Protection of Chemical and Water Infrastructure
Federal Requirements, Actions of Selected Facilities, and Remaining Challenges Gao ID: GAO-05-327 March 28, 2005The National Strategy for Homeland Security grouped critical infrastructure into 13 sectors which include assets that if attacked by terrorists could have a debilitating impact on the nation. Two of these 13 sectors are the chemical and water sectors. The total number of chemical sector facilities is not clear. DHS estimates that there are 4,000 chemical manufacturing facilities that produce, use, or store more than threshold amounts of chemicals that EPA has estimated pose the greatest risk to human health and the environment. There are approximately 53,000 community water systems and more than 2,900 maritime facilities that are required to comply with security regulations under the Maritime Transportation Security Act (MTSA). This report provides information about what federal requirements exist for the chemical and water sectors to secure their facilities, what federal efforts were taken by the lead agencies for these sectors to facilitate sectors' actions, what actions selected facilities within these sectors have taken and whether they reflect a risk management approach, what obstacles they say they faced in implementing enhancements, and what are the Coast Guard's results from its inspection of regulated maritime facilities' security enhancements.
Few federal requirements address the security of the chemical and water sectors. However, the Department of Homeland Security (DHS) and the Environmental Protection Agency (EPA) have taken actions to assist the chemical and water sectors to implement security enhancements including providing financial assistance in the form of grants, threat information and guidance, training and exercises, and infrastructure protection initiatives, as well as setting security requirements for some facilities and reviewing actions by maritime facilities to determine compliance with MTSA. Except for facilities covered by MTSA, the chemical sector's security efforts are not regulated. The water sector is regulated by the Bioterrorism Act of 2002, which, among other things, requires community water systems to perform vulnerability analyses of their facilities. Chemical facilities and community water systems reported making security improvements separate from federal requirements. The chemical industry's two principal trade associations require their members to follow a security code that includes elements of a risk management framework such as completing vulnerability assessments and taking actions based on those assessments. Officials at all 10 chemical facilities GAO visited reported making significant progress in implementing the trade associations' security code. However, the proportion of total chemical facilities covered by the code is uncertain. The 8 water systems GAO visited reported completing their required vulnerability assessments, which is one element of a risk management framework. Although community water systems are not required to take any risk reduction measures under the Bioterrorism Act, these 8 water systems reported implementing a number of enhancements, such as increasing access controls. Officials representing 8 of the 10 chemical facilities and 8 community water systems GAO visited reported encountering obstacles in making security enhancements and maintaining a level of security consistent with their needs. Officials at 3 chemical facilities reported experiencing difficulties, such as delays, in obtaining permits or other approvals needed from federal authorities to install fences to better protect the perimeter of their facilities. Officials at 6 of the community water systems GAO visited reported economic constraints, such as balancing the need for rate increases to fund security enhancements with efforts to keep rates low. MTSA's security requirements cover more than 2,900 maritime facilities, including chemical facilities. The Coast Guard found that 97 percent of these facilities complied with MTSA and its implementing regulations. The Coast Guard took 312 enforcement actions against 98 facility owners and operators and imposed operational controls on 29 facilities across the more than 2,900 MTSA-regulated facilities. DHS and EPA generally concurred with the contents of the report.
GAO-05-327, Protection of Chemical and Water Infrastructure: Federal Requirements, Actions of Selected Facilities, and Remaining Challenges
This is the accessible text file for GAO report number GAO-05-327
entitled 'Protection of Chemical and Water Infrastructure: Federal
Requirements, Actions of Selected Facilities, and Remaining Challenges'
which was released on April 4, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Honorable Robert C. Byrd, Ranking Member, Subcommittee on
Homeland Security, Committee on Appropriations, U.S. Senate:
United States Government Accountability Office:
GAO:
March 2005:
Protection of Chemical and Water Infrastructure:
Federal Requirements, Actions of Selected Facilities, and Remaining
Challenges:
GAO-05-327:
GAO Highlights:
Highlights of GAO-05-327, a report to the Honorable Robert C. Byrd,
Ranking Member, Subcommittee on Homeland Security, Committee on
Appropriations, U.S. Senate:
Why GAO Did This Study:
The National Strategy for Homeland Security grouped critical
infrastructure into 13 sectors which include assets that if attacked by
terrorists could have a debilitating impact on the nation. Two of these
13 sectors are the chemical and water sectors. The total number of
chemical sector facilities is not clear. DHS estimates that there are
4,000 chemical manufacturing facilities that produce, use, or store
more than threshold amounts of chemicals that EPA has estimated pose
the greatest risk to human health and the environment. There are
approximately 53,000 community water systems and more than 2,900
maritime facilities that are required to comply with security
regulations under the Maritime Transportation Security Act (MTSA). This
report provides information about what federal requirements exist for
the chemical and water sectors to secure their facilities, what federal
efforts were taken by the lead agencies for these sectors to facilitate
sectors' actions, what actions selected facilities within these sectors
have taken and whether they reflect a risk management approach, what
obstacles they say they faced in implementing enhancements, and what
are the Coast Guard's results from its inspection of regulated maritime
facilities' security enhancements.
What GAO Found:
Few federal requirements address the security of the chemical and water
sectors. However, the Department of Homeland Security (DHS) and the
Environmental Protection Agency (EPA) have taken actions to assist the
chemical and water sectors to implement security enhancements including
providing financial assistance in the form of grants, threat
information and guidance, training and exercises, and infrastructure
protection initiatives, as well as setting security requirements for
some facilities and reviewing actions by maritime facilities to
determine compliance with MTSA. Except for facilities covered by MTSA,
the chemical sector's security efforts are not regulated. The water
sector is regulated by the Bioterrorism Act of 2002, which, among other
things, requires community water systems to perform vulnerability
analyses of their facilities.
Chemical facilities and community water systems reported making
security improvements separate from federal requirements. The chemical
industry's two principal trade associations require their members to
follow a security code that includes elements of a risk management
framework such as completing vulnerability assessments and taking
actions based on those assessments. Officials at all 10 chemical
facilities GAO visited reported making significant progress in
implementing the trade associations' security code. However, the
proportion of total chemical facilities covered by the code is
uncertain. The 8 water systems GAO visited reported completing their
required vulnerability assessments, which is one element of a risk
management framework. Although community water systems are not required
to take any risk reduction measures under the Bioterrorism Act, these 8
water systems reported implementing a number of enhancements, such as
increasing access controls.
Officials representing 8 of the 10 chemical facilities and 8 community
water systems GAO visited reported encountering obstacles in making
security enhancements and maintaining a level of security consistent
with their needs. Officials at 3 chemical facilities reported
experiencing difficulties, such as delays, in obtaining permits or
other approvals needed from federal authorities to install fences to
better protect the perimeter of their facilities. Officials at 6 of the
community water systems GAO visited reported economic constraints, such
as balancing the need for rate increases to fund security enhancements
with efforts to keep rates low.
MTSA's security requirements cover more than 2,900 maritime facilities,
including chemical facilities. The Coast Guard found that 97 percent of
these facilities complied with MTSA and its implementing regulations.
The Coast Guard took 312 enforcement actions against 98 facility owners
and operators and imposed operational controls on 29 facilities across
the more than 2,900 MTSA-regulated facilities. DHS and EPA generally
concurred with the contents of the report.
What GAO Recommends:
Because GAO has previously made recommendations on the key issues
discussed in this report, we are not making any new recommendations.
www.gao.gov/cgi-bin/getrpt?GAO-05-327.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact William O. Jenkins, Jr.,
(202) 512-8777, or jenkinswo@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Few Federal Security Requirements Exist for the Chemical and Water
Sectors, but Other Federal Actions Have Facilitated these Sectors'
Efforts to Enhance Security:
Chemical Facilities and Water Systems Reported Taking Actions to
Address Security Vulnerabilities but Said They Faced Obstacles in
Implementing Security Measures:
The Chemical and Water Sectors Have Incorporated Some Elements of a
Risk Management Framework to Address Their Security Vulnerabilities:
Officials at Chemical Facilities and Water Systems We Visited Agreed in
Part about What the Federal Government's Role Should Be:
The U.S. Coast Guard Completed Its Compliance Inspections and Plans to
Review the Effectiveness of the Process:
Agency Comments:
Appendix I: Scope and Methodology:
Appendix II: Number of Community Water Systems:
Appendix III: Chemical Industry Trade Associations' Implementation of
the Responsible CareŽ Security Code:
Appendix IV: Enforcement Actions Taken by the Coast Guard against MTSA-
Regulated Facilities:
Appendix V: Acknowledgments of Agency and Private Sector Contributors:
Appendix VI: Comments from the Department of Homeland Security:
Appendix VII: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Acknowledgments:
Related GAO Products:
Tables:
Table 1: Type of Security Enhancements the 10 Chemical and 8 Water
Facilities We Visited Reported Making Since September 11:
Table 2: Existing Industry Initiatives and Federal Security
Requirements Imposed on Chemical, Water, and Maritime Facilities:
Table 3: Number of Community Water Systems by Ownership and Population
Service Category for Fiscal Year 2004:
Table 4: Responsible CareŽ Security Code Deadlines for ACC Facilities:
Table 5: Responsible CareŽ Security Code Deadlines for SOCMA
Facilities:
Table 6: Enforcement Actions Taken between July 1, 2004, and December
31, 2004, by Regulatory Citation Topic:
Figures:
Figure 1: A Chemical Facility:
Figure 2: A Community Water System:
Figure 3: A Maritime Facility:
Figure 4: Examples of Perimeter and Access Controls Chemical Facilities
Reported Implementing:
Figure 5: A Risk Management Cycle:
Abbreviations:
ACC: American Chemistry Council:
AMWA: Association of Metropolitan Water Agencies:
DHS: Department of Homeland Security:
EPA: Environmental Protection Agency:
MTSA: Maritime Transportation Security Act of 2002:
NAWC: National Association of Water Companies:
NRWA: National Rural Water Association:
SOCMA: Synthetic Organic Chemical Manufacturers Association:
United States Government Accountability Office:
Washington, DC 20548:
March 28, 2005:
The Honorable Robert C. Byrd:
Ranking Member, Subcommittee on Homeland Security:
Committee on Appropriations:
United States Senate:
Dear Senator Byrd:
The USA PATRIOT Act defined critical infrastructure as those "systems
and assets . . . so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact
on security, national economic security, national public health or
safety, or any combination of those matters."[Footnote 1] We often take
these systems for granted because they are so basic in our daily lives
that we generally only notice them when their service is disrupted. The
National Strategy for Homeland Security grouped the critical
infrastructure of the United States into 13 sectors--agriculture,
banking and finance, chemical, defense industrial base, emergency
services, energy, food, government, information and telecommunications,
postal and shipping, public health, transportation, and water sectors.
Further, the President designated a lead agency for each of the 13
sectors to coordinate interaction between the federal government and
the private sectors. The lead agency for the chemical sector is the
Department of Homeland Security (DHS) and the lead agency for the water
sector is the Environmental Protection Agency (EPA).
In this report, we focus on the chemical and water sectors and on
maritime facilities within the transportation sector. These three
sectors include a variety of vital assets. Although the total number of
chemical sector facilities is not clear, there are many facilities that
manufacture chemicals. There are about 15,000 facilities--including
chemical, water, energy, and other sector facilities--that produce,
use, or store more than threshold amounts of chemicals the EPA has
estimated pose the greatest risk to human health and the environment.
Of these 15,000 facilities, DHS estimates there are about 4,000
chemical manufacturing facilities. There are approximately 53,000
community drinking water systems and more than 2,900 maritime
facilities that are required to comply with certain provisions of the
Maritime Transportation Security Act of 2002 (MTSA).[Footnote 2]
Terrorist attacks, such as the theft of certain chemicals or
contamination of our water at chemical, water, or maritime critical
infrastructure facilities, could have a significant impact on the
health and safety of millions of Americans and result in environmental
damage or disruption to the economy. This report responds to your
request that we describe the actions that the private sector is taking
to secure its critical assets in chemical, water, and maritime
facilities. We are providing information on the following questions:
(1) What federal requirements exist for the chemical and water sectors
to secure their facilities and what federal efforts were taken by the
lead agencies for the chemical and water sectors to facilitate these
sectors' actions? (2) What actions have the chemical and water sectors
reported taking to address security vulnerabilities and what, if any,
obstacles did they say they faced in implementing security measures?
