U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Special Inquiry Report to the Secretary

Selected Controls over Classified Information at the Los Alamos National Laboratory

Department of Energy
Washington, DC 20585

MEMORANDUM FOR THE SECRETARY

FROM: Friedman [signature], Inspector General

SUBJECT: INFORMATION: Special Inquiry on Selected Controls over Classified Information at the Los Alamos National Laboratory

INTRODUCTION AND BACKGROUND

You asked that the Office of Inspector General examine the circumstances surrounding a recent incident at the National Nuclear Security Administration's Los Alamos National Laboratory concerning the possible compromise of classified data. Your request focused on what the Department of Energy and its contractors did, or did not do, to protect classified information; specifically, the steps that were taken to ensure that only properly qualified individuals had access to such information. This memorandum summarizes our findings in this matter. Because of cyber security and Privacy Act considerations, detailed findings are provided in a non-public attachment to this memorandum.

On October 17, 2006, Los Alamos County Police responded to a call at the home of a former employee of a Los Alamos National Laboratory subcontractor. During a subsequent search of that residence, police seized a computer flash drive that contained apparent images of classified documents from the Laboratory. Also found were several hundred pages of what appeared to be Laboratory documents with classified markings. The Federal Bureau of Investigation was notified and immediately began a separate review of this matter, which continues as of this date. Further, Laboratory and Departmental personnel have been involved in a number of related fact-gathering efforts. These matters have been widely publicized in local media.

Against this backdrop, the Office of Inspector General initiated a review to address the concerns raised in your letter. As part of this effort, we
interviewed over 80 Departmental, Laboratory and subcontract personnel; reviewed relevant security and cyber security guidance and procedures; and examined numerous other documents.

OVERVIEW OF FINDINGS

We found that the security framework relating to this incident at Los Alamos was seriously flawed. Specifically, our review disclosed that:

1. In a number of key areas, security policy was non-existent, applied inconsistently, or not followed;
2. Critical cyber security internal controls and safeguards were not functioning as intended; and
3. Monitoring by both Laboratory and Federal officials was inadequate.

Cyber security has been an area of particular interest at Los Alamos due, in part, to well-publicized prior security incidents. In 1999, the then Secretary of Energy accepted a new plan for cyber security at Los Alamos - commonly referred to as the Nine-Point Plan - as a result of a high profile compromise of classified data. This plan specifically directed that safeguards be implemented to prevent the migration of classified information to unclassified systems. In a subsequent Secretarial initiative, called the Six Further Enhancements to DOE Cyber Security, both contractor and Federal officials were directed to take action to reduce the cyber security threat posed by insiders. In 2004, to address additional weaknesses in this area, the Director of the Laboratory ordered a lengthy security stand-down to address and resolve such concerns. That shutdown, according to the U.S. Government Accountability Office, delayed important national security work at a significant monetary cost to the taxpayers. Based on the problems we observed, clearly these efforts were not entirely successful and additional improvements are needed.

The physical and intellectual data that resides at the Los Alamos National Laboratory reflects its preeminent national security mission. Yet, our review of matters related to the most recent incident identified a cyber security environment that was
inadequate given the sensitivity of operations at the Laboratory. This was especially troubling since the Department and the National Nuclear Security Administration have expended tens of millions of dollars upgrading various components of the Laboratory's security apparatus, including vast expenditures on cyber security. In fact, the cyber security events described previously were among the factors that caused the Department to recompete the contract to operate Los Alamos.

While significant procedural weaknesses were evident, human failure, whether willful or not, was the key component in this matter. In our report, we identified a number of specific actions associated with the latest series of events that were in contravention of recognized security policies and procedures. Our detailed report also includes specific recommendations to strengthen security policy and procedures at both the Department and the Laboratory.

On June 1, 2006, Los Alamos National Security, LLC assumed responsibility as the operator of the Los Alamos National Laboratory. Many of these recommendations require specific contractor actions to address the weaknesses noted in our special inquiry. In this context, the Department needs to hold the new contractor accountable for the reforms needed to ensure a secure cyber security environment at Los Alamos. Further, we concluded that the lessons learned from this incident should be applied throughout the Department of Energy complex.

Attachment

cc: Deputy Secretary
    Administrator, National Nuclear Security Administration
    Chief of Staff

SELECTED CONTROLS OVER CLASSIFIED INFORMATION AT THE LOS ALAMOS NATIONAL LABORATORY

SPECIAL INQUIRY ON SELECTED CONTROLS OVER CLASSIFIED INFORMATION AT THE LOS ALAMOS NATIONAL LABORATORY

TABLE OF CONTENTS

Executive Summary

Detailed Results of Review
    Classified Network and Computer Security Controls
    Computer Security-related Recommendations
    Security Clearance Process
    Clearance-related Recommendations

Appendices
1.
Diagram of Vault Type Room
2. Related Photographs
3. Prior Reports

OFFICIAL USE ONLY

EXECUTIVE SUMMARY

BACKGROUND

The Los Alamos National Laboratory (LANL) is operated by Los Alamos National Security, LLC for the Department of Energy's National Nuclear Security Administration (NNSA). Its more than 10,000 employees support various national security-related research and development activities. These efforts range from ensuring the safety and reliability of the Nation's nuclear stockpile and preventing the proliferation of weapons of mass destruction, to protecting the Nation from terrorist attacks. To support its mission, the Laboratory manages highly sensitive nuclear materials and classified information. Classified areas and processing facilities pervade much of the site, with over 2,700 separate classified operations, including 139 vault-type rooms. Safeguarding information and materials requires that the Laboratory establish and maintain effective security controls. Security, both physical and cyber, has been a long-standing concern at the Laboratory.

On October 17, 2006, evidence obtained during a drug-related investigation in the Los Alamos community revealed that classified information had been diverted from the laboratory. Local law enforcement officers seized a [illegible] drive containing classified data as well as a large number of classified documents from [redacted]. Because of the seriousness of [illegible] and in response to a request by the Secretary of Energy, the Office of Inspector General initiated a review to determine whether the Department and the Los Alamos National Laboratory had adequately [protected] classified information in this instance and to examine the circumstances surrounding [redacted].

