IG blasts management of Energy’s classified information network

After spending nine years and at least $153 million, managers at the National Nuclear Security Administration developing a project to improve cybersecurity throughout the nuclear weapons complex failed to plan or execute the program effectively, the Energy Department's watchdog found.

In a report released on Monday, Energy Inspector General Gregory Friedman said NNSA's Enterprise Secure Network project, which became operational earlier this year, was more than three years behind schedule and did not meet pre-established objectives, namely that it be the primary network for sharing classified information at the agency.

Additionally, because managers failed to develop an acquisition strategy for the project, they purchased hardware years earlier than necessary, rendering it obsolete by the time the network became operational.

Initiated in 2000, the Enterprise Secure Network was intended to protect classified information, including data related to nuclear weapons, and replace the classified network known as SecureNet.

ESN originally was conceived to handle all NNSA's classified network traffic, but managers eventually decided to scale back the project. As a result, the network now lacks the capacity to handle all traffic so the agency continues to maintain a separate network infrastructure for its advanced simulation and computing supercomputers. In addition, the three-year delay in making ESN operational adversely affected efforts to standardize and consolidate weapons data and enforce need-to-know access rules agencywide.

NNSA has acknowledged that maintaining separate secure infrastructures weakens security and increases costs by adding unnecessary complexity. "In spite of this acknowledgement and understanding, decisions to limit capacity of ESN will require that NNSA and the department program offices continue to maintain multiple infrastructures to transmit classified data," the IG said.

Friedman attributed the network project's failures to the fact that managers did not incorporate controls required for procurements expected to cost more than $20 million. For the first seven years, managers failed to properly track costs associated with the program, causing agency officials to recently announce -- erroneously it turned out -- that the project was completed for $60 million. In fact, the IG found the agency had spent more than $153 million on the effort.

Energy requires that all projects exceeding $20 million meet specific milestones in five areas: mission need, alternative selection, performance baseline, construction and start of operation. Documentation showing that those milestones have been achieved also is required. Nonetheless, ESN managers did not begin developing the necessary documentation until the project was in its sixth year and had consumed more than $100 million -- by which time the network was to have been completed under the original plan.

"Because of the lack of project management rigor, senior NNSA management officials were deprived of the information necessary to ensure that the ESN initiative was properly planned and executed, apply generally recognized best practices and to properly track project costs," the IG said.

In a letter responding to a draft of the report, Michael Kane, associate administrator for management and administration at NNSA, agreed with auditors' recommendations for ensuring project management requirements and best practices are followed for all ongoing and future information technology projects.

But Kane sharply disputed the IG's conclusions about ESN management. By the agency's calculation, the project took four years to complete and cost $70 million instead of the $153 million the IG found. "The $83 million difference between these amounts, as identified in the report, was actually spent on developing [classified infrastructure enhancements]," he wrote.

The IG maintained that none of ESN's sites was operational in 2006, and no sites were using ESN for its intended purposes -- to transmit classified data between sites -- until after the IG's field work was complete. In addition, managers at NNSA were unable to supply information to support their cost calculations. "In contrast, based on varying information provided by NNSA, we calculated that costs for the project incurred by the end of our review ranged between $153 million and $180 million," the IG said.