Nuclear Regulatory Commission

Preliminary Observations on Efforts to Improve Security at Nuclear Power Plants

GAO ID: GAO-04-1064T, September 14, 2004

The events of September 11, 2001, and the subsequent discovery of commercial nuclear power plants on a list of possible terrorist targets have focused considerable attention on the plants' capabilities to defend against a terrorist attack. The Nuclear Regulatory Commission (NRC), an independent agency established by the Energy Reorganization Act of 1974 to regulate the civilian use of nuclear materials, is responsible for regulating and overseeing security at commercial nuclear power plants. GAO was asked to review (1) NRC's efforts since September 11, 2001, to improve security at nuclear power plants, including actions NRC has taken to implement some of GAO's September 2003 recommendations to improve security oversight and (2) the extent to which NRC is in a position to assure itself and the public that the plants are protected against terrorist attacks. This testimony reflects the preliminary results of GAO's review. GAO will issue a more comprehensive report in early 2005.

NRC responded quickly and decisively to the September 11, 2001, terrorist attacks with multiple steps to enhance security at commercial nuclear power plants. NRC immediately advised the plants to go to the highest level of security according to the system in place at the time and issued advisories and orders to the plants to make certain enhancements, such as installing more physical barriers and augmenting security forces, that could be completed quickly to shore up security. According to NRC officials, their inspections found that the plants complied with these advisories and orders. Later, in April 2003, NRC issued a new design basis threat (DBT), which establishes the maximum terrorist threat that a facility must defend against, and required the plants to develop and implement new security plans to address the new threat by October 2004. It is also improving its force-on-force exercises, as GAO recommended in its September 2003 report. These exercises are an important agency tool to ensure that the plants' security plans are adequate to protect against the DBT.

While its efforts to date have enhanced security, NRC is not yet in a position to provide an independent determination that each plant has taken reasonable and appropriate steps to protect against the new DBT. According to NRC officials, the facilities' new security plans are on schedule to be implemented by October 2004. However, NRC's review of the plans, which are not available to the general public for security reasons, has primarily been a paper review and is not detailed enough for NRC to determine if the plans would protect the facility against the threat presented in the DBT. For example, the plans GAO reviewed are largely based on a template and often do not include important site-specific information, such as where responding guards are stationed, how the responders would deploy to their defensive positions, and how long deployment would take. In addition, NRC officials are generally not visiting the facilities to obtain site-specific information and assess the plans in terms of each facility's layout. NRC is largely relying on force-on-force exercises it conducts to test the plans, but these exercises will not be conducted at all facilities for 3 years.

NRC's oversight of plants' security could also be improved. However, NRC does not plan to make some improvements in its inspection program that GAO previously recommended and still believes are needed. For example, NRC is not following up to verify that all violations of security requirements have been corrected or taking steps to make "lessons learned" from inspections available to other NRC regional offices and nuclear power plants. Moreover, if NRC needs to revise its DBT further as the terrorist threat is better defined, it will need longer to make and test all the necessary enhancements. The Department of Energy, for example, is currently reviewing the DBT for its nuclear facilities.



Testimony:

Before the Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives:

United States Government Accountability Office:

For Release on Delivery Expected at 10:00 a.m. EDT: Tuesday, September 14, 2004:

Statement of Jim Wells, Director: Natural Resources and Environment:

For more information, contact Jim Wells, (202) 512-3841, wellsj@gao.gov.

Mr. Chairman and Members of the Subcommittee:

We are pleased to be here today to discuss our ongoing review of the Nuclear Regulatory Commission's (NRC) efforts to improve security at the nation's 104 commercial nuclear power plants licensed to operate. These plants, which are located at 65 facilities in 31 states, provide about 20 percent of the nation's electricity.[Footnote 1] We are conducting this review at your request and expect to issue our final report early next year.

