REDACTED VERSION
Special Review Interim Report to the Secretary of Energy on the Control of Classified Weapons Data at the National Weapons Laboratories
Office of Independent Oversight and Performance Assurance
June 2000
[REDACTED PARAGRAPH CONTINUED]
(U) As evidenced by the results of this review, LLNL has demonstrated strong management involvement in efforts to protect aspects of classified weapons data in its custody. While attention is warranted in a few areas, LLNL is adequately implementing important requirements for the protection and control of classified weapons data.
3.3 DOE Policy (U)
(U) As discussed in Section 2, DOE has a multi-faceted policy in place for protecting classified matter, including the most sensitive types of classified matter that were the focus of this review. The general principles (restricting access, ensuring trustworthy individuals, and need to know) are sound and are consistent with those of other U.S. government agencies. However, notwithstanding the aggressive instructions issued on June 21, 2000, the results of this review, in combination with the results of previous Independent Oversight inspections and reviews, indicate that there are weaknesses in policy that require significant and timely management attention. These weaknesses are discussed under five general categories: relaxation of accountability requirements, lack of specificity in DOE requirements, lack of direction regarding implementation of the need to know principle, over-reliance on individual compliance, and inadequate definition of the graded approach.
Changes in Accountability Requirements (U)
(U) The relaxation of the accountability requirements has resulted in some increase in operational efficiency and reduced costs. For example, laboratory personnel save time and effort because they no longer need to track each document (e.g., receipts) and are not required to perform certain administrative functions (e.g., obtaining permission to make copies and marking each copy). Similarly, DOE sites no longer have to expend resources conducting periodic inventories, which could encompass millions of documents at nuclear weapons laboratories.
(U) The increased operational convenience and reduced costs, however, came with a corresponding reduction in certain aspects of security. In the absence of a formal accountability system, DOE sites no longer have the capability to determine important information such as whether a document/item is missing, where specific documents are located, who has had access to those documents, who has responsibility for control and protection, and whether a document has been destroyed. In addition, DOE sites generally cannot track documents/items to determine who has responsibility for them in the event one is determined to be missing. DOE sites are also limited in their ability to ensure that individuals are held accountable for implementing security requirements because there is usually no way to determine who has direct responsibility for a missing document or who last had access to the document.
(U) After the LANL hard drive incident, DOE and LANL were severely criticized for LANL's lack of capability to detect a loss, determine who has been in a vault and when, or determine who has custody of a document/item at a given time. LANL did not have this capability even for hard drives that contained information that was among the most sensitive in the complex. Also, the LANL loss was discovered as a result of an unscheduled check because of a fire rather than as part of a systematic inventory. However, the situation at LANL is not unique to the LANL X Division vault. In fact, the same situation is evident at LLNL and SNL-NM and essentially every other DOE site as well as other government agencies. Within LLNL, for example, there are about a million classified documents, about five thousand of which are in a formal accountability system. Without systems in place to track and account for documents, the protection system's ability to detect a loss or find the person who should have custody is limited.
(U) It is important to recognize that re-establishment of an accountability system does not eliminate the insider threat or the potential for compromise of information through errors or violations of procedures. Even with an accountability system in place, an insider (i.e., an authorized person intent on espionage) could still make unauthorized copies of documents or electronic media. However, strengthened systems for accountability and tracking, in combination with other measures (e.g., controlling access to copiers and data transfer devices), would strengthen individual accountability and improve security by increasing the deterrence factor and the likelihood of detecting an unauthorized act.
(U) DOE followed the Executive Orders and practices of other government agencies in deciding to relax accountability requirements. In some ways, DOE has comparable security concerns to other agencies and a common approach is warranted. For example, DOE sites have national security information that is similar to that possessed by other agencies. However, DOE sites and laboratories have unique concerns that other agencies do not face, most notably design information related to nuclear weapons and extremely sensitive information about use control and disablement of nuclear weapons. The DOE Headquarters Office of Defense Programs and SO have made some efforts to convince the Department of Defense (DOD) that some changes were needed to better protect sensitive classified matter (e.g., reevaluating classification and protection of certain types of information). However, those efforts have not been embraced by DOD.
