Index

Nuclear Security: Improvements Needed in DOE's Safeguards and Security
Oversight (Letter Report, 02/24/2000, GAO/RCED-00-62).

Pursuant to a congressional request, GAO reviewed the Department of
Energy's (DOE) oversight activities for nuclear laboratories' safety and
security programs, focusing on: (1) the monitoring and tracking of
findings resulting from DOE's oversight activities; (2) the correction,
validation, and closing of findings resulting from such activities; and
(3) the consistency of various DOE assessments of the laboratories'
safeguard and security programs.

GAO noted that: (1) DOE's Office of Security and Emergency Operations
maintains a centralized management information system to track and
monitor safeguards and security findings and the related corrective
actions; (2) this system would be of more value if it contained
information on all security findings; (3) the findings developed from
1995-1998 by DOE's Office of Independent Oversight and Performance
Assurance (IOPA) are not included in the system nor are the findings and
recommendations developed by GAO and other outside organizations; (4)
the system is not directly accessible by safeguards and security staff
at DOE's area offices and the laboratories; (5) each laboratory has
developed its own information systems, which contain data on all the
findings that relate to it; (6) as a result, information about problems
at one location is not available to safeguards and security staff at
other locations; (7) DOE requires that the laboratories conduct a risk
assessment, a root cause analysis, and a cost-benefit analysis as part
of their process to correct safeguards and security problems found by
DOE's oversight activities; (8) these analyses help to ensure that
problems with safeguards and security are corrected in an economic and
efficient manner; (9) these assessments and analyses have not always
been conducted; (10) in the past, IOPA has generally not worked with the
laboratories to develop corrective plans for its safeguards and security
findings; (11) IOPA is not required to validate the corrective action,
verify that the problem was corrected, and certify that its findings
were closed and has not been formally involved in these activities; (12)
there was no assurance that the problem was understood, adequately
corrected, and closed; (13) during the past year, IOPA has worked with
the laboratories to develop corrective action plans and has conducted
follow-up reviews of its findings that are being corrected, validated,
verified, or closed by the operations offices; (14) IOPA still does not
become involved in validating and verifying corrective actions and
certifying that findings are closed; (15) from 1994-1999, the
laboratories' safeguards and security performance has received many
inconsistent ratings from oversight and other DOE organizations; (16)
this inconsistency can send a mixed or erroneous message to safeguards
and security policy makers and managers; (17) this inconsistency results
partially from various organizations' use of different criteria and the
timing of the rating; and (18) DOE has changed the rating criteria for
the safeguards and security contract performance rating for 2000, which
could decrease rating inconsistency in future years.

--------------------------- Indexing Terms -----------------------------

 REPORTNUM:  RCED-00-62
     TITLE:  Nuclear Security: Improvements Needed in DOE's Safeguards
	     and Security Oversight
      DATE:  02/24/2000
   SUBJECT:  Nuclear weapons
	     Nuclear facility security
	     Nuclear facility safety
	     Management information systems
	     Internal controls
	     Safety standards
	     Performance measures
IDENTIFIER:  DOE Safeguards and Security Information Management System
	     DOE Safeguards and Security Program
	     DOE Nuclear Weapons Program

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Testimony.                                               **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO/RCED-00-62

Appendix I: Comments From the Department of Energy

24

Table 1: Safeguards and Security Ratings for Los Alamos National Laboratory
From 1994 Through 1999 15

Table 2: Safeguards and Security Ratings for Lawrence Livermore National
Laboratory From 1994 Through 1999 15

Resources, Community, and
Economic Development Division

B-284303

February 24, 2000

The Honorable Thomas J. Bliley, Jr.
Chairman, Committee on Commerce
House of Representatives

Dear Mr. Chairman:

The Department of Energy (DOE) is responsible for the nation's nuclear
weapons program and owns a number of facilities to carry out classified
weapons-related activities. These facilities are operated for DOE by
contractors who are responsible for protecting classified information,
nuclear materials, nuclear weapons, and nuclear weapons components. DOE
provides oversight over the contractor's safeguards and security program to
ensure that protection is provided consistent with DOE's requirements and
standards. Over the past few years, a number of reports and incidents have
indicated that there are problems--including computer security and the
control of foreign visitors--at DOE's facilities and laboratories. Over the
years the laboratories have also been targets for espionage.

To ensure that problems are identified and promptly resolved, you requested
that we evaluate DOE's activities for safeguards and security oversight at
DOE's Los Alamos National Laboratory and Lawrence Livermore National
Laboratory. DOE's Office of Independent Oversight and Performance Assurance
and the Department's operations offices primarily conduct these activities.
As agreed with your office, this report discusses (1) the monitoring and
tracking of findings resulting from DOE's oversight activities; (2) the
correction, validation, and closing of findings resulting from such
activities; and (3) the consistency of various DOE assessments of the
laboratories' safeguards and security programs.