The events of September 11, 2001, and the subsequent discovery of commercial nuclear power plants on a list of possible terrorist targets have focused considerable attention on the plants' capabilities to defend against a terrorist attack. However, as you know, NRC is not alone in the challenges it faces to protect against terrorism. Recently, the 9/11 Commission's report highlighted the accomplishments and challenges that remain on many fronts in the nation's fight against terrorism.
In recent testimony before this Committee, the Comptroller General applauded the efforts of the 9/11 Commission and discussed its recommendations to improve information sharing and analysis by the intelligence agencies.[Footnote 2] We have also testified several times before this Subcommittee on weaknesses in border security, federal action needed to address security challenges at the nation's chemical facilities, and the issues faced by the Department of Energy (DOE) in its efforts to secure its nuclear facilities.[Footnote 3]

To protect commercial nuclear power plants from a terrorist attack, NRC formulates a design basis threat (DBT), which establishes the maximum terrorist threat that a facility must prepare to defend against. The DBT characterizes the elements of a postulated attack, including the number of attackers, their training, and the weapons and tactics they are capable of using. Each facility must prepare a security plan describing its strategy for defending against the threat presented in the DBT. NRC is responsible for reviewing and approving these plans, inspecting the facilities to verify compliance with the plans and other NRC requirements, and conducting force-on-force exercises (mock terrorist attacks) at the facilities to ensure that the facilities' execution of their security plans could repel an attack. NRC considers the DBT and the security plans to be safeguards or sensitive information and does not make them available to the general public.

Our current review is the second on NRC's security program since the September 11 attacks. In our earlier report, issued in September 2003, we made a number of recommendations to NRC to improve its oversight of security at commercial nuclear power plants.[Footnote 4] In my testimony today, I will (1) describe NRC's efforts since September 11, 2001, to improve security at nuclear power plants, including actions it has taken to implement some of our September 2003 recommendations to improve security oversight and (2) discuss our preliminary views on the extent to which NRC is in a position to assure itself and the public that its efforts will protect the plants against terrorist attacks.

To conduct this work, we reviewed the security advisories and orders NRC has issued to the facilities since September 11, 2001. We also reviewed security documents, such as the DBT and individual facilities' draft security plans,[Footnote 5] and interviewed NRC security program officials. We did the work reflected in this statement from March 2004 through August 2004 in accordance with generally accepted government auditing standards.

In our final report, we will discuss the extent to which NRC is using a risk management approach to improve security at nuclear power plants. More specifically, we will report on NRC's efforts to (1) define the threat faced by nuclear power plants, (2) identify and characterize the vulnerabilities that would allow a threat to be realized, (3) assess the risks and determine priorities for protecting the plants, and (4) identify the countermeasures to reduce the risk of a successful terrorist attack.

In summary:

NRC responded quickly to the September 11, 2001, terrorist attacks with multiple steps to enhance security at commercial nuclear power plants.
For example, NRC:

* immediately advised the plants to go to the highest level of security according to the system in place at the time;

* issued a series of advisories and orders to the plants to make certain security enhancements--such as installing additional physical barriers, augmenting security forces, increasing patrols, and further restricting plant access--that could be completed quickly to shore up security until a more comprehensive analysis of the terrorist threat and how to best protect the plants against that threat could be completed;

* issued a new DBT in April 2003 and required the plants to develop and implement--by October 2004--new security plans setting out how the plants will protect against the threat defined in the new DBT. NRC expects the plants will meet this deadline; and

* improved its force-on-force exercises, which are an important agency tool to ensure that the plants are secure, by planning to conduct the exercises every 3 years instead of every 8 years and to make them more realistic, which we had recommended.

