This is the accessible text file for GAO report number GAO-06-757 entitled 'Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions' which was released on September 14, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate: United States Government Accountability Office: GAO: September 2006: Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions: DOD Mail Security: GAO-06-757: GAO Highlights: Highlights of GAO-06-757, a report to the Committee on Homeland Security and Governmental Affairs, U.S. Senate Why GAO Did This Study: In March 2005, two well-publicized and nearly simultaneous incidents involving the suspicion of anthrax took place in the Washington, D.C., area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and at a commercial office complex (Skyline Complex). While these incidents were false alarms, DOD and other federal and local agencies responded. The Postal Service suspended operations at two of its facilities and over a thousand DOD and Postal Service employees were given antibiotics as a precaution against their possible exposure to anthrax. This report describes (1) what occurred at the Pentagon and Skyline Complex mail facilities, (2) the problems we identified in detecting and responding to the incidents, (3) the actions taken by DOD that address the problems that occurred, and (4) the extent to which DOD’s actions address the problems. What GAO Found: Events leading up to the Pentagon incident began when a laboratory that tested samples from the Pentagon’s mail-screening equipment informed DOD’s mail-screening contractor that test results indicated the presence of anthrax in the mail. By the time the contractor notified DOD 3 days later, suspect mail had already been released and distributed throughout the Pentagon. DOD evacuated its mail-screening and remote delivery facilities, notified federal and local agencies, and dispensed antibiotics to hundreds of employees. The Skyline Complex incident began the same day when Fairfax County, Virginia, emergency personnel responded to a 911 call placed by a Skyline employee that an alarm had sounded on a biosafety cabinet used to screen mail. Local responders closed the complex and decontaminated potentially exposed employees, and DOD dispensed antibiotics to the employees. Similarly, the Postal Service suspended operations at two facilities and dispensed antibiotics to its employees. Laboratory testing later indicated that the incidents were false alarms. Analysis of these incidents reveals numerous problems related to the detection and response to anthrax in the mail. At the Pentagon, DOD’s mail-screening contractor did not follow key requirements, such as immediately notifying DOD after receiving evidence of contamination. At the Skyline Complex, DOD did not ensure that the complex had a mail security plan or that it had been reviewed, as required. The lack of a plan hampered the response. DOD also did not fully follow the federal framework—including the National Response Plan, which was developed to ensure effective, participatory decision making. Instead of coordinating with other agencies that have the lead in bioterrorism incidents, DOD unilaterally dispensed antibiotics to its employees. DOD has taken numerous actions that address problems related to the two incidents. At the Pentagon, DOD’s actions included selecting a new mail- screening contractor and defining the roles and responsibilities of senior leadership, including those involved in making medical decisions. Related to Skyline, DOD prohibited its mail facilities in leased space within the Washington, D.C., area from using biosafety cabinets to screen mail unless the equipment is being operated within the context of a comprehensive mail-screening program. While DOD has made significant progress in addressing the problems that occurred, its actions do not fully resolve the issues. One remaining concern is whether DOD will adhere to the interagency coordination protocols specified in the national plan for future bioterrorism incidents involving the Pentagon. This concern arises because, more than 1 year after the incident, DOD reiterated that it has the authority to make medical decisions without collaborating or consulting with other agencies. DOD also has not ensured, among other things, that its mail facilities (1) have the required mail security plans and (2) are appropriately using biosafety cabinets for screening mail. What GAO Recommends: GAO is making recommendations to help improve the effectiveness of future DOD responses involving the suspicion of anthrax in the mail. DOD agreed with three of our recommendations but only partially agreed with our fourth. GAO retained this recommendation to ensure that DOD’s future approach to making medical decisions during bioterrorism incidents occur within the participatory federal framework. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-757]. To view the full product, including the scope and methodology, click on the link above. For more information, contact Kate Siggerud at (202) 512-2834 or siggerudk@gao.gov. [End of Section] Contents: Letter: Results in Brief: Background: Each of the Incidents Presented a Different Situation and Response and Occurred over Several Days: Problems Encountered Reflect Both a Failure to Follow Existing Contract Provisions and Procedures and a Lack of Procedures and Plans: DOD Took Numerous Actions That Address Problems Related to the Incidents: DOD's Actions Do Not Fully Resolve Identified Problems: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Scope and Methodology: Appendix II: Comments from the Department of Defense: Appendix III: Comments from the General Services Administration: Appendix IV: GAO Contact and Staff Acknowledgments: Tables: Table 1: Selected Agency Actions Specified in NRP's Biological Incident Annex: Table 2: Key Changes in the Pentagon's Mail-Screening Contract Provisions and Draft Mail-Screening Procedures: Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft Procedures: Figures: Figure 1: Chronology of Key Actions and Organizations Involved at Pentagon and Skyline Complex: Figure 2: DOD's Draft Procedures for Positive Test Results from the Pentagon's On-Site Chemical-Biological Laboratory: Abbreviations: CBI: Commonwealth Biotechnologies Incorporated: CDC: Centers for Disease Control and Prevention: DHS: Department of Homeland Security: DOD: Department of Defense: FBI: Federal Bureau of Investigation: GSA: General Services Administration: HHS: Department of Health and Human Services: LRN: Laboratory Response Network: MOU: memorandum of understanding: NIMS: National Incident Management System: NRP: National Response Plan: PFPA: Pentagon Force Protection Agency: TMA: TRICARE Management Activity: United States Government Accountability Office: Washington, DC 20548: September 15, 2006: The Honorable Susan M. Collins: Chairman: The Honorable Joseph I. Lieberman: Ranking Minority Member: Committee on Homeland Security and Governmental Affairs: United States Senate: Since the fall of 2001, when five persons, including two U.S. Postal Service employees, died from exposure to anthrax-contaminated mail delivered through the U.S. mail system, the nation has been acutely aware of the danger of bioterrorism using anthrax and other potentially fatal bacteria. The frequency of incidents involving suspicious packages or powder spills has increased dramatically since that time, due in part to hoaxes and concerns about leakages from mail that had previously been routinely handled. Concerns about anthrax in the mail have led federal agencies to establish mail-screening operations, including tests for anthrax, that have often resulted in false alarms. In March 2005, two well-publicized and nearly simultaneous incidents took place in the greater Washington, D.C., area. The incidents occurred at a Department of Defense (DOD) mail facility at the Pentagon, a building of national military significance located in Arlington County, Virginia, and another DOD mail facility in a commercial office complex (Skyline Complex), located about 5 miles away in Fairfax County, Virginia.[Footnote 1] While these incidents ultimately proved to be false alarms, DOD as well as other federal and local response agencies responded to the incidents. In the days that elapsed before authorities concluded that anthrax was not present in the mail or in the facilities, the Postal Service had suspended operations at two of its facilities, and over a thousand DOD and Postal Service employees had been given antibiotics as a precaution against their possible exposure to anthrax. You asked us to examine the response to the two March 2005 incidents. Specifically, this report addresses the following four questions: * What occurred at the Pentagon and Skyline Complex mail facilities? * What problems occurred in detecting and responding to these incidents, and why? * What actions have been taken by DOD that address the problems that occurred? * To what extent do these actions address the problems that occurred? To address these questions, we analyzed, among other things, pertinent after-action reports, incident timelines, the contract for mail- screening services at the Pentagon, mail-screening procedures, federal mail management and other applicable regulations and guidance, and the federal framework for responding to biological incidents. We compared whether the actions taken by DOD, its mail-screening contractor at the Pentagon, and employees at the Skyline Complex were in accordance with, among other things, the existing contract provisions, mail-screening procedures, federal regulations and guidance, DOD's mail manual, and the federal framework for responding to biological incidents. We interviewed a wide range of federal and local officials involved in the response to the two incidents. We also interviewed personnel from the Pentagon's mail-screening contractor to obtain their perspective on what occurred at the Pentagon. We analyzed current procedures at the Pentagon related to detecting and responding to biological agents. To assist in our analyses, we reviewed previous GAO work regarding anthrax incidents, pertinent literature and previous GAO work on internal controls, guidance prepared by the Centers for Disease Control and Prevention (CDC) for responding to the detection of anthrax in the workplace, and regulations and guidance issued by the General Services Administration (GSA) on mail security and responding to biological threats in the mail. We performed our work from June 2005 to August 2006 in accordance with generally accepted government auditing standards. Further details about our scope and methodology appear in appendix I. Results in Brief: Each of the incidents at the two mail facilities presented a different situation and response. Events leading up to the Pentagon incident began when a laboratory that tested samples from the Pentagon's mail- screening equipment informed DOD's mail-screening contractor on Friday afternoon, March 11, that one of its tests of the previous day's mail was positive for anthrax. By the time the mail-screening contractor notified DOD on Monday morning, March 14, about the results of Friday's test result and that additional testing of the sample over the weekend was also positive for anthrax, mail suspected of containing anthrax had already been released, picked up, and distributed throughout the Pentagon. While DOD officials responded by evacuating the Pentagon's mail-screening and remote delivery facilities, notifying numerous federal and local agencies, and dispensing antibiotics to hundreds of employees--including recipients of the mail that morning--officials from the Federal Bureau of Investigation (FBI) initially suspected a false alarm based on the totality of the evidence. The incident at the Skyline Complex began on Monday afternoon, March 14, when emergency personnel in Fairfax County, Virginia, responded to a 911 call placed by a Skyline employee that an alarm had sounded on a biosafety cabinet used to screen mail, including mail that had been picked up earlier that day from the Pentagon. Fairfax County responders closed the Skyline Complex, shut off elevators and the air-handling system, decontaminated potentially exposed employees, and tested the facility for anthrax contamination. The following day, DOD also dispensed antibiotics to potentially exposed employees at the Skyline Complex. The response to the incidents also affected the Postal Service's employees and operations. When Postal Service officials learned about the incidents, they immediately (1) suspended operations at two facilities that process mail to the Pentagon and conducted environmental testing at the facilities and (2) began dispensing antibiotics to their potentially exposed employees. Federal and local officials learned on Tuesday that the alarm that sounded on the biosafety cabinet used for mail-screening at the Skyline Complex indicated an airflow obstruction, not the presence of anthrax. Nevertheless, testing continued on samples taken from the facilities. The incidents were believed to be false alarms on Wednesday evening, March 16, after the interpretation of additional laboratory testing did not support the preliminary conclusion that the two facilities may be contaminated with anthrax. Both mail facilities reopened on Friday morning, March 18. Agency officials involved in the response believe that the positive tests at the Pentagon could have been the result of cross contamination in the laboratory. Analysis of these incidents reveals numerous problems related to the proper detection and response to anthrax in the mail, reflecting both a failure to follow existing contract provisions and procedures and, in some cases, a lack of procedures and plans. At the Pentagon, DOD's mail- screening contractor did not follow two key requirements. Specifically, the contractor did not (1) notify DOD immediately after receiving evidence of possible contamination of the Pentagon's mail and (2) quarantine the mail until it received negative results from the laboratory. These problems were further exacerbated by a provision in DOD's contract with its mail-screening contractor that did not clearly specify how samples from the Pentagon were to be tested. The lack of clarity resulted in the use of a laboratory whose testing methods were unknown and whose results were questioned. At the Skyline Complex mail facility, basic procedures for responding to biohazards and other emergencies were inadequate or absent altogether resulting in (1) employees not knowing how to properly respond to the alarm on the equipment used for mail-screening, (2) employees and first responders not knowing about the equipment's limitations, and (3) employees being uncertain about whom to contact during a potential emergency. Additionally, DOD did not ensure that the Skyline Complex mail facility had developed a mail security plan or that it had been reviewed, as required, by a competent authority within DOD. The federal framework developed to help ensure effective decision making through a coordinated response--the National Response Plan and the National Incident Management System--was not fully followed. Instead of coordinating its actions with others--such as the Department of Health and Human Services (HHS), the primary federal agency responsible for a public health response to bioterrorism--DOD unilaterally decided to provide medication to its employees before having appropriate confirmation of laboratory test results. According to DOD officials, because the incident occurred at the Pentagon, they did not believe that the protocols in the National Response Plan applied. In addition, they said that they had the medical authority, experience, and resources to act on their own. While the NRP does not repeal DOD's medical authorities, making decisions without coordinating with other agencies is fundamentally