RESULTS OF REVIEW

Our review revealed a serious breakdown in core Laboratory
security controls. In many cases, Laboratory management and staff did not enforce existing safeguards, or they did not provide the attention or emphasis necessary to ensure a secure cyber environment. Some of the policies were conflicting and were applied inconsistently. In other cases, necessary controls had not been developed or implemented. We also found shortcomings in security policy formulation and monitoring activities by Federal officials. In short, these findings raised serious concerns about the Laboratory's ability to protect both classified and sensitive information systems.

[Redacted] We also noted that the NNSA failed to follow up on issues relating to [redacted].

[Redacted] appears to have made a conscious decision to disregard the security training to which [redacted] was exposed, [override] existing internal security controls, and inappropriately remove classified material from the Laboratory. While the control problems we identified were serious and created an environment in which the diversion could occur, the clear violations of security procedures [redacted] appear to have been the root cause of the unauthorized removal of the classified material. These events are the subject of an on-going investigation by the Federal Bureau of Investigation, the results of which may ultimately provide additional information that should be considered in determining corrective actions.

Notwithstanding the investigative effort, our review found that a number of safeguards designed to protect classified information at LANL were not working as intended.

Classified Network and Computer Security Controls

The Los Alamos National Laboratory had developed policies designed to protect classified information. However, in many instances these policies and procedures were ineffective. For example:

• Ports that could have been used to
inappropriately migrate information from classified computers to unclassified devices and computers had not been disabled. LANL management acknowledged that this vulnerability was not limited to the area in which [redacted] was working, but also existed in a number of other classified computing facilities;

• [Redacted] was provided with direct physical access to classified computers and was granted computer privileges that were not required for the performance of [redacted] duties; and

• Program and security officials permitted the introduction of computers and peripherals (scanners and a printer) into a classified computing environment even though they were not approved. Such devices could have been used to compromise network security.

These cyber security weaknesses resulted from control and management failures at multiple levels. In particular, we noted that policies designed to protect classified information were nonexistent, not enforced, or were inadequate. For example, the Los Alamos National Laboratory failed to:

• Enforce, in all cases, controls designed to prevent the migration of classified data to unclassified systems;
• Develop policies requiring system administrators to take advantage of readily available means to physically secure classified computers; and
• Ensure that incompatible functions were segregated and that related compensating controls were in place and operating as intended.

We also found other weaknesses that limited the effectiveness of the Laboratory's classified information system protection program and may have contributed to the diversion of the classified information in this case. For example, Federal review of the Laboratory's classified information systems was not as aggressive as it should have been. Also, we found that some of the Laboratory's policies for procuring classified information support services and for developing and administering system security plans were conflicting and inconsistent.
Further, Federal policy design and implementation issues regarding mixed media vulnerabilities (mingling classified and unclassified computers and/or storage devices) were not adequately addressed and could have implications for the entire Department of Energy complex.

Security Clearance Process

[Redacted]

On-Going and Needed Corrective Actions

After discovery of the incident, management officials at various levels of the Department and at LANL launched an effort to identify and correct control deficiencies that caused or contributed to the unauthorized removal of classified information. The Deputy Secretary issued a memorandum directing that each laboratory and Federal facility operating a classified computer system conduct an immediate and thorough examination of the adequacy of its practices and procedures to ensure that classified information is properly protected. LANL officials also reported that they had taken actions designed to increase the security over classified information, including securing open ports. Based on our preliminary review, we believe these steps could, if properly implemented, help resolve many of the problems we found. However, additional action is necessary. Consequently, we made a number of specific recommendations designed to (i) increase the protection of classified information at LANL and other Departmental facilities; and (ii) improve the integrity of the security clearance investigation and evaluation process.

DETAILED RESULTS OF REVIEW

Introduction and Scope

During September 2005, LANL began a project to scan classified documents and create an electronic archive that could be searched by weapons developers and researchers. To accomplish this, the Laboratory tasked an existing subcontractor with providing some of the hardware needed for the project (scanners) and the labor to actually perform the scanning and indexing of the classified material. One of the subcontractor's employees performed
the majority of the scanning and indexing of documents in a vault-type room (VTR) in one of LANL's classified facilities. This VTR contained a classified removable electronic media (CREM) library, a large classified document storage system, a number of rack-mounted classified computers, and various other classified and unclassified peripherals and devices (See Appendices 1 and 2). The project on which [redacted] worked, one of the 95 separate archiving efforts in progress at LANL, was completed in August 2006.

On October 17, 2006, the Los Alamos Police seized a flash drive containing classified information and a number of classified documents during a drug-related investigation. Subsequent analysis of the seized material revealed that it constituted a portion of the material involved in the scanning project and had been diverted from the Laboratory. Because of the seriousness of the diversion, the Secretary of Energy requested that the Office of Inspector General initiate a review to determine whether the Department and the Los Alamos National Laboratory had adequately [protected] classified information in this instance and to examine the circumstances surrounding the [redacted].

In response to the request, we:

• Reviewed Department of Energy and Los Alamos National Laboratory policies and procedures governing cyber and physical security over classified information at the Laboratory;
• Examined the personnel security adjudication process as it pertained to [redacted];
• Interviewed over 80 Federal and contractor officials;
• Reviewed [redacted] personnel security file and record of clearance adjudication;
• Conducted a physical observation of the VTR in question; and
• Performed limited tests of general controls over classified information systems security at the Laboratory.

Classified Network and Computer Security Controls

Our examination disclosed that, while the Los Alamos National Laboratory had developed policies designed to protect classified information,
in many instances they were not effective in preventing serious security weaknesses. We identified deficiencies related to mixed media vulnerabilities, unneeded access to computing resources, as well as the failure to operate within classified information system accreditation boundaries.

