FAS | Government Secrecy | News ||| Index | Search | Join FAS


FOR IMMEDIATE RELEASE
May 11, 1999

Richardson Unveils Security Reform Package

Includes Security Management & Oversight Overhaul,
New Counterintelligence & Cyber-Security Measures,
Cyber-Threat Training and Zero-Tolerance Security Policy

U.S. Secretary of Energy Bill Richardson today unveiled the largest, most sweeping reform of security programs in the department's history. The announcement includes the creation of a new high-level Office of Security and Emergency Operations and improved oversight, increased nuclear materials inventory accountability, additional cyber-security improvements, a zero-tolerance security policy, new counterintelligence measures, accelerated safeguard and security improvement goals, more physical upgrades, cyber-threat training, and an extension of the executive order on automatic declassification. Richardson's initiative is aimed at correcting long-standing bureaucratic problems and resource deficiencies and brings more accountability to the Department of Energy's (DOE) security programs.

"This security reform plan gives DOE the tools and authority we need to detect security infractions, correct institutional problems and protect America's nuclear secrets," said Secretary Richardson. "Coupled with previous counterintelligence and security measures we have already implemented, we are bringing more responsibility and accountability and high-level attention to these important matters."

Richardson's plan is as follows:

1. New Office of Security and Emergency Operations

A key component of Richardson's plan is a comprehensive security reorganization at the Department of Energy and its national laboratories. The plan calls for the creation of a new office, the Office of Security and Emergency Operations. It will be responsible for all safeguards and security policy, cyber-security, and emergency operations functions throughout the DOE complex.

The new office will oversee all security-related functions which previously were handled by different DOE program offices. Unfortunately, due to other demands placed on the program offices, security did not always receive the high-level consideration and focus it requires.

"By creating a consolidated security budget, where security funds are clearly separated from program funds, we ensure that security needs and priorities will not be compromised because of competing program requirements," said Secretary Richardson. "This new office which will report directly to me will strengthen and consolidate the management of our various security programs and will ensure the proper implementation of the many new counterintelligence and security measures I have ordered."

This new office will be compromised of several important components including:

2. Office of Independent Oversight and Performance Assurance

Richardson is creating a new office to independently evaluate security and emergency operations functions throughout the department. This new Office of Independent Oversight and Performance Assurance will provide independent analysis of the performance of safeguards and security and other critical functions from across the department. The new office will report directly to the Office of the Secretary.

As the case with other security-related issues, while security oversight has been an important departmental function, it was not the primary purpose of its umbrella office. By elevating and expanding the oversight functions for safeguards and security, special nuclear materials accountability, and other related areas to one new independent office, the department will ensure that any security problems can be quickly raised at the highest levels.

3. Cyber-security improvement Richardson will ask Congress for an additional $50 million over the next two fiscal years (2000 and 2001) to support additional cyber-security improvements. The funding will implement additional upgrades in electronic and physical protection to ensure the continual monitoring of DOE computers for unauthorized and non-secure use. The enhanced program also will include random audits of individual computer users to ensure compliance with property security procedures. New requirements will be established that place stringent controls on computers and workstations, including controls on removable media, removable drives, and other devices that could be used to download files. The new funding request is in addition to the $8 million in cyber-security funds Richardson announced on March 17.

4. Zero-Tolerance Security Policy

The Richardson plan establishes a "Zero Tolerance Security Policy." Under this new policy, he is sending a signal that no security infractions are acceptable. Penalties will be strengthened, including immediate suspension for verified breaches that risk a significant national security compromise, or display a willful disregard for security procedures.

5. Counterintelligence Measures

Richardson also detailed several new security related measures to continue to strengthen the department's improved counterintelligence program.

These measures are in addition to a 46-point plan Richardson approved for implementation in the fall of 1998. The recommendations were created as a result of President Clinton's signing of Presidential Decision Directive (PDD) 61 in February 1998.

6. Strengthen the Security Management Board

The administration will submit to the Congress legislation that will strengthen the charter of the Security Management Board that oversees the Department of Energy's safeguards and security. The board is comprised of Department of Defense, Central Intelligence Agency and Federal Bureau of Investigation security experts that will continuously review DOE's safeguards and security.

7. Accelerate 'Goal Posts Plan'

To improve security at the Department of Energy nuclear sites, the Richardson plan accelerates the "Goal Posts Plan." The "Goal Posts Plan" is a statement of those specific actions that must be taken by DOE nuclear sites to remedy less than satisfactory ratings that were reported in the 1997/1998 Annual Report to the President on Safeguards and Security at Defense Nuclear Facilities. By the end of this calendar year, under the accelerated plan, the laboratories and facilities should have taken the corrective actions necessary for them to meet the highest security ratings.

8. Accelerate Upgrades to Physical Safeguards and Security

The department will seek significantly increased funding to ensure the physical safeguard and security of DOE nuclear sites. The plan also calls for the application of new technologies and capabilities, including the installation of explosive detection devices and chem-bio protection capabilities at sensitive laboratories.

9. Cyber-Security Training Program

The plan establishes an aggressive department-wide cyber-security training program using mobile training teams. By the end of this year, 1,000 computer security and system administrators from across the DOE complex will be trained in the use of cutting-edge cyber-security tools and procedures. The managers will be briefed on specific cyber-security threats, their responsibility to defend against it, and countermeasures available for implementation.

