Statement of Secretary Samuel Bodman
Chairman Stupak, Congressman Whitfield, and Members of the Subcommittee, I'm pleased to appear before you to discuss what I consider to be one of the most pressing management issues confronting the Department of Energy (DOE). Since coming to the Department, one of my top goals has been to institute a safer, more secure work environment across the DOE complex. And I have meant this to include physical safety and security as well as cyber security. I want to be absolutely clear here: the protection of sensitive information is essential to our ability to meet our mission as a Department.
This testimony is intended to describe the steps that we have taken to improve security within the Department of Energy following last year's incident at Los Alamos National Laboratory (LANL). In particular, I will discuss improvements that have occurred since Deputy Secretary Sell last testified before you in January of this year. I would preface this discussion with two over-arching points: first, we have made significant progress over the past few months, and I am confident that we are on the right track. But, we are not satisfied. We are staying on top of this issue, and we continue to look for ways to identify and correct any potential weaknesses.
And I hasten to add that the entire senior leadership team at DOE - including myself, Deputy Secretary Sell, and National Nuclear Security Administration (NNSA) Acting Administrator Tom D'Agostino - remain strongly committed to improving security at the entire DOE complex and to keeping this Committee closely informed of our progress.
Senior Management Changes and DOE Oversight Actions
First, let me describe the senior management and oversight changes that we have made at the Department level. In January, I made the difficult decision to replace the Under Secretary for Nuclear Security, and Thomas D'Agostino was named as the Acting Under Secretary and NNSA Administrator. In addition, NNSA has reassigned the Los Alamos Site Office (LASO) Manager and has put one of its strongest managers, Daniel Glenn - formerly of the Pantex Site Office, in place as Acting Manager. We are making changes to the Los Alamos National Security, LLC (LANS) contract to mandate further improvements, and we have increased the planned fiscal year 2008 investment in cyber security significantly.
In addition, following the event at LANL this past October, I formed two teams consisting of the Department's three Under Secretaries, the Chief of Health, Safety, and Security, and the Chief Information Officer: a Personnel Security Task Force and a Cyber Security Review Team. I asked them to make specific recommendations based on the Department's Inspector General report on the LANL incident.
The Personnel Security Task Force submitted its report on February 28, 2007. It recommended improvement in several areas. I have accepted their recommendations and have directed implementation to begin immediately of the following:
- Enhanced mandatory training for those involved in the granting of security clearances,
- Strengthened Departmental policy on drug testing for those that hold security clearances,
- Enhanced quality assurance oversight to increase confidence in the suitability of those granted a security clearance; and
- Revised the personnel security organizational structure to increase the authority and ensure greater accountability for the Personnel Security Program.
I have also directed that all of the recommendations made by the Cyber Security Review Team that have not already been implemented, be implemented immediately. To that end, issuance of a revised cyber security policy [DOE Order 205.1A] was completed on December 4, 2006. And, the new National Security Manual was issued on March 8, 2007. The Cyber Security Task Force also recommended the following, which we are in the process of implementing:
- Mandatory separation of duties for key positions, such as Information System Security Officers and System Administrators,
- Improved training for all individuals with cyber security responsibilities; and
- Improved line management oversight of cyber security.
We are also taking steps to further strengthen the oversight by NNSA of LASO. The NNSA Acting Administrator has directed the NNSA Chief Information Officer to work very closely with Site Office management to ensure cyber security requirements are implemented by LANL. To ensure that these requirements are fully implemented, the Designated Approval Authority position for cyber security has been strengthened within the LASO management structure. This position will report directly to the Site Office Manager and is in the process of being filled. Working in concert with the Site Office and NNSA management additional cyber security personnel will be hired to bolster the cyber security staff and program within the Site Office.
Further, Acting Administrator D'Agostino has requested that DOE's Office of Health, Safety and Security conduct annual inspections at Los Alamos for the next three years. This month, both NNSA's Office of Defense Nuclear Security and CIO will inspect LANL for the cyber and physical security programs. The Site Office will conduct annual surveys - and regular observations - of the Lab's security programs.