(3) To what extent do the chemical and water sectors' actions reflect a
risk management approach? (4) How do the chemical and water sectors
perceive the role of the federal government in protecting these
facilities? (5) What are the results of the Coast Guard's compliance
inspection program to ensure that maritime facilities implemented
security enhancements as required by the MTSA and what actions has the
Coast Guard taken to ensure that its program is effective?
To address our five objectives, we reviewed pertinent federal
legislation, implementing regulations, and agency guidance on facility
security and met with DHS and EPA officials. We also met with industry
representatives from the American Chemistry Council (ACC) and the
Synthetic Organic Chemical Manufacturers Association (SOCMA),[Footnote
3] the two principal U.S. chemical industry associations; the
Association of Metropolitan Water Agencies (AMWA),[Footnote 4]
representing public water systems; 10 chemical facilities that were
members of ACC or SOCMA; and 8 community water systems, 5 public and 3
private. We also obtained information from the National Association of
Water Companies (NAWC), which represents privately owned water systems
and the National Rural Water Association (NRWA).[Footnote 5] In
conducting our work in the water sector, we focused on community water
systems--public water systems that supply water to the same population
year-round--since the primary focus of critical infrastructure efforts
in the water sector is on these systems. Seven of the 10 chemical
facilities we visited are located on navigable waterways and are also
regulated by the Coast Guard under the MTSA. We included chemical
facilities from which a chemical release, resulting from an attack,
could have a severe impact on surrounding communities. To assist us in
selecting these facilities, we relied upon assessments completed by ACC
and SOCMA members regarding the impact of a potential chemical release
at its facilities. In conducting our work on the chemical sector, we
focused on actions taken to strengthen security at a selected facility.
We did not address actions taken by facility personnel to protect the
transport of chemicals from the facility to other locations by way of
various transport mechanisms such as rail cars or tank trucks nor did
we address actions taken by facility personnel to prevent the sale of
hazardous chemicals to terrorists masquerading as bona fide customers.
The 8 community water systems we chose served a range of populations
and were selected from systems that were subject to drinking water
security and safety requirements of the Public Health Security and
Bioterrorism Response Act of 2002 (Bioterrorism Act).[Footnote 6] We
also interviewed Coast Guard officials in headquarters and five local
Coast Guard Marine Safety Offices and reviewed Coast Guard data and
documents regarding the Coast Guard's efforts to complete compliance
inspections of facilities covered by MTSA, enforcement actions and
operational controls taken, and efforts to ensure the effectiveness of
the inspection program. Information gathered from the 10 chemical and 8
water facilities we visited are illustrative, are not statistically
representative of their respective industry as a whole, and therefore
should not be considered to represent the views of the sectors as a
whole.
We conducted our work in accordance with generally accepted government
auditing standards from October 2004 through March 2005. Appendix I
includes more detailed information on our scope and methodology.
Results in Brief:
Few federal requirements address security in the chemical and water
sectors. However, the government has provided financial and other types
of assistance to help these sectors implement security improvements.
The federal government has enacted some legislation in these sectors to
help prevent accidental releases of hazardous materials. For example,
the Emergency Planning and Community Right to Know Act requires, in
general, certain facilities to participate with local emergency
planning committees that develop emergency response plans in the event
of an accidental release of hazardous material.[Footnote 7] With the
enactment of the Bioterrorism Act of 2002, the federal government
provided legislation to secure community water systems that serve more
than 3,300 people, including systems that store various chemicals,
against intentional attacks. This act requires operators of community
water systems to perform vulnerability analyses of their facilities and
to prepare or update an existing emergency response plan. MTSA and its
implementing regulations require maritime facility owners and
operators, including chemical facilities, to conduct assessments of
their facilities to identify vulnerabilities, develop security plans to
mitigate these vulnerabilities, and implement the measures discussed in
the security plans. Other federal actions taken by DHS and EPA to
assist the chemical and water sectors include providing financial
assistance in the form of grants, threat information and guidance,
training and exercises, and infrastructure protection initiatives, as
well as setting security requirements for some facilities and reviewing
actions by maritime facilities to determine compliance with MTSA.
Chemical facilities and community water systems reported making
security improvements separate from federal requirements. The chemical
industry's principal trade associations, the American Chemistry Council
and the Synthetic Organic Chemical Manufacturers Association, adopted
the Responsible CareŽ Security Code in 2002; it requires their member
companies to perform vulnerability assessments, develop plans to
mitigate vulnerabilities, take actions to implement the plans, and
undergo a third-party verification that facilities implemented
identified physical security enhancements. All 10 of the chemical
facilities we visited reported making significant progress in
fulfilling the requirements of the security code. Other facilities that
use chemicals also have developed security initiatives on their own,
some of which are modeled after the Responsible CareŽ Security Code.
Although the water sector has not generated a specific industry code,
the eight community water systems we visited were all regulated under
the Bioterrorism Act, which requires systems to, among other things,
perform vulnerability analyses of their facilities and prepare or
update an existing emergency response plan with respect to intentional
attacks. All eight of the community water systems we visited reported
that they had completed their vulnerability assessments as well as
implemented additional enhancements not required under the Bioterrorism
Act, such as increasing access controls. Despite progress being made to
enhance security, officials at both the chemical facilities and
community water systems we visited reported encountering obstacles in
making security enhancements and maintaining a level of security
consistent with their needs. For example, officials at three chemical
facilities reported experiencing difficulties, such as delays in
obtaining permits or other approvals needed from federal authorities to
install fences to better protect the perimeter of their chemical
facilities. Officials at six of the community water systems we visited
reported economic constraints, such as balancing the need for rate
increases to fund security enhancements with efforts to keep rates low.
Through federal regulations and private sector efforts, chemical
facilities that are members of the chemical industry's principal trade
associations and the drinking water sector have incorporated some
elements of a risk management framework to improve their security since
September 11. A risk management framework includes assessing risk,
evaluating alternatives for reducing risks, prioritizing which of those
alternatives to implement, monitoring their implementation, and
continually using new information to adjust actions taken. Information
about risks is central to determining which security enhancements
should be implemented based on available resources. Although the
chemical sector's security efforts are not regulated, the chemical
industry's principal trade associations require their members, as a
condition of membership, to follow a security code. While the code
incorporates elements of a risk management framework, the proportion of
total chemical facilities within the chemical sector that adhere to the
code is uncertain. About 2,300 ACC and SOCMA chemical manufacturing
facilities follow the Responsible CareŽ Security Code; 1,100 of which
are among the 15,000 facilities--including chemical, water, energy, and
other sector facilities--that produce, use, or store more than
threshold amounts of chemicals that EPA has estimated pose the greatest
risk to human health and the environment. Within these 15,000
facilities, DHS estimates there are about 4,000 chemical manufacturing
facilities. In March 2003, we recommended that the Secretary of
Homeland Security and the Administrator of EPA jointly develop, in
consultation with the Office of Homeland Security a comprehensive
national chemical security strategy to include, among other things,
information on industry security preparedness and a legislative
proposal to require chemical facilities to expeditiously assess their
vulnerability to terrorist attacks and, where necessary, require these
facilities to take corrective action.[Footnote 8] At that time, DHS and
EPA agreed that legislation requiring chemical facilities to assess and
address vulnerabilities to terrorist attack should be enacted.
The water sector is regulated by the Bioterrorism Act of 2002, which
requires community water systems serving more than 3,300 people to,
among other things, perform vulnerability analyses of their facilities.
The community water systems we visited implemented enhancements not
required under the act, although actions were limited by their own
resource constraints. The nation's drinking water systems are not
required to implement any risk reduction actions based on their
vulnerability assessments or report to EPA on measures that have been
implemented. Thus, the extent of the actions taken by these water
systems is unknown. However, the Conference Report accompanying the
Department of Homeland Security Appropriations Act for fiscal year 2005
calls for DHS to analyze whether it should require private sector
entities to provide it with information concerning these entities'
security measures and vulnerabilities to improve DHS's ability to
evaluate critical infrastructure protections nationwide.[Footnote 9]
This report also mandates that GAO review DHS's analysis when it is
complete. A DHS official has told us that it preliminarily expects to
complete this analysis in December 2005.
In February 2005, DHS released its interim National Infrastructure
Protection Plan, which we have not fully evaluated. This plan outlines
a risk management framework to guide future efforts to identify and
protect critical infrastructure and defines the roles of federal,
state, local, and tribal agencies and the private sector using elements
of this framework.
Operators of chemical manufacturing facilities and community water
systems we contacted agreed that the federal role should include
communicating threat information but had different views with respect
to the need for the government to enact additional regulation to
enhance security protection. Officials at 8 of the 10 of the chemical
facilities we visited reported that the federal government should
introduce regulations comparable to the Responsible CareŽ Security Code
for the entire chemical sector to follow. Officials at 3 of the
facilities we visited stated that those facilities that do not adhere
to the Responsible CareŽ Security Code may have a competitive advantage
over those facilities that do adhere to the code. In comparison, the
majority of officials at the community water systems we visited
reported that the federal government should provide technical support
and guidance to help the water sector in developing and implementing
security enhancements. The majority of officials we interviewed also
supported the need for the federal government to expand financial
support for security enhancements in the water sector by providing
funding designated for community water systems.
The Coast Guard has found that the vast majority, or approximately 97
percent, of maritime facilities are in compliance with MTSA
requirements. However, the Coast Guard has not yet determined the
effectiveness of its MTSA compliance inspection process. The Coast
Guard reported inspecting all of the more than 2,900 regulated
facilities between July 1, 2004, and December 31, 2004, and taking 312
enforcement actions against facility owners or operators for
noncompliance with MTSA requirements. In addition to taking the 312
enforcement actions, the Coast Guard imposed operational controls on 29
MTSA facilities, such as suspending certain facility operations. The
Coast Guard has taken some actions to facilitate the effectiveness of
its compliance program, such as developing detailed checklists for
facility inspections and training its inspectors. However, because of
the high priority given to complete inspections at all regulated
facilities by December 31, 2004, the Coast Guard said it has not
completed an evaluation of the overall effectiveness of the compliance
inspections, but plans to incorporate lessons learned from such an
evaluation in the future. In June 2004, we issued a report on the
status of the Coast Guard's strategy for monitoring and overseeing the
implementation requirements of MTSA. At that time, we recommended that
the Coast Guard evaluate its initial compliance inspection efforts upon
completion and use the results to strengthen the compliance process for
its long-term strategy.[Footnote 10] The Coast Guard agreed with our
recommendation.
We provided a draft of this report to DHS and EPA for review and
comment. DHS and EPA generally concurred with the contents of the
report. A copy of DHS's letter commenting on the report is presented in
appendix VI. EPA did not provide a formal letter.
Background:
The National Strategy for Homeland Security and the National Strategy
for the Physical Protection of Critical Infrastructures and Key Assets
identified the private sector as the owner of 85 percent of the
nation's critical infrastructure and recognized that the owners of this
infrastructure bear primary responsibility for protecting their
facilities from deliberate acts of terrorism. The National Strategy for
the Physical Protection of Critical Infrastructures and Key Assets
specifically designated the role of the federal government, "to
coordinate the complementary efforts and capabilities of government and
private institutions to raise our level of protection over the long
term." Moreover, the President issued a directive emphasizing the
federal government's role by designating the Secretary of Homeland
Security to identify, prioritize, and coordinate the protection of
critical infrastructure and key resources with an emphasis on those
that could be exploited to cause catastrophic health effects or mass
casualties.[Footnote 11] The directive requires the Secretary to
collaborate with other federal departments and agencies to develop a
program to map critical infrastructure and key resources; model the
potential implications of terrorist exploitation of vulnerabilities
within the critical infrastructure and key resources; and develop a
national indications and warnings architecture, among other things, to
help identify indicators and precursors to an attack. This directive
also required DHS to produce a comprehensive integrated National Plan
for Critical Infrastructure and Key Resources Protection to outline
national goals, objectives, milestones, and key initiatives by December
17, 2004.
