This is the accessible text file for GAO report number GAO-07-1197R 
entitled 'Nuclear Security: DOE and NRC Have Different Security 
Requirements for Protecting Weapons-Grade Material from Terrorist 
Attacks' which was released on September 25, 2007. 


This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

September 11, 2007: 

The Honorable Christopher Shays
Ranking Member, Subcommittee on National Security and Foreign Affairs
Committee on Oversight and Government Reform
House of Representatives

Subject: Nuclear Security: DOE and NRC Have Different Security 
Requirements for Protecting Weapons-Grade Material from Terrorist 
Attacks: 

Dear Mr. Shays: 

In terrorists' hands, weapons-grade nuclear material--known as Category 
I special nuclear material when in specified forms and quantities--can 
be used to construct an improvised nuclear device capable of producing 
a nuclear explosion. Responsibility for the security of Category I 
special nuclear material is divided between the Department of Energy 
(DOE) and the Nuclear Regulatory Commission (NRC). Specifically, DOE 
and the National Nuclear Security Administration (NNSA), a separately 
organized agency within DOE, are responsible for overseeing physical 
security at government-owned and contractor-operated sites with 
Category I special nuclear material. NRC, which is responsible for 
licensing and overseeing commercially owned facilities with nuclear 
materials, such as nuclear power plants, is responsible for regulating 
physical security at those licensees that store and process Category I 
special nuclear material under contract, primarily for DOE. 

Because of the risks associated with Category I special nuclear 
material, both DOE and NRC recognize that effective security programs 
are essential. The key component in both DOE's and NRC's security 
programs is each agency's design basis threat (DBT)--classified 
documents that identify the potential size and capabilities of 
terrorist threats to special nuclear material. To counter the threat 
contained in their respective DBTs, both DOE sites and NRC licensees 
use physical security systems, such as alarms, fences, and other 
barriers; trained and armed security forces; and operational security 
procedures, such as a "two-person" rule that prevents unobserved access 
to special nuclear material. In addition, to ensure DBT requirements 
are being met and to detect potential security vulnerabilities, DOE and 
NRC employ a variety of other measures, including inspection programs; 
reviews; and force-on-force performance tests, in which the site's 
security forces undergo simulated attacks by a group of mock 
terrorists. 

Over the past several years, we have raised concerns about certain 
aspects of security at DOE sites and at NRC-regulated commercial 
nuclear power plants. For example, we reported that DOE had taken some 
action in response to the terrorist attacks of September 11, 2001, but 
that it needed to improve the management of its security 
program.[Footnote 1] In addition, we found that DOE needed to fully 
implement security improvements initiated in response to its DBT, such 
as the consolidation of special nuclear material and the development of 
a better-trained and -organized security force, in order to ensure that 
its sites were adequately prepared to defend themselves.[Footnote 2] 

Regarding NRC, in September 2003, we reported that NRC's oversight of 
security at commercial nuclear power plants needed to be 
strengthened.[Footnote 3] In March 2006, we reported that commercial 
nuclear power plants had upgraded security against terrorist attacks, 
and NRC had improved its force-on-force inspections at these plants. 
However, we found that NRC's DBT process, as it is applied to 
commercial nuclear power plants, should be improved to remove the 
appearance that changes to the DBT were based on what the nuclear 
industry considered feasible to defend against rather than on an 
assessment of the terrorist threat itself.[Footnote 4] While NRC has a 
more rigorous DBT for its licensees that store and process Category I 
special nuclear material than it does for the commercial nuclear power 
plants that it licenses and regulates, NRC uses a similar DBT 
development process for both sets of licensees. 

In this context, you asked us to determine (1) whether DOE's and NRC's 
requirements for protecting Category I special nuclear material from 
terrorist threats differ from one another; (2) the reasons for any 
differences between these requirements; and (3) if, as a result, there 
are differences between how NRC-licensed facilities that store and 
process Category I special nuclear material and how DOE facilities that 
store and process Category I special nuclear material are defended 
against a terrorist attack. In February 2007, we reported to you on the 
results of our work in a classified report.[Footnote 5] Subsequently, 
you asked us to provide you with an unclassified summary of our report. 
This report provides the unclassified summary. We conducted our work 
for this report between May 2007 and September 2007 in accordance with 
generally accepted government auditing standards. 

