Nuclear Security:

Improving Correction of Security Deficiencies at DOE's Weapons Facilities

RCED-93-10: Published: Nov 16, 1992. Publicly Released: Jan 29, 1993.

Additional Materials:

Contact:

Victor S. Rezendes
(202) 512-6082
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the efforts of: (1) Department of Energy (DOE) contractors to correct security deficiencies found at contractor-operated nuclear weapons facilities; and (2) DOE to ensure that contractors adequately corrected deficiencies.

GAO found that: (1) contractors could not demonstrate that they had considered risk assessment, root cause, or cost-benefit analyses that DOE required them to conduct for security deficiencies; (2) although there is no explicit requirement that contractors verify corrective actions, the contractors conducted adequate verification in most of the 20 cases reviewed; (3) DOE field offices and contractors had developed or were developing automated systems to track safeguards and security weaknesses, but system incompatibilities prohibited electronic information sharing and retrieval, automated data entry, and pattern and trend analysis; (4) DOE field offices did not always submit quarterly status reports on deficiencies to update tracking systems; (5) DOE field offices did not timely review contractors' proposed corrective action plans for identified deficiencies, citing shortages of skilled personnel; and (6) DOE field offices did not always adequately validate corrective actions or document their validation of corrective actions, citing staff shortages and heavy workloads.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: Performance testing is recommended to ensure that the vulnerability analysis is still valid. According to DOE Order 5630.16A, any time there are situations that change a site's security status, field offices are required to ensure that corrective actions or commensurate measures are implemented. Also, site safeguards and security plans are required to be reviewed and updated on a regular basis. The provisions of this order are being implemented.

    Recommendation: To improve DOE oversight of contractors' deficiency correction activities, the Secretary of Energy should validate, through performance testing, that the corrective actions taken are effective and complete and adequately document the validation actions taken.

    Agency Affected: Department of Energy

  2. Status: Closed - Implemented

    Comments: DOE Order 5634.1B requires field offices to verify the completion of corrective actions. With the new computer mainframe system at DOE headquarters, accuracy and timeliness of corrective actions are more susceptible to management control. Training has been conducted to emphasizes this requirement.

    Recommendation: To improve DOE oversight of contractors' deficiency correction activities, the Secretary of Energy should ensure that DOE field offices review and respond to contractors' corrective action plans within the DOE-required time and document their review and response.

    Agency Affected: Department of Energy

  3. Status: Closed - Implemented

    Comments: DOE 5634.1B requires contractors to take corrective action and field offices to verify that corrective action has been taken. Training has been provided to the field offices on the safeguards and security management information system. Management control and verification of corrective action have been implemented.

    Recommendation: To improve contractor compliance with DOE requirements for correcting security deficiencies, the Secretary of Energy should assess the extent of inadequate verification and, if verification is a problem, require that contractors verify and document that corrective actions are complete and adequate.

    Agency Affected: Department of Energy

  4. Status: Closed - Implemented

    Comments: DOE Order 5634.1B requires contractors to submit a response identifying corrective actions for each finding within 30 days after receiving documents noting the deficiency. DOE has modified this order to more clearly state the requirements for the conduct of root cause analysis, risk assessment, and cost-benefit analysis.

    Recommendation: To improve contractor compliance with DOE requirements for correcting security deficiencies, the Secretary of Energy should ensure that contractors conduct and document the required analyses (root cause, risk assessment, and cost-benefit) or, when contractors have decided that the deficiency is such that it is unnecessary to conduct one or more of these analyses, that they document the justification for their decision.

    Agency Affected: Department of Energy

  5. Status: Closed - Implemented

    Comments: DOE Order 5630.15, "Safeguards and Security Training Program," places standardized training with the Central Training Academy. The Academy staff have completed a professional development program for security disciplines at all levels. They also assist new employees with training on the safeguards and security management information system. By using the security affairs training program, field offices are now assured that their staff are qualified in several security disciplines.

    Recommendation: To improve DOE oversight of contractors' deficiency correction activities, the Secretary of Energy should assess field office staffing to ensure that sufficient qualified staff are available to effectively carry out safeguard and security requirements.

    Agency Affected: Department of Energy

 

Explore the full database of GAO's Open Recommendations »

Sep 14, 2016

Sep 8, 2016

Aug 11, 2016

Aug 9, 2016

Aug 4, 2016

Jul 15, 2016

Jul 14, 2016

Jun 20, 2016

Mar 3, 2016

Looking for more? Browse all our products here