Our report focuses on efforts in the chemical and water sectors and the
maritime segment of the transportation sector. The chemical sector is
diverse in that its facilities produce, use, or store a multitude of
products including (1) basic chemicals used to manufacture other
products such as plastics, fertilizers, and synthetic fibers; (2)
specialty chemicals used for a specific purpose such as a functional
ingredient or as a processing aid in the manufacture of a diverse range
of products such as adhesives and solvents, coatings, industrial gases,
industrial cleaners, and water management chemicals; (3) life science
chemicals consisting of pharmaceuticals and pesticides; and (4)
consumer products such as hair and skin care products and cosmetics. To
produce and deliver these products, the sector depends on raw
materials, manufacturing plants and processes, and distribution
systems, as well as research facilities and supporting infrastructure
services, such as transportation and electricity. Because many
chemicals are inherently hazardous, the release of chemicals or the
risk of contamination at chemical facilities poses a potential threat
to public health and the economy. Figure 1 depicts a chemical facility.
Figure 1: A Chemical Facility:
[See PDF for image]
[End of figure]
The water sector consists of two basic components: freshwater supply
and wastewater collection and treatment. As we previously mentioned, we
focused on community water systems within supply since the primary
focus of critical infrastructure efforts is on these systems. According
to EPA data, in 2004, there were approximately 53,000 community water
systems in the United States.[Footnote 12] EPA's data reflect that
ownership of these systems is evenly split--about half are publicly
owned by state and local authorities and about half are privately
owned.[Footnote 13] According to EPA, the majority of the U.S.
population gets its water from publicly owned systems (see app. II for
more details on the number of community water systems in the United
States). Community water systems vary by size and other factors but
most typically include a supply source, such as a reservoir; a
treatment facility, which stores and uses chemicals, such as chlorine,
to eliminate biological contaminants; and a distribution system, which
includes water towers, piping grids, pumps, and other components to
deliver treated water to consumers. Community water systems often
contain thousands of miles of pipes and numerous access points that can
be vulnerable to terrorist attack. Figure 2 reflects a community water
system.
Figure 2: A Community Water System:
[See PDF for image]
[End of figure]
Maritime facilities include a number of waterfront facilities such as
container terminals, factories, and shipping terminals, which may
contain hazardous materials, as well as passenger terminals. In
addition to possessing the potential for being used as a conduit for
smuggling weapons of mass destruction or other dangerous materials into
the country, maritime facilities present attractive targets of
opportunity for terrorists to impact the nation's economy. Figure 3
depicts a maritime facility.
Figure 3: A Maritime Facility:
[See PDF for image]
[End of figure]
Few Federal Security Requirements Exist for the Chemical and Water
Sectors, but Other Federal Actions Have Facilitated these Sectors'
Efforts to Enhance Security:
Currently, few federal requirements specifically address the security
of chemical or drinking water systems from terrorism. Some federal
requirements have been enacted to help prevent and mitigate accidental
releases of hazardous chemicals. For example, the Emergency Planning
and Community Right to Know Act requires, in general, certain
facilities to participate with local emergency planning committees that
develop emergency response plans in the event of an accidental release
of hazardous material. Additionally, the 1990 Clean Air Act
Amendments[Footnote 14] require certain chemical facilities to develop
risk management plans to help prevent accidental releases of hazardous
air pollutants. Under this act, EPA requires that about 15,000
facilities--including chemical, water, energy, and other sector
facilities--that produce, use, or store more than threshold amounts of
chemicals posing the greatest risk to human health and the environment
take a number of steps to prevent and prepare for an accidental
chemical release.[Footnote 15] Specifically, EPA regulations
implementing the Clean Air Act require that the owners and operators of
chemical facilities include a facility hazard assessment, an accident
prevention program, and an emergency response program as part of their
risk management plans. The Bioterrorism Act was enacted to specifically
help secure community water systems that provide water to more than
3,300 people, including such systems' storage of various chemicals,
against purposeful attacks.[Footnote 16] It requires operators of
community water systems to perform vulnerability analyses of their
facilities and to prepare or update an existing emergency response
plan. MTSA and its implementing regulations require maritime facility
owners and operators to conduct assessments of certain at-risk
facilities to identify vulnerabilities, develop security plans to
mitigate these vulnerabilities, and implement the measures discussed in
the security plans.
Although the federal government does not have primary responsibility
for implementing security enhancements at privately owned critical
infrastructure, DHS and EPA--the lead agencies for the chemical and
water sectors respectively--have taken some actions to try to
facilitate private sector security improvements by (1) providing
financial assistance, (2) providing information and guidance, (3)
providing training and exercises, (4) developing infrastructure
protection initiatives, (5) setting security requirements for some
facilities and related deadlines for taking required measures, and (6)
reviewing actions taken at those facilities.
* Providing financial assistance: The federal government has provided
financial assistance through several grant programs such as port
security grants,[Footnote 17] EPA's security planning grant program for
vulnerability assessments,[Footnote 18] and the Homeland Security Grant
Program[Footnote 19] for infrastructure security. For example, 4 of the
10 chemical facilities we visited reported receiving port security
grants ranging from $265,000 to $1.8 million that helped to defray the
costs they incurred in implementing security enhancements since
September 11, which ranged from $2.3 million to $10 million.[Footnote
20]
* Information sharing and guidance: DHS and EPA partner with the
chemical and water sectors' Information Sharing and Analysis Centers to
coordinate and establish information-sharing mechanisms on critical
infrastructure protection that includes threat information.[Footnote
21] As we reported in January 2005, DHS is also seeking to enhance
communication between critical infrastructure sectors, like the
chemical and water sectors, with the government.[Footnote 22] For
example, it established a Water Sector Coordinating Council that
consists of representative members of the water sector community and is
charged with identifying information and other needs of the sector,
including the appropriate use of and the relationships among the Water
Information Sharing and Analysis Center, the Water Security Channel,
and the Homeland Security Information Network--a national communication
mechanism that is to provide the water sector with a suite of
information and communication tools to share critical information
within the sector, across other sectors, and with DHS.[Footnote 23]
According to a DHS official, the department is assembling a Government
Coordinating Council made up of federal, state, and local officials to
assess impacts across critical infrastructure sectors, including the
water sector. A DHS official also told us that a similar Government
Coordinating Council for the chemical sector was formed on March 17,
2005. For maritime facilities, the Coast Guard established local port
security committees known as Area Maritime Security Committees to,
among other things, serve as a link for communicating threats and
disseminating appropriate security information to port stakeholders
such as facility owners or operators. Required under MTSA, these
committees are headed by a Coast Guard officer and are composed of a
wide range of port stakeholders including members from law enforcement
agencies, maritime industry (which could include chemical facilities on
the waterfront), and federal, state, and local governments. DHS and EPA
have also provided guidance to the chemical and water sectors,
respectively, for conducting risk assessments.[Footnote 24] In
addition, EPA provides technical assistance to the water sector to help
ensure the continued security of the nation's drinking water. For
example, trained environmental professionals, scientists, and engineers
provide information on technological advances in water security. EPA
prepared voluntary guidelines--the Interim Final Response Protocol
Toolbox: Planning for and Responding to Contamination Threats to
Drinking Water Systems--for drinking water systems to use to help plan
for and respond to intentional threats and incidents related to water
contamination. EPA also established a Water Security Working Group made
up of 16 members from the wastewater and drinking water utilities and
environmental and rate-setting organizations. The group advises the
National Drinking Water Advisory Council (NDWAC)[Footnote 25] on ways
to address several specific security needs of the sector. The working
group is to identify features of an active and effective security
program and ways to measure the adoption of these practices and provide
recommendations to NDWAC by the spring of 2005. The working group is
also charged with identifying incentives for the voluntary adoption of
an active and effective security program in the drinking water and
wastewater sector. In turn, NDWAC provides advice and recommendations
to EPA related to drinking water quality, including water security and
emerging issues on drinking water.
* Training and exercises: DHS and EPA have also provided a series of
specialized security training courses to assist the private sector in
protecting its critical assets. For instance, DHS has provided training
programs to first responders and facility security officers to better
equip these personnel with appropriate skills to prevent and protect
against continuing and emerging threats to the nation's critical
infrastructure. Additionally, EPA has sponsored a variety of training
courses, meetings, workshops, and webcasts to help enhance the security
and emergency response capabilities of drinking water facilities. DHS
has also initiated several security exercises with individual
facilities and held portwide exercises or drills initiated by the Coast
Guard to help these facilities react appropriately in the event of a
terrorist attack.
* Infrastructure protection initiatives: Two initiatives that DHS has
under way to facilitate efforts by the private sector to enhance
critical infrastructure protection are the Buffer Zone Protection
Program and Site Assistance Visits. As part of the Buffer Zone
Protection Program--a program designed to reduce specific
vulnerabilities by developing protective measures that extend from the
critical infrastructure site to the surrounding community--DHS provides
advice and guidance to state and local partners as they prioritize
specific vulnerability reduction efforts. DHS also conducts site
assistance visits at critical infrastructure sites nationwide to
address key areas of concern at facilities requiring security
enhancements. DHS subject matter experts in the area of physical
security measures, system/interdependencies, and terrorist attack
planning conduct these visits (which generally last 1 to 3 days) in
which, among other things, the vulnerabilities of the site or facility
are identified and mitigation options are discussed. The site
assistance visits also provide insight into threats that pertain to the
sector based on DHS's access to threat information.
* Setting security requirements and deadlines: In October 2003, the
Coast Guard issued regulations to enforce MTSA's security requirements
for maritime facilities, including some chemical facilities in
proximity to waters subject to U.S. jurisdiction. These regulations
established a process and related deadlines for maritime facilities to
follow in assessing their security risks and preparing related plans to
include actions mitigating any identified vulnerabilities.
* Reviewing actions taken: In 2004, the Coast Guard began a compliance
inspection program with on-site inspections and spot checks to help
ensure compliance by MTSA-regulated facilities.
As part of its efforts to coordinate with the chemical sector to
enhance critical infrastructure protection as discussed above, DHS
gathered data on actions taken by some chemical facilities. However,
DHS officials told us that these data do not reflect actions taken by
the entire chemical industry. In addition, EPA officials told us that
while engaged in meetings and technical assistance or training sessions
with community water systems, they received information on actions
taken by some community water systems. However, they also stated that
this information was anecdotal and does not reflect actions taken by
the entire water sector.
Chemical Facilities and Water Systems Reported Taking Actions to
Address Security Vulnerabilities but Said They Faced Obstacles in
Implementing Security Measures:
One of the chemical industry's principal trade associations, ACC, set
policy for its members to follow that was designed to strengthen
infrastructure protection at its members' facilities, whereas, the
water sector followed the requirements of legislation. While the
chemical and water facilities we visited reported taking a variety of
actions to strengthen the security of their facilities; they also
identified obstacles both in making these enhancements and in
maintaining them.
Chemical Facilities and Water Systems We Visited Reported Making
Security Enhancements Separate from Federal Regulations:
After September 11, the chemical and water sectors reported taking a
variety of actions to strengthen the security of their facilities.
Prior to September 11, ACC, SOCMA, and the Chlorine Institute initiated
the development of Site Security Guidelines for its members to help
facility managers make decisions on appropriate security measures based
on risk that were subsequently published in October 2001. In 2002, ACC
adopted a security code to accompany its Responsible Care Management
SystemŽ.[Footnote 26] As a condition of membership, ACC requires its
members to adhere to its Responsible CareŽ Security Code. Under the
Responsible CareŽ Security Code, member companies are to perform
vulnerability assessments, develop plans to mitigate vulnerabilities,
take actions to implement the plans, and undergo third-party
verification that the facilities implemented identified physical
security enhancements. While the Responsible CareŽ Security Code does
not require third parties to verify that a vulnerability assessment was
conducted appropriately or that actions taken by a facility adequately
address security risks, the Responsible Care Management SystemŽ
certification requirements do require member companies to periodically
conduct independent third-party audits that include an assessment of
their security programs and processes and implementation of corrective
actions. SOCMA also adopted the Responsible CareŽ Security Code,
requiring its members to adhere to it as well. (For more details
regarding the Responsible CareŽ Security Code and the status of ACC and
SOCMA members' actions, see app. III).
In June, 2004, the chemical industry confirmed to DHS that it had
established the Chemical Sector Council to act as a coordination
mechanism for the chemical sector to identify, prioritize, and
coordinate the protection of critical infrastructure and key resources;
and to facilitate sharing of information about physical and cyber
threats, vulnerabilities, incidents, potential protective measures and
best practices. The Chemical Sector Council is composed of 15 sector
associations: ACC, the American Forest and Paper Association, the
Chemical Producers and Distributors Association, the Chlorine Chemistry
Council, the Compressed Gas Association, Crop Life America, the
Institute of Makers of Explosives, the International Institute of
Ammonia Refrigeration, the National Association of Chemical
Distributors, the National Paint and Coatings Association, SOCMA, the
Adhesive and Sealant Council, the Chlorine Institute, the Fertilizer
Institute, and the Society of the Plastics Industry, Inc.
