Nuclear Security
DOE and NRC Have Different Security Requirements for Protecting Weapons-Grade Material from Terrorist Attacks
Gao ID: GAO-07-1197R September 11, 2007
In terrorists' hands, weapons-grade nuclear material--known as Category I special nuclear material when in specified forms and quantities--can be used to construct an improvised nuclear device capable of producing a nuclear explosion. Responsibility for the security of Category I special nuclear material is divided between the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC). Specifically, DOE and the National Nuclear Security Administration (NNSA), a separately organized agency within DOE, are responsible for overseeing physical security at government-owned and contractor-operated sites with Category I special nuclear material. NRC, which is responsible for licensing and overseeing commercially owned facilities with nuclear materials, such as nuclear power plants, is responsible for regulating physical security at those licensees that store and process Category I special nuclear material under contract, primarily for DOE. Because of the risks associated with Category I special nuclear material, both DOE and NRC recognize that effective security programs are essential. The key component in both DOE's and NRC's security programs is each agency's design basis threat (DBT)--classified documents that identify the potential size and capabilities of terrorist threats to special nuclear material. To counter the threat contained in their respective DBTs, both DOE sites and NRC licensees use physical security systems, such as alarms, fences, and other barriers; trained and armed security forces; and operational security procedures, such as a "two-person" rule that prevents unobserved access to special nuclear material. In addition, to ensure DBT requirements are being met and to detect potential security vulnerabilities, DOE and NRC employ a variety of other measures, including inspection programs; reviews; and force-on-force performance tests, in which the site's security forces undergo simulated attacks by a group of mock terrorists. Over the past several years, we have raised concerns about certain aspects of security at DOE sites and at NRC-regulated commercial nuclear power plants. In this context, you asked us to determine (1) whether DOE's and NRC's requirements for protecting Category I special nuclear material from terrorist threats differ from one another; (2) the reasons for any differences between these requirements; and (3) if, as a result, there are differences between how NRC-licensed facilities that store and process Category I special nuclear material and how DOE facilities that store and process Category I special nuclear material are defended against a terrorist attack.
Several factors have contributed to the differences between DOE's and NRC's DBTs. First, a key document used in the development of DOE's DBT was the Postulated Threat to U.S. Nuclear Weapon Facilities and Other Selected Strategic Facilities (Postulated Threat). The Postulated Threat is developed by the U.S. intelligence community, principally the Department of Defense's Defense Intelligence Agency, and the security organizations of several different agencies, including DOE and NRC. The most recent Postulated Threat, issued in 2003, identified, among other things, the most likely threats to U.S. facilities with Category I special nuclear material. While NRC participated in the development of the Postulated Threat, NRC believes that the Postulated Threat does not apply to commercial nuclear facilities such as its licensees. Second, DOE and NRC also differ in their consideration of other intelligence information in developing their DBTs. In this context, NRC has developed its DBT to be within the range of what it has determined are the limitations that a private guard force can reasonably be expected to defend against. Specifically, NRC believes that the defense against threats not contained in its DBT is the responsibility of the federal government, in conjunction with state and local governments. Finally, even though they did so in the past, since September 11, 2001, DOE and NRC have not fully cooperated in sharing classified information on potential misuse of Category I special nuclear material. Reflecting the differences in their respective DBTs, we found differences in the actions DOE sites and NRC licensees are taking to increase their preparedness to defeat a large and sophisticated terrorist attack. For example, currently, NRC licensees do not have the same legal authority as DOE sites to acquire heavier weaponry, such as fully automatic weapons, or the same legal authority to use deadly force to protect special nuclear material. NRC is pursuing new regulations, authorized by the Energy Policy Act of 2005, to allow its licensees to use automatic weapons, but expects to take from 1 to 2 years to issue such regulations. At the same time, DOE is implementing plans that, if fully realized, will further increase security at its sites. These plans include developing and deploying improved security technologies; consolidating special nuclear material into fewer, better protected locations; and providing better training and equipment for its security forces. Finally, DOE has better developed tools for assessing security preparedness and understanding vulnerabilities, such as computer modeling and force-on-force testing programs that simulate terrorist attacks on facilities. However, NRC is in the process of adopting computer modeling and implementing a new force-on-force testing program.
