Mail Security
Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions Gao ID: GAO-06-757 September 15, 2006In March 2005, two well-publicized and nearly simultaneous incidents involving the suspicion of anthrax took place in the Washington, D.C., area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and at a commercial office complex (Skyline Complex). While these incidents were false alarms, DOD and other federal and local agencies responded. The Postal Service suspended operations at two of its facilities and over a thousand DOD and Postal Service employees were given antibiotics as a precaution against their possible exposure to anthrax. This report describes (1) what occurred at the Pentagon and Skyline Complex mail facilities, (2) the problems we identified in detecting and responding to the incidents, (3) the actions taken by DOD that address the problems that occurred, and (4) the extent to which DOD's actions address the problems.
Events leading up to the Pentagon incident began when a laboratory that tested samples from the Pentagon's mail-screening equipment informed DOD's mail-screening contractor that test results indicated the presence of anthrax in the mail. By the time the contractor notified DOD 3 days later, suspect mail had already been released and distributed throughout the Pentagon. DOD evacuated its mail-screening and remote delivery facilities, notified federal and local agencies, and dispensed antibiotics to hundreds of employees. The Skyline Complex incident began the same day when Fairfax County, Virginia, emergency personnel responded to a 911 call placed by a Skyline employee that an alarm had sounded on a biosafety cabinet used to screen mail. Local responders closed the complex and decontaminated potentially exposed employees, and DOD dispensed antibiotics to the employees. Similarly, the Postal Service suspended operations at two facilities and dispensed antibiotics to its employees. Laboratory testing later indicated that the incidents were false alarms. Analysis of these incidents reveals numerous problems related to the detection and response to anthrax in the mail. At the Pentagon, DOD's mail-screening contractor did not follow key requirements, such as immediately notifying DOD after receiving evidence of contamination. At the Skyline Complex, DOD did not ensure that the complex had a mail security plan or that it had been reviewed, as required. The lack of a plan hampered the response. DOD also did not fully follow the federal framework--including the National Response Plan, which was developed to ensure effective, participatory decision making. Instead of coordinating with other agencies that have the lead in bioterrorism incidents, DOD unilaterally dispensed antibiotics to its employees. DOD has taken numerous actions that address problems related to the two incidents. At the Pentagon, DOD's actions included selecting a new mail-screening contractor and defining the roles and responsibilities of senior leadership, including those involved in making medical decisions. Related to Skyline, DOD prohibited its mail facilities in leased space within the Washington, D.C., area from using biosafety cabinets to screen mail unless the equipment is being operated within the context of a comprehensive mail-screening program. While DOD has made significant progress in addressing the problems that occurred, its actions do not fully resolve the issues. One remaining concern is whether DOD will adhere to the interagency coordination protocols specified in the national plan for future bioterrorism incidents involving the Pentagon. This concern arises because, more than 1 year after the incident, DOD reiterated that it has the authority to make medical decisions without collaborating or consulting with other agencies. DOD also has not ensured, among other things, that its mail facilities (1) have the required mail security plans and (2) are appropriately using biosafety cabinets for screening mail.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-757, Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions
This is the accessible text file for GAO report number GAO-06-757
entitled 'Mail Security: Incidents at DOD Mail Facilities Exposed
Problems That Require Further Actions' which was released on September
14, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Committee on Homeland Security and Governmental Affairs,
U.S. Senate:
United States Government Accountability Office:
GAO:
September 2006:
Mail Security:
Incidents at DOD Mail Facilities Exposed Problems That Require Further
Actions:
DOD Mail Security:
GAO-06-757:
GAO Highlights:
Highlights of GAO-06-757, a report to the Committee on Homeland
Security and Governmental Affairs, U.S. Senate
Why GAO Did This Study:
In March 2005, two well-publicized and nearly simultaneous incidents
involving the suspicion of anthrax took place in the Washington, D.C.,
area. The incidents occurred at Department of Defense (DOD) mail
facilities at the Pentagon and at a commercial office complex (Skyline
Complex). While these incidents were false alarms, DOD and other
federal and local agencies responded. The Postal Service suspended
operations at two of its facilities and over a thousand DOD and Postal
Service employees were given antibiotics as a precaution against their
possible exposure to anthrax.
This report describes (1) what occurred at the Pentagon and Skyline
Complex mail facilities, (2) the problems we identified in detecting
and responding to the incidents, (3) the actions taken by DOD that
address the problems that occurred, and (4) the extent to which DOD‘s
actions address the problems.
What GAO Found:
Events leading up to the Pentagon incident began when a laboratory that
tested samples from the Pentagon‘s mail-screening equipment informed
DOD‘s mail-screening contractor that test results indicated the
presence of anthrax in the mail. By the time the contractor notified
DOD 3 days later, suspect mail had already been released and
distributed throughout the Pentagon. DOD evacuated its mail-screening
and remote delivery facilities, notified federal and local agencies,
and dispensed antibiotics to hundreds of employees. The Skyline Complex
incident began the same day when Fairfax County, Virginia, emergency
personnel responded to a 911 call placed by a Skyline employee that an
alarm had sounded on a biosafety cabinet used to screen mail. Local
responders closed the complex and decontaminated potentially exposed
employees, and DOD dispensed antibiotics to the employees. Similarly,
the Postal Service suspended operations at two facilities and dispensed
antibiotics to its employees. Laboratory testing later indicated that
the incidents were false alarms.
Analysis of these incidents reveals numerous problems related to the
detection and response to anthrax in the mail. At the Pentagon, DOD‘s
mail-screening contractor did not follow key requirements, such as
immediately notifying DOD after receiving evidence of contamination. At
the Skyline Complex, DOD did not ensure that the complex had a mail
security plan or that it had been reviewed, as required. The lack of a
plan hampered the response. DOD also did not fully follow the federal
framework”including the National Response Plan, which was developed to
ensure effective, participatory decision making. Instead of
coordinating with other agencies that have the lead in bioterrorism
incidents, DOD unilaterally dispensed antibiotics to its employees.
DOD has taken numerous actions that address problems related to the two
incidents. At the Pentagon, DOD‘s actions included selecting a new mail-
screening contractor and defining the roles and responsibilities of
senior leadership, including those involved in making medical
decisions. Related to Skyline, DOD prohibited its mail facilities in
leased space within the Washington, D.C., area from using biosafety
cabinets to screen mail unless the equipment is being operated within
the context of a comprehensive mail-screening program.
While DOD has made significant progress in addressing the problems that
occurred, its actions do not fully resolve the issues. One remaining
concern is whether DOD will adhere to the interagency coordination
protocols specified in the national plan for future bioterrorism
incidents involving the Pentagon. This concern arises because, more
than 1 year after the incident, DOD reiterated that it has the
authority to make medical decisions without collaborating or consulting
with other agencies. DOD also has not ensured, among other things, that
its mail facilities (1) have the required mail security plans and (2)
are appropriately using biosafety cabinets for screening mail.
What GAO Recommends:
GAO is making recommendations to help improve the effectiveness of
future DOD responses involving the suspicion of anthrax in the mail.
DOD agreed with three of our recommendations but only partially agreed
with our fourth. GAO retained this recommendation to ensure that DOD‘s
future approach to making medical decisions during bioterrorism
incidents occur within the participatory federal framework.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-757].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Kate Siggerud at (202)
512-2834 or siggerudk@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
Each of the Incidents Presented a Different Situation and Response and
Occurred over Several Days:
Problems Encountered Reflect Both a Failure to Follow Existing Contract
Provisions and Procedures and a Lack of Procedures and Plans:
DOD Took Numerous Actions That Address Problems Related to the
Incidents:
DOD's Actions Do Not Fully Resolve Identified Problems:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: Comments from the Department of Defense:
Appendix III: Comments from the General Services Administration:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Selected Agency Actions Specified in NRP's Biological Incident
Annex:
Table 2: Key Changes in the Pentagon's Mail-Screening Contract
Provisions and Draft Mail-Screening Procedures:
Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft
Procedures:
Figures:
Figure 1: Chronology of Key Actions and Organizations Involved at
Pentagon and Skyline Complex:
Figure 2: DOD's Draft Procedures for Positive Test Results from the
Pentagon's On-Site Chemical-Biological Laboratory:
Abbreviations:
CBI: Commonwealth Biotechnologies Incorporated:
CDC: Centers for Disease Control and Prevention:
DHS: Department of Homeland Security:
DOD: Department of Defense:
FBI: Federal Bureau of Investigation:
GSA: General Services Administration:
HHS: Department of Health and Human Services:
LRN: Laboratory Response Network:
MOU: memorandum of understanding:
NIMS: National Incident Management System:
NRP: National Response Plan:
PFPA: Pentagon Force Protection Agency:
TMA: TRICARE Management Activity:
United States Government Accountability Office:
Washington, DC 20548:
September 15, 2006:
The Honorable Susan M. Collins:
Chairman:
The Honorable Joseph I. Lieberman:
Ranking Minority Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
Since the fall of 2001, when five persons, including two U.S. Postal
Service employees, died from exposure to anthrax-contaminated mail
delivered through the U.S. mail system, the nation has been acutely
aware of the danger of bioterrorism using anthrax and other potentially
fatal bacteria. The frequency of incidents involving suspicious
packages or powder spills has increased dramatically since that time,
due in part to hoaxes and concerns about leakages from mail that had
previously been routinely handled. Concerns about anthrax in the mail
have led federal agencies to establish mail-screening operations,
including tests for anthrax, that have often resulted in false alarms.
In March 2005, two well-publicized and nearly simultaneous incidents
took place in the greater Washington, D.C., area. The incidents
occurred at a Department of Defense (DOD) mail facility at the
Pentagon, a building of national military significance located in
Arlington County, Virginia, and another DOD mail facility in a
commercial office complex (Skyline Complex), located about 5 miles away
in Fairfax County, Virginia.[Footnote 1] While these incidents
ultimately proved to be false alarms, DOD as well as other federal and
local response agencies responded to the incidents. In the days that
elapsed before authorities concluded that anthrax was not present in
the mail or in the facilities, the Postal Service had suspended
operations at two of its facilities, and over a thousand DOD and Postal
Service employees had been given antibiotics as a precaution against
their possible exposure to anthrax.
You asked us to examine the response to the two March 2005 incidents.
Specifically, this report addresses the following four questions:
* What occurred at the Pentagon and Skyline Complex mail facilities?
* What problems occurred in detecting and responding to these
incidents, and why?
* What actions have been taken by DOD that address the problems that
occurred?
* To what extent do these actions address the problems that occurred?
To address these questions, we analyzed, among other things, pertinent
after-action reports, incident timelines, the contract for mail-
screening services at the Pentagon, mail-screening procedures, federal
mail management and other applicable regulations and guidance, and the
federal framework for responding to biological incidents. We compared
whether the actions taken by DOD, its mail-screening contractor at the
Pentagon, and employees at the Skyline Complex were in accordance with,
among other things, the existing contract provisions, mail-screening
procedures, federal regulations and guidance, DOD's mail manual, and
the federal framework for responding to biological incidents. We
interviewed a wide range of federal and local officials involved in the
response to the two incidents. We also interviewed personnel from the
Pentagon's mail-screening contractor to obtain their perspective on
what occurred at the Pentagon. We analyzed current procedures at the
Pentagon related to detecting and responding to biological agents. To
assist in our analyses, we reviewed previous GAO work regarding anthrax
incidents, pertinent literature and previous GAO work on internal
controls, guidance prepared by the Centers for Disease Control and
Prevention (CDC) for responding to the detection of anthrax in the
workplace, and regulations and guidance issued by the General Services
Administration (GSA) on mail security and responding to biological
threats in the mail. We performed our work from June 2005 to August
2006 in accordance with generally accepted government auditing
standards. Further details about our scope and methodology appear in
appendix I.
Results in Brief:
Each of the incidents at the two mail facilities presented a different
situation and response. Events leading up to the Pentagon incident
began when a laboratory that tested samples from the Pentagon's mail-
screening equipment informed DOD's mail-screening contractor on Friday
afternoon, March 11, that one of its tests of the previous day's mail
was positive for anthrax. By the time the mail-screening contractor
notified DOD on Monday morning, March 14, about the results of Friday's
test result and that additional testing of the sample over the weekend
was also positive for anthrax, mail suspected of containing anthrax had
already been released, picked up, and distributed throughout the
Pentagon. While DOD officials responded by evacuating the Pentagon's
mail-screening and remote delivery facilities, notifying numerous
federal and local agencies, and dispensing antibiotics to hundreds of
employees--including recipients of the mail that morning--officials
from the Federal Bureau of Investigation (FBI) initially suspected a
false alarm based on the totality of the evidence. The incident at the
Skyline Complex began on Monday afternoon, March 14, when emergency
personnel in Fairfax County, Virginia, responded to a 911 call placed
by a Skyline employee that an alarm had sounded on a biosafety cabinet
used to screen mail, including mail that had been picked up earlier
that day from the Pentagon. Fairfax County responders closed the
Skyline Complex, shut off elevators and the air-handling system,
decontaminated potentially exposed employees, and tested the facility
for anthrax contamination. The following day, DOD also dispensed
antibiotics to potentially exposed employees at the Skyline Complex.
