Weaknesses in Classified Information Security Controls at DOE's Nuclear Weapon Laboratories.
Subcommittee on Oversight & Investigations
Committee on Commerce
U.S. House of Representatives
July 11, 2000
Prepared Statement of Glenn S. Podonsky
Office of Independent Oversight and Performance Assurance
U.S. Department of Energy
Washington, D.C. 20585
Panel 1, Witness 2
Thank you Mr. Chairman. I appreciate the opportunity to appear before this subcommittee to discuss classified information security controls at DOE's nuclear weapons laboratories. As you are aware, my office provides the Secretary of Energy with an independent view of the effectiveness of departmental policies, programs, and procedures in the areas of safeguards and security, emergency management, and cyber security.
At the outset of my statement, I believe it is particularly important to inform you about some significant aspects of DOE's current administrative requirements for protecting classified information and how those requirements came about.
Ten years ago, DOE required a formal accountability system for all Secret and Top Secret information. Each document or item was accounted for from origination to destruction, and each was identified by a unique number, page count, and various other specific markings. A chain of custody was maintained throughout the item's life. Additionally, periodic inventories were required to ensure that all documents or items were present or accounted for.
In early 1991 DOE began modifying its requirements for classified matter accountability. This action was in response to a government-wide initiative that had as its foundation a 1990 National Security Council assessment intended to establish a single efficient national industrial security program that could be applied to both industry and government.
Consequently, in February 1991 DOE modified its policy to eliminate the requirement to account for Secret level information that was categorized as National Security Information -- that is, information that could impact national security but was not directly related to nuclear weapons design or nuclear material production.
In May 1992, DOE again modified its requirements based on the provisions of Part 2001of Title 32 of the Code of Federal Regulations, this time eliminating formal accountability requirements for Secret Restricted Data -- that is, nuclear weapons-related information.
In January 1998, under the authority of Executive Order 12958 of April 1995, DOE eliminated accountability requirements for all Top Secret information.
With these modifications, current DOE policy only requires sites to individually account for certain types of documents, such as sensitive compartmented information, foreign government information, some sensitive (nuclear weapons) use control information, and some special access program information.
These reductions of accountability requirements were part of a general trend toward reduction in security that occurred in the early to mid 1990s, partly as the result of the end of the cold war. During that period DOE initiatives were aimed at reducing security costs, declassifying information, and increasing "openness" at DOE sites to promote interactions with local communities and with industry. That general trend included DOE's encouragement for sites to reduce security costs through such actions as downsizing protective forces, downgrading clearances, and eliminating or consolidating security areas, all elements of the overall program for protecting classified information.
In response to the 1999 allegations of espionage at Los Alamos, Secretary Richardson took some extensive and unprecedented actions. Security within DOE, and particularly at the three national weapons laboratories, received high-level management attention. Secretary Richardson directed the implementation of an extensive set of cyber security enhancements, strengthened DOE's security manacgement organization through functional reorganization and addition of personnel and expertise, elevated the oversight function to a direct report to his office, implemented a polygraph program, and issued a zero tolerance policy for security violations. At the same time, the Headquarters Office of Defense Programs published a "goal post" document that established expectations for near-term improvements that would enable each size to achieve a satisfactory security program. Under these initiatives, DOE sites took aggressive action and strengthened their secunty programs and practices in several areas, including cyber secunity, control of foreign national visitors, and storage of classified weapons components. However, since these efforts were initiated within DOE, they did not address the government-wide policy deficiencies associated with the control of Secret and Top Secret classified information. Minimal security requirements that are subject to a wide range of interpretations for the purpose of implementation do not, as we have seen, enhance the security posture of our government.
DOE is unique in that it possesses and is responsible for safeguarding certain types of information that no other agencies possess -- specifically, information categorized as Restricted Data that deals with nuclear weapons design, manufacture, and testing, and includes information about disabling or enabling nuclear weapons. Such information merits a higher degree of protection than other types of classified information (categorized as National Security Information.).
Consequently, at the direction of Secretary Richardson, DOE is currently evaluating and/or implementing four Department-wide recommendations:
When the Secretary was informed in June 2000 of the security incident at Los Alamos involving missing classified hard drives, he demanded to get to the bottom of the situation and, once again, he took a number of aggressive steps to increase the control and protection of particularly sensitive weapons-related data. The Secretary directed immediate implementation of several recommendations. Other recommended changes, including the four I specifically mentioned, should be incorporated into DOE orders as soon as possible to ensure that they are institutionalized and become part of a permanent policy base.
- First, re-institute requirements for a formal accountability system for certain types of information (i.e., Top Secret and Secret Weapons-Related Data).
- Second, establish a clear and comprehensive graded approach for information protection and issue appropriate implementing guidance. This approach should include practical guidelines for determining relative importance of information; provide more sensitive information greater protection; and apply recent enhanced requirements for vaults to other storage containers.
- Third, clarify the need-to-know policy. In order to better limit access to information, DOE needs to determine prudent measures for identifying specific need-to-know for access to information and establish expectations for partitioning information stored in large repositories.
- Fourth, continue efforts to expand the human reliability programs. DOE's human reliability program, which includes drug testing and regular medical evaluations and ensuring that personnel who handle nuclear weapons and special nuclear material are rehable and fit for duty, should be expanded to include personnel with access to the most sensitive nuclear secrets.
Additionally, he directed my office to make an immediate assessment, on an expedited basis, of the adequacy of security procedures and administrative controls for such information at Los Alamos, Lawrence Livermore, and Sandia National Laboratories. We completed reviews of Lawrence Livermore and Sandia, and we will conduct a similar review at Los Alamos after the FBI has completed its criminal investigation surrounding the classified hard drives.
That concludes my comments. Thank you, Mr. Chairman.