Migration of Classified Information

Following a major security compromise in 1999, the then Secretary of Energy ordered LANL and other similarly situated facilities to implement controls and protections to make it physically impossible to migrate classified information to unclassified systems and devices. While LANL had taken action to disable a number of devices, in a significant number of instances it did not deactivate open computer ports that could be used to circumvent such controls. In the particular VTR to which [redacted] was assigned, none of the ports in the classified rack-mounted computers that could be used to copy classified data had been disabled or secured. Our review disclosed that [redacted] had been granted access to all of the open and unsecured USB and high speed serial (firewire) ports on the classified computers used for scanning. Such access would have permitted [redacted] to create CREM by copying classified information to high capacity and easily concealable devices such as flash and portable hard drives. Information gathered by Laboratory line management officials immediately following the seizure of [redacted] flash drive further disclosed that open ports that could be exploited existed in many of the over 2,700 classified work environments in the LANL complex.

Our examination also disclosed that mixed media weaknesses in the same VTR could have permitted the transfer of classified information to unclassified networks and/or systems. We found that at least one unclassified standalone computer had active and accessible USB and firewire ports and also had access to the Laboratory's yellow network - used for processing sensitive but unclassified information - and to the Internet. [Redacted] review analysts told us [redacted] classified information to the standalone unclassified computer's hard drive, transferred it [redacted] LANL's unclassified [redacted] loaded such information to the Internet. [Redacted]

Access to Resources

In spite of controls and specific guidance by NNSA to the contrary, [redacted] was granted access to a classified high-speed network printer even though not required by [redacted] job. Among other measures, the Laboratory developed safeguards designed to ensure that classified information and computer resources are adequately protected. For example, Information Systems Security Officers (ISSO) and/or their alternates are, among other responsibilities, required to ensure that user access is appropriate. In this case, however, that control was not effective. While the [redacted] did not believe that [redacted] needed to print documents, [redacted] practice was to provide printer access to all users, regardless of their duties. LANL contracting, program and subcontractor officials we spoke with stated that the subject's duties were confined to scanning and indexing documents and that [redacted] had no reason to, and should not have been, granted authority to print documents. LANL officials confirmed through forensic analysis that [redacted] had been [illegible] to the printer that was allegedly used for production of the hard-copy classified documents ultimately seized from [redacted] residence. Co-workers told us that, because of the location of the printer (Appendix 1) and the high ambient noise level in the VTR, they could not hear the printer operate and that the subject could have printed classified documents without being detected.

The [redacted] who originally set up the scanning operation also permitted [redacted] and other co-workers to physically access the classified computers
contained in the VTR even though they were not authorized to perform systems administration tasks. As noted by the Laboratory's [redacted], such practices endanger security and are specifically prohibited. Despite these risks, workers in the VTR were permitted routine access to the unlocked racks to reset classified computers and various devices when needed. While the current [redacted] indicated that [redacted] did not permit such access, [redacted] explained that [redacted] was assigned other duties and would not have known whether these individuals continued to access the unlocked classified computer racks during the 50 percent of the time [redacted] estimated [redacted] was away from the VTR.

Operating Within Accreditation Boundaries

LANL officials also permitted the subcontractor to introduce unapproved devices into the VTR in which [redacted] worked, even though they were not included in the accredited security plan and could have compromised the classified network. Although the sequence or timing of events could not be established with certainty, we confirmed that at some point during the scanning and archiving project that began in September 2005, the subcontractor responsible for the project introduced three of its own scanners into the VTR. While these items were called for in the subcontract task plan, they were not addressed in the system security plan and, as such, never received authority to operate from Federal accrediting officials. The [redacted] stated that while [redacted] did not think that the particular scanner [redacted] installed posed a security risk, [redacted] did not perform any tests on it, notify superiors prior to installing it, or modify the security plan to include it - all actions specifically required by LANL policy.

In addition to the scanning devices, we also identified several unclassified computers and other peripherals that were present in the VTR but had not been included in its security plan. The most significant of these devices was the previously described classified
high-speed printer to which the subject was inappropriately provided access. That printer was capable of double-sided printing - the format for many of the hard copy classified documents seized during the [redacted] investigation - and was connected to the Laboratory's classified network. Several other devices - an apparently unused but still operational unclassified computer and an additional government-owned scanner - were also present in the VTR but had not been included on the latest security plan. As with the subcontractor-owned scanners, omission from the plan effectively prevented security officials from evaluating the impact of these peripherals. As a result, they were never reviewed by Laboratory classified computer security officials or approved for operation by Federal accrediting officials.

The accreditation issues we identified are parallel to problems that we identified during our annual Evaluation Report on the Department's Unclassified Cyber Security Program - 2006 (DOE/IG-0738, September 2006). Additionally, our Draft Audit Report on The Department's Certification and Accreditation of Information Systems, issued for comment on September 25, 2006, found that hardware inventories included in security plans were inadequate for various programs and sites. As noted in guidance published by the National Institute of Standards and Technology (NIST), accurate inventories are a key initial step in determining what system elements are exposed to security risks.

Structural Control and Implementation Weaknesses

These cyber security weaknesses resulted from control and management failures at multiple levels. In particular, we noted that policies designed to protect classified information were not enforced or were inadequate. For example, the Los Alamos National Laboratory had not:

• Taken adequate action, in all cases, to enforce controls designed to prevent the migration of classified data to unclassified systems;
• Developed policy
requiring system administrators to take advantage of readily available means to physically secure classified computers; and
• Ensured that incompatible functions were segregated and related compensating controls were in place and operational.

Migration Vulnerabilities

Although LANL had developed policies designed to prevent the unauthorized transfer of classified information to unclassified media or devices, the policies and procedures were not properly implemented and were not always effective. [Redacted] and various members of [redacted] staff recognized that open ports in mixed media environments posed a risk and that they should have paid better attention to ensuring that policies designed to prevent migration of classified systems were enforced. [Redacted] explained that in many situations - such as in [redacted] own office - action had been taken to secure ports by covering them with tamper-indicating tape, and in some other environments ports had been disabled through software controls. In response to our inquiry, [redacted].