at odds with the protocols specified in the National Response Plan and National Incident Management System. If DOD had fully coordinated with federal and local agencies as the framework prescribes, concerns such as the validity of test results could have been discussed and the provision of unnecessary medicine to most of the DOD employees (mail recipients and others who, in our view, would not likely have been exposed until after the mail's release from quarantine on Monday, March 14) may have been avoided. DOD has taken numerous actions that address problems related to the two incidents. Some actions, such as modernizing the Pentagon's mail- screening facility and changing the laboratory used to test daily samples, were under way prior to the incidents, but many others were taken in direct response to the incidents. At the Pentagon, for example, DOD selected a new mail-screening contractor, strengthened the new contract, and developed new mail inspection procedures. While still in draft form, the procedures are currently being used and require, among other things, verification of negative test results by multiple officials before quarantined mail is released. The establishment of stringent control mechanisms is likely to prevent future premature releases of potentially contaminated mail. DOD also drafted new notification procedures--which are also being used--for reporting positive test results to internal and external parties. The draft procedures are intended to improve the way DOD communicates to federal and local agencies during incidents. In addition, DOD is developing a new policy to define the roles and responsibilities of senior DOD leadership including those involved in making medical treatment decisions during incidents at the Pentagon. DOD also took actions to address problems related to the Skyline Complex incident. For example, DOD gathered some information about mail-screening operations in its facilities in the Washington, D.C., area and issued a directive prohibiting DOD mail facilities in leased space within the Washington, D.C., area from using equipment, including biosafety cabinets, to screen mail unless the equipment is being operated within the context of a comprehensive mail-screening program. Such a program includes the use of (1) trained mail screeners to sample equipment for biological agents and (2) an approved laboratory for analyzing the samples. Although DOD has made significant progress in addressing the problems related to the two incidents, its actions do not fully resolve the problems that arose. One remaining and overarching concern involves whether, despite its actions, DOD will adhere to the interagency coordination protocols in the National Response Plan and National Incident Management System--as it has agreed--or, instead, revert to the isolated decision-making approach it used at the Pentagon. While DOD is aligning its procedures to these interagency coordination protocols, in April 2006, a senior health official reiterated that DOD has the authority to make final decisions on medical treatment at the Pentagon without collaboration or consultation with other agencies-- including HHS, which under the National Response Plan is the primary federal agency responsible for coordinating a public health response involving an actual or potential biological terrorist attack. More than 1 year later, DOD also has not developed a mail security plan for the Skyline Complex mail facility. More importantly, it is not known whether other DOD facilities also lack a plan because DOD does not have a process for certifying the existence of mail security plans and verifying that the plans have been reviewed by a competent authority. Finally, although DOD prohibits the use of mail-screening equipment, including biosafety cabinets, in DOD-leased facilities in the Washington, D.C., area unless the equipment is being operated within the context of a comprehensive mail-screening program, at the completion of our review, DOD still had not determined whether other biosafety cabinets are being used in the Washington, D.C., area or the conditions under which the equipment is being operated. We are making several recommendations to help improve the effectiveness of future DOD responses involving the suspicion of anthrax in the mail. Specifically, we recommend that the Secretary of Defense ensure that (1) any future medical decisions reached during potential or actual acts of bioterrorism at the Pentagon result from the participatory decision-making framework in the National Response Plan and the National Incident Management System, (2) appropriate officials at all of DOD's mail rooms develop effective mail security plans, (3) a competent DOD authority conducts an annual review of the plans' adequacy, and (4) any biosafety cabinets in use in DOD mail facilities in leased space in the Washington, D.C., area are being operated within the context of a comprehensive mail-screening program. We requested comments on a draft of this report from DOD, GSA, the Department of Justice, HHS, the Department of Homeland Security (DHS), and the Postal Service. Two of these agencies--DOD and GSA--provided written comments. DOD agreed with three of our four recommendations, indicating that it either was implementing, or intended to immediately implement, actions to address these recommendations.[Footnote 2] However, DOD only partially agreed with our remaining recommendation. We retained this recommendation to ensure that DOD's future approach to making medical decisions during bioterrorism incidents occur within the participatory federal framework. GSA's written comments clarified federal requirements related to the annual review of mail security plans. DOD's and GSA's comments are reprinted in appendixes II and III, respectively. DOD, the FBI (on behalf of the Department of Justice), CDC (on behalf of HHS), and the Postal Service provided technical comments, which we incorporated, as appropriate. DHS did not provide comments. Background: What Is Anthrax and Why Is It a Concern? Anthrax is an acute infectious disease caused by the spore-forming bacterium Bacillus anthracis. The anthrax bacterium is commonly found in the soil and forms spores (like seeds) that can remain dormant in the environment for many years. Human anthrax infections are rare in the United States and are usually the result of occupational exposure to infected animals or contaminated animal products, such as wool, hides, or hair. Although infection in humans is rare, a person can die if airborne anthrax spores are inhaled into the lungs. Once airborne, there is greater possibility that the spores will be inhaled. Medical experts believe that symptoms of inhalation anthrax (sore throat, muscle aches, and mild fever) typically appear within 4 to 6 days of exposure, depending on how the disease is contracted. While anthrax is potentially fatal, individuals who are exposed to anthrax spores will not necessarily develop the disease. Inhalation anthrax can be treated with antibacterial drugs, but medical treatment does not necessarily ensure recovery. Anthrax is not contagious. Anthrax is a potential terrorist weapon because, if refined and introduced into letters and packages, anthrax spores can be released into the air as letters are processed or opened. The use of the mail as a vehicle for transmitting anthrax threatens the nation's mail stream and places the American public and federal employees at risk. This is what occurred in 2001, when letters containing anthrax contaminated at least 23 Postal Service facilities and killed five of 22 individuals diagnosed with anthrax, including two Postal Service employees.[Footnote 3] Anthrax spores can be killed, however, through a process known as irradiation, which renders anthrax in the mail harmless for humans. How Is Anthrax Detected? Detecting anthrax involves many types of activities, including: * developing a sampling strategy for deciding how many samples to collect, where to collect them, and what collection methods to use; * collecting samples using, for example, dry or premoistened swabs; * transporting samples to laboratories for extraction and analysis; * extracting the sample material using specific procedures and fluids (such as sterile saline or water); and: * analyzing the samples using a variety of methods.[Footnote 4] To provide a coordinated clinical diagnostic testing approach for detecting anthrax and other bioterrorism threats, CDC, the Association of Public Health Laboratories, the FBI, and others collaboratively developed the Laboratory Response Network (LRN) in 1999.[Footnote 5] LRN laboratories (1) perform standard testing methods specified by CDC to either rule out or confirm the presence of anthrax and (2) provide public health organizations and others with rapid test results for use in making public health decisions. Generating a final test result involves both a presumptive and confirmatory test. Presumptive tests can be obtained within 2 hours and are considered "actionable" from a public health perspective. According to CDC, antibiotic medical treatment is recommended as soon as possible after the LRN has obtained a presumptive positive test result.[Footnote 6] Confirmatory tests take longer--generally 24 to 48 hours. What Is the Federal Framework for Responses Involving the Suspicion of Anthrax? The National Response Plan (NRP), which was developed by the federal government under the leadership of DHS, provides one part of the coordinated framework for how the United States will prepare for, respond to, and recover from domestic incidents. The Secretary of Defense, as well as the heads of 31 other federal departments and agencies, signed the Letter of Agreement contained in the NRP, indicating their agreement to abide by the NRP's incident management protocols. The December 2004 plan includes a Biological Incident Annex, which specifies actions that agencies should take when they become aware of a possible threat involving a biological agent. The annex also identifies the roles and responsibilities of various agencies that would respond to such an event. For example, as specified in the annex, HHS is the primary federal agency for coordinating a public health response involving an actual or potential biological terrorism attack. Table 1 identifies selected agency actions specified in the NRP's Biological Incident Annex. Table 1: Selected Agency Actions Specified in NRP's Biological Incident Annex: Response actions to be taken by agencies: The Department of Justice is to be notified through the FBI's Weapons of Mass Destruction Operations Unit. Response actions to be taken by agencies: The FBI, in turn, is to immediately notify DHS's Homeland Security Operations Center and the National Counterterrorism Center under the direction of the Director of National Intelligence. Response actions to be taken by agencies: The LRN is to be used to test samples for the presence of biological threat agents. Response actions to be taken by agencies: The FBI, in conjunction with HHS, is to make decisions on where to perform additional tests on samples. The FBI is to lead criminal investigations of terrorist acts or threats. Response actions to be taken by agencies: Once notified of a credible threat, HHS is to convene an interagency meeting to assess the situation and determine the appropriate public health response. HHS is to coordinate the overall public health response efforts across all federal departments and agencies. Response actions to be taken by agencies: DHS is to coordinate the overall nonmedical response actions across all federal departments and agencies. Source: Department of Homeland Security. [End of table] The other part of the federal framework is the National Incident Management System (NIMS), which was released in March 2004. NIMS is intended to provide a consistent and coordinated nationwide approach for federal, state, and local governments to work effectively and efficiently together to prepare for, respond to, and recover from domestic incidents, including those involving biological incidents, regardless of their cause, size, and complexity. NIMS applies to all levels of government, and for the federal government, including DOD, it is prescriptive. A key component of NIMS is the incident command system, which is designed to integrate the communications, personnel, and procedures of different agencies and levels of government within a common organizational structure during an emergency. Another key component of NIMS is the establishment of a joint information center-- with representatives from all affected parties and jurisdictions--to provide a unified communication message to the public during emergencies. What Federal Requirements Exist for Agencies to Follow? GSA and DOD have requirements for agencies to follow in protecting employees in mail facilities and ensuring effective mail operations. For example, GSA's federal mail management regulation requires[Footnote 7] * every federal agency and agency location with one or more full-time personnel processing mail to have a written mail security plan including, among other things, procedures for safe and secure mail room operations, plans for security training for mail employees, and plans for annual reviews of the agency's mail security plan and facility- level mail security plans; and: * large agencies, such as DOD, that spend over $1 million annually on postage to annually (1) verify that facility-level mail security plans have been reviewed and (2) report to GSA that all facility-level mail security plans have been reviewed by a competent authority within the past year. GSA also issues guidance and recommendations for effectively managing mail programs, including recommendations on the content of mail security plans.[Footnote 8] For example, GSA recommends that agencies: * develop a communication plan for responding to threats that includes names and phone numbers to call during emergencies; * establish and maintain partnerships with personnel who respond to emergencies (first responders); and: * create a program for training employees on how to respond to biological threats, including refresher training on a regular basis. DOD's mail manual, effective December 2001, implements DOD's mail- related requirements.[Footnote 9] DOD requires its components to comply with GSA's federal mail management regulation, including the requirement that each mail center develop a written mail security plan and have it reviewed annually by a competent authority. Beyond mail-related requirements, GSA also requires the highest- ranking federal official of the largest agency in GSA-controlled (leased) office space to develop an occupant emergency plan.[Footnote 10] GSA guidance related to this requirement recommends that the occupant emergency plan describe, among other matters, critical information about the office space and actions to be taken during emergencies. The GAO Comptroller General's Standards for Internal Control in the Federal Government provides the overall framework for agency management to establish and maintain effective internal control.