(U) The DOE decisions to eliminate formal accountability for Secret and Top Secret matter were controversial at the time and continue to be so. Some organizations, including the predecessor to Independent Oversight, commented on the inevitable degradation in rigor and formality of handling classified matter following the 1991 and 1992 decisions to relax accountability requirements. Similarly, the 1998 decision to eliminate formal accountability for Top Secret matter did not receive universal support. Although not mandated, all three national laboratories have retained some aspects of their accountability systems for Top Secret and SNL-NM has maintained a full formal accountability system.
(U) Various DOE elements and individuals have advocated re-establishment of a formal accountability system for Top Secret documents and/or Secret weapons data. Most notably, in March 1999, the Directors of the three nuclear weapons laboratories sent a joint recommendation to the DOE Under Secretary and the DOE Director of the Office of Counterintelligence in which they advocated that DOE reinstate accountability for documents that contain Secret Restricted Data and Top Secret Restricted Data. They indicated that, without formal accountability, counterintelligence reviews are much more difficult because it is not feasible to determine specifically who has had access to certain design information. They also cite the Cox Commission report as a basis for reinstating formal accountability.
(U) Although re-establishment of a requirement for an accountability system is an important step, additional actions will be needed to ensure that the accountability systems are effective. The current requirements for accountability are not sufficiently detailed to provide adequate direction to the field to ensure a complete chain of custody. In addition, accountability systems need to be viewed as one element of a viable and comprehensive graded approach to protection (as discussed later in this section, DOE has a graded approach concept but the current guidance is not adequate).
(U) As part of the June 21, 2000 implementing guidance issued by the Office of Defense Nuclear Security within the National Nuclear Security Administration (NNSA/DNS) for the Secretary of Energy's June 19, 2000 memorandum, direction has been provided to DOE field elements to place certain materials (i.e., computer media that contain a compilation of nuclear weapons design and testing information that includes Sigma 1, 2, 14, or 15 information) into an accountability system. Specific methods for implementing the accountability system are included in the guidance.
Lack of Consistency and Specificity in DOE Requirements (U)
(U) As discussed in Section 3.1 and 3.2 and Appendices B and C, SNL-NM and LLNL generally comply with the minimum requirements specified in the DOE Order and Manual, although each site has some specific weaknesses that need to be addressed. However, the protection effectiveness for similar information varies considerably from place to place and does not provide a level of protection that is based on the sensitivity of the information.
(U) For example, at SNL-NM, some Secret Restricted Data documents containing weapons design information were stored in a GSA-approved container within a vault-type room that is provided with alarm protection and a protective force response time of 15 minutes or less. DOE policy would permit a copy of the same document to be stored in a GSA-approved security container equipped with a specified lock anywhere within the Sandia limited area (anywhere within the fenced area). In one case, a penetration of the vault-type room repository would be responded to within 15 minutes; in the other case, no alarm would sound and a penetration of the repository would not be noted until someone happened to inspect the container and notice a breach (there are no specific requirements for protective force patrols at any interval in this case). Both of these situations, however, comply with the requirements for storage of Secret matter as specified in DOE Manual 471.2-1B.
(U) As part of a DOE-wide effort to revise DOE orders to allow the field more flexibility in determining how to implement general requirements, the Information Security Program Order (DOE 471.2A) was revised in 1997. As part of the increased flexibility, the current Order contains only very general and vague requirements (e.g., "controls shall be established to detect and deter unauthorized access to classified matter"). For some aspects of protection, the associated Manual provides more detailed requirements. However, the Manual does not provide much information on important subjects such as access controls at vaults. In the absence of specific requirements, DOE sites, which are under continued pressure to reduce costs and/or justify expenditures based on DOE order requirements, often decide to implement only the minimum requirements as specified in the Order or Manual.
