

DOE/IG-0488

U.S. DEPARTMENT OF ENERGY
OFFICE OF INSPECTOR GENERAL
OFFICE OF INSPECTIONS

INSPECTION OF
SELECTED ASPECTS OF
THE DEPARTMENT OF ENERGY'S
CLASSIFIED DOCUMENT
TRANSMITTAL PROCESS

NOVEMBER 2000


Department of Energy
Washington, DC 20585

November 20, 2000

MEMORANDUM FOR THE SECRETARY

FROM:

SUBJECT:

BACKGROUND

In view of recent concerns regarding the security of Department of Energy (DOE) classified information, including nuclear weapons information, we initiated an inspection to determine whether officials of the Department and its contractors, including officials of the National Nuclear Security Administration (NNSA) and its contractors, followed the Department's policies and procedures when transmitting classified documents to entities outside the Department.

RESULTS OF INSPECTION

We found that three DOE/NNSA laboratories sent classified documents to addresses outside the Department that were not listed in the Department's database of approved recipients of such documents. We reviewed a judgmental sample of classified document transmittals during calendar year 1999 by selected Department Headquarters and field organizations and three Department laboratories. We found that approximately 15 percent of the transmittals in our sample had been sent by the three laboratories to addresses that were not listed in the Department's database. These transmittals were either made to an address other than the classified mailing address listed in the database, or were made to facilities that were not registered in the database at the time of the transmittal.

The Department's policy is very clear on the transmittal of classified material. Specifically, it provides that classified matter shall be addressed only to approved classified addresses, and all such addresses must be verified through the database. When we brought this matter to the attention of the Director, Office of Security and Emergency Operations, he acknowledged that the Department's policy had been violated, but concluded that there was no compromise of classified information. We did not independently confirm that no compromise took place. However, we concluded that actions were required by the Department to ensure that policies and procedures relating to transmittal of classified documents are precisely executed and that officials of the Department and its contractors are held accountable when the policies and procedures are not followed.

MANAGEMENT REACTION

Management concurred with our findings and described corrective actions to implement our recommendations. The Deputy Secretary's response is set out in full in Appendix B of the report.

Attachment

cc: Deputy Secretary
Under Secretary for Nuclear Security/Administrator for Nuclear Security
Under Secretary for Energy, Science and Environment
Director, Office of Security and Emergency Operations
Director, Office of Defense Nuclear Security


INSPECTION OF SELECTED ASPECTS OF THE DEPARTMENT OF ENERGY'S
CLASSIFIED DOCUMENT TRANSMITTAL PROCESS


Overview

Introduction and Objective

In view of recent concerns regarding the security of Department of Energy (DOE) classified information, including nuclear weapons information, we initiated an inspection to determine whether classified documents are being transmitted by DOE and DOE contractor personnel, including National Nuclear Security Administration (NNSA) and NNSA contractor personnel, to entities outside the Department in accordance with the Department's policies and procedures. Specific concerns regarding the Department's mailing of classified material were expressed by a member of the Senate Armed Services Committee during a June 21, 2000, hearing on security failures at the NNSA's Los Alamos National Laboratory (LANL).

Observations and Conclusions

We found that the three Department laboratories included in our review did not always adhere to the Department's safeguards and security policies and procedures for the transmittal of classified documents to entities outside the Department. Specifically, we found that classified documents were transmitted to entities that were not listed in the Department's database of approved recipients of such documents. When we brought this matter to the attention of the Director, Office of Security and Emergency Operations (SO), he acknowledged that the Department's policy had been violated, but concluded that there was no compromise of classified information. While we did not independently confirm that no compromise took place, we believe that the Department needs to take prompt action to ensure that policies and procedures relating to transmittal of classified documents are precisely executed and that officials of the Department and its contractors are held accountable when the policies and procedures are not followed.