GAO-07-1197R, Nuclear Security: DOE and NRC Have Different Security Requirements for Protecting Weapons-Grade Material from Terrorist Attacks
This is the accessible text file for GAO report number GAO-07-1197R
entitled 'Nuclear Security: DOE and NRC Have Different Security
Requirements for Protecting Weapons-Grade Material from Terrorist
Attacks' which was released on September 25, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
September 11, 2007:
The Honorable Christopher Shays:
Ranking Member, Subcommittee on National Security:
and Foreign Affairs:
Committee on Oversight and Government Reform:
House of Representatives:
Subject: Nuclear Security: DOE and NRC Have Different Security
Requirements for Protecting Weapons-Grade Material from Terrorist
Attacks:
Dear Mr. Shays:
In terrorists' hands, weapons-grade nuclear material--known as Category
I special nuclear material when in specified forms and quantities--can
be used to construct an improvised nuclear device capable of producing
a nuclear explosion. Responsibility for the security of Category I
special nuclear material is divided between the Department of Energy
(DOE) and the Nuclear Regulatory Commission (NRC). Specifically, DOE
and the National Nuclear Security Administration (NNSA), a separately
organized agency within DOE, are responsible for overseeing physical
security at government-owned and contractor-operated sites with
Category I special nuclear material. NRC, which is responsible for
licensing and overseeing commercially owned facilities with nuclear
materials, such as nuclear power plants, is responsible for regulating
physical security at those licensees that store and process Category I
special nuclear material under contract, primarily for DOE.
Because of the risks associated with Category I special nuclear
material, both DOE and NRC recognize that effective security programs
are essential. The key component in both DOE's and NRC's security
programs is each agency's design basis threat (DBT)--classified
documents that identify the potential size and capabilities of
terrorist threats to special nuclear material. To counter the threat
contained in their respective DBTs, both DOE sites and NRC licensees
use physical security systems, such as alarms, fences, and other
barriers; trained and armed security forces; and operational security
procedures, such as a "two-person" rule that prevents unobserved access
to special nuclear material. In addition, to ensure DBT requirements
are being met and to detect potential security vulnerabilities, DOE and
NRC employ a variety of other measures, including inspection programs;
reviews; and force-on-force performance tests, in which the site's
security forces undergo simulated attacks by a group of mock
terrorists.
Over the past several years, we have raised concerns about certain
aspects of security at DOE sites and at NRC-regulated commercial
nuclear power plants. For example, we reported that DOE had taken some
action in response to the terrorist attacks of September 11, 2001, but
that it needed to improve the management of its security
program.[Footnote 1] In addition, we found that DOE needed to fully
implement security improvements initiated in response to its DBT, such
as the consolidation of special nuclear material and the development of
a better-trained and -organized security force, in order to ensure that
its sites were adequately prepared to defend themselves.[Footnote 2]
Regarding NRC, in September 2003, we reported that NRC's oversight of
security at commercial nuclear power plants needed to be
strengthened.[Footnote 3] In March 2006, we reported that commercial
nuclear power plants had upgraded security against terrorist attacks,
and NRC had improved its force-on-force inspections at these plants.
However, we found that NRC's DBT process, as it is applied to
commercial nuclear power plants, should be improved to remove the
appearance that changes to the DBT were based on what the nuclear
industry considered feasible to defend against rather than on an
assessment of the terrorist threat itself.[Footnote 4] While NRC has a
more rigorous DBT for its licensees that store and process Category I
special nuclear material than it does for the commercial nuclear power
plants that it licenses and regulates, NRC uses a similar DBT
development process for both sets of licensees.
