DOE, GAO clash over classified systems

The Energy Department is on the right path in upgrading its protection and control over classified information, but there is still much work to be done, according to General Accounting Office report released late last month.

The GAO report found that the Los Alamos and Sandia national laboratories had implemented DOE's access controls and need-to-know requirements for the classified computer systems containing the most sensitive information. However, GAO noted that the department's "requirements for documenting need-to-know [access] lack specificity, allowing laboratory managers wide variation in interpretation and implementation."

The need-to-know decisions varied from detailed, individual reviews to blanket approvals for hundreds of staff members for all classified data in a computer system, and often did not include time period limits or re-evaluation requirements, according to the report.

In order to improve classified document security and accountability, GAO recommended that the secretary of Energy:

* Issue more specific requirements for documenting need-to-know determinations.

* Provide guidance on when the use of "blanket" need-to-know approvals for large numbers of employees is appropriate and how it should be documented.

DOE received a draft of the GAO report and disagreed with the findings.

In an Aug. 13 letter, Joseph Mahaley, director of DOE's Office of Security and Emergency Operations, said broad need-to-know access is limited to "very specific situations" at the labs, such as efforts that have a common theme and include tens of thousands of documents.

DOE also disagreed with the recommendation that called for more specific requirements.

"DOE's rules provide the freedom necessary for line managers to exercise the appropriate control over classified information, while allowing for the operational flexibility absolutely necessary to carry out our programmatic mission of advancing national security," according to the Mahaley letter.

For its part, the GAO said DOE misunderstood its recommendations and that it was not suggesting "more stringent rules for granting need-to-know," but asserting its belief that "DOE needs to require better documentation of the analysis and justifications for granting need-to-know."