UT-Battelle, which manages and operates Oak Ridge National Laboratory, has to take corrective actions and pay $120,000 for the unauthorized disclosure of classified information and the introduction of classified information into unapproved information systems at the lab, according to a settlement agreement with the U.S. Department of Energy that was approved in August.
The settlement agreement was for a security event discovered March 28, 2016. On that date, UT-Battelle discovered that presentations containing classified information had been processed on unapproved information systems during a roughly five-year period. The classified presentations were stored on unapproved servers, information systems, and removable electronic media, and transmitted by unauthorized means, according to the DOE Office of Enterprise Assessments’ Office of Enforcement.
In addition, classified information was visually presented to uncleared students on a specific program, including three foreign nationals from non-sensitive countries, DOE said.
The highest classification level and category of information contained in the presentations is Secret/Restricted Data, including No Foreign, said Steven C. Simonson, director of the Office of Enforcement.
“Although the classified information involved in this security event remained within the confines of the ORNL internal network and was visually accessible to uncleared individuals briefly during presentations held at ORNL, DOE considers this longstanding, preventable event to be security significant,” Simonson said in an August 2 letter to Thomas Zacharia, the new lab director. “UT-Battelle did not effectively implement controls to protect classified information from unauthorized disclosure through requisite classification reviews, even though the information was intended for public release. Furthermore, UT-Battelle’s initial response and inquiry process for this incident of security concern were not thorough.”
The Office of Enforcement said it documented potential noncompliances in an April 14 report and chose to resolve them through the settlement agreement.
“In deciding to enter this settlement agreement, DOE considered UT-Battelle’s proactive response to a self-identified negative trend regarding security incidents at ORNL, as well as UT-Battelle’s evaluation of its classified information security program elements to determine whether systemic weaknesses collectively contributed to this trend,” Simonson said. “DOE also placed considerable weight on the appropriate set of corrective actions that UT-Battelle identified through its common cause analysis and the re-evaluation of this event’s security incident inquiry.”
The settlement agreement between DOE and UT-Battelle was signed by Simonson and Zacharia in early August. It was issued August 16.
On Saturday, ORNL Communications Director David Keim issued a brief statement on the settlement agreement.
“We take our responsibility to protect classified information seriously,” Keim said. “This was a problem that shouldn’t have happened, we self-reported it, and we’re glad DOE supports our corrective measures. We have improved our communication of requirements, added training for staff who may handle classified materials, added reviews to our process, and added more staff to serve as reviewers.”
The settlement agreement said the classified information was initially contained in the “notes” section of one slide in 2011. Revisions in 2012 added two more slides that contained classified information, and a previous slide became classified due to new classification guidance. The classified information remained in subsequent presentations each year through 2016, DOE said.
The department said UT-Battelle believed the original 2011 presentation had been reviewed for classification and determined to be unclassified, which affected later decisions to handle the document as unclassified.
“However, there is no evidence that any version of this presentation was processed through a formal review and approval process that requires a classification review by the classification officer for information in a classified subject area prior to public release,” the settlement agreement said. “Given the audience for this presentation, such a process would have been required initially and each of the three times it was revised.”
DOE said UT-Battelle had noted in early 2016, before discovering this security event, that the number of security incidents at ORNL was increasing. The contractor had started evaluating internal processes and procedures that govern classified work to identify common causes of the security incidents.
That analysis of common causes was completed in June 2016, after the security event. The analysis identified “opportunities for UT-Battelle to be better prepared to identify and properly control potentially classified information,” DOE said, but it did not “address the programmatic deficiencies in the area of classification review and approval of information needed for public release.”
In its April 14 report, DOE said it found deficiencies in correctly identifying classified information, obtaining the required classification review, and appropriately marking the information; conducting an adequate and thorough security incident inquiry; using approved information systems to develop, store, and disseminate classified information; and protecting and controlling classified information from unauthorized disclosure.
UT-Battelle asked for the settlement agreement to resolve the potential noncompliances because, among other actions, it had identified the possible negative trend, completed an analysis of common causes, and developed an extensive corrective action plan; started corrective actions; analyzed classifiers to ensure that appropriate resources were available and that responsibilities and authorities were accurate and clearly defined; and developed and implemented a series of formal briefings and trainings to raise awareness and reinforce expectations. The settlement agreement is in lieu of an enforcement action.
Besides requiring the $120,000 payment, the settlement agreement requires UT-Battelle to ensure that:
- Corrective actions focus on more effective project execution related to the handling of classified information, including the identification, review, and marking of classified information; information protection and control; and enhanced classified cyber security.
- Corrective actions focus on a more thorough event response when necessary, such as enhancing classified cyber security through more effective and efficient cyber sanitization, security incident inquiries, causal analysis, and corrective actions.
DOE said it reserves the right to re-open the investigation if the department later becomes aware that UT-Battelle provided any false or materially inaccurate information, if there is a recurrence of classified information security deficiencies similar to those described in the settlement agreement, or if there is a delay in completing all actions prescribed in the settlement agreement.
“The Office of Enforcement, Office of Science, and Oak Ridge National Laboratory Site Office will continue to closely monitor UT-Battelle’s implementation of DOE classified information security requirements until the issues associated with this settlement agreement are fully resolved,” Simonson said.
You can see a summary of the settlement agreement here.
You can see Simonson’s letter to Zacharia along with a copy of the settlement agreement here.
More information will be added as it becomes available.
Do you appreciate this story or our work in general? If so, please consider a monthly subscription to Oak Ridge Today. See our Subscribe page here. Thank you for reading Oak Ridge Today.
Copyright 2017 Oak Ridge Today. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.