In this context, you asked us to determine (1) whether DOE's and NRC's
requirements for protecting Category I special nuclear material from
terrorist threats differ from one another; (2) the reasons for any
differences between these requirements; and (3) if, as a result, there
are differences between how NRC-licensed facilities that store and
process Category I special nuclear material and how DOE facilities that
store and process Category I special nuclear material are defended
against a terrorist attack. In February 2007, we reported to you on the
results of our work in a classified report.[Footnote 5] Subsequently,
you asked us to provide you with an unclassified summary of our report.
This report provides the unclassified summary. We conducted our work
for this report between May 2007 and September 2007 in accordance with
generally accepted government auditing standards.
In summary:
Historically, DOE and NRC have sought comparability in their respective
DBTs because DOE sites and NRC licensees often deal with the same types
of Category I special nuclear material. For example, in 2000, NRC
imposed additional security requirements on its licensees because, as
it stated at the time, NRC is responsible for ensuring that weapons-
usable material in the commercial sector receives protection comparable
with that provided to similar DOE material. Following the September 11,
2001, terrorist attacks, both DOE and NRC put in place more demanding
DBTs. NRC issued its most recent DBT in 2003, and DOE issued its most
recent DBT in 2005. More importantly, even though DOE's sites and NRC's
licensees store and process similar weapons-grade nuclear material, the
DBTs each agency adopted for Category I special nuclear material are
different.
Several factors have contributed to the differences between DOE's and
NRC's DBTs. First, a key document used in the development of DOE's DBT
was the Postulated Threat to U.S. Nuclear Weapon Facilities and Other
Selected Strategic Facilities (Postulated Threat). The Postulated
Threat is developed by the U.S. intelligence community, principally the
Department of Defense's Defense Intelligence Agency, and the security
organizations of several different agencies, including DOE and NRC. The
most recent Postulated Threat, issued in 2003, identified, among other
things, the most likely threats to U.S. facilities with Category I
special nuclear material. While NRC participated in the development of
the Postulated Threat, NRC believes that the Postulated Threat does not
apply to commercial nuclear facilities such as its licensees. Second,
DOE and NRC also differ in their consideration of other intelligence
information in developing their DBTs. In this context, NRC has
developed its DBT to be within the range of what it has determined are
the limitations that a private guard force can reasonably be expected
to defend against. Specifically, NRC believes that the defense against
threats not contained in its DBT is the responsibility of the federal
government, in conjunction with state and local governments. Finally,
even though they did so in the past, since September 11, 2001, DOE and
NRC have not fully cooperated in sharing classified information on
potential misuse of Category I special nuclear material.
Reflecting the differences in their respective DBTs, we found
differences in the actions DOE sites and NRC licensees are taking to
increase their preparedness to defeat a large and sophisticated
terrorist attack. For example, currently, NRC licensees do not have the
same legal authority as DOE sites to acquire heavier weaponry, such as
fully automatic weapons, or the same legal authority to use deadly
force to protect special nuclear material. NRC is pursuing new
regulations, authorized by the Energy Policy Act of 2005, to allow its
licensees to use automatic weapons, but expects to take from 1 to 2
years to issue such regulations. At the same time, DOE is implementing
plans that, if fully realized, will further increase security at its
sites. These plans include developing and deploying improved security
technologies; consolidating special nuclear material into fewer, better
protected locations; and providing better training and equipment for
its security forces. Finally, DOE has better developed tools for
assessing security preparedness and understanding vulnerabilities, such
as computer modeling and force-on-force testing programs that simulate
terrorist attacks on facilities. However, NRC is in the process of
adopting computer modeling and implementing a new force-on- force
testing program.
A successful attack on a facility with Category I special nuclear
material could have unacceptable human, economic, and symbolic
consequences. Consequently, we believe that, regardless of location,
there should not be differences in the protection of Category I special
nuclear material. To address these differences, we made a series of
recommendations in our February 2007 report, including the following:
* DOE and NRC should develop a common DBT for DOE sites and NRC
licensees that store and process Category I special nuclear material.
