GAO said in a report published Wednesday 75 percent of surveyed NIST personnel believe that agency leaders put “great” or “very great” importance on security matters, but employees showed varied levels of awareness on security responsibilities due to limited communication within the agency.
NIST should establish a comprehensive communication strategy, interim milestone dates and efficiency assessment methods to address security vulnerabilities that result from disparities between employees’ security awareness levels, GAO noted.
The report also found that NIST shares the management of its physical security program with the Commerce Department, which causes fragmentation in responsibilities.
The Commerce Department oversees security personnel that implement physical security policies, while NIST leads physical security countermeasures including access control technology.
NIST and its parent organization established the current organizational structure in October 2015 without evaluating its effect on NIST’s physical security efforts, GAO said.
Commerce and NIST most recently conducted risk management activities for NIST campuses in 2015 and 2017, but did not fully comply with the mandated federal risk management process developed by the Interagency Security Committee, the report revealed.
GAO revealed that the risk management efforts were executed without a sound risk assessment methodology; fully documented key risk management decisions; and appropriate stakeholder involvement.
NIST and Commerce also performed overlapping risk management activities that could lead to duplication, the congressional watchdog reported.
GAO recommended NIST to integrate elements of key practices into its security efforts; evaluate its current physical security management structure in coordination with Commerce; and work with the department on the implementation of coordinated risk management policies.