(U) The results of this review and recent inspections indicate that the lack of specificity and clarity in policy is a contributor to inconsistent protection effectiveness. Supporting examples include:
(U) The DOE Order and Manual require access controls but provide no specific information on requirements for access to vaults and vault-type rooms. For example, there is no information on requirements for logs of entry and exit times. The approaches varied considerably between the national laboratories and between different areas in the same laboratory. As noted in the LANL incident, no logs were kept at the X Division vault for personnel on the access list. At SNL-NM, card reader systems were used at some areas such that there was a log of the entry, but these systems were not implemented in a way that provided a comprehensive log (e.g., there were no mechanisms or procedures to prevent "piggybacking," in which additional personnel enter after one person opens the door) and there were no mechanisms to log when an authorized person exits. The Secretary's June 19, 2000 enhancements specifically require immediately implementing measures to record the time of entry and egress. The Secretary also directed a near-term comprehensive evaluation of existing vault procedures, revision of policies, and rapid implementation. LLNL and SNL-NM have taken some immediate actions to implement this direction and are aggressively working to address all the directed actions.
(U) Requirements for locks are not comprehensive. DOE requirements have provisions for changing repository lock combinations in certain conditions (e.g., when personnel with the combination are terminated). Previous versions of the orders included provisions for changing the locks on an annual basis; these requirements were dropped in the latest revision. The sites are not required to, and generally do not, have a program in place to change the lock combinations on a regular basis. The absence of a specific requirement creates the potential for a lock combination to go unchanged for many years, potentially compounding the damage associated with a compromised combination. In addition, DOE sites, including LLNL and SNL-NM, often use temporary measures (day locks or keypad locks instead of combination locks) for short time periods (e.g., up to an hour while the individual is on a break). There are few provisions in the Orders or Manuals that discuss how and when such alternative methods provide acceptable security. The recent Secretarial direction and NNSA/DNS implementing guidance place restrictions on this practice in vaults.
(U) DOE policies make no real distinction between documents and electronic media with respect to storage and control. Most of the requirements in DOE orders were written before the advances in cyber technology and were primarily developed with paper documents in mind. For the purposes of protection of classified matter, an electronic media item (e.g., a hard drive or compact disk) is treated the same as a document. There has been little revision of the Orders or Manual to reflect technology advances (e.g., the fact that a single electronic media item can contain vast quantities of information, equivalent to thousands of documents). The Secretary's June 19, 2000 enhancements establish a requirement for implementing encryption of certain high-density media, increased security requirements for certain classified databases, and a DOE-wide inventory of electronic media that contains certain information. LLNL and SNL-NM are working aggressively to implement this new direction. Continued interaction between the NNSA/DNS and the laboratories will be needed to achieve implementation.
(U) The inconsistent approaches and levels of effectiveness described above are products of the lack of specificity and minimal standards in DOE orders. In the absence of specific requirements, sites have too much flexibility to interpret the requirements and will often make security decisions based on operational convenience and available facilities, equipment, and resources.
(U) Compounding the lack of specificity in certain areas is the historically slow response from SO and its predecessor organizations. For example, SNL-NM has been implementing manpower-intensive compensatory measures since the July 1999 Independent Oversight inspection while awaiting SO guidance related to protection of classified parts. Similarly, there is insufficient DOE guidance for identifying what information is SUCI Sigma 14. This is a longstanding policy issue and the subject of requests for clarification from several sites.
Lack of Direction on Implementation of the Need to Know Principle (U)
(U) DOE has a general policy that requires limiting information to those with a valid, job-related need to know. However, there are few standards and expectations for implementing a need to know program. The methods and effectiveness varied widely between the two sites and within the same site. In some instances, large vaults containing many types of information had no additional partitioning, such that anyone with access to the vault would have access to any of the information therein, with no explicit provisions for need to know. In other cases, there were separately locked areas/safes containing information from particular programs. Similarly, there were different approaches for determining who would be granted access on a need to know basis. For example, in some divisions, LLNL management made a blanket determination that everyone in the Division needed access to all information located in a large vault that held a wide variety of information on different programs. While a questionable practice, there are no specific provisions in the DOE order that explicitly preclude it. Conversely, there were instances where the controls on need to know were very tight, with only a very few authorized users and stringent procedures for granting access to information to other personnel who may need it.
