Nuclear Security:
DOE Needs to Improve Control Over Classified Information
GAO-01-806: Published: Aug 24, 2001. Publicly Released: Aug 31, 2001.
The Department of Energy (DOE) maintains millions of classified documents containing highly sensitive nuclear weapons design and production information. Allegations that the People's Republic of China obtained nuclear warhead designs from an employee of DOE's Los Alamos National Laboratory, as well as the disappearance of two computer hard drives containing highly sensitive weapons information from that same laboratory, have raised concerns about how effectively DOE protects classified information, particularly the most sensitive classified information that is contained in vaults and computer systems.
DOE's security program consists of many strategies for protecting and controlling classified information, such as controlling access to classified information through physical and administrative barriers and determining whether a person's work requires a "need to know" the information. DOE has recently increased protection for top-secret documents by revising its Classified Matter Protection and Control Manual, which provides detailed requirements for the protection and control of classified matter.
This report reviews the (1) extent to which DOE's Sandia and Los Alamos National Laboratories have implemented DOE's established access controls and need-to-know requirements for classified vaults and computer systems containing the most sensitive classified information as well as the adequacy of these requirements and (2) steps DOE is taking to upgrade the protection of its classified information.
GAO found that the Los Alamos and Sandia National Laboratories have implemented DOE's access controls and need-to-know requirements for both vaults and classified computer systems containing the most sensitive classified information. However, DOE's requirements for documenting need to know lack specificity, allowing laboratory managers wide variations in interpretation and implementation and.
DOE has recently taken, and continues to take, steps to upgrade protection and control over its classified information, but additional steps are needed.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: Our review of DOE's control over classified information resulted from allegations that the People's Republic of China obtained nuclear warhead designs from an employee of Los Alamos National Laboratory. We found that DOE's order and manual for controlling classified matter lacked specific need-to-know requirements for access to classified removable electronic media (CREM--including computer hard drives and disks) and classified documents at Los Alamos and Sandia National Laboratories. In 2004, Los Alamos severely restricted access to classified information by (1) establishing 19 centralized CREM vaults; (2) reducing the number of staff with direct access to CREM by 99 percent to only 50 people; and (3) tightening controls by requiring the line supervisor to approve access by certifying that the employee has the appropriate clearance, training, and need to know. Los Alamos has also reduced its total CREM inventory from 80,000 pieces to 20,000 pieces. The Los Alamos actions fulfill the intent of our recommendation.
Recommendation: To improve classified document security and accountability, the Secretary of Energy should issue more specific requirements for documenting need-to-know determinations.
Agency Affected: Department of Energy
Status: Closed - Not Implemented
Comments: In its August 2001 report entitled "Nuclear Security: DOE Needs to Improve Control Over Classified Information," GAO made a number of recommendations to improve classified document security and accountability. Among other things, GAO recommended that the Secretary of Energy provide guidance on when the use of "blanket" need-to-know approvals for large numbers of employees is appropriate and how it should be documented. In November 2001, the Department issued a letter to the Chairman, Committee on Appropriations, United States Senate regarding GAO's recommendation, which stated that if their review of this issue found that clarification on the roles and responsibilities for the use of blanket authorizations was necessary, then clarification would be issued in the first quarter of fiscal year 2002. According to DOE's lead information security specialist, this review was completed, but the Department's current guidance (DOE M 471.2-1C Classified Matter Protection and Control), which was revised in July 2004, does not explicitly address the blanket need-to-know because policy associated with this issue is made on the local level and is approved on a case-by-case basis. DOE is currently streamlining its security directives, including those related to need-to-know authorizations. The draft manual (DOE M 470.S-4 Information Security) associated with the streamlining process does set the boundaries for protecting classified information, but does not address GAO's recommendation regarding blanket need-to-know approvals. Therefore, this recommendation is being closed as not implemented.
Recommendation: To improve classified document security and accountability, the Secretary of Energy should provide guidance on when the use of "blanket" need-to-know approvals for large numbers of employees is appropriate and how it should be documented.
Agency Affected: Department of Energy
Status: Closed - Not Implemented
Comments: DOE is not responsive. DOE did not agree with the recommendation to conduct a formal cost-benefit analysis for the reinstitution of the requirement regarding specific top secret control, top secret access lists and pre-approval for the reproduction of top secret information. DOE stated that current policy reasonably and responsibly defined the objectives and requirements for protecting classified information, including top secret, as defined in all applicable laws, regulations, and Executive Orders. DOE believes that these objectives and requirements have been promulgated in departmental policy, and the program offices and individual sites understand their responsibilities in executing these policies.
Recommendation: To improve classified document security and accountability, the Secretary of Energy should conduct cost-benefit analyses for reinstituting the requirements for top secret control officers, top secret access lists and approval for reproduction of top secret documents.
Agency Affected: Department of Energy
Status: Closed - Implemented
Comments: DOE agreed with the recommendation and, in early 2002, issued its Control of Weapon Data policy that established Sigma 16.
Recommendation: To improve classified document security and accountability, the Secretary of Energy should ensure the issuance of the revised Control of Weapon Data order establishing Sigma 16 by fall 2001.
Agency Affected: Department of Energy