In March 2003, we reported that other facilities that use chemicals,
including fertilizer suppliers, petroleum and natural gas facilities,
food storage facilities, water treatment facilities, and wastewater
treatment facilities, have developed their own security initiatives.
[Footnote 27] For example, the Fertilizer Institute, which represents
fertilizer manufacturers and fertilizer retail and distribution
facilities, developed a security code modeled after ACC's Responsible
CareŽ Security Code. The Fertilizer Institute's code encourages
facilities to develop vulnerability assessments and implement plans
based on the assessments.
However, because the total number of facilities within the chemical
sector is uncertain, it is difficult to determine the proportion of all
chemical sector facilities that are not members of ACC or SOCMA and
thus are not required to adhere to the Responsible CareŽ Security Code.
For example, there are approximately 2,300 ACC and SOCMA facilities,
1,100 of which are among the15,000 facilities--including, chemical,
water, energy, and other sector facilities--that produce, use, or store
more than threshold amounts of chemicals that EPA has estimated pose
the greatest risk to human health and the environment. Within these
15,000 facilities, DHS estimates that there are about 4,000 chemical
manufacturing facilities. A DHS official told us that the department is
working with Argonne National Laboratory on the development of a
taxonomy--a list of the types of facilities that should be included--
for each critical infrastructure sector, including the chemical sector.
Although the water sector has not generated a specific industry code,
all community water systems that serve more than 3,300 people are
subject to the drinking water security and safety requirements of the
Bioterrorism Act. According to EPA data, in fiscal year 2004, there
were approximately 53,000 community water systems in the United States,
of which about 8,600 (16 percent) were required by the Bioterrorism Act
to prepare vulnerability assessments for their systems. According to
EPA officials, as of February 23, 2005, all community water systems
that serve 50,000 or more people have submitted their vulnerability
assessments to EPA; whereas, 92 percent of the smaller systems (those
serving between 3,301 and 49,999 people) have submitted their
vulnerability assessments. Under the Bioterrorism Act, community water
systems that serve 100,000 or more people were required to submit their
vulnerability assessments to EPA by March 31, 2003; those systems that
served between 50,000 and 99,999 people were required to submit their
vulnerability assessments to EPA by December 31, 2003; and those that
served between 3,301 and 49,999 people were required to submit their
assessments by June 30, 2004.
The actions the facilities we visited reported taking reflect, in many
ways, the security initiatives issued from trade industry associations
and legislation enacted by the federal government. For example, all 10
of the chemical facilities we visited reported fulfilling the steps
under the Responsible CareŽ Security Code by completing their
vulnerability assessments and developing plans to mitigate
vulnerabilities.[Footnote 28] Eight of those facilities reported that
they have fully implemented their planned enhancements. The remaining
two chemical facilities reported making significant progress on planned
enhancements. However, they also reported implementing alternative
measures for some enhancements, such as adding guards for additional
patrols while permanent barriers are being constructed. In the water
sector, officials at eight community water systems that we visited
reported that they completed their vulnerability assessments in
accordance with the Bioterrorism Act. Even though not specifically
required by the Bioterrorism Act, officials at the eight community
water systems we visited told us they implemented a number of
enhancements, such as increasing access controls by establishing an
electronic key control system that assigns keys to individual staff
members and tracks their use. Table 1 provides additional information
on the types of enhancements the chemical and water facilities reported
taking since September 11, and figure 4 provides examples of some of
these enhancements.
Table 1: Type of Security Enhancements the 10 Chemical and 8 Water
Facilities We Visited Reported Making Since September 11:
Type of security enhancement: Increasing perimeter control;
Number of chemical facilities: 10;
Number of community water systems: 8;
Examples of enhancements: Fencing, gates, cameras, and signs.
Type of security enhancement: Increasing access control;
Number of chemical facilities: 10;
Number of community water systems: 8;
Examples of enhancements: Turnstiles, access control cards, and
changing outer locks.
Type of security enhancement: Enhancing monitoring;
Number of chemical facilities: 10;
Number of community water systems: 7;
Examples of enhancements: Motion detectors and contamination detectors.
Type of security enhancement: Establishing system redundancies;
Number of chemical facilities: 5;
Number of community water systems: 5;
Examples of enhancements: Backup pumps, power systems, and storage
capacity.
Type of security enhancement: Increasing automated (cyber) system
protections;
Number of chemical facilities: 9;
Number of community water systems: 7;
Examples of enhancements: Separation of business and control process
networks and firewalls.
Type of security enhancement: Increasing facility precautions;
Number of chemical facilities: N/A;
Number of community water systems: 7;
Examples of enhancements: Shredding old facility maps.
Type of security enhancement: Making process or inventory changes;
Number of chemical facilities: 7;
Number of community water systems: N/A;
Examples of enhancements: Reducing the inventory of hazardous chemicals
stored on site.
Source: GAO analysis of enhancements the chemical facilities and
community water systems reported taking.
[End of table]
Figure 4: Examples of Perimeter and Access Controls Chemical Facilities
Reported Implementing:
[See PDF for image]
Note: From left to right: entrance barricades, card-code turnstile, and
closed-circuit camera.
[End of figure]
Chemical Facilities and Water Systems Said They Faced Several Obstacles
in Making and Maintaining Security Enhancements:
In making security enhancements and in maintaining a level of security
consistent with their needs, officials at the chemical facilities and
community water systems we visited told us that they faced several
obstacles. However, the obstacles varied by sector. Three chemical
facility operators told us that they experienced difficulties in
obtaining permits or approval from the U.S. Army Corps of Engineers to
install fences to better protect the perimeter of their chemical
facilities. Officials at one facility stated that they did not obtain a
permit from the Army Corps of Engineers to install a fence on wetlands
in a timely manner, while an official at another chemical facility said
that they moved the planned location of their fenceline rather than go
through a permitting process. The official representing the third
chemical facility told us that they moved their fence line because the
Corps of Engineers refused to allow them to install fences on the Corps-
managed property. One of the United States Army Corps of Engineers'
missions is to preserve wetlands. Project proponents who seek to fill
in wetlands or waters are required under federal law to obtain a permit
from the Army Corps of Engineers before they can undertake such
activities. According to the Army Corps of Engineers, the agency
requires permit applicants to avoid, minimize, or mitigate impacts to
wetlands or waters in most cases.[Footnote 29]
Officials from two other chemical companies we visited said that they
were experiencing continuing difficulties in gaining cooperation from
railroads to maintain security when railroad personnel made deliveries
or picked up products from the chemical facilities' premises. An
official from one of these chemical companies said that the railroads
followed security standards that were lower than the chemical company's
standards and often took actions that compromised the chemical
facility's security. Officials representing two of the chemical
facilities we visited also stated that they were challenged in
obtaining contractors, such as crews hired to perform major system
maintenance in the facilities, with an appropriate level of background
screening.
Officials at six of the eight community water systems we visited stated
that they faced economic constraints in addressing security issues,
including insufficient financial resources to implement security
enhancements and determining how best to use available funds given
competing priorities such as nonsecurity-related infrastructure
upgrades. Officials at six of these systems told us that they are
challenged to balance the need for rate increases to fund security
enhancements with efforts to keep water rates low. Furthermore,
officials at two community water systems stated that first responders
such as police and firefighters were generally given priority to use
DHS grant funds awarded to states in relation to homeland security. As
a result, these community water officials said that within their
states, the first responders typically consumed all of the grant funds
and nothing remained for the utilities' use. DHS awards of homeland
security grant funds, in general, have provided states with a certain
measure of flexibility with respect to how grant funds are to be
allocated and used by the states in support of their State Homeland
Security Strategies.
Four of the eight community water systems we visited also stated that
instituting a cultural change that stresses the importance of security
was another challenge they needed to address. For example, an official
at one of these systems said that its employees are not always diligent
about carrying out security enhancements, such as ensuring that doors
stay locked during shift changes. An official at another system noted
that the public in his locality did not perceive the water system to be
at risk and, if it was, the public believed that little could be done
to prevent a terrorist attack, making it difficult for the community
water system to obtain budget increases to pay for security
enhancements. Officials at two of the eight community water systems we
visited reported that sufficient technology was not available to ensure
an appropriate level of security enhancements. For instance, one large
community water system reported that while technology is currently
available to allow a system to test its water supply for contaminants
at a specific point in time, a readily accessible technology does not
exist for continuously monitoring the supply that would alert a system
immediately upon a contaminant's entry into the water. As reported in
the fiscal year 2006 President's Budget, the Administration requested
$44 million to fund the Water Sentinel Initiative as a pilot program in
five major cities. Under this initiative, the federal government would
commence the development of a water surveillance system designed to
enhance security of the nation's water supply by providing an early
warning mechanism for possible contaminants, including chemical or
biological agents, entering the water supply.
The Chemical and Water Sectors Have Incorporated Some Elements of a
Risk Management Framework to Address Their Security Vulnerabilities:
The chemical and drinking water sectors have incorporated some elements
of a risk management framework to protect their critical
infrastructure. As shown in figure 5, a risk management framework
represents a series of analytical and managerial steps, basically
sequential, that can be used to assess risk, assess alternatives for
reducing risks, choose among those alternatives, implement the
alternatives, monitor their implementation, and continually use new
information to adjust and revise the assessments and actions, as
needed. Adoption of a risk management framework can aid in assessing
risk by determining which vulnerabilities should be addressed in what
ways within available resources.
Figure 5: A Risk Management Cycle:
[See PDF for image]
[End of figure]
Assessing risks for specific assets--such as community water systems or
chemical plants on navigable waterways--is defined by two conditions:
(1) probability, the likelihood, quantitative or qualitative, that an
adverse event would occur; and (2) consequences, the damage resulting
from the event, should it occur.
Thus, the most severe risks are those that have both the greatest
probability of occurring and would cause the greatest damage. Actual
risk reflects the combination of the two factors. Risks may be managed
by reducing the probability, the consequence, or, where possible, both.
As this suggests, identifying threats and vulnerabilities (e.g.,
weaknesses in structure or security operations) in existing
infrastructure is necessary but not sufficient to fully manage the
risks to the infrastructure. Assessing the vulnerability of
infrastructure to damage or destruction should be coupled with an
assessment of the probability that the vulnerability will be exploited
and the consequences that would result if it were exploited. Several
risks, each with equally serious potential consequences, may not be
equally likely to occur. In addition, private entities may benefit from
assistance in the form of risk information from intelligence or law
enforcement agencies to assess the types of risks faced and the
probability that these risks would result in an adverse event. Because
it is unlikely that sufficient resources will be available to address
all risks, it becomes necessary to prioritize both risks and the
actions taken to reduce those risks, taking cost into consideration.
For example, which actions will have the greatest net potential benefit
in reducing one or more risks?
The information we obtained from our site visits and discussions with
national chemical and water associations suggests that some elements of
a risk management framework have been incorporated into the assessments
and actions taken by both chemical and community water facilities. The
chemical facilities we visited were all members of the ACC or SOCMA and
subscribe to the Responsible CareŽ Security Code, which those
associations require their members to follow.
Of the 2,300 ACC and SOCMA chemical facilities affected by the
Responsible CareŽ Security Code, 1,100 are among the 15,000 facilities-
-including, chemical, water, energy, and other sector facilities--that
produce, use, or store more than threshold amounts of chemicals that
EPA has estimated pose the greatest risk to human health and the
environment. As we previously mentioned, it is difficult to determine
the proportion of chemical facilities that follow the Responsible CareŽ
Security Code because even though DHS estimates that there are about
4,000 chemical manufacturing facilities within the 15,000 facilities,
the total number of chemical facilities in the chemical sector is
uncertain. In our March 2003 report, we recommended that the Secretary
of Homeland Security and the Administrator of EPA jointly develop, in
consultation with the Office of Homeland Security, a comprehensive
national chemical security strategy to include, among other things,
information on industry security preparedness and a legislative
proposal to require chemical facilities to expeditiously assess their
vulnerability to terrorist attacks and, where necessary, require these
facilities to take corrective action.[Footnote 30] DHS and EPA agreed
that legislation requiring chemical facilities to assess and address
vulnerabilities to terrorist attack should be enacted.[Footnote 31]
Similar to the Responsible CareŽ Security Code, under MTSA and its
implementing regulations, more than 2,900 maritime facilities
(including some chemical) are required to assess risks, develop
security plans to mitigate them, and implement those security plans.