While network engineering officials and others within the LANL Chief Information Officer's organization expressed concerns with open ports and problems with managing tamper-indicating devices, a Laboratory-wide solution was never developed or deployed. As evidenced by a series of e-mail exchanges between members of a "diskless computer" discussion group during the March-April 2006 timeframe, with copies provided to the NNSA's Los Alamos Site Office, group members responsible for configuring computers were concerned that a common technical solution to address the control of USB/Firewire ports in mixed media environments had not been developed. In discussing the security challenges associated with modern multi-port computers, one member of the group recognized that it would be a simple matter to plug some recording device into one of these open ports and write to it.

LANL management officials acknowledged during security briefings related to the
discovery of the diversion of classified information that the actions to disable USB ports in mixed media environments had not been completely effective in the past. They noted that, after the recent diversion of classified information, they had identified a number of environments where ports remained accessible. As part of its remediation effort initiated after the current problem was discovered, Laboratory management reported that it had required each user to re-review classified information security requirements, had secured virtually all vulnerable USB ports, and had directed that all flash drives be collected and controlled. We were unable to verify, in the available timeframe, that the actions described by management had actually been completed.

Security of Rack Mounted Computers

LANL also failed to take advantage of readily available security measures that, in this case, would most likely have prevented the unauthorized removal of the electronic classified material found on the seized flash drive. A senior laboratory management official told us that, as part of its initiative to secure CREM following a major security event in 2002, they had acquired locking racks that were to be used to secure most rack-mounted classified computer systems. Although uncertain of the timing, that official explained that at some point the decision was made that these rack mounted systems did not contain CREM and that there was no need to secure them if they were located in vaults or VTRs. Both computer security and management officials that we consulted at the Laboratory informed us that securing these racks would have denied access to the enabled USB ports in the VTR in question and that such action could have prevented the download of the diverted classified information (See Appendix 2). After discussing this issue with Laboratory management officials, these officials indicated that they have now directed that all classified computer racks be locked
regardless of their location.

Segregation of Incompatible Functions

The assignment of incompatible functions by LANL to a single individual might have contributed to the unauthorized removal of classified information in this case. As specified by NNSA policy, measures must be implemented to ensure the management control and separation of security critical functions. In this case, however, LANL did not always provide for such separation and provided a single individual with unfettered authority to override safeguards designed to protect classified systems. For example, the original [redacted] granted physical access to classified computers to unauthorized individuals, including [redacted] and several of [redacted] co-workers. The successor [redacted] was also provided with the same authority and overrode controls designed to prevent peripherals that were not owned by the government and/or had not been evaluated for security impacts from being introduced into the classified computing environment. Essentially, these individuals were given the authority to supervise and approve their own actions. The actions were particularly important in this case because these actions may have desensitized co-workers to [redacted] presence in and around the classified computer racks - a situation that could have permitted [redacted] to complete the alleged insertion and removal of the flash drive from the classified computer without detection.

Because of the extent to which ISSOs are assigned as system administrators in other organizations, the same or similar problems may exist at a number of other LANL facilities. [Redacted] the Laboratory's [redacted] could not easily determine how many individuals were serving in dual-role capacities. [Redacted] explained that line managers selected and appointed the ISSOs, that ISSOs were authorized to appoint alternates
in some areas, and that the only way [redacted] could quantify the incompatible assignment issue was to put out a data call. Although the data collection effort had not been concluded at the time our field work was completed, we did learn that, with about 80 percent of organizations reporting, 62 percent of the individuals identified could be in the position of supervising their own work.

While the Laboratory's [redacted] indicated that [redacted] was aware of the benefit of segregation of duties in preventing or detecting security problems involving insiders, [redacted] did not believe that regulations required such separation and stated that funding was insufficient to accommodate it. [Redacted] explained that the Laboratory interpreted the Department's Classified Information Systems Security Manual (DOE M 471.2-2) of August 3, 1999, as not requiring that the ISSO and the system administrator functions be separated for protection levels such as those employed at LANL. We found, however, that the cited manual is inconsistent with current NNSA guidance. The Department's Manual also does not comport with guidance established by the NIST and the Office of Management and Budget (OMB) that stress the need for separation of incompatible functions and, when such separation is not practical, the requirement to employ strong compensating controls.

Compensating Controls

While the Laboratory developed a mechanism designed to help ensure that the actions of those who administer classified information systems were appropriate, it was not effective and potentially contributed to the unauthorized removal of classified material. Every ISSO is charged with the responsibility of ensuring that actions of their alternates are appropriate and consistent with existing policy. After detailing the management and review role expected of those in [redacted] position, [redacted] stated that [redacted] was unable to properly fulfill [redacted] duties because [redacted] workload was just too large.
[Redacted] indicated that [redacted] was responsible for a classified network that spanned 22 square miles, serving about 150 active users. As such, [redacted] told us [redacted] was forced to delegate virtually all of the ISSO functions to Alternate ISSO/System Administrators who he believed to be inexperienced in the requirements of administering and securing classified networks. [Redacted] indicated that [redacted] was only able to visit the particular VTR in which [redacted] was working infrequently, was completely unaware of the scanning project, did not perform testing or reviews of controls during those visits, and that [redacted] had not detected any of the particular control overrides we identified.

LANL management indicated that it tried to compensate for segregation of duty problems by requiring the participation of others in the testing of security plans. Computer security officials indicated that other system administrators, often from different organizations, participated in testing security plans to determine their viability. While they conceded that the same individual that prepared the plans was sometimes responsible for testing, they also stated that from two to five separate individuals experienced in systems administration were often involved in testing. In this instance, however, the compensating control was not effective in that the other testers involved in a June 2006 test did not identify mixed media vulnerabilities, problems associated with the omission of peripherals from the security plan, or the introduction of subcontractor-owned and other equipment. LANL relied completely on this compensating control and did not require its Classified Information Systems Security Manager, charged with reviewing security plans and submitting them to Federal officials for accreditation, to visit locations to verify that both plans and testing were appropriate.