DOE's Office of Security and Emergency Operations--the safeguards and
security policy organization within DOE's headquarters--maintains a
centralized management information system to track and monitor safeguards
and security findings and the related corrective actions. This system would
be of more value if it contained information on all security findings. The
findings developed from 1995 through 1998 by the independent oversight
organization at DOE's headquarters--the Office of Independent Oversight and
Performance Assurance--are not included in the system nor are the findings
and recommendations developed by GAO and other outside organizations, such
as congressional committees and special review teams. In addition, the
system is not directly accessible by safeguards and security staff at DOE's
area offices and the laboratories. Each laboratory has developed its own
information system, which contains data on all the findings that relate to
it. As a result, information about problems at one location is not available
to safeguards and security staff at other locations. Such information would
help the staff avoid similar problems and improve their safeguards and
security.

DOE requires that the laboratories conduct a risk assessment, a root cause
analysis, and a cost-benefit analysis as part of their process to correct
safeguards and security problems found by DOE's oversight activities. These
analyses help to ensure that problems with safeguards and security are
corrected in an economic and efficient manner. Despite their importance,
these assessments and analyses have not always been conducted. While the
Lawrence Livermore National Laboratory generally complied with DOE's
requirements, the Los Alamos National Laboratory has historically not
conducted risk assessments and cost-benefit analyses at all and has
performed root cause analyses for only about two-thirds of the findings. In
1998, the Los Alamos National Laboratory began requiring formal, documented
root cause analyses for all findings. In addition, the Independent Oversight
Office is not required to and, in the past, has generally not worked with
the laboratories to develop corrective action plans for its safeguards and
security findings. Also, the Independent Oversight Office is not required to
validate the corrective action, verify that the problem was corrected, and
certify that its findings were closed and has not been formally involved in
these activities. As a result, there was no assurance that the problem was
understood, adequately corrected, and closed. During the past year, the
Independent Oversight Office has worked with the laboratories to develop
corrective action plans and has conducted follow-up reviews of its findings
that are being corrected, validated, verified, or closed by the operations
offices. However, the Independent Oversight Office still does not become
involved in validating and verifying corrective actions and certifying that
findings are closed.

From 1994 through 1999, the laboratories' safeguards and security
performance has received many inconsistent ratings from oversight and other
DOE organizations. During a given year, the Los Alamos National Laboratory
received ratings ranging from marginal to excellent, depending on the DOE
organization conducting the assessment. Likewise, the Lawrence Livermore
National Laboratory received ratings ranging from marginal to far exceeds
expectations. This inconsistency can send a mixed and/or erroneous message
to safeguards and security policy makers and managers. At least partially,
this inconsistency results from various organizations' use of different
criteria and the timing of the rating. DOE has changed the rating criteria
for the safeguards and security contract performance rating for 2000. These
changes could decrease rating inconsistency in future years.

We are making recommendations to improve the safeguards and securities
activities at DOE's laboratories and to formalize oversight improvements
that were made during 1999.

DOE has numerous contractor-operated facilities and laboratories that carry
out DOE's various programs and missions. The laboratories conduct some of
the nation's most sensitive activities, including designing, producing, and
maintaining the nation's nuclear weapons; conducting efforts for other
military or national security applications; and performing research and
development in advanced technologies for potential defense and commercial
applications. Because of these sensitive activities, these
facilities--especially the laboratories--are targets of foreign espionage
efforts.

Security concerns and problems have existed at many of these facilities
since they were created. Recent years have been no different. In 1997, DOE's
Office of Security Affairs issued a report that rated safeguards and
security at some facilities and laboratories as marginal and identified
problem areas that included physical security and accountability for special
nuclear material.1,2 In April 1999, all computer networks (except for those
performing critical safety or security functions) at the laboratories were
shut down because of concerns about inadequate security. During that same
month, we testified on numerous long-standing safeguards and security
problems, including ineffective controls over foreign visitors, weaknesses
in efforts to control and protect classified and sensitive information, lax
physical security controls, the ineffective management of personnel security
clearance programs, and weaknesses in tracking and controlling nuclear
materials.3 In December 1999, a scientist at the Los Alamos National
Laboratory was indicted on 59 felony counts of mishandling classified
information. The scientist was accused of transferring files from Los
Alamos' secure computer system to computer tapes, most of which cannot be
accounted for.

DOE is responsible for a security program that effectively protects against
theft, sabotage, espionage, terrorism, and other risks to national security
at its facilities. DOE has policies and procedures to protect its
facilities, classified documents, data stored in computers, nuclear
materials, nuclear weapons, and nuclear weapons components. The operating
contractors at DOE's facilities are responsible for implementing these
safeguards and security policies and procedures. To ensure that these
policies and procedures are followed and implemented, DOE's Office of
Independent Oversight and Performance Assurance (OA) provides independent
oversight of the effectiveness of policy and its implementation. The field
operations offices provide line management direction and assess compliance
with DOE's policy. These offices play a critical role in the early detection
of safeguards and security problems and can play a major role in the timely
resolution of those problems.

DOE's operations offices are the line organizations accountable for
evaluating the laboratories' safeguards and security activities. The reason
for this is that the operations offices are responsible for managing the
contracts for the operation of DOE's facilities and for ensuring that DOE's
policies, procedures, and requirements are followed. The operations offices
are required to conduct an annual survey of the adequacy of the operating
contractors' safeguards and security programs. DOE's Albuquerque Operations
Office is responsible for the Los Alamos National Laboratory and has
safeguards and security staff at a Los Alamos Area Office to provide on-site
management and oversight. DOE's Oakland Operations Office is responsible for
the Lawrence Livermore National Laboratory and has safeguards and security
staff located at the laboratory to provide a day-to-day presence.