The Coast Guard is responsible for inspecting facilities for
compliance.
The Bioterrorism Act requires all community water systems that serve
populations of 3,300 or more to prepare vulnerability assessments and
update or prepare emergency plans based on those assessments. EPA
guidance for these vulnerability assessments calls for them to include
(1) a characterization of the water system, (2) the identification of
possible consequences of malevolent acts, (3) the critical assets
subject to malevolent acts, (4) an assessment of the threat of
malevolent acts, (5) an evaluation of countermeasures, and (6) a plan
for risk reduction. However, as shown in table 2, community water
systems are not subject to federal requirements to implement any risk
reduction actions based on the completed vulnerability assessments or
report to EPA on measures that have been implemented in a manner
similar to that required of port facilities by MTSA. For those systems
we visited, the actions taken reflected the systems' own risk
assessments and resource constraints. Some systems have had more
resources to devote to risk reduction than others.
Yet, the extent of actions taken by community water systems is unknown.
The Conference Report accompanying the Department of Homeland Security
Appropriations Act for fiscal year 2005 calls for DHS to analyze
whether it should require private sector entities to provide it with
information concerning these entities' security measures and
vulnerabilities to improve DHS's ability to evaluate critical
infrastructure protections nationwide. This report also mandates that
GAO review DHS's analysis when it is complete. A DHS official has
preliminarily told us that the Department expects to complete this
analysis in December 2005.
Table 2: Existing Industry Initiatives and Federal Security
Requirements Imposed on Chemical, Water, and Maritime Facilities:
Security requirements: Chemical Industry--ACC Responsible CareŽ
Security Code[A];
Elements of risk management: Vulnerability assessment: Yes;
Elements of risk management: Security or risk reduction plan: Yes;
Elements of risk management: Implementation of measures: Yes;
Elements of risk management: Third-party verification or compliance
inspection: Yes[B].
Security requirements: Bioterrorism Act[C];
Elements of risk management: Vulnerability assessment: Yes;
Elements of risk management: Security or risk reduction plan: [D];
Elements of risk management: Implementation of measures: No;
Elements of risk management: Third-party verification or compliance
inspection: No.
Security requirements: MTSA and the Coast Guard's implementing
regulations[E];
Elements of risk management: Vulnerability assessment: Yes;
Elements of risk management: Security or risk reduction plan: Yes;
Elements of risk management: Implementation of measures: Yes;
Elements of risk management: Third-party verification or compliance
inspection: Yes.
Source: GAO analysis of above-mentioned legislation, guidance, and
trade association code.
[A] This code applies to chemical facilities that are members of ACC
and SOCMA.
[B] The Responsible CareŽ Security Code does not require that third
parties verify that the vulnerability assessment was conducted
appropriately or that actions taken by a facility adequately address
security risks.
[C] This act and guidance apply to community water systems that serve
more than 3,300 people. The act also requires such systems to prepare
or update existing emergency response plans.
[D] Although not specifically required by the Bioterrorism Act, EPA
guidance related to the preparation of vulnerability assessments
required under the Bioterrorism Act calls for community water systems
to include, among other things, a plan for risk reduction in their
vulnerability assessments.
[E] This act, as implemented, generally applies to maritime facilities
in proximity to navigable waters including facilities that handle
explosive or other dangerous cargos, liquefied natural gas or liquefied
hazardous gas, or transfer oil or other hazardous materials; facilities
that receive vessels certified to carry more than 150 passengers;
facilities that receive certain passenger and cargo ships engaged in
international voyages; facilities that receive certain foreign cargo
vessels; and commercial barge fleeting facilities.
[End of table]
In February 2005, DHS released its Interim National Infrastructure
Protection Plan, whose purpose is to "prioritize protection across
[infrastructure] sectors, so that resources are applied where they
offer the most benefit for reducing vulnerability, deterring threats,
and minimizing consequences of attacks." Because we just recently
received the plan, we have not fully evaluated it. However, the plan
outlines (1) a risk management framework to guide future efforts to
identify and protect critical physical infrastructure and (2) the roles
of federal, state, local, tribal, and private agencies and entities in
implementing this framework.
Under this approach, risks are to be managed in response to (1)
specific threats and (2) plausible threats. Specific threats are
situations where there is intelligence regarding targeted locations,
sectors, or assets, or when there is suspected activity by groups known
to favor attacks on certain types of assets. The likelihood of the
threat would drive short-term protective measures. Plausible threats
are those "that could logically occur and that would have negative
consequences on a particular asset." Plausible threats are treated as
if all are equally likely to occur--that is, they result from the
general threat environment. Thus, plausible threats focus protective
efforts on the inherent vulnerabilities of different assets and the
potential consequences of an attack, rather than the likelihood of a
particular event.
The plan also outlines the roles and responsibilities of federal,
state, local, and tribal agencies, and the private sector using
elements of a risk management framework. The federal government's role
would include setting standards for identifying critical assets,
assessing the most critical assets, developing consistent approaches
and tools for identifying and assessing vulnerabilities, analyzing and
disseminating threat information, promoting cross-sector best
practices, tracking program implementation, and reporting on the
national status of infrastructure assessment and protection. The role
of state, local, and tribal agencies would include helping to identify
assets, conducting and sharing assessments with the federal government,
supplementing private sector capabilities in response to threats,
developing state or local level strategies and best practices, and
tracking performance where applicable. The private sector would play a
role similar to that of state, local, and tribal agencies plus help to
develop incentive programs for private entities.
Officials at Chemical Facilities and Water Systems We Visited Agreed in
Part about What the Federal Government's Role Should Be:
Operators of 4 of the 10 chemical manufacturing facilities and seven of
the eight community water systems we visited agreed that the federal
role in protecting their facilities should include the transmittal of
threat information. As we previously reported, to effectively
communicate risks, experts suggest that threat information should be
consistent, accurate, clear, and provided repeatedly through multiple
methods; it should be provided in a timely fashion; and to the greatest
extent possible, it should be specific about the potential
threat.[Footnote 32]
Officials representing the chemical facilities and community water
systems we visited had fundamentally different views on other roles for
the federal government. Officials representing 8 of the 10 chemical
facilities we visited expressed the view that the federal government
should introduce regulations and standards comparable to the
Responsible CareŽ Security Code for the entire chemical sector to
follow. Officials representing 3 of these facilities stated that those
facilities that do not adhere to the Responsible CareŽ Security Code
may have a competitive advantage over those facilities that do adhere
to the code.
In comparison, only one of the eight water system operators we spoke
with suggested the need for additional federal regulation. Rather,
officials at four community water systems said they would like the
federal government to establish security standards to guide actions for
the water sector. Officials representing seven of the community water
systems we visited said that they would like the federal government to
expand support for security enhancements in the water sector by
providing funding designated for community water systems. Moreover,
officials at six of the community water systems we met with suggested
that the federal government consistently emphasize the need for
security for the sector and provide technical guidance on security
planning. However, officials at four of the community water systems we
met with said that they would prefer the federal government to refrain
from issuing unfunded mandates. These officials elaborated that funding
currently provided by the federal government was not sufficient to
support federal requirements that the water companies complete
vulnerability assessments. For example, officials at one large
community water system said that their system received an EPA grant
that offset approximately 7 percent of the cost it incurred to perform
its mandated vulnerability assessment.[Footnote 33]
The U.S. Coast Guard Completed Its Compliance Inspections and Plans to
Review the Effectiveness of the Process:
The U.S. Coast Guard has found that the vast majority, approximately 97
percent, of maritime facility owners or operators are meeting MTSA
requirements. The Coast Guard reported completing compliance
inspections at all 2,924 regulated facilities by December 31, 2004,
resulting in 312 enforcement actions and operational controls imposed
on 29 facilities. The Coast Guard reported taking these 312 enforcement
actions against 98 facility owners or operators for violations. The
most frequently cited deficiencies related to insufficient access
controls; noncompliance by the owner or operator to ensure that the
facility is operating in compliance with its facility's security
requirements; noncompliance with facility security officer
requirements, such as possessing the required security knowledge or
carrying out all duties as assigned; and insufficient security measures
for restricted areas. The Coast Guard's enforcement actions included
issuing letters of warning or assessing monetary penalties for
noncompliance. See appendix IV for more details on these enforcement
actions. In addition to taking enforcement actions, the Coast Guard
imposed operational controls, such as suspending certain facility
operations, on 29 MTSA regulated facilities between July 1, 2004, and
December 31, 2004, for identified deficiencies.
The Coast Guard has taken some actions to facilitate the effectiveness
of its compliance inspection program for MTSA-regulated facilities, but
it has not yet determined the overall effectiveness of the program.
Some of the actions taken by the Coast Guard include conducting
unscheduled spot checks in addition to scheduled inspections,
developing detailed checklists for the inspectors to use during
facility inspections, conducting reviews at both the local and national
levels of the enforcement actions taken by the inspectors, and
providing training for inspectors. However, Coast Guard officials said
that because their priority was to complete the initial compliance
inspections by December 31, 2004, they have not completed an evaluation
of the effectiveness of the compliance actions for lessons learned that
could be used to improve the inspection program in the future. The
Coast Guard said that now that the initial surge of inspections has
been completed, it plans to begin a systematic effort to evaluate the
effectiveness of the compliance inspection program.
The Marine Safety Offices we visited also reported that evaluations of
their compliance efforts have not yet been completed at the local
level. Officials at these Marine Safety Offices stated that they
anticipate taking a closer look at the results of the initial
inspections to determine what improvements to make. Some of the
measures they mentioned as ways to track the effectiveness of their
compliance inspection activities included the recurrence of
deficiencies previously identified during initial inspections or spot
checks, the number of deficiencies identified during inspections or
spot checks, and an index that tracks a facility's level of risk. In
June 2004, we issued a report on the status of the Coast Guard's
strategy for monitoring and overseeing the implementation requirements
of MTSA. At that time, we recommended that the Coast Guard evaluate its
initial compliance inspection efforts upon completion and use the
results to strengthen the compliance process for its long-term
strategy, clearly define inspector qualifications, and consider
including unscheduled and unannounced inspections and covert
testing.[Footnote 34] The Coast Guard agreed with this recommendation.
Agency Comments:
We provided a draft of this report to DHS and EPA for review and
comment. DHS provided formal written comments on a draft of this report
on March 16, 2005, which are presented in appendix VI. In commenting on
the draft report, DHS noted that it generally concurred with the
report's contents and that the report presented generally valuable and
useful information. DHS observed that the report did not mention
efforts currently under way to improve government and private sector
infrastructure protection coordination efforts through the formation of
Government Coordinating Councils and Sector Coordinating Councils. We
revised our report to include a discussion of the chemical and water
sector Government Coordinating Councils and Sector Coordinating
Councils. We are currently conducting another review of chemical
facility security for the Subcommittee on National Security, Emerging
Threats, and International Relations, House Committee on Government
Reform, and are focusing on actions that DHS and other federal agencies
have taken to improve chemical facilities' security. As part of this
review, we are identifying the efforts taken by the Chemical Sector
Coordinating Council and the related Government Coordinating Council
and will report on these issues at a later date.
EPA did not submit a formal letter but did provide comments. The
comments expressed general agreement with the contents of the report.
We also provided excerpts from our draft report to ACC, SOCMA, AMWA,
NAWC, and NRWA for review and comment. DHS, EPA, ACC, SOCMA, and NAWC
also offered specific technical comments and suggestions, which have
been incorporated as appropriate.
We plan no further distribution of this report until seven days after
the date of this report. At that time, we will send copies of this
report to the Senate Committee on Homeland Security and Governmental
Affairs; Chairman, Subcommittee on Homeland Security, Senate Committee
on Appropriations; House Committee on Government Reform; House
Committee on Homeland Security; Subcommittee on Homeland Security,
House Committee on Appropriations; the Secretary of Homeland Security,
the Administrator of EPA, the Director, Office of Management and Budget
and other interested parties. We will also make copies available to
others on request.
In addition, this report will be available on GAO's Web site at
http://www.gao.gov. If you or your staff have any questions about this
report, please contact me at (202) 512-8777 or by e-mail at
jenkinswo@gao.gov or Debra Sebastian at (202) 512-9385 or by e-mail at
sebastiand@gao.gov. GAO contacts and staff acknowledgments are listed
in appendix VII.
