The Government Accountability Office (GAO) released a new report finding that the Department of Energy (DoE) has failed to fully implement a program to protect against insider threats to the agency’s nuclear weapons and related secret information.
DoE “has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments,” GAO said.
“Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program,” GAO said.
Further, GAO said DOE “does not formally track or report on its actions to implement” the program, and warned that “without tracking and reporting on its actions to address independent reviewers’ findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.”
“The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from ‘insiders,’ including employees or visitors with trusted access,” GAO said.
One culprit cited by GAO is DoE’s decision to divide responsibilities for the program.“DOE divided significant responsibilities for its program between two offices. Specifically, the program’s senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence,” GAO said.
The report also finds that the Department has not “identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program.”
GAO providing seven recommendations, which DoE officials concurred with:
- Senior officials at the Insider Threat Program should create a tool in which to track actions taken from recommendations of independent assessments;
- Senior officials should resume annual reporting and include in those reports the actions the program has taken to address findings and recommendations it receives from independent assessments;
- Senior officials should establish a process to integrate insider threat responsibilities better, ensuring that the senior official can centrally manage all aspects of the Insider Threat Program;
- The Secretary of Energy should ensure that the Insider Threat Program achieves a single, department-wide approach to managing insider risk;
- Officials at the Insider Threat Program must work with DoE officials to achieve consistency with contracts and their responsibilities;
- Officials at the Insider Threat Program should work with stakeholders to identify all departmental resources that support the Insider Threat Program; and
- The Insider Threat Program senior official should work with stakeholders to assess the program’s human, financial, and technical resource needs and make recommendations to the Secretary on where resources should be allocated so that the program is positioned to achieve minimum standards.