The response to the incidents also affected the Postal Service's
employees and operations. When Postal Service officials learned about
the incidents, they immediately (1) suspended operations at two
facilities that process mail to the Pentagon and conducted
environmental testing at the facilities and (2) began dispensing
antibiotics to their potentially exposed employees. Federal and local
officials learned on Tuesday that the alarm that sounded on the
biosafety cabinet used for mail-screening at the Skyline Complex
indicated an airflow obstruction, not the presence of anthrax.
Nevertheless, testing continued on samples taken from the facilities.
The incidents were believed to be false alarms on Wednesday evening,
March 16, after the interpretation of additional laboratory testing did
not support the preliminary conclusion that the two facilities may be
contaminated with anthrax. Both mail facilities reopened on Friday
morning, March 18. Agency officials involved in the response believe
that the positive tests at the Pentagon could have been the result of
cross contamination in the laboratory.
Analysis of these incidents reveals numerous problems related to the
proper detection and response to anthrax in the mail, reflecting both a
failure to follow existing contract provisions and procedures and, in
some cases, a lack of procedures and plans. At the Pentagon, DOD's mail-
screening contractor did not follow two key requirements. Specifically,
the contractor did not (1) notify DOD immediately after receiving
evidence of possible contamination of the Pentagon's mail and (2)
quarantine the mail until it received negative results from the
laboratory. These problems were further exacerbated by a provision in
DOD's contract with its mail-screening contractor that did not clearly
specify how samples from the Pentagon were to be tested. The lack of
clarity resulted in the use of a laboratory whose testing methods were
unknown and whose results were questioned. At the Skyline Complex mail
facility, basic procedures for responding to biohazards and other
emergencies were inadequate or absent altogether resulting in (1)
employees not knowing how to properly respond to the alarm on the
equipment used for mail-screening, (2) employees and first responders
not knowing about the equipment's limitations, and (3) employees being
uncertain about whom to contact during a potential emergency.
Additionally, DOD did not ensure that the Skyline Complex mail facility
had developed a mail security plan or that it had been reviewed, as
required, by a competent authority within DOD. The federal framework
developed to help ensure effective decision making through a
coordinated response--the National Response Plan and the National
Incident Management System--was not fully followed. Instead of
coordinating its actions with others--such as the Department of Health
and Human Services (HHS), the primary federal agency responsible for a
public health response to bioterrorism--DOD unilaterally decided to
provide medication to its employees before having appropriate
confirmation of laboratory test results. According to DOD officials,
because the incident occurred at the Pentagon, they did not believe
that the protocols in the National Response Plan applied. In addition,
they said that they had the medical authority, experience, and
resources to act on their own. While the NRP does not repeal DOD's
medical authorities, making decisions without coordinating with other
agencies is fundamentally at odds with the protocols specified in the
National Response Plan and National Incident Management System. If DOD
had fully coordinated with federal and local agencies as the framework
prescribes, concerns such as the validity of test results could have
been discussed and the provision of unnecessary medicine to most of the
DOD employees (mail recipients and others who, in our view, would not
likely have been exposed until after the mail's release from quarantine
on Monday, March 14) may have been avoided.
DOD has taken numerous actions that address problems related to the two
incidents. Some actions, such as modernizing the Pentagon's mail-
screening facility and changing the laboratory used to test daily
samples, were under way prior to the incidents, but many others were
taken in direct response to the incidents. At the Pentagon, for
example, DOD selected a new mail-screening contractor, strengthened the
new contract, and developed new mail inspection procedures. While still
in draft form, the procedures are currently being used and require,
among other things, verification of negative test results by multiple
officials before quarantined mail is released. The establishment of
stringent control mechanisms is likely to prevent future premature
releases of potentially contaminated mail. DOD also drafted new
notification procedures--which are also being used--for reporting
positive test results to internal and external parties. The draft
procedures are intended to improve the way DOD communicates to federal
and local agencies during incidents. In addition, DOD is developing a
new policy to define the roles and responsibilities of senior DOD
leadership including those involved in making medical treatment
decisions during incidents at the Pentagon. DOD also took actions to
address problems related to the Skyline Complex incident. For example,
DOD gathered some information about mail-screening operations in its
facilities in the Washington, D.C., area and issued a directive
prohibiting DOD mail facilities in leased space within the Washington,
D.C., area from using equipment, including biosafety cabinets, to
screen mail unless the equipment is being operated within the context
of a comprehensive mail-screening program. Such a program includes the
use of (1) trained mail screeners to sample equipment for biological
agents and (2) an approved laboratory for analyzing the samples.
Although DOD has made significant progress in addressing the problems
related to the two incidents, its actions do not fully resolve the
problems that arose. One remaining and overarching concern involves
whether, despite its actions, DOD will adhere to the interagency
coordination protocols in the National Response Plan and National
Incident Management System--as it has agreed--or, instead, revert to
the isolated decision-making approach it used at the Pentagon. While
DOD is aligning its procedures to these interagency coordination
protocols, in April 2006, a senior health official reiterated that DOD
has the authority to make final decisions on medical treatment at the
Pentagon without collaboration or consultation with other agencies--
including HHS, which under the National Response Plan is the primary
federal agency responsible for coordinating a public health response
involving an actual or potential biological terrorist attack. More than
1 year later, DOD also has not developed a mail security plan for the
Skyline Complex mail facility. More importantly, it is not known
whether other DOD facilities also lack a plan because DOD does not have
a process for certifying the existence of mail security plans and
verifying that the plans have been reviewed by a competent authority.
Finally, although DOD prohibits the use of mail-screening equipment,
including biosafety cabinets, in DOD-leased facilities in the
Washington, D.C., area unless the equipment is being operated within
the context of a comprehensive mail-screening program, at the
completion of our review, DOD still had not determined whether other
biosafety cabinets are being used in the Washington, D.C., area or the
conditions under which the equipment is being operated.
We are making several recommendations to help improve the effectiveness
of future DOD responses involving the suspicion of anthrax in the mail.
Specifically, we recommend that the Secretary of Defense ensure that
(1) any future medical decisions reached during potential or actual
acts of bioterrorism at the Pentagon result from the participatory
decision-making framework in the National Response Plan and the
National Incident Management System, (2) appropriate officials at all
of DOD's mail rooms develop effective mail security plans, (3) a
competent DOD authority conducts an annual review of the plans'
adequacy, and (4) any biosafety cabinets in use in DOD mail facilities
in leased space in the Washington, D.C., area are being operated within
the context of a comprehensive mail-screening program.
We requested comments on a draft of this report from DOD, GSA, the
Department of Justice, HHS, the Department of Homeland Security (DHS),
and the Postal Service. Two of these agencies--DOD and GSA--provided
written comments. DOD agreed with three of our four recommendations,
indicating that it either was implementing, or intended to immediately
implement, actions to address these recommendations.[Footnote 2]
However, DOD only partially agreed with our remaining recommendation.
We retained this recommendation to ensure that DOD's future approach to
making medical decisions during bioterrorism incidents occur within the
participatory federal framework. GSA's written comments clarified
federal requirements related to the annual review of mail security
plans. DOD's and GSA's comments are reprinted in appendixes II and III,
respectively. DOD, the FBI (on behalf of the Department of Justice),
CDC (on behalf of HHS), and the Postal Service provided technical
comments, which we incorporated, as appropriate. DHS did not provide
comments.
Background:
What Is Anthrax and Why Is It a Concern?
Anthrax is an acute infectious disease caused by the spore-forming
bacterium Bacillus anthracis. The anthrax bacterium is commonly found
in the soil and forms spores (like seeds) that can remain dormant in
the environment for many years. Human anthrax infections are rare in
the United States and are usually the result of occupational exposure
to infected animals or contaminated animal products, such as wool,
hides, or hair. Although infection in humans is rare, a person can die
if airborne anthrax spores are inhaled into the lungs. Once airborne,
there is greater possibility that the spores will be inhaled. Medical
experts believe that symptoms of inhalation anthrax (sore throat,
muscle aches, and mild fever) typically appear within 4 to 6 days of
exposure, depending on how the disease is contracted. While anthrax is
potentially fatal, individuals who are exposed to anthrax spores will
not necessarily develop the disease. Inhalation anthrax can be treated
with antibacterial drugs, but medical treatment does not necessarily
ensure recovery. Anthrax is not contagious.
Anthrax is a potential terrorist weapon because, if refined and
introduced into letters and packages, anthrax spores can be released
into the air as letters are processed or opened. The use of the mail as
a vehicle for transmitting anthrax threatens the nation's mail stream
and places the American public and federal employees at risk. This is
what occurred in 2001, when letters containing anthrax contaminated at
least 23 Postal Service facilities and killed five of 22 individuals
diagnosed with anthrax, including two Postal Service
employees.[Footnote 3] Anthrax spores can be killed, however, through a
process known as irradiation, which renders anthrax in the mail
harmless for humans.
How Is Anthrax Detected?
Detecting anthrax involves many types of activities, including:
* developing a sampling strategy for deciding how many samples to
collect, where to collect them, and what collection methods to use;
* collecting samples using, for example, dry or premoistened swabs;
* transporting samples to laboratories for extraction and analysis;
* extracting the sample material using specific procedures and fluids
(such as sterile saline or water); and:
* analyzing the samples using a variety of methods.[Footnote 4]
To provide a coordinated clinical diagnostic testing approach for
detecting anthrax and other bioterrorism threats, CDC, the Association
of Public Health Laboratories, the FBI, and others collaboratively
developed the Laboratory Response Network (LRN) in 1999.[Footnote 5]
LRN laboratories (1) perform standard testing methods specified by CDC
to either rule out or confirm the presence of anthrax and (2) provide
public health organizations and others with rapid test results for use
in making public health decisions. Generating a final test result
involves both a presumptive and confirmatory test. Presumptive tests
can be obtained within 2 hours and are considered "actionable" from a
public health perspective. According to CDC, antibiotic medical
treatment is recommended as soon as possible after the LRN has obtained
a presumptive positive test result.[Footnote 6] Confirmatory tests take
longer--generally 24 to 48 hours.
What Is the Federal Framework for Responses Involving the Suspicion of
Anthrax?
The National Response Plan (NRP), which was developed by the federal
government under the leadership of DHS, provides one part of the
coordinated framework for how the United States will prepare for,
respond to, and recover from domestic incidents. The Secretary of
Defense, as well as the heads of 31 other federal departments and
agencies, signed the Letter of Agreement contained in the NRP,
indicating their agreement to abide by the NRP's incident management
protocols. The December 2004 plan includes a Biological Incident Annex,
which specifies actions that agencies should take when they become
aware of a possible threat involving a biological agent. The annex also
identifies the roles and responsibilities of various agencies that
would respond to such an event. For example, as specified in the annex,
HHS is the primary federal agency for coordinating a public health
response involving an actual or potential biological terrorism attack.
Table 1 identifies selected agency actions specified in the NRP's
Biological Incident Annex.
Table 1: Selected Agency Actions Specified in NRP's Biological Incident
Annex:
Response actions to be taken by agencies: The Department of Justice is
to be notified through the FBI's Weapons of Mass Destruction Operations
Unit.
Response actions to be taken by agencies: The FBI, in turn, is to
immediately notify DHS's Homeland Security Operations Center and the
National Counterterrorism Center under the direction of the Director of
National Intelligence.
Response actions to be taken by agencies: The LRN is to be used to test
samples for the presence of biological threat agents.
Response actions to be taken by agencies: The FBI, in conjunction with
HHS, is to make decisions on where to perform additional tests on
samples. The FBI is to lead criminal investigations of terrorist acts
or threats.
Response actions to be taken by agencies: Once notified of a credible
threat, HHS is to convene an interagency meeting to assess the
situation and determine the appropriate public health response. HHS is
to coordinate the overall public health response efforts across all
federal departments and agencies.
Response actions to be taken by agencies: DHS is to coordinate the
overall nonmedical response actions across all federal departments and
agencies.
Source: Department of Homeland Security.
[End of table]
The other part of the federal framework is the National Incident
Management System (NIMS), which was released in March 2004. NIMS is
intended to provide a consistent and coordinated nationwide approach
for federal, state, and local governments to work effectively and
efficiently together to prepare for, respond to, and recover from
domestic incidents, including those involving biological incidents,
regardless of their cause, size, and complexity. NIMS applies to all
levels of government, and for the federal government, including DOD, it
is prescriptive. A key component of NIMS is the incident command
system, which is designed to integrate the communications, personnel,
and procedures of different agencies and levels of government within a
common organizational structure during an emergency. Another key
component of NIMS is the establishment of a joint information center--
with representatives from all affected parties and jurisdictions--to
provide a unified communication message to the public during
emergencies.
What Federal Requirements Exist for Agencies to Follow?
GSA and DOD have requirements for agencies to follow in protecting
employees in mail facilities and ensuring effective mail operations.
For example, GSA's federal mail management regulation requires[Footnote
7]
* every federal agency and agency location with one or more full-time
personnel processing mail to have a written mail security plan
including, among other things, procedures for safe and secure mail room
operations, plans for security training for mail employees, and plans
for annual reviews of the agency's mail security plan and facility-
level mail security plans; and:
* large agencies, such as DOD, that spend over $1 million annually on
postage to annually (1) verify that facility-level mail security plans
have been reviewed and (2) report to GSA that all facility-level mail
security plans have been reviewed by a competent authority within the
past year.