Contributing Factors

We also found other weaknesses that, in our opinion,
limited the effectiveness of the Laboratory's classified information system protection program and contributed to the unauthorized diversion of classified information in this case. These included inadequate Federal review and inspection of the Laboratory's classified information systems; conflicting and inconsistent policy for procuring classified information support services and for adequately maintaining system security plans; and Federal policy design and implementation issues that could have implications for the entire Department of Energy complex.

Federal Management and Review Activities

The failure of Federal security officials to perform verification activities may have adversely affected the classified security climate at the Laboratory and contributed to the recent removal of classified material. The Los Alamos Site Office (LASO) performed a number of management activities; however, it did not complete needed field activity reviews of the Laboratory's classified information systems. Accrediting officials at LASO told us that they placed a great deal of emphasis on reviewing security plans and accrediting systems, but because of resource constraints they were unable to perform physical inspection of systems to validate that the plans were accurate and were being enforced. During Fiscal Years 2005 and 2006, LASO officials reported that they had only 1.5 full time equivalents available for review of contractor systems and that they simply did not have time to visit system locations.

Our current observations at LASO are consistent with findings we issued in connection with our Evaluation Report on the Department's Unclassified Cyber Security Program - 2006 (DOE/IG-0738, September 2006), in which we expressed our view that NNSA site offices did not adequately manage cyber security by ensuring that contractors implemented NIST and OMB cyber security requirements. In response to our 2006 finding, NNSA indicated that it did not concur with our view and noted that existing
mechanisms were sufficient to meet requirements. Following the incident under review, LASO officials told us that they had reevaluated resource allocations in this area and planned to begin a series of field activity reviews in the near future.

Problems with the timely completion of classified information system inspections may have also been a factor in conditions we identified. Except for an annual review conducted by a senior cyber security specialist from its Service Center, NNSA relied on the Office of Independent Oversight, Office of Health, Safety and Security, to conduct detailed reviews of LANL's classified information systems. Although normally completed once every two years, this inspection had not been performed for about four years because of a variety of factors. Office of Independent Oversight officials told us that a significant portion of the delay was caused by the security stand down at LANL in 2004, a moratorium placed on reviews during the period that the contract was transitioned from the University of California to Los Alamos National Security, LLC (LANS), and finally, their participation in a number of Site Assisted Visits as part of the Department's Cyber Security Revitalization Plan. It should be noted that the Office of Independent Oversight began a previously scheduled review of LANL's classified information systems at about the same time the diversion of classified information was discovered.

Security Planning and Acquisition Policy Issues

We found conflicting direction regarding what items to include in security plans, a factor that may have impacted cyber security at LANL. For example, the Laboratory's [redacted] told us that a [redacted] from the NNSA Service Center had directed that peripheral devices not be included in security plans. Based on that direction, [redacted] advised ISSOs to only include peripherals if their cost was equal to or more than the property accountability
threshold for the Laboratory. In contrast, LANL's [redacted] told us that all peripherals, except for small items that had no memory or ability to read or write information - items such as a mouse or keyboard - were to be included and their impact evaluated in security plans. The Federal official [redacted] indicated that [redacted] had heard something about the direction regarding peripherals but had not verified the direction or evaluated its impact. The NNSA Service Center official to whom the statement regarding peripherals was attributed told us that [redacted] had not provided such guidance.

A lack of knowledge of policy regarding the introduction of equipment following completion of security plans could also have impacted classified information systems security at some of the 104 similarly situated VTRs located across LANL. As identified in LANL guidance, ISSOs are required to update security plans and seek reaccreditation whenever significant changes to the configuration of a system occurred. When queried as to why the security plan for the VTR in which [redacted] worked was not updated when new devices or systems were introduced, the [redacted] told us that the Laboratory has no specific policy regarding events that could trigger the requirement to update security plans. [Redacted] relied on individual ISSOs to make their own determination as to what is significant and whether an update was required and, as we noted earlier, it was not [redacted]. We observed that the Laboratory had issued policy in August 2002 which specifically described events that would trigger a change to security - several of which appeared to be directly applicable in this case.

Inconsistent and conflicting policy regarding the acquisition of computer support services also impacted security in classified computing environments at the Laboratory. For the task under which
the classified scanning took place, as well as for a number of others, procurement officials required that the subcontractor furnish peripherals such as scanners and software. This requirement was incorporated into the task even though the NNSA Policy Letter (NAPS) governing classified computer security and the local classified system security plan for the VTR in question specifically prohibited the connection of non-government owned equipment to the classified local area network. Several months before our review, LANL issued a policy inconsistent with the NAPS in that it permitted the use of non-government property if it was properly reviewed and sanitized upon removal.

Federal Policy Design Issues

Our review disclosed at least one particularly significant instance where classified computer policies had not been developed or properly formalized. After a major breach involving the removal of classified material from LANL in 1999, the then Secretary of Energy directed that safeguards be developed and implemented to prevent the migration of classified data to unclassified systems and decrease the potential for insiders to exploit security vulnerabilities. This direction specifically required that organizations establish requirements that place stringent controls on computers and work stations, including controls on ports that could be used to download files. While ordered and implemented for the three laboratories under the cognizance of the then Albuquerque Operations Office, the requirement was never included in the Department's or the NNSA's cyber security policy. Despite efforts by the Department's Chief Information Officer and various working groups chartered by that organization, this and other policies related to national security systems, including many of those required by the Federal Information Systems Security Management Act (FISMA), have yet to be incorporated in Department policy. A senior official with the Office of Independent Oversight indicated
that [redacted] organization had reported on the Department's failure to update its classified computer security policy. As noted in its Report on the Status of the Department of Energy's Information Security Program for National Security Systems (September 2006), issued to satisfy FISMA evaluation requirements, the Office of Independent Oversight reported that policies for protecting national security systems had not been updated since 1999 and were seriously out of date. The inspectors concluded that policy weaknesses contributed to a number of FISMA implementation vulnerabilities that could, if not corrected, endanger classified systems. Most notably, [redacted]

Cyber Security Program Implementation Issues

Laboratory officials, including the Director and his senior staff, informed us that they were committed to providing a multilayered defense against both internal and external parties that may wish to damage computer systems or compromise information. While these officials indicated that they have recently strengthened their resolve to achieve this goal in response to the recent diversion of classified information, they identified what they believed to be significant structural issues that have frustrated their efforts in this regard. Specifically, during the transition of the operating contract from the University of California in mid-2006, LANS identified cyber security as a preexisting condition, one that they lacked the resources to address in the short run.

