of its computers, according to the report. One property management system, called Sunflower, lists all machines used in the facility, while a second list tracks only the classified machines used in the lab's Sensitive Compartmented Information Facility (SCIF). Out of a sampling of 450 single-user, stand-alone classified desktop computers used at the lab, eight had valid property numbers but had never been entered into the Sunflower system, according to the report. Three other classified machines had never been issued property management numbers and were also not in the system.
Los Alamos' "listing of classified desktop and laptop SCIF computers was not completely accurate" and information identifying each machine "did not always match the actual classified equipment," said the DOE report, issued by the DOE's inspector general, Gregory Friedman.
The report recommends that the lab enter all classified desktop computers into its property management system and that missing classified machines be immediately reported as required. It also calls on the lab to maintain an accurate centralized listing of all computers used for classified work, and verify and match all property numbers for the classified machines.
Kevin Roark, a spokesman for the New Mexico lab, said today that the facility has already made most of the inventory tracking changes. "This issue is largely solved," Roark said. "This problem wasn't that we didn't have the ability to lay our hands on all of our equipment. This was a problem about accounting [for it], about paperwork. The fact is there were no missing computers."
Michael Kane, associate manager for management and administration at the DOE's National Nuclear Security Administration, said in a letter accompanying the DOE report that his agency concurs with the recommendations.
The lab has faced several security problems in recent years.
Last month, two removable computer disks containing classified nuclear weapons data were determined to be missing from the lab (see story), leading to the suspension of most activities there. E-mail security problems also were reported last month (see story).
Last December, poor record keeping atthe lab was blamed after nine classified computer floppy disks and a large-capacity storage disk were found to be missing during a routine inventory of classified electronic storage media at the facility.
Another incident occurred in June 2000 when computer disks containing classified nuclear information were found to be missing from one of the laboratory's most secure vaults (see story). They were later found behind a photocopier inside the lab (see story).
The Los Alamos lab is operated by the University of California for the National Nuclear Security Administration of the DOE.