Summary

Although security is an important, nearly billion-dollar-a-year function in the Department of Energy (DOE), key information systems that hold important data about security weaknesses and incidents have limited analytical capabilities and contain unreliable information. The resultant difficulty in identifying patterns and trends reduces managers' ability to ensure the effectiveness of the security program. Resources are also wasted because DOE has deployed incompatible systems that are unable to electronically share or transfer data, often forcing employees to manually re-enter data that are already stored in computers elsewhere. Finally, continuing data problems with other important security information systems, such as those used to track security clearances and classified documents, indicate that information system deficiencies are extensive. A major reason for these problems is that DOE has not done a comprehensive, strategic assessment of its information and information technology needs for the security program. DOE's efforts are fragmented because it has not assigned to any organization the leadership responsibility to determine security information needs and to plan and manage security information resources departmentwide. A number of changes are needed to correct these problems and take advantage of information technology to help strengthen the security program.

GAO found that: (1) although the Office of Safeguards and Security's (OSS) information systems contain departmentwide data on security weaknesses and incidents, they lack the capability to analyze the data because the software was not designed to identify patterns and trends; (2) the Office of Security Evaluations' information system that tracks security weaknesses is also unable to analyze data for patterns and trends; (3) most field offices and most of the 10 security contractors reviewed lacked automated information systems to analyze security incident data; (4) because they receive raw data, security managers find it difficult to identify patterns and trends, hindering their ability to ensure that the security program is effective; (5) OSS managers may be unable to determine whether security weaknesses or incidents are efficiently and effectively resolved because the data in the headquarters systems are often unreliable; (6) DOE is operating incompatible security information systems that are unable to electronically exchange data; (7) DOE has not performed a comprehensive assessment of its information and information technology needs to achieve its security mission and related long-term objectives; and (8) although DOE has attempted to solve security information needs, its efforts have been uncoordinated and driven by individual contractors, field offices, and headquarters security offices.