b'<html>\n<title> - CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n\n \n     CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY\n\n=======================================================================\n\n\n\n\n                                HEARINGS\n\n                               BEFORE THE\n\n              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                       JANUARY 30, APRIL 20, 2007\n\n                               __________\n\n                            Serial No. 110-1\n\n\n      Printed for the use of the Committee on Energy and Commerce\n\n                        energycommerce.house.gov\n\n\n\n\n                      U.S. GOVERNMENT PRINTING OFFICE\n35-446 PDF                    WASHINGTON  :  2007\n---------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government\nPrinting Office Internet:  bookstore.gpo.gov Phone:  toll free (866)\n512-1800; DC area (202) 512-1800 Fax: (202)512-2250 Mail: Stop SSOP,\nWashington, DC 20402-0001 \n\n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                  JOHN D. DINGELL, Michigan, Chairman\n\nHENRY A. WAXMAN, California          JOE BARTON, Texas\nEDWARD J. MARKEY, Massachusetts          Ranking Minority Member\nRICK BOUCHER, Virginia               RALPH M. HALL, Texas\nEDOLPHUS TOWNS, New York             J. DENNIS HASTERT, Illinois\nFRANK PALLONE, Jr., New Jersey       FRED UPTON, Michigan\nBART GORDON, Tennessee               CLIFF STEARNS, Florida\nBOBBY L. RUSH, Illinois              NATHAN DEAL, Georgia\nANNA G. ESHOO, California            ED WHITFIELD, Kentucky\nBART STUPAK, Michigan                BARBARA CUBIN, Wyoming\nELIOT L. ENGEL, New York             JOHN SHIMKUS, Illinois\nALBERT R. WYNN, Maryland             HEATHER WILSON, New Mexico\nGENE GREEN, Texas                    JOHN SHADEGG, Arizona\nDIANA DeGETTE, Colorado              CHARLES W. ``CHIP\'\' PICKERING, \n    Vice Chairman                    Mississippi\nLOIS CAPPS, California               VITO FOSSELLA, New York\nMIKE DOYLE, Pennsylvania             STEVE BUYER, Indiana\nJANE HARMAN, California              GEORGE RADANOVICH, California\nTOM ALLEN, Maine                     JOSEPH R. PITTS, Pennsylvania\nJAN SCHAKOWSKY, Illinois             MARY BONO, California\nHILDA SOLIS, California              GREG WALDEN, Oregon\nCHARLES A. GONZALEZ, Texas           LEE TERRY, Nebraska\nJAY INSLEE, Washington               MIKE FERGUSON, New Jersey\nTAMMY BALDWIN, Wisconsin             MIKE ROGERS, Michigan\nMIKE ROSS, Arkansas                  SUE MYRICK, North Carolina\nDARLENE HOOLEY, Oregon               JOHN SULLIVAN, Oklahoma\nANTHONY D. WEINER, New York          TIM MURPHY, Pennsylvania\nJIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas\nG.K. BUTTERFIELD, North Carolina     MARSHA BLACKBURN, Tennessee\nCHARLIE MELANCON, Louisiana\nJOHN BARROW, Georgia\nBARON P. HILL, Indiana\n\n                                 ______\n\n                           Professional Staff\n\n                 Dennis B. Fitzgibbons, Chief of Staff\n\n                  Gregg A. Rothschild, General Counsel\n\n                     Sharon E. Davis,  Chief Clerk\n\n                 Bud Albright, Minority Staff Director\n\n                                 ______\n\n              Subcommittee on Oversight and Investigations\n\n                    BART STUPAK, Michigan, Chairman\n\nDIANA DeGETTE, Colorado              ED WHITFIELD, Kentucky\nCHARLIE MELANCON, Louisiana              Ranking Minority Member\nHENRY A. WAXMAN, California          GREG WALDEN, Oregon\nGENE GREEN, Texas                    MIKE FERGUSON, New Jersey\nMIKE DOYLE, Pennsylvania             TIM MURPHY, Pennsylvania\nJAN SCHAKOWSKY, Illinois             MICHAEL C. BURGESS, Texas\nJAY INSLEE, Washington               MARSHA BLACKBURN, Tennessee\n\n                                  (ii)\n\n\n                             C O N T E N T S\n\n                              ----------                              \n\n                            JANUARY 30, 2007\n\n                                                                   Page\nBarton, Hon. Joe, a Representative in Congress from the State of \n  Texas, opening statement.......................................     7\nBurgess, Hon. Michael C., a Representative in Congress from the \n  State of Texas, opening statement..............................    11\nDeGette, Hon. Diana, a Representative in Congress from the State \n  of Colorado, opening statement.................................     8\nDingell, Hon. John D., a Representative in Congress from the \n  State of Michigan, opening statement...........................     5\nGreen, Hon. Gene, a Representative in Congress from the State of \n  Texas, prepared statement......................................    13\nMurphy, Hon. Tim, a Representative in Congress from the \n  Commonwealth of Pennsylvania, opening statement................    13\nStupak, Hon. Bart, a Representative in Congress from the State of \n  Michigan, opening statement....................................     1\nWalden, Hon. Greg, a Representative in Congress from the State of \n  Oregon, opening statement......................................    10\nWhitfield, Hon. Ed, a Representative in Congress from the \n  Commonwealth of Kentucky, opening statement....................     4\n\n                               Witnesses\n\nAnastasio, Michael R., Director, Los Alamos National Laboratory..    56\n    Prepared statement...........................................    73\n    Answers to submittted questions..............................    96\nBrian, Danielle, executive director, Project on Government \n  Oversight......................................................    19\n    Prepared statement...........................................    98\nD\'Agostino, Hon. Thomas P., Acting Administrator, National \n  Nuclear Security Administration................................    51\n    Prepared statement...........................................   111\nFriedman, Gregory H., Inspector General, U.S. Department of \n  Energy.........................................................    15\n    Prepared statement...........................................   119\nPodonsky, Glenn S., Chief Health, Safety and Security Officer, \n  Office of Health, Safety and Security, U.S. Department of \n  Energy.........................................................    17\n    Prepared statement...........................................   132\nPyke, Thomas N. Jr., Chief Information Officer, U.S. Department \n  of Energy......................................................    55\n    Prepared statement...........................................   143\nSell, Hon. Clay, Deputy Secretary, U.S. Department of Energy.....    40\n    Prepared statement...........................................   145\nWilbanks, Linda, Chief Information Officer, National Nuclear \n  Security Administration........................................    53\n    Prepared statement...........................................   148\n\n                             APRIL 20, 2007\n\nBlackburn, Hon. Marsha, a Representative in Congress from the \n  State of Tennessee, opening statement..........................   164\nBurgess, Hon. Michael C., a Representative in Congress from the \n  State of Texas, opening statement..............................   171\nDeGette, Hon. Diana, a Representative in Congress from the State \n  of Colorado, prepared statement................................   166\nDingell, Hon. John D., a Representative in Congress from the \n  State of Michigan, opening statement...........................   161\nDoyle, Hon. Mike, a Representative in Congress from the \n  Commonwealth of Pennsylvania, opening statement................   170\nGreen, Hon. Gene, a Representative in Congress from the State of \n  Texas, prepared statement......................................   163\nStupak, Hon. Bart, a Representative in Congress from the State of \n  Michigan, opening statement....................................   157\nWalden, Hon. Greg, a Representative in Congress from the State of \n  Oregon, opening statement......................................   162\nWhitfield, Hon. Ed, a Representative in Congress from the \n  Commonwealth of Kentucky, opening statement....................   160\n\n                               Witnesses\n\nAnastasio, Michael R., director, Los Alamos National Laboratory, \n  Los Alamos, NM.................................................   184\n    Prepared statement...........................................   201\nBodman, Hon. Samuel, Secretary, U.S. Department of Energy........   172\n    Prepared statement...........................................   198\nFriedman, Hon. Gregory H., Inspector General, U.S. Department of \n  Energy.........................................................   182\n    Prepared statement...........................................   202\n\n\n     CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY\n\n                              ----------                              \n\n\n                       TUESDAY, JANUARY 30, 2007\n\n                  House of Representatives,\n                  Committee on Energy and Commerce,\n              Subcommittee on Oversight and Investigations,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:00 a.m., in \nroom 2123, Rayburn House Office Building, Hon. Bart Stupak \n(chairman of the subcommittee) presiding.\n    Present: Representatives Stupak, Degette, Melancon, Green, \nDingell [ex officio], Whitfield, Walden, Burgess, Murphy, and \nBarton [ex officio].\n    Also present: Representatives Udall of New Mexico and \nWilson of New Mexico.\n    Staff present: John F. Sopko, Christopher Knauer, Voncille \nT. Hines, Rachel Bleshman, Peter Goodloe, Christopher Treanor, \nJodi Seth, Alec Gerlach, Alan Slobodin, Dwight Cates, and \nMatthew Johnson.\n\n  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    Mr. Stupak. This meeting will come to order on the Energy \nand Commerce Committee, Subcommittee on Oversight and \nInvestigations. This hearing, which will be the first of the \n110th Congress, is entitled, Continuing Security Concerns at \nLos Alamos National Laboratory.\n    We will begin with the Members\' opening statements.\n    Los Alamos National Laboratory is a place of great history. \nIt is home to many of our Nation\'s most secret of weapons \ndevelopment, and yet it is also home to some embarrassing lax \nsecurity protocols.\n    During my 12 years on the Oversight and Investigations \nSubcommittee, I have sat through far too many hearings \ndetailing problem after problem at Los Alamos.\n    Now as I take over as chairman of this distinguished \nsubcommittee, I find myself presiding over yet another hearing \nabout inadequate security at the lab. The latest security \ndebacle begins in October 2006 when Los Alamos County Police \nresponded to a call at a private residence and discovered \nseveral hundred pages of classified and unclassified materials \nas well as electronic files that were stolen from the Los \nAlamos National Laboratory.\n    Documents were taken from the lab by a subcontract \nemployee. The employee simply walked out of the lab with stolen \ndocuments in her purse or on a thumb drive which she easily \ninserted into open ports on classified computers.\n    Over the last 8 years, this subcommittee has held 11 \nhearings into various security lapses at Los Alamos. I have \nthis chart which I will enter into the official record \nillustrating 11 hearings that this committee has held. These \nhearings have ranged from the Wen Ho Lee case in 1999 to the \nremoval of Classified Removable Electronic Media, CREM, in 2005 \nin the cyber security hearings we held in June 2006.\n    Throughout these hearings, Members have heard time and \nagain how the Department of Energy and the lab managers were \ngoing to improve security. We have heard excuse after excuse \nand plan after plan of how the lab would improve security. The \nDOE went so far as to competitively bid out the lab\'s operation \nin the hope that a new management team would bring about \nchange, security and accountability.\n    But DOE awarded the contract to a consortium that includes \nthe previous contractor, the University of California. With \nthis brilliant decision, did anyone really expect the laissez \nfaire culture of Los Alamos to change?\n    As a result of our investigation, I have a number of \nquestions that need to be answered today. How and why did the \nOctober security breach occur? What is the potential and \noverall actual harm to national security as a result of the \nbreach? Why do security breaches continue to plague Los Alamos? \nWhat plans do Los Alamos, DOE and the National Nuclear Security \nAdministration have for preventing breaches at Los Alamos? Who \nis accountable for the most recent security breach at Los \nAlamos? What tools are available to the Federal Government to \nhold Los Alamos accountable for the latest security breach?\n    For example, new accountability rules allow DOE to penalize \ncontractors and their subcontractors for violations of DOE \nrules, regulations and orders regarding the safeguarding of \nrestricted data and other classified information. Based upon \nour staff\'s investigation, my real concern here is whether DOE \nis using these tools, or is it just giving contractors a slap \non the wrist for egregious security violations? Are the tools \navailable for the Federal Government to adequately deter \nsecurity breaches? This incident does raise serious questions \nabout the manner and policies of the Department of Energy in \ngranting the security clearances to employees. This question, \nas well as many others, will of course have to be answered in \nclosed session due to their sensitivity.\n    During the last hearing in 2006, I became so fed up that I \nasked the question, ``What do we do at Los Alamos that could \nnot be done at our other National Laboratories?\'\' I was serious \nwhen I asked that question back then, and I must tell you I \nhave been asking myself the same question again in recent \nmonths.\n    I am a former police officer, and in Michigan, we like to \nuse auto analogies. For far too long we have essentially been \nissuing parking tickets to Los Alamos. In July 2004, we \nessentially put a boot on the lab when it was shut down for 7 \nmonths to clean up its act. This cost the American taxpayers \nmore than $350 million and was supposed to result in a more \nsecure facility. Unfortunately, there has been yet another \nbreach not long after Los Alamos reopened. Los Alamos did not \nchange after repeated tickets. It did not change after putting \na boot on. And now, I am convinced that we may need just to tow \nthe car.\n    Something drastic must be done at Los Alamos in order to \nchange the systemic security problems. The American people \ndemand and deserve the highest level of protection of our \nnational secrets. If the Department and the lab won\'t change, \nprovide security at our labs, Congress must explore ways to \nprotect our security. Therefore I will, in cooperation with my \nfriends on the minority side, be asking the Government \nAccountability Office to perform a comprehensive audit of all \nservices performed at Los Alamos.\n    I will ask them to evaluate whether the footprint and \nmission at the lab is too large.\n    I will also ask them to evaluate the possibility of \nconsolidating and moving many of the classified operations at \nLos Alamos to another lab, such as Sandia where there is a \nwillingness among the employees and management to heed our \nadvice. I will not tolerate continued security lapses and \nthumbing of their nose at Congress.\n    Finally, it is my understanding that Secretary Bodman has \nasked for additional reviews of Los Alamos\'s security and that \nthe reports of the review are due at the end of February. It is \nour expectation that the Department will take these reviews \nseriously, provide concrete answers and submit detailed plans \nto remedy the security lapses.\n    I fully expect Secretary Bodman will appear before this \nsubcommittee to articulate what has and will be done to improve \nsecurity at Los Alamos.\n    In conclusion, I am pleased that the first hearing of the \nO&I Committee is truly a bipartisan effort by myself, the \nranking member and our staffs. This is what I hope will be the \nfirst of many bipartisan efforts to make our country safer and \nour government more effective.\n    Thoughtful and tough oversight is neither Republican nor \nDemocratic. It is just good government. I salute the former \nchairman and his staff for all their work in this inquiry. I \nlook forward to continuing to work with him.\n    The Constitution entrusted Congress with a solemn duty to \noversee the activities of the executive branch. Oversight is \nthe only way Congress can assure that our laws are adequately \nand properly administered.\n    Without effective oversight, how can Members of Congress \ntruly determine with confidence what additional laws are \nneeded? As chairman of the subcommittee, I plan to be \npersistent in our oversight responsibilities, fully realizing \nthat Congress\'s power to probe is a necessary tool of our \ndemocracy that is best wielded in a nonpartisan manner.\n    Again, I want to thank our former chairman, the gentleman \nfrom Kentucky. I look forward to working with all the members \nof the committee and the Subcommittee on Oversight and \nInvestigations. With that, I would yield to Mr. Whitfield.\n\n  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN \n           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY\n\n    Mr. Whitfield. Mr Chairman, thank you so much for holding \nthis important hearing, and I certainly want to congratulate \nyou on your new with your new responsibilities as chairman of \nthis subcommittee.\n    As you said, we have held several hearings to review \nongoing security problems at Los Alamos over the last 3 or 4 \nyears.\n    And as long as it is important that we continue to do, so I \nam delighted that we are continuing to hold these hearings.\n    Prior investigations led by this subcommittee have \nuncovered the details of the 1999 Wen Ho Lee case, the 2000 \nNEST team hard drive incident, and several incidents in 2003 \nand 2004 relating to the improper handling and destruction of \nclassified removable electronic media, and then, in 2004, \noperations at Los Alamos were shut down for a 6-month period in \nan attempt to deal with many of these problems.\n    At each subcommittee hearing, Los Alamos officials have \npromised to solve ongoing security problems.\n    But they have failed to follow through.\n    I was pleased when the Department recently decided to \ncompete the Los Alamos contract for the first time in over 60 \nyears.\n    In June 2006, a new consortium named, Los Alamos National \nSecurity began operations at its site. In its contract, LANS \nhas made several commitments to solve the security problems at \nLos Alamos. Unfortunately for LANS, only 4 months passed before \nthe most recent security incident occurred. In October 2006, it \nwas discovered that 1,588 pages of classified documents from a \nclassified vault had been removed in paper form and also \ndownloaded on to a portable thumb drive. The documents and the \nthumb drive showed up in the trailer home of a former LANL \nemployee.\n    Now, 1,588 pages--I just want to show you, this is 1,588 \npages. So it is really quite shocking that this is still going \non in this magnitude.\n    However unfortunate the time, LANS must be held accountable \nfor compromising these documents, and it should pay a price. \nThis incident demonstrates that the Department and LANS have \nfailed to implement an effective security policy at Los Alamos.\n    DOE must assert its contract and regulatory authorities to \ncompel greater security performance.\n    This most recent security incident demonstrates the same \npoor security management, lack of formality of operations, and \ninsufficient oversight that has plagued the lab for decades. I \ndo not think the security problems at Los Alamos can be solved \nwith small changes on the margin.\n    Dramatic, new ideas from the Department, from LANS and from \nCongress, are needed.\n    I have co-signed legislation drafted by Mr. Barton to strip \nNNSA of its autonomy with respect to safeguards and security, \nworker health and safety and cyber security oversight, and \nunderstand that Chairman Dingell and Chairman Stupak have also \ncosponsored this important legislation. I would also note that \nwe signed a co-letter last night along with Mr. Barton and \nRepresentative Hastert that asked the Department to take \nimmediate steps to solve the security problems at Los Alamos.\n    The letter has several recommendations and urges DOE to \ntake action to reduce the volume of classified material across \nthe laboratory. At Los Alamos, operations are spread out over a \n43-square mile area. The lab has approximately 15,000 \nemployees, 3,000 classified computers and 1,774 classified \nsecurity areas. To give you some perspective, there are more \nclassified security areas at Los Alamos than there are total \nrooms in the Rayburn, Cannon and Longworth House Office \nBuildings combined.\n    And at this time, I would ask unanimous consent to \nintroduce into the record the letter that we just referred to, \nthat we had sent. Do they have a copy of it?\n    Mr. Stupak. Without objection, it will be part of the \nrecord.\n    Mr. Whitfield. LANL\'s volume of classified holdings is \nunnecessarily large, conducted in too many security areas and \ninvolves too many people. These factors, including the \ngeographical dispersions of activities, make LANL susceptible \nto security failures. I hope this subcommittee can help \nidentify the right solutions to fix this problem once and for \nall. Thank you.\n    Mr. Stupak. I thank the gentleman from Kentucky.\n    Next, the gentleman from Michigan, chairman of the full \nEnergy and Commerce Committee, Mr. Dingell.\n\nOPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    The Chairman. Mr. Chairman, first, thank you for \nrecognizing me, and second, congratulations to you on your \nbecoming chairman of this subcommittee. You will do an \noutstanding job. You have been a superb member of the committee \nand superb ranking member, and I am delighted to see you \nsitting where you are.\n    I want to also say, express my good wishes to the \ngentleman, Mr. Whitfield, who was so gracious and kind in his \nconduct in this subcommittee. We look forward to working with \nhim, as I know we all do.\n    I feel a little bit like this is the movie ``Groundhog \nDay\'\'. All of us will remember that we seem to be waking up \neach morning to repeat the same events over and over with \nregard to security at the National Laboratories.\n    As I recall, when the House turned in 1994, this \nsubcommittee was preparing a set of hearings to go into the \nconduct of matters at DOE and how things were being done at \nthat time with regard to the laboratories.\n    There were all matters of difficulties, and I won\'t belabor \nthe matter or delay the process by talking about it.\n    But the events there with regard to security, security \nbreaches at Los Alamos and the other laboratories, were very \nserious.\n    And so I am reminded of what Yogi Berra used to say, this \nis like deja vu all over again. I am somewhat distressed that \nthis subcommittee must convene to hear about security breaches \nat the National Energy Labs, Los Alamos in particular. We could \ndrag out stacks of letters sent to the Department Secretaries \nand the Presidents over the past two decades on the issue we \nare reviewing today. We could also display a small tower of \nhearing records, many of which I chaired, relating to security \nbreakdowns at DOE and at the Los Alamos National Laboratory in \nspecific.\n    This would be good drama in a movie. These, however, are \nsecurity breaches and are deadly serious. They threaten our \nsecurity to guard our Nation\'s military secrets, our nuclear \nsecrets and other matters of importance. For some reason or \nanother, DOE has proven itself incapable of managing this \ncritical security and preventing recurring problems that we \nwill discuss today.\n    There is a new twist to this story, and I find it a \nworrisome development. Apparently, this latest security breach \nraises serious questions about DOE\'s process and procedures in \ngranting security clearances and the adjudication of adverse \ninformation dealing with the suitability of employees and \ncontractors.\n    This appears to be, in part at least, a new issue. And it \nshould be the subject--as it is going to be--of an executive \nsession which is going to take place later today. We may very \nwell need to expand the investigation of this subcommittee into \nDOE\'s personnel security system.\n    Mr. Chairman, it is our joint concern that we will hear the \nsame promises that we have heard in the past about how DOE will \nremedy the situation, how this lab is now going to take \nsecurity matters seriously and how the lab will be reorganized, \nhow some officers and officials and managers may be removed.\n    I must confess that I have been hearing these promises for \na long time, and I am beginning to find them somewhat tedious. \nThe time has come to focus on the adequacy of the tools DOE \npossesses to effectively penalize the contractors and the lab \nfor serious security failures, and whether DOE ever intends to \nuse them or knows how to do so. There may be nothing in the \nSecretary\'s toolbox effective enough to turn this lab around. \nWe will need to determine that in today\'s hearing and to find \nwhether penalties are sufficient to effectively improve \nsecurity at Los Alamos.\n    I understand that Secretary Bodman, for whom I have \nconsiderable affection, is considering yet another security \nreview regarding Los Alamos specifically and the Department in \ngeneral. I look forward to his appearance before this \nsubcommittee in February to learn what he intends to do to fix \nthis mess. I support requesting the Government Accountability \nOffice to conduct a comprehensive audit of Los Alamos \noperations in order to determine what functions need to be \nretained, there versus being moved to another government or \nprivate facility.\n    It increasingly appears that the overall footprint of the \nlab may be too big in both physical scale and in the scope of \nits mission to be properly managed.\n    At this point, all options should be open, on the table for \nconsideration as to how we correct this intolerable situation.\n    Again, Mr. Chairman, congratulations. Thank you for holding \nthis hearing, and I look forward to hearing what will be said \nby our witnesses. But I hope you will forgive me, as I note in \nthe case of Groundhog Day, we have seen all of this before.\n    Thank you Mr. Chairman.\n    Mr. Stupak. I thank the gentleman.\n    Next turn to the distinguished former chairman of the full \ncommittee, Mr. Barton of Texas.\n\n   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN \n                CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Barton. Thank you, Mr. Chairman. I, too, want to \ncongratulate you on the assumption of your new duties as the \nsubcommittee chairman of Oversight and Investigations. I \nconsider this subcommittee to be the heart of the full Energy \nand Commerce Committee.\n    You are following in some big footsteps; in the prior \nCongress, Mr. Whitfield, but if you want to go back to when \nyour party was last in the majority, the full committee \nchairman, Mr. Dingell, was also the subcommittee chairman, and \nthis is where he gained his reputation for making sure that the \nship of state was sailed straight.\n    So, we are going to have a good relationship.\n    I want to echo what Mr. Dingell just said, if there is \nnothing else to do on the Oversight and Investigation \nSubcommittee it seems you can also hold a hearing of security \nlapses at Los Alamos.\n    I believe this is the 10th hearing in the last 4 years. I \ncould be wrong about that. But I wouldn\'t be off by much; 2004 \nthe entire laboratory complex was shut down for 7 months; 2005, \n1,500 records--including Social Security numbers--some people \nhacked into the system, stole those numbers and the \nAdministrator didn\'t even bother to tell the Secretary of \nEnergy about it.\n    This last October, approximately 1,600 documents were \nstolen and carried out of the complex and, if my memory is \ncorrect, were found in a mobile home when the local police \nresponded to a domestic disturbance.\n    Enough is enough.\n    This is not a fast food restaurant on the corner somewhere. \nThis is the crown jewel of our weapons complex.\n    I don\'t have words to explain how frustrated I am, and I \nthink my frustration is shared by every member of the \ncommittee.\n    I am happy to report that last evening we introduced a \nbipartisan bill, Mr. Stupak and Mr. Dingell, original \ncosponsors, along with myself, Mr. Whitfield and Mr. Hastert, \nthat strips the NNSA of its authority to manage some of these \nproblems and gives it back to the Secretary of Energy to \ndelegate as he sees fit. It is H.R. 703.\n    And I hope that bill is given a hearing very quickly at \nsubcommittee, or perhaps even at full committee and is moved to \nthe floor. We need to do something about this problem.\n    If there were a way to start over, I would say, shut down \nLos Alamos, fire everybody out there and build a new weapons \nlaboratory somewhere else. That is not cost-effective. And \nobviously, there are many, many good people at the laboratory. \nBut there is an absolute inability or unwillingness to address \nthe most routine security issues at this laboratory.\n     I have sent a letter to the Secretary of Energy, Mr. \nBodman, today making him aware of this new legislation. But I \nhave also asked him to immediately consider doing the following \nthings by his authority as the senior executive officer of the \nDepartment of Energy. I have asked that he consider directing \nthe Office of Health Safety and Security to conduct an \nimmediate inspection at Los Alamos and to repeat it next 2 \nyears to report any problems and report any progress in \nsecurity and worker safety.\n    I have asked the Secretary to consider directing Los Alamos \nto dramatically reduce and consolidate the number of classified \nactivities, the number of classified computers, the number of \nclassified vaults. They have got classified material strewn all \naround the complex. I have visited Los Alamos, seen for myself \nsome of these sites where they store classified material. I am \nnot an expert on security, but I consider the current number of \nsites to be many, many more than is absolutely necessary. And \none simple solution to the problem would be just to reduce the \nnumber of places they keep this material.\n    I also think that the current contractor at Los Alamos \napparently doesn\'t give a damn about this. And I hate to use \nthat kind of language, but that is the way I feel.\n    If it is contractually legal, I think part of their fee \nshould be withheld, perhaps even forfeited. If the contract \nallows for civil penalties I would hope the Secretary would \nconsider assessing those penalties. If you can\'t get somebody\'s \nattention any other way, sometimes you can get their attention \nby withholding financial assets.\n    So it is obvious that we are not going to solve this \nproblem with one hearing, Mr. Chairman. But I do want to \ncommend you for being willing in your first hearing of all the \nthings you could do, to tackle this issue. It is a very serious \nissue. And I will pledge to you that the minority is doing to \ncontinue to work on this problem. And now that you are the \nchairman and Mr. Dingell is a full committee chairman, you will \nhave our full cooperation in trying to get on the bottom of it \nand rectify the situation if it is possible. And if it is not, \nif after a year or year and a half, if it doesn\'t look like any \nprogress is being made, I do reserve the right to request that \nwe consider shutting down this laboratory.\n    If that is the only way to do it, and we have to start \nover, then so be it.\n    But we ought to be able to get security right at Los \nAlamos.\n    With that, I yield back.\n    Mr. Stupak. I thank the gentleman, and we do anticipate at \nleast one more hearing on this subject with Secretary Bodman \nprobably in March. And with that, I would yield to the \ndistinguished vice chair of the full committee, Ms. DeGette of \nColorado.\n\n  OPENING STATMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF COLORADO\n\n    Ms. DeGette. Thank you very much, Mr. Chairman. It is good \nto see you in that chair after all these years working with you \non this subcommittee, which I consider to be the best \nsubcommittee in the House.\n    And I also want to add my congratulations to the new vice \nchairman of the subcommittee, Mr. Melancon. He is going to have \na great time.\n    One thing that is so great about this subcommittee is, when \nwe get mad, we get really mad in a bipartisan way. And I want \nto echo what former chairman Barton said, because I have been \non this subcommittee during my 10 years in Congress, and you \nare exactly right, we have had about six to 10 hearings in the \nlast few years alone on this subject. And we have been told \nrepeatedly in every single hearing that this problem would be \nfixed.\n    In 2004, then-Chairman Barton and I visited Los Alamos, and \nthis was akin to a state visit for Los Alamos I guess. We went \nin; there was tremendous local interest. There was tremendous, \ntremendous effort to brief us and show us what was going on. \nThe deputy secretary was there. The new director was there. \nEverybody was there. We toured the facility. We had some very \ntough conversations. We were told that this situation was going \nto be fixed and that this situation was going to be fixed \nimmediately.\n    And subsequently, that director who was with us was drummed \nout, and nothing happened, as we have new seen. Mr. Dingell \ntalked about Groundhog Day, and this week, in fact, is \nGroundhog Day, so it is appropriate that we are having these \nhearings this week, but it is not funny about these security \nbreaches. The lab is home to some of the most confidential and \nimportant data in the Nation, weapons development, security of \nour nuclear stockpile, the development of technology to protect \nus from terrorist attacks. And it is not the first time either \nthat we seem to be dependent on dumb luck to discover a breach \nof security.\n    If it hadn\'t been for the vigilance of police officers in \ninvestigating unrelated drug charges, this classified data \nwould still be sitting at the home of a former subcontractor \nfor a yet to be discovered purpose. And so, really, the issue \nis so much broader than just this single incident.\n    And as we will hear today, the Department of Energy\'s \nInspector General recently found that physical and cyber \nsecurity at the lab have been consistently compromised. We keep \nsaying to ourselves, why does this happen time after time, year \nafter year? And we haul everybody in, and we rant and rave, and \nthen it happens again.\n    I think there are two problems. There is the oft discussed \nculture at Los Alamos where people really think themselves \nbeyond the requirements of true security measures. But there is \nanother problem, and former chairman Barton alluded to this. It \nis such a large site and with so many different areas that \ncontain this data, that it is very difficult to secure it.\n    And in addition, when I visited, I found, 3 years ago, some \nof the security measures being implemented would be just \nroutine security measures at a private facility, and so you \nhave got to wonder, do these Government facilities think that \nthey have to comply with lower standards than in private \nindustry? So, really, I think the questions that former \nChairman Barton and Chairman Stupak and Chairman Dingell are \nasking are the right questions.\n    And I cannot stress enough to the witnesses today and to \nthose who care about this facility, we are really serious and \nwe are really serious this time, I think the legislation that \nwas introduced is drastic, but that is the direction we are \ngoing to have to go unless we can get some clear answers of how \nwe are going to fix this problem.\n    With that, Mr. Chairman, I yield back.\n    Mr. Stupak. Before the gentle lady leaves, if we can do \nhousekeeping. I notice there is a majority of the committee \npresent, and we are going to have to take a vote to move into \nclassified or executive session later. We won\'t do it--so \nbefore we continue, all those in favor of moving to an \nexecutive session later, please just raise your hand or \nindicate aye.\n    Any opposition? Hearing none, at the appropriate time, we \nwill move into executive session later in this hearing. With \nthat, we will continue with the opening statements, next \nturning to Mr. Walden.\n\n   OPENNG STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. Thank you, very much, Mr. Chairman, and I think \npeople who have come before me have laid it out pretty clearly \nand forcefully. There are just few things as important to our \nNation\'s security as maintaining the security of our classified \ndata in our National Labs. I think my colleagues have made that \nclear. You have heard it from me before in these hearings we \nhave had in the past. The chairman said, these are the crown \njewels of our weapons systems. And I guess what strikes me is, \nwe have got employees who still are walking out the front door \nwith the diamonds out of the crown jewel set. And that is a \nproblem. That is a very serious problem and one that this \nsubcommittee has railed on before in public and in private \nsessions, perhaps even more so than what people are hearing in \nthe public session. There are some fundamental questions that \nwe will have for all of you today that will come in both \nsessions, including access to these computers once again, how \nis that controlled, how does somebody walk out with a thumb \ndrive? I understand you are now using a product like this, J-B \nWeld, the world\'s finest cold weld, to actually seal up the USB \nand FireWire ports so that somebody can\'t use one of these \nthumb devices.\n    It is great. It works for engine blocks, and it works for \nfaucets, and I guess it works to plug leaks in our national \nsecurity system, too, but why do we even order computers that \nhave those ports in them? It would seem to me that Government \ncould work out a contract to get a computer that doesn\'t have \nthem. I am glad you now sealed up 7,200 of these ports or \nwhatever the actual count is. Perhaps we will learn later \ntoday. But it strikes me as a bit strange that we are relying \non J-B Welds to protect leaks of our national security.\n    With that, Mr. Chairman, I will yield back.\n    Mr. Stupak. I thank the gentleman. Next, I turn to the vice \nchair of the subcommittee, Mr. Melancon.\n    Mr. Melancon. Thank you, Mr. Chairman. I don\'t have any \nwritten statements. I would like to move as quickly as we can \ninto testimony.\n    Being new on the committee and just picking up the gist of \nwhat has been said about Los Alamos, and in looking at the \nconcerns that we have about nuclear proliferation around the \nworld, and we are not even protecting our own, it seems so. \nWith that, I\'d just like to thank you for allowing me to be \npart of the committee and the ranking member and the members of \nthe committee. Thank you.\n    Mr. Stupak. Thank the gentleman.\n    Next, I turn to Mr. Burgess, Dr. Burgess.\n\nOPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE \n              IN CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Burgess. Thank you, Chairman Stupak and Ranking Member \nWhitfield for continuing this committee\'s important oversight \nover Los Alamos. Chairman Stupak, I appreciate the bipartisan \nnature of this hearing, and I hope it is a sign of how you will \nhandle hearings in the months to come. You and your staff are \nto be commended for your preparation and your willingness to \nshare relevant information with members across the aisle.\n    Mr. Chairman, it is my sincere hope that we have your \ncommitment to continue this collegial and bipartisan \ndisposition throughout all the hearings of this congress. And I \nwould also like to take a minute and thank Ranking Member \nWhitfield for his investigation of Los Alamos throughout the \nyears. Clearly, today\'s hearing builds upon the hard work and \nthe determination that you and your staff have displayed on \nthis crucial matter of national security. I thank you for your \nleadership on this important issue.\n    Today we have three panels before us that will hopefully be \nable to explain to us not only what exactly happened in October \nbut also what has been done to prevent another recurrence. I \nwelcome you all here today and hope we can get to the bottom of \nthis continuing problem at Los Alamos once and for all. I would \nespecially like to welcome my fellow Texan, Deputy Secretary \nClay Sell. Thank you for being here with us today and sharing \nyour valuable insight into the Department of Energy.\n    In the post-9/11 world in which we live today, our national \nsecurity has become the most important issue facing our Nation. \nWe must do everything within our power to ensure that we do not \nbecome the victims of terrorism again. As terrorists become \nmore and more sophisticated, we must continue to implement and \nmaintain comprehensive measures to secure our safety. While we \noften think of terrorists of being from foreign lands, it is \neasily plausible that people living on American soil can \ncompromise our country\'s national security interests. The fact \nthat someone can walk out of an institution that developed the \natomic bomb with a disk full of classified information is \ndeeply disturbing. This is absolutely indefensible.\n    Los Alamos has some of the smartest minds, people of almost \nimmeasurable brilliance, working on the facility, and the \nreoccurrence of so many security breaches is simply \ninexcusable. I was taught that people should be held \naccountable for their actions. While there are many \norganizational changes that can be made to better ensure the \nsecurity of our country\'s classified information, one of the \neasiest and most effective remedies is to make the contractor \nin charge of security pay a step penalty. As a steward of the \ntaxpayer dollar, I fully support this idea. If the contractor \nis penalized, millions upon millions of dollars maybe, then \nthey will finally realize how serious the problem is and that \nit must be stopped.\n    While there is clearly an institutional problem at Los \nAlamos, we must also remember that there are thousands, 15,000, \nhardworking employees at the lab who make a remarkable \ncontribution to science in this country on a daily basis. I had \nthe pleasure--the honor of visiting the lab in July 2005, and I \nmet many of those hardworking and dedicated men and women. I \nwas impressed by their dedication. I was impressed by the \noverall intellect of the individuals involved.\n    In preparation for this hearing, I came across a posting on \na well known blog of Los Alamos employees. The posting was \naddressed to members of this committee and ended with this \nthought: ``Don\'t give up on us just yet. Please be careful with \nyour words. Direct them at those who are truly at fault and \navoid belittling comments directed against the whole workforce \nand against the vital work that we can do to help this country. \nAnd one more thing, yes, you do need Los Alamos--a well \nfunctioning Los Alamos\'\'.\n    I completely agree with this employee. The country needs a \nwell functioning Los Alamos. And that is why we are here today, \nto protect what is a national treasure.\n    And I would oppose any diminution of that mission or \nrelocation of the resources, but oversight is our obligation.\n    Mr. Chairman, I have several questions that I hope we will \nget answered, and one of those questions deals with the RFP \nprocess that the lab went through just a little over a year \nago. Was it a fair process? Was the University and the \ncontractor that was not selected, were they given a fair shake? \nWere they given a fair chance to compete for that contract?\n    It seems as if the embedded culture at Los Alamos is \nincapable of change. Perhaps that is reason enough that we \nshould reopen the RFP process.\n    Mr. Chairman, I again thank you for the bipartisan hearing \nin which we can further address this troubling issue and what \nneeds to be accomplished with this dismal and depressing cycle \nof security breaches at Los Alamos.\n    And I feel it is important that we continue to work on this \nproblem so that we do not risk the welfare of our Nation and \nsucceeding generations who will either benefit from our \ndecisions or inherit the failings of our security lapses. With \nthat, I will yield back.\n    Mr. Stupak. I thank the gentleman.\n    The gentleman from Texas, Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman, and I am glad to be \nback on the subcommittee although following our chairman, when \nit is his deja vu, I have been off this subcommittee for I \nthink three terms, and it seems like we ended and that last \nterm with Los Alamos obviously back then much more serious \nallegations than we have today.\n    But, Mr. Chairman, I have a statement I would like to place \ninto the record and express the same frustration I think \neveryone has heard on a bipartisan basis, but I would like for \nus to get moving and see what we can do. But also I am thankful \nthat we have local law enforcement who were sharp enough to \npick that up, but hopefully we can stop it before it actually \nleaves the lab. With that I will submit my statement for the \nrecord and yield back.\n    [The prepared statement of Mr. Green follows:]\n\n  Prepared Statement of Hon. Gene Green, a Representative in Congress \n                        from the State of Texas\n\n    Mr. Chairman, I am privileged to be back on the Oversight \nSubcommittee, but it looks like not a whole lot has changed, we \nare still looking into security problems at Los Alamos.\n    Everyone up here and all our witnesses are upset, but I do \nnot think anyone has made the point that since our intelligence \noverseas has not been as good as it could be, we cannot afford \nnuclear security mistakes here at home.\n    The risk of international nuclear proliferation is bad \nenough with Iran and North Korea without having to worry about \nrisks in our own backyard.\n    Some members of this committee criticized the previous \nadministration for security lapses that occurred in the years \nafter the cold war and rightfully so.\n    But now, more than 5 years after 9/11, this administration \nhas still not resolved many of the same issues. It looks like \n9/11 led to increased security everywhere but Los Alamos.\n    The National Nuclear Security Administration imposed \nmillions in financial penalties against the University of \nCalifornia for problems at Los Alamos in past years, and the \nnew contractor could be liable for even larger penalties.\n    I notice that we have some new faces in charge, and some \nformer officials are pursuing other opportunities. I certainly \nhope the changes are noticed on the ground as well.\n    However, I have to say I am somewhat bothered by much of \nthe testimony here today.\n    The testimony contains lots of findings from internal \ninvestigations and a great deal of new and updated directives \nand procedures.\n    We\'ve heard this same song about security breaches before-\nwith similar findings of root causes and similar new \nprocedures. In fact, DOE and Los Alamos just keep re-releasing \nthe same album.\n    Instead of more studies and procedures, I think the problem \nmay be a lack of actual leadership and people who will \nimplement the procedures in a coherent way.\n    So I hope our new faces here are not just interested in \nmore studies, more investigations, and more new set of rules.\n    Instead I hope they and their managers get out there and \nwork with the subcontractors, security personnel, scientists, \nand employees and change the situation on the ground.