[Footnote 11] Establishing effective internal controls is a major part of managing an organization. Such controls include the plans, methods, and procedures to be used to meet an organization's mission, goals, and objectives by, among other things, monitoring performance, training employees, and ensuring that federal requirements, such as GSA and DOD mail security requirements, are followed. How Did the Pentagon and Skyline Complex Process Mail in March 2005? The Pentagon receives its mail from the Postal Service as well as from commercial courier services. The Postal Service irradiates almost all first-class mail delivered to the Pentagon and other federal agencies in the Washington, D.C., area, from its facilities on V Street, N.E. in Washington, D.C. (the V Street Operation). In March 2005, Pentagon mail was delivered from the V Street Operation to a mail-screening facility located within the Pentagon remote delivery facility--a 250,000-square- foot shipping and receiving facility adjoining the Pentagon. Technicians dressed in protective gear then screened the mail over a custom-designed table equipped with four filters intended to capture any particles that might fall from the mail. The table used a negative airflow system that was intended to keep microscopic particles from dispersing back into the mail-screening facility. At the time of the March 2005 incident at the Pentagon, employees of Vistronix Incorporated (Vistronix)--the Pentagon's mail-screening contractor--collected and sent daily samples from each of the four filters to Commonwealth Biotechnologies Incorporated (CBI)--a private laboratory in Richmond, Virginia. Vistronix subcontracted the daily testing of the Pentagon's mail to CBI. The opened mail was then shrink- wrapped and quarantined in a secure room until CBI notified Vistronix of negative test results by either fax or e-mail. Upon receipt of negative test results, a Vistronix employee released the mail from quarantine. Once released from quarantine, mail employees placed the mail into mailboxes at the Defense Post Office, where it awaited pickup by Pentagon employees. The TRICARE Management Activity (TMA) mail room at the Skyline Complex received and processed mail differently from the Pentagon.[Footnote 12] It received a small amount of its mail from the Pentagon, but most of its mail came from a Postal Service facility in Merrifield, Virginia, according to a TMA mail room official. The TMA mail room had a biosafety cabinet, an X-ray machine, and two full-time employees. The biosafety cabinet had a negative airflow system with filters for capturing and holding any particles that fell from envelopes or packages being opened. While the cabinet was used for mail screening, it was not capable of detecting anthrax. Each of the Incidents Presented a Different Situation and Response and Occurred over Several Days: The two incidents involving the suspicion of anthrax occurred over several days, but the most significant actions occurred the same day-- Monday, March 14, 2005. The Pentagon incident occurred first and was the result of positive test results for anthrax in the mail. The Skyline Complex incident occurred later that day when an alarm sounded on the biosafety cabinet that employees took as a sign that contaminated mail had been passed from the Pentagon to the Skyline Complex.[Footnote 13] Combined, the incidents set in motion a large- scale response that also affected Postal Service employees and operations. The response ended a few days later, when further testing confirmed that anthrax was not present at either DOD facility or in the mail. Figure 1 shows a chronology of the key actions and organizations involved in the two incidents. The discussion that follows explains each incident in turn. Figure 1: Chronology of Key Actions and Organizations Involved at Pentagon and Skyline Complex: [See PDF for image] Source: GAO analysis of information from various sources. [End of figure] The Pentagon Incident Was Triggered from Tests Indicating the Presence of Anthrax: Events leading up to the Pentagon incident began on Thursday afternoon, March 10, 2005. After screening the mail in a facility at the Pentagon remote delivery facility, Vistronix employees routinely collected swab samples from four filters and sent them to CBI for analysis. According to Vistronix's account of events associated with the incident, about 4:00 p.m. on Friday afternoon, March 11, a representative from CBI informed the Vistronix Director that one of four swab samples collected and tested from Thursday's mail was positive for anthrax. The Director requested the laboratory to conduct additional testing over the weekend but did not notify Defense Post Office officials of the initial positive test results. On Monday morning, March 14, at about 6:00 a.m., the Vistronix Director informed a member of his staff (the site supervisor) that while additional laboratory results for Thursday's mail had not yet been received, test results for Wednesday's mail were negative, and, therefore, Wednesday's mail was cleared for release. The site supervisor misunderstood the conversation, incorrectly concluding that mail from both days could be released from quarantine, and, consequently, he called his staff to release the mail. At about 6:30 a.m., Thursday's mail was released, and, shortly thereafter, employees of the Defense Post Office began processing the mail for distribution. According to Vistronix, at about 9:10 a.m., the laboratory notified Vistronix that additional testing of Thursday's swab sample was also positive. By the time Vistronix notified a Defense Post Office official of the second test result at about 9:25 a.m., an unspecified amount of the mail suspected of containing anthrax had already been picked up and distributed throughout the Pentagon. These developments initiated a wide-ranging response. At about 10:15 a.m., a Defense Post Office official notified the Pentagon Force Protection Agency (PFPA)--the law enforcement agency responsible for protecting people, facilities, and infrastructure on the Pentagon Reservation.[Footnote 14] In the 2 hours that followed, PFPA: * shut down the Pentagon remote delivery facility, * coordinated with mail officials to identify possible recipients of Thursday's mail, * secured the perimeter around the remote delivery facility with the help of antiterrorism units, and: * evacuated the majority of the employees from the remote delivery facility to the Pentagon's former child development center.[Footnote 15] PFPA continued to lead the response in the hours that followed. The Arlington County Emergency Communications Center sent emergency personnel to the scene after it was notified through official channels at about 10:37 a.m. Emergency personnel typically take charge of incidents when the affected individuals have immediate medical needs. However, when they arrived, they said none of the employees appeared to have symptoms of illness. As a result, PFPA and Arlington County agreed that PFPA would continue to lead the response. According to a DOD timeline of the incident, DOD also attempted to notify the following federal and local offices: * 12:10 p.m.: First broadcast message sent to local public safety and emergency management response agencies. * 12:15 p.m.: FBI's Washington Field Office and the Weapons of Mass Destructions Operations Unit at FBI Headquarters. * 12:30 p.m.: Office of the Postmaster General--the executive head of the Postal Service . * 12:40 p.m.: Department of Homeland Security's Operations Center. When FBI staff arrived on the scene at about 1:00 p.m., they began to assess the incident's credibility. According to FBI officials, the totality of the initial evidence suggested a false alarm. First, only one of the four swab samples collected and tested from the filters on Thursday was positive for anthrax. If an actual incident had occurred, FBI officials said, it would have been reasonable to expect that all four samples would have been contaminated because, based on experience gained during the fall of 2001 anthrax attacks, once airborne, anthrax spores disperse over a wide area. In addition, tests conducted on Friday's mail were negative. FBI officials said that if anthrax had contaminated Thursday's mail, it would likely have contaminated the entire mail-screening facility, leaving residual spores that also would have been detected in the samples taken from Friday's mail. While suspicious of a false alarm, the FBI declared the Pentagon remote delivery facility a crime scene based on the evolving response of other agencies and the need to further assess the evidence. During the afternoon hours, two DOD Health Affairs officials responsible for responding to medical issues on the Pentagon Reservation--the Commander of the DiLorenzo TRICARE Health Clinic and DOD's Assistant Secretary for Health Affairs--began providing medical treatment to (1) employees working at the remote delivery facility where the mail-screening facility was located, (2) Pentagon mail recipients, and (3) the mail-screening technicians. DOD health officials estimate that, in total, they dispensed an initial 3-day course of antibiotics to about 889 potentially affected employees. According to the officials involved, their decision to immediately dispense antibiotics as a precautionary measure was based on the laboratory's positive test results and their experiences gained in the fall of 2001. DOD's Assistant Secretary for Health Affairs told us that at about 1:00 p.m., he conferred with the CDC Director about DOD's medical decision, and that she agreed with the decision. According to the CDC Director, the call was made to inform her about the decision that DOD had already reached. The Director of CDC said that even if the purpose of the call had been to seek her advice on medical treatment options, she could not have offered a medical opinion because of insufficient information, especially with respect to the reliability of the laboratory's test results. She stressed the need for clear, accurate, and understandable information for making decisions about medical treatment. Such information, she said, is typically developed collaboratively with all appropriate parties involved. After the conversation, she said she contacted the CDC operations center that handles such incidents to ensure that appropriate CDC personnel were aware of the incident. While HHS is the primary agency responsible for a public health response, according to an HHS official, the CDC operations center--not DOD--subsequently contacted the HHS operations center. As officials from additional federal agencies became aware of the incident, several interagency conference calls were held. The first of these calls was convened by HHS officials at about 5:00 p.m.[Footnote 16] Officials from HHS said the purpose of the conference call was to obtain a basic understanding of what had occurred at the Pentagon (and at the Skyline Complex, where the second incident had already begun), so that decisions could be made on how to respond appropriately. According to HHS and DHS officials, decision makers needed answers to such questions as what analysis had been done, what procedures had been used by the contract laboratory, and how the Pentagon samples had been collected. Obtaining such information was critical to determining whether people had been exposed to anthrax, whether the two incidents were linked, and what the appropriate response should be. However, according to DHS and HHS officials, DOD could not adequately answer these and other questions. On Monday afternoon, DOD took the samples from CBI for analysis to Fort Detrick, located in Frederick, Maryland--the site of two key federal laboratories.[Footnote 17] The samples arrived at about 5:30 p.m. Over the next few days, the laboratories at Fort Detrick conducted numerous tests of the Pentagon's samples as well as environmental samples taken from the Pentagon. Late Wednesday evening, results of additional testing indicated that anthrax was not present in samples collected from the Pentagon's mail-screening facility. Agency officials involved in the response believe that the initial positive test result could have been caused by cross contamination at CBI. The facility reopened on Friday, March 18. The Skyline Complex Incident Resulted from an Alarm on Equipment Used for Mail Screening: The incident at the Skyline Complex began several hours after the Pentagon incident began. At about 10:00 a.m., a TMA employee picked up mail from the Pentagon and, by 11:30 a.m., had distributed some of the mail within the Skyline Complex--a large office complex of privately owned buildings in Fairfax County, Virginia.[Footnote 18] According to officials at the Skyline Complex, an employee received an urgent telephone call around noon indicating an unspecified problem with the Pentagon's mail and directing that any mail from the Pentagon be retrieved. The caller did not provide any further explanation, according to the official. TMA mail room employees retrieved the mail they had already delivered, emptied mailboxes, and placed some of the mail in trash bags. About 1:00 p.m., a TMA mail room employee was screening other mail from the Pentagon using the biosafety cabinet when the cabinet's alarm sounded. According to mail room employees, they made several unsuccessful attempts to telephone the manufacturer and the maintenance contractors for help. In addition, DOD's manager of the complex told us that she called PFPA for guidance on how the cabinet operated, but the PFPA official was not aware of the type of equipment in use at the complex, and consequently, he was not able to tell her what to do.[Footnote 19] Finally, at 2:09 p.m., a Skyline employee called the Fairfax County 911 emergency line. Fairfax County emergency responders (fire, police, public health, and hazardous material units) arrived on the scene shortly thereafter. They led the incident over the next few hours and took several actions, including: * closing the Skyline Complex and securing its exits, * shutting off its elevators and air-handling systems, * developing and providing health information to occupants, * collecting contact information from the occupants, * decontaminating some employees who were sheltering in place, and: * obtaining and testing environmental samples from the complex and attempting to remove filters from the biosafety cabinet in order to perform additional tests.[Footnote 20] According to Fairfax County responders, they attempted to hold all occupants within the Skyline Complex because they anticipated receiving results of environmental testing Monday afternoon. They explained that having the complex occupants together would help them provide information to the occupants and coordinate any further responses that may be necessitated by the results of the environmental testing. Test results were delayed, however, and the majority of the Skyline Complex employees began to be released. Just prior to this, at about 7:30 p.m., Fairfax County responders began decontaminating 45 of the complex's employees who were believed to be at high risk for exposure to anthrax. The initial environmental test results--available on Tuesday--were inconclusive and, as a result, Fairfax County and FBI responders collected additional environmental samples for analysis at Fort Detrick. On Tuesday afternoon, DOD dispensed antibiotics to the 45 high- risk employees. This incident began to de-escalate on Tuesday evening as officials learned that the alarm that sounded on the biosafety cabinet used for mail screening indicated only an airflow obstruction, not the presence of anthrax. By Wednesday evening, laboratory results from environmental samples indicated that anthrax was not present at TMA's mail room in the Skyline Complex. The majority of the Skyline Complex reopened on Thursday, while TMA's mail room reopened on Friday morning, March 18. The Incidents Also Affected Postal Service Employees and Operations: A DOD official called the Postmaster General to inform him of the Pentagon incident at about 12:30 p.m. on Monday, March 14, 2005, but neither the Postmaster General nor other Postal Service executive were available to receive the call. The DOD official left a voice-mail message, but according to the Postal Service's Senior Vice President for Government Relations, the message did not convey any urgency about the potential for anthrax in the mail. Furthermore, by the time Postal Service officials listened to the message, they had already heard about the incident through the local media. At about 5:00 p.m., when Postal Service officials learned at the first interagency conference call that DOD had provided antibiotics to Pentagon employees, Postal Service officials acted quickly to protect their employees who, days earlier, might have processed the mail. Thus, by Monday evening, the Postal Service had suspended operations at its V Street Operation and had immediately begun dispensing antibiotics to its employees. In total, over 160 Postal Service employees were treated for their possible exposure to anthrax. On Tuesday, March 15, the CDC's National Institute for Occupational Safety and Health provided technical assistance to the Postal Service in designing an environmental testing strategy for the V Street Operation.