Global Security Newswire

WASHINGTON -- The U.S. National Nuclear Security Agency yesterday released new rules for securing information and facilities in the U.S. atomic weapons complex, but at least one prominent critic is already raising doubts about whether the changes would bolster protection against spies or terrorists (see GSN, Nov. 17, 2009).

Agency Administrator Thomas D'Agostino on July 2 signed two lengthy policy letters, one on information security and another on physical protection. Both documents were publicly debuted Thursday.

They lay out detailed procedures that will allow the national laboratories, nuclear production and dismantlement facilities and other organizations under NNSA purview to use security procedures that are more consistent with "national standards," according to Brad Peterson, the agency's chief of defense nuclear security.

"These reforms will ultimately result in updated security policies and practices that will maintain a robust security posture at all of our sites and improve NNSA's ability to implement our vital national security mission," he said in a written announcement.

However, consistency with other federal agency practices should not be a primary objective in such matters, according to Peter Stockton, who served as special assistant to the energy secretary for cyber and nuclear security issues from 1999 to 2001. In his view, NNSA standards should be stricter.

"These facilities are different from most other federal facilities because they contain the most dangerous materials on the face of the planet -- not only weapons but the material to make a weapon in a matter of minutes," Stockton told Global Security Newswire in a written response to questions.

The changes are part of a Security Reform Initiative the nuclear security agency -- a semiautonomous arm of the Energy Department -- launched in June 2009, Peterson said during a telephone press conference.

His office has been collaborating "extensively" with NNSA field sites and the Energy Department's health, safety and security office to analyze the nuclear agency's security posture and determine appropriate policies for implementation, the release states.

Some of the new rules will strengthen controls while, under some circumstances, security could be relaxed in selected areas where it is deemed excessive, Peterson said. These "minor adjustments" would not heighten risks, he said.

For example, the agency will restore so-called "day-lock" procedures for classified information in use during working hours. A day-lock approach permits users to "temporarily leave classified matter in areas where access is controlled and limited to individuals with appropriate clearance and need-to-know," according to the new documents.

This change should allow more flexible access for legitimate users while preserving security in "a configuration virtually unpredictable for an adversary to exploit," according to the 83-page letter on physical protection.

Another new rule would allow facilities in the nuclear complex to use what are termed "closed areas" for storing sensitive items if vault-type rooms appear "unsuitable or impractical" in certain instances.

"The use of [closed areas] within NNSA provides a level of security consistent with national standards and allows increased flexibility in storage of classified matter," states the physical-protection document.

One facet of the initiative is to make the agency a more "responsible steward of tax dollars," according to the announcement, and Peterson said he anticipates that "tens of millions of dollars" could be saved over the next five years. Specifics were not immediately available, he said.

The National Nuclear Security Administration was established in 2000 after protective controls at the Los Alamos National Laboratory in New Mexico and other atomic weapons facilities were found to be too lax, allowing for the mishandling of classified information.

Even years after its formation, the nuclear agency has been criticized repeatedly by the Government Accountability Office and other watchdog organizations for fresh lapses, including a Los Alamos computer network that failed to limit access solely to authorized users. In a 2006 incident, one Los Alamos worker took home a flash drive and more than 200 pages in classified documents (see GSN, Dec. 20, 2007).

Los Alamos is not the only major facility to encounter problems. At the Y-12 National Security Complex in Oak Ridge, Tenn., security contractor Wackenhut has fired or disciplined workers following a variety of slip-ups, including napping on the job, bringing video games or recording equipment to work, and using anabolic steroids (see GSN, Aug. 21, 2009). The site is responsible for storing weapon-grade uranium and inspecting and assembling nuclear warheads, among other activities.

Over the past decade, NNSA officials have instituted a number of security improvements such as diskless computing, in which sensitive data is stored remotely in protected facilities, Peterson said.

More broadly, over time, there has been a "layering on of additional requirements," he said.

Now, two years into his job as head of defense nuclear security, Peterson said agency officials "haven't always been able to clearly articulate what was the real need" in terms of securing information systems or physical plants.

With the new reforms, the agency is "trying to make sure that what we are doing is absolutely necessary, we know where every dollar is going, and every dollar should be buying down some risk for the American people," he told reporters.

Yet, the policy letters do not spell out clearly what security improvements the changes can be expected to usher in, according to Stockton.

The newly released directives "[appear] to contain nothing but meaningless verbiage," he told GSN.

Stockton, now a senior investigator at the Project on Government Oversight, also questioned the process by which the nuclear agency formulated the documents. He finds NNSA-touted collaboration with the Energy Department's security office to be inappropriate.

"Strong security requires that HSS [the Energy Department's health, safety and security office] be independent from NNSA, and function as an overseer of NNSA policy by conducting independent performance tests of the physical and cyber security of the labs and production facilities," Stockton said.

He cited an unreleased draft report from the DOE inspector general asserting that similar NNSA partnering with department-level oversight offices had compromised safety at Los Alamos.

"Over the last several decades," Stockton said, "all of the studies of each security debacle within the nuclear weapons complex [concluded] that there is a lack of government oversight" over contractors that run the facilities.

Peterson -- who noted his team will likely fine-tune these policies and develop new ones for cyber security in the coming years -- said that any time humans are involved in an enterprise, there will be errors.

"We're going to have problems," he said at yesterday's press conference. "This is an environment with security [in which] we are very dependent on people, and people make mistakes. So we're going to watch carefully our implementation [and] see where we need to make adjustments."