* NRC should expedite its efforts to ensure that its licensees have the
same legal authorities to acquire heavier weaponry and use deadly force
as DOE sites currently have to protect such material.
* DOE and NRC should cooperate in establishing computer modeling
capabilities and force-on-force performance testing programs to better
assess security preparedness and detect vulnerabilities.
In addition, we recommended that Congress should consider amending the
Atomic Energy Act of 1954, as amended, to give NRC licensees the same
legal authority to use deadly force as DOE sites have to protect
Category I special nuclear material.
We provided DOE and NRC with a draft of our February 2007 report for
review and comment. Overall, DOE, through NNSA, and NRC agreed with
several of our recommendations. Specifically, both NNSA and NRC agreed
to cooperate on improving force-on-force performance testing and
computer modeling. NRC also agreed that obtaining legal authority to
acquire heavier weapons and to clarify policies on the use of deadly
force to protect Category I special nuclear material could enhance
security at its licensees. NRC cited ongoing efforts in both areas.
Finally, NNSA supported having Congress amend the Atomic Energy Act to
provide NRC licensees with the legal authority to use deadly force to
protect Category I special nuclear material. However, NNSA and NRC did
not support our recommendation to develop a common DBT for facilities
that store and process Category I special nuclear material.
Specifically, in its comments on our report, NRC stated that it
believes that it is more important to set protection levels that are
appropriate for the potential scenarios that involve the malevolent use
of the nuclear materials stored or handled at a given site. NRC also
stated that both agencies have recognized that protection strategies
may differ between the sites they oversee based on the type, form,
purpose and quantity of material at their sites. However, in our
evaluation of the agency's comments, we noted that all of the sites and
licensees have one important thing in common--they all possess
significant quantities of Category I special nuclear material. As such,
we believe, there should not be differences in their level of
protection.
- - - --:
As arranged with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 14 days
after the date of this report. We will then send copies to appropriate
congressional committees, the Secretary of Energy; the Administrator,
NNSA; the Chairman of the Nuclear Regulatory Commission; and the
Director of the Office of Management and Budget. We will make copies of
this report available to others upon request. This report will also be
available at no charge on GAO's Web site at [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report or need
additional information, please contact me at (202) 512-3841 or
aloisee@gao.gov. Contact points for our Office of Congressional
Relations and Public Affairs may be found on the last page of this
report. James Noel, Assistant Director, and Jonathan Gill made key
contributions to this report.
Sincerely yours,
Signed by:
Gene Aloise:
Director, Natural Resources and Environment:
(360882):
FOOTNOTES:
[1] GAO, Nuclear Security: NNSA Needs to Better Manage Its Safeguards
and Security Program, GAO-03-471 (Washington, D.C.: May 30, 2003).
[2] GAO, Nuclear Security: DOE Needs to Resolve Significant Issues
Before It Fully Meets the New Design Basis Threat, GAO-04-623
(Washington, D.C.: Apr. 27, 2004); and Nuclear Security: DOE's Office
of the Under Secretary for Energy, Science, and the Environment Needs
to Take Prompt, Coordinated Action to Meet the New Design Basis Threat,
GAO-05-611 (Washington, D.C.: July 15, 2005).
[3] GAO, Nuclear Regulatory Commission: Oversight of Security at
Commercial Nuclear Power Plants Needs to Be Strengthened, GAO-03-752
(Washington, D.C.: Sept. 4, 2003).
[4] GAO, Nuclear Power Plants: Efforts Made to Upgrade Security, but
the Nuclear Regulatory Commission's Design Basis Threat Process Should
Be Improved, GAO-06-388 (Washington, D.C.: Mar. 14, 2006).
[5] GAO, (U) Nuclear Security: DOE and NRC Security Requirements for
Special Nuclear Material, GAO-07-41C (Washington, D. C.: Feb. 16, 2007).
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office:
441 G Street NW, Room LM:
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Susan Becker, Acting Manager, Beckers@gao.gov (202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