GSA also issues guidance and recommendations for effectively managing
mail programs, including recommendations on the content of mail
security plans.[Footnote 8] For example, GSA recommends that agencies:
* develop a communication plan for responding to threats that includes
names and phone numbers to call during emergencies;
* establish and maintain partnerships with personnel who respond to
emergencies (first responders); and:
* create a program for training employees on how to respond to
biological threats, including refresher training on a regular basis.
DOD's mail manual, effective December 2001, implements DOD's mail-
related requirements.[Footnote 9] DOD requires its components to comply
with GSA's federal mail management regulation, including the
requirement that each mail center develop a written mail security plan
and have it reviewed annually by a competent authority.
Beyond mail-related requirements, GSA also requires the highest-
ranking federal official of the largest agency in GSA-controlled
(leased) office space to develop an occupant emergency plan.[Footnote
10] GSA guidance related to this requirement recommends that the
occupant emergency plan describe, among other matters, critical
information about the office space and actions to be taken during
emergencies.
The GAO Comptroller General's Standards for Internal Control in the
Federal Government provides the overall framework for agency management
to establish and maintain effective internal control.[Footnote 11]
Establishing effective internal controls is a major part of managing an
organization. Such controls include the plans, methods, and procedures
to be used to meet an organization's mission, goals, and objectives by,
among other things, monitoring performance, training employees, and
ensuring that federal requirements, such as GSA and DOD mail security
requirements, are followed.
How Did the Pentagon and Skyline Complex Process Mail in March 2005?
The Pentagon receives its mail from the Postal Service as well as from
commercial courier services. The Postal Service irradiates almost all
first-class mail delivered to the Pentagon and other federal agencies
in the Washington, D.C., area, from its facilities on V Street, N.E. in
Washington, D.C. (the V Street Operation). In March 2005, Pentagon mail
was delivered from the V Street Operation to a mail-screening facility
located within the Pentagon remote delivery facility--a 250,000-square-
foot shipping and receiving facility adjoining the Pentagon.
Technicians dressed in protective gear then screened the mail over a
custom-designed table equipped with four filters intended to capture
any particles that might fall from the mail. The table used a negative
airflow system that was intended to keep microscopic particles from
dispersing back into the mail-screening facility.
At the time of the March 2005 incident at the Pentagon, employees of
Vistronix Incorporated (Vistronix)--the Pentagon's mail-screening
contractor--collected and sent daily samples from each of the four
filters to Commonwealth Biotechnologies Incorporated (CBI)--a private
laboratory in Richmond, Virginia. Vistronix subcontracted the daily
testing of the Pentagon's mail to CBI. The opened mail was then shrink-
wrapped and quarantined in a secure room until CBI notified Vistronix
of negative test results by either fax or e-mail. Upon receipt of
negative test results, a Vistronix employee released the mail from
quarantine. Once released from quarantine, mail employees placed the
mail into mailboxes at the Defense Post Office, where it awaited pickup
by Pentagon employees.
The TRICARE Management Activity (TMA) mail room at the Skyline Complex
received and processed mail differently from the Pentagon.[Footnote 12]
It received a small amount of its mail from the Pentagon, but most of
its mail came from a Postal Service facility in Merrifield, Virginia,
according to a TMA mail room official. The TMA mail room had a
biosafety cabinet, an X-ray machine, and two full-time employees. The
biosafety cabinet had a negative airflow system with filters for
capturing and holding any particles that fell from envelopes or
packages being opened. While the cabinet was used for mail screening,
it was not capable of detecting anthrax.
Each of the Incidents Presented a Different Situation and Response and
Occurred over Several Days:
The two incidents involving the suspicion of anthrax occurred over
several days, but the most significant actions occurred the same day--
Monday, March 14, 2005. The Pentagon incident occurred first and was
the result of positive test results for anthrax in the mail. The
Skyline Complex incident occurred later that day when an alarm sounded
on the biosafety cabinet that employees took as a sign that
contaminated mail had been passed from the Pentagon to the Skyline
Complex.[Footnote 13] Combined, the incidents set in motion a large-
scale response that also affected Postal Service employees and
operations. The response ended a few days later, when further testing
confirmed that anthrax was not present at either DOD facility or in the
mail. Figure 1 shows a chronology of the key actions and organizations
involved in the two incidents. The discussion that follows explains
each incident in turn.
Figure 1: Chronology of Key Actions and Organizations Involved at
Pentagon and Skyline Complex:
[See PDF for image]
Source: GAO analysis of information from various sources.
[End of figure]
The Pentagon Incident Was Triggered from Tests Indicating the Presence
of Anthrax:
Events leading up to the Pentagon incident began on Thursday afternoon,
March 10, 2005. After screening the mail in a facility at the Pentagon
remote delivery facility, Vistronix employees routinely collected swab
samples from four filters and sent them to CBI for analysis. According
to Vistronix's account of events associated with the incident, about
4:00 p.m. on Friday afternoon, March 11, a representative from CBI
informed the Vistronix Director that one of four swab samples collected
and tested from Thursday's mail was positive for anthrax. The Director
requested the laboratory to conduct additional testing over the weekend
but did not notify Defense Post Office officials of the initial
positive test results. On Monday morning, March 14, at about 6:00 a.m.,
the Vistronix Director informed a member of his staff (the site
supervisor) that while additional laboratory results for Thursday's
mail had not yet been received, test results for Wednesday's mail were
negative, and, therefore, Wednesday's mail was cleared for release. The
site supervisor misunderstood the conversation, incorrectly concluding
that mail from both days could be released from quarantine, and,
consequently, he called his staff to release the mail. At about 6:30
a.m., Thursday's mail was released, and, shortly thereafter, employees
of the Defense Post Office began processing the mail for distribution.
According to Vistronix, at about 9:10 a.m., the laboratory notified
Vistronix that additional testing of Thursday's swab sample was also
positive. By the time Vistronix notified a Defense Post Office official
of the second test result at about 9:25 a.m., an unspecified amount of
the mail suspected of containing anthrax had already been picked up and
distributed throughout the Pentagon.
These developments initiated a wide-ranging response. At about 10:15
a.m., a Defense Post Office official notified the Pentagon Force
Protection Agency (PFPA)--the law enforcement agency responsible for
protecting people, facilities, and infrastructure on the Pentagon
Reservation.[Footnote 14] In the 2 hours that followed, PFPA:
* shut down the Pentagon remote delivery facility,
* coordinated with mail officials to identify possible recipients of
Thursday's mail,
* secured the perimeter around the remote delivery facility with the
help of antiterrorism units, and:
* evacuated the majority of the employees from the remote delivery
facility to the Pentagon's former child development center.[Footnote
15]
PFPA continued to lead the response in the hours that followed. The
Arlington County Emergency Communications Center sent emergency
personnel to the scene after it was notified through official channels
at about 10:37 a.m. Emergency personnel typically take charge of
incidents when the affected individuals have immediate medical needs.
However, when they arrived, they said none of the employees appeared to
have symptoms of illness. As a result, PFPA and Arlington County agreed
that PFPA would continue to lead the response. According to a DOD
timeline of the incident, DOD also attempted to notify the following
federal and local offices:
* 12:10 p.m.: First broadcast message sent to local public safety and
emergency management response agencies.
* 12:15 p.m.: FBI's Washington Field Office and the Weapons of Mass
Destructions Operations Unit at FBI Headquarters.
* 12:30 p.m.: Office of the Postmaster General--the executive head of
the Postal Service .
* 12:40 p.m.: Department of Homeland Security's Operations Center.
When FBI staff arrived on the scene at about 1:00 p.m., they began to
assess the incident's credibility. According to FBI officials, the
totality of the initial evidence suggested a false alarm. First, only
one of the four swab samples collected and tested from the filters on
Thursday was positive for anthrax. If an actual incident had occurred,
FBI officials said, it would have been reasonable to expect that all
four samples would have been contaminated because, based on experience
gained during the fall of 2001 anthrax attacks, once airborne, anthrax
spores disperse over a wide area. In addition, tests conducted on
Friday's mail were negative. FBI officials said that if anthrax had
contaminated Thursday's mail, it would likely have contaminated the
entire mail-screening facility, leaving residual spores that also would
have been detected in the samples taken from Friday's mail. While
suspicious of a false alarm, the FBI declared the Pentagon remote
delivery facility a crime scene based on the evolving response of other
agencies and the need to further assess the evidence.
During the afternoon hours, two DOD Health Affairs officials
responsible for responding to medical issues on the Pentagon
Reservation--the Commander of the DiLorenzo TRICARE Health Clinic and
DOD's Assistant Secretary for Health Affairs--began providing medical
treatment to (1) employees working at the remote delivery facility
where the mail-screening facility was located, (2) Pentagon mail
recipients, and (3) the mail-screening technicians. DOD health
officials estimate that, in total, they dispensed an initial 3-day
course of antibiotics to about 889 potentially affected employees.
According to the officials involved, their decision to immediately
dispense antibiotics as a precautionary measure was based on the
laboratory's positive test results and their experiences gained in the
fall of 2001. DOD's Assistant Secretary for Health Affairs told us that
at about 1:00 p.m., he conferred with the CDC Director about DOD's
medical decision, and that she agreed with the decision. According to
the CDC Director, the call was made to inform her about the decision
that DOD had already reached. The Director of CDC said that even if the
purpose of the call had been to seek her advice on medical treatment
options, she could not have offered a medical opinion because of
insufficient information, especially with respect to the reliability of
the laboratory's test results. She stressed the need for clear,
accurate, and understandable information for making decisions about
medical treatment. Such information, she said, is typically developed
collaboratively with all appropriate parties involved. After the
conversation, she said she contacted the CDC operations center that
handles such incidents to ensure that appropriate CDC personnel were
aware of the incident. While HHS is the primary agency responsible for
a public health response, according to an HHS official, the CDC
operations center--not DOD--subsequently contacted the HHS operations
center.
As officials from additional federal agencies became aware of the
incident, several interagency conference calls were held. The first of
these calls was convened by HHS officials at about 5:00 p.m.[Footnote
16] Officials from HHS said the purpose of the conference call was to
obtain a basic understanding of what had occurred at the Pentagon (and
at the Skyline Complex, where the second incident had already begun),
so that decisions could be made on how to respond appropriately.
According to HHS and DHS officials, decision makers needed answers to
such questions as what analysis had been done, what procedures had been
used by the contract laboratory, and how the Pentagon samples had been
collected. Obtaining such information was critical to determining
whether people had been exposed to anthrax, whether the two incidents
were linked, and what the appropriate response should be. However,
according to DHS and HHS officials, DOD could not adequately answer
these and other questions.
On Monday afternoon, DOD took the samples from CBI for analysis to Fort
Detrick, located in Frederick, Maryland--the site of two key federal
laboratories.[Footnote 17] The samples arrived at about 5:30 p.m. Over
the next few days, the laboratories at Fort Detrick conducted numerous
tests of the Pentagon's samples as well as environmental samples taken
from the Pentagon. Late Wednesday evening, results of additional
testing indicated that anthrax was not present in samples collected
from the Pentagon's mail-screening facility. Agency officials involved
in the response believe that the initial positive test result could
have been caused by cross contamination at CBI. The facility reopened
on Friday, March 18.
The Skyline Complex Incident Resulted from an Alarm on Equipment Used
for Mail Screening:
The incident at the Skyline Complex began several hours after the
Pentagon incident began. At about 10:00 a.m., a TMA employee picked up
mail from the Pentagon and, by 11:30 a.m., had distributed some of the
mail within the Skyline Complex--a large office complex of privately
owned buildings in Fairfax County, Virginia.[Footnote 18] According to
officials at the Skyline Complex, an employee received an urgent
telephone call around noon indicating an unspecified problem with the
Pentagon's mail and directing that any mail from the Pentagon be
retrieved. The caller did not provide any further explanation,
according to the official. TMA mail room employees retrieved the mail
they had already delivered, emptied mailboxes, and placed some of the
mail in trash bags. About 1:00 p.m., a TMA mail room employee was
screening other mail from the Pentagon using the biosafety cabinet when
the cabinet's alarm sounded. According to mail room employees, they
made several unsuccessful attempts to telephone the manufacturer and
the maintenance contractors for help. In addition, DOD's manager of the
complex told us that she called PFPA for guidance on how the cabinet
operated, but the PFPA official was not aware of the type of equipment
in use at the complex, and consequently, he was not able to tell her
what to do.[Footnote 19] Finally, at 2:09 p.m., a Skyline employee
called the Fairfax County 911 emergency line.
