The vSANS instrument at the NIST NCNR. Photo: Fran Webber/NIST

Covert security tests of the National Institute of Standards and Technology’s two campuses revealed potentially-dangerous gaps, according to a new federal report released Wednesday.

Access was gained to both the Maryland and Colorado NIST locations, according to the investigation by the Government Accountability Office. The locations house hazardous chemicals and even a nuclear reactor used for research.

“We identified security vulnerability through our covert vulnerability testing, during which GAO agents gained unauthorized access to various areas of both NIST campuses,” according to the public version of the report.

The report was discussed by some members of the House Committee on Science, Space and Technology on Wednesday. Behind closed doors, the members watched videos detailing the 15 separate breaches of parts of the facilities.

“The evidence produced in these videos shines a light on the porous nature of NIST’s physical security, and are particularly concerning to the Committee, especially in light of the fact that the July 2015 meth lab explosion served to put NIST on notice that its physical security program was flawed,” said Rep. Darin LaHood (R-Ill.).

The GAO tests involved federal agents using “very basic espionage techniques,” according to the proceedings. The methods used for access were not shown, or discussed publicly.

“GAO, as I understand it, remains concerned that the Police Services Group and the security structure within NIST has not received proper scrutiny,” said Rep. Lamar Smith (R-TX), chairman of the Committee. “A concern that is bolstered by the revelation that GAO agents successfully penetrated NIST campuses in 15 out of 15 attempts during their covert vulnerability testing.”

The in-depth look at security comes after two high-profile incidents, one at each of the NIST locations.

A federal police officer at the National Institute of Standards and Technology’s campus in Maryland caused an explosion while manufacturing methamphetamine in a partially-vacant facility two years ago. An unaffiliated person gained access to a secured facility at the NIST campus in Colorado last year, and required medical attention.

New safeguards have partly improved security, but more steps need to be taken, the report concluded. 

NIST and the U.S. Department of Commerce (its overseeing agency) prepared a joint statement for the record, presented by NIST’s acting director, Kent Rochford, and Lisa Casias, the deputy assistant secretary for administration at Commerce.

“NIST takes its responsibility to ensure the physical security of NIST’s two campuses very seriously,” said Rochford. “NIST is working with OSY to strengthen the security culture at NIST, which the GAO notes has already had some success, though there is still more work to be done.”

Rochford told the subcommittee improvements are in the works.

“NIST and the Department of Commerce are working together to foster a positive security culture,” he told the members.