While we applaud these efforts, it will take several more years for NRC to make an independent determination that each plant has taken reasonable and appropriate steps to protect against the threat presented in the new DBT. The plants' development and implementation of security plans to comprehensively address the new DBT is a critical step in ensuring that individual plants can defend against terrorism. Although new security plans are to be approved and implemented by October 29, 2004, NRC will not have detailed knowledge about security at individual facilities to ensure that these plans provide this protection. NRC will not have this detailed knowledge, primarily for two reasons:

* First, NRC's review of the new security plans has been rushed and is largely a paper review. NRC is conducting its review of the plans over a 6-month period--as the plants are implementing the plans--and NRC reviewers are generally not visiting the plants to obtain details about the plans and view how the plans interface with the plants' physical layout. For example, the plans do not detail defensive positions at the site, how the defenders would deploy to respond to an attack, or how long the deployment would take. In addition, NRC is not requesting, and the facilities are generally not submitting for review, the documents and studies supporting the draft security plans.

* Second, it will take up to 3 years for NRC to test implementation of the new plans through force-on-force exercises at all facilities. Moreover, NRC is considering action that could potentially compromise the integrity of the exercises. The agency is planning to require the use of an adversary force trained in terrorist tactics, as we recommended in our September 2003 report. However, NRC is considering the use of a force provided by a company that the nuclear power industry selected; this company provides guards for about half the facilities to be tested. This relationship with the industry raises questions about the force's independence.

Furthermore, NRC is not taking advantage of other opportunities to improve the effectiveness of the exercises and its oversight in general by implementing other recommendations from our September 2003 report. For example, NRC is not following up to verify that all violations it found in previous inspections have been corrected and is not taking steps to make "lessons-learned" from inspections available to other regional offices and nuclear power plants, as we had recommended.

In addition to these concerns, we note that NRC's DBT is similar to the DOE's DBT for its nuclear facilities. As you know, in April 2004, DOE officials told this Subcommittee that it would have to revisit its post-September 11 DBT.
If NRC also decides to revisit and revise its DBT, NRC will need even longer to put all the necessary security enhancements in place and to test them. Funding the costs of the additional protection could also be an issue. NRC has already stated that the current DBT is the largest reasonable threat against which a regulated private guard force should be expected to defend under existing law. Also, certain potential vulnerabilities, such as airborne assaults, are currently being addressed outside of the DBT. Any changes in this approach to certain vulnerabilities could similarly place additional requirements on the plants.

Background:

NRC is an independent agency established by the Energy Reorganization Act of 1974 to regulate the civilian use of nuclear materials. NRC's Office of Nuclear Security and Incident Response, which was established in April 2002, is primarily responsible for regulating and overseeing security at commercial nuclear power plants. This office also develops overall agency policy and provides management direction for evaluating and assessing technical issues involving security at nuclear facilities. In addition, it coordinates with the Department of Homeland Security, the intelligence and law enforcement communities, DOE, and other agencies on security matters.

NRC begins regulating security at a commercial nuclear power plant when the plant is constructed. Before granting an operating license, NRC must approve a security plan for the plant. If more than one plant is located at a facility, the licensee prepares a physical security plan covering all the plants at the site. Since 1977, NRC has required facilities to have a security plan that is designed to protect against a DBT for radiological sabotage.[Footnote 6] The DBT characterizes the elements of a possible attack, including the number of attackers, their training, and the weapons and tactics they are capable of using.
Since it was first issued in 1977, the DBT has been revised twice, each time to reflect increased terrorist threats. The first revision occurred in 1993 in response to the first terrorist attack on the World Trade Center in New York City and to a vehicle intrusion at the Three Mile Island nuclear power plant in Pennsylvania.[Footnote 7] The second revision was issued on April 29, 2003, in response to the September 11, 2001, terrorist attacks.

NRC oversees plant security through several activities, particularly security inspections and force-on-force exercises. In annual security inspections at all the plants, inspectors are to check that the plant's security programs meet NRC requirements for access authorization, access control, and response to contingency events. The inspectors also are to review changes to the plant's security plan and self-assessment of security. NRC suspended these inspections in September 2001 to focus its resources on the implementation of security enhancements from NRC's advisories and orders. NRC reinstated the inspection program in early 2004.