Over-Reliance on Individual Compliance (U)
(U) Protection against the insider is the most challenging part of information security. Certain personnel need access to information to do the job we pay them to do -- such as designing nuclear weapons and serving on NEST teams to respond to a nuclear emergency. DOE has a personnel security program that requires all personnel to undergo background investigations and receive a Q clearance before being granted access to Secret Restricted Data. DOE also has programs, such as training and security awareness programs, that are intended to ensure that personnel are aware of their security responsibilities.
(U) No program, however, can provide full assurance against the determined insider, especially one that willingly disregards or circumvents procedures. If an individual has access to information, it can be compromised by various means, such as removing the materials, creating copies, or simply telling unauthorized personnel. Similarly, information can be compromised by careless mistakes, such as leaving documents unattended. DOE policy recognizes that some level of risk is inherent when individuals are allowed access to information and that the possibility of a trusted and authorized individual performing acts of espionage cannot be fully precluded.
(U) In addition, DOE sites must be vigilant to ensure compliance with DOE requirements. In any organization, especially ones that place a high value on the open exchange of ideas as an operational necessity in a research and development environment, there are likely to be individuals who view security measures as overly restrictive and will be tempted to disregard or shortcut requirements. The potential for such actions is heightened if requirements are not practical or require use of arcane technology or approaches (as has sometimes been the case). Such pockets of resistance to security are a continuing concern at the national laboratories and will continue to be an area that requires attention for the foreseeable future. The national laboratories, particularly LANL and LLNL, which are operated by a university, have a historical reputation of tolerance for non-compliance with procedures. However, the results of the 1999 Independent Oversight reviews and this special review indicate that, as a result of the previously discussed Secretarial initiatives and attention, senior managers at the laboratories are actively involved in promoting security and that security is receiving considerable support. Changing a "site culture" is a significant challenge and a long-term undertaking that requires continued and proactive management support and involvement, as well as clear and demonstrated individual and organizational accountability for compliance.
(U) Although progress is being made, DOE laboratories are still vulnerable to the actions of a single individual who is authorized access to sensitive classified information. For example, at LLNL and SNL-NM as well as most other DOE sites, there are few measures that would prevent individuals from making unauthorized copies of classified documents, including accountable documents. There are few provisions for random checks/searches of personnel or areas to determine if documents/items are being used and stored as required (e.g., to determine whether individuals are violating security procedures by storing classified documents in desk drawers). DOE laboratories rely primarily on compliance with DOE requirements and have not consistently and systematically attempted to identify and implement prudent measures that could reduce risks. The results of the reviews of LLNL and SNL-NM indicate that there are opportunities to further reduce risks by judiciously applying prudent measures like application of a two-person rule for certain activities, such as protection of high-density information on computer media.
(U) DOE has personnel security programs in place to lessen the risk of an insider and security awareness programs to encourage attention to security. The reduction in other security measures (e.g., the elimination of accountability requirements for Top Secret) places increased emphasis on the personnel security program component.
(U) With some exceptions, DOE's human reliability programs do not currently encompass any classified information activities regardless of the sensitivity of the information (exceptions include those that also involve special nuclear material and downloading of unclassified information from classified computers). As part of the ongoing effort to revise 10 CFR 710 Subpart B and combine the PSAP and PAP into a single program, DOE is currently working to establish requirements and criteria for including personnel with access to certain types of information in the human reliability program. Also, DOE has recently initiated polygraph examinations for certain categories of employees that have access to sensitive classified information.
Inadequate Definition of the Graded Approach (U)
(U) DOE has a provision requiring a graded approach to protection of classified matter. The concept of a graded approach is appropriate; certain types of classified matter are more sensitive and warrant higher levels of protection than other types. However, the guidance related to the graded approach is minimal, consisting of only a few paragraphs of general guidance and examples that cite broad categories of information (e.g., "information useful in developing a nuclear weapon"). The guidance is not sufficient to allow sites to determine how to categorize security interests in a manner that would allow a graded protection strategy. Also, it does not include a methodology for identifying progressively higher levels of security.
(U) LLNL and SNL-NM each have some examples of implementing measures beyond those specific minimum mandates, such as tracking systems for documents. However, neither LLNL nor SNL-NM has a systematic method for implementing a graded approach. The examples in which additional measures are implemented largely reflect a piecemeal application of professional judgment and resource and equipment availability rather than a systematic, top-down approach that involves defining policy, establishing protection objectives and requirements, and then determining resources needed to meet the requirements.
(U) In general, the classified matter protection Manual places the onus on line management and the field to develop and justify a graded approach. According to the Manual, the Heads of Departmental Elements are required to provide a risk-management-based framework for making security-related decisions and the sites are required to develop plans that describe, justify, and document the graded protection approach. Although this delegation of responsibility provides flexibility to the field, it has not proven effective. For LLNL and SNL-NM, the Head of the Departmental Element has historically been the Office of Defense Programs and, since March 2000, has been the Administrator of the National Nuclear Security Administration (NNSA). Neither the Head of the Departmental Elements nor the respective operations offices (AL for SNL-NM and OAK for LLNL) have provided formal direction for implementing a risk-based approach. The laboratories have little in their security plans about a graded approach for protection of information.
(U) Further, DOE policy currently does not provide sufficient guidance to enable sites to systematically and consistently identify the assets that warrant additional protection. Other than the classification levels and categories (Confidential, Secret, and Top Secret, and Restricted Data, Formerly Restricted Data, and National Security Information) and certain special information (a few documents are identified by Sigma subcategories), there is little policy for establishing the relative importance of various types of information. There are two significant problems that need to be addressed in this regard:
(U) Currently, the Secret Restricted Data category covers a wide range of information, some of which is particularly sensitive. However, the protection requirements for Secret Restricted Data matter in DOE orders make no distinction between the highly sensitive Secret Restricted Data (such as use control information and design of the most advanced nuclear weapons) and information of lesser sensitivity. DP and SO have attempted to work with DoD to assign higher classification levels (Top Secret) to certain types of data, particularly high density electronic media that include large amounts of data related to nuclear weapons systems design and testing (encyclopedic data). What is needed is a clear set of criteria for determining which information requires enhanced protection and a corresponding set of standards for protection measures. Such criteria should consider factors such as the subcategory of the information (e.g., Sigma level), the density of information (large amounts of data on a single media item would require additional protection), the value of the information to an adversary, comprehensiveness (documents with complete design information for a weapon system should receive additional protection) and other such factors.
(U) Although there are some differences (e.g., storage and transmittal), the minimum protection requirements for Top Secret are not significantly more stringent than those for Secret or Confidential. According to DOE orders, Top Secret could be stored in a GSA-approved security container anywhere in a limited area, with no requirements for alarm protection or protective force patrols, as long as the container has a specific type of lock. These minimum requirements are not much different than those for Secret; the only difference being that Secret would only require a standard combination lock. As currently defined, these minimum requirements provide only slightly more protection to the higher value Top Secret matter (the loss of which could cause "grave damage" to the national security). An effective graded approach needs to identify a progressively more stringent set of controls (addressing logs, need to know, access controls, encryption, and other measures in addition to storage).
(U) Overall, the graded approach is not adequately defined and does not provide sufficient guidance to facilitate effective implementation by DOE sites. The Secretary of Energy, in his June 19, 2000 memorandum, has outlined certain immediate and near-term measures and the NNSA/DNS has developed implementing guidance. These measures are consistent with a graded approach in that they identify specific actions for certain types of classified matter. While an appropriate interim step, the longer-term approach needs to address other repositories in addition to vaults and needs to include practical guidelines related to categorizing the relative importance of security interests.