\n    Hopefully Congress does not have to remind the \nadministration that several countries opposed to the United \nStates are currently seeking nuclear weapons.\n    We need to keep our technologies out of these nations\' hand \nand we need to be dead serious about it.\n    Thank you Mr. Chairman and I yield back.\n\n    Mr. Stupak. Without objection, and welcome the gentleman \nback to this subcommittee.\n    Mr. Murphy from Pennsylvania, any opening statement?\n\n   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN \n         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA\n\n    Mr. Murphy. Thank you, Mr. Chairman, and it is a pleasure \nto be joining you on this committee. Mr. Chairman we are about \nto hear about these appalling violations and blatant disregard \nto national security safeguards at Los Alamos National \nLaboratory, and they warrant intense scrutiny of this facility. \nThe unauthorized removal of any classified materials is, of \ncourse, a grave matter. But the frequency at which classified \nmaterials seem to be removed at Los Alamos National Laboratory \nindicates a careless attitude towards our national security and \ndeserves the intense scrutiny of this committee.\n    One such display of this disregard for national security \noccurred in 2005, as referenced by the members here, when the \nformer administrator of the National Nuclear Security \nAdministration Linton Brooks--for 9 months, Administrator \nBrooks refused to report computer hackers\' theft of 1,500 \nSocial Security numbers and personal information of employees \nof the NNSA. Another instance, in October 2006, we know police \nfound a flash drive and hundreds of pages of classified \ndocuments at the home of a former subcontractor, the content of \nwhich is so classified it can\'t be released to the public, but \nnonetheless it raises our concerns deeply.\n    For the sake of our national security, we must determine \nhow they were removed and take immediate steps to prevent this \nfrom occurring in the future. We need to prevent breaches \nthrough better security systems on computers and hardware, to \nthoroughly screen everyone, especially contractors at Los \nAlamos, to fully inspect those materials that come in and out \nof the facility, and to prosecute to the fullest extent of the \nlaw and give stern penalties for those who breach that \nsecurity.\n    As our society is growing more dependent on technology, we \nhave seen a disturbing trend in the theft or loss of personal \ninformation from Government agencies, such as the VA and large \ncorporations, that at times are used for malicious intent.\n    What has been the consequence of the theft of this material \nand who is responsible for their loss or misuse? We need \nanswers to these questions, and we need ideas on how to prevent \nthis in the future.\n    Misuse of personal information must have consequences. For \nexample, in the 109th Congress, I introduced the SERVE Act \nwhich would physically secure all sensitive personal \ninformation and all equipment containing such information \nprocessed and maintained by the Department of Veterans\' \nAffairs. But I also would have also required the VA and its \ncontractors to encrypt sensitive personal information. The \nSERVE Act also imposed criminal penalties for unauthorized \ndisclosure of sensitive personal information.\n    But we are here not to address just one or two of these \nproblems but to find a way to address a chronic failure to \nfollow national security procedures in guarding classified \nmaterials. I look forward to this hearing, and I yield back.\n    Mr. Stupak. I thank the gentleman. We should note that Mr. \nUdall is here. He is not a member of the committee, but Los \nAlamos is in his district. He is very concerned about it and \nhas always been a strong advocate for Los Alamos. You can see \nthe concerns of members, Tom, but welcome, and I look forward.\n    Mr. Udall. Thank you and a pleasure to join you today, Mr. \nChairman. Thank you.\n    Mr. Stupak. We are in recess until noon so we should be \nable to get hopefully most of this hearing in. It is the policy \nof the subcommittee to take all testimony under oath.\n     Please be advised that witnesses have the rights under the \nRules of the House of Representatives to be advised by counsel \nduring their testimony.\n    Do you desire to be advised by counsel at this time? If so, \nplease introduce your counsel. Seeing no reaction, I advise, we \ndo swear in witnesses. Would you please rise and raise your \nright hand?\n    [Witnesses sworn.]\n    Mr. Stupak. Let the of record state an affirmative response \nof the witnesses. Witnesses are now under oath. You have 5 \nminutes for an opening statement. Witnesses may, at the \ndiscretion of the committee, submit brief and pertinent sworn \nstatements for inclusion in the hearing record.\n    Let me now start with Mr. Friedman please.\n\n   TESTIMONY OF GREGORY H. FRIEDMAN, INSPECTOR GENERAL, U.S. \n                      DEPARTMENT OF ENERGY\n\n    Mr. Friedman. Mr. Chairman and members of the subcommittee, \nI am pleased to be here at your request to testify on the \nOffice of Inspector General\'s review of the recent compromise \nof classified data at the Department of Energy Los Alamos \nNational Laboratory. Los Alamos, as has been stated earlier \ntoday, has been at the forefront of our Nation\'s security \nrelated research and development enterprise for over 60 years. \nThere have been a number of highly publicized incidences that \nhave cast doubt on the laboratory\'s ability to protect national \nsecurity.\n    The Office of Inspector General has performed numerous \naudits, inspections and investigations of physical, and cyber \nsecurity related issues at the laboratory.\n    Our reviews have covered diverse areas such as the \nimplementation of design bases threat, safe guards over \nclassified material and property and security of information \nsystems. I have been asked to testify before this subcommittee \nand other congressional panels on several occasions regarding \nmanagement of security interest issues at Los Alamos.\n    No doubt the subcommittee is fully aware of the \ncircumstances surrounding the recent seizure of classified \ninformation from a residence by the Los Alamos county police \ndepartment. Shortly after the material was seized, Secretary \nBodman requested that the Office of Inspector General begin a \nreview of the compromise of classified data.\n    The Secretary also asked that we evaluate certain aspects \nof the Department\'s security clearance process, the results of \nwhich can be discussed in closed session.\n    Our special inquiry disclosed that, despite the expenditure \nof tens of millions of dollars by the National Nuclear Security \nAdministration to upgrade various components of the laboratory \nsecurity apparatus, the security environment was inadequate.\n    Specifically, our special inquiry revealed that, first, \ncertain computer ports which could have been used \ninappropriately to migrate information from classified systems \nto unclassified devices and computers had not been disabled.\n    Second, classified computer racks were not locked.\n    Third, certain individuals were inappropriately granted \naccess to classified computers and equipment to which they were \nnot entitled.\n    Fourth, computers and peripherals that could have been used \nto compromise network security were introduced into a \nclassified computing environment without approval, and finally \ncritical security functions had not been adequately separated, \nessentially permitting systems administrators to supervise \nthemselves when it came to security and to override controls.\n    In many instances, laboratory management and staff had not \ndeveloped policies necessary to protect classified information, \nhad not enforced existing safeguards or had not provided the \nemphasis necessary to ensure protective measures were adequate. \nSome of the security policies were conflicting or applied \ninconsistently. Also, both laboratory and Federal officials \nwere not as aggressive as they should have been in conducting \nsecurity reviews and inspections. Our findings raised concerns \nabout the laboratory\'s ability to protect both classified and \nsensitive information.\n    The picture before you right now depicts the rack of \nclassified computers at Los Alamos from which the diverted \nclassified information originated. As you can see, the rack \nthat held the computers was unlocked, a condition that \npermitted access and exploitation of the open ports. And I know \nyou all are familiar--this is a thumb drive similar to the one \nwhich in fact was used to divert the material from the \nlaboratory. This is a 1 gigabyte thumb drive, and this can \ncontain the equivalent of two file cabinets full of information \nto show you how powerful this little item is.\n    Any diversion of classified material creates a potentially \nserious national security situation. The full extent of the \ndamage related to the removal of classified information in this \ncase may never be fully known. A criminal investigation of this \nmatter by the FBI continues.\n    We made a number of recommendations to correct identified \ndeficiencies.\n    For example, we recommended the Department take immediate \naction to disable unneeded computer ports, secure classified \ncomputer racks, segregate critical security functions and limit \nclassified computer access and privileges to those who \nspecifically require it.\n    In response to our report, Secretary of Bodman established \ntwo high-level task forces to address our findings, and Deputy \nSecretary Sell directed an immediate review of policies and \npractices related to computer ports in each of the Department\'s \nfacilities.\n    The subcommittee requested that we identify other actions \nthat could improve security at the laboratory. In short, we \nconcluded that the Department should first establish an up-to-\ndate, unified, coherent, risk-based security policy that flows \nthroughout all elements of the Department. It is essential this \npolicy be applied consistently and that all aspects of \nsecurity, physical, cyber and personnel be integrated to ensure \na seamless system.\n    Second, the Department should aggressively hold individuals \nand institutions at both the Federal and contractor levels \naccountable for failure to follow established security \npolicies. Penalties should include meaningful reductions in \ncontractor fees, personnel reassignments and terminations, \ncivil penalties, program redirection and ultimately--should it \nbe needed--contract termination.\n    One final note, one of the most disturbing aspects of this \nevent is the fact that it was not discovered by the laboratory \nbut by local police during an offsite investigation unrelated \nto laboratory activities. Without this inadvertent discovery, \nthe diversion of classified material may never have been \ndisclosed. And in that light, the Department and Los Alamos \nneed to strengthen efforts to proactively detect and prevent \nsecurity breakdowns. This might include, for instance, first \nimproving the level of monitoring of classified computer use \nthrough the application of specialized software which is \ncurrently available; two, enhancing computer activity logging; \nand three, initiating a program of unannounced security checks \nbeyond routine inspections.\n    Admittedly there is a cost involved with such undertakings, \nbut it is a cost that may be necessary given the pattern of \nsecurity issues that we have seen at the laboratory.\n    Mr. Chairman, this concludes my statement. I would be \npleased to answer any questions that you may have.\n    [The prepared statement of Mr. Friedman follows appears at \nthe conclusion of the hearing.]\n    Mr. Stupak. Thank you, Mr. Friedman, and I should have \nproperly introduced you as the Inspector General for the \nDepartment of Energy. I appreciate your work.\n    Mr. Podonsky is the chief health safety and security \nofficer at the U.S. Department of Energy.\n    Mr. Podonsky, your opening statement please.\n\nTESTIMONY OF GLENN PODONSKY, CHIEF HEALTH, SAFETY, AND SECURITY \n     OFFICER, OFFICE OF HEALTH, SAFETY, AND SECURITY, U.S. \n                      DEPARTMENT OF ENERGY\n\n    Mr. Podonsky. Thank you, Mr. Chairman, and Mr. Whitfield, \nand members of the subcommittee, I appreciate the opportunity \nto testify today regarding the improper removal of classified \ninformation from the Los Alamos National Laboratory.\n    At the time of this incident, when it was discovered, our \nOffice of Independent Oversight was conducting scheduled \ninspections at the laboratory\'s security, cyber security and \nemergency management programs.\n    As we heard from my colleague, Mr. Friedman, his office \nconducted the inquiry into the circumstances surrounding the \nincident.\n    Therefore, I will focus my remarks on our inspection of the \nlaboratory in terms appropriate for this unclassified hearing. \nOur independent oversight inspection just completed resulted in \nthe lowest set of performance ratings for security and \nemergency management topics that we have seen at Los Alamos \nsince 1999.\n    That, combined with the history of security problems at Los \nAlamos, is of great concern to everyone.\n    However, these ratings should not leave this committee to \nconclude that the laboratory is not protecting their most \nimportant national security asset. This inspection concluded \nthat special nuclear material, an area with historically \nsignificant weakness, is adequately protected.\n    Additionally, the ratings in part reflect the fact that our \nindependent oversight inspection process has become more \ntechnically enhanced and increasingly focused on performance-\nprotection-based activities, especially in the area of cyber \nsecurity and protection of classified matter.\n    We note some improvements. However, we continue to conclude \nthat extensive work remains to ensure that Los Alamos fully \nmeets Department\'s expectations. While special nuclear \nmaterials were adequately protected and overall performance of \nthe protective force was considered effective, we identified a \nnumber of significant problems with the protection of \nclassified documents and materials and with the configuration \nof vault-type rooms. It was evident that the site is overly \ndependent on the use of nonstandard storage configurations for \nthe protection of many of its classified weapons parts. \nCompensatory measures, established to support approval of the \nnonstandard storage configurations, were found to be \ninconsistent and not performing according to plans.\n    The overall impact of the deficiencies related to the \nprotection of classified matter is substantial.\n    Also, while some cyber security enhancements have been \nmade, the laboratory\'s cyber security policies are not \ncomprehensive and not up-to-date with DOE and NNSA \nrequirements, and they do not sufficiently address threats \nposed by emerging technologies.\n    Additionally, risk management processes are insufficient, \nresulting in risk acceptance decisions being made by lower \nstaff members, which is inappropriate.\n    In many cases, the protection of classified systems is \noverly dependent on administrator controls to mitigate \npotential insider activity rather than more robust controls and \nbarriers. As a result, Los Alamos National Laboratory systems \ncontinue to operate at increased risk from malicious insiders \nintent on subverting established departmental requirements.\n    Another area of concern is the certification and \naccreditation of both classified and unclassified information \nsystems. The Los Alamos certification and accreditation process \nhas not kept up with current methodologies, and existing \nprocesses do not ensure a consistent approach for applying \ntesting necessary security controls. For example over 25,000 \nexisting unclassified work stations in service at Los Alamos \nwere not certified and accredited. Self assessment processes \nare weak, and very few systems actually are being tested as \npart of these assessments.\n    Moreover, deficiencies identified during self-assessments \nare not always reported to the Los Alamos site office or NNSA, \nand development of corrective action plans to address them \nseems to be optional. Consequently, there is little in-depth \nunderstanding of program weaknesses. Considering the progress \nmade to date balanced against the cyber security issues that \nremain, we conclude that strong and aggressive management \naction is required.\n    There does need to be sound new laboratory plans for \nconducting self-assessments and implementing a contractor \nperformance assurance program as part of the contract \ntransition. However, the plans are not yet fully implemented.\n    In addition, the laboratory does not have an effective \nprocess for identifying actions for identified deficiencies. \nSimilarly, the NNSA site office security survey program is \ninadequate. In a few cases, the laboratory has decided not to \ncomply with departmental requirements, and the laboratory and \nNNSA did not utilize the Department\'s mandated deviation \nprocess to fully assess and accept risks associated with these \ndecisions.\n    The recent inspection results illustrate some improvement. \nHowever, the most important national security asset at Los \nAlamos must be recognized to be protected, and that is the \nspecial nuclear material.\n    Nevertheless, significant and disturbing protection and \nemergency management program deficiencies continue to exist at \nLos Alamos that require prompt attention, forceful and \nsustained management actions, and corrective actions to be \nfollowed.\n    We have heard all too often from a long line of DOE \nmanagers how serious LANL issues are and changes are needed. \nHowever, Mr. Chairman, it is my professional opinion that no \none now or previously in the Department has had the commitment, \nthe dedication, and absolute resolve to change the way this \ndepartment is managed and the way this laboratory is managed \nthan Secretary Bodman and Deputy Secretary Sell. It is \nimperative that the NNSA and the Los Alamos site office in \nparticular follow the leadership of the Secretary and the \nDeputy Secretary and must immediately enhance NNSA capabilities \nto effectively oversee the contractor performance now and in \nthe future.\n    Mr. Chairman, one other note, in the course of this \nhearing, there may be privacy issues that arise, and I would \nlike just to recognize that Eric Fygi from General Counsel is \nhere and representing the Department.\n    [The prepared statement of Mr. Podonsky appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you.\n     Before we move to our next witness, we should note that \nCongresswoman Heather Wilson from New Mexico is a member of the \nfull committee, but not on the subcommittee, but we welcome her \nparticipation here today. Thank you.\n    With that, we will next hear from Ms. Danielle Brian, \nexecutive director of Project on Government Oversight.\n    Ms. Brian.\n\n  TESTIMONY OF DANIELLE BRIAN, EXECUTIVE DIRECTOR, PROJECT ON \n                      GOVERNMENT OVERSIGHT\n\n    Ms. Brian. Thank you for inviting me to testify today.\n    I am Danielle Brian, executive director of the Project on \nGovernment Oversight. We have been investigating and exposing \nsecurity failures in the nuclear weapons complex since 2001.\n    Despite the creation of NNSA, security failures have \ncontinued to plague the complex, especially at Los Alamos. Now \nNNSA Administrator Linton Brooks has been asked to resign, and \nour Nation\'s secrets have been mishandled by Los Alamos again. \nNot only have NNSA and U.C. failed to correct security issues, \nbut now there will be even less oversight of Los Alamos as a \nnew pilot program has been implemented at Los Alamos in which \noversight has been handed over to the contractor themselves. \nPerhaps this new legislation that Congressman Barton has \nintroduced could help turn the tide on this disregard for \nFederal oversight.\n    Since 2001, there have been at least seven instances in \nwhich classified information was mishandled at Los Alamos, and \nI suspect there were many others that have simply flown below \nthe radar. Classified computer disks have gone missing. \nComputers that may have contained classified information have \nsomehow disappeared from lab property, either having been \nstolen or lost. Classified information has been transmitted \nthrough unsecured e-mail, and the list goes on.\n    The cybersecurity episode has occurred on average nearly \nonce a year since POGO began its investigations, and all of \nthese instances occurred after the infamous episode of the two \nmissing hard drives which were later discovered behind the \nXerox machine.\n    Now, in the recent incident, a subcontractor employee \nfreely took over 200 pages of hard-copy, classified documents \nand over 400 classified documents on flash drives to her home, \nwhich she shared with a drug dealer. This could only have \nhappened if there were a complete collapse of multiple \nsupervisory and security systems. It was only by happenstance \nthat she was caught, not because an effective security system \nwas in place. We would never have known about the security \nbreach if it hadn\'t been for a domestic disturbance.\n    Furthermore, we have no way of knowing how many other \ninstances like this there are out there that we don\'t know \nabout. It is important to remember that NNSA attempted to keep \nthis incident secret from Congress and the public until POGO \nlearned about it 8 days after the local police raid.\n    After the most recent security incident, a cybersecurity \naudit was launched, and according to a lab e-mail from just a \nfew days ago that I asked to be submitted for the record, \nquote, ``As a result of the preliminary findings of the \ncybersecurity audit\'\'--this is just a week and a half ago--\n``LANL has agreed to suspend all nonessential classified, \ncomputing activities for at least the next 48 hours by the \nclose of business today.\'\'\n    And this is not the first time security failures have \nsignificantly impacted operations at the lab. In 2000, then-\nSecretary Bill Richardson announced a new system so that there \nwould no longer be classified, removable electronic media to be \nlost or stolen. The labs essentially ignored the order. In May \n2004, then-Secretary Abraham announced that the complex was \ngoing to have a new system doing essentially the same thing. \nAgain, the labs essentially ignored the order. I suspect \nSecretary Bodman will soon be announcing a new initiative to \nsolve cybersecurity problems, and I am sure he is genuine in \nhis beliefs that his directives will fix the problems, but \nthose of us who have been around for a while have reason to be \nskeptical.\n    In addition to cybersecurity failures, Los Alamos continues \nto suffer from a litany of other problems, and while Los Alamos \nis a big problem, it is by no means the only problem in the \nnuclear weapons complex as other sites are also currently \nfacing their share of serious problems.\n    Despite these other sites that urgently need attention, Los \nAlamos does stick out as the bad child. Why? There is a joke \naround the complex that goes something like this: The Secretary \nof Energy tells the three national labs to jump. Sandia asks, \nhow high? Livermore makes an excuse for why it is too busy to \njump, and Los Alamos asks who the Secretary of Energy is.\n    Los Alamos sticks out as the bad child because of its \nconsistent and utter disregard for Federal oversight. At this \nrate, as was mentioned before, we can all schedule next year\'s \nhearing right now given the likelihood we will still be \ndiscussing problems at Los Alamos unless the entire incentive \nsystem is reversed.\n    I have enumerated in my written testimony a number of \nspecific recommendations, but in the interest of time, to \nhighlight them, first is that NNSA, or perhaps simply the \nDepartment of Energy, needs to make it a priority to fund \noversight and promote Federal employees who are thorough in \ntheir oversight work. In its current state, the Los Alamos site \noffice is nonfunctional. There are over 20 vacant Federal \npositions in that office.\n    Officials should also be held accountable if they do not \nimplement the recommendations made by the two gentlemen who are \nsitting at the witness table, the Department of Energy\'s \nInspector General and the Office of Health, Safety, and \nSecurity. As we have mentioned before, there are numerous \nreports that have been issued on these issues, but no one gets \nin trouble when they don\'t do anything about what these people \nhave recommended.\n    The Performance Incentive Fee in the Los Alamos contract \nshould be recalculated and equally weighted to reflect the \nequal importance of accomplishing the mission with ensuring \nsecurity and doing so safely. Of the $51 million that is \ncurrently on the table for fiscal year 2007 in the performance \nfee for the Los Alamos budget, only 6 percent, or $3 million of \nthat amount, is tied to security. Fortunately, that small \npercent is not set in stone and should certainly be revisited \nand dramatically increased. At the very least, DOE should cut \nthe Performance Incentive Fee for the most security--for the \nmost recent security debacle at Los Alamos.\n    DOE should also be disallowing costs--this is a cost-\nreimbursable contract, so they should be disallowing costs with \nLos Alamos\' as failure to perform adequately.\n    POGO also recommends that the ``at will\'\' employment \nprovision at Los Alamos be changed for their employees because \ncurrently, if an employee is the bearer of bad news to \nmanagement, the employee can be fired at will, creating exactly \nthe wrong incentives. This is an important issue for the \ncommittee to be conscious of as it is of particular concern for \nLivermore employees who are not currently operating under this \ncondition, but, as you see, appears to be poised to retain the \ncontract at Livermore. There is, in fact, concern that this \nwill now affect or be affected for the Livermore employees as \nwell.\n    I am thrilled that the committee has already undertaken our \nnext recommendation to audit the missions currently being \nconducted at Los Alamos. I think that\'s a very important effort \nthe committee is undertaking.\n    In closing, DOE will soon be submitting a request of $150 \nbillion to fund a wildly ambitious project to revamp the \nnuclear weapons complex known as Complex 2030. Before any \nfunding for further expansion is approved, I respectfully \nsuggest that Congress must have confidence in the mission and \nin the ability of the complex to carry out that mission safely \nand securely.\n    Thank you.\n    [The prepared statement of Ms. Brian appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you.\n     We will begin questioning.\n    Mr. Friedman, your investigation of the recent incident at \nLos Alamos revealed the lab security framework was seriously \nflawed.\n    For example, is it true that a number of key areas, \nincluding security policy, was nonexistent, applied \ninconsistently or not followed?\n    Mr. Friedman. That is correct, Mr. Chairman.\n    Mr. Stupak. In 2004, the lab was shut down when we did this \nmassive review. Wasn\'t that one of the recommendations in 2004?\n    Mr. Friedman. It was, and actually you could trace it back \nto 1999, in essence.\n    Mr. Stupak. Then what is it? Why are we having such \nproblems with Los Alamos? As Ms. Brian says, Secretary \nRichardson gave an order, Secretary Abraham, now Secretary \nBodman, and we have been reassured by Mr. Podonsky that things \nare going to change. For instance, in 1999--that\'s, what, 8 \nyears now--there have been 11, 12 hearings. Any answers?\n    Mr. Friedman. Well, I use--I thought the ultimate question \nwould come a little bit later. I didn\'t expect it on the third \nquestion, Mr. Chairman.\n    Mr. Stupak. I\'ve only got 8 more years to mess around, but \nwe don\'t with this lab.\n    Mr. Friedman. Of course, it is an issue that we have \nthought about a great deal. We devote a lot of resources to Los \nAlamos, and you and I have had this discussion before, \nobviously.\n    I think one of the problems that we\'ve found consistently \nis the question of sustainability, Mr. Chairman, if I can put \nit that way, use that term. There are a lot of good intentions. \nPeople start off with the right set of principles. They have \nnew policies, new procedures that they begin to implement, and \nthe implementation begins, but there is not the stay with it, \nthe closing the deal, the sustainability that is necessary to \ngo from a good idea to implementation, to execution, and to \nconsistency, and I tend to think that\'s one of the fundamental \nproblems that we have seen at Los Alamos over time. I said \nthere are good starting principles, but no follow-through, a \nlack of follow-through.\n    Mr. Stupak. There is a lack of follow-through because of \nturnover in personnel, or we lose interest in the principles \nthat we are supposed to put forth?\n    Mr. Friedman. I think it\'s the latter rather than the \nformer. Certainly there is a turnover in personnel, but I don\'t \nthink--my sense is that is not the heart of the problem.\n    Mr. Stupak. Well, in your recently released report on Los \nAlamos, in doing your work your team uncovered a number of much \nbroader concerns than merely the concerns related to the \nOctober incident. Let me read from your report, and I am \nquoting now.\n    It says, ``Our review revealed a serious breakdown in core \nlaboratory security controls,\'\' and your report reached the \nconclusion, and it states, ``In short, your findings raise \nserious concerns about the laboratory\'s ability to protect both \nclassified and sensitive information systems.\'\'\n    I presume you still stand by that report and that \nconclusion?\n    Mr. Friedman. Yes. Yes, we do.\n    Mr. Stupak. There has been a lot of talk this morning about \nmaybe we should just change the focus of this lab, or some of \nthe missions must be shifted to other labs like Sandia. It is a \nvery, very large complex.\n    Your thoughts on that suggestion.\n    Mr. Friedman. Well, I am not here, Mr. Chairman, as a shill \nfor the laboratory, but as a number of members of the sub \ncommittee have identified this morning, it is an extraordinary \ninstitution. Sixty-three percent of the people there or \nthereabouts have postgraduate degrees. They\'re eminent \nscientists. Last year lab personnel won, I believe, five R&D \n100 awards. There are 28 E.O. Lawrence Award winners there.\n    It is an extraordinary institution, and I caution, if I \nmight, that before we do anything truly radical--and I \nunderstand the motivation and where it\'s coming from--that we \nmake sure we balance so that we don\'t throw out the baby with \nthe bath water, if I can put it that way. So I hope that we \ngive the new contractor--I mean, after all, this took place 2 \nmonths ago. When we last spoke, Mr. Stupak, we agreed that the \nnew contractor was coming on board, and they deserved an \nopportunity to turn the situation around. This series of events \noccurred within 2 months or 3 months after they took over. They \nidentified a number of preconditions--preexisting conditions \nthat concerned them before they assumed responsibility, and \ncybersecurity was one of those preconditions.\n    I am hopeful that we can give them a chance, with increased \nFederal intervention and oversight, to do what they were hired \nto do, which was to enhance dramatically the management of the \nlaboratory, including better security and better cybersecurity \nspecifically.\n    So I understand, at some point down the road, a more \ndramatic, a more radical departure may be warranted \nconceivably, but at this point I hope we give them the benefit \nof the doubt, at least for a period of time, recognizing that \nthe problem that we face here is a very, very serious national \nsecurity problem.\n    Mr. Stupak. Sure, but if it wasn\'t for the Los Alamos \nCounty Police Department, we would not even know about this \nincident. How many other breaches are out there that we do not \nknow about because there has been no mechanism in place to \ndetect it, or even if it was detected, from your testimony, no \none at the lab seems to want to follow up on it?\n    Mr. Friedman. I said in my testimony that one of the most \nfrightening parts of this whole incident is that, had it not \nbeen for an inadvertent set of circumstances totally unrelated \nto this issue, we might not have known about it today. We might \nnever have known about it, and that is a frightening thought. \nAnd we have identified a couple of suggestions of a more \nintense activity logging at the laboratory and monitorship with \nnew software that can be costly, but may be necessary to make \nsure that other breaches, other similar breaches, are not \noccurring. Prevention is the key, in my view.\n    Mr. Stupak. OK. My time is up. Hopefully we will go around \nfor a second round.\n    Next let me turn to the ranking member, Mr. Whitfield from \nKentucky.\n    Mr. Whitfield. Thank you very much, Mr. Chairman, and I \nthank the witnesses for their testimony this morning.\n    All three of you have extensive experience in this area, \nand the consensus appears to be that Los Alamos is sort of, for \nlack of a better term, the problem child. All of these weapons \nlabs have had some problems, but the Los Alamos problems seem \nto be more serious and certainly more frequent. And I know that \nthe University of California does manage the Lawrence \nLivermore--has the contract for that, and for 60-some years had \nthe contract at Los Alamos and now is a 50-percent participant \nin the new consortium.\n    That\'s correct, isn\'t it?\n    Mr. Friedman. That is roughly correct, yes.\n    Mr. Whitfield. OK. Now, just from your personal experience, \nhow would you explain if you were talking to a Rotary Club in \nHopkinsville, KY, what your theory is as to why Los Alamos has \nso many breaches when you have had, for many years, the same \nmanagement contract responsibility at both Los Alamos and \nLivermore?\n    I would like to ask each one of you to just give me your \nimpressions as to why that is the case.\n    Mr. Friedman. Well, I don\'t, Mr. Whitfield, have a good \nanswer for that question. I mean, it is an extremely important \nquestion, and despite spending years at looking at all of the \nlaboratories, I don\'t have a good answer. I wish I did. I think \nit would get to the heart of the cure.\n    But what I would say is that Los Alamos is slightly \ndifferent. I think Livermore--and I might be wrong about this--\nis essentially located on 1 square mile of territory. Sandia is \nlarger, but I think none of them have the diversity, the \ngeographic diversity, if nothing else, and that may be a \ncontributing factor to the problem. I mean, as we have pointed \nout in the testimony, and as has been discussed earlier, we \nfound, I believe, 2,700 classified computing environments. We \nhave long taken the position that closing, reducing the \nfootprint is the way to go, and it may well be that the number \nof classified computing environments, the number of classified \nmaterials that are there in sheer numbers, may be part of the \nproblem.\n    Mr. Whitfield. What about you, Mr. Podonsky? What would be \nyour thought.\n    Mr. Podonsky. Well, sir, to put it in context, we\'ve been \ninspecting independently the operations of this lab as well as \nthe entire complex now since 1984, and our observations and \ncontinuing issues that have developed is the lack of \naccountability, which is why I say in my opening testimony and \nwhy the committee here all talks about the preceding managers \nthat have come up and make the statements about, now we did it, \nnow we are serious, which is why I made a very poignant \nstatement that I do believe that Secretary Bodman and Deputy \nSecretary Sell not only are as committed as previously, but \nthey are taking action. I have been through a number of \nprevious Secretaries through all of these incidences and come \nup with great plans, but they don\'t get converted into action.\n    Mr. Whitfield. OK.\n    Mr. Podonsky. So, specifically to your question, sir, I \nwould say that it\'s accountability and holding people \nresponsible for the jobs that they have out there, and we have \nnot seen that consistently at Los Alamos through the years and \nat some other places, but predominantly at Los Alamos.\n    Mr. Whitfield. Can I assume that you and Mr. Sell and Mr. \nBodman are supporting the Barton-Dingell-Stupak-Whitfield \nlegislation to remove NNSA from the equation.\n    Mr. Podonsky. I can\'t speak for the Secretary or for the \nDeputy Secretary. I can only speak for myself, and I have not \nseen that correspondence.\n    Mr. Whitfield. OK.\n    Ms. Brian, what about the question?\n    Ms. Brian. I have been struggling with this question for a \nwhile myself. I think it is a combination, as I mentioned in \nthe joke that goes around, that there is a different attitude \nat Los Alamos, and I think because of that different attitude, \nthey are more difficult at the Federal level to manage. And I \nthink the bottom line is when you get the push-back from Los \nAlamos, and the Federal structure is not there, really, with \nthe willingness to stick with them and demand change, I think \nthat is where there is really the breakdown that I think we can \nbe enforcing on.\n    Mr. Whitfield. OK.\n    Mr. Podonsky, let me ask a question. In 2004, Los Alamos \nwas closed down for 6 months because of security breaches. What \nwas the dollar amount of the penalty that the University of \nCalifornia system had to pay at that time for that breach?\n    Mr. Podonsky. I am not aware of what the penalty was, sir.\n    Mr. Whitfield. Who would know that.\n    Mr. Podonsky. I believe the next panel--or the third panel \nwould.\n    Mr. Whitfield. OK.\n    Mr. Barton. Would the gentleman yield on that?\n    Mr. Whitfield. Yes, sir.\n    Mr. Barton. Was there any penalty?\n    Mr. Podonsky. Mr. Barton, I\'m not aware of any penalty that \nwas associated with this shutdown.\n    Mr. Barton. So there was zero penalty then?\n    Mr. Stupak. If the gentleman would yield, it cost the \ntaxpayers $350 million. Who paid for that other than the \ntaxpayers? Are we back with the same problems?\n    Mr. Whitfield. My time has expired.\n    Mr. Stupak. I thank the gentleman.\n    Mr. Dingell, questions? We are doing 5 minutes now, and \nwe\'ll go another round.\n    The Chairman. Mr. Chairman, thank you for the courtesy.\n    I find this again, as I indicated, sort of a Groundhog Day \nor perhaps deja vu all over again.\n    Mr. Podonsky and Mr. Friedman, I would like to summarize \nsome of the key findings of your recent work at Los Alamos.\n    Mr. Friedman, isn\'t it correct that your team went out to \ninvestigate the event, and that you, in fact, spent a \nrelatively short period of time on the ground, yet in that \nshort period you found a lot of serious problems at the site? \nIs that correct?\n    Mr. Friedman. That\'s correct, Mr. Chairman.\n    The Chairman. Mr. Friedman, in fact, didn\'t your \ninvestigation of the recent incident reveal that in a number of \nkey areas that security plans and policies were either applied \ninconsistently or not followed in some cases or, in others, \nnonexistent?\n    Mr. Friedman. That is correct.\n    The Chairman. Mr. Friedman, isn\'t it true that your audit \nrevealed that the critical cybersecurity internal controls and \nsafeguards were not functioning as intended at various places \nacross the LANL?\n    Mr. Friedman. Yes, sir.\n    The Chairman. Now, Mr. Friedman, isn\'t it also correct that \nmonitoring by both the laboratory and Federal officials was \nalso found to be inadequate or, in other cases, nonexistent?\n    Mr. Friedman. It was.\n    The Chairman. Isn\'t it correct also, Mr. Friedman, that \neven though the network engineering officials and others within \nthe lab\'s Chief of Information Office expressed concerns about \nopen ports and problems with managing tamper-indicating \ndevices, and these concerns were largely ignored by LANL \nofficials?\n    Mr. Friedman. Yes. And can I elaborate on my answer on that \none, Mr. Chairman?\n    The Chairman. Now, Mr. Podonsky, I believe your testimony \nalso says that Los Alamos received the lowest set of \nperformance ratings for security and emergency management since \n1999; is that correct?\n    Mr. Podonsky. Yes, sir.\n    The Chairman. Now, Mr. Friedman and Mr. Podonsky, both of \nyou know that I\'ve been working at this security problem for \nmore than a little while.\n    Mr. Podonsky, you indicated Los Alamos received some of the \nlowest scores since 1999 on security issues.\n    Mr. Friedman, your report found that there was a core \nbreakdown of Los Alamos\' ability to protect classified \ninformation.\n    That\'s correct, is it not, gentlemen?\n    Mr. Friedman. Yes.\n    Mr. Podonsky. Yes, sir.\n    The Chairman. Would you like to tell us what is going on \nhere? And we are going to ask the Secretary why we need to keep \non having these hearings.\n    What comments do you have, gentlemen?\n    Mr. Friedman. Well, I think your series of questions, Mr. \nChairman, from my perspective, basically outline--as you say, \nwe have been on the ground for a relatively short period of \ntime, although we have a resident staff at Los Alamos who spend \na lot of time there, but to say that the system we found in \nplace was inadequate to protect the material is an accurate \nreflection of what we found.\n    The Chairman. Mr. Podonsky, are you going to comment?\n    Mr. Podonsky. Yes, sir. I do not disagree with your \nstatements. The only thing I would like to again point out to \nthe committee is that, when our inspection team was at the \nsite, we again did determine that the nuclear material was \nprotected, and that\'s not insignificant. That is something, Mr. \nChairman, as you\'ll recall back in the 1980\'s we paid a lot of \nattention to. That doesn\'t make it a good story, because the \nclassified matter is something of grave concern to all of us, \nand as my colleague Mr. Friedman has talked about, we do \nbelieve that Los Alamos has a mission to perform for the \ncountry, but the security performance that they\'ve demonstrated \ninspection after inspection continues to leave us concerned and \nbaffled.\n    The Chairman. Now, I would like to direct this to the \npanel, but with particular emphasis to Danielle Brian.\n    A statement here says this,\n\n    Now, in the most recent incident, a subcontractor employee \nfreely took over 200 pages of hard-copy, classified documents \nand over 400 classified documents on flash drives to her home, \nwhich she shared with a drug dealer. This could only have \nhappened if there was a complete collapse of multiple \nsupervisory and security systems. It is only by happenstance \nthat she was caught, not because of an effective security \nsystem in place. We never know--we would never have known about \nthis security breach if it hadn\'t been for a domestic \ndisturbance.\n\n    Then she goes on to say this,\n\n    Furthermore, we have no way of knowing how many other \nincidences like this are out there or have flown below the \nradar. It is important to remember that NNSA attempted to keep \nthis incident secret from Congress and the public until POGO \nlearned about it about--learned about it 8 days after a local \npolice raid.\n\n    Then here, as a side note,\n\n    If media reports and statements by investigators are \naccurate, this most recent case points to extraordinary \nfailures in the personnel security clearance process in \naddition to cybersecurity failures at the lab.\n\n    Now, my concern here is we seem to have a situation where \nthe process has broken down, whether there just is a lack of \nwill or there isn\'t a competence on the part of the agency to \ndo what needs to be done. Would you each like to tell us what \nyour feelings are on this matter?\n    Could I just ask for 1 minute more, Mr. Chairman, please?\n    Mr. Stupak. Without objection.\n    The Chairman. What do you have to say, ladies and \ngentlemen?\n    Ms. Brian. Well, that is what I had to say.\n    I think the problem here is a combination of extraordinary \nbreakdowns. Maybe the systems aren\'t even there, and it\'s not a \ncase of broken systems, but I am also equally concerned that at \nthe time this was becoming known at Los Alamos, there was a \nreal effort to make sure that people in the Congress didn\'t \nknow about it. They were hoping they would make this go away.\n    The Chairman. Thank you.\n    Mr. Podonsky and Mr. Friedman.\n    Mr. Podonsky. We did not investigate the actual \ncircumstances. As I said in my testimony, Mr. Friedman did the \ninvestigation. We were there doing a comprehensive safeguard \nsecurity inspection which gave us an overall, comprehensive \nreview of the various topics, but we did see clearly the \nlaboratory suffering from a lack of policies, procedures, \nadequate management, adequate oversight--both contractor and \nFederal--and all of that would contribute, we believe, to the \nincident that the Inspector General investigated.\n    The Chairman. Thank you.\n    Mr. Friedman.\n    Mr. Friedman. Mr. Chairman, you made a point in your \nearlier questioning that I wanted to comment on which I think \nwould respond to this question as well.\n    You pointed out, which was a good read of our report if I \nmay say so, that we found that, I think it was in the March \n2006 time frame, there was e-mail communication, within the \nlaboratory about the concern about open ports. So, in other \nwords, the institution itself identified that as a problem, and \nthere was a fair amount of traffic, e-mail traffic, on that \nissue.\n    And it gets to the point that I was trying to make earlier \nabout closing the deal, sustainability and the ultimate fix, \nand that is that, tragically, even though it was discussed \nextensively--and I think it was in March 2006, and I don\'t have \nthat instant recall. I think that\'s the right date--no one took \nit to the next step, which is to make sure that the proper fix \nwas implemented to address the concern. Now, it was not of \nuniversal concern. There were people at the laboratory who \ndidn\'t think the open ports were a serious problem, but there \nwere enough people who did, and it would seem to me--and I \nthink this is, perhaps, revealing as to the essence of the \nproblem--that they didn\'t address the problem then and resolve \nit.\n    The Chairman. Your comments earlier in response to a \nquestion were that we ought to give the laboratory the benefit \nof the doubt. I wonder if, after this commentary, you are in \nagreement that we ought to give them the benefit of the doubt.\n    Mr. Friedman. Well, I think I\'m the one who said it, Mr. \nChairman, so I will stand by the statement.\n    First of all, I think the laboratory is an extraordinary \ninstitution, and second, I think that in fairness--and believe \nme, I am not here--I probably write more critical reports about \nLos Alamos than anyone, but in fairness, I think the new \ncontractor is really brand new, was brand new when this \noccurred, and they deserve an opportunity to try to fix the \nproblem, and if they can\'t fix the problem, I\'d be the first \none to sit before you and tell you that a much more radical \nsolution needs to be tried.\n    The Chairman. Thank you, Mr. Chairman.\n    Mr. Stupak. Next, Mr. Barton from Texas.\n    Mr. Barton. Thank you. Some of the statements just kind of \nstrain credulity.\n    Mr. Friedman, who was the old contractor?\n    Mr. Friedman. The University of California.\n    Mr. Barton. Who is the new contractor?\n    Mr. Friedman. I think it\'s a consortium. I believe it\'s a \nlimited----\n    Mr. Barton. Come on. Who is the new contractor? It is the \nUniversity of California. They\'ve got a consortium, and there \nmay be some different players, but the University of California \nhas had this contract for 60 years. They were the old \ncontractor; they are the new contractor; is that not correct?