Alissa Tabirian
NS&D Monitor
6/5/2015
Sandia National Laboratories committed six violations of the Department of Energy’s classified information security requirements and is facing a proposed penalty of more than half a million dollars, according to a Preliminary Notice of Violation the DOE Office of Enforcement released this week. The security concern, discovered at SNL’s New Mexico site in July 2012, involved the unauthorized disclosure of classified information in an employee’s presentation. DOE found that the presentation was stored on an unclassified server and, following further investigation, discovered that “beginning as early as 1997 the author had developed approximately 47 separate variations of the 2012 presentation without obtaining requisite classification reviews.”
According to the notice, the presentation contained 13 slides with classified information, including Critical Nuclear Weapon Design Information, and was not submitted to Sandia’s classification office for review. Variations of the presentation were delivered “on at least three occasions at public venues” and to audiences that included those without security clearances. Additionally, “approximately 300 Sandia participants in a technical training program had access to electronic versions of the presentations,” the notice says. Some classified material also remained on a version of the presentation stored on an unclassified shared server, and Sandia’s investigation “confirmed that one of these contaminated Sandia unclassified servers was accessible to foreign nationals for over eight years,” the notice says. Sandia “sanitized” the contaminated server after discovering the incident, but “only searched for the author’s work by the title of the 2012 presentation and not his name,” leaving other versions of the presentation on the server, according to DOE.
Sandia’s corrective actions included “security awareness and lessons-learned activities and some procedural changes,” the notice says. Citing Sandia’s failure to conduct classification reviews and “protect and control classified information for more than a decade,” DOE has proposed a total penalty of $577,500. Sandia has been given 30 days to submit a response. In a written statement this week, Sandia spokesperson Nancy Salem said, "Sandia has taken this security issue seriously since becoming aware of it in 2012. After discovering and reporting the issue, Sandia analyzed the causes and identified, developed and carried out a series of improvements that will reduce the likelihood of security violations of this kind."