We are also exercising the Department's new authorities under 10 CFR 824, Procedural Rules for the Assessment of Civil Penalties for Classified Information Security Violations. The DOE Office of Enforcement has completed its review of the LANL incident and last week the Department held an enforcement conference with the Lab's current management and operating contractor, LANS, and with the former contractor, the University of California. Similar to the process we use for Price-Anderson enforcement, both contractors now have the opportunity to respond before we make a decision regarding a Preliminary Notice of Violation.
Finally, I would just add that I continue to be in close contact with the senior leadership of the Laboratory and the LANS Board.
Corrective Actions by LANL Management & Operating Contractor LANS, LLC
Even while these Departmental reviews and changes have been underway, LANS has moved ahead with corrective actions. Following the incident, LANS immediately strengthened its escorting procedures, initiated mandatory entry and exit inspections of vault-type room visitors, and increased the number of exit inspections at other security boundaries ten-fold.
One of the issues identified as a contributing cause to this incident was the span of classified activities. LANS continues on schedule to move to a diskless environment, reducing the number of pieces of classified removable electronic media (CREM) and the number of classified paper documents. LANL recognizes their volume of classified holdings is unnecessarily large, conducted in too many security areas, involves too many people, and is spread out over too large of an area. As a result, LANS is aggressively reducing the number of locations where they hold and process classified matter. LANS will more closely scrutinize the continued need for existing security operations or the establishment of a new security area. This will enable them to better focus professional security resources to provide stronger management and oversight of classified operations.
To achieve this reduction, LANS has proposed, and NNSA has approved, a new consolidated vault-type room (VTR) concept to create classified matter storage and processing centers that will reduce the number of security areas and enhance the accountability and control of classified matter. The first "Super" VTR is planned to open on June 1, 2007.
The Weapons Engineering Division at LANL plans to close three VTRs immediately, three more by the end of April, and another five by the end of FY 2007, a reduction of 50%. This division also plans to further reduce its CREM holdings by 90%, from 364 to a dozen or so pieces in the near term. Another division within LANL, the Weapons Physics Division, currently has six VTRs; it will close three by the end of FY 2007. The classified materials in these VTRs will be archived, destroyed, or re-located as appropriate. These reductions are just examples of progress that will reduce security risk without reducing the productivity of our scientists and engineers.
While this incident occurred during the early stage of LANS' contract, I hold it accountable for the incident, and for rectifying the situation, just as I would at any DOE site managed by any contractor.
The LANS Board of Governors has also taken an active role in reviewing and validating the adequacy of LANL's corrective actions. The Board is closely monitoring the Laboratory's integrated corrective action plan which was developed to address the root causes of the incident identified during the incident inquiry. LANS has reassigned cyber security responsibilities to the Chief Security Officer who reports directly to the Laboratory Director. The Board has also made a significant effort to employ the collective power of the LANS member companies through the use of Assess, Improve, and Modernize, or AIM Teams from the member companies to conduct oversight assessments and make recommendations for improvement. The Board has taken a leadership role in numerous other ways as well, but most importantly, it has opened a clear line of communication with me and the Acting NNSA Administrator. I talk to the Chairman of the LANS Board of Governors, Gerald Parsky on a regular basis. In fact, we met with the Chairman and Vice Chairman of the Board of Governors in person two weeks ago.
While we have made significant improvements and changes in personnel and cyber security programs, I believe that in order to guard against future incidents, we must continually improve the security culture across the DOE complex. And we will.
In closing, let me just say this: the men and women who work at LANL and all our National Laboratories are among the world's most talented scientists and engineers. Since their founding, these Laboratories have demonstrated again and again the tremendous power - and promise - of science to help our nation solve its greatest challenges. But such a system cannot tolerate any lapses in security - be they in the physical or cyber realm. Protecting critical information and maintaining a vibrant, collaborative scientific culture are not mutually exclusive goals. Quite the opposite is true. In this case, you absolutely cannot achieve one without the other. And, you continue to have my word that I will do everything in my power to support both objectives. The American people deserve no less.
This concludes my statement. I will be pleased to respond to your questions. Thank you.
Location: House Subcommittee on Oversight and Investigations of the Committee on Energy and Commerce