\n    Mr. Friedman. Well, I----\n    Mr. Barton. Yes or no?\n    Mr. Friedman. No, actually.\n    Mr. Barton. It\'s not?\n    Mr. Friedman. No.\n    Mr. Barton. They are not part of it?\n    Mr. Friedman. They are the primary science player, there is \nno question about that, but the whole concept, as I understand \nit----\n    Mr. Barton. They have 50 percent of the contract.\n    Mr. Friedman. That\'s true, but it----\n    Mr. Barton. The person who has been moved to the new--who \nis the new lab director is a University of California employee.\n    Mr. Friedman. That is correct.\n    Mr. Barton. The Bechtel individual, who is the top person, \nhas already left; is that correct?\n    Mr. Friedman. That is correct, yes.\n    Mr. Barton. Now at least be honest with the committee.\n    Mr. Friedman. Well, I have tried to be honest, Mr. \nChairman.\n    Mr. Barton. This semantics about old and new is an affront \nat least to me. My gosh. Is it not true that under the new \ncontract the performance part of it is at risk if there is a \nsecurity lapse?\n    Mr. Friedman. Well, let me give you the read of the \ncontract as I understand it, Mr. Barton, and there are people \nat least on the third panel who are the negotiators of the \ncontract who can give you more detail.\n    In its full bloom, my understanding is there\'s about a $70 \nmillion-a-year potential award fee, 30 percent of which, as I \nunderstand it, is----\n    Mr. Barton. It is $73,280,000 to be exact.\n    Mr. Friedman. As I understand it, 30 percent of it is \nfixed, and 70 percent is at risk. That\'s the way I understand \nthe formulation of the contract. I believe there also is a \nprovision--and I\'m not an expert on the contract. There are \npeople here who are. I believe there are provisions that, in \nextraordinary circumstances, at least the entire at-risk \nportion can be withheld from the contract.\n    Mr. Barton. Is it not true that, in your testimony, you \nsuggested that there\'d be a serious withholding of the \nincentive part of the contract?\n    Mr. Friedman. Yes, sir, I did.\n    Mr. Barton. Do you want to put a number on that? How \nserious is ``serious\'\'? The safeguard and security execution \npart of the mission success is $3 million.\n    Mr. Friedman. Yes.\n    Mr. Barton. Is that serious, or do you think ``serious\'\' \nwould be $10 million?\n    Mr. Friedman. No, I think it may be $3.8 million, Mr. \nChairman, but I don\'t think that\'s serious money.\n    Mr. Barton. Mr. Stupak is the chairman. I am the ranking \nmember.\n    Mr. Friedman. Mr. Ranking Member then. I apologize.\n    Mr. Barton. I\'m just at a loss here.\n    I\'m going to ask Mr. Podonsky something.\n    The gentle lady next to you indicated that the contractor \nat the site office has 20 vacancies. Is that your \nunderstanding?\n    Mr. Podonsky. I do not know the exact number, but, yes, I \ndo know that they are short.\n    Mr. Barton. What is the number--what would be the full \ncomplement? Is it like 40 people at the site office, 100 \npeople?\n    Mr. Podonsky. Mr. Barton, I do not have that number. That \nwould be--the NNSA would have that number, but I would just \ntell you that I do know that they\'re short on qualified Federal \nstaff.\n    Mr. Barton. OK.\n    Ms. Brian, do you know how many people would be the full \ncomplement if they were fully manned at the site office?\n    Ms. Brian. I don\'t know. I do know that of the 20 \nvacancies, a large percentage of them are in the security and \nsafety area for the site office.\n    Mr. Barton. Does that, to you, indicate that the Department \nis serious and the new contractor is serious about this?\n    Ms. Brian. Well, that\'s actually the Federal Government.\n    Mr. Barton. I understand that.\n    Ms. Brian. So my worry is that DOE isn\'t serious or NNSA.\n    Mr. Barton. OK. Could we get that information, what the \ntotal staffing is and what these vacancies are?\n     Mr. Podonsky, do you think that we ought to fill those \nslots?\n    Mr. Podonsky. Yes, sir. I think that they need to be filled \nwith the right qualified people because this laboratory needs \nappropriate Federal oversight from the NNSA.\n    Mr. Barton. My time has expired, Mr. Stupak.\n    Mr. Stupak. I thank the gentleman.\n    Ms. DeGette.\n    Ms. DeGette. Thank you very much, Mr. Chairman.\n    Mr. Friedman, I wanted to ask you some questions about what \nyou had said in response to several of the other Members\' \nquestions.\n    The first thing is you said that we really need to give \nthis new contractor a chance, and that we need to--if we need \nto do something dramatic, we should do it down the road. So I\'m \nkind of wondering how long is that road, because I\'ve been \nsitting here in this subcommittee since 1999 hearing these \nassurances. I understand what you\'re saying about the quality \nof people that we have there and the high-level work that\'s \ngoing on, but how much longer do you think we need to be \npatient? How much longer do we need to give these folks to fix \nthese problems?\n    Mr. Friedman. Well, my view is, from the start date, it \nshould be probably 1 year.\n    Ms. DeGette. One year from June? So until this June?\n    Mr. Friedman. This June, yes.\n    Ms. DeGette. And do you think that--and my second question \nis how will we know if the new contractors have fixed the \nproblem? Will we know that if the local law enforcement \nauthorities bust some people or if the local newspapers have an \nexpose? How are we going to know if the problem\'s been fixed?\n    Mr. Friedman. Well, with 12,000 people there, you may never \nknow for sure. I understand that, but I think in the next 6 \nmonths\' time what will be devoted by the Department is an \nintensive examination of all aspects of the function of the lab \nto make sure that the problems have been addressed.\n    Ms. DeGette. Well, do you think we haven\'t had that \nintensive examination in the many past times that we\'ve worked \non this?\n    Mr. Friedman. I do not think we\'ve had that intensive \nexamination.\n    Ms. DeGette. That\'s just appalling to me because they \nclosed down the lab after we visited in 2004, and you don\'t \nthink they did that intensive examination?\n    Mr. Friedman. Well, I think they did an intensive \nexamination, but the point I\'ve been trying to make is that, \nonce they did the intensive examination, did they sustain an \naggressive program to address the problems that were \nidentified, and that\'s the concern that I\'m expressing today.\n    Ms. DeGette. Do you have some specific recommendations as \nto what the Department can do to do this intensive examination \nwithin the next 6 months?\n    Mr. Friedman. Yes.\n    Ms. DeGette. Would you mind supplementing your responses by \ndelineating those specific things that the Department can do?\n    Mr. Friedman. Certainly.\n    Ms. DeGette. Thank you.\n    Ms. Brian, what is your view about all of this that we \nshould give some time for the Department to clean this up, and \nthen it\'ll be fixed?\n    Ms. Brian. I respectfully disagree with Mr. Friedman.\n    I think that the first thing is that the DOE needs to get \nits house in order and NNSA, and then I think the contractor \nwill ultimately follow in line. I just think that the \nGovernment hasn\'t been doing its end of the job.\n    Ms. DeGette. And what do you think the Government can do?\n    Ms. Brian. I think we need to have sincere--well, one of \nthe things that I think is really important is that a lot of \nthese issues, as I discussed in my written testimony, are \ninfuriatingly familiar.\n    Ms. DeGette. Right.\n    Ms. Brian. We\'ve known about these problems before. We\'ve \nhad IG and various iterations of Mr. Podonsky\'s office make \nrecommendations, and nothing has--no one has required the \npeople at NNSA to actually implement these recommendations. \nWe\'ve had Secretaries--in fact, the issues that--I think it was \nMr. Walden who was raising them with the glue sticks. Those \nwere the kinds of things that were supposed to have been dealt \nwith back with Secretary Richardson----\n    Ms. DeGette. Right.\n    Ms. Brian [continuing]. And they\'ve been buying new \ncomputers for the last 10 years with the USB ports because, as \nI learned, the people who were in charge of buying the \ncomputers at Los Alamos weren\'t really talking to the \ncybersecurity people to realize that they didn\'t want to have \ncomputers with USB ports.\n    Ms. DeGette. Mr. Podonsky, do you have a view on that? Do \nyou think this problem can be fixed in 6 months without any \nsubstantial changes?\n    Mr. Podonsky. No. We do believe that there needs to be \nsubstantial changes, and we do believe that this Secretary and \nthe Deputy Secretary are moving towards that direction. They\'re \nnot just promissory notes of the past. We\'ve seen actions taken \nthat we have never seen in 25 years of this Department where \npeople were actually held accountable.\n    You do need to have performance measures that the \ncontractor\'s held accountable against. We also have an \nenforcement function within the office that we also need to \nemploy.\n    So there are a lot of--a lot of tools for the Department to \nexercise now and get on with fixing the laboratory together \nwith fixing the NNSA and the policy of the Department.\n    Ms. DeGette. Do you think, Mr. Friedman, that the physical \nsize of Los Alamos is a problem?\n    Mr. Friedman. Yes, I think it\'s a challenge.\n    Ms. DeGette. And what can we do to deal with that \nchallenge, do you think?\n    Mr. Friedman. Well, first of all, we can make a concerted \neffort to consolidate functions, reduce the number of vaults, \nreduce the number of classified computing environments. I don\'t \nknow how practical that is. I think it\'s something that we need \nto look at very carefully.\n    Ms. DeGette. Thank you.\n    Mr. Friedman. Second, I think we need to enclose the \nfootprint so that the security perimeter is reduced so physical \nsecurity will be--will be somewhat easier.\n    Ms. DeGette. Mr. Chairman, I think a good time for a \nfollow-up hearing--I mean, we should have some interim ones, \nbut we also need to have one in June to mark the 1-year \nanniversary and see how they fixed all these problems.\n    Mr. Stupak. Mr. Burgess, questions?\n    Mr. Burgess. Thank you, Mr. Chairman.\n    Mr. Podonsky, we have been through--I have been through at \nleast 2 years of these travails, and it seems like every \nsecurity incident that has been reviewed has been by an \nemployee who has received a security clearance; is that \ncorrect?\n    Mr. Podonsky. My recollection is that predominantly cleared \nindividuals have been violating DOE\'s requirements.\n    Mr. Burgess. Was that the case in this most recent event in \nOctober?\n    Mr. Podonsky. I believe so.\n    Mr. Burgess. OK. And the individual who claimed assault at \nthe bar a couple of years ago, was that also an individual who \nhad been cleared?\n    Mr. Podonsky. I believe that is the case.\n    Mr. Burgess. Is there a problem with how we\'re granting \nclearances to--how NNSA is granting security clearances?\n    Mr. Podonsky. The personnel security process is one of--the \ntask force that the Secretary initiated at the beginning of \nthis event after Mr. Friedman\'s report was to look at personnel \nsecurity, specifically at the case in question as well as DOE-\nwide. Concurrently there was a review that had begun by Deputy \nSecretary Sell in May of last year where we were looking at \npersonnel security processes.\n    So the short answer is, yes, we do believe that personnel \nsecurity processes within the Department and, in fact, the \nentire executive branch which are being looked at by the OMB \nright now are something that we need to get on with, and that\'s \nwhat we\'re doing, and we\'re going to be making recommendations \nto the Secretary and the Deputy Secretary at the end of \nFebruary of what to do with the personnel security program \nwithin the Department of Energy.\n    Mr. Burgess. Will that include any type of program that \nlooks at cleared individuals in an ongoing fashion?\n    When I was there in July 2005, it was right after the \ncredit card abuses came to light, and it appeared, as I recall, \nthat those were cleared individuals who had then subsequently \ndeveloped either domestic problems or substance abuse problems \nthat led them to misuse the credit cards, and you can just \nimagine that other things may have happened also as a result.\n    So will there be an ongoing evaluation?\n    Mr. Podonsky. The recommendations that, I believe, are \ncoming out of the task force will be covering both from the \nbeginning of hiring all the way through current employees so \nthat we have an ongoing review of people holding clearances.\n    Mr. Burgess. Inspector Friedman, do you think, in \nretrospect--I reference the RFP process that the lab just went \nthrough. Chairman Barton also referenced the contractor. Do you \nthink that was an open and fair process?\n    Mr. Friedman. Frankly, Dr. Burgess, I have no information \nthat it was not. Unfortunately, there were two proposals, as I \nunderstand it, in the final field, but I have no reason to \nbelieve it was not open and fair. I have no information to that \neffect.\n    Mr. Burgess. Would that be in the purview of the Inspector \nGeneral\'s Office to know that, or is that outside your \ncapabilities?\n    Mr. Friedman. No, it\'s not outside our capabilities, and, \nby the way, if there had been concerns by proposers that were \nnot considered, it would not be unusual for us to get \ncomplaints about that, and to the best of my recollection, and \nI could be wrong about this, I don\'t think we received any \ncomplaints along those lines.\n    Mr. Burgess. And yet some of just the traffic from the \nbloggers on line--and I realize that that carries its own \ninherent dangers, but there is some question as to whether or \nnot the current contractor was, in fact, the best one and is \nthe best one going forward.\n    Again, I don\'t know whether it\'s the purview of this \ncommittee to investigate that process, but, Mr. Chairman, I for \none certainly wonder if we oughtn\'t to look at that.\n    Ranking Member Barton asked about the fines. The amount of \nmoney levied so far against the current contractor, do we have \na dollar figure on that?\n    Mr. Friedman. Are you referring that question to me?\n    Mr. Burgess. Yes, sir.\n    Mr. Friedman. I do not have a number on that, no.\n    Mr. Burgess. Is there a way to--for anyone, is there a way \nto get that dollar figure on the fines levied against the \ncontractor?\n    Mr. Friedman. Well, respectfully, the third panel, I think, \nincludes people who would have that information.\n    Mr. Burgess. Does the contractor recognize the amount of \ndollars that they are putting at risk?\n    Mr. Friedman. I suspect they know the contract intimately.\n    Mr. Burgess. OK.\n    Mr. Friedman, just to finish up, your statement said the \ncriminal investigation into the matter last fall is ongoing and \nmay yet reveal additional security problems.\n    In an open session can you expand on that statement?\n    Mr. Friedman. Well, simply, the FBI has been conducting a \ncriminal investigation from the get-go, and the purpose of that \nstatement in my testimony--and I think it\'s in our report as \nwell if I\'m not mistaken--is that until their investigation is \ncomplete, we don\'t know what will turn up. There may be more.\n    Mr. Burgess. What would be a reasonable time frame for this \ncommittee to expect that that investigation will take?\n    Mr. Friedman. That\'s within the purview of the FBI, sir, \nand I have no idea.\n    Mr. Burgess. Mr. Chairman, will we be privy to that report \nwhen the Department of Justice completes that?\n    Mr. Stupak. That\'s a good question. We\'ll double check on \nit. I don\'t see why not, but let\'s double check first.\n    Mr. Burgess. All right. My time has expired.\n    Mr. Stupak. The gentleman from Louisiana Mr. Melancon.\n    Mr. Melancon. Thank you, Mr. Chairman.\n    I guess, Mr. Friedman, one of the first things when you \nlook at--and I understand there\'s a problem with the drug use, \napparently, with this one particular breach, but apparently \nthere\'s some additional problems out there within.\n    Does the staff or the security people require or do the \nrandom drug sampling, the urine test, at all on the employees, \nor is it ``you\'re hired\'\'?\n    Mr. Friedman. I\'m in open session. Part of your question I \nthink I can address, but part of it I would prefer not to \naddress.\n    My understanding is--and, again, there are people who are \non the third panel who can address the issue of the current \npolicy. My understanding is that they have implemented a random \ndrug test for all Los Alamos employees, but I may be wrong \nabout that, and you\'ll need to ask the third panel, sir.\n    Mr. Melancon. And have you just done that just recently?\n    Mr. Friedman. Fairly recently, yes.\n    Mr. Melancon. With the time that\'s transpired with the \nissue of security breaches and you\'ve replaced the chain of \ncommand, the latest chain of command replacement took place \nwhen, how long ago?\n    Mr. Friedman. June 1.\n    Mr. Melancon. June 1 of last year?\n    Mr. Friedman. Correct.\n    Mr. Melancon. And that was subsequent of the close-down for \n7 months in 2004?\n    Mr. Friedman. Well, the contract changed hands on or about \nJune 1, 2006, and, yes, it was subsequent to the 2004 shutdown.\n    Mr. Melancon. OK. So somewhere between 2004 and last year, \nwhich was 2006, how was the lab run? Who was in charge?\n    Mr. Friedman. The University of California was the prime \ncontractor.\n    Mr. Melancon. And the on-site security?\n    Mr. Friedman. They ultimately were responsible for the on-\nsite security.\n    Mr. Melancon. Who did they subcontract out for the \nsecurity? I don\'t think the University of California is a \nsecurity company.\n    Mr. Friedman. Well, they are at some locations, \ninterestingly enough, and I forget the name of the contractor, \nto be honest with you; the subcontractor, I should say.\n    Mr. Melancon. The diversity of the science--and this is, of \ncourse, somewhat new to me--that\'s out there or the regimens \nthat you have out there of the different scientists, is there \nsome way--and I think maybe you spoke to it earlier. Is there \nsome way to isolate these and provide better security on each \nsector rather than just have these--and I haven\'t been to the \nfacility--12,000 people just coming and going wherever they \nwant to go?\n    Mr. Friedman. Well, there are a number of secure areas at \nthe facility, and it\'s worthwhile going to see it. It\'s quite \nimpressive. So I wouldn\'t say there are 12,000 people running \nback and forth at will. It\'s much more systematic and \ncontrolled than that. I\'m not sure if there\'s a practical way \nof doing it by discipline, but I haven\'t thought that through, \nI can\'t give you a good answer.\n    Mr. Melancon. Yes, I\'d like to go and see it. The only view \nI\'ve had of it was from across the valley at a friend\'s house \nat night with the lights, so getting in there and looking at \nit, I guess, close-hand would do me a whole lot of good.\n    I listened to the frustration of Ranking Member Barton and \nChairman Stupak and others who have been here and gone through \nthis for a period of time, and I guess to--we\'re to June.\n    Why did it take so long from the 7-month shutdown--and \nthat\'s another year, year and a half--before we got the new \ncontract in, and now we\'re waiting a year to see if we\'re going \nto get--what\'s the problems with moving this thing quicker? I \nmean, I know the numbers are big, but----\n    Mr. Friedman. Well, yes. I\'m not sure I can give you the \nprecise timeline, but in the general sense, the recompetition \nof this contract was a very turbulent issue. It was a very \ncostly issue. It was a very labor-intensive issue, and it was a \ntime--a time issue as well. It takes a long time to prepare the \nRFP, to address, hopefully, the issues that have been resident \nat Los Alamos for 64 years, and to go to the street, give \npeople time to propose, to evaluate the proposals, and to move \nforward.\n    So I don\'t know if that answers your question, but it is a \nvery time-consuming task.\n    Mr. Melancon. I\'m from south Louisiana. I\'ve seen inside \nbaseball, and they\'re getting plagued down in recovery efforts, \nso I think I can understand some of it.\n    Thank you. I have no more questions.\n    Mr. Stupak. Mr. Murphy.\n    Mr. Murphy. Thank you, Mr. Chairman.\n    Mr. Friedman, do we have information yet on what was the \nmotive for this theft?\n    Mr. Friedman. Mr. Murphy, It would be inappropriate--first \nof all, I don\'t know the answer to the question. It perhaps \nresides with the FBI, but at this point I don\'t know.\n    Mr. Murphy. Do we know yet--and I guess I would open this \nto all of you--what, if anything, was--I know there was also \ntalk about printers being bought and things like that--about to \nwhat extent things were copied, distributed and sold or who \nthese documents also went to?\n    Mr. Friedman. If you\'re directing that to me, I\'ll give you \nthe same answer. The FBI really, ultimately, will have to \naddress that.\n    Mr. Murphy. The same with Mr. Podonsky and Ms. Brian. Does \nanybody know yet?\n    Mr. Podonsky. I would say the same thing as Mr. Friedman. \nWe don\'t have the answers to that.\n    Ms. Brian. I can speak to the press reports from her \nattorney, which were that she was taking the work home to get \nextra work done, that she was behind.\n    Mr. Murphy. OK. Has anybody determined if there has been--\nif any of these contents have appeared anywhere else besides \njust there?\n    I guess what I\'m getting to here is, with regard to this \ninformation, that even though we\'re waiting for further details \nfrom the FBI, have we learned anything from this yet that can \nbe used to take other steps other than just blocking some of \nthe ways you can put in a thumb drive or something; but have we \nlearned how it affects security, of how it will affect hardware \nand software inspections, how people come on and off the site, \ntheir security clearances? Have we learned things from this, \nunique to this, that has affected what we\'re doing overall and \nwhat\'s been implemented, or are we still going to wait for the \nFBI reports on this?\n    Mr. Podonsky. I would start, first of all, Congressman, \nwith a task force that we are heading up on the personnel \nsecurity piece. We believe there is going to be a lot of \nserious lessons learned that are going to come out of the \nspecifics to the case as well as the broader issue on personnel \nsecurity that one of the members of the committee asked \nearlier.\n    We believe that, in terms of cybersecurity as well, there \nare also lessons learned that we know that the CIOs for both \nNNSA as well as the Department are looking at, and we also know \nthat the third panel will--has, in fact, done a damage \nassessment that they could probably talk about in executive \nsession.\n    Mr. Murphy. And I will look forward to that part.\n    I was just wondering here, while we\'re still in a public \nhearing, what we can assure the American public with regard to \nsome lessons learned, because it concerns me that this \nsubcommittee has looked at these issues for a long time. Your \ninspections give us pretty solid, yet frightening information \non the levels of breach of security, and we\'re still awaiting \nanother review before we determine what else we need to do when \nso much has been out there for a while, and so it\'s just \nsomething I just have to continue to raise the question of. \nWhat more do we need to know before we really put the heel down \non this?\n    Ms. Brian. Congressman, if I could answer one question, I\'m \nhoping by the end of this hearing that one thing that could \nchange is NNSA\'s pilot program at Los Alamos, which is \nessentially self-policing for safety and cybersecurity. I\'m \ngenerally not a big fan of self-policing as a rule, and I think \nthat a facility like Los Alamos hasn\'t earned the trust of the \nCongress or the public to be essentially left up to themselves \nto report when they have problems, and I think that\'s something \nthat should be changed immediately.\n    Mr. Murphy. Anybody else on that issue?\n    Mr. Friedman, do you have something on that?\n    Mr. Friedman. I did want to point out to you, Mr. Murphy, \nthat our report--and I think we have 14 recommendations for \ncorrective actions. They\'re not all-encompassing, all-\ninclusive, but we think it\'s a good start. The Secretary, as I \nindicated in my testimony, has a task force looking at those, \nand we\'ll be interested to see what their report says in \nFebruary in terms of how to convert those ideas into reality at \nthe laboratory, both at the Federal level and the contractor \nlevel.\n    Mr. Murphy. Mr. Podonsky.\n    Mr. Podonsky. As the independent overseer for the Secretary \nand the Deputy Secretary, I would just tell you that I have a \nprejudicial answer, and that is we don\'t think that self-\nassessment, by itself, is good, and the contractor should have \nFederal oversight. That\'s why we have contractors and the Feds \nmanaging them or should be managing them. So, while the NNSA \nhas this pilot proposed, we don\'t think it\'s ready for prime \ntime as exemplified by their performance to date.\n    Mr. Murphy. And I would add to that. We\'re waiting for \nfurther investigations. We\'re reviewing these 14 \nrecommendations. It seems to me a lot of time is ticking by, \nand I\'m just frightened, and I shudder to think what is out \nthere and what else could be happening while all these breaches \nhave occurred and continue to occur. So we will hopefully speed \nup this whole process.\n    Thank you, Mr. Chairman.\n    Mr. Stupak. I thank the gentleman.\n    Mr. Green from Texas, questions?\n    Mr. Green. Thank you, Mr. Chairman.\n    Mr. Podonsky, you state in your testimony that 25,000 \nunclassified workstations and servers were not certified or \naccredited. What does that actually mean? Are they unprotected \nworkstations?\n    Mr. Podonsky. No, sir. I should--I should clarify that the \ncertification and accreditation process makes sure that \nsecurity features are in place and operating as designed. When \nyou didn\'t--when they didn\'t do the accreditation of the 25,000 \nunclassified workstations, they did do a network accreditation. \nOur cyber experts tell me that that\'s not sufficient, because \nyou don\'t know if you have individual vulnerabilities on those \n25,000 computer workstations. So that\'s something that--what we \nbelieve should be done and should be included in their \ncertification and accreditation process.\n    Mr. Green. It seems like--and, again, you\'ve heard it from \nevery Member up here for the last at least 8 years, I guess--\nwe\'ve identified problems time and time again and identified \nsolutions, but for some reason there\'s no follow-through on \nclosing the deal. I know it\'s a great task to do--to just deal \nwith those 25,000 workstations and servers, but why wasn\'t that \ndone before this particular person walked out with the disk? It \nseemed like that would have come up in the last 8 years before, \nat least before this committee, and is there a problem, and \nnobody knows how to implement the solutions to it?\n    Mr. Podonsky. Well, sir, we\'ve identified that the lab has \ninadequate cyber plans, policies and procedures; incomplete \nrisk management processes; weak self-assessment. So there\'s a \nwhole litany of things that the laboratory could do to fix \nthis.\n    Mr. Green. OK. I imagine this is not news to anyone sitting \non this panel for the last 8 years. As I said, I just came back \nafter 6 years off of it.\n    Why can\'t it be fixed? Why can\'t we have this? Since it\'s a \nnew contract, I assume when it went out for bids, this new \ncontractor was security-conscious, and is it just not an issue \nthat makes it to the floor of the actual Los Alamos?\n    Mr. Podonsky. Sir, if you\'re addressing that to me, I would \nanswer it can be fixed, and I believe, under the current \nleadership of the Department, it will be fixed. As I said for \nmy third time now, having listened to all the plans before, to \nanswer your question specifically, it is that the contractors \nin years past have not been held accountable to do what the \nDepartment has expected them to do.\n    Mr. Green. Mr. Friedman, do you have a comment on that?\n    Mr. Friedman. Well, a number of failures that we identified \nin our report, Mr. Green, are low-hanging fruit: plug the holes \nwhere they should be, the ports where they should be plugged, \nessentially segregate duties where they need to be segregated, \nensure that there\'s adequate monitoring. I mean, these are not \nhigh-tech, costly, time-consuming, difficult things to do, and \nthey should be done--they should have been done \ninstantaneously, and if the lab has not taken steps to do those \nat this point, I would be very discouraged and very \ndisappointed.\n    Mr. Green. Well, Mr. Chairman, it seems like I\'m refreshing \nmy memory on this. I remember, over the years, we\'ve had--this \nis really a college campus. The security is mostly research, \nwhat they\'re doing, and they\'re more interested in that. And it \nseems like, since the last time I was on the committee, we \nhaven\'t seen any changes even though it went out for bid, and I \nhope the next panel, even in closed session, will show us what \ncan be done from--to make sure that this oversight \ninvestigation committee doesn\'t continue to be dealing with \nwhat\'s happening at Los Alamos for almost a decade now, so--and \nI yield back my time.\n    Mr. Stupak. I thank the gentleman.\n    The Members have just a couple of quick follow-ups. We\'re \ngoing to switch to 2 minutes and just a quick follow-up with \nthis panel, and then we\'re going to ask Mr. Friedman and Mr. \nPodonsky to stay because we will go to executive session a \nlittle bit later, but we\'d like to get the other panels done \nbefore we move to executive session.\n    So, with that, for 2 minutes, I\'ll just recognize myself \nfor 2 minutes.\n    In questions Mr. Green put forth and throughout the \ntestimony today, we\'ve heard that the system breaks down; \nthere\'s broken systems; it\'s inadequate.\n    In July 2004, the lab was shut down. They were doing this \nextensive review. Everything was supposed to be fixed up for \nthat. It cost the taxpayers $350 million.\n    So what happened? The $350 million and the 6-month shutdown \ndidn\'t accomplish anything? The systems weren\'t updated? The \nholes weren\'t plugged? What happened? What did we get for $350 \nmillion besides a shut-down lab for 6 months?\n    Mr. Friedman. Are you directing that to me?\n    Mr. Stupak. Sure, Mr. Friedman.\n    Mr. Friedman. Look, Mr. Chairman, if I gave anybody the \nimpression by my earlier testimony that I think that the \nsituation you find now is OK and it will get better \nautomatically, I left the wrong impression, and I apologize for \nthat.\n    I am extremely discouraged and disappointed that after the \nlitany of reports and the series of unsettling events that have \ntaken place, that the simple fixes that are obviously readily \navailable have not been in place, regardless of whether there \nis a new contractor or not.\n    So if you are asking what we got for our own money, it \nseems to me if this is the result, we did not get a lot for our \nmoney.\n    Mr. Stupak. As I stated earlier, Mr. Friedman, in your \nreport you said. Reviewing serious breakdown in the core \nlaboratory security controls. Core. Their very basic, \nfundamental security is broken down. If we couldn\'t fix it \nafter shutting it down for 6 months and $350 million, how do we \nfix it now other than we have a new person coming on board?\n    Mr. Friedman. Well, I think I tried to lay it out. As I \nsaid, we have 14 recommendations in our report, and I try to \nlay out some bigger-picture items that we talked about. One is \nthe question of real accountability, significant material \nimpact on award fees, reassignments, terminations; perhaps a \nchange of the mix of the mission of the lab is a possibility. \nSo I think there needs to be some really fundamental changes to \nshake up the system to ensure that there is a sincere \ndedication to fixing these problems. We haven\'t seen it yet.\n    Mr. Stupak. My time has expired. Let me ask one question if \nI may.\n    Los Alamos has a great record. They have great people \nthere, top scientists, some of our best, most sensitive work \nthere, no doubt about that. But I asked a question last hearing \nand never really got an answer. Maybe you can answer it now \nafter some time reflecting upon it.\n    What do we do at Los Alamos that cannot be duplicated or \ndone at the other labs? Is there anything so unique that can \nonly be done at Los Alamos and not at the other labs?\n    Mr. Friedman. Well, let me try to answer it this way. You \ndid ask that question in a hearing that I participated.\n    Mr. Stupak. And no one has come can up with a unique \nmission.\n    Mr. Friedman. It seems to me once you get past the \nfacilities, the physical plant, and there are unique aspects of \nthe physical plant that would cost hundreds of millions, if \nperhaps billions, to replicate, once you get past the core of \nthe extraordinary intellectual invigoration that exists there, \nthe people with the unique talents, it seems to that--the \nfundamental issues that go on there could be done someplace \nelse. I think the answer to your question is yes.\n    Mr. Stupak. Mr. Whitfield.\n    Mr. Whitfield. Thank you, Mr. Stupak.\n    Mr. Podonsky, under the terms of the new contract with LANS \nat Los Alamos, and when it comes time to assess penalties or \nfees which we had discussed a number of times today, does the \nNational Nuclear Security Administration have the primary \nresponsibility of enforcing the contract?\n    Mr. Podonsky. For enforcing the contract, yes, sir.\n    Mr. Whitfield. And could you just briefly explain the \nprocess that would be entailed in assessing a penalty under the \ncontract?\n    Mr. Podonsky. Not under the contract. I would have to \nrequest that you defer that to the third panel.\n    Mr. Whitfield. So you are not involved in that at all?\n    Mr. Podonsky. Not in that type of enforcement.\n    Mr. Whitfield. Thank you.\n    Mr. Stupak. Mr. Melancon, any questions to follow?\n    Seeing no other Members present, we will dismiss this \npanel.\n    Mr. Friedman and Mr. Podonsky, we would ask you to stay.\n    Ms. Brian, thank you.\n    Mr. Stupak. Our next panel, if we may, would consist of the \nHonorable Clay Sell, Deputy Secretary of the Department of \nEnergy.\n    Mr. Sell, again, I have to ask you to since we take all \ntestimony under oath, and did you bring a legal counsel with \nyou?\n    Mr. Sell. I would just note, Mr. Chairman, the presence of \nour Deputy General Counsel from the Department of Energy.\n    Mr. Stupak. Very good.\n    OK, sir, I would ask you to please raise your right hand.\n    [Witness sworn.]\n    Mr. Stupak. The record should reflect the witness has \naffirmatively stated that his testimony would be under oath.\n    Mr. Deputy Secretary, please, if you want to give an \nopening statement.\n\nTESTIMONY OF HON. CLAY SELL, DEPUTY SECRETARY, U.S. DEPARTMENT \n                           OF ENERGY\n\n    Mr. Sell. Chairman Stupak, Congressman Whitfield, members \nof the subcommittee, I welcome this opportunity to appear \nbefore you today to discuss security within the Department of \nEnergy and the recent security incident at Los Alamos National \nLab.\n    The national security responsibilities entrusted to Los \nAlamos are our Nation\'s most important. The successes that have \nsprung forth from this great lab in years past and today are \nproperly a source of great pride and great power in our \ncountry. The capabilities of the men and women of Los Alamos \ncontinue today to make this lab the only place to go for many \nnational security requirements. And, of course, the secrets \nentrusted to this lab are among the Nation\'s most sensitive.\n    These are among the reasons that the facts of the most \nrecent security incident at Los Alamos are so troubling and the \nsource of such tremendous frustration and concern to the \nSecretary, to me and to many others throughout the DOE \nenterprise.\n    And now, despite years of focused attention and the \nexpenditure of millions of dollars, we are confronted again \nwith the security failure, the facts of which suggest we still \nhave a much larger and a much deeper problem.\n    As has been alluded to, many well-intentioned leaders have \nworked to improve security at Los Alamos over the last few \nyears, and in many key areas the Department has made \nsubstantial progress. But Secretary Bodman and I are less \ninterested in effort, process and good intentions and more \ninterested in results. The results on matters of security at \nLos Alamos National Laboratory remain unacceptable.\n    You have already heard from earlier witnesses; in fact, you \neach have made statements about what have led to the problems \nand what happened in this recent matter.\n    Later today you will hear from the Acting Administrator of \nthe NNSA, our Department\'s Chief Information Officer and the \nDirector of Los Alamos National Laboratory in more detail. \nTherefore, I intend to focus the balance of my remarks on what \nthe Secretary and I are doing to fix the problems and move \nforward.\n    First, in the immediate aftermath of learning about the \nsecurity breach at Los Alamos, we acted immediately to assess \nthe situation and understand the facts. The NNSA Administrator \ndispatched the Chief of Defense Nuclear Security and the \nCybersecurity Team to the site to begin an immediate review of \nthe incident. On October 26, the Secretary ordered the \nInspector General to investigate. And on October 30, I \npersonally traveled to the lab to meet directly with those on \nthe ground and to gain firsthand knowledge of the incident and \nremedial actions to address the problems.\n    Second, we took quick action to address realized \nvulnerabilities. On November 8, I issued a memorandum to \nimprove cybersecurity protection for classified computer \nsystems throughout the DOE complex. That memo included \nimmediate direction to every lab and every facility operating a \nclassified system to conduct an examination of the adequacy of \nits practices and procedures to ensure that classified \ninformation is protected using multiple layers of cybersecurity \nprotection including protection against potential insider \nthreats. Also, the memo required an accounting by each lab and \nfacility throughout our complex for full implementation by \nJanuary 15 of this year. Today I am informed that the entire \ncomplex is in compliance. The line managers will be responsible \nfor ensuring continued adherence to this policy.\n    Third, in response to findings contained within the \nInspector General\'s report issued on November 27, the Secretary \ndirected two specific actions: first the creation of a senior-\nlevel ad hoc committee to review all of the recommendations in \nthe IG\'s report except those concerning the Department\'s \nsecurity clearance process; second, the establishment of a task \nforce to review the personnel security programs throughout the \nentire DOE complex.\n    Both reviews will conclude and provide recommendations to \nthe Secretary no later than February 28 of this year. Once we \nhave reviewed the results of the laboratory\'s actions, \ncorporate and Federal validation activities, the Secretary\'s \ntwo task force recommendations and other actions that have been \ndirected, we will follow up--we will follow up and develop \nadditional improvements and additional reviews as necessary.\n    We will be pleased to discuss with the subcommittee the \nadditional actions the Secretary decides to take once he has \nreceived and reviewed the task force recommendations.\n    Fourth, during numerous occasions, meetings and \nconversations with the NNSA, with the NNSA Administrator and \nhis team, with the Los Alamos Director, and with members of the \nExecutive Board, the new contractor at Los Alamos, the \nSecretary and I have expressed our depth of concern, our sense \nof urgency and clear expectations for accountability from the \ntop of the Department to the bottom of the laboratory, and that \nthese continuing security problems must be addressed, \nrectified, and prevented in the future.\n    Fifth, even before the recent incident at Los Alamos, the \nDepartment had substantially increased focus and attention to \nmatters of cybersecurity including hiring of a new Chief \nInformation Officer in November 2005 to reinvigorate and \nstrengthen our efforts. Among other things, he accelerated our \nefforts to update our cybersecurity order and National Security \nSystems Control Manual, and has taken numerous actions to \nimprove our Department\'s cybersecurity posture. We also brought \nin a new Chief of Counterintelligence and reorganized the \noffice to improve its performance.\n    Sixth, the Department also previously recognized--and I \nwould add with strong urging from the Congress--that the \nleadership of the laboratory could be strengthened by competing \nthe M&O contract. And last June a new corporate leadership team \ntook over management of the laboratory for the first time in \nits 64-year history.\n    Seventh and finally, because it is our view that we are--\nthat we, the Department, the Secretary and I, are accountable \nto the President, the Congress, and the American people not \njust for efforts, but for results, the Secretary and I made the \nextremely difficult decision to replace the Administrator of \nthe NNSA and bring in new leadership.\n    Now, only time will tell if we are to be successful, if we \nare to distinguish ourselves from our predecessors. But the \nSecretary and I are committed to making the tough decisions \nrequired to lead our Department to a level of security \nperformance befitting the great missions the country has asked \nus to carry out. We have made progress in improving the \nsecurity across the Department and at Los Alamos, but as the \nlatest incident indicates, we have much more work to do. We \nremain committed to the task.\n    I am happy to answer your questions at this time.\n    [The prepared statement of Mr. Sell appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you, Mr. Secretary.\n     You indicated that only time will tell whether or not we \nare going to be successful, and I say this politely, but one of \nthe problems, I think there is a turnover we see at the lab and \nadministration and things like that. Secretary Bodman, with an \nupcoming Presidential election, will only be there 2 years. \nThose problems that we see, the problems, the constant problems \nwe see, won\'t be resolved in 2 years, will they?\n    Mr. Sell. The efforts to resolve these problems, in my \njudgment, take continuous effort over the course of the next 2 \nyears and in the years thereafter. Threats evolve, technologies \nevolve, and require constant vigilance.\n    Mr. Stupak. Wouldn\'t it be easy for folks in Los Alamos to \nsay, well, there is that directive; we have seen that directive \nfor 2 years. A new set of people come in, and we can sit back?\n    Mr. Sell. Mr. Chairman, that is certainly a limitation of \nthe manner in which the executive branch of our Government \noperates. I will be gone in 2 years as will the senior \nleadership of this Department, as will the President, so we are \ntaking great effort to institutionalize the changes that we are \nmaking, and I will give you an example.\n    After a previous incident in 1999, then-Secretary \nRichardson issued a substantial press release announcing a \nnumber of changes to correct the then-perceived security \nproblems at the lab. Those announcements that were made were \nnever put into the directives which actually govern the \nrelationship between the Department and its contractors.\n    Mr. Stupak. We have just seen a $350 million review, and \nthings that were supposed to be done were never implemented at \nLos Alamos.\n    Mr. Sell. What we are doing, with the changes that we have \nmade, is putting them into the directives which actually govern \nthe contractual relationship so----\n    Mr. Stupak. Let\'s talk about the directives though. You \npersonally travel to Los Alamos. You did a memo on November 8 \ndirecting each laboratory and DOE facility operating a \nclassified computer--didn\'t do anything about unclassified--but \nclassified computer system to conduct an immediate and thorough \nexamination to ensure that classified information is protected \nusing multiple layers of cybersecurity. But isn\'t it also true \nthat in this memo you set forth minimum standards that must be \nmet by January 15, 2007; is that correct?\n    Mr. Sell. That is correct.\n    Mr. Stupak. Were these minimum standards accomplished by \nJanuary 15?\n    Mr. Sell. Not in all cases.\n    Mr. Stupak. Not in all cases.\n    Your memo also says steps are to be taken--I am looking at \nyour memo. I am sure you have one there in front of you. Steps \nto be taken are to include at a minimum those in the attached \nguidance prepared by DOE Chief Information Officer. There it \nis. So these were the minimum things.\n    Did anyone at Los Alamos come back to you and say, Mr. \nSecretary, you asked for the minimum. We went over and above; \nwe went beyond the minimum. Did they do anything beyond the \nminimum? Any recommendations going beyond the minimum?\n    Mr. Sell. Yes, Mr. Chairman. The lab is doing a number of \nthings beyond what was addressed in the memo. The memo that I \nput out was based on the immediate recognition that we had a \nreal problem----\n    Mr. Stupak. Sure.\n    Mr. Sell. Specifically with ports; I wanted to take the \nlesson that we had learned under very unfortunate circumstances \nat Los Alamos----\n    Mr. Stupak. But you said part of it was complied by or \ncomplied with your request by January 15; other parts were not, \ncorrect?\n    Mr. Sell. To clarify completely, Los Alamos was the last of \nour labs and facilities to come into compliance, and that \noccurred on January 22. But that is a report that I have.\n    Mr. Stupak. Well, let me ask you this question then. Your \nChief Information Officer of NNSA in staff interviews said that \nshe sent the team out on January 8 to see whether Los Alamos \nwas complying with your directive. They found widespread \nnoncompliance with your directive; isn\'t that correct?\n    Mr. Sell. I know as of January 8 the lab was not in \ncompliance.\n    Mr. Stupak. OK. Isn\'t it also true that even in the face of \nall the publicity of the most recent security lapse, that NNSA \nhad to pull the entire team back from the lab because they \neither could not understand your directives or simply were \nincapable of responding to your directives of securing the very \nareas and items that were under question as a result of the \nOctober 6 event? Why did NNSA have to pull back its teams?\n    Mr. Sell. Mr. Chairman, we are trying to deal in a very \nserious way; I gave out in this case very clear guidance as to \nwhat was to be accomplished. I could have just given clear \nguidance and gone on and done something else, but we followed \nup on that clear guidance by sending a team out.\n    Mr. Stupak. And have you pulled back?\n    Mr. Sell. We sent the team out even before the deadline for \ncompliance, and we found out when the team was out there that \nwe weren\'t making progress----\n    Mr. Stupak. We were not making progress?\n    Mr. Sell. We were not making progress at a sufficient pace \nto accomplish what needed to be accomplished by January 15. \nThat came to our attention. We gave further direction. I \nclarified. I talked to the lab Director. They understood what \ntheir requirements were. We sent a team back out shortly after \nJanuary 15 and concluded approximately January 22 that they had \ncomplied with the directive.