Fairfax County emergency responders (fire, police, public health, and
hazardous material units) arrived on the scene shortly thereafter. They
led the incident over the next few hours and took several actions,
including:
* closing the Skyline Complex and securing its exits,
* shutting off its elevators and air-handling systems,
* developing and providing health information to occupants,
* collecting contact information from the occupants,
* decontaminating some employees who were sheltering in place, and:
* obtaining and testing environmental samples from the complex and
attempting to remove filters from the biosafety cabinet in order to
perform additional tests.[Footnote 20]
According to Fairfax County responders, they attempted to hold all
occupants within the Skyline Complex because they anticipated receiving
results of environmental testing Monday afternoon. They explained that
having the complex occupants together would help them provide
information to the occupants and coordinate any further responses that
may be necessitated by the results of the environmental testing. Test
results were delayed, however, and the majority of the Skyline Complex
employees began to be released. Just prior to this, at about 7:30 p.m.,
Fairfax County responders began decontaminating 45 of the complex's
employees who were believed to be at high risk for exposure to anthrax.
The initial environmental test results--available on Tuesday--were
inconclusive and, as a result, Fairfax County and FBI responders
collected additional environmental samples for analysis at Fort
Detrick. On Tuesday afternoon, DOD dispensed antibiotics to the 45 high-
risk employees. This incident began to de-escalate on Tuesday evening
as officials learned that the alarm that sounded on the biosafety
cabinet used for mail screening indicated only an airflow obstruction,
not the presence of anthrax. By Wednesday evening, laboratory results
from environmental samples indicated that anthrax was not present at
TMA's mail room in the Skyline Complex. The majority of the Skyline
Complex reopened on Thursday, while TMA's mail room reopened on Friday
morning, March 18.
The Incidents Also Affected Postal Service Employees and Operations:
A DOD official called the Postmaster General to inform him of the
Pentagon incident at about 12:30 p.m. on Monday, March 14, 2005, but
neither the Postmaster General nor other Postal Service executive were
available to receive the call. The DOD official left a voice-mail
message, but according to the Postal Service's Senior Vice President
for Government Relations, the message did not convey any urgency about
the potential for anthrax in the mail. Furthermore, by the time Postal
Service officials listened to the message, they had already heard about
the incident through the local media. At about 5:00 p.m., when Postal
Service officials learned at the first interagency conference call that
DOD had provided antibiotics to Pentagon employees, Postal Service
officials acted quickly to protect their employees who, days earlier,
might have processed the mail. Thus, by Monday evening, the Postal
Service had suspended operations at its V Street Operation and had
immediately begun dispensing antibiotics to its employees. In total,
over 160 Postal Service employees were treated for their possible
exposure to anthrax. On Tuesday, March 15, the CDC's National Institute
for Occupational Safety and Health provided technical assistance to the
Postal Service in designing an environmental testing strategy for the V
Street Operation.[Footnote 21] By Wednesday morning, March 16, results
from environmental testing of the V Street Operation were negative for
anthrax. The Postal Service reopened the V Street Operation in the
afternoon.
Problems Encountered Reflect Both a Failure to Follow Existing Contract
Provisions and Procedures and a Lack of Procedures and Plans:
DOD encountered numerous problems during the two March 2005 incidents.
At the Pentagon, these problems primarily involved not following
required mail-screening contract provisions and procedures. The failure
to follow these requirements resulted in, among other things, the
premature release of the potentially contaminated mail that caused the
incident at the Pentagon. In addition, the Pentagon's contract for mail
screening lacked a clear provision specifying required testing methods,
which resulted in the use of a laboratory whose testing methods were
unknown and whose results were not actionable--this, in turn,
exacerbated the incident at the Pentagon. At the Skyline Complex mail
facility, problems were even more basic, in that required procedures
and plans for responding to biohazards and other emergencies were
inadequate or absent altogether. Further, at the Pentagon, the federal
framework developed to, among other things, help ensure more effective
decision making through the coordinated response of all affected
parties and decision makers was not fully followed. If the framework
had been fully followed, decisions regarding medical treatment of DOD
and Postal Service employees may have been improved.
At the Pentagon, the Mail-Screening Contract Provisions and Procedures
Were Not Followed:
Vistronix did not follow contract provisions and mail inspection
procedures related to the detection and response to potential biohazard
emergencies involving the Pentagon's mail. The contractor developed
procedures for implementing the contract's mail-screening requirements,
which described the process by which mail entering the Pentagon would
be inspected, tested, quarantined, and released. DOD approved the
procedures, but the contractor failed to follow two key requirements.
* Mail-screening contractor did not provide timely notification of
potential contamination. Both the contract and the approved mail
inspection procedures provided specific notification requirements for
informing DOD of potential biohazardous situations involving the
Pentagon's mail. The contract required Vistronix to notify PFPA
"immediately" if there were any evidence of risk or possible
contamination of the mail. Similarly, the mail inspection procedures
required PFPA to be contacted (1) within 1 minute of an actual or
potential event involving contamination and (2) when a positive test
result occurred "at any point" in the testing process. The laboratory
informed the Vistronix Director that a sample from Thursday's mail had
tested positive for anthrax on Friday afternoon, March 11. Instead of
immediately notifying PFPA as required, however, the Director asked the
laboratory to conduct additional tests over the weekend. The contractor
did not inform DOD of the suspected mail contamination until after it
received the second positive test result on Monday, March 14--about 2-
½ days after the notification should have occurred. According to the
Vistronix Director, he believed the procedures required them to notify
DOD only after a second positive test result. The contractor's untimely
notification created a sense of urgency within DOD to quickly provide
antibiotics to its employees--before consulting, as specified in the
NRP, with other agencies about the proper medical response.
* Mail-screening contractor did not quarantine mail until it received
negative test results from the laboratory. The contract required
Vistronix to quarantine the mail until receipt of negative test
results. Similarly, the mail inspection procedures required Vistronix
to hold (i.e., "not release for delivery") the Pentagon's mail until
the laboratory had reported negative test results to Vistronix. The
procedures also noted that a positive result "at any point"
necessitates sequestering all potentially contaminated mail. Vistronix
failed to follow these requirements. Specifically, while the Vistronix
Director was aware of an initial positive test result on Friday, he did
not ensure that the mail remained quarantined until receipt of negative
test results from the laboratory. Instead, miscommunication among
Vistronix staff led to the mail's release several hours before the
laboratory informed Vistronix that its weekend test results were also
positive for anthrax. The premature release of the potentially
contaminated mail resulted in a broad response at the Pentagon, the
Skyline Complex, and the Postal Service's V Street Operation.
The Pentagon's Mail-Screening Contract Provision for Testing Samples
Was Also Unclear:
The testing provision in the mail-screening contract required Vistronix
to test samples from the mail-screening equipment in accordance with
unspecified "CDC guidelines." However, Defense Post Office officials--
including the contracting officer's representative who had
responsibility for overseeing the contract--told us that they did not
identify the specific guidelines to be used and were unaware that the
CDC publishes both general testing guidelines, which are available in
the public domain, and guidance and protocols for anthrax testing by
the LRN, which are available only to LRN laboratories.[Footnote 22] The
officials explained that even if they had known which guidelines DOD
expected to be followed, they did not have the technical expertise to
determine whether the contract's testing provision was being followed.
Defense Post Office officials further explained that the contract was
awarded quickly in 2001 after the nationwide anthrax attacks. Their
office was tasked with overseeing the contract, they said, because at
that time the office was the "executive agent for mail in the
Pentagon"--not because it had any expertise or training on these
matters.[Footnote 23] According to Defense Post Office officials, the
lack of technical expertise regarding anthrax at that time contributed
to the lack of clarity in the contract's testing provision. Their lack
of expertise also caused them to conclude that CBI met all CDC and
federal guidelines, in part, because Vistronix had informed DOD that
CBI was a certified CDC laboratory that adhered to CDC guidelines. An
independent review of CBI, the subcontract laboratory, sponsored by DOD
and conducted in April 2005 found that CBI analyzed the Pentagon's
samples using testing methods that differed from CDC's guidance and
protocols. The review also found that Vistronix's contract with CBI did
not require the laboratory to verify its testing methods. By March
2005, DOD and Vistronix had had 3-½ years to specify its testing
requirements for the contract. An unclear contracting provision,
combined with the lack of oversight by both DOD and Vistronix, resulted
in the use of a laboratory whose testing methods were unknown and whose
results were not actionable. The effect of these events was evident
when DOD officials could not adequately explain to other agency
officials what (1) tests CBI had conducted, (2) methods CBI had used,
and (3) the results meant. DOD's inability to provide adequate answers
to these and other crucial questions exacerbated the incident at the
Pentagon and slowed the response since officials from other agencies
were skeptical of the laboratory's results.
At the Skyline Complex, Basic Response Procedures Were Inadequate or
Absent Altogether:
At the Skyline Complex, basic procedures for responding to a
biohazardous incident were inadequate or absent for the TMA mail
facility in the Skyline Complex. The following three key elements were
either inadequate or absent.
* First, TMA did not ensure that mail room procedures addressed what to
do, or whom to notify, when the equipment alarm sounded or that
employees were properly trained on the equipment. TMA is responsible
for ensuring that adequate procedures are in place and effective
training occurs, so that employees can perform their duties
competently. Although some procedures were in place at the Skyline
Complex, they did not address the capabilities of the biosafety cabinet
or what to do if the alarm on the equipment sounded. At the time of the
incident, the mail room's procedures provided, among other things, (1)
basic instructions for using the biosafety cabinet, including how to
turn the machine on and off and how to open the mail, and (2)
information about whom to notify when a suspicious package was
discovered. The procedures did not address what the biosafety cabinet
did, how it worked, or how to respond to its built-in alarm. The TMA
mail manager noted that training on the biosafety cabinet had occurred
when the machine was purchased in 2001, but no subsequent training had
been conducted.[Footnote 24] In the meantime, he said, staff turnover
and the absence of additional training had led to a lack of
understanding about the equipment's capabilities. In addition, while
the procedures specified whom to call if suspicious mail is discovered,
the procedures did not address whom to contact when the equipment's
alarm sounded.[Footnote 25] If procedures were adequate and periodic
training had occurred, employees would likely have known that, although
the equipment had a negative airflow system with filters for capturing
and holding any particles that fell from envelopes or packages being
opened within the equipment, it did not detect biohazards and its alarm
sounded only to indicate an airflow obstruction. Instead, in
conjunction with the phone call indicating an unspecified problem with
the Pentagon's mail, mail room employees assumed the alarm was
signaling the presence of biohazards in the mail. Because TMA employees
lacked adequate information and training on the equipment, they
unnecessarily contacted first responders.
* Second, neither TMA nor DOD ensured that the required mail security
plan was in place. Both TMA and DOD have responsibilities for ensuring
that an adequate mail security plan exists for the mail room in the
Skyline Complex. GSA's federal mail management regulation and DOD's
mail manual both require mail security plans for agency mail rooms.
According to GSA's regulation,[Footnote 26] security plans must include
(1) procedures for safe and secure mail room operations, (2) plans for
training mail room personnel, and (3) plans for annually reviewing
agency and facility-level mail security plans. In addition, DOD's mail
manual requires DOD's mail room officials to ensure that their mail
security plans are coordinated with local security officials. TMA did
not develop the required security plan. If TMA had developed a plan and
coordinated it with local officials, Fairfax County emergency
personnel--the local first responders--may have learned about the
biosafety cabinet's limitations, including the meaning of the
equipment's audible alarm. Furthermore, DOD did not ensure that TMA had
developed a plan, or attempt to review it for adequacy, as required.
GSA's federal mail management regulation requires that facility level
mail security plans be annually reviewed. Moreover, as specified in the
regulation, DOD must annually report to GSA that its mail security
plans have been reviewed by a competent authority within the past year.
GSA officials noted that DOD's Official Mail Manager submits a
certification form to GSA annually; however, the form does not indicate
that DOD's (1) plans exist and that (2) the plans have been reviewed by
a competent authority in the past year. Instead, the form submitted to
GSA simply certifies that DOD has the requisite requirements in place.
According to DOD's Official Mail Manager,[Footnote 27] he cannot
certify that all DOD mail rooms have mail security plans or that they
have been reviewed by a competent authority because DOD does not have a
process in place to ensure that the required reviews take
place.[Footnote 28] He further explained that he lacks the time and
resources to review the plans. If TMA and DOD had followed the
applicable requirements, the problem that occurred at the Skyline
Complex may have been avoided.
* Third, the Defense Information Systems Agency had not developed an
Occupant Emergency Plan. GSA requires agencies of GSA-controlled
buildings to have an occupant emergency plan for protecting life and
property during an emergency. Critical elements of the plan include (1)
evacuation and sheltering-in-place information; (2) contact information
and emergency phone numbers; and (3) specific information about the
building's construction, including its floor plans. The highest ranking
official of the largest agency in each GSA-controlled building is
responsible for developing and maintaining the occupant emergency
plan.[Footnote 29] In March 2005, the Defense Information Systems
Agency (Defense Agency) was the largest agency in the Skyline Complex.
According to officials from the Defense Agency, they were aware of the
agency's responsibility for developing the occupant emergency plan as
early as June 2002. Defense Agency officials had drafted a plan by the
time of the incident, but had neither distributed it to other federal
occupants of the complex nor coordinated it with first responders.