The preexisting condition related to cyber security, one of several identified during the contract transition phase, was based primarily on the fact that the University of California had not implemented most of the NNSA cyber security implementing guidance. The Laboratory's [redacted] indicated that funding was insufficient to implement the majority of NNSA's cyber security requirements as specified in the NAPS and provided information that indicated that only a small fraction of those requirements had been
implemented to date.

In addition to the preexisting condition identified prior to contract transition, LANL also told us that planned funding reductions could further impact their ability to safeguard classified information. On September 27, 2006, the Laboratory Director, in a joint letter with the Directors of the Lawrence Livermore and Sandia National Laboratories, reiterated his concern that a forthcoming 30 percent reduction in cyber security funding would endanger both unclassified and classified information systems. [Redacted] told us that efforts were underway to identify additional funding for cyber security at the national defense laboratories.

Ongoing Reviews and Corrective Actions

Management officials at various levels of the Department and at LANL promptly launched an effort to identify and correct control deficiencies that caused or contributed to the unauthorized removal of classified information. The Deputy Secretary also issued a memorandum directing that each laboratory and Federal facility operating a classified computer system conduct an immediate and thorough examination of the adequacy of its practices and procedures to ensure that classified information is properly protected. LANL officials also reported that they had taken actions designed to secure open ports and increase security over classified information. To facilitate this work and provide technical assistance, the Department's Chief Information Officer told us that his office had commissioned a study to identify and evaluate the relative strengths and weaknesses of the various hardware and software methods of securing computer ports and is working to update classified cyber security policy.

National Security Impacts

The seriousness of the theft or diversion of classified material could have a significant impact on U.S. national security. If exploited, such information could be used to damage critical facilities and disrupt Government operations.
For this event in particular, the full extent of damage or dispersion of the classified material removed by the alleged perpetrator may never be fully [redacted]

RECOMMENDATIONS

Although a number of cyber security initiatives are underway, we concluded that the Department needs to reemphasize its commitment to cyber security. In addition, to address the weaknesses described in our report, we recommend that the Under Secretary for Nuclear Security/Administrator of National Nuclear Security Administration, working with the Chief Information Officer and the Chief Health, Safety and Security Officer, complete the following detailed actions, all of which may have applicability across the complex:

1. Ensure that classified cyber security policies and implementing instructions are updated to address noted deficiencies;
2. Disable unneeded active USB and other system ports that could permit the unauthorized diversion or theft of classified information;
3. Secure classified computer racks;
4. Ensure that incompatible duties (supervision and actual performance of tasks) are not performed by the same individual;
5. Limit classified computer access and privileges to those who specifically require it;
6. Require that classified information security plans be complete and accurate, be updated for changes, and that accreditations are obtained prior to operation;
7. Conduct both contractor and Federal reviews and physical inspections of systems prior to granting authority to operate and periodically throughout the accreditation period;
8. Reevaluate cyber security funding using a risk-based approach; and
9. Review activities by Federal and contractor management and staff to determine whether administrative action is appropriate.

To further reduce risks at LANL and other Department facilities, we recommend that the Under Secretary for Nuclear Security/Administrator, National Nuclear Security Administration:

10. Monitor on-going classified cyber security efforts to ensure
that all needed corrective actions are tracked to resolution;
11. Share the lessons learned in this case with each of the Department's facilities; and
12. Coordinate with the Chief Health, Safety and Security Officer, Office of Independent Oversight, to ensure that a follow-up inspection to validate the efficacy of each corrective action and the overall viability of LANL's classified cyber security protection program is performed. In addition, evaluate inspection protocols to ensure that the vulnerabilities cited in this report are tested periodically.

On June 1, 2006, Los Alamos National Security, LLC assumed responsibility as the operator of the Los Alamos National Laboratory. Many of the recommendations noted above require specific contractor actions to address the weaknesses noted in this report. In this context, the Department needs to hold the new contractor accountable for the reforms needed to ensure a secure cyber security environment at Los Alamos.

Security Clearance Process

[redacted]

RECOMMENDATIONS

[redacted]

APPENDIX 1

DIAGRAM OF VAULT-TYPE ROOM

[redacted]

APPENDIX 2

RELATED PHOTOGRAPHS

[redacted]

APPENDIX 3

PRIOR REPORTS

• Audit Report on the Department of Energy's Fiscal Year 2006 Consolidated Financial Statements (OAS-FS-07-02, November 2006). Vulnerabilities and weaknesses continued to exist in the Department's network and information systems for access and other security controls. Specifically, the National Nuclear Security Administration (NNSA) failed to ensure that Federal, Departmental and NNSA cyber security requirements, policies and controls were always properly implemented by field organizations and facilities contractors. Program officials had not ensured that facility operating contracts were modified to incorporate all Federal
cyber security requirements. Further, many systems' certifications and accreditations (C&A) had not been performed, lacked essential elements such as independent testing of the effectiveness of security controls, or were not adequately documented. In addition, certain sites incorrectly used an overly broad grouping or "enclave" approach to completing the C&A of their systems. Vulnerabilities and weaknesses continued to exist in access and other security controls, which increased the risk that malicious destruction, alteration of data or unauthorized processing could occur.