Sincerely yours,
Signed by:
William O. Jenkins, Jr.:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Scope and Methodology:
To determine federal security requirements for the chemical and water
sectors and the efforts taken by the federal government to facilitate
private sector protection of its critical assets, we met with
Department of Homeland Security (DHS) and Environmental Protection
Agency (EPA) officials, as well as representatives from the American
Chemistry Council (ACC), the Synthetic Organic Chemical Manufacturers
Association (SOCMA), the American Metropolitan Water Association
(AMWA), 10 chemical facilities and 8 community water systems (the
criteria used to select these facilities and systems are described
below). We also obtained information from the National Association of
Water Companies (NAWC) and the National Rural Water Association (NRWA).
In addition, we reviewed pertinent federal legislation and implementing
regulations and agency guidance on facility security for these sectors.
To determine actions officials in the chemical sector reported taking
to enhance security of their facilities since September 11, the
obstacles they faced in making such enhancements, and their perceptions
of the role of the federal government in securing chemical facilities,
we met with officials from ACC and SOCMA, and with officials from 10
chemical manufacturing facilities. We selected these facilities from
those operated by members of ACC or SOCMA. To ensure that the
facilities we visited were at greatest risk, and hence had the greatest
need for security, we generally selected facilities from which a
chemical release, stemming from an attack, would have a severe impact
on surrounding communities. To assist us in selecting these facilities,
we relied upon assessments completed by ACC and SOCMA members regarding
the impact of a potential chemical release at its facilities. The
facilities we selected produce petrochemicals, building block
chemicals,[Footnote 35] inorganic chemicals, plastics, and industrial
gases. We also selected chemical facilities that were regulated by the
Coast Guard under the Maritime Transportation Security Act (MTSA) and
facilities that were not regulated to observe differences among these
types of facilities. All facilities we selected were ACC or SOCMA
members that volunteered to meet with us. We used a structured
interview guide when questioning officials during our visits to these
facilities. We did not verify that the security enhancements reported
to us by the chemical facilities were actually taken. In conducting our
work on the chemical sector, we focused on actions taken to strengthen
security at a selected facility. We did not address actions taken by
facility personnel to protect the transport of chemicals from the
facility to other locations by way of various transport mechanisms such
as rail cars or tank trucks nor did we address actions taken by
facility personnel to prevent the sale of hazardous chemicals to
terrorists masquerading as bona fide customers.
To determine actions the water sector officials reported taking to
enhance security of their facilities since September 11, the obstacles
they faced in making such enhancements, and their perceptions of the
role of the federal government in securing community water facilities,
we met with officials from the AMWA and with operators of eight
community water systems.[Footnote 36] We also obtained information from
NAWC and NRWA. We selected systems from those that were regulated under
the Bioterrorism Act--a federal law that addresses security matters
with respect to community water systems. Three of the systems we
selected were privately owned systems and five were publicly owned
systems. For the publicly owned systems, we varied our selection to
include systems that served a range of population sizes. Specifically,
we selected three systems from those that served 100,000 or more
people, one from those that served 50,000 to 99,999 people, and one
from those that served 3,301 to 49,999 people. For the private sector
systems, we selected one system that served approximately 3,500 people
and two that served 100,000 or more.[Footnote 37] In conducting our
work in this area, we focused on water supply systems rather than
wastewater treatment systems.[Footnote 38] We did not verify that the
security enhancements reported to us by the water systems were actually
taken. While we were in the process of determining which community
water systems to select, three systems contacted us and volunteered to
participate in our study. Because they met our criteria, we included
these systems as part of our selection. We used a structured interview
guide when questioning officials during our visits to these systems.
We are not disclosing the names or other identifying information
relating to the individual chemical companies, facilities, or community
water systems to ensure that security-related information is not
unintentionally disclosed. Because we limited our review to 10 chemical
facilities and 8 community water systems, the comments discussed in
this report are illustrative, are not statistically representative of
the chemical and water sectors, and should not be considered to
represent the views of the sectors as a whole.
To determine the extent to which the chemical and water sectors'
actions reflected a risk management approach, we reviewed provisions of
the Responsible CareŽ Security Code, the Bioterrorism Act, and MTSA
that the chemical and water sectors are to follow. We then compared
these provisions with elements of a risk management framework to
determine which elements the sectors have incorporated and to identify
those elements that were missing.[Footnote 39]
To determine the results of the Coast Guard's compliance inspection
program, we reviewed Coast Guard documents, such as inspection
guidance, facility inspector checklists, and navigation and vessel
information circulars regarding the procedures used to conduct the
compliance inspections and the enforcement actions and operational
controls available to the Coast Guard to address any deficiencies found
during the inspection process. We also analyzed national compliance
data provided by Coast Guard from its Marine Information for Safety and
Law Enforcement (MISLE). To assess the reliability of these data, we
examined the data for obvious errors and inconsistencies, reviewed
existing documentation about their system and data, and examined
responses the Coast Guard provided to a questionnaire we sent it
requesting information on the administration and oversight of the
system. We determined the compliance data to be sufficiently reliable
as general indicators of the results of the Coast Guard's inspection
program.
To determine what actions the Coast Guard reported taking agencywide to
ensure the effectiveness of the inspection program, we interviewed
Coast Guard officials at headquarters with responsibilities for the
compliance inspection process. To supplement this national-level
perspective, we visited five local Coast Guard offices in locations
that reflected diversity in strategic importance, geographic location,
and local characteristics. The offices we visited were located in
Charleston, South Carolina; Huntington, West Virginia; New Orleans,
Louisiana; Houston, Texas; and Seattle, Washington. We conducted our
work from October 2004 through March 2005 in accordance with generally
accepted government auditing standards.
[End of section]
Appendix II: Number of Community Water Systems:
The Safe Drinking Water Information System is EPA's national database
of public drinking water systems. Information from this system,
presented in table 3, provides information on the number of community
water systems in place during fiscal year 2004 by population service
category and ownership.
Table 3: Number of Community Water Systems by Ownership and Population
Service Category for Fiscal Year 2004:
Ownership: Private;
Size of population served: 100 or less: 11,484;
Size of population served: 101-500: 9,995;
Size of population served: 501-3,300: 3,480;
Size of population served: 3,301-10,000: 569;
Size of population served: 10,001-50,000: 331;
Size of population served: 50,001-100,000: 66;
Size of population served: 100,001-500,000: 43;
Size of population served: Over 500,000: 9;
All sizes: 25,977.
Ownership: Public;
Size of population served: 100 or less: 2,025;
Size of population served: 101-500: 6,010;
Size of population served: 501- 3,300: 10,501;
Size of population served: 3,301-10,000: 3,986;
Size of population served: 10,001-50,000: 2,623;
Size of population served: 50,001-100,000: 413;
Size of population served: 100,001-500,000: 279;
Size of population served: Over 500,000: 40;
All sizes: 25,877.
Ownership: Unknown;
Size of population served: 100 or less: 257;
Size of population served: 101-500: 235;
Size of population served: 501- 3,300: 231;
Size of population served: 3,301-10,000: 152;
Size of population served: 10,001-50,000: 103;
Size of population served: 50,001-100,000: 5;
Size of population served: 100,001-500,000: 0;
Size of population served: Over 500,000: 1;
All sizes: 984.
Total;
Size of population served: 100 or less: 13,766;
Size of population served: 101-500: 16,240;
Size of population served: 501- 3,300: 14,212;
Size of population served: 3,301-10,000: 4,707;
Size of population served: 10,001-50,000: 3,057;
Size of population served: 50,001-100,000: 484;
Size of population served: 100,001-500,000: 322;
Size of population served: Over 500,000: 50;
All sizes: 52,838.
Source: U.S. Environmental Protection Agency's Safe Drinking Water
Information System.
Note: The information in this chart is presented to provide context on
the number of community water systems in the United States. GAO has not
verified this data.
[End of table]
As reflected in the table, ownership of these systems is evenly split;
about half are publicly owned and about half are privately owned. EPA
does not have data on the ownership of approximately 2 percent, or 984,
of these systems.
[End of section]
Appendix III: Chemical Industry Trade Associations' Implementation of
the Responsible CareŽ Security Code:
The Responsible CareŽ Security Code calls for ACC's approximate 140
member companies to perform security vulnerability assessments of their
approximately 2,000 facilities, develop and implement plans to mitigate
the vulnerabilities, and obtain third-party verification that the
planned physical security enhancements were completed. The Security
Code sets milestones for facilities to complete these steps based on
the level of potential impact a chemical release stemming from a
facility would have on surrounding communities. ACC members assigned
their facilities to "tiers" based on their assessment of this level of
impact. A chemical release stemming from tier 1 facilities could have
the greatest impact on surrounding communities, whereas a chemical
release from tier 4 facilities would have no significant off-site
impacts. The milestones for completion of these steps by each tier
facility are depicted in table 4 below. ACC members operate
approximately 100 tier 1 facilities, 350 tier 2 facilities, 550 tier 3
facilities, and 1,000 tier 4 facilities. Approximately 1,000 of ACC's
facilities are among the 15,000 facilities--including, chemical, water,
energy, and other sector facilities--that produce, use, or store more
than threshold amounts of chemicals that EPA has estimated pose the
greatest risk to human health and the environment.
Table 4: Responsible CareŽ Security Code Deadlines for ACC Facilities:
Actions required under the Responsible CareŽ Security Code: Complete
facility security vulnerability assessment;
Tier 1: 12/31/02;
Tier 2: 6/30/03;
Tier 3: 12/31/03;
Tier 4: 12/31/03.
Actions required under the Responsible CareŽ Security Code: Complete
implementation of facility security enhancements;
Tier 1: 12/31/03;
Tier 2: 6/30/04;
Tier 3: 12/31/04;
Tier 4: 12/31/04.
Actions required under the Responsible CareŽ Security Code: Complete
third-party verification of physical security enhancements;
Tier 1: 3/31/04;
Tier 2: 9/30/04;
Tier 3: 3/31/05;
Tier 4: [A].
Source: American Chemistry Council.
[A] Because tier 4 facilities do not have potential significant off-
site consequences, third-party verification is not required.
[End of table]
ACC reported that as of May 2004, all of its 2,000 facilities have
completed security vulnerability assessments. ACC does not require its
member companies to report the status of security enhancements until
they report completion of third-party verification. ACC told us that
based on the verification reports its members submitted, all tier 1
facilities have completed their security enhancements and their third-
party verifications. Additionally, ACC told us that approximately 90
percent of its members, with tier 2 facilities have completed security
enhancements and the enhancements have been verified. As of March 7,
2005, 10 percent of ACC member companies are still working to complete
their tier 2 verification requirements. ACC told us that it is in
contact with these companies to provide any needed assistance, to
monitor progress, and to ensure completion of these requirements as
soon as possible.
SOCMA's 160 members also follow the provisions of the Responsible CareŽ
Security Code. As members, they are expected to perform security
vulnerability assessments of their facilities, develop and implement
plans to mitigate the vulnerabilities found in the assessments, and
obtain third-party verification that the planned physical security
enhancements were completed. Thirty-six of SOCMA's member companies are
also members of ACC and follow the Responsible CareŽ Security Code and
related milestones as administered by ACC. The remaining 124 SOCMA
companies are responsible for implementing the Responsible CareŽ
Security Code under a SOCMA-established timetable as presented in table
5. These 124 companies operate 273 facilities--of which 77 are among
the 15,000 facilities--including, chemical, water, energy, and other
sector facilities--that produce, use, or store more than threshold
amounts of chemicals that EPA has estimated pose the greatest risk to
human health and the environment in the event of a release (risk
management plan, or RMP, facilities).
Table 5: Responsible CareŽ Security Code Deadlines for SOCMA
Facilities:
Actions required under the Responsible CareŽ Security Code: Complete
facility security vulnerability assessment;
RMP facilities: 6/30/03;
Non-RMP facilities: 12/31/03.
Actions required under the Responsible CareŽ Security Code: Complete
Implementation of facility security enhancements;
RMP facilities: 12/31/04;
Non-RMP facilities: 12/31/04.
Actions required under the Responsible CareŽ Security Code: Complete
verification of enhancements;
RMP facilities: 3/31/05;
Non-RMP facilities: [A].
Source: Synthetic Organic Chemical Manufacturers Association.
