Defense Nuclear Security Lessons Learned Center
Enhancing the Defense Nuclear Security Lessons Learned Center
Patricia Blount, DNS-LLC Project Leader
OEC Workshop, SLAC, May 5, 2010
UNCLASSIFIED
DNS SEC-LLC Mission
The Security Lessons Learned Center (SEC-LLC) was established in 2007 by Defense Nuclear Security (DNS) to provide an infrastructure for gathering, archiving, and communicating security lessons learned related to physical safeguards and security (S&S) issues across the NNSA Enterprise.
Provide a platform to encourage and facilitate the sharing of lessons learned information.
Speaker notes: Mission as originally defined.
Program Drivers
- DOE O 210.2, DOE Corporate Operating Experience/Lessons Learned Program (OEC)
- DOE O 226.1A, Implementation of Department of Energy Oversight Policy
- NA-1 SD 226.1A, NNSA Line Oversight & Contractor Assurance System Supplemental Directive
- DOE Manual 470.4-1 Chg 1, Safeguards and Security Program Planning and Management
  - Part 1, Section F, Performance Assurance Program
  - Part 1, Section G, Survey, Review and Self-Assessment Programs
Speaker notes: Standard drivers for all OE programs, plus security-specific requirements. Elaborate on EPAP in later slides.
Lessons Learned Operating Experience Program
The purpose of the DNS Safeguards and Security Operating Experience Program is to capture and apply lessons taken from operating experiences from across the National Security Enterprise in order to avoid repeat events, anticipate and mitigate undesirable consequences, and replicate best practices.
Speaker notes: Originally established as a LL program. Programs across the NNSA/DPE Enterprise moved toward an Operating Experience philosophy. Emphasize the BLUE BOX elements: experiences are important to replicate awareness; lessons are important to replicate learning.
National Security Enterprise (NSE)
Promote the Lessons Learned Center by leveraging the efforts of designated Points of Contact (POCs) at the site level.
Points of Contact
Infrastructure: Webpage, Database, Help Desk
Webpage
- Web-based homepage available on the open network, linked to HSS and other DOE/NNSA websites
- Timely posting and dissemination of security communications
Database
- Microsoft Access database maintained by DNS-LLC for archiving, tracking, trending and reporting Operating Experiences
- Compatible with the Office of Health, Safety and Security (HSS) database (DOE Corporate); DNS-LLC uploads to HSS for posting to DOE Corporate
- Shared resource between safety, security, and project management professionals
- Gatekeeper authority: approve user access to security-related lessons learned
Help Desk
- Call-in and e-mail resource center
Website: http://dns-lessons.lanl.gov/
Security Smarts
- Apr. 11, 2008: Avoiding Copyright Infringement
- Mar. 14, 2008: Detecting Unusual Behavior and Your Responsibilities
- Feb. 20, 2008: "You Are The Target!"
- Dec. 13, 2007: Holiday Security Awareness
- Nov. 27, 2007: Official Use Only (OUO)
- Sept. 27, 2007: Integrated Safeguards and Security Management
- Sept. 24, 2007: Identity Theft
CSI: Contemplating Security Incidents
- Feb. 27, 2008: Personally Identifiable Information (PII)
- Jan. 24, 2008: Unprotected Computer User ID and Password
- Nov. 15, 2007: Improperly Secured Classified Slides
Operating Experience Template: Forms & Field Descriptions
Form fields: Topical/Sub-Topical Area; Date; Originator Site; Publish Anonymously; Title; Facility/Site POC; Derivative Classifier/Reviewing Official; Lesson Learned; Discussion of Activities; Lesson Learned Summary; Analysis; Recommended Actions; Estimated Savings/Cost Avoidance; Keyword
Field descriptions:
- Lesson Learned: Knowledge and experience, positive or negative, derived from actual events, shared to promote positive information or prevent recurrence of negative events; benefit from the experiences of others.
- Discussion of Activities: Brief discussion focused on the facts that resulted in the initiation of the lesson learned.
- Lesson Learned Summary: Executive summary focusing on knowledge gained from the lesson learned. Sufficient detail to allow a reader to understand what the problem is/was, how it was identified, and what steps have been or will be taken to correct the problem and prevent recurrence.
- Analysis: Results of any analysis that was performed, if available.
- Recommended Actions: Description of management-approved actions that were taken or will be taken to promote implementation of work enhancements or to prevent recurrence. Focus on actionable recommendations (i.e., the change resulting from the lesson) rather than reminders.
Quarterly Tracking/Reporting
NNSA's Enterprise Re-Engineering and Management Reform
- Six-Month Moratorium on NNSA Initiated Assessments (January – June 2010)
- Contractor Assurance Systems (CAS)
- Contractor Performance Evaluation Plans (CPEP)
- Enterprise-wide S&S Assessment Plan
- Security Requirements Reform
- Safeguards and Security Evaluation and Performance Assurance Program (EPAP) / Management Systems Assurance Program (MSAP)
Speaker notes: We have since moved toward an Operating Awareness Program. It still fulfills the requirements and expectations of an OE program, plus those elements unique to an Operating Awareness Program. The focus is on a "continuous process" that allows for describing the state of program health at any given time. Mention Fremont's 3 key EPAP elements. Align with the Secretarial objective to rely more on Contractor Assurance Systems.