4.0 Conclusions and Recommendations (U)
(U) In general, LLNL and SNL-NM meet the minimum DOE requirements for control of classified matter in the areas reviewed by the Independent Oversight team. While some specific improvements are warranted, no significant unmitigated deficiencies were identified. However, the current requirements for controlling classified matter are not as stringent or clear as needed in light of DOE's particularly sensitive nuclear-weapons-related information. Improvements to policy are needed to ensure that DOE expectations are clearly defined. Particular attention is needed to more clearly define protection requirements in areas such as need to know and establishment of a graded approach that are clearly understood and can be effectively implemented to enhance protection of DOE's most critical assets.
(U) Appendices B and C provide specific opportunities to improve the classified matter protection programs at SNL-NM and LLNL, respectively. This section provides Independent Oversight recommendations for actions to be taken by DOE Headquarters to improve DOE policy. In developing the recommendations below, Independent Oversight recognizes that the NNSA/DNS developed guidance for implementing the Secretary's June 19, 2000 direction to enhance protection measures. NNSA/DNS is working with the field to ensure that questions are resolved and additional guidance is developed as needed. Independent Oversight believes that the enhanced protection measures and the recent implementing guidance provide a good framework for improving protection on an immediate and near-term basis. The recommendations below are intended to complement the recent direction and implementing guidance by identifying additional areas that should be considered for near-term and longer-term action.
1. (U) Re-institute requirements for a formal accountability system for certain types of information. The current requirements for accountability need to be strengthened and clarified. Top Secret and Secret Restricted Data related to nuclear weapons should be included. An evaluation should be conducted to determine whether other Secret Restricted Data (related to production of special nuclear materials and nuclear energy) should be included. Various methods to apply commercially available technologies (e.g., databases, bar codes, using badge swipes to check out documents) should be explored to facilitate implementation and make the system user friendly and useful for operations as well as security (e.g., data searches and data mining). Lessons learned from sites currently using accountability systems should be solicited and utilized to facilitate the reinstatement of formal accountability.
2. (U) Establish a clear and comprehensive graded approach and issue appropriate implementing guidance. An effective graded protection approach needs to incorporate additional measures for accounting for and tracking the more sensitive types of documents/items, including more stringent measures for controlling and recording access to repositories. The recent Secretarial direction for enhanced protection measures and NNSA/DNS implementing guidance provide a good start. This initiative needs to be expanded to include other storage repositories (in addition to vaults). It also needs to include practical guidelines for categorizing the relative importance of security interests, and include a methodology for systematically identifying priorities and protection measures for various types of security interests.
3. (U) Clarify the need to know policy. Clear policy and criteria are needed to ensure that DOE sites strengthen implementation of the need to know principle. Specific areas that need to be addressed are expectations for partitioning information within large storage areas and prudent measures to restrict access to those with a specific need to know (rather than unilateral decisions that an entire Division has a need to know all information in a vault or program).
4. (U) Continue efforts to expand the human reliability programs. The NNSA/DNS effort to include personnel in positions with access to certain types of nuclear weapons information is noteworthy and should be finalized and implemented. DOE's graded approach should explicitly consider participation in the human reliability program as a control in a graded approach to protection. The parameters of the program should also be re-evaluated to ensure that it is designed to provide assurance of an individual's trustworthiness (e.g., polygraph examinations).
5. (U) Conduct a review of special access programs and sensitive compartmented information. These programs include highly sensitive information, and only a few individuals are authorized access to areas where special access programs are conducted or to sensitive compartmented information facilities. These programs should be reviewed in a manner similar to this review, either by the Office of Independent Oversight and Performance Assurance or by the organizations that are responsible for direction and oversight of sensitive compartmented information and special access programs.
6. (U) Develop a plan and milestones for revising and reissuing the DOE orders and manual to reflect recent and planned policy changes. The changes directed by Secretary Richardson and further defined by the NNSA/DNS need to be refined and then incorporated into the applicable DOE orders and manuals (those for classified matter protection and computer security) on an expedited basis to ensure that they are institutionalized and incorporated into contracts with DOE site contractors. Other modifications to the classified matter protection order and manual, such as clarifying requirements for a graded approach, need to know, and accountability, should also be made as soon as possible. Also, SO should accelerate efforts to develop and issue guidance regarding protection of classified parts.