[Footnote 21] By Wednesday morning, March 16, results from environmental testing of the V Street Operation were negative for anthrax. The Postal Service reopened the V Street Operation in the afternoon. Problems Encountered Reflect Both a Failure to Follow Existing Contract Provisions and Procedures and a Lack of Procedures and Plans: DOD encountered numerous problems during the two March 2005 incidents. At the Pentagon, these problems primarily involved not following required mail-screening contract provisions and procedures. The failure to follow these requirements resulted in, among other things, the premature release of the potentially contaminated mail that caused the incident at the Pentagon. In addition, the Pentagon's contract for mail screening lacked a clear provision specifying required testing methods, which resulted in the use of a laboratory whose testing methods were unknown and whose results were not actionable--this, in turn, exacerbated the incident at the Pentagon. At the Skyline Complex mail facility, problems were even more basic, in that required procedures and plans for responding to biohazards and other emergencies were inadequate or absent altogether. Further, at the Pentagon, the federal framework developed to, among other things, help ensure more effective decision making through the coordinated response of all affected parties and decision makers was not fully followed. If the framework had been fully followed, decisions regarding medical treatment of DOD and Postal Service employees may have been improved. At the Pentagon, the Mail-Screening Contract Provisions and Procedures Were Not Followed: Vistronix did not follow contract provisions and mail inspection procedures related to the detection and response to potential biohazard emergencies involving the Pentagon's mail. The contractor developed procedures for implementing the contract's mail-screening requirements, which described the process by which mail entering the Pentagon would be inspected, tested, quarantined, and released. DOD approved the procedures, but the contractor failed to follow two key requirements. * Mail-screening contractor did not provide timely notification of potential contamination. Both the contract and the approved mail inspection procedures provided specific notification requirements for informing DOD of potential biohazardous situations involving the Pentagon's mail. The contract required Vistronix to notify PFPA "immediately" if there were any evidence of risk or possible contamination of the mail. Similarly, the mail inspection procedures required PFPA to be contacted (1) within 1 minute of an actual or potential event involving contamination and (2) when a positive test result occurred "at any point" in the testing process. The laboratory informed the Vistronix Director that a sample from Thursday's mail had tested positive for anthrax on Friday afternoon, March 11. Instead of immediately notifying PFPA as required, however, the Director asked the laboratory to conduct additional tests over the weekend. The contractor did not inform DOD of the suspected mail contamination until after it received the second positive test result on Monday, March 14--about 2- ½ days after the notification should have occurred. According to the Vistronix Director, he believed the procedures required them to notify DOD only after a second positive test result. The contractor's untimely notification created a sense of urgency within DOD to quickly provide antibiotics to its employees--before consulting, as specified in the NRP, with other agencies about the proper medical response. * Mail-screening contractor did not quarantine mail until it received negative test results from the laboratory. The contract required Vistronix to quarantine the mail until receipt of negative test results. Similarly, the mail inspection procedures required Vistronix to hold (i.e., "not release for delivery") the Pentagon's mail until the laboratory had reported negative test results to Vistronix. The procedures also noted that a positive result "at any point" necessitates sequestering all potentially contaminated mail. Vistronix failed to follow these requirements. Specifically, while the Vistronix Director was aware of an initial positive test result on Friday, he did not ensure that the mail remained quarantined until receipt of negative test results from the laboratory. Instead, miscommunication among Vistronix staff led to the mail's release several hours before the laboratory informed Vistronix that its weekend test results were also positive for anthrax. The premature release of the potentially contaminated mail resulted in a broad response at the Pentagon, the Skyline Complex, and the Postal Service's V Street Operation. The Pentagon's Mail-Screening Contract Provision for Testing Samples Was Also Unclear: The testing provision in the mail-screening contract required Vistronix to test samples from the mail-screening equipment in accordance with unspecified "CDC guidelines." However, Defense Post Office officials-- including the contracting officer's representative who had responsibility for overseeing the contract--told us that they did not identify the specific guidelines to be used and were unaware that the CDC publishes both general testing guidelines, which are available in the public domain, and guidance and protocols for anthrax testing by the LRN, which are available only to LRN laboratories.[Footnote 22] The officials explained that even if they had known which guidelines DOD expected to be followed, they did not have the technical expertise to determine whether the contract's testing provision was being followed. Defense Post Office officials further explained that the contract was awarded quickly in 2001 after the nationwide anthrax attacks. Their office was tasked with overseeing the contract, they said, because at that time the office was the "executive agent for mail in the Pentagon"--not because it had any expertise or training on these matters.[Footnote 23] According to Defense Post Office officials, the lack of technical expertise regarding anthrax at that time contributed to the lack of clarity in the contract's testing provision. Their lack of expertise also caused them to conclude that CBI met all CDC and federal guidelines, in part, because Vistronix had informed DOD that CBI was a certified CDC laboratory that adhered to CDC guidelines. An independent review of CBI, the subcontract laboratory, sponsored by DOD and conducted in April 2005 found that CBI analyzed the Pentagon's samples using testing methods that differed from CDC's guidance and protocols. The review also found that Vistronix's contract with CBI did not require the laboratory to verify its testing methods. By March 2005, DOD and Vistronix had had 3-½ years to specify its testing requirements for the contract. An unclear contracting provision, combined with the lack of oversight by both DOD and Vistronix, resulted in the use of a laboratory whose testing methods were unknown and whose results were not actionable. The effect of these events was evident when DOD officials could not adequately explain to other agency officials what (1) tests CBI had conducted, (2) methods CBI had used, and (3) the results meant. DOD's inability to provide adequate answers to these and other crucial questions exacerbated the incident at the Pentagon and slowed the response since officials from other agencies were skeptical of the laboratory's results. At the Skyline Complex, Basic Response Procedures Were Inadequate or Absent Altogether: At the Skyline Complex, basic procedures for responding to a biohazardous incident were inadequate or absent for the TMA mail facility in the Skyline Complex. The following three key elements were either inadequate or absent. * First, TMA did not ensure that mail room procedures addressed what to do, or whom to notify, when the equipment alarm sounded or that employees were properly trained on the equipment. TMA is responsible for ensuring that adequate procedures are in place and effective training occurs, so that employees can perform their duties competently. Although some procedures were in place at the Skyline Complex, they did not address the capabilities of the biosafety cabinet or what to do if the alarm on the equipment sounded. At the time of the incident, the mail room's procedures provided, among other things, (1) basic instructions for using the biosafety cabinet, including how to turn the machine on and off and how to open the mail, and (2) information about whom to notify when a suspicious package was discovered. The procedures did not address what the biosafety cabinet did, how it worked, or how to respond to its built-in alarm. The TMA mail manager noted that training on the biosafety cabinet had occurred when the machine was purchased in 2001, but no subsequent training had been conducted.[Footnote 24] In the meantime, he said, staff turnover and the absence of additional training had led to a lack of understanding about the equipment's capabilities. In addition, while the procedures specified whom to call if suspicious mail is discovered, the procedures did not address whom to contact when the equipment's alarm sounded.[Footnote 25] If procedures were adequate and periodic training had occurred, employees would likely have known that, although the equipment had a negative airflow system with filters for capturing and holding any particles that fell from envelopes or packages being opened within the equipment, it did not detect biohazards and its alarm sounded only to indicate an airflow obstruction. Instead, in conjunction with the phone call indicating an unspecified problem with the Pentagon's mail, mail room employees assumed the alarm was signaling the presence of biohazards in the mail. Because TMA employees lacked adequate information and training on the equipment, they unnecessarily contacted first responders. * Second, neither TMA nor DOD ensured that the required mail security plan was in place. Both TMA and DOD have responsibilities for ensuring that an adequate mail security plan exists for the mail room in the Skyline Complex. GSA's federal mail management regulation and DOD's mail manual both require mail security plans for agency mail rooms. According to GSA's regulation,[Footnote 26] security plans must include (1) procedures for safe and secure mail room operations, (2) plans for training mail room personnel, and (3) plans for annually reviewing agency and facility-level mail security plans. In addition, DOD's mail manual requires DOD's mail room officials to ensure that their mail security plans are coordinated with local security officials. TMA did not develop the required security plan. If TMA had developed a plan and coordinated it with local officials, Fairfax County emergency personnel--the local first responders--may have learned about the biosafety cabinet's limitations, including the meaning of the equipment's audible alarm. Furthermore, DOD did not ensure that TMA had developed a plan, or attempt to review it for adequacy, as required. GSA's federal mail management regulation requires that facility level mail security plans be annually reviewed. Moreover, as specified in the regulation, DOD must annually report to GSA that its mail security plans have been reviewed by a competent authority within the past year. GSA officials noted that DOD's Official Mail Manager submits a certification form to GSA annually; however, the form does not indicate that DOD's (1) plans exist and that (2) the plans have been reviewed by a competent authority in the past year. Instead, the form submitted to GSA simply certifies that DOD has the requisite requirements in place. According to DOD's Official Mail Manager,[Footnote 27] he cannot certify that all DOD mail rooms have mail security plans or that they have been reviewed by a competent authority because DOD does not have a process in place to ensure that the required reviews take place.[Footnote 28] He further explained that he lacks the time and resources to review the plans. If TMA and DOD had followed the applicable requirements, the problem that occurred at the Skyline Complex may have been avoided. * Third, the Defense Information Systems Agency had not developed an Occupant Emergency Plan. GSA requires agencies of GSA-controlled buildings to have an occupant emergency plan for protecting life and property during an emergency. Critical elements of the plan include (1) evacuation and sheltering-in-place information; (2) contact information and emergency phone numbers; and (3) specific information about the building's construction, including its floor plans. The highest ranking official of the largest agency in each GSA-controlled building is responsible for developing and maintaining the occupant emergency plan.[Footnote 29] In March 2005, the Defense Information Systems Agency (Defense Agency) was the largest agency in the Skyline Complex. According to officials from the Defense Agency, they were aware of the agency's responsibility for developing the occupant emergency plan as early as June 2002. Defense Agency officials had drafted a plan by the time of the incident, but had neither distributed it to other federal occupants of the complex nor coordinated it with first responders. Moreover, employees had not been trained on the plan and affected federal agencies had not agreed to or signed the plan. Officials of the Defense Agency commented that developing an occupant emergency plan takes a great deal of coordination among participating agencies, which prolongs the plan's completion. The lack of a required occupancy emergency plan contributed to the difficulties that employees and first responders experienced during the incident. For example, first responders had difficulty getting critical information to employees because contact information was not readily available for federal employees in the complex. In addition, since information about the complex was not readily available, some employees were able to exit the complex because Fairfax County police, who had attempted to secure the Skyline Complex, were unaware of all the existing exits. DOD Did Not Fully Follow the Federal Framework for Coordinating Responses at the Pentagon: DOD did not fully follow the federal framework for coordinating a response to the potential anthrax incident at the Pentagon; instead, it chose to make decisions on its own. The federal framework is set forth in the NRP and NIMS, which specifies a structured and coordinated approach for involving federal, state, and local agencies in decision making. The unifying element of this framework is the ability to harness the resources of various agencies whose expertise and knowledge help ensure informed decisions about how to proceed in any given situation. While DOD initially followed NIMS when it established its incident command at the Pentagon,[Footnote 30] as the incident evolved, key aspects of the federal framework were not followed. Here are three examples: * First, DOD did not fully follow NRP's notification structure. NRP's Biological Incident Annex requires every federal agency to first notify the FBI if it becomes aware of an overt threat involving biological agents. While DOD