NRC began conducting force-on-force exercises under its security inspection program in 1991. The agency suspended these exercises, which were referred to as Operational Safeguards Response Evaluation (OSRE) exercises, after the September 11, 2001, attacks because they considered it unsafe to perform mock attacks during a period of heightened security and because NRC and licensees' security resources were focused on responding to the events of September 11, 2001. NRC has conducted some exercises during 2003 and 2004 to gain the information necessary to initiate a revised, permanent force-on-force exercise program sometime in the near future. Although NRC officials have not decided on an exact date, they anticipate that the exercises will resume very soon after the facilities have implemented their security plans, which is scheduled for the end of October 2004.

NRC Actions Since September 11, 2001, to Improve Security at Nuclear Power Plants:

Shortly after September 11, 2001, NRC began to respond to the heightened risk of terrorist attacks. Between September 11, 2001, and the end of March 2003, the agency issued over 60 advisories to licensees of nuclear power plants. These advisories recommended enhancements that could be made quickly to shore up security until a more comprehensive analysis of the terrorist threat and how best to protect the plants against the threat could be completed. NRC immediately advised the plants to go to the highest level of security according to the system in place at the time. It followed with advisories and orders designed to increase the size and improve the proficiency of plants' security forces, restrict access to plants, and increase and improve plants' defensive barriers. For example, on October 6, 2001, NRC issued a major advisory, recommending that the licensees take immediate action to increase the number of security guards and to be cautious about using temporary employees.

From October 2001 to January 2002, NRC conducted a three-phase security inspection, checking the facilities to see if they had implemented these advisories. In phase one, NRC inspectors used an NRC-prepared checklist to document the implementation status of NRC's October 6, 2001 advisory. In phase two, security inspectors conducted a more in-depth evaluation of the facilities' implementation of the advisories. During phase three, NRC's security inspectors reviewed each facility's security program to determine if it had complied with the additional measures recommended in the October 6, 2001, advisory. NRC concluded that all facilities were in compliance but that the facilities had not consistently interpreted the recommended measures.
NRC used the results from the three-phase inspection to develop a February 25, 2002, order requiring facilities to implement additional security measures by August 31, 2002.[Footnote 8] Many of these measures had been recommended in previous advisories. NRC then conducted security inspections to verify facilities' compliance with all aspects of the order. The inspections were completed in December 2003, and NRC found that all nuclear power facilities were in compliance with the order.

NRC also acted on an item that had been a security concern for a number of years--the use of temporary clearances for temporary employees at the plants. Commercial nuclear power plants use hundreds of temporary employees for maintenance--most frequently during the period when the plant is shut down for refueling. In the past, NRC found instances in which personnel who failed to report criminal records had temporary clearances that allowed them unescorted access to vital areas.[Footnote 9] In an October 6, 2001, advisory, NRC suggested that facilities limit temporary clearances for temporary workers. On February 25, 2002, NRC issued an order that limited the use and duration of temporary clearances, and on January 7, 2003, NRC issued an order to eliminate the use of temporary clearances altogether. NRC now requires a criminal history review and a background check investigation to be completed before allowing temporary workers to have unescorted access to the power plant.

NRC issued its revised DBT in April 2003 to reflect the post-September 11 terrorist threat. In January 2003, NRC developed a draft DBT that it sent to federal, state, and local law enforcement agencies, federal intelligence and counterintelligence agencies, and the nuclear industry for review and comment. Between January and April of 2003, revisions were made, and the revised drafts were sent for additional comments. On April 29, 2003, NRC issued an order requiring the facilities to protect the power plants from a terrorist attack fitting within the parameters of the new DBT. The new DBT reflected the increased size of a potential terrorist force, the more sophisticated weaponry, and the different methods of deployment demonstrated by the September 11 terrorist attacks. NRC stated that this new DBT was the "largest reasonable threat against which a regulated private guard force should be expected to defend under existing law." Licensees were given 1 year to develop new security plans based on the new DBT. At the same time, NRC issued two other orders that (1) limited work hours for security personnel (to 16 hours per 24-hour period, 26 hours per 48-hour period, and 72 hours per week) so that excessive hours would not impair security forces in performing their duties and (2) required enhanced training and qualifications for the plants' security forces.