In summary: 

Historically, DOE and NRC have sought comparability in their respective 
DBTs because DOE sites and NRC licensees often deal with the same types 
of Category I special nuclear material. For example, in 2000, NRC 
imposed additional security requirements on its licensees because, as 
it stated at the time, NRC is responsible for ensuring that weapons-usable 
material in the commercial sector receives protection comparable 
with that provided to similar DOE material. Following the September 11, 
2001, terrorist attacks, both DOE and NRC put in place more demanding 
DBTs. NRC issued its most recent DBT in 2003, and DOE issued its most 
recent DBT in 2005. More importantly, even though DOE's sites and NRC's 
licensees store and process similar weapons-grade nuclear material, the 
DBTs each agency adopted for Category I special nuclear material are 
different. 

Several factors have contributed to the differences between DOE's and 
NRC's DBTs. First, a key document used in the development of DOE's DBT 
was the Postulated Threat to U.S. Nuclear Weapon Facilities and Other 
Selected Strategic Facilities (Postulated Threat). The Postulated 
Threat is developed by the U.S. intelligence community, principally the 
Department of Defense's Defense Intelligence Agency, and the security 
organizations of several different agencies, including DOE and NRC. The 
most recent Postulated Threat, issued in 2003, identified, among other 
things, the most likely threats to U.S. facilities with Category I 
special nuclear material. While NRC participated in the development of 
the Postulated Threat, NRC believes that the Postulated Threat does not 
apply to commercial nuclear facilities such as its licensees. Second, 
DOE and NRC also differ in their consideration of other intelligence 
information in developing their DBTs. In this context, NRC has 
developed its DBT to be within the range of what it has determined are 
the limitations that a private guard force can reasonably be expected 
to defend against. Specifically, NRC believes that the defense against 
threats not contained in its DBT is the responsibility of the federal 
government, in conjunction with state and local governments. Finally, 
even though they did so in the past, since September 11, 2001, DOE and 
NRC have not fully cooperated in sharing classified information on 
potential misuse of Category I special nuclear material. 

Reflecting the differences in their respective DBTs, we found 
differences in the actions DOE sites and NRC licensees are taking to 
increase their preparedness to defeat a large and sophisticated 
terrorist attack. For example, currently, NRC licensees do not have the 
same legal authority as DOE sites to acquire heavier weaponry, such as 
fully automatic weapons, or the same legal authority to use deadly 
force to protect special nuclear material. NRC is pursuing new 
regulations, authorized by the Energy Policy Act of 2005, to allow its 
licensees to use automatic weapons, but expects to take from 1 to 2 
years to issue such regulations. At the same time, DOE is implementing 
plans that, if fully realized, will further increase security at its 
sites. These plans include developing and deploying improved security 
technologies; consolidating special nuclear material into fewer, better 
protected locations; and providing better training and equipment for 
its security forces. Finally, DOE has better developed tools for 
assessing security preparedness and understanding vulnerabilities, such 
as computer modeling and force-on-force testing programs that simulate 
terrorist attacks on facilities. However, NRC is in the process of 
adopting computer modeling and implementing a new force-on-force 
testing program. 

A successful attack on a facility with Category I special nuclear 
material could have unacceptable human, economic, and symbolic 
consequences. Consequently, we believe that, regardless of location, 
there should not be differences in the protection of Category I special 
nuclear material. To address these differences, we made a series of 
recommendations in our February 2007 report, including the following: 

* DOE and NRC should develop a common DBT for DOE sites and NRC 
licensees that store and process Category I special nuclear material. 

* NRC should expedite its efforts to ensure that its licensees have the 
same legal authorities to acquire heavier weaponry and use deadly force 
as DOE sites currently have to protect such material. 

