Alissa Tabirian
NS&D Monitor
7/24/2015
Sandia Corporation is required to pay a penalty of $577,500 for six classified information security violations, according to a July 13 Final Notice of Violation (FNOV) from the National Nuclear Security Administration (NNSA) released last week. The violations, dating back to 1997 and discovered in 2012 at Sandia National Laboratories’ New Mexico site, involved the use of classified information, including Critical Nuclear Weapon Design Information, in 13 slides of an employee’s presentation. A Preliminary Notice of Violation (PNOV) issued to Sandia at the end of May noted that the presentation had not been submitted for classification review, was given at public venues and remained on an unclassified shared server for years.
Forty-seven variations of the presentation were created “for over 15 years without receiving the requisite classification review,” the FNOV says. The presentation was “delivered on several occasions in unclassified settings” and was stored on servers that were accessible to foreign nationals and “individuals without security clearances,” it says. After the incident was discovered in 2012, Sandia “took immediate action to sanitize the unclassified shared network server” but left other variations of the presentation on other unclassified servers, the notice says.
Following issuance of the PNOV, Sandia challenged some of the severity levels determined by NNSA “on the basis that the information associated with the security event is available in open sources and could not result in any actual or high potential for adverse impact on national security,” according to the FNOV. However, NNSA determined that “the availability of this information in the open literature does not automatically declassify the information” and “Sandia is aware of existing processes in place to have information declassified,” the July 13 letter says. It adds that “Sandia should have identified the security program weaknesses” earlier than the 2012 date of discovery.
As a result, NNSA “finds no merit” in Sandia’s challenge to the PNOV, the letter says. NNSA imposed a $660,000 civil penalty for four Severity Level I and two Severity Level II violations of classified information security requirements, and adjusted the amount following some corrective actions to $577,500, the letter says. In a statement issued after the PNOV was released, Sandia spokeswoman Nancy Salem said, “Sandia has taken this security issue seriously since becoming aware of it in 2012. After discovering and reporting the issue, Sandia analyzed the causes and identified, developed and carried out a series of improvements that will reduce the likelihood of security violations of this kind.” Sandia has been given 30 days to request a hearing to contest the allegations in the FNOV.