officials did notify the FBI, it was not until almost 3 hours after they first became aware of the Pentagon's positive test results. Earlier notification would have likely helped with the evaluation of test results and allowed federal agencies to collectively coordinate a proper course of action, particularly because, as discussed earlier, FBI officials began questioning the incident's credibility after arriving on scene. The Biological Incident Annex also designates HHS as the federal agency responsible for coordinating a public health response involving bioterrorism threats. DOD officials never notified HHS but, instead, called the Director of CDC to disclose their intention to administer antibiotics to DOD employees. The Director of CDC, not DOD, alerted the CDC operations center, which, in turn, notified HHS's operations center at about 4:00 p.m. on Monday. As specified in the Biological Incident Annex, once HHS officials were notified of a credible threat, they convened an interagency conference call approximately 1 hour later to coordinate a possible medical emergency response. However, by then, DOD had already begun to administer antibiotics to its employees. As a result, any advice any guidance on (1) medical treatment options or (2) the validity of the laboratory's test results that other agency officials may have offered were essentially moot. * Second, DOD failed to follow NIMS protocols regarding joint decision making. Under NIMS, the incident commander is responsible for the entire response to an incident. To assist with various aspects of a multijurisdictional response, the incident commander is expected to assemble federal, state, and local agencies to serve in a unified command. The unified command includes representatives from all agencies and organizations that have responsibility for, or can provide support to, an incident. Collectively, the unified command is expected to consider and help make decisions on all objectives and strategies related to an incident. At the Pentagon in March 2005, PFPA included federal and local agencies in the response; however, the response structure never matured into a unified command, especially when some decisions--especially those related to medical treatment--were made outside the command structure. DOD essentially had two separate incident responses: PFPA acted as the incident commander for the evacuation and containment of Pentagon employees, while DOD's Health Affairs made unilateral decisions regarding the employees' medical treatment. According to local public health officials, DOD did not consult them on the proper course of action regarding whether, or how, to intervene medically. Had information and decisions flowed through a unified command structure, local public health officials could have raised the concerns they had about providing antibiotics without a confirmed LRN test result. Additionally, if medical treatment decisions had been made collaboratively, DOD and local public health officials could have (1) agreed on a strategy for treating potentially affected individuals, including access to additional medication and follow-up treatment; and (2) discussed the potential ramifications of initially providing ciprofloxacin to DOD employees.[Footnote 31] According to local public health officials, DOD's initial provision of ciprofloxacin to DOD employees set a precedent that essentially eliminated other antibiotic treatment options, given the health officials' desire to ensure that potentially affected individuals would be treated consistently.[Footnote 32] Had medical decisions been made within the context of a unified command, a different decision may have been reached and hundreds of DOD employees--with no, or limited, exposure to potential contamination--may not have received unnecessary medication. * Third, DOD did not coordinate the initial public response to the incidents. An important outcome envisioned in the federal framework is effective management of information available to the public. The NIMS structure calls for a joint information center to provide a location for organizations participating in the management of the incident to work together to ensure that timely, accurate, easy-to-understand, and consistent information is disseminated to the public. The joint information center is supposed to have representatives from each organization involved in the management of an incident. DOD did not establish a joint information center at the start of the incidents, and it did not have clear written procedures for doing so. As a result, the public received unclear and inconsistent messages about, among other matters, the source of the anthrax. For example, media accounts reported that mail through the Postal Service caused the incidents when, in fact, the source of possible contamination was unknown. According to the Postal Service, this resulted in unnecessary anxiety among Postal Service workers, their families, and recipients of Postal Service mail. According to DOD health officials responsible for making medical decisions at the Pentagon, they based their medical treatment decision on the experiences they gained from the fall 2001 anthrax incidents. The officials explained that they were very sensitive to what they perceived to be untimely medical decisions reached in the fall of 2001. Consequently, they said they decided to err on the side of caution and quickly distribute antibiotics to employees at the Pentagon and Skyline Complex. Additionally, since the incident occurred on the Pentagon Reservation, DOD officials did not believe that the NRP applied because, in their view, they had the medical authority, expertise, and resources to handle the incident internally.[Footnote 33] However, other federal officials--including those in DHS and HHS--told us that the NRP was applicable and that DOD should have followed the framework. In addition, CDC guidance emphasizes the need to make risk-based decisions, including those involving dispensing of antibiotics during suspected anthrax incidents. According to the CDC, a risk-based, participatory approach is necessary, in part to limit the number of people who may receive antibiotics before confirmation by the LRN.[Footnote 34] Since the mail had been quarantined over the weekend, the Pentagon employees most at risk would have been the technicians who had screened the mail the previous week. These persons received antibiotics, but so did hundreds of others who, in our view, would not likely have been exposed until Monday morning, when the Pentagon's mail was released from quarantine. DOD health officials' concern about protecting DOD employees from the risk of exposure is clearly understandable. However, DOD's actions were not consistent with the NRP. Once HHS was contacted by CDC, it began using the notification and response protocols specified in the NRP. In particular, HHS convened the first interagency conference call in which federal participants were able to discuss the laboratory's test results and raise concerns about the quality of the results. Additionally, CDC was able to address the Postal Service's concerns about the possible health effects on its employees who may have processed contaminated mail to the Pentagon the previous week. CDC recommended antibiotics for employees of the V Street Operation because (1) of the confluence of the two incidents, which, at the time, were viewed as involving the presence of anthrax; (2) DOD had already started its employees on antibiotics; and (3) the employees could have been exposed to anthrax several days earlier because they process mail to the Pentagon. DOD Took Numerous Actions That Address Problems Related to the Incidents: DOD took numerous actions that address problems related to the Pentagon and Skyline Complex incidents. At the Pentagon, some actions to improve DOD's mail processing and incident response, such as modernizing the mail-screening facility and changing the laboratory used to test daily samples, were already under way. Other actions, including selecting a new mail-screening contractor and improving procedures for releasing quarantined mail, were a direct response to what occurred. At the Skyline Complex, DOD's actions included prohibiting the use of equipment for screening mail unless the equipment is being operated within the context of a comprehensive mail-screening program. DOD also commissioned the RAND Corporation to conduct an independent review to examine its response to the incidents.[Footnote 35] The resulting report,[Footnote 36] issued in January 2006, contains numerous recommendations which, according to DOD, it has taken action upon. At the Pentagon, Some Actions Were Already Under Way, While Others Were Taken in Direct Response to the Incident: Some of the actions DOD took at the Pentagon were under way before the March 2005 incident. Although the actions were not carried out until later, they reflected decisions that had been previously set in motion to improve mail screening and responses to biological incidents. These actions included the following: * DOD transferred oversight of the mail-screening function to PFPA. PFPA assumed oversight of mail-screening from the Department of the Army in August 2005 because, according to DOD officials, PFPA's strategic mission of providing security and law enforcement at the Pentagon is better aligned with the mail-screening function. According to a PFPA official, planning for the transfer of mail-screening oversight began around January 2005. A gradual transition had been planned, he said, but the Pentagon incident significantly accelerated efforts to implement the transfer of mail-screening oversight responsibilities. * DOD modernized the mail-screening facility, refurbished the mail quarantine room, and installed new mail-screening equipment. According to a DOD official, initial planning for these improvements also began around January 2005. PFPA officials stated that the new mail-screening facility and the refurbished quarantine room have improved capabilities that are designed to protect employees and prevent the spread of anthrax. Finally, a DOD official said that the decision to replace the previous mail-screening table with new equipment was based on a 2003 National Academy of Sciences report, which, among other things, raised questions about the table's ability to detect anthrax in small amounts. PFPA is awaiting the results of a study, which it expects to conclude in May 2006, to evaluate the effectiveness of the changes. * DOD changed its testing laboratory. Daily testing of samples from the Pentagon's mail-screening equipment is now performed by a non-LRN chemical-biological laboratory located on the premises, instead of a contract laboratory. The laboratory is part of PFPA and, according to a PFPA official, was established in January 2005 to help protect the Pentagon from biological threats. The official stated that the original plan was to transfer testing from CBI to the Pentagon's chemical- biological laboratory in October 2005, after the Vistronix contract expired. However, the transfer was accelerated, occurring instead in March 2005, a few days after the incident at the Pentagon. * DOD entered into a memorandum of understanding (MOU) on biological monitoring with other federal agencies. In April 2005, DOD signed an MOU for Coordinated Monitoring of Biological Threat Agents, which was developed prior to the Pentagon incident. DHS, HHS, the Department of Justice (which includes the FBI), and the Postal Service are also parties to the MOU. DHS's Science and Technology Directorate is responsible for coordinating the implementation of the MOU. The following provisions in the MOU help address the notification, laboratory testing, and medical response problems that arose at the Pentagon: * The MOU establishes prompt notification requirements. Specifically, the MOU requires participants to notify the FBI, HHS, and DHS within 1 to 2 hours of positive test results that indicate, with a high degree of confidence, the presence of anthrax or other biological agents. However, according to a DHS Science and Technology Directorate official, such test results only trigger notification and, until confirmed by the LRN, are not considered actionable by HHS, DHS, and others. * The MOU requires participating agencies to develop and employ mutually accepted and validated testing methods to confirm biological threats. According to a Science and Technology official, test results produced from these methods will be considered actionable for public health and other response measures, including the administration of medical treatment. He stated, however, that this MOU provision will take time to implement.[Footnote 37] According to the official, an independent organization is currently performing the extensive testing and analysis needed to evaluate and establish equivalency between the wide array of testing methods employed across agencies.[Footnote 38] DOD officials stated that the Pentagon's chemical-biological laboratory--which is not part of the LRN--plans to adopt the testing methods that emerge from the MOU. As a result, if the MOU's equivalency testing provision is fully implemented, they said, confirmatory positive results from the Pentagon laboratory will be considered equivalent to LRN results and deemed actionable by DHS, HHS, and others for decisions related to the administration of medical treatment.[Footnote 39] In addition to carrying out actions already in process, DOD also initiated numerous actions in direct response to the problems that occurred at the Pentagon. Several of these actions address the mail- screening contractor's failure to follow established requirements. Other actions were carried out in response to the RAND review and are intended to better align DOD's procedures with those in the federal framework for coordinating responses to potential biological threats. The actions are as follows: * DOD changed mail-screening contractors, strengthened the new contract, and drafted improved procedures. PFPA selected a new contractor for screening mail at the Pentagon in September 2005. PFPA also developed new contract provisions and drafted new mail inspection procedures to address the previous contractor's failure to follow established contractual and procedural requirements. Table 2 highlights key changes in the Pentagon's mail-screening contract provisions and draft procedures. Table 2: Key Changes in the Pentagon's Mail-Screening Contract Provisions and Draft Mail-Screening Procedures: Key changes in the Pentagon's contract provisions: The contractor is required to periodically train its employees on emergency response procedures, including those relating to the receipt of suspicious materials. Key changes in the Pentagon's contract provisions: The contractor is required to develop an effective quality control program to ensure that its services are performed in accordance with the contract's requirements. Key changes in the Pentagon's contract provisions: PFPA's contracting officer representative is required to evaluate the contractor's performance to ensure that it meets contract requirements. The representative is to monitor the contractor's performance and report any deficiencies. Key changes in the Pentagon's draft mail-screening procedures: The facilities manager, a newly created position in PFPA's laboratory division, is responsible for, among other things, performing unannounced inspections to ensure that the contractor properly executes procedures. Key changes in the Pentagon's draft mail-screening procedures: The contract supervisor, an employee of the mail-screening contractor, is responsible for ensuring that contract personnel perform all activities in accordance with established procedures. Source: GAO analysis of DOD information. [End of table] PFPA strengthened the mail-screening contract by requiring the contractor to, among other things, periodically train employees on emergency response procedures and develop an effective quality control program to ensure adherence to contract provisions. In addition, PFPA's contracting officer representative is required to evaluate the contractor's performance to ensure that it meets contract requirements.