• Evaluation Report on the Department's Unclassified Cyber Security Program - 2006 (DOE/IG-0738, September 2006). The evaluation identified continued deficiencies in the Department's cyber security program that exposed its critical systems to an increased risk of compromise. The report cited weaknesses in the following areas: systems inventory, system certifications and accreditations, contingency planning, physical and logical access controls, configuration management and change controls. Problems occurred, at least in part, because Departmental organizations had not always ensured that Federal requirements, Department policies and cyber security controls were adequately implemented and conformed to Federal requirements, most notably by field organizations and facility contractors. NNSA site officials indicated that they were required to comply with NNSA cyber security policy as opposed to meeting NIST requirements. Accordingly, no NNSA site had fully implemented the NNSA cyber security policy. In fact, many NNSA field sites were permitted to follow a less thorough certification and accreditation process that did not incorporate all NIST or NNSA requirements. As a result, the Department's information systems, networks and the information they contain remain at risk of compromise.

• Special Inquiry Report Relating to the Department of Energy's Response to a Compromise of Personnel Data (OIG Case No. I06IG001, July 2006). The inquiry
found that a hacker had exfiltrated a file containing the names and social security numbers of 1,502 Federal and contractor employees working at NNSA's Service Center in Albuquerque, New Mexico. Neither the employees affected nor appropriate officials were properly notified about the compromise until about ten months after the successful intrusion had been detected. In addition, there was a lengthy delay in the Department's completion of an impact assessment on the intrusion. The Department's handling of this matter was largely dysfunctional, and the operational and procedural breakdowns were caused by questionable managerial judgments; significant confusion by key decision makers as to lines of authority, responsibility and accountability; poor internal communications, including a lack of coordination and a failure to share essential information among key officials; and insufficient follow-up on critically important issues and decisions. Additionally, the Department lacked clear guidance on procedures for notifying employees when personnel data is compromised. The bifurcated organizational structure of NNSA within the Department complicated the situation.

• Inspection Report on Badge Retrieval and Security Clearance Termination at Sandia National Laboratory - New Mexico (DOE/IG-0724, April 2006). Sandia National Laboratory's internal controls were not adequate to ensure that, in accordance with applicable policies and procedures, security badges assigned to terminating Sandia and subcontractor employees were retrieved at the time of departure or that security clearances of terminating Sandia and subcontractor employees were terminated in a timely manner. Specifically, from the same sample of 182 employees, 47 did not have complete Security Termination Statements as required. Thus, there was no assurance these individuals had received the required Security Termination Briefing at the time of their termination. Given the similarity of the
findings at the three National Laboratories reviewed, senior Department management should consider taking broader action within the Department to ensure that all Department sites are adequately addressing the areas of badge retrieval and security clearance termination. These areas are critical to the Department's program to control access to sensitive and classified information and facilities.

• Audit Report on the Department of Energy's Fiscal Year 2005 Consolidated Financial Statements (OAS-FS-06-01, November 2005). Network and information system security weaknesses continue to be identified at sites, and the frequency and severity of those weaknesses remained consistent with prior year findings. The Department recognizes these weaknesses and has classified cyber security as a significant issue in its Federal Managers' Financial Integrity Act assurance statement for fiscal year 2005. Significant improvements are still needed in the areas of password management, configuration management and restriction of network services. These findings remain open as of the issuance of the Audit Report on the Department of Energy's Fiscal Year 2006 Consolidated Financial Statements (OAS-FS-07-02, November 2006).

• Inspection Report on Security and Other Issues Related to Out-Processing of Employees at Los Alamos National Laboratory (DOE/IG-0677, February 2005). The Los Alamos National Laboratory (LANL) directly employed about 7,500 University of California employees, of which approximately 800 terminate their employment each year. LANL out-processing procedures were not followed by more than 40 percent of the 305 terminating employees included in the selected sample during the period under review. Consequently, Property Administrators, Classified Document Custodians and Badge Office personnel frequently did not receive timely notification that employees were terminating. Given this and the results of additional sampling, there was no assurance that, prior to departure, LANL terminating
employees turned in security badges, completed the required Security Termination Statement, or had their security clearances and access authorizations to classified matter and/or special nuclear material terminated in a timely manner.

• Inspection Report on Internal Controls over Personal Computers at Los Alamos National Laboratory (DOE/IG-0656, August 2004). An interim inspection report (DOE/IG-0597, April 2003) on the same subject documented internal control weaknesses regarding LANL computers, particularly classified and unclassified laptop computers, including accountability and accreditation issues. This follow-on report identified continuing internal control weaknesses that undermined confidence in LANL's ability to assure that (1) computers are appropriately controlled and safeguarded from loss or theft and (2) computers used to process and store classified information are controlled in accordance with existing property management and security requirements. Specifically, a number of classified desktop computers were not entered into the LANL property inventory as required, and some were not assigned a property number. In addition, LANL's listing of classified desktop and laptop computers was not completely accurate, and computer identification in accreditation paperwork did not always match the actual classified equipment.

• Inspection Report on Internal Controls Over Classified Computers and Classified Removable Media at the Lawrence Livermore National Laboratory (DOE/IG-0628, December 2003). Certain internal control weaknesses were identified in Livermore's administration of its classified computer and classified removable media inventories, increasing the vulnerability of these items to loss, abuse and theft. Specifically, Classified Nuclear Emergency Search Team computer equipment and removable media were not subjected to required inventories; six classified desktop computers that had been shipped permanently to other Department sites remained in
Livermore's property inventory; and a classified removable hard drive was not entered into Livermore's classified removable media tracking and accounting system as required. Given current national security concerns, the Department and its contractors should make a maximum effort to safeguard classified computers and classified media to reduce the possibility of loss, abuse and theft.