* DOE and NRC should cooperate in establishing computer modeling 
capabilities and force-on-force performance testing programs to better 
assess security preparedness and detect vulnerabilities. 

In addition, we recommended that Congress should consider amending the 
Atomic Energy Act of 1954, as amended, to give NRC licensees the same 
legal authority to use deadly force as DOE sites have to protect 
Category I special nuclear material. 

We provided DOE and NRC with a draft of our February 2007 report for 
review and comment. Overall, DOE, through NNSA, and NRC agreed with 
several of our recommendations. Specifically, both NNSA and NRC agreed 
to cooperate on improving force-on-force performance testing and 
computer modeling. NRC also agreed that obtaining legal authority to 
acquire heavier weapons and to clarify policies on the use of deadly 
force to protect Category I special nuclear material could enhance 
security at its licensees. NRC cited ongoing efforts in both areas. 
Finally, NNSA supported having Congress amend the Atomic Energy Act to 
provide NRC licensees with the legal authority to use deadly force to 
protect Category I special nuclear material. However, NNSA and NRC did 
not support our recommendation to develop a common DBT for facilities 
that store and process Category I special nuclear material. 
Specifically, in its comments on our report, NRC stated that it 
believes that it is more important to set protection levels that are 
appropriate for the potential scenarios that involve the malevolent use 
of the nuclear materials stored or handled at a given site. NRC also 
stated that both agencies have recognized that protection strategies 
may differ between the sites they oversee based on the type, form, 
purpose and quantity of material at their sites. However, in our 
evaluation of the agency's comments, we noted that all of the sites and 
licensees have one important thing in common--they all possess 
significant quantities of Category I special nuclear material. As such, 
we believe there should not be differences in their level of 
protection. 


As arranged with your office, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 14 days 
after the date of this report. We will then send copies to appropriate 
congressional committees, the Secretary of Energy; the Administrator, 
NNSA; the Chairman of the Nuclear Regulatory Commission; and the 
Director of the Office of Management and Budget. We will make copies of 
this report available to others upon request. This report will also be 
available at no charge on GAO's Web site at http://www.gao.gov. 

If you or your staff have any questions about this report or need 
additional information, please contact me at (202) 512-3841 or 
aloisee@gao.gov. Contact points for our Office of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. James Noel, Assistant Director, and Jonathan Gill made key 
contributions to this report. 

Sincerely yours, 

Signed by:

Gene Aloise
Director, Natural Resources and Environment

(360882)

FOOTNOTES: 

[1] GAO, Nuclear Security: NNSA Needs to Better Manage Its Safeguards 
and Security Program, GAO-03-471 (Washington, D.C.: May 30, 2003). 

[2] GAO, Nuclear Security: DOE Needs to Resolve Significant Issues 
Before It Fully Meets the New Design Basis Threat, GAO-04-623 
(Washington, D.C.: Apr. 27, 2004); and Nuclear Security: DOE's Office 
of the Under Secretary for Energy, Science, and the Environment Needs 
to Take Prompt, Coordinated Action to Meet the New Design Basis Threat, 
GAO-05-611 (Washington, D.C.: July 15, 2005). 

[3] GAO, Nuclear Regulatory Commission: Oversight of Security at 
Commercial Nuclear Power Plants Needs to Be Strengthened, GAO-03-752 
(Washington, D.C.: Sept. 4, 2003). 

[4] GAO, Nuclear Power Plants: Efforts Made to Upgrade Security, but 
the Nuclear Regulatory Commission's Design Basis Threat Process Should 
Be Improved, GAO-06-388 (Washington, D.C.: Mar. 14, 2006). 

[5] GAO, (U) Nuclear Security: DOE and NRC Security Requirements for 
Special Nuclear Material, GAO-07-41C (Washington, D.C.: Feb. 16, 2007).


Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: 

U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Susan Becker, Acting Manager, Beckers@gao.gov (202) 512-4800: 

U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: