A new report by the Government Accountability Office (GAO) found that the Department of Energy (DoE) hasn’t fully implemented its Insider Threat Program, more than eight years after it established the program in 2014.
The DoE has several programs to ensure proper access to and handling of the nation’s nuclear weapons and related information. In 2014, DoE established its Insider Threat Program to integrate its policies, procedures, and resources to further protect against insider threats from employees, contractors, and trusted visitors. The program also coordinates analysis, response, and mitigation actions among DoE organizations.
“Specifically, DoE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DoE fully implement its program,” the report states.
The report explains that multiple factors have inhibited DoE from fully implementing its Insider Threat Program.
First, the DoE has not effectively integrated Insider Threat Program responsibilities. Instead, the agency has divided significant responsibilities for its program between two offices – the program’s senior official resides within the security office, and the operational control for insider threat incident analysis and response resides within the Office of Counterintelligence. Each has differing lines of reporting to the Secretary of Energy.
According to the GAO report, DoE’s insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program “without better integration of insider threat responsibilities between these offices.”
Second, GAO found that DoE does not formally track or report on its actions to address independent reviewers’ findings and recommendations. Without that tracking and reporting, the agency cannot ensure that it has fully addressed identified program deficiencies.
Third, DoE has not identified and assessed the resources needed to fully implement its Insider Threat Program. According to the report, DoE’s budget for the program does not account for all program responsibilities – including the human, financial, and technical resources needed.
“For example, DoE’s budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program,” the report states.
The report goes on to explain that unless DoE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.
GAO made seven recommendations to DoE, including tracking and reporting actions it takes to address reviewers’ findings and recommendations, establishing a process to better integrate program responsibilities, and assessing resources needed for the program.
DoE agreed with the recommendations.