\n    I think it is indicative that unfortunately ensuring \ncompliance and making progress requires continued effort. It \nrequires vigilance. It requires follow-up. It will require that \nlong after I am gone. I only have control of the 2 years that I \nremain in my position, and that is the way I intend to deal. \nAnd I hope we can also institutionalize the progress that we \nare making, and there are a number of means within our disposal \nto help do that, through the contract, through the outstanding \ncareer staff that we have in our Department, through a number \nof the individuals and leaders of the laboratory that will \nremain into the next administration.\n    But it is difficult. There are reasons sufficient progress \nhas not been made in previous years, and the only thing I can \ncommit to you is that I am trying to deal in a way which is \ndistinct and different and distinguishable from the ways that \nfolks have dealt in the past.\n    I believe the Secretary and I have taken more aggressive \naction, and because I believe we are acting differently, at \nleast I have some reasonable expectation that this time we will \nget different results, but only time will tell.\n    Mr. Stupak. All right. My time has expired.\n    Mr. Whitfield for 5 minutes.\n    Mr. Whitfield. Thank you, Mr. Chairman.\n    And, Secretary Sell, we enjoyed your testimony today and \nappreciate your being here. It seems to me the years that I \nhave been on this subcommittee and this issue of security \nbreaches has been a subject that ultimately the effectiveness \nof really dealing with this is through the M&O contract. And \nyou were involved in preparing or negotiating this most recent \nM&O contract with the consortium that is now operating LANS; is \nthat correct or not correct?\n    Mr. Sell. I am happy to have the opportunity to tell you my \nexact level of involvement.\n    When I came to the Department in March 2005, the \nprocurement work was already well under way. But certainly I \nknew it to be and believed it to be the most important \nprocurement--and I said this--in the history of the Department \nto date.\n    I am not the selecting official.\n    Mr. Whitfield. Who is the selecting official?\n    Mr. Sell. The selecting official at the time, I believe, \nand I will ask was Tom D\'Agostino, who is not yet confirmed as \nthe Deputy Administrator for Defense Programs. He has been a \ncareer member of our NNSA team for a number of years.\n    Mr. Whitfield. So was he within the NNSA at that time?\n    Mr. Sell. Yes, sir.\n    Mr. Whitfield. So the NNSA has the responsibility for \nselecting?\n    Mr. Sell. The NNSA had the responsibility; Mr. D\'Agostino, \nI believe, was the selecting officer. But the Secretary and I \ndid spend time--once the decision had been made, after the \ndecision had been made, we met by video teleconference with the \nSource Selection Advisory Board. We met at length with Mr. \nD\'Agostino, and it is my view that the decision that the \nDepartment made was absolutely the correct one.\n    Mr. Whitfield. Now what is the length of the contract?\n    Mr. Sell. The length of the contract, I believe, Mr. \nWhitfield, is a 7-year initial period but could be extended to \n20 years. And I may be off 1 or 2 years.\n    Mr. Whitfield. What is the approximate total value per year \nto the consortium for being awarded the contract?\n    Mr. Sell. The total value, in rough order, about $2 \nbillion, or $1\\1/2\\ to $2 billion a year flow through the \ncontractor.\n    Mr. Whitfield. One and a half to $2 billion?\n    Mr. Sell. The fee available to the contractor is on rough \norder $70 million a year. So that is the potential net to the \ncontractor.\n    Mr. Whitfield. So would I be accurate or inaccurate to \ndescribe the $70 million as incentive pay that they can receive \nin addition to the base amount?\n    Mr. Sell. The $70 million, Mr. Whitfield, includes both the \nbase amount and the incentive portion. I think that is the \ntotal fee, roughly, that is available to be paid to the \ncontractor.\n    Mr. Whitfield. OK. Now, you would think that since the real \nproblem is safety and security, that is one of the major \nproblems, that the incentives apportioned to do that would be \ngreater than $3 million out of a total of $73-some million \nincentives. What would be the explanation for not making that a \ngreater amount?\n    Mr. Sell. Mr. Whitfield, I don\'t think I can say anything \nthat you would find to be a great explanation. Although the \nnext panel--and I don\'t mean to just kick this to Mr. \nD\'Agostino, I do think he is more informed on that. But I will \nalso state my belief that we have a greater authority to \nrestrict and pull back award fee for failures beyond just the \n$3 to $6 million for the security.\n    Mr. Whitfield. Are you aware, yourself, of the amount of \npenalty assessed in the 2004 6-month shutdown or not?\n    Mr. Sell. I am aware that it was generally in the \nneighborhood of around $3 million for the failures in 2004.\n    Mr. Whitfield. So that was a penalty that University of \nCalifornia paid?\n    Mr. Sell. That was a fee reduction in the amount that \nthey----\n    Mr. Whitfield. A fee reduction. OK.\n    Now, it is my understanding that in the most recent \ncontract that the consortium agreed that the 21 key personnel \ncommitted--that they committed to stay for a minimum of 2 \nyears, and after 6 months the Deputy Director has already left; \nis that true?\n    Mr. Sell. Yes, sir.\n    Mr. Whitfield. Has anyone else left of those 21 key people?\n    Mr. Sell. To my knowledge none of the other 21 key \nindividuals have left.\n    Mr. Whitfield. But you all do have authority to assess a \nfee for the breach of that aspect of the contract, I would \nassume?\n    Mr. Sell. I believe we do. And the only reason I hesitate \nis these are actual decisions that must be made by the \ncontracting officer of whom I am not. I am trying to state as \nclearly as possible my expectation and belief.\n    Mr. Whitfield. My time has expired.\n    Mr. Stupak. The gentleman from Louisiana Mr. Melancon.\n    Mr. Melancon. Thank you, Mr. Chairman.\n    Mr. Sell, I was just wondering if Los Alamos or your \nchildren are causing this premature gray hair.\n    Mr. Sell. Both.\n    Mr. Melancon. Some of the thoughts that have run through my \nmind, is the DOE team, is it on site, or was it just sent and \ncame back and made a report? And how long were they on site \nwhen they were there?\n    Mr. Sell. We have a Federal site presence of around 120 \nindividuals that live there, work there, and deal every day as \nthe Federal representative at Los Alamos. But there have been \ntens and tens of individuals from headquarters, from other \nlocations around the complex, outside experts that have come \nfor the various reviews and evaluations and recommendations \nsince this most recent incident in October.\n    Mr. Melancon. Is it feasible or possible--we are looking at \na June deadline, I think Mr. Friedman had said, to try to \nascertain where we were in compliance--that--do you think it \nwould make any difference if we put the team back down there \nseveral days a week between now and that time to monitor it, to \nmake it progress faster, to maybe sometimes even point out \ntheir deficiencies, which apparently they are not seeing \nreadily?\n    Mr. Sell. Well, I think it may well help, but I want to \nemphasize that we have a team there that worked for me. I mean, \nthey worked for the Secretary and I and the Administrator and \non down the chain. And their responsibility is to ensure that \nthe contractor is performing pursuant to the terms of their \ncontract.\n    And in addition to that, we have other oversight groups \nfrom headquarters. And we have other oversight groups from the \ncontractor that they have hired, and they will continue to go--\nI mean, it is going to take continuous vigilance and \nmonitoring, and perhaps other groups consistent with your \nsuggestion would be helpful as well in ensuring that we make an \ninstitutionalized progress at the lab.\n    Mr. Melancon. The people that are on the DOE team or the \npeople that are responsible from DOE to monitor security, are \nthey the same people that are there when the first breaches \noccurred and subsequent breaches?\n    Mr. Sell. Some of them. But we have made a change at the \ntop of the NNSA. The new Acting Administrator then subsequently \nmade a change in the person that is heading the site office at \nLos Alamos. And so we are trying to find the right kind of \nleadership that can ensure much higher levels of performance at \nthe lab.\n    Mr. Melancon. I have a general in Louisiana I can suggest, \nbecause it sounds like it is going to take more than just a \nmanager out there.\n    And I guess that is the concern that I have is it appears \nto me--and this is new to me--that we have rolled a head or \ntwo, but the problem is the tail is wagging this dog. And I \njust--do you have any comments? I mean, how deep is our \nproblem, or is our problem--is the problem at the upper levels \nor security at the lower levels?\n    Mr. Sell. Well, it has been suggested, Mr. Melancon, that \nwe should shoot the dog, and I have to reject that suggestion \nin the strongest possible terms. We do have 12,000 individuals \nat Los Alamos that were there under the University of \nCalifornia. They are there under LANS and will continue to be \nthere. They are the core capability of that laboratory. And I \ndo believe that we have deep-seated issues that are going to \ntake time. And I would suggest, with all due respect to our \nInspector General, it will take longer than a year. It is going \nto take time to change.\n    But we do have an outstanding new leadership team in place, \nand I believe the LANS team is the right team to lead the lab. \nI believe Mike Anastasio is the right Director to lead the lab.\n    I believe we have a new Federal lead there on an acting \nbasis, Dan Glenn. We have an Acting Administrator, in Tom \nD\'Agostino. We are putting in place new policies that will \nactually be incorporated in the terms of the contract by which \nwe can hold the contractor accountable, and we intend to use \nthe authorities in that contract to the greatest extent \npossible to ensure compliance and institutionalization of \nprogress.\n    That is our approach going forward, and if the tail \ncontinues to wag the dog, then the committee may properly \nquestion whether I am the right one to continue to provide \nleadership. But I have laid out our path as to how we are \nproceeding, and I am confident that we can make real progress.\n    Mr. Melancon. Mr. Chairman, if I could be allowed one more.\n    Mr. Sell, I guess the last question that I have is when do \nyou think we are going to get this dog into the kennel?\n    Mr. Sell. We have made in the last few months substantial \nprogress. Just for example, we had--there were thousands of \nopen ports on classified computers when this--the day this \nthing came to light.\n    I have some level of confidence, not supreme confidence, \nbut some level of confidence that that situation has been \nrectified; it will stay rectified at Los Alamos. We are \nchanging our processes, but it will take--so we will continue \nto make progress. But the nature of security, particularly at a \nplace as dynamic as Los Alamos, is constantly evolving, and I \ndon\'t think there is ever a point where we will reach where we \nsay--where we can say we are done and we need not worry about \nsecurity anymore. We will have to be constantly tending the \nkennel door to make sure we have got the dog contained.\n    Mr. Melancon. Thank you.\n    Mr. Stupak. Mr. Secretary, let me assure you no one wants \nto shoot the dog. We want to put that dog on a diet and put him \nin a new kennel.\n    Mr. Melancon. He needs to be trained.\n    Mr. Stupak. Mr. Burgess, questions?\n    Mr. Burgess. Thank you, Mr. Chairman.\n    Mr. Secretary, good to see you again. You mentioned in your \ntestimony, or I think in response to a question, that you were \nnot the selector in the process of going through the RFP last \nyear. I have asked this question of other witnesses, but in \nyour opinion the process was fair and open and above board?\n    Mr. Sell. Yes.\n    Mr. Burgess. Let me ask you this: At Los Alamos what \nmeasures are being taken to ensure the laptops and removable \nmedia are being encrypted or sequestered so that sensitive data \nis not leaving your site unprotected?\n    Mr. Sell. Just so I understand, this is a different set of \nvulnerabilities as to the encryption of data that is then--you \nmean when it is communicated across open lines, or when it is \nin laptops?\n    Mr. Burgess. Yes. Is it encrypted in laptops to reduce \nsusceptibility to theft?\n    Mr. Sell. The encryption of classified material on laptops \nwhen they are at a secure facility is a matter that is covered \nunder our policies, and those policies are those directives \nthat--the manual which governs that is being updated and will \nbe finalized in the course of the next few weeks. That governs \nthe exact terms under which laptops have to be encrypted. But I \nam sorry, Dr. Burgess, I can\'t give a more exact recitation as \nto exactly how that is carried out.\n    Mr. Burgess. And will that be something that is universal \nacross the Department of Energy, or will that be specific for \nLos Alamos?\n    Mr. Sell. It will be universal across the Department.\n    Mr. Burgess. We heard previous testimony from the other \npanel that the concept of at will employment be curtailed, but \nthat really is not something that is within the purview of the \nDepartment of Energy, is it? That is up to the individual \ncontractor involved?\n    Mr. Sell. That is something I believe that we largely leave \nto the contractor as to the negotiation of employment terms \nwith their employees.\n    Mr. Burgess. When the contract was awarded to LANS a year \nago, it was done so in a belief that it could substantially \nimprove security at Los Alamos. Do we still believe that?\n    Mr. Sell. I do.\n    Mr. Burgess. And we believe we have in place the metrics by \nwhich we are going to be able to show not just this committee, \nbut America at large that is indeed the case?\n    Mr. Sell. We have some metrics, and we are developing \nadditional metrics, and we will develop even further ways of \nmeasuring progress once we have the full recommendations from \nour two groups that are reviewing the IG\'s report and once we \nput in place all of the policies going forward. But certainly \nour ability to measure progress and understand when there are \nfailures or when there are potential failures before they \nactually happen or before they get outside the gates of the \nlaboratory is a very important management tool that we must \nhave, and I will ensure that we will have it.\n    Mr. Burgess. So in your opinion that is what real progress \nwill look like? Hopefully to us it will look like the absence \nof breaches, and we won\'t be back here every 6 months covering \none of these incidents.\n    Mr. Sell. It is--a much higher level of performance must be \nrequired. But I would like to just take a moment. I think some \ncontext about what our lab does. They generate many secrets. \nThat is the nature of their business. That is the tools of \ntheir trade. And we talk about 139 vault-type rooms and 3,000 \nclassified computers. That is the nature of the work that we \ndo. And in order to print something or to move it around the \nlab or to store it, it requires lots of computer capability. It \nrequires ports. It is a very complex manner dealing with our \nbusiness. Vault-type rooms----\n    Mr. Burgess. Can you then reduce the number of computers \nwithout compromising your business?\n    Mr. Sell. I don\'t know that we can. That is certainly \nsomething we are looking at, and I think it is a sound \nsuggestion. It is a suggestion that has been made internally. \nBut I have not received a recommendation that we, in fact, can \ndo that. If we can, we will. But our business at Los Alamos is \nnational security matters. Almost all of it is classified.\n    And so I just want to try to put this into context that it \nmay not be as simple as taking 139 vault-type rooms and going \nto 100. That may mean that a third of the work that we would \nlike to do can\'t get done.\n    Mr. Burgess. Thank you, Mr. Chairman. I will yield back.\n    Mr. Stupak. Mr. Sell, if I may, let me just ask you \nquickly, hopefully we are going to have the Secretary here in \nMarch to answer some questions, but he put out a memo on \nNovember 28 after this incident came to light, and he states \nthat the recent incident at Los Alamos and the findings of the \nInspector General report indicate there may be significant \ndeficiencies involving the application of personnel security \npolicies and standards within the Department. What were those \nsignificant deficiencies?\n    Mr. Sell. Mr. Chairman, I don\'t know that I can get into \nthe details of the deficiencies without treading into areas \nwhich are governed by the Privacy Act in the instant case.\n    Mr. Stupak. Will you stay for the executive session then? \nWe can ask you the questions then?\n    Mr. Sell. I will accommodate the committee and you, Mr. \nChairman, however you would like.\n    Mr. Stupak. OK, because I had a couple of follow-up \nquestions on that. So allow me to do that in closed session. \nThank you.\n    Anyone else have questions? Mr. Whitfield.\n    Mr. Whitfield. Just one additional quick question. Mr. \nBurgess was asking questions about the number of computers. \nThis is a similar question relating to the separate security \narea, over 1,700 of them, and I was just wondering have you \nyourself formed any opinions about to believe that such a large \nnumber of geographically dispersed and classified areas \nincreases the vulnerability of operations? And do you think the \nareas should be reduced? And your views on that.\n    Mr. Sell. Mr. Whitfield, I believe that there may be \nbenefits from those, and certainly instinctively I would think \nthat we could perhaps do that. I know that there are views \ninside our Department that we can do that. We are looking at \nit. And I know in your letter of last night you suggested also \nthat we look at it, and we will do that. We are looking for \nsuggestions and good ideas from any corners from which they \ncome.\n    I have not made a conclusion that is going to be possible. \nBut it may well be.\n    Mr. Whitfield. Thank you.\n    Mr. Stupak. Thank you, Mr. Secretary. And, yes, sir. You \nwant to clarify something?\n    Mr. Sell. Well, Mr. Chairman, I wanted to take an \nopportunity to answer a question which you posed to other \nwitnesses but you did not pose to me: What is unique about Los \nAlamos?\n    Mr. Stupak. The unique mission that they do there. What is \nthe unique mission that cannot be duplicated at any of our \nnational labs?\n    Mr. Sell. Los Alamos National Laboratory and the men and \nwomen of that lab invented and designed and are responsible for \ncertifying to this day two-thirds of our strategic nuclear \nweapons stockpile. They are the only place in the country today \nwhere we can build a plutonium pit, which is the trigger, in \nlayman\'s terms, for a nuclear weapon. They have many, many \nother unique capabilities beyond that.\n    But it is my view that we have to have Los Alamos, and we \nhave to be successful, but more importantly that we can be \nsuccessful. We are not destined to failure. We can be \nsuccessful, but it is--we must have it.\n    Mr. Stupak. No doubt men and women at Los Alamos are \nunique. Whether they work in Sandia, Los Alamos, or Lawrence \nLivermore, they are all unique and all talented people, and we \nhave no problem with that. But we are not going to continue to \nhave lapse after lapse. They owe it to the American people, not \nthis committee, but the American people, to guard.\n    You tell about the most sensitive things that are going on \nnot only for nuclear or antiterrorism or anywhere else. We \ncannot have it going on at the same time going out the back \ndoor. That is what we want to impress upon not only you, but \nthe Secretary and everybody else.\n    Look at the list here, how many hearings we have had here? \n350 million taxpayer dollars spent; the fine was $3 million, \nless than 1 percent? No wonder there is no accountability. They \nwill just ignore it and continue.\n    We just want things done and done properly. American people \ndeserve it. It is the American people who pay for those \nweapons, American people that have developed this. And we \nappreciate everyone who works at those labs, but it is not \ngoing to continue like it has been.\n    With that, if you have any further comment?\n    Mr. Sell. Mr. Chairman, I agree with your final statement \ncompletely, and you have my full commitment for as long as I am \nin my position.\n    Mr. Stupak. We appreciate that, and we look forward to \ntalking to you a little bit more in executive session. Thank \nyou.\n    Mr. Stupak. We have our third panel. Our final panel \nconsists of five people: Mr. Thomas D\'Agostino, Acting \nAdministrator, National Nuclear Security Administration; Ms. \nLinda Wilbanks, Chief Information Officer, National Nuclear \nSecurity Administration; Michael R. Anastasio, Director, Los \nAlamos National Laboratory; Mr. William Desmond, Associate \nAdministrator and Chief for Defense Nuclear Security; and Mr. \nThomas Pyke, Jr., Chief Information Officer, Department of \nEnergy.\n    It is the policy of this subcommittee to take all testimony \nunder oath.\n    Please be advised the witnesses have a right under the \nrules of the House to be advised by counsel during testimony. \nDo any of the witnesses desire to be advised by counsel at this \ntime? If so, would you please introduce your counsel?\n    Hearing nothing in the affirmative, I take it you do not \nhave counsel with you.\n    Please rise and raise your right hand to take the oath.\n    [Witnesses sworn.]\n    Mr. Stupak. Let the record reflect all witnesses answered \nin the affirmative.\n    Mr. D\'Agostino, sir, is going to start, please.\n\n   TESTIMONY OF THOMAS P. D\'AGOSTINO, ACTING ADMINISTRATOR, \n            NATIONAL NUCLEAR SECURITY ADMINISTRATION\n\n    Mr. D\'Agostino. Thank you, Mr. Chairman. My name is Thomas \nD\'Agostino, and I am the Acting Administrator of the National \nNuclear Security Administration within the U.S. Department of \nEnergy, a position I have held since January 20, 2007. I am \nalso the Deputy Administrator for Defense Programs.\n    I want to personally assure you that with respect to the \ncurrent issue of security at Los Alamos National Laboratory, \nthat we are committed to providing the most effective security \npossible for nuclear weapons, nuclear material and classified \ninformation both at the laboratory and at each of our NNSA \nfacilities.\n    The primary reason I am acting as Administrator is because \nof the Secretary of Energy\'s dissatisfaction with the \ncontinuing series of security incidents. When the Secretary \ndoes not see results he expects, he takes action. The most \nrecent of these was his request for the resignation of the \nformer NNSA Administrator, Linton Brooks.\n    Mr. Chairman, the Secretary and the Deputy Secretary expect \nme to be active in running the NNSA and to be accountable for \nour performance and make decisions when they need to be made. \nThat is exactly what I am doing.\n    I have made it clear to Los Alamos National Security, or \nLANS, the contractor who manages the laboratory, that we are \nexpecting them to take appropriate action against any LANS \nemployees determined to be accountable for most recent security \nincident. LANS has reported that formal disciplinary action \nwill be taken against 24 employees.\n    I have decided to spend my first 2 days on the job as \nActing Administrator in New Mexico both visiting the laboratory \nitself and the Federal site office responsible for overseeing \nthe laboratory to get firsthand, upfront and personal \ninformation that I can use. I did that last Monday and Tuesday.\n    I stressed to them my expectations concerning oversight of \nthe laboratory activities and the importance of accountability \nand meeting our commitments.\n    I\'ve directed that Dan Glenn, one of the Department\'s most \nexperienced site office managers from the Pantex site in Texas, \nto serve as the acting Federal site office manager until a \npermanent replacement is found. Mr. Glenn has extensive nuclear \nsafety and security experience at our most sensitive site. In \nfact, Pantex is the only NNSA facility where we have complete \nnuclear weapons on site. Dan has my complete confidence.\n    Dan spent last Thursday and Friday at Los Alamos assessing \ncurrent activities and operations at the Los Alamos site \noffice, and he is assembling a team to aggressively oversee \nlaboratory security and safety programs and to recommend not \nonly immediate, but near-term fixes, fixes that we can \nimplement and take action on right away. Dan will take over Los \nAlamos site office on February 5.\n    With respect to our specific interactions with LANS, \nmanagement and operating contractor on the latest security \nincident, all contractual options for both penalties and \nmotivation are under consideration and on the table. I want to \nassure you that this is not an academic exercise. With a \nnominal fee at stake, the maximum available annual fee with \nsecurity and safety as key factors is over $70 million. The \nmajority of LANS\'s fee is at risk, as is their ability to earn \nadditional award terms--or years--added on to the contract. The \ncombination of award fee and award term are very powerful \nincentives on performance, and I intend to fully utilize these \ntools that are available to me in managing this contractor.\n    The Department is also conducting a review of the incident \nto determine whether notice of violation will be issued, as was \ndiscussed earlier.\n    Finally, the contract has a clause called Conditional \nPayment of Fee, Profits, and Incentives. This clause allows for \nthe complete elimination of fee in the event of serious safety \nor security events that result in a loss of life and \nirrecoverable harm to the security of the United States.\n    On January 3, 2007, we took further direct action and \nunilaterally notified the LANS Board of Governors Executive \nCommittee that I was calling a session in Washington the \nfollowing week. On January 10, I met with the executive \ncommittee and told them of my specific concerns on how they \nhave handled the current security incident at Los Alamos and my \nexpectations for performance. The Secretary and the Deputy \nSecretary joined me to emphasize the seriousness of the \nsituation.\n    The executive committee will provide me with their plans on \nhow they will address the current situation and improve the \nculture at the laboratory. In the coming months I will be \nroutinely meeting with members of the executive committee to \nhear how they are progressing with their plans. Additionally, I \nhave asked the chairman of the committee, Mr. Gerald Parsky, to \ncall the Secretary on a regular basis, probably monthly, maybe \nmore like on a 5-week basis, to update him personally on the \nactions that the board is taking to reach back to the corporate \nparents and to support improvements at the laboratory.\n    In closing, Mr. Chairman, I commit to you that if the \ncurrent laboratory management team is unable or unwilling to \nchange the security culture at Los Alamos, I will use every \ntool available to me consistent with the terms of the contract \nto effect the kind of positive changes I expect and we deem \nnecessary for our taxpayers.\n    Thank you, and I would be pleased to take any questions the \ncommittee may have.\n    [The prepared statement of Mr. D\'Agostino appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Mr. Desmond, your opening statement.\n    Mr. Desmond. Mr. Chairman, I do not have an opening \nstatement.\n    Mr. Stupak. Ms. Wilbanks, opening statement.\n\nTESTIMONY OF LINDA WILBANKS, CHIEF INFORMATION OFFIER, NATIONAL \n                NUCLEAR SECURITY ADMINISTRATION\n\n    Ms. Wilbanks. Chairman Stupak, Ranking Member Whitfield and \nmembers of the committee, good afternoon. I am Dr. Linda \nWilbanks, the National Nuclear Security Administration Chief \nInformation Officer.\n    Thank you for the opportunity to discuss the cybersecurity \nincident at Los Alamos National Laboratory and the actions NNSA \nhas taken to prevent similar incidents. As CIO, I am \nresponsible to the Administrator for cybersecurity, \nspecifically policies and procedures to ensure the security of \nthe information and technology as it relates to the NNSA \nmission and to enhance our ability to protect the classified, \nsensitive and unclassified information systems.\n    I came to NNSA after almost 3 years at Goddard Space Flight \nCenter as a CIO. I have over 30 years experience in information \ntechnology, a bachelor\'s degree in mathematics, a master\'s \ndegree in engineering and a doctorate in computer science.\n    When the recent incident was reported, at my direction the \nNNSA Cybersecurity Program Manager and the Director of the \nDiskless Workstation Task Force immediately flew to Los Alamos \nwith two members of the DOE cybersecurity team. Their objective \nwas to learn as much as possible about the incident from the \ncybersecurity perspective and determine if any of the \ncontributing factors could put LANL at further risk or they \ncould take place at other NNSA sites.\n    I also traveled to Los Alamos and met with the \ncybersecurity personnel responsible for the Los Alamos computer \nsystems to further understand the issues. We quickly identified \ntwo issues: the accessible USB ports and the cybersecurity plan \nthat did not address the specific risks of the system and was \nincomplete, which contributed to the system\'s vulnerabilities.\n    The Los Alamos incident occurred when a trusted insider \nmaliciously decided to use a personal device to electronically \nremove classified material. The cybersecurity plan allowed for \nthe cages to be unlocked with exposed USB ports because the \nservers were in a secure room with limited access by people \nwith clearances to access the classified material.\n    As a result of this incident, we have taken a number of \nactions to strengthen the cybersecurity at Los Alamos and all \nNNSA sites addressing the cybersecurity root causes that \nallowed this incident to occur.\n    As a result of the incident, I immediately required that \nall NNSA sites identify the open ports on classified systems \nand determine if they needed to be open or could be permanently \ndisabled.\n    We purchased an enterprise license for software to monitor \nopen port activity. All sites, including Los Alamos, are now in \ncompliance with any ports that can be used to transmit data \nbeing sealed or monitored.\n    The Designated Approving Authority, the DAA, is responsible \nfor approving an IT system for operations by signing the \ncybersecurity plan that states how the system will be in \ncompliance with DOE and NNSA policy. I have temporarily \nreassigned the DAA from the Sandia site office to Los Alamos to \nstrengthen the cybersecurity there. I have directed the DAAs at \nall NNSA sites to review the cybersecurity plans, and I hold \nthem accountable to ensure that those plans now address the \nspecific risk of each system and to identify and rewrite the \nplans with omissions such as those that allowed the incident at \nLos Alamos.\n    I have increased the funding to Los Alamos to hire three \ncybersecurity experts to support the Federal activity there. I \nhave assembled a team of eight cybersecurity experts from \nheadquarters and NNSA and had them inspect all the vaults at \nLos Alamos to determine if they were in compliance with the \nDepartment\'s directive to close ports. The team initially found \nareas of noncompliance; however, when reconvened on the site \nthis past week, they inspected all vaults and are now in \ncompliance.\n    I further directed the team to inspect the cybersecurity \nimplementation at all NNSA sites. Those inspections will start \nin February and conclude in April when the team revisits Los \nAlamos.\n    My office has worked with the DOE CIO, Mr. Tom Pyke, to \nidentify areas where policies and procedures are needed to \nstrengthen cybersecurity and to aggressively implement them as \nquickly as possible. NNSA is responsible for over 70 percent of \nthe classified networks within the Department. We take this \nresponsibility very seriously, and maintaining the security of \nthe classified networks is our highest priority.\n    Because of the dynamic nature of cybersecurity, no one can \nguarantee there will never be another cybersecurity incident at \nany NNSA site. It is not possible to have perfect and complete \nsecurity. We live in a world where hacking into Federal systems \nis a hobby of many students and many highly paid professionals. \nWe are using every tool available and have put in place strong \ncybersecurity policies to ensure this type of event does not \nhappen again.\n    NNSA is working very diligently to maintain a secure \nenvironment for our information and that of the Department. We \nwork closely with our sites to identify the risks, and we are \nmoving ahead in many areas, and we are making progress.\n    I am happy to answer your questions, sir.\n    [The prepared statement of Ms. Wilbanks appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you.\n     Mr. Pyke.\n\n TESTIMONY OF THOMAS N. PYKE, JR., CHIEF INFORMATION OFFICER, \n                   U.S. DEPARTMENT OF ENERGY\n\n    Mr. Pyke. Good afternoon, Mr. Chairman. My name is Tom \nPyke. I am the Chief Information Officer at the Department of \nEnergy. I came to the Department in November 2005 and have \ngiven a high priority to revitalizing the management of \ncybersecurity within the Department.\n    Over the last year, DOE has undertaken a major effort to \nimprove our cybersecurity. We developed a plan to update \ndepartmental cybersecurity directives and to issue guidance in \nspecific high-priority areas. In December 2006, the Deputy \nSecretary signed a new DOE cybersecurity departmental order \nwhich established a new governance structure for cybersecurity \nprogram manager. The order directs the use of a risk-based \nmanagement approach and makes clear assignment of \nresponsibility to the Under Secretaries and other senior \nofficials to oversee cybersecurity management within their \norganizations, including the field organizations under their \njurisdiction.\n     The Under Secretaries have accepted this enhanced role and \nare working hard to strengthen the management of cybersecurity. \nThis order is a key part of the institutionalization of \nforceful new direction to the Department. As referred to \nearlier by Deputy Secretary Clay Sell.\n    The new order provides for timely issuance of urgently \nneeded cybersecurity guidance. To date, I have issued 20 \ncybersecurity guidance documents, and the Office of the Chief \nInformation Officer continues to develop guidance in accordance \nwith the plan developed last year. I have already issued \nguidance on certification and accreditation of systems and on \nsystem configuration management, both directly relevant to the \nrecent Los Alamos incident. We have also issued special \nguidance on the protection of personally identifiable \ninformation and on the disposal of disk drives.\n    Finally, directly to the concerns being addressed at this \nhearing, we have recently completed a planned DOE National \nSecurity Systems Controls Manual. It is now in final review in \nthe Department. We have been able to incorporate actions in the \nmanual based on a number of the lessons learned from this \nincident.\n    I would be pleased to respond to any questions you may \nhave.\n    [The prepared statement of Mr. Pyke appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Mr. Anastasio.\n\n TESTIMONY OF MICHAEL ANASTASIO, DIRECTOR, LOS ALAMOS NATIONAL \n                           LABORATORY\n\n    Mr. Anastasio. Chairman Stupak, Ranking Member Whitfield \nand other members of the subcommittee, I thank you for the \nopportunity to speak with you today.\n    I\'m Michael Anastasio, and since June 1, 2006, I have been \nthe Director of the Los Alamos National Laboratory. I am also \nPresident of the laboratory\'s new management company, the Los \nAlamos National Security, LLC, often referred to as LANS. \nPreviously, I served our country for over 25 years at the \nLawrence Livermore National Laboratory, first as a scientist \nand ultimately as the director of that institution.\n    The security breach at Los Alamos National Laboratory is \ndeeply troubling. I want to make it absolutely clear to all of \nyou that my board and I personally find this incident totally \nunacceptable. It is precisely because of such incidents that \nthe DOE made its decision to recompete the contract at the \nlaboratory.\n    I want to talk with you today in my opening comments about \nfour main points: First, that we take this incident very \nseriously, that we took immediate action upon learning about \nthe issues, that we bring a different approach to running this \nlaboratory, and that this incident accelerates our plans to \ndevelop a robust security system that handles today\'s issues \nand anticipates the future.\n    Although this incident occurred only weeks after we took \ncontrol of the laboratory, I am responsible for this incident. \nBut even more importantly, we are responsible for the solution \nto fix the laboratory with regard to security and other \nmatters. I have detailed in my written testimony a number of \ncorrective actions that we\'ve taken, and I would just like to \ncover six of those right now.\n    We have tightened controls on the ports on all the \nclassified computers. Through our parent organizations, we have \ntapped into independent security expertise from across the \ncountry. We have established a new cybersecurity organization \nthat reports directly to me. Our guard force has significantly \nincreased the number of searches of laboratory personnel as \nthey leave the site. We terminated the relationship with the \nscanning subcontractor, and I have disciplined 24 employees of \nthe laboratory as a result of this incident. We are \nprescreening for illegal drugs of all new hires and will be \nrandomly testing the existing workforce.\n    These steps have already proven effective as we heard DOE \nand NNSA have certified last week that all the vault-type rooms \nthat we have at the laboratory with classified computing are \nnow compliant. But these initial actions aren\'t sufficient. We \nmust move beyond the quick-fix, Band-Aid approach that\'s been \nused in the past, and that means we must now have--address \nsecurity in a comprehensive and integrated manner that \nanticipates risks associated with the inexorable advancement of \ntechnology.\n    There will not be a silver-bullet solution because there \nare none, but we have developed a forward-looking approach \naddressing all of the elements of enhancements to the security \nthat needs to be done and do them simultaneously. We will \nquickly put in place demonstration projects that create a test \nbed to try out all these new security approaches that we have \nin mind. We will consolidate 10 to 20 of our existing vault-\ntype rooms into one overall facility. In there, we will \nimplement clear policies with advanced technologies and proven \nbehavioral methods. In this way, we will have a plan that we \nhave demonstrated will work and that we can then implement \nacross the entire laboratory.\n    So, Mr. Chairman, in conclusion, the steps that I and the \nboard are taking are a fundamental break from the past. The \nLANS partnership brings together expertise and successful \nperformance from across the Federal and the commercial sectors.\n    As president of LANS, I report to a very demanding board, a \nboard that provides a level of oversight, engagement and rigor \nthat this laboratory has not seen before. I have a brand new \nmanagement team that I, personally, selected from across our \nparent companies. The partnership of these four companies gives \nme a deep bench of capabilities and personnel that I\'m already \ntapping into.\n    I\'m already seeing evidence of positive change at the \nlaboratory, and in time these steps will lead to dramatic \nimprovement in the overall performance of the laboratory. We \nhave taken immediate action. We have an ambitious and \ncomprehensive plan. We have extraordinary capabilities to draw \nupon, and we are working aggressively to execute our plan. All \nof my leadership team and I, personally, are deeply committed \nto the Los Alamos National Laboratory\'s success and its \nessential role in protecting our country\'s national security.\n    Thank you, Mr. Chairman, and I look forward to answering \nall of your questions.\n    [The prepared statement of Mr. Anastasio appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you. And thank you all for your \ntestimony.\n    Mr. Anastasio, you said you are responsible for what \nhappened at Los Alamos. Then what\'s been the consequences of \naccepting that responsibility? Has anything happened to you?\n    Mr. Anastasio. Has anything happened to me?\n    Mr. Stupak. Yes.\n    Mr. Anastasio. I\'ve been working a lot longer hours, sir. \nDo you mean if I\'ve been disciplined in any way?\n    Mr. Stupak. Yes.\n    Mr. Anastasio. I\'ve been certainly in contact with my board \nfrom the very beginning of this incident, and they\'ve made \ntheir expectations very clear to me. The board also talked with \nNNSA and the Secretary, and based on that conversation, they\'ve \npassed along those expectations, and I\'ve heard the same from \nthe Department as well, personally. It\'s been very clear to me \nwhat everyone expects of us at the laboratory, and----\n    Mr. Stupak. Well, what are the lessons you have learned \nsince then, and what is being done to ensure this incident \ndoesn\'t happen again?\n    Mr. Anastasio. Well, as I tried to detail for you a little \nbit in my oral testimony and more so in the written, it\'s that \nwe\'ve taken a number of aggressive actions.\n    Mr. Stupak. Such as?\n    Mr. Anastasio. As soon as I learned about this incident, \nwithin hours we had already started to control the ports on \nclassified computers. We started taking that action \nimmediately.\n    Mr. Stupak. We\'ve heard that since 2000. We\'ve had eight \nhearings on cybersecurity since we first brought it up in 2000, \nso excuse me, but I don\'t--what\'s going to be different? We\'ve \nheard all this before. This is my eighth hearing now on this.\n    Mr. Anastasio. We have actually succeeded in doing that, \nand the recent audit confirms that, in fact, we have complied \nwith all the direction we\'ve been given.\n    Mr. Stupak. The audit from the Inspector General, Mr. \nFriedman, said the core security at Los Alamos is in shambles, \nthe core security. I\'ll read it for you exactly if you want it, \nbecause I asked him about it, and it was the very basis of Los \nAlamos; the very core of their security was not good.\n    Mr. Anastasio. Mr. Chairman, I find this incident and the \nissues around it totally unacceptable. My board finds that \ntotally unacceptable. They\'re going to hold me accountable to \nfix this.\n    Mr. Stupak. And we find it totally unacceptable.\n    What are we going to do to fix it?\n    Mr. Anastasio. I understand that, and we are in the process \nof doing that. And so we\'ve taken a series of immediate actions \nwhich, I think, address the immediate concerns and risks at the \nlaboratory; and, at the same time, we have a long-term plan \nthat will get us to a point where we can be out in front of \nthese issues--not always playing catch-up that we\'ve done in \nthe past--and that will allow me and the American people and \nyou, the Congress, to have confidence in this laboratory again.\n    The Department recompeted this contract, we understand, \nvery well. They recompeted this contract because of these \nissues, and I understand that the reason I\'ve been brought in \nand my team and this new contractor is that we need to fix \nthese and the other issues that are going on at the laboratory. \nAnd that\'s what I\'m here to commit to you to do.\n    Mr. Stupak. The Inspector General\'s report I will quote \nnow,\n\n    Our review revealed a serious breakdown in core laboratory \nsecurity controls. In short, these findings raise serious \nconcerns about the laboratory\'s ability to protect both \nclassified and sensitive information systems.\n\n    So that\'s the challenge you have.\n    Ms. Wilbanks, at Los Alamos, sensitive, unclassified \ncomputer systems, are they adequately protected from today\'s \nthreat? You mentioned hackers always trying to get in.\n    Ms. Wilbanks. The unclassified, sir?\n    Mr. Stupak. The unclassified. ``Sensitive, unclassified,\'\' \nthey\'re called.\n    Ms. Wilbanks. While we do not put as much attention on \nthose systems as we do the classified systems, sir, I do \nbelieve they are adequately protected. The 25,000 systems that \nwere referred to by Mr. Podonsky, they are C&A\'d under the NIST \nprovisions.\n    Mr. Stupak. Sure. Would you bet your job on that all 25,000 \nare secure?\n    Ms. Wilbanks. I can\'t guarantee what a hacker will do and \nwhat the new technology will be, sir.\n    Mr. Stupak. OK.\n    Ms. Wilbanks. I am doing everything in my power, sir, to \nmake that guarantee to Mr. D\'Agostino.\n    Mr. Stupak. OK. In your testimony, you state ``We have \nsince secured all USB ports at all NNSA sites and are reviewing \nall cybersecurity plans to ensure they address the specific \nrisks for that system. This type of incident, the undetected \ntransfer of classified information to a portable device, could \nno longer occur at any NNSA site.\'\'\n    So let me ask you: Why wasn\'t all of this fixed prior to \nthis incident?\n    Ms. Wilbanks. Actually, at some of our sites, sir, it was \nfixed.\n    Mr. Stupak. Right. But not at all of them, obviously.\n    Ms. Wilbanks. That is correct, sir. At a meeting of all of \nthe DAAs from the sites in November, the ``open ports fine\'\' \nissue was brought up.\n    Mr. Stupak. Sure, that\'s November, but wasn\'t that really \none of the primary reasons the lab was shut down in July 2004?\n    Ms. Wilbanks. I was not here then, sir. I\'m sorry.\n    Mr. Stupak. Did you ever review the report in 2004 and see \nwhat was required for cybersecurity at the lab\'s computers?\n    Ms. Wilbanks. Yes, I did, sir, and there was very minimal \nin there for cybersecurity.\n    Mr. Stupak. OK. Hopefully, I\'ll have some time for some \nfollow-up because I would follow that up, but my time is up.\n     Mr. Whitfield.\n    Mr. Whitfield. Thank you, Mr. Chairman, and I thank the \nwitnesses for their testimony today.\n    Mr. Anastasio, you were the Director of Lawrence Livermore, \nI think you said in your testimony.\n    Mr. Anastasio. That\'s correct, sir.\n    Mr. Whitfield. For how many years?\n    Mr. Anastasio. Almost 4 years.\n    Mr. Whitfield. And you\'ve been here now for about 7 months \nat Los Alamos?\n    Mr. Anastasio. Since June 1, that\'s correct.\n    Mr. Whitfield. Well, you might have some unique \nperspectives on this that we\'ve been asking a lot of people, \nand I read this comment that said LANS\' volume of classified \nholdings is unnecessarily large, conducted in too many security \nareas, involving too many people, and is spread out over too \nlarge of an area.\n    Would you agree that that assessment may give a synopsis of \nthe primary differences in Los Alamos and Lawrence Livermore \nand would explain why security is such a challenge at Los \nAlamos?\n    Mr. Anastasio. Well, I would agree those factors add a \nchallenge to Los Alamos, but I believe the--one of the \nfundamental issues at the laboratory right now is that there is \nunclear, complicated policies which are inconsistently applied \nacross the laboratory. And of course one of the reasons for \ninconsistency is the fact that there are so many different \nlocations. But in the past, the laboratory has--each \norganization has implemented their own version of the overall \npolicies, which led to inconsistency; and I would also argue \nthat the policies are overcomplicated and sometimes \ninconsistent, so we have not been enabling our employees to be \na success. What they see is confusing. They don\'t know what is \nallowed and what\'s not allowed. So that\'s one of the things \nthat was in the core approach that we\'ve taken to fix the \nlaboratory. But at the same time, we are also looking to \nconsolidate the number of vaults, to bring those down. The \nlaboratory, before we arrived, has done a lot to reduce the \ntotal number of accountable, removable, electronic media, a \nnumber of documents, so I think these are all approaches to an \noverall plan that we\'re putting together.