[A] Non-RMP facilities are not required to have third-party
verification.
[End of table]
SOCMA officials told us that all of its member companies have reported
completing vulnerability assessments at their 273 facilities. SOCMA
also reports that 98 percent of these member companies reported
completing implementation of security enhancements at their facilities.
[End of section]
Appendix IV: Enforcement Actions Taken by the Coast Guard against MTSA-
Regulated Facilities:
The type of enforcement action the Coast Guard takes against maritime
facilities for noncompliance with MTSA regulations depends on the type
of deficiencies, the severity of the deficiencies, and the number of
times a given facility has been cited for a deficiency. The enforcement
actions taken by the Coast Guard against facility owners or operators
include:
* Letter of warning: A letter of warning is issued for deficiencies
that can usually be immediately corrected but are severe enough to
warrant documentation of noncompliance. A letter of warning can also be
issued when the Coast Guard has previously informed a facility owner or
operator of a less severe deficiency and the owner or operator has not
yet addressed the deficiency upon a subsequent Coast Guard visit or
spot check. Letters of warning document the deficiencies so that the
Coast Guard has a case file in the event a more severe penalty is
needed in the future to enforce compliance.
* Notice of violation: A notice of violation is issued when the
deficiency requires additional investigation and a monetary penalty or
when the Coast Guard has previously issued a letter of warning for the
same deficiency but the facility owner or operator has not yet
addressed the deficiency. With a notice of violation, the inspector
issues a citation that provides the facility owner or operator
immediate notification of the alleged violations and the penalty amount
proposed by the Coast Guard. The owner or operator has the option of
accepting the notice and paying the penalty amount or can decline the
notice. If the owner or operator decides to decline, the case becomes a
standard civil penalty (see below for explanation).
* Civil penalty: A civil penalty is used when a facility has several
instances of noncompliance with the regulations. Typically initiated by
a local Coast Guard unit, the civil penalty is submitted to the Coast
Guard Hearing Office to determine if there is sufficient evidence to
support the charges. Once the owner or operator has had an opportunity
to respond to the charges, the Hearing Office issues its finding and
the penalty, if any, is imposed on the owner or operator. The owner or
operator may then appeal the decision to the Coast Guard Commandant.
The consequences are essentially the same for notices of violation as
for standard civil penalty cases, because in both situations the Coast
Guard assesses a civil penalty that becomes part of a facility owner or
operator's violation history. The primary difference lies in the
severity of the sanction, with the proposed penalty amounts for notices
of violation generally lower than the recommended penalty levels for
standard civil penalty cases. In addition, the Coast Guard will not
issue a notice of violation for more than $10,000, whereas the maximum
civil penalty amount allowed by MTSA is $25,000 for each violation,
using the regular civil penalty process.
Table 6 shows the number of enforcement actions the Coast Guard
reported taking against owners or operators of maritime facilities
between July 1, 2004, and December 31, 2004, for noncompliance with
MTSA regulations to implement their security plans. The specific
regulatory cite topics in the table are listed in descending order of
the total number of enforcement actions taken.
Table 6: Enforcement Actions Taken between July 1, 2004, and December
31, 2004, by Regulatory Citation Topic:
Citation: 33 CFR 105.255;
Description of area of noncompliance: Security measures for access
control;
Number of enforcement actions taken: 89.
Citation: 33 CFR 105.200;
Description of area of noncompliance: Failure of facility owner or
operator to ensure the facility operates in compliance with security
requirements;
Number of enforcement actions taken: 38.
Citation: 33 CFR 105.205;
Description of area of noncompliance: Facility Security Officer
requirements;
Number of enforcement actions taken: 34.
Citation: 33 CFR 105.260;
Description of area of noncompliance: Security measures for restricted
areas;
Number of enforcement actions taken: 31.
Citation: 33 CFR 105.225;
Description of area of noncompliance: Failure of facility owner or
operator to make the required records available to the Coast Guard;
Number of enforcement actions taken: 20.
Citation: 33 CFR 105.405;
Description of area of noncompliance: Failure to ensure proper format
and content of the Facility Security Plan;
Number of enforcement actions taken: 13.
Citation: 33 CFR 105.210;
Description of area of noncompliance: Facility personnel with security
duties;
Number of enforcement actions taken: 11.
Citation: 33 CFR 105.125;
Description of area of noncompliance: Failure of facility owner or
operator to notify cognizant Captain of the Port of temporary
deviations;
Number of enforcement actions taken: 9.
Citation: 33 CFR 105.275;
Description of area of noncompliance: Failure to implement security
measures for monitoring as specified in the Facility Security Plan;
Number of enforcement actions taken: 9.
Citation: 33 CFR 105.265;
Description of area of noncompliance: Failure to implement security
measures for handling cargo;
Number of enforcement actions taken: 8.
Citation: 33 CFR 105.245;
Description of area of noncompliance: Failure of a facility owner or
operator to complete Declaration of Security;
Number of enforcement actions taken: 7.
Citation: 33 CFR 105.235;
Description of area of noncompliance: Failure to meet facility
communications requirements;
Number of enforcement actions taken: 6.
Citation: 33 CFR 105.215;
Description of area of noncompliance: Security training for all other
facility personnel;
Number of enforcement actions taken: 6.
Citation: 33 CFR 105.250;
Description of area of noncompliance: Failure to meet security systems
and equipment maintenance requirements;
Number of enforcement actions taken: 5.
Citation: 33 CFR 105.270;
Description of area of noncompliance: Failure to implement security
measures for delivery of vessel stores and bunkers;
Number of enforcement actions taken: 5.
Citation: 33 CFR 105.220;
Description of area of noncompliance: Failure of facility owner or
operator to meet security drill requirements;
Number of enforcement actions taken: 4.
Citation: 33 CFR 105.285;
Description of area of noncompliance: Failure to meet additional
requirements for passenger and ferry facilities;
Number of enforcement actions taken: 4.
Citation: 33 CFR 105.400;
Description of area of noncompliance: Failure to develop and implement
a Facility Security Plan;
Number of enforcement actions taken: 4.
Citation: 33 CFR 105.120;
Description of area of noncompliance: Failure to provide compliance
documentation;
Number of enforcement actions taken: 2.
Citation: 33 CFR 105.295;
Description of area of noncompliance: Failure to meet additional
requirements for Certain Dangerous Cargo (CDC) facilities;
Number of enforcement actions taken: 2.
Citation: 33 CFR 105.140;
Description of area of noncompliance: Alternative Security Program;
Number of enforcement actions taken: 1.
Citation: 33 CFR 105.230;
Description of area of noncompliance: Maritime Security (MARSEC) Level
coordination and implementation;
Number of enforcement actions taken: 1.
Citation: 33 CFR 105.240;
Description of area of noncompliance: Procedures for interfacing with
vessels;
Number of enforcement actions taken: 1.
Citation: 33 CFR 105.290;
Description of area of noncompliance: Failure to meet additional
requirements for cruise ship terminals;
Number of enforcement actions taken: 1.
Citation: 33 CFR 105.305;
Description of area of noncompliance: Failure of facility owner or
operator to conduct a Facility Security Assessment;
Number of enforcement actions taken: 1.
Total;
Number of enforcement actions taken: 312.
Source: Coast Guard.
[End of table]
[End of section]
Appendix V: Acknowledgments of Agency and Private Sector Contributors:
We would like to acknowledge the time and effort made by federal
agencies, trade associations, and security directors and other
officials representing the chemical facilities, community water
systems, and marine safety offices that provided information and talked
with us during our site visits.
Federal Agencies:
* Department of Homeland Security:
* Environmental Protection Agency:
Trade Associations:
American Chemistry Council:
Synthetic Organic Chemical Manufactures Association:
Association of Metropolitan Water Agencies:
National Association of Water Companies:
National Rural Water Association:
[End of section]
Appendix VI: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
March 16, 2005:
Mr. William O. Jenkins:
Director, Homeland Security and Justice Issues:
Government Accountability Office:
Washington, DC 20548:
Dear Mr. Jenkins:
Re: Draft Report GAO-05-327, Protection of Chemical and Water
Infrastructure: Federal Requirements, Actions of Selected Facilities,
and Remaining Challenges (GAO Job Code 440362):
Thank you for the opportunity to review your draft report. We concur
with the purpose of the report and generally concur with its contents.
Your report effectively discusses many of the regulatory and difficult
financial challenges facing the chemical and water sectors in
strengthening the security of their infrastructures.
Any such report can only represent a snapshot in time. In that context,
it is understandable that the report does not fully reflect all the
activities currently ongoing in this area. For example, the report does
not mention the efforts currently underway to improve government and
private sector infrastructure protection coordination efforts through
the formation of Government Coordinating Councils and Sector
Coordinating Councils. The report also notes that GAO did not have time
to fully evaluate the Interim National Infrastructure Protection Plan
(NIPP). DHS agrees that a rigorous risk management approach is central
to an effective infrastructure protection program and believes that the
NIPP lays out an effective risk management framework. These
observations do not alter our view that the report presents generally
valuable and useful information.
A technical comment will be sent under separate cover. We thank you
again for the opportunity to review the report and provide comments.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Acting Director, Departmental GAO/OIG Liaison Office:
[End of section]
Appendix VII: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
William O. Jenkins, Jr. (202) 512-8777;
Debra B. Sebastian (202) 512- 9385:
Acknowledgments:
In addition to the individuals named above, David P. Alexander,
Jonathan T. Bachman, Fredrick D. Berry, Beatriz Cuartas, Grace A.
Coleman, Dorian R. Dunbar, Michele C. Fejfar, Geoffrey R. Hamilton,
Christopher Hatscher, Sara R. Margraf, and Diane B. Raynes made key
contributions to this report.
[End of section]
Related GAO Products:
High-Risk Series: An Update. GAO-05-207. Washington, D.C. January 1,
2005.
Wastewater Facilities: Experts' Views on How Future Federal Funds
Should Be Spent to Improve Security. GAO-05-165. Washington, D.C.:
January 31, 2005.
Homeland Security: Agency Plans, Implementation, and Challenges
Regarding the National Strategy for Homeland Security. GAO-05-33.
Washington, D.C.: January 14, 2005.
Drinking Water: Experts' Views on How Federal Funding Can Best Be Spent
to Improve Security. GAO-04-1098T. Washington, D.C.: September 30,
2004.
Public Key Infrastructure: Examples of Risks and Internal Control
Objectives Associated with Certification Authorities. GAO-04-1023R.
Washington, D.C.: August 10, 2004.
Maritime Security: Substantial Work Remains to Translate New Planning
Requirements into Effective Port Security. GAO-04-838. Washington,
D.C.: June 30, 2004.
Critical Infrastructure Protection: Improving Information Sharing with
Infrastructure Sectors. GAO-04-780. Washington, D.C.: July 9, 2004.
Critical Infrastructure Protection: Establishing Effective Information
Sharing with Infrastructure Sectors. GAO-04-699T. Washington, D.C.:
April 21, 2004.
Critical Infrastructure Protection: Challenges and Efforts to Secure
Control Systems. GAO-04-628T. Washington, D.C.: March 30, 2004.
Rail Security: Some Actions Taken to Enhance Passenger and Freight Rail
Security, but Significant Challenges Remain. GAO-04-598T. Washington,
D.C.: March 23, 2004.
Homeland Security: Summary of Challenges Faced in Targeting Oceangoing
Cargo Containers for Inspection. GAO-04-557T. Washington, D.C.: March
31, 2004.
Homeland Security: Federal Action Needed to Address Security Challenges
at Chemical Facilities. GAO-04-482T. Washington, D.C.: February 23,
2004.
Critical Infrastructure Protection: Challenges and Efforts to Secure
Control Systems.GAO-04-354. Washington, D.C.: March 15, 2004.
Technology Assessment: Cybersecurity for Critical Infrastructure
Protection. GAO-04-321. Washington, D.C.: May 28, 2004.
Terrorism Insurance: Implementation of the Terrorism Risk Insurance Act
of 2002. GAO-04-307. Washington, D.C.: April 23, 2004.
Posthearing Questions from the September 17, 2003, Hearing on
Implications of Power Blackouts for the Nation's Cybersecurity and
Critical Infrastructure Protection: The Electric Grid, Critical
Interdependencies, Vulnerabilities, and Readiness. GAO-04-300R.
Washington, D.C.: December 8, 2003.
Drinking Water: Experts' Views on How Future Federal Funding Can Best
Be Spent to Improve Security. GAO-04-29. Washington, D.C.: October 31,
2003.