All told, according to the Nuclear Energy Institute,[Footnote 10] by the end of 2004, the nuclear power industry will have invested about $1 billion in security enhancements since September 11, 2001.

During this period, NRC also developed and strengthened its relations with other federal agencies. It collaborated with the Federal Aviation Administration on protecting airspace over the plants and worked with the Department of Homeland Security, Federal Bureau of Investigation, and local law enforcement agencies to monitor and analyze security threats and to determine additional security measures needed to meet such threats.

NRC has also taken, or is taking, steps to implement our September 2003 recommendations to improve its security inspections and force-on-force exercises. We had recommended that the NRC Commissioners ensure that the agency's security inspection program and force-on-force exercise program are restored promptly. NRC reinstated the security inspection program in February 2004.
NRC has not yet made force-on-force exercises a required activity, as we recommended, but it is taking steps in that direction. During 2003, NRC completed a "pilot" force-on-force program, which included 15 exercises. This pilot program was designed to determine how future force-on-force exercises would be conducted. After completing the 15 pilot exercises, NRC summarized the results in a "lessons learned" document. NRC is now conducting "transition" force-on-force exercises to help it formulate a new, permanent program. Participation in both the pilot and most of the transition exercises was voluntary for the facilities. Only some of the pilot exercises tested the full DBT, and none of the transitional exercises have or will test the full terrorist capabilities of the DBT. NRC officials said that they will not start conducting exercises using the new DBT until November 2004, after the facilities have implemented their new security plans.

NRC is also making the following additional improvements we recommended for these exercises:

* conducting the exercises more frequently at each site--every 3 years rather than the once every 8 years schedule of the past;

* using laser equipment in all force-on-force exercises to more accurately account for shots fired and to establish a more realistic setting;

* continuing the practice, begun in 2000, of prohibiting licensees from temporarily increasing the number of guards defending the plant and enhancing plant defenses for force-on-force exercises, or requiring that any temporary security enhancements be officially incorporated into the licensees' security plans; and

* requiring the exercises to make use of the full terrorist capabilities stated in the DBT, including the use of an adversary force that has been trained in terrorist tactics.

NRC Cannot Yet Provide Assurances That Its Efforts Will Protect Nuclear Power Plants Against Terrorist Attacks as Outlined in the New DBT:

As the principal regulator of commercial nuclear power plants, NRC has an important responsibility to provide an independent determination that each plant is protected against the threat presented in the new DBT. While its efforts to date have no doubt enhanced security, NRC cannot yet provide this determination for three principal reasons. First, its review of the facilities' new security plans setting out how the facilities will respond to the threat presented in the new DBT is not detailed enough. Second, it will not test the effectiveness of all the plans and security at all plants with force-on-force exercises for 3 years, and it does not plan to make some improvements in its security oversight that we believe are needed and have previously recommended. Third, NRC could potentially need to further revise its DBT as the terrorist threat is better defined, which could require changes in the security plans and additional security improvements.

NRC's Review of Security Plans Is Not Detailed Enough to Determine if They Effectively Address the New DBT:

