[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 
     CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY

=======================================================================




                                HEARINGS

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                       JANUARY 30, APRIL 20, 2007

                               __________

                            Serial No. 110-1


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov




                      U.S. GOVERNMENT PRINTING OFFICE
35-446 PDF                    WASHINGTON  :  2007



                    COMMITTEE ON ENERGY AND COMMERCE

                  JOHN D. DINGELL, Michigan, Chairman

HENRY A. WAXMAN, California          JOE BARTON, Texas
EDWARD J. MARKEY, Massachusetts          Ranking Minority Member
RICK BOUCHER, Virginia               RALPH M. HALL, Texas
EDOLPHUS TOWNS, New York             J. DENNIS HASTERT, Illinois
FRANK PALLONE, Jr., New Jersey       FRED UPTON, Michigan
BART GORDON, Tennessee               CLIFF STEARNS, Florida
BOBBY L. RUSH, Illinois              NATHAN DEAL, Georgia
ANNA G. ESHOO, California            ED WHITFIELD, Kentucky
BART STUPAK, Michigan                BARBARA CUBIN, Wyoming
ELIOT L. ENGEL, New York             JOHN SHIMKUS, Illinois
ALBERT R. WYNN, Maryland             HEATHER WILSON, New Mexico
GENE GREEN, Texas                    JOHN SHADEGG, Arizona
DIANA DeGETTE, Colorado              CHARLES W. ``CHIP'' PICKERING, 
    Vice Chairman                    Mississippi
LOIS CAPPS, California               VITO FOSSELLA, New York
MIKE DOYLE, Pennsylvania             STEVE BUYER, Indiana
JANE HARMAN, California              GEORGE RADANOVICH, California
TOM ALLEN, Maine                     JOSEPH R. PITTS, Pennsylvania
JAN SCHAKOWSKY, Illinois             MARY BONO, California
HILDA SOLIS, California              GREG WALDEN, Oregon
CHARLES A. GONZALEZ, Texas           LEE TERRY, Nebraska
JAY INSLEE, Washington               MIKE FERGUSON, New Jersey
TAMMY BALDWIN, Wisconsin             MIKE ROGERS, Michigan
MIKE ROSS, Arkansas                  SUE MYRICK, North Carolina
DARLENE HOOLEY, Oregon               JOHN SULLIVAN, Oklahoma
ANTHONY D. WEINER, New York          TIM MURPHY, Pennsylvania
JIM MATHESON, Utah                   MICHAEL C. BURGESS, Texas
G.K. BUTTERFIELD, North Carolina     MARSHA BLACKBURN, Tennessee
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana

                                 ______

                           Professional Staff

                 Dennis B. Fitzgibbons, Chief of Staff

                  Gregg A. Rothschild, General Counsel

                     Sharon E. Davis,  Chief Clerk

                 Bud Albright, Minority Staff Director

                                 ______

              Subcommittee on Oversight and Investigations

                    BART STUPAK, Michigan, Chairman

DIANA DeGETTE, Colorado              ED WHITFIELD, Kentucky
CHARLIE MELANCON, Louisiana              Ranking Minority Member
HENRY A. WAXMAN, California          GREG WALDEN, Oregon
GENE GREEN, Texas                    MIKE FERGUSON, New Jersey
MIKE DOYLE, Pennsylvania             TIM MURPHY, Pennsylvania
JAN SCHAKOWSKY, Illinois             MICHAEL C. BURGESS, Texas
JAY INSLEE, Washington               MARSHA BLACKBURN, Tennessee



                             C O N T E N T S

                              ----------                              

                            JANUARY 30, 2007

Barton, Hon. Joe, a Representative in Congress from the State of
  Texas, opening statement
Burgess, Hon. Michael C., a Representative in Congress from the
  State of Texas, opening statement
DeGette, Hon. Diana, a Representative in Congress from the State
  of Colorado, opening statement
Dingell, Hon. John D., a Representative in Congress from the
  State of Michigan, opening statement
Green, Hon. Gene, a Representative in Congress from the State of
  Texas, prepared statement
Murphy, Hon. Tim, a Representative in Congress from the
  Commonwealth of Pennsylvania, opening statement
Stupak, Hon. Bart, a Representative in Congress from the State of
  Michigan, opening statement
Walden, Hon. Greg, a Representative in Congress from the State of
  Oregon, opening statement
Whitfield, Hon. Ed, a Representative in Congress from the
  Commonwealth of Kentucky, opening statement

                               Witnesses

Anastasio, Michael R., Director, Los Alamos National Laboratory
    Prepared statement
    Answers to submitted questions
Brian, Danielle, executive director, Project on Government
  Oversight
    Prepared statement
D'Agostino, Hon. Thomas P., Acting Administrator, National
  Nuclear Security Administration
    Prepared statement
Friedman, Gregory H., Inspector General, U.S. Department of
  Energy
    Prepared statement
Podonsky, Glenn S., Chief Health, Safety and Security Officer,
  Office of Health, Safety and Security, U.S. Department of
  Energy
    Prepared statement
Pyke, Thomas N. Jr., Chief Information Officer, U.S. Department
  of Energy
    Prepared statement
Sell, Hon. Clay, Deputy Secretary, U.S. Department of Energy
    Prepared statement
Wilbanks, Linda, Chief Information Officer, National Nuclear
  Security Administration
    Prepared statement

                             APRIL 20, 2007

Blackburn, Hon. Marsha, a Representative in Congress from the
  State of Tennessee, opening statement
Burgess, Hon. Michael C., a Representative in Congress from the
  State of Texas, opening statement
DeGette, Hon. Diana, a Representative in Congress from the State
  of Colorado, prepared statement
Dingell, Hon. John D., a Representative in Congress from the
  State of Michigan, opening statement
Doyle, Hon. Mike, a Representative in Congress from the
  Commonwealth of Pennsylvania, opening statement
Green, Hon. Gene, a Representative in Congress from the State of
  Texas, prepared statement
Stupak, Hon. Bart, a Representative in Congress from the State of
  Michigan, opening statement
Walden, Hon. Greg, a Representative in Congress from the State of
  Oregon, opening statement
Whitfield, Hon. Ed, a Representative in Congress from the
  Commonwealth of Kentucky, opening statement

                               Witnesses

Anastasio, Michael R., director, Los Alamos National Laboratory,
  Los Alamos, NM
    Prepared statement
Bodman, Hon. Samuel, Secretary, U.S. Department of Energy
    Prepared statement
Friedman, Hon. Gregory H., Inspector General, U.S. Department of
  Energy
    Prepared statement


     CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY

                              ----------                              


                       TUESDAY, JANUARY 30, 2007

                  House of Representatives,
                  Committee on Energy and Commerce,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:00 a.m., in 
room 2123, Rayburn House Office Building, Hon. Bart Stupak 
(chairman of the subcommittee) presiding.
    Present: Representatives Stupak, DeGette, Melancon, Green, 
Dingell [ex officio], Whitfield, Walden, Burgess, Murphy, and 
Barton [ex officio].
    Also present: Representatives Udall of New Mexico and 
Wilson of New Mexico.
    Staff present: John F. Sopko, Christopher Knauer, Voncille 
T. Hines, Rachel Bleshman, Peter Goodloe, Christopher Treanor, 
Jodi Seth, Alec Gerlach, Alan Slobodin, Dwight Cates, and 
Matthew Johnson.

  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Stupak. This meeting will come to order on the Energy 
and Commerce Committee, Subcommittee on Oversight and 
Investigations. This hearing, which will be the first of the 
110th Congress, is entitled, Continuing Security Concerns at 
Los Alamos National Laboratory.
    We will begin with the Members' opening statements.
    Los Alamos National Laboratory is a place of great history. 
It is home to many of our Nation's most secret of weapons 
development, and yet it is also home to some embarrassing lax 
security protocols.
    During my 12 years on the Oversight and Investigations 
Subcommittee, I have sat through far too many hearings 
detailing problem after problem at Los Alamos.
    Now as I take over as chairman of this distinguished 
subcommittee, I find myself presiding over yet another hearing 
about inadequate security at the lab. The latest security 
debacle begins in October 2006 when Los Alamos County Police 
responded to a call at a private residence and discovered 
several hundred pages of classified and unclassified materials 
as well as electronic files that were stolen from the Los 
Alamos National Laboratory.
    Documents were taken from the lab by a subcontract 
employee. The employee simply walked out of the lab with stolen 
documents in her purse or on a thumb drive which she easily 
inserted into open ports on classified computers.
    Over the last 8 years, this subcommittee has held 11 
hearings into various security lapses at Los Alamos. I have 
this chart which I will enter into the official record 
illustrating 11 hearings that this committee has held. These 
hearings have ranged from the Wen Ho Lee case in 1999 to the 
removal of Classified Removable Electronic Media, CREM, in 2005 
in the cyber security hearings we held in June 2006.
    Throughout these hearings, Members have heard time and 
again how the Department of Energy and the lab managers were 
going to improve security. We have heard excuse after excuse 
and plan after plan of how the lab would improve security. The 
DOE went so far as to competitively bid out the lab's operation 
in the hope that a new management team would bring about 
change, security and accountability.
    But DOE awarded the contract to a consortium that includes 
the previous contractor, the University of California. With 
this brilliant decision, did anyone really expect the laissez 
faire culture of Los Alamos to change?
    As a result of our investigation, I have a number of 
questions that need to be answered today. How and why did the 
October security breach occur? What is the potential and 
overall actual harm to national security as a result of the 
breach? Why do security breaches continue to plague Los Alamos? 
What plans do Los Alamos, DOE and the National Nuclear Security 
Administration have for preventing breaches at Los Alamos? Who 
is accountable for the most recent security breach at Los 
Alamos? What tools are available to the Federal Government to 
hold Los Alamos accountable for the latest security breach?
    For example, new accountability rules allow DOE to penalize 
contractors and their subcontractors for violations of DOE 
rules, regulations and orders regarding the safeguarding of 
restricted data and other classified information. Based upon 
our staff's investigation, my real concern here is whether DOE 
is using these tools, or is it just giving contractors a slap 
on the wrist for egregious security violations? Are the tools 
available for the Federal Government to adequately deter 
security breaches? This incident does raise serious questions 
about the manner and policies of the Department of Energy in 
granting the security clearances to employees. This question, 
as well as many others, will of course have to be answered in 
closed session due to their sensitivity.
    During the last hearing in 2006, I became so fed up that I 
asked the question, ``What do we do at Los Alamos that could 
not be done at our other National Laboratories?'' I was serious 
when I asked that question back then, and I must tell you I 
have been asking myself the same question again in recent 
months.
    I am a former police officer, and in Michigan, we like to 
use auto analogies. For far too long we have essentially been 
issuing parking tickets to Los Alamos. In July 2004, we 
essentially put a boot on the lab when it was shut down for 7 
months to clean up its act. This cost the American taxpayers 
more than $350 million and was supposed to result in a more 
secure facility. Unfortunately, there has been yet another 
breach not long after Los Alamos reopened. Los Alamos did not 
change after repeated tickets. It did not change after putting 
a boot on. And now, I am convinced that we may need just to tow 
the car.
    Something drastic must be done at Los Alamos in order to 
change the systemic security problems. The American people 
demand and deserve the highest level of protection of our 
national secrets. If the Department and the lab won't change, 
provide security at our labs, Congress must explore ways to 
protect our security. Therefore I will, in cooperation with my 
friends on the minority side, be asking the Government 
Accountability Office to perform a comprehensive audit of all 
services performed at Los Alamos.
    I will ask them to evaluate whether the footprint and 
mission at the lab is too large.
    I will also ask them to evaluate the possibility of 
consolidating and moving many of the classified operations at 
Los Alamos to another lab, such as Sandia where there is a 
willingness among the employees and management to heed our 
advice. I will not tolerate continued security lapses and 
thumbing of their nose at Congress.
    Finally, it is my understanding that Secretary Bodman has 
asked for additional reviews of Los Alamos's security and that 
the reports of the review are due at the end of February. It is 
our expectation that the Department will take these reviews 
seriously, provide concrete answers and submit detailed plans 
to remedy the security lapses.
    I fully expect Secretary Bodman will appear before this 
subcommittee to articulate what has and will be done to improve 
security at Los Alamos.
    In conclusion, I am pleased that the first hearing of the 
O&I Committee is truly a bipartisan effort by myself, the 
ranking member and our staffs. This is what I hope will be the 
first of many bipartisan efforts to make our country safer and 
our government more effective.
    Thoughtful and tough oversight is neither Republican nor 
Democratic. It is just good government. I salute the former 
chairman and his staff for all their work in this inquiry. I 
look forward to continuing to work with him.
    The Constitution entrusted Congress with a solemn duty to 
oversee the activities of the executive branch. Oversight is 
the only way Congress can assure that our laws are adequately 
and properly administered.
    Without effective oversight, how can Members of Congress 
truly determine with confidence what additional laws are 
needed? As chairman of the subcommittee, I plan to be 
persistent in our oversight responsibilities, fully realizing 
that Congress's power to probe is a necessary tool of our 
democracy that is best wielded in a nonpartisan manner.
    Again, I want to thank our former chairman, the gentleman 
from Kentucky. I look forward to working with all the members 
of the committee and the Subcommittee on Oversight and 
Investigations. With that, I would yield to Mr. Whitfield.

  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY

    Mr. Whitfield. Mr. Chairman, thank you so much for holding 
this important hearing, and I certainly want to congratulate 
you on your new responsibilities as chairman of this 
subcommittee.
    As you said, we have held several hearings to review 
ongoing security problems at Los Alamos over the last 3 or 4 
years.
    And as long as it is important that we continue to do so, I 
am delighted that we are continuing to hold these hearings.
    Prior investigations led by this subcommittee have 
uncovered the details of the 1999 Wen Ho Lee case, the 2000 
NEST team hard drive incident, and several incidents in 2003 
and 2004 relating to the improper handling and destruction of 
classified removable electronic media, and then, in 2004, 
operations at Los Alamos were shut down for a 6-month period in 
an attempt to deal with many of these problems.
    At each subcommittee hearing, Los Alamos officials have 
promised to solve ongoing security problems.
    But they have failed to follow through.
    I was pleased when the Department recently decided to 
compete the Los Alamos contract for the first time in over 60 
years.
    In June 2006, a new consortium named Los Alamos National 
Security began operations at its site. In its contract, LANS 
has made several commitments to solve the security problems at 
Los Alamos. Unfortunately for LANS, only 4 months passed before 
the most recent security incident occurred. In October 2006, it 
was discovered that 1,588 pages of classified documents from a 
classified vault had been removed in paper form and also 
downloaded on to a portable thumb drive. The documents and the 
thumb drive showed up in the trailer home of a former LANL 
employee.
    Now, 1,588 pages--I just want to show you, this is 1,588 
pages. So it is really quite shocking that this is still going 
on in this magnitude.
    However unfortunate the time, LANS must be held accountable 
for compromising these documents, and it should pay a price. 
This incident demonstrates that the Department and LANS have 
failed to implement an effective security policy at Los Alamos.
    DOE must assert its contract and regulatory authorities to 
compel greater security performance.
    This most recent security incident demonstrates the same 
poor security management, lack of formality of operations, and 
insufficient oversight that has plagued the lab for decades. I 
do not think the security problems at Los Alamos can be solved 
with small changes on the margin.
    Dramatic, new ideas from the Department, from LANS and from 
Congress, are needed.
    I have co-signed legislation drafted by Mr. Barton to strip 
NNSA of its autonomy with respect to safeguards and security, 
worker health and safety and cyber security oversight, and 
understand that Chairman Dingell and Chairman Stupak have also 
cosponsored this important legislation. I would also note that 
we signed a co-letter last night along with Mr. Barton and 
Representative Hastert that asked the Department to take 
immediate steps to solve the security problems at Los Alamos.
    The letter has several recommendations and urges DOE to 
take action to reduce the volume of classified material across 
the laboratory. At Los Alamos, operations are spread out over a 
43-square mile area. The lab has approximately 15,000 
employees, 3,000 classified computers and 1,774 classified 
security areas. To give you some perspective, there are more 
classified security areas at Los Alamos than there are total 
rooms in the Rayburn, Cannon and Longworth House Office 
Buildings combined.
    And at this time, I would ask unanimous consent to 
introduce into the record the letter that we just referred to, 
that we had sent. Do they have a copy of it?
    Mr. Stupak. Without objection, it will be part of the 
record.
    Mr. Whitfield. LANL's volume of classified holdings is 
unnecessarily large, conducted in too many security areas and 
involves too many people. These factors, including the 
geographical dispersions of activities, make LANL susceptible 
to security failures. I hope this subcommittee can help 
identify the right solutions to fix this problem once and for 
all. Thank you.
    Mr. Stupak. I thank the gentleman from Kentucky.
    Next, the gentleman from Michigan, chairman of the full 
Energy and Commerce Committee, Mr. Dingell.

OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    The Chairman. Mr. Chairman, first, thank you for 
recognizing me, and second, congratulations to you on your 
becoming chairman of this subcommittee. You will do an 
outstanding job. You have been a superb member of the committee 
and superb ranking member, and I am delighted to see you 
sitting where you are.
    I want to also say, express my good wishes to the 
gentleman, Mr. Whitfield, who was so gracious and kind in his 
conduct in this subcommittee. We look forward to working with 
him, as I know we all do.
    I feel a little bit like this is the movie ``Groundhog 
Day''. All of us will remember that we seem to be waking up 
each morning to repeat the same events over and over with 
regard to security at the National Laboratories.
    As I recall, when the House turned in 1994, this 
subcommittee was preparing a set of hearings to go into the 
conduct of matters at DOE and how things were being done at 
that time with regard to the laboratories.
    There were all matters of difficulties, and I won't belabor 
the matter or delay the process by talking about it.
    But the events there with regard to security, security 
breaches at Los Alamos and the other laboratories, were very 
serious.
    And so I am reminded of what Yogi Berra used to say, this 
is like deja vu all over again. I am somewhat distressed that 
this subcommittee must convene to hear about security breaches 
at the National Energy Labs, Los Alamos in particular. We could 
drag out stacks of letters sent to the Department Secretaries 
and the Presidents over the past two decades on the issue we 
are reviewing today. We could also display a small tower of 
hearing records, many of which I chaired, relating to security 
breakdowns at DOE and at the Los Alamos National Laboratory in 
specific.
    This would be good drama in a movie. These, however, are 
security breaches and are deadly serious. They threaten our 
security to guard our Nation's military secrets, our nuclear 
secrets and other matters of importance. For some reason or 
another, DOE has proven itself incapable of managing this 
critical security and preventing recurring problems that we 
will discuss today.
    There is a new twist to this story, and I find it a 
worrisome development. Apparently, this latest security breach 
raises serious questions about DOE's process and procedures in 
granting security clearances and the adjudication of adverse 
information dealing with the suitability of employees and 
contractors.
    This appears to be, in part at least, a new issue. And it 
should be the subject--as it is going to be--of an executive 
session which is going to take place later today. We may very 
well need to expand the investigation of this subcommittee into 
DOE's personnel security system.
    Mr. Chairman, it is our joint concern that we will hear the 
same promises that we have heard in the past about how DOE will 
remedy the situation, how this lab is now going to take 
security matters seriously and how the lab will be reorganized, 
how some officers and officials and managers may be removed.
    I must confess that I have been hearing these promises for 
a long time, and I am beginning to find them somewhat tedious. 
The time has come to focus on the adequacy of the tools DOE 
possesses to effectively penalize the contractors and the lab 
for serious security failures, and whether DOE ever intends to 
use them or knows how to do so. There may be nothing in the 
Secretary's toolbox effective enough to turn this lab around. 
We will need to determine that in today's hearing and to find 
whether penalties are sufficient to effectively improve 
security at Los Alamos.
    I understand that Secretary Bodman, for whom I have 
considerable affection, is considering yet another security 
review regarding Los Alamos specifically and the Department in 
general. I look forward to his appearance before this 
subcommittee in February to learn what he intends to do to fix 
this mess. I support requesting the Government Accountability 
Office to conduct a comprehensive audit of Los Alamos 
operations in order to determine what functions need to be 
retained there versus being moved to another government or 
private facility.
    It increasingly appears that the overall footprint of the 
lab may be too big in both physical scale and in the scope of 
its mission to be properly managed.
    At this point, all options should be open, on the table for 
consideration as to how we correct this intolerable situation.
    Again, Mr. Chairman, congratulations. Thank you for holding 
this hearing, and I look forward to hearing what will be said 
by our witnesses. But I hope you will forgive me, as I note in 
the case of Groundhog Day, we have seen all of this before.
    Thank you, Mr. Chairman.
    Mr. Stupak. I thank the gentleman.
    Next turn to the distinguished former chairman of the full 
committee, Mr. Barton of Texas.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Mr. Chairman. I, too, want to 
congratulate you on the assumption of your new duties as the 
subcommittee chairman of Oversight and Investigations. I 
consider this subcommittee to be the heart of the full Energy 
and Commerce Committee.
    You are following in some big footsteps; in the prior 
Congress, Mr. Whitfield, but if you want to go back to when 
your party was last in the majority, the full committee 
chairman, Mr. Dingell, was also the subcommittee chairman, and 
this is where he gained his reputation for making sure that the 
ship of state was sailed straight.
    So, we are going to have a good relationship.
    I want to echo what Mr. Dingell just said, if there is 
nothing else to do on the Oversight and Investigation 
Subcommittee it seems you can also hold a hearing of security 
lapses at Los Alamos.
    I believe this is the 10th hearing in the last 4 years. I 
could be wrong about that. But I wouldn't be off by much; 2004 
the entire laboratory complex was shut down for 7 months; 2005, 
1,500 records--including Social Security numbers--some people 
hacked into the system, stole those numbers and the 
Administrator didn't even bother to tell the Secretary of 
Energy about it.
    This last October, approximately 1,600 documents were 
stolen and carried out of the complex and, if my memory is 
correct, were found in a mobile home when the local police 
responded to a domestic disturbance.
    Enough is enough.
    This is not a fast food restaurant on the corner somewhere. 
This is the crown jewel of our weapons complex.
    I don't have words to explain how frustrated I am, and I 
think my frustration is shared by every member of the 
committee.
    I am happy to report that last evening we introduced a 
bipartisan bill, Mr. Stupak and Mr. Dingell, original 
cosponsors, along with myself, Mr. Whitfield and Mr. Hastert, 
that strips the NNSA of its authority to manage some of these 
problems and gives it back to the Secretary of Energy to 
delegate as he sees fit. It is H.R. 703.
    And I hope that bill is given a hearing very quickly at 
subcommittee, or perhaps even at full committee and is moved to 
the floor. We need to do something about this problem.
    If there were a way to start over, I would say, shut down 
Los Alamos, fire everybody out there and build a new weapons 
laboratory somewhere else. That is not cost-effective. And 
obviously, there are many, many good people at the laboratory. 
But there is an absolute inability or unwillingness to address 
the most routine security issues at this laboratory.
    I have sent a letter to the Secretary of Energy, Mr. 
Bodman, today making him aware of this new legislation. But I 
have also asked him to immediately consider doing the following 
things by his authority as the senior executive officer of the 
Department of Energy. I have asked that he consider directing 
the Office of Health, Safety and Security to conduct an 
immediate inspection at Los Alamos and to repeat it next 2 
years to report any problems and report any progress in 
security and worker safety.
    I have asked the Secretary to consider directing Los Alamos 
to dramatically reduce and consolidate the number of classified 
activities, the number of classified computers, the number of 
classified vaults. They have got classified material strewn all 
around the complex. I have visited Los Alamos, seen for myself 
some of these sites where they store classified material. I am 
not an expert on security, but I consider the current number of 
sites to be many, many more than is absolutely necessary. And 
one simple solution to the problem would be just to reduce the 
number of places they keep this material.
    I also think that the current contractor at Los Alamos 
apparently doesn't give a damn about this. And I hate to use 
that kind of language, but that is the way I feel.
    If it is contractually legal, I think part of their fee 
should be withheld, perhaps even forfeited. If the contract 
allows for civil penalties I would hope the Secretary would 
consider assessing those penalties. If you can't get somebody's 
attention any other way, sometimes you can get their attention 
by withholding financial assets.
    So it is obvious that we are not going to solve this 
problem with one hearing, Mr. Chairman. But I do want to 
commend you for being willing in your first hearing of all the 
things you could do, to tackle this issue. It is a very serious 
issue. And I will pledge to you that the minority is going to 
continue to work on this problem. And now that you are the 
chairman and Mr. Dingell is a full committee chairman, you will 
have our full cooperation in trying to get on the bottom of it 
and rectify the situation if it is possible. And if it is not, 
if after a year or year and a half, if it doesn't look like any 
progress is being made, I do reserve the right to request that 
we consider shutting down this laboratory.
    If that is the only way to do it, and we have to start 
over, then so be it.
    But we ought to be able to get security right at Los 
Alamos.
    With that, I yield back.
    Mr. Stupak. I thank the gentleman, and we do anticipate at 
least one more hearing on this subject with Secretary Bodman 
probably in March. And with that, I would yield to the 
distinguished vice chair of the full committee, Ms. DeGette of 
Colorado.

  OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Mr. Chairman. It is good 
to see you in that chair after all these years working with you 
on this subcommittee, which I consider to be the best 
subcommittee in the House.
    And I also want to add my congratulations to the new vice 
chairman of the subcommittee, Mr. Melancon. He is going to have 
a great time.
    One thing that is so great about this subcommittee is, when 
we get mad, we get really mad in a bipartisan way. And I want 
to echo what former chairman Barton said, because I have been 
on this subcommittee during my 10 years in Congress, and you 
are exactly right, we have had about six to 10 hearings in the 
last few years alone on this subject. And we have been told 
repeatedly in every single hearing that this problem would be 
fixed.
    In 2004, then-Chairman Barton and I visited Los Alamos, and 
this was akin to a state visit for Los Alamos I guess. We went 
in; there was tremendous local interest. There was tremendous, 
tremendous effort to brief us and show us what was going on. 
The deputy secretary was there. The new director was there. 
Everybody was there. We toured the facility. We had some very 
tough conversations. We were told that this situation was going 
to be fixed and that this situation was going to be fixed 
immediately.
    And subsequently, that director who was with us was drummed 
out, and nothing happened, as we have now seen. Mr. Dingell 
talked about Groundhog Day, and this week, in fact, is 
Groundhog Day, so it is appropriate that we are having these 
hearings this week, but it is not funny about these security 
breaches. The lab is home to some of the most confidential and 
important data in the Nation, weapons development, security of 
our nuclear stockpile, the development of technology to protect 
us from terrorist attacks. And it is not the first time either 
that we seem to be dependent on dumb luck to discover a breach 
of security.
    If it hadn't been for the vigilance of police officers in 
investigating unrelated drug charges, this classified data 
would still be sitting at the home of a former subcontractor 
for a yet to be discovered purpose. And so, really, the issue 
is so much broader than just this single incident.
    And as we will hear today, the Department of Energy's 
Inspector General recently found that physical and cyber 
security at the lab have been consistently compromised. We keep 
saying to ourselves, why does this happen time after time, year 
after year? And we haul everybody in, and we rant and rave, and 
then it happens again.
    I think there are two problems. There is the oft discussed 
culture at Los Alamos where people really think themselves 
beyond the requirements of true security measures. But there is 
another problem, and former chairman Barton alluded to this. It 
is such a large site and with so many different areas that 
contain this data, that it is very difficult to secure it.
    And in addition, when I visited, I found, 3 years ago, some 
of the security measures being implemented would be just 
routine security measures at a private facility, and so you 
have got to wonder, do these Government facilities think that 
they have to comply with lower standards than in private 
industry? So, really, I think the questions that former 
Chairman Barton and Chairman Stupak and Chairman Dingell are 
asking are the right questions.
    And I cannot stress enough to the witnesses today and to 
those who care about this facility, we are really serious and 
we are really serious this time, I think the legislation that 
was introduced is drastic, but that is the direction we are 
going to have to go unless we can get some clear answers of how 
we are going to fix this problem.
    With that, Mr. Chairman, I yield back.
    Mr. Stupak. Before the gentle lady leaves, if we can do 
housekeeping. I notice there is a majority of the committee 
present, and we are going to have to take a vote to move into 
classified or executive session later. We won't do it--so 
before we continue, all those in favor of moving to an 
executive session later, please just raise your hand or 
indicate aye.
    Any opposition? Hearing none, at the appropriate time, we 
will move into executive session later in this hearing. With 
that, we will continue with the opening statements, next 
turning to Mr. Walden.

   OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Thank you, very much, Mr. Chairman, and I think 
people who have come before me have laid it out pretty clearly 
and forcefully. There are just few things as important to our 
Nation's security as maintaining the security of our classified 
data in our National Labs. I think my colleagues have made that 
clear. You have heard it from me before in these hearings we 
have had in the past. The chairman said, these are the crown 
jewels of our weapons systems. And I guess what strikes me is, 
we have got employees who still are walking out the front door 
with the diamonds out of the crown jewel set. And that is a 
problem. That is a very serious problem and one that this 
subcommittee has railed on before in public and in private 
sessions, perhaps even more so than what people are hearing in 
the public session. There are some fundamental questions that 
we will have for all of you today that will come in both 
sessions, including access to these computers once again, how 
is that controlled, how does somebody walk out with a thumb 
drive? I understand you are now using a product like this, J-B 
Weld, the world's finest cold weld, to actually seal up the USB 
and FireWire ports so that somebody can't use one of these 
thumb devices.
    It is great. It works for engine blocks, and it works for 
faucets, and I guess it works to plug leaks in our national 
security system, too, but why do we even order computers that 
have those ports in them? It would seem to me that Government 
could work out a contract to get a computer that doesn't have 
them. I am glad you now sealed up 7,200 of these ports or 
whatever the actual count is. Perhaps we will learn later 
today. But it strikes me as a bit strange that we are relying 
on J-B Welds to protect leaks of our national security.
    With that, Mr. Chairman, I will yield back.
    Mr. Stupak. I thank the gentleman. Next, I turn to the vice 
chair of the subcommittee, Mr. Melancon.
    Mr. Melancon. Thank you, Mr. Chairman. I don't have any 
written statements. I would like to move as quickly as we can 
into testimony.
    Being new on the committee and just picking up the gist of 
what has been said about Los Alamos, and in looking at the 
concerns that we have about nuclear proliferation around the 
world, and we are not even protecting our own, it seems so. 
With that, I'd just like to thank you for allowing me to be 
part of the committee and the ranking member and the members of 
the committee. Thank you.
    Mr. Stupak. Thank the gentleman.
    Next, I turn to Mr. Burgess, Dr. Burgess.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Thank you, Chairman Stupak and Ranking Member 
Whitfield for continuing this committee's important oversight 
over Los Alamos. Chairman Stupak, I appreciate the bipartisan 
nature of this hearing, and I hope it is a sign of how you will 
handle hearings in the months to come. You and your staff are 
to be commended for your preparation and your willingness to 
share relevant information with members across the aisle.
    Mr. Chairman, it is my sincere hope that we have your 
commitment to continue this collegial and bipartisan 
disposition throughout all the hearings of this congress. And I 
would also like to take a minute and thank Ranking Member 
Whitfield for his investigation of Los Alamos throughout the 
years. Clearly, today's hearing builds upon the hard work and 
the determination that you and your staff have displayed on 
this crucial matter of national security. I thank you for your 
leadership on this important issue.
    Today we have three panels before us that will hopefully be 
able to explain to us not only what exactly happened in October 
but also what has been done to prevent another recurrence. I 
welcome you all here today and hope we can get to the bottom of 
this continuing problem at Los Alamos once and for all. I would 
especially like to welcome my fellow Texan, Deputy Secretary 
Clay Sell. Thank you for being here with us today and sharing 
your valuable insight into the Department of Energy.
    In the post-9/11 world in which we live today, our national 
security has become the most important issue facing our Nation. 
We must do everything within our power to ensure that we do not 
become the victims of terrorism again. As terrorists become 
more and more sophisticated, we must continue to implement and 
maintain comprehensive measures to secure our safety. While we 
often think of terrorists of being from foreign lands, it is 
easily plausible that people living on American soil can 
compromise our country's national security interests. The fact 
that someone can walk out of an institution that developed the 
atomic bomb with a disk full of classified information is 
deeply disturbing. This is absolutely indefensible.
    Los Alamos has some of the smartest minds, people of almost 
immeasurable brilliance, working on the facility, and the 
reoccurrence of so many security breaches is simply 
inexcusable. I was taught that people should be held 
accountable for their actions. While there are many 
organizational changes that can be made to better ensure the 
security of our country's classified information, one of the 
easiest and most effective remedies is to make the contractor 
in charge of security pay a steep penalty. As a steward of the 
taxpayer dollar, I fully support this idea. If the contractor 
is penalized, millions upon millions of dollars maybe, then 
they will finally realize how serious the problem is and that 
it must be stopped.
    While there is clearly an institutional problem at Los 
Alamos, we must also remember that there are thousands, 15,000, 
hardworking employees at the lab who make a remarkable 
contribution to science in this country on a daily basis. I had 
the pleasure--the honor of visiting the lab in July 2005, and I 
met many of those hardworking and dedicated men and women. I 
was impressed by their dedication. I was impressed by the 
overall intellect of the individuals involved.
    In preparation for this hearing, I came across a posting on 
a well known blog of Los Alamos employees. The posting was 
addressed to members of this committee and ended with this 
thought: ``Don't give up on us just yet. Please be careful with 
your words. Direct them at those who are truly at fault and 
avoid belittling comments directed against the whole workforce 
and against the vital work that we can do to help this country. 
And one more thing, yes, you do need Los Alamos--a well 
functioning Los Alamos''.
    I completely agree with this employee. The country needs a 
well functioning Los Alamos. And that is why we are here today, 
to protect what is a national treasure.
    And I would oppose any diminution of that mission or 
relocation of the resources, but oversight is our obligation.
    Mr. Chairman, I have several questions that I hope we will 
get answered, and one of those questions deals with the RFP 
process that the lab went through just a little over a year 
ago. Was it a fair process? Was the University and the 
contractor that was not selected, were they given a fair shake? 
Were they given a fair chance to compete for that contract?
    It seems as if the embedded culture at Los Alamos is 
incapable of change. Perhaps that is reason enough that we 
should reopen the RFP process.
    Mr. Chairman, I again thank you for the bipartisan hearing 
in which we can further address this troubling issue and what 
needs to be accomplished with this dismal and depressing cycle 
of security breaches at Los Alamos.
    And I feel it is important that we continue to work on this 
problem so that we do not risk the welfare of our Nation and 
succeeding generations who will either benefit from our 
decisions or inherit the failings of our security lapses. With 
that, I will yield back.
    Mr. Stupak. I thank the gentleman.
    The gentleman from Texas, Mr. Green.
    Mr. Green. Thank you, Mr. Chairman, and I am glad to be 
back on the subcommittee although following our chairman, when 
it is his deja vu, I have been off this subcommittee for I 
think three terms, and it seems like we ended and that last 
term with Los Alamos obviously back then much more serious 
allegations than we have today.
    But, Mr. Chairman, I have a statement I would like to place 
into the record and express the same frustration I think 
everyone has heard on a bipartisan basis, but I would like for 
us to get moving and see what we can do. But also I am thankful 
that we have local law enforcement who were sharp enough to 
pick that up, but hopefully we can stop it before it actually 
leaves the lab. With that I will submit my statement for the 
record and yield back.
    [The prepared statement of Mr. Green follows:]

  Prepared Statement of Hon. Gene Green, a Representative in Congress 
                        from the State of Texas

    Mr. Chairman, I am privileged to be back on the Oversight 
Subcommittee, but it looks like not a whole lot has changed, we 
are still looking into security problems at Los Alamos.
    Everyone up here and all our witnesses are upset, but I do 
not think anyone has made the point that since our intelligence 
overseas has not been as good as it could be, we cannot afford 
nuclear security mistakes here at home.
    The risk of international nuclear proliferation is bad 
enough with Iran and North Korea without having to worry about 
risks in our own backyard.
    Some members of this committee criticized the previous 
administration for security lapses that occurred in the years 
after the cold war and rightfully so.
    But now, more than 5 years after 9/11, this administration 
has still not resolved many of the same issues. It looks like 
9/11 led to increased security everywhere but Los Alamos.
    The National Nuclear Security Administration imposed 
millions in financial penalties against the University of 
California for problems at Los Alamos in past years, and the 
new contractor could be liable for even larger penalties.
    I notice that we have some new faces in charge, and some 
former officials are pursuing other opportunities. I certainly 
hope the changes are noticed on the ground as well.
    However, I have to say I am somewhat bothered by much of 
the testimony here today.
    The testimony contains lots of findings from internal 
investigations and a great deal of new and updated directives 
and procedures.
    We've heard this same song about security breaches 
before--with similar findings of root causes and similar new 
procedures. In fact, DOE and Los Alamos just keep re-releasing 
the same album.
    Instead of more studies and procedures, I think the problem 
may be a lack of actual leadership and people who will 
implement the procedures in a coherent way.
    So I hope our new faces here are not just interested in 
more studies, more investigations, and more new sets of rules.
    Instead I hope they and their managers get out there and 
work with the subcontractors, security personnel, scientists, 
and employees and change the situation on the ground.
    Hopefully Congress does not have to remind the 
administration that several countries opposed to the United 
States are currently seeking nuclear weapons.
    We need to keep our technologies out of these nations' hands 
and we need to be dead serious about it.
    Thank you Mr. Chairman and I yield back.

    Mr. Stupak. Without objection, and welcome the gentleman 
back to this subcommittee.
    Mr. Murphy from Pennsylvania, any opening statement?

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. Thank you, Mr. Chairman, and it is a pleasure 
to be joining you on this committee. Mr. Chairman we are about 
to hear about these appalling violations and blatant disregard 
to national security safeguards at Los Alamos National 
Laboratory, and they warrant intense scrutiny of this facility. 
The unauthorized removal of any classified materials is, of 
course, a grave matter. But the frequency at which classified 
materials seem to be removed at Los Alamos National Laboratory 
indicates a careless attitude towards our national security and 
deserves the intense scrutiny of this committee.
    One such display of this disregard for national security 
occurred in 2005, as referenced by the members here, when the 
former administrator of the National Nuclear Security 
Administration Linton Brooks--for 9 months, Administrator 
Brooks refused to report computer hackers' theft of 1,500 
Social Security numbers and personal information of employees 
of the NNSA. Another instance, in October 2006, we know police 
found a flash drive and hundreds of pages of classified 
documents at the home of a former subcontractor, the content of 
which is so classified it can't be released to the public, but 
nonetheless it raises our concerns deeply.
    For the sake of our national security, we must determine 
how they were removed and take immediate steps to prevent this 
from occurring in the future. We need to prevent breaches 
through better security systems on computers and hardware, to 
thoroughly screen everyone, especially contractors at Los 
Alamos, to fully inspect those materials that come in and out 
of the facility, and to prosecute to the fullest extent of the 
law and give stern penalties for those who breach that 
security.
    As our society is growing more dependent on technology, we 
have seen a disturbing trend in the theft or loss of personal 
information from Government agencies, such as the VA and large 
corporations, that at times are used for malicious intent.
    What has been the consequence of the theft of this material 
and who is responsible for their loss or misuse? We need 
answers to these questions, and we need ideas on how to prevent 
this in the future.
    Misuse of personal information must have consequences. For 
example, in the 109th Congress, I introduced the SERVE Act 
which would physically secure all sensitive personal 
information and all equipment containing such information 
processed and maintained by the Department of Veterans' 
Affairs. But I also would have also required the VA and its 
contractors to encrypt sensitive personal information. The 
SERVE Act also imposed criminal penalties for unauthorized 
disclosure of sensitive personal information.
    But we are here not to address just one or two of these 
problems but to find a way to address a chronic failure to 
follow national security procedures in guarding classified 
materials. I look forward to this hearing, and I yield back.
    Mr. Stupak. I thank the gentleman. We should note that Mr. 
Udall is here. He is not a member of the committee, but Los 
Alamos is in his district. He is very concerned about it and 
has always been a strong advocate for Los Alamos. You can see 
the concerns of members, Tom, but welcome, and I look forward.
    Mr. Udall. Thank you and a pleasure to join you today, Mr. 
Chairman. Thank you.
    Mr. Stupak. We are in recess until noon so we should be 
able to get hopefully most of this hearing in. It is the policy 
of the subcommittee to take all testimony under oath.
    Please be advised that witnesses have the rights under the 
Rules of the House of Representatives to be advised by counsel 
during their testimony.
    Do you desire to be advised by counsel at this time? If so, 
please introduce your counsel. Seeing no reaction, I advise, we 
do swear in witnesses. Would you please rise and raise your 
right hand?
    [Witnesses sworn.]
    Mr. Stupak. Let the record state an affirmative response 
of the witnesses. Witnesses are now under oath. You have 5 
minutes for an opening statement. Witnesses may, at the 
discretion of the committee, submit brief and pertinent sworn 
statements for inclusion in the hearing record.
    Let me now start with Mr. Friedman please.

   TESTIMONY OF GREGORY H. FRIEDMAN, INSPECTOR GENERAL, U.S. 
                      DEPARTMENT OF ENERGY

    Mr. Friedman. Mr. Chairman and members of the subcommittee, 
I am pleased to be here at your request to testify on the 
Office of Inspector General's review of the recent compromise 
of classified data at the Department of Energy Los Alamos 
National Laboratory. Los Alamos, as has been stated earlier 
today, has been at the forefront of our Nation's security 
related research and development enterprise for over 60 years. 
There have been a number of highly publicized incidences that 
have cast doubt on the laboratory's ability to protect national 
security.
    The Office of Inspector General has performed numerous 
audits, inspections and investigations of physical, and cyber 
security related issues at the laboratory.
    Our reviews have covered diverse areas such as the 
implementation of design basis threat, safeguards over 
classified material and property and security of information 
systems. I have been asked to testify before this subcommittee 
and other congressional panels on several occasions regarding 
management of security interest issues at Los Alamos.
    No doubt the subcommittee is fully aware of the 
circumstances surrounding the recent seizure of classified 
information from a residence by the Los Alamos county police 
department. Shortly after the material was seized, Secretary 
Bodman requested that the Office of Inspector General begin a 
review of the compromise of classified data.
    The Secretary also asked that we evaluate certain aspects 
of the Department's security clearance process, the results of 
which can be discussed in closed session.
    Our special inquiry disclosed that, despite the expenditure 
of tens of millions of dollars by the National Nuclear Security 
Administration to upgrade various components of the laboratory 
security apparatus, the security environment was inadequate.
    Specifically, our special inquiry revealed that, first, 
certain computer ports which could have been used 
inappropriately to migrate information from classified systems 
to unclassified devices and computers had not been disabled.
    Second, classified computer racks were not locked.
    Third, certain individuals were inappropriately granted 
access to classified computers and equipment to which they were 
not entitled.
    Fourth, computers and peripherals that could have been used 
to compromise network security were introduced into a 
classified computing environment without approval, and finally 
critical security functions had not been adequately separated, 
essentially permitting systems administrators to supervise 
themselves when it came to security and to override controls.
    In many instances, laboratory management and staff had not 
developed policies necessary to protect classified information, 
had not enforced existing safeguards or had not provided the 
emphasis necessary to ensure protective measures were adequate. 
Some of the security policies were conflicting or applied 
inconsistently. Also, both laboratory and Federal officials 
were not as aggressive as they should have been in conducting 
security reviews and inspections. Our findings raised concerns 
about the laboratory's ability to protect both classified and 
sensitive information.
    The picture before you right now depicts the rack of 
classified computers at Los Alamos from which the diverted 
classified information originated. As you can see, the rack 
that held the computers was unlocked, a condition that 
permitted access and exploitation of the open ports. And I know 
you all are familiar--this is a thumb drive similar to the one 
which in fact was used to divert the material from the 
laboratory. This is a 1 gigabyte thumb drive, and this can 
contain the equivalent of two file cabinets full of information 
to show you how powerful this little item is.
    Any diversion of classified material creates a potentially 
serious national security situation. The full extent of the 
damage related to the removal of classified information in this 
case may never be fully known. A criminal investigation of this 
matter by the FBI continues.
    We made a number of recommendations to correct identified 
deficiencies.
    For example, we recommended the Department take immediate 
action to disable unneeded computer ports, secure classified 
computer racks, segregate critical security functions and limit 
classified computer access and privileges to those who 
specifically require it.
    In response to our report, Secretary Bodman established 
two high-level task forces to address our findings, and Deputy 
Secretary Sell directed an immediate review of policies and 
practices related to computer ports in each of the Department's 
facilities.
    The subcommittee requested that we identify other actions 
that could improve security at the laboratory. In short, we 
concluded that the Department should first establish an 
up-to-date, unified, coherent, risk-based security policy that flows 
throughout all elements of the Department. It is essential this 
policy be applied consistently and that all aspects of 
security, physical, cyber and personnel be integrated to ensure 
a seamless system.
    Second, the Department should aggressively hold individuals 
and institutions at both the Federal and contractor levels 
accountable for failure to follow established security 
policies. Penalties should include meaningful reductions in 
contractor fees, personnel reassignments and terminations, 
civil penalties, program redirection and ultimately--should it 
be needed--contract termination.
    One final note, one of the most disturbing aspects of this 
event is the fact that it was not discovered by the laboratory 
but by local police during an offsite investigation unrelated 
to laboratory activities. Without this inadvertent discovery, 
the diversion of classified material may never have been 
disclosed. And in that light, the Department and Los Alamos 
need to strengthen efforts to proactively detect and prevent 
security breakdowns. This might include, for instance, first 
improving the level of monitoring of classified computer use 
through the application of specialized software which is 
currently available; two, enhancing computer activity logging; 
and three, initiating a program of unannounced security checks 
beyond routine inspections.
    Admittedly there is a cost involved with such undertakings, 
but it is a cost that may be necessary given the pattern of 
security issues that we have seen at the laboratory.
    Mr. Chairman, this concludes my statement. I would be 
pleased to answer any questions that you may have.
    [The prepared statement of Mr. Friedman appears at 
the conclusion of the hearing.]
    Mr. Stupak. Thank you, Mr. Friedman, and I should have 
properly introduced you as the Inspector General for the 
Department of Energy. I appreciate your work.
    Mr. Podonsky is the chief health safety and security 
officer at the U.S. Department of Energy.
    Mr. Podonsky, your opening statement please.

TESTIMONY OF GLENN PODONSKY, CHIEF HEALTH, SAFETY, AND SECURITY 
     OFFICER, OFFICE OF HEALTH, SAFETY, AND SECURITY, U.S. 
                      DEPARTMENT OF ENERGY

    Mr. Podonsky. Thank you, Mr. Chairman, and Mr. Whitfield, 
and members of the subcommittee, I appreciate the opportunity 
to testify today regarding the improper removal of classified 
information from the Los Alamos National Laboratory.
    At the time of this incident, when it was discovered, our 
Office of Independent Oversight was conducting scheduled 
inspections at the laboratory's security, cyber security and 
emergency management programs.
    As we heard from my colleague, Mr. Friedman, his office 
conducted the inquiry into the circumstances surrounding the 
incident.
    Therefore, I will focus my remarks on our inspection of the 
laboratory in terms appropriate for this unclassified hearing. 
Our independent oversight inspection just completed resulted in 
the lowest set of performance ratings for security and 
emergency management topics that we have seen at Los Alamos 
since 1999.
    That, combined with the history of security problems at Los 
Alamos, is of great concern to everyone.
    However, these ratings should not lead this committee to 
conclude that the laboratory is not protecting their most 
important national security asset. This inspection concluded 
that special nuclear material, an area with historically 
significant weakness, is adequately protected.
    Additionally, the ratings in part reflect the fact that our 
independent oversight inspection process has become more 
technically enhanced and increasingly focused on performance-
protection-based activities, especially in the area of cyber 
security and protection of classified matter.
    We note some improvements. However, we continue to conclude 
that extensive work remains to ensure that Los Alamos fully 
meets Department's expectations. While special nuclear 
materials were adequately protected and overall performance of 
the protective force was considered effective, we identified a 
number of significant problems with the protection of 
classified documents and materials and with the configuration 
of vault-type rooms. It was evident that the site is overly 
dependent on the use of nonstandard storage configurations for 
the protection of many of its classified weapons parts. 
Compensatory measures, established to support approval of the 
nonstandard storage configurations, were found to be 
inconsistent and not performing according to plans.
    The overall impact of the deficiencies related to the 
protection of classified matter is substantial.
    Also, while some cyber security enhancements have been 
made, the laboratory's cyber security policies are not 
comprehensive and not up-to-date with DOE and NNSA 
requirements, and they do not sufficiently address threats 
posed by emerging technologies.
    Additionally, risk management processes are insufficient, 
resulting in risk acceptance decisions being made by lower 
staff members, which is inappropriate.
    In many cases, the protection of classified systems is 
overly dependent on administrator controls to mitigate 
potential insider activity rather than more robust controls and 
barriers. As a result, Los Alamos National Laboratory systems 
continue to operate at increased risk from malicious insiders 
intent on subverting established departmental requirements.
    Another area of concern is the certification and 
accreditation of both classified and unclassified information 
systems. The Los Alamos certification and accreditation process 
has not kept up with current methodologies, and existing 
processes do not ensure a consistent approach for applying 
testing necessary security controls. For example, over 25,000 
existing unclassified work stations in service at Los Alamos 
were not certified and accredited. Self assessment processes 
are weak, and very few systems actually are being tested as 
part of these assessments.
    Moreover, deficiencies identified during self-assessments 
are not always reported to the Los Alamos site office or NNSA, 
and development of corrective action plans to address them 
seems to be optional. Consequently, there is little in-depth 
understanding of program weaknesses. Considering the progress 
made to date balanced against the cyber security issues that 
remain, we conclude that strong and aggressive management 
action is required.
    There does need to be sound new laboratory plans for 
conducting self-assessments and implementing a contractor 
performance assurance program as part of the contract 
transition. However, the plans are not yet fully implemented.
    In addition, the laboratory does not have an effective 
process for identifying actions for identified deficiencies. 
Similarly, the NNSA site office security survey program is 
inadequate. In a few cases, the laboratory has decided not to 
comply with departmental requirements, and the laboratory and 
NNSA did not utilize the Department's mandated deviation 
process to fully assess and accept risks associated with these 
decisions.
    The recent inspection results illustrate some improvement. 
However, the most important national security asset at Los 
Alamos must be recognized to be protected, and that is the 
special nuclear material.
    Nevertheless, significant and disturbing protection and 
emergency management program deficiencies continue to exist at 
Los Alamos that require prompt attention, forceful and 
sustained management actions, and corrective actions to be 
followed.
    We have heard all too often from a long line of DOE 
managers how serious LANL issues are and changes are needed. 
However, Mr. Chairman, it is my professional opinion that no 
one now or previously in the Department has had the commitment, 
the dedication, and absolute resolve to change the way this 
department is managed and the way this laboratory is managed 
than Secretary Bodman and Deputy Secretary Sell. It is 
imperative that the NNSA and the Los Alamos site office in 
particular follow the leadership of the Secretary and the 
Deputy Secretary and must immediately enhance NNSA capabilities 
to effectively oversee the contractor performance now and in 
the future.
    Mr. Chairman, one other note, in the course of this 
hearing, there may be privacy issues that arise, and I would 
like just to recognize that Eric Fygi from General Counsel is 
here and representing the Department.
    [The prepared statement of Mr. Podonsky appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you.
    Before we move to our next witness, we should note that 
Congresswoman Heather Wilson from New Mexico is a member of the 
full committee, but not on the subcommittee, but we welcome her 
participation here today. Thank you.
    With that, we will next hear from Ms. Danielle Brian, 
executive director of Project on Government Oversight.
    Ms. Brian.

  TESTIMONY OF DANIELLE BRIAN, EXECUTIVE DIRECTOR, PROJECT ON 
                      GOVERNMENT OVERSIGHT

    Ms. Brian. Thank you for inviting me to testify today.
    I am Danielle Brian, executive director of the Project on 
Government Oversight. We have been investigating and exposing 
security failures in the nuclear weapons complex since 2001.
    Despite the creation of NNSA, security failures have 
continued to plague the complex, especially at Los Alamos. Now 
NNSA Administrator Linton Brooks has been asked to resign, and 
our Nation's secrets have been mishandled by Los Alamos again. 
Not only have NNSA and U.C. failed to correct security issues, 
but now there will be even less oversight of Los Alamos as a 
new pilot program has been implemented at Los Alamos in which 
oversight has been handed over to the contractor themselves. 
Perhaps this new legislation that Congressman Barton has 
introduced could help turn the tide on this disregard for 
Federal oversight.
    Since 2001, there have been at least seven instances in 
which classified information was mishandled at Los Alamos, and 
I suspect there were many others that have simply flown below 
the radar. Classified computer disks have gone missing. 
Computers that may have contained classified information have 
somehow disappeared from lab property, either having been 
stolen or lost. Classified information has been transmitted 
through unsecured e-mail, and the list goes on.
    The cybersecurity episode has occurred on average nearly 
once a year since POGO began its investigations, and all of 
these instances occurred after the infamous episode of the two 
missing hard drives which were later discovered behind the 
Xerox machine.
    Now, in the recent incident, a subcontractor employee 
freely took over 200 pages of hard-copy, classified documents 
and over 400 classified documents on flash drives to her home, 
which she shared with a drug dealer. This could only have 
happened if there were a complete collapse of multiple 
supervisory and security systems. It was only by happenstance 
that she was caught, not because an effective security system 
was in place. We would never have known about the security 
breach if it hadn't been for a domestic disturbance.
    Furthermore, we have no way of knowing how many other 
instances like this there are out there that we don't know 
about. It is important to remember that NNSA attempted to keep 
this incident secret from Congress and the public until POGO 
learned about it 8 days after the local police raid.
    After the most recent security incident, a cybersecurity 
audit was launched, and according to a lab e-mail from just a 
few days ago that I asked to be submitted for the record, 
quote, ``As a result of the preliminary findings of the 
cybersecurity audit''--this is just a week and a half ago--
``LANL has agreed to suspend all nonessential classified, 
computing activities for at least the next 48 hours by the 
close of business today.''
    And this is not the first time security failures have 
significantly impacted operations at the lab. In 2000, then-
Secretary Bill Richardson announced a new system so that there 
would no longer be classified, removable electronic media to be 
lost or stolen. The labs essentially ignored the order. In May 
2004, then-Secretary Abraham announced that the complex was 
going to have a new system doing essentially the same thing. 
Again, the labs essentially ignored the order. I suspect 
Secretary Bodman will soon be announcing a new initiative to 
solve cybersecurity problems, and I am sure he is genuine in 
his beliefs that his directives will fix the problems, but 
those of us who have been around for a while have reason to be 
skeptical.
    In addition to cybersecurity failures, Los Alamos continues 
to suffer from a litany of other problems, and while Los Alamos 
is a big problem, it is by no means the only problem in the 
nuclear weapons complex as other sites are also currently 
facing their share of serious problems.
    Despite these other sites that urgently need attention, Los 
Alamos does stick out as the bad child. Why? There is a joke 
around the complex that goes something like this: The Secretary 
of Energy tells the three national labs to jump. Sandia asks, 
how high? Livermore makes an excuse for why it is too busy to 
jump, and Los Alamos asks who the Secretary of Energy is.
    Los Alamos sticks out as the bad child because of its 
consistent and utter disregard for Federal oversight. At this 
rate, as was mentioned before, we can all schedule next year's 
hearing right now given the likelihood we will still be 
discussing problems at Los Alamos unless the entire incentive 
system is reversed.
    I have enumerated in my written testimony a number of 
specific recommendations, but in the interest of time, to 
highlight them, first is that NNSA, or perhaps simply the 
Department of Energy, needs to make it a priority to fund 
oversight and promote Federal employees who are thorough in 
their oversight work. In its current state, the Los Alamos site 
office is nonfunctional. There are over 20 vacant Federal 
positions in that office.
    Officials should also be held accountable if they do not 
implement the recommendations made by the two gentlemen who are 
sitting at the witness table, the Department of Energy's 
Inspector General and the Office of Health, Safety, and 
Security. As we have mentioned before, there are numerous 
reports that have been issued on these issues, but no one gets 
in trouble when they don't do anything about what these people 
have recommended.
    The Performance Incentive Fee in the Los Alamos contract 
should be recalculated and equally weighted to reflect the 
equal importance of accomplishing the mission with ensuring 
security and doing so safely. Of the $51 million that is 
currently on the table for fiscal year 2007 in the performance 
fee for the Los Alamos budget, only 6 percent, or $3 million of 
that amount, is tied to security. Fortunately, that small 
percent is not set in stone and should certainly be revisited 
and dramatically increased. At the very least, DOE should cut 
the Performance Incentive Fee for the most security--for the 
most recent security debacle at Los Alamos.
    DOE should also be disallowing costs--this is a cost-
reimbursable contract, so they should be disallowing costs with 
Los Alamos' as failure to perform adequately.
    POGO also recommends that the ``at will'' employment 
provision at Los Alamos be changed for their employees because 
currently, if an employee is the bearer of bad news to 
management, the employee can be fired at will, creating exactly 
the wrong incentives. This is an important issue for the 
committee to be conscious of as it is of particular concern for 
Livermore employees who are not currently operating under this 
condition, but, as you see, appears to be poised to retain the 
contract at Livermore. There is, in fact, concern that this 
will now affect or be affected for the Livermore employees as 
well.
    I am thrilled that the committee has already undertaken our 
next recommendation to audit the missions currently being 
conducted at Los Alamos. I think that's a very important effort 
the committee is undertaking.
    In closing, DOE will soon be submitting a request of $150 
billion to fund a wildly ambitious project to revamp the 
nuclear weapons complex known as Complex 2030. Before any 
funding for further expansion is approved, I respectfully 
suggest that Congress must have confidence in the mission and 
in the ability of the complex to carry out that mission safely 
and securely.
    Thank you.
    [The prepared statement of Ms. Brian appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you.
    We will begin questioning.
    Mr. Friedman, your investigation of the recent incident at 
Los Alamos revealed the lab security framework was seriously 
flawed.
    For example, is it true that a number of key areas, 
including security policy, was nonexistent, applied 
inconsistently or not followed?
    Mr. Friedman. That is correct, Mr. Chairman.
    Mr. Stupak. In 2004, the lab was shut down when we did this 
massive review. Wasn't that one of the recommendations in 2004?
    Mr. Friedman. It was, and actually you could trace it back 
to 1999, in essence.
    Mr. Stupak. Then what is it? Why are we having such 
problems with Los Alamos? As Ms. Brian says, Secretary 
Richardson gave an order, Secretary Abraham, now Secretary 
Bodman, and we have been reassured by Mr. Podonsky that things 
are going to change. For instance, in 1999--that's, what, 8 
years now--there have been 11, 12 hearings. Any answers?
    Mr. Friedman. Well, I use--I thought the ultimate question 
would come a little bit later. I didn't expect it on the third 
question, Mr. Chairman.
    Mr. Stupak. I've only got 8 more years to mess around, but 
we don't with this lab.
    Mr. Friedman. Of course, it is an issue that we have 
thought about a great deal. We devote a lot of resources to Los 
Alamos, and you and I have had this discussion before, 
obviously.
    I think one of the problems that we've found consistently 
is the question of sustainability, Mr. Chairman, if I can put 
it that way, use that term. There are a lot of good intentions. 
People start off with the right set of principles. They have 
new policies, new procedures that they begin to implement, and 
the implementation begins, but there is not the stay with it, 
the closing the deal, the sustainability that is necessary to 
go from a good idea to implementation, to execution, and to 
consistency, and I tend to think that's one of the fundamental 
problems that we have seen at Los Alamos over time. I said 
there are good starting principles, but no follow-through, a 
lack of follow-through.
    Mr. Stupak. There is a lack of follow-through because of 
turnover in personnel, or we lose interest in the principles 
that we are supposed to put forth?
    Mr. Friedman. I think it's the latter rather than the 
former. Certainly there is a turnover in personnel, but I don't 
think--my sense is that is not the heart of the problem.
    Mr. Stupak. Well, in your recently released report on Los 
Alamos, in doing your work your team uncovered a number of much 
broader concerns than merely the concerns related to the 
October incident. Let me read from your report, and I am 
quoting now.
    It says, ``Our review revealed a serious breakdown in core 
laboratory security controls,'' and your report reached the 
conclusion, and it states, ``In short, your findings raise 
serious concerns about the laboratory's ability to protect both 
classified and sensitive information systems.''
    I presume you still stand by that report and that 
conclusion?
    Mr. Friedman. Yes. Yes, we do.
    Mr. Stupak. There has been a lot of talk this morning about 
maybe we should just change the focus of this lab, or some of 
the missions must be shifted to other labs like Sandia. It is a 
very, very large complex.
    Your thoughts on that suggestion.
    Mr. Friedman. Well, I am not here, Mr. Chairman, as a shill 
for the laboratory, but as a number of members of the 
subcommittee have identified this morning, it is an extraordinary 
institution. Sixty-three percent of the people there or 
thereabouts have postgraduate degrees. They're eminent 
scientists. Last year lab personnel won, I believe, five R&D 
100 awards. There are 28 E.O. Lawrence Award winners there.
    It is an extraordinary institution, and I caution, if I 
might, that before we do anything truly radical--and I 
understand the motivation and where it's coming from--that we 
make sure we balance so that we don't throw out the baby with 
the bath water, if I can put it that way. So I hope that we 
give the new contractor--I mean, after all, this took place 2 
months ago. When we last spoke, Mr. Stupak, we agreed that the 
new contractor was coming on board, and they deserved an 
opportunity to turn the situation around. This series of events 
occurred within 2 months or 3 months after they took over. They 
identified a number of preconditions--preexisting conditions 
that concerned them before they assumed responsibility, and 
cybersecurity was one of those preconditions.
    I am hopeful that we can give them a chance, with increased 
Federal intervention and oversight, to do what they were hired 
to do, which was to enhance dramatically the management of the 
laboratory, including better security and better cybersecurity 
specifically.
    So I understand, at some point down the road, a more 
dramatic, a more radical departure may be warranted 
conceivably, but at this point I hope we give them the benefit 
of the doubt, at least for a period of time, recognizing that 
the problem that we face here is a very, very serious national 
security problem.
    Mr. Stupak. Sure, but if it wasn't for the Los Alamos 
County Police Department, we would not even know about this 
incident. How many other breaches are out there that we do not 
know about because there has been no mechanism in place to 
detect it, or even if it was detected, from your testimony, no 
one at the lab seems to want to follow up on it?
    Mr. Friedman. I said in my testimony that one of the most 
frightening parts of this whole incident is that, had it not 
been for an inadvertent set of circumstances totally unrelated 
to this issue, we might not have known about it today. We might 
never have known about it, and that is a frightening thought. 
And we have identified a couple of suggestions of a more 
intense activity logging at the laboratory and monitorship with 
new software that can be costly, but may be necessary to make 
sure that other breaches, other similar breaches, are not 
occurring. Prevention is the key, in my view.
    Mr. Stupak. OK. My time is up. Hopefully we will go around 
for a second round.
    Next let me turn to the ranking member, Mr. Whitfield from 
Kentucky.
    Mr. Whitfield. Thank you very much, Mr. Chairman, and I 
thank the witnesses for their testimony this morning.
    All three of you have extensive experience in this area, 
and the consensus appears to be that Los Alamos is sort of, for 
lack of a better term, the problem child. All of these weapons 
labs have had some problems, but the Los Alamos problems seem 
to be more serious and certainly more frequent. And I know that 
the University of California does manage the Lawrence 
Livermore--has the contract for that, and for 60-some years had 
the contract at Los Alamos and now is a 50-percent participant 
in the new consortium.
    That's correct, isn't it?
    Mr. Friedman. That is roughly correct, yes.
    Mr. Whitfield. OK. Now, just from your personal experience, 
how would you explain if you were talking to a Rotary Club in 
Hopkinsville, KY, what your theory is as to why Los Alamos has 
so many breaches when you have had, for many years, the same 
management contract responsibility at both Los Alamos and 
Livermore?
    I would like to ask each one of you to just give me your 
impressions as to why that is the case.
    Mr. Friedman. Well, I don't, Mr. Whitfield, have a good 
answer for that question. I mean, it is an extremely important 
question, and despite spending years at looking at all of the 
laboratories, I don't have a good answer. I wish I did. I think 
it would get to the heart of the cure.
    But what I would say is that Los Alamos is slightly 
different. I think Livermore--and I might be wrong about this--
is essentially located on 1 square mile of territory. Sandia is 
larger, but I think none of them have the diversity, the 
geographic diversity, if nothing else, and that may be a 
contributing factor to the problem. I mean, as we have pointed 
out in the testimony, and as has been discussed earlier, we 
found, I believe, 2,700 classified computing environments. We 
have long taken the position that closing, reducing the 
footprint is the way to go, and it may well be that the number 
of classified computing environments, the number of classified 
materials that are there in sheer numbers, may be part of the 
problem.
    Mr. Whitfield. What about you, Mr. Podonsky? What would be 
your thought?
    Mr. Podonsky. Well, sir, to put it in context, we've been 
inspecting independently the operations of this lab as well as 
the entire complex now since 1984, and our observations and 
continuing issues that have developed is the lack of 
accountability, which is why I say in my opening testimony and 
why the committee here all talks about the preceding managers 
that have come up and make the statements about, now we did it, 
now we are serious, which is why I made a very poignant 
statement that I do believe that Secretary Bodman and Deputy 
Secretary Sell not only are as committed as previously, but 
they are taking action. I have been through a number of 
previous Secretaries through all of these incidences and come 
up with great plans, but they don't get converted into action.
    Mr. Whitfield. OK.
    Mr. Podonsky. So, specifically to your question, sir, I 
would say that it's accountability and holding people 
responsible for the jobs that they have out there, and we have 
not seen that consistently at Los Alamos through the years and 
at some other places, but predominantly at Los Alamos.
    Mr. Whitfield. Can I assume that you and Mr. Sell and Mr. 
Bodman are supporting the Barton-Dingell-Stupak-Whitfield 
legislation to remove NNSA from the equation?
    Mr. Podonsky. I can't speak for the Secretary or for the 
Deputy Secretary. I can only speak for myself, and I have not 
seen that correspondence.
    Mr. Whitfield. OK.
    Ms. Brian, what about the question?
    Ms. Brian. I have been struggling with this question for a 
while myself. I think it is a combination, as I mentioned in 
the joke that goes around, that there is a different attitude 
at Los Alamos, and I think because of that different attitude, 
they are more difficult at the Federal level to manage. And I 
think the bottom line is when you get the push-back from Los 
Alamos, and the Federal structure is not there, really, with 
the willingness to stick with them and demand change, I think 
that is where there is really the breakdown that I think we can 
be enforcing on.
    Mr. Whitfield. OK.
    Mr. Podonsky, let me ask a question. In 2004, Los Alamos 
was closed down for 6 months because of security breaches. What 
was the dollar amount of the penalty that the University of 
California system had to pay at that time for that breach?
    Mr. Podonsky. I am not aware of what the penalty was, sir.
    Mr. Whitfield. Who would know that?
    Mr. Podonsky. I believe the next panel--or the third panel 
would.
    Mr. Whitfield. OK.
    Mr. Barton. Would the gentleman yield on that?
    Mr. Whitfield. Yes, sir.
    Mr. Barton. Was there any penalty?
    Mr. Podonsky. Mr. Barton, I'm not aware of any penalty that 
was associated with this shutdown.
    Mr. Barton. So there was zero penalty then?
    Mr. Stupak. If the gentleman would yield, it cost the 
taxpayers $350 million. Who paid for that other than the 
taxpayers? Are we back with the same problems?
    Mr. Whitfield. My time has expired.
    Mr. Stupak. I thank the gentleman.
    Mr. Dingell, questions? We are doing 5 minutes now, and 
we'll go another round.
    The Chairman. Mr. Chairman, thank you for the courtesy.
    I find this again, as I indicated, sort of a Groundhog Day 
or perhaps deja vu all over again.
    Mr. Podonsky and Mr. Friedman, I would like to summarize 
some of the key findings of your recent work at Los Alamos.
    Mr. Friedman, isn't it correct that your team went out to 
investigate the event, and that you, in fact, spent a 
relatively short period of time on the ground, yet in that 
short period you found a lot of serious problems at the site? 
Is that correct?
    Mr. Friedman. That's correct, Mr. Chairman.
    The Chairman. Mr. Friedman, in fact, didn't your 
investigation of the recent incident reveal that in a number of 
key areas that security plans and policies were either applied 
inconsistently or not followed in some cases or, in others, 
nonexistent?
    Mr. Friedman. That is correct.
    The Chairman. Mr. Friedman, isn't it true that your audit 
revealed that the critical cybersecurity internal controls and 
safeguards were not functioning as intended at various places 
across the LANL?
    Mr. Friedman. Yes, sir.
    The Chairman. Now, Mr. Friedman, isn't it also correct that 
monitoring by both the laboratory and Federal officials was 
also found to be inadequate or, in other cases, nonexistent?
    Mr. Friedman. It was.
    The Chairman. Isn't it correct also, Mr. Friedman, that 
even though the network engineering officials and others within 
the lab's Chief of Information Office expressed concerns about 
open ports and problems with managing tamper-indicating 
devices, and these concerns were largely ignored by LANL 
officials?
    Mr. Friedman. Yes. And can I elaborate on my answer on that 
one, Mr. Chairman?
    The Chairman. Now, Mr. Podonsky, I believe your testimony 
also says that Los Alamos received the lowest set of 
performance ratings for security and emergency management since 
1999; is that correct?
    Mr. Podonsky. Yes, sir.
    The Chairman. Now, Mr. Friedman and Mr. Podonsky, both of 
you know that I've been working at this security problem for 
more than a little while.
    Mr. Podonsky, you indicated Los Alamos received some of the 
lowest scores since 1999 on security issues.
    Mr. Friedman, your report found that there was a core 
breakdown of Los Alamos' ability to protect classified 
information.
    That's correct, is it not, gentlemen?
    Mr. Friedman. Yes.
    Mr. Podonsky. Yes, sir.
    The Chairman. Would you like to tell us what is going on 
here? And we are going to ask the Secretary why we need to keep 
on having these hearings.
    What comments do you have, gentlemen?
    Mr. Friedman. Well, I think your series of questions, Mr. 
Chairman, from my perspective, basically outline--as you say, 
we have been on the ground for a relatively short period of 
time, although we have a resident staff at Los Alamos who spend 
a lot of time there, but to say that the system we found in 
place was inadequate to protect the material is an accurate 
reflection of what we found.
    The Chairman. Mr. Podonsky, are you going to comment?
    Mr. Podonsky. Yes, sir. I do not disagree with your 
statements. The only thing I would like to again point out to 
the committee is that, when our inspection team was at the 
site, we again did determine that the nuclear material was 
protected, and that's not insignificant. That is something, Mr. 
Chairman, as you'll recall back in the 1980's we paid a lot of 
attention to. That doesn't make it a good story, because the 
classified matter is something of grave concern to all of us, 
and as my colleague Mr. Friedman has talked about, we do 
believe that Los Alamos has a mission to perform for the 
country, but the security performance that they've demonstrated 
inspection after inspection continues to leave us concerned and 
baffled.
    The Chairman. Now, I would like to direct this to the 
panel, but with particular emphasis to Danielle Brian.
    A statement here says this,

    Now, in the most recent incident, a subcontractor employee 
freely took over 200 pages of hard-copy, classified documents 
and over 400 classified documents on flash drives to her home, 
which she shared with a drug dealer. This could only have 
happened if there was a complete collapse of multiple 
supervisory and security systems. It is only by happenstance 
that she was caught, not because of an effective security 
system in place. We never know--we would never have known about 
this security breach if it hadn't been for a domestic 
disturbance.

    Then she goes on to say this,

    Furthermore, we have no way of knowing how many other 
incidences like this are out there or have flown below the 
radar. It is important to remember that NNSA attempted to keep 
this incident secret from Congress and the public until POGO 
learned about it about--learned about it 8 days after a local 
police raid.

    Then here, as a side note,

    If media reports and statements by investigators are 
accurate, this most recent case points to extraordinary 
failures in the personnel security clearance process in 
addition to cybersecurity failures at the lab.

