Inspection Report on "Internal Controls over Accountable Classified Removable Electronic Media at Oak Ridge National Laboratory"
The Department of Energy's Oak Ridge National Laboratory (ORNL) conducts cutting edge scientific research. ORNL utilizes removable electronic media, such as computer hard drives, compact disks, data tapes, etc., to store vast amounts of classified information. Incidents involving breakdowns in controls over classified removable electronic media have been a continuous challenge for the Department. The loss of even one piece of such media can have serious national security implications. In 2004, the Department had a complex-wide 'stand-down' of all activities using classified removable electronic media, and such media containing Secret/Restricted Data or higher classified data was designated 'Accountable Classified Removable Electronic Media' (ACREM). As part of the stand-down, sites were required to conduct a 100 percent physical inventory of all ACREM; enter it all into accountability; and conduct security procedure reviews and training. Further, the Department implemented a series of controls, including conducting periodic inventories, utilizing tamper proof devices on ACREM safes, and appointing trained custodians to be responsible for the material. After performance testing and validation that the required accountability systems were in place, ACREM operations at ORNL were approved for restart on August 10, 2004. We conducted a review at ORNL and associated facilities to determine whether ACREM is managed, protected, and controlled consistent with applicable requirements. We found that: (1) Eight pieces of Secret/Restricted Data media had not been identified as ACREM and placed into a system of accountability. Consequently, the items were not subject to all required protections and controls, such as periodic accountability inventories, oversight by a trained custodian, or storage in a designated ACREM safe. (However, the items were secured in safes approved for classified material.) (2) Other required ACREM protections and controls were not implemented as follows: a tamper indicating device was not being used on an ACREM safe; records documenting when a certain safe was opened did not support that a purported inventory had been conducted; and a safe inventory had not been completed in a timely manner. (3) A Personal Digital Assistant and a thumb drive, both capable of recording or transmitting data, were stored in a security area without an analysis to identify vulnerabilities and compensatory measures having been conducted, as required. We also found that an ORNL Cooperative Research and Development Agreement partner had not disabled classified computer ports at the partner's site that were capable of writing classified information to external or removable media, as required. We made several recommendations designed to enhance the security of ACREM, security areas, and computers.
- Research Organization:
- DOEIG (USDOE Office of the Inspector General (IG) (United States))
- Sponsoring Organization:
- USDOE
- OSTI ID:
- 963953
- Report Number(s):
- INS-O-09-02; TRN: US200919%%171
- Country of Publication:
- United States
- Language:
- English
Similar Records
Inspection Report "Personal Property Management at Lawrence Livermore National Laboratory"
CREM monitoring: A wireless RF application