Details of Findings

We reviewed a judgmental sample of 177 transmittals of classified documents during calendar year 1999 by selected Department Headquarters and field organizations and three Department laboratories: the NNSA Lawrence Livermore National Laboratory (LLNL), the DOE Pacific Northwest National Laboratory (PNNL), and LANL. We found that 27 of the transmittals, or approximately 15 percent of the transmittals we reviewed, were sent by the three laboratories to addresses that were not listed in the Department's Safeguards and Security Information Management System (SSIMS). These transmittals were either made to an address other than the classified mailing address listed in SSIMS, or were made to facilities that were not registered in SSIMS at the time of the transmittal. Although contractor access to SSIMS is limited, the Department's policy is very clear on the transmittal of classified material. Specifically, it provides that classified matter shall be addressed only to approved classified addresses, and all such addresses must be verified through SSIMS (DOE Manual 471.2B, "Classified Matter Protection and Control Manual," dated January 6, 1999). By requiring the use of SSIMS to obtain approved mailing addresses for classified documents, SSIMS serves as a gatekeeper to prevent such documents from being transmitted to unapproved sources. In short, the Department's policy is that, if the address is not in SSIMS, the document should not be transmitted.

Management Alert Issued

Because of the time sensitive nature of our findings, on May 12, 2000, we issued a Management Alert to the Office of Security Affairs (OSA) entitled "Inspection of Classified Information Transmittals." The purpose of the Management Alert was to advise OSA of preliminary findings from our review that might require immediate attention by appropriate security personnel. We provided background information on the 27 classified document transmittals by the three Department laboratories that were sent to addresses that were not in SSIMS. The security classification for the transmitted documents ranged from "SECRET" to "SECRET RD [Restricted Data]." Our objective was to ensure that OSA would take appropriate action to evaluate the security of the classified matter in the transmittals and to investigate the circumstances surrounding the transmittals.

Department Action

In a July 6, 2000, memorandum to the Office of Inspector General on this subject, the SO Director concluded that classified documents had, in fact, been transmitted in a manner inconsistent with the Department's policy. Nonetheless, it was the SO Director's conclusion that there was no compromise of classified information. We did not conduct an independent review to determine whether there was a compromise of classified information in the 27 transmittals.

In his July 6, 2000, memorandum, the SO Director stated that SO issued a May 26, 2000, memorandum to the Safeguards and Security Directors and the Lead Program Secretarial Officers reiterating the established policies and procedures regarding the verification of classified mailing addresses. The SO Director expressed the view that the root cause of the mishandling of the transmission of classified information was the limited access to SSIMS provided to the Department's contractors for verification of approved classified mailing addresses. The SO Director stated, however, that expanding the accessibility of SSIMS to allow contractor personnel access to the database creates a number of security-related (need-to-know) concerns. According to the SO Director, the Office of Safeguards and Security is conducting an evaluation to "compare the cost of compartmentalizing the system to control need-to-know versus the benefits of the change."

Based on the results of our review, we are not convinced that the lack of contractor access to SSIMS is the root cause of the problems identified. Specifically, we found that classified document transmittals were mishandled by PNNL, which had direct access to SSIMS. Instead, we believe there was a breakdown in the execution of internal controls designed to prevent transmittal of classified documents to inappropriate recipients. The recommendations for corrective actions that follow are intended to address this problem.

Management Comments on Initial Draft Report

On August 23, 2000, we issued an initial draft report for management comments that contained four recommendations to the SO Director for corrective actions. In comments dated September 18, 2000, the SO Director agreed with the recommendations. However, he believed that two of the four recommendations are the responsibility of the Lead Program Secretarial Offices and not SO. To ensure full implementation of the two recommendations Department-wide, we have redirected the two recommendations to the Department's Deputy Secretary for corrective actions.


Recommendations

We recommend that the Deputy Secretary:

We also recommend that the Director, Office of Security and Emergency Operations:


Management Comments

In comments dated November 14, 2000, the Deputy Secretary concurred with the findings in our draft report and described corrective actions to be implemented in response to our recommendations. Regarding recommendations 1 and 2, he said that the Department will publish an award fee clause that will allow the Department to withhold award fee dollars for violations of security directives regarding the protection of classified information. He also said that a civil penalties regulation is being developed to impose civil penalties up to one hundred thousand dollars for the failure to protect classified information. The estimated publication date of the award fee clause and the civil penalties regulation is May 31, 2001.

Regarding recommendation 3, the Deputy Secretary stated that the Department will increase the level of security awareness throughout the Department. He said that special publications focusing on this issue are being developed and additional security education resources are being allocated. The estimated completion date is February 28, 2001.

Regarding recommendation 4, the Deputy Secretary said that, due to the significant volumes of sensitive information in SSIMS and the associated need-to-know concerns, efforts are underway in the Department to modify SSIMS to provide a read only capability of selected facility information. This will allow more organizations to access those portions of the system relative to their specific operation, without the threat of being able to modify or delete information contained in the system. The estimated implementation date for the revised system is December 1, 2000.

The Deputy Secretary's response is set out in full in Appendix B.

Inspector Comments

We consider management's comments to be responsive.


Appendix A

Scope and Methodology

Our inspection included interviews of Department of Energy (DOE) and DOE contractor employees, to include National Nuclear Security Administration (NNSA) and NNSA contractor employees, at the Department's Headquarters and field organizations, and at three Department laboratories: the NNSA Lawrence Livermore National Laboratory, the NNSA Los Alamos National Laboratory, and the DOE Pacific Northwest National Laboratory. We also reviewed pertinent Department policies and procedures and analyzed a judgmental sample of the documentation for transmittals of classified documents. Our inspection was conducted in accordance with the "Quality Standards for Inspections" issued by the President's Council on Integrity and Efficiency.


Appendix B

The Deputy Secretary of Energy
Washington, DC 20585

November 14, 2000

MEMORANDUM FOR THE INSPECTOR GENERAL

FROM: T.J. GLAUTHIER

SUBJECT:

Attached is the Department's response to your draft report on Inspection of Selected Aspects of the Department of Energy's Classified Document Transmittal Process. The response provides our concurrence with your findings and action plans to implement each finding.

Attachment


MANAGEMENT DECISION ON INSPECTOR GENERAL'S DRAFT
REPORT
ON
"INSPECTION OF SELECTED ASPECTS OF THE DEPARTMENT OF
ENERGY'S CLASSIFIED DOCUMENT TRANSMITTAL PROCESS"

Finding 1: Ensure that the Department's policies and procedures for the transmittal of classified material are precisely executed.

Response: The Department concurs with this finding.

Action Plan to Implement:

Publish award fee clause. This contractual language will allow the Department to withhold award fee dollars for violations of security directives regarding the protection of classified information. Estimated publication date: May 31, 2001.

Publish civil penalties regulation. A rule is being developed which will allow the Department to impose civil penalties up to one hundred thousand dollars for the failure to protect classified information. Estimated publication date: May 31, 2001.

Finding 2: Ensure that DOE and DOE contractor officials are held accountable for management failures that result in the improper transmittal of classified material.

Response: The Department concurs with this finding.

Action Plan to Implement:

Publish award fee clause. This contractual language will allow the Department to withhold award fee dollars for violations of security directives regarding the protection of classified information. Estimated publication date: May 31, 2001.

Publish civil penalties regulation. A rule is being developed which will allow the Department to impose civil penalties up to one hundred thousand dollars for the failure to protect classified information. Estimated publication date: May 31, 2001.

Finding 3: Ensure that DOE and DOE contractor officials are knowledgeable of the Department's policies and procedures for the transmittal of classified material.

Response: The Department concurs with this finding.

Action Plan to Implement:

Increase the level of security awareness throughout the Department. Special publications focusing on this issue are being developed and additional security education resources are being allocated (e.g., posters, incorporation into refresher training, etc.)

Estimated completion date: February 28, 2001.

Finding 4: Establish a mechanism for DOE contractors to obtain approval of, and to verify mailing addresses for transmittal of classified information.

Response: The Department concurs with this finding.

The Safeguards and Security Information Management System is a complex-wide database of safeguards and security information. As indicated in the report, access to the system was deliberately limited due to the significant volumes of sensitive information contained on the system and the associated need-to-know concerns. As a result of this report, efforts are currently underway to modify this system to provide a read only capability of selected facility information. This will allow more organizations to access those portions of the system relative to their specific operation, without the threat of being able to modify or delete information contained on the system.

Estimated implementation date for the revised system: December 1, 2000.



