Nuclear Security: DOE Should Take Actions to Fully Implement Insider Threat Program

GAO-23-105576 Published: May 24, 2023. Publicly Released: May 24, 2023.

Fast Facts

The Department of Energy has several programs to ensure proper access to and handling of the nation's nuclear weapons and related information. DOE started a program in 2014 to further protect against insider threats from employees, contractors, and trusted visitors.

But as of 2023, DOE hasn't fully implemented the program. For example, DOE doesn't ensure that employees are trained to identify and report potential insider threats. Also, the agency hasn't clearly defined contractors' responsibilities for this program.

DOE changed the program's leadership in February 2023, but there's more to do. We recommended ways to improve the program.

Highlights

What GAO Found

The Department of Energy (DOE) has not implemented all required measures for its Insider Threat Program more than 8 years after DOE established it in 2014, according to multiple independent assessments. Specifically, DOE has not implemented seven required measures for its Insider Threat Program, even after independent reviewers made nearly 50 findings and recommendations to help DOE fully implement its program (see fig. for examples). DOE does not formally track or report on its actions to implement them. Without tracking and reporting on its actions to address independent reviewers' findings and recommendations, DOE cannot ensure that it has fully addressed identified program deficiencies.

Examples of Selected Recommendations from Independent Assessments of DOE's Insider Threat Program

DOE has not fully implemented its Insider Threat Program due to multiple factors.

  • DOE has not integrated program responsibilities. DOE has not effectively integrated Insider Threat Program responsibilities. Instead, DOE divided significant responsibilities for its program between two offices. Specifically, the program's senior official resides within the security office, while operational control for insider threat incident analysis and response resides within the Office of Counterintelligence—a part of the organization with its own line of reporting to the Secretary of Energy. Without better integrating insider threat responsibilities between these offices, DOE's insider threat program will continue to face significant challenges that preclude it from having an effective or fully operational program.
  • DOE has not identified and assessed resource needs. DOE has not identified and assessed the human, financial, and technical resources needed to fully implement its Insider Threat Program. Program funding identified in DOE's budget does not account for all program responsibilities. For example, DOE's budget does not include dedicated funding for its contractor-run nuclear weapons production and research sites to carry out their responsibilities for implementing the program. Unless DOE identifies and assesses the resources needed to support the Insider Threat Program, it will be unable to fully ensure that components are equipped to respond to insider threat concerns, potentially creating vulnerabilities in the program.

Why GAO Did This Study

The theft of nuclear material and the compromise of information could have devastating consequences. Threats can come from external adversaries or from "insiders," including employees or visitors with trusted access. In 2014, DOE established its Insider Threat Program to integrate its policies, procedures, and resources. The program also coordinates analysis, response, and mitigation actions among DOE organizations.

The House report accompanying a bill for the National Defense Authorization Act for fiscal year 2022 includes a provision for GAO to review DOE's efforts to address insider threats with respect to the nuclear security enterprise. This report examines (1) the extent to which DOE has implemented required standards to protect the nuclear security enterprise from insider threats and (2) the factors that have affected DOE's ability to fully implement its Insider Threat Program.

GAO reviewed the minimum standards and best practices for federal insider threat programs, DOE documentation, and four assessments by independent reviewers. GAO also interviewed DOE and National Nuclear Security Administration officials and contractors.

Recommendations

GAO is making seven recommendations to DOE, including (1) to track and report on actions it takes to address reviewers' findings and recommendations, (2) to establish a process to better integrate program responsibilities, and (3) to assess resource needs for the program. DOE agreed with the recommendations and described plans to address them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Energy
The Insider Threat Program senior official should develop a mechanism to track actions taken in response to findings and recommendations it receives from independent assessments. (Recommendation 1)
Open – Partially Addressed
As of February 2025, DOE had developed a Near-Term Strategy that identified actions the agency plans to take in response to the findings and recommendations from the DOE Inspector General and GAO. DOE indicated in that strategic document that it planned to develop an additional mechanism that would track recommendations from all independent reviewers of the program, and which would be updated quarterly.
Department of Energy
The Insider Threat Program senior official should resume annual reporting and include in those reports the actions the program has taken to address findings and recommendations it receives from independent assessments. (Recommendation 2)
Open – Partially Addressed
As of February 2025, DOE produced an annual report covering calendar year 2022. However, DOE indicated in a strategy document that it planned to set a recurring due date for future annual reports and that it would meet the annual deadline. An annual report covering calendar years 2023 or 2024 was not available as of February 2025.
Department of Energy
Priority Rec.
The Insider Threat Program senior official should establish a process to better integrate insider threat responsibilities, ensuring that the senior official can centrally manage all aspects of the Insider Threat Program. (Recommendation 3)
Open – Partially Addressed
In December 2024, DOE revised its Insider Threat Program order--DOE Order 470.5A--which calls for better integration of insider threat responsibilities. For example, new language in the order directs the Insider Threat Program senior official to provide direction and oversight for a single and centralized Analysis and Referral Center, in coordination with the DOE Director of Intelligence, to ensure the program's access to information. The revised DOE order also places the Analysis and Referral Center within the Insider Threat Program and directs the center to report to the program's senior official. DOE is still completing other actions in response to this recommendation. In its Near-Term Strategy document, DOE identified several actions yet to be completed, including: (1) the Insider Threat Program senior official producing a series of memoranda to clarify program roles and responsibilities; and (2) hiring a liaison to better coordinate referrals between the Analysis and Referral Center and the Office of Environment, Health, Safety, and Security through a to-be-completed memorandum of agreement or memorandum of understanding. We will continue to monitor the implementation of these planned actions.
Department of Energy
Priority Rec.
The Secretary of Energy should ensure that the Insider Threat Program achieves a single, department-wide approach to managing insider risk. (Recommendation 4)
Closed – Implemented
In December 2024, DOE revised its Insider Threat Program Order--DOE Order 470.5A--which establishes a "comprehensive" Insider Threat Program for the agency. The revised order provides direction to all departmental and field elements on their specific responsibilities for supporting the program. This includes clearer and more consistent direction on the establishment and operation of Local Insider Threat Working Groups across the agency, as well as improved guidance for incident reporting from DOE sites. The previous DOE order identified only four responsibilities for the local working groups using vague and non-specific language. The revised order identifies fourteen responsibilities in detail, including requirements for receiving and communicating insider threat issues with the Analysis and Referral Center and Insider Threat Program senior official. The Secretary of Energy had previously designated a new senior official for the program and directed all DOE elements to support the senior official in their responsibilities. With the new leadership and revised DOE order, DOE is better positioned to centrally manage insider risk at the agency.
Department of Energy
The Insider Threat Program senior official should work with DOE program offices and NNSA, in coordination with contracting officers, as appropriate, to ensure that contractors' specific Insider Threat Program responsibilities are clearly stated and consistently applied across the sites by, for example, reviewing and, if necessary, revising contract requirements to include responsibilities such as insider threat response actions. (Recommendation 5)
Closed – Implemented
In December 2024, DOE issued its revised Insider Threat Program order--DOE Order 470.5A--which provides clearer and more consistent direction to contractors on their insider threat program responsibilities. The order revised the Contractor Requirements Document by appending two attachments that provide detailed direction to contractors on (1) Insider Threat Program baseline requirements and (2) Local Insider Threat Working Group reporting guidelines.
Department of Energy
The Insider Threat Program senior official should work with Insider Threat Program stakeholders to identify all departmental resources that support the Insider Threat Program. (Recommendation 6)
Closed – Implemented
In December 2024, DOE issued its revised Insider Threat Program Order--DOE Order 470.5A--which directs the Insider Threat Program senior official to ensure that the heads of all departmental elements identify resources to support the program.
Department of Energy
The Insider Threat Program senior official should work with stakeholders to assess the program's human, financial, and technical resource needs and make recommendations to the Secretary on where resources should be allocated so that the program is positioned to achieve minimum standards. (Recommendation 7)
Open – Partially Addressed
In December 2024, DOE issued its revised Insider Threat Program order--DOE Order 470.5A--which directs the program's senior official to make recommendations on the program's resource and budgetary needs to the Secretary of Energy. It also directs the program's Executive Steering Committee to make recommendations to the Secretary on resource allocation throughout the agency so that the program is positioned to achieve minimum standards. Each departmental element is responsible for ensuring that it has the requisite resources to fulfill its obligations to the program. According to DOE, program elements and NNSA, having governance and oversight responsibilities for specific insider threat functions, will communicate resource needs through established budget channels and will also inform the Insider Threat Program senior official of resource needs specific to insider threat operations. Additionally, the Executive Steering Committee, chaired by the senior official, will annually review program requirements identified in the revised order and provide recommendations for accomplishing national standards. Given the recent issuance of the revised order, we are following closely to see what recommendations are made to the Secretary and to document any additional resources that have been provided to help the program meet minimum standards.

GAO Contacts

Allison Bawden
Director
Natural Resources and Environment

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Best practices, Classified information, Program implementation, Compliance oversight, Human capital management, Military intelligence, National security, Nuclear security, Program management, Referral centers, Risk management, Security assessments, Strategic plan, Systems verification and validation