OA provides oversight of laboratory safeguards and security activities from
DOE's headquarters. OA is an "independent" oversight organization that is
separate from the line management structure, conducts safeguards and
security inspections of DOE's facilities, and issues reports.4 OA has
existed in various forms since 1982. This Office was originally organized
under DOE's Office of the Assistant Secretary for Defense Programs. In 1990,
the Office of Security Evaluations was moved to DOE's Office of the
Assistant Secretary for Environment, Safety, and Health. In 1999, the Office
of Security Evaluations became OA, which reports directly to the Secretary
of Energy.

Additional organizations have provided safeguard and security oversight as
the need has occurred. For example, DOE's Office of Counterintelligence
evaluates counterintelligence activities at DOE's facilities, and DOE's
operating contractors at the laboratories conduct annual self-assessments of
the quality of their safeguards and security programs. In addition, the
contractors also have internal audit organizations that review aspects of
the safeguards and security programs. GAO and DOE's Office of Inspector
General also evaluate selected safeguards and security activities. Finally,
outside organizations have also reviewed the laboratories' safeguards and
security activities.5 However, OA and the operations offices are the only
DOE organizations responsible for continuing oversight of safeguards and
security activities at the laboratories.

Security Findings

DOE and the contractors that operate the Los Alamos National Laboratory and
the Lawrence Livermore National Laboratory use a number of information
systems to track safeguards and security findings that have been made by
DOE's oversight organizations. DOE headquarters' Office of Security and
Emergency Operations maintains the Safeguards and Security Information
Management System, and the contractors that operate the Los Alamos National
Laboratory and the Lawrence Livermore National Laboratory maintain their own
information systems. These systems, however, do not include information on
all the safeguards and security findings, are not accessible by all
necessary personnel, and/or are not capable of interfacing with each other.

No single information system maintained by DOE and the laboratories contains
information on all the safeguards and security findings at the laboratories.
DOE's Safeguards and Security Information Management System contained
information on all OA and operations office survey safeguards and security
findings and corrective action plans until 1995. Although a memo dated
August 15, 1995, from the Director of the Office of Safeguards and Security
required that OA's findings be entered in the system, from 1995 to 1998,
information on OA's findings and related corrective action plans was not
included in the system. Because OA did not highlight or number the findings
in its reports, the staff responsible for correcting safeguards and security
problems could not easily identify the findings and enter them into the
information systems. In 1999, OA changed its inspection report format to
more clearly identify its findings, and OA's findings are now being included
in the Safeguards and Security Information Management System. However, the
Safeguards and Security Information Management System has never included
information related to the findings made by organizations other than OA and
the operations offices, such as GAO, DOE's Office of Inspector General, and
DOE's Office of Counterintelligence.

At both the Los Alamos National Laboratory and Lawrence Livermore National
Laboratory, the operating contractors maintain their own computerized
information systems. These systems contain findings and corrective action
information for OA's findings (from 1995 through 1998, OA's findings that
the laboratories could identify were included in their systems), the
operations offices' survey findings, the findings from
self−assessments performed by the contractors or internal audits, and
the findings from any other source that the contractor is aware of. For
example, the Los Alamos National Laboratory's safeguards and security
officials informed us that because DOE lacked a comprehensive information
system, the laboratory developed its own information system. Los Alamos's
system includes virtually every known security problem at the laboratory and
provides a management tool to ensure that problems are addressed and tracked
to closure. However, the laboratories' information systems include only
those findings related to their laboratory and do not include findings for
other DOE facilities. In addition, these systems are not compatible with the
Safeguards and Security Information Management System, and information from
one system cannot be compared or downloaded between systems.

In addition to not including all findings, the Safeguards and Security
Information Management System is not readily available to all DOE and
contractor personnel that have a legitimate need to access information on
safeguards and security findings. The Safeguards and Security Information
Management System is available to the safeguards and security staff at DOE's
headquarters and to operations office personnel. DOE's area-office staff and
personnel working for the laboratories' operating contractor who work on
safeguards and security issues do not have direct access to the Safeguards
and Security Information Management System and must request information
through one of the organizations that does have direct access. Laboratory
officials believe that access to a centralized, comprehensive system would
facilitate tracking corrective actions and would enable the laboratories to
use information from other facilities to improve their safeguards and
security programs. Information about problems at one facility and their
resolution could allow managers at other facilities to avoid similar
problems. In addition, such a system could aid in the identification of the
most cost-effective actions to correct safeguards and security problems or
could be the basis for trend analyses across laboratories.

DOE and laboratory officials told us that they see a need for an improved
safeguards and security information system. OA officials informed us that
they have begun a dialogue with DOE's Office of Security and Emergency
Operations about the current capabilities and deficiencies of the system and
the needs for information from the system.

DOE Order 470.1 requires that when a DOE operations office or OA reports a
finding that raises a significant security vulnerability, immediate interim
actions must be taken to temporarily mitigate identified risks. After such
interim actions are taken, the laboratories analyze the finding and, within
15 days, develop a corrective action plan to permanently correct the
findings. As part of the permanent corrective action plan's development, the
laboratory must conduct a risk assessment, root cause analysis, and
cost-benefit analysis. The operations office validates and verifies that the
survey findings have been corrected and certifies closure of the finding. We
found that the Lawrence Livermore National Laboratory was either conducting
the required analyses or providing a justification of why the analyses were
not conducted. The Los Alamos National Laboratory, on the other hand, was
not conducting formal risk assessments or cost-benefit analyses at all and
was conducting root cause analyses in only about two-thirds of the findings
we reviewed. In addition, until recently, OA was not formally involved in
the development of corrective action plans for OA's safeguard and security
findings. While follow-up inspections are now being conducted, OA has not
been involved in the validation, verification, and closure of those
findings.

Performed

DOE Order 470.1 requires that corrective actions developed for operations
offices' survey findings should be based on documented risk assessment, root
cause analysis, and cost-benefit analysis. Risk assessment is essential to
determine the risk associated with an identified deficiency in prioritizing
its correction. Root cause analysis ensures a determination of the
fundamental and contributing causes of a deficiency. Cost-benefit analysis
is important in determining whether correcting a security risk is worth the
cost of corrective action. Risk assessments, cost-benefit analyses, and root
cause analyses are not always warranted (as explained in this section).
However, the corrective action plan process should include a formal
determination of whether these analyses are warranted.

We reviewed 15 findings related to safeguards and security problems at the
Los Alamos National Laboratory and 13 findings related to safeguards and
security problems at the Lawrence Livermore National Laboratory. At the
Lawrence Livermore National Laboratory, risk assessments, root cause
analyses, and cost-benefit analyses had been performed as required.6
However, we found that at the Los Alamos National Laboratory, not all the
required analyses have historically been performed during the corrective
action process.

Of the 15 findings at the Los Alamos National Laboratory, 10 were from the
Albuquerque Operations Office's surveys, and 5 were from OA's inspections.
These findings were developed from 1994 through 1999. The Los Alamos
National Laboratory's safeguards and security staff did not perform root
cause analyses for 5 of the 15 findings. A root cause analysis was not
conducted for one finding because the finding was closed while the
Albuquerque Operation Office was conducting the survey. For the other four
findings, laboratory safeguards and security officials said that root cause
analyses were not conducted because the findings occurred before the
laboratory required that root cause analysis be documented in 1998. Our
review of the four findings indicated that none of those specific problems
were identified as recurring problems in subsequent inspections and surveys.
We also found that since the 1998 requirement, Los Alamos was documenting
root cause analyses for all findings.

Formal risk assessments (or justifications for not doing formal risk
assessments) were not completed for any of the 15 Los Alamos National
Laboratory findings that we reviewed. The Los Alamos National Laboratory's
safeguards and security officials told us that formal risk assessments are
not conducted because the laboratory does not require them. They said that
risk assessments have been conducted informally immediately upon learning
that a safeguards and security problem has been discovered but that these
assessments are not documented. If classified information or nuclear
material is at risk, the official's first priority is to ensure that
adequate compensatory measures are put into place. The laboratory's
safeguards and security officials informed us that they rely heavily on risk
determinations made by DOE's inspectors during the course of the audit.
Since we completed our review, laboratory officials informed us that they
have required that formal risk assessments be completed and documented for
all findings.

Cost-benefit analyses were also not completed for any of the 15 Los Alamos
National Laboratory's findings that we reviewed. The Los Alamos National
Laboratory's safeguards and security officials told us that they did not
perform any cost-benefit analyses for these findings because the majority of
the findings involve compliance with DOE's regulations and must be corrected
(e.g., marking of documents and submission of required paperwork). While
formal cost-benefit analyses were not performed, the safeguards and security
officials said that they informally consider the cost-benefit of a
corrective action for all findings. Exemptions are often requested to
eliminate the need for expensive corrective actions that do not
significantly improve security.

An example of how these analyses can benefit the corrective action process
involves a 1999 OA finding that appeared to require the replacement of doors
to special nuclear material vaults at the Lawrence Livermore National
Laboratory. DOE requires that the doors and walls to a vault containing
special nuclear material provide the same protection from unauthorized
entry. For this finding, Lawrence Livermore National Laboratory officials
conducted root cause, cost-benefit, and risk analyses and determined that
the new vault doors would cost about $200,000 and that installing them would
cost an additional $1 million, without providing a significant increase in
security. As a result, instead of proceeding with the upgrade to close the
finding, in November 1999, Lawrence Livermore National Laboratory officials
requested a variance from the DOE requirement.

DOE's operations offices follow a process for closure of safeguard and
security findings resulting from their annual surveys. The process involves
the operations offices in the development, validation, and verification of
the corrective action and the closure of the finding. OA is not required to
follow and has not followed a similar process for safeguards and security
findings resulting from its inspections. Until 1999, OA was not formally
involved in the development, validation, and verification of the corrective
actions resulting from its inspections and did not certify that the findings
were closed. The operations offices performed these functions. OA officials
told us that they believe the operations offices--as line managers--are the
appropriate organizations for conducting these functions and that, in most
cases, OA (1) was aware of the status of a finding, (2) was aware of whether
or not a laboratory was formally addressing it, and (3) would evaluate the
effectiveness of the corrective action during the next inspection of the
facility. We believe that by not being formally involved in the corrective
action process, OA was not able to ensure that the safeguards and security
finding was understood, adequately corrected, and closed.

Because OA did not get involved in the correction of findings, the
laboratories were not always aware of what findings existed. In addition,
some findings were never corrected, and a laboratory corrected a "finding"
that OA did not make. For example, in 1998, OA issued a report on its review
of aspects of safeguards and security at the Lawrence Livermore National
Laboratory that OA believed contained eight findings. However, these
findings were not clearly identified. Of those eight findings, six were
identified by the laboratory when it reviewed the report. The two findings
identified by OA and not by the laboratory concerned protective force and
personnel security issues. For these two findings, no corrective action
plans were developed, and they were never closed. In addition, in the
laboratory's review of OA's report, the laboratory identified what it
thought was an OA finding concerning nuclear material inventories. However,
this was not one of the eight findings that OA made. As a result, the
Lawrence Livermore National Laboratory corrected and closed a finding that
OA never made.

In its 1999 inspections at the Los Alamos National Laboratory and the
Lawrence Livermore National Laboratory, OA changed its processes. The
inspection report clearly identified and numbered (for use in the Safeguards
and Security Information Management System) the findings. In addition, OA
worked with the laboratories in developing a corrective action plan to
assure that the planned corrective action adequately addressed the
appropriate issues. However, OA does not plan to validate or verify the
corrective action and certify closure of the findings because the cognizant
secretarial offices and the operations offices will continue to perform
these functions. OA conducted follow-up reviews to evaluate the adequacy of
corrective actions and associated closure documentation. The changes in OA's
involvement in the corrective action process were included in an August 31,
1999, protocol issued by the Deputy Secretary.

Are Inconsistent

During a single year, the Los Alamos National Laboratory and Lawrence
Livermore National Laboratory receive ratings on their safeguards and
security performance from several sources that can range from
"unsatisfactory" to "far exceeds expectations." Safeguards and security
ratings have the potential to provide managers and policymakers with a
"report card" on the effectiveness of safeguards and security at a given
facility and throughout the complex. In recent years, however, ratings have
provided conflicting information on the effectiveness of safeguards and
security or, in cases where the ratings were not reported, provided no
information on the effectiveness of safeguards and security.

Over the past 6 years, the Los Alamos National Laboratory and the Lawrence
Livermore National Laboratory each received 15 safeguards and security
ratings in OA reports, operations office survey reports, DOE contract
performance ratings, and reports to the President. The ratings contained in
OA and operations office reports are based on the inspections and surveys of
safeguards and security programs at the facilities. Contract performance
ratings are based on annual assessments conducted by the contractor and the
operations office of how well a contractor met the safeguards and security
criteria contained in the contract. The rating contained in the annual
report to the President is a composite rating derived from reviews of
information contained in OA inspections, operations office surveys,
contractor self-assessments, and other sources. Tables 1 and 2 show these
ratings for the Los Alamos and the Lawrence Livermore national laboratories.

Table 1: Safeguards and Security Ratings for Los Alamos National Laboratory
From 1994 Through 1999

                       Albuquerque     Safeguards and
 Year OA               Operations      security contract   Annual report to
                       Office          performance         the President

 1994 No overall site  Marginal        Exceeds             Marginal
      rating givena                    expectations

 1995 Inspection not   Satisfactory    Far exceeds         Satisfactory
      conducted                        expectations

 1996 Inspection not   Survey not      Far exceeds         Satisfactory
      conducted        conducted       expectations

 1997 No rating given  Marginal        Meets expectations  Report not
                                                           issuedb

 1998 No overall site  Marginal        Excellent           Marginalb
      rating givenc
 1999 Satisfactory     Marginal        To be determined    To be determined

a OA did not give the site an overall rating but did provide eight ratings
of specific safeguards and security areas. Three were rated satisfactory,
four were marginal, and one was unsatisfactory.

b Reports for 1997 and 1998 were combined.

c OA did not give the site an overall rating but did provide a "marginal"
rating for each of the main elements of the laboratory's safeguards and
security program.

Table 2: Safeguards and Security Ratings for Lawrence Livermore National
Laboratory From 1994 Through 1999

                     Oakland          Safeguards and
 Year OA             Operations       security contract   Annual report to
                     Office           performance         the President

 1994 Inspection     Survey not       Excellent           Satisfactory
      not conducted  conducted

 1995 Inspection     Satisfactory     Far exceeds         Satisfactory
      not conducted                   expectations

 1996 Inspection     Satisfactory     Far exceeds         Marginal
      not conducted                   expectations

 1997 No rating      Satisfactory     Far exceeds         Report not
      given                           expectations        issueda

 1998 No rating      Marginal         Good                Marginala
      given
 1999 Marginal       Marginal         To be determined    To be determined

a Reports for 1997 and 1998 were combined.

As shown in these tables, the ratings assigned to safeguards and security
can vary widely during a given year. For example, at Lawrence Livermore
National Laboratory in 1996, the Oakland Operations Office's safeguards and
security survey rated the laboratory as "satisfactory," the safeguards and
security contract performance rating was "far exceeds expectations," and the
annual report to the President assigned a "marginal" rating. A similar
situation occurred at the Los Alamos National Laboratory in 1998. In that
year, both the Albuquerque Operations Office's safeguards and security
survey and the annual report to the President rated the laboratory as
"marginal," while the safeguards and security contract performance rating
was "excellent."

This disparity occurs for several reasons. One reason is that the purpose
and the criteria for the ratings are not the same. In their surveys, the
operations offices use DOE's policies, procedures, requirements, and orders
designed to protect classified information and material to measure the
laboratories' safeguards and security performance. The ratings assigned for
contract performance are based on a different set of criteria, which are
negotiated between DOE and the contractors operating the laboratories. In
the past, the contract performance criteria have often been oriented toward
quantifiable tasks that may not have a significant impact on the
effectiveness of the safeguards and security program. For example,
performance criteria for 1998 in the Los Alamos National Laboratory's
contract included the percentage of corrective action plans completed on
time, the number of self-assessments completed, and the percentage of time
that nuclear material is properly labeled and stored. The contract
performance criteria do not include safeguards and security ratings from OA
and the Albuquerque Operations Office. In contrast, OA's and the operations
offices' inspections and surveys are based on criteria designed to determine
the laboratory's effectiveness in protecting classified information and
nuclear material.

To some extent, another reason for the disparity in the ratings can be the
timing of the inspection or survey. For example, the Albuquerque Operations
Office conducted its annual survey of the Los Alamos National Laboratory in
May 1999. This survey rated safeguards and security at the laboratory as
"marginal." OA conducted its 1999 inspection of safeguards and security at
the Los Alamos National Laboratory in August 1999 and rated Los Alamos'
safeguards and security as "satisfactory," noting improvements in the
program since OA's 1998 inspection and the operations office's 1999 survey.
A third explanation for the disparate safeguards and security ratings can be
the scope of the reviews conducted. For example, in 1996, the report to the
President rated the Lawrence Livermore National Laboratory "marginal," while
the Oakland Operations Office rated the laboratory "satisfactory." However,
the scope of the report to the President included only the performance of
the special response team, while the Oakland Operations Office survey
included all five major safeguards and security topical areas.

While several factors may explain the disparate ratings, the wide variance
in the ratings in a single year raises questions about the credibility of
the rating process. The ratings could also provide government managers and
policymakers with distorted views of the effectiveness of safeguards and
security at the laboratories and could allow developing problems to be
overlooked. A logical assumption for a manager or policymaker would be that
if an operating contractor is receiving ratings of "far exceeds
expectations" and near maximum contract performance awards for safeguards
and security, then the safeguards and security program must be doing a good
job of meeting the requirements to protect classified information and
material. However, an OA inspection or operations office survey for the same
laboratory, for the same year, could reveal a marginal rating with numerous
findings of noncompliance with safeguards and security policies and
requirements.

DOE is working to correct this situation, and the ratings given for contract
performance and inspections and surveys may not be as disparate in future
years. Seventy-five percent of the contract performance ratings for
safeguards and security for the Los Alamos National Laboratory and the
Lawrence Livermore National Laboratory for 2000 will be based on OA's
inspection and operations offices' survey ratings. The remaining 25 percent
of the contract performance rating will be based on the laboratories'
ability to produce corrective action plans within the designated time
frames.

The criteria included in the 2000 contract for the Los Alamos National
Laboratory and the Lawrence Livermore National Laboratory are unique to
these laboratories and can be different from the criteria used at other DOE
facilities. For example, the 2000 contract for DOE's Sandia National
Laboratory allows for the consideration of OA's ratings in the performance
rating but does not specify that they have to be considered. In addition,
the contract performance criteria for the Sandia National Laboratory contain
process-oriented criteria such as the completion of corrective action plan
milestones and the percentage of security guards that can pass firearms
proficiency tests.

Operations office surveys are required to be performed annually unless an
exemption is granted, and the report to the President is to be an annual
summary of the status of safeguards and security. There is no requirement
for OA to perform annual inspections at the laboratories; however, periodic
reviews of safeguards are essential to ensure that safeguards and security
programs are effective. As shown in tables 1 and 2, only the contract
performance ratings were completed in each of the past 6 years for the Los
Alamos National Laboratory and the Lawrence Livermore National Laboratory.
OA did not conduct inspections at the Los Alamos National Laboratory in 1995
and 1996 and at the Lawrence Livermore National Laboratory in 1994, 1995,
and 1996. OA did not assign overall ratings in the site profiles issued in
1997 and 1998. The Albuquerque Operations Office did not assign a rating for
safeguards and security for the Los Alamos National Laboratory in 1996, and
the Oakland Operations Office did not assign a safeguards and security
rating for the Lawrence Livermore National Laboratory in 1994. Finally, the
report to the President was not issued in 1997 but, instead, was issued as a
combined 1997/1998 report.

The capability to obtain complete, accurate information on safeguards and
security findings is critical to ensure that DOE's findings are corrected
and do not occur at other DOE facilities. DOE's information system, however,
is incomplete, not accessible by all security staff, and not compatible with
contractor information systems. Several safeguards and security
organizations are beginning to individually look at the needs and
capabilities of the safeguards and security information system. However, in
our view, real progress on this issue will depend on a more systematic and
structured look at the information needs of all users to maximize the
efficiency and effectiveness of such a system.

Using tools like risk assessment, root cause analysis, and cost-benefit
analysis can aid in identifying why a problem has occurred, identifying the
best method of correcting the problem, and ensuring that the problem does
not reoccur. The Los Alamos National Laboratory has recently begun to
conduct formal risk assessments and root cause analyses for all findings but
is not formally conducting and documenting cost-benefit analyses. In
correcting the findings identified during the safeguards and security
surveys conducted by DOE's operations offices, the laboratories and the
operations offices coordinate and cooperate in developing, validating, and
verifying corrective actions and certifying closure of the findings. Until
1999, the Independent Oversight Office was not formally involved in the
corrective action process for the problems found during its inspections. In
1999, the Independent Oversight Office began to work with the laboratories
during the development of corrective action plans and conducted follow-up
reviews of the findings but still is not required to and does not formally
validate and verify the corrective actions and certify closure of the
findings.

Over the past 6 years, managers and policymakers could have been lead to
believe that the adequacy of security programs at Los Alamos and Lawrence
Livermore national laboratories was anywhere from "marginal" to "far exceeds
expectations," depending on which report and rating was being relied on.
Indications are that some of the conditions that led to this situation are
present at other DOE facilities. A consistent approach to rating safeguards
and security activities is necessary. Furthermore, all required inspections
must be performed to facilitate funding and policy decisions for two
reasons: (1) to improve the credibility of the safeguards and security
oversight process and (2) to ensure that problems are not overlooked or that
their importance is minimized. Increased attention to performing required
oversight because of recent security breaches and recent changes to the
rating criteria for safeguards and security contract performance for the Los
Alamos and Lawrence Livermore national laboratories are steps in the right
direction. Such attention must be maintained, and rating criteria should be
monitored to ensure adequate safeguards and security at nuclear facilities
in the future.

To improve the oversight of safeguards and security activities at DOE's
laboratories, we recommend that the Secretary of Energy do the following:

 Require that DOE's safeguards and security information system contain the
Independent Oversight Office's and operations offices' safeguards and
security findings. To the extent practical, the key findings of other
organizations, such as DOE's Inspector General, should be included.

 Provide for access to the system by DOE's area-office and laboratory
safeguards and security staff with a legitimate need. Such access should be
in accordance with DOE's security restrictions.

 Require the Independent Oversight Office to verify and validate correction
of its findings and continue its current involvement in developing
corrective actions for findings resulting from its inspections. The
Secretary should also make these responsibilities binding by incorporating
them into the DOE directives system.

 Ensure, to the extent possible, that rating criteria used by the various
safeguards and security oversight organizations are more consistent and
accurately reflect the effectiveness of safeguards and security at all DOE's
nuclear facilities.

We provided DOE with a draft of this report for its review and comment.
Overall, DOE stated that the report was objective and generally accurate but
noted a number of areas where it thought that clarification was needed.
Those areas related to the closure of safeguards and security findings, the
safeguards and security information management system, and the title of the
report.

In commenting on our discussion of the closure of safeguards and security
findings, DOE stated that line management--in this case, the operations
offices--is responsible for ensuring that identified security deficiencies
are adequately corrected. It believes the closing of findings is a line
management function and that OA is responsible for follow-up inspections
when the significance of the deficiency warrants. It stated that this
approach is consistent with what is commonly done in government and
industry. Accordingly, DOE made a number of suggested changes to the report
to reflect this view.

We agree that line management is responsible for taking the necessary
corrective actions to close a finding and that making decisions for
follow-up inspections that are based on the significance of the deficiency
is acceptable. However, because of the problems identified in this
report--such as the difficulty in identifying findings and the 2- or 3-year
lapse between inspections--we continue to believe that OA should be
responsible for validating and verifying that the corrective action taken
does, in fact, eliminate the problem identified. Because OA is the
originator of the finding, it is in the best position not only to be
involved in reviewing the corrective action plans, but also to verify and
validate that the corrective actions have been taken and to ensure that the
finding was corrected to its satisfaction. While we acknowledge that OA is
following up on its 1999 reviews, this was not done previously. After
considering DOE's comments, we added to our recommendations that DOE should
incorporate OA's verification and validation of corrective actions into the
DOE directives system.

In commenting on our description of DOE's Safeguards and Security
Information Management System, DOE stated that the report gave readers a
distorted impression of the System. DOE commented that the report did not
clearly identify that the Safeguards and Security Information Management
System is operated by the Office of Security and Emergency Operations.
Although the Office of Security and Emergency Operations is clearly
identified as the operator of the System in the appropriate section of the
report, we have added that clarification to the Results in Brief section as
DOE suggested. DOE also commented that the report did not recognize that the
System has been capable of including OA's, GAO's, and the Inspector
General's findings since 1988. We do not dispute the System's capability.
However, our focus was on the System's use--what findings were actually
entered into the System. Our recommendations are not entered in the system,
OA's findings were not entered in the System from 1995 through 1998, and the
Inspector General's recommendations were not entered in the System until
late 1999. Regardless of the System's capabilities, as long as these
findings are not entered into the System, DOE has no centralized means to
track the findings and their correction. As a result, we did not make DOE's
suggested change. Relatedly, DOE commented on our discussion of the
inadequate access to the Safeguards and Security Information Management
System. DOE stated that it does not restrict access to the System. However,
in its comments, the Department conceded that the configuration of the
System limits access to headquarters and the operations offices. We believe
this is a significant limitation. We do not advocate vast increases in the
number of personnel with access to the System. However, we believe that area
office and national laboratory personnel with appropriate clearances and a
legitimate need to use the System should have direct access to the System to
facilitate the correction of safeguards and security problems. As a result,
we did not make DOE's suggested change.