    Now, my concern here is we seem to have a situation where 
the process has broken down, whether there just is a lack of 
will or there isn't a competence on the part of the agency to 
do what needs to be done. Would you each like to tell us what 
your feelings are on this matter?
    Could I just ask for 1 minute more, Mr. Chairman, please?
    Mr. Stupak. Without objection.
    The Chairman. What do you have to say, ladies and 
gentlemen?
    Ms. Brian. Well, that is what I had to say.
    I think the problem here is a combination of extraordinary 
breakdowns. Maybe the systems aren't even there, and it's not a 
case of broken systems, but I am also equally concerned that at 
the time this was becoming known at Los Alamos, there was a 
real effort to make sure that people in the Congress didn't 
know about it. They were hoping they would make this go away.
    The Chairman. Thank you.
    Mr. Podonsky and Mr. Friedman.
    Mr. Podonsky. We did not investigate the actual 
circumstances. As I said in my testimony, Mr. Friedman did the 
investigation. We were there doing a comprehensive safeguard 
security inspection which gave us an overall, comprehensive 
review of the various topics, but we did see clearly the 
laboratory suffering from a lack of policies, procedures, 
adequate management, adequate oversight--both contractor and 
Federal--and all of that would contribute, we believe, to the 
incident that the Inspector General investigated.
    The Chairman. Thank you.
    Mr. Friedman.
    Mr. Friedman. Mr. Chairman, you made a point in your 
earlier questioning that I wanted to comment on which I think 
would respond to this question as well.
    You pointed out, which was a good read of our report if I 
may say so, that we found that, I think it was in the March 
2006 time frame, there was e-mail communication within the 
laboratory about the concern about open ports. So, in other 
words, the institution itself identified that as a problem, and 
there was a fair amount of traffic, e-mail traffic, on that 
issue.
    And it gets to the point that I was trying to make earlier 
about closing the deal, sustainability and the ultimate fix, 
and that is that, tragically, even though it was discussed 
extensively--and I think it was in March 2006, and I don't have 
that instant recall. I think that's the right date--no one took 
it to the next step, which is to make sure that the proper fix 
was implemented to address the concern. Now, it was not of 
universal concern. There were people at the laboratory who 
didn't think the open ports were a serious problem, but there 
were enough people who did, and it would seem to me--and I 
think this is, perhaps, revealing as to the essence of the 
problem--that they didn't address the problem then and resolve 
it.
    The Chairman. Your comments earlier in response to a 
question were that we ought to give the laboratory the benefit 
of the doubt. I wonder if, after this commentary, you are in 
agreement that we ought to give them the benefit of the doubt.
    Mr. Friedman. Well, I think I'm the one who said it, Mr. 
Chairman, so I will stand by the statement.
    First of all, I think the laboratory is an extraordinary 
institution, and second, I think that in fairness--and believe 
me, I am not here--I probably write more critical reports about 
Los Alamos than anyone, but in fairness, I think the new 
contractor is really brand new, was brand new when this 
occurred, and they deserve an opportunity to try to fix the 
problem, and if they can't fix the problem, I'd be the first 
one to sit before you and tell you that a much more radical 
solution needs to be tried.
    The Chairman. Thank you, Mr. Chairman.
    Mr. Stupak. Next, Mr. Barton from Texas.
    Mr. Barton. Thank you. Some of the statements just kind of 
strain credulity.
    Mr. Friedman, who was the old contractor?
    Mr. Friedman. The University of California.
    Mr. Barton. Who is the new contractor?
    Mr. Friedman. I think it's a consortium. I believe it's a 
limited----
    Mr. Barton. Come on. Who is the new contractor? It is the 
University of California. They've got a consortium, and there 
may be some different players, but the University of California 
has had this contract for 60 years. They were the old 
contractor; they are the new contractor; is that not correct?
    Mr. Friedman. Well, I----
    Mr. Barton. Yes or no?
    Mr. Friedman. No, actually.
    Mr. Barton. It's not?
    Mr. Friedman. No.
    Mr. Barton. They are not part of it?
    Mr. Friedman. They are the primary science player, there is 
no question about that, but the whole concept, as I understand 
it----
    Mr. Barton. They have 50 percent of the contract.
    Mr. Friedman. That's true, but it----
    Mr. Barton. The person who has been moved to the new--who 
is the new lab director is a University of California employee.
    Mr. Friedman. That is correct.
    Mr. Barton. The Bechtel individual, who is the top person, 
has already left; is that correct?
    Mr. Friedman. That is correct, yes.
    Mr. Barton. Now at least be honest with the committee.
    Mr. Friedman. Well, I have tried to be honest, Mr. 
Chairman.
    Mr. Barton. This semantics about old and new is an affront 
at least to me. My gosh. Is it not true that under the new 
contract the performance part of it is at risk if there is a 
security lapse?
    Mr. Friedman. Well, let me give you the read of the 
contract as I understand it, Mr. Barton, and there are people 
at least on the third panel who are the negotiators of the 
contract who can give you more detail.
    In its full bloom, my understanding is there's about a $70 
million-a-year potential award fee, 30 percent of which, as I 
understand it, is----
    Mr. Barton. It is $73,280,000 to be exact.
    Mr. Friedman. As I understand it, 30 percent of it is 
fixed, and 70 percent is at risk. That's the way I understand 
the formulation of the contract. I believe there also is a 
provision--and I'm not an expert on the contract. There are 
people here who are. I believe there are provisions that, in 
extraordinary circumstances, at least the entire at-risk 
portion can be withheld from the contract.
    Mr. Barton. Is it not true that, in your testimony, you 
suggested that there'd be a serious withholding of the 
incentive part of the contract?
    Mr. Friedman. Yes, sir, I did.
    Mr. Barton. Do you want to put a number on that? How 
serious is ``serious''? The safeguard and security execution 
part of the mission success is $3 million.
    Mr. Friedman. Yes.
    Mr. Barton. Is that serious, or do you think ``serious'' 
would be $10 million?
    Mr. Friedman. No, I think it may be $3.8 million, Mr. 
Chairman, but I don't think that's serious money.
    Mr. Barton. Mr. Stupak is the chairman. I am the ranking 
member.
    Mr. Friedman. Mr. Ranking Member then. I apologize.
    Mr. Barton. I'm just at a loss here.
    I'm going to ask Mr. Podonsky something.
    The gentle lady next to you indicated that the contractor 
at the site office has 20 vacancies. Is that your 
understanding?
    Mr. Podonsky. I do not know the exact number, but, yes, I 
do know that they are short.
    Mr. Barton. What is the number--what would be the full 
complement? Is it like 40 people at the site office, 100 
people?
    Mr. Podonsky. Mr. Barton, I do not have that number. That 
would be--the NNSA would have that number, but I would just 
tell you that I do know that they're short on qualified Federal 
staff.
    Mr. Barton. OK.
    Ms. Brian, do you know how many people would be the full 
complement if they were fully manned at the site office?
    Ms. Brian. I don't know. I do know that of the 20 
vacancies, a large percentage of them are in the security and 
safety area for the site office.
    Mr. Barton. Does that, to you, indicate that the Department 
is serious and the new contractor is serious about this?
    Ms. Brian. Well, that's actually the Federal Government.
    Mr. Barton. I understand that.
    Ms. Brian. So my worry is that DOE isn't serious or NNSA.
    Mr. Barton. OK. Could we get that information, what the 
total staffing is and what these vacancies are?
    Mr. Podonsky, do you think that we ought to fill those 
slots?
    Mr. Podonsky. Yes, sir. I think that they need to be filled 
with the right qualified people because this laboratory needs 
appropriate Federal oversight from the NNSA.
    Mr. Barton. My time has expired, Mr. Stupak.
    Mr. Stupak. I thank the gentleman.
    Ms. DeGette.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    Mr. Friedman, I wanted to ask you some questions about what 
you had said in response to several of the other Members' 
questions.
    The first thing is you said that we really need to give 
this new contractor a chance, and that we need to--if we need 
to do something dramatic, we should do it down the road. So I'm 
kind of wondering how long is that road, because I've been 
sitting here in this subcommittee since 1999 hearing these 
assurances. I understand what you're saying about the quality 
of people that we have there and the high-level work that's 
going on, but how much longer do you think we need to be 
patient? How much longer do we need to give these folks to fix 
these problems?
    Mr. Friedman. Well, my view is, from the start date, it 
should be probably 1 year.
    Ms. DeGette. One year from June? So until this June?
    Mr. Friedman. This June, yes.
    Ms. DeGette. And do you think that--and my second question 
is how will we know if the new contractors have fixed the 
problem? Will we know that if the local law enforcement 
authorities bust some people or if the local newspapers have an 
expose? How are we going to know if the problem's been fixed?
    Mr. Friedman. Well, with 12,000 people there, you may never 
know for sure. I understand that, but I think in the next 6 
months' time what will be devoted by the Department is an 
intensive examination of all aspects of the function of the lab 
to make sure that the problems have been addressed.
    Ms. DeGette. Well, do you think we haven't had that 
intensive examination in the many past times that we've worked 
on this?
    Mr. Friedman. I do not think we've had that intensive 
examination.
    Ms. DeGette. That's just appalling to me because they 
closed down the lab after we visited in 2004, and you don't 
think they did that intensive examination?
    Mr. Friedman. Well, I think they did an intensive 
examination, but the point I've been trying to make is that, 
once they did the intensive examination, did they sustain an 
aggressive program to address the problems that were 
identified, and that's the concern that I'm expressing today.
    Ms. DeGette. Do you have some specific recommendations as 
to what the Department can do to do this intensive examination 
within the next 6 months?
    Mr. Friedman. Yes.
    Ms. DeGette. Would you mind supplementing your responses by 
delineating those specific things that the Department can do?
    Mr. Friedman. Certainly.
    Ms. DeGette. Thank you.
    Ms. Brian, what is your view about all of this that we 
should give some time for the Department to clean this up, and 
then it'll be fixed?
    Ms. Brian. I respectfully disagree with Mr. Friedman.
    I think that the first thing is that the DOE needs to get 
its house in order and NNSA, and then I think the contractor 
will ultimately follow in line. I just think that the 
Government hasn't been doing its end of the job.
    Ms. DeGette. And what do you think the Government can do?
    Ms. Brian. I think we need to have sincere--well, one of 
the things that I think is really important is that a lot of 
these issues, as I discussed in my written testimony, are 
infuriatingly familiar.
    Ms. DeGette. Right.
    Ms. Brian. We've known about these problems before. We've 
had IG and various iterations of Mr. Podonsky's office make 
recommendations, and nothing has--no one has required the 
people at NNSA to actually implement these recommendations. 
We've had Secretaries--in fact, the issues that--I think it was 
Mr. Walden who was raising them with the glue sticks. Those 
were the kinds of things that were supposed to have been dealt 
with back with Secretary Richardson----
    Ms. DeGette. Right.
    Ms. Brian [continuing]. And they've been buying new 
computers for the last 10 years with the USB ports because, as 
I learned, the people who were in charge of buying the 
computers at Los Alamos weren't really talking to the 
cybersecurity people to realize that they didn't want to have 
computers with USB ports.
    Ms. DeGette. Mr. Podonsky, do you have a view on that? Do 
you think this problem can be fixed in 6 months without any 
substantial changes?
    Mr. Podonsky. No. We do believe that there needs to be 
substantial changes, and we do believe that this Secretary and 
the Deputy Secretary are moving towards that direction. They're 
not just promissory notes of the past. We've seen actions taken 
that we have never seen in 25 years of this Department where 
people were actually held accountable.
    You do need to have performance measures that the 
contractor's held accountable against. We also have an 
enforcement function within the office that we also need to 
employ.
    So there are a lot of--a lot of tools for the Department to 
exercise now and get on with fixing the laboratory together 
with fixing the NNSA and the policy of the Department.
    Ms. DeGette. Do you think, Mr. Friedman, that the physical 
size of Los Alamos is a problem?
    Mr. Friedman. Yes, I think it's a challenge.
    Ms. DeGette. And what can we do to deal with that 
challenge, do you think?
    Mr. Friedman. Well, first of all, we can make a concerted 
effort to consolidate functions, reduce the number of vaults, 
reduce the number of classified computing environments. I don't 
know how practical that is. I think it's something that we need 
to look at very carefully.
    Ms. DeGette. Thank you.
    Mr. Friedman. Second, I think we need to enclose the 
footprint so that the security perimeter is reduced so physical 
security will be--will be somewhat easier.
    Ms. DeGette. Mr. Chairman, I think a good time for a 
follow-up hearing--I mean, we should have some interim ones, 
but we also need to have one in June to mark the 1-year 
anniversary and see how they fixed all these problems.
    Mr. Stupak. Mr. Burgess, questions?
    Mr. Burgess. Thank you, Mr. Chairman.
    Mr. Podonsky, we have been through--I have been through at 
least 2 years of these travails, and it seems like every 
security incident that has been reviewed has been by an 
employee who has received a security clearance; is that 
correct?
    Mr. Podonsky. My recollection is that predominantly cleared 
individuals have been violating DOE's requirements.
    Mr. Burgess. Was that the case in this most recent event in 
October?
    Mr. Podonsky. I believe so.
    Mr. Burgess. OK. And the individual who claimed assault at 
the bar a couple of years ago, was that also an individual who 
had been cleared?
    Mr. Podonsky. I believe that is the case.
    Mr. Burgess. Is there a problem with how we're granting 
clearances to--how NNSA is granting security clearances?
    Mr. Podonsky. The personnel security process is one of--the 
task force that the Secretary initiated at the beginning of 
this event after Mr. Friedman's report was to look at personnel 
security, specifically at the case in question as well as 
DOE-wide. Concurrently there was a review that had begun by Deputy 
Secretary Sell in May of last year where we were looking at 
personnel security processes.
    So the short answer is, yes, we do believe that personnel 
security processes within the Department and, in fact, the 
entire executive branch which are being looked at by the OMB 
right now are something that we need to get on with, and that's 
what we're doing, and we're going to be making recommendations 
to the Secretary and the Deputy Secretary at the end of 
February of what to do with the personnel security program 
within the Department of Energy.
    Mr. Burgess. Will that include any type of program that 
looks at cleared individuals in an ongoing fashion?
    When I was there in July 2005, it was right after the 
credit card abuses came to light, and it appeared, as I recall, 
that those were cleared individuals who had then subsequently 
developed either domestic problems or substance abuse problems 
that led them to misuse the credit cards, and you can just 
imagine that other things may have happened also as a result.
    So will there be an ongoing evaluation?
    Mr. Podonsky. The recommendations that, I believe, are 
coming out of the task force will be covering both from the 
beginning of hiring all the way through current employees so 
that we have an ongoing review of people holding clearances.
    Mr. Burgess. Inspector Friedman, do you think, in 
retrospect--I reference the RFP process that the lab just went 
through. Chairman Barton also referenced the contractor. Do you 
think that was an open and fair process?
    Mr. Friedman. Frankly, Dr. Burgess, I have no information 
that it was not. Unfortunately, there were two proposals, as I 
understand it, in the final field, but I have no reason to 
believe it was not open and fair. I have no information to that 
effect.
    Mr. Burgess. Would that be in the purview of the Inspector 
General's Office to know that, or is that outside your 
capabilities?
    Mr. Friedman. No, it's not outside our capabilities, and, 
by the way, if there had been concerns by proposers that were 
not considered, it would not be unusual for us to get 
complaints about that, and to the best of my recollection, and 
I could be wrong about this, I don't think we received any 
complaints along those lines.
    Mr. Burgess. And yet some of just the traffic from the 
bloggers on line--and I realize that that carries its own 
inherent dangers, but there is some question as to whether or 
not the current contractor was, in fact, the best one and is 
the best one going forward.
    Again, I don't know whether it's the purview of this 
committee to investigate that process, but, Mr. Chairman, I for 
one certainly wonder if we oughtn't to look at that.
    Ranking Member Barton asked about the fines. The amount of 
money levied so far against the current contractor, do we have 
a dollar figure on that?
    Mr. Friedman. Are you referring that question to me?
    Mr. Burgess. Yes, sir.
    Mr. Friedman. I do not have a number on that, no.
    Mr. Burgess. Is there a way to--for anyone, is there a way 
to get that dollar figure on the fines levied against the 
contractor?
    Mr. Friedman. Well, respectfully, the third panel, I think, 
includes people who would have that information.
    Mr. Burgess. Does the contractor recognize the amount of 
dollars that they are putting at risk?
    Mr. Friedman. I suspect they know the contract intimately.
    Mr. Burgess. OK.
    Mr. Friedman, just to finish up, your statement said the 
criminal investigation into the matter last fall is ongoing and 
may yet reveal additional security problems.
    In an open session can you expand on that statement?
    Mr. Friedman. Well, simply, the FBI has been conducting a 
criminal investigation from the get-go, and the purpose of that 
statement in my testimony--and I think it's in our report as 
well if I'm not mistaken--is that until their investigation is 
complete, we don't know what will turn up. There may be more.
    Mr. Burgess. What would be a reasonable time frame for this 
committee to expect that that investigation will take?
    Mr. Friedman. That's within the purview of the FBI, sir, 
and I have no idea.
    Mr. Burgess. Mr. Chairman, will we be privy to that report 
when the Department of Justice completes that?
    Mr. Stupak. That's a good question. We'll double check on 
it. I don't see why not, but let's double check first.
    Mr. Burgess. All right. My time has expired.
    Mr. Stupak. The gentleman from Louisiana Mr. Melancon.
    Mr. Melancon. Thank you, Mr. Chairman.
    I guess, Mr. Friedman, one of the first things when you 
look at--and I understand there's a problem with the drug use, 
apparently, with this one particular breach, but apparently 
there's some additional problems out there within.
    Does the staff or the security people require or do the 
random drug sampling, the urine test, at all on the employees, 
or is it ``you're hired''?
    Mr. Friedman. I'm in open session. Part of your question I 
think I can address, but part of it I would prefer not to 
address.
    My understanding is--and, again, there are people who are 
on the third panel who can address the issue of the current 
policy. My understanding is that they have implemented a random 
drug test for all Los Alamos employees, but I may be wrong 
about that, and you'll need to ask the third panel, sir.
    Mr. Melancon. And have you just done that just recently?
    Mr. Friedman. Fairly recently, yes.
    Mr. Melancon. With the time that's transpired with the 
issue of security breaches and you've replaced the chain of 
command, the latest chain of command replacement took place 
when, how long ago?
    Mr. Friedman. June 1.
    Mr. Melancon. June 1 of last year?
    Mr. Friedman. Correct.
    Mr. Melancon. And that was subsequent of the close-down for 
7 months in 2004?
    Mr. Friedman. Well, the contract changed hands on or about 
June 1, 2006, and, yes, it was subsequent to the 2004 shutdown.
    Mr. Melancon. OK. So somewhere between 2004 and last year, 
which was 2006, how was the lab run? Who was in charge?
    Mr. Friedman. The University of California was the prime 
contractor.
    Mr. Melancon. And the on-site security?
    Mr. Friedman. They ultimately were responsible for the 
on-site security.
    Mr. Melancon. Who did they subcontract out for the 
security? I don't think the University of California is a 
security company.
    Mr. Friedman. Well, they are at some locations, 
interestingly enough, and I forget the name of the contractor, 
to be honest with you; the subcontractor, I should say.
    Mr. Melancon. The diversity of the science--and this is, of 
course, somewhat new to me--that's out there or the regimens 
that you have out there of the different scientists, is there 
some way--and I think maybe you spoke to it earlier. Is there 
some way to isolate these and provide better security on each 
sector rather than just have these--and I haven't been to the 
facility--12,000 people just coming and going wherever they 
want to go?
    Mr. Friedman. Well, there are a number of secure areas at 
the facility, and it's worthwhile going to see it. It's quite 
impressive. So I wouldn't say there are 12,000 people running 
back and forth at will. It's much more systematic and 
controlled than that. I'm not sure if there's a practical way 
of doing it by discipline, but I haven't thought that through, 
I can't give you a good answer.
    Mr. Melancon. Yes, I'd like to go and see it. The only view 
I've had of it was from across the valley at a friend's house 
at night with the lights, so getting in there and looking at 
it, I guess, close-hand would do me a whole lot of good.
    I listened to the frustration of Ranking Member Barton and 
Chairman Stupak and others who have been here and gone through 
this for a period of time, and I guess to--we're to June.
    Why did it take so long from the 7-month shutdown--and 
that's another year, year and a half--before we got the new 
contract in, and now we're waiting a year to see if we're going 
to get--what's the problems with moving this thing quicker? I 
mean, I know the numbers are big, but----
    Mr. Friedman. Well, yes. I'm not sure I can give you the 
precise timeline, but in the general sense, the recompetition 
of this contract was a very turbulent issue. It was a very 
costly issue. It was a very labor-intensive issue, and it was a 
time--a time issue as well. It takes a long time to prepare the 
RFP, to address, hopefully, the issues that have been resident 
at Los Alamos for 64 years, and to go to the street, give 
people time to propose, to evaluate the proposals, and to move 
forward.
    So I don't know if that answers your question, but it is a 
very time-consuming task.
    Mr. Melancon. I'm from south Louisiana. I've seen inside 
baseball, and they're getting plagued down in recovery efforts, 
so I think I can understand some of it.
    Thank you. I have no more questions.
    Mr. Stupak. Mr. Murphy.
    Mr. Murphy. Thank you, Mr. Chairman.
    Mr. Friedman, do we have information yet on what was the 
motive for this theft?
    Mr. Friedman. Mr. Murphy, it would be inappropriate--first 
of all, I don't know the answer to the question. It perhaps 
resides with the FBI, but at this point I don't know.
    Mr. Murphy. Do we know yet--and I guess I would open this 
to all of you--what, if anything, was--I know there was also 
talk about printers being bought and things like that--about to 
what extent things were copied, distributed and sold or who 
these documents also went to?
    Mr. Friedman. If you're directing that to me, I'll give you 
the same answer. The FBI really, ultimately, will have to 
address that.
    Mr. Murphy. The same with Mr. Podonsky and Ms. Brian. Does 
anybody know yet?
    Mr. Podonsky. I would say the same thing as Mr. Friedman. 
We don't have the answers to that.
    Ms. Brian. I can speak to the press reports from her 
attorney, which were that she was taking the work home to get 
extra work done, that she was behind.
    Mr. Murphy. OK. Has anybody determined if there has been--
if any of these contents have appeared anywhere else besides 
just there?
    I guess what I'm getting to here is, with regard to this 
information, that even though we're waiting for further details 
from the FBI, have we learned anything from this yet that can 
be used to take other steps other than just blocking some of 
the ways you can put in a thumb drive or something; but have we 
learned how it affects security, of how it will affect hardware 
and software inspections, how people come on and off the site, 
their security clearances? Have we learned things from this, 
unique to this, that has affected what we're doing overall and 
what's been implemented, or are we still going to wait for the 
FBI reports on this?
    Mr. Podonsky. I would start, first of all, Congressman, 
with a task force that we are heading up on the personnel 
security piece. We believe there is going to be a lot of 
serious lessons learned that are going to come out of the 
specifics to the case as well as the broader issue on personnel 
security that one of the members of the committee asked 
earlier.
    We believe that, in terms of cybersecurity as well, there 
are also lessons learned that we know that the CIOs for both 
NNSA as well as the Department are looking at, and we also know 
that the third panel will--has, in fact, done a damage 
assessment that they could probably talk about in executive 
session.
    Mr. Murphy. And I will look forward to that part.
    I was just wondering here, while we're still in a public 
hearing, what we can assure the American public with regard to 
some lessons learned, because it concerns me that this 
subcommittee has looked at these issues for a long time. Your 
inspections give us pretty solid, yet frightening information 
on the levels of breach of security, and we're still awaiting 
another review before we determine what else we need to do when 
so much has been out there for a while, and so it's just 
something I just have to continue to raise the question of. 
What more do we need to know before we really put the heel down 
on this?
    Ms. Brian. Congressman, if I could answer one question, I'm 
hoping by the end of this hearing that one thing that could 
change is NNSA's pilot program at Los Alamos, which is 
essentially self-policing for safety and cybersecurity. I'm 
generally not a big fan of self-policing as a rule, and I think 
that a facility like Los Alamos hasn't earned the trust of the 
Congress or the public to be essentially left up to themselves 
to report when they have problems, and I think that's something 
that should be changed immediately.
    Mr. Murphy. Anybody else on that issue?
    Mr. Friedman, do you have something on that?
    Mr. Friedman. I did want to point out to you, Mr. Murphy, 
that our report--and I think we have 14 recommendations for 
corrective actions. They're not all-encompassing, 
all-inclusive, but we think it's a good start. The Secretary, as I 
indicated in my testimony, has a task force looking at those, 
and we'll be interested to see what their report says in 
February in terms of how to convert those ideas into reality at 
the laboratory, both at the Federal level and the contractor 
level.
    Mr. Murphy. Mr. Podonsky.
    Mr. Podonsky. As the independent overseer for the Secretary 
and the Deputy Secretary, I would just tell you that I have a 
prejudicial answer, and that is we don't think that 
self-assessment, by itself, is good, and the contractor should have 
Federal oversight. That's why we have contractors and the Feds 
managing them or should be managing them. So, while the NNSA 
has this pilot proposed, we don't think it's ready for prime 
time as exemplified by their performance to date.
    Mr. Murphy. And I would add to that. We're waiting for 
further investigations. We're reviewing these 14 
recommendations. It seems to me a lot of time is ticking by, 
and I'm just frightened, and I shudder to think what is out 
there and what else could be happening while all these breaches 
have occurred and continue to occur. So we will hopefully speed 
up this whole process.
    Thank you, Mr. Chairman.
    Mr. Stupak. I thank the gentleman.
    Mr. Green from Texas, questions?
    Mr. Green. Thank you, Mr. Chairman.
    Mr. Podonsky, you state in your testimony that 25,000 
unclassified workstations and servers were not certified or 
accredited. What does that actually mean? Are they unprotected 
workstations?
    Mr. Podonsky. No, sir. I should--I should clarify that the 
certification and accreditation process makes sure that 
security features are in place and operating as designed. When 
you didn't--when they didn't do the accreditation of the 25,000 
unclassified workstations, they did do a network accreditation. 
Our cyber experts tell me that that's not sufficient, because 
you don't know if you have individual vulnerabilities on those 
25,000 computer workstations. So that's something that--what we 
believe should be done and should be included in their 
certification and accreditation process.
    Mr. Green. It seems like--and, again, you've heard it from 
every Member up here for the last at least 8 years, I guess--
we've identified problems time and time again and identified 
solutions, but for some reason there's no follow-through on 
closing the deal. I know it's a great task to do--to just deal 
with those 25,000 workstations and servers, but why wasn't that 
done before this particular person walked out with the disk? It 
seemed like that would have come up in the last 8 years before, 
at least before this committee, and is there a problem, and 
nobody knows how to implement the solutions to it?
    Mr. Podonsky. Well, sir, we've identified that the lab has 
inadequate cyber plans, policies and procedures; incomplete 
risk management processes; weak self-assessment. So there's a 
whole litany of things that the laboratory could do to fix 
this.
    Mr. Green. OK. I imagine this is not news to anyone sitting 
on this panel for the last 8 years. As I said, I just came back 
after 6 years off of it.
    Why can't it be fixed? Why can't we have this? Since it's a 
new contract, I assume when it went out for bids, this new 
contractor was security-conscious, and is it just not an issue 
that makes it to the floor of the actual Los Alamos?
    Mr. Podonsky. Sir, if you're addressing that to me, I would 
answer it can be fixed, and I believe, under the current 
leadership of the Department, it will be fixed. As I said for 
my third time now, having listened to all the plans before, to 
answer your question specifically, it is that the contractors 
in years past have not been held accountable to do what the 
Department has expected them to do.
    Mr. Green. Mr. Friedman, do you have a comment on that?
    Mr. Friedman. Well, a number of failures that we identified 
in our report, Mr. Green, are low-hanging fruit: plug the holes 
where they should be, the ports where they should be plugged, 
essentially segregate duties where they need to be segregated, 
ensure that there's adequate monitoring. I mean, these are not 
high-tech, costly, time-consuming, difficult things to do, and 
they should be done--they should have been done 
instantaneously, and if the lab has not taken steps to do those 
at this point, I would be very discouraged and very 
disappointed.
    Mr. Green. Well, Mr. Chairman, it seems like I'm refreshing 
my memory on this. I remember, over the years, we've had--this 
is really a college campus. The security is mostly research, 
what they're doing, and they're more interested in that. And it 
seems like, since the last time I was on the committee, we 
haven't seen any changes even though it went out for bid, and I 
hope the next panel, even in closed session, will show us what 
can be done from--to make sure that this oversight 
investigation committee doesn't continue to be dealing with 
what's happening at Los Alamos for almost a decade now, so--and 
I yield back my time.
    Mr. Stupak. I thank the gentleman.
    The Members have just a couple of quick follow-ups. We're 
going to switch to 2 minutes and just a quick follow-up with 
this panel, and then we're going to ask Mr. Friedman and Mr. 
Podonsky to stay because we will go to executive session a 
little bit later, but we'd like to get the other panels done 
before we move to executive session.
    So, with that, for 2 minutes, I'll just recognize myself 
for 2 minutes.
    In questions Mr. Green put forth and throughout the 
testimony today, we've heard that the system breaks down; 
there's broken systems; it's inadequate.
    In July 2004, the lab was shut down. They were doing this 
extensive review. Everything was supposed to be fixed up for 
that. It cost the taxpayers $350 million.
    So what happened? The $350 million and the 6-month shutdown 
didn't accomplish anything? The systems weren't updated? The 
holes weren't plugged? What happened? What did we get for $350 
million besides a shut-down lab for 6 months?
    Mr. Friedman. Are you directing that to me?
    Mr. Stupak. Sure, Mr. Friedman.
    Mr. Friedman. Look, Mr. Chairman, if I gave anybody the 
impression by my earlier testimony that I think that the 
situation you find now is OK and it will get better 
automatically, I left the wrong impression, and I apologize for 
that.
    I am extremely discouraged and disappointed that after the 
litany of reports and the series of unsettling events that have 
taken place, that the simple fixes that are obviously readily 
available have not been in place, regardless of whether there 
is a new contractor or not.
    So if you are asking what we got for our own money, it 
seems to me if this is the result, we did not get a lot for our 
money.
    Mr. Stupak. As I stated earlier, Mr. Friedman, in your 
report you said: Reviewing serious breakdown in the core 
laboratory security controls. Core. Their very basic, 
fundamental security is broken down. If we couldn't fix it 
after shutting it down for 6 months and $350 million, how do we 
fix it now other than we have a new person coming on board?
    Mr. Friedman. Well, I think I tried to lay it out. As I 
said, we have 14 recommendations in our report, and I try to 
lay out some bigger-picture items that we talked about. One is 
the question of real accountability, significant material 
impact on award fees, reassignments, terminations; perhaps a 
change of the mix of the mission of the lab is a possibility. 
So I think there needs to be some really fundamental changes to 
shake up the system to ensure that there is a sincere 
dedication to fixing these problems. We haven't seen it yet.
    Mr. Stupak. My time has expired. Let me ask one question if 
I may.
    Los Alamos has a great record. They have great people 
there, top scientists, some of our best, most sensitive work 
there, no doubt about that. But I asked a question last hearing 
and never really got an answer. Maybe you can answer it now 
after some time reflecting upon it.
    What do we do at Los Alamos that cannot be duplicated or 
done at the other labs? Is there anything so unique that can 
only be done at Los Alamos and not at the other labs?
    Mr. Friedman. Well, let me try to answer it this way. You 
did ask that question in a hearing that I participated.
    Mr. Stupak. And no one has come up with a unique 
mission.
    Mr. Friedman. It seems to me once you get past the 
facilities, the physical plant, and there are unique aspects of 
the physical plant that would cost hundreds of millions, if 
perhaps billions, to replicate, once you get past the core of 
the extraordinary intellectual invigoration that exists there, 
the people with the unique talents, it seems to me that--the 
fundamental issues that go on there could be done someplace 
else. I think the answer to your question is yes.
    Mr. Stupak. Mr. Whitfield.
    Mr. Whitfield. Thank you, Mr. Stupak.
    Mr. Podonsky, under the terms of the new contract with LANS 
at Los Alamos, and when it comes time to assess penalties or 
fees which we had discussed a number of times today, does the 
National Nuclear Security Administration have the primary 
responsibility of enforcing the contract?
    Mr. Podonsky. For enforcing the contract, yes, sir.
    Mr. Whitfield. And could you just briefly explain the 
process that would be entailed in assessing a penalty under the 
contract?
    Mr. Podonsky. Not under the contract. I would have to 
request that you defer that to the third panel.
    Mr. Whitfield. So you are not involved in that at all?
    Mr. Podonsky. Not in that type of enforcement.
    Mr. Whitfield. Thank you.
    Mr. Stupak. Mr. Melancon, any questions to follow?
    Seeing no other Members present, we will dismiss this 
panel.
    Mr. Friedman and Mr. Podonsky, we would ask you to stay.
    Ms. Brian, thank you.
    Mr. Stupak. Our next panel, if we may, would consist of the 
Honorable Clay Sell, Deputy Secretary of the Department of 
Energy.
    Mr. Sell, again, I have to ask you to since we take all 
testimony under oath, and did you bring a legal counsel with 
you?
    Mr. Sell. I would just note, Mr. Chairman, the presence of 
our Deputy General Counsel from the Department of Energy.
    Mr. Stupak. Very good.
    OK, sir, I would ask you to please raise your right hand.
    [Witness sworn.]
    Mr. Stupak. The record should reflect the witness has 
affirmatively stated that his testimony would be under oath.
    Mr. Deputy Secretary, please, if you want to give an 
opening statement.

TESTIMONY OF HON. CLAY SELL, DEPUTY SECRETARY, U.S. DEPARTMENT 
                           OF ENERGY

    Mr. Sell. Chairman Stupak, Congressman Whitfield, members 
of the subcommittee, I welcome this opportunity to appear 
before you today to discuss security within the Department of 
Energy and the recent security incident at Los Alamos National 
Lab.
    The national security responsibilities entrusted to Los 
Alamos are our Nation's most important. The successes that have 
sprung forth from this great lab in years past and today are 
properly a source of great pride and great power in our 
country. The capabilities of the men and women of Los Alamos 
continue today to make this lab the only place to go for many 
national security requirements. And, of course, the secrets 
entrusted to this lab are among the Nation's most sensitive.
    These are among the reasons that the facts of the most 
recent security incident at Los Alamos are so troubling and the 
source of such tremendous frustration and concern to the 
Secretary, to me and to many others throughout the DOE 
enterprise.
    And now, despite years of focused attention and the 
expenditure of millions of dollars, we are confronted again 
with the security failure, the facts of which suggest we still 
have a much larger and a much deeper problem.
    As has been alluded to, many well-intentioned leaders have 
worked to improve security at Los Alamos over the last few 
years, and in many key areas the Department has made 
substantial progress. But Secretary Bodman and I are less 
interested in effort, process and good intentions and more 
interested in results. The results on matters of security at 
Los Alamos National Laboratory remain unacceptable.
    You have already heard from earlier witnesses; in fact, you 
each have made statements about what have led to the problems 
and what happened in this recent matter.
    Later today you will hear from the Acting Administrator of 
the NNSA, our Department's Chief Information Officer and the 
Director of Los Alamos National Laboratory in more detail. 
Therefore, I intend to focus the balance of my remarks on what 
the Secretary and I are doing to fix the problems and move 
forward.
    First, in the immediate aftermath of learning about the 
security breach at Los Alamos, we acted immediately to assess 
the situation and understand the facts. The NNSA Administrator 
dispatched the Chief of Defense Nuclear Security and the 
Cybersecurity Team to the site to begin an immediate review of 
the incident. On October 26, the Secretary ordered the 
Inspector General to investigate. And on October 30, I 
personally traveled to the lab to meet directly with those on 
the ground and to gain firsthand knowledge of the incident and 
remedial actions to address the problems.
    Second, we took quick action to address realized 
vulnerabilities. On November 8, I issued a memorandum to 
improve cybersecurity protection for classified computer 
systems throughout the DOE complex. That memo included 
immediate direction to every lab and every facility operating a 
classified system to conduct an examination of the adequacy of 
its practices and procedures to ensure that classified 
information is protected using multiple layers of cybersecurity 
protection including protection against potential insider 
threats. Also, the memo required an accounting by each lab and 
facility throughout our complex for full implementation by 
January 15 of this year. Today I am informed that the entire 
complex is in compliance. The line managers will be responsible 
for ensuring continued adherence to this policy.
    Third, in response to findings contained within the 
Inspector General's report issued on November 27, the Secretary 
directed two specific actions: first the creation of a senior-
level ad hoc committee to review all of the recommendations in 
the IG's report except those concerning the Department's 
security clearance process; second, the establishment of a task 
force to review the personnel security programs throughout the 
entire DOE complex.
    Both reviews will conclude and provide recommendations to 
the Secretary no later than February 28 of this year. Once we 
have reviewed the results of the laboratory's actions, 
corporate and Federal validation activities, the Secretary's 
two task force recommendations and other actions that have been 
directed, we will follow up--we will follow up and develop 
additional improvements and additional reviews as necessary.
    We will be pleased to discuss with the subcommittee the 
additional actions the Secretary decides to take once he has 
received and reviewed the task force recommendations.
    Fourth, during numerous occasions, meetings and 
conversations with the NNSA, with the NNSA Administrator and 
his team, with the Los Alamos Director, and with members of the 
Executive Board, the new contractor at Los Alamos, the 
Secretary and I have expressed our depth of concern, our sense 
of urgency and clear expectations for accountability from the 
top of the Department to the bottom of the laboratory, and that 
these continuing security problems must be addressed, 
rectified, and prevented in the future.
    Fifth, even before the recent incident at Los Alamos, the 
Department had substantially increased focus and attention to 
matters of cybersecurity including hiring of a new Chief 
Information Officer in November 2005 to reinvigorate and 
strengthen our efforts. Among other things, he accelerated our 
efforts to update our cybersecurity order and National Security 
Systems Control Manual, and has taken numerous actions to 
improve our Department's cybersecurity posture. We also brought 
in a new Chief of Counterintelligence and reorganized the 
office to improve its performance.
    Sixth, the Department also previously recognized--and I 
would add with strong urging from the Congress--that the 
leadership of the laboratory could be strengthened by competing 
the M&O contract. And last June a new corporate leadership team 
took over management of the laboratory for the first time in 
its 64-year history.
    Seventh and finally, because it is our view that we are--
that we, the Department, the Secretary and I, are accountable 
to the President, the Congress, and the American people not 
just for efforts, but for results, the Secretary and I made the 
extremely difficult decision to replace the Administrator of 
the NNSA and bring in new leadership.
    Now, only time will tell if we are to be successful, if we 
are to distinguish ourselves from our predecessors. But the 
Secretary and I are committed to making the tough decisions 
required to lead our Department to a level of security 
performance befitting the great missions the country has asked 
us to carry out. We have made progress in improving the 
security across the Department and at Los Alamos, but as the 
latest incident indicates, we have much more work to do. We 
remain committed to the task.
    I am happy to answer your questions at this time.
    [The prepared statement of Mr. Sell appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you, Mr. Secretary.
    You indicated that only time will tell whether or not we 
are going to be successful, and I say this politely, but one of 
the problems, I think there is a turnover we see at the lab and 
administration and things like that. Secretary Bodman, with an 
upcoming Presidential election, will only be there 2 years. 
Those problems that we see, the problems, the constant problems 
we see, won't be resolved in 2 years, will they?
    Mr. Sell. The efforts to resolve these problems, in my 
judgment, take continuous effort over the course of the next 2 
years and in the years thereafter. Threats evolve, technologies 
evolve, and require constant vigilance.
    Mr. Stupak. Wouldn't it be easy for folks in Los Alamos to 
say, well, there is that directive; we have seen that directive 
for 2 years. A new set of people come in, and we can sit back?
    Mr. Sell. Mr. Chairman, that is certainly a limitation of 
the manner in which the executive branch of our Government 
operates. I will be gone in 2 years as will the senior 
leadership of this Department, as will the President, so we are 
taking great effort to institutionalize the changes that we are 
making, and I will give you an example.
    After a previous incident in 1999, then-Secretary 
Richardson issued a substantial press release announcing a 
number of changes to correct the then-perceived security 
problems at the lab. Those announcements that were made were 
never put into the directives which actually govern the 
relationship between the Department and its contractors.
    Mr. Stupak. We have just seen a $350 million review, and 
things that were supposed to be done were never implemented at 
Los Alamos.
    Mr. Sell. What we are doing, with the changes that we have 
made, is putting them into the directives which actually govern 
the contractual relationship so----
    Mr. Stupak. Let's talk about the directives though. You 
personally travel to Los Alamos. You did a memo on November 8 
directing each laboratory and DOE facility operating a 
classified computer--didn't do anything about unclassified--but 
classified computer system to conduct an immediate and thorough 
examination to ensure that classified information is protected 
using multiple layers of cybersecurity. But isn't it also true 
that in this memo you set forth minimum standards that must be 
met by January 15, 2007; is that correct?
    Mr. Sell. That is correct.
    Mr. Stupak. Were these minimum standards accomplished by 
January 15?
    Mr. Sell. Not in all cases.
    Mr. Stupak. Not in all cases.
    Your memo also says steps are to be taken--I am looking at 
your memo. I am sure you have one there in front of you. Steps 
to be taken are to include at a minimum those in the attached 
guidance prepared by DOE Chief Information Officer. There it 
is. So these were the minimum things.
    Did anyone at Los Alamos come back to you and say, Mr. 
Secretary, you asked for the minimum. We went over and above; 
we went beyond the minimum. Did they do anything beyond the 
minimum? Any recommendations going beyond the minimum?
    Mr. Sell. Yes, Mr. Chairman. The lab is doing a number of 
things beyond what was addressed in the memo. The memo that I 
put out was based on the immediate recognition that we had a 
real problem----
    Mr. Stupak. Sure.
    Mr. Sell. Specifically with ports; I wanted to take the 
lesson that we had learned under very unfortunate circumstances 
at Los Alamos----
    Mr. Stupak. But you said part of it was complied by or 
complied with your request by January 15; other parts were not, 
correct?
    Mr. Sell. To clarify completely, Los Alamos was the last of 
our labs and facilities to come into compliance, and that 
occurred on January 22. But that is a report that I have.
    Mr. Stupak. Well, let me ask you this question then. Your 
Chief Information Officer of NNSA in staff interviews said that 
she sent the team out on January 8 to see whether Los Alamos 
was complying with your directive. They found widespread 
noncompliance with your directive; isn't that correct?
    Mr. Sell. I know as of January 8 the lab was not in 
compliance.
    Mr. Stupak. OK. Isn't it also true that even in the face of 
all the publicity of the most recent security lapse, that NNSA 
had to pull the entire team back from the lab because they 
either could not understand your directives or simply were 
incapable of responding to your directives of securing the very 
areas and items that were under question as a result of the 
October 6 event? Why did NNSA have to pull back its teams?
    Mr. Sell. Mr. Chairman, we are trying to deal in a very 
serious way; I gave out in this case very clear guidance as to 
what was to be accomplished. I could have just given clear 
guidance and gone on and done something else, but we followed 
up on that clear guidance by sending a team out.
    Mr. Stupak. And have you pulled back?
    Mr. Sell. We sent the team out even before the deadline for 
compliance, and we found out when the team was out there that 
we weren't making progress----
    Mr. Stupak. We were not making progress?
    Mr. Sell. We were not making progress at a sufficient pace 
to accomplish what needed to be accomplished by January 15. 
That came to our attention. We gave further direction. I 
clarified. I talked to the lab Director. They understood what 
their requirements were. We sent a team back out shortly after 
January 15 and concluded approximately January 22 that they had 
complied with the directive.
    I think it is indicative that unfortunately ensuring 
compliance and making progress requires continued effort. It 
requires vigilance. It requires follow-up. It will require that 
long after I am gone. I only have control of the 2 years that I 
remain in my position, and that is the way I intend to deal. 
And I hope we can also institutionalize the progress that we 
are making, and there are a number of means within our disposal 
to help do that, through the contract, through the outstanding 
career staff that we have in our Department, through a number 
of the individuals and leaders of the laboratory that will 
remain into the next administration.
    But it is difficult. There are reasons sufficient progress 
has not been made in previous years, and the only thing I can 
commit to you is that I am trying to deal in a way which is 
distinct and different and distinguishable from the ways that 
folks have dealt in the past.
    I believe the Secretary and I have taken more aggressive 
action, and because I believe we are acting differently, at 
least I have some reasonable expectation that this time we will 
get different results, but only time will tell.
    Mr. Stupak. All right. My time has expired.
    Mr. Whitfield for 5 minutes.
    Mr. Whitfield. Thank you, Mr. Chairman.
    And, Secretary Sell, we enjoyed your testimony today and 
appreciate your being here. It seems to me the years that I 
have been on this subcommittee and this issue of security 
breaches has been a subject that ultimately the effectiveness 
of really dealing with this is through the M&O contract. And 
you were involved in preparing or negotiating this most recent 
M&O contract with the consortium that is now operating LANS; is 
that correct or not correct?
    Mr. Sell. I am happy to have the opportunity to tell you my 
exact level of involvement.
    When I came to the Department in March 2005, the 
procurement work was already well under way. But certainly I 
knew it to be and believed it to be the most important 
procurement--and I said this--in the history of the Department 
to date.
    I am not the selecting official.
    Mr. Whitfield. Who is the selecting official?
    Mr. Sell. The selecting official at the time, I believe, 
and I will ask was Tom D'Agostino, who is not yet confirmed as 
the Deputy Administrator for Defense Programs. He has been a 
career member of our NNSA team for a number of years.
    Mr. Whitfield. So was he within the NNSA at that time?
    Mr. Sell. Yes, sir.
    Mr. Whitfield. So the NNSA has the responsibility for 
selecting?
    Mr. Sell. The NNSA had the responsibility; Mr. D'Agostino, 
I believe, was the selecting officer. But the Secretary and I 
did spend time--once the decision had been made, after the 
decision had been made, we met by video teleconference with the 
Source Selection Advisory Board. We met at length with Mr. 
D'Agostino, and it is my view that the decision that the 
Department made was absolutely the correct one.
    Mr. Whitfield. Now what is the length of the contract?
    Mr. Sell. The length of the contract, I believe, Mr. 
Whitfield, is a 7-year initial period but could be extended to 
20 years. And I may be off 1 or 2 years.
    Mr. Whitfield. What is the approximate total value per year 
to the consortium for being awarded the contract?
    Mr. Sell. The total value, in rough order, about $2 
billion, or $1 1/2 to $2 billion a year flow through the 
contractor.
    Mr. Whitfield. One and a half to $2 billion?
    Mr. Sell. The fee available to the contractor is on rough 
order $70 million a year. So that is the potential net to the 
contractor.
    Mr. Whitfield. So would I be accurate or inaccurate to 
describe the $70 million as incentive pay that they can receive 
in addition to the base amount?
    Mr. Sell. The $70 million, Mr. Whitfield, includes both the 
base amount and the incentive portion. I think that is the 
total fee, roughly, that is available to be paid to the 
contractor.
    Mr. Whitfield. OK. Now, you would think that since the real 
problem is safety and security, that is one of the major 
problems, that the incentives apportioned to do that would be 
greater than $3 million out of a total of $73-some million 
incentives. What would be the explanation for not making that a 
greater amount?
    Mr. Sell. Mr. Whitfield, I don't think I can say anything 
that you would find to be a great explanation. Although the 
next panel--and I don't mean to just kick this to Mr. 
D'Agostino, I do think he is more informed on that. But I will 
also state my belief that we have a greater authority to 
restrict and pull back award fee for failures beyond just the 
$3 to $6 million for the security.
    Mr. Whitfield. Are you aware, yourself, of the amount of 
penalty assessed in the 2004 6-month shutdown or not?
    Mr. Sell. I am aware that it was generally in the 
neighborhood of around $3 million for the failures in 2004.
    Mr. Whitfield. So that was a penalty that University of 
California paid?
    Mr. Sell. That was a fee reduction in the amount that 
they----
    Mr. Whitfield. A fee reduction. OK.
    Now, it is my understanding that in the most recent 
contract that the consortium agreed that the 21 key personnel 
committed--that they committed to stay for a minimum of 2 
years, and after 6 months the Deputy Director has already left; 
is that true?
    Mr. Sell. Yes, sir.
    Mr. Whitfield. Has anyone else left of those 21 key people?
    Mr. Sell. To my knowledge none of the other 21 key 
individuals have left.
    Mr. Whitfield. But you all do have authority to assess a 
fee for the breach of that aspect of the contract, I would 
assume?
    Mr. Sell. I believe we do. And the only reason I hesitate 
is these are actual decisions that must be made by the 
contracting officer of whom I am not. I am trying to state as 
clearly as possible my expectation and belief.
    Mr. Whitfield. My time has expired.
    Mr. Stupak. The gentleman from Louisiana Mr. Melancon.
    Mr. Melancon. Thank you, Mr. Chairman.
    Mr. Sell, I was just wondering if Los Alamos or your 
children are causing this premature gray hair.
    Mr. Sell. Both.
    Mr. Melancon. Some of the thoughts that have run through my 
mind, is the DOE team, is it on site, or was it just sent and 
came back and made a report? And how long were they on site 
when they were there?
    Mr. Sell. We have a Federal site presence of around 120 
individuals that live there, work there, and deal every day as 
the Federal representative at Los Alamos. But there have been 
tens and tens of individuals from headquarters, from other 
locations around the complex, outside experts that have come 
for the various reviews and evaluations and recommendations 
since this most recent incident in October.
    Mr. Melancon. Is it feasible or possible--we are looking at 
a June deadline, I think Mr. Friedman had said, to try to 
ascertain where we were in compliance--that--do you think it 
would make any difference if we put the team back down there 
several days a week between now and that time to monitor it, to 
make it progress faster, to maybe sometimes even point out 
their deficiencies, which apparently they are not seeing 
readily?
    Mr. Sell. Well, I think it may well help, but I want to 
emphasize that we have a team there that worked for me. I mean, 
they worked for the Secretary and I and the Administrator and 
on down the chain. And their responsibility is to ensure that 
the contractor is performing pursuant to the terms of their 
contract.
    And in addition to that, we have other oversight groups 
from headquarters. And we have other oversight groups from the 
contractor that they have hired, and they will continue to go--
I mean, it is going to take continuous vigilance and 
monitoring, and perhaps other groups consistent with your 
suggestion would be helpful as well in ensuring that we make an 
institutionalized progress at the lab.
    Mr. Melancon. The people that are on the DOE team or the 
people that are responsible from DOE to monitor security, are 
they the same people that are there when the first breaches 
occurred and subsequent breaches?
    Mr. Sell. Some of them. But we have made a change at the 
top of the NNSA. The new Acting Administrator then subsequently 
made a change in the person that is heading the site office at 
Los Alamos. And so we are trying to find the right kind of 
leadership that can ensure much higher levels of performance at 
the lab.
    Mr. Melancon. I have a general in Louisiana I can suggest, 
because it sounds like it is going to take more than just a 
manager out there.
    And I guess that is the concern that I have is it appears 
to me--and this is new to me--that we have rolled a head or 
two, but the problem is the tail is wagging this dog. And I 
just--do you have any comments? I mean, how deep is our 
problem, or is our problem--is the problem at the upper levels 
or security at the lower levels?
    Mr. Sell. Well, it has been suggested, Mr. Melancon, that 
we should shoot the dog, and I have to reject that suggestion 
in the strongest possible terms. We do have 12,000 individuals 
at Los Alamos that were there under the University of 
California. They are there under LANS and will continue to be 
there. They are the core capability of that laboratory. And I 
do believe that we have deep-seated issues that are going to 
take time. And I would suggest, with all due respect to our 
Inspector General, it will take longer than a year. It is going 
to take time to change.
    But we do have an outstanding new leadership team in place, 
and I believe the LANS team is the right team to lead the lab. 
I believe Mike Anastasio is the right Director to lead the lab.
    I believe we have a new Federal lead there on an acting 
basis, Dan Glenn. We have an Acting Administrator, in Tom 
D'Agostino. We are putting in place new policies that will 
actually be incorporated in the terms of the contract by which 
we can hold the contractor accountable, and we intend to use 
the authorities in that contract to the greatest extent 
possible to ensure compliance and institutionalization of 
progress.
    That is our approach going forward, and if the tail 
continues to wag the dog, then the committee may properly 
question whether I am the right one to continue to provide 
leadership. But I have laid out our path as to how we are 
proceeding, and I am confident that we can make real progress.
    Mr. Melancon. Mr. Chairman, if I could be allowed one more.
    Mr. Sell, I guess the last question that I have is when do 
you think we are going to get this dog into the kennel?
    Mr. Sell. We have made in the last few months substantial 
progress. Just for example, we had--there were thousands of 
open ports on classified computers when this--the day this 
thing came to light.
    I have some level of confidence, not supreme confidence, 
but some level of confidence that that situation has been 
rectified; it will stay rectified at Los Alamos. We are 
changing our processes, but it will take--so we will continue 
to make progress. But the nature of security, particularly at a 
place as dynamic as Los Alamos, is constantly evolving, and I 
don't think there is ever a point where we will reach where we 
say--where we can say we are done and we need not worry about 
security anymore. We will have to be constantly tending the 
kennel door to make sure we have got the dog contained.
    Mr. Melancon. Thank you.
    Mr. Stupak. Mr. Secretary, let me assure you no one wants 
to shoot the dog. We want to put that dog on a diet and put him 
in a new kennel.
    Mr. Melancon. He needs to be trained.
    Mr. Stupak. Mr. Burgess, questions?
    Mr. Burgess. Thank you, Mr. Chairman.
    Mr. Secretary, good to see you again. You mentioned in your 
testimony, or I think in response to a question, that you were 
not the selector in the process of going through the RFP last 
year. I have asked this question of other witnesses, but in 
your opinion the process was fair and open and above board?
    Mr. Sell. Yes.
    Mr. Burgess. Let me ask you this: At Los Alamos what 
measures are being taken to ensure the laptops and removable 
media are being encrypted or sequestered so that sensitive data 
is not leaving your site unprotected?
    Mr. Sell. Just so I understand, this is a different set of 
vulnerabilities as to the encryption of data that is then--you 
mean when it is communicated across open lines, or when it is 
in laptops?
    Mr. Burgess. Yes. Is it encrypted in laptops to reduce 
susceptibility to theft?
    Mr. Sell. The encryption of classified material on laptops 
when they are at a secure facility is a matter that is covered 
under our policies, and those policies are those directives 
that--the manual which governs that is being updated and will 
be finalized in the course of the next few weeks. That governs 
the exact terms under which laptops have to be encrypted. But I 
am sorry, Dr. Burgess, I can't give a more exact recitation as 
to exactly how that is carried out.
    Mr. Burgess. And will that be something that is universal 
across the Department of Energy, or will that be specific for 
Los Alamos?
    Mr. Sell. It will be universal across the Department.
    Mr. Burgess. We heard previous testimony from the other 
panel that the concept of at will employment be curtailed, but 
that really is not something that is within the purview of the 
Department of Energy, is it? That is up to the individual 
contractor involved?
    Mr. Sell. That is something I believe that we largely leave 
to the contractor as to the negotiation of employment terms 
with their employees.
    Mr. Burgess. When the contract was awarded to LANS a year 
ago, it was done so in a belief that it could substantially 
improve security at Los Alamos. Do we still believe that?
    Mr. Sell. I do.
    Mr. Burgess. And we believe we have in place the metrics by 
which we are going to be able to show not just this committee, 
but America at large that is indeed the case?
    Mr. Sell. We have some metrics, and we are developing 
additional metrics, and we will develop even further ways of 
measuring progress once we have the full recommendations from 
our two groups that are reviewing the IG's report and once we 
put in place all of the policies going forward. But certainly 
our ability to measure progress and understand when there are 
failures or when there are potential failures before they 
actually happen or before they get outside the gates of the 
laboratory is a very important management tool that we must 
have, and I will ensure that we will have it.
    Mr. Burgess. So in your opinion that is what real progress 
will look like? Hopefully to us it will look like the absence 
of breaches, and we won't be back here every 6 months covering 
one of these incidents.
    Mr. Sell. It is--a much higher level of performance must be 
required. But I would like to just take a moment. I think some 
context about what our lab does. They generate many secrets. 
That is the nature of their business. That is the tools of 
their trade. And we talk about 139 vault-type rooms and 3,000 
classified computers. That is the nature of the work that we 
do. And in order to print something or to move it around the 
lab or to store it, it requires lots of computer capability. It 
requires ports. It is a very complex manner dealing with our 
business. Vault-type rooms----
    Mr. Burgess. Can you then reduce the number of computers 
without compromising your business?
    Mr. Sell. I don't know that we can. That is certainly 
something we are looking at, and I think it is a sound 
suggestion. It is a suggestion that has been made internally. 
But I have not received a recommendation that we, in fact, can 
do that. If we can, we will. But our business at Los Alamos is 
national security matters. Almost all of it is classified.
    And so I just want to try to put this into context that it 
may not be as simple as taking 139 vault-type rooms and going 
to 100. That may mean that a third of the work that we would 
like to do can't get done.
    Mr. Burgess. Thank you, Mr. Chairman. I will yield back.
    Mr. Stupak. Mr. Sell, if I may, let me just ask you 
quickly, hopefully we are going to have the Secretary here in 
March to answer some questions, but he put out a memo on 
November 28 after this incident came to light, and he states 
that the recent incident at Los Alamos and the findings of the 
Inspector General report indicate there may be significant 
deficiencies involving the application of personnel security 
policies and standards within the Department. What were those 
significant deficiencies?
    Mr. Sell. Mr. Chairman, I don't know that I can get into 
the details of the deficiencies without treading into areas 
which are governed by the Privacy Act in the instant case.
    Mr. Stupak. Will you stay for the executive session then? 
We can ask you the questions then?
    Mr. Sell. I will accommodate the committee and you, Mr. 
Chairman, however you would like.
    Mr. Stupak. OK, because I had a couple of follow-up 
questions on that. So allow me to do that in closed session. 
Thank you.
    Anyone else have questions? Mr. Whitfield.
    Mr. Whitfield. Just one additional quick question. Mr. 
Burgess was asking questions about the number of computers. 
This is a similar question relating to the separate security 
area, over 1,700 of them, and I was just wondering have you 
yourself formed any opinions about to believe that such a large 
number of geographically dispersed and classified areas 
increases the vulnerability of operations? And do you think the 
areas should be reduced? And your views on that.
    Mr. Sell. Mr. Whitfield, I believe that there may be 
benefits from those, and certainly instinctively I would think 
that we could perhaps do that. I know that there are views 
inside our Department that we can do that. We are looking at 
it. And I know in your letter of last night you suggested also 
that we look at it, and we will do that. We are looking for 
suggestions and good ideas from any corners from which they 
come.
    I have not made a conclusion that is going to be possible. 
But it may well be.
    Mr. Whitfield. Thank you.
    Mr. Stupak. Thank you, Mr. Secretary. And, yes, sir. You 
want to clarify something?
    Mr. Sell. Well, Mr. Chairman, I wanted to take an 
opportunity to answer a question which you posed to other 
witnesses but you did not pose to me: What is unique about Los 
Alamos?
    Mr. Stupak. The unique mission that they do there. What is 
the unique mission that cannot be duplicated at any of our 
national labs?
    Mr. Sell. Los Alamos National Laboratory and the men and 
women of that lab invented and designed and are responsible for 
certifying to this day two-thirds of our strategic nuclear 
weapons stockpile. They are the only place in the country today 
where we can build a plutonium pit, which is the trigger, in 
layman's terms, for a nuclear weapon. They have many, many 
other unique capabilities beyond that.
    But it is my view that we have to have Los Alamos, and we 
have to be successful, but more importantly that we can be 
successful. We are not destined to failure. We can be 
successful, but it is--we must have it.
    Mr. Stupak. No doubt men and women at Los Alamos are 
unique. Whether they work in Sandia, Los Alamos, or Lawrence 
Livermore, they are all unique and all talented people, and we 
have no problem with that. But we are not going to continue to 
have lapse after lapse. They owe it to the American people, not 
this committee, but the American people, to guard.
    You tell about the most sensitive things that are going on 
not only for nuclear or antiterrorism or anywhere else. We 
cannot have it going on at the same time going out the back 
door. That is what we want to impress upon not only you, but 
the Secretary and everybody else.
    Look at the list here, how many hearings we have had here? 
350 million taxpayer dollars spent; the fine was $3 million, 
less than 1 percent? No wonder there is no accountability. They 
will just ignore it and continue.
    We just want things done and done properly. American people 
deserve it. It is the American people who pay for those 
weapons, American people that have developed this. And we 
appreciate everyone who works at those labs, but it is not 
going to continue like it has been.
    With that, if you have any further comment?
    Mr. Sell. Mr. Chairman, I agree with your final statement 
completely, and you have my full commitment for as long as I am 
in my position.
    Mr. Stupak. We appreciate that, and we look forward to 
talking to you a little bit more in executive session. Thank 
you.
    Mr. Stupak. We have our third panel. Our final panel 
consists of five people: Mr. Thomas D'Agostino, Acting 
Administrator, National Nuclear Security Administration; Ms. 
Linda Wilbanks, Chief Information Officer, National Nuclear 
Security Administration; Michael R. Anastasio, Director, Los 
Alamos National Laboratory; Mr. William Desmond, Associate 
Administrator and Chief for Defense Nuclear Security; and Mr. 
Thomas Pyke, Jr., Chief Information Officer, Department of 
Energy.
    It is the policy of this subcommittee to take all testimony 
under oath.
    Please be advised the witnesses have a right under the 
rules of the House to be advised by counsel during testimony. 
Do any of the witnesses desire to be advised by counsel at this 
time? If so, would you please introduce your counsel?
    Hearing nothing in the affirmative, I take it you do not 
have counsel with you.
    Please rise and raise your right hand to take the oath.
    [Witnesses sworn.]
    Mr. Stupak. Let the record reflect all witnesses answered 
in the affirmative.
    Mr. D'Agostino, sir, is going to start, please.

   TESTIMONY OF THOMAS P. D'AGOSTINO, ACTING ADMINISTRATOR, 
            NATIONAL NUCLEAR SECURITY ADMINISTRATION

    Mr. D'Agostino. Thank you, Mr. Chairman. My name is Thomas 
D'Agostino, and I am the Acting Administrator of the National 
Nuclear Security Administration within the U.S. Department of 
Energy, a position I have held since January 20, 2007. I am 
also the Deputy Administrator for Defense Programs.
    I want to personally assure you that with respect to the 
current issue of security at Los Alamos National Laboratory, 
that we are committed to providing the most effective security 
possible for nuclear weapons, nuclear material and classified 
information both at the laboratory and at each of our NNSA 
facilities.
    The primary reason I am acting as Administrator is because 
of the Secretary of Energy's dissatisfaction with the 
continuing series of security incidents. When the Secretary 
does not see results he expects, he takes action. The most 
recent of these was his request for the resignation of the 
former NNSA Administrator, Linton Brooks.
    Mr. Chairman, the Secretary and the Deputy Secretary expect 
me to be active in running the NNSA and to be accountable for 
our performance and make decisions when they need to be made. 
That is exactly what I am doing.
    I have made it clear to Los Alamos National Security, or 
LANS, the contractor who manages the laboratory, that we are 
expecting them to take appropriate action against any LANS 
employees determined to be accountable for most recent security 
incident. LANS has reported that formal disciplinary action 
will be taken against 24 employees.
    I have decided to spend my first 2 days on the job as 
Acting Administrator in New Mexico both visiting the laboratory 
itself and the Federal site office responsible for overseeing 
the laboratory to get firsthand, upfront and personal 
information that I can use. I did that last Monday and Tuesday.
    I stressed to them my expectations concerning oversight of 
the laboratory activities and the importance of accountability 
and meeting our commitments.
    I've directed that Dan Glenn, one of the Department's most 
experienced site office managers from the Pantex site in Texas, 
to serve as the acting Federal site office manager until a 
permanent replacement is found. Mr. Glenn has extensive nuclear 
safety and security experience at our most sensitive site. In 
fact, Pantex is the only NNSA facility where we have complete 
nuclear weapons on site. Dan has my complete confidence.
    Dan spent last Thursday and Friday at Los Alamos assessing 
current activities and operations at the Los Alamos site 
office, and he is assembling a team to aggressively oversee 
laboratory security and safety programs and to recommend not 
only immediate, but near-term fixes, fixes that we can 
implement and take action on right away. Dan will take over Los 
Alamos site office on February 5.
    With respect to our specific interactions with LANS, 
management and operating contractor on the latest security 
incident, all contractual options for both penalties and 
motivation are under consideration and on the table. I want to 
assure you that this is not an academic exercise. With a 
nominal fee at stake, the maximum available annual fee with 
security and safety as key factors is over $70 million. The 
majority of LANS's fee is at risk, as is their ability to earn 
additional award terms--or years--added on to the contract. The 
combination of award fee and award term are very powerful 
incentives on performance, and I intend to fully utilize these 
tools that are available to me in managing this contractor.
    The Department is also conducting a review of the incident 
to determine whether notice of violation will be issued, as was 
discussed earlier.
    Finally, the contract has a clause called Conditional 
Payment of Fee, Profits, and Incentives. This clause allows for 
the complete elimination of fee in the event of serious safety 
or security events that result in a loss of life and 
irrecoverable harm to the security of the United States.
    On January 3, 2007, we took further direct action and 
unilaterally notified the LANS Board of Governors Executive 
Committee that I was calling a session in Washington the 
following week. On January 10, I met with the executive 
committee and told them of my specific concerns on how they 
have handled the current security incident at Los Alamos and my 
expectations for performance. The Secretary and the Deputy 
Secretary joined me to emphasize the seriousness of the 
situation.
    The executive committee will provide me with their plans on 
how they will address the current situation and improve the 
culture at the laboratory. In the coming months I will be 
routinely meeting with members of the executive committee to 
hear how they are progressing with their plans. Additionally, I 
have asked the chairman of the committee, Mr. Gerald Parsky, to 
call the Secretary on a regular basis, probably monthly, maybe 
more like on a 5-week basis, to update him personally on the 
actions that the board is taking to reach back to the corporate 
parents and to support improvements at the laboratory.
    In closing, Mr. Chairman, I commit to you that if the 
current laboratory management team is unable or unwilling to 
change the security culture at Los Alamos, I will use every 
tool available to me consistent with the terms of the contract 
to effect the kind of positive changes I expect and we deem 
necessary for our taxpayers.
    Thank you, and I would be pleased to take any questions the 
committee may have.
    [The prepared statement of Mr. D'Agostino appears at the 
conclusion of the hearing.]
    Mr. Stupak. Mr. Desmond, your opening statement.
    Mr. Desmond. Mr. Chairman, I do not have an opening 
statement.
    Mr. Stupak. Ms. Wilbanks, opening statement.

TESTIMONY OF LINDA WILBANKS, CHIEF INFORMATION OFFICER, NATIONAL 
                NUCLEAR SECURITY ADMINISTRATION

    Ms. Wilbanks. Chairman Stupak, Ranking Member Whitfield and 
members of the committee, good afternoon. I am Dr. Linda 
Wilbanks, the National Nuclear Security Administration Chief 
Information Officer.
    Thank you for the opportunity to discuss the cybersecurity 
incident at Los Alamos National Laboratory and the actions NNSA 
has taken to prevent similar incidents. As CIO, I am 
responsible to the Administrator for cybersecurity, 
specifically policies and procedures to ensure the security of 
the information and technology as it relates to the NNSA 
mission and to enhance our ability to protect the classified, 
sensitive and unclassified information systems.
    I came to NNSA after almost 3 years at Goddard Space Flight 
Center as a CIO. I have over 30 years experience in information 
technology, a bachelor's degree in mathematics, a master's 
degree in engineering and a doctorate in computer science.
    When the recent incident was reported, at my direction the 
NNSA Cybersecurity Program Manager and the Director of the 
Diskless Workstation Task Force immediately flew to Los Alamos 
with two members of the DOE cybersecurity team. Their objective 
was to learn as much as possible about the incident from the 
cybersecurity perspective and determine if any of the 
contributing factors could put LANL at further risk or they 
could take place at other NNSA sites.
    I also traveled to Los Alamos and met with the 
cybersecurity personnel responsible for the Los Alamos computer 
systems to further understand the issues. We quickly identified 
two issues: the accessible USB ports and the cybersecurity plan 
that did not address the specific risks of the system and was 
incomplete, which contributed to the system's vulnerabilities.
    The Los Alamos incident occurred when a trusted insider 
maliciously decided to use a personal device to electronically 
remove classified material. The cybersecurity plan allowed for 
the cages to be unlocked with exposed USB ports because the 
servers were in a secure room with limited access by people 
with clearances to access the classified material.
    As a result of this incident, we have taken a number of 
actions to strengthen the cybersecurity at Los Alamos and all 
NNSA sites addressing the cybersecurity root causes that 
allowed this incident to occur.
    As a result of the incident, I immediately required that 
all NNSA sites identify the open ports on classified systems 
and determine if they needed to be open or could be permanently 
disabled.
    We purchased an enterprise license for software to monitor 
open port activity. All sites, including Los Alamos, are now in 
compliance with any ports that can be used to transmit data 
being sealed or monitored.
    The Designated Approving Authority, the DAA, is responsible 
for approving an IT system for operations by signing the 
cybersecurity plan that states how the system will be in 
compliance with DOE and NNSA policy. I have temporarily 
reassigned the DAA from the Sandia site office to Los Alamos to 
strengthen the cybersecurity there. I have directed the DAAs at 
all NNSA sites to review the cybersecurity plans, and I hold 
them accountable to ensure that those plans now address the 
specific risk of each system and to identify and rewrite the 
plans with omissions such as those that allowed the incident at 
Los Alamos.
    I have increased the funding to Los Alamos to hire three 
cybersecurity experts to support the Federal activity there. I 
have assembled a team of eight cybersecurity experts from 
headquarters and NNSA and had them inspect all the vaults at 
Los Alamos to determine if they were in compliance with the 
Department's directive to close ports. The team initially found 
areas of noncompliance; however, when reconvened on the site 
this past week, they inspected all vaults and are now in 
compliance.
    I further directed the team to inspect the cybersecurity 
implementation at all NNSA sites. Those inspections will start 
in February and conclude in April when the team revisits Los 
Alamos.
    My office has worked with the DOE CIO, Mr. Tom Pyke, to 
identify areas where policies and procedures are needed to 
strengthen cybersecurity and to aggressively implement them as 
quickly as possible. NNSA is responsible for over 70 percent of 
the classified networks within the Department. We take this 
responsibility very seriously, and maintaining the security of 
the classified networks is our highest priority.
    Because of the dynamic nature of cybersecurity, no one can 
guarantee there will never be another cybersecurity incident at 
any NNSA site. It is not possible to have perfect and complete 
security. We live in a world where hacking into Federal systems 
is a hobby of many students and many highly paid professionals. 
We are using every tool available and have put in place strong 
cybersecurity policies to ensure this type of event does not 
happen again.
    NNSA is working very diligently to maintain a secure 
environment for our information and that of the Department. We 
work closely with our sites to identify the risks, and we are 
moving ahead in many areas, and we are making progress.
    I am happy to answer your questions, sir.
    [The prepared statement of Ms. Wilbanks appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you.
    Mr. Pyke.

 TESTIMONY OF THOMAS N. PYKE, JR., CHIEF INFORMATION OFFICER, 
                   U.S. DEPARTMENT OF ENERGY

    Mr. Pyke. Good afternoon, Mr. Chairman. My name is Tom 
Pyke. I am the Chief Information Officer at the Department of 
Energy. I came to the Department in November 2005 and have 
given a high priority to revitalizing the management of 
cybersecurity within the Department.
    Over the last year, DOE has undertaken a major effort to 
improve our cybersecurity. We developed a plan to update 
departmental cybersecurity directives and to issue guidance in 
specific high-priority areas. In December 2006, the Deputy 
Secretary signed a new DOE cybersecurity departmental order 
which established a new governance structure for cybersecurity 
program manager. The order directs the use of a risk-based 
management approach and makes clear assignment of 
responsibility to the Under Secretaries and other senior 
officials to oversee cybersecurity management within their 
organizations, including the field organizations under their 
jurisdiction.
    The Under Secretaries have accepted this enhanced role and 
are working hard to strengthen the management of cybersecurity. 
This order is a key part of the institutionalization of 
forceful new direction to the Department, as referred to 
earlier by Deputy Secretary Clay Sell.
    The new order provides for timely issuance of urgently 
needed cybersecurity guidance. To date, I have issued 20 
cybersecurity guidance documents, and the Office of the Chief 
Information Officer continues to develop guidance in accordance 
with the plan developed last year. I have already issued 
guidance on certification and accreditation of systems and on 
system configuration management, both directly relevant to the 
recent Los Alamos incident. We have also issued special 
guidance on the protection of personally identifiable 
information and on the disposal of disk drives.
    Finally, directly to the concerns being addressed at this 
hearing, we have recently completed a planned DOE National 
Security Systems Controls Manual. It is now in final review in 
the Department. We have been able to incorporate actions in the 
manual based on a number of the lessons learned from this 
incident.
    I would be pleased to respond to any questions you may 
have.
    [The prepared statement of Mr. Pyke appears at the 
conclusion of the hearing.]
    Mr. Stupak. Mr. Anastasio.

 TESTIMONY OF MICHAEL ANASTASIO, DIRECTOR, LOS ALAMOS NATIONAL 
                           LABORATORY

    Mr. Anastasio. Chairman Stupak, Ranking Member Whitfield 
and other members of the subcommittee, I thank you for the 
opportunity to speak with you today.
    I'm Michael Anastasio, and since June 1, 2006, I have been 
the Director of the Los Alamos National Laboratory. I am also 
President of the laboratory's new management company, the Los 
Alamos National Security, LLC, often referred to as LANS. 
Previously, I served our country for over 25 years at the 
Lawrence Livermore National Laboratory, first as a scientist 
and ultimately as the director of that institution.
    The security breach at Los Alamos National Laboratory is 
deeply troubling. I want to make it absolutely clear to all of 
you that my board and I personally find this incident totally 
unacceptable. It is precisely because of such incidents that 
the DOE made its decision to recompete the contract at the 
laboratory.
    I want to talk with you today in my opening comments about 
four main points: First, that we take this incident very 
seriously, that we took immediate action upon learning about 
the issues, that we bring a different approach to running this 
laboratory, and that this incident accelerates our plans to 
develop a robust security system that handles today's issues 
and anticipates the future.
    Although this incident occurred only weeks after we took 
control of the laboratory, I am responsible for this incident. 
But even more importantly, we are responsible for the solution 
to fix the laboratory with regard to security and other 
matters. I have detailed in my written testimony a number of 
corrective actions that we've taken, and I would just like to 
cover six of those right now.
    We have tightened controls on the ports on all the 
classified computers. Through our parent organizations, we have 
tapped into independent security expertise from across the 
country. We have established a new cybersecurity organization 
that reports directly to me. Our guard force has significantly 
increased the number of searches of laboratory personnel as 
they leave the site. We terminated the relationship with the 
scanning subcontractor, and I have disciplined 24 employees of 
the laboratory as a result of this incident. We are 
prescreening for illegal drugs of all new hires and will be 
randomly testing the existing workforce.
    These steps have already proven effective as we heard DOE 
and NNSA have certified last week that all the vault-type rooms 
that we have at the laboratory with classified computing are 
now compliant. But these initial actions aren't sufficient. We 
must move beyond the quick-fix, Band-Aid approach that's been 
used in the past, and that means we must now have--address 
security in a comprehensive and integrated manner that 
anticipates risks associated with the inexorable advancement of 
technology.
    There will not be a silver-bullet solution because there 
are none, but we have developed a forward-looking approach 
addressing all of the elements of enhancements to the security 
that needs to be done and do them simultaneously. We will 
quickly put in place demonstration projects that create a test 
bed to try out all these new security approaches that we have 
in mind. We will consolidate 10 to 20 of our existing vault-
type rooms into one overall facility. In there, we will 
implement clear policies with advanced technologies and proven 
behavioral methods. In this way, we will have a plan that we 
have demonstrated will work and that we can then implement 
across the entire laboratory.
    So, Mr. Chairman, in conclusion, the steps that I and the 
board are taking are a fundamental break from the past. The 
LANS partnership brings together expertise and successful 
performance from across the Federal and the commercial sectors.
    As president of LANS, I report to a very demanding board, a 
board that provides a level of oversight, engagement and rigor 
that this laboratory has not seen before. I have a brand new 
management team that I, personally, selected from across our 
parent companies. The partnership of these four companies gives 
me a deep bench of capabilities and personnel that I'm already 
tapping into.
    I'm already seeing evidence of positive change at the 
laboratory, and in time these steps will lead to dramatic 
improvement in the overall performance of the laboratory. We 
have taken immediate action. We have an ambitious and 
comprehensive plan. We have extraordinary capabilities to draw 
upon, and we are working aggressively to execute our plan. All 
of my leadership team and I, personally, are deeply committed 
to the Los Alamos National Laboratory's success and its 
essential role in protecting our country's national security.
    Thank you, Mr. Chairman, and I look forward to answering 
all of your questions.
    [The prepared statement of Mr. Anastasio appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you. And thank you all for your 
testimony.
    Mr. Anastasio, you said you are responsible for what 
happened at Los Alamos. Then what's been the consequences of 
accepting that responsibility? Has anything happened to you?
    Mr. Anastasio. Has anything happened to me?
    Mr. Stupak. Yes.
    Mr. Anastasio. I've been working a lot longer hours, sir. 
Do you mean if I've been disciplined in any way?
    Mr. Stupak. Yes.
    Mr. Anastasio. I've been certainly in contact with my board 
from the very beginning of this incident, and they've made 
their expectations very clear to me. The board also talked with 
NNSA and the Secretary, and based on that conversation, they've 
passed along those expectations, and I've heard the same from 
the Department as well, personally. It's been very clear to me 
what everyone expects of us at the laboratory, and----
    Mr. Stupak. Well, what are the lessons you have learned 
since then, and what is being done to ensure this incident 
doesn't happen again?
    Mr. Anastasio. Well, as I tried to detail for you a little 
bit in my oral testimony and more so in the written, it's that 
we've taken a number of aggressive actions.
    Mr. Stupak. Such as?
    Mr. Anastasio. As soon as I learned about this incident, 
within hours we had already started to control the ports on 
classified computers. We started taking that action 
immediately.
    Mr. Stupak. We've heard that since 2000. We've had eight 
hearings on cybersecurity since we first brought it up in 2000, 
so excuse me, but I don't--what's going to be different? We've 
heard all this before. This is my eighth hearing now on this.
    Mr. Anastasio. We have actually succeeded in doing that, 
and the recent audit confirms that, in fact, we have complied 
with all the direction we've been given.
    Mr. Stupak. The audit from the Inspector General, Mr. 
Friedman, said the core security at Los Alamos is in shambles, 
the core security. I'll read it for you exactly if you want it, 
because I asked him about it, and it was the very basis of Los 
Alamos; the very core of their security was not good.
    Mr. Anastasio. Mr. Chairman, I find this incident and the 
issues around it totally unacceptable. My board finds that 
totally unacceptable. They're going to hold me accountable to 
fix this.
    Mr. Stupak. And we find it totally unacceptable.
    What are we going to do to fix it?
    Mr. Anastasio. I understand that, and we are in the process 
of doing that. And so we've taken a series of immediate actions 
which, I think, address the immediate concerns and risks at the 
laboratory; and, at the same time, we have a long-term plan 
that will get us to a point where we can be out in front of 
these issues--not always playing catch-up that we've done in 
the past--and that will allow me and the American people and 
you, the Congress, to have confidence in this laboratory again.
    The Department recompeted this contract, we understand, 
very well. They recompeted this contract because of these 
issues, and I understand that the reason I've been brought in 
and my team and this new contractor is that we need to fix 
these and the other issues that are going on at the laboratory. 
And that's what I'm here to commit to you to do.
    Mr. Stupak. The Inspector General's report I will quote 
now,

    Our review revealed a serious breakdown in core laboratory 
security controls. In short, these findings raise serious 
concerns about the laboratory's ability to protect both 
classified and sensitive information systems.

    So that's the challenge you have.
    Ms. Wilbanks, at Los Alamos, sensitive, unclassified 
computer systems, are they adequately protected from today's 
threat? You mentioned hackers always trying to get in.
    Ms. Wilbanks. The unclassified, sir?
    Mr. Stupak. The unclassified. ``Sensitive, unclassified,'' 
they're called.
    Ms. Wilbanks. While we do not put as much attention on 
those systems as we do the classified systems, sir, I do 
believe they are adequately protected. The 25,000 systems that 
were referred to by Mr. Podonsky, they are C&A'd under the NIST 
provisions.
    Mr. Stupak. Sure. Would you bet your job on that all 25,000 
are secure?
    Ms. Wilbanks. I can't guarantee what a hacker will do and 
what the new technology will be, sir.
    Mr. Stupak. OK.
    Ms. Wilbanks. I am doing everything in my power, sir, to 
make that guarantee to Mr. D'Agostino.
    Mr. Stupak. OK. In your testimony, you state ``We have 
since secured all USB ports at all NNSA sites and are reviewing 
all cybersecurity plans to ensure they address the specific 
risks for that system. This type of incident, the undetected 
transfer of classified information to a portable device, could 
no longer occur at any NNSA site.''
    So let me ask you: Why wasn't all of this fixed prior to 
this incident?
    Ms. Wilbanks. Actually, at some of our sites, sir, it was 
fixed.
    Mr. Stupak. Right. But not at all of them, obviously.
    Ms. Wilbanks. That is correct, sir. At a meeting of all of 
the DAAs from the sites in November, the ``open ports fine'' 
issue was brought up.
    Mr. Stupak. Sure, that's November, but wasn't that really 
one of the primary reasons the lab was shut down in July 2004?
    Ms. Wilbanks. I was not here then, sir. I'm sorry.
    Mr. Stupak. Did you ever review the report in 2004 and see 
what was required for cybersecurity at the lab's computers?
    Ms. Wilbanks. Yes, I did, sir, and there was very minimal 
in there for cybersecurity.
    Mr. Stupak. OK. Hopefully, I'll have some time for some 
follow-up because I would follow that up, but my time is up.
    Mr. Whitfield.
    Mr. Whitfield. Thank you, Mr. Chairman, and I thank the 
witnesses for their testimony today.
    Mr. Anastasio, you were the Director of Lawrence Livermore, 
I think you said in your testimony.
    Mr. Anastasio. That's correct, sir.
    Mr. Whitfield. For how many years?
    Mr. Anastasio. Almost 4 years.
    Mr. Whitfield. And you've been here now for about 7 months 
at Los Alamos?
    Mr. Anastasio. Since June 1, that's correct.
    Mr. Whitfield. Well, you might have some unique 
perspectives on this that we've been asking a lot of people, 
and I read this comment that said LANS' volume of classified 
holdings is unnecessarily large, conducted in too many security 
areas, involving too many people, and is spread out over too 
large of an area.
    Would you agree that that assessment may give a synopsis of 
the primary differences in Los Alamos and Lawrence Livermore 
and would explain why security is such a challenge at Los 
Alamos?
    Mr. Anastasio. Well, I would agree those factors add a 
challenge to Los Alamos, but I believe the--one of the 
fundamental issues at the laboratory right now is that there is 
unclear, complicated policies which are inconsistently applied 
across the laboratory. And of course one of the reasons for 
inconsistency is the fact that there are so many different 
locations. But in the past, the laboratory has--each 
organization has implemented their own version of the overall 
policies, which led to inconsistency; and I would also argue 
that the policies are overcomplicated and sometimes 
inconsistent, so we have not been enabling our employees to be 
a success. What they see is confusing. They don't know what is 
allowed and what's not allowed. So that's one of the things 
that was in the core approach that we've taken to fix the 
laboratory. But at the same time, we are also looking to 
consolidate the number of vaults, to bring those down. The 
laboratory, before we arrived, has done a lot to reduce the 
total number of accountable, removable, electronic media, a 
number of documents, so I think these are all approaches to an 
overall plan that we're putting together.
    Mr. Whitfield. So, the confusion in policy, is that partly 
the responsibility of the Government and the holder of the M&O 
contract?
    Mr. Anastasio. Well, certainly, we are driven by the 
policies that come from the Department through our contract, 
but I believe my responsibility goes beyond that.
    My job is to make sure the laboratory is secure. I have to 
be compliant with the policies, but if that is not sufficient, 
I have to take further action. I believe that----
    Mr. Whitfield. But you found a lot of things wrong with the 
policy and the confusion in the policy when you arrived there. 
I mean there obviously was room for improvement.
    Mr. Anastasio. Yes, there's certainly room for improvement, 
and we're off dealing with that and trying to----
    Mr. Whitfield. Now, why would we expect that there would 
really be a great improvement when the University of California 
had responsibility for 64 years prior to the new M&O contract, 
and now they are a 50-percent stakeholder in the new contract?
    Mr. Anastasio. Well, I think there's a number of reasons 
why you should have confidence.
    This is a new team. First, we have a board of directors 
that we've never had before who are very demanding.
    Mr. Whitfield. And who is on the board of directors?
    Mr. Anastasio. There are 11 members of the board of 
directors--six from the parent companies and five from the 
outside--outside world.
    Mr. Whitfield. And the parent companies would be the 
University of California, Bechtel, and who else?
    Mr. Anastasio. BWX Technologies and Washington Group 
International.
    Mr. Whitfield. Now, what is the Washington Group 
International? Who is that?
    Mr. Anastasio. I'm sorry. I'm not sure what you mean by 
that.
    Mr. Whitfield. I'm not familiar with that.
    Mr. Anastasio. The president of that is Presray.
    Mr. Whitfield. What is the experience of that company? 
Where does that come from?
    Mr. Anastasio. Oh, they are involved, for instance, with 
the Savannah River site. They are a major part of that 
contract. They are at the WIPP site. Those are a couple of 
places. They have a lot of expertise in nuclear--nuclear 
facility management.
    Mr. Whitfield. But the board is composed of six members 
from those four entities?
    Mr. Anastasio. That's correct, sir.
    Mr. Whitfield. And then five members outside of those?
    Mr. Anastasio. That's correct.
    Mr. Whitfield. Who selected the board members, the five 
that are outside?
    Mr. Anastasio. The six members on the inside from the 
companies, yes.
    Mr. Whitfield. OK, and those five, what companies do they 
represent?
    Mr. Anastasio. We have one for oversight from 
PricewaterhouseCoopers for financial oversight. We have someone 
from Stanford. We have a former admiral, et cetera.
    Mr. Whitfield. And the board meets how often?
    Mr. Anastasio. The board normally meets quarterly but 
whenever they need to. So we've had quite a number of meetings, 
both formal meetings--but I'm in constant conversation on the 
telephone with the key members of the board whenever that's 
necessary.
    Mr. Whitfield. Now my time has expired. I just have one 
quick question.
    As a result of the most recent breach, the 1,500 and some 
documents that were a problem, as the director of Los Alamos, 
representing the president of the new consortium, would you 
expect that the Government would penalize your company 
financially for that breach?
    Mr. Anastasio. Oh, I certainly understand that part of our 
fee or, ultimately, all of our fee could be at risk for this or 
any other incidents that go on at the laboratory. We understand 
that very well.
    Mr. Whitfield. OK. Thank you.
    Mr. Stupak. The gentlewoman from Colorado.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    Mr. Anastasio, I wanted to follow up on some of the ranking 
member's questions because you successfully ran Lawrence 
Livermore for a good number of years, and I'm wondering if you 
could just tell me very briefly what is it that's so different 
at this facility. You said a minute ago there's unclear 
competing policies that are applied inconsistently. Are there 
other things?
    Mr. Anastasio. Certainly things that the ranking member 
identified are issues as well, the fact that it's physically 
spread out----
    Ms. DeGette. The physical layout.
    Mr. Anastasio. Also, there's a history at the site of each 
organization having a lot of autonomy to implement the 
specifics in their own work area. All of these things lead to 
some of these challenges that we face.
    Ms. DeGette. How's the morale out there?
    Mr. Anastasio. Well, the morale of the employees--they are 
really--I think it's improving. They've been through a lot of 
controversy over the last years. They understand, because of 
the contract competition, that change is happening and it needs 
to happen, and I think they're very, very committed to their 
mission.
    Ms. DeGette. Do you think that they're committed to 
complying with security procedures?
    Mr. Anastasio. I think the employees are very committed to 
do their job very well, including their security 
responsibilities.
    Ms. DeGette. And is that a change in attitude? Well, you've 
only been there since June.
    Mr. Anastasio. Yes. I can't say how much there's been a 
change in attitude.
    Ms. DeGette. I'll be frank. When we were out there a couple 
years ago, when Mr. Barton and I were there, we got the sense 
that part of the problem was that many of these high-level 
employees felt like these were--these security procedures were 
ridiculous, and they didn't really want to comply. Have you 
found some of that attitude?
    Mr. Anastasio. The attitude I found is, first, a very loyal 
commitment to their country and their mission but also a 
confusion about what standard they're being held to. And so 
they want to comply, but they're not clear what they're 
supposed to----
    Ms. DeGette. And this is what you were talking about, the 
unclear, competing policies applied inconsistently?
    Mr. Anastasio. Yes. And I think one of the things we're 
trying to do is, as we define the overall goal and policy we 
want them to achieve, we're trying--we're involving some of the 
employees in developing the implementation plan. That way, 
they're there from the beginning. Now, they don't get the final 
choice of what that plan is, but they're part of that 
discussion so they understand why the policy is in place and 
how it's implemented.
    Ms. DeGette. Right. Let me ask you this. Mr. Friedman said 
that he felt like we should give the agency until June, which 
would be your 1-year anniversary, to fix this.
    Can you fix all of these problems by June, and are you 
willing to commit to that today?
    Mr. Anastasio. I would agree with the deputy director that 
we are off fixing them right now. We have been fixing these 
problems ever since the incident occurred, that we are making 
progress every day.
    Ms. DeGette. OK. My question is can you do it by June, 
``yes'' or ``no.''
    Mr. Anastasio. I think this is a continuous challenge that 
we have to be on top of every day from now until----
    Ms. DeGette. Can you make substantial progress by June?
    Mr. Anastasio. Absolutely, we can make substantial progress 
by June.
    Ms. DeGette. OK. Thanks. I just have a quick question for 
you, Mr. D'Agostino.
    In the binders of this Fiscal Year 2000 Performance 
Evaluation Plan--I'm sure you're familiar with that plan----
    Mr. D'Agostino. Yes, ma'am.
    Ms. DeGette. In part of that plan on page 5 is performance-
based incentives. We're a little confused up here. Mr. 
D'Agostino testified about everybody now understands that there 
are incentives under this new contract.
    We're a little concerned about, if we wanted to take some 
kind of punitive action if these problems aren't fixed, how 
much we could penalize the management by. Is it the entire 
$73,280,000 or some other number of that?
    Maybe you can quickly explain that to me.
    Mr. D'Agostino. Yes, ma'am. Thank you for the opportunity 
to do that. A couple of points.
    The one is there's the clause I mentioned during my oral 
testimony, conditional payment of fee. It puts that whole $73 
million at risk.
    Ms. DeGette. OK. So, if we wanted to, we could penalize 
them that whole amount?
    Mr. D'Agostino. Yes, ma'am, but there are conditions 
associated with the contract, associated with the level of 
severity and----
    Ms. DeGette. Whose department is that?
    Mr. D'Agostino. I would go through the contracting officer, 
is my----
    Ms. DeGette. Who determines the level of severity?
    Mr. D'Agostino. There would be an analysis done. The damage 
assessment, for example, in this particular incident will be 
looked at. If there are further safety and security problems 
that happen, those would get added up into the problem, if you 
will, when we look at fee determination at the end of the 
fiscal year.
    So what we will do at the end of the fiscal year, which is 
September 30 of this year, take a look at the laboratory's 
performance not only on this particular security incident but 
on whether there have been any safety issues associated with 
the laboratory, and look at whether that conditional payment of 
fee clause actually applies here.
    In addition, your question, ma'am, was referring to this 
particular page which broke down the $70-plus million. 
There is the fixed fee: 30 percent of about $22 million; and 
the incentive fee. Within the incentive fee that you call out, 
``performance-based incentives,'' there are very specific 
measures and deliverables under each one of those performance-
based incentives 1 through 13. PBI No. 5 applies to safeguards 
and security, which was pointed out earlier that, if it's only 
$3 million of the whole 70, why is that--why should we feel----
    Ms. DeGette. Right. So do you think we can only penalize 
them $3 million or $73 million?
    Mr. D'Agostino. No, ma'am. All of the $73 million is at 
stake. I wanted to get to a point. I did spend the first few 
days of this job at Los Alamos last week. I got a chance to see 
firsthand the conditions that we've talked about earlier in the 
hearing.
    Based on that, I directed the manager at the site office, 
working with Mr. Desmond, to reevaluate, and we are 
unilaterally reevaluating this fee allocation within this 
particular plan. So we have two approaches, and we will--as I 
mentioned in my testimony, I'm going to make full use of the 
contract because that is the main tool. It is the tool that we 
should use and will use in order to make sure that the message 
gets across to the contractor.
    Ms. DeGette. OK.
    Mr. D'Agostino. I apologize for taking so long. We are 
going to conduct a reevaluation of this allocation, and we will 
be working with LANS on that reallocation, but if we don't come 
to agreement, the Federal Government has the ability to 
unilaterally impose a change on this allocation.
    Ms. DeGette. Thank you.
    Mr. Stupak. Mr. Burgess.
    Mr. Burgess. Thank you, Mr. Chairman.
    Mr. D'Agostino, just so I'm clear on this, I think Deputy 
Secretary Sell testified that you were the selector in the RFP 
process a little over a year ago; is that correct?
    Mr. D'Agostino. Yes sir, that is correct.
    Mr. Burgess. You mentioned in your testimony about 
recompeting the contract. I'm assuming there you were talking 
about the recompeting of the contract that happened a year ago, 
not a recompete that's at some point in the future.
    Mr. D'Agostino. I'm actually referring to a recompete if it 
should come to this point. If it should come to the point where 
myself as the Acting Administrator of the NNSA feels that we 
have a material breach of the contract or we have a situation 
where it's in the best interest of the Government, I, as the 
Administrator, through my contracting officer, have an ability 
to recompete.
    That is not the case right now. I want to make that clear 
because I do believe we don't have--we don't have all of the 
analysis together as a result of the current criminal 
investigation that's underway.
    Mr. Burgess. But you do have the ability, then, to 
recompete the contract.
    Mr. D'Agostino. The contract allows me to terminate for 
cause of the existing contract.
    Mr. Burgess. Without waiting the 7 years to do so?
    Mr. D'Agostino. That's right. Yes, sir.
    Mr. Burgess. Well, let me just ask you a question then.
    We've heard all kinds of testimony about the fines levied, 
whether it's $3 million or $73 million; and $73 million would 
be a significant fine to levy against the contractor.
    Would they be able to continue in their mission if they 
were hit with that level of fine? Would that damage their 
ability to provide the services, the security that we're going 
to demand of them?
    Mr. D'Agostino. I believe that if I were to decide today 
that I wanted to levy, and I had all of the data with me today 
that it would be a bad management decision to make that move 
right now before the fiscal year is over. I have complete faith 
and confidence in Dr. Anastasio. I understand the plans he's 
putting in place. He does take this seriously. He has taken 
specific steps. There are obligations on the part of the 
Federal Government as well, and I'm making changes on that 
particular side. But I do believe that it would be 
irresponsible and a bad management move from my years of 
managing organizations, before the fiscal year is actually 
over, to make that decision.
    So, to answer your question, I wouldn't do it at this 
point, but what's clear is the fee is an amount of resources 
that are set aside.
    Mr. Burgess. Well, let me just interrupt you then.
    As far as just the management aspects of it, we had a team 
that was on site for over 60 years. I'm relatively new, but it 
sounds like, on this committee, we've been dealing with the 
same sort of problem over and over again. I don't know whether 
they're interrelated or not. I've got to assume that a laser 
injury of the eye is not related to the removal of a thumb 
drive, is not related to the guy getting beat up at the bar, 
but still there are all these things that keep coming up.
    How good a management decision is it to continue on with 
the same group that has brought you these troubles in the past, 
and should we not have been able to anticipate a subsequent 
breach because of the behavior that at least has been exhibited 
since 1999?
    Mr. D'Agostino. Sir, I'd like to address that in two ways. 
One is to make sure that it's clear that the same organization 
is not running this laboratory. It's clear that the proposal 
that I reviewed----
    Mr. Burgess. Has the culture actually changed then since 
the awarding of the contract?
    Mr. D'Agostino. I would say I don't know the answer to that 
question, but here's what I will----
    Mr. Burgess. I hope you find out quickly.
    Mr. D'Agostino. That's exactly right.
    The LANS executive committee knows. The Executive Board of 
Governors, the executive committee on the board, truly 
understands, because I put this in writing, that I don't 
believe this is just a matter of, well, let's straighten out 
our policies and procedures, do a couple of checks and follow 
up, and everything will be all right.
    My job as a manager is to set expectations, to man 
performance and then follow up and use the tools that I have. 
This structure actually allows me the opportunity to do that. 
Never before has the Department had this much money on a 
contract.
    Mr. Burgess. And I hope you have the courage to enforce 
that.
    Ms. Wilbanks, let me just ask you briefly. You used the 
word ``malicious'' in your testimony. Did I understand that 
accurately?
    Ms. Wilbanks. Yes, sir.
    Mr. Burgess. So this person willfully downloaded material, 
took it back to her living quarters. What would be the--if I'm 
going to do something maliciously, presumably I have a reason 
for doing it. Have you explored that? Do we know what that 
answer is or is that still locked up in the FBI report?
    Ms. Wilbanks. I believe it's part of the FBI investigation, 
sir.
    Mr. Burgess. And at some point, again, Mr. Chairman, that 
information is going to be shared with us?
    Mr. Anastasio. Mr. Chairman, Congressman, if I could try to 
answer that briefly, in all the conversations that I've had 
with the FBI, they've given me no evidence that anything's 
happened beyond taking that material to her home.
    Mr. Burgess. But there must have been some financial 
incentive or wanting to damage someone. I mean you don't just 
do something like that on a whim, or at least I can't believe 
that you would.
    Mr. Anastasio. Certainly, the FBI is the one that can 
answer that in better detail, but what they've expressed to me 
in my variety of discussions with them is they have no 
indication that she did anything beyond what was reported in 
the press.
    Mr. Burgess. But, again, the motive--I mean the laser 
injury to the eye, OK, that was an accident; getting beat up in 
a bar, that's bad judgment; but taking material from the server 
back to your living quarters--I mean there's got to be a reason 
why someone would engage in that type of activity. It was 
either for sale or to damage someone else. But again, we don't 
know the answer to that at this point.
    Mr. Anastasio. But what we are working hard to do is make 
sure that never happens again.
    Mr. Burgess. And I would very much like an answer as to why 
it happened in the first place.
    Do we get another round?
    Mr. Stupak. We'll just do one more question or so.
    To get back to the FBI, we talked a little bit off the 
record there. We'll try to have them come in and give us a 
briefing, a members' briefing, on the status there to answer 
some of your questions.
    Mr. Melancon.
    Mr. Melancon. Thank you, Mr. Chairman.
    Mr. Anastasio, you talked earlier about disciplining about 
20-some-odd people. What were the violations that you 
disciplined them for?
    Mr. Anastasio. We did a very extensive review with a 
detailed look at all the incidents going back to over a year 
and a half ago when this project was first set up. The 
conditions of security that were built into the planning that 
they did, all the way through the activities, up until--up 
until the recent times, and in that, there were a variety of 
people that were disciplined, either removed from their job or 
other forms of discipline for all of the different sorts of 
things that went on, which were bad judgment on the part of 
employees, bad policies and procedures that were in place and 
things of that nature.
    Mr. Melancon. Can you give me an illustration of what, 
maybe, the worst one was or one of the worst ones?
    Mr. Anastasio. I think the worst problem was the way the 
security was set up for this particular project. The people who 
set it up actually were trying hard to be very conscious of 
security, but they didn't--they didn't make a plan that 
addressed all of the potential risks, and the people that were 
responsible for that security plan in that vault-type room, I 
think, were the ones that got the most severe penalty. And then 
the second-most, I would say, was the--was the cybersecurity 
team that was responsible for the overall policies of the 
institution.
    Mr. Melancon. Of the 20-some-odd, how many did you fire?
    Mr. Anastasio. Three were removed from their assignments. 
Many of the people who were responsible for this activity were 
no longer in the same assignment when we came on board, so they 
had been moved out of their job for a variety of reasons before 
we even got there, even though they were responsible a year and 
a half ago for--for overall security things.
    Mr. Melancon. Have you been--I don't know if you've been 
there shortly, but has the process been to try and ferret out 
all of these people from as far back--of course, I don't know 
how far back you go.
    Mr. Anastasio. Yes, we went back to the very beginning when 
the project was set up. We identified all the people who were 
responsible. The organization itself that was responsible at 
the time doesn't any longer exist. We've reorganized, et 
cetera, but we went and identified all of the individuals who 
have been involved over this entire period of time and, again, 
went through a very detailed effort to examine all the issues 
and who was responsible for them, and that led to the 24 
different disciplinary actions.
    Mr. Melancon. You ran Lawrence Livermore; is that correct?
    Mr. Anastasio. Yes, sir.
    Mr. Melancon. How many employees are there at Lawrence 
Livermore?
    Mr. Anastasio. Oh, I guess I don't remember offhand. I'd 
say about 8,000 to 9,000.
    Mr. Melancon. So about two-thirds to three-quarters of what 
you have at----
    Mr. Anastasio. That's approximately right.
    Mr. Melancon. Yes, and there's not any security problems 
that you experienced there, cyber or otherwise?
    Mr. Anastasio. There were some security problems at 
Lawrence Livermore while I was there. One incident that got 
quite a lot of attention was some security keys that got lost. 
And the approach I'm taking to the incidence here is the same I 
took there, which is to act very quickly and decisively, to 
find out those who were responsible and make sure that they're 
properly held accountable, and to go build a system that 
addresses the issues. And I would say--I'd defer to others, but 
I've been told that Lawrence Livermore now has the model 
security program for keys in the complex, and in fact, the lab 
goes around and briefs the other sites on the lessons learned 
and how to do a better job. So I think we responded very 
decisively there, and that's been my intent to do here at Los 
Alamos.
    Mr. Melancon. Yes. I guess the thing that I'm having 
problems getting my arms around is that this country--of 
course, I guess, when you look at Homeland Security, maybe we 
really do have a problem, but it's not at your level. But when 
you look at the security that is provided in this country and 
other places by our Government, why is there not some type of 
guideline, some type of program that we can model after? I mean 
this is--are we making it up as we go when we brought these new 
contractors in?
    Mr. Anastasio. Well, certainly, there's an element that's 
very clear on how to do this that has the behavioral issues 
involved, that has issues of policies and procedures, 
infrastructure that we've talked about, how big is your 
infrastructure, et cetera. But there's another piece which I 
think is a very large challenge for the country and us at the 
laboratory, which is the advance of technology.
    The last time the laboratory reviewed its policies--and we 
could argue they should have done it much sooner--these little 
memory stick, thumb drives were not in common usage, and yet 
now that they are, it's quite obvious what a risk they are for 
security. And so what's going to be the challenge we have 2 
years from now is we really need to develop a system in place 
that's robust against the future advancement of technology so 
we don't have to fix it after the fact like we're doing now. 
And that's the plan we're off doing.
    Now, I would argue that, as one of the previous witnesses 
has testified, there are a lot of nefarious people out there 
who are very sophisticated who are always looking to get 
access, and that also concerns me very much. And finding a way 
to defend ourselves from those kinds of attacks as well as the 
kind we're talking about here is a deep concern to me.
    Mr. Melancon. Thank you, sir.
    My time has expired.
    Mr. Stupak. We'll move quickly and see if any members have 
further follow-up. There's been some expression of wanting to 
follow up. If I may, just two questions.
    Mr. Anastasio, you indicated the thumb drives--when that 
cybersecurity was done, thumb drives weren't in use, but if 
you'll look after January 2005, after they shut down the lab 
for a while, five out of 14 points dealt with cybersecurity, 
dealt with the fact that these things are accessible. So I 
would suggest that maybe a good place to start for security is 
go back and look--after we shut down the lab that cost $350 
million, that we look at the recommendations that were made and 
implement those procedures.
    Mr. Anastasio. I can't speak to exactly what happened 
during--during that shutdown and why they did it.
    I can say that we have looked at and have, in fact, 
developed plans for all the issues that came up associated with 
that shutdown, and the corrective actions in place. We have a 
very effective system in place now to keep track of those about 
who's responsible to----
    Mr. Stupak. Sure, but in Mr. Melancon's answer, you said 
the last time you had a security review like that, thumb drives 
weren't being used. They were certainly in use in 2005 and long 
before that.
    Mr. Anastasio. Yes, sir, and I guess what I was--maybe to 
be clearer, the policies that the laboratory has for 
cybersecurity were not changed to be cognizant of the new 
technology that was available, and that was a mistake on the 
laboratory's part, and we're all fixing that.
    Mr. Stupak. Ms. Wilbanks, I was asking you some questions 
about the cybersecurity and the computer systems, and I'll ask 
you the same thing. Had you reviewed the 2004--or after the 
2004 report--recommendations made, and you indicated that there 
wasn't much in there about cybersecurity, but yet five of the 
14 recommendations deal with cybersecurity. In fact, as you are 
the Chief Information Officer, it even states--and I'm looking 
at the January 2005 memo. It says that the Office of Chief 
Information Officer is leading the effort to implement a 
cybersecurity enhancement plan to protect the confidentiality, 
integrity and availability of all DOE information systems.
    So you certainly, as the Chief Information Officer, have a 
huge role to play in shoring up all the classified and 
unclassified systems, including cyber; is that correct?
    Ms. Wilbanks. Yes, sir.
    Mr. Stupak. OK, and with that, Mr. Whitfield.
    Mr. Whitfield. Thank you, Mr. Chairman.
    Just a couple more questions.
    Mr. Anastasio, what is--do you have a policy on 
whistleblowers?
    Mr. Anastasio. Yes, sir, we do.
    Mr. Whitfield. OK, and I'm assuming you encourage----
    Mr. Anastasio. Absolutely. And we have a number of 
mechanisms in place to allow anybody at the laboratory who has 
a concern that they feel they can't discuss with their line 
management, they had, as a confidentiality process, a separate 
group of people to--to--we also have an ombudsman program. We 
have a variety of mechanisms that employees have available to 
them.
    Mr. Whitfield. OK, and then as a result of the deputy lab 
director announcing his retirement, which basically was in 
violation of the contract, the contract administrator or 
contracting officer, Edwin Wilmot, wrote a letter to you on 
December 6, requesting a briefing on what steps you all 
intended to take to ensure the retention of all key personnel.
    Now, have you all had that briefing yet or----
    Mr. Anastasio. I have not formally responded to his letter, 
but he and I, in fact, just last week talked about this very 
subject on the phone, and I gave him an update, and he 
requested me to send him some more information which I promised 
to do right after this hearing.
    Mr. Whitfield. OK. And then just one other comment. Ms. 
DeGette's questions made me think of this a little bit.
    The base contract, Mr. D'Agostino, is $1.5 billion to $2 
billion; is that correct, roughly?
    Mr. D'Agostino. It's roughly $2 billion, sir.
    Mr. Whitfield. And that's basically for managing the site?
    Mr. D'Agostino. That's right. It's for managing the site. 
There's a fee element associated with that. That's right.
    Mr. Whitfield. And then, on top of that, we have a $73 
million pool that can be given for extraordinary performance or 
incentives or whatever; is that correct?
    Mr. D'Agostino. As a subset, sir, not on top. It's roughly 
$2 billion. It depends on how much work we allocate to Los 
Alamos National Laboratory and the amount of work they have. 
The laboratory gets its resources from a number of different 
areas within the Department and across the Federal Government. 
About 60 percent of it, maybe closer to 70 percent of it, 
actually comes from the NNSA. Probably about 15 percent of it 
comes from other elements of the Department of Energy, and 
about 15 percent comes from what we call ``work for others,'' 
which is work for other Federal agencies, the Department of 
Defense and other intelligence agencies.
    Mr. Whitfield. But the $1.5 billion to $2 billion, that 
actually is paid to the M&O contract holder?
    Mr. D'Agostino. Right. That's the sum total of that text 
that I just described to you earlier, and the fee element is 
essentially an indirect charge that we allow the laboratory and 
part of its management to make it an allowable cost, and it's 
set aside in a specific account within the indirect pool, so 
it's not in addition to on top of, sir.
    Mr. Whitfield. OK.
    Mr. Anastasio. Excuse me, Congressman, but that $2 billion 
is to execute work. That's well----
    Mr. Whitfield. OK.
    Mr. Anastasio. That's well defined by Congress and by the 
Department that here's a set of work activities for us to go 
and do.
    Mr. Whitfield. OK. Thank you.
    Mr. Stupak. Ms. DeGette, any follow-up?
    Ms. DeGette. Ms. Wilbanks, when I was at the facility in 
2004, we were told that all of these ports were going to be 
secured then. And then in your testimony today, you said that 
since this incident, you've secured all USB ports at all NNSA 
sites and are reviewing all cybersecurity plans to ensure that 
they address the specific risks for the system. This type of 
incident, the undetected transfer of classified information to 
a portable device, could no longer occur at any NNSA site.
    I guess my great frustration here and, I think, the 
frustration of the rest of the committee is that we keep trying 
to close the barn door after the horse escapes. Mr. Anastasio 
says, well, now we're drug testing the employees before they 
get through the security system. Now you're in here saying that 
the ports have been secured.
    Why didn't that happen before this incident? If we knew the 
problem existed several years ago, why didn't it happen?
    Ms. Wilbanks. I did not come to the Department of Energy 
until the end of October 2004, so I can't speak to the comment 
that was made before I was there.
    I can tell you that the ports have been in the process of 
being closed, and the sites have been working on it. I don't 
have any other----
    Ms. DeGette. It took 2 1/2 years to do that?
    Ms. Wilbanks. I don't know, ma'am.
    Ms. DeGette. OK. When did you say you came?
    Ms. Wilbanks. October 31st, 2004.
    Ms. DeGette. OK. So that was right after we were there, and 
so when you came, and then in October of this year, that was 2 
years, and the ports still weren't closed in that time, right?
    Ms. Wilbanks. Yes, ma'am. There was no policy or procedure 
in place to require the port closure. It was not identified as 
a high risk is my assumption.
    Ms. DeGette. OK. So, if we were told--you would have no 
knowledge--so no one told you that that was a high priority?
    Ms. Wilbanks. No, ma'am. I was not aware of it.
    Ms. DeGette. OK. See, that's why we're so frustrated is 
because, when we were there earlier that year, we were told 
that that was a high priority.
    I guess this is what you're talking about, Mr. Anastasio, 
about the unclear competing policies.
    Thanks. This is what they secure it with, this JB Weld.
    Ms. Wilbanks. Yes, ma'am.
    Ms. DeGette. So how would that take 2 years? Because it 
wasn't a high priority, I guess.
    Ms. Wilbanks. That would be my answer, ma'am.
    Ms. DeGette. I'll yield to you, Mr. Stupak, for the JB Weld 
question.
    Mr. Stupak. Thanks for yielding.
    I mean, wouldn't you anticipate--if you're security 
experts, wouldn't you anticipate that someone's going to take a 
thumb drive and put it in these computers?
    Ms. Wilbanks. No, sir. She was in a classified environment 
that only cleared----
    Mr. Stupak. No. No. No. I'm not saying this lady.
    You've got 25,000 computers out there that you say contain 
sensitive information. If anyone can just take a thumb drive--
and I think Mr. Friedman held it up earlier and said you could 
take two file cabinets full of information off of it--wouldn't 
you so-called ``security experts'' think of that? I mean 
someone thought of it in 04 and told us when we were out there. 
That's the part that's baffling.
    I yield back.
    Ms. DeGette. I just think, Mr. Anastasio, that you really 
have a job ahead of you, and I hope that you and your team can 
do that job because I don't think there's very long for that to 
happen before we do take really drastic changes. We've been 
sitting here for 8 years doing this, and this is a perfect--
drug testing is another example. I'm assuming at Lawrence 
Livermore and at other labs that drug testing for high-level 
security clearances is pro forma, wouldn't it be?
    Mr. Anastasio. There was not a policy for drug testing at 
Lawrence Livermore when I was there. We have a requirement for 
certain specific activities, the handling of nuclear material, 
for example, that the Department requires us to have a drug 
testing program for, and of course those are in place all 
across all the sites.
    What I've done at Los Alamos is to say that, actually, I'm 
going to have drug testing for all employees whether they have 
a top-level security clearance or not.
    Ms. DeGette. And just----
    Mr. Anastasio. For anybody who comes to work at my site, I 
won't stand for people using illegal drugs.
    Ms. DeGette. Well, that's good. But even under the previous 
standards, this gal who was cleared probably shouldn't have had 
that level of security clearance, wouldn't you agree?
    Mr. Anastasio. I can't speak to that. I don't know. I don't 
know all the background that she had and that led to her--the 
decision about the clearance.
    Ms. DeGette. Thank you.
    Thank you. I yield back.
    Mr. Stupak. Mr. Burgess.
    Mr. Burgess. Thank you. And Mr. Anastasio, it just seems 
incredible that we will drug test our athletes. In fact, we've 
had hearings in this very room about that. We'll drug test our 
athletes, and we're not drug testing at Lawrence Livermore. I 
don't see that as good information.
    Mr. Pyke, let me ask you a question.
    The designation of an ``official use only'' document, what 
would be the reason to designate something as ``official use 
only''? Would that mean that we shouldn't be distributing it, 
say, around in this room for everyone to look at?
    Mr. Pyke. My understanding is that the ``official use 
only'' designation is given when someone has reason to believe 
there's sensitive information in there that should not be 
disseminated broadly.
    Mr. Burgess. Then, of course, you're aware that one of our 
staff members this morning downloaded a document from your Web 
site that's marked ``official use only''.
    Mr. Pyke. His report to me, late morning, is very 
disturbing to me, and in fact, I would appreciate it very 
much--he reported something similar last year, and I'm told 
that our staff went out and assured that the offending material 
had been taken down immediately, that very day, off of the Web. 
I gave directions right after I heard from him this morning 
that if, in fact, that information is still on the Web, that it 
be taken down immediately.
    We have a clear directive to the Department that not only 
is OUO and other sensitive, unclassified information not to be 
placed on the Web, to say nothing of classified information not 
to be placed on the Web, but there is to be a process in place 
to ensure regular monitoring of Web sites to ensure that such 
information has not crept onto the Web by mistake or otherwise.
    Mr. Burgess. Or otherwise. With all of the talk that we've 
had this morning, you do have to worry about the ``otherwise''. 
Fortunately for you, I'm not smart enough to understand what 
I'm holding in front of me. I don't know that I can say the 
same about the staff member who downloaded it, and if it's not 
off the Web site, I do encourage that you do that.
    Just as a final thought on everything we've been talking 
about this morning, I hope we don't focus on so much the 
individual worker at Los Alamos, the person who may have given 
in to a moment of human frailty, but we really have to put 
those procedures and the culture in place that just does not 
allow this to happen in the future. And heaven help us all if 
we're back here doing this same thing in 6 months' time.
    I yield back, Mr. Chairman.
    Mr. Stupak. OK. Our witnesses, nothing else?
    OK. Well, thank you and you're excused.
    We will go into executive session in 2218, Room 2218, in 15 
minutes, 2:05, Mr. Friedman, Mr. Podonsky and Deputy Secretary 
Sell, if you would, please.
    This record will remain open for 30 days. If members have 
questions they'd like to submit to any of the witnesses, that 
record will remain open for 30 days for those questions.
    [Whereupon, at 1:51 p.m., the subcommittee proceeded in 
executive session in room 2218.]
    [Material submitted for inclusion in the record follows:]
    [GRAPHICS] [TIFF OMITTED] 35446.001 through 35446.023
    
                     Answers to Submitted Questions

    Please identify exactly how many classified computers there 
are at Los Alamos National Laboratory (LANL). Please also 
describe in how many different locations these computers 
reside, and how many computers have open Universal Serial Bus 
(USB) or firewire ports. Please describe why each computer is 
essential and whether there are opportunities to reduce and 
consolidate the number of classified computers.

    The Los Alamos National Laboratory occupies 43 separate 
technical areas spread across an approximate 40-square-mile 
site. When Director Anastasio testified in January, we reported 
an inventory of 3,310 classified systems, 2,990 (89 percent) of 
which were networked and 320 (11 percent) were non-networked. Of 
the networked systems, 430 were servers and 2,560 were user 
systems. The non-networked systems consisted of 240 desktop 
systems and 80 laptop systems. Non-networked systems are 
generally utilized in areas where classified network 
connections are not available or to address information 
protection requirements. Laptop systems are needed for 
experiments conducted in remote regions of the LANL site and to 
which data acquisition equipment must often be transported, and 
also are an essential component for nuclear emergency response 
activities. When not in use, the non-networked laptop systems 
are protected as accountable CREM by storing them in a 
classified media library.
    As of the time of this response, LANL has 2,912 classified 
systems, of which 2,653 (91 percent) are networked computers 
and 259 (9 percent) are non-networked. Of the networked 
systems, 450 are servers, and 2,203 are user systems. The non-
networked systems include 54 laptops, 198 desktops, and seven 
custom experimental devices. The reduction is due both to 
conscious decisions made to reduce the total number of systems 
(for instance 94 non-networked systems were decommissioned in 
the first quarter of this year) and changes in our programmatic 
activities and their associated needs for classified computing.
    Only seven of Los Alamos's 43 technical areas house 
classified networked computers. Sixty percent of our networked 
classified computers are located in a single technical area. 
Twenty-seven percent are located in two other technical areas 
and the remaining systems are found at four other technical 
areas. Non-networked systems are found at 14 technical areas; 
50 percent at a single technical area, seven percent at another 
technical area, and the remaining systems are scattered between 
the other 12 technical areas. Nine of the 14 technical areas do 
not house any networked computers. Twelve classified media 
libraries currently store the non-networked classified laptops 
when they are not in use.
    All classified computing is performed in security areas.
    As with the above reductions made in the number of 
classified systems, LANL has also made major changes in the 
control of USB and firewire ports since the time of the 
incident last Fall. Currently, there are no ``open'' USB or 
firewire ports on classified systems (with the exception of 
systems used by the nuclear emergency response teams, which 
constitute a very small percentage of Los Alamos' total 
classified computing resources). All USB and firewire ports 
have been protected by one or more methods that have been 
approved by the NNSA Los Alamos Site Office.
    The number of computers at LANL varies with changes in our 
programmatic efforts. Expenditures for classified computers, as 
with other equipment, are appropriately justified based on 
programmatic need. Specific discussion about why each program 
requires the specific computers supporting it would render this 
response classified. In general, the classified computers at 
LANL support the following areas:

     Nuclear weapons design
     Stockpile stewardship
     Pit production
     Homeland security and threat reduction
     Nuclear emergency response
     Intelligence community support

    LANL is taking a number of actions to further reduce risks. 
For instance, LANL is emphasizing standardizing the types of 
systems used, networking as many of those as possible to permit 
consistent system administration, reducing accountable CREM, 
monitoring computer activity, and consolidating locations where 
such services as classified printing, media generation, and 
matter storage are available to improve the control of system 
output mechanisms. As an example, the Super VTR prototype is 
expected to eliminate at least six other vault-type rooms and 
five classified media libraries.

     Please identify exactly how many classified security areas 
there are at LANL. Please describe why each classified security 
area is essential and whether there are opportunities to reduce 
and consolidate the number of classified security areas.

    Currently there are 1,372 distinct and separate buildings 
where classified activities occur and where the appropriate 
levels of security are provided. These 1,372 buildings are 
located within 108 ``Security Areas,'' each enclosed by 
security fences and access gates. Each building/area where a 
classified activity occurs has a unique significance relative 
to national security that is mission-specific to those 
locations. The majority of these buildings contain classified 
repositories that reduce the necessity and frequency (and 
resultant risk) of transporting classified documents/materials 
between locations.
    We are continuing our comprehensive review of locations and 
holdings to ensure this number is reduced to the absolute 
minimum consistent with operational requirements.

     Please identify exactly how many classified vaults there 
are at LANL. Please describe why each classified vault is 
essential and whether there are opportunities to reduce and 
consolidate the number of classified vaults.

    There are currently 129 Vaults and Vault Type Rooms at 
LANL. Of that, 11 of those facilities are true vaults. Each 
Vault or Vault Type Room has a unique significance relative to 
national security that is mission-specific to the location. 
Since October 1, 2006 LANL has embarked on a continuing process 
to consolidate and reduce the number of these types of 
facilities. Since then, LANL has successfully reduced the 
number of Vaults and Vault Type Rooms from 142 to 129 using the 
following criteria:

     Wherever possible and when programmatic 
compartmentalization responsibilities allow, remove classified 
material and consolidate into existing Vaults and Vault Type 
Rooms.
     In cases where aging infrastructure makes 
compliance with physical security standards and maintenance of 
intrusion detection systems cost prohibitive, classified assets 
are to be consolidated into newer, compliant Vaults and Vault 
Type Rooms.
     Those existing Vaults and Vault Type Rooms that 
only house classified computing infrastructure like server 
racks and networking systems hardware are to be given a 
priority for review for consolidation and reduction.
     LANS is piloting a Super Vault Type Room project 
where similar classified processing activities are to be 
consolidated into a single facility. The first Super VTR will 
combine at least six Vault Type Rooms into one. As funding 
becomes available for additional Super VTRs, additional 
consolidation will be possible.

    These efforts are ongoing and should lead to future further 
reductions in the number of Vaults and Vault Type Rooms at 
LANL. To put our efforts in context with the DOE complex, 
Lawrence Livermore National Laboratory, Sandia National 
Laboratory and the Pantex Plant currently manage over 200 
Vaults and Vault Type Rooms each.
                              ----------                              

[GRAPHICS] [TIFF OMITTED] 35446.024 through 35446.082



     CONTINUING SECURITY CONCERNS AT LOS ALAMOS NATIONAL LABORATORY

                              ----------                              


                         FRIDAY, APRIL 20, 2007

                  House of Representatives,
                  Committee on Energy and Commerce,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 9:30 a.m., in 
room 2123 of the Rayburn House Office Building, Hon. Bart 
Stupak (chairman of the subcommittee) presiding.
    Members present: Representatives DeGette, Green, Doyle, 
Inslee, Dingell [ex officio], Udall, Whitfield, Walden, Murphy, 
Burgess, Barton [ex officio], and Wilson.
    Staff present: Chris Knauer, Richard Miller, Scott 
Schloegel, Rachel Bleshman, Lauren Bloomberg, Jodi Seth, Bud 
Albright, Alan Slobodin, Dwight Cates, and Matt Johnson.

  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Stupak. This meeting will come to order. Today we have 
a hearing on DOE's response to ongoing mismanagement at the Los 
Alamos National Labs. Each member will be recognized for 5 
minutes for their opening statement, and I will begin.
    Los Alamos National Laboratories is home to many of our 
Nation's most secretive weapons programs, yet it is also home to 
some of the worst security breaches in our Nation's history. 
This is our 13th hearing on security problems at Los Alamos in 
just the past 8 years.
     For 63 years, the University of California operated Los 
Alamos; but after numerous high-profile security lapses, the 
Department of Energy was urged to competitively bid the 
contract for operation of LANL. In June of last year, 
University of California was again awarded the contract under a 
limited liability consortium known as Los Alamos National 
Security, or LANS. This committee anxiously awaits proof that 
this new contractor will result in significant changes in Los 
Alamos and not just put new drapes over a broken window.
    At our January 30 hearing, we investigated the October 2006 
case of classified documents that were removed from Los Alamos 
by a contractor. We learned at that hearing that the security 
lapse would probably have not been discovered if it had not 
been for a domestic disturbance at the contract employee's 
home. The resulting investigation led to the discovery of drug 
paraphernalia and the discovery of classified paper and 
electronic files at the residence. The female contract employee 
was not adequately watched by her escort. The employee also had 
access to open ports on classified computers which enabled her 
to download and remove classified documents.
    We heard the Department of Energy's Inspector General 
testify in January that they do not know how much other 
classified information may have been removed using this gaping 
hole in security. We don't know where this classified material 
has ended up. We hope to learn the answers to these questions 
from the FBI's investigation, but they will not brief members 
until their investigation is complete.
    Many of the members of this committee were shocked that the 
National Nuclear Security Administration, NNSA, approved a 
security clearance for this employee, even though she admitted 
using illegal drugs within 30 days of her security clearance 
being approved. We were equally shocked at the fact that there 
was no follow-up evaluation or testing of this individual after 
she was granted her security clearance. Apparently, her promise 
not to use drugs in the future was good enough for NNSA.
    This security breakdown took place against a backdrop of 
previously degraded security performance. In 2006, the 
Department of Energy, Office of Health, Safety, and Security, 
documented substantial substandard-to-failing performance in 14 
of 17 key security areas at Los Alamos. You can see the 2006 
report right over there. The poor grades were in categories 
such as classified matter, protections and control, cyber 
security, and emergency management. Performance in 2006 had 
sharply deteriorated since the previous review in 2002 which 
had cited serious problems. I will be placing into the records 
summaries of these oversight reports. You can see them up on 
the screen now.
    [Slide shown.]
    In today's hearing, I hope to focus on a number of issues 
including what is the Department of Energy's system to issue 
classified security clearances? What led DOE to grant security 
clearance to an individual who admitted using illegal drugs 
within 30 days of her clearance being issued? What lessons are 
learned from this security lapse? What steps have been taken to 
correct the security deficiencies in the Department of Energy 
and at Los Alamos so that we do not have to hold our 14th 
hearing later this year?
    At the January 30 hearing, DOE testified that the Secretary 
convened two task forces, one to examine cyber security and a 
second task force to look at personnel security issues raised 
by the latest security breach. Today we will hear the results 
of these task force reports. A key finding by the personnel 
security task force was that at least two additional employees 
admitted to illegal drug use in the 30 days prior to security 
clearance approval. Eighteen other employees had similar 
information in this 12-month period between 2001 and 2002 
thereby causing DOE to re-examine their security clearances.
    We look forward to hearing what Secretary Bodman plans to 
do about this and other security problems his task force has 
uncovered. We also look forward to hearing how he plans to hold 
the contractors accountable.
    The Department of Energy has various tools, including 
enforcement action and reducing award fees to hold its 
contractors accountable. Nonetheless, this committee was 
disturbed to learn just this week that the Department of Energy 
apparently forgot to put legal requirements in its contract 
with the lab operator, the Los Alamos National Security. These 
legal requirements would have obligated the contractor to 
comply with DOE's stringent safeguards and security order known 
as DOE Order 470. This omission was discovered after the 
October 2006 incident which leaves open the question of whether 
the Department of Energy contracting officer may have handed 
Los Alamos National Security, the partner here, a get-out-of-
jail-free card if and when DOE attempts to bring in enforcement 
action for multiple security violations associated with the 
October 6th incident.
    The committee wants to know when the Department of Energy 
learned of this contract omission. Was it before last hearing 
where DOE officials swore they had all the necessary tools to 
enforce this new security standard? If so, why weren't we 
informed of this problem? When was the committee going to be 
told about this issue and what plans has the Department made to 
fix it?
    After our January hearing, I, along with my Republican 
colleagues, asked the Government Accountability Office to 
evaluate whether the security footprint at Los Alamos is simply 
too large to manage the classified information effectively. We 
also asked GAO to evaluate the possibility of consolidating and 
moving classified operations at Los Alamos to another lab such 
as Sandia where security is managed more effectively. GAO is 
moving forward on this evaluation despite requests by some 
legislators to do an analysis.
    In addition, the committee is reviewing H.R. 703, 
legislation introduced on a bipartisan basis with my 
colleagues, Mr. Barton and Mr. Whitfield, to move 
responsibility for safety and security out of NNSA and place it 
under the direct control of Secretary of Energy. We would 
welcome hearing the Secretary's view on this legislation. 
Secretary Bodman and his predecessors have come before this 
committee with commitments to improve the security culture at 
Los Alamos. Despite the creation of security czars and task 
forces, the end result has been a litany of security breaches 
and mismanagement. To say the least, the committee is 
skeptical.
    Today, Mr. Secretary, we want to know, what is different? 
Why are your proposals more likely to succeed when your 
predecessor's proposals have not? What assurances can DOE give 
us that these new reforms will work? What resources, and from 
whom, will DOE look to pay for these new security measures at 
Los Alamos? I can assure you, Secretary Bodman and the American 
public, that the committee will continue its oversight at Los 
Alamos. I can also assure you that this oversight will continue 
just as it has in the past in a truly bipartisan basis. When it 
comes to Los Alamos and security at nuclear labs, this 
committee is united in its oversight.
    I appreciate the assistance and cooperation of my 
Republican colleagues led by my friend, Mr. Whitfield, and his 
able staff.
     And with that, I would yield to the ranking member, my 
friend from Kentucky, Mr. Whitfield, for his opening statement, 
please.

  OPENING STATEMENT OF HON. ED WHITFIELD, A REPRESENTATIVE IN 
           CONGRESS FROM THE COMMONWEALTH OF KENTUCKY

    Mr. Whitfield. Thank you, Chairman Stupak, and for today's 
hearing to review ongoing security mismanagement at Los Alamos.
    Over the past decade, this subcommittee has established a 
rigorous tradition of strong, bipartisan oversight on DOE 
security matters, and I am pleased that this committee has 
continued this tradition with its close attention to ongoing 
mismanagement at Los Alamos.
    The most recent security incident, which occurred last 
October, resulted in the loss of over 1,500 classified 
documents. As I pointed out at the January hearing, this 
incident demonstrates poor security management, lack of 
formality of operations, and insufficient oversight that has 
plagued the lab for decades. Dramatic new ideas from the 
Department, from LANS, and from Congress are needed.
    At Los Alamos, the security environment is certainly 
challenging. Operations are spread out over a 43-square-mile 
area. The lab has approximately 15,000 employees. There are 
more than 2,000 classified computers and 1,774 separate 
security areas. To give perspective, there are more classified 
security areas at Los Alamos than there are total rooms in the 
Rayburn, Cannon, and Longworth House Office Buildings combined. 
Los Alamos has an unnecessarily large volume of classified 
information and conducts classified activities in too many 
areas involving too many people. These factors, including the 
geographical dispersions of activities, continue to make LANL 
susceptible to security failures.
    At the last hearing, I stated that LANS must be held 
accountable for the loss of classified documents last October 
and that it should pay a price. The Department of Energy must 
assert its contract and regulatory authorities to compel 
greater security performance. The Department has three primary 
tools to help compel performance, the enforcement of new 
information security relations with strong, civil penalties; 
the withholding of incentive pay associated with security 
performance; and three, the use of the conditional payment of 
fee clause in the contract that allows the Department to 
withhold up to 100 percent of the award fee.
    The Department has not yet finalized how they will use 
these enforcement tools, but I know members of the committee 
and in the Congress will be quite interested in what the final 
decision will be.
    Six months have elapsed since the October 2006 security 
incident. That is a reasonable amount of time to allow NNSA and 
LANS to formulate a plan to help improve security at the site. 
Later today, we will hear from Lab Director Michael Anastasio 
on the remedial actions he has taken to correct security 
failures. I think Director Anastasio's efforts to date appear 
to be more responsive than what we've seen in the past. I am 
encouraged by his initial steps to reduce the number of 
classified vaults at Los Alamos, and I think LANS has already 
implemented a few valuable cyber security improvements at the 
site. However, it is too soon to say whether these actions are 
simply short-term fixes or a commitment to long-term security 
improvements. I am delighted Secretary Bodman has joined us 
today, and we certainly look forward to his views on this very 
important issue. And thank you, Mr. Chairman. I yield back my 1 
minute.
    Mr. Stupak. Thank you, Mr. Whitfield. Next, turn to the 
Chairman of the full committee, Mr. Dingell, for an opening 
statement, please.
    The Chairman. Mr. Chairman, I thank you, and I commend you 
for holding this hearing. Mr. Secretary, welcome.
    Secretary Bodman. Thank you.
    The Chairman. I hope your visit here is pleasant here 
today.
    Secretary Bodman. So do I.

OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    The Chairman. Mr. Secretary and my colleagues, today's 
topic is sort of as what is observed as deja vu all over again. 
The security at the Energy Department labs, in particular the 
one we are discussing today, Los Alamos National Laboratory, is 
an issue with which this committee has been involved for more 
than two decades. Our colleagues on this committee and I could 
produce stacks of letters and piles of hearing documents 
relative to the question of security breakdowns at the 
Department of Energy and at this unfortunate laboratory in 
particular. Likewise, we could display a small mountain of 
proposals and promises made by lab directors, blue-ribbon 
panels, task forces, Secretaries of Energy, and yes, even a few 
Presidents to fix the security problems at the labs.
    You, Mr. Secretary, are no different than your 
predecessors, and you inherited a fine mess out there. You have 
proposed a number of changes and recommendations to fix the 
problems, and we commend you for that; and you've convened 
blue-ribbon task forces to make these recommendations. For that 
we are appreciative. I am sure that we will hear about how 
everyone takes this matter of security seriously. I am sure 
that in fact everyone is sincere about improving security; and 
I am certain that you, Mr. Secretary, will propose changes that 
will make sense.
    But before we claim victory in our battle to improve Los 
Alamos, we need to look closely at what is being proposed and 
whether in fact it differs from what has happened before or 
what has come before. As President Reagan used to say, trust 
but verify. As my old daddy used to tell me, trust everybody 
but cut the cards. I would urge my colleagues to do that today. 
In this regard, I recommend you pay particular attention to the 
tools that you, Mr. Secretary of DOE, actually have to enforce 
the new security proposals.
    I understand that the Department's ability to assess an 
effective fine has come into question in the light of 
information provided to the committee this week. The DOE 
officials who reviewed and signed the contract on behalf of the 
U.S. Government were the new contractors, Los Alamos National 
Security, apparently omitted the applicable safeguards and 
security orders for 13 months. This is hardly an auspicious way 
to start new reforms. Although legal implications of this 
omission are still unclear, it appears there is a serious 
question as to whether DOE is unable to cite the contractor for 
each and every violation of its security requirements. 
Apparently, applicable security requirements under DOE Order 
470 were not inserted into the contract until after the 
violations were discovered. In fact, these requirements were 
not included in the contract until after January 25, 2007, a 
mere 5 days before our last hearing on Los Alamos. I am curious 
to know why this information was withheld from the committee 
until now. This is certainly not trusting and verifying.
    I hope the Secretary abides by this maxim, too. Mr. 
Secretary, do not trust everything that you are told. I would 
observe that we have been working on Los Alamos for a long 
time, and our problems with security there have been 
substantial and have run all the way from penetrations by 
foreign countries into the security there to loss of valuable 
Government property to problems with regard to stings that were 
supposed to be held to address problems of narcotics sales 
inside the facility and, very frankly, also two other things 
including a curious event involving fornication in the guard 
towers out there.
    Mr. Secretary, I note with both respect and affection that 
you are not only requiring briefings from your staff regarding 
security and safety issues when you were there but that you 
also poked around the basements and nooks and crannies to 
assure that the situation with regard to security was going 
properly. Certainly, Mr. Secretary, we need that kind of 
approach today. I think we have to look beyond fines and 
penalties to fix the problems at Los Alamos. For that reason, 
along with my good friend, the chairman of the subcommittee, 
our good friends and colleagues in the minority, we have 
requested that the Government Accountability Office, GAO, 
conduct a comprehensive audit of Los Alamos to determine what 
functions are essential at that laboratory. Their report will 
inform us of the options available.
    Mr. Secretary, I hope that you will assist the committee 
and the GAO in this important study and in our efforts to 
improve security at Los Alamos and throughout your Department. 
I thank you for your presence here. I express to you my 
affection and respect and also the hope that you will have 
success in straightening up something which has defied your 
predecessors in office in this matter.
    I want to thank all of our witnesses for appearing before 
us today; and you, Mr. Chairman Stupak, I want to express my 
particular respect and gratitude to you for what you are doing. 
Thank you, Mr. Chairman.
    Mr. Stupak. Thank you, Mr. Dingell. Next we go to Mr. 
Walden from Oregon for opening statement, please.

  OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF OREGON

    Mr. Walden. Thank you very much, Mr. Chairman. And I, too, 
appreciate the continuing efforts in a bipartisan manner of 
this subcommittee to try to figure out how to provide full 
security at these labs. And Secretary, I want to welcome you as 
my colleagues have done and appreciate the work you're doing on 
this.
    I noted in your testimony that you indicate that you feel 
like that significant progress has been made in security at Los 
Alamos and yet then you go on to say you're still not 
satisfied. I would be curious to know with only 20 months left 
in office, provided you're there to the end, how are we going 
to get this thing resolved and do you think it is possible? We 
have had, as you know, multiple hearings over multiple years in 
both classified settings and non-classified settings and 
continue to chase this. And if anybody can get this fixed, I 
have confidence that you certainly have the commitment and the 
ability to get it done. So I will look forward to hearing that. 
Before I have held up the J-B Weld which is the world's 
finest cold glue I guess for households and hobbies. It is 
great for farm machinery and equipment. It is also $4.99 at 
Wal-Mart and was used I believe to plug something in the order 
of 7,200 USB ports at Los Alamos but only after there had been 
about a year of security breach. It seems to me that for $4.99 
you can fix this problem. Maybe it wouldn't cost that much more 
to fix the whole thing. But it has been very disturbing that 
data can come and go in and out of the lab, and the most recent 
examples are very frustrating for us and I am sure for you, Mr. 
Secretary.
    So we welcome you here today. We look forward to hearing 
your comments, and unfortunately they tell us we are going to 
have a long series of votes beginning in about 9 minutes. So I 
am going to quit and return the balance of my time and look 
forward to your comments. Thank you, sir.
    Secretary Bodman. Thank you, sir.
    Mr. Stupak. Thank you. Mr. Green from Texas, opening 
statement?
    Mr. Green. Mr. Chairman, I'll just welcome the Secretary 
and submit an opening statement for the record.

  Prepared Statement of Hon. Gene Green, a Representative in Congress 
                        from the State of Texas

    Mr. Chairman, thank you for calling this hearing.
    I would also like to thank our witnesses, including 
Secretary Bodman and Los Alamos Director Anastasio for 
returning here a couple months after our last hearing to 
provide us with a status report on ongoing security measures at 
Los Alamos National Lab.
    Given the situation at the national laboratory system, 
congressional oversight is a necessity.
    Security can be high tech, involving counter-measures for 
computer hackers and electronic warfare, or it can be very 
low-tech, such as old-fashioned human intelligence.
    The national laboratories, particularly Los Alamos, have 
had problems with both issues, as we see in the reports on 
Personnel Security and Cyber Security that the Inspector 
General has produced.
    On the personnel front, this committee is going to be very 
interested in the ongoing review of security clearances and 
background checks for all employees in the DOE national 
security complex.
    We are pleased to see a full review over issues like drug 
history and the implementation of new drug testing measures.
    In addition, we need to ensure the security clearance 
review is not only looking at narcotics, since there can be 
many other security risks as well.
    If people working on sensitive national security projects 
have any kind of major criminal activity or other issues that 
could make them a security risk, then DOE needs to know about 
that.
    Often the lab has taken a reactive security approach, going 
from one crisis to another trying to prevent the same thing 
from happening again.
    We need a proactive approach that thinks ahead to what 
other kinds of security breaches COULD happen, but haven't 
happened yet.
    On the cyber security front, our committee is looking for a 
full update on issues like sealing open USB ports in lab 
computers, disabling dual use computer ports, and securing 
racks of computers with sensitive national security 
information.
    Personnel security and cyber security are related, because 
sometimes it is just as important to know who is on the 
computer system as it is to know who is actually handling 
bomb-grade radioactive materials.
    Mr. Chairman, with that I would like to yield back so that 
we may get to the question time for the witnesses. Thank you.

    Mr. Stupak. Mrs. Blackburn from Tennessee.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. Thank you, Mr. Chairman. I do want to thank 
you for holding the hearing and thank you and our ranking 
member, Mr. Whitfield, for the work on the issue; and I want to 
thank our participants for being here on what looks like is 
going to be an interrupted day. And before we begin the 
hearing, I do want to give a little bit of an overview of how I 
see things and how I think a lot of people that are looking at 
this with us see things.
    It seems that, and we all know and it is frustrating, there 
is a systemic problem with management at Los Alamos, and for 
several years the culture of--has seemed to persist. It has 
gone on without seeming to have a lot done about it, and I see 
no significant efforts by NNSA or the DOE to change the 
culture; and I come to this decision by reading the reports 
that you have given us. I am partially relieved to see that the 
previous organization which appeared to be incompetent in so 
many different areas, that they have been replaced; and I have 
several concerns about the new operator and we will address 
those in questions. And from time to time, I think we see new 
policies that are brought forward; and Mr. Secretary, we hold 
great hope for you that new policies this time are actually 
going to do something to correct the problem, that there will 
be timelines, that there will be guidelines and some 
accountability measures that are there. I think all too often 
we see that people admit there is a problem, they find the 
problem; but unfortunately, they do not seem to have the desire 
to correct the problems, and that is the situation in which we 
find ourselves right now. Not correcting the problems it 
appears to me to each employee would be a disservice to their 
personal record, it would be a disservice to the 
administration, it is definitely a disservice to the American 
people. It is something that I hope we hear from the director 
and also from you, Mr. Secretary, that it is no longer going to 
be tolerated and that you can give us some measurables and 
some quantitative data that will prove to us that changes are 
indeed taking place.
    We are hopeful for your progress, and I yield the balance 
of my time.
    Mr. Stupak. I thank the gentlewoman. We will next move to 
the gentlewoman from Colorado, Ms. DeGette.

 OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF COLORADO

    Ms. DeGette. Thank you very much, Mr. Chairman. We were 
trying to count the number of these Los Alamos hearings that----
    Mr. Stupak. Thirteen.
    Ms. DeGette. Thirteen? And those are all the ones we have 
been sitting in together plus the visit down there. Secretary 
Bodman, I am delighted to see you today; and I am really glad 
you came because I think that resolving these problems is going 
to have to come from your level, and I know you have got that 
commitment. So I am pleased.
    I am going to submit my whole statement for the record 
because frankly I am really tired of saying the same thing over 
and over again and emoting about what a disaster it is down 
there, and this latest incident with the employee who 
apparently had problems with her security credentials and then 
she takes critical documents on a flash drive and then she gets 
busted for drugs, it just boggles the mind. And it goes on and 
on.
    But there are some really important legal questions that we 
have heard about in recent days that add yet a new dimension 
that I haven't even whined about once because they just came to 
light and that is about the contracting procedures at the 
Department of Energy. The committee has learned that the 
management contract signed by the Department and with great 
fanfare I may add lacked key components that allow penalties to 
be assessed when DOE security procedures are not followed; and 
because those orders were inadvertently omitted from the 
contract, so have the security breaches we have seen could go 
unpunished which frankly just underscores the cavalier attitude 
really that a lot of people take toward security at what should 
be frankly our most secure facility.
    So here is the big picture. The American people need to 
know that management at Los Alamos, which comes from a 
lucrative, multi-million dollar contract, is top notch. That 
hasn't been the case, far from it. And all of our constituents 
need to have the confidence that if managerial negligence is 
found, if security breaches do occur, and if specific DOE 
procedures are not followed, then there will be severe 
consequences. That hasn't been the case, either. Enforcement so 
far has amounted to a slap on the wrist, and I think we all 
agree that is not acceptable. So there will be several 
questions I will be exploring today, what went wrong with the 
contracting procedures at DOE, how could these omissions have 
occurred, has this compromised the Department's ability to 
enforce its rules and assess penalties, and what is being done 
to ensure that this does not happen again?
    Thank you, Mr. Chairman. I look forward to this hearing, 
and I am sure there will be many more. I yield back.
    [The prepared statement of Ms. DeGette follows:]
    [GRAPHIC] [TIFF OMITTED] 35446.083
    
    Mr. Stupak. I hope not but I am afraid there will be. Mr. 
Murphy, opening statement, please.
    Mr. Murphy. Thank you, Mr. Chairman. I will waive in 
interest of time, but I would like to welcome the Secretary for 
being here. Thank you.
    Mr. Stupak. Thank you. Mr. Doyle from Pennsylvania, opening 
statement, please?

   OPENING STATEMENT OF HON. MIKE DOYLE, A REPRESENTATIVE IN 
            CONGRESS FROM THE STATE OF PENNSYLVANIA

    Mr. Doyle. Thank you, Mr. Chairman. I want to commend you 
for your continued vigilance on this important matter.
    The protection of classified documents and information at 
our national labs, especially at Los Alamos National Lab, is 
critical to ensuring that we are able to protect the American 
public against those who may intend to do us harm. The frequent 
security breaches at this and other labs are completely 
unacceptable. I am looking forward to hearing the testimony of 
Secretary Bodman and his colleagues as we work together to 
ensure our nation's classified nuclear information remains 
protected.
    It is no secret that there are and have been over a number 
of years serious security questions at the Los Alamos National 
Lab. Thankfully, most of these breaches have been of an 
accidental nature due to inadequate security breaches being in 
place. In essence, the breaches have served as a wake-up call 
to all of us. I shudder to think what may have occurred had the 
breaches been the result of a well-thought-out and intentional 
plan to secure classified information for sale on the black 
market. We have been lucky so far. But if security there is not 
made ironclad, our luck will surely run out.
    I am looking forward to hearing about the improvements that 
have been made since the October 2006 investigation, as well as 
what improvements have been made since our last hearing on this 
matter in January. I am so very interested in being able to 
judge the level of commitment to security improvements, not 
only on the ground at the site but all the way to the 
Secretary's office. I believe it is critical that the Secretary 
maintains his vigilance, not only on this particular incident 
but on the entire security systems under his purview.
    One thing is clear, when it comes to the long history of 
violations at Los Alamos, an intensive, short-term focus which 
trails off once the media focuses on another subject, will only 
lead to future concerns at the lab. We on this committee, those 
in the administration, and those on the ground at the labs must 
continue to shine a light on security while working together to 
ensure that procedures are updated so that the facilities are 
not only more secure today but will become even more secure 
with the passage of time.
    Former Secretaries of Energy have come before Congress with 
promises of new security; but for one reason or another, they 
have fallen short and violations have continued. Now this 
matter falls to you, Secretary Bodman. We on this committee 
hope to work closely with you so that you will succeed where 
your predecessors have failed. Security, especially nuclear 
security, is not a Democratic or Republican issue, it is an 
American issue in which all branches of Government and both 
political parties must work hand in hand to ensure that the 
American people have the protections in place they deserve. We 
must renew this focus today and continue to fully and 
completely protect our facilities and the critical information 
they possess at both the physical and cyber levels. Anything 
less opens our nation to dangers that none of us even want to 
believe could happen.
    So again, Mr. Chairman, I commend you for your continued 
vigilance. I will look forward to hearing the testimony of our 
distinguished panelists, and I yield back the balance of my 
time.
    Mr. Stupak. Mr. Burgess.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Thank you, Mr. Chairman. I guess I am glad we 
are here today. Like everyone else, I am frustrated that we 
never seem to make any forward motion on this. It is a 
bipartisan issue. We all share the same concern and anxiety 
regarding security at the lab. I appreciate the aggressive 
nature the committee has taken on the crucial issue of national 
security.
    We have three witnesses today that can provide insight into 
the problems and hopefully solutions to the Los Alamos 
problems. Secretary Bodman, Inspector Friedman, Director 
Anastasio, gentlemen, I welcome you all here today and I look 
forward to entering into a constructive discussion with each of 
you. I understand that there have been improvements made, but 
there are still many, many challenges ahead of both you and us.
    Today we are going to be reviewing the findings of both the 
personnel security task force and the cyber security task 
force. I am encouraged by reading about the task forces, but 
unfortunately, we have been told in the past that actions and 
repercussions will occur but they never do. That is why we have 
held hearing after hearing, year after year, on Los Alamos. To 
quote the Inspector General in his written statement, ``Many of 
the actions are in process and the key to the successful 
resolution of the matter is detailed in our November report, 
its implementation and execution.'' Implementation and 
execution. You all have good ideas that will significantly 
affect the security of Los Alamos, but it is not enough for us 
to come here and hold these hearings and talk and talk and talk 
about it. One of these days someone is going to have to walk 
the walk. I am still not completely comfortable with using 
basically the same contractor for operating Los Alamos. I do 
believe that Director Anastasio was capable and qualified to 
help turn things around but also mentioned during the last 
hearing, you have some of the most intelligent minds in the 
world at work at Los Alamos. While there is clearly an 
institutional problem, we must also remember that there are 
thousands of hard-working employees at the lab who make a 
remarkable contribution to science and the country on a daily 
basis.
    Also at the last hearing, we discussed the issue of 
accountability. It is appropriate to readdress that issue 
today. While there are many organizational changes that can be 
made to better ensure the security of our country's classified 
information, one of the easiest and most effective remedies is 
to make the contractor in charge of security pay a steep and 
deep penalty. As a steward of the taxpayer dollar, I fully 
support this idea. If the contractor is penalized substantial 
sums, and in Washington substantial sums are substantial sums 
of dollars, maybe then they will finally recognize how serious 
of a problem this is and must be stopped at all costs.
    One of the other things we learned at our hearing earlier 
this year was the fact that although the contract for the lab 
had been rebid and re-awarded, that that process could be 
opened again if there were substantial problems encountered. I 
would submit to you that it appears that there are substantial 
problems, but I would like an update on whether or not the 
Department of Energy is going to hold the contractor 
accountable for his actions or lack thereof, if there is going 
to be a reopening of the contract that was awarded the past 
year.
    I have also another issue within the Department of Energy 
that I think is appropriate to briefly mention and discuss. I 
understand that there is a strike occurring at a nuclear 
security weapons plant in my home State of Texas, the Pantex 
facility, and I would appreciate it if Secretary Bodman would 
give us a brief update on that issue and the impact of security 
at the plant.
    Again, Mr. Chairman, thank you for holding this bipartisan 
hearing in which we can further address the security at Los 
Alamos. We are all committed to continuing these hearings until 
this cycle of security breaches at Los Alamos is over once and 
for all.
    I yield back.
    Mr. Stupak. That concludes the opening statements. For the 
record, Mrs. Wilson is here from New Mexico and so is Mr. 
Udall, not members of the subcommittee but we welcome you, and 
I know you have been at every hearing we have had on this, Tom; 
and you certainly can be here when we go to the questions, and 
we will certainly give you an opportunity to ask questions if 
you like.
    So that concludes the opening statements by members of the 
subcommittee. I will now call our first witness to come 
forward. Our first panel we have The Honorable Sam Bodman, 
Secretary of the U.S. Department of Energy. Secretary Bodman, 
it is the policy of the subcommittee to take all testimony 
under oath. Please be advised that witnesses have the right 
under the rules of the House to be advised by counsel during 
the testimony. Do you wish to be represented by counsel?
    Secretary Bodman. No, sir.
    Mr. Stupak. OK.
    [Witness sworn.]
    Mr. Stupak. Mr. Secretary, you are under oath. You may 
begin your opening statement, please.

 STATEMENT OF HON. SAMUEL W. BODMAN, SECRETARY, DEPARTMENT OF 
                     ENERGY, WASHINGTON, DC

    Secretary Bodman. Mr. Chairman, Ranking Member Whitfield, 
members of the subcommittee, I am very pleased to be here to 
discuss what I consider to be one of the most pressing 
management issues confronting my Department.
    Since coming to the Department, one of my top goals has 
been to institute a safer, more secure work environment across 
the DOE complex, and I have meant this to include physical 
safety and security as well as cyber security. I want to be 
absolutely clear with all of you, the protection of sensitive 
information is essential to our ability to meet the mission of 
this Department. Without it, we can't do it.
    What I would like to do today is to briefly outline the 
steps that we have taken since the Deputy Secretary testified 
before you in January. In summary, I would make two points. 
First, we have made significant progress in my judgment, and I 
am confident that we are on the right track. That being said, 
we are not satisfied with where we find ourselves today. We are 
sitting on top of this issue, we continue to look for ways to 
identify and correct any potential weaknesses. If I may, I 
would like to now describe some of the improvements and also 
note that more details appear in my written testimony which 
will be submitted for the record, if that is acceptable to the 
Chairman.
    First, we have made some senior management and oversight 
changes in response to the security breaches at Los Alamos. In 
January, I made what for me has been a very difficult decision 
and that is to replace the Under Secretary for Nuclear 
Security. Tom D'Agostino is the Acting Under Secretary and NNSA 
Administrator. In addition, NNSA has reassigned the Los Alamos 
site office manager and has put one of its strongest managers, 
Daniel Glenn, in place as the Acting Manager.
    Further, Tom D'Agostino has requested that DOE's Office of 
Health, Safety, and Security conduct annual inspections at Los 
Alamos for the next 3 years. This month, both NNSA's Office of 
Defense Nuclear Security and CIO will inspect LANL for cyber 
and physical security problems. In fact, the CIO has already 
been there and conducted her inspection. The site office will 
conduct annual and regular observations of the laboratory's 
security program.
    I would just add that I continue to be in close contact 
with the senior leadership of the laboratory. In fact, I met 
with all of the national laboratory directors just last week in 
Chicago. At a department level, I have formed two teams of 
senior officials, including Under Secretaries, the Chief of 
Security, and our Chief Information Officer and asked them to 
make specific recommendations based on the report of the 
Department's Inspector General who conducted his report at my 
request. I have directed that these recommendations be 
implemented department-wide, including enhanced mandatory 
training for those involved in granting of security clearances; 
a strengthened departmental policy on drug testing that hold 
security clearances, everyone; better quality assurance 
oversight for granting security clearances; and a revised 
organizational structure for our personnel security program 
that will ensure accountability.
    We are also taking actions based on the recommendations 
from our cyber security team. Those include mandatory 
separation of duties for critical positions, improved training 
for all individuals with cyber security responsibilities, and 
improved line management oversight. We are carrying out the 
Department's new authorities related to assessing civil 
penalties for classified information security violations. At 
the same time, the laboratory's current management contractor, 
LANS, is also taking corrective action of their own. Among 
other issues, LANS recognizes that the lab's volume of 
classified holdings is unnecessarily large, it is conducting in 
too many security areas, involves too many people, and is too 
spread out. As a result and with the approval of NNSA, they are 
aggressively reducing the number of locations where they hold 
and process classified matter.
    In closing, Mr. Chairman, let me say this. The men and 
women who work at our national laboratories are among the 
world's most talented scientists and engineers. Since their 
founding, these laboratories have demonstrated again and again 
the tremendous power and terrific promise of science to help 
our nation solve our greatest challenges. But such a system 
cannot tolerate the kind of lapses in security that we have 
seen, be they in the physical or cyber realm. Protecting 
critical information and maintaining a vibrant collaborative 
science culture are not in my judgment mutually exclusive. 
Quite the opposite is true. In this case, you absolutely cannot 
achieve one without the other; and you continue to have my word 
that I will do everything in my power to support both 
objectives. The American people deserve no less.
    I would like to say, sir, that in my view, the objectives 
of this committee and all of the statements that I have heard 
made by the members of the committee are very consistent with 
my own feelings. We have a real problem here, and I think we 
have the opportunity of working together to try to deal with 
it. Thank you very much.
    [The prepared statement of Secretary Bodman appears at the 
conclusion of the hearing.]
    Mr. Whitfield. Mr. Chairman, may I ask a procedural 
question before we begin our questioning? I know that we do 
have some information, Official Use Only information, 
particularly relating to the rating summary for the Los Alamos 
plant and various areas, and in the past, whenever we've 
discussed Official Use Only information, we have either gone 
into executive session or a closed session or we have worked 
with the Department to agree on redacted material before we 
release anything to the public. I mean, that is one of the 
documents there. I know it has been partially redacted, but I 
would ask the chairman what his intent is on this issue 
relating to Official Use Only.
    Mr. Stupak. Well, I thank the gentleman for posing the 
question. As you can see on the ratings summary, and we had it 
up during my opening statement, that was the most recent Los 
Alamos site office and lab rating summary. The broad categories 
are there, but the detailed areas of security have been 
redacted at the request of the minority and the majority; and 
the documents with more detailed information in there will not 
be released and have no intentions of being released, even the 
ones I think we have in Secretary Bodman's book up there is all 
redacted. For the audience, the yellow part there is probably 
about a C-minus if we are grading this. Green is maybe a B. 
That's good. R is really bad. I guess that is what R stands 
for, really bad. In 1999, the report was better than this and 
we seem to be on a downhill slope. So I am sure there will be 
questions about it, but there are no details in there. What 
does emergency management, that is the broad category or cyber 
security, but we do not have any details in there nor do we 
intend to release any of those details. As you have said, they 
are for official use, even though this committee or any member 
would have a right to release it I believe in a hearing in the 
context of their official duties, but we are going to leave it 
like it is.
    Mr. Whitfield. Well, I appreciate----
    Mr. Stupak. Not to hold you up.
    Mr. Whitfield. Yes, I appreciate that, Mr. Chairman. And I 
think all of us would stipulate that the grades that the 
Department has received on this are not particularly good, but 
I really appreciate your conveying that information. And I am 
assuming that is the only Official Use document that we have. 
So thank you very much.
    Mr. Stupak. If it would have had the details in, it would 
have been Official Use. Since it has been redacted, it is my 
understanding it is no longer Official Use. That document can 
be released. The ones that say Official Use with the details, 
there is no intention that I know of of anyone on this 
committee or myself or staffs of releasing that. Thank you.
    In order to proceed in a more orderly and efficient manner, 
I would like to propose and set up 5 minutes for each member 
for questions, that each member will have 10 minutes to use for 
questioning during this hearing. Any objection? I see ranking 
member of the full committee, Mr. Barton, has just arrived. 
Before we go into questions, would you care to make an opening 
statement, sir?
    Mr. Barton. Thank you, Mr. Chairman, but I am a little bit 
late so to expedite the hearing, I know we have got some votes, 
so I will put my statement in the record.
    Mr. Stupak. Yes, we have nine votes coming up here. I don't 
know if you want to do an opening before we do the votes and I 
don't know if we want to get halfway through the questions and 
have to stop.
    Mr. Barton. No.
    Mr. Stupak. OK. Then we will proceed to questions. I will 
start off.
    Mr. Secretary, the Cyber Security Task Force calls for an 
independent oversight review of cyber security at Los Alamos 
this year. Your testimony calls for annual reviews. Is Los 
Alamos in compliance with all DOE directives regarding security 
as we sit here today?
    Secretary Bodman. No.
    Mr. Stupak. In what areas are they still deficient?
    Secretary Bodman. Well, we have a number of recommendations 
that have been put in place in the cyber security area, most 
notably a systems manual that was delivered and made available 
to the contractors and with the stipulation that these be 
entered into the agreements with each contract.
    Mr. Stupak. So it is not entered into the contract?
    Secretary Bodman. They are in the process of being entered 
into it. I think it was on the date of March 8 that the 
security manual was issued. They have 90 days in which to 
accomplish that, and we expect them to accomplish that by June 
8. Now that will then put it in being a part of the contract.
    Mr. Stupak. Correct.
    Secretary Bodman. There will then be a period of time. I 
can read through the various issues if you would like.
    Mr. Stupak. When do you think the implementation will be?
    Secretary Bodman. It is going to be a couple of years, sir, 
before all of this is done because this calls for training, it 
calls for a change in the way we manage the entire cyber 
security responsibilities of the Department.
    Mr. Stupak. If it is going to be a couple of years, I think 
we will be having a 14th, 15th, and 16th hearing then. In 
summary, you were summing up and you said LANS, the new 
contractor who is in charge of this lab----
    Secretary Bodman. Yes.
    Mr. Stupak. You see them, might as well call them, 60 
percent of LANS is University of California----
    Secretary Bodman. No, sir, it is not, sir.
    Mr. Stupak. OK.
    Secretary Bodman. Sir, it is not. The 60 percent is not 
California.
    Mr. Stupak. OK. LANS is now in charge.
    Secretary Bodman. That is correct.
    Mr. Stupak. Sixty-three years of U.C., now we got LANS.
    Secretary Bodman. That is correct.
    Mr. Stupak. OK. LANS, if I heard you correctly at the end, 
LANS agrees that Los Alamos is too large, too many people, and 
too spread out is what you said at the end, correct?
    Secretary Bodman. They believe that the use of classified 
information, that there are too many centers, we have too many 
classified retrievable electronic media that are being used, 
and there is a specific program that I am sure Director 
Anastasio will review with you for reducing those.
    Mr. Stupak. OK. As you know, we have asked the GAO to take 
a look at this.
    Secretary Bodman. Yes, sir.
    Mr. Stupak. Not just in the cyber security but the whole 
footprint out there because many of us feel the repeated 
security breaches at Los Alamos, because it is too large, too 
many people, too spread out, and when it takes years to 
implement policy, we do not feel real confident that the 
implementation and the policy will be completed in a timely 
manner and we will be back here again with more breaches. So if 
it is going to take years to implement security agreements, that 
really bothers us.
    Secretary Bodman. Well, some of it, sir, depends on 
budgets. In other words, these will be costly, they will 
require the approval of this Congress in order to get 
sufficient funds to do what needs to be done.
    Mr. Stupak. So the taxpayers are going to pay for all these 
new security measures?
    Secretary Bodman. It will be perhaps shifted around from 
one part of the organization to another, so I am not saying 
there will be a total increase in the budget but I am saying 
there will be a funding for this that is required.
    Mr. Stupak. Well, I don't want to throw good money after 
bad, but we are a little concerned here when we learned this 
past week that the enforcement mechanism for LANS wasn't even 
in the contract. Now, 13 months later I guess it is inserted. 
So when I said get-out-of-jail-free card, that is from the game 
Monopoly and this is real money, not paper money.
    Secretary Bodman. I understand that.
    Mr. Stupak. You have a monopoly when one entity you see has 
managed this lab for 63 years and still is part of LANS. And so 
we can't be giving out get-out-of-jail-free, using taxpayer 
money, and a management monopoly and we are back here all the 
time doing the same thing.
    Let me ask you this question. The Inspector General's 
testimony said the Federal and contract managers need to manage 
the lab more aggressively and the Department and the lab must 
develop a regimen of compliance testing. However, it appears 
you are going in the opposite direction by using a pilot 
program at Los Alamos which is based on reduced Federal 
oversight and increased contractor self-assessment. Given the 
core weaknesses in security, safety, and the history of 
mismanagement, do you believe that reduced Federal oversight is 
the appropriate model at this time especially when it is going to 
take near 3 or 4 years?
    Secretary Bodman. Of course not.
    Mr. Stupak. Then why would you propose a test pilot program 
at Los Alamos?
    Secretary Bodman. I don't understand what that is. I never 
heard of it.
    Mr. Stupak. You have no idea? OK. All right. Secretary, is 
it true that during the investigation of the security incident 
the Department learned the subcontractor employee had taken an 
unsecure cell phone into the vault at Los Alamos?
    Secretary Bodman. Yes, I heard that yesterday in 
preparation for this hearing that there was some allegation of 
that, but I do not know anything about that.
    Mr. Stupak. We heard that some time ago. From the January 
hearing to now, we heard about this. We heard about the 
enforcement part of the contract not being there, now we hear 
about a cell phone. What are we going to hear about next? I 
thought we had this thing.
    Secretary Bodman. Mr. Chairman, I will repeat for you, sir.
    Mr. Stupak. Sure.
    Secretary Bodman. I do have a record of truthfulness and 
integrity in handling management matters. I do have a record of 
some competence in handling management matters. Now, some of 
your statements, sir, in my judgment are not correct. They have 
the wrong premise.
    And I have attempted to correct those as we have gone 
along.
    Mr. Stupak. What is not correct?
    Secretary Bodman. So I will tell you, sir, that we are 
committed, I am personally committed, to trying to improve the 
security situation at Los Alamos. I frankly find myself in a 
position of some embarrassment. Why? Because I did not 
personally ask the right questions in the early days of my 
tenure in this job, and the questions might have been something 
along the line have all past Declarations of Secretaries been 
included in the policy that has been included in the contracts 
between this Department or between the NNSA and the contractor? 
The answer is no, they have not been. And so there are many 
things. Why haven't we had a compulsory drug testing program 
for all members who are cleared? We have not had. We will now 
to the extent that we are able to do it. And so I am just 
saying that there are a number of things that have been done, and 
I am here to tell you that I am committed to trying to get it 
done but I also repeat I am somewhat embarrassed I didn't ask 
all the right questions in the beginning.
    Mr. Stupak. Let me ask you, the January 30 hearing, did the 
Department of Energy know that they didn't put the enforcement 
mechanisms, the DOE Order 470, in the LANS contract in January?
    Secretary Bodman. I don't know, sir.
    Mr. Stupak. All right.
    Secretary Bodman. I learned about it about that time.
    Mr. Stupak. About that time?
    Secretary Bodman. Yes, sir.
    Mr. Stupak. And no one told us about it until last week?
    Secretary Bodman. That was about the time we learned about 
it. I may have been a week or two earlier, but I just don't 
know.
    Mr. Stupak. Well, last week is a lot different from January 
30. That is quite a bit of timeframe. What about the cell phone 
incident in the vault? You just learned about that, too?
    Secretary Bodman. I just learned that the allegation of the 
cell phone in the vault. I don't know of the truth. This is an 
investigation, sir, that is still ongoing; and I would remind 
you on that, and so I am unable to comment on anything specific 
that I have heard. But I just tell you with respect to any 
questions about the cell phone, I have not heard about it 
before.
    Mr. Stupak. Well, when is your investigation anticipated 
then to be done?
    Secretary Bodman. It is not my investigation, sir. This is 
something being handled by the FBI.
    Mr. Stupak. OK.
    Secretary Bodman. So I can't answer for them.
    Mr. Stupak. So after the FBI is done and after they brief 
this committee, are you going to come back up to this committee 
then and tell us the facts of the investigation as you know it?
    Secretary Bodman. We will report to you the facts.
    Mr. Stupak. Well, we would just as soon get them on the 
record so we don't have to have more hearings, but this 
information keep dribbling out is not good.
    Mr. Secretary, let me ask you this. Was it a violation of 
DOE policy, I am talking about DOE policy now, to approve a 
security clearance for an employee who admits to using illegal 
drugs in the 30-day period prior to the approval of their 
security clearance?
    Secretary Bodman. I don't know if it was a violation of DOE 
policy, but it didn't make any sense to do that, sir.
    Mr. Stupak. OK. And in review, we have seen at least two 
other employees and 18 others who have what you call derogatory 
information in it who have received security clearance that 
probably based on derogatory information should not have 
received it or had used drugs within 30 days of receiving that 
clearance?
    Secretary Bodman. I don't know what those were. I can tell 
you that part of the recommendation on the improvements in the 
security system for the Department involves a review of all of 
the clearances that were provided----
    Mr. Walden. Mr. Chairman, can I ask a point of 
parliamentary inquiry? I thought you moved that we would reduce 
the amount of time for questions to 5 minutes?
    Mr. Stupak. Ten minutes we said.
    Mr. Walden. Ten minutes? OK.
    Mr. Stupak. Go ahead, Mr. Secretary. I think where you are 
going is the question I was trying to ask. The Department is 
going to implement the task force's recommendation to review 
all 4,360 security clearances----
    Secretary Bodman. There are some 4,000 that we are in the 
process of doing, and I expect to have that done during the 
balance of this season. I would guess during the summertime.
    Mr. Stupak. Thank you, Mr. Secretary. Mr. Whitfield for 
questioning? We have 6 minutes left.
    Mr. Whitfield. I am going to take 5 minutes and then come 
back when--Mr. Secretary, before you came to the Department of 
Energy, and I know you have other Government experience, but 
you certainly had a reputation in the private sector as being a 
strong executive. And when you look at this situation, you hear 
a lot of comparison about Lawrence Livermore and Los Alamos; 
and we know that the University of California has been involved 
in the management of both of them for many, many years, for 
about 63 years or so, and yet there doesn't seem to be the 
problems at Lawrence Livermore as there is at Los Alamos.
    From your position as Secretary of Energy and experiences 
running business, as a strong executive, why do you feel that 
there has been so much problems at one of these labs but not 
the other?
    Secretary Bodman. That is sort of a speculation on my part. 
I guess I would cite for you, sir, there are significant 
differences between the two institutions as to where they are 
located, geographic location, and getting the right management 
in San Francisco is a very different matter than getting the 
right people to move to Los Alamos and to take on that 
assignment. So that would be one comment.
    Comment two, I think it goes back to the very history of 
the laboratory. There have been issues of security, if you read 
back the history of this, for 60 years and there has been a 
very challenging environment there because of the preeminence 
of science and less interest apparently at times in security 
responsibilities. The one you should really ask that question 
of is Mr. Anastasio who will testify next. And if I had to 
answer that question, he is the person I would ask.
    Mr. Whitfield. OK.
    Secretary Bodman. He has been at both places.
    Mr. Whitfield. Who at the Department was responsible for 
overseeing the contract letting that LANS recently won and the 
security requirements were omitted from that contract? Who in 
the Department was really responsible for negotiating that 
contract?
    Secretary Bodman. Ultimately, I am responsible, Mr. 
Whitfield for the contract. You then go down through Linton 
Brooks who was the Administrator and oversaw the activity that 
had that responsibility, Tom D'Agostino who oversaw it. A lot 
of things went on if I may say at that point in time. I also 
would add, this is the world according to Sam and not anything 
else, I think that there will be ample opportunity whether or 
not there is the specific inclusion of specific arrangements in 
there for whatever penalties are deemed desirable by the 
enforcement actions to be implemented.
    Mr. Whitfield. Some people feel like the University of 
California has been involved in the management of this plant 
for 63 years; and there was a strong argument that maybe we 
need to just change it completely, and I know they are still a 
part of LANS.
    Secretary Bodman. Right.
    Mr. Whitfield. Was there any discussion of that at the 
Department about maybe just a complete culture change by 
changing the major----
    Secretary Bodman. Yes, there certainly was a discussion, 
and I think that first of all it is important to recognize that 
there are very specific Federal procurement rules that apply 
that involve a Source Selection Officer and a Source Evaluation 
Committee that provides information for the Source Selection 
Officer, and these are all career employees. And so it is 
something that is done in order to prevent political 
interference with the ultimate decision.
    So I know there was a discussion of this general matter, 
but I would think that it is important to recognize that the 
team was recognized for the combined scientific excellence in 
the University of California and the management expertise of 
both Bechtel as well as BWXT and the Washington Group.
    Mr. Whitfield. Right.
    Secretary Bodman. Now, this group I will tell you, I have 
personally dealt with this board on a one-on-one basis meeting 
with both the chairman and the vice-chairman of the Board since 
this event occurred, I think it is fair to say this event 
caught them by surprise just as to how serious this matter was 
and is. They immediately dispatched their own people--I am sure 
Dr. Anastasio will review that with you--in order to review the 
situation. They found a very glaring failure in cyber security 
programs, they said about their own programs, over and beyond 
anything we are doing in order to try and deal with this.
    Mr. Whitfield. Well, Mr. Secretary thank you. We have about 
a minute left so I guess we need to get over and vote.
    Mr. Stupak. OK. So we have seven votes, so let us adjourn. 
We should be back 11:15 or so. We will adjourn the hearing 
until then. How is that with you, Mr. Secretary?
    Secretary Bodman. Whatever you say, sir. I will be happy 
to----
    Mr. Stupak. Well, you got to remember----
    Secretary Bodman. I got a limit as to how long I can stay 
the rest of the day.
    Mr. Stupak. Yes, and unfortunately they give us seven votes 
right now.
    Secretary Bodman. I understand that and I honor that. I 
want you to honor what time pressures I have, sir.
    Mr. Stupak. I understand.
    Secretary Bodman. Thank you.
    Mr. Stupak. Thank you. The subcommittee stands recessed 
until 11:15.
    [Recess.]
    Mr. Stupak. A lot longer than we all thought. We thought we 
had seven votes and it ended up being nine plus motions to 
recommit.
    Unfortunately, the Secretary, as he indicated, had a noon 
appointment that he had to make and so we dismissed him. We may 
call him back at some time in the future. But had he been here 
I would have asked him again about DOE's pilot oversight model 
at Los Alamos that he seemed to know nothing about. I would for 
the record like to read the general question I asked the 
Secretary about this pilot. My question was, Mr. Secretary, the 
Inspector General's testimony said the Federal and contract 
managers need to manage the lab more aggressively in the 
Department and the lab must develop a regimen of compliance 
testing. However, DOE is going in the opposite direction by 
using a pilot program at Los Alamos which is based on reduced 
Federal oversight and increased contractor self-assessment. 
Given the core weaknesses in security, safety, and the history 
of mismanagement, do you believe that reduced Federal oversight 
is the appropriate model at this time? If so, why? The 
Secretary claimed he did not know anything about this pilot. In 
fact, our staff has provided an official Department of Energy 
memorandum establishing this pilot specifically for Los Alamos.
    It is also my understanding that this pilot is well-known 
by other key officials including the Inspector General who is 
rather critical of it. I intend to ask the Inspector General, 
our next panel here, (a), if they know about the pilot and, 
(b), what concerns does he have about it. But now perhaps more 
importantly, I intend to ask the IG why, when this memo was signed 
by the former NNSA Chief, Ambassador Linton Brooks, the 
Secretary would apparently know nothing of it. I find that 
troubling unto itself, and we will ask the Secretary in writing 
the same questions.
    We have had problems as you all know in the past with the 
head of the National Nuclear Security Administration not 
conveying key management information related to the Secretary. 
I wonder if this is yet another example.
    So we can move to our second panel so we can get these 
questions out. I will now call our second panel of witnesses, 
the Honorable Gregory Friedman, Inspector General for the 
Department of Energy, and Mr. Michael Anastasio, Director of 
the Los Alamos Nuclear Laboratory.
    It is the policy of this subcommittee, gentlemen, to take 
all testimony under oath. Please be advised witnesses have the 
right under the rules of the House to be advised by counsel 
during their testimony. Do any of you wish to be represented by 
counsel? Mr. Friedman?
    Mr. Friedman. No.
    Mr. Anastasio. No.
    [Witnesses sworn.]
    Mr. Stupak. Thank you. The record should reflect the 
witnesses have replied in the affirmative. You are now under 
oath. Mr. Friedman, we will start with you. Five-minute opening 
statement, sir.

STATEMENT OF HON. GREGORY H. FRIEDMAN, INSPECTOR GENERAL, U.S. 
              DEPARTMENT OF ENERGY, WASHINGTON, DC

    Mr. Friedman. Mr. Chairman and members of the subcommittee, 
I am pleased to be here at your request to testify in the 
concerns expressed in your April 5 letter regarding operations 
at the Los Alamos National Laboratory.
    In January 2007 I testified before this subcommittee on the 
special inquiry conducted by my office regarding the diversion 
of classified data from Los Alamos. Specifically at the request 
of the Secretary of Energy, we examined the efforts of the 
Department and its contractors to protect classified 
information and the steps that were taken to assure that only 
authorized individuals had access to such information. Our 
report on this matter was issued on November 27, 2007. The 
Office of Inspector General found the security environment at 
Los Alamos is inadequate despite the expenditure of millions of 
dollars by the National Nuclear Administration to upgrade 
various components of the laboratory's security apparatus. In 
particular to the cyber security control structure we found 
that certain computer ports had not been disabled, classified 
computer racks were not locked, and some individuals were 
inappropriately granted access to classified computers and 
equipment to which they were not entitled.
    In many cases, laboratory management staff had not 
developed policies necessary to protect classified information, 
enforce existing safeguards, or provided the attention or 
emphasis necessary to ensure protective measures were adequate.
    Some of the security policies were conflicting or applied 
inconsistently. We also found the laboratory and Federal 
officials were not as aggressive as they should have been in 
conducting security reviews and physical inspections. In short, 
our findings raise serious concerns about the laboratory's 
ability to protect both classified and sensitive information 
systems.
    The OIG also reviewed certain aspects of the security 
clearance process in place for laboratory employees. We 
identified particular weaknesses associated with this program 
which were discussed in a closed-session of this subcommittee 
in January 2007.
    After this incident was discovered, Department and 
laboratory management officials launched several efforts to 
identify and correct and control deficiencies that certainly 
contributed to an environment which classified information 
could be removed without authorization. In particular, the 
Deputy Secretary directed an immediate review of policies and 
practices related to computer ports at each of the Department's 
facilities. Further, the Secretary established two high-level 
task forces to address our findings. The reports of the 
Secretary's task forces and a list of the proposed directive 
actions were provided to my office last week. Many of the 
corrective actions outlined by the two task forces are in 
progress. Implementation, deployment, and execution are key. If 
properly carried out, the corrective actions should improve 
classified operations at Los Alamos and could help prevent 
similar incidents at departmental facilities throughout the 
complex.
    As I have testified on several occasions, the Department 
must do a better job addressing the recurring challenges it 
faces, and I have four or five specific suggestions. Number 1, 
with regard to the current matter, the Department must ensure 
that all actions and recommendations outlined in the Task Force 
Reports are formalized into policy and adopted as practice 
throughout the Department. As part of that effort, these 
policies should be incorporated into all facility contracts.
    Two, to achieve the recommended reforms, the Department 
must establish firm schedules with specific implementation 
timelines and performance metrics. No. 3, both Federal and 
contractor officials need to manage more aggressively. As part 
of that process, the Department needs to ensure that its 
Federal contract management function is adequately staffed with 
the appropriate skill mix. In addition, Department and 
laboratory officials must develop a more comprehensive regimen 
of compliance testing and follow up to ensure that security 
policies and procedures are rigorously followed. Individuals 
and institutions, both Federal and contracted, must be held 
accountable for failure to follow established security 
measures. As it has begun to do so in response to the most 
recent Los Alamos incident, the Department should emphasize 
that the failure to properly protect classified information and 
materials will have meaningful consequences.
    Finally, consistent with our 2006 recommendation, we 
continue to believe the Department should perform a risk-based 
evaluation of cyber security funding at Los Alamos. The 
objective of this evaluation would be to ensure that the 
resources are available for complete implementation of the 
revised cyber security policies and procedures.
    For the past 5 years we have identified both cyber and 
physical security as pressing management challenges. For these 
reasons and because of the recent incidents, the Office of 
Inspector General continues to be concerned about the security 
across the Department of Energy complex. We have ongoing 
activities to examine information technology and system 
security, implementation to revise security measures, disposal 
of sensitive property, and issues related to protective force 
training.
    In addition to our ongoing work, the full committee in 
January 2007 requested that the GAO examine the security of the 
Department's unclassified and classified information networks 
and its cyber security programs. My office coordinates closely 
with GAO on reviews of the Department, and we are hopeful that 
the assessment requested by the committee will provide 
recommendations leading to a strengthened agency-wide security 
posture. My office continues to conduct audit inspection 
investigative work that complements the reviews requested by 
the committee.
    Mr. Chairman, this concludes my statement. I would be 
pleased to answer any questions you may have.
    [The prepared statement of Mr. Friedman appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you, sir. Next we will hear from Mr. 
Anastasio for 5 minutes.

    STATEMENT OF MICHAEL R. ANASTASIO, DIRECTOR, LOS ALAMOS 
                      NATIONAL LABORATORY

    Mr. Anastasio. Good afternoon, Chairman Stupak, Ranking 
Member Whitfield, and other members of the committee. Thank you 
for the opportunity to update you on our progress.
    As you know, I am Michael Anastasio, Director of the Los 
Alamos National Laboratory since June 2006 and president of the 
Los Alamos National Security, LLC.
    I am pleased to report that we have continued to make 
significant progress on many fronts since I last addressed this 
subcommittee 11 weeks ago. Today, in keeping with the subject 
of this hearing, I will focus on security; and I want to 
reiterate what I said at the last hearing, that I personally 
take the issue of security at Los Alamos very, very seriously.
    First, we have significantly reduced risks in both cyber 
and physical security, and this includes reducing and 
consolidating classified holdings, per the subcommittee's 
stated concerns. Second, we have taken actions to make policy 
clear and consistent and to change employee behaviors. And 
third, we are putting in place comprehensive corrective actions 
with a major focus on long-term sustainability.
    Here are some examples of the specific actions my 
management team, my Board of Governors, and I myself personally 
are taking to reduce risk. Starting with cyber security, we now 
have positive control over all our classified computer ports 
using a combination of software, physical locks, and tamper-
indicating devices. All of our classified systems have been 
inspected and found to be compliant, and we have reduced the 
number of stand-alone classified systems by 28 percent.
    As for physical security improvements, we have made our 
vault escort requirements clearer and tougher, for example, 
requiring the search of all belongings carried by those 
escorted both in and out of the vaults. By December, we will 
have reduced our accountable classified removable electronic 
media, known as ACREM, by 50 percent. We have destroyed almost 
1,500 classified parts and 500 boxes of classified documents 
that we inherited. We have eliminated 14 vault-type rooms, a 
reduction of 10 percent, with more to come.
    In the area of policy and behaviors, we have uniformly 
trained our Information Systems Security Officers, our ISSOs, 
and are hiring senior ISSOs in all key organizations to provide 
consistency across the laboratory.
    We are clarifying and simplifying security policy. In 
addition to mandatory training, we will promote the right 
behaviors through active employee participation. For example, 
we have directly involved employees and worker-led security 
teams at multiple levels in our line organizations.
    On March 5, we launched an enhanced substance abuse 
program where every newly hired employee is tested for illegal 
drugs and every badge holder is now subject to random testing, 
regardless of his or her clearance level.
    For long-term effectiveness and sustainability, we have 
begun constructing a super vault-type room, the first of its 
kind. This will allow us to consolidate and uniformly control 
classified information managed by security professionals. At 
the same time, it will give authorized users efficient access 
to this information. I expect to complete construction of the 
first functional prototype this June. This project will 
initially allow us to close six additional vault-type rooms and 
reduce our ACREM libraries by one-third. By constructing 
additional super vault-type rooms, we will reduce the number of 
classified vaults to an absolute minimum consistent with our 
operational and mission requirements.
    We have also been careful to embed validation and 
verification regimes into our corrective action plans in order 
to sustain all of these efforts and to prevent any backsliding. 
Moreover, everything we are doing is being closely scrutinized, 
not only by Congress but by my own Board of Governors, by the 
DOE, NNSA, and other oversight bodies. I welcome that 
continuing scrutiny. It validates that we are heading in the 
right direction and keeps our eye on the ball.
    So in conclusion, Mr. Chairman, as I have testified 
previously on this issue, there are no silver bullets where 
security is concerned, but with these security enhancements and 
Board of Governors' support and oversight, we are aggressively 
moving Los Alamos in the right direction as we are in many 
other fronts vital to our success as a national security 
science laboratory.
    Thank you again for the opportunity to testify, and I am 
happy to take your questions.
    [The prepared statement of Mr. Anastasio appears at the 
conclusion of the hearing.]
    Mr. Stupak. Thank you both for being here, and we will 
start with questioning that will go for 10 minutes. I am glad 
to see Mr. Udall is still here. It is Friday, the votes are 
over for the week, everyone has taken off, but Mr. Udall has 
great interest in this. He remains with us. Thank you again, 
Tom.
    Before we begin, Mr. Friedman, I indicated I was going to 
ask you the same question I put to the Secretary about your 
testimony that the Federal and contractor managers need to be 
more aggressive. In fact, you said that in your opening 
statement and the Department must develop a regimen in 
compliance. However, we seem to have this pilot program at Los 
Alamos which really would reduce Federal oversight, increase 
contractor self-assessment. Do you believe that reduced Federal 
oversight is the appropriate model at this time? If so or if 
no, why not?
    Mr. Friedman. I do not, Mr. Stupak. We have been following 
this proposal for several years.
    Mr. Stupak. So you are familiar with this pilot project?
    Mr. Friedman. Yes.
    Mr. Stupak. And it has been around for a number of years?
    Mr. Friedman. Yes.
    Mr. Stupak. Is it site-specific to Los Alamos?
    Mr. Friedman. Well, I am not the expert as to how they are 
rolling it out, but it seemed to me it may have initiated at 
Sandia and it has some relationship to the Kansas City plant; 
but certainly it is contemplated for Los Alamos as well.
    Mr. Stupak. Right, the document I held up, the memo, was 
from Linton F. Brooks, the Administrator, and former 
ambassador. It's the pilot of the new National Nuclear Security 
Administration, oversight model for Los Alamos. This is the 
document you are speaking of?
    Mr. Friedman. I assume it is.
    Mr. Stupak. While we are here, I will wait until Ed gets 
back, but I would like to move for admission in the record. It 
actually says in December 2002 we announced a new approach to 
oversight with the National Nuclear Security Administration. So 
this is the pilot program we have been speaking about?
    Mr. Friedman. Yes, this memo is not dated and I am not sure 
when I did see it.
    Mr. Stupak. It is signed by Ambassador Brooks?
    Mr. Friedman. It does appear to be, yes.
    Mr. Stupak. Why would a Secretary not know about a memo 
dealing with Los Alamos as to a pilot of the new National 
Nuclear Security Administration oversight model for Los Alamos?
    Mr. Friedman. I certainly cannot testify on behalf of the 
Secretary on that. I really don't know.
    Mr. Stupak. Should the Secretary be made aware of it?
    Mr. Friedman. The span of activities in the Department of 
Energy is enormous, and perhaps he was aware of it under some 
other name. I just can't speak for him.
    Mr. Stupak. OK. I also asked the Secretary about the cell 
phone in a vault. Do you have any knowledge of that in your 
overview about this employee had a cell phone in a vault?
    Mr. Friedman. Mr. Stupak, as I recall your background, I 
think you have a law enforcement background.
    Mr. Stupak. Yes.
    Mr. Friedman. And I am ill at ease answering your question. 
There is an ongoing FBI investigation with deep involvement of 
the Justice Department and the question of the individual's 
background, and what is in her investigative file is certainly 
part of that investigation. And I would not want to say 
anything inadvertently in response to your question that would 
compromise that. I am familiar with at least one incident, and 
there was an allegation of a second incident.
    Mr. Stupak. Of a cell phone in a vault?
    Mr. Friedman. Right.
    Mr. Stupak. It is an unsecured cell phone in a secured 
vault?
    Mr. Friedman. Essentially that is correct.
    Mr. Stupak. OK. And is this a----
    Mr. Friedman. I should say I think it is a personal cell 
phone.
    Mr. Stupak. Right. Personal or departmental but it was an 
unsecured cell phone. And is this a breach or violation of 
security at Los Alamos?
    Mr. Friedman. My understanding is it most certainly is or was.
    Mr. Stupak. OK. And again, if the Secretary is briefed 
about an investigation, if there are these allegations, he 
certainly should be made aware of it. You see, my problem is 
the last time we testified here in January we had the breach 
about the employee's personal information being put out on the 
web inadvertently, and the Secretary didn't seem to know about 
that or DOE Order 470, we don't seem to know anything about 
that, we don't seem to know anything about the cell phone. It 
seems like not only is there structural problems within Los 
Alamos and DOE but it seems like there is a communication 
problem, too.
    Mr. Friedman. Well, I think that the people most directly 
responsible for operations of the laboratory and the Federal 
site were aware of the incidents as best I could determine, and 
certainly we were aware of them. So the fact that the Secretary 
was not aware of them given the, again, the scope of his 
activities, I am not sure it is all that surprising.
    Mr. Stupak. The fact that you're aware of it, someone in 
DOE should be made aware of it.
    Mr. Friedman. Yes, absolutely.
    Mr. Stupak. What's the problem with this pilot program 
here? What are your concerns specifically? Does it lead to less 
Federal oversight and more self-assessment by the contractor?
    Mr. Friedman. I am not the best person to testify on the 
program itself, but the essence of it is as you characterized 
it, reliance on self-assessment with a third-party review of 
the assessments, similar to commercial standards. I mean, 
that's basically what we're talking about.
    We have for many years been concerned, we have expressed 
this in a number of forums, about the effectiveness of the 
Department's administration of its contracts. And it is our 
view that sort of stepping back, while it may be satisfying for 
the contractors because it means less reports, less intrusive 
reviews, less evaluations, is not the approach that we should 
take.
    Mr. Stupak. It is not the aggressive approach that you've 
been suggesting?
    Mr. Friedman. No, it is not.
    Mr. Stupak. OK. The 550 security police officers went on 
strike at Pantex. I think Mr. Burgess mentioned it on the first 
span on his opening there, and there is a force of about 211 to 
replace them. Given your reduction in force size, and I 
understand some people have to work up to 84-hour workweeks, 
can you give an opinion whether the Nation's most valuable 
nuclear assets are being protected at a level that is 
sufficient to meet Department requirements?
    Mr. Friedman. I don't know how many people and I accept 
your numbers, Mr. Chairman, and I don't quarrel with them. We 
issued a report I think last year at the Oak Ridge complex in 
which we were concerned about the amount of overtime, that it 
was excessive and it would lead to a degradation of the ability 
of the guard force. And I take it that the guards that have 
been sent to Pantex have been sent from other locations 
throughout the Department complex. So certainly to the extent 
that we have been concerned historically about overtime and the 
impact of the overtime on the ability of the guards to do their 
job, there is that concern.
    Mr. Stupak. Well, besides the drawing of personnel from 
other areas of the other sites to beef up Pantex while we have 
this security police that went on strike there, what would be 
the longer-term consequences to the Pantex site operations if 
this dispute goes on for a protracted period of time? I guess 
my concern is Pantex, where we assemble everything and 
disassemble, seems like it is one of the more sensitive sites. 
So if this goes on for a protracted period of time, that is 
going to lessen our security I would think overall.
    Mr. Friedman. Let me divert for just 1 second. I should 
tell you that in the interest of full disclosure that there are 
five or six points that have been expressed to us by the guards 
themselves and other individuals, and we are pursuing those 
aggressively. Now, we have an open inspections on those 
fundamental issues. And they do deal with core safety and 
security. I am not in the position to evaluate what the short-
term, mid-term, or long-term impact of a strike would be. I 
think it is pretty clear that this is one of the most sensitive 
sites that the U.S. Government has in the continental United 
States, and it is a situation which needs to be resolved as 
soon as possible or there will be potential consequences.
    Mr. Stupak. Thank you. Mr. Anastasio, I was a little 
concerned when the Secretary testified, and I think you were in 
the room then, about the memo here to do the implementation of 
your cyber security I believe it was, that the booklet was 
given to your organization right around March 8, you have 90 
days to comment on it, you send it back to the Department, and 
then he said it would be years to implement it. Why would it 
take years to implement the policy?
    You get 90 days, why would it take years to implement it?
    Mr. Anastasio. Well, it is a complicated set of 
requirements that takes----
    Mr. Stupak. It is complicated to digest and 90 days to----
    Mr. Anastasio. Excuse me? I am sorry, I didn't hear it.
    Mr. Stupak. You have 90 days to digest it.
    Mr. Anastasio. Ninety days to comment and then we will have 
to put in place a plan that will do the implementation over a 
specific period of time; and then of course, we will have lots 
of oversight and the effectiveness of carrying out that plan, 
both to put it in place and to make sure that we have an 
effective plan in place as we do that.
    Mr. Stupak. I mentioned and the Secretary objected to this, 
your new organization managing Los Alamos, is made up of UC 
people. What percentage? I said 60, he said it was not 60. What 
is it, do you know?
    Mr. Anastasio. The management is an equal partnership of 
the two major partners of the UC and the Bechtel National.
    Mr. Stupak. So if it is equal, is it 50 percent then?
    Mr. Anastasio. Yes, so as an example, the executive 
committee of the board has six members, three from the 
university and three from the industrial partners, so in that 
sense it is----
    Mr. Stupak. OK. What about the board makeup then?
    Mr. Anastasio. There is the executive committee as I said 
and then there are an additional five members from outside any 
of the partner companies. Overall 11, but let us say the 
business decisions of the LLC are made by the Executive 
Committee. That is three and three.
    Mr. Stupak. OK. And that is 50 percent then basically?
    Mr. Anastasio. Yes, sir.
    Mr. Stupak. OK. I guess my time has expired. Mr. Walden for 
questions?
    Mr. Walden. Thank you, Mr. Chairman. I appreciate that. 
Director Anastasio, in your testimony you pointed to progress 
at the site by stating, and I quote, ``we have destroyed 500 
boxes of classified documents we inherited at Los Alamos.'' 
Sounds like a lot of documents. However, I am told when the 
committee staff asked about how many classified documents there 
are at Los Alamos, to try and put this in perspective, the 
lab's response was there is no requirement to maintain strict 
accountability of each classified document. We cannot tell you 
how many classified documents we have which leaves some of us 
wondering, do you know how many classified documents you have 
and there is no system in place to monitor those?
    Mr. Anastasio. There is a set of specific kinds of 
classified documents that we are required to keep in an 
accountability system where we have a strict numbering system 
on every individual document, and we track those. But the 
general large collection of documents that we have, there is 
not a requirement to keep it in strict accountability system.
    We do protect those documents in a very rigorous way.
    Mr. Walden. I understand the need to do that. I guess I am 
just trying to put your comment in perspective because I don't 
know how big the boxes are.
    Mr. Anastasio. Oh, I am sorry. So we have probably I would 
estimate, I don't have an exact count, but I would estimate 
that we have several million classified documents.
    Mr. Walden. And so I guess the question is I have heard 
estimates of up to 30 million classified documents?
    Mr. Anastasio. That sounds high to me, but again, I don't 
have an exact number.
    Mr. Walden. When you say you have destroyed 500 boxes of 
classified documents, is that 1,000 documents or is that 10,000 
documents?
    Mr. Anastasio. There are, kind of----
    Mr. Walden. Just sort of file folder box documents?
    Mr. Anastasio. Yes, file folder boxes, yes, sir.
    Mr. Walden. So it wouldn't be that many then?
    Mr. Anastasio. Not in relation to the total number. All I 
was----
    Mr. Walden. That is what I am trying to do is get it in 
perspective.
    Mr. Walden. Yes, sir.
    Mr. Anastasio. All I was trying to express is that we are 
actively in just the last 11 weeks off working down the large 
volume of both documents, parts, removable media, vault-type 
rooms and so forth. We have a concerted effort we have moved 
out on, and there is really concrete progress that we have made 
just the last 11 weeks.
    Mr. Walden. And I appreciate that. I think that is a good 
thing. How many boxes would normally be destroyed in a given 
year? I assume this is like my business where you are always 
shredding things from the prior year, and you are kind of 
keeping the shelving available as you move forward another 
year.
    Mr. Anastasio. Unfortunately, my impression at Los Alamos 
is they have not destroyed many things very often.
    Mr. Walden. Classified as pack rats then?
    Mr. Anastasio. So they keep labeling things and store them 
and to keep good records. Now we have good computer systems 
that we can scan and upload documents into a computer system 
that we can actually use the information more effectively that 
way because you can search it just like you would information 
on the Internet but in a classified network, in a classified 
computer, protected. Then that obviates the need for the 
document and we can start getting rid of documents. So there is 
a very active program and a very active desire on our 
employees, in fact, to move that way because it is easier to 
manage.
    Mr. Walden. Sure. We obviously, and I have, made reference 
to the J.B. Weld project of security enhancement at the labs, 
and I have had our prop here to point out a simple solution. I 
suppose the more simple solution would have been to order 
computers that don't have USB ports to begin with, rather than 
glue these shut.
    As you replace computers, which I assume the lab is doing, 
are they ordering computers with USB ports in them or are they 
ordering them without USB ports in them?
    Mr. Anastasio. Most computers have a USB port as an example 
to plug the keyboard in. That is through USB port, and of 
course, you need a keyboard on the computer. In some cases some 
computer you actually want to get information off the computers 
and you need a mechanism to do that. But what we have done is 
we have put controls in place that, for instance, even if you 
have a keyboard with a USB port plugged in, you can put 
software in place as an example that makes sure that that port 
only recognizes the keyboard.
    Mr. Walden. Right.
    Mr. Anastasio. If you try to put a thumb drive or the 
equivalent into it, the computer doesn't recognize what it is, 
it is incapable of reading that. When we move to this super 
vault-type rooms that I alluded to in my testimony, what we are 
looking at right now as part of this prototype is to have what 
I like to call an idiot savant computer, a computer that is 
very, very capable at displaying data but is very stupid at 
doing anything else. And so it doesn't have the operating 
system capability to recognize ports to do anything. So there 
is a keyboard, there is a mouse, and it can display 3-D very 
rapidly, high-resolution data, but it can't process the data. 
That is done on the server that is locked up in this vault, 
protected by people who are security professionals with a 
different approach to security when done in the past.
    So that is the direction we are trying to move to really 
move away from being even concerned about whether you have a 
port or not, you are just going to disable it so that it can't 
function at all.
    Mr. Walden. And clearly it is not really our job to 
micromanage the security of your labs, but it is our job to 
make sure somebody is doing that. And so I know we have all 
gotten to know each other all too well in the last few months 
and years. We couldn't spend this time on every agency, but I 
can't think of one that is more important to American security 
in many respects than the one that you are in charge of. And so 
I just still struggle at how these opportunities to lose data 
occur as we saw I think it was last fall with the woman who 
took the data home and was working out of her home and then got 
caught. And I guess I just still struggle, wondering how is it 
so hard to fix? I mean, you were at Lawrence Livermore before, 
right?
    Mr. Anastasio. That is correct.
    Mr. Walden. And you didn't see these kinds of breaches of 
security at Lawrence Livermore, did we? Did you?
    Mr. Anastasio. Not of this nature, no.
    Mr. Walden. So what is different here? I mean, you have 
been there a while now. What is going on? I mean, you got good 
people, I'm sure, at both labs, top-notch brains, scientists, 
but the security function just seems to be a problem.
    Mr. Anastasio. Well, I think there is a variety of issues. 
I think having the right leadership team and the people who are 
focused on this, to bring a system-level approach to it, to 
have consistency and simplicity so the employees can 
understand, actually making systems so that employees can 
succeed, people are human. They are fallible. People make 
mistakes. So we need to put in place a system so that if there 
is a mistake that we contain any potential impact of the 
mistake. This is standard but kind of safety approached in 
human performance from the nuclear power industry, as an 
example. These are systems that so if you start to drift off, 
there is something to remind you, hey, you are starting to make 
a mistake, you need to stop. And that happens before there is 
any significant consequence.
    So these are the kinds of systems we are trying to put in 
place to really make sure the employees can be a success, they 
are very committed to our national security, they are very 
conscious and conscientious about security in this sense. And 
so my job is to make sure that I give them all the tools they 
can have to be a success and at the same time hold them 
accountable for my expectations of them. And if they really 
intentionally violate the rules, then there are severe 
consequences for that.
    Mr. Walden. Do you find many who intentionally violate the rules?
    Mr. Anastasio. No, sir. Since June if I remember correctly, 
I think we terminated one employee for violating security 
rules. That is my memory, on the order of one or two.
    So it does happen. We will take the action to terminate 
someone, but it is not very frequent at all.
    Mr. Walden. Mr. Friedman, are you comfortable with what I 
am hearing here today from your independent perspective that 
things are going to turn around soon?
    Mr. Friedman. Mr. Walden, I guess that is the question that 
I hope I wasn't asked.
    Mr. Walden. Now I am doing my job.
    Mr. Friedman. Einstein, I think, said that insanity is 
doing the same thing over and over and expecting a different 
result.
    Mr. Walden. Expect a different result.
    Mr. Friedman. As I testified in January, I am really 
hopeful that the new management team at Los Alamos and the 
Department's aggressiveness will result in a meaningful change 
in the way they view security and safety and the other 
operational issues that have been a problem there for so many 
years. Can I give you a level of guarantee? No. I hope it is 
the case, and it would serve everyone if that is the case.
    Mr. Walden. So we need to plan on another hearing in a 
couple of months at which time you should be able to give us 
that certainty, correct?
    Mr. Friedman. Only if you serve lunch for the next hearing.
    Mr. Walden. Yes, well, hopefully it won't be a barbecue. 
With that, I yield back my time, Mr. Chairman.
    Mr. Stupak. I thank the gentleman from Oregon. The 
gentleman from Washington, Mr. Inslee for questions?
    Mr. Inslee. Thank you. Mr. Friedman, I have missed some of 
this but I wanted to ask you, what could you tell us 
specifically needs to be done that is not currently being done 
at the lab so that you can control classified and unclassified, 
sensitive information?
    Mr. Friedman. Well, I think as the Secretary testified this 
morning that many of the corrective actions are a work in 
progress, and that has been historically one of the problems it 
seems to me that we get off to a good start, we have good 
ideas, we try to implement good fixes, but they lose steam, the 
momentum is lost. So one of the important things that has to be 
done is that all of the good things that have been proposed, 
discussed here today, and have been reduced to writing in 
various forms are, in fact, implemented and they flow down to 
the entire organization. Again, one of the historic problems we 
found is that the upper levels frequently got it but it didn't 
always make it down to the 10,000 or so other people who work 
at Los Alamos. So that is one.
    Second, I think we need to ensure that we overcome the 
resistance to change. Change is difficult for all of us but we 
the question was posed previously about the difference between 
Los Alamos and Livermore as an example. We have found 
historically that there has been strong resistance to change at 
Los Alamos. As much as I admire the laboratory and the work 
that they do and the people that are there, there is that 
resistance. And that has to be overcome. We have to make sure 
that the attempt to reduce the footprint that Dr. Anastasio 
described today, that is, reduce the number of vaults, 
consolidate, actually takes place. We have been advocating that 
frankly for a long, long time, and our recommendations simply 
have never been accepted. So there are some common-sense sorts 
of things that I think need to be done and can be done, and 
certainly the Secretary has committed to it, as has Dr. 
Anastasio. And with the right set of oversight principles, I 
think we can hopefully make progress.
    Mr. Inslee. I want to ask Dr. Anastasio, I have been told 
that the DOE failed to incorporate the current safeguards and 
security requirements contained in Order 470 in its contract 
with LANS when the contract was signed in December 2005. Is 
that accurate?
    Mr. Anastasio. My understanding is that the orders that 
were included did not include the appropriate language that 
civil penalties could result per the new 10 C.F.R. 824 order. 
So I believe, and I am not the expert on this, but I believe 
they were in the contract but it wasn't done in the right way 
to make them subject to this new order. But my understanding is 
that has now been fixed.
    Mr. Inslee. Well, has that been fixed? Are those new orders 
contractually binding on the contractor now?
    Mr. Anastasio. My understanding is that is the case right 
now, yes, sir.
    Mr. Inslee. OK. Thank you.
    Mr. Stupak. Mr. Whitfield for questions?
    Mr. Whitfield. Thank you. Mr. Friedman, they didn't give 
you lunch today, is that my understanding?
    Mr. Friedman. It doesn't show but no I didn't.
    Mr. Whitfield. When we talk about Los Alamos, we are always 
talking about two basic issues, one, the footprint is way too 
big, and then second, the culture, what I refer to as culture. 
And people keep talking about this resistance to change, and 
Mr. Anastasio, you have been at Lawrence Livermore and now you 
are at Los Alamos. How do you characterize this resistance to 
change? Is that something that is real or is this just 
something we just talk about?
    Mr. Anastasio. I think it is real. I think there is a 
resistance to change, and I think all organizations have 
resistance to change, all individuals do. The employees at Los 
Alamos have been through very tumultuous times over the last 
many years, and there has been a lot of things happened to 
them. I think there is a lot of anxiety in the workforce, and 
that is one of my goals, of course, to stabilize the morale and 
get us focused on the future. And part of that is change, and I 
think the laboratory has not been through as much change at Los 
Alamos as I experienced at Livermore, having to face during my 
career there. But the goal I set out with the laboratory, I 
said let us think about it as improvement. It is not change to 
make your life worse, let us go decide what laboratory we want 
to be that is going to achieve all these goals that are hard to 
deny, and let us go create that laboratory, the laboratory we 
want to have, the kind that will serve us in the 21st century. 
And I find that employees are responding very much to that. But 
we have to take them through change. Change is a process, we 
all know, and we are in the middle of that process. We are not 
done yet. But I feel the laboratory has been very responsive. 
People want that kind of leadership, they want to move forward, 
they don't like the fact that they get talked about in hearings 
like this, and they are very receptive to doing the things they 
need to do to go forward for the future.
    Mr. Whitfield. What are the total number of employees, 
including independent contractors?
    Mr. Anastasio. I don't have an exact number off the top of 
my head, but around 13,000.
    Mr. Whitfield. Right. But the morale has been low just 
because of this constant barrage of bad publicity and security 
leaks?
    Mr. Anastasio. The constant barrage, the change of 
contractors, the change of directors. Los Alamos is used to 
having a director for 10 years, 20 years at a time; and over 
the last 5 years, maybe we have had three or four different 
directors. I mean, there is just this kind of change that has 
gone on that they are not used to, and so we have to move the 
employees through that.
    Mr. Whitfield. Of course, you are the one responsible for 
doing this. How do you feel yourself about the progress that 
you're making right now?
    Mr. Anastasio. I think we have made some really good 
progress as I tried to outline in my testimony, some examples 
of very concrete things that we have accomplished. I would be 
anxious to be able to do it even faster than we are doing. That 
would be my desire, so I am pushing the system. But on the 
other hand, it is very important that we don't do this the way 
some things have been done in the past as well where you do 
Band-Aids because I think Mr. Friedman's comment, can we 
sustain this? If it is just one Band-Aid here and the next 
thing comes, there is another Band-Aid there. You are just 
moving from issue to issue. We need to put in place a system 
that is sustainable, that puts us not to catch up with the 
threat that we have but gets in front of it so that we can 
respond to the future threats. Cyber security is so difficult 
because computer technology advances so rapidly, and as that 
advances, that generates different kinds of threats. So we have 
to put into place a system that is really sustainable for the 
long term that puts us out in front, as well as putting in 
place the risk reductions immediately to handle the problems 
that we have today in trying to catch up to that. We are also 
trying to build a system that will serve us well into the 
future.
    Mr. Whitfield. Well, we wish you the very best in this, and 
I think everyone in the country is really tired of the issue 
and hope to get it resolved; and I wish you the very best and 
look forward to continue working with you. I yield back the 
balance of my time.
    Mr. Anastasio. Thank you, and we know that we have a 
special responsibility for the country; and we are taking that 
very seriously.
    Mr. Stupak. Mr. Anastasio, I have got a few questions if I 
may. Mr. Friedman, could you give him that memo that you were 
looking at earlier? The second paragraph of this memo from 
Linton Brooks, subject, Pilot of the New National Nuclear 
Security Administration Oversight Model at Los Alamos. The 
second line says, the arrival of a new management team at Los 
Alamos is an opportunity to take that action. Therefore, you 
are directed to move immediately into a 2-year pilot of our new 
oversight model once you have concurred in the Los Alamos 
National Security, LLC (LANS) Contractor Assurance System. Now 
that is your group, right?
    Mr. Anastasio. Yes, sir.
    Mr. Stupak. So this pilot would apply to your group coming 
in to Los Alamos?
    Mr. Anastasio. Yes, sir.
    Mr. Stupak. OK. So you would be familiar with this memo?
    Mr. Anastasio. I am familiar with this, and I would like to 
just clarify one thing about this pilot and I do know about it, 
of course, and we are off doing our part. This of course is a 
memo to the site manager to the Federal workforce, not to us. 
But one thing to be clear on, it was very clear to me and still 
is that this is something that does not apply to security, it 
is something that does not apply to nuclear safety and 
biohazard facilities. This is something that applies----
    Mr. Stupak. It deals with the overall management of this 
site.
    Mr. Anastasio. It deals with overall management.
    Mr. Stupak. And look what it says.
    Mr. Anastasio. The oversight model of security and of 
nuclear operations has not changed because of this pilot. This 
pilot is about other things like----
    Mr. Stupak. Mismanagement of this site. It is totally 
related, whether you are dealing with classified, unclassified, 
employees using drugs, not using drugs, cell phones, not using 
cell phones. It is the whole thing. And it says right here, the 
arrival of a new management team. You alluded to it, Mr. 
Friedman alluded to it. You come into a new management team, 
you are all fired up here to do something but then 6 months we 
lose the enthusiasm, nothing filters down. So instead of having 
more Federal oversight we are having less Federal oversight 
with self-assessment by the new management team, the new 
management team which has financial incentives to do well in 
their assessment. It seems like the fox is guarding the hen 
house in a way.
    Mr. Anastasio. Just to clarify again, sir, that there is 
two issues. There is the management system I use inside the 
laboratory and how we manage the laboratory and what tools we 
use to do that----
    Mr. Stupak. Right, and we are trying to get at how are you 
going to be different from the other teams.
    Mr. Anastasio. That is our Contractor Assurance System that 
is outlined here. This is the management tool I use for all 
activities.
    Mr. Stupak. OK.
    Mr. Anastasio. That management system is transparent to the 
Federal Government so that they can see my dashboard, how I am 
doing against metrics. There is a second issue which is how 
does the Government provide oversight. In this pilot, the 
Government will maintain the same level of oversight, if not 
enhance it as what is going on now in things like security and 
like nuclear safety. The pilot is to try to change the 
oversight model for things that aren't that. So there is a 
management system which is our Contractor Assurance System 
which is my system----
    Mr. Stupak. And the pilot provides less oversight from a 
Federal point of view, from a DOE point of view?
    Mr. Anastasio. But not for security.
    Mr. Stupak. OK. Then let us look at our dashboard, the 
figure we have looked at today, these charts we have had up 
once or twice from opening that.
    Mr. Anastasio. Yes, sir.
    Mr. Stupak. In 2006, DOE's Office of Health, Safety, and 
Security found failing or substandard security performance in 
14 of the 17 key areas--that is the chart over there--including 
classified material protection and control, cyber security, and 
emergency management. The trend was negative compared to 2002. 
Mr. Podonsky, the head of that office, testified on January 30, 
our last hearing, that ``Los Alamos received the lowest set of 
performance ratings for security and emergency management since 
1999.'' As you are looking at your dashboard, what explains it? 
Why are we going downward in our performance, security, cyber 
security?
    Mr. Anastasio. Just to recall that audit was done last 
fall, between October and December of last year. Of course, I 
am very aware of it and was very concerned by it. We have taken 
a number of specific actions to address those issues. I have 
outlined a few of the concrete results of that. The other thing 
I would say is that many audits and reviews have been done 
since Mr. Podonsky's review that you are referring to, and just 
over the last few weeks, Mr. Pike, the DOE CIO, was here----
    Mr. Stupak. Right.
    Mr. Anastasio. Not here, was at the laboratory as well as 
the NNSA CIO; and in talking to those folks after the review, 
they believe that in fact we have made very significant 
progress, that we have improved relative to----
    Mr. Stupak. So what changed the colors on that chart? What 
changed the red to something other than red, the yellow to at 
least green, and maybe we can get a blue one on there some day. 
How do we do it?
    Mr. Anastasio. Well, I think those are the steps that we 
have been taking that I have outlined for you today and that I 
believe that I have tried to demonstrate that we are very 
serious about this, that we are taking very specific actions, 
that they are very concrete. Some have resulted in very 
demonstrable improvement, that we are continuing to focus on 
making those improvements, and at that same time getting it in 
a way that is sustainable, that we don't have to be back here----
    Mr. Stupak. Look at your dashboard, look at your 
speedometer. You got another one of these reviews coming up I 
believe this fall.
    Mr. Anastasio. Yes, sir.
    Mr. Stupak. How fast are we going to be going? What colors 
are we going to see on there?
    Mr. Anastasio. Well, I want as many greens up there as I 
can get. That is my goal.
    Mr. Stupak. OK. On March 28 an employee discovered that 550 
employee names and Social Security numbers were posted on the 
Web site of a former subcontractor and worked for the former 
company, Lujan Software Service, to remove this information. Do 
you have any idea how long that information about these 
employees were on the Web site?
    Mr. Anastasio. We are still investigating that issue right 
now, Mr. Chairman, so I don't know for sure how long it has 
been there. We believe the data is from the 1998 period is how 
long it has actually been up on the Web site, we have been 
working with Mr. Lujan and his company to try to do some 
forensics on the Web site to see if we can understand----
    Mr. Stupak. Right. It didn't have a counter, so we don't 
know how many hits it has had.
    Mr. Anastasio. We are working that. We don't have an answer 
to that.
    Mr. Stupak. It is from 1998 personnel records and was just 
discovered in 2007, so it has been there maybe 9 years?
    Mr. Anastasio. It is potentially that. On the other hand, 
the information was a name and a Social Security number.
    Mr. Stupak. Right.
    Mr. Anastasio. That information was buried in several 
layers down inside that Web site of a relatively small company. 
So we are hopeful that there has been little opportunity to 
compromise it. The second thing that we have done, of course, 
my first concern in this whole incident was for the employees 
themselves and we have taken a number of actions to support the 
employees. And I could go through those, but my point was going 
to be that in fact we have informed all the employees who were 
affected. We have heard back from none of them that say that 
they had a concern that they think that their information might 
have been compromised.
    Mr. Stupak. From this side I tell you, it would be a 
violation of the contract or subcontract to have this 
information out there.
    Mr. Anastasio. Certainly part of his subcontract was to 
protect the personal information.
    Mr. Stupak. Then what action or accountability has been 
taken for Lujan Software Services?
    Mr. Anastasio. Well, certainly we have made sure that we 
took down that information off that Web site. The lawyers and 
working with the IG, we are doing the investigation to 
understand what the----
    Mr. Stupak. So no enforcement action then?
    Mr. Anastasio. Have yet but we are still in the middle of 
the investigation.
    Mr. Stupak. OK. The Inspector General testimony calls for a 
risk-based evaluation of cyber security funding at Los Alamos 
to make sure that the resources are available for revised cyber 
security policies. Has your organization undertaken this 
evaluation? When will it be complete? And do you have an 
estimate of that potential cost?
    Mr. Anastasio. Yes, every year of course we given input to 
the Department on our funding requirements to meet the goals 
that they set out for us. So we do that every year. In 
addition, we have been in discussion with the Department about 
extending this idea of super vault-type rooms and made some 
estimates of what that might cost to--if this works like we 
hope, which we will learn as we run this pilot. We have been 
discussing with them as well what it would take to propagate 
that through the site in the way we would like over several 
years.
    Mr. Stupak. Do you have any numbers or anything for us?
    Mr. Anastasio. I think it is premature to tell you what the 
number is. I think we have made some very simple estimate. Let 
me just say many tens of millions of dollars.
    Mr. Stupak. OK.
    Mr. Anastasio. I hope that is useful.
    Mr. Stupak. Well, I said earlier, it is not get out of jail 
free, it is not Monopoly, it is not paper money, it is 
taxpayers' money and the monopoly--let me ask you a little bit 
about that. You are at Sandia. Did you have the contract at 
Sandia, too? Did you manage that lab?
    Mr. Anastasio. No, it does not.
    Mr. Stupak. Is this the only lab where for 63 years, 
basically the life of this lab, one entity has had 
responsibility there?
    Mr. Anastasio. It is certainly the only one in 63 years 
because Los Alamos was the first lab, of course, of that 
nature. The Lawrence Berkeley Lab also has been under the UC 
contract. It is not a national security site but it is a DOE 
laboratory. But then the PNL Lab up in Washington has been 
under the same contractor, and I think that is coming up for 
competition and I don't remember exactly when but in the near 
term. So there are other sites that have had one contractor for 
many decades but----
    Mr. Stupak. Well, if you have open contractor, we have 
Secretaries come and go and members come and go and there is 
really no incentive to make that change, to bring forth any 
kind of change it seems like if you are always getting the same 
contract and no matter how many hearings we have and things 
like this. And your board is still 50 percent UC.
    Mr. Anastasio. But as you said to me or the committee or 
subcommittee said to me earlier in a question, why didn't we 
see these problems at Livermore, and I spent most of my career 
at Livermore which was under UC contract, too. So I don't think 
these problems are fundamentally an issue of the contractor per 
se, I think it is about the local situation more than it is the 
fundamental issue of the contractor. That is my personal view. 
But I would also say that I am very personally motivated to 
make Los Alamos a success. This is certainly something that I 
believe is very important for the country, and I can certainly 
speak for all the employees there, that they are very concerned 
about their role in these turbulent times the country faces to 
fulfill their role, to help the country's security.
    Mr. Stupak. No one questions your commitment to the 
process, but as we have heard over and over again from many, 
many people sitting in those chairs, they are all enthused, 
they are all excited, it goes for a while, it fizzes out, and 
it never seems to get down to the other 13,000 employees. We 
have the guards striking at places, performance reviews seem to 
go from bad to worse, and believe me, we don't like being here 
anymore than you do and having to go through these hearings.
    Any further questions for anyone? I ask that the memo be 
made a part of the record, that our discovery book that we all 
agreed upon earlier be made part of the record except for the 
Official Use ones we will not make a part of the official 
record. We won't put the OU documents in.
    With that we will keep the record open for 30 days and for 
follow-up questions for Secretary Bodman. I am sorry he had to 
leave. I am sure we will catch him back at another time, 
hopefully not in the real near future. And with that, we will 
let you go, Mr. Friedman. Get lunch and thank you for your time 
and effort. The hearing is adjourned.
    [Whereupon, at 1:10 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                    Testimony of Hon. Samuel Bodman

    Chairman Stupak, Congressman Whitfield, and Members of the 
Subcommittee, I'm pleased to appear before you to discuss what 
I consider to be one of the most pressing management issues 
confronting the Department of Energy (DOE). Since coming to the 
Department, one of my top goals has been to institute a safer, 
more secure work environment across the DOE complex. And I have 
meant this to include physical safety and security as well as 
cyber security. I want to be absolutely clear here: the 
protection of sensitive information is essential to our ability 
to meet our mission as a Department.
    This testimony is intended to describe the steps that we 
have taken to improve security within the Department of Energy 
following last year's incident at Los Alamos National 
Laboratory (LANL). In particular, I will discuss improvements 
that have occurred since Deputy Secretary Sell last testified 
before you in January of this year. I would preface this 
discussion with two over-arching points: first, we have made 
significant progress over the past few months, and I am 
confident that we are on the right track. But, we are not 
satisfied. We are staying on top of this issue, and we continue 
to look for ways to identify and correct any potential 
weaknesses.
    And I hasten to add that the entire senior leadership team 
at DOE--including myself, Deputy Secretary Sell, and National 
Nuclear Security Administration (NNSA) Acting Administrator Tom 
D'Agostino--remain strongly committed to improving security at 
the entire DOE complex and to keeping this Committee closely 
informed of our progress.

          Senior Management Changes and DOE Oversight Actions

    First, let me describe the senior management and oversight 
changes that we have made at the Department level. In January, 
I made the difficult decision to replace the Under Secretary 
for Nuclear Security, and Thomas D'Agostino was named as the 
Acting Under Secretary and NNSA Administrator. In addition, 
NNSA has reassigned the Los Alamos Site Office (LASO) Manager 
and has put one of its strongest managers, Daniel Glenn--
formerly of the Pantex Site Office, in place as Acting Manager. 
We are making changes to the Los Alamos National Security, LLC 
(LANS) contract to mandate further improvements, and we have 
increased the planned fiscal year 2008 investment in cyber 
security significantly.
    In addition, following the event at LANL this past October, 
I formed two teams consisting of the Department's three Under 
Secretaries, the Chief of Health, Safety, and Security, and the 
Chief Information Officer: a Personnel Security Task Force and 
a Cyber Security Review Team. I asked them to make specific 
recommendations based on the Department's Inspector General 
report on the LANL incident.
    The Personnel Security Task Force submitted its report on 
February 28, 2007. It recommended improvement in several areas. 
I have accepted their recommendations and have directed 
implementation to begin immediately of the following:
     Enhanced mandatory training for those involved in 
the granting of security clearances,
     Strengthened Departmental policy on drug testing 
for those that hold security clearances,
     Enhanced quality assurance oversight to increase 
confidence in the suitability of those granted a security 
clearance; and
     Revised the personnel security organizational 
structure to increase the authority and ensure greater 
accountability for the Personnel Security Program.
    I have also directed that all of the recommendations made 
by the Cyber Security Review Team that have not already been 
implemented, be implemented immediately. To that end, issuance 
of a revised cyber security policy [DOE Order 205.1A] was 
completed on December 4, 2006. And, the new National Security 
Manual was issued on March 8, 2007. The Cyber Security Task 
Force also recommended the following, which we are in the 
process of implementing:
     Mandatory separation of duties for key positions, 
such as Information System Security Officers and System 
Administrators,
     Improved training for all individuals with cyber 
security responsibilities; and
     Improved line management oversight of cyber 
security.
    We are also taking steps to further strengthen the 
oversight by NNSA of LASO. The NNSA Acting Administrator has 
directed the NNSA Chief Information Officer to work very 
closely with Site Office management to ensure cyber security 
requirements are implemented by LANL. To ensure that these 
requirements are fully implemented, the Designated Approval 
Authority position for cyber security has been strengthened 
within the LASO management structure. This position will report 
directly to the Site Office Manager and is in the process of 
being filled. Working in concert with the Site Office and NNSA 
management additional cyber security personnel will be hired to 
bolster the cyber security staff and program within the Site 
Office.
    Further, Acting Administrator D'Agostino has requested that 
DOE's Office of Health, Safety and Security conduct annual 
inspections at Los Alamos for the next three years. This month, 
both NNSA's Office of Defense Nuclear Security and CIO will 
inspect LANL for the cyber and physical security programs. The 
Site Office will conduct annual surveys--and regular 
observations--of the Lab's security programs.
    We are also exercising the Department's new authorities 
under 10 CFR 824, Procedural Rules for the Assessment of Civil 
Penalties for Classified Information Security Violations. The 
DOE Office of Enforcement has completed its review of the LANL 
incident and last week the Department held an enforcement 
conference with the Lab's current management and operating 
contractor, LANS, and with the former contractor, the 
University of California. Similar to the process we use for 
Price-Anderson enforcement, both contractors now have the 
opportunity to respond before we make a decision regarding a 
Preliminary Notice of Violation.
    Finally, I would just add that I continue to be in close 
contact with the senior leadership of the Laboratory and the 
LANS Board.

 Corrective Actions by LANL Management & Operating Contractor LANS, LLC

    Even while these Departmental reviews and changes have been 
underway, LANS has moved ahead with corrective actions. 
Following the incident, LANS immediately strengthened its 
escorting procedures, initiated mandatory entry and exit 
inspections of vault-type room visitors, and increased the 
number of exit inspections at other security boundaries ten-
fold.
    One of the issues identified as a contributing cause to 
this incident was the span of classified activities. LANS 
continues on schedule to move to a diskless environment, 
reducing the number of pieces of classified removable 
electronic media (CREM) and the number of classified paper 
documents. LANL recognizes their volume of classified holdings 
is unnecessarily large, conducted in too many security areas, 
involves too many people, and is spread out over too large of 
an area. As a result, LANS is aggressively reducing the number 
of locations where they hold and process classified matter. 
LANS will more closely scrutinize the continued need for 
existing security operations or the establishment of a new 
security area. This will enable them to better focus 
professional security resources to provide stronger management 
and oversight of classified operations.
    To achieve this reduction, LANS has proposed, and NNSA has 
approved, a new consolidated vault-type room (VTR) concept to 
create classified matter storage and processing centers 
that will reduce the number of security areas and enhance the 
accountability and control of classified matter. The first 
"Super" VTR is planned to open on June 1, 2007.
    The Weapons Engineering Division at LANL plans to close 
three VTRs immediately, three more by the end of April, and 
another five by the end of fiscal year 2007, a reduction of 50 
percent. This division also plans to further reduce its CREM 
holdings by 90 percent, from 364 to a dozen or so pieces in the 
near term. Another division within LANL, the Weapons Physics 
Division, currently has six VTRs; it will close three by the 
end of fiscal year 2007. The classified materials in these VTRs 
will be archived, destroyed, or re-located as appropriate. 
These reductions are just examples of progress that will reduce 
security risk without reducing the productivity of our 
scientists and engineers.
    While this incident occurred during the early stage of 
LANS' contract, I hold it accountable for the incident, and for 
rectifying the situation, just as I would at any DOE site 
managed by any contractor.
    The LANS Board of Governors has also taken an active role 
in reviewing and validating the adequacy of LANL's corrective 
actions. The Board is closely monitoring the Laboratory's 
integrated corrective action plan which was developed to 
address the root causes of the incident identified during the 
incident inquiry. LANS has reassigned cyber security 
responsibilities to the Chief Security Officer who reports 
directly to the Laboratory Director. The Board has also made a 
significant effort to employ the collective power of the LANS 
member companies through the use of Assess, Improve, and 
Modernize, or AIM Teams from the member companies to conduct 
oversight assessments and make recommendations for improvement. 
The Board has taken a leadership role in numerous other ways as 
well, but most importantly, it has opened a clear line of 
communication with me and the Acting NNSA Administrator. I talk 
to the Chairman of the LANS Board of Governors, Gerald Parsky 
on a regular basis. In fact, we met with the Chairman and Vice 
Chairman of the Board of Governors in person two weeks ago.

                        Concluding Observations

    While we have made significant improvements and changes in 
personnel and cyber security programs, I believe that in order 
to guard against future incidents, we must continually improve 
the security culture across the DOE complex. And we will.
    In closing, let me just say this: the men and women who 
work at LANL and all our National Laboratories are among the 
world's most talented scientists and engineers. Since their 
founding, these Laboratories have demonstrated again and again 
the tremendous power--and promise--of science to help our 
nation solve its greatest challenges. But such a system cannot 
tolerate any lapses in security--be they in the physical or 
cyber realm. Protecting critical information and maintaining a 
vibrant, collaborative scientific culture are not mutually 
exclusive goals. Quite the opposite is true. In this case, you 
absolutely cannot achieve one without the other. And, you 
continue to have my word that I will do everything in my power 
to support both objectives. The American people deserve no 
less.
    This concludes my statement. I will be pleased to respond 
to your questions. Thank you.
                              ----------                              


                   Testimony of Michael R. Anastasio

    Good morning Chairman Stupak, Ranking Member Whitfield, and 
Members of the Subcommittee. Thank you for the opportunity to 
update you on our progress.
    I am Michael Anastasio, director of Los Alamos National 
Laboratory since June 2006, and president of Los Alamos 
National Security, LLC.
    I am pleased to report that we have continued to make 
significant progress on many fronts since I last addressed this 
Subcommittee 11 weeks ago. Today, in keeping with the subject 
of this hearing, I will focus on security. As I expressed at 
the last hearing, I personally take the issue of security at 
Los Alamos very seriously. We are entrusted with some of the 
Nation's most important secrets and I view their safeguarding 
as one of my most significant responsibilities.
    First, we have significantly cut our risks in both cyber 
and physical security. This includes reducing and consolidating 
our classified holdings, per the subcommittee's stated concern. 
Second, we are taking additional actions to make policy clear 
and consistent--and to change employee behavior. Third, we are 
putting in place comprehensive corrective actions with a major 
focus on long-term sustainability.
    My management team, my Board of Governors, and I are taking 
a number of specific actions to reduce risk.
    Cyber security.  We now have positive control over both our 
classified computer ports, using a combination of software, 
physical locks, and tamper-indicating devices. All of our 
classified systems have been inspected and found to be 
compliant. We have reduced the number of stand-alone classified 
systems by 28 percent.
    Physical security. We have made our vault escort 
requirements clearer and much tougher, requiring the search of 
all belongings carried by those escorted in and out of vaults. 
By December, we will have reduced our accountable classified 
removable electronic media (known as ACREM) by 50 percent. We 
have destroyed almost 1,500 classified parts and 500 boxes of 
classified documents that we inherited. We have eliminated 14 
vault-type rooms, a reduction of 10 percent--with more to come.
    Policy and behaviors. In the area of policy and behaviors, 
we have uniformly trained our Information Systems Security 
Officers (ISSOs) and are hiring senior ISSOs in all key 
organizations to provide consistency throughout the Laboratory.
    We are making our cyber security policy clearer and 
simpler. In addition to mandatory training, we will promote the 
right behavior through active employee participation. For 
example, we will directly involve employees through worker-led 
security teams at multiple levels.
    On March 5, we launched an enhanced substance abuse 
program. Every newly hired employee is tested for illegal 
drugs, and every badgeholder is now subject to random testing, 
regardless of his or her clearance level.
    New type of vault-type room. For long-term effectiveness 
and sustainability, we have begun constructing a super vault-
type room, the first of its kind. This will allow us to 
consolidate and control classified information uniformly. At 
the same time, it will give authorized users efficient access.
    I expect to complete construction of the first functional 
prototype by June. This project will initially allow us to 
close at least six more vault-type rooms and reduce our ACREM 
libraries by nearly one-third.
    By constructing additional super vault-type rooms, we will 
reduce the number of classified vaults to an absolute minimum, 
consistent with our operational requirements.
    Validation, verification & oversight. We have been careful 
to embed validation and verification into our corrective action 
plans to sustain all these efforts and to prevent backsliding. 
Moreover, everything we're doing is being closely scrutinized 
not only by Congress but by my own Board of Governors and by DOE, 
NNSA, and other oversight bodies. I welcome that continuing 
scrutiny. It validates that we're heading in the right 
direction--and keeps our eye on the ball.
    As I testified previously on this issue, there are no 
``silver bullets'' where security is concerned. But, with these 
security enhancements, and Board of Governors support and 
oversight, we are aggressively moving Los Alamos in the right 
direction, as we are on many other fronts vital to the Lab's 
mission.
    Thank you again for the opportunity to testify. I would be 
pleased to answer any questions you may have.
                              ----------                              


                    Statement of Gregory H. Friedman

    Mr. Chairman and members of the Subcommittee, I am pleased 
to be here at your request to testify on the concerns expressed 
in your April 5 letter regarding operations at the Los Alamos 
National Laboratory.

                               Background

    In January of this year, I testified before this 
subcommittee on the special inquiry conducted by my office 
regarding the diversion of classified data from the Los Alamos 
National Laboratory. Specifically, at the request of the 
Secretary of Energy, we examined the efforts of the Department 
and its contractors to protect classified information and the 
steps that were taken to ensure that only authorized 
individuals had access to such information. Our report on this 
matter was issued on November 27, 2006.

                   Office of Inspector General Review

    The Office of Inspector General (OIG) found that the 
security environment at Los Alamos was inadequate, despite the 
expenditure of millions of dollars by the National Nuclear 
Security Administration to upgrade various components of the 
Laboratory's security apparatus.
    In particular, related to the cyber security control 
structure, we found that:
     Certain computer ports, which could have been used 
to inappropriately migrate information from classified systems 
to unclassified devices and computers, had not been disabled;
     Classified computer racks were not locked;
     Certain individuals were inappropriately granted 
access to classified computers and equipment to which they were 
not entitled;
     Computers and peripherals that could have been 
used to compromise network security were introduced into a 
classified computing environment without approval; and,
     Critical security functions had not been 
adequately separated, essentially permitting system 
administrators to supervise themselves and override controls.
    In many cases, Laboratory management and staff had not: 
developed policies necessary to protect classified information, 
enforced existing safeguards, or provided the attention or 
emphasis necessary to ensure protective measures were adequate. 
Some of the security policies were conflicting or applied 
inconsistently. We also found that Laboratory and Federal 
officials were not as aggressive as they should have been in 
conducting security reviews and physical inspections. In short, 
our findings raised serious concerns about the Laboratory's 
ability to protect both classified and sensitive information 
systems.
    The OIG also reviewed certain aspects of the security 
clearance process in place for Laboratory employees. We 
identified particular weaknesses associated with this program 
which were discussed in a closed session of this subcommittee 
in January of this year.

                         Departmental Response

    After this incident was discovered, Department and 
Laboratory management officials launched several efforts to 
identify and correct control deficiencies that contributed to 
an environment in which classified information could be removed 
without authorization. In particular, the Deputy Secretary 
directed an immediate review of policies and practices related 
to computer ports at each of the Department's facilities. 
Further, the Secretary established two high-level Task Forces 
to address our findings. The reports of the Secretary's Task 
Forces and a list of the proposed corrective actions were 
provided to my office last week.
    The report from the Department's Committee to Review the 
Cyber Security-related Recommendations indicated concurrence 
with the OIG's report and specified that the Department had 
initiated corrective actions that involved revising policy, 
securing unneeded ports, limiting access and privileges, and 
maintaining separation of duties. The report also indicated 
that controls over security planning and accreditation and 
physical inspections were to be strengthened and that 
corrective actions would be tracked to resolution.
    The Personnel Security Program Review Task Force analyzed 
the OIG report and agreed that there were personnel security 
program weaknesses. The Task Force addressed the security 
clearance issues raised in our November 2006 report. 
Specifically, it identified and developed recommendations for 
improving Department-wide training, policy, quality assurance 
and oversight, and organizational structure. Additional details 
are contained in the Task Force's report, which has been marked 
by the Department as "Official Use Only."
    Many of the corrective actions outlined by the two Task 
Forces are in progress. However, implementation and execution 
are key. If properly carried out, the corrective actions should 
improve classified operations at Los Alamos and could help 
prevent similar incidents at Departmental facilities around the 
complex.

                 Issues Requiring Continuing Attention

    As I have testified on several occasions, the Department 
must do a better job addressing the recurring challenges it 
faces. Specifically:
      1. With regard to the current matter, the Department must 
ensure that all actions and recommendations outlined in the 
Task Force Reports are formalized into policy and adopted as 
practice throughout the Department. As part of that effort, 
these policies should be incorporated into all facility 
contracts.
      2. To achieve the recommended reforms, the Department 
must establish firm schedules with specific implementation 
timelines and performance metrics.
      3. Both Federal and contractor officials need to manage 
more aggressively. As part of that process, the Department 
needs to ensure that its Federal contract management function 
is adequately staffed and that the skill mix is appropriate. In 
addition, Department and Laboratory officials must develop a 
more comprehensive regimen of compliance testing and follow-up 
to ensure that security policies and procedures are rigorously 
followed.
      4. Individuals and institutions, both Federal and 
contractor, must be held accountable for failure to follow 
established security measures. As it has begun to do in its 
response to the recent Los Alamos incident, the Department 
should emphasize that the failure to properly protect 
classified information and materials will have meaningful 
consequences.
    Finally, consistent with our November 2006 recommendation, 
we continue to believe that the Department should perform a 
risk-based evaluation of cyber security funding at Los Alamos. 
The objective of this evaluation would be to ensure that the 
resources are available for complete implementation of the 
revised cyber security policies and procedures.

                   Ongoing Inspector General Efforts

    For the past 5 years, we have identified both cyber and 
physical security as pressing management challenges. For these 
reasons, and because of the recent incidents, the Office of 
Inspector General continues to be concerned about security 
across the complex. We have ongoing activities to examine 
information technology and systems security; implementation of 
revised security measures; disposal of sensitive property; and, 
issues related to protective force training.
    In addition to our on-going work, the full Committee, in 
January 2007, requested that the Government Accountability 
Office (GAO) examine the security of the Department's 
unclassified and classified information networks and its cyber 
security programs. My office coordinates closely with GAO on 
reviews of the Department, and we believe that the assessment 
requested by the Committee will lead to a strengthened agency-
wide security posture. My office will continue to conduct 
audit, inspection, and investigative work that will complement 
the review requested by the Committee.
    Mr. Chairman, this concludes my statement and I would be 
pleased to answer any questions you may have.

                                 
