This is the accessible text file for GAO report number GAO-12-710R entitled 'Defense Infrastructure: The Navy's Use of Risk Management at Naval Stations Mayport and Norfolk' which was released on July 13, 2012. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-12-710R: United States Government Accountability Office: Washington, DC 20548: July 13, 2012: Congressional Committees: Subject: Defense Infrastructure: The Navy's Use of Risk Management at Naval Stations Mayport and Norfolk: The recent financial crisis, emerging political unrest in nations around the globe, and the impact of significant natural disasters are causing organizations of all types and sizes to place increasing emphasis on robust risk management practices. The 2010 Quadrennial Defense Review Report[Footnote 1] states that risk management is vital to the Department of Defense's (DOD) success and that although it is difficult, risk management is central to effective DOD decision making. In an uncertain fiscal environment, while facing the threat of terrorism and natural disasters, the Navy must continually manage and assess the threats to and the vulnerabilities of its installations and assets. According to Navy officials, since the terrorist attack on the USS Cole in 2000 and the terrorist attacks of September 11, 2001, DOD has enhanced and updated its antiterrorism/force protection standards and physical security requirements for all DOD assets and installations. The Navy performs risk management at all levels of its headquarters and command structure for all of its operations and assets, including naval installations where nuclear-powered aircraft carriers and other high-value Navy assets[Footnote 2] are located. In Senate Report 112-26, accompanying a proposed bill for the National Defense Authorization Act for Fiscal Year 2012 (S. 1253), GAO was directed to conduct an analysis of certain matters related to the Navy's plan to establish a second East Coast homeport for a nuclear- powered aircraft carrier, including the risks the plan seeks to address.[Footnote 3] Our reporting objectives were to determine the extent to which the Navy (1) conducts risk management to identify and assess the risk associated with its force structure and high-value assets, including the risk associated with homeporting nuclear-powered aircraft carriers on the East Coast, and (2) has taken actions to mitigate any identified risks. To gain an understanding of how the Navy conducts risk management to identify and assess the risk associated with its force structure and high-value assets, including the risk associated with homeporting nuclear-powered aircraft carriers on the East Coast, and the actions it has taken to mitigate any identified risks, we interviewed cognizant officials from the Department of the Navy and reviewed and analyzed relevant Navy documents and instructions, such as the draft strategic laydown and dispersal policy and guidance document.[Footnote 4] In addition, we conducted a literature search to identify relevant guiding principles and leading practices of risk management used by DOD, the services, the private sector, and GAO. Based on our analysis of these risk management practices, we found commonalities among them and identified five basic guiding principles of risk management: (1) identify risks, (2) analyze risks, (3) plan for risk mitigation, (4) implement a risk mitigation action plan, and (5) track risks and mitigation action plan implementation. Further, we interviewed knowledgeable officials from the Joint Staff, the Defense Threat Reduction Agency, and the Navy to obtain an understanding of the Navy's actions to mitigate (eliminate or reduce) risk associated with homeporting nuclear-powered aircraft carriers at Naval Stations Mayport and Norfolk. We interviewed officials from the Naval Facilities Engineering Command to obtain relevant information and an understanding of the current Unified Facilities Criteria, which provides technical criteria and standards pertaining to planning, design, construction, and operation and maintenance of DOD real property facilities. We obtained documents and interviewed officials from the Naval Criminal Investigative Service to understand its performance of threat assessments of the areas surrounding the naval installations on the East Coast. To obtain an understanding of the U.S. Coast Guard's role and responsibilities regarding the Navy's high- value assets, such as nuclear-powered aircraft carriers, we interviewed Coast Guard officials. These officials provided us with the Coast Guard's Domestic Port Security Assessments for the Jacksonville and Norfolk ports. We also interviewed officials from DOD's Cost Assessment and Program Evaluation Office; the Office of the Secretary of the Navy; the Office of the Chief of Naval Operations; Fleet Forces Command; and the Commander, Navy Installations Command. To gain an understanding of the actions the Navy has taken to mitigate risks associated with homeporting nuclear-powered aircraft carriers on the East Coast, we obtained the vulnerability assessment reports for Naval Stations Mayport and Norfolk and analyzed them to determine the types of assessments completed, vulnerabilities identified, recommendations made, and courses of action or mitigation action plans developed to correct the