Critical Infrastructure Protection: Challenges in Securing Control
Systems. GAO-04-140T. Washington, D.C.: October 1, 2003.
Information Security: Progress Made, but Challenges Remain to Protect
Federal Systems and the Nation's Critical Infrastructures. GAO-03-564T.
Washington, D.C.: April 8, 2003.
Homeland Security: EPA's Management of Clean Air Act Chemical Facility
Data. GAO-03-509R. Washington, D.C.: March 14, 2003.
Transportation Security Research: Coordination Needed in Selecting and
Implementing Infrastructure Vulnerability Assessments.GAO-03-502.
Washington, D.C.: May 1, 2003.
Homeland Security: Voluntary Initiatives Are Under Way at Chemical
Facilities, but the Extent of Security Preparedness Is Unknown. GAO-03-
439. Washington, D.C.: March 14, 2003.
Critical Infrastructure Protection: Challenges for Selected Agencies
and Industry Sectors. GAO-03-233. Washington, D.C.: February 28, 2003.
Critical Infrastructure Protection: Efforts of the Financial Services
Sector to Address Cyber Threats. GAO-03-173. Washington, D.C.: January
30, 2003.
High-Risk Series: Protecting Information Systems Supporting the Federal
Government and the Nation's Critical Infrastructures. GAO-03-121.
Washington, D.C.: January 1, 2003.
Homeland Security: Department of Justice's Response to Its
Congressional Mandate to Assess and Report on Chemical Industry
Vulnerabilities. GAO-03-24R. Washington, D.C.: October 10, 2002.
Critical Infrastructure Protection: Significant Challenges Need to Be
Addressed. GAO-02-961T. Washington, D.C.: July 24, 2002.
Critical Infrastructure Protection: Significant Homeland Security
Challenges Need to Be Addressed. GAO-02-918T. Washington, D.C.: July 9,
2002.
Chemical Safety: Emergency Response Community Views on the Adequacy of
Federally Required Chemical Information. GAO-02-799. Washington, D.C.:
July 31, 2002.
Critical Infrastructure Protection: Federal Efforts Require a More
Coordinated and Comprehensive Approach for Protecting Information
Systems. GAO-02-474. Washington, D.C.: July 15, 2002.
Homeland Security: A Risk Management Approach Can Guide Preparedness
Efforts, GAO-02-208T. Washington, D.C.: October 31, 2001.
Key Elements of a Risk Management Approach. GAO-02-150T. Washington,
D.C.: Oct. 12, 2001.
Critical Infrastructure Protection: Significant Challenges in
Safeguarding Government and Privately Controlled Systems from Computer-
Based Attacks. GAO-01-1168T. Washington, D.C.: September 26, 2001.
FOOTNOTES
[1] Uniting and Strengthening America by Providing Appropriate Tools
Required to Intercept and Obstruct Terrorism Act of 2001, Pub. L. No.
107-56, 115 Stat. 272, 401 (2001).
[2] Pub. L. No. 107-295, 116 Stat. 2064 (2002). According to the Coast
Guard, 238 MTSA-regulated maritime facilities handle "bulk liquid
chemicals."
[3] The ACC is a trade association that represents approximately 140
companies that operate approximately 2,000 facilities that encompass
more than 85 percent of the productive capacity for the manufacture of
basic chemicals in the United States. SOCMA is a trade association that
represents approximately 160 companies that manufacture specialty or
custom chemicals in the United States. Thirty-six of SOCMA's member
companies are also members of the ACC. The remaining 124 SOCMA members
operate 273 facilities in the United States. Both associations require
their members to abide by the Responsible CareŽ Security Code, which
lays out a process for facility operators to help secure against the
threat of terrorism. ACC has also lobbied Congress regarding the need
for federal regulation for chemical plant security.
[4] AMWA has nearly 200 member agencies that collectively serve 120
million Americans. AMWA functions as the voice for the largest publicly
owned drinking water systems on regulatory, legislative, and security
issues.
[5] NAWC is the only national trade association representing the
private and investor-owned water utility industry that provides
drinking water to 22 million Americans. NAWC serves as a mechanism for
its members to respond to federal legislative and state regulatory
initiatives that broadly affect the industry, including security-
related initiatives. NRWA is a nonprofit federation of state rural
water associations that provides support services to more than 24,550
water and wastewater utilities. NRWA's Board of Directors is composed
of elected board members from each state association. NRWA programs
include technical assistance to rural and small community water systems
(1) on the design and implementation of ground water source water
protection plans, (2) Safe Drinking Water Act compliance issues, (3)
health protection related to public-drinking water, and (4) other
managerial, financial and operational issues.
[6] Pub L. No. 107-188, 116 Stat. 594 (2002). Provisions of this act
require drinking water systems serving more than 3,300 people to
complete vulnerability assessments by certain dates depending upon the
population size served. For example, systems serving a population
greater than 3,300 but less than 50,000 were to complete such
assessments by June 30, 2004. The act further required systems to
prepare or revise an emergency response plan incorporating the results
of the vulnerability assessment within 6 months after completing the
assessment.
[7] Pub. L. No. 99-499, 110 Stat. 1728 (1986).
[8] See GAO, Homeland Security: Voluntary Initiatives Are Under Way at
Chemical Facilities, but the Extent of Security Preparedness Is
Unknown, GAO-03-439 (Washington, D.C.: March 2003).
[9] H.R. Conf. Rep. No. 108-774, at 75 (2004) accompanying H.R. 4567,
ultimately enacted into law as Pub. L. No. 108-334, 118 Stat. 1298
(2004).
[10] See GAO, Maritime Security: Substantial Work Remains to Translate
New Planning Requirements into Effective Port Security, GAO-04-838
(Washington, D.C.: June 2004).
[11] Homeland Security Presidential Directive Number 7 (Washington,
D.C.: December 17, 2003).
[12] EPA provided data on the number of drinking water systems in the
United States, including those subject to the Bioterrorism Act, by
extracting information from the agency's national database called the
Safe Drinking Water Information System. EPA does not have data on the
ownership of approximately 2 percent of these systems.
[13] According to EPA's data, a very small portion of community water
systems (less than 1 percent) are federally owned.
[14] Pub. L. No. 101-549, 104 Stat. 2399 (1990).
[15] These facilities are known as Risk Management Plan, or RMP,
facilities. The federal government has identified 140 toxic and
flammable chemicals that, in certain amounts, would pose the greatest
risk to human health and the environment if they were accidentally
released into the air. See GAO-03-439 (Washington, D.C.: March 2003)
for a more complete listing of the provisions related to an accidental
release under the Clean Air Act.
[16] In 2003, EPA officials stated that approximately 2,000 Risk
Management Plan chemical facilities may be covered under the
Bioterrorism Act.
[17] Port security grants are awarded to critical national seaports and
facilities to enhance facility and operational security. They were
originally administered by the Transportation Security Administration
(TSA) in coordination with the Maritime Administration and the Coast
Guard. These grants are currently administered by the Office of State
and Local Government Coordination and Preparedness in DHS.
[18] Security planning grants were administered by EPA through August
2002 to provide assistance to publicly and privately owned community
drinking water systems serving 100,000 people or more. Under this
program, EPA allowed up to $115,000 to each utility to develop or
revise a vulnerability assessment, emergency response or operating
plan, security enhancement plans and designs, or a combination of these
efforts. In commenting on this report, EPA officials also told us that
they used $20 million from their 2002 supplemental appropriation to
provide funds to (1) states to facilitate small and medium-sized
community water systems' (that is, that served more than 3,300 but less
than 100,000 people) efforts to obtain technical assistance related to
the development of vulnerability assessments and emergency response
plans as required by the Bioterrorism Act and (2) to organizations
providing such assistance.
[19] Homeland security grants are a series of grants designed to
support critical state and local missions, including the preparedness
of first responders and citizens, public health, infrastructure
security, and other public safety activities. These grants are
administered by the Office of State and Local Government Coordination
and Preparedness, the Federal Emergency Management Agency, and TSA.
[20] The 10 chemical facilities we visited reported spending between $1
million and $10 million to enhance security since September 11.
[21] See GAO, Critical Infrastructure Protection: Improving Information
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July
2004).
[22] See GAO, Wastewater Facilities: Experts' Views on How Federal
Funds Should Be Spent to Improve Security, GAO-05-165 (Washington,
D.C.: January 2005).
[23] In November 2004, the Water Information Sharing and Analysis
Center launched a free security advisory system known as the Water
Security Channel to distribute federal advisories on security threats
via e-mail to the water sector.
[24] EPA also developed guidance for community water systems to use in
developing or revising their emergency response plans as required by
the Bioterrorism Act.
[25] The council is made up of 15 members who are appointed by EPA's
Office of Ground Water and Drinking Water, and serve staggered 3-year
terms.
[26] In 1988, the ACC initiated Responsible CareŽ, which is a
comprehensive management system for its members to follow to
continuously improve safety performance; to increase communication; and
to protect employees, communities, and the environment.
[27] See GAO-03-439.
[28] The Responsible CareŽ Security Code directs chemical companies to
perform vulnerability assessments of their facilities using
methodologies developed by either Sandia National Laboratories or the
Center for Chemical Process Safety (or another equivalent methodology).
Sandia National Laboratories are multiprogram oriented and primarily
address national defense issues. Sandia security experts developed the
risk-based assessment methodology under sponsorship from the Department
of Justice. The Center for Chemical Process Safety is a component of
the American Institute of Chemical Engineers that, as part of its work
on chemical safety, has developed vulnerability assessment methodology
and offers courses and a certificate in security vulnerability
analysis. SOCMA also developed a Chemical Site Security Vulnerability
Analysis Model to provide chemical facilities with another mechanism
for conducting site vulnerability analysis.
[29] In 2004, we reported that the Army Corps of Engineers approves
virtually all such permit applications. See GAO, Waters and Wetlands:
Corps of Engineers Needs to Evaluate Its District Office Practices in
Determining Jurisdiction, GAO-04-297 (Washington, D.C.: February 2004).
[30] See GAO-03-439.
[31] At the time of this report, EPA was still the lead agency for the
chemical sector. However, as previously mentioned, DHS is now the lead
agency for the chemical sector.
[32] See GAO, Homeland Security: Communication Protocols and Risk
Communication Principles Can Assist in Refining the Advisory System,
GAO-04-682 (Washington, D.C. June 2004).
[33] Officials at seven of the eight community water systems we visited
reported tracking some cost information related to security
enhancements implemented since September 11 that ranged from
approximately $23,000 to $19 million. However, the cost information
these officials provided is not precise, and as they told us it does
not represent all costs incurred. Thus, the data should not be used to
determine the cumulative costs incurred across all community water
systems.
[34] See GAO-04-838.
[35] Building block chemicals are intermediary chemicals that are
produced from raw materials and used in the production of other
chemicals.
[36] We interviewed operators of community water systems within the
supply component of the water sector since critical infrastructure
efforts within this sector have focused on community water systems.
[37] According to an EPA official, the smaller private systems are
primarily owned and operated by a relatively few companies that also
own and operate much larger private systems. Therefore, we focused on
the larger systems to obtain an adequate perspective of privately held
water systems.
[38] In January of 2005, we issued a report on experts' views regarding
how federal funds should be spent to improve security. In this report,
we stated that the vast majority of experts suggested that wastewater
utilities serving critical infrastructure should be given the highest
priority when allocating federal wastewater security funds.
Furthermore, the activity that experts most frequently cited as
deserving of federal funds to improve wastewater facilities security
was the replacement of gaseous chemicals used in the disinfection
process with less hazardous alternatives. See GAO-05-165.
[39] GAO has consistently called for a risk management approach to
homeland security issues, See GAO, Homeland Security: A Risk Management
Approach Can Guide Preparedness Efforts, GAO-02-208T (Washington, D.C.:
October 12, 2001); Homeland Security: Key Elements of a Risk Management
Approach, GAO-02-150T (Washington, D.C.: Oct. 12, 2001); Homeland
Security: Summary of Challenges Faced in Targeting Oceangoing Cargo
Containers for Inspection, GAO-04-557T (Washington, D.C., Mar. 31,
2004); and Rail Security: Some Actions Taken to Enhance Passenger and
Freight Rail Security, but Significant Challenges Remain, GAO-04-598T
(Washington, D.C.: Mar. 23, 2004).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
