Nuclear Security:

DOE Needs to Improve Control Over Classified Information

GAO-01-806: Published: Aug 24, 2001. Publicly Released: Aug 31, 2001.

Additional Materials:

Contact:

Robin M. Nazzaro
(202) 512-6246
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Energy (DOE) maintains millions of classified documents containing highly sensitive nuclear weapons design and production information. Allegations that the Peoples Republic of China obtained nuclear warhead designs from an employee of DOE's Los Alamos National Laboratory, as well as the disappearance of two computer hard drives containing highly sensitive weapons information from that same laboratory, have raised concerns about how effectively DOE protects classified information, particularly the most sensitive classified information that is contained in vaults and computer systems. DOE's security program consists of many strategies for protecting and controlling classified information, such as controlling access to classified information through physical and administrative barriers and determining whether a person's work requires a "need to know" the information. DOE has recently increased protection for top-secret documents by revising its Classified Matter Protection and Control Manual, which provides detailed requirements for the protection and control of classified matter. This report reviews the (1) extent to which DOE's Sandia and Los Alamos National Laboratories have implemented DOE's established access controls and need-to-know requirements for classified vaults and computer systems containing the most sensitive classified information as well as the adequacy of these requirements and (2) steps DOE is taking to upgrade the protection of its classified information. GAO found that the Los Alamos and Sandia National Laboratories have implemented DOE's access controls and need-to-know requirements for both vaults and classified computer systems containing the most sensitive classified information. However, DOE's requirements for documenting need to know lack specificity, allowing laboratory managers wide variations in interpretation and implementation and. DOE has recently taken, and continues to take, steps to upgrade protection and control over its classified information, but additional steps are needed.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Our review of DOE's control over classified information resulted from allegations that the Peoples Republic of China obtained nuclear warhead designs from an employee of Los Alamos National Laboratory. We found that DOE's order and manual for controlling classified matter lacked specific need-to-know requirements for access to classified removable electronic media (CREM--including computer hard drives and disks) and classified documents at Los Alamos and Sandia National Laboratories. In 2004, Los Alamos severely restricted access to classified information by (1) establishing 19 centralized CREM vaults; (2) reducing the number of staff with direct access to CREM by 99 percent to only 50 people; and (3) tightening controls by requiring the line supervisor to approve access by certifying that the employee has the appropriate clearance, training, and need to know. Los Alamos has also reduced its total CREM inventory from 80,000 pieces to 20,000 pieces. The Los Alamos actions fulfill the intent of our recommendation.

    Recommendation: To improve classified document security and accountability, the Secretary of Energy should issue more specific requirements for documenting need-to-know determinations.

    Agency Affected: Department of Energy

  2. Status: Closed - Not Implemented

    Comments: In its August 2001 report entitled "Nuclear Security: DOE Needs to Improve Control Over Classified Information," GAO made a number of recommendations to improve classified document security and accountability. Among other things, GAO recommended that the Secretary of Energy provide guidance on when the use of "blanket" need-to-know approvals for large numbers of employees is appropriate and how it should be documented. In November 2001, the Department issued a letter to the Chairman, Committee on Appropriations, United States Senate regarding GAO's recommendation, which stated that if their review of this issue found that clarification on the roles and responsibilities for the use of blanket authorizations was necessary, then clarification would be issued in the first quarter of fiscal year 2002. According to DOE's lead information security specialist, this review was completed, but the Department's current guidance (DOE M 471.2-1C Classification Matter Protection and Control), which was revised in July 2004, does not explicitly address the blanket need-to-know because policy associated with this issue is made on the local level and is approved on a case-by-case basis. DOE is currently streamlining its security directives, including those related to need-to-know authorizations. The draft manual (DOE M 470.S-4 Information Security) associated with the streamlining process does set the boundaries for protecting classified information, but does not address GAO's recommendation regarding blanket need-to-know approvals. Therefore, this recommendation is being closed as not implemented.

    Recommendation: To improve classified document security and accountability, the Secretary of Energy should provide guidance on 2when the use of "blanket" need-to-know approvals for large numbers of employees is appropriate and how it should be documented.

    Agency Affected: Department of Energy

  3. Status: Closed - Not Implemented

    Comments: DOE is not responsive. DOE did not agree with the recommendation to conduct a formal cost-benefit analysis for the reinstitution of the requirement regarding specific top secret control, top secret access lists and pre-approval for the reproduction of top secret information. DOE stated that current policy reasonably and responsibly defined the objectives and requirements for protecting classified information, including top secret, as defined in all applicable laws, regulations, and Executive Orders. DOE believes that these objectives and requirements have been promulgated in departmental policy, and the program offices and individual sites understand their responsibilities in executing these policies.

    Recommendation: To improve classified document security and accountability, the Secretary of Energy should conduct cost-benefit analyses for reinstituting the requirements for top secret control officers, top secret access lists and approval for reproduction of top secret documents.

    Agency Affected: Department of Energy

  4. Status: Closed - Implemented

    Comments: DOE agreed with the recommendation and, in early 2002, issued its Control of Weapon Data policy that established Sigma 16.

    Recommendation: To improve classified document security and accountability, the Secretary of Energy should ensure the issuance of the revised Control of Weapon Data order establishing Sigma 16 by fall 2001.

    Agency Affected: Department of Energy

 

Explore the full database of GAO's Open Recommendations »

Sep 29, 2016

Sep 20, 2016

Sep 15, 2016

Jun 29, 2016

Jun 21, 2016

Apr 28, 2016

Apr 14, 2016

Apr 12, 2016

Mar 23, 2016

Dec 17, 2015

Looking for more? Browse all our products here