Following the July 28, 2012, security breach at the Y-12 National Security Complex (Y-12), the Department of Energy's (Department) Office of Health, Safety and Security (HSS) was tasked with conducting a comprehensive inspection of the site's security organization. The inspection, initiated on August 27, 2012, included both practical exercises and tests designed to evaluate the knowledge, skills and abilities of the site's Protective Force. In our continued monitoring of the situation, the Office of Inspector General initiated a special review into alleged compromise of the HSS inspection.
Our inquiry confirmed that the security knowledge test, including answers to the test questions, had been compromised and that it had been distributed in advance of the test to numerous WSI-Oak Ridge (WSI-OR) Captains, Lieutenants, and Security Police Officers (SPO), the very people whose knowledge was to have been evaluated as part of this process. Specifically, despite the fact that the document was labeled as a test and was initially distributed via encrypted email to individuals appointed as "Trusted Agents," WSI-OR officials treated the document as if it were a training aid, mentioned its receipt at daily Protective Force supervisor meetings, and widely distributed it to a variety of officers.
While we do not believe that they excuse actions taken in this case, we observed several opportunities to improve the integrity and transparency of the knowledge testing process. Although the Federal official who initially distributed the test took action to protect its contents by encrypting the email used to transmit it and sending it only to "Trusted Agents," the email did not contain specific instructions for protecting the test against compromise. The transmitting email only asked for comments on the applicability of the security questions to the Y-12 environment. The lack of detailed instructions is particularly relevant in that the Department Order regarding the designation of "Trusted Agents" does not specifically mention that the practice is also applicable to security knowledge tests. In addition, as with the recent intrusion at the Highly Enriched Uranium Materials Facility described in our Special Report on Inquiry into the Security Breach at the National Nuclear Security Administration's Y-12 National Security Complex (DOE/IG-0868, August 2012), problems with the administration of the National Nuclear Security Administration's contractor governance system appeared to have had a role in the compromise of the test materials at Y-12, certainly, the assurance system did not prevent the compromise. Therefore, we made several recommendations that, if fully implemented, should help restore confidence in the integrity of the Department's protective forces.
Management did not agree that its implementation of the governance process was a contributory cause of the knowledge test compromise. We recognize that there was a breakdown of controls at the contractor level regarding the Trusted Agent concept. However, our analysis also led us to conclude that there was a more fundamental issue involving the lack of in-depth security knowledge and involvement of Federal oversight officials. Management agreed to implement our recommendations regarding the integrity of security testing at all sites.
"After publication of our report, Babcock and Wilcox Technical Services Y-12 (B&W Y-12) sent the Office of Inspector General a letter asking us to clarify one aspect of the report. Specifically, B&W Y-12 believed that a reader could incorrectly conclude from our report that one of its management officials routinely distributed proposed tests to security police officers prior to the test being administered. As our reports notes, however, the B&W Y-12 official told us that the test was distributed to “protective force management” for validation prior to administration. B&W Y-12's correspondence can be found by clicking on the below document titled, "B&W Y-12 Correspondence"