Moreover, employees had not been trained on the plan and affected
federal agencies had not agreed to or signed the plan. Officials of the
Defense Agency commented that developing an occupant emergency plan
takes a great deal of coordination among participating agencies, which
prolongs the plan's completion. The lack of a required occupancy
emergency plan contributed to the difficulties that employees and first
responders experienced during the incident. For example, first
responders had difficulty getting critical information to employees
because contact information was not readily available for federal
employees in the complex. In addition, since information about the
complex was not readily available, some employees were able to exit the
complex because Fairfax County police, who had attempted to secure the
Skyline Complex, were unaware of all the existing exits.
DOD Did Not Fully Follow the Federal Framework for Coordinating
Responses at the Pentagon:
DOD did not fully follow the federal framework for coordinating a
response to the potential anthrax incident at the Pentagon; instead, it
chose to make decisions on its own. The federal framework is set forth
in the NRP and NIMS, which specifies a structured and coordinated
approach for involving federal, state, and local agencies in decision
making. The unifying element of this framework is the ability to
harness the resources of various agencies whose expertise and knowledge
help ensure informed decisions about how to proceed in any given
situation. While DOD initially followed NIMS when it established its
incident command at the Pentagon,[Footnote 30] as the incident evolved,
key aspects of the federal framework were not followed. Here are three
examples:
* First, DOD did not fully follow NRP's notification structure. NRP's
Biological Incident Annex requires every federal agency to first notify
the FBI if it becomes aware of an overt threat involving biological
agents. While DOD officials did notify the FBI, it was not until almost
3 hours after they first became aware of the Pentagon's positive test
results. Earlier notification would have likely helped with the
evaluation of test results and allowed federal agencies to collectively
coordinate a proper course of action, particularly because, as
discussed earlier, FBI officials began questioning the incident's
credibility after arriving on scene. The Biological Incident Annex also
designates HHS as the federal agency responsible for coordinating a
public health response involving bioterrorism threats. DOD officials
never notified HHS but, instead, called the Director of CDC to disclose
their intention to administer antibiotics to DOD employees. The
Director of CDC, not DOD, alerted the CDC operations center, which, in
turn, notified HHS's operations center at about 4:00 p.m. on Monday. As
specified in the Biological Incident Annex, once HHS officials were
notified of a credible threat, they convened an interagency conference
call approximately 1 hour later to coordinate a possible medical
emergency response. However, by then, DOD had already begun to
administer antibiotics to its employees. As a result, any advice any
guidance on (1) medical treatment options or (2) the validity of the
laboratory's test results that other agency officials may have offered
were essentially moot.
* Second, DOD failed to follow NIMS protocols regarding joint decision
making. Under NIMS, the incident commander is responsible for the
entire response to an incident. To assist with various aspects of a
multijurisdictional response, the incident commander is expected to
assemble federal, state, and local agencies to serve in a unified
command. The unified command includes representatives from all agencies
and organizations that have responsibility for, or can provide support
to, an incident. Collectively, the unified command is expected to
consider and help make decisions on all objectives and strategies
related to an incident. At the Pentagon in March 2005, PFPA included
federal and local agencies in the response; however, the response
structure never matured into a unified command, especially when some
decisions--especially those related to medical treatment--were made
outside the command structure. DOD essentially had two separate
incident responses: PFPA acted as the incident commander for the
evacuation and containment of Pentagon employees, while DOD's Health
Affairs made unilateral decisions regarding the employees' medical
treatment. According to local public health officials, DOD did not
consult them on the proper course of action regarding whether, or how,
to intervene medically. Had information and decisions flowed through a
unified command structure, local public health officials could have
raised the concerns they had about providing antibiotics without a
confirmed LRN test result. Additionally, if medical treatment decisions
had been made collaboratively, DOD and local public health officials
could have (1) agreed on a strategy for treating potentially affected
individuals, including access to additional medication and follow-up
treatment; and (2) discussed the potential ramifications of initially
providing ciprofloxacin to DOD employees.[Footnote 31] According to
local public health officials, DOD's initial provision of ciprofloxacin
to DOD employees set a precedent that essentially eliminated other
antibiotic treatment options, given the health officials' desire to
ensure that potentially affected individuals would be treated
consistently.[Footnote 32] Had medical decisions been made within the
context of a unified command, a different decision may have been
reached and hundreds of DOD employees--with no, or limited, exposure to
potential contamination--may not have received unnecessary medication.
* Third, DOD did not coordinate the initial public response to the
incidents. An important outcome envisioned in the federal framework is
effective management of information available to the public. The NIMS
structure calls for a joint information center to provide a location
for organizations participating in the management of the incident to
work together to ensure that timely, accurate, easy-to-understand, and
consistent information is disseminated to the public. The joint
information center is supposed to have representatives from each
organization involved in the management of an incident. DOD did not
establish a joint information center at the start of the incidents, and
it did not have clear written procedures for doing so. As a result, the
public received unclear and inconsistent messages about, among other
matters, the source of the anthrax. For example, media accounts
reported that mail through the Postal Service caused the incidents
when, in fact, the source of possible contamination was unknown.
According to the Postal Service, this resulted in unnecessary anxiety
among Postal Service workers, their families, and recipients of Postal
Service mail.
According to DOD health officials responsible for making medical
decisions at the Pentagon, they based their medical treatment decision
on the experiences they gained from the fall 2001 anthrax incidents.
The officials explained that they were very sensitive to what they
perceived to be untimely medical decisions reached in the fall of 2001.
Consequently, they said they decided to err on the side of caution and
quickly distribute antibiotics to employees at the Pentagon and Skyline
Complex. Additionally, since the incident occurred on the Pentagon
Reservation, DOD officials did not believe that the NRP applied
because, in their view, they had the medical authority, expertise, and
resources to handle the incident internally.[Footnote 33] However,
other federal officials--including those in DHS and HHS--told us that
the NRP was applicable and that DOD should have followed the framework.
In addition, CDC guidance emphasizes the need to make risk-based
decisions, including those involving dispensing of antibiotics during
suspected anthrax incidents. According to the CDC, a risk-based,
participatory approach is necessary, in part to limit the number of
people who may receive antibiotics before confirmation by the
LRN.[Footnote 34] Since the mail had been quarantined over the weekend,
the Pentagon employees most at risk would have been the technicians who
had screened the mail the previous week. These persons received
antibiotics, but so did hundreds of others who, in our view, would not
likely have been exposed until Monday morning, when the Pentagon's mail
was released from quarantine.
DOD health officials' concern about protecting DOD employees from the
risk of exposure is clearly understandable. However, DOD's actions were
not consistent with the NRP. Once HHS was contacted by CDC, it began
using the notification and response protocols specified in the NRP. In
particular, HHS convened the first interagency conference call in which
federal participants were able to discuss the laboratory's test results
and raise concerns about the quality of the results. Additionally, CDC
was able to address the Postal Service's concerns about the possible
health effects on its employees who may have processed contaminated
mail to the Pentagon the previous week. CDC recommended antibiotics for
employees of the V Street Operation because (1) of the confluence of
the two incidents, which, at the time, were viewed as involving the
presence of anthrax; (2) DOD had already started its employees on
antibiotics; and (3) the employees could have been exposed to anthrax
several days earlier because they process mail to the Pentagon.
DOD Took Numerous Actions That Address Problems Related to the
Incidents:
DOD took numerous actions that address problems related to the Pentagon
and Skyline Complex incidents. At the Pentagon, some actions to improve
DOD's mail processing and incident response, such as modernizing the
mail-screening facility and changing the laboratory used to test daily
samples, were already under way. Other actions, including selecting a
new mail-screening contractor and improving procedures for releasing
quarantined mail, were a direct response to what occurred. At the
Skyline Complex, DOD's actions included prohibiting the use of
equipment for screening mail unless the equipment is being operated
within the context of a comprehensive mail-screening program. DOD also
commissioned the RAND Corporation to conduct an independent review to
examine its response to the incidents.[Footnote 35] The resulting
report,[Footnote 36] issued in January 2006, contains numerous
recommendations which, according to DOD, it has taken action upon.
At the Pentagon, Some Actions Were Already Under Way, While Others Were
Taken in Direct Response to the Incident:
Some of the actions DOD took at the Pentagon were under way before the
March 2005 incident. Although the actions were not carried out until
later, they reflected decisions that had been previously set in motion
to improve mail screening and responses to biological incidents. These
actions included the following:
* DOD transferred oversight of the mail-screening function to PFPA.
PFPA assumed oversight of mail-screening from the Department of the
Army in August 2005 because, according to DOD officials, PFPA's
strategic mission of providing security and law enforcement at the
Pentagon is better aligned with the mail-screening function. According
to a PFPA official, planning for the transfer of mail-screening
oversight began around January 2005. A gradual transition had been
planned, he said, but the Pentagon incident significantly accelerated
efforts to implement the transfer of mail-screening oversight
responsibilities.
* DOD modernized the mail-screening facility, refurbished the mail
quarantine room, and installed new mail-screening equipment. According
to a DOD official, initial planning for these improvements also began
around January 2005. PFPA officials stated that the new mail-screening
facility and the refurbished quarantine room have improved capabilities
that are designed to protect employees and prevent the spread of
anthrax. Finally, a DOD official said that the decision to replace the
previous mail-screening table with new equipment was based on a 2003
National Academy of Sciences report, which, among other things, raised
questions about the table's ability to detect anthrax in small amounts.
PFPA is awaiting the results of a study, which it expects to conclude
in May 2006, to evaluate the effectiveness of the changes.
* DOD changed its testing laboratory. Daily testing of samples from the
Pentagon's mail-screening equipment is now performed by a non-LRN
chemical-biological laboratory located on the premises, instead of a
contract laboratory. The laboratory is part of PFPA and, according to a
PFPA official, was established in January 2005 to help protect the
Pentagon from biological threats. The official stated that the original
plan was to transfer testing from CBI to the Pentagon's chemical-
biological laboratory in October 2005, after the Vistronix contract
expired. However, the transfer was accelerated, occurring instead in
March 2005, a few days after the incident at the Pentagon.
* DOD entered into a memorandum of understanding (MOU) on biological
monitoring with other federal agencies. In April 2005, DOD signed an
MOU for Coordinated Monitoring of Biological Threat Agents, which was
developed prior to the Pentagon incident. DHS, HHS, the Department of
Justice (which includes the FBI), and the Postal Service are also
parties to the MOU. DHS's Science and Technology Directorate is
responsible for coordinating the implementation of the MOU. The
following provisions in the MOU help address the notification,
laboratory testing, and medical response problems that arose at the
Pentagon:
* The MOU establishes prompt notification requirements. Specifically,
the MOU requires participants to notify the FBI, HHS, and DHS within 1
to 2 hours of positive test results that indicate, with a high degree
of confidence, the presence of anthrax or other biological agents.
However, according to a DHS Science and Technology Directorate
official, such test results only trigger notification and, until
confirmed by the LRN, are not considered actionable by HHS, DHS, and
others.
* The MOU requires participating agencies to develop and employ
mutually accepted and validated testing methods to confirm biological
threats. According to a Science and Technology official, test results
produced from these methods will be considered actionable for public
health and other response measures, including the administration of
medical treatment. He stated, however, that this MOU provision will
take time to implement.[Footnote 37] According to the official, an
independent organization is currently performing the extensive testing
and analysis needed to evaluate and establish equivalency between the
wide array of testing methods employed across agencies.[Footnote 38]
DOD officials stated that the Pentagon's chemical-biological
laboratory--which is not part of the LRN--plans to adopt the testing
methods that emerge from the MOU. As a result, if the MOU's equivalency
testing provision is fully implemented, they said, confirmatory
positive results from the Pentagon laboratory will be considered
equivalent to LRN results and deemed actionable by DHS, HHS, and others
for decisions related to the administration of medical
treatment.[Footnote 39]
In addition to carrying out actions already in process, DOD also
initiated numerous actions in direct response to the problems that
occurred at the Pentagon. Several of these actions address the mail-
screening contractor's failure to follow established requirements.
Other actions were carried out in response to the RAND review and are
intended to better align DOD's procedures with those in the federal
framework for coordinating responses to potential biological threats.
The actions are as follows:
* DOD changed mail-screening contractors, strengthened the new
contract, and drafted improved procedures. PFPA selected a new
contractor for screening mail at the Pentagon in September 2005. PFPA
also developed new contract provisions and drafted new mail inspection
procedures to address the previous contractor's failure to follow
established contractual and procedural requirements. Table 2 highlights
key changes in the Pentagon's mail-screening contract provisions and
draft procedures.
Table 2: Key Changes in the Pentagon's Mail-Screening Contract
Provisions and Draft Mail-Screening Procedures:
Key changes in the Pentagon's contract provisions: The contractor is
required to periodically train its employees on emergency response
procedures, including those relating to the receipt of suspicious
materials.
Key changes in the Pentagon's contract provisions: The contractor is
required to develop an effective quality control program to ensure that
its services are performed in accordance with the contract's
requirements.
Key changes in the Pentagon's contract provisions: PFPA's contracting
officer representative is required to evaluate the contractor's
performance to ensure that it meets contract requirements. The
representative is to monitor the contractor's performance and report
any deficiencies.
Key changes in the Pentagon's draft mail-screening procedures: The
facilities manager, a newly created position in PFPA's laboratory
division, is responsible for, among other things, performing
unannounced inspections to ensure that the contractor properly executes
procedures.
