NIST’s Physical Security Falls Short, Undercover Audit Finds

Auditors gained unauthorized access to secured parts of NIST buildings where they could have infected computers or caused physical damage.

Undercover federal auditors were able to gain unauthorized access to secured areas in both the Maryland and Colorado campuses of the government’s science and technology standards agency, according to a report released Wednesday.

The report doesn’t describe which areas of the Commerce Department’s National Institute of Standards and Technology campuses the investigators accessed.

Videos documenting the security breaches that were shown to members of the House Science Committee are also not being disclosed to the public.

The Commerce Department is concerned that copycats might use the Government Accountability Office investigators’ tactics to sneak into NIST’s buildings or other federal buildings, Deputy Assistant Secretary Lisa Casias told committee members during a hearing Wednesday.

Members including House Science Chairman Lamar Smith, R-Texas, criticized that decision, suggesting the GAO’s tactics were fairly run-of-the-mill.

“My suspicion is that you all may be overly cautious,” Smith said. “Having seen those videos, it’s pretty obvious as to what might cause breaches and what did cause breaches in this case. You’re not revealing much to acknowledge that.”

It’s not clear what damage nefarious trespassers might have been able to do if they had the same access as the government auditors.

Rep. Clay Higgins, R-La., who also viewed the videos and criticized Commerce for not releasing them, repeatedly asked the official who managed the undercover operation whether investigators could have inserted malware-laden thumb drives into NIST computers.

Seto Bagdoyan, who directs GAO’s forensic audit services, declined to answer those questions in an open hearing but acknowledged that most NIST offices contain computers.

NIST publishes standards and best practices guides for the private sector in numerous areas including cybersecurity and information security, so its work products might be highly interesting to U.S. adversaries. Federal agencies are also required to follow NIST cybersecurity standards based on an executive order President Donald Trump issued earlier this year.

A malware infection in one agency’s computers might also give an adversary nation or hacking group a jumping-off point to steal information from other government agencies.

Congress requested the GAO investigation after two separate security breaches. In 2015, a federal police officer caused an explosion when he was trying to illegally manufacture methamphetamine on NIST’s Maryland campus. In 2016, a non-NIST employee who was delirious wandered onto the institute’s Colorado campus.

NIST has made several improvements since then, the institute’s acting director Kent Rochford told lawmakers, including requiring advanced certifications for NIST security staff and mandatory security training for all other NIST employees.

The institute also created a security advisory board.

“We’ve developed training that’s very explicit, very unambiguous and actually includes various scenarios so people know precisely what would be expected,” Rochford said.

The GAO report also included a standard audit and a survey of NIST employees.

The audit found significant improvements in NIST security but also found varied levels of security awareness among employees. It also found NIST leaders were not following some key practices in their security improvements, including not having a communications strategy.

As of May, about three-fourths of NIST’s scientific and technical staff believed agency leaders placed “great” or “very great” importance on physical security, the survey found.