\n    Mr. Whitfield. So, the confusion in policy, is that partly \nthe responsibility of the Government and the holder of the M&O \ncontract?\n    Mr. Anastasio. Well, certainly, we are driven by the \npolicies that come from the Department through our contract, \nbut I believe my responsibility goes beyond that.\n    My job is to make sure the laboratory is secure. I have to \nbe compliant with the policies, but if that is not sufficient, \nI have to take further action. I believe that----\n    Mr. Whitfield. But you found a lot of things wrong with the \npolicy and the confusion in the policy when you arrived there. \nI mean there obviously was room for improvement.\n    Mr. Anastasio. Yes, there\'s certainly room for improvement, \nand we\'re off dealing with that and trying to----\n    Mr. Whitfield. Now, why would we expect that there would \nreally be a great improvement when the University of California \nhad responsibility for 64 years prior to the new M&O contract, \nand now they are a 50-percent stakeholder in the new contract?\n    Mr. Anastasio. Well, I think there\'s a number of reasons \nwhy you should have confidence.\n    This is a new team. First, we have a board of directors \nthat we\'ve never had before who are very demanding.\n    Mr. Whitfield. And who is on the board of directors?\n    Mr. Anastasio. There are 11 members of the board of \ndirectors--six from the parent companies and five from the \noutside--outside world.\n    Mr. Whitfield. And the parent companies would be the \nUniversity of California, Bechtel, and who else?\n    Mr. Anastasio. BWX Technologies and Washington Group \nInternational.\n    Mr. Whitfield. Now, what is the Washington Group \nInternational? Who is that?\n    Mr. Anastasio. I\'m sorry. I\'m not sure what you mean by \nthat.\n    Mr. Whitfield. I\'m not familiar with that.\n    Mr. Anastasio. The president of that is Presray.\n    Mr. Whitfield. What is the experience of that company? \nWhere does that come from?\n    Mr. Anastasio. Oh, they are involved, for instance, with \nthe Savannah River site. They are a major part of that \ncontract. They are at the WIPP site. Those are a couple of \nplaces. They have a lot of expertise in nuclear--nuclear \nfacility management.\n    Mr. Whitfield. But the board is composed of six members \nfrom those four entities?\n    Mr. Anastasio. That\'s correct, sir.\n    Mr. Whitfield. And then five members outside of those?\n    Mr. Anastasio. That\'s correct.\n    Mr. Whitfield. Who selected the board members, the five \nthat are outside?\n    Mr. Anastasio. The six members on the inside from the \ncompanies, yes.\n    Mr. Whitfield. OK, and those five, what companies do they \nrepresent?\n    Mr. Anastasio. We have one for oversight from \nPricewaterhouseCoopers for financial oversight. We have someone \nfrom Stanford. We have a former admiral, et cetera.\n    Mr. Whitfield. And the board meets how often?\n    Mr. Anastasio. The board normally meets quarterly but \nwhenever they need to. So we\'ve had quite a number of meetings, \nboth formal meetings--but I\'m in constant conversation on the \ntelephone with the key members of the board whenever that\'s \nnecessary.\n    Mr. Whitfield. Now my time has expired. I just have one \nquick question.\n    As a result of the most recent breach, the 1,500 and some \ndocuments that were a problem, as the director of Los Alamos, \nrepresenting the president of the new consortium, would you \nexpect that the Government would penalize your company \nfinancially for that breach?\n    Mr. Anastasio. Oh, I certainly understand that part of our \nfee or, ultimately, all of our fee could be at risk for this or \nany other incidents that go on at the laboratory. We understand \nthat very well.\n    Mr. Whitfield. OK. Thank you.\n    Mr. Stupak. The gentlewoman from Colorado.\n    Ms. DeGette. Thank you very much, Mr. Chairman.\n    Mr. Anastasio, I wanted to follow up on some of the ranking \nmember\'s questions because you successfully ran Lawrence \nLivermore for a good number of years, and I\'m wondering if you \ncould just tell me very briefly what is it that\'s so different \nat this facility. You said a minute ago there\'s unclear \ncompeting policies that are applied inconsistently. Are there \nother things?\n    Mr. Anastasio. Certainly things that the ranking member \nidentified are issues as well, the fact that it\'s physically \nspread out----\n    Ms. DeGette. The physical layout.\n    Mr. Anastasio. Also, there\'s a history at the site of each \norganization having a lot of autonomy to implement the \nspecifics in their own work area. All of these things lead to \nsome of these challenges that we face.\n    Ms. DeGette. How\'s the morale out there?\n    Mr. Anastasio. Well, the morale of the employees--they are \nreally--I think it\'s improving. They\'ve been through a lot of \ncontroversy over the last years. They understand, because of \nthe contract competition, that change is happening and it needs \nto happen, and I think they\'re very, very committed to their \nmission.\n    Ms. DeGette. Do you think that they\'re committed to \ncomplying with security procedures?\n    Mr. Anastasio. I think the employees are very committed to \ndo their job very well, including their security \nresponsibilities.\n    Ms. DeGette. And is that a change in attitude? Well, you\'ve \nonly been there since June.\n    Mr. Anastasio. Yes. I can\'t say how much there\'s been a \nchange in attitude.\n    Ms. DeGette. I\'ll be frank. When we were out there a couple \nyears ago, when Mr. Barton and I were there, we got the sense \nthat part of the problem was that many of these high-level \nemployees felt like these were--these security procedures were \nridiculous, and they didn\'t really want to comply. Have you \nfound some of that attitude?\n    Mr. Anastasio. The attitude I found is, first, a very loyal \ncommitment to their country and their mission but also a \nconfusion about what standard they\'re being held to. And so \nthey want to comply, but they\'re not clear what they\'re \nsupposed to----\n    Ms. DeGette. And this is what you were talking about, the \nunclear, competing policies applied inconsistently?\n    Mr. Anastasio. Yes. And I think one of the things we\'re \ntrying to do is, as we define the overall goal and policy we \nwant them to achieve, we\'re trying--we\'re involving some of the \nemployees in developing the implementation plan. That way, \nthey\'re there from the beginning. Now, they don\'t get the final \nchoice of what that plan is, but they\'re part of that \ndiscussion so they understand why the policy is in place and \nhow it\'s implemented.\n    Ms. DeGette. Right. Let me ask you this. Mr. Friedman said \nthat he felt like we should give the agency until June, which \nwould be your 1-year anniversary, to fix this.\n    Can you fix all of these problems by June, and are you \nwilling to commit to that today?\n    Mr. Anastasio. I would agree with the deputy director that \nwe are off fixing them right now. We have been fixing these \nproblems ever since the incident occurred, that we are making \nprogress every day.\n    Ms. DeGette. OK. My question is can you do it by June, \n``yes\'\' or ``no.\'\'\n    Mr. Anastasio. I think this is a continuous challenge that \nwe have to be on top of every day from now until----\n    Ms. DeGette. Can you make substantial progress by June?\n    Mr. Anastasio. Absolutely, we can make substantial progress \nby June.\n    Ms. DeGette. OK. Thanks. I just have a quick question for \nyou, Mr. D\'Agostino.\n    In the binders of this Fiscal Year 2000 Performance \nEvaluation Plan--I\'m sure you\'re familiar with that plan----\n    Mr. D\'Agostino. Yes, ma\'am.\n    Ms. DeGette. In part of that plan on page 5 is performance-\nbased incentives. We\'re a little confused up here. Mr. \nD\'Agostino testified about everybody now understands that there \nare incentives under this new contract.\n    We\'re a little concerned about, if we wanted to take some \nkind of punitive action if these problems aren\'t fixed, how \nmuch we could penalize the management by. Is it the entire \n$73,280,000 or some other number of that?\n    Maybe you can quickly explain that to me.\n    Mr. D\'Agostino. Yes, ma\'am. Thank you for the opportunity \nto do that. A couple of points.\n    The one is there\'s the clause I mentioned during my oral \ntestimony, conditional payment of fee. It puts that whole $73 \nmillion at risk.\n    Ms. DeGette. OK. So, if we wanted to, we could penalize \nthem that whole amount?\n    Mr. D\'Agostino. Yes, ma\'am, but there are conditions \nassociated with the contract, associated with the level of \nseverity and----\n    Ms. DeGette. Whose department is that?\n    Mr. D\'Agostino. I would go through the contracting officer, \nis my----\n    Ms. DeGette. Who determines the level of severity?\n    Mr. D\'Agostino. There would be an analysis done. The damage \nassessment, for example, in this particular incident will be \nlooked at. If there are further safety and security problems \nthat happen, those would get added up into the problem, if you \nwill, when we look at fee determination at the end of the \nfiscal year.\n    So what we will do at the end of the fiscal year, which is \nSeptember 30 of this year, take a look at the laboratory\'s \nperformance not only on this particular security incident but \non whether there have been any safety issues associated with \nthe laboratory, and look at whether that conditional payment of \nfee clause actually applies here.\n    In addition, your question, ma\'am, was referring to this \nparticular page which which broke down the $70-plus million. \nThere is the fixed fee: 30 percent of about $22 million; and \nthe incentive fee. Within the incentive fee that you call out \n``performance-based incentives\'\'. There are very specific \nmeasures and deliverables under each one of those performance-\nbased incentives 1 through 13. PBI No. 5 applies to safeguards \nand security, which was pointed out earlier that, if it\'s only \n$3 million of the whole 70, why is that--why should we feel----\n    Ms. DeGette. Right. So do you think we can only penalize \nthem $3 million or $73 million?\n    Mr. D\'Agostino. No, ma\'am. All of the $73 million is at \nstake. I wanted to get to a point. I did spend the first few \ndays of this job at Los Alamos last week. I got a chance to see \nfirsthand the conditions that we\'ve talked about earlier in the \nhearing.\n    Based on that, I directed the manager at the site office, \nworking with Mr. Desmond, to reevaluate, and we are \nunilaterally reevaluating this fee allocation within this \nparticular plan. So we have two approaches, and we will--as I \nmentioned in my testimony, I\'m going to make full use of the \ncontract because that is the main tool. It is the tool that we \nshould use and will use in order to make sure that the message \ngets across to the contractor.\n    Ms. DeGette. OK.\n    Mr. D\'Agostino. I apologize for taking so long. We are \ngoing to conduct a reevaluation of this allocation, and we will \nbe working with LANS on that reallocation, but if we don\'t come \nto agreement, the Federal Government has the ability to \nunilaterally impose a change on this allocation.\n    Ms. DeGette. Thank you.\n    Mr. Stupak. Mr. Burgess.\n    Mr. Burgess. Thank you, Mr. Chairman.\n    Mr. D\'Agostino, just so I\'m clear on this, I think Deputy \nSecretary Sell testified that you were the selector in the RFP \nprocess a little over a year ago; is that correct?\n    Mr. D\'Agostino. Yes sir, that is correct.\n    Mr. Burgess. You mentioned in your testimony about \nrecompeting the contract. I\'m assuming there you were talking \nabout the recompeting of the contract that happened a year ago, \nnot a recompete that\'s at some point in the future.\n    Mr. D\'Agostino. I\'m actually referring to a recompete if it \nshould come to this point. If it should come to the point where \nmyself as the Acting Administrator of the NNSA feels that we \nhave a material breach of the contract or we have a situation \nwhere it\'s in the best interest of the Government, I, as the \nAdministrator, through my contracting officer, have an ability \nto recompete.\n    That is not the case right now. I want to make that clear \nbecause I do believe we don\'t have--we don\'t have all of the \nanalysis together as a result of the current criminal \ninvestigation that\'s underway.\n    Mr. Burgess. But you do have the ability, then, to \nrecompete the contract.\n    Mr. D\'Agostino. The contract allows me to terminate for \ncause of the existing contract.\n    Mr. Burgess. Without waiting the 7 years to do so?\n    Mr. D\'Agostino. That\'s right. Yes, sir.\n    Mr. Burgess. Well, let me just ask you a question then.\n    We\'ve heard all kinds of testimony about the fines levied, \nwhether it\'s $3 million or $73 million; and $73 million would \nbe a significant fine to levy against the contractor.\n    Would they be able to continue in their mission if they \nwere hit with that level of fine? Would that damage their \nability to provide the services, the security that we\'re going \nto demand of them?\n    Mr. D\'Agostino. I believe that if I were to decide today \nthat I wanted to levy, and I had all of the data with me today \nthat it would be a bad management decision to make that move \nright now before the fiscal year is over. I have complete faith \nand confidence in Dr. Anastasio. I understand the plans he\'s \nputting in place. He does take this seriously. He has taken \nspecific steps. There are obligations on the part of the \nFederal Government as well, and I\'m making changes on that \nparticular side. But I do believe that it would be \nirresponsible and a bad management move from my years of \nmanaging organizations, before the fiscal year is actually \nover, to make that decision.\n    So, to answer your question, I wouldn\'t do it at this \npoint, but what\'s clear is the fee is an amount of resources \nthat are set aside.\n    Mr. Burgess. Well, let me just interrupt you then.\n    As far as just the management aspects of it, we had a team \nthat was on site for over 60 years. I\'m relatively new, but it \nsounds like, on this committee, we\'ve been dealing with the \nsame sort of problem over and over again. I don\'t know whether \nthey\'re interrelated or not. I\'ve got to assume that a laser \ninjury of the eye is not related to the removal of a thumb \ndrive, is not related to the guy getting beat up at the bar, \nbut still there are all these things that keep coming up.\n    How good a management decision is it to continue on with \nthe same group that has brought you these troubles in the past, \nand should we not have been able to anticipate a subsequent \nbreach because of the behavior that at least has been exhibited \nsince 1999?\n    Mr. D\'Agostino. Sir, I\'d like to address that in two ways. \nOne is to make sure that it\'s clear that the same organization \nis not running this laboratory. It\'s clear that the proposal \nthat I reviewed----\n    Mr. Burgess. Has the culture actually changed then since \nthe awarding of the contract?\n    Mr. D\'Agostino. I would say I don\'t know the answer to that \nquestion, but here\'s what I will----\n    Mr. Burgess. I hope you find out quickly.\n    Mr. D\'Agostino. That\'s exactly right.\n    The LANS executive committee knows. The Executive Board of \nGovernors, the executive committee on the board, truly \nunderstands, because I put this in writing, that I don\'t \nbelieve this is just a matter of, well, let\'s straighten out \nour policies and procedures, do a couple of checks and follow \nup, and everything will be all right.\n    My job as a manager is to set expectations, to man \nperformance and then follow up and use the tools that I have. \nThis structure actually allows me the opportunity to do that. \nNever before has the Department had this much money on a \ncontract.\n    Mr. Burgess. And I hope you have the courage to enforce \nthat.\n    Ms. Wilbanks, let me just ask you briefly. You used the \nword ``malicious\'\' in your testimony. Did I understand that \naccurately?\n    Ms. Wilbanks. Yes, sir.\n    Mr. Burgess. So this person willfully downloaded material, \ntook it back to her living quarters. What would be the--if I\'m \ngoing to do something maliciously, presumably I have a reason \nfor doing it. Have you explored that? Do we know what that \nanswer is or is that still locked up in the FBI report?\n    Ms. Wilbanks. I believe it\'s part of the FBI investigation, \nsir.\n    Mr. Burgess. And at some point, again, Mr. Chairman, that \ninformation is going to be shared with us?\n    Mr. Anastasio. Mr. Chairman, Congressman, if I could try to \nanswer that briefly, in all the conversations that I\'ve had \nwith the FBI, they\'ve given me no evidence that anything\'s \nhappened beyond taking that material to her home.\n    Mr. Burgess. But there must have been some financial \nincentive or wanting to damage someone. I mean you don\'t just \ndo something like that on a whim, or at least I can\'t believe \nthat you would.\n    Mr. Anastasio. Certainly, the FBI is the one that can \nanswer that in better detail, but what they\'ve expressed to me \nin my variety of discussions with them is they have no \nindication that she did anything beyond what was reported in \nthe press.\n    Mr. Burgess. But, again, the motive--I mean the laser \ninjury to the eye, OK, that was an accident; getting beat up in \na bar, that\'s bad judgment; but taking material from the server \nback to your living quarters--I mean there\'s got to be a reason \nwhy someone would engage in that type of activity. It was \neither for sale or to damage someone else. But again, we don\'t \nknow the answer to that at this point.\n    Mr. Anastasio. But what we are working hard to do is make \nsure that never happens again.\n    Mr. Burgess. And I would very much like an answer as to why \nit happened in the first place.\n    Do we get another round?\n    Mr. Stupak. We\'ll just do one more question or so.\n    To get back to the FBI, we talked a little bit off the \nrecord there. We\'ll try to have them come in and give us a \nbriefing, a members\' briefing, on the status there to answer \nsome of your questions.\n    Mr. Melancon.\n    Mr. Melancon. Thank you, Mr. Chairman.\n    Mr. Anastasio, you talked earlier about disciplining about \n20-some-odd people. What were the violations that you \ndisciplined them for?\n    Mr. Anastasio. We did a very extensive review with a \ndetailed look at all the incidents going back to over a year \nand a half ago when this project was first set up. The \nconditions of security that were built into the planning that \nthey did, all the way through the activities, up until--up \nuntil the recent times, and in that, there were a variety of \npeople that were disciplined, either removed from their job or \nother forms of discipline for all of the different sorts of \nthings that went on, which were bad judgment on the part of \nemployees, bad policies and procedures that were in place and \nthings of that nature.\n    Mr. Melancon. Can you give me an illustration of what, \nmaybe, the worst one was or one of the worst ones?\n    Mr. Anastasio. I think the worst problem was the way the \nsecurity was set up for this particular project. The people who \nset it up actually were trying hard to be very conscious of \nsecurity, but they didn\'t--they didn\'t make a plan that \naddressed all of the potential risks, and the people that were \nresponsible for that security plan in that vault-type room, I \nthink, were the ones that got the most severe penalty. And then \nthe second-most, I would say, was the--was the cybersecurity \nteam that was responsible for the overall policies of the \ninstitution.\n    Mr. Melancon. Of the 20-some-odd, how many did you fire?\n    Mr. Anastasio. Three were removed from their assignments. \nMany of the people who were responsible for this activity were \nno longer in the same assignment when we came on board, so they \nhad been moved out of their job for a variety of reasons before \nwe even got there, even though they were responsible a year and \na half ago for--for overall security things.\n    Mr. Melancon. Have you been--I don\'t know if you\'ve been \nthere shortly, but has the process been to try and ferret out \nall of these people from as far back--of course, I don\'t know \nhow far back you go.\n    Mr. Anastasio. Yes, we went back to the very beginning when \nthe project was set up. We identified all the people who were \nresponsible. The organization itself that was responsible at \nthe time doesn\'t any longer exist. We\'ve reorganized, et \ncetera, but we went and identified all of the individuals who \nhave been involved over this entire period of time and, again, \nwent through a very detailed effort to examine all the issues \nand who was responsible for them, and that led to the 24 \ndifferent disciplinary actions.\n    Mr. Melancon. You ran Lawrence Livermore; is that correct?\n    Mr. Anastasio. Yes, sir.\n    Mr. Melancon. How many employees are there at Lawrence \nLivermore?\n    Mr. Anastasio. Oh, I guess I don\'t remember offhand. I\'d \nsay about 8,000 to 9,000.\n    Mr. Melancon. So about two-thirds to three-quarters of what \nyou have at----\n    Mr. Anastasio. That\'s approximately right.\n    Mr. Melancon. Yes, and there\'s not any security problems \nthat you experienced there, cyber or otherwise?\n    Mr. Anastasio. There were some security problems at \nLawrence Livermore while I was there. One incident that got \nquite a lot of attention was some security keys that got lost. \nAnd the approach I\'m taking to the incidence here is the same I \ntook there, which is to act very quickly and decisively, to \nfind out those who were responsible and make sure that they\'re \nproperly held accountable, and to go build a system that \naddresses the issues. And I would say--I\'d defer to others, but \nI\'ve been told that Lawrence Livermore now has the model \nsecurity program for keys in the complex, and in fact, the lab \ngoes around and briefs the other sites on the lessons learned \nand how to do a better job. So I think we responded very \ndecisively there, and that\'s been my intent to do here at Los \nAlamos.\n    Mr. Melancon. Yes. I guess the thing that I\'m having \nproblems getting my arms around is that this country--of \ncourse, I guess, when you look at Homeland Security, maybe we \nreally do have a problem, but it\'s not at your level. But when \nyou look at the security that is provided in this country and \nother places by our Government, why is there not some type of \nguideline, some type of program that we can model after? I mean \nthis is--are we making it up as we go when we brought these new \ncontractors in?\n    Mr. Anastasio. Well, certainly, there\'s an element that\'s \nvery clear on how to do this that has the behavioral issues \ninvolved, that has issues of policies and procedures, \ninfrastructure that we\'ve talked about, how big is your \ninfrastructure, et cetera. But there\'s another piece which I \nthink is a very large challenge for the country and us at the \nlaboratory, which is the advance of technology.\n    The last time the laboratory reviewed its policies--and we \ncould argue they should have done it much sooner--these little \nmemory stick, thumb drives were not in common usage, and yet \nnow that they are, it\'s quite obvious what a risk they are for \nsecurity. And so what\'s going to be the challenge we have 2 \nyears from now is we really need to develop a system in place \nthat\'s robust against the future advancement of technology so \nwe don\'t have to fix it after the fact like we\'re doing now. \nAnd that\'s the plan we\'re off doing.\n    Now, I would argue that, as one of the previous witnesses \nhas testified, there are a lot of nefarious people out there \nwho are very sophisticated who are always looking to get \naccess, and that also concerns me very much. And finding a way \nto defend ourselves from those kinds of attacks as well as the \nkind we\'re talking about here is a deep concern to me.\n    Mr. Melancon. Thank you, sir.\n    My time has expired.\n    Mr. Stupak. We\'ll move quickly and see if any members have \nfurther follow-up. There\'s been some expression of wanting to \nfollow up. If I may, just two questions.\n    Mr. Anastasio, you indicated the thumb drives--when that \ncybersecurity was done, thumb drives weren\'t in use, but if \nyou\'ll look after January 2005, after they shut down the lab \nfor a while, five out of 14 points dealt with cybersecurity, \ndealt with the fact that these things are accessible. So I \nwould suggest that maybe a good place to start for security is \ngo back and look--after we shut down the lab that cost $350 \nmillion, that we look at the recommendations that were made and \nimplement those procedures.\n    Mr. Anastasio. I can\'t speak to exactly what happened \nduring--during that shutdown and why they did it.\n    I can say that we have looked at and have, in fact, \ndeveloped plans for all the issues that came up associated with \nthat shutdown, and the corrective actions in place. We have a \nvery effective system in place now to keep track of those about \nwho\'s responsible to----\n    Mr. Stupak. Sure, but in Mr. Melancon\'s answer, you said \nthe last time you had a security review like that, thumb drives \nweren\'t being used. They were certainly in use in 2005 and long \nbefore that.\n    Mr. Anastasio. Yes, sir, and I guess what I was--maybe to \nbe clearer, the policies that the laboratory has for \ncybersecurity were not changed to be cognizant of the new \ntechnology that was available, and that was a mistake on the \nlaboratory\'s part, and we\'re all fixing that.\n    Mr. Stupak. Ms. Wilbanks, I was asking you some questions \nabout the cybersecurity and the computer systems, and I\'ll ask \nyou the same thing. Had you reviewed the 2004--or after the \n2004 report--recommendations made, and you indicated that there \nwasn\'t much in there about cybersecurity, but yet five of the \n14 recommendations deal with cybersecurity. In fact, as you are \nthe Chief Information Officer, it even states--and I\'m looking \nat the January 2005 memo. It says that the Office of Chief \nInformation Officer is leading the effort to implement a \ncybersecurity enhancement plan to protect the confidentiality, \nintegrity and availability of all DOE information systems.\n    So you certainly, as the Chief Information Officer, have a \nhuge role to play in shoring up all the classified and \nunclassified systems, including cyber; is that correct?\n    Ms. Wilbanks. Yes, sir.\n    Mr. Stupak. OK, and with that, Mr. Whitfield.\n    Mr. Whitfield. Thank you, Mr. Chairman.\n    Just a couple more questions.\n    Mr. Anastasio, what is--do you have a policy on \nwhistleblowers?\n    Mr. Anastasio. Yes, sir, we do.\n    Mr. Whitfield. OK, and I\'m assuming you encourage----\n    Mr. Anastasio. Absolutely. And we have a number of \nmechanisms in place to allow anybody at the laboratory who has \na concern that they feel they can\'t discuss with their line \nmanagement, they had, as a confidentiality process, a separate \ngroup of people to--to--we also have an ombudsman program. We \nhave a variety of mechanisms that employees have available to \nthem.\n    Mr. Whitfield. OK, and then as a result of the deputy lab \ndirector announcing his retirement, which basically was in \nviolation of the contract, the contract administrator or \ncontracting officer, Edwin Wilmot, wrote a letter to you on \nDecember 6, requesting a briefing on what steps you all \nintended to take to ensure the retention of all key personnel.\n    Now, have you all had that briefing yet or----\n    Mr. Anastasio. I have not formally responded to his letter, \nbut he and I, in fact, just last week talked about this very \nsubject on the phone, and I gave him an update, and he \nrequested me to send him some more information which I promised \nto do right after this hearing.\n    Mr. Whitfield. OK. And then just one other comment. Ms. \nDeGette\'s questions made me think of this a little bit.\n    The base contract, Mr. D\'Agostino, is $1.5 billion to $2 \nbillion; is that correct, roughly?\n    Mr. D\'Agostino. It\'s roughly $2 billion, sir.\n    Mr. Whitfield. And that\'s basically for managing the site?\n    Mr. D\'Agostino. That\'s right. It\'s for managing the site. \nThere\'s a fee element associated with that. That\'s right.\n    Mr. Whitfield. And then, on top of that, we have a $73 \nmillion pool that can be given for extraordinary performance or \nincentives or whatever; is that correct?\n    Mr. D\'Agostino. As a subset, sir, not on top. It\'s roughly \n$2 billion. It depends on how much work we allocate to Los \nAlamos National Laboratory and the amount of work they have. \nThe laboratory gets its resources from a number of different \nareas within the Department and across the Federal Government. \nAbout 60 percent of it, maybe closer to 70 percent of it, \nactually comes from the NNSA. Probably about 15 percent of it \ncomes from other elements of the Department of Energy, and \nabout 15 percent comes from what we call ``work for others,\'\' \nwhich is work for other Federal agencies, the Department of \nDefense and other intelligence agencies.\n    Mr. Whitfield. But the $1.5 billion to $2 billion, that \nactually is paid to the M&O contract holder?\n    Mr. D\'Agostino. Right. That\'s the sum total of that text \nthat I just described to you earlier, and the fee element is \nessentially an indirect charge that we allow the laboratory and \npart of its management to make it an allowable cost, and it\'s \nset aside in a specific account within the indirect pool, so \nit\'s not in addition to on top of, sir.\n    Mr. Whitfield. OK.\n    Mr. Anastasio. Excuse me, Congressman, but that $2 billion \nis to execute work. That\'s well----\n    Mr. Whitfield. OK.\n    Mr. Anastasio. That\'s well defined by Congress and by the \nDepartment that here\'s a set of work activities for us to go \nand do.\n    Mr. Whitfield. OK. Thank you.\n    Mr. Stupak. Ms. DeGette, any follow-up?\n    Ms. DeGette. Ms. Wilbanks, when I was at the facility in \n2004, we were told that all of these ports were going to be \nsecured then. And then in your testimony today, you said that \nsince this incident, you\'ve secured all USB ports at all NNSA \nsites and are reviewing all cybersecurity plans to ensure that \nthey address the specific risks for the system. This type of \nincident, the undetected transfer of classified information to \na portable device, could no longer occur at any NNSA site.\n    I guess my great frustration here and, I think, the \nfrustration of the rest of the committee is that we keep trying \nto close the barn door after the horse escapes. Mr. Anastasio \nsays, well, now we\'re drug testing the employees before they \nget through the security system. Now you\'re in here saying that \nthe ports have been secured.\n    Why didn\'t that happen before this incident? If we knew the \nproblem existed several years ago, why didn\'t it happen?\n    Ms. Wilbanks. I did not come to the Department of Energy \nuntil the end of October 2004, so I can\'t speak to the comment \nthat was made before I was there.\n    I can tell you that the ports have been in the process of \nbeing closed, and the sites have been working on it. I don\'t \nhave any other----\n    Ms. DeGette. It took 2\\1/2\\ years to do that?\n    Ms. Wilbanks. I don\'t know, ma\'am.\n    Ms. DeGette. OK. When did you say you came?\n    Ms. Wilbanks. October 31st, 2004.\n    Ms. DeGette. OK. So that was right after we were there, and \nso when you came, and then in October of this year, that was 2 \nyears, and the ports still weren\'t closed in that time, right?\n    Ms. Wilbanks. Yes, ma\'am. There was no policy or procedure \nin place to require the port closure. It was not identified as \na high risk is my assumption.\n    Ms. DeGette. OK. So, if we were told--you would have no \nknowledge--so no one told you that that was a high priority?\n    Ms. Wilbanks. No, ma\'am. I was not aware of it.\n    Ms. DeGette. OK. See, that\'s why we\'re so frustrated is \nbecause, when we were there earlier that year, we were told \nthat that was a high priority.\n    I guess this is what you\'re talking about, Mr. Anastasio, \nabout the unclear competing policies.\n    Thanks. This is what they secure it with, this JB Weld.\n    Ms. Wilbanks. Yes, ma\'am.\n    Ms. DeGette. So how would that take 2 years? Because it \nwasn\'t a high priority, I guess.\n    Ms. Wilbanks. That would be my answer, ma\'am.\n    Ms. DeGette. I\'ll yield to you, Mr. Stupak, for the JB Weld \nquestion.\n    Mr. Stupak. Thanks for yielding.\n    I mean, wouldn\'t you anticipate--if you\'re security \nexperts, wouldn\'t you anticipate that someone\'s going to take a \nthumb drive and put it in these computers?\n    Ms. Wilbanks. No, sir. She was in a classified environment \nthat only cleared----\n    Mr. Stupak. No. No. No. I\'m not saying this lady.\n    You\'ve got 25,000 computers out there that you say contain \nsensitive information. If anyone can just take a thumb drive--\nand I think Mr. Friedman held it up earlier and said you could \ntake two file cabinets full of information off of it--wouldn\'t \nyou so-called ``security experts\'\' think of that? I mean \nsomeone thought of it in 04 and told us when we were out there. \nThat\'s the part that\'s baffling.\n    I yield back.\n    Ms. DeGette. I just think, Mr. Anastasio, that you really \nhave a job ahead of you, and I hope that you and your team can \ndo that job because I don\'t think there\'s very long for that to \nhappen before we do take really drastic changes. We\'ve been \nsitting here for 8 years doing this, and this is a perfect--\ndrug testing is another example. I\'m assuming at Lawrence \nLivermore and at other labs that drug testing for high-level \nsecurity clearances is pro forma, wouldn\'t it be?\n    Mr. Anastasio. There was not a policy for drug testing at \nLawrence Livermore when I was there. We have a requirement for \ncertain specific activities, the handling of nuclear material, \nfor example, that the Department requires us to have a drug \ntesting program for, and of course those are in place all \nacross all the sites.\n    What I\'ve done at Los Alamos is to say that, actually, I\'m \ngoing to have drug testing for all employees whether they have \na top-level security clearance or not.\n    Ms. DeGette. And just----\n    Mr. Anastasio. For anybody who comes to work at my site, I \nwon\'t stand for people using illegal drugs.\n    Ms. DeGette. Well, that\'s good. But even under the previous \nstandards, this gal who was cleared probably shouldn\'t have had \nthat level of security clearance, wouldn\'t you agree?\n    Mr. Anastasio. I can\'t speak to that. I don\'t know. I don\'t \nknow all the background that she had and that led to her--the \ndecision about the clearance.\n    Ms. DeGette. Thank you.\n    Thank you. I yield back.\n    Mr. Stupak. Mr. Burgess.\n    Mr. Burgess. Thank you. And Mr. Anastasio, it just seems \nincredible that we will drug test our athletes. In fact, we\'ve \nhad hearings in this very room about that. We\'ll drug test our \nathletes, and we\'re not drug testing at Lawrence Livermore. I \ndon\'t see that as good information.\n    Mr. Pyke, let me ask you a question.\n    The designation of an ``official use only\'\' document, what \nwould be the reason to designate something as ``official use \nonly\'\'? Would that mean that we shouldn\'t be distributing it, \nsay, around in this room for everyone to look at?\n    Mr. Pyke. My understanding is that the ``official use \nonly\'\' designation is given when someone has reason to believe \nthere\'s sensitive information in there that should not be \ndisseminated broadly.\n    Mr. Burgess. Then, of course, you\'re aware that one of our \nstaff members this morning downloaded a document from your Web \nsite that\'s marked ``official use only\'\'.\n    Mr. Pyke. His report to me, late morning, is very \ndisturbing to me, and in fact, I would appreciate it very \nmuch--he reported something similar last year, and I\'m told \nthat our staff went out and assured that the offending material \nhad been taken down immediately, that very day, off of the Web. \nI gave directions right after I heard from him this morning \nthat if, in fact, that information is still on the Web, that it \nbe taken down immediately.\n    We have a clear directive to the Department that not only \nis OUO and other sensitive, unclassified information not to be \nplaced on the Web, to say nothing of classified information not \nto be placed on the Web, but there is to be a process in place \nto ensure regular monitoring of Web sites to ensure that such \ninformation has not crept onto the Web by mistake or otherwise.\n    Mr. Burgess. Or otherwise. With all of the talk that we\'ve \nhad this morning, you do have to worry about the ``otherwise\'\'. \nFortunately for you, I\'m not smart enough to understand what \nI\'m holding in front of me. I don\'t know that I can say the \nsame about the staff member who downloaded it, and if it\'s not \noff the Web site, I do encourage that you do that.\n    Just as a final thought on everything we\'ve been talking \nabout this morning, I hope we don\'t focus on so much the \nindividual worker at Los Alamos, the person who may have given \nin to a moment of human frailty, but we really have to put \nthose procedures and the culture in place that just does not \nallow this to happen in the future. And heaven help us all if \nwe\'re back here doing this same thing in 6 months\' time.\n    I yield back, Mr. Chairman.\n    Mr. Stupak. OK. Our witnesses, nothing else?\n    OK. Well, thank you and you\'re excused.\n    We will go into executive session in 2218, Room 2218, in 15 \nminutes, 2:05, Mr. Friedman, Mr. Podonsky and Deputy Secretary \nSell, if you would, please.\n    This record will remain open for 30 days. If members have \nquestions they\'d like to submit to any of the witnesses, that \nrecord will remain open for 30 days for those questions.\n    [Whereupon, at 1:51 p.m., the subcommittee proceeded in \nexecutive session in room 2218.]\n    [Material submitted for inclusion in the record follows:]\n    [GRAPHIC] [TIFF OMITTED] 35446.001\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.002\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.003\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.004\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.005\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.006\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.007\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.008\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.009\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.010\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.011\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.012\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.013\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.014\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.015\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.016\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.017\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.018\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.019\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.020\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.021\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.022\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.023\n    \n                     Answers to Submitted Questions\n\n    Please identify exactly how many classified computers there \nare at Los Alamos National Laboratory (LANL). Please also \ndescribe in how many different locations these computers \nreside, and how many computers have open Universal Serial Bus \n(USB) or firewire ports. Please describe why each computer is \nessential and whether there are opportunities to reduce and \nconsolidate the number of classified computers.\n\n    The Los Alamos National Laboratory occupies 43 separate \ntechnical areas spread across an approximate 40-square-mile \nsite. When Director Anastasio testified in January, we reported \nan inventory of 3,310 classified systems, 2,990 (89 percent) of \nwhich were networked and 320 (11percent) were non-networked. Of \nthe networked systems, 430 were servers and 2,560 were user \nsystems. The non-networked systems consisted of 240 desktop \nsystems and 80 laptop systems. Non-networked systems are \ngenerally utilized in areas where classified network \nconnections are not available or to address information \nprotection requirements. Laptop systems are needed for \nexperiments conducted in remote regions of the LANL site and to \nwhich data acquisition equipment must often be transported, and \nalso are an essential component for nuclear emergency response \nactivities. When not in use, the non-networked laptop systems \nare protected as accountable CREM by storing them in a \nclassified media library.\n    As of the time of this response, LANL has 2,912 classified \nsystems, of which 2,653 (91 percent) are networked computers \nand 259 (9 percent) are non-networked. Of the networked \nsystems, 450 are servers, and 2,203 are user systems. The non-\nnetworked systems include 54 laptops, 198 desktops, and seven \ncustom experimental devices. The reduction is due both to \nconscious decisions made to reduce the total number of systems \n(for instance 94 non-networked systems were decommissioned in \nthe first quarter of this year) and changes in our programmatic \nactivities and their associated needs for classified computing.\n    Only seven of Los Alamos\'s 43 technical areas house \nclassified networked computers. Sixty percent of our networked \nclassified computers are located in a single technical area. \nTwenty-seven percent are located in two other technical areas \nand the remaining systems are found at four other technical \nareas. Non-networked systems are found at 14 technical areas; \n50 percent at a single technical area, seven percent at another \ntechnical area, and the remaining systems are scattered between \nthe other 12 technical areas. Nine of the 14 technical areas do \nnot house any networked computers. Twelve classified media \nlibraries currently store the non-networked classified laptops \nwhen they are not in use.\n    All classified computing is performed in security areas.\n    As with the above reductions made in the number of \nclassified systems, LANL has also made major changes in the \ncontrol of USB and firewire ports since the time of the \nincident last Fall. Currently, there are no "open" USB or \nfirewire ports on classified systems (with the exception of \nsystems used by the nuclear emergency response teams, which \nconstitute a very small percentage of Los Alamos\' total \nclassified computing resources). All USB and firewire ports \nhave been protected by one or more methods that have been \napproved by the NNSA Los Alamos Site Office.\n    The number of computers at LANL varies with changes in our \nprogrammatic efforts. Expenditures for classified computers, as \nwith other equipment, are appropriately justified based on \nprogrammatic need. Specific discussion about why each program \nrequires the specific computers supporting it would render this \nresponse classified. In general, the classified computers at \nLANL support the following areas:\n\n    <bullet> Nuclear weapons design\n    <bullet> Stockpile stewardship\n    <bullet> Pit production\n    <bullet> Homeland security and threat reduction\n    <bullet> Nuclear emergency response\n    <bullet> Intelligence community support\n\n    LANL is taking a number of actions to further reduce risks. \nFor instance, LANL is emphasizing standardizing the types of \nsystems used, networking as many of those as possible to permit \nconsistent system administration, reducing accountable CREM, \nmonitoring computer activity, and consolidating locations where \nsuch services as classified printing, media generation, and \nmatter storage are available to improve the control of system \noutput mechanisms. As an example, the Super VTR prototype is \nexpected to eliminate at least six other vault-type rooms and \nfive classified media libraries.\n\n     Please identify exactly how many classified security areas \nthere are at LANL. Please describe why each classified security \narea is essential and whether there are opportunities to reduce \nand consolidate the number of classified security areas.\n\n    Currently there are 1,372 distinct and separate buildings \nwhere classified activities occur and where the appropriate \nlevels of security are provided. These 1,372 buildings are \nlocated within 108 ``Security Areas,\'\' each enclosed by \nsecurity fences and access gates. Each building/area where a \nclassified activity occurs has a unique significance relative \nto national security that is mission-specific to those \nlocations. The majority of these buildings contain classified \nrepositories that reduce the necessity and frequency (and \nresultant risk) of transporting classified documents/materials \nbetween locations.\n    We are continuing our comprehensive review of locations and \nholdings to ensure this number is reduced to the absolute \nminimum consistent with operational requirements.\n\n     Please identify exactly how many classified vaults there \nare at LANL. Please describe why each classified vault is \nessential and whether there are opportunities to reduce and \nconsolidate the number of classified vaults.\n\n    There are currently 129 Vaults and Vault Type Rooms at \nLANL. Of that, 11 of those facilities are true vaults. Each \nVault or Vault Type Room has a unique significance relative to \nnational security that is mission-specific to the location. \nSince October 1, 2006 LANL has embarked on a continuing process \nto consolidate and reduce the number of these types of \nfacilities. Since then, LANL has successfully reduced the \nnumber of Vaults and Vault Type Rooms from 142 to 129 using the \nfollowing criteria:\n\n    <bullet> Wherever possible and when programmatic \ncompartmentalization responsibilities allow, remove classified \nmaterial and consolidate into existing Vaults and Vault Type \nRooms.\n    <bullet> In cases where aging infrastructure make \ncompliance with physical security standards and maintenance of \nintrusion detection systems cost prohibitive, classified assets \nare to be consolidated into newer, compliant Vaults and Vault \nType Rooms.\n    <bullet> Those existing Vaults and Vault Type Rooms that \nonly house classified computing infrastructure like server \nracks and networking systems hardware are to be given a \npriority for review for consolidation and reduction.\n    <bullet> LANS is piloting a Super Vault Type Room project \nwhere similar classified processing activities are to be \nconsolidated into a single facility. The first Super VTR will \ncombine at least six Vault Type Rooms into one. As funding \nbecomes available for additional Super VTRs, additional \nconsolidation will be possible.\n\n    These efforts are ongoing and should lead to future further \nreductions in the number of Vaults and Vault Type Rooms at \nLANL. To put our efforts in context with the DOE complex, \nLawrence Livermore National Laboratory, Sandia National \nLaboratory and the Pantex Plant currently manage over 200 \nVaults and Vault Type Rooms each.