Key changes in the Pentagon's draft mail-screening procedures: The
contract supervisor, an employee of the mail-screening contractor, is
responsible for ensuring that contract personnel perform all activities
in accordance with established procedures.
Source: GAO analysis of DOD information.
[End of table]
PFPA strengthened the mail-screening contract by requiring the
contractor to, among other things, periodically train employees on
emergency response procedures and develop an effective quality control
program to ensure adherence to contract provisions. In addition, PFPA's
contracting officer representative is required to evaluate the
contractor's performance to ensure that it meets contract
requirements.[Footnote 40] PFPA has also drafted new mail-screening
procedures to help ensure the contractor performs in accordance with
requirements. The draft procedures require PFPA to, among other things,
perform unannounced inspections to ensure that the contractor is
properly executing required procedures. As of April 30, 2006, it was
unclear when the draft procedures would be finalized; however,
according to a PFPA official, the new monitoring measures are already
being performed. Effective monitoring of contractor activities and
performance is key to maintaining effective agency internal controls.
* DOD strengthened controls over the release of quarantined mail. The
Pentagon's draft mail inspection procedures require verification of
negative test results by representatives from three separate
organizations--PFPA, the Defense Post Office, and the contractor--
before the mail is released. Table 3 identifies the key steps for
releasing quarantined mail, as specified in the draft procedures.
Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft
Procedures:
A PFPA laboratory official verifies that test results are negative for
mail scheduled to be released.
A PFPA laboratory official notifies the facility manager, the contract
supervisor, and a Defense Post Office official via e-mail that the
results are negative and that mail can be released at the scheduled
time. All parties must verify the receipt of the negative test results
by replying to the e-mail.
A PFPA laboratory official verifies that test results are negative for
mail scheduled to be released.: The PFPA laboratory facility manager,
the contract supervisor, and a Defense Post Office official, must
physically verify that the date stamp and other information on the
quarantined mail matches the laboratory's report indicating negative
test results before releasing the mail.
Source: GAO analysis of DOD information.
[End of table]
Although the mail inspection procedures are still in draft form, these
steps are currently being used for releasing the Pentagon's quarantined
mail. The segregation of key duties and responsibilities at this
critical juncture in the mail release process reduces the risk of error
and, as such, is designed to strengthen the internal controls that were
lacking in March 2005. During the incident, inadequate internal
controls allowed a single point of failure--in this case, a
misunderstanding between two contract employees--to result in the
premature release and distribution of quarantined mail that may have
been contaminated. This triggered a broad response at the Pentagon and
elsewhere. The implementation of rigorous internal controls for
releasing the Pentagon's mail appears likely to prevent similar
incidents in the future.
* DOD commissioned the RAND Corporation to conduct an independent
review examining its response to the March 2005 incidents. The review
primarily focused on evaluating DOD's policies and procedures for
responding to such incidents and making recommendations for
improvement. In November 2005, DOD formed a working group to review and
implement recommendations from a draft of the report. The final report
was issued in January 2006.
* DOD drafted new notification procedures for positive test results at
the Pentagon. To help address the notification problems that arose
during the Pentagon incident, DOD drafted new procedures for notifying
appropriate parties of positive test results from the Pentagon's on-
site chemical-biological laboratory. These procedures help implement a
recommendation in the RAND report that calls for ensuring timely
notification of designated agencies in accordance with the NRP and
NIMS. The recommendation was based on findings similar to those
identified by GAO. DOD officials stated that the new procedures, while
still in draft, are currently being used to respond to potential
incidents involving biological contamination at the Pentagon. Figure 2
illustrates DOD's draft notification procedures for positive test
results from the Pentagon's on-site chemical-biological laboratory.
Figure 2: DOD's Draft Procedures for Positive Test Results from the
Pentagon's On-Site Chemical-Biological Laboratory:
[See PDF for image]
Source: GAO; DOD.
[A] The Assistant Secretary of Defense for Homeland Defense is the
overall supervisor of homeland defense activities for DOD. This office
manages domestic incidents and represents DOD in homeland defense-
related matters with other agencies.
[B] The Assistant Secretary of Defense for Public Affairs is the
principal staff adviser to the Office of the Secretary of Defense for
disseminating information related to the Pentagon.
[End of figure]
The procedures require Pentagon laboratory officials to immediately
notify PFPA of positive test results. Thereafter, PFPA and DOD's
Assistant Secretary of Homeland Defense are responsible for making the
required notifications to internal and external parties. According to a
DOD official, these notifications should occur immediately in order to
meet the 1 to 2 hour time frame specified in the MOU. As prescribed in
the NRP, once notified of positive test results, (1) the FBI is
responsible for coordinating appropriate confirmatory testing by the
LRN and (2) DHS's operations center is responsible for notifying
affected local jurisdictions. DOD's draft procedures include
notification to all agencies specified in the NRP's Biological Incident
Annex, as well as those specified in the MOU. Although not specifically
required in either the NRP or MOU, the procedures also include
notification to the Postal Service. An official stated that DOD
actively worked with DHS, the FBI, and HHS to develop the notification
procedures and is continuing to improve them based on agency input,
actual events, and the outcome of training exercises.
* DOD is developing a new policy that defines the roles and
responsibilities of senior DOD leadership during incidents at the
Pentagon. According to DOD's Director of Administration and
Management,[Footnote 41] the policy--called an instruction--is being
developed and will be based, in part, on NRP's Biological Incident
Annex. He stated that the instruction will detail the health-care
responsibilities of DOD leadership involved in making medical treatment
decisions and will be consistent with NRP and NIMS protocols. The draft
instruction was expected to be tested during a Pentagon training
exercise in May 2006 and is to be finalized in the fall of 2006. The
development of the instruction directly addresses a recommendation from
the RAND review, which arrived at findings similar to ours regarding
DOD's medical decision making.
* DOD drafted new procedures to help ensure that a joint information
center is established. DOD also drafted procedures for ensuring that,
consistent with the NIMS framework, a joint information center is
established during potential emergency incidents at the Pentagon.
During the March 2005 incident, DOD did not establish a joint
information center to disseminate timely, accurate, and consistent
messages to the public. The RAND report contained a similar finding and
recommended remedial actions. In response, DOD drafted procedures that
require PFPA, Public Affairs, and Washington Headquarters Services to
coordinate in the establishment and operation of a joint information
center to disseminate information to the media during incidents at the
Pentagon.[Footnote 42] According to a Washington Headquarters Services
official, the draft procedures will be tested during future training
exercises at the Pentagon.
DOD Took Other Actions That Address Problems at the Skyline Complex:
DOD also took a number of other actions that address the specific
problems we described related to the incident at the Skyline Complex.
Many of these problems were also raised in the RAND report. DOD's
actions, several of which also affect other DOD-leased facilities,
included the following:
* DOD developed operating conditions for equipment used to screen mail
in the national capital region. In January 2006, DOD's Director of
Administration and Management issued a directive prohibiting DOD mail
facilities in leased space within the national capital region[Footnote
43]--including the Skyline Complex--from operating equipment used to
screen mail, including biosafety cabinets, unless the facilities meet
five specific operating conditions. These conditions include having
trained mail screeners to sample equipment for biological agents and an
approved laboratory for analyzing the samples. The directive partially
addresses a recommendation in the RAND report calling for DOD to
develop, evaluate, and ensure that appropriate site-specific screening
practices are in place departmentwide. According to the Director, the
directive is intended to relay key lessons learned in March 2005--
specifically, that equipment for screening mail is ineffective and
potentially risky to personnel and facilities when used outside of a
comprehensive mail-screening program. The TMA facility at the Skyline
Complex did not meet these conditions. Although the agency purchased a
new biosafety cabinet for the Skyline Complex, which is similar to the
device in place in March 2005,[Footnote 44] a TMA official stated that
the agency is no longer operating the device and is taking steps for
its disposal in response to the directive.
* DOD initiated two efforts to gather information on screening
operations in its mail facilities. First, DOD's Joint Program Executive
Office for Chemical-Biological Defense, as part of a plan required by
the National Defense Authorization Act for Fiscal Year 2006,[Footnote
45] gathered some information on equipment used for mail screening in
DOD mail facilities nationwide. However, according to a joint program
office official, the data is not comprehensive because information was
not sought from all applicable facilities. Second, in response to the
RAND review, Washington Headquarters Services attempted to identify DOD-
leased facilities in the national capital region that screen mail for
threats. However, as discussed later, this data collection effort had
numerous limitations.
* DOD developed an occupant emergency plan for the Skyline Complex. In
July 2005, the Defense Agency, in conjunction with TMA, issued an
occupant emergency plan for the Skyline Complex. The plan was reviewed
and deemed adequate by a building management specialist in DOD's
Washington Headquarters Services. The plan includes emergency contact
information and information about the complex, such as floor plans,
that were not readily available during the March 2005 incidents. In
addition, according to a Defense Agency official, the plan has been
fully coordinated with Fairfax County first responders, who (1) met
with Defense Agency officials to discuss the roles and responsibilities
of applicable parties, (2) reviewed the plan, and (3) participated in
the emergency training exercises at the Skyline Complex. He also stated
that if a similar incident were to occur, the plan would facilitate
communications between first responders and Skyline Complex employees.
The development of an occupant emergency plan addresses findings in
this report as well as recommendations from the RAND review.
* DOD issued supplemental requirements for developing mail security
plans. DOD's December 2001 mail manual required agency mail rooms to
develop security plans, but at the time of the incidents, did not
clearly specify what the plans should include or require that they be
reviewed. A supplement to the manual, issued in September 2005,
requires mail room officials to ensure that their plan (1) details the
reporting procedures and responsibilities for handling suspicious mail,
(2) has been coordinated with local emergency responders, (3) is
disseminated to all mail center staff, and (4) is reviewed for
potential revisions at least quarterly. The supplemental requirements
refer mail room officials to GSA guidance on handling suspicious mail
to assist in the development of adequate security plans.[Footnote 46]
DOD's Actions Do Not Fully Resolve Identified Problems:
DOD's actions resolve many of the problems that arose in the March 2005
incidents but not all. One remaining and overarching concern involves
whether, despite its actions, DOD will adhere to the interagency
coordination protocols in the NRP and NIMS or will revert to the
isolated decision-making approach it used at the Pentagon. Other
remaining issues include ensuring that DOD (1) facilities have adequate
mail security plans in place and (2) mail facilities in the national
capital region are appropriately using biosafety cabinets for screening
mail.
DOD's Adherence to NRP and NIMS Interagency Coordination Protocols
Remains Uncertain for Incidents at the Pentagon:
DOD has taken actions to align its procedures with the NRP and NIMS,
including the development of an instruction defining the roles and
responsibilities of senior DOD leadership during incidents at the
Pentagon. The policy instruction is not expected to be finalized until
the fall of 2006 and, until then, it is unknown whether it will
adequately specify medical treatment responsibilities in accordance
with the coordination protocols in the NRP and NIMS. In October 2005,
senior DOD health officials told us that they would handle the medical
response at the Pentagon in a similar manner if an incident occurred in
the future, in part, because they have the authority to do so. In April
2006--more than 1 year after the incident--another senior health
official reiterated that DOD has the authority to make final decisions
on medical treatment at the Pentagon without collaboration or
consultation with other agencies, including HHS. Such views conflict
with protocols in both the NRP, which requires an HHS-led coordinated
public health response, and NIMS, which prescribes local-level input
into decisions affecting their jurisdictions. Until DOD ensures that
its senior health officials make medical treatment decisions in
accordance with the NRP and NIMS during potential biological incidents
at the Pentagon, the problems that occurred in March 2005 remain
unresolved.
DOD Still Has Not Ensured That Its Mail Facilities Have Reviewed Mail
Security Plans, As Required:
TMA did not have a mail security plan for the Skyline Complex at the
time of the incidents, and although federal mail management regulation
and DOD's mail manual require such a plan, it has not subsequently
developed one. Until TMA develops a plan and, among other things,
coordinates it with local first responders, any future response at the
facility may also be hampered. More importantly, it is not known
whether other DOD mail facilities also lack plans, or adequate plans,
for guiding future responses involving potential biological threats in
the mail. As discussed earlier, DOD does not have a process in place to
(1) ensure that its mail facilities have mail security plans and (2)
verify that each plan has been annually reviewed by a competent
authority.
DOD Has Not Ensured That Its Facilities in the National Capital Region
Are Appropriately Using Biosafety Cabinets:
Gaps remain in the actions DOD has taken to ensure the appropriate use
of biosafety cabinets for mail screening in DOD-leased mail facilities
in the national capital region. First, DOD has not ensured that DOD
mail facilities in the national capital region are not operating
biosafety cabinets outside of a comprehensive mail-screening program.