Operating Experience Program: Operational Awareness
Office of DNS S&S Evaluation and Performance Assurance Program (EPAP):
"...those activities that ensure operations are securely performed; provide early identification of vulnerabilities; and ensure that there are effective lines of communication between organizations performing the work... Operational awareness also extends to management activities including maintaining a current awareness of the status, conditions and issues that may affect operations; performance expectations and measures; and contract deliverables or requirements. Operational awareness is not a scheduled activity..."
Speaker notes: Operational Awareness is a continuous process.
Operational Awareness
- What data is meaningful?
- Ensure that data is being analyzed and understood
- Communicate the operational aspects of S&S performance
- Ensure the application of relevant lessons learned/best practices
Speaker notes: Overview of the Operational Awareness components that the SEC-LLC is actively involved in. Operational Awareness relies on timely data to anticipate shortfalls and focus resources, identify issues, gauge "weak signals," and determine where assistance is needed in the field.
Screening & Distribution Process Improvements
The SEC-LLC will "coordinate with the Office of Security Operations and Performance Assurance on the extent of the distribution of the lessons learned/best practice."
Routine
- Entered into the SEC-LLC and HSS databases
- Targeted distribution through normal means
Significant (major impact on operations or policy)
- Special markings
- Site Office must provide a "Positive Response"
Speaker notes: Green Flag, routine issues, equivalent to informational issues within the HSS Safety DB. Red Flag issues: due to the nature of security events and reporting, communications may be made before the posting to the HSS DB (i.e., existing vulnerabilities may still be "classified" and won't be downgraded until resolution); red flag items will still undergo the same actions as Routine. Ask "why it occurred, not just what."
Operational Awareness: Data Analysis, Tracking, and Trending
- Lessons Learned/Best Practices
- Management System Assurance Program Reports (MSAP)
- Site Self-Assessments & Periodic Reviews
- Performance Metrics/Measures
- Other sources including, but not limited to: Office of Independent Oversight; Inspector General Reports; Line Oversight & Contractor Assurance System (LOCAS); Safeguards and Security Information Management System (SSIMS); Occurrence Reporting and Processing System (ORPS); Enforcement Actions/Reports
- Review of safety-related lessons learned (e.g., conduct of operations, risk management) to determine whether aspects of safety lessons learned have applicability to S&S programs
Speaker notes: Microsoft Access database developed and maintained by the LLC for document repository, archiving, tracking, trending, and reporting of Enterprise-wide S&S operational awareness activities; currently houses 200+ documents. Production of analytical reports based on information collected and trended from the available reports. Provide appropriate information regarding SEC-LLC activity to NA-70 for Security Program Reviews. SEC-LLC staff are trained/certified in use of the SSIMS database and able to provide review of deviations, variances, and exceptions from an Enterprise-wide perspective.
Communicating Data Enterprise-Wide
- Periodic briefings provided to the NNSA Administrator, Deputy Administrator for Defense Programs, and Site Office Managers
- Monthly conference calls: DNS Management & NNSA Assistant Managers for Safeguards and Security (AMSSs) & Site Office AMSSs
- Quarterly Program Reviews
Increased Communications and Partnership
- Increase sharing and communications between NA-71, Site Office Points of Contact & SEC-LLC
- SEC-LLC participation & integration with various Security Working Groups
- Participation on the Security Reforms Communication Team
- DNS Quarterly Performance Improvement Bulletins
Speaker notes: The effectiveness of the DNS EPAP is dependent upon how well the results are communicated.
Targeted Distributions and Partnerships
Topical areas: Classification; Cyber Security; Facility Security; Human Reliability Program; Information Protection; Incidents of Security Concern; Personnel Security; Physical Security; Operational Security (OPSEC); Material Control & Accountability; Federal Points of Contact; Protective Force; Program Management; Training Managers; Safeguards & Security Information Management
Additional interest groups: Training Manager's Working Group; Office of Science; National Training Center; HSS OEC Working Group; Office of Enforcement; EFCOG Security Working Group (SSWG); Security Awareness Special Interest Working Group (SASIG); National Security Information Exchange (NSIE); United Kingdom counterparts
Speaker notes: Expand as needed.
Performance Improvement News Bulletin: Translating Events into Actionable Information
- Integration of HPI principles into communication products
- Analyses of patterns and trends in incidents and reportable occurrences
- Communication of high-leverage lessons and actions
- Recognition for developing and sharing lessons learned
Defense Nuclear Security Lessons Learned Center Contact Information
Webpage: http://dns-lessons.lanl.gov/
Help Desk/Resource Center: (505) 665-0196, sec-llc@lanl.gov
Enhancing the Defense Nuclear Security Lessons Learned Center
Questions?