
Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program

GAO-23-105576 Published: May 24, 2023. Publicly Released: May 24, 2023.

Fast Facts

The Department of Energy has several programs to ensure proper access to and handling of the nation's nuclear weapons and related information. DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors.

But as of 2023, DOE hasn't fully implemented the program. For example, DOE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.

DOE changed the program's leadership in February 2023, but there's more to do. We recommended ways to improve the program.



Highlights

What GAO Found

The Department of Energy (DOE) has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments. Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program (see fig. for examples). DOE does not formally track or report on its actions to implement them. Without tracking and reporting on its actions to address independent reviewers' findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.

Examples of Selected Recommendations from Independent Assessments of DOE's Insider Threat Program


DOE has not fully implemented its Insider Threat Program due to multiple factors.

  • DOE has not integrated program responsibilities. DOE has not effectively integrated Insider Threat Program responsibilities. Instead, DOE divided significant responsibilities for its program between two offices. Specifically, the program's senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, DOE's insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.
  • DOE has not identified and assessed resource needs. DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE's budget does not account for all program responsibilities. For example, DOE's budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.

Why GAO Did This Study

The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from "insiders," including employees or visitors with trusted access. In 2014, DOE established its Insider Threat Program to integrate its policies, procedures, and resources. The program also coordinates analysis, response, and mitigation actions among DOE organizations.

The House report accompanying a bill for the National Defense Authorization Act for fiscal year 2022 includes a provision for GAO to review DOE's efforts to address insider threats with respect to the nuclear security enterprise. This report examines (1) the extent to which DOE has implemented required standards to protect the nuclear security enterprise from insider threats and (2) the factors that have affected DOE's ability to fully implement its Insider Threat Program.

GAO reviewed the minimum standards and best practices for federal insider threat programs, DOE documentation, and four assessments by independent reviewers. GAO also interviewed DOE and National Nuclear Security Administration officials and contractors.

Recommendations

GAO is making seven recommendations to DOE, including (1) to track and report on actions it takes to address reviewers' findings and recommendations, (2) to establish a process to better integrate program responsibilities, and (3) to assess resource needs for the program. DOE agreed with the recommendations and described plans to address them.

Recommendations for Executive Action

Agency Affected: Department of Energy
Recommendation: The Insider Threat Program senior official should develop a mechanism to track actions taken in response to findings and recommendations it receives from independent assessments. (Recommendation 1)
Status: Open. As of December 2023, DOE is conducting a review of referenced independent assessments and analyzing the findings and recommendations to determine the current status of the recommendations and applicability for implementation. DOE is developing a Near-Term Strategy to develop a tracking mechanism.

Agency Affected: Department of Energy
Recommendation: The Insider Threat Program senior official should resume annual reporting and include in those reports the actions the program has taken to address findings and recommendations it receives from independent assessments. (Recommendation 2)
Status: Open. As of December 2023, DOE is drafting an annual report to address and identify the previous year's progress toward developing and implementing a viable program and plans to include updates and status for accomplishing recommendations identified through independent assessments of the program.

Agency Affected: Department of Energy (Priority Rec.)
Recommendation: The Insider Threat Program senior official should establish a process to better integrate insider threat responsibilities, ensuring that the senior official can centrally manage all aspects of the Insider Threat Program. (Recommendation 3)
Status: Open. As of December 2023, the Insider Threat Program senior official is leading a strategic review to identify any additional needed process changes.

Agency Affected: Department of Energy (Priority Rec.)
Recommendation: The Secretary of Energy should ensure that the Insider Threat Program achieves a single, department-wide approach to managing insider risk. (Recommendation 4)
Status: Open. As of December 2023, the Insider Threat Program senior official is conducting an assessment of current strategies focused on reviewing the multidisciplinary governance group's composition to better address insider threat concerns.

Agency Affected: Department of Energy
Recommendation: The Insider Threat Program senior official should work with DOE program offices and NNSA, in coordination with contracting officers, as appropriate, to ensure that contractors' specific Insider Threat Program responsibilities are clearly stated and consistently applied across the sites by, for example, reviewing and, if necessary, revising contract requirements to include responsibilities such as insider threat response actions. (Recommendation 5)
Status: Open. As of December 2023, DOE plans to update and revise the existing DOE Order 470.5, Insider Threat Program, to include specific responsibilities for senior officials, program stakeholders, program offices, and other relevant activities. The revised DOE Order will provide direction for contractors through a Contractor Requirements Document, consistent with the structure of DOE's Directives program. DOE expects updates to the order by September 2024.

Agency Affected: Department of Energy
Recommendation: The Insider Threat Program senior official should work with Insider Threat Program stakeholders to identify all departmental resources that support the Insider Threat Program. (Recommendation 6)
Status: Open. As of December 2023, DOE plans to analyze and identify the necessary capabilities, resources, and other supporting elements as it updates DOE Order 470.5, Insider Threat Program. DOE anticipates updates to the order by September 2024.

Agency Affected: Department of Energy
Recommendation: The Insider Threat Program senior official should work with stakeholders to assess the program's human, financial, and technical resource needs and make recommendations to the Secretary on where resources should be allocated so that the program is positioned to achieve minimum standards. (Recommendation 7)
Status: Open. As of December 2023, DOE plans to identify the program's human, financial, and technical resource needs as it updates DOE Order 470.5, Insider Threat Program. Each departmental element will perform an impact assessment and implementation plan that will detail the added resources needed for program implementation. Program elements and NNSA, having governance and oversight responsibilities for specific insider threat functions, will communicate resource needs through established budget channels and will also inform the Insider Threat Program senior official of resource needs specific to Insider Threat Operations. Additionally, the Executive Steering Committee, chaired by the senior official, will annually review program requirements identified in the revised order and provide recommendations for accomplishing national standards. DOE anticipates updates to the order by September 2024.


Topics

Best practices, Classified information, Program implementation, Compliance oversight, Human capital management, Military intelligence, National security, Nuclear security, Program management, Referral centers, Risk management, Security assessments, Strategic plan, Systems verification and validation