As pointed out in the Director of Administration and Management's
January 2006 directive, using mail-screening equipment in isolation of
such a program is ineffective and potentially risky. Second, at the
conclusion of our review, DOD still had not identified the number of
biosafety cabinets in use in the region. For example, although DOD's
Washington Headquarters Services collected information about facilities
in the national capital region that screen mail for threats, its winter
2005 data collection effort was not comprehensive. For example, the
office did not attempt to (1) identify whether other biosafety cabinets
were being used, (2) determine the conditions under which the equipment
is being operated, and (3) collect information on the type and
capabilities of other mail-screening equipment being used. Moreover, it
appears that numerous DOD mail facilities in the national capital
region did not respond to the data request. According to an official
from Washington Headquarters Services in April 2006, a follow- up
effort was being conducted to gather additional data on mail- screening
operations in the region; however, we were unable to obtain specific
information regarding the purpose, scope, and status of the effort.
Eliminating equipment that is not being used in conjunction with a
comprehensive mail-screening program is likely to reduce future false
alarms and unnecessary response activities involving the Skyline
Complex and other DOD mail facilities in leased space within the
national capital region.
Conclusions:
Mail continues to be a potential venue for terrorism, particularly as
an opportunity to strike at the Pentagon--a building of national
military significance. DOD has taken aggressive measures to ensure the
safety of its employees during a potential biological attack, but the
challenge ahead is to ensure that DOD's components and leadership are
sufficiently prepared in the event of another potential incident
involving anthrax or other biohazards. Preparation involves having the
procedures, plans, and training in place to effectively coordinate the
best available knowledge and expertise across the many agencies that
will likely be involved. While lessons learned from these two false
alarms have largely been implemented, there still is a need to tighten
controls in the areas discussed above.
Recommendations for Executive Action:
To help prepare DOD to effectively respond to future incidents
involving the suspicion of biological substances in the mail, we
recommend that the Secretary of Defense take the following four
actions:
* Ensure that any future medical decisions reached during potential or
actual acts of bioterrorism at the Pentagon Reservation result from the
participatory decision-making framework specified in the NRP and NIMS.
* Ensure that appropriate officials at all of DOD's mail facilities
develop effective mail security plans in accordance with GSA's mail
management regulation and guidance and DOD's mail manual.
* Ensure that a competent DOD authority conducts a DOD-wide review of
all of its mail security plans.
* Determine (1) whether biosafety cabinets are being used at mail
facilities within DOD-leased space in the national capital region and,
if so, (2) whether the equipment is being operated within the context
of a comprehensive mail-screening program. If the use of biosafety
cabinets does not comply with the criteria specified in the Director of
Administration and Management's January 2006 directive, ensure that the
equipment will not be operated.
Agency Comments and Our Evaluation:
We requested comments on a draft of this report from DOD, GSA, the
Department of Justice, HHS, DHS, and the Postal Service. Two of these
agencies--DOD and GSA--provided written comments. The agencies'
comments are reprinted in appendixes II and III, respectively.
DOD agreed with three of our four recommendations, indicating that it
either was implementing, or intended to immediately implement, actions
to address these recommendations.[Footnote 47] Furthermore, while DOD
is developing a new policy to define the roles and responsibilities of
senior DOD leadership including those involved in making medical
treatment decisions during incidents at the Pentagon, it only partially
agreed with our remaining recommendation, related to the need for DOD
to make future medical decisions within the participatory decision-
making framework specified in the NRP and NIMS. While commenting that
"coordination in such events is highly desirable," DOD reiterated that
it has the "medical authority to act in a timely manner to provide the
best possible medical protection for its personnel at potential risk in
an incident of this nature." DOD further commented that the NRP does
not alter or impede its ability to carry out its medical authorities
and responsibilities.
We agree that the NRP does not repeal DOD's medical powers,
authorities, or responsibilities. However, in signing the NRP Letter of
Agreement, DOD agreed, among other things, to (1) support NRP concepts,
processes, and structures; (2) modify its existing plans to comply with
the NRP; and (3) ensure that its operations support the NRP. Thus, in
our view, DOD's medical authorities must be exercised in conjunction
with DOD's responsibilities under the NRP. Had DOD followed such an
approach in March 2005, concerns such as the validity of the test
results could have been discussed among informed agency officials and
the provision of unnecessary medicine to DOD employees at lower risk
for exposure may have been avoided.
DOD also commented that the NRP was not in effect during these
incidents because none of the criteria for an incident of "national
significance" had been met. We agree that the December 2004 NRP plan
was somewhat ambiguous about when an incident is subject to NRP's
concepts, processes, and structures. However, revisions made in May
2006 clarified that the NRP is "always in effect" and that the plan
applies to incidents of lesser severity that may, nevertheless, require
some federal involvement. In our view, this revision makes it even more
clear that, going forward, coordination is necessary and appropriate
with regard to potential bioterrorism incidents and decisions about
medical treatment. In addition, despite the plan's prior ambiguity, it
is important to note that other federal officials--including those in
DHS and HHS--told us that the NRP was applicable because of the nearly
simultaneous occurrence of two incidents involving the Pentagon, a
building of national military significance. Thus, according to these
and other involved parties, DOD should have responded to the incidents
within the context of the federal framework.
GSA's written comments clarified federal requirements related to the
annual review of mail security plans. DOD, the FBI (on behalf of the
Department of Justice), CDC (on behalf of HHS), and the Postal Service
provided technical comments, which we incorporated, as appropriate. DHS
did not provide comments.
We are sending copies of this report to appropriate congressional
committees and subcommittees, CDC, DHS, DOD, the FBI, GSA, HHS, the
Postal Service, the Arlington and Fairfax County Offices of Emergency
Management, the District of Columbia Health Department, and other
interested parties. We will also make copies available to others upon
request. In addition, the report is available at no charge on the GAO
Web site at [Hyperlink, http://www.gao.gov].
If you or your staff have any questions about this report, please
contact me at siggerudk@gao.gov or (202) 512-2834. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Staff who made key contributions to
this report are listed in appendix IV.
Signed by:
Katherine A. Siggerud:
Director, Physical Infrastructure Issues:
[End of section]
Appendix I: Scope and Methodology:
To determine what occurred at the Pentagon and Skyline Complex mail
facilities in Virginia, we reviewed all available timelines and after-
action reports, including those prepared by various Department of
Defense (DOD) components, the Postal Service, the RAND Corporation, and
other federal, state, and local entities. The after-action reports and
timelines document what occurred at the two sites in March 2005 as well
as the sequence and timing of what occurred. We also obtained and
analyzed other pertinent documentation. We developed a timeline of what
occurred based on the information we obtained, and corroborated this
information with agency officials, where possible. With respect to this
and our other reporting objectives, we interviewed a wide range of
officials from the following organizations:
* Office of the Secretary of Defense, Administration and Management;
* Office of the Assistant Secretary of Defense for Health Affairs;
* Office of the Assistant Secretary of Defense for Homeland Defense;
* DOD's DiLorenzo TRICARE Health Clinic;
* DOD's TRICARE Management Activity (TMA);
* DOD's Pentagon Force Protection Agency, including personnel in the
Chemical, Biological, Radiological and Nuclear laboratory;
* DOD's Washington Headquarters Services;
* DOD's Defense Post Office;
* Vistronix Incorporated;
* Department of Health and Human Services;
* Centers for Disease Control and Prevention (CDC);
* Department of Homeland Security (DHS);
* Federal Bureau of Investigation (FBI) Headquarters and its Washington
Field Office;
* U.S. Postal Service;
* District of Columbia's Department of Health; and:
* Arlington and Fairfax County Offices of Emergency Management.
To determine what problems occurred and why they occurred, we obtained,
reviewed, and analyzed, among other documents, (1) all available
timelines and after-action reports prepared by federal, state, and
local agencies that were involved in the response; (2) the Pentagon's
mail-screening contract and procedures; (3) TMA's mail procedures; (4)
federal mail management and other applicable regulations related to
occupant emergency plans;[Footnote 48] (5) DOD requirements, including
its mail manual; (6) applicable guidance on the coordination of
incidents with appropriate organizations, including the National
Response Plan (NRP) and its Biological Incident Annex and the National
Incident Management System (NIMS) and; (7) CDC guidance related to the
provision of medical services to potentially affected employees,
including its guidance on the timing of antibiotics to affected
individuals.[Footnote 49] We also reviewed and analyzed GAO's internal
control standards for applicable criteria and interviewed officials
from the previously cited organizations as well as those from DOD's
Defense Information Systems Agency, DOD's Military Postal Service
Agency, and the General Services Administration. We compared DOD's
actions with applicable criteria, such as the Pentagon's contract
provisions and procedures, regulations and guidance, and the national
coordination protocols in place at the time of the incidents, to
identify any variations between the actions taken at the two facilities
and the actions specified in the applicable criteria. Where variations
existed, we interviewed officials from the previously mentioned
organizations to determine why the applicable criteria was not
followed.
To determine the actions DOD has taken that address the problems that
arose during the March 2005 incidents at the two mail facilities, we
interviewed officials from the previously cited DOD offices as well as
the Office of the Assistant Secretary of Defense for Public Affairs,
Military:
Postal Service Agency, Joint Program Executive Office for Chemical and
Biological Defense, and General Services Administration. We also
interviewed DHS officials from the Science and Technology Directorate
and DHS's Mail Management Program. We obtained and analyzed pertinent
information on all identified actions. For example, with respect to
actions taken at the Pentagon, we reviewed the new mail-screening
contract, recent interagency agreements, and the Pentagon's draft (1)
mail-screening operating procedures, (2) laboratory procedures, (3)
notification procedures, and (4) procedures for communicating
information to the public. For actions taken in response to the
incident at the Skyline Complex, we reviewed TMA's mail-screening
procedures, DOD's directive prohibiting the use of biosafety cabinets
in certain environments, and the Skyline Complex occupant emergency
plan, all of which were issued after the March 2005 incidents.
To determine the extent to which the actions taken address the problems
that arose at the two mail facilities during the March 2005 incidents,
we reviewed and analyzed, among other things, the Pentagon's new mail-
screening contract and its draft (1) mail-screening operating
procedures, (2) laboratory procedures, (3) notification procedures, and
(4) procedures for communicating information to the public. To assess
whether the actions appeared to resolve the problems that arose during
the incidents, we compared policy and procedural changes to applicable
criteria, including criteria contained in DOD's mail manual, GSA's
regulations and guidance, CDC guidance, GAO Internal Controls
Standards, the NRP's Biological Incident Annex, and NIMS. We determined
the status of key recommendations in the after-action reports and,
through our analysis, identified further actions necessary to remedy
the issues that arose. In addition, to provide broader perspective on
issues related to detecting and responding to suspected anthrax
incidents, we reviewed previous studies, congressional testimony, and
other pertinent documents including those prepared by GAO.[Footnote 50]
We performed our work from June 2005 to August 2006 in accordance with
generally accepted government auditing standards.
[End of section]
Appendix II: Comments from the Department of Defense:
Homeland Defense:
Assistant Secretary Of Defense:
2600 Defense Pentagon:
Washington, DC 20301-2600:
Jun 22 2006:
Ms. Kate Siggerud:
General Accountability Office:
441 G Street NW:
Washington, DC 20548:
Dear Ms. Siggerud:
(U) We Appreciate The Opportunity To Comment On The Draft Report, "Mail
Security: Incidents at DOD Mail Facilities Exposed Problems That
Require Further Actions," dated June 2006, (GAO Code 542066/GAO-06-
757C). We note several factual errors in the report, and partially
concur with the recommendations.
(U) The Department of Defense continues to institute emergency
management policies, refine interagency and internal coordination
procedures for potential biological terrorism incidents, and protect
all persons who could potentially be affected in such incidents.
(U) Let me take this opportunity to thank you and your staff for
producing a reasoned and useful report. I am forwarding the
Department's comments on the draft report recommendations at enclosure
one. Recommended technical changes that were identified are at
enclosure two.
Sincerely,
Sincerely,
Peter F. Verga:
Principal Deputy:
Enclosures:
1. DoD comments:
2. Technical changes:
GAO Draft Report - Dated May 23, 2006 GAO Code 542066/GAO-06-757C "Mail
Security: Incidents at DoD Mail Facilities Exposed Problems That
Require Further Actions"
Department Of Defense Comments:
Recommendation 1: The GAO recommends that DoD ".ensure that any future
medical decision reached during potential or actual acts of bio-
terrorism at the Pentagon Reservation result from the participatory
decision-making framework specified in the NRP and the NIMS.
DoD Response: DoD partially concurs. While coordination in such events
is highly desirable and was, in fact, performed in these incidents, the
GAO recommendation, if adopted, could actually serve to confuse an
operational response. The NRP cannot be read selectively. Two other
portions of the NRP significantly apply in this situation, but are
omitted from the report. Page 2 the NRP states, "Nothing in this plan
alters or impedes the ability of Federal. departments and agencies to
carry out their specific authorities or perform their responsibilities
under all applicable laws, Executive orders, and directives."
Additionally, on pages 3-4 the subject of the NRP's applicability is
described and the criteria for an Incident of National Significance are
stipulated. During these incidents, none of these criteria were
reached. Accordingly, the NRP was not in effect for the response to
these incidents and, if NRP had been in effect, the authorities of the
Secretary of Defense are not altered or impeded by the plan.
The Department of Defense has the medical authority to act in a timely
manner to provide the best possible medical protection for its
personnel at potential risk in an incident of this nature. As noted in
the report, the DoD is developing a new policy to define the roles and
responsibilities of senior DoD leadership in emergency management and
incident command on the Pentagon reservation - including those making
medical treatment decisions.