NRC's strategy for reviewing the facilities' security plans generally allows for only a document review. While NRC staff originally estimated that it would take 2 years to review the plans, NRC now expects to take 6 months--from April 29, 2004, through October 29, 2004--to review and approve the facilities' security plans. The facilities are also expected to have their plans implemented by that date. To review the plans in 6 months, NRC assigned 20 NRC staff and contracted for 20 staff from DOE's Idaho National Engineering Laboratory to perform the reviews. The facilities' use of an industry-developed template is also expected to help speed the review.[Footnote 11] The template was intended to provide standard language for about 80 percent of the plans' contents.
However, the plans we reviewed relied almost entirely on the template language and provided little facility- specific information. Agency officials are generally not visiting the facilities to obtain site-specific information and assess the plans in terms of each facility's particular layout. Since completion of our work, NRC has decided to visit six or seven of the plants to verify information in the plan; however, it will not visit the vast majority of plants. In addition, the plans do not contain much detail. For example, the 12 plans NRC provided for our review do not include information about where responding guards are stationed, where their defensive positions are located, how the responders would deploy to their defensive positions, and how long deployment would take.[Footnote 12] The plans state that "[p]hysical security measures and specific response protocols for the onsite security force are contained in facility implementing procedures." Also, in all the plans we reviewed, the defensive positions are described only as being established "where necessary." None of the plans we reviewed specified the type of weapons the security forces will carry; stating only that the forces will meet NRC's minimum requirements. According to staff from our Office of Special Investigations with experience in law enforcement and physical security, the security plans are, at best, general guidelines. The plans often refer to other documents that detail how the requirements will be met and how the plans will be implemented. However, because of the 6-month review time frame, NRC officials do not plan to review these supporting documents as part of their approval process. According to NRC officials, the principal purpose of the plans is to commit the facilities to comply with all NRC security regulations and the template-based plans accomplish that purpose for about 80 to 90 percent of the information. 

NRC's Security Oversight Is Limited by Timing of Key Activities and Inaction on Some of Our Recommendations:

NRC will not determine the adequacy of the sites' procedures and programs for implementing their security plans and the sites' ability to actually implement the plan until it conducts inspections and force-on-force exercises at the sites. Because NRC plans to annually inspect all sites and conduct force-on-force exercises on a 3-year cycle, it could be 2007 before NRC can say with assurance that all the sites can be protected from a terrorist attack as presented in the new DBT.

In addition to the limitations of the security inspections and the timing of the force-on-force exercises, NRC has not implemented some of the recommendations we made in our September 2003 report to improve its oversight. We recommended that the NRC Commissioners:

* require that NRC regional inspectors conduct follow-up visits to verify that corrective action has been taken when security violations, including non-cited violations,[Footnote 13] have been identified;
* ensure that NRC routinely collects, analyzes, and disseminates information on security problems, solutions, and lessons learned and shares this information with all NRC regions and licensees; and
* enforce NRC's requirement that force-on-force exercise reports be issued within 30 to 45 days after the end of the exercise to ensure prompt correction of the problems noted.

Implementation of these recommendations is needed to correct some important program limitations. For example, during annual inspections, NRC inspectors often classified security problems as non-cited violations if the problem had not been identified frequently in the past or if the problem had no direct, immediate, adverse consequence at the time that it was identified.
Instances of a security guard sleeping on duty and a security officer falsifying logs to show that he had checked vital areas and barriers when he was actually in another part of the plant, for example, were treated as non-cited violations. This classification tends to minimize the seriousness of the problem. Non-cited violations do not require a written response from the licensee and do not require NRC inspectors to verify that the problem has been corrected. NRC used non-cited violations extensively for serious problems, thereby allowing the licensees to correct the problem on their own without NRC verification of the correction. Consequently, we believe NRC may not be fully aware of the quality of security at a site, and the lack of follow-up and verification reduces assurances that needed improvements have been made.

NRC also has not created a system to share the security problems, solutions, and lessons learned that it finds during security inspections with all the NRC regions and licensees. NRC did create a management review panel that is tracking the regions' findings during the security inspections and the dispositions of the findings. It is also keeping a database of all the findings and dispositions or solutions; however, the database is not accessible by the regions and licensees.

With respect to NRC's enforcement of its requirement for force-on-force exercise reports, NRC officials said they do plan to issue reports when the permanent force-on-force program is reinstated, but the reports will not be made public. During the pilot force-on-force exercises, NRC did not issue any reports, although it prepared a "lessons learned" document for the Commissioners. In addition, an NRC official stated that NRC will not issue reports on the new transitional force-on-force exercises, but will prepare another internal lessons learned document.
We continue to believe that NRC needs to promptly issue reports on each exercise to ensure that any security problems are quickly corrected. These reports would also provide the documentation needed to assess trends and patterns among facilities as well as at particular facilities over time.

Finally, although NRC is taking action--as we recommended in our September 2003 report--to establish an adversary force trained in terrorist tactics, NRC is not establishing the force in a manner that provides confidence that the force will be independent and highly trained, and will endeavor to find weaknesses in the facilities' security. NRC delegated the task of establishing the adversary force to an organization--the Nuclear Energy Institute--that represents the licensees of nuclear power plants. The company the Institute selected currently provides security guards to about half of the nuclear power sites to be tested. The company's relationship with the industry raises questions about the force's independence. Of further concern, this company was recently involved in a controversy over similar tests. During a June 2003 DOE force-on-force exercise at a nuclear site in Oak Ridge, Tennessee, security guards working for this company received uncharacteristically high scores. A subsequent investigation by DOE's Office of the Inspector General indicated that the guards might have cheated on the test and perhaps on many other tests at Oak Ridge, dating back to the mid-1980s. It was alleged that the guards had studied plans for the simulated attacks before they were carried out, had disabled the laser sensors they wore during tests to determine when they were "shot" by mock enemies, arranged trucks and other obstacles to help foil simulated attacks, created special, nonstandard plans to help them perform better on tests, and put more guards on duty at the time of the tests than would normally have been present.

If NRC Needs to Revise Its DBT, Additional Security Enhancements Could Be Required:

In April 2004, DOE told this Subcommittee that it would have to review its post-September 11, 2001, DBT for its nuclear facilities to determine if it should be more stringent.[Footnote 14] If NRC decides, as it gains a better understanding of the terrorist threat, that it also needs to reconsider its DBT, it could take longer to put all necessary enhancements in place and test them with force-on-force exercises. Depending on the additional enhancements needed, funding of the costs of the additional protection and how quickly it could be put in place could also become an issue. NRC previously stated that its April 29, 2003, DBT is the largest reasonable threat against which a regulated private guard force should be expected to defend under current law.

Similarly, NRC is addressing certain potential vulnerabilities outside of the DBT. For example, the terrorists' use of aircraft on September 11 raised questions about nuclear power plants' vulnerabilities to such attacks. According to NRC, although the design of many facilities considered the probability of accidental aircraft crashes that may pose undue risks to public health and safety, only a few facilities were specifically designed to withstand an accidental impact. Nonetheless, NRC believes that nuclear power facilities are among the most hardened industrial facilities in the United States. They are massive structures with thick exterior walls and interior barriers of reinforced concrete designed to withstand tornadoes (and projectiles propelled by tornadoes), hurricanes, fires, floods, and earthquakes. NRC also believes that the efforts to enhance security at airports and on airplanes and to identify potential terrorists and prevent potential attacks before they occur are an important part of reducing the threat of airborne attacks.
After the September 11 attacks, the Federal Aviation Administration, working with NRC, advised pilots to avoid the airspace above or in proximity to all nuclear power facilities and not to circle in their vicinity. NRC also undertook a major classified research and engineering effort, in conjunction with national laboratories, to evaluate the vulnerabilities and potential effects of a large commercial aircraft's hitting a nuclear power site. This effort includes consideration of additional preventive or mitigating measures to enhance the protection of public health and safety in the event of a deliberate aircraft crash into a nuclear power plant or spent (used) nuclear fuel storage facility. The results are classified and cannot be discussed in this open hearing. According to NRC officials, certain types of aircraft hitting facilities at certain locations pose some risks. The officials noted that, in these cases, the plants would have enough time to take advantage of certain safety features to substantially lessen the risks. NRC officials also believe that the plants would have sufficient time to implement emergency preparedness plans, if necessary. Airborne assaults on plants remain a public concern. If further consideration of NRC's aircraft study results leads to changes in NRC's approach, the DBT may need to be revised further, again raising questions about the timing and cost of improvements.

In closing, the nation's commercial nuclear power plants are no doubt more secure against a terrorist attack now than they were on September 11, 2001. NRC responded quickly and decisively to the attacks by requiring various enhancements to existing security at the plants. It will be some time, however, before NRC can provide the public with assurances that what has been done is enough.
Some of these enhancements are still being put in place, and NRC cannot independently determine that the enhancements will adequately secure the facilities until they have been effectively tested with force-on-force exercises. While our assessment of NRC activities is still underway, we believe that it is important for NRC to act quickly and take a strong leadership role in establishing a worthy adversary team for these exercises, establish priorities for the facilities to be tested, carefully analyze the test results for shortcomings in facility security, and be willing to require additional security improvements as warranted.

Mr. Chairman, this testimony provides our preliminary views. We would be happy to respond to any questions that you or Members of the Subcommittee may have.

GAO Contact and Staff Acknowledgements:

For further information on this testimony, please contact Jim Wells at (202) 512-3841 or at Wellsj@gao.gov. Raymond H. Smith, Jr.; Kenneth E. Lightner, Jr.; Jill Ann Roth Edelson; Kevin L. Jackson; Carol Herrnstadt Shulman; and Barbara R. Timmerman made key contributions to this testimony.

FOOTNOTES

[1] More than one nuclear power plant is located at some facilities.

[2] GAO, 9/11 Commission Report: Reorganization, Transformation, and Information Sharing, GAO-04-1033T (Washington, D.C.: Aug. 3, 2004).

[3] GAO, Border Security: Additional Actions Needed to Eliminate Weaknesses in the Visa Revocation Process, GAO-04-899T (Washington, D.C.: July 13, 2004); GAO, Homeland Security: Federal Action Needed to Address Security Challenges at Chemical Facilities, GAO-04-482T (Washington, D.C.: February 23, 2004); GAO, Nuclear Security: DOE Must Address Significant Issues to Meet the Requirements of the New Design Basis Threat, GAO-04-701T (Washington, D.C.: April 27, 2004); and GAO, Nuclear Security: Several Issues Could Impede the Ability of DOE's Office of Energy, Science and Environment to Meet the May 2003 Design Basis Threat, GAO-04-894T (Washington, D.C.: June 22, 2004).

[4] GAO, Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened, GAO-03-752 (Washington, D.C.: September 4, 2003).

[5] We reviewed 12 of the 65 facilities' draft security plans. According to NRC officials, the plans we reviewed were generally representative of all the plans.

[6] Radiological sabotage against a nuclear power plant is a deliberate act that could directly or indirectly endanger public health and safety by exposure to radiation.

[7] On February 7, 1993, an intruder drove onto the Three Mile Island power plant site, through a gate, and crashed through a roll-up door into the turbine area. The intruder challenged security barriers and disrupted operations for 4 hours before he was apprehended.

[8] NRC Order EA-02-026.

[9] The vital area, within the protected area, contains the plant's equipment, systems, devices, or material whose failure, destruction, or release could endanger the public health and safety by exposure to radiation. This area is protected by guard stations, reinforced gates, surveillance cameras, and locked doors.

[10] The institute represents licensees of commercial nuclear power plants.

[11] NRC provided input to the template's development.

[12] Staff from our Office of Special Investigations with experience in law enforcement and physical security assisted in reviewing these plans.

[13] A non-cited violation is a problem that had not been identified more than twice in the past year or had no immediate, direct consequences at the time it was identified.

[14] DOE's post-September 11, 2001, DBT, which is similar to NRC's in terms of the threat it outlines, was issued in May 2003. DOE has not yet completed its review of the DBT.
