January 30, 2024

Allegations of Security and Safety Concerns at Sandia National Laboratories

On September 2, 2022, the IG Hotline received two complaints alleging inappropriate management response to security and safety events at Sandia National Laboratories (SNL).  The complainant alleged that SNL management allowed a vendor to introduce and use a Bluetooth-enabled device in a Limited Area (LA) where unapproved electronic devices are expressly prohibited.  Further, the complainant alleged that SNL management did not track the Bluetooth-enabled device while it was in the LA; did not report it properly; and was attempting not to report it.  The complainant also alleged that, in February 2022, management neither documented the cause nor addressed concerns related to a water leak that flooded part of the Microsystems Engineering, Science and Applications complex that posed serious risks to equipment and personnel.

We initiated this inspection to determine the facts and circumstances regarding the alleged security and safety concerns at SNL.

We substantiated the allegation that SNL management allowed a vendor to introduce and use a prohibited Bluetooth-enabled device in a LA, and SNL management did not track its presence or report it properly.  However, we did not substantiate that SNL management deceptively attempted not to report it.  Specifically, we determined that SNL management had approved an exemption for the Bluetooth-enabled device to be brought into the LA on a temporary basis and did not track it.  The issues we identified occurred because SNL management: (1) did not properly identify the device as a Controlled Article; (2) should not have allowed the Bluetooth-enabled device to be brought into the LA without going through the established approval process; and (3) approved a policy exception that inadvertently deviated from the federally approved process.  Moreover, we did not substantiate the allegation that SNL management failed to respond to a water leak that subsequently flooded part of SNL’s Microsystems Engineering, Science and Applications Complex.  

The report contains four recommendations that, if fully implemented, should help ensure that similar security events do not occur in the future.  Management agreed with our findings and recommendations, and its proposed corrective actions are consistent with our recommendations.