identified vulnerabilities. Further, we obtained an understanding of a database maintained in the Joint Staff Core Vulnerability Assessment Management Program. This database is used to identify, analyze, prioritize, track, and manage antiterrorism vulnerabilities at DOD's installations, including naval stations. Through document reviews and interviews with officials at the Joint Staff and the Defense Technical Information Center who are knowledgeable about the Joint Staff Core Vulnerability Assessment Management Program database, the data it contains, and the internal controls used to maintain the integrity of the data, we determined that the data were sufficiently reliable to verify that the mitigation action plans are tracked and monitored. We conducted this performance audit from July 2011 to July 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Summary: The Navy follows the five basic guiding principles for managing risk at the strategic, environmental, and operational levels before making decisions about the placement and operation of its force structure-- including the placement of nuclear-powered aircraft carriers on the East Coast of the United States. The Navy does not conduct any unique risk assessment for its nuclear-powered aircraft carriers at naval installations; rather, nuclear-powered aircraft carriers are high- value assets that are included in the Navy's overall risk management process. At the strategic level, Office of the Secretary of the Navy and Office of the Chief of Naval Operations headquarters staff have identified and analyzed risks, such as emerging threats from hostile nation-states, which could make demands on homeland defense capabilities. Since 2004, according to Navy officials, the Navy has been using its strategic laydown and dispersal methodology in dividing its force structure and assets between the Atlantic and Pacific Fleets. In addition, officials stated that there may be adjustments to the Navy's current split of assets between the Atlantic and Pacific Fleets based on direction from the President that is reflected in DOD's January 2012 defense strategic guidance, which emphasizes rebalancing defense assets in the Pacific region. Furthermore, naval guidance indicates that the Navy seeks to operate around the world in an environmentally responsible manner, both ashore (installations) and afloat (ships), and work with stakeholders to ensure that it follows environmental laws, regulations, and policies.[Footnote 5] Since the terrorist attacks of 2000 and 2001, the Navy's risk management at the operational level has included conducting threat assessments for areas surrounding naval installations, as well as the installations themselves, and providing increased protection for high-value assets, such as nuclear-powered aircraft carriers. In addition, since the terrorist attacks, the Coast Guard has at times been providing escorts to the Navy's high-value assets. The Coast Guard officials also noted that the communication of threat information among stakeholders in the Hampton Roads Regional Threat Working Group in Virginia has been much improved during this period. The Navy has taken some actions to mitigate risk associated with homeporting nuclear-powered aircraft carriers at two East Coast naval installations. A naval installation and its high-value assets--such as nuclear-powered aircraft carriers--may be susceptible to the threat of a terrorist attack. The risk of becoming the target of such an attack is affected by vulnerabilities at the installation. As part of its ongoing risk management process to identify and assess vulnerabilities at installations, DOD requires that many of its installations undergo an annual antiterrorism vulnerability assessment.[Footnote 6] According to security experts who conduct the annual vulnerability assessments, they determine whether the installation is in compliance with DOD's 32 antiterrorism standards, such as establishing and implementing an antiterrorism program. During our site visits, we found that vulnerability assessments were performed at Naval Stations Mayport, Florida, and Norfolk, Virginia, on an annual basis. In addition, we found that the two naval stations had developed mitigation action plans and identified different possible courses of action to eliminate or mitigate the vulnerabilities and reduce the risk to the installations. The installation commander is responsible for protecting the installation and its assets--including nuclear- powered aircraft carriers--and selects the course of action that most effectively mitigates the vulnerability. Finally, as part of their ongoing risk management process, Naval Stations Mayport and Norfolk conduct four integrated training events each year, as directed by Commander, Naval Installations Command guidance.[Footnote 7] These training exercises focus on enhancing skills in emergency management, fire protection, and force protection conditions. Background: Navy Designated Naval Station Mayport, Florida, as a Second East Coast Homeport for Nuclear-Powered Aircraft Carriers: The Navy has been reporting to Congress and congressional subcommittees, since the 1990s, on its development of plans for making Naval Station Mayport a potential homeport for nuclear-powered aircraft carriers. In March 1997, the Navy released a programmatic environmental impact statement[Footnote 8] to evaluate the environmental impact of homeporting a nuclear-powered aircraft carrier at this location. In 2001, the Quadrennial Defense Review Report called for the Navy to provide more warfighting assets more quickly to multiple locations. In order to meet this new demand, the Navy made a preliminary decision to homeport additional fleet surface ships at Naval Station Mayport. The Navy completed the final environmental impact statement for this action in 2008.[Footnote 9] On January 14, 2009, the Navy issued its record of decision to homeport a nuclear- powered aircraft carrier at Naval Station Mayport.[Footnote 10] Further, the 2010 Quadrennial Defense Review Report stated that the United States Navy will homeport an East Coast carrier in Mayport, Florida, as one of its defense postures in the Western Hemisphere to mitigate the risk of a terrorist attack, accident, or natural disaster. According to the Navy's record of decision, the need to develop a hedge against the potentially crippling results of a catastrophic event was ultimately the determining factor in the Navy's decision to establish a second nuclear-powered aircraft carrier homeport on the East Coast of the United States. Figure 1 shows the locations of five homeports for the Navy's nuclear-powered aircraft carriers on the East and West Coasts as well as in Japan as of fiscal year 2012. Figure 1: Navy's Nuclear-Powered Aircraft Carrier Homeports as of Fiscal Year 2012: [Refer to PDF for image: illustrated U.S. map] Everett Naval Station: Everett, Washington; 2 aircraft carriers Naval Base Kitsap: Bremerton, Washington 1 aircraft carrier. Norfolk Naval Station: Norfolk, Virginia; 5 aircraft carriers. North Island Naval Air Station: San Diego, California; 2 aircraft carriers Yokosuka Naval Base: Yokosuka, Japan; 1 aircraft carrier. Source: GAO analysis of Navy's data. [End of figure] In addition, in 2009 and 2010, the House Committee on Armed Services directed that we report on multiple matters related to the Navy's decision to homeport a nuclear-powered aircraft carrier at Naval Station Mayport.[Footnote 11] Our previous reports on the Navy's decision are listed at the end of this report. According to a Navy official, because of the current budget situation, the Navy is presently reviewing all of its decisions, including the decision to homeport a nuclear-powered aircraft carrier at Naval Station Mayport. Principles of Risk Management: According to Standards for Internal Control in the Federal Government, [Footnote 12] risk management is an aspect of management control that is built into an organization as part of its infrastructure, to help managers run the organization and achieve its objectives. Because governmental, economic, industry, regulatory, and operating conditions continually change, mechanisms should be provided to identify and deal with any special risks prompted by such changes. Risk identification methods may include qualitative and quantitative ranking activities. Once risks have been identified, the organization should analyze the risks and their potential impact and decide what actions are needed to manage and mitigate (eliminate or reduce) them. In researching guidelines and leading practices for risk management, [Footnote 13] we found that risk management is a continuous process, for which an organization's management and personnel should be responsible. In addition, we found commonalities among these guidelines and leading practices and identified five basic guiding principles of risk management: (1) management and personnel identify risks; (2) they analyze risks; (3) after analyzing the risks, they create a plan that identifies different possible courses of action to mitigate the identified risk; (4) when a plan for risk mitigation is approved, management and personnel implement the risk mitigation action plan; and (5) they track risks and mitigation action plan implementation to determine if the plan was successful in mitigating the risk. In addition, the Defense Risk Management Framework described in the 2010 Quadrennial Defense Review Report and the private sector's Enterprise Risk Management--Integrated Framework suggest that risk management should be performed across the whole organization in order to achieve its strategic and operational objectives. The Navy Follows the Five Basic Guiding Principles for Risk Management at the Strategic, Environmental, and Operational Levels: In making decisions about the placement and operation of its naval force structure around the world--including the placement of nuclear- powered aircraft carriers on the East Coast of the United States--the Navy follows the five basic guiding principles for managing risk at the strategic, environmental, and operational levels. We found that the Defense Risk Management Framework described in the 2010 Quadrennial Defense Review Report and the Navy's Operational Risk Management contain the five basic guiding principles for risk management. During our review, we found various organizations both inside and outside of the Navy that perform risk management before decisions on the placement of the Navy's force structure and high- value assets--including nuclear-powered aircraft carriers--are finalized. These organizations reported that they then continuously manage the risks associated with naval operations and assets. We also found that the Navy does not conduct any unique risk assessment for its nuclear-powered aircraft carriers at naval installations; rather, nuclear-powered aircraft carriers are included in the Navy's overall risk management process applicable to all assets the Navy determines to be of high value. Strategic Level: At the strategic level, the Office of the Secretary of the Navy and the Office of the Chief of Naval Operations headquarters staff have identified and analyzed risks, such as emerging threats from hostile nation-states, which could make demands on homeland defense capabilities. According to officials from the Office of the Chief of Naval Operations, in response to the Navy's analysis of these and other risks, they developed and implemented a plan to position and distribute the Navy's force structure between the Atlantic and Pacific Fleet commands and among naval installations. According to these Navy officials, the draft strategic laydown and dispersal plan functions as a mitigation action plan for risks such as the following (not an inclusive list): * challenges in meeting planned shipbuilding and aircraft procurement schedules; * unexpected terrorist attacks or intentional obstruction of international waterways or other critical lines of communication; * major changes to force structure or programs; * major changes to projected future operational demands for contingency operations, including changes in operational concepts, roles and missions, or required response times; * increased requirements for homeland defense, including changes to antiterrorism and force protection at naval installations; and: * significant changes to future infrastructure, such as elimination of military construction projects or future Base Closure and Realignment Commission reports, operational availability, access to ranges and support, port services, and quality of service and life. According to Navy officials, the draft laydown and dispersal plan and the risks it addresses are updated and tracked during the annual budgeting process or when there are revisions to the President's strategic direction to DOD[Footnote 14] that will affect its military defense plan and the Navy's maritime plan. As of February 2012, the Navy's draft strategic laydown and dispersal plan divides naval forces between the Atlantic and Pacific Fleets and discusses distributing ships and other forces by homeport. Since 2004, according to Navy officials, the Navy has been using its strategic laydown and dispersal methodology in dividing its force structure and assets between the Atlantic and Pacific Fleets. In addition, officials stated that there may be adjustments to the Navy's current split of assets between the Atlantic and Pacific Fleets based on direction from the President that is reflected in DOD's January 2012 defense strategic guidance, which emphasizes rebalancing defense assets toward the Pacific region. Environmental Level: Navy guidance indicates that the Navy seeks to operate around the world in an environmentally responsible manner, both ashore (installations) and afloat (ships), and work with stakeholders to ensure that it follows environmental laws, regulations, and policies. [Footnote 15] If the Navy proposes to undertake certain actions that have the potential for significant environmental impact, it identifies and analyzes the environmental risks in the course of preparing environmental planning documents, such as an environmental survey, environmental assessment, or full environmental impact statement, and may develop a plan to mitigate them.[Footnote 16] Mitigation action plans describe the costs and benefits of several different possible courses of action to reduce environmental risks. For example, before finalizing decisions on where to place Atlantic Fleet surface ships and supporting infrastructure, the responsible naval commands identified and analyzed environmental risks, such as contamination of the water and air as a result of dredging at a particular location, or encroachment risks to endangered species. The Naval Facilities Engineering Command prepared an environmental impact statement in November 2008, which evaluated environmental risks and courses of action for homeporting Atlantic Fleet surface ships at Naval Station Mayport. In addition, Fleet Forces Command developed and implemented mitigation action plans to address the risks of natural disasters to naval assets on the East Coast. For example, to reduce the risk to ships and aircraft, Fleet Forces Command provides operational guidance for these valuable naval assets that describes general conditions of readiness, including evacuation within 48 hours when a tropical storm or hurricane is expected to strike a location. According to an official from the National Oceanic and Atmospheric Administration, the hurricane return periods are now calculated based on a 50-nautical- mile radius,[Footnote 17] which has the effect of making the hurricane return periods longer. In other words, a hurricane return period means that a Category 1 to 5[Footnote 18] hurricane passed within 50 nautical miles of that location. For example, using calculations based on the 50-nautical-mile radius, the return period for all categories of hurricanes to the Norfolk area is now 11 years; for the Jacksonville area, which includes Naval Station Mayport, the return period is 13 years. Operational Level: Since the terrorist attacks of 2000 and 2001, the Navy's risk management at the operational level has included conducting threat assessments for areas surrounding naval installations, as well as for the installations themselves, and providing increased protection for high-value assets, such as nuclear-powered aircraft carriers. For example, the Naval Criminal Investigative Service performs threat assessments to identify and analyze the risks of terrorist or criminal activity near naval installations. In addition, the Coast Guard, via Domestic Port Security Assessment reports,[Footnote 19] provides another level of awareness of threats to naval homeports. The results of these assessments are routinely communicated to the staff of the Commander, Navy Installations Command; naval station commanders; and regional threat working groups. Based on the results of these threat assessments and the identified risks, the staff from the Commander, Navy Installations Command uses the threat data to develop its risk- informed investment strategy, which supports the command's request to fund mitigation action plans to reduce risk to Navy assets. Moreover, during the Navy's annual budget process, the Commander, Navy Installations Command briefs the Office of the Secretary of the Navy regarding the risk-informed investment strategy. In addition, officials at the Coast Guard in the Hampton Roads and Jacksonville sectors and Navy officials at Naval Stations Mayport and Norfolk told us that since the terrorist attack on the USS Cole in 2000 and the terrorist attacks of September 11, 2001, they have enhanced security in and around these naval installations. For example, according to Coast Guard officials, there is a restricted area around all naval high-value assets, such as nuclear-powered aircraft carriers and naval stations. In addition, Navy officials stated that the Unified Facilities Criteria regulations have been restructured to provide for the fortification of installation buildings against terrorist attacks, and DOD has updated its antiterrorism/force protection standards and physical security requirements for DOD installations, including naval installations. Officials from Naval Stations Mayport and Norfolk stated that DOD's updated antiterrorism standards have brought about enhancements to all facets of the antiterrorism/force protection and physical security efforts on their installations. Furthermore, we interviewed Coast Guard officials from Jacksonville and Hampton Roads and found that they provide escort services for the Navy's high-value assets, which include nuclear-powered aircraft carriers, using Coast Guard harbor patrol boats. For example, Coast Guard District 7 (Jacksonville sector) officials stated that their patrol boats have been providing escorts to the Navy's high-value assets as they travel to and from the port basin at Naval Station Mayport. Coast Guard officials in both the Hampton Roads and Jacksonville sectors stated that they have been sharing threat information about criminal activity or terrorist cells with the Navy installations and have participated in the installations' training exercises for emergency consequence management and deterring or responding to terrorist attacks. The naval installations have also participated in Coast Guard training exercises. Naval officials at Naval Station Norfolk noted that the communication of threat information among stakeholders in the Hampton Roads Regional Threat Working Group is much improved since the terrorist attacks of September 2001. The Navy Has Taken Some Actions to Mitigate Risk Associated with Homeporting Nuclear-Powered Aircraft Carriers at Two East Coast Naval Installations: The Navy has taken some actions to mitigate risk associated with homeporting nuclear-powered aircraft carriers at two East Coast naval installations. For example, based on vulnerability assessments performed at Naval Stations Mayport and Norfolk, these installations have developed mitigation action plans to address identified risks. A naval installation and its high-value assets--such as nuclear-powered aircraft carriers--may be susceptible to the threat of a terrorist attack. The risk of becoming the target of such an attack is affected by vulnerabilities at the installation. As part of its ongoing risk management process to identify and assess vulnerabilities at installations, DOD requires that many of its installations undergo an annual antiterrorism vulnerability assessment.[Footnote 20] According to the security experts who conduct the assessments, they determine whether the installation is in compliance with DOD's 32 antiterrorism standards, such as establishing and implementing an antiterrorism program and complying with antiterrorism construction standards in the Unified Facilities Criteria.[Footnote 21] The assessments can be performed by the Joint Staff Integrated Vulnerability Assessment Team, a higher-headquarters vulnerability assessment team, or the installation itself, as a self-assessment. During our site visits, we found that vulnerability assessments were performed at Naval Stations Mayport and Norfolk on an annual basis. Table 1 shows the types of vulnerability assessments that were or will be performed at Naval Stations Mayport and Norfolk from 2006 through 2012. Table 1: Vulnerability Assessments Performed at Naval Stations Mayport and Norfolk Since 2006: Naval Station Mayport: Year: 2012; Type of assessment: Commander, Navy Region Southeast Installation Protection Assessment Cell Assessment (scheduled). Year: 2011; Type of assessment: Self-assessment. Year: 2010; Type of assessment: Joint Staff Integrated Vulnerability Assessment. Year: 2009; Type of assessment: Self-assessment. Year: 2008; Type of assessment: Self-assessment. Year: 2007; Type of assessment: Chief of Naval Operations Integrated Vulnerability Assessment (a higher-headquarters assessment). Year: 2006; Type of assessment: Self-assessment. Naval Station Norfolk: Year: 2012; Type of assessment: Joint Staff Integrated Vulnerability Assessment (scheduled). Year: 2011; Type of assessment: Commander, Navy Region Mid-Atlantic (a higher- headquarters assessment). Year: 2010; Type of assessment: Self-assessment. Year: 2009; Type of assessment: Chief of Naval Operations Integrated Vulnerability Assessment (a higher-headquarters assessment). Year: 2008; Type of assessment: Commander, Navy Region Mid-Atlantic (a higher- headquarters assessment). Year: 2007; Type of assessment: Self-assessment. Year: 2006; Type of assessment: Joint Staff Integrated Vulnerability Assessment. Source: GAO analysis of Navy data. [End of table] The annual vulnerability assessments identify antiterrorism/force protection and physical security vulnerabilities, assess them, and provide recommendations to mitigate them. These recommendations are considered in developing mitigation action plans to address the identified vulnerabilities and associated risks. The vulnerabilities identified at an installation and the recommendations for mitigating them are recorded in the Joint Staff Core Vulnerability Assessment Management Program database, which is used by the installations to develop, implement, and track mitigation action plans to correct the vulnerabilities and reduce the associated risks at the station. For example, in September and October 2011, the Commander, Navy Region, Mid-Atlantic, conducted a higher-headquarters antiterrorism assessment at Naval Station Norfolk. The vulnerability assessment team consisted of regional and installation antiterrorism specialists; they focused on the station's security operations, structural analysis, emergency management, and the antiterrorism program at the installation. The team analyzed the structural vulnerability of facilities against terrorist bombings and determined whether the level of resources and personnel at the installation could successfully deter a terrorist attack. After analyzing the vulnerabilities, the assessment team provided recommendations for mitigating them. The vulnerability assessment team then recorded its findings in the Joint Staff Core Vulnerability Assessment Management Program database and reviewed the database to determine if the results of prior vulnerability assessments had been reported to the commanding officer and entered into the database. In taking action to address vulnerabilities identified by assessment teams, a naval installation's antiterrorism officer and antiterrorism working group develop mitigation action plans, which propose different possible courses of action to reduce the risk by eliminating or mitigating the identified vulnerabilities. The working group considers the recommendations made by the assessment team in developing the different courses of actions for the mitigation action plans. The working group analyzes the courses of action to consider their cost- effectiveness in reducing risk and then presents its analysis to the installation commander. The installation commander is responsible for protecting the installation and its assets--including nuclear-powered aircraft carriers. The installation commander selects the course of action that will most effectively mitigate the vulnerability and submits it for funding as part of the Navy's budget process. If the selected course of action does not receive funding during the budgeting process, the installation is asked to submit a different course of action to the Commander, Navy Installations Command for review. For example, one naval station submitted a plan to purchase security cameras to monitor a specific area. However, the installation was unable to secure funding for this course of action and, as an interim solution, deployed additional security personnel to patrol the area until the funding could be obtained. Since the terrorist attacks of 2000 and 2001, each of the installations has enhanced the security at its gates and at the waterfront with mitigation actions such as building barrier gates for each pier that homeports a nuclear-powered aircraft carrier. As part of their ongoing risk management process, Naval Stations Mayport and Norfolk conduct four integrated training events each year, as directed by Commander, Navy Installations Command guidance. [Footnote 22] These training exercises are conducted to identify gaps in force protection and emergency management response, including incidents such as chemical, biological, radiological, nuclear, and high-yield explosive events. According to the training officers at Naval Stations Mayport and Norfolk, after each training exercise, lessons learned are captured. For example, Naval Station Mayport conducted an integrated training event in 2010 and 2011 with the Marine Corps, the Federal Bureau of Investigation, the local city police and fire departments, and the British Royal Navy. Based on the lessons learned that were captured during the integrated training events, participants in these events recommended corrective actions to facilitate communication among all emergency responders. These corrective actions have been taken, resulting in improved communications for use in future training events and emergency situations. Agency Comments: We are not making any recommendations in this report. Officials from the Office of the Secretary of Defense, the Department of the Navy, and the Secretary of Homeland Security reviewed a draft of this report and provided technical comments, which we incorporated in the final report as appropriate. We are sending a copy of this report to the Secretary of Defense, the Secretary of the Navy, the Secretary of Homeland Security, and appropriate congressional offices. In addition, this report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. Should you or your staffs have any questions about this report, please contact me at (202) 512-4523 or leporeb@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in the enclosure. Signed by: Brian J. Lepore: Director, Defense Capabilities and Management: Enclosure: List of Committees: The Honorable Carl Levin: Chairman: The Honorable John McCain: Ranking Member: Committee on Armed Services: United States Senate: The Honorable Daniel K. Inouye: Chairman: The Honorable Thad Cochran: Ranking Member: Subcommittee on Defense: Committee on Appropriations: United States Senate: The Honorable Howard P. "Buck" McKeon: Chairman: The Honorable Adam Smith: Ranking Member: Committee on Armed Services: House of Representatives: The Honorable C.W. Bill Young: Chairman: The Honorable Norman D. Dicks: Ranking Member: Subcommittee on Defense: Committee on Appropriations: House of Representatives: [End of section] Enclosure: GAO Contact and Staff Acknowledgments: GAO Contact: Brian J. Lepore, (202) 512-4523 or leporeb@gao.gov: Staff Acknowledgments: In addition to the contact named above, Mark J. Wielgoszynski, Assistant Director; Nicholas P. Benne; Pat L Bohan; Joanne Landesman; Charles Perdue; Carol Petersen; Steven R. Putansu; Michael C. Shaughnessy; and Amie Steele made major contributions to this report. [End of section] Related GAO Products: Defense Infrastructure: Ability of Ship Maintenance Industrial Base to Support a Nuclear Aircraft Carrier at Naval Station Mayport. [hyperlink, http://www.gao.gov/products/GAO-11-388R]. Washington, D.C.: March 29, 2011. Defense Infrastructure: Navy Can Improve the Quality of Its Cost Estimate to Homeport an Aircraft Carrier at Naval Station Mayport. [hyperlink, http://www.gao.gov/products/GAO-11-309]. Washington, D.C.: March 3, 2011. Depot Maintenance: Navy Has Revised Its Estimated Workforce Cost for Basing an Aircraft Carrier at Mayport, Florida. [hyperlink, http://www.gao.gov/products/GAO-11-257R]. Washington, D.C.: March 3, 2011. Defense Infrastructure: Opportunities Exist to Improve the Navy's Basing Decision Process and DOD Oversight. [hyperlink, http://www.gao.gov/products/GAO-10-482]. Washington, D.C.: May 11, 2010. [End of section] Footnotes: [1] Department of Defense, Quadrennial Defense Review Report (February 2010). [2] The Navy describes the following as high-value units, which we refer to in this report as high-value assets: aircraft carriers, amphibious assault ships, ballistic missile submarines, guided missile submarines, attack submarines, and certain Military Sealift Command vessels. See Office of the Chief of Naval Operations Instruction 3880.5, High Value Unit Transit Escort Operations, § 5(a) (June 15, 2010). We also use "high-value asset" to refer to an installation necessary for the support of military operations. [3] See S. Rep. No. 112-26, at 241 (2011). [4] Department of the Navy, Draft Strategic Laydown and Dispersal Strategic Guidance (February 2011). [5] See Office of the Chief of Naval Operations Instruction 5090.1C, Environmental Readiness Program Manual (Oct. 30, 2007) (incorporating change July 18, 2011) (hereinafter OPNAVINST 5090.1C (Oct. 30, 2007) (incorporating change July 18, 2011)). [6] See Department of Defense Instruction 2000.16, DOD Antiterrorism (AT) Standards, encl. 3, § E3.6.1.4 (Oct. 2, 2006) (incorporating change Dec. 8, 2006). [7] See Commander, Navy Installations Command Instruction 5530.14, CNIC Ashore Protection Program, encl. 1, § 0805(c) (July 7, 2011). [8] Department of the Navy, Final Programmatic Environmental Impact Statement for Facilities Development Necessary to Support Potential Aircraft Carrier Homeporting at Naval Station Mayport, Florida (March 1997). [9] Department of the Navy, Final Environmental Impact Statement for the Proposed Homeporting of Additional Surface Ships at Naval Station Mayport, Florida (Nov. 21, 2008). [10] Department of the Navy, Record of Decision for Homeporting of Additional Surface Ships at Naval Station Mayport, FL (Jan. 14, 2009). available at [hyperlink, http://www.mayporthomeportingeis.com]. The decision was signed by the Assistant Secretary of the Navy (Installations and Environment). [11] See H.R. Rep. No. 111-491, at 254, 260-61, 507 (2010); H.R. Rep. No. 111-166, at 537-38 (2009). [12] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [13] We reviewed a variety of sources from various government and private entities, including Department of Defense Instruction 6055.17. DOD Installation Emergency Management (IEM) Program (Jan. 13, 2009) (incorporating change 1 Nov. 19, 2010); Department of Defense, Risk Management Guide for DOD Acquisition (6th ed. Aug. 2006); Army Regulation 525-26, Infrastructure Risk Management (Army) (June 22, 2004); Office of the Chief of Naval Operations Instruction 3500.39C, Operational Risk Management (July 2, 2010); Headquarters Marine Corps, Marine Corps Institute, Operational Risk Management (Feb. 2002); Air Force Instruction 90-901, Operational Risk Management (Apr. 1, 2000); Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management--Integrated Framework (Sept. 2004); and GAO, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, [hyperlink, http://www.gao.gov/products/GAO-09-3SP] (Washington, D.C.: March 2009). [14] Officials referenced DOD's January 2012 defense strategic guidance, which is described as reflecting the President's strategic direction to the department. See DOD, Sustaining U.S. Global Leadership: Priorities for 21st Century Defense (Jan. 2012). [15] See OPNAVINST 5090.1C (Oct. 30, 2007) (incorporating change July 18, 2011). [16] Environmental assessments and environmental impact statements are documents developed in accordance with the National Environmental Policy Act, Pub. L. No. 91-190 (1970) (codified as amended at 42 U.S.C. §§ 4321-4347). Under the act, federal agencies must assess the effects of major federal actions--those they propose to carry out or to permit- -that significantly affect the environment. The act has two principal purposes: (1) to ensure that an agency carefully considers detailed information concerning significant environmental impacts and (2) to ensure that this information will be made available to the public. As a matter of Navy policy, the act applies to Navy actions that affect the human environment in the United States, including the 12-nautical- mile territorial sea. See OPNAVINST 5090.1C, § 5-1.1(a) (Oct. 30, 2007) (incorporating change July 18, 2011). Navy regulations provide some categorical exclusions for specified actions from further analysis under the act. See, e.g., 32 C.F.R. § 775.6(f). Similar environmental assessments are carried out for Navy actions occurring outside the United States and its territories and possessions pursuant to an executive order. See OPNAVINST 5090.1C, § 5-1.1(b) (Oct. 30, 2007) (incorporating change July 18, 2011). [17] A hurricane return period is the frequency with which a certain intensity of hurricane can be expected within a given distance. The previous calculation for hurricane return periods used a 75-nautical- mile radius. [18] Based on the Saffir/Simpson Hurricane Wind Scale Category Table (in miles per hour (mph)), hurricane categories are as follows: Category 1 = 74-95 mph; Category 2 = 96-110 mph; Category 3 = 111-130 mph; Category 4 = 131-155 mph; and Category 5 = >155 mph. [19] The Coast Guard annually conducts approximately five port vulnerability assessments of major U.S. ports to identify and evaluate critical assets and infrastructures; the threats to those assets and infrastructures; and the weaknesses in physical security, passenger and cargo security, structural integrity, protection systems, and other areas. [20] See Department of Defense Instruction 2000.16, DOD Antiterrorism (AT) Standards, encl. 3, § E3.6.1.4 (Oct. 2, 2006) (incorporating change Dec. 8, 2006). The instruction requires terrorism vulnerability assessments for certain types of installations, including facilities populated daily by 300 or more DOD personnel; facilities with responsibility for emergency response or physical security plans and programs; facilities determined to host critical infrastructure; sea and air ports of embarkation and debarkation; and locations where there is assembly, staging, reception, and final placement of force structure in support of battalions, squadrons, or ships. See id. [21] DOD's baseline antiterrorism standards are contained in an enclosure to DOD Instruction 2000.16. See id., encl. 3. [22] See Commander, Navy Installations Command Instruction 5530.14, CNIC Ashore Protection Program, encl. 1, § 0805(c) (July 7, 2011). [End of section] GAO’s Mission: The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO’s website [hyperlink, http://www.gao.gov]. Each weekday afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted products, go to [hyperlink, http://www.gao.gov] and select “E-mail Updates.” Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO: Connect with GAO on facebook, flickr, twitter, and YouTube. Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts. Visit GAO on the web at [hyperlink, http://www.gao.gov]. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; E-mail: fraudnet@gao.gov; Automated answering system: (800) 424-5454 or (202) 512-7470. Congressional Relations: Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, DC 20548. Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548.