The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from “insiders,” including employees or visitors with trusted access.
The Department of Energy (DOE) has several programs to ensure proper access to and handling of the nation’s nuclear weapons and related information. For example, DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors. But the Government Accountability Office (GAO) has found that DOE hasn’t fully implemented the program.
GAO’s review determined that DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program. The government watchdog is also concerned that DOE does not formally track or report on the actions it takes to address those findings and recommendations.
Rather than effectively integrating Insider Threat Program responsibilities, GAO found that DOE has instead divided significant responsibilities for its program between two offices. Specifically, the program’s senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, GAO says DOE’s insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.
GAO also found that DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE’s budget does not account for all program responsibilities. For example, DOE’s budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, GAO believes it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.
In February 2023, the Secretary of Energy directed the designated senior official to integrate DOE’s many capabilities into a single, comprehensive, risk management framework. DOE’s Insider Threat Program had previously set this goal in its 2017-2020 Strategic Plan. However, according to independent reviewers, organizational barriers and a lack of support from DOE senior leadership had prevented the designated senior official from exercising the authorities of that role. For example, in a March 2022 memo to the Secretary of Energy, the Director of National Intelligence found that the designated senior official lacked support throughout the department to establish a dedicated Insider Threat Program.
Another independent review team GAO spoke with observed that DOE senior leadership has been unreceptive to addressing the “cultural stovepipes” in the program’s structure and that program officials were hesitant to carry out the authorities provided in DOE’s Insider Threat Program order because of a lack of organizational support for a stronger role for the program.
GAO is making seven recommendations to DOE, including to track and report on actions it takes to address reviewers’ findings and recommendations, to establish a process to better integrate program responsibilities, and to assess resource needs for the program. DOE agreed with the recommendations and has set out plans to address them.