[Footnote 40] PFPA has also drafted new mail-screening procedures to help ensure the contractor performs in accordance with requirements. The draft procedures require PFPA to, among other things, perform unannounced inspections to ensure that the contractor is properly executing required procedures. As of April 30, 2006, it was unclear when the draft procedures would be finalized; however, according to a PFPA official, the new monitoring measures are already being performed. Effective monitoring of contractor activities and performance is key to maintaining effective agency internal controls. * DOD strengthened controls over the release of quarantined mail. The Pentagon's draft mail inspection procedures require verification of negative test results by representatives from three separate organizations--PFPA, the Defense Post Office, and the contractor-- before the mail is released. Table 3 identifies the key steps for releasing quarantined mail, as specified in the draft procedures. Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft Procedures: A PFPA laboratory official verifies that test results are negative for mail scheduled to be released. A PFPA laboratory official notifies the facility manager, the contract supervisor, and a Defense Post Office official via e-mail that the results are negative and that mail can be released at the scheduled time. All parties must verify the receipt of the negative test results by replying to the e-mail. A PFPA laboratory official verifies that test results are negative for mail scheduled to be released.: The PFPA laboratory facility manager, the contract supervisor, and a Defense Post Office official, must physically verify that the date stamp and other information on the quarantined mail matches the laboratory's report indicating negative test results before releasing the mail. Source: GAO analysis of DOD information. [End of table] Although the mail inspection procedures are still in draft form, these steps are currently being used for releasing the Pentagon's quarantined mail. The segregation of key duties and responsibilities at this critical juncture in the mail release process reduces the risk of error and, as such, is designed to strengthen the internal controls that were lacking in March 2005. During the incident, inadequate internal controls allowed a single point of failure--in this case, a misunderstanding between two contract employees--to result in the premature release and distribution of quarantined mail that may have been contaminated. This triggered a broad response at the Pentagon and elsewhere. The implementation of rigorous internal controls for releasing the Pentagon's mail appears likely to prevent similar incidents in the future. * DOD commissioned the RAND Corporation to conduct an independent review examining its response to the March 2005 incidents. The review primarily focused on evaluating DOD's policies and procedures for responding to such incidents and making recommendations for improvement. In November 2005, DOD formed a working group to review and implement recommendations from a draft of the report. The final report was issued in January 2006. * DOD drafted new notification procedures for positive test results at the Pentagon. To help address the notification problems that arose during the Pentagon incident, DOD drafted new procedures for notifying appropriate parties of positive test results from the Pentagon's on- site chemical-biological laboratory. These procedures help implement a recommendation in the RAND report that calls for ensuring timely notification of designated agencies in accordance with the NRP and NIMS. The recommendation was based on findings similar to those identified by GAO. DOD officials stated that the new procedures, while still in draft, are currently being used to respond to potential incidents involving biological contamination at the Pentagon. Figure 2 illustrates DOD's draft notification procedures for positive test results from the Pentagon's on-site chemical-biological laboratory. Figure 2: DOD's Draft Procedures for Positive Test Results from the Pentagon's On-Site Chemical-Biological Laboratory: [See PDF for image] Source: GAO; DOD. [A] The Assistant Secretary of Defense for Homeland Defense is the overall supervisor of homeland defense activities for DOD. This office manages domestic incidents and represents DOD in homeland defense- related matters with other agencies. [B] The Assistant Secretary of Defense for Public Affairs is the principal staff adviser to the Office of the Secretary of Defense for disseminating information related to the Pentagon. [End of figure] The procedures require Pentagon laboratory officials to immediately notify PFPA of positive test results. Thereafter, PFPA and DOD's Assistant Secretary of Homeland Defense are responsible for making the required notifications to internal and external parties. According to a DOD official, these notifications should occur immediately in order to meet the 1 to 2 hour time frame specified in the MOU. As prescribed in the NRP, once notified of positive test results, (1) the FBI is responsible for coordinating appropriate confirmatory testing by the LRN and (2) DHS's operations center is responsible for notifying affected local jurisdictions. DOD's draft procedures include notification to all agencies specified in the NRP's Biological Incident Annex, as well as those specified in the MOU. Although not specifically required in either the NRP or MOU, the procedures also include notification to the Postal Service. An official stated that DOD actively worked with DHS, the FBI, and HHS to develop the notification procedures and is continuing to improve them based on agency input, actual events, and the outcome of training exercises. * DOD is developing a new policy that defines the roles and responsibilities of senior DOD leadership during incidents at the Pentagon. According to DOD's Director of Administration and Management,[Footnote 41] the policy--called an instruction--is being developed and will be based, in part, on NRP's Biological Incident Annex. He stated that the instruction will detail the health-care responsibilities of DOD leadership involved in making medical treatment decisions and will be consistent with NRP and NIMS protocols. The draft instruction was expected to be tested during a Pentagon training exercise in May 2006 and is to be finalized in the fall of 2006. The development of the instruction directly addresses a recommendation from the RAND review, which arrived at findings similar to ours regarding DOD's medical decision making. * DOD drafted new procedures to help ensure that a joint information center is established. DOD also drafted procedures for ensuring that, consistent with the NIMS framework, a joint information center is established during potential emergency incidents at the Pentagon. During the March 2005 incident, DOD did not establish a joint information center to disseminate timely, accurate, and consistent messages to the public. The RAND report contained a similar finding and recommended remedial actions. In response, DOD drafted procedures that require PFPA, Public Affairs, and Washington Headquarters Services to coordinate in the establishment and operation of a joint information center to disseminate information to the media during incidents at the Pentagon.[Footnote 42] According to a Washington Headquarters Services official, the draft procedures will be tested during future training exercises at the Pentagon. DOD Took Other Actions That Address Problems at the Skyline Complex: DOD also took a number of other actions that address the specific problems we described related to the incident at the Skyline Complex. Many of these problems were also raised in the RAND report. DOD's actions, several of which also affect other DOD-leased facilities, included the following: * DOD developed operating conditions for equipment used to screen mail in the national capital region. In January 2006, DOD's Director of Administration and Management issued a directive prohibiting DOD mail facilities in leased space within the national capital region[Footnote 43]--including the Skyline Complex--from operating equipment used to screen mail, including biosafety cabinets, unless the facilities meet five specific operating conditions. These conditions include having trained mail screeners to sample equipment for biological agents and an approved laboratory for analyzing the samples. The directive partially addresses a recommendation in the RAND report calling for DOD to develop, evaluate, and ensure that appropriate site-specific screening practices are in place departmentwide. According to the Director, the directive is intended to relay key lessons learned in March 2005-- specifically, that equipment for screening mail is ineffective and potentially risky to personnel and facilities when used outside of a comprehensive mail-screening program. The TMA facility at the Skyline Complex did not meet these conditions. Although the agency purchased a new biosafety cabinet for the Skyline Complex, which is similar to the device in place in March 2005,[Footnote 44] a TMA official stated that the agency is no longer operating the device and is taking steps for its disposal in response to the directive. * DOD initiated two efforts to gather information on screening operations in its mail facilities. First, DOD's Joint Program Executive Office for Chemical-Biological Defense, as part of a plan required by the National Defense Authorization Act for Fiscal Year 2006,[Footnote 45] gathered some information on equipment used for mail screening in DOD mail facilities nationwide. However, according to a joint program office official, the data is not comprehensive because information was not sought from all applicable facilities. Second, in response to the RAND review, Washington Headquarters Services attempted to identify DOD- leased facilities in the national capital region that screen mail for threats. However, as discussed later, this data collection effort had numerous limitations. * DOD developed an occupant emergency plan for the Skyline Complex. In July 2005, the Defense Agency, in conjunction with TMA, issued an occupant emergency plan for the Skyline Complex. The plan was reviewed and deemed adequate by a building management specialist in DOD's Washington Headquarters Services. The plan includes emergency contact information and information about the complex, such as floor plans, that were not readily available during the March 2005 incidents. In addition, according to a Defense Agency official, the plan has been fully coordinated with Fairfax County first responders, who (1) met with Defense Agency officials to discuss the roles and responsibilities of applicable parties, (2) reviewed the plan, and (3) participated in the emergency training exercises at the Skyline Complex. He also stated that if a similar incident were to occur, the plan would facilitate communications between first responders and Skyline Complex employees. The development of an occupant emergency plan addresses findings in this report as well as recommendations from the RAND review. * DOD issued supplemental requirements for developing mail security plans. DOD's December 2001 mail manual required agency mail rooms to develop security plans, but at the time of the incidents, did not clearly specify what the plans should include or require that they be reviewed. A supplement to the manual, issued in September 2005, requires mail room officials to ensure that their plan (1) details the reporting procedures and responsibilities for handling suspicious mail, (2) has been coordinated with local emergency responders, (3) is disseminated to all mail center staff, and (4) is reviewed for potential revisions at least quarterly. The supplemental requirements refer mail room officials to GSA guidance on handling suspicious mail to assist in the development of adequate security plans.[Footnote 46] DOD's Actions Do Not Fully Resolve Identified Problems: DOD's actions resolve many of the problems that arose in the March 2005 incidents but not all. One remaining and overarching concern involves whether, despite its actions, DOD will adhere to the interagency coordination protocols in the NRP and NIMS or will revert to the isolated decision-making approach it used at the Pentagon. Other remaining issues include ensuring that DOD (1) facilities have adequate mail security plans in place and (2) mail facilities in the national capital region are appropriately using biosafety cabinets for screening mail. DOD's Adherence to NRP and NIMS Interagency Coordination Protocols Remains Uncertain for Incidents at the Pentagon: DOD has taken actions to align its procedures with the NRP and NIMS, including the development of an instruction defining the roles and responsibilities of senior DOD leadership during incidents at the Pentagon. The policy instruction is not expected to be finalized until the fall of 2006 and, until then, it is unknown whether it will adequately specify medical treatment responsibilities in accordance with the coordination protocols in the NRP and NIMS. In October 2005, senior DOD health officials told us that they would handle the medical response at the Pentagon in a similar manner if an incident occurred in the future, in part, because they have the authority to do so. In April 2006--more than 1 year after the incident--another senior health official reiterated that DOD has the authority to make final decisions on medical treatment at the Pentagon without collaboration or consultation with other agencies, including HHS. Such views conflict with protocols in both the NRP, which requires an HHS-led coordinated public health response, and NIMS, which prescribes local-level input into decisions affecting their jurisdictions. Until DOD ensures that its senior health officials make medical treatment decisions in accordance with the NRP and NIMS during potential biological incidents at the Pentagon, the problems that occurred in March 2005 remain unresolved. DOD Still Has Not Ensured That Its Mail Facilities Have Reviewed Mail Security Plans, As Required: TMA did not have a mail security plan for the Skyline Complex at the time of the incidents, and although federal mail management regulation and DOD's mail manual require such a plan, it has not subsequently developed one. Until TMA develops a plan and, among other things, coordinates it with local first responders, any future response at the facility may also be hampered. More importantly, it is not known whether other DOD mail facilities also lack plans, or adequate plans, for guiding future responses involving potential biological threats in the mail. As discussed earlier, DOD does not have a process in place to (1) ensure that its mail facilities have mail security plans and (2) verify that each plan has been annually reviewed by a competent authority. DOD Has Not Ensured That Its Facilities in the National Capital Region Are Appropriately Using Biosafety Cabinets: Gaps remain in the actions DOD has taken to ensure the appropriate use of biosafety cabinets for mail screening in DOD-leased mail facilities in the national capital region. First, DOD has not ensured that DOD mail facilities in the national capital region are not operating biosafety cabinets outside of a comprehensive mail-screening program. As pointed out in the Director of Administration and Management's January 2006 directive, using mail-screening equipment in isolation of such a program is ineffective and