10. Declassification Deadline Extension

At Richardson's request, President Clinton will extend by 18 months the automatic declassification deadline of Executive Order 12958. Under the existing Executive Order, all classified documents over 25 years old will be automatically declassified in April 2000. The Department of Energy will use the 18-month extension to ensure that all documents released by the Executive Order will have been properly declassified and searched for inadvertently commingled nuclear design information. This step will help ensure the administration's openness initiatives don't jeopardize security concerns.

"It is clear that over the past several decades, security and counterintelligence at the nuclear weapons laboratories has not been given the necessary priority and attention," explained Secretary Richardson. "Senior officials at DOE did not do enough to counteract the lab culture which tended to resist adequate security efforts."

"As a result of work by DOE and FBI investigations, it became clear by the summer of 1997 that there were systemic problems that required an aggressive and systematic response," added Richardson. "This culminated in PDD-61 (issued in February 1998) which we are now aggressively implementing with priority on appropriate oversight and accountability."

[Fact Sheets and an Organization Chart that describe and illustrate the Secretary Richardson's security and oversight reforms accompany this news release. Additional information can be located on the World Wide Web (the URL address is http://www.doe.gov).]

- DOE -

R-99-111


Department of Energy Security Reform Package

Status of DOE Counterintelligence Plan Implementation (PDD-61)

Six Further Enhancements to DOE Cyber Security

Seven Counterintelligence Measures

Organization Chart


Department of Energy Security Reform Package

Safeguards and Security, Oversight, Cyber-Security,
Counterintelligence, Counterterrorism

1. Create a New Office of Security and Emergency Operations to oversee Safeguards and Security, Cyber-Security, and Emergency Operations functions.

2. Will create a new Office Of Independent Oversight and Performance Assurance which will report directly to the Office of the Secretary

3. Establish new Office of Plutonium, Uranium and Special Material Inventory.

4. Cyber-security improvements supported by a significant budget increase.

5. Establish a "Zero Tolerance Security Policy." That sets the standard that no security infractions are acceptable.

6. Counterintelligence Improvements. Secretary Richardson has already significantly rebuilt the DOE CI program. To ensure it is as effective as possible, DOE is undertaking seven new initiatives.

7. Strengthen the "Security Management Board" that oversees the Department's Safeguards and Security. (This is a board of DOD, CIA, FBI security experts that review DOE's safeguards and security.)

8. Accelerate the "Goal Posts Plan" to improve security at the Department of Energy nuclear sites, so that by the end of this calendar year, they meet the highest security ratings.

9. Accelerate Upgrades to Physical Safeguards and Security.

10. Establish an Aggressive Department-wide cyber-security training program using mobile training teams.

11. Extend the automatic declassification deadline of Executive Order 12958 by 18 months.


Status of DOE Counterintelligence Plan
Implementation (PDD-61)

To enhance counterintelligence capabilities at DOE, President Clinton directed in February, 1998 a major reorganization and reform of the DOE Counterintelligence Program. A key element of the President's directive was the establishment of an independent Office of Counterintelligence at the DOE that reports directly to the Secretary of Energy.

The new Director of the Office of Counterintelligence was also directed to prepare a strategic plan, with recommendations for strengthening counterintelligence at DOE and its laboratories. That plan was approved by the Secretary in November 1998, and the following recommendations have been implemented to date:

Recommendations to be Implemented by August 31, 1999


SIX FURTHER ENHANCEMENTS TO DOE CYBER SECURITY

DOE will take the following near-term actions to further enhance cyber security:

1)DOE sites will establish a program to continually monitor computer systems for security

2) DOE will establish an aggressive Department-wide cyber-security training program using mobile training teams.

3)DOE will conduct random audits of individual computer users to ensure compliance with proper security procedures

4) The New Office of Oversight and Performance Assurance will establish a program of continuous independent oversight of cyber security with support from the Office of Counterintelligence

5) DOE sites will make better use of technology to combat the hacker and espionage threats.

6) DOE orders regulating downloads from classified computer systems will be enforced and compliance will be verified


Seven Counterintelligence Measures

To ensure that the Department of Energy's improved counterintelligence program is as effective as possible, Secretary Richardson is implementing several new security related measures, to include:

1. Ask the FBI to conduct all DOE "Q clearance" background investigations. End the backlog of DOE background reinvestigations.

2. Make necessary changes to regulations to allow auditing of all official government computers across the DOE complex. Mandate the use of "banners."

3. Establish a counterintelligence vulnerability assessment group reporting to the Department of Energy Office of Counterintelligence

4. Require all DOE Facilities to use intrusion detection tools, and to report all intrusions (root-level compromise) to the DOE Office of Counterintelligence and the FBI's National Infrastructure Protection Center for investigation and analysis.

5. DOE and FBI have signed a Memorandum of Understanding which ensures better coordination between the DOE Office of Counterintelligence and the FBI National Security Division.

6. Positive Reporting Requirement for counterintelligence threats.

7. Create a special set of Security and Counterintelligence requirements for all DOE and DOE contractor employees who have access to nuclear information. To include:





FAS | Government Secrecy | News ||| Index | Search | Join FAS