DOE's last major concern involved the title of the report. DOE stated that
our use of the word "oversight" in the title could lead readers to the
conclusion that the report was only about OA. Our report clearly states that
we reviewed oversight functions of two organizations--OA and the operations
offices. We agree that the operations offices are the line managers for the
laboratories and that their survey responsibilities constituted oversight of
the security situation at the laboratories. We did not change the report's
title. DOE also provided a number of technical comments that we addressed as
appropriate. The full text of DOE's comments is included in appendix I.

To obtain information on the monitoring and tracking of findings resulting
from DOE's oversight activities, we held discussions with officials in DOE's
Office of Defense Programs, Office of Independent Oversight and Performance
Assurance, and Albuquerque and Oakland Operations Offices. We also held
discussions with contractor officials at the Lawrence Livermore National
Laboratory and the Los Alamos National Laboratory on their monitoring and
tracking of DOE's oversight findings. In addition, we examined tracking and
monitoring reports from the Albuquerque and Oakland Operations Office.

To determine the consistency of safeguards and security ratings, we examined
the oversight reports of the Office of Independent Oversight and Performance
Assurance and DOE's Albuquerque and Oakland Operations Offices as well as
the Lawrence Livermore National Laboratory's and Los Alamos National
Laboratory's contractor performance ratings.

To determine the identification, correction, validation, and closing of
findings resulting from DOE's oversight activities, we (1) examined the
oversight reports of the Office of Independent Oversight and Performance
Assurance and DOE's Albuquerque and Oakland Operations Offices and the
corrective action plans of the Lawrence Livermore National Laboratory and
the Los Alamos National Laboratory taken in response to DOE's findings and
(2) examined the records documenting closure and validation of the findings
from DOE's oversight activities. We visited the Lawrence Livermore National
Laboratory and the Los Alamos National Laboratory to validate that actions
were taken to close a sampling of oversight findings. These findings were
selected judgmentally to provide a variety of findings from different
sources and to allow for the physical inspection of the corrective action.
Our work was performed from June through December 1999 in accordance with
generally accepted government auditing standards.

As arranged with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days after
the date of this letter. At that time, we will send copies of the report to
the Honorable Bill Richardson, Secretary of Energy, and the Honorable Jacob
J. Lew, Director, Office of Management and Budget. We will make copies
available to others on request.

If you or your staff have any questions about this report, please call me at
(202) 512-3841. Major contributors to this report included William F.
Fenzel, Assistant Director; Kenneth E. Lightner, Jr., Senior Evaluator;
Ilene Pollack, Senior Evaluator; and Susan W. Irwin, Senior Attorney.

Sincerely yours,

(Ms.) Gary L. Jones
Associate Director, Energy,
Resources, and Science Issues

Comments From the Department of Energy

(141348)

Table 1: Safeguards and Security Ratings for Los Alamos National Laboratory
From 1994 Through 1999 15

Table 2: Safeguards and Security Ratings for Lawrence Livermore National
Laboratory From 1994 Through 1999 15
  

1. See Status of Safeguards and Security for 1996 (Jan. 27, 1997).

2. The Office of Security Affairs is a DOE headquarters organization whose
functions include establishing safeguards and security policies and
providing advice and assistance concerning safeguards and security programs.

3. See Department of Energy: Key Factors Underlying Security Problems at DOE
Facilities , (GAO/T-RCED-99-159 , Apr. 20, 1999).

4. The findings in OA reports have been referred to as "issues" in some OA
reports. In this report, we refer to all OA findings as "findings." OA has
also used different terms for the reviews it conducts, including
"inspections," "evaluations," and "site profiles." In this report we refer
to all OA reviews as "inspections."

5. In January 1999, a special security review team issued an Internal Report
to the Secretary, Special Security Review . Also, in January 1999, a House
of Representatives Select Committee issued a report that dealt with security
at DOE's facilities entitled U.S. National Security and Military/Commercial
Concerns With the People's Republic of China .

6. Safeguards and security staff at the Lawrence Livermore National
Laboratory did not perform risk assessment, root cause analyses, and
cost-benefit analyses for three of the findings we reviewed because they
were findings contained in OA's 1997 Site Profile, and laboratory staff
believed that the issues raised were not formal findings and that corrective
action plans were not required. In addition, a cost-benefit analysis was not
performed for one Oakland survey finding that involved the use of a certain
kind of lock on a room that contained classified printers. The laboratory's
safeguards and security staff conducted a risk assessment and a root cause
analysis for this finding but did not conduct a cost-benefit analysis
because the printer room had been eliminated shortly after completion of the
survey and the finding was no longer applicable.
*** End of document. ***