potentially risky. Second, at the conclusion of our review, DOD still had not identified the number of biosafety cabinets in use in the region. For example, although DOD's Washington Headquarters Services collected information about facilities in the national capital region that screen mail for threats, its winter 2005 data collection effort was not comprehensive. For example, the office did not attempt to (1) identify whether other biosafety cabinets were being used, (2) determine the conditions under which the equipment is being operated, and (3) collect information on the type and capabilities of other mail-screening equipment being used. Moreover, it appears that numerous DOD mail facilities in the national capital region did not respond to the data request. According to an official from Washington Headquarters Services in April 2006, a follow- up effort was being conducted to gather additional data on mail- screening operations in the region; however, we were unable to obtain specific information regarding the purpose, scope, and status of the effort. Eliminating equipment that is not being used in conjunction with a comprehensive mail-screening program is likely to reduce future false alarms and unnecessary response activities involving the Skyline Complex and other DOD mail facilities in leased space within the national capital region. Conclusions: Mail continues to be a potential venue for terrorism, particularly as an opportunity to strike at the Pentagon--a building of national military significance. DOD has taken aggressive measures to ensure the safety of its employees during a potential biological attack, but the challenge ahead is to ensure that DOD's components and leadership are sufficiently prepared in the event of another potential incident involving anthrax or other biohazards. Preparation involves having the procedures, plans, and training in place to effectively coordinate the best available knowledge and expertise across the many agencies that will likely be involved. While lessons learned from these two false alarms have largely been implemented, there still is a need to tighten controls in the areas discussed above. Recommendations for Executive Action: To help prepare DOD to effectively respond to future incidents involving the suspicion of biological substances in the mail, we recommend that the Secretary of Defense take the following four actions: * Ensure that any future medical decisions reached during potential or actual acts of bioterrorism at the Pentagon Reservation result from the participatory decision-making framework specified in the NRP and NIMS. * Ensure that appropriate officials at all of DOD's mail facilities develop effective mail security plans in accordance with GSA's mail management regulation and guidance and DOD's mail manual. * Ensure that a competent DOD authority conducts a DOD-wide review of all of its mail security plans. * Determine (1) whether biosafety cabinets are being used at mail facilities within DOD-leased space in the national capital region and, if so, (2) whether the equipment is being operated within the context of a comprehensive mail-screening program. If the use of biosafety cabinets does not comply with the criteria specified in the Director of Administration and Management's January 2006 directive, ensure that the equipment will not be operated. Agency Comments and Our Evaluation: We requested comments on a draft of this report from DOD, GSA, the Department of Justice, HHS, DHS, and the Postal Service. Two of these agencies--DOD and GSA--provided written comments. The agencies' comments are reprinted in appendixes II and III, respectively. DOD agreed with three of our four recommendations, indicating that it either was implementing, or intended to immediately implement, actions to address these recommendations.[Footnote 47] Furthermore, while DOD is developing a new policy to define the roles and responsibilities of senior DOD leadership including those involved in making medical treatment decisions during incidents at the Pentagon, it only partially agreed with our remaining recommendation, related to the need for DOD to make future medical decisions within the participatory decision- making framework specified in the NRP and NIMS. While commenting that "coordination in such events is highly desirable," DOD reiterated that it has the "medical authority to act in a timely manner to provide the best possible medical protection for its personnel at potential risk in an incident of this nature." DOD further commented that the NRP does not alter or impede its ability to carry out its medical authorities and responsibilities. We agree that the NRP does not repeal DOD's medical powers, authorities, or responsibilities. However, in signing the NRP Letter of Agreement, DOD agreed, among other things, to (1) support NRP concepts, processes, and structures; (2) modify its existing plans to comply with the NRP; and (3) ensure that its operations support the NRP. Thus, in our view, DOD's medical authorities must be exercised in conjunction with DOD's responsibilities under the NRP. Had DOD followed such an approach in March 2005, concerns such as the validity of the test results could have been discussed among informed agency officials and the provision of unnecessary medicine to DOD employees at lower risk for exposure may have been avoided. DOD also commented that the NRP was not in effect during these incidents because none of the criteria for an incident of "national significance" had been met. We agree that the December 2004 NRP plan was somewhat ambiguous about when an incident is subject to NRP's concepts, processes, and structures. However, revisions made in May 2006 clarified that the NRP is "always in effect" and that the plan applies to incidents of lesser severity that may, nevertheless, require some federal involvement. In our view, this revision makes it even more clear that, going forward, coordination is necessary and appropriate with regard to potential bioterrorism incidents and decisions about medical treatment. In addition, despite the plan's prior ambiguity, it is important to note that other federal officials--including those in DHS and HHS--told us that the NRP was applicable because of the nearly simultaneous occurrence of two incidents involving the Pentagon, a building of national military significance. Thus, according to these and other involved parties, DOD should have responded to the incidents within the context of the federal framework. GSA's written comments clarified federal requirements related to the annual review of mail security plans. DOD, the FBI (on behalf of the Department of Justice), CDC (on behalf of HHS), and the Postal Service provided technical comments, which we incorporated, as appropriate. DHS did not provide comments. We are sending copies of this report to appropriate congressional committees and subcommittees, CDC, DHS, DOD, the FBI, GSA, HHS, the Postal Service, the Arlington and Fairfax County Offices of Emergency Management, the District of Columbia Health Department, and other interested parties. We will also make copies available to others upon request. In addition, the report is available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at siggerudk@gao.gov or (202) 512-2834. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Staff who made key contributions to this report are listed in appendix IV. Signed by: Katherine A. Siggerud: Director, Physical Infrastructure Issues: [End of section] Appendix I: Scope and Methodology: To determine what occurred at the Pentagon and Skyline Complex mail facilities in Virginia, we reviewed all available timelines and after- action reports, including those prepared by various Department of Defense (DOD) components, the Postal Service, the RAND Corporation, and other federal, state, and local entities. The after-action reports and timelines document what occurred at the two sites in March 2005 as well as the sequence and timing of what occurred. We also obtained and analyzed other pertinent documentation. We developed a timeline of what occurred based on the information we obtained, and corroborated this information with agency officials, where possible. With respect to this and our other reporting objectives, we interviewed a wide range of officials from the following organizations: * Office of the Secretary of Defense, Administration and Management; * Office of the Assistant Secretary of Defense for Health Affairs; * Office of the Assistant Secretary of Defense for Homeland Defense; * DOD's DiLorenzo TRICARE Health Clinic; * DOD's TRICARE Management Activity (TMA); * DOD's Pentagon Force Protection Agency, including personnel in the Chemical, Biological, Radiological and Nuclear laboratory; * DOD's Washington Headquarters Services; * DOD's Defense Post Office; * Vistronix Incorporated; * Department of Health and Human Services; * Centers for Disease Control and Prevention (CDC); * Department of Homeland Security (DHS); * Federal Bureau of Investigation (FBI) Headquarters and its Washington Field Office; * U.S. Postal Service; * District of Columbia's Department of Health; and: * Arlington and Fairfax County Offices of Emergency Management. To determine what problems occurred and why they occurred, we obtained, reviewed, and analyzed, among other documents, (1) all available timelines and after-action reports prepared by federal, state, and local agencies that were involved in the response; (2) the Pentagon's mail-screening contract and procedures; (3) TMA's mail procedures; (4) federal mail management and other applicable regulations related to occupant emergency plans;[Footnote 48] (5) DOD requirements, including its mail manual; (6) applicable guidance on the coordination of incidents with appropriate organizations, including the National Response Plan (NRP) and its Biological Incident Annex and the National Incident Management System (NIMS) and; (7) CDC guidance related to the provision of medical services to potentially affected employees, including its guidance on the timing of antibiotics to affected individuals.[Footnote 49] We also reviewed and analyzed GAO's internal control standards for applicable criteria and interviewed officials from the previously cited organizations as well as those from DOD's Defense Information Systems Agency, DOD's Military Postal Service Agency, and the General Services Administration. We compared DOD's actions with applicable criteria, such as the Pentagon's contract provisions and procedures, regulations and guidance, and the national coordination protocols in place at the time of the incidents, to identify any variations between the actions taken at the two facilities and the actions specified in the applicable criteria. Where variations existed, we interviewed officials from the previously mentioned organizations to determine why the applicable criteria was not followed. To determine the actions DOD has taken that address the problems that arose during the March 2005 incidents at the two mail facilities, we interviewed officials from the previously cited DOD offices as well as the Office of the Assistant Secretary of Defense for Public Affairs, Military: Postal Service Agency, Joint Program Executive Office for Chemical and Biological Defense, and General Services Administration. We also interviewed DHS officials from the Science and Technology Directorate and DHS's Mail Management Program. We obtained and analyzed pertinent information on all identified actions. For example, with respect to actions taken at the Pentagon, we reviewed the new mail-screening contract, recent interagency agreements, and the Pentagon's draft (1) mail-screening operating procedures, (2) laboratory procedures, (3) notification procedures, and (4) procedures for communicating information to the public. For actions taken in response to the incident at the Skyline Complex, we reviewed TMA's mail-screening procedures, DOD's directive prohibiting the use of biosafety cabinets in certain environments, and the Skyline Complex occupant emergency plan, all of which were issued after the March 2005 incidents. To determine the extent to which the actions taken address the problems that arose at the two mail facilities during the March 2005 incidents, we reviewed and analyzed, among other things, the Pentagon's new mail- screening contract and its draft (1) mail-screening operating procedures, (2) laboratory procedures, (3) notification procedures, and (4) procedures for communicating information to the public. To assess whether the actions appeared to resolve the problems that arose during the incidents, we compared policy and procedural changes to applicable criteria, including criteria contained in DOD's mail manual, GSA's regulations and guidance, CDC guidance, GAO Internal Controls Standards, the NRP's Biological Incident Annex, and NIMS. We determined the status of key recommendations in the after-action reports and, through our analysis, identified further actions necessary to remedy the issues that arose. In addition, to provide broader perspective on issues related to detecting and responding to suspected anthrax incidents, we reviewed previous studies, congressional testimony, and other pertinent documents including those prepared by GAO.[Footnote 50] We performed our work from June 2005 to August 2006 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Comments from the Department of Defense: Homeland Defense: Assistant Secretary Of Defense: 2600 Defense Pentagon: Washington, DC 20301-2600: Jun 22 2006: Ms. Kate Siggerud: General Accountability Office: 441 G Street NW: Washington, DC 20548: Dear Ms. Siggerud: (U) We Appreciate The Opportunity To Comment On The Draft Report, "Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions," dated June 2006, (GAO Code 542066/GAO-06- 757C). We note several factual errors in the report, and partially concur with the recommendations. (U) The Department of Defense continues to institute emergency management policies, refine interagency and internal coordination procedures for potential biological terrorism incidents, and protect all persons who could potentially be affected in such incidents. (U) Let me take this opportunity to thank you and your staff for producing a reasoned and useful report. I am forwarding the Department's comments on the draft report recommendations at enclosure one. Recommended technical changes that were identified are at enclosure two. Sincerely, Sincerely, Peter F. Verga: Principal Deputy: Enclosures: 1. DoD comments: 2. Technical changes: GAO Draft Report - Dated May 23, 2006 GAO Code 542066/GAO-06-757C "Mail Security: Incidents at DoD Mail Facilities Exposed Problems That Require Further Actions" Department Of Defense Comments: Recommendation 1: The GAO recommends that DoD ".ensure that any future medical decision reached during potential or actual acts of bio- terrorism at the Pentagon Reservation result from the participatory decision-making framework specified in the NRP and the NIMS. DoD Response: DoD partially concurs. While coordination in such events is highly desirable and was, in fact, performed in these incidents, the GAO recommendation, if adopted, could actually serve to confuse an operational response. The NRP cannot be read selectively. Two other portions of the NRP significantly apply in this situation, but are omitted from the report. Page 2 the NRP states, "Nothing in this plan alters or impedes the ability of Federal. departments and agencies to carry out their specific authorities or perform their responsibilities under all applicable laws, Executive orders, and directives." Additionally, on pages 3-4 the subject of the NRP's applicability is described and the criteria for an Incident of National Significance are stipulated. During these incidents, none of these criteria were reached. Accordingly, the NRP was not in effect for the response