The government agency that oversees the nation’s nuclear laboratories and the highly classified material they house often does not revoke the security clearance of employees and contractors after they leave, potentially compromising national security. The failure involves the Department of Energy (DOE), which issues the authorization via Personal Identity Verification (PIV) cards that serve as entry badges indicating the level of access to classified matter or special nuclear material. PIV cards also allow employees to enter, occupy or leave DOE sites and facilities.
During a three-year period, more than 10,000 federal and contract workers left the DOE through retirement, resignation, removal, or death, according to a recently released DOE Inspector General report. Among them were thousands of individuals with security clearances, and an alarmingly high percentage of their PIV cards were not properly cancelled. In thousands of other cases, the names of separated federal and contract workers did not even match records in the government database. “If clearances and PIV cards are not properly terminated, recovered, and destroyed, former employees may gain unauthorized access to department buildings or information,” the DOE watchdog writes in the lengthy document. “This risk has been demonstrated by incidents at the Department and other federal agencies in which former employees have accessed facilities or systems using unrecovered badges.”
Investigators examined records for 2,703 separated DOE employees and contractors at the agency headquarters in Washington, D.C. and a field office in Albuquerque, New Mexico. They found that, per the destruction records reviewed, 66% of former employees’ PIV cards not marked as “destroyed” in the government database known as USAccess had not been retrieved and manually eliminated. Nearly 40% of departed workers’ PIV cards or employment statuses had not been updated in USAccess to reflect that the person was gone and no longer required access to DOE facilities and systems. In 30% of the cases, the former DOE and contractor employees’ security clearances were not terminated in accordance with agency requirements. “We noticed that several Headquarters Federal and contractor employees remained active in USAccess for months and even years after separation,” the report states. “For example, one employee that separated in November 2015 remained active in USAccess when we reviewed the database in July 2018, over 2 years later. Further, some of these employees were identified as having been removed from their jobs and others were deceased.”
During the audit, a DOE official told investigators that he witnessed a former employee at the agency headquarters enter the building and access his former workspace in a restricted area. The former staffer’s PIV card had not been recovered and his status in USAccess had not been updated, as required. The report offers a separate example at another federal agency in which a terminated employee repeatedly used administrator credentials to log onto government servers and make unauthorized changes to the agency’s website, including disabling a portion of the site. “To mitigate the risk of unauthorized access, the Department needs to take actions to ensure that it terminates security clearances and PIV card access for separated Federal and contractor employees in a timely manner,” the watchdog writes.
This is especially important considering the DOE oversees the nation’s nuclear laboratories, which have long been plagued by embarrassing security breaches. The last thing they need is a disgruntled former employee with access to the facility. Judicial Watch has reported on the problem extensively and helped expose a disturbing scheme back in 1999 involving a Chinese Communist scientist (Wen Ho Lee) who stole nuclear secrets from the Los Alamos National Laboratory in New Mexico. Lee was not prosecuted by the Clinton Justice Department because then Attorney General Janet Reno claimed the accusations were racist. Judicial Watch represented the whistleblower, Notra Trulock, responsible for launching an investigation into Lee’s actions. A multitude of scandals have rocked Los Alamos, the nation’s key nuclear weapons research facility, since then. A Los Alamos scientist and his wife, both contractors at the facility, stole “classified restricted data” involving nuclear weapons and passed it along to a foreign government that is hostile to the U.S. Before that, Los Alamos officials sent top secret data relating to nuclear weapons via an open electronic mail network and police accidentally stumbled upon it in a drug dealer’s mobile home during a drug bust. In 2017 the lab mistakenly shipped radioactive material on a commercial cargo plane. A few years later an epidemic of theft, fraud and security lapses led the DOE to label it “a systematic management failure.” The problem is not limited to Los Alamos. The nation’s other government-owned nuclear labs (there are 17) have also experienced decades of faulty management, weak security, and lousy oversight.