U.S. nuclear safety agency unveils new data, physical security controls

Published 12 July 2010

NNSA announces the rollout of new information and physical security controls aimed at balancing efficiency and safety; officials said, though, that the implementation of cybersecurity improvements is about a year behind the progress the agency has made on physical protection

The agency that oversees the U.S.’s nuclear weapons stockpile announced last week the rollout of new information and physical security controls aimed at balancing efficiency and safety. Officials said, though, that the implementation of cybersecurity improvements is about a year behind the progress the agency has made on physical protection.

The National Nuclear Security Administration (NNSA) adopted on 2 July new policies on information and physical security that replace existing rules. The changes were prompted by a yearlong review of the agency’s security posture.

Completion of the overhaul is not expected for several years. During the past decade, NNSA has suffered a series of high-profile data breaches.

“We’re really just beginning our security reform initiatives,” said Brad Peterson, chief of Defense nuclear security at NNSA, during a call with reporters. “We’ve had a lot of success in the physical protection realm. … We’re probably a year behind where we are in our [cybersecurity] reform efforts compared to physical.”

Nextgov’s Aliya Sternstein writes that one of the key information security changes is a standard rule on what types of data formats must be handled as “accountable matter,” or material that is so secret it requires a complex audit trail. Under the new guidelines, accountability applies to all Top Secret information, regardless of whether the material is stored electronically or on paper. “We’re making it consistent for how we treat paper and electronic media,” Peterson said.

Simultaneously, the agency decided to exclude removable media devices such as thumb drives that contain only secret-level information from accountability.

“The removal of accountable classified removable electronic media carefully weighed cost versus benefits and restores conformity with the National Industrial Security Program,” the new info policy document stated. “The National Industrial Security Program operating manual does not require the accounting of information classified at the secret level.”

The policies come on the heels of a number of embarrassing episodes going back to 1999, when classified NNSA data was compromised. The Los Alamos National Laboratory, which NNSA oversees, had at least five security lapses during a 10-year period. For instance, in October 2006, evidence obtained during a drug-related investigation in Los Alamos, New Mexico, revealed that classified information on a thumb drive had been improperly removed from the lab. In 2003 and 2004, the lab could not account for classified removable electronic media, including compact discs and removable hard drives. In 1999 a scientist transferred classified information from lab computer systems onto unmarked discs and then removed the discs from the site.

In 2009 the Government Accountability Office (GAO) found significant weaknesses remain in protecting the confidentiality and integrity of information stored and transmitted over the lab’s classified computer networks.

“We really see this as a beginning,” Peterson said of the new security initiative. “It’s going to change the way that we do business. It’s going to take us years to make the changes.”

He said the agency already has drastically reduced its inventory of removable drives to minimize the risk of losing critical information. Personnel now rely more on a closed classified network to remotely and securely access internal networks, Peterson added.