to these incidents and, if NRP had been in effect, the authorities of the Secretary of Defense are not altered or impeded by the plan. The Department of Defense has the medical authority to act in a timely manner to provide the best possible medical protection for its personnel at potential risk in an incident of this nature. As noted in the report, the DoD is developing a new policy to define the roles and responsibilities of senior DoD leadership in emergency management and incident command on the Pentagon reservation - including those making medical treatment decisions. Recommendation 2: GAO recommends that DoD ".ensure that appropriate officials at all of DoD's mail facilities develop effective mail security plans in accordance with GSA's mail management regulation and guidance and DoD's mail manual." DOD Response: DoD concurs. Military postal authorities are evaluating the most effective assurance method and are considering reporting methodologies for GSA and DoD guidance compliance. Recommendation 3: GAO recommends that DoD ".ensure that a competent DOD authority conducts a DoD-wide review of all of its mail security plans." DOD Response: DoD concurs. Military postal authorities are evaluating the most effective assurance method and are considering reporting methodologies for GSA and DOD guidance compliance. Recommendation 4: GAO recommends that DoD ".determine whether (1) bio- safety cabinets are being used at mail facilities within DoD leased space in the national capital region and, if so, (2) the equipment is being operated within the context of a comprehensive mail-screening program. If the use of bio-safety cabinets does not comply with the criteria specified in the Director of Administration and Management's January 2006 directive, ensure that the equipment will not be operated." DOD Response: DoD Concurs. The Pentagon Force Protection Agency (PFPA) will immediately determine compliance with the January 2006 DA&M memo. Additionally, PFPA will incorporate procedures for reviewing mail screening programs into their Antiterrorism Vulnerability Assessments, which are conducted annually at each of the DoD leased facilities in the NCR. [End of section] Appendix III: Comments from the General Services Administration: GSA Office of Governmentwide Policy: Jun 19 2006: Ms. Katherine A. Siggerud: Director: Physical Infrastructure Issues: Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Ms. Siggerud: Thank you for the opportunity to comment on the draft Government Accountability Office (GAO) Report, Mail Security: Incidents at Department of Defense (DOD) Mail Facilities Exposed Problems That Are Not Yet Fully Resolved (GAO-06-757C). The draft report paraphrases and refers to GSA regulations regarding mail security at several points. All of these paraphrases and references are accurate and appropriate, with one exception. On Page 28, the draft report says: "GSA's Federal Mail Management Regulation requires that facility level mail security plans be annually reviewed at the agency's level." The issue we have is with the phrase: "at the agency's level." The actual text of the regulation says: "The annual report must state that all facility security plans have been reviewed by a competent authority within the past year." (FMR 102-192.60). The regulation provides that a competent authority must review all security plans, but it does not say that this review must be performed at the agency's level. An agency's level review of every facility's security plan would be an intolerable burden in agencies such as the DOD and the Department of Agriculture that have thousands of facilities. We look forward to seeing this report in its final form. Its recommendations and implications will be important to all Federal mail facilities. If you have any questions, please contact Mr. Henry Maury, Office of Travel, Transportation and Asset Management, on (202) 208- 7928. Sincerely, Signed by: Stan Kaczmerczyk for: John G. Sindelar: Acting Associate Administrator: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Katherine A. Siggerud, (202) 512-2834 or siggerudk@gao.gov: Staff Acknowledgments: In addition to the contact named above, Kathleen Turner (Assistant Director), David Hooper, Daniel Klabunde, Steve Martinez, Josh Ormond, Stanley Stenersen, and Johanna Wong made key contributions to this report. FOOTNOTES [1] A third incident occurred at a DOD mail facility at the Bolling Air Force Base in Washington, D.C. That incident--also a false alarm--was not connected to the Pentagon and Skyline Complex incidents and, therefore, is not discussed in this report. [2] The Office of the Administrative Assistant to the Secretary of the Army--the organization responsible for managing DOD's mail--also reviewed the draft report and concurred "without comment." [3] We have issued a number of reports on the response to these incidents. See, for example, GAO, U.S. Postal Service: Better Guidance Is Needed to Ensure an Appropriate Response to Anthrax Contamination, GAO-04-239 (Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health Response to Anthrax Incidents of 2001, GAO-04-152 (Washington, D.C.: Oct. 15, 2003); and U.S. Postal Service: Better Guidance Is Needed to Improve Communication Should Anthrax Contamination Occur in the Future, GAO-03-316 (Washington, D.C.: Apr. 7, 2003). [4] See GAO, Anthrax Detection: Agencies Need to Validate Sampling Activities in Order to Increase Confidence in Negative Results, GAO-05- 251 (Washington, D.C.: Mar. 31, 2005). [5] In March 2005, LRN consisted of 147 laboratories that, according to CDC, had demonstrated the ability to meet and maintain CDC's testing standards. [6] Medical treatment, as used in this report, means administering postexposure prophylaxis to exposed individuals. [7] GSA issues regulations under the authority of the Federal Records Management Amendments of 1976 (Section 2 of Public Law 94-575, 44 U.S.C. 2901-2904), which requires the GSA Administrator--the executive head of GSA--to provide assistance to federal agencies on records management, including the processing of mail. See 41 CFR Parts 101-9 and 102-192. [8] GSA, Mail Communications Policy Office, Mail Center Security Guide, 3rd edition (Washington, D.C., 2004); and National Guidelines for Assessing and Managing Biological Threats in Federal Mail Facilities (Washington, D.C., Dec. 29, 2003). [9] DOD's requirements are described in the DOD Instruction 4525.8 and DOD Manual 4525.8M, effective December 2001. [10] This requirement is contained in GSA's regulations for managing property. See 41 CFR Sec. 102-74.230. [11] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). [12] TMA provides administrative support to DOD's civilian health and medical program for the uniformed services. [13] A portion of TMA's mail destined for the Skyline Complex is screened at the Pentagon and picked up from an office inside the Pentagon. [14] 10 USC Sec. 2674(f)(1) defines the Pentagon Reservation as the area of land (consisting of approximately 280 acres) and improvements thereon, located in Arlington, Virginia, on which the Pentagon Office Building, Federal Office Building #2, the Pentagon heating and sewage treatment plants, and other related facilities are located, including various areas designated for the parking of vehicles. [15] The mail-screening technicians were not evacuated and, instead, remained isolated in the mail-screening facility, according to PFPA officials. [16] Other conference calls occurred over the next few days. [17] The two laboratories at Fort Detrick are associated with the United States Army Medical Research Institute of Infectious Diseases and the National Bioforensic Analysis Center. [18] GSA leases office space at the Skyline Complex for federal agencies, including DOD's TMA office. [19] According to the manager, the PFPA employee thought that the equipment was an X-ray machine. [20] The biosafety cabinet was destroyed as a result of efforts to extract its filters for testing. [21] The National Institute is the federal agency responsible for conducting research into occupational safety and health matters. [22] CBI was not a part of the LRN in March 2005 and, consequently, would not have had access to CDC's guidelines and protocols for LRN laboratories. [23] The officials noted that PFPA's Chemical, Biological, Radiological, and Nuclear department did not exist when DOD initially awarded the mail-screening contract. The laboratory associated with this department, as well as its current role in the Pentagon's mail screening, is discussed later in this report. [24] In its technical comments on a draft of this report, DOD noted that subsequent training had been conducted, but that the training was "not as detailed." [25] As discussed earlier, mail room employees made several unsuccessful attempts to telephone the manufacturer and the maintenance contractors for help. In addition, DOD's manager of the complex told us that she called PFPA for guidance on how the cabinet operated, but the PFPA official was not aware of the type of equipment in use at the complex, and consequently, he was not able to tell her what to do. Finally, an employee called 911, which brought emergency responders from Fairfax County, Virginia. [26] 41 CFR §102-192.90. [27] The Official Mail Manager retired in April 2006. [28] Related to this, GSA officials told us that GSA does not have the authority to enforce its reporting requirement. [29] 41 CFR Ch 102-74.230. [30] The incident command initially included federal and local agencies and was used for, among other things, coordinating the evacuation of the mail screening and remote delivery facilities and the relocation of potentially affected employees. [31] Ciprofloxacin is one of several antibacterial drugs, including amoxicillin and doxycycline, that can be used to treat anthrax exposure. CDC currently recommends doxycycline for preventive treatment of anthrax. [32] Local public health officials explained that their desire to ensure that potentially affected individuals would be treated consistently derived from lessons learned in the fall of 2001. At that time, Capitol Hill staff was also initially provided with ciprofloxacin for their potential exposure to anthrax; however, Postal Service employees generally received doxycycline. CDC's recommendations in this area had changed, but that was not well understood, in part because ciprofloxacin had been described as the drug of choice in media reports. Because Postal Service employees generally received doxycycline--instead of ciprofloxacin--they believed that they had been given an inferior drug. According to local public health officials, this misperception was difficult to explain and, together with the death and illness of exposed postal employees, caused trauma within the Postal Service community. [33] Under DOD Directive 6200.3, Emergency Health Powers on Military Installations, DOD commanders and the designated Public Health Emergency Officer--in this case, the commander of the DiLorenzo TRICARE Health Clinic--can take actions to protect installations, facilities, and personnel in the event of a public health emergency resulting from biological warfare, terrorism, or a communicable disease epidemic. [34] According to CDC, antibiotic medical treatment is recommended as soon as possible after the LRN has obtained a presumptive positive test result. Such results can be obtained within 2 hours. [35] The RAND Corporation is a nonprofit research organization. Its National Defense Research Institutea federally funded research and development center conducted the review. RAND also examined a third incident that occurred at a DOD mail facility on the Bolling Air Force Base. The incident at the Bolling Air Force Base was not connected to the Pentagon and Skyline Complex incidents. Consequently, that incident is not discussed in this report. [36] Except for an unclassified summary, the RAND report is not available publicly. [37] The MOU established August 2005 as the deadline for agencies to begin using mutually accepted testing methods, a date that has long passed. According to an official from DHS's Science and Technology Directorate, it will take a considerable amount of additional time to assess and develop consensus on testing methods. The official estimated that the process to establish mutually accepted testing methods will be completed between September 2006 and March 2007. [38] According to CDC officials, the process involves establishing equivalency between DOD and LRN testing methods. In addition, they stated that once mutually accepted methods are established, it will take additional time to fully implement the testing and response procedures from an operational standpoint. [39] A DOD official noted that positive test results are taken in conjunction with other relevant factors to determine if antibiotics should be administered. [40] As discussed, the previous contracting officer's representative for administering the mail-screening contract was an official from the Defense Post Office with no expertise or training related to screening mail for anthrax or other biological hazards. The new contracting officer's representative is the Director of PFPA's chemical-biological laboratory located at the Pentagon. [41] The Director of Administration and Management is the principal adviser on DOD-wide organizational and administrative management matters. The Director's responsibilities include providing policy guidance to DOD components at (1) the Pentagon and (2) DOD-leased space in the Washington, D.C., area. [42] Washington Headquarters Services manages DOD-wide programs and operations for the Pentagon Reservation and DOD-leased facilities in the Washington, D.C., area. [43] The national capital region includes the District of Columbia and 11 local jurisdictions in Maryland and Virginia, including Arlington and Fairfax Counties, where the two incidents occurred. [44] TMA's previous biosafety cabinet was destroyed during the March 2005 incident. The new cabinet, purchased prior to receiving the directive, is functionally similar to the old one in that it is not capable of detecting biological agents and its alarm only indicates an obstruction in the equipment's airflow. [45] In January 2006, the President signed into law the National Defense Authorization Act for Fiscal Year 2006, P.L. 109-163, which could change the way DOD processes mail at the Pentagon and around the world. The law requires the Secretary of Defense to submit a report to Congress on the safety of mail within the military mail system, including a plan to screen all incoming mail for biological agents. [46] Specifically, the September 2005 supplement to DOD's mail manual cites the third edition of GSA's Mail Center Security Guide and GSA's December 2003 policy advisory entitled National Guidelines for Assessing and Managing Biological Threats in Federal Mail Facilities. [47] The Office of the Administrative Assistant to the Secretary of the Army also reviewed the draft report and concurred "without comment." [48] Federal Management Regulation, 41 C.F.R. ch. 102, issued by GSA. [49] U.S. Department of Health and Human Services, Centers for Disease Control and Prevention, Morbidity and Mortality Weekly Report, "Responding to Detection of Aerosolized Bacillus anthracis by Autonomous Detection Systems in the Workplace" (Atlanta, Georgia, June 4, 2004). [50] See, for example, GAO, U.S. Postal Service: Better Guidance Is Needed to Ensure an Appropriate Response to Anthrax Contamination, GAO- 04-239 (Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health Response to Anthrax Incidents of 2001, GAO-04-152 (Washington, D.C.: Oct. 15, 2003); and U.S. Postal Service: Better Guidance Is Needed to Improve Communication Should Anthrax Contamination Occur in the Future, GAO-03-316 (Washington, D.C.: Apr. 7, 2003). GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: