Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program
Fast Facts
The Department of Energy has several programs to ensure proper access to and handling of the nation's nuclear weapons and related information. DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors.
But as of 2023, DOE hasn't fully implemented the program. For example, DOE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.
DOE changed the program's leadership in February 2023, but there's more to do. We recommended ways to improve the program.
Highlights
What GAO Found
The Department of Energy (DOE) has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments. Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program (see fig. for examples). DOE does not formally track or report on its actions to implement them. Without tracking and reporting on its actions to address independent reviewers' findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.
Examples of Selected Recommendations from Independent Assessments of DOE's Insider Threat Program
DOE has not fully implemented its Insider Threat Program due to multiple factors.
- DOE has not integrated program responsibilities. DOE has not effectively integrated Insider Threat Program responsibilities. Instead, DOE divided significant responsibilities for its program between two offices. Specifically, the program's senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, DOE's insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.
- DOE has not identified and assessed resource needs. DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE's budget does not account for all program responsibilities. For example, DOE's budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.
Why GAO Did This Study
The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from "insiders," including employees or visitors with trusted access. In 2014, DOE established its Insider Threat Program to integrate its policies, procedures, and resources. The program also coordinates analysis, response, and mitigation actions among DOE organizations.
The House report accompanying a bill for the National Defense Authorization Act for fiscal year 2022 includes a provision for GAO to review DOE's efforts to address insider threats with respect to the nuclear security enterprise. This report examines (1) the extent to which DOE has implemented required standards to protect the nuclear security enterprise from insider threats and (2) the factors that have affected DOE's ability to fully implement its Insider Threat Program.
GAO reviewed the minimum standards and best practices for federal insider threat programs, DOE documentation, and four assessments by independent reviewers. GAO also interviewed DOE and National Nuclear Security Administration officials and contractors.
Recommendations
GAO is making seven recommendations to DOE, including (1) to track and report on actions it takes to address reviewers' findings and recommendations, (2) to establish a process to better integrate program responsibilities, and (3) to assess resource needs for the program. DOE agreed with the recommendations and described plans to address them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Energy | The Insider Threat Program senior official should develop a mechanism to track actions taken in response to findings and recommendations it receives from independent assessments. (Recommendation 1) | As of April 2024, DOE developed a Near-Term Strategy that identifies actions the agency plans to take in response to the findings and recommendations from the DOE Inspector General and GAO. DOE indicated in that strategic document that it planned to develop an additional mechanism that would track recommendations from all independent reviewers of the program, and which would be updated quarterly. |
| Department of Energy | The Insider Threat Program senior official should resume annual reporting and include in those reports the actions the program has taken to address findings and recommendations it receives from independent assessments. (Recommendation 2) | As of April 2024, DOE produced an annual report covering calendar year 2022. However, DOE indicated in a strategy document that it planned to set a recurring due date for future annual reports and that it would meet the annual deadline. An annual report covering calendar year 2023 was not available as of April 2024. |
| Department of Energy | Priority Rec.: The Insider Threat Program senior official should establish a process to better integrate insider threat responsibilities, ensuring that the senior official can centrally manage all aspects of the Insider Threat Program. (Recommendation 3) | As of April 2024, DOE produced a Near-Term Strategy that identified a number of actions to be taken in response to this recommendation. Key actions to be completed include: (1) the Insider Threat Program senior official producing a series of memoranda to clarify program roles and responsibilities; (2) hiring a liaison to better coordinate referrals between the Analysis and Referrals Center and the Office of Environment, Health, Safety, and Security through a to-be-completed memorandum of agreement or memorandum of understanding; and (3) revising DOE Order 470.5 for the program. We will continue to monitor the implementation of these planned actions. |
| Department of Energy | Priority Rec.: The Secretary of Energy should ensure that the Insider Threat Program achieves a single, department-wide approach to managing insider risk. (Recommendation 4) | As of April 2024, the Secretary of Energy had designated a new senior official for the program and directed all DOE elements to support the senior official in their responsibilities. DOE also produced a Near-Term Strategy that identified a number of actions DOE plans to take to achieve a single, department-wide approach to managing insider risk. One key action to be completed is the revision to DOE Order 470.5 for the program. We will continue to monitor the implementation of these planned actions. |
| Department of Energy | The Insider Threat Program senior official should work with DOE program offices and NNSA, in coordination with contracting officers, as appropriate, to ensure that contractors' specific Insider Threat Program responsibilities are clearly stated and consistently applied across the sites by, for example, reviewing and, if necessary, revising contract requirements to include responsibilities such as insider threat response actions. (Recommendation 5) | As of April 2024, DOE plans to update and revise the existing DOE Order 470.5, Insider Threat Program, to include specific responsibilities for senior officials, program stakeholders, program offices, and other relevant activities. The revised DOE Order will provide direction for contractors through a Contractor Requirements Document, consistent with the structure of DOE's Directives program. DOE expects updates to the order by September 2024. |
| Department of Energy | The Insider Threat Program senior official should work with Insider Threat Program stakeholders to identify all departmental resources that support the Insider Threat Program. (Recommendation 6) | As of April 2024, DOE plans to analyze and identify the necessary capabilities, resources, and other supporting elements as it updates DOE Order 470.5, Insider Threat Program. DOE anticipates updates to the order by September 2024. |
| Department of Energy | The Insider Threat Program senior official should work with stakeholders to assess the program's human, financial, and technical resource needs and make recommendations to the Secretary on where resources should be allocated so that the program is positioned to achieve minimum standards. (Recommendation 7) | As of April 2024, DOE plans to identify the program's human, financial, and technical resource needs as it updates DOE Order 470.5, Insider Threat Program. Each departmental element will perform an impact assessment and implementation plan that will detail the added resources needed for program implementation. Program elements and NNSA, having governance and oversight responsibilities for specific insider threat functions, will communicate resource needs through established budget channels and will also inform the Insider Threat Program senior official of resource needs specific to Insider Threat Operations. Additionally, the Executive Steering Committee, chaired by the senior official, will annually review program requirements identified in the revised order and provide recommendations for accomplishing national standards. DOE anticipates updates to the order by September 2024. |