\n                              ----------                              \n\n[GRAPHIC] [TIFF OMITTED] 35446.024\n\n[GRAPHIC] [TIFF OMITTED] 35446.025\n\n[GRAPHIC] [TIFF OMITTED] 35446.026\n\n[GRAPHIC] [TIFF OMITTED] 35446.027\n\n[GRAPHIC] [TIFF OMITTED] 35446.028\n\n[GRAPHIC] [TIFF OMITTED] 35446.029\n\n[GRAPHIC] [TIFF OMITTED] 35446.030\n\n[GRAPHIC] [TIFF OMITTED] 35446.031\n\n[GRAPHIC] [TIFF OMITTED] 35446.032\n\n[GRAPHIC] [TIFF OMITTED] 35446.033\n\n[GRAPHIC] [TIFF OMITTED] 35446.034\n\n[GRAPHIC] [TIFF OMITTED] 35446.035\n\n[GRAPHIC] [TIFF OMITTED] 35446.036\n\n[GRAPHIC] [TIFF OMITTED] 35446.037\n\n[GRAPHIC] [TIFF OMITTED] 35446.038\n\n[GRAPHIC] [TIFF OMITTED] 35446.039\n\n[GRAPHIC] [TIFF OMITTED] 35446.040\n\n[GRAPHIC] [TIFF OMITTED] 35446.041\n\n[GRAPHIC] [TIFF OMITTED] 35446.042\n\n[GRAPHIC] [TIFF OMITTED] 35446.043\n\n[GRAPHIC] [TIFF OMITTED] 35446.044\n\n[GRAPHIC] [TIFF OMITTED] 35446.045\n\n[GRAPHIC] [TIFF OMITTED] 35446.046\n\n[GRAPHIC] [TIFF OMITTED] 35446.047\n\n[GRAPHIC] [TIFF OMITTED] 35446.048\n\n[GRAPHIC] [TIFF OMITTED] 35446.049\n\n[GRAPHIC] [TIFF OMITTED] 35446.050\n\n[GRAPHIC] [TIFF OMITTED] 35446.051\n\n[GRAPHIC] [TIFF OMITTED] 35446.052\n\n[GRAPHIC] [TIFF OMITTED] 35446.053\n\n[GRAPHIC] [TIFF OMITTED] 35446.054\n\n[GRAPHIC] [TIFF OMITTED] 35446.055\n\n[GRAPHIC] [TIFF OMITTED] 35446.056\n\n[GRAPHIC] [TIFF OMITTED] 35446.057\n\n[GRAPHIC] [TIFF OMITTED] 35446.058\n\n[GRAPHIC] [TIFF OMITTED] 35446.059\n\n[GRAPHIC] [TIFF OMITTED] 35446.060\n\n[GRAPHIC] [TIFF OMITTED] 35446.061\n\n[GRAPHIC] [TIFF OMITTED] 35446.062\n\n[GRAPHIC] [TIFF OMITTED] 35446.063\n\n[GRAPHIC] [TIFF OMITTED] 35446.064\n\n[GRAPHIC] [TIFF OMITTED] 35446.065\n\n[GRAPHIC] [TIFF OMITTED] 35446.066\n\n[GRAPHIC] [TIFF OMITTED] 35446.067\n\n[GRAPHIC] [TIFF OMITTED] 35446.068\n\n[GRAPHIC] [TIFF OMITTED] 35446.069\n\n[GRAPHIC] [TIFF OMITTED] 35446.070\n\n[GRAPHIC] [TIFF OMITTED] 35446.071\n\n[GRAPHIC] [TIFF OMITTED] 35446.072\n\n[GRAPHIC] [TIFF OMITTED] 35446.073\n\n[GRAPHIC] [TIFF OMITTED] 35446.074\n\n[GRAPHIC] [TIFF OMITTED] 35446.075\n\n[GRAPHIC] [TIFF OMITTED] 35446.076\n\n[GRAPHIC] [TIFF OMITTED] 35446.077\n\n[GRAPHIC] [TIFF OMITTED] 35446.078\n\n[GRAPHIC] [TIFF OMITTED] 35446.079\n\n[GRAPHIC] [TIFF OMITTED] 35446.080\n\n[GRAPHIC] [TIFF OMITTED] 35446.081\n\n[GRAPHIC] [TIFF OMITTED] 35446.082\n\n\n\n     CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY\n\n                              ----------                              \n\n\n                         FRIDAY, APRIL 20, 2007\n\n                  House of Representatives,\n                  Committee on Energy and Commerce,\n              Subcommittee on Oversight and Investigations,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 9:30 a.m., in \nroom 2123 of the Rayburn House Office Building, Hon. Bart \nStupak (chairman of the subcommittee) presiding.\n    Members present: Representatives DeGette, Green, Doyle, \nInslee, Dingell [ex officio], Udall, Whitfield, Walden, Murphy, \nBurgess, Barton [ex officio], and Wilson.\n    Staff present: Chris Knauer, Richard Miller, Scott \nSchloegel, Rachel Bleshman, Lauren Bloomberg, Jodi Seth, Bud \nAlbright, Alan Slobodin, Dwight Cates, and Matt Johnson.\n\n  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    Mr. Stupak. This meeting will come to order. Today we have \na hearing on DOE\'s response to ongoing mismanagement at the Los \nAlamos National Labs. Each member will be recognized for 5 \nminutes for their opening statement, and I will begin.\n    Los Alamos National Laboratories is home to many of our \nNation\'s most secretive weapons program, yet it is also home to \nsome of the worst security breaches in our Nation\'s history. \nThis is our 13th hearing on security problems at Los Alamos in \njust the past 8 years.\n     For 63 years, the University of California operated Los \nAlamos; but after numerous high-profile security lapses, the \nDepartment of Energy was urged to competitively bid the \ncontract for operation of LANL. In June of last year, \nUniversity of California was again awarded the contract under a \nlimited liability consortium known as Los Alamos National \nSecurity, or LANS. This committee anxiously awaits proof that \nthis new contractor will result in significant changes in Los \nAlamos and not just put new drapes over a broken window.\n    At our January 30 hearing, we investigated the October 2006 \ncase of classified documents that were removed from Los Alamos \nby a contractor. We learned at that hearing that the security \nlapse would probably have not been discovered if it had not \nbeen for a domestic disturbance at the contract employee\'s \nhome. The resulting investigation led to the discovery of drug \nparaphernalia and the discovery of classified paper and \nelectronic files at the residence. The female contract employee \nwas not adequately watched by her escort. The employee also had \naccess to open ports on classified computers which enabled her \nto download and remove classified documents.\n    We heard the Department of Energy\'s Inspector General \ntestify in January that they do not know how much other \nclassified information may have been removed using this gaping \nhole in security. We don\'t know where this classified material \nhas ended up. We hope to learn the answers to these questions \nfrom the FBI\'s investigation, but they will not brief members \nuntil their investigation is complete.\n    Many of the members of this committee were shocked that the \nNational Nuclear Security Administration, NNSA, approved a \nsecurity clearance for this employee, even though she admitted \nusing illegal drugs within 30 days of her security clearance \nbeing approved. We were equally shocked at the fact that there \nwas no follow-up evaluation or testing of this individual after \nshe was granted her security clearance. Apparently, her promise \nnot to use drugs in the future was good enough for NNSA.\n    This security breakdown took place against a backdrop of \npreviously degraded security performance. In 2006, the \nDepartment of Energy, Office of Health, Safety, and Security, \ndocumented substantial substandard-to-failing performance in 14 \nof 17 key security areas at Los Alamos. You can see the 2006 \nreport right over there. The poor grades were in categories \nsuch as classified matter, protections and control, cyber \nsecurity, and emergency management. Performance in 2006 had \nsharply deteriorated since the previous review in 2002 which \nhad cited serious problems. I will be placing into the records \nsummaries of these oversight reports. You can see them up on \nthe screen now.\n    [Slide shown.]\n    In today\'s hearing, I hope to focus on a number of issues \nincluding what is the Department of Energy\'s system to issue \nclassified security clearances? What led DOE to grant security \nclearance to an individual who admitted using illegal drugs \nwithin 30 days of her clearance being issued? What lessons are \nlearned from this security lapse? What steps have been taken to \ncorrect the security deficiencies in the Department of Energy \nand at Los Alamos so that we do not have to hold our 14th \nhearing later this year?\n    At the January 30 hearing, DOE testified that the Secretary \nconvened two task forces, one to examine cyber security and a \nsecond task force to look at personnel security issues raised \nby the latest security breach. Today we will hear the results \nof these task force reports. A key finding by the personnel \nsecurity task force was that at least two additional employees \nadmitted to illegal drug use in the 30 days prior to security \nclearance approval. Eighteen other employees had similar \ninformation in this 12-month period between 2001 and 2002 \nthereby causing DOE to re-examine their security clearances.\n    We look forward to hearing what Secretary Bodman plans to \ndo about this and other security problems his task force has \nuncovered. We also look forward to hearing how he plans to hold \nthe contractors accountable.\n    The Department of Energy has various tools, including \nenforcement action and reducing award fees to hold its \ncontractors accountable. Nonetheless, this committee was \ndisturbed to learn just this week that the Department of Energy \napparently forgot to put legal requirements in its contract \nwith the lab operator, the Los Alamos National Security. These \nlegal requirements would have obligated the contractor to \ncomply with DOE\'s stringent safeguards and security order known \nas DOE Order 470. This omission was discovered after the \nOctober 2006 incident which leaves open the question of whether \nthe Department of Energy contracting officer may have handed \nLos Alamos National Security, the partner here, a get-out-of-\njail-free card if and when DOE attempts to bring in enforcement \naction for multiple security violations associated with the \nOctober 6th incident.\n    The committee wants to know when the Department of Energy \nlearned of this contract omission. Was it before last hearing \nwhere DOE officials swore they had all the necessary tools to \nenforce this new security standard? If so, why weren\'t we \ninformed of this problem? When was the committee going to be \ntold about this issue and what plans has the Department made to \nfix it?\n    After our January hearing, I, along with my Republican \ncolleagues, asked the Government Accountability Office to \nevaluate whether the security footprint at Los Alamos is simply \ntoo large to manage the classified information effectively. We \nalso asked GAO to evaluate the possibility of consolidating and \nmoving classified operations at Los Alamos to another lab such \nas Sandia where security is managed more effectively. GAO is \nmoving forward on this evaluation despite requests by some \nlegislators to do an analysis.\n    In addition, the committee is reviewing H.R. 703, \nlegislation introduced on a bipartisan basis with my \ncolleagues, Mr. Barton and Mr. Whitfield, to move \nresponsibility for safety and security out of NNSA and place it \nunder the direct control of Secretary of Energy. We would \nwelcome hearing the Secretary\'s view on this legislation. \nSecretary Bodman and his predecessors have come before this \ncommittee with commitments to improve the security culture at \nLos Alamos. Despite the creation of security czars and task \nforces, the end result has been a litany of security breaches \nand mismanagement. To say the least, the committee is \nskeptical.\n    Today, Mr. Secretary, we want to know, what is different? \nWhy are your proposals more likely to succeed when your \npredecessor\'s proposals have not? What assurances can DOE give \nus that these new reforms will work? What resources, and from \nwhom, will DOE look to pay for these new security measures at \nLos Alamos? I can assure you, Secretary Bodman and the American \npublic, that the committee will continue its oversight at Los \nAlamos. I can also assure you that this oversight will continue \njust as it has in the past in a truly bipartisan basis. When it \ncomes to Los Alamos and security at nuclear labs, this \ncommittee is united in its oversight.\n    I appreciate the assistance and cooperation of my \nRepublican colleagues led by my friend, Mr. Whitfield, and his \nable staff.\n     And with that, I would yield to the ranking member, my \nfriend from Kentucky, Mr. Whitfield, for his opening statement, \nplease.\n\n  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN \n           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY\n\n    Mr. Whitfield. Thank you, Chairman Stupak, and for today\'s \nhearing to review ongoing security mismanagement at Los Alamos.\n    Over the past decade, this subcommittee has established a \nrigorous tradition of strong, bipartisan oversight on DOE \nsecurity matters, and I am pleased that this committee has \ncontinued this tradition with its close attention to ongoing \nmismanagement at Los Alamos.\n    The most recent security incident, which occurred last \nOctober, resulted in the loss of over 1,500 classified \ndocuments. As I pointed out at the January hearing, this \nincident demonstrates poor security management, lack of \nformality of operations, and insufficient oversight that has \nplagued the lab for decades. Dramatic new ideas from the \nDepartment, from LANS, and from Congress are needed.\n    At Los Alamos, the security environment is certainly \nchallenging. Operations are spread out over a 43-square-mile \narea. The lab has approximately 15,000 employees. There are \nmore than 2,000 classified computers and 1,774 separate \nsecurity areas. To give perspective, there are more classified \nsecurity areas at Los Alamos than there are total rooms in the \nRayburn, Cannon, and Longworth House Office Buildings combined. \nLos Alamos has an unnecessarily large volume of classified \ninformation and conducts classified activities in too many \nareas involving too many people. These factors, including the \ngeographical dispersions of activities, continue to make LANL \nsusceptible to security failures.\n    At the last hearing, I stated that LANS must be held \naccountable for the loss of classified documents last October \nand that it should pay a price. The Department of Energy must \nassert its contract and regulatory authorities to compel \ngreater security performance. The Department has three primary \ntools to help compel performance, the enforcement of new \ninformation security relations with strong, civil penalties; \nthe withholding of incentive pay associated with security \nperformance; and three, the use of the conditional payment of \nfee clause in the contract that allows the Department to \nwithhold up to 100 percent of the award fee.\n    The Department has not yet finalized how they will use \nthese enforcement tools, but I know members of the committee \nand in the Congress will be quite interested in what the final \ndecision will be.\n    Six months have elapsed since the October 2006 security \nincident. That is a reasonable amount of time to allow NNSA and \nLANS to formulate a plan to help improve security at the site. \nLater today, we will hear from Lab Director Michael Anastasio \non the remedial actions he has taken to correct security \nfailures. I think Director Anastasio\'s efforts to date appear \nto be more responsive than what we\'ve seen in the past. I am \nencouraged by his initial steps to reduce the number of \nclassified vaults at Los Alamos, and I think LANS has already \nimplemented a few valuable cyber security improvements at the \nsite. However, it is too soon to say whether these actions are \nsimply short-term fixes or a commitment to long-term security \nimprovements. I am delighted Secretary Bodman has joined us \ntoday, and we certainly look forward to his views on this very \nimportant issue. And thank you, Mr. Chairman. I yield back my 1 \nminute.\n    Mr. Stupak. Thank you, Mr. Whitfield. Next, turn to the \nChairman of the full committee, Mr. Dingell, for an opening \nstatement, please.\n    The Chairman. Mr. Chairman, I thank you, and I commend you \nfor holding this hearing. Mr. Secretary, welcome.\n    Secretary Bodman. Thank you.\n    The Chairman. I hope your visit here is pleasant here \ntoday.\n    Secretary Bodman. So do I.\n\nOPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF MICHIGAN\n\n    The Chairman. Mr. Secretary and my colleagues, today\'s \ntopic is sort of as what is observed as deja vu all over again. \nThe security at the Energy Department labs, in particular the \none we are discussing today, Los Alamos National Laboratory, is \nan issue with which this committee has been involved for more \nthan two decades. Our colleagues on this committee and I could \nproduce stacks of letters and piles of hearing documents \nrelative to the question of security breakdowns at the \nDepartment of Energy and at this unfortunate laboratory in \nparticular. Likewise, we could display a small mountain of \nproposals and promises made by lab directors, blue-ribbon \npanels, task forces, Secretaries of Energy, and yes, even a few \nPresidents to fix the security problems at the labs.\n    You, Mr. Secretary, are no different than your \npredecessors, and you inherited a fine mess out there. You have \nproposed a number of changes and recommendations to fix the \nproblems, and we commend you for that; and you\'ve convened \nblue-ribbon task forces to make these recommendations. For that \nwe are appreciative. I am sure that we will hear about how \neveryone takes this matter of security seriously. I am sure \nthat in fact everyone is sincere about improving security; and \nI am certain that you, Mr. Secretary, will propose changes that \nwill make sense.\n    But before we claim victory in our battle to improve Los \nAlamos, we need to look closely at what is being proposed and \nwhether in fact it differs from what has happened before or \nwhat has come before. As President Reagan used to say, trust \nbut verify. As my old daddy used to tell me, trust everybody \nbut cut the cards. I would urge my colleagues to do that today. \nIn this regard, I recommend you pay particular attention to the \ntools that you, Mr. Secretary of DOE, actually have to enforce \nthe new security proposals.\n    I understand that the Department\'s ability to assess an \neffective fine has come into question in the light of \ninformation provided to the committee this week. The DOE \nofficials who reviewed and signed the contract on behalf of the \nU.S. Government were the new contractors, Los Alamos National \nSecurity, apparently omitted the applicable safeguards and \nsecurity orders for 13 months. This is hardly an auspicious way \nto start new reforms. Although legal implications of this \nomission are still unclear, it appears there is a serious \nquestion as to whether DOE is unable to cite the contractor for \neach and every violation of its security requirements. \nApparently, applicable security requirements under DOE Order \n470 were not inserted into the contract until after the \nviolations were discovered. In fact, these requirements were \nnot included in the contract until after January 25, 2007, a \nmere 5 days before our last hearing on Los Alamos. I am curious \nto know why this information was withheld from the committee \nuntil now. This is certainly not trusting and verifying.\n    I hope the Secretary abides by this maxim, too. Mr. \nSecretary, do not trust everything that you are told. I would \nobserve that we have been working on Los Alamos for a long \ntime, and our problems with security there have been \nsubstantial and have run all the way from penetrations by \nforeign countries into the security there to loss of valuable \nGovernment property to problems with regard to stings that were \nsupposed to be held to address problems of narcotics sales \ninside the facility and, very frankly, also two other things \nincluding a curious event involving fornication in the guard \ntowers out there.\n    Mr. Secretary, I note with both respect and affection that \nyou are not only requiring briefings from your staff regarding \nsecurity and safety issues when you were there but that you \nalso poked around the basements and nooks and crannies to \nassure that the situation with regard to security was going \nproperly. Certainly, Mr. Secretary, we need that kind of \napproach today. I think we have to look beyond fines and \npenalties to fix the problems at Los Alamos. For that reason, \nalong with my good friend, the chairman of the subcommittee, \nour good friends and colleagues in the minority, we have \nrequested that the Government Accountability Office, GAO, \nconduct a comprehensive audit of Los Alamos to determine what \nfunctions are essential at that laboratory. Their report will \ninform us of the options available.\n    Mr. Secretary, I hope that you will assist the committee \nand the GAO in this important study and in our efforts to \nimprove security at Los Alamos and throughout your Department. \nI thank you for your presence here. I express to you my \naffection and respect and also the hope that you will have \nsuccess in straightening up something which has defied your \npredecessors in office in this matter.\n    I want to thank all of our witnesses for appearing before \nus today; and you, Mr. Chairman Stupak, I want to express my \nparticular respect and gratitude to you for what you are doing. \nThank you, Mr. Chairman.\n    Mr. Stupak. Thank you, Mr. Dingell. Next we go to Mr. \nWalden from Oregon for opening statement, please.\n\n  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN \n               CONGRESS FROM THE STATE OF OREGON\n\n    Mr. Walden. Thank you very much, Mr. Chairman. And I, too, \nappreciate the continuing efforts in a bipartisan manner of \nthis subcommittee to try to figure out how to provide full \nsecurity at these labs. And Secretary, I want to welcome you as \nmy colleagues have done and appreciate the work you\'re doing on \nthis.\n    I noted in your testimony that you indicate that you feel \nlike that significant progress has been made in security at Los \nAlamos and yet then you go on to say you\'re still not \nsatisfied. I would be curious to know with only 20 months left \nin office, provided you\'re there to the end, how are we going \nto get this thing resolved and do you think it is possible? We \nhave had, as you know, multiple hearings over multiple years in \nboth classified settings and non-classified settings and \ncontinue to chase this. And if anybody can get this fixed, I \nhave confidence that you certainly have the commitment and the \nability to get it done. So I will look forward to hearing that. \nBefore I have held up the J. B. Weld which is the world\'s \nfinest cold glue I guess for households and hobbies. It is \ngreat for farm machinery and equipment. It is also $4.99 at \nWal-Mart and was used I believe to plug something in the order \nof 7,200 USB ports at Los Alamos but only after there had been \nabout a year of security breach. It seems to me that for $4.99 \nyou can fix this problem. Maybe it wouldn\'t cost that much more \nto fix the whole thing. But it has been very disturbing that \ndata can come and go in and out of the lab, and the most recent \nexamples are very frustrating for us and I am sure for you, Mr. \nSecretary.\n    So we welcome you here today. We look forward to hearing \nyour comments, and unfortunately they tell us we are going to \nhave a long series of votes beginning in about 9 minutes. So I \nam going to quit and return the balance of my time and look \nforward to your comments. Thank you, sir.\n    Secretary Bodman. Thank you, sir.\n    Mr. Stupak. Thank you. Mr. Green from Texas, opening \nstatement?\n    Mr. Green. Mr. Chairman, I\'ll just welcome the Secretary \nand submit an opening statement for the record.\n\n  Prepared Statement of Hon. Gene Green, a Representative in Congress \n                        from the State of Texas\n\n    Mr. Chairman thank you for calling this hearing.\n    I would also like to thank our witnesses, including \nSecretary Bodman and Los Alamos Director Anastasio for \nreturning here a couple months after our last hearing to \nprovide us with a status report on ongoing security measures at \nLos Alamos National Lab.\n    Given the situation at the national laboratory system, \ncongressional oversight is a necessity.\n    Security can be high tech, involving counter-measures for \ncomputer hackers and electronic warfare, or it can be very low-\ntech, such as old-fashioned human intelligence.\n    The national laboratories, particularly Los Alamos, have \nhad problems with both issues, as we see in the reports on \nPersonnel Security and Cyber Security that the Inspector \nGeneral has produced.\n    On the personnel front, this committee is going to be very \ninterested in the ongoing review of security clearances and \nbackground checks for all employees in the DOE national \nsecurity complex.\n    We are pleased to see a full review over issues like drug \nhistory and the implementation of new drug testing measures.\n    In addition, we need to ensure the security clearance \nreview is not only looking at narcotics, since there can be \nmany other security risks as well.\n    If people working on sensitive national security projects \nhave any kind of major criminal activity or other issues that \ncould make them a security risk, then DOE needs to know about \nthat.\n    Often the lab has taken a reactive security approach, going \nfrom one crisis to another trying to prevent the same thing \nfrom happening again.\n    We need a proactive approach that thinks ahead to what \nother kinds of security breaches COULD happen, but haven\'t \nhappened yet.\n    On the cyber security front, our committee is looking for a \nfull update on issues like sealing open USB ports in lab \ncomputers, disabling dual use computer ports, and securing \nracks of computers with sensitive national security \ninformation.\n    Personnel security and cyber security are related, because \nsometimes it is just as important to know who is on the \ncomputer system as it is to know who is actually handling bomb-\ngrade radioactive materials.\n    Mr. Chairman, with that I would like to yield back so that \nwe may get to the question time for the witnesses. Thank you.\n\n    Mr. Stupak. Mrs. Blackburn from Tennessee.\n\nOPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF TENNESSEE\n\n    Mrs. Blackburn. Thank you, Mr. Chairman. I do want to thank \nyou for holding the hearing and thank you and our ranking \nmember, Mr. Whitfield, for the work on the issue; and I want to \nthank our participants for being here on what looks like is \ngoing to be an interrupted day. And before we begin the \nhearing, I do want to give a little bit of an overview of how I \nsee things and how I think a lot of people that are looking at \nthis with us see things.\n    It seems that, and we all know and it is frustrating, there \nis a systemic problem with management at Los Alamos, and for \nseveral years the culture of--has seemed to persist. It has \ngone on without seeming to have a lot done about it, and I see \nno significant efforts by NNSA or the DOE to change the \nculture; and I come to this decision by reading the reports \nthat you have given us. I am partially relieved to see that the \nprevious organization which appeared to be incompetent in so \nmany different areas, that they have been replaced; and I have \nseveral concerns about the new operator and we will address \nthose in questions. And from time to time, I think we see new \npolicies that are brought forward; and Mr. Secretary, we hold \ngreat hope for you that new policies this time are actually \ngoing to do something to correct the problem, that there will \nbe timelines, that there will be guidelines and some \naccountability measures that are there. I think all too often \nwe see that people admit there is a problem, they find the \nproblem; but unfortunately, they do not seem to have the desire \nto correct the problems, and that is the situation in which we \nfind ourselves right now. Not correcting the problems it \nappears to me to each employee would be a disservice to their \npersonal record, it would be a disservice to the \nadministration, it is definitely a disservice to the American \npeople. It is something that I hope we hear from the director \nand also from you, Mr. Secretary, that it is no longer going to \nbe tolerated and that you can give us some measureables and \nsome quantitative data that will prove to us that changes are \nindeed taking place.\n    We are hopeful for your progress, and I yield the balance \nof my time.\n    Mr. Stupak. I thank the gentlewoman. We will next move to \nthe gentlewoman from Colorado, Ms. DeGette.\n\n OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF COLORADO\n\n    Ms. DeGette. Thank you very much, Mr. Chairman. We were \ntrying to count the number of these Los Alamos hearings that--\n--\n    Mr. Stupak. Thirteen.\n    Ms. DeGette. Thirteen? And those are all the ones we have \nbeen sitting in together plus the visit down there. Secretary \nBodman, I am delighted to see you today; and I am really glad \nyou came because I think that resolving these problems is going \nto have to come from your level, and I know you have got that \ncommitment. So I am pleased.\n    I am going to submit my whole statement for the record \nbecause frankly I am really tired of saying the same thing over \nand over again and emoting about what a disaster it is down \nthere, and this latest incident with the employee who \napparently had problems with her security credentials and then \nshe takes critical documents on a flash drive and then she gets \nbusted for drugs, it just boggles the mind. And it goes on and \non.\n    But there are some really important legal questions that we \nhave heard about in recent days that add yet a new dimension \nthat I haven\'t even whined about once because they just came to \nlight and that is about the contracting procedures at the \nDepartment of Energy. The committee has learned that the \nmanagement contract signed by the Department and with great \nfanfare I may add lacked key components that allow penalties to \nbe assessed when DOE security procedures are not followed; and \nbecause those orders were inadvertently omitted from the \ncontract, so have the security breaches we have seen could go \nunpunished which frankly just underscores the cavalier attitude \nreally that a lot of people take toward security at what should \nbe frankly our most secure facility.\n    So here is the big picture. The American people need to \nknow that management at Los Alamos, which comes from a \nlucrative, multi-million dollar contract, is top notch. That \nhasn\'t been the case, far from it. And all of our constituents \nneed to have the confidence that if managerial negligence is \nfound, if security breaches do occur, and if specific DOE \nprocedures are not followed, then there will be severe \nconsequences. That hasn\'t been the case, either. Enforcement so \nfar has amounted to a slap on the wrist, and I think we all \nagree that is not acceptable. So there will be several \nquestions I will be exploring today, what went wrong with the \ncontracting procedures at DOE, how could these omissions have \noccurred, has this compromised the Department\'s ability to \nenforce its rules and assess penalties, and what is being done \nto ensure that this does not happen again?\n    Thank you, Mr. Chairman. I look forward to this hearing, \nand I am sure there will be many more. I yield back.\n    [The prepared statement of Ms. DeGette follows:]\n    [GRAPHIC] [TIFF OMITTED] 35446.083\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.084\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.085\n    \n    [GRAPHIC] [TIFF OMITTED] 35446.086\n    \n    Mr. Stupak. I hope not but I am afraid there will be. Mr. \nMurphy, opening statement, please.\n    Mr. Murphy. Thank you, Mr. Chairman. I will waive in \ninterest of time, but I would like to welcome the Secretary for \nbeing here. Thank you.\n    Mr. Stupak. Thank you. Mr. Doyle from Pennsylvania, opening \nstatement, please?\n\n   OPENING STATEMENT OF HON. MIKE DOYLE, A REPRESENTATIVE IN \n            CONGRESS FROM THE STATE OF PENNSYLVANIA\n\n    Mr. Doyle. Thank you, Mr. Chairman. I want to commend you \nfor your continued vigilance on this important matter.\n    The protection of classified documents and information at \nour national labs, especially at Los Alamos National Lab, is \ncritical to ensuring that we are able to protect the American \npublic against those who may intend to do us harm. The frequent \nsecurity breaches at this and other labs are completely \nunacceptable. I am looking forward to hearing the testimony of \nSecretary Bodman and his colleagues as we work together to \nensure our nation\'s classified nuclear information remains \nprotected.\n    It is no secret that there are and have been over a number \nof years serious security questions at the Los Alamos National \nLab. Thankfully, most of these breaches have been of an \naccidental nature due to inadequate security breaches being in \nplace. In essence, the breaches have served as a wake-up call \nto all of us. I shudder to think what may have occurred had the \nbreaches been the result of a well-thought-out and intentional \nplan to secure classified information for sale on the black \nmarket. We have been lucky so far. But if security there is not \nmade ironclad, our luck will surely run out.\n    I am looking forward to hearing about the improvements that \nhave been made since October 2006 investigation, as well as \nwhat improvements have been made since our last hearing on this \nmatter in January. I am so very interested in being able to \njudge the level of commitment to security improvements, not \nonly on the ground at the site but all the way to the \nSecretary\'s office. I believe it is critical that the Secretary \nmaintains his vigilance, not only on this particular incident \nbut on the entire security systems under his prevue.\n    One thing is clear, when it comes to the long history of \nviolations at Los Alamos, an intensive, short-term focus which \ntrails off once the media focuses on another subject, will only \nlead to future concerns at the lab. We on this committee, those \nin the administration, and those on the ground at the labs must \ncontinue to shine a light on security while working together to \nensure that procedures are updated so that the facilities are \nnot only more secure today but will become even more secure \nwith the passage of time.\n    Former Secretaries of Energy have come before Congress with \npromises of new security; but for one reason or another, they \nhave fallen short and violations have continued. Now this \nmatter falls to you, Secretary Bodman. We on this committee \nhope to work closely with you so that you will succeed where \nyour predecessors have failed. Security, especially nuclear \nsecurity, is not a Democratic or Republican issue, it is an \nAmerican issue in which all branches of Government and both \npolitical parties must work hand in hand to ensure that the \nAmerican people have the protections in place they deserve. We \nmust renew this focus today and continue to fully and \ncompletely protect our facilities and the critical information \nthey possess at both the physical and cyber levels. Anything \nless opens our nation to dangers that none of us even want to \nbelieve could happen.\n    So again, Mr. Chairman, I commend you for your continued \nvigilance. I will look forward to hearing the testimony of our \ndistinguished panelists, and I yield back the balance of my \ntime.\n    Mr. Stupak. Mr. Burgess.\n\nOPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE \n              IN CONGRESS FROM THE STATE OF TEXAS\n\n    Mr. Burgess. Thank you, Mr. Chairman. I guess I am glad we \nare here today. Like everyone else, I am frustrated that we \nnever seem to make any forward motion on this. It is a \nbipartisan issue. We all share the same concern and anxiety \nregarding security at the lab. I appreciate the aggressive \nnature the committee has taken on the crucial issue of national \nsecurity.\n    We have three witnesses today that can provide insight into \nthe problems and hopefully solutions to the Los Alamos \nproblems. Secretary Bodman, Inspector Friedman, Director \nAnastasio, gentlemen, I welcome you all here today and I look \nforward to entering into a constructive discussion with each of \nyou. I understand that there have been improvements made, but \nthere are still many, many challenges ahead of both you and us.\n    Today we are going to be reviewing the findings of both the \npersonnel security task force and the cyber security task \nforce. I am encouraged by reading about the task forces, but \nunfortunately, we have been told in the past that actions and \nrepercussions will occur but they never do. That is why we have \nheld hearing after hearing, year after year, on Los Alamos. To \nquote the Inspector General in his written statement, ``Many of \nthe actions are in process and the key to the successful \nresolution of the matter is detailed in our November report, \nits implementation and execution.\'\' Implementation and \nexecution. You all have good ideas that will significantly \naffect the security of Los Alamos, but it is not enough for us \nto come here and hold these hearings and talk and talk and talk \nabout it. One of these days someone is going to have to walk \nthe walk. I am still not completely comfortable with using \nbasically the same contractor for operating Los Alamos. I do \nbelieve that Director Anastasio was capable and qualified to \nhelp turn things around but also mentioned during the last \nhearing, you have some of the most intelligent minds in the \nworld at work at Los Alamos. While there is clearly an \ninstitutional problem, we must also remember that there are \nthousands of hard-working employees at the lab who make a \nremarkable contribution to science and the country on a daily \nbasis.\n    Also at the last hearing, we discussed the issue of \naccountability. It is appropriate to readdress that issue \ntoday. While there are many organizational changes that can be \nmade to better ensure the security of our country\'s classified \ninformation, one of the easiest and most effective remedies is \nto make the contractor in charge of security pay a steep and \ndeep penalty. As a steward of the taxpayer dollar, I fully \nsupport this idea. If the contractor is penalized substantial \nsums, and in Washington substantial sums are substantial sums \nof dollars, maybe then they will finally recognize how serious \nof a problem this is and must be stopped at all costs.\n    One of the other things we learned at our hearing earlier \nthis year was the fact that although the contract for the lab \nhad been rebid and re-awarded, that that process could be \nopened again if there were substantial problems encountered. I \nwould submit to you that it appears that there are substantial \nproblems, but I would like an update on whether or not the \nDepartment of Energy is going to hold the contractor \naccountable for his actions or lack thereof, if there is going \nto be a reopening of the contract that was awarded the past \nyear.\n    I have also another issue within the Department of Energy \nthat I think is appropriate to briefly mention and discuss. I \nunderstand that there is a strike occurring at a nuclear \nsecurity weapons plant in my home State of Texas, the Pantex \nfacility, and I would appreciate it if Secretary Bodman would \ngive us a brief update on that issue and the impact of security \nat the plant.\n    Again, Mr. Chairman, thank you for holding this bipartisan \nhearing in which we can further address the security at Los \nAlamos. We are all committed to continuing these hearings until \nthis cycle of security breaches at Los Alamos is over once and \nfor all.\n    I yield back.\n    Mr. Stupak. That concludes the opening statements. For the \nrecord, Mrs. Wilson is here from New Mexico and so is Mr. \nUdall, not members of the subcommittee but we welcome you, and \nI know you have been at every hearing we have had on this, Tom; \nand you certainly can be here when we go to the questions, and \nwe will certainly give you an opportunity to ask questions if \nyou like.\n    So that concludes the opening statements by members of the \nsubcommittee. I will now call our first witness to come \nforward. Our first panel we have The Honorable Sam Bodman, \nSecretary of the U.S. Department of Energy. Secretary Bodman, \nit is the policy of the subcommittee to take all testimony \nunder oath. Please be advised that witnesses have the right \nunder the rules of the House to be advised by counsel during \nthe testimony. Do you wish to be represented by counsel?\n    Secretary Bodman. No, sir.\n    Mr. Stupak. OK.\n    [Witness sworn.]\n    Mr. Stupak. Mr. Secretary, you are under oath. You may \nbegin your opening statement, please.\n\n STATEMENT OF HON. SAMUEL W. BODMAN, SECRETARY, DEPARTMENT OF \n                     ENERGY, WASHINGTON, DC\n\n    Secretary Bodman. Mr. Chairman, Ranking Member Whitfield, \nmembers of the subcommittee, I am very pleased to be here to \ndiscuss what I consider to be one of the most pressing \nmanagement issues confronting my Department.\n    Since coming to the Department, one of my top goals has \nbeen to institute a safer, more secure work environment across \nthe DOE complex, and I have meant this to include physical \nsafety and security as well as cyber security. I want to be \nabsolutely clear with all of you, the protection of sensitive \ninformation is essential to our ability to meet the mission of \nthis Department. Without it, we can\'t do it.\n    What I would like to do today is to briefly outline the \nsteps that we have taken since the Deputy Secretary testified \nbefore you in January. In summary, I would make two points. \nFirst, we have made significant progress in my judgment, and I \nam confident that we are on the right track. That being said, \nwe are not satisfied with where we find ourselves today. We are \nsitting on top of this issue, we continue to look for ways to \nidentify and correct any potential weaknesses. If I may, I \nwould like to now describe some of the improvements and also \nnote that more details appear in my written testimony which \nwill be submitted for the record, if that is acceptable to the \nChairman.\n    First, we have made some senior management and oversight \nchanges in response to the security breaches at Los Alamos. In \nJanuary, I made what for me has been a very difficult decision \nand that is to replace the Under Secretary for Nuclear \nSecurity. Tom D\'Agostino is the Acting Under Secretary and NNSA \nAdministrator. In addition, NNSA has reassigned the Los Alamos \nsite office manager and has put one of its strongest managers, \nDaniel Glenn, in place as the Acting Manager.\n    Further, Tom D\'Agostino has requested that DOE\'s Office of \nHealth, Safety, and Security conduct annual inspections at Los \nAlamos for the next 3 years. This month, both NNSA\'s Office of \nDefense Nuclear Security and CIO will inspect LANL for cyber \nand physical security problems. In fact, the CIO has already \nbeen there and conducted her inspection. The site office will \nconduct annual and regular observations of the laboratory\'s \nsecurity program.\n    I would just add that I continue to be in close contact \nwith the senior leadership of the laboratory. In fact, I met \nwith all of the national laboratory directors just last week in \nChicago. At a department level, I have formed two teams of \nsenior officials, including Under Secretaries, the Chief of \nSecurity, and our Chief Information Officer and asked them to \nmake specific recommendations based on the report of the \nDepartment\'s Inspector General who conducted his report at my \nrequest. I have directed that these recommendations be \nimplemented department-wide, including enhanced mandatory \ntraining for those involved in granting of security clearances; \na strengthened departmental policy on drug testing that hold \nsecurity clearances, everyone; better quality assurance \noversight for granting security clearances; and a revised \norganizational structure for our personnel security program \nthat will ensure accountability.\n    We are also taking actions based on the recommendations \nfrom our cyber security team. Those include mandatory \nseparation of duties for critical positions, improved training \nfor all individuals with cyber security responsibilities, and \nimproved line management oversight. We are carrying out the \nDepartment\'s new authorities related to assessing civil \npenalties for classified information security violations. At \nthe same time, the laboratory\'s current management contractor, \nLANS, is also taking corrective action of their own. Among \nother issues, LANS recognizes that the lab\'s volume of \nclassified holdings is unnecessarily large, it is conducting in \ntoo many security areas, involves too many people, and is too \nspread out. As a result and with the approval of NNSA, they are \naggressively reducing the number of locations where they hold \nand process classified matter.\n    In closing, Mr. Chairman, let me say this. The men and \nwomen who work at our national laboratories are among the \nworld\'s most talented scientists and engineers. Since their \nfounding, these laboratories have demonstrated again and again \nthe tremendous power and terrific promise of science to help \nour nation solve our greatest challenges. But such a system \ncannot tolerate the kind of lapses in security that we have \nseen, be they in the physical or cyber realm. Protecting \ncritical information and maintaining a vibrant collaborative \nscience culture are not in my judgment mutually exclusive. \nQuite the opposite is true. In this case, you absolutely cannot \nachieve one without the other; and you continue to have my word \nthat I will do everything in my power to support both \nobjectives. The American people deserve no less.\n    I would like to say, sir, that in my view, the objectives \nof this committee and all of the statements that I have heard \nmade by the members of the committee are very consistent with \nmy own feelings. We have a real problem here, and I think we \nhave the opportunity of working together to try to deal with \nit. Thank you very much.\n    [The prepared statement Secretary Bodman appears at the \nconclusion of the hearing.]\n    Mr. Whitfield. Mr. Chairman, may I ask a procedural \nquestion before we begin our questioning? I know that we do \nhave some information, Official Use Only information, \nparticularly relating to the rating summary for the Los Alamos \nplant and various areas, and in the past, whenever we\'ve \ndiscussed Official Use Only information, we have either gone \ninto executive session or a closed session or we have worked \nwith the Department to agree on redacted material before we \nrelease anything to the public. I mean, that is one of the \ndocuments there. I know it has been partially redacted, but I \nwould ask the chairman what his intent is on this issue \nrelating to Official Use Only.\n    Mr. Stupak. Well, I thank the gentleman for posing the \nquestion. As you can see on the ratings summary, and we had it \nup during my opening statement, that was the most recent Los \nAlamos site office and lab rating summary. The broad categories \nare there, but the detailed areas of security have been \nredacted at the request of the minority and the majority; and \nthe documents with more detailed information in there will not \nbe released and have no intentions of being released, even the \nones I think we have in Secretary Bodman\'s book up there is all \nredacted. For the audience, the yellow part there is probably \nabout a C-minus if we are grading this. Green is maybe a B. \nThat\'s good. R is really bad. I guess that is what R stands \nfor, really bad. In 1999, the report was better than this and \nwe seem to be on a downhill slope. So I am sure there will be \nquestions about it, but there are no details in there. What \ndoes emergency management, that is the broad category or cyber \nsecurity, but we do not have any details in there nor do we \nintend to release any of those details. As you have said, they \nare for official use, even though this committee or any member \nwould have a right to release it I believe in a hearing in the \ncontext of their official duties, but we are going to leave it \nlike it is.\n    Mr. Whitfield. Well, I appreciate----\n    Mr. Stupak. Not to hold you up.\n    Mr. Whitfield. Yes, I appreciate that, Mr. Chairman. And I \nthink all of us would stipulate that the grades that the \nDepartment has received on this are not particularly good, but \nI really appreciate your conveying that information. And I am \nassuming that is the only Official Use document that we have. \nSo thank you very much.\n    Mr. Stupak. If it would have had the details in, it would \nhave been Official Use. Since it has been redacted, it is my \nunderstanding it is no longer Official Use. That document can \nbe released. The ones that say Official Use with the details, \nthere is no intention that I know of of anyone on this \ncommittee or myself or staffs of releasing that. Thank you.\n    In order to proceed in a more orderly and efficient manner, \nI would like to propose and set up 5 minutes for each member \nfor questions, that each member will have 10 minutes to use for \nquestioning during this hearing. Any objection? I see ranking \nmember of the full committee, Mr. Barton, has just arrived. \nBefore we go into questions, would you care to make an opening \nstatement, sir?\n    Mr. Barton. Thank you, Mr. Chairman, but I am a little bit \nlate so to expedite the hearing, I know we have got some votes, \nso I will put my statement in the record.\n    Mr. Stupak. Yes, we have nine votes coming up here. I don\'t \nknow if you want to do an opening before we do the votes and I \ndon\'t know if we want to get halfway through the questions and \nhave to stop.\n    Mr. Barton. No.\n    Mr. Stupak. OK. Then we will proceed to questions. I will \nstart off.\n    Mr. Secretary, the Cyber Security Task Force calls for an \nindependent oversight review of cyber security at Los Alamos \nthis year. Your testimony calls for annual reviews. Is Los \nAlamos in compliance with all DOE directives regarding security \nas we sit here today?\n    Secretary Bodman. No.\n    Mr. Stupak. In what areas are they still deficient?\n    Secretary Bodman. Well, we have a number of recommendations \nthat have been put in place in the cyber security area, most \nnotably a systems manual that was delivered and made available \nto the contractors and with the stipulation that these be \nentered into the agreements with each contract.\n    Mr. Stupak. So it is not entered into the contract?\n    Secretary Bodman. They are in the process of being entered \ninto it. I think it was on the date of March 8 that the \nsecurity manual was issued. They have 90 days in which to \naccomplish that, and we expect them to accomplish that by June \n8. Now that will then put it in being a part of the contract.\n    Mr. Stupak. Correct.\n    Secretary Bodman. There will then be a period of time. I \ncan read through the various issues if you would like.\n    Mr. Stupak. When do you think the implementation will be?\n    Secretary Bodman. It is going to be a couple of years, sir, \nbefore all of this is done because this calls for training, it \ncalls for a change in the way we manage the entire cyber \nsecurity responsibilities of the Department.\n    Mr. Stupak. If it is going to be a couple of years, I think \nwe will be having a 14th, 15th, and 16th hearing then. In \nsummary, you were summing up and you said LANS, the new \ncontractor who is in charge of this lab----\n    Secretary Bodman. Yes.\n    Mr. Stupak. You see them, might as well call them, 60 \npercent of LANS is University of California----\n    Secretary Bodman. No, sir, it is not, sir.\n    Mr. Stupak. OK.\n    Secretary Bodman. Sir, it is not. The 60 percent is not \nCalifornia.\n    Mr. Stupak. OK. LANS is now in charge.\n    Secretary Bodman. That is correct.\n    Mr. Stupak. Sixty-three years of U.C., now we got LANS.\n    Secretary Bodman. That is correct.\n    Mr. Stupak. OK. LANS, if I heard you correctly at the end, \nLANS agrees that Los Alamos is too large, too many people, and \ntoo spread out is what you said at the end, correct?\n    Secretary Bodman. They believe that the use of classified \ninformation, that there are too many centers, we have too many \nclassified retrievable electronic media that are being used, \nand there is a specific program that I am sure Director \nAnastasio will review with you for reducing those.\n    Mr. Stupak. OK. As you know, we have asked the GAO to take \na look at this.\n    Secretary Bodman. Yes, sir.\n    Mr. Stupak. Not just in the cyber security but the whole \nfootprint out there because many of us feel the repeated \nsecurity breaches at Los Alamos, because it is too large, too \nmany people, too spread out, and when it takes years to \nimplement policy, we do not feel real confident that the \nimplementation and the policy will be completed in a timely \nmanner and we will be back here again with more breaches. So if \nit going to take years to implement security agreements, that \nreally bothers us.\n    Secretary Bodman. Well, some of it, sir, depends on \nbudgets. In other words, these will be costly, they will \nrequire the approval of this Congress in order to get \nsufficient funds to do what needs to be done.\n    Mr. Stupak. So the taxpayers are going to pay for all these \nnew security measures?\n    Secretary Bodman. It will be perhaps shifted around from \none part of the organization to another, so I am not saying \nthere will be a total increase in the budget but I am saying \nthere will be a funding for this that is required.\n    Mr. Stupak. Well, I don\'t want to throw good money after \nbad, but we are a little concerned here when we learned this \npast week that the enforcement mechanism for LANS wasn\'t even \nin the contract. Now, 13 months later I guess it is inserted. \nSo when I said get-out-of-jail-free card, that is from the game \nMonopoly and this is real money, not paper money.\n    Secretary Bodman. I understand that.\n    Mr. Stupak. You have a monopoly when one entity you see has \nmanaged this lab for 63 years and still is part of LANS. And so \nwe can\'t be giving out get-out-of-jail-free, using taxpayer \nmoney, and a management monopoly and we are back here all the \ntime doing the same thing.\n    Let me ask you this question. The Inspector General\'s \ntestimony said the Federal and contract managers need to manage \nthe lab more aggressively and the Department and the lab must \ndevelop a regiment of compliance testing. However, it appears \nyou are going in the opposite direction by using a pilot \nprogram at Los Alamos which is based on reduced Federal \noversight and increased contractor self-assessment. Given the \ncore weaknesses in security, safety, and the history of \nmismanagement, do you believe that reduced Federal oversight is \nappropriate model at this time especially when it is going to \ntake near 3 or 4 years?\n    Secretary Bodman. Of course not.\n    Mr. Stupak. Then why would you propose a test pilot program \nat Los Alamos?\n    Secretary Bodman. I don\'t understand what that is. I never \nheard of it.\n    Mr. Stupak. You have no idea? OK. All right. Secretary, is \nit true that during the investigation of the security incident \nthe Department learned the subcontractor employee had taken an \nunsecure cell phone into the vault at Los Alamos?\n    Secretary Bodman. Yes, I heard that yesterday in \npreparation for this hearing that there was some allegation of \nthat, but I do not know anything about that.\n    Mr. Stupak. We heard that some time ago. From the January \nhearing to now, we heard about this. We heard about the \nenforcement part of the contract not being there, now we hear \nabout a cell phone. What are we going to hear about next? I \nthought we had this thing.\n    Secretary Bodman. Mr. Chairman, I will repeat for you, sir.\n    Mr. Stupak. Sure.\n    Secretary Bodman. I do have a record of truthfulness and \nintegrity in handling management matters. I do have a record of \nsome competence in handling management matters. Now, some of \nyour statements, sir, in my judgment are not correct. They have \nthe wrong premise.\n     And I have attempted to correct those as we have gone \nalong.\n    Mr. Stupak. What is not correct?\n    Secretary Bodman. So I will tell you, sir, that we are \ncommitted, I am personally committed, to trying to improve the \nsecurity situation at Los Alamos. I frankly find myself in a \nposition of some embarrassment. Why? Because I did not \npersonally ask the right questions in the early days of my \ntenure in this job, and the questions might have been something \nalong the line have all past Declarations of Secretaries been \nincluded in the policy that has been included in the contracts \nbetween this Department or between the NNSA and the contractor? \nThe answer is no, they have not been. And so there are many \nthings. Why haven\'t we had a compulsory drug testing program \nfor all members who are cleared? We have not had. We will now \nto the extent that we are able to do it. And so I am just \nsaying that there are number of things that have been done, and \nI am here to tell you that I am committed to trying to get it \ndone but I also repeat I am somewhat embarrassed I didn\'t ask \nall the right questions in the beginning.\n    Mr. Stupak. Let me ask you, the January 30 hearing, did the \nDepartment of Energy know that they didn\'t put the enforcement \nmechanisms, the DOE Order 470, in the LANS contract in January?\n    Secretary Bodman. I don\'t know, sir.\n    Mr. Stupak. All right.\n    Secretary Bodman. I learned about it about that time.\n    Mr. Stupak. About that time?\n    Secretary Bodman. Yes, sir.\n    Mr. Stupak. And no one told us about it until last week?\n    Secretary Bodman. That was about the time we learned about \nit. I may have been a week or two earlier, but I just don\'t \nknow.\n    Mr. Stupak. Well, last week is a lot different from January \n30. That is quite a bit of timeframe. What about the cell phone \nincident in the vault? You just learned about that, too?\n    Secretary Bodman. I just learned that the allegation of the \ncell phone in the vault. I don\'t know of the truth. This is an \ninvestigation, sir, that is still ongoing; and I would remind \nyou on that, and so I am unable to comment on anything specific \nthat I have heard. But I just tell you with respect to any \nquestions about the cell phone, I have not heard about it \nbefore.\n    Mr. Stupak. Well, when is your investigation anticipated \nthen to be done?\n    Secretary Bodman. It is not my investigation, sir. This is \nsomething being handled by the FBI.\n    Mr. Stupak. OK.\n    Secretary Bodman. So I can\'t answer for them.\n    Mr. Stupak. So after the FBI is done and after they brief \nthis committee, are you going to come back up to this committee \nthen and tell us the facts of the investigation as you know it?\n    Secretary Bodman. We will report to you the facts.\n    Mr. Stupak. Well, we would just as soon get them on the \nrecord so we don\'t have to have more hearings, but this \ninformation keep dribbling out is not good.\n    Mr. Secretary, let me ask you this. Was it a violation of \nDOE policy, I am talking about DOE policy now, to approve a \nsecurity clearance for an employee who admits to using illegal \ndrugs in the 30-day period prior to the approval of their \nsecurity clearance?\n    Secretary Bodman. I don\'t know if it was a violation of DOE \npolicy, but it didn\'t make any sense to do that, sir.\n    Mr. Stupak. OK. And in review, we have seen at least two \nother employees and 18 others who have what you call derogatory \ninformation in it who have received security clearance that \nprobably based on derogatory information should not have \nreceived it or had used drugs within 30 days of receiving that \nclearance?\n    Secretary Bodman. I don\'t know what those were. I can tell \nyou that part of the recommendation on the improvements in the \nsecurity system for the Department involves a review of all of \nthe clearances that were provided----\n    Mr. Walden. Mr. Chairman, can I ask a point of \nparliamentary inquiry? I thought you moved that we would reduce \nthe amount of time for questions to 5 minutes?\n    Mr. Stupak. Ten minutes we said.\n    Mr. Walden. Ten minutes? OK.\n    Mr. Stupak. Go ahead, Mr. Secretary. I think where you are \ngoing is the question I was trying to ask. The Department is \ngoing to implement the task force\'s recommendation to review \nall 4,360 security clearances----\n    Secretary Bodman. There are some 4,000 that we are in the \nprocess of doing, and I expect to have that done during the \nbalance of this season. I would guess during the summertime.\n    Mr. Stupak. Thank you, Mr. Secretary. Mr. Whitfield for \nquestioning? We have 6 minutes left.\n    Mr. Whitfield. I am going to take 5 minutes and then come \nback when--Mr. Secretary, before you came to the Department of \nEnergy, and I know you have other Government experience, but \nyou certainly had a reputation in the private sector as being a \nstrong executive. And when you look at this situation, you hear \na lot of comparison about Lawrence Livermore and Los Alamos; \nand we know that the University of California has been involved \nin the management of both of them for many, many years, for \nabout 63 years or so, and yet there doesn\'t seem to be the \nproblems at Lawrence Livermore as there is at Los Alamos.\n    From your position as Secretary of Energy and experiences \nrunning business, as a strong executive, why do you feel that \nthere has been so much problems at one of these labs but not \nthe other?\n    Secretary Bodman. That is sort of a speculation on my part. \nI guess I would cite for you, sir, there are significant \ndifferences between the two institutions as to where they are \nlocated, geographic location, and getting the right management. \nIn San Francisco is a very different matter than getting the \nright people to move to Los Alamos and to take on that \nassignment. So that would be one comment.\n    Comment two, I think it goes back to the very history of \nthe laboratory. There have been issues of security, if you read \nback the history of this, for 60 years and there has been a \nvery challenging environment there because of the preeminence \nof science and less interest apparently at times in security \nresponsibilities. The one you should really ask that question \nof is Mr. Anastasio who will testify next. And if I had to \nanswer that question, he is the person I would ask.\n    Mr. Whitfield. OK.\n    Secretary Bodman. He has been at both places.\n    Mr. Whitfield. Who at the Department was responsible for \noverseeing the contract letting that LANS recently won and the \nsecurity requirements were omitted from that contract? Who in \nthe Department was really responsible for negotiating that \ncontract?\n    Secretary Bodman. Ultimately, I am responsible, Mr. \nWhitfield for the contract. You then go down through Linton \nBrooks who was the Administrator and oversaw the activity that \nhad that responsibility, Tom D\'Agostino who oversaw it. A lot \nof things went on if I may say at that point in time. I also \nwould add, this is the world according to Sam and not anything \nelse, I think that there will be ample opportunity whether or \nnot there is the specific inclusion of specific arrangements in \nthere for whatever penalties are deemed desirable by the \nenforcement actions to be implemented.\n    Mr. Whitfield. Some people feel like the University of \nCalifornia has been involved in the management of this plant \nfor 63 years; and there was a strong argument that maybe we \nneed to just change it completely, and I know they are still a \npart of LANS.\n    Secretary Bodman. Right.\n    Mr. Whitfield. Was there any discussion of that at the \nDepartment about maybe just a complete culture change by \nchanging the major----\n    Secretary Bodman. Yes, there certainly was a discussion, \nand I think that first of all it is important to recognize that \nthere are very specific Federal procurement rules that apply \nthat involve a Source Selection Officer and a Source Evaluation \nCommittee that provides information for the Source Selection \nOfficer, and these are all career employees. And so it is \nsomething that is done in order to prevent political \ninterference with the ultimate decision.\n    So I know there was a discussion of this general matter, \nbut I would think that it is important to recognize that the \nteam was recognized for the combined scientific excellence in \nthe University of California and the management expertise of \nboth Bechtel as well as BWXT and the Washington Group.\n    Mr. Whitfield. Right.\n    Secretary Bodman. Now, this group I will tell you, I have \npersonally dealt with this board on a one-on-one basis meeting \nwith both the chairman and the vice-chairman of the Board since \nthis event occurred, I think it is fair to say this event \ncaught them by surprise just as to how serious this matter was \nand is. They immediately dispatched their own people--I am sure \nDr. Anastasio will review that with you--in order to review the \nsituation. They found a very glaring failure in cyber security \nprograms, they said about their own programs, over and beyond \nanything we are doing in order to try and deal with this.\n    Mr. Whitfield. Well, Mr. Secretary thank you. We have about \na minute left so I guess we need to get over and vote.\n    Mr. Stupak. OK. So we have seven votes, so let us adjourn. \nWe should be back 11:15 or so. We will adjourn the hearing \nuntil then. How is that with you, Mr. Secretary?\n    Secretary Bodman. Whatever you say, sir. I will be happy \nto----\n    Mr. Stupak. Well, you got to remember----\n    Secretary Bodman. I got a limit as to how long I can stay \nthe rest of the day.\n    Mr. Stupak. Yes, and unfortunately they give us seven votes \nright now.\n    Secretary Bodman. I understand that and I honor that. I \nwant you to honor what time pressures I have, sir.\n    Mr. Stupak. I understand.\n    Secretary Bodman. Thank you.\n    Mr. Stupak. Thank you. The subcommittee stands recessed \nuntil 11:15.\n    [Recess.]\n    Mr. Stupak. A lot longer than we all thought. We thought we \nhad seven votes and it ended up being nine plus motions to \nrecommit.\n    Unfortunately, the Secretary, as he indicated, had a noon \nappointment that he had to make and so we dismissed him. We may \ncall him back at some time in the future. But had he been here \nI would have asked him again about DOE\'s pilot oversight model \nat Los Alamos that he seemed to know nothing about. I would for \nthe record like to read the general question I asked the \nSecretary about this pilot. My question was, Mr. Secretary, the \nInspector General\'s testimony said the Federal and contract \nmanagers need to manage the lab more aggressively in the \nDepartment and the lab must develop a regiment of compliance \ntesting. However, DOE is going in the opposite direction by \nusing a pilot program at Los Alamos which is based on reduced \nFederal oversight and increased contractor self-assessment. \nGiven the core weaknesses in security, safety, and the history \nof mismanagement, do you believe that reduced Federal oversight \nis the appropriate model at this time? If so, why? The \nSecretary claimed he did not know anything about this pilot. In \nfact, our staff has provided an official Department of Energy \nmemorandum establishing this pilot specifically for Los Alamos.\n    It is also my understanding that this pilot is well-known \nby other key officials including the Inspector General who is \nrather critical of it. I intend to ask the Inspector General, \nour next panel here, (a), if they know about the pilot and, \n(b), what concerns does he have about it. But now perhaps more \nimportantly, I intend to ask the IGY when this memo was signed \nby the former NNSA Chief, Ambassador Linton Brooks, the \nSecretary would apparently know nothing of it. I find that \ntroubling unto itself, and we will ask the Secretary in writing \nthe same questions.\n    We have had problems as you all know in the past with the \nhead of the National Nuclear Security Administration not \nconveying key management information related to the Secretary. \nI wonder if this is yet another example.\n    So we can move to our second panel so we can get these \nquestions out. I will now call our second panel of witnesses, \nthe Honorable Gregory Friedman, Inspector General for the \nDepartment of Energy, and Mr. Michael Anastasio, Director of \nthe Los Alamos Nuclear Laboratory.\n    It is the policy of this subcommittee, gentlemen, to take \nall testimony under oath. Please be advised witnesses have the \nright under the rules of the House to be advised by counsel \nduring their testimony. Do any of you wish to be represented by \ncounsel? Mr. Friedman?\n    Mr. Friedman. No.\n    Mr. Anastasio. No.\n    [Witnesses sworn.]\n    Mr. Stupak. Thank you. The record should reflect the \nwitnesses have replied in the affirmative. You are now under \noath. Mr. Friedman, we will start with you. Five-minute opening \nstatement, sir.\n\nSTATEMENT OF HON. GREGORY H. FRIEDMAN, INSPECTOR GENERAL, U.S. \n              DEPARTMENT OF ENERGY, WASHINGTON, DC\n\n    Mr. Friedman. Mr. Chairman and members of the subcommittee, \nI am pleased to be here at your request to testify in the \nconcerns expressed in your April 5 letter regarding operations \nat the Los Alamos National Laboratory.\n    In January 2007 I testified before this subcommittee on the \nspecial inquiry conducted by my office regarding the diversion \nof classified data from Los Alamos. Specifically at the request \nof the Secretary of Energy, we examined the efforts of the \nDepartment and its contractors to protect classified \ninformation and the steps that were taken to assure that only \nauthorized individuals had access to such information. Our \nreport on this matter was issued on November 27, 2007. The \nOffice of Inspector General found the security environment at \nLos Alamos is inadequate despite the expenditure of millions of \ndollars by the National Nuclear Administration to upgrade \nvarious components of the laboratory\'s security apparatus. In \nparticular to the cyber security control structure we found \nthat certain computer ports had not been disabled, classified \ncomputer racks were not locked, and some individuals were \ninappropriately granted access to classified computers and \nequipment to which they were not entitled.\n    In many cases, laboratory management staff had not \ndeveloped policies necessary to protect classified information, \nenforce existing safeguards, or provided the attention or \nemphasis necessary to ensure protective measures were adequate.\n    Some of the security policies were conflicting or applied \ninconsistently. We also found the laboratory and Federal \nofficials were not as aggressive as they should have been in \nconducting security reviews and physical inspections. In short, \nour findings raise serious concerns about the laboratory\'s \nability to protect both classified and sensitive information \nsystems.\n    The OIG also reviewed certain aspects of the security \nclearance process in place for laboratory employees. We \nidentified particular weaknesses associated with this program \nwhich were discussed in a closed-session of this subcommittee \nin January 2007.\n    After this incident was discovered, Department and \nlaboratory management officials launched several efforts to \nidentify and correct and control deficiencies that certainly \ncontributed to an environment which classified information \ncould be removed without authorization. In particular, the \nDeputy Secretary directed an immediate review of policies and \npractices related to computer ports at each of the Departments\' \nfacilities. Further, the Secretary established two high-level \ntask forces to address our findings. The reports of the \nSecretary\'s task forces and a list of the proposed directive \nactions were provided to my office last week. Many of the \ncorrective actions outlined by the two task forces are in \nprogress. Implementation, deployment, and execution are key. If \nproperly carried out, the corrective actions should improve \nclassified operations at Los Alamos and could help prevent \nsimilar incidents at departmental facilities throughout the \ncomplex.\n    As I have testified on several occasions, the Department \nmust do a better job addressing the recurring challenges it \nfaces, and I have four or five specific suggestions. Number 1, \nwith regard to the current matter, the Department must ensure \nthat all actions and recommendations outlined in the Task Force \nReports are formalized into policy and adopted as practice \nthroughout the Department. As part of that effort, these \npolicies should be incorporated into all facility contracts.\n    Two, to achieve the recommended reforms, the Department \nmust establish firm schedules with specific implementation \ntimelines and performance metrics. No. 3 both Federal and \ncontractor officials need to manage more aggressively. As part \nof that process, the Department needs to ensure that its \nFederal contract management function is adequately staffed with \nthe appropriate skill mix. In addition, Department and \nlaboratory officials must develop a more comprehensive regimen \nof compliance testing and follow up to ensure that security \npolicies and procedures are rigorously followed. Individuals \nand institutions, both Federal and contracted, must be held \naccountable for failure to follow established security \nmeasures. As it has begun to do so in response to the most \nrecent Los Alamos incident, the Department should emphasize \nthat the failure to properly protect classified information and \nmaterials will have meaningful consequences.\n    Finally, consistent with our 2006 recommendation, we \ncontinue to believe the Department should perform a risk-based \nevaluation of cyber security funding at Los Alamos. The \nobjective of this evaluation would be to ensure that the \nresources are available for complete implementation of the \nrevised cyber security policies and procedures.\n    For the past 5 years we have identified both cyber and \nphysical security as pressing management challenges. For these \nreasons and because of the recent incidents, the Office of \nInspector General continues to be concerned about the security \nacross the Department of Energy complex. We have ongoing \nactivities to examine information technology and system \nsecurity, implementation to revise security measures, disposal \nof sensitive property, and issues related to protective force \ntraining.\n    In addition to our ongoing work, the full committee in \nJanuary 2007 requested that the GAO examine the security of the \nDepartment\'s unclassified and classified information networks \nand its cyber security programs. My office coordinates closely \nwith GAO on reviews of the Department, and we are hopeful that \nhe assessment requested by the committee will provide \nrecommendations leading to a strengthened agency-wide security \nposture. My office continues to conduct audit inspection \ninvestigative work that complements the reviews requested by \nthe committee.\n    Mr. Chairman, this concludes my statement. I would be \npleased to answer any questions you may have.\n    [The prepared statement of Mr. Friedman appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you, sir. Next we will hear from Mr. \nAnastasio for 5 minutes.\n\n    STATEMENT OF MICHAEL R. ANASTASIO, DIRECTOR, LOS ALAMOS \n                      NATIONAL LABORATORY\n\n    Mr. Anastasio. Good afternoon, Chairman Stupak, Ranking \nMember Whitfield, and other members of the committee. Thank you \nfor the opportunity to update you on our progress.\n    As you know, I am Michael Anastasio, Director of the Los \nAlamos National Laboratory since June 2006 and president of the \nLos Alamos National Security, LLC.\n    I am pleased to report that we have continued to make \nsignificant progress on many fronts since I last addressed this \nsubcommittee 11 weeks ago. Today, in keeping with the subject \nof this hearing, I will focus on security; and I want to \nreiterate what I said at the last hearing, that I personally \ntake the issue of security at Los Alamos very, very seriously.\n    First, we have significantly reduced risks in both cyber \nand physical security, and this includes reducing and \nconsolidating classified holdings, per the subcommittee\'s \nstated concerns. Second, we have taken actions to make policy \nclear and consistent and to change employee behaviors. And \nthird, we are putting in place comprehensive corrective actions \nwith a major focus on long-term sustainability.\n    Here are some examples of the specific actions my \nmanagement team, my Board of Governors, and I myself personally \nare taking to reduce risk. Starting with cyber security, we now \nhave positive control over all our classified computer ports \nusing a combination of software, physical locks, and tamper-\nindicating devices. All of our classified systems have been \ninspected and found to be compliant, and we have reduced the \nnumber of stand-alone classified systems by 28 percent.\n    As for physical security improvements, we have made our \nvault escort requirements clearer and tougher, for example, \nrequiring the search of all belongings carried by those \nescorted both in and out of the vaults. By December, we will \nhave reduced our accountable classified removable electronic \nmedia, known as ACREM, by 50 percent. We have destroyed almost \n1,500 classified parts and 500 boxes of classified documents \nthat we inherited. We have eliminated 14 vault-type rooms, a \nreduction of 10 percent, with more to come.\n    In the area of policy and behaviors, we have uniformly \ntrained our Information Systems Security Officers, our ISSOs, \nand are hiring senior ISSOs in all key organizations to provide \nconsistency across the laboratory.\n    We are clarifying and simplifying security policy. In \naddition to mandatory training, we will promote the right \nbehaviors through active employee participation. For example, \nwe have directly involved employees and worker-led security \nteams at multiple levels in our line organizations.\n    On March 5, we launched and enhanced substance abuse \nprogram where every newly hired employee is tested for illegal \ndrugs and every badge holder is now subject to random testing, \nregardless of his or her clearance level.\n    For long-term effectiveness and sustainability, we have \nbegun constructing a super vault-type room, the first of its \nkind. This will allow us to consolidate and uniformly control \nclassified information managed by security professionals. At \nthe same time, it will give authorized users efficient access \nto this information. I expect to complete construction of the \nfirst functional prototype this June. This project will \ninitially allow us to close six additional vault-type rooms and \nreduce our ACREM libraries by one-third. By constructing \nadditional super vault-type rooms, we will reduce the number of \nclassified vaults to an absolute minimum consistent with our \noperational and mission requirements.\n    We have also been careful to embed validation and \nverification regimes into our corrective action plans in order \nto sustain all of these efforts and to prevent any backsliding. \nMoreover, everything we are doing is being closely scrutinized, \nnot only by Congress but by my own Board of Governors, by the \nDOE, NNSA, and other oversight bodies. I welcome that \ncontinuing scrutiny. It validates that we are heading in the \nright direction and keeps our eye on the ball.\n    So in conclusion, Mr. Chairman, as I have testified \npreviously on this issue, there are no silver bullets where \nsecurity is concerned, but with these security enhancements and \nBoard of Governors\' support and oversight, we are aggressively \nmoving Los Alamos in the right direction as we are in many \nother fronts vital to our success as a national security \nscience laboratory.\n    Thank you again for the opportunity to testify, and I am \nhappy to take your questions.\n    [The prepared statement of Mr. Anastasio appears at the \nconclusion of the hearing.]\n    Mr. Stupak. Thank you both for being here, and we will \nstart with questioning that will go for 10 minutes. I am glad \nto see Mr. Udall is still here. It is Friday, the votes are \nover for the week, everyone has taken off, but Mr. Udall has \ngreat interest in this. He remains with us. Thank you again, \nTom.\n    Before we begin, Mr. Friedman, I indicated I was going to \nask you the same question I put to the Secretary about your \ntestimony that the Federal and contractor managers need to be \nmore aggressive. In fact, you said that in your opening \nstatement and the Department must develop a regimen in \ncompliance. However, we seem to have this pilot program at Los \nAlamos which really would reduce Federal oversight increase, \ncontractor self-assessment. Do you believe that reduced Federal \noversight is the appropriate model at this time? If so or if \nno, why not?\n    Mr. Friedman. I do not, Mr. Stupak. We have been following \nthis proposal for several years.\n    Mr. Stupak. So you are familiar with this pilot project?\n    Mr. Friedman. Yes.\n    Mr. Stupak. And it has been around for a number of years?\n    Mr. Friedman. Yes.\n    Mr. Stupak. It is it site-specific to Los Alamos?\n    Mr. Friedman. Well, I am not the expert as to how they are \nruling it out, but it seemed to me it may have initiated at \nSandia and it has some relationship to the Kansas City plant; \nbut certainly it is contemplated for Los Alamos as well.\n    Mr. Stupak. Right, the document I held up, the memo, was \nfrom Linton F. Brooks, the Administrator, and former \nambassador. It\'s the pilot of the new National Nuclear Security \nAdministration, oversight model for Los Alamos. This is the \ndocument you are speaking of?\n    Mr. Friedman. I assume it is.\n    Mr. Stupak. While we are here, I will wait until Ed gets \nback, but I would like to move for admission in the record. It \nactually says in December 2002 we announced a new approach to \noversight with the National Nuclear Security Administration. So \nthis is the pilot program we have been speaking about?\n    Mr. Friedman. Yes, this memo is not dated and I am not sure \nwhen I did see it.\n    Mr. Stupak. It is signed by Ambassador Brooks?\n    Mr. Friedman. It does appear to be, yes.\n    Mr. Stupak. Why would a Secretary not know about a memo \ndealing with Los Alamos as to a pilot of the new National \nNuclear Security Administration oversight model for Los Alamos?\n    Mr. Friedman. I certainly cannot testify on behalf of the \nSecretary on that. I really don\'t know.\n    Mr. Stupak. Should the Secretary be made aware of it?\n    Mr. Friedman. The span of activities in the Department of \nEnergy is enormous, and perhaps he was aware of it under some \nother name. I just can\'t speak for him.\n    Mr. Stupak. OK. I also asked the Secretary about the cell \nphone in a vault. Do you have any knowledge of that in your \noverview about this employee had a cell phone in a vault?\n    Mr. Friedman. Mr. Stupak, as I recall your background, I \nthink you have a law enforcement background.\n    Mr. Stupak. Yes.\n    Mr. Friedman. And I am ill at ease answering your question. \nThere is an ongoing FBI investigation with deep involvement of \nthe Justice Department and the question of the individual\'s \nbackground, and what is in her investigative file is certainly \npart of that investigation. And I would not want to say \nanything inadvertently in response to your question that would \ncompromise that. I am familiar with at least one incident, and \nthere was an allegation of a second incident.\n    Mr. Stupak. Of a cell phone in a vault?\n    Mr. Friedman. Right.\n    Mr. Stupak. It is an unsecured cell phone in a secured \nvault?\n    Mr. Friedman. Essentially that is correct.\n    Mr. Stupak. OK. And is this a----\n    Mr. Friedman. I should say I think it is a personal cell \nphone.\n    Mr. Stupak. Right. Personal or departmental but it was an \nunsecured cell phone. And is this a breach or violation of \nsecurity at Los Alamos?\n    Mr. Friedman. My understanding it most certainly is or was.\n    Mr. Stupak. OK. And again, if the Secretary is briefed \nabout an investigation, if there are these allegations, he \ncertainly should be made aware of it. You see, my problem is \nthe last time we testified here in January we had the breach \nabout the employee\'s personal information being put out on the \nweb inadvertently, and the Secretary didn\'t seem to know about \nthat or DOE Order 470, we don\'t seem to know anything about \nthat, we don\'t seem to know anything about the cell phone. It \nseems like not only is there structural problems within Los \nAlamos and DOE but it seems like there is a communication \nproblem, too.\n    Mr. Friedman. Well, I think that the people most directly \nresponsible for operations of the laboratory and the Federal \nsite were aware of the incidents as best I could determine, and \ncertainly we were aware of them. So the fact that the Secretary \nwas not aware of them given the, again, the scope of his \nactivities, I am not sure it is all that surprising.\n    Mr. Stupak. The fact that you\'re aware of it, someone in \nDOE should be made aware of it.\n    Mr. Friedman. Yes, absolutely.\n    Mr. Stupak. What\'s the problem with this pilot program \nhere? What are your concerns specifically? Does it lead to less \nFederal oversight and more self-assessment by the contractor?\n    Mr. Friedman. I am not the best person to testify on the \nprogram itself, but the essence of it is as you characterized \nit, reliance on self-assessment with a third-party review of \nthe assessments, similar to commercial standards. I mean, \nthat\'s basically what we\'re talking about.\n    We have for many years been concerned, we have expressed \nthis in a number of forums, about the effectiveness of the \nDepartment\'s administration of its contracts. And it is our \nview that sort of stepping back, while it may be satisfying for \nthe contractors because it means less reports, less intrusive \nreviews, less evaluations, is not the approach that we should \ntake.\n    Mr. Stupak. It is not the aggressive approach that you\'ve \nbeen suggesting?\n    Mr. Friedman. No, it is not.\n    Mr. Stupak. OK. The 550 security police officers went on \nstrike at Pantex. I think Mr. Burgess mentioned it on the first \nspan on his opening there, and there is a force of about 211 to \nreplace them. Given your reduction in force size, and I \nunderstand some people have to work up to 84-hour workweeks, \ncan you give an opinion whether the Nation\'s most valuable \nnuclear assets are being protected at a level that is \nsufficient to meet Department requirements?\n    Mr. Friedman. I don\'t know how many people and I accept \nyour numbers, Mr. Chairman, and I don\'t quarrel with them. We \nissued a report I think last year at the Oak Ridge complex in \nwhich we were concerned about the amount of overtime, that it \nwas excessive and it would lead to a degradation of the ability \nof the guard force. And I take it that the guards that have \nbeen sent to Pantex have been sent from other locations \nthroughout the Department complex. So certainly to the extent \nthat we have been concerned historically about overtime and the \nimpact of the overtime on the ability of the guards to do their \njob, there is that concern.\n    Mr. Stupak. Well, besides the drawing of personnel from \nother areas of the other sites to beef up Pantex while we have \nthis security police that went on strike there, what would be \nthe longer-term consequences to the Pantex site operations if \nthis dispute goes on for a protracted period of time? I guess \nmy concern is Pantex, where we assemble everything and \ndisassemble, seems like it is one of the more sensitive sites. \nSo if this goes on for a protracted period of time, that is \ngoing to lessen our security I would think overall.\n    Mr. Friedman. Let me divert for just 1 second. I should \ntell you that in the interest of full disclosure that there are \nfive or six points that have been expressed to us by the guards \nthemselves and other individuals, and we are pursuing those \naggressively. Now, we have an open inspections on those \nfundamental issues. And they do deal with core safety and \nsecurity. I am not in the position to evaluate what the short-\nterm, mid-term, or long-term impact of a strike would be. I \nthink it is pretty clear that this is one of the most sensitive \nsites that the U.S. Government has in the continental United \nStates, and it is a situation which needs to be resolved as \nsoon as possible or there will be potential consequences.\n    Mr. Stupak. Thank you. Mr. Anastasio, I was a little \nconcerned when the Secretary testified, and I think you were in \nthe room then, about the memo here to do the implementation of \nyour cyber security I believe it was, that the booklet was \ngiven to your organization right around March 8, you have 90 \ndays to comment on it, you send it back to the Department, and \nthen he said it would be years to implement it. Why would it \ntake years to implement the policy?\n     You get 90 days, why would it take years to implement it.\n    Mr. Anastasio. Well, it is a complicated set of \nrequirements that takes----\n    Mr. Stupak. It is complicated to digest and 90 days to----\n    Mr. Anastasio. Excuse me? I am sorry, I didn\'t hear it.\n    Mr. Stupak. You have 90 days to digest it.\n    Mr. Anastasio. Ninety days to comment and then we will have \nto put in place a plan that will do the implementation over a \nspecific period of time; and then of course, we will have lots \nof oversight and the effectiveness of carrying out that plan, \nboth to put it in place and to make sure that we have an \neffective plan in place as we do that.\n    Mr. Stupak. I mentioned and the Secretary objected to this, \nyour new organization managing Los Alamos, is made up of UC \npeople. What percentage? I said 60, he said it was not 60. What \nis it, do you know?\n    Mr. Anastasio. The management is an equal partnership of \nthe two major partners of the UC and the Bechtel National.\n    Mr. Stupak. So if it is equal, is it 50 percent then?\n    Mr. Anastasio. Yes, so as an example, the executive \ncommittee of the board has six members, three from the \nuniversity and three from the industrial partners, so in that \nsense it is----\n    Mr. Stupak. OK. What about the board makeup then?\n    Mr. Anastasio. There is the executive committee as I said \nand then there are an additional five members from outside any \nof the partner companies. Overall 11, but let us say the \nbusiness decisions of the LLC are made by the Executive \nCommittee. That is three and three.\n    Mr. Stupak. OK. And that is 50 percent then basically?\n    Mr. Anastasio. Yes, sir.\n    Mr. Stupak. OK. I guess my time has expired. Mr. Walden for \nquestions?\n    Mr. Walden. Thank you, Mr. Chairman. I appreciate that. \nDirector Anastasio, in your testimony you pointed to progress \nat the site by stating, and I quote, ``we have destroyed 500 \nboxes of classified documents we inherited at Los Alamos.\'\' \nSounds like a lot of documents. However, I am told when the \ncommittee staff asked about how many classified documents there \nare at Los Alamos, to try and put this in perspective, the \nlab\'s response was there is no requirement to maintain strict \naccountability of each classified document. We cannot tell you \nhow many classified documents we have which leaves some of us \nwondering, do you know how many classified documents you have \nand there is no system in place to monitor those?\n    Mr. Anastasio. There is a set of specific kinds of \nclassified documents that we are required to keep in an \naccountability system where we have a strict numbering system \non every individual document, and we track those. But the \ngeneral large collection of documents that we have, there is \nnot a requirement to keep it in strict accountability system.\n    We do protect those documents in a very rigorous way.\n    Mr. Walden. I understand the need to do that. I guess I am \njust trying to put your comment in perspective because I don\'t \nknow how big the boxes are.\n    Mr. Anastasio. Oh, I am sorry. So we have probably I would \nestimate, I don\'t have an exact count, but I would estimate \nthat we have several million classified documents.\n    Mr. Walden. And so I guess the question is I have heard \nestimates of up to 30 million classified documents?\n    Mr. Anastasio. That sounds high to me, but again, I don\'t \nhave an exact number.\n    Mr. Walden. When you say you have destroyed 500 boxes of \nclassified documents, is that 1,000 documents or is that 10,000 \ndocuments?\n    Mr. Anastasio. There are, kind of----\n    Mr. Walden. Just sort of file folder box documents?\n    Mr. Anastasio. Yes, file folder boxes, yes, sir.\n    Mr. Walden. So it wouldn\'t be that many then?\n    Mr. Anastasio. Not in relation to the total number. All I \nwas----\n    Mr. Walden. That is what I am trying to do is get it in \nperspective.\n    Mr. Walden. Yes, sir.\n    Mr. Anastasio. All I was trying to express is that we are \nactively in just the last 11 weeks off working down the large \nvolume of both documents, parts, removable media, vault-type \nrooms and so forth. We have a concerted effort we have moved \nout on, and there is really concrete progress that we have made \njust the last 11 weeks.\n    Mr. Walden. And I appreciate that. I think that is a good \nthing. How many boxes would normally be destroyed in a given \nyear? I assume this is like my business where you are always \nshredding things from the prior year, and you are kind of \nkeeping the shelving available as you move forward another \nyear.\n    Mr. Anastasio. Unfortunately, my impression at Los Alamos \nis they have not destroyed many things very often.\n    Mr. Walden. Classified as pack rats then?\n    Mr. Anastasio. So they keep labeling things and store them \nand to keep good records. Now we have good computer systems \nthat we can scan and upload documents into a computer system \nthat we can actually use the information more effectively that \nway because you can search it just like you would information \non the Internet but in a classified network, in a classified \ncomputer, protected. Then that obviates the need for the \ndocument and we can start getting rid of documents. So there is \na very active program and a very active desire on our \nemployees, in fact, to move that way because it is easier to \nmanage.\n    Mr. Walden. Sure. We obviously, and I have, made reference \nto the J.B. Weld project of security enhancement at the labs, \nand I have had our prop here to point out a simple solution. I \nsuppose the more simple solution would have been to order \ncomputers that don\'t have USB ports to begin with, rather than \nglue these shut.\n    As you replace computers, which I assume the lab is doing, \nare they ordering computers with USB ports in them or are they \nordering them without USB ports in them?\n    Mr. Anastasio. Most computers have a USB port as an example \nto plug the keyboard in. That is through USB port, and of \ncourse, you need a keyboard on the computer. In some cases some \ncomputer you actually want to get information off the computers \nand you need a mechanism to do that. But what we have done is \nwe have put controls in place that, for instance, even if you \nhave a keyboard with a USB port plugged in, you can put \nsoftware in place as an example that makes sure that that port \nonly recognizes the keyboard.\n    Mr. Walden. Right.\n    Mr. Anastasio. If you try to put a fun drive or the \nequivalent into it, the computer doesn\'t recognize what it is, \nit is incapable of reading that. When we move to this super \nvault-type rooms that I alluded to in my testimony, what we are \nlooking at right now as part of this prototype is to have what \nI like to call an idiot savant computer, a computer that is \nvery, very capable at displaying data but is very stupid at \ndoing anything else. And so it doesn\'t have the operating \nsystem capability to recognize ports to do anything. So there \nis a keyboard, there is a mouse, and it can display 3-D very \nrapidly, high-resolution data, but it can\'s process the data. \nThat is done on the server that is locked up in this vault, \nprotected by people who are security professionals with a \ndifferent approach to security when done in the past.\n    So that is the direction we are trying to move to really \nmove away from being even concerned about whether you have a \nport or not, you are just going to disable it so that it can\'t \nfunction at all.\n    Mr. Walden. And clearly it is not really our job to \nmicromanage the security of your labs, but it is our job to \nmake sure somebody is doing that. And so I know we have all \ngotten to know each other all too well in the last few months \nand years. We couldn\'t spend this time on every agency, but I \ncan\'t think of one that is more important to American security \nin many respects than the one that you are in charge of. And so \nI just still struggle at how these opportunities to lose data \noccur as we saw I think it was last fall with the woman who \ntook the data home and was working out of her home and then got \ncaught. And I guess I just still struggle, wondering how is it \nso hard to fix? I mean, you were at Lawrence Livermore before, \nright?\n    Mr. Anastasio. That is correct.\n    Mr. Walden. And you didn\'t see these kinds of breaches of \nsecurity at Lawrence Livermore, did we? Did you?\n    Mr. Anastasio. Not of this nature, no.\n    Mr. Walden. So what is different here? I mean, you have \nbeen there a while now. What is going on? I mean, you got good \npeople, I\'m sure, at both labs, top-notch brains, scientists, \nbut the security function just seems to be a problem.\n    Mr. Anastasio. Well, I think there is a variety of issues. \nI think having the right leadership team and the people who are \nfocused on this, to bring a system-level approach to it, to \nhave consistency and simplicity so the employees can \nunderstand, actually making systems so that employees can \nsucceed, people are human. They are fallible. People make \nmistakes. So we need to put in place a system so that if there \nis a mistake that we contain any potential impact of the \nmistake. This is standard but kind of safety approached in \nhuman performance from the nuclear power industry, as an \nexample. These are systems that so if you start to drift off, \nthere is something to remind you, hey, you are starting to make \na mistake, you need to stop. And that happens before there is \nany significant consequence.\n    So these are the kinds of systems we are trying to put in \nplace to really make sure the employees can be a success, they \nare very committed to our national security, they are very \nconscious and conscientious about security in this sense. And \nso my job is to make sure that I give them all the tools they \ncan have to be a success and at the same time hold them \naccountable for my expectations of them. And if they really \nintentionally violate the rules, then there are severe \nconsequences for that.\n     Do you find many who intentionally violate the rules?\n    Mr. Anastasio. No, sir. Since June if I remember correctly, \nI think we terminated one employee for violating security \nrules. That is my memory, on the order of one or two.\n    So it does happen. We will take the action to terminate \nsomeone, but it is not very frequent at all.\n    Mr. Walden. Mr. Friedman, are you comfortable with what I \nam hearing here today from your independent perspective that \nthings are going to turn around soon?\n    Mr. Friedman. Mr. Walden, I guess that is the question that \nI hope I wasn\'t asked.\n    Mr. Walden. Now I am doing my job.\n    Mr. Friedman. Einstein, I think, said that insanity is \ndoing the same thing over and over and expecting a different \nresult.\n    Mr. Walden. Expect a different result.\n    Mr. Friedman. As I testified in January, I am really \nhopeful that the new management team at Los Alamos and the \nDepartment\'s aggressiveness will result in a meaningful change \nin the way they view security and safety and the other \noperational issues that have been a problem there for so many \nyears. Can I give you a level of guarantee? No. I hope it is \nthe case, and it would serve everyone if that is the case.\n    Mr. Walden. So we need to plan on another hearing in a \ncouple of months at which time you should be able to give us \nthat certainty, correct?\n    Mr. Friedman. Only if you serve lunch for the next hearing.\n    Mr. Walden. Yes, well, hopefully it won\'t be a barbecue. \nWith that, I yield back my time, Mr. Chairman.\n    Mr. Stupak. I thank the gentleman from Oregon. The \ngentleman from Washington, Mr. Inslee for questions?\n    Mr. Inslee. Thank you. Mr. Friedman, I have missed some of \nthis but I wanted to ask you, what could you tell us \nspecifically needs to be done that is not currently being done \nat the lab so that you can control classified and unclassified, \nsensitive information?\n    Mr. Friedman. Well, I think as the Secretary testified this \nmorning that many of the corrective actions are a work in \nprogress, and that has been historically one of the problems it \nseems to me that we get off to a good start, we have good \nideas, we try to implement good fixes, but they lose steam, the \nmomentum is lost. So one of the important things that has to be \ndone is that all of the good things that have been proposed, \ndiscussed here today, and have been reduced to writing in \nvarious forms are, in fact, implemented and they flow down to \nthe entire organization. Again, one of the historic problems we \nfound is that the upper levels frequently got it but it didn\'t \nalways make it down to the 10,000 or so other people who work \nat Los Alamos. So that is one.\n    Second, I think we need to ensure that we overcome the \nresistance to change. Change is difficult for all of us but we \nthe question was posed previously about the difference between \nLos Alamos and Livermore as an example. We have found \nhistorically that there has been strong resistance to change at \nLos Alamos. As much as I admire the laboratory and the work \nthat they do and the people that are there, there is that \nresistance. And that has to be overcome. We have to make sure \nthat the attempt to reduce the footprint that Dr. Anastasio \ndescribed today, that is, reduce the number of vaults, \nconsolidate, actually takes place. We have been advocating that \nfrankly for a long, long time, and our recommendations simply \nhave never been accepted. So there are some common-sense sorts \nof things that I think need to be done and can be done, and \ncertainly the secretary has committed to it, as has Dr. \nAnastasio. And with the right set of oversight principles, I \nthink we can hopefully make progress.\n    Mr. Inslee. I want to ask Dr. Anastasio, I have been told \nthat the DOE failed to incorporate the current safeguards and \nsecurity requirements contained in Order 470 in its contract \nwith LANS when the contract was signed in December 2005. Is \nthat accurate?\n    Mr. Anastasio. My understanding is that the orders that \nwere included did not include the appropriate language that \ncivil penalties could result per the new 10 C.F.R. 824 order. \nSo I believe, and I am not the expert on this, but I believe \nthey were in the contract but it wasn\'t done in the right way \nto make them subject to this new order. But my understand is \nthat has now been fixed.\n    Mr. Inslee. Well, has that been fixed? Are those new orders \ncontractually binding on the contractor now?\n    Mr. Anastasio. My understanding is that is the case right \nnow, yes, sir.\n    Mr. Inslee. OK. Thank you.\n    Mr. Stupak. Mr. Whitfield for questions?\n    Mr. Whitfield. Thank you. Mr. Friedman, they didn\'t give \nyou lunch today, is that my understanding?\n    Mr. Friedman. It doesn\'t show but no I didn\'t.\n    Mr. Whitfield. When we talk about Los Alamos, we are always \ntalking about two basic issues, one, the footprint is way too \nbug, and then second, the culture, what I refer to as culture. \nAnd people keep talking about this resistance to change, and \nMr. Anastasio, you have been at Lawrence Livermore and now you \nare at Los Alamos. How do you characterize this resistance to \nchange? Is that something that is real or is this just \nsomething we just talk about?\n    Mr. Anastasio. I think it is real. I think there is a \nresistance to change, and I think all organizations have \nresistance to change, all individuals do. The employees at Los \nAlamos have been through very tumultuous times over the last \nmany years, and there has been a lot of things happened to \nthem. I think there is a lot of anxiety in the workforce, and \nthat is one of my goals, of course, to stabilize the morale and \nget us focused on the future. And part of that is change, and I \nthink the laboratory has not been through as much change at Los \nAlamos as I experienced at Livermore, having to face during my \ncareer there. But the goal I set out with the laboratory, I \nsaid let us think about it as improvement. It is not change to \nmake your life worse, let us go decide what laboratory we want \nto be that is going to achieve all these goals that are hard to \ndeny, and let us go create that laboratory, the laboratory we \nwant to have, the kind that will serve us in the 21st century. \nAnd I find that employees are responding very much to that. But \nwe have to take them through change. Change is a process, we \nall know, and we are in the middle of that process. We are not \ndone yet. But I feel the laboratory has been very responsive. \nPeople want that kind of leadership, they want to move forward, \nthey don\'t like the fact that they get talked about in hearings \nlike this, and they are very receptive to doing the things they \nneed to do to go forward for the future.\n    Mr. Whitfield. What are the total number of employees, \nincluding independent contractors?\n    Mr. Anastasio. I don\'t have an exact number off the top of \nmy head, but around 13,000.\n    Mr. Whitfield. Right. But the morale has been low just \nbecause of this constant barrage of bad publicity and security \nleaks?\n    Mr. Anastasio. The constant barrage, the change of \ncontractors, the change of directors. Los Alamos is used to \nhaving a director for 10 years, 20 years at a time; and over \nthe last 5 years, maybe we have had three or four different \ndirectors. I mean, there is just this kind of change that has \ngone on that they are not used to, and so we have to move the \nemployees through that.\n    Mr. Whitfield. Of course, you are the one responsible for \ndoing this. How do you feel yourself about the progress that \nyou\'re making right now?\n    Mr. Anastasio. I think we have made some really good \nprogress as I tried to outline in my testimony, some examples \nof very concrete things that we have accomplished. I would be \nanxious to be able to do it even faster than we are doing. That \nwould be my desire, so I am pushing the system. But on the \nother hand, it is very important that we don\'t do this the way \nsome things have been done in the past as well where you do \nBand-Aids because I think Mr. Friedman\'s comment, can we \nsustain this? If it is just one Band-Aid here and the next \nthing comes, there is another Band-Aid there. You are just \nmoving from issue to issue. We need to put in place a system \nthat is sustainable, that puts us not to catch up with the \nthreat that we have but gets in front of it so that we can \nrespond to the future threats. Cyber security is so difficult \nbecause computer technology advances so rapidly, and as that \nadvances, that generates different kinds of threats. So we have \nto put into place a system that is really sustainable for the \nlong term that puts us out in front, as well as putting in \nplace the risk reductions immediately to handle the problems \nthat we have today in trying to catch up to that. We are also \ntrying to build a system that will serve us well into the \nfuture.\n    Mr. Whitfield. Well, we wish you the very best in this, and \nI think everyone in the country is really tired of the issue \nand hope to get it resolved; and I wish you the very best and \nlook forward to continue working with you. I yield back the \nbalance of my time.\n    Mr. Anastasio. Thank you, and we know that we have a \nspecial responsibility for the country; and we are taking that \nvery seriously.\n    Mr. Stupak. Mr. Anastasio, I have got a few questions if I \nmay. Mr. Friedman, could you give him that memo that you were \nlooking at earlier? The second paragraph of this memo from \nLinton Brooks, subject, Pilot of the New National Nuclear \nSecurity Administration Oversight Model at Los Alamos. The \nsecond line says, the arrival of a new management team at Los \nAlamos is an opportunity to take that action. Therefore, you \nare directed to move immediately into a 2-year pilot of our new \noversight model once you have concurred in the Los Alamos \nNational Security, LLC (LANS) Contractor Assurance System. Now \nthat is your group, right?\n    Mr. Anastasio. Yes, sir.\n    Mr. Stupak. So this pilot would apply to your group coming \nin to Los Alamos?\n    Mr. Anastasio. Yes, sir.\n    Mr. Stupak. OK. So you would be familiar with this memo?\n    Mr. Anastasio. I am familiar with this, and I would like to \njust clarify one thing about this pilot and I do know about it, \nof course, and we are off doing our part. This of course is a \nmemo to the site manager to the Federal workforce, not to us. \nBut one thing to be clear on, it was very clear to me and still \nis that this is something that does not apply to security, it \nis something that does not apply to nuclear safety and \nbiohazard facilities. This is something that applies----\n    Mr. Stupak. It deals with the overall management of this \nsite.\n    Mr. Anastasio. It deals with overall management.\n    Mr. Stupak. And look what it says.\n    Mr. Anastasio. The oversight model of security and of \nnuclear operations has not changed because of this pilot. This \npilot is about other things like----\n    Mr. Stupak. Mismanagement of this site. It is totally \nrelated, whether you are dealing with classified, unclassified, \nemployees using drugs, not using drugs, cell phones, not using \ncell phones. It is the whole thing. And it says right here, the \narrival of a new management team. You alluded to it, Mr. \nFriedman alluded to it. You come into a new management team, \nyou are all fired up here to do something but then 6 months we \nlose the enthusiasm, nothing filters down. So instead of having \nmore Federal oversight we are having less Federal oversight \nwith self-assessment by the new management team, the new \nmanagement team which has financial incentives to do well in \ntheir assessment. It seems like the fox is guarding the hen \nhouse in a way.\n    Mr. Anastasio. Just to clarify again, sir, that there is \ntwo issues. There is the management system I use inside the \nlaboratory and how we manage the laboratory and what tools we \nuse to do that----\n    Mr. Stupak. Right, and we are trying to get at how are you \ngoing to be different from the other teams.\n    Mr. Anastasio. That is our Contractor Assurance System that \nis outlined here. This is the management tool I use for all \nactivities.\n    Mr. Stupak. OK.\n    Mr. Anastasio. That management system is transparent to the \nFederal Government so that they can see my dashboard, how I am \ndoing against metrics. There is a second issue which is how \ndoes the Government provide oversight. In this pilot, the \nGovernment will maintain the same level of oversight, if not \nenhance it as what is going on now in things like security and \nlike nuclear safety. The pilot is to try to change the \noversight model for things that aren\'t that. So there is a \nmanagement system which is our Contractor Assurance System \nwhich is my system----\n    Mr. Stupak. And the pilot provides less oversight from a \nFederal point of view, from a DOE point of view?\n    Mr. Anastasio. But not for security.\n    Mr. Stupak. OK. Then let us look at our dashboard, the \nfigure we have looked at today, these charts we have had up \nonce or twice from opening that.\n    Mr. Anastasio. Yes, sir.\n    Mr. Stupak. In 2006, DOE\'s Office of Health, Safety, and \nSecurity found failing or substandard security performance in \n14 of the 17 key areas--that is the chart over there--including \nclassified material protection and control, cyber security, and \nemergency management. The trend was negative compared to 2002. \nMr. Podonsky, the head of that office, testified on January 30, \nour last hearing, that ``Los Alamos received the lowest set of \nperformance ratings for security and emergency management since \n1999.\'\' As you are looking at your dashboard, what explains it? \nWhy are we going downward in our performance, security, cyber \nsecurity?\n    Mr. Anastasio. Just to recall that audit was done last \nfall, between October and December of last year. Of course, I \nam very aware of it and was very concerned by it. We have taken \na number of specific actions to address those issues. I have \noutlined a few of the concrete results of that. The other thing \nI would say is that many audits and reviews have been done \nsince Mr. Podonsky\'s review that you are referring to, and just \nover the last few weeks, Mr. Pike, the DOE CIO, was here----\n    Mr. Stupak. Right.\n    Mr. Anastasio. Not here, was at the laboratory as well as \nthe NNSA CIO; and in talking to those folks after the review, \nthey believe that in fact we have made very significant \nprogress, that we have improved relative to----\n    Mr. Stupak. So what changed the colors on that chart? What \nchanged the red to something other than red, the yellow to at \nleast green, and maybe we can get a blue one on there some day. \nHow do we do it?\n    Mr. Anastasio. Well, I think those are the steps that we \nhave been taking that I have outlined for you today and that I \nbelieve that I have tried to demonstrate that we are very \nserious about this, that we are taking very specific actions, \nthat they are very concrete. Some have resulted in very \ndemonstrable improvement, that we are continuing to focus on \nmaking those improvements, and at that same time getting it in \na way that is sustainable, that we don\'t have to be back here--\n--\n    Mr. Stupak. Look at your dashboard, look at your \nspeedometer. You got another one of these reviews coming up I \nbelieve this fall.\n    Mr. Anastasio. Yes, sir.\n    Mr. Stupak. How fast are we going to be going? What colors \nare we going to see on there?\n    Mr. Anastasio. Well, I want as many greens up there as I \ncan get. That is my goal.\n    Mr. Stupak. OK. On March 28 an employee discovered that 550 \nemployee names and Social Security numbers were posted on the \nWeb site of a former subcontractor and worked for the former \ncompany, Lujan Software Service, to remove this information. Do \nyou have any idea how long that information about these \nemployees were on the Web site?\n    Mr. Anastasio. We are still investigating that issue right \nnow, Mr. Chairman, so I don\'t know for sure how long it has \nbeen there. We believe the data is from the 1998 period is how \nlong it has actually been up on the Web site, we have been \nworking with Mr. Lujan and his company to try to do some \nforensics on the Web site to see if we can understand----\n    Mr. Stupak. Right. It didn\'t have a counter, so we don\'t\' \nknow how many hits it has had.\n    Mr. Anastasio. We are working that. We don\'t have an answer \nto that.\n    Mr. Stupak. It is from 1998 personnel records and was just \ndiscovered in 2007, so it has been there maybe 9 years?\n    Mr. Anastasio. It is potentially that. On the other hand, \nthe information was a name and a Social Security number.\n    Mr. Stupak. Right.\n    Mr. Anastasio. That information was buried in several \nlayers down inside that Web site of a relatively small company. \nSo we are hopeful that there has been little opportunity to \ncompromise it. The second thing that we have done, of course, \nmy first concern in this whole incident was for the employees \nthemselves and we have taken a number of actions to support the \nemployees. And I could go through those, but my point was going \nto be that in fact we have informed all the employees who were \naffected. We have heard back from none of them that say that \nthey had a concern that they think that their information might \nhave been compromised.\n    Mr. Stupak. From this side I tell you, it would be a \nviolation of the contract or subcontract to have this \ninformation out there.\n    Mr. Anastasio. Certainly part of his subcontract was to \nprotect the personal information.\n    Mr. Stupak. Then what action or accountability has been \ntaken for Lujan Software Services?\n    Mr. Anastasio. Well, certainly we have made sure that we \ntook down that information off that Web site. The lawyers and \nworking with the IG, we are doing the investigation to \nunderstand what the----\n    Mr. Stupak. So no enforcement action then?\n    Mr. Anastasio. Have yet but we are still in the middle of \nthe investigation.\n    Mr. Stupak. OK. The Inspector General testimony calls for a \nrisk-based evaluation of cyber security funding at Los Alamos \nto make sure that the resources are available for revised cyber \nsecurity policies. Has your organization undertaken this \nevaluation? When will it be complete? And do you have an \nestimate of that potential cost?\n    Mr. Anastasio. Yes, every year of course we given input to \nthe Department on our funding requirements to meet the goals \nthat they set out for us. So we do that every year. In \naddition, we have been in discussion with the Department about \nextending this idea of super vault-type rooms and made some \nestimates of what that might cost to--if this works like we \nhope, which we will learn as we run this pilot. We have been \ndiscussing with them as well what it would take to propagate \nthat through the site in the way we would like over several \nyears.\n    Mr. Stupak. Do you have any numbers or anything for us?\n    Mr. Anastasio. I think it is premature to tell you what the \nnumber is. I think we have made some very simple estimate. Let \nme just say many tens of millions of dollars.\n    Mr. Stupak. OK.\n    Mr. Anastasio. I hope that is useful.\n    Mr. Stupak. Well, I said earlier, it is not get out of jail \nfree, it is not Monopoly, it is not paper money, it is \ntaxpayers\' money and the monopoly--let me ask you a little bit \nabout that. You are at Sandia. Did you have the contract at \nSandia, too? Did you manage that lab?\n    Mr. Anastasio. No, it does not.\n    Mr. Stupak. Is this the only lab where for 63 years, \nbasically the life of this lab, one entity has had \nresponsibility there?\n    Mr. Anastasio. It is certainly the only one in 63 years \nbecause Los Alamos was the first lab, of course, of that \nnature. The Lawrence Berkley Lab also has been under the UC \ncontract. It is not a national security site but it is a DOE \nlaboratory. But then the PNL Lab up in Washington has been \nunder the same contractor, and I think that is coming up for \ncompetition and I don\'t remember exactly when but in the near \nterm. So there are other sites that have had one contractor for \nmany decades but----\n    Mr. Stupak. Well, if you have open contractor, we have \nSecretaries come and go and members come and go and there is \nreally no incentive to make that change, to bring forth any \nkind of change it seems like if you are always getting the same \ncontract and no matter how many hearings we have and things \nlike this. And your board is still 50 percent UC.\n    Mr. Anastasio. But as you said to me or the committee or \nsubcommittee said to me earlier in a question, why didn\'t we \nsee these problems at Livermore, and I spent most of my career \nat Livermore which was under UC contract, too. So I don\'t think \nthese problems are fundamentally an issue of the contractor per \nse, I think it is about the local situation more than it is the \nfundamental issue of the contractor. That is my personal view. \nBut I would also say that I am very personally motivated to \nmake Los Alamos a success. This is certainly something that I \nbelieve is very important for the country, and I can certainly \nspeak for all the employees there, that they are very concerned \nabout their role in these turbulent times the country faces to \nfulfill their role, to help the country\'s security.\n    Mr. Stupak. No one questions your commitment to the \nprocess, but as we have heard over and over again from many, \nmany people sitting in those chairs, they are all enthused, \nthey are all excited, it goes for a while, it fizzes out, and \nit never seems to get down to the other 13,000 employees. We \nhave the guards striking at places, performance reviews seem to \ngo from bad to worse, and believe me, we don\'t like being here \nanymore than you do and having to got through these hearings.\n    Any further questions for anyone? I ask that the memo be \nmade a part of the record, that our discovery book that we all \nagreed upon earlier be made part of the record except for the \nOfficial Use ones we will not make a part of the official \nrecord. We won\'t put the OU documents in.\n     With that we will keep the record open for 30 days and for \nfollow-up questions for Secretary Bodman. I am sorry he had to \nleave. I am sure we will catch him back at another time, \nhopefully not in the real near future. And with that, we will \nlet you go, Mr. Friedman. Get lunch and thank you for your time \nand effort. The hearing is adjourned.\n    [Whereupon, at 1:10 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n                    Testimony of Hon. Samuel Bodman\n\n    Chairman Stupak, Congressman Whitfield, and Members of the \nSubcommittee, I\'m pleased to appear before you to discuss what \nI consider to be one of the most pressing management issues \nconfronting the Department of Energy (DOE). Since coming to the \nDepartment, one of my top goals has been to institute a safer, \nmore secure work environment across the DOE complex. And I have \nmeant this to include physical safety and security as well as \ncyber security. I want to be absolutely clear here: the \nprotection of sensitive information is essential to our ability \nto meet our mission as a Department.\n    This testimony is intended to describe the steps that we \nhave taken to improve security within the Department of Energy \nfollowing last year\'s incident at Los Alamos National \nLaboratory (LANL). In particular, I will discuss improvements \nthat have occurred since Deputy Secretary Sell last testified \nbefore you in January of this year. I would preface this \ndiscussion with two over-arching points: first, we have made \nsignificant progress over the past few months, and I am \nconfident that we are on the right track. But, we are not \nsatisfied. We are staying on top of this issue, and we continue \nto look for ways to identify and correct any potential \nweaknesses.\n    And I hasten to add that the entire senior leadership team \nat DOE--including myself, Deputy Secretary Sell, and National \nNuclear Security Administration (NNSA) Acting Administrator Tom \nD\'Agostino--remain strongly committed to improving security at \nthe entire DOE complex and to keeping this Committee closely \ninformed of our progress.\n\n          Senior Management Changes and DOE Oversight Actions\n\n    First, let me describe the senior management and oversight \nchanges that we have made at the Department level. In January, \nI made the difficult decision to replace the Under Secretary \nfor Nuclear Security, and Thomas D\'Agostino was named as the \nActing Under Secretary and NNSA Administrator. In addition, \nNNSA has reassigned the Los Alamos Site Office (LASO) Manager \nand has put one of its strongest managers, Daniel Glenn--\nformerly of the Pantex Site Office, in place as Acting Manager. \nWe are making changes to the Los Alamos National Security, LLC \n(LANS) contract to mandate further improvements, and we have \nincreased the planned fiscal year 2008 investment in cyber \nsecurity significantly.\n    In addition, following the event at LANL this past October, \nI formed two teams consisting of the Department\'s three Under \nSecretaries, the Chief of Health, Safety, and Security, and the \nChief Information Officer: a Personnel Security Task Force and \na Cyber Security Review Team. I asked them to make specific \nrecommendations based on the Department\'s Inspector General \nreport on the LANL incident.\n    The Personnel Security Task Force submitted its report on \nFebruary 28, 2007. It recommended improvement in several areas. \nI have accepted their recommendations and have directed \nimplementation to begin immediately of the following:\n    <bullet> Enhanced mandatory training for those involved in \nthe granting of security clearances,\n    <bullet> Strengthened Departmental policy on drug testing \nfor those that hold security clearances,\n    <bullet> Enhanced quality assurance oversight to increase \nconfidence in the suitability of those granted a security \nclearance; and\n    <bullet> Revised the personnel security organizational \nstructure to increase the authority and ensure greater \naccountability for the Personnel Security Program.\n    I have also directed that all of the recommendations made \nby the Cyber Security Review Team that have not already been \nimplemented, be implemented immediately. To that end, issuance \nof a revised cyber security policy [DOE Order 205.1A] was \ncompleted on December 4, 2006. And, the new National Security \nManual was issued on March 8, 2007. The Cyber Security Task \nForce also recommended the following, which we are in the \nprocess of implementing:\n    <bullet> Mandatory separation of duties for key positions, \nsuch as Information System Security Officers and System \nAdministrators,\n    <bullet> Improved training for all individuals with cyber \nsecurity responsibilities; and\n    <bullet> Improved line management oversight of cyber \nsecurity.\n    We are also taking steps to further strengthen the \noversight by NNSA of LASO. The NNSA Acting Administrator has \ndirected the NNSA Chief Information Officer to work very \nclosely with Site Office management to ensure cyber security \nrequirements are implemented by LANL. To ensure that these \nrequirements are fully implemented, the Designated Approval \nAuthority position for cyber security has been strengthened \nwithin the LASO management structure. This position will report \ndirectly to the Site Office Manager and is in the process of \nbeing filled. Working in concert with the Site Office and NNSA \nmanagement additional cyber security personnel will be hired to \nbolster the cyber security staff and program within the Site \nOffice.\n    Further, Acting Administrator D\'Agostino has requested that \nDOE\'s Office of Health, Safety and Security conduct annual \ninspections at Los Alamos for the next three years. This month, \nboth NNSA\'s Office of Defense Nuclear Security and CIO will \ninspect LANL for the cyber and physical security programs. The \nSite Office will conduct annual surveys--and regular \nobservations--of the Lab\'s security programs.\n    We are also exercising the Department\'s new authorities \nunder 10 CFR 824, Procedural Rules for the Assessment of Civil \nPenalties for Classified Information Security Violations. The \nDOE Office of Enforcement has completed its review of the LANL \nincident and last week the Department held an enforcement \nconference with the Lab\'s current management and operating \ncontractor, LANS, and with the former contractor, the \nUniversity of California. Similar to the process we use for \nPrice-Anderson enforcement, both contractors now have the \nopportunity to respond before we make a decision regarding a \nPreliminary Notice of Violation.\n    Finally, I would just add that I continue to be in close \ncontact with the senior leadership of the Laboratory and the \nLANS Board.\n\n Corrective Actions by LANL Management & Operating Contractor LANS, LLC\n\n    Even while these Departmental reviews and changes have been \nunderway, LANS has moved ahead with corrective actions. \nFollowing the incident, LANS immediately strengthened its \nescorting procedures, initiated mandatory entry and exit \ninspections of vault-type room visitors, and increased the \nnumber of exit inspections at other security boundaries ten-\nfold.\n    One of the issues identified as a contributing cause to \nthis incident was the span of classified activities. LANS \ncontinues on schedule to move to a diskless environment, \nreducing the number of pieces of classified removable \nelectronic media (CREM) and the number of classified paper \ndocuments. LANL recognizes their volume of classified holdings \nis unnecessarily large, conducted in too many security areas, \ninvolves too many people, and is spread out over too large of \nan area. As a result, LANS is aggressively reducing the number \nof locations where they hold and process classified matter. \nLANS will more closely scrutinize the continued need for \nexisting security operations or the establishment of a new \nsecurity area. This will enable them to better focus \nprofessional security resources to provide stronger management \nand oversight of classified operations.\n    To achieve this reduction, LANS has proposed, and NNSA has \napproved, a new consolidated vault-type room (VTR) concept to \ncreate classified matter storage and processing centers \nthatwill reduce the number of security areas and enhance the \naccountability and control of classified matter. The first \n"Super" VTR is planned to open on June 1, 2007.\n    The Weapons Engineering Division at LANL plans to close \nthree VTRs immediately, three more by the end of April, and \nanother five by the end of fiscal year 2007, a reduction of 50 \npercent. This division also plans to further reduce its CREM \nholdings by 90 percent, from 364 to a dozen or so pieces in the \nnear term. Another division within LANL, the Weapons Physics \nDivision, currently has six VTRs; it will close three by the \nend of fiscal year 2007. The classified materials in these VTRs \nwill be archived, destroyed, or re-located as appropriate. \nThese reductions are just examples of progress that will reduce \nsecurity risk without reducing the productivity of our \nscientists and engineers.\n    While this incident occurred during the early stage of \nLANS\' contract, I hold it accountable for the incident, and for \nrectifying the situation, just as I would at any DOE site \nmanaged by any contractor.\n    The LANS Board of Governors has also taken an active role \nin reviewing and validating the adequacy of LANL\'s corrective \nactions. The Board is closely monitoring the Laboratory\'s \nintegrated corrective action plan which was developed to \naddress the root causes of the incident identified during the \nincident inquiry. LANS has reassigned cyber security \nresponsibilities to the Chief Security Officer who reports \ndirectly to the Laboratory Director. The Board has also made a \nsignificant effort to employ the collective power of the LANS \nmember companies through the use of Assess, Improve, and \nModernize, or AIM Teams from the member companies to conduct \noversight assessments and make recommendations for improvement. \nThe Board has taken aleadership role in numerous other ways as \nwell, but most importantly, it has opened a clear line of \ncommunication with me and the Acting NNSA Administrator. I talk \nto the Chairman of the LANS Board of Governors, Gerald Parsky \non a regular basis. In fact, we met with the Chairman and Vice \nChairman of the Board of Governors in person two weeks ago.\n\n                        Concluding Observations\n\n    While we have made significant improvements and changes in \npersonnel and cyber security programs, I believe that in order \nto guard against future incidents, we must continually improve \nthe security culture across the DOE complex. And we will.\n    In closing, let me just say this: the men and women who \nwork at LANL and all our National Laboratories are among the \nworld\'s most talented scientists and engineers. Since their \nfounding, these Laboratories have demonstrated again and again \nthe tremendous power--and promise--of science to help our \nnation solve its greatest challenges. But such a system cannot \ntolerate any lapses in security--be they in the physical or \ncyber realm. Protecting critical information and maintaining a \nvibrant, collaborative scientific culture are not mutually \nexclusive goals. Quite the opposite is true. In this case, you \nabsolutely cannot achieve one without the other. And, you \ncontinue to have my word that I will do everything in my power \nto support both objectives. The American people deserve no \nless.\n    This concludes my statement. I will be pleased to respond \nto your questions. Thank you.\n                              ----------                              \n\n\n                   Testimony of Michael R. Anastasio\n\n    Good morning Chairman Stupak, Ranking Member Whitfield, and \nMembers of the Subcommittee. Thank you for the opportunity to \nupdate you on our progress.\n    I am Michael Anastasio, director of Los Alamos National \nLaboratory since June 2006, and president of Los Alamos \nNational Security, LLC.\n    I am pleased to report that we have continued to make \nsignificant progress on many fronts since I last addressed this \nSubcommittee 11 weeks ago. Today, in keeping with the subject \nof this hearing, I will focus on security. As I expressed at \nthe last hearing, I personally take the issue of security at \nLos Alamos very seriously. We are entrusted with some of the \nNation\'s most important secrets and I view their safeguarding \nas one of my most significant responsibilities.\n    First, we have significantly cut our risks in both cyber \nand physical security. This includes reducing and consolidating \nour classified holdings, per the subcommittee\'s stated concern. \nSecond, we are taking additional actions to make policy clear \nand consistent--and to change employee behavior. Third, we are \nputting in place comprehensive corrective actions with a major \nfocus on long-term sustainability.\n    My management team, my Board of Governors, and I are taking \na number of specific actions to reduce risk.\n    Cyber security.  We now have positive control over both our \nclassified computer ports, using a combination of software, \nphysical locks, and tamper-indicating devices. All of our \nclassified systems have been inspected and found to be \ncompliant. We have reduced the number of stand-alone classified \nsystems by 28 percent.\n    Physical security. We have made our vault escort \nrequirements clearer and much tougher, requiring the search of \nall belongings carried by those escorted in and out of vaults. \nBy December, we will have reduced our accountable classified \nremovable electronic media (known as ACREM) by 50 percent. We \nhave destroyed almost 1,500 classified parts and 500 boxes of \nclassified documents that we inherited. We have eliminated 14 \nvault-type rooms, a reduction of 10 percent--with more to come.\n    Policy and behaviors. In the area of policy and behaviors, \nwe have uniformly trained our Information Systems Security \nOfficers (ISSOs) and are hiring senior ISSOs in all key \norganizations to provide consistency throughout the Laboratory.\n    We are making our cyber security policy clearer and \nsimpler. In addition to mandatory training, we will promote the \nright behavior through active employee participation. For \nexample, we will directly involve employees through worker-led \nsecurity teams at multiple levels.\n    On March 5, we launched an enhanced substance abuse \nprogram. Every newly hired employee is tested for illegal \ndrugs, and every badgeholder is now subject to random testing, \nregardless of his or her clearance level.\n    New type of vault-type room. For long-term effectiveness \nand sustainability, we have begun constructing a super vault-\ntype room, the first of its kind. This will allow us to \nconsolidate and control classified information uniformly. At \nthe same time, it will give authorized users efficient access.\n    I expect to complete construction of the first functional \nprototype by June. This project will initially allow us to \nclose at least six more vault-type rooms and reduce our ACREM \nlibraries by nearly one-third.\n    By constructing additional super vault-type rooms, we will \nreduce the number of classified vaults to an absolute minimum, \nconsistent with our operational requirements.\n    Validation, verification & oversight. We have been careful \nto embed validation and verification into our corrective action \nplans to sustain all these efforts and to prevent backsliding. \nMoreover, everything we\'re doing is being closely scrutinized \nonly by Congress but by my own Board of Governors and by DOE, \nNNSA, and other oversight bodies. I welcome that continuing \nscrutiny. It validates that we\'re heading in the right \ndirection--and keeps our eye on the ball.\n    As I testified previously on this issue, there are no \n``silver bullets\'\' where security is concerned. But, with these \nsecurity enhancements, and Board of Governors support and \noversight, we are aggressively moving Los Alamos in the right \ndirection, as we are on many other fronts vital to the Lab\'s \nmission.\n    Thank you again for the opportunity to testify. I would be \npleased to answer any questions you may have.\n                              ----------                              \n\n\n                    Statement of Gregory H. Friedman\n\n    Mr. Chairman and members of the Subcommittee, I am pleased \nto be here at your request to testify on the concerns expressed \nin your April 5 letter regarding operations at the Los Alamos \nNational Laboratory.\n\n                               Background\n\n    In January of this year, I testified before this \nsubcommittee on the special inquiry conducted by my office \nregarding the diversion of classified data from the Los Alamos \nNational Laboratory. Specifically, at the request of the \nSecretary of Energy, we examined the efforts of the Department \nand its contractors to protect classified information and the \nsteps that were taken to ensure that only authorized \nindividuals had access to such information. Our report on this \nmatter was issued on November 27, 2006.\n\n                   Office of Inspector General Review\n\n    The Office of Inspector General (OIG) found that the \nsecurity environment at Los Alamos was inadequate, despite the \nexpenditure of millions of dollars by the National Nuclear \nSecurity Administration to upgrade various components of the \nLaboratory\'s security apparatus.\n    In particular, related to the cyber security control \nstructure, we found that:\n    <bullet> Certain computer ports, which could have been used \nto inappropriately migrate information from classified systems \nto unclassified devices and computers, had not been disabled;\n    <bullet> Classified computer racks were not locked;\n    <bullet> Certain individuals were inappropriately granted \naccess to classified computers and equipment to which they were \nnot entitled;\n    <bullet> Computers and peripherals that could have been \nused to compromise network security were introduced into a \nclassified computing environment without approval; and,\n    <bullet> Critical security functions had not been \nadequately separated, essentially permitting system \nadministrators to supervise themselves and override controls.\n    In many cases, Laboratory management and staff had not: \ndeveloped policies necessary to protect classified information, \nenforced existing safeguards, or provided the attention or \nemphasis necessary to ensure protective measures were adequate. \nSome of the security policies were conflicting or applied \ninconsistently. We also found that Laboratory and Federal \nofficials were not as aggressive as they should have been in \nconducting security reviews and physical inspections. In short, \nour findings raised serious concerns about the Laboratory\'s \nability to protect both classified and sensitive information \nsystems.\n    The OIG also reviewed certain aspects of the security \nclearance process in place for Laboratory employees. We \nidentified particular weaknesses associated with this program \nwhich were discussed in a closed session of this subcommittee \nin January of this year.\n\n                         Departmental Response\n\n    After this incident was discovered, Department and \nLaboratory management officials launched several efforts to \nidentify and correct control deficiencies that contributed to \nan environment in which classified information could be removed \nwithout authorization. In particular, the Deputy Secretary \ndirected an immediate review of policies and practices related \nto computer ports at each of the Department\'s facilities. \nFurther, the Secretary established two high-level Task Forces \nto address our findings. The reports of the Secretary\'s Task \nForces and a list of the proposed corrective actions were \nprovided to my office last week.\n    The report from the Department\'s Committee to Review the \nCyber Security-related Recommendations indicated concurrence \nwith the OIG\'s report and specified that the Department had \ninitiated corrective actions that involved revising policy, \nsecuring unneeded ports, limiting access and privileges, and \nmaintaining separation of duties. The report also indicated \nthat controls over security planning and accreditation and \nphysical inspections were to be strengthened and that \ncorrective actions would be tracked to resolution.\n    The Personnel Security Program Review Task Force analyzed \nthe OIG report and agreed that there were personnel security \nprogram weaknesses. The Task Force addressed the security \nclearance issues raised in our November 2006 report. \nSpecifically, it identified and developed recommendations for \nimproving Department-wide training, policy, quality assurance \nand oversight, and organizational structure. Additional details \nare contained in the Task Force\'s report, which has been marked \nby the Department as "Official Use Only."\n    Many of the corrective actions outlined by the two Task \nForces are in progress. However, implementation and execution \nare key. If properly carried out, the corrective actions should \nimprove classified operations at Los Alamos and could help \nprevent similar incidents at Departmental facilities around the \ncomplex.\n\n                 Issues Requiring Continuing Attention\n\n    As I have testified on several occasions, the Department \nmust do a better job addressing the recurring challenges it \nfaces. Specifically:\n      1. With regard to the current matter, the Department must \nensure that all actions and recommendations outlined in the \nTask Force Reports are formalized into policy and adopted as \npractice throughout the Department. As part of that effort, \nthese policies should be incorporated into all facility \ncontracts.\n      2. To achieve the recommended reforms, the Department \nmust establish firm schedules with specific implementation \ntimelines and performance metrics.\n      3. Both Federal and contractor officials need to manage \nmore aggressively. As part of that process, the Department \nneeds to ensure that its Federal contract management function \nis adequately staffed and that the skill mix is appropriate. In \naddition, Department and Laboratory officials must develop a \nmore comprehensive regimen of compliance testing and follow-up \nto ensure that security policies and procedures are rigorously \nfollowed.\n      4. Individuals and institutions, both Federal and \ncontractor, must be held accountable for failure to follow \nestablished security measures. As it has begun to do in its \nresponse to the recent Los Alamos incident, the Department \nshould emphasize that the failure to properly protect \nclassified information and materials will have meaningful \nconsequences.\n    Finally, consistent with our November 2006 recommendation, \nwe continue to believe that the Department should perform a \nrisk-based evaluation of cyber security funding at Los Alamos. \nThe objective of this evaluation would be to ensure that the \nresources are available for complete implementation of the \nrevised cyber security policies and procedures.\n\n                   Ongoing Inspector General Efforts\n\n    For the past 5 years, we have identified both cyber and \nphysical security as pressing management challenges. For these \nreasons, and because of the recent incidents, the Office of \nInspector General continues to be concerned about security \nacross the complex. We have ongoing activities to examine \ninformation technology and systems security; implementation of \nrevised security measures; disposal of sensitive property; and, \nissues related to protective force training.\n    In addition to our on-going work, the full Committee, in \nJanuary 2007, requested that the Government Accountability \nOffice (GAO) examine the security of the Department\'s \nunclassified and classified information networks and its cyber \nsecurity programs. My office coordinates closely with GAO on \nreviews of the Department, and we believe that the assessment \nrequested by the Committee will lead to a strengthened agency-\nwide security posture. My office will continue to conduct \naudit, inspection, and investigative work that will complement \nthe review requested by the Committee.\n    Mr. Chairman, this concludes my statement and I would be \npleased to answer any questions you may have.\n\n                                 <all>\n\x1a\n</pre></body></html>\n'