• Special Inquiry on Operations at Los Alamos National Laboratory (DOE/IG-0584, January 2003). The OIG conducted a fact finding inquiry into the allegations that senior management of LANL engaged in a deliberate cover-up of security breaches and illegal activities, in particular with respect to reported instances of property loss and theft. The report disclosed a series of actions by Laboratory officials that had the effect of obscuring serious property and procurement management problems and weakened or overrode relevant internal controls. These actions created an atmosphere in which Los Alamos employees were discouraged from, or had reason to believe they were discouraged from, raising concerns to appropriate authorities. In short, management's actions - whether intended as a cover-up or not - resulted in delayed identification and resolution of the underlying property and procurement weaknesses and related security concerns. Although our inquiry did not substantiate the allegation that Laboratory management deliberately hid criminal activity, we found that Laboratory management failed to take appropriate or timely action with respect to a number of identified property control weaknesses and related security concerns. Specifically, there was a lack of personal accountability for property and inadequate controls over procurement and property systems.

Prior Independent Oversight Reports

• Independent Oversight Report on the Status of the Department of Energy's Information Security Program for National Security Systems, September 2006

• Independent Oversight Cyber
Security Inspection of the Los Alamos Site Office and Los Alamos National Laboratory, Volume II, January 2003

Prior Government Accountability Office (GAO) Reports

• Stand-Down of Los Alamos National Laboratory: Total Costs Uncertain; Almost All Mission-Critical Programs Were Affected but Have Recovered (GAO-06-83, November 2005). On July 16, 2004, the Director of LANL suspended all activities except those specifically designated as critical, citing a pattern of safety and security incidents that occurred over the course of a year. Specifically, in the weeks prior to the stand-down, an undergraduate student was partially blinded in a laser accident and two classified computer disks were reported missing. In both cases, laboratory employees disregarded established procedures and then attempted to cover up the incident. On July 23, 2004, the Deputy Secretary of Energy ordered a Department-wide stand-down of operations that used accountable classified removable electronic media. These media include computer disks, removable hard drives, and compact discs read-only memory (CD-ROM) that contain information classified as secret restricted data, top secret or specially sensitive information. Almost all Department facilities resumed operations within 6 weeks once they had certified that these media were accounted for and posed no security risk. Neither LANL's $121 million estimate nor NNSA's $370 million estimate, which it considers an upper bound, accurately captures the total cost of the LANL stand-down. LANL did not establish separate stand-down activity codes to track the actual time spent on stand-down activities such as safety reviews and training. As a result, neither NNSA nor GAO can calculate actual stand-down costs.

• Nuclear Security: Lessons to Be Learned from Implementing NNSA's Security Enhancements (GAO-02-358, March 2002). Several security incidents in the late 1990s highlighted the need for improvements at the Department of Energy. For example, the possible loss of nuclear weapons design
information and the missing computer hard drives at LANL revealed important weaknesses in security. More broadly, many reports have criticized Departmental security: the President's Foreign Intelligence Advisory Board report, the Cox Committee report, and a number of other GAO reports on particular aspects of the Department's security program. In response to individual events and reports, the Department, and later NNSA, developed initiatives intended to address nuclear security problems. Numerous initiatives were undertaken to strengthen, among other things, personnel, physical, information and cyber security as well as the Department's counterintelligence program. Successful implementation of the initiatives should reduce the likelihood of security problems and therefore enhance security at NNSA facilities. For example, the Department has eliminated the backlog of security clearance investigations and reinvestigations of employees with access to classified information. Eliminating this backlog ensures that those employees with access to classified information have had their backgrounds checked and that cleared personnel needed in important mission-related areas are available for work. Other initiatives can strengthen controls over cyber security. The Department had published 29 cyber security directives for classified and unclassified systems and had provided cyber security training for system administrators and managers. However, initiatives should be clearly communicated to the field. Contractor officials at one national laboratory received guidance on some cyber security initiatives from multiple offices within the Department and NNSA, often through informal means such as web site postings or verbal communication. This lack of clear communication produced confusion at sites about which requirements they needed to implement.

• Nuclear Security: DOE Needs to Improve Control Over Classified Information (GAO-01-806, August 24, 2001). The Los Alamos and Sandia National
Laboratories have implemented Department of Energy's access controls and need-to-know requirements for both vaults and classified computer systems containing the most sensitive classified information. However, the Department's requirements for documenting need to know lack specificity, allowing laboratory managers wide variation in interpretation and implementation. Need-to-know determinations made by laboratory managers vary from detailed, specific, individual justifications to long-term blanket approvals for hundreds of staff for all classified information in a vault or computer system. More specific requirements and guidance for documenting need-to-know determinations would help ensure that only persons who require access to specific classified information to conduct their current work are granted access to that information. The Department had taken steps to upgrade protection and control over its classified information, but additional steps are needed. The Department's recent revision of its Classified Matter Protection and Control Manual adds several security requirements for top secret information. However, the revised manual does not reinstitute several top secret security requirements in effect prior to 1998 that would enhance the protection of top secret information by providing a more traceable record of the document if it were to be lost. In addition, the Department was revising its Control of Weapon Data order to increase the security of documents that contain compilations of highly sensitive nuclear weapons information. This effort to upgrade security for the most sensitive weapons documents has already been under way for almost eight years. Until the order is issued and implemented, these documents will have a lower degree of protection.

• Department of Energy: Key Factors Underlying Security Problems at DOE Facilities (GAO/T-RCED-99-159, April 1999). The report disclosed security-related problems with controlling foreign visitors, protecting classified and sensitive
information, maintaining physical security over facilities and property, ensuring the trustworthiness of employees, and accounting for nuclear materials. Among others, problems included: (1) Weaknesses in efforts to control and protect classified and sensitive information, where in one instance a facility could not account for 10,000 classified documents. (2) Lax physical security controls, such as security personnel and fences, to protect facilities and property. Our reviews of security personnel have shown that these personnel have been unable to demonstrate basic skills such as arresting intruders or shooting accurately; at one facility, 78 percent of the security personnel failed a test of required skills. Furthermore, GAO found that equipment and property worth millions of dollars was missing at some facilities. (3) Ineffective management of personnel security clearance programs has been a problem since the early 1980s. Backlogs were occurring in conducting security investigations and later, when the backlogs were reduced, and some contractors were not verifying information on prospective employees.