Recommendation 2: GAO recommends that DoD ".ensure that appropriate
officials at all of DoD's mail facilities develop effective mail
security plans in accordance with GSA's mail management regulation and
guidance and DoD's mail manual."
DOD Response: DoD concurs. Military postal authorities are evaluating
the most effective assurance method and are considering reporting
methodologies for GSA and DoD guidance compliance.
Recommendation 3: GAO recommends that DoD ".ensure that a competent DOD
authority conducts a DoD-wide review of all of its mail security
plans."
DOD Response: DoD concurs. Military postal authorities are evaluating
the most effective assurance method and are considering reporting
methodologies for GSA and DOD guidance compliance.
Recommendation 4: GAO recommends that DoD ".determine whether (1) bio-
safety cabinets are being used at mail facilities within DoD leased
space in the national capital region and, if so, (2) the equipment is
being operated within the context of a comprehensive mail-screening
program. If the use of bio-safety cabinets does not comply with the
criteria specified in the Director of Administration and Management's
January 2006 directive, ensure that the equipment will not be
operated."
DOD Response: DoD Concurs. The Pentagon Force Protection Agency (PFPA)
will immediately determine compliance with the January 2006 DA&M memo.
Additionally, PFPA will incorporate procedures for reviewing mail
screening programs into their Antiterrorism Vulnerability Assessments,
which are conducted annually at each of the DoD leased facilities in
the NCR.
[End of section]
Appendix III: Comments from the General Services Administration:
GSA Office of Governmentwide Policy:
Jun 19 2006:
Ms. Katherine A. Siggerud:
Director:
Physical Infrastructure Issues:
Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Ms. Siggerud:
Thank you for the opportunity to comment on the draft Government
Accountability Office (GAO) Report, Mail Security: Incidents at
Department of Defense (DOD) Mail Facilities Exposed Problems That Are
Not Yet Fully Resolved (GAO-06-757C).
The draft report paraphrases and refers to GSA regulations regarding
mail security at several points. All of these paraphrases and
references are accurate and appropriate, with one exception. On Page
28, the draft report says: "GSA's Federal Mail Management Regulation
requires that facility level mail security plans be annually reviewed
at the agency's level." The issue we have is with the phrase: "at the
agency's level."
The actual text of the regulation says: "The annual report must state
that all facility security plans have been reviewed by a competent
authority within the past year." (FMR 102-192.60). The regulation
provides that a competent authority must review all security plans, but
it does not say that this review must be performed at the agency's
level. An agency's level review of every facility's security plan would
be an intolerable burden in agencies such as the DOD and the Department
of Agriculture that have thousands of facilities.
We look forward to seeing this report in its final form. Its
recommendations and implications will be important to all Federal mail
facilities. If you have any questions, please contact Mr. Henry Maury,
Office of Travel, Transportation and Asset Management, on (202) 208-
7928.
Sincerely,
Signed by:
Stan Kaczmerczyk for:
John G. Sindelar:
Acting Associate Administrator:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Katherine A. Siggerud, (202) 512-2834 or siggerudk@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, Kathleen Turner (Assistant
Director), David Hooper, Daniel Klabunde, Steve Martinez, Josh Ormond,
Stanley Stenersen, and Johanna Wong made key contributions to this
report.
FOOTNOTES
[1] A third incident occurred at a DOD mail facility at the Bolling Air
Force Base in Washington, D.C. That incident--also a false alarm--was
not connected to the Pentagon and Skyline Complex incidents and,
therefore, is not discussed in this report.
[2] The Office of the Administrative Assistant to the Secretary of the
Army--the organization responsible for managing DOD's mail--also
reviewed the draft report and concurred "without comment."
[3] We have issued a number of reports on the response to these
incidents. See, for example, GAO, U.S. Postal Service: Better Guidance
Is Needed to Ensure an Appropriate Response to Anthrax Contamination,
GAO-04-239 (Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public
Health Response to Anthrax Incidents of 2001, GAO-04-152 (Washington,
D.C.: Oct. 15, 2003); and U.S. Postal Service: Better Guidance Is
Needed to Improve Communication Should Anthrax Contamination Occur in
the Future, GAO-03-316 (Washington, D.C.: Apr. 7, 2003).
[4] See GAO, Anthrax Detection: Agencies Need to Validate Sampling
Activities in Order to Increase Confidence in Negative Results, GAO-05-
251 (Washington, D.C.: Mar. 31, 2005).
[5] In March 2005, LRN consisted of 147 laboratories that, according to
CDC, had demonstrated the ability to meet and maintain CDC's testing
standards.
[6] Medical treatment, as used in this report, means administering
postexposure prophylaxis to exposed individuals.
[7] GSA issues regulations under the authority of the Federal Records
Management Amendments of 1976 (Section 2 of Public Law 94-575, 44
U.S.C. 2901-2904), which requires the GSA Administrator--the executive
head of GSA--to provide assistance to federal agencies on records
management, including the processing of mail. See 41 CFR Parts 101-9
and 102-192.
[8] GSA, Mail Communications Policy Office, Mail Center Security Guide,
3rd edition (Washington, D.C., 2004); and National Guidelines for
Assessing and Managing Biological Threats in Federal Mail Facilities
(Washington, D.C., Dec. 29, 2003).
[9] DOD's requirements are described in the DOD Instruction 4525.8 and
DOD Manual 4525.8M, effective December 2001.
[10] This requirement is contained in GSA's regulations for managing
property. See 41 CFR Sec. 102-74.230.
[11] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[12] TMA provides administrative support to DOD's civilian health and
medical program for the uniformed services.
[13] A portion of TMA's mail destined for the Skyline Complex is
screened at the Pentagon and picked up from an office inside the
Pentagon.
[14] 10 USC Sec. 2674(f)(1) defines the Pentagon Reservation as the
area of land (consisting of approximately 280 acres) and improvements
thereon, located in Arlington, Virginia, on which the Pentagon Office
Building, Federal Office Building #2, the Pentagon heating and sewage
treatment plants, and other related facilities are located, including
various areas designated for the parking of vehicles.
[15] The mail-screening technicians were not evacuated and, instead,
remained isolated in the mail-screening facility, according to PFPA
officials.
[16] Other conference calls occurred over the next few days.
[17] The two laboratories at Fort Detrick are associated with the
United States Army Medical Research Institute of Infectious Diseases
and the National Bioforensic Analysis Center.
[18] GSA leases office space at the Skyline Complex for federal
agencies, including DOD's TMA office.
[19] According to the manager, the PFPA employee thought that the
equipment was an X-ray machine.
[20] The biosafety cabinet was destroyed as a result of efforts to
extract its filters for testing.
[21] The National Institute is the federal agency responsible for
conducting research into occupational safety and health matters.
[22] CBI was not a part of the LRN in March 2005 and, consequently,
would not have had access to CDC's guidelines and protocols for LRN
laboratories.
[23] The officials noted that PFPA's Chemical, Biological,
Radiological, and Nuclear department did not exist when DOD initially
awarded the mail-screening contract. The laboratory associated with
this department, as well as its current role in the Pentagon's mail
screening, is discussed later in this report.
[24] In its technical comments on a draft of this report, DOD noted
that subsequent training had been conducted, but that the training was
"not as detailed."
[25] As discussed earlier, mail room employees made several
unsuccessful attempts to telephone the manufacturer and the maintenance
contractors for help. In addition, DOD's manager of the complex told us
that she called PFPA for guidance on how the cabinet operated, but the
PFPA official was not aware of the type of equipment in use at the
complex, and consequently, he was not able to tell her what to do.
Finally, an employee called 911, which brought emergency responders
from Fairfax County, Virginia.
[26] 41 CFR §102-192.90.
[27] The Official Mail Manager retired in April 2006.
[28] Related to this, GSA officials told us that GSA does not have the
authority to enforce its reporting requirement.
[29] 41 CFR Ch 102-74.230.
[30] The incident command initially included federal and local agencies
and was used for, among other things, coordinating the evacuation of
the mail screening and remote delivery facilities and the relocation of
potentially affected employees.
[31] Ciprofloxacin is one of several antibacterial drugs, including
amoxicillin and doxycycline, that can be used to treat anthrax
exposure. CDC currently recommends doxycycline for preventive treatment
of anthrax.
[32] Local public health officials explained that their desire to
ensure that potentially affected individuals would be treated
consistently derived from lessons learned in the fall of 2001. At that
time, Capitol Hill staff was also initially provided with ciprofloxacin
for their potential exposure to anthrax; however, Postal Service
employees generally received doxycycline. CDC's recommendations in this
area had changed, but that was not well understood, in part because
ciprofloxacin had been described as the drug of choice in media
reports. Because Postal Service employees generally received
doxycycline--instead of ciprofloxacin--they believed that they had been
given an inferior drug. According to local public health officials,
this misperception was difficult to explain and, together with the
death and illness of exposed postal employees, caused trauma within the
Postal Service community.
[33] Under DOD Directive 6200.3, Emergency Health Powers on Military
Installations, DOD commanders and the designated Public Health
Emergency Officer--in this case, the commander of the DiLorenzo TRICARE
Health Clinic--can take actions to protect installations, facilities,
and personnel in the event of a public health emergency resulting from
biological warfare, terrorism, or a communicable disease epidemic.
[34] According to CDC, antibiotic medical treatment is recommended as
soon as possible after the LRN has obtained a presumptive positive test
result. Such results can be obtained within 2 hours.
[35] The RAND Corporation is a nonprofit research organization. Its
National Defense Research Institutea federally funded research and
development center conducted the review. RAND also examined a third
incident that occurred at a DOD mail facility on the Bolling Air Force
Base. The incident at the Bolling Air Force Base was not connected to
the Pentagon and Skyline Complex incidents. Consequently, that incident
is not discussed in this report.
[36] Except for an unclassified summary, the RAND report is not
available publicly.
[37] The MOU established August 2005 as the deadline for agencies to
begin using mutually accepted testing methods, a date that has long
passed. According to an official from DHS's Science and Technology
Directorate, it will take a considerable amount of additional time to
assess and develop consensus on testing methods. The official estimated
that the process to establish mutually accepted testing methods will be
completed between September 2006 and March 2007.
[38] According to CDC officials, the process involves establishing
equivalency between DOD and LRN testing methods. In addition, they
stated that once mutually accepted methods are established, it will
take additional time to fully implement the testing and response
procedures from an operational standpoint.
[39] A DOD official noted that positive test results are taken in
conjunction with other relevant factors to determine if antibiotics
should be administered.
[40] As discussed, the previous contracting officer's representative
for administering the mail-screening contract was an official from the
Defense Post Office with no expertise or training related to screening
mail for anthrax or other biological hazards. The new contracting
officer's representative is the Director of PFPA's chemical-biological
laboratory located at the Pentagon.
[41] The Director of Administration and Management is the principal
adviser on DOD-wide organizational and administrative management
matters. The Director's responsibilities include providing policy
guidance to DOD components at (1) the Pentagon and (2) DOD-leased space
in the Washington, D.C., area.
[42] Washington Headquarters Services manages DOD-wide programs and
operations for the Pentagon Reservation and DOD-leased facilities in
the Washington, D.C., area.
[43] The national capital region includes the District of Columbia and
11 local jurisdictions in Maryland and Virginia, including Arlington
and Fairfax Counties, where the two incidents occurred.
[44] TMA's previous biosafety cabinet was destroyed during the March
2005 incident. The new cabinet, purchased prior to receiving the
directive, is functionally similar to the old one in that it is not
capable of detecting biological agents and its alarm only indicates an
obstruction in the equipment's airflow.
[45] In January 2006, the President signed into law the National
Defense Authorization Act for Fiscal Year 2006, P.L. 109-163, which
could change the way DOD processes mail at the Pentagon and around the
world. The law requires the Secretary of Defense to submit a report to
Congress on the safety of mail within the military mail system,
including a plan to screen all incoming mail for biological agents.
[46] Specifically, the September 2005 supplement to DOD's mail manual
cites the third edition of GSA's Mail Center Security Guide and GSA's
December 2003 policy advisory entitled National Guidelines for
Assessing and Managing Biological Threats in Federal Mail Facilities.
[47] The Office of the Administrative Assistant to the Secretary of the
Army also reviewed the draft report and concurred "without comment."
[48] Federal Management Regulation, 41 C.F.R. ch. 102, issued by GSA.
[49] U.S. Department of Health and Human Services, Centers for Disease
Control and Prevention, Morbidity and Mortality Weekly Report,
"Responding to Detection of Aerosolized Bacillus anthracis by
Autonomous Detection Systems in the Workplace" (Atlanta, Georgia, June
4, 2004).
[50] See, for example, GAO, U.S. Postal Service: Better Guidance Is
Needed to Ensure an Appropriate Response to Anthrax Contamination, GAO-
04-239 (Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health
Response to Anthrax Incidents of 2001, GAO-04-152 (Washington, D.C.:
Oct. 15, 2003); and U.S. Postal Service: Better Guidance Is Needed to
Improve Communication Should Anthrax Contamination Occur in the Future,
GAO-03-316 (Washington, D.C.: Apr. 7, 2003).
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
