This is the accessible text file for GAO report number GAO-08-1054R entitled 'Defense Infrastructure: NORAD and USNORTHCOM Need to Reevaluate Vulnerabilities Associated with Moving the NORAD Command Center from Cheyenne Mountain to Peterson Air Force Base, and to Acknowledge Acceptance of the Risks' which was released on September 18, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-08-1054R: United States Government Accountability Office: Washington, DC 20548: September 18, 2008: Congressional Committees: Subject: Defense Infrastructure: NORAD and USNORTHCOM Need to Reevaluate Vulnerabilities Associated with Moving the NORAD Command Center from Cheyenne Mountain to Peterson Air Force Base, and to Acknowledge Acceptance of the Risks: In July 2006, the former Commander of North American Aerospace Defense Command (NORAD) and United States Northern Command (USNORTHCOM) announced plans to relocate certain functions from Cheyenne Mountain to create an integrated command center in Building 2 at Peterson Air Force Base (AFB), Colorado. In May 2007, we reported that NORAD and USNORTHCOM had not analyzed the anticipated operational effects--both positive and negative--of the relocation, and that the Department of Defense (DOD) could not discern the full costs or security implications of the move until ongoing security assessments had been completed and a protection level designated for the integrated command center.[Footnote 1] We suggested that Congress should consider restricting DOD's authority to fund the relocation until all security analyses were complete, the full costs for the move were determined, and DOD provided Congress with an analysis of the operational effects of the proposed realignments. As a result, in the National Defense Authorization Act for Fiscal Year 2008[Footnote 2] (hereinafter referred to as the Act), Congress directed the Secretary of Defense to submit a report by March 1, 2008, assessing the relocation of the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB. The Act required the report to contain (1) an analysis comparing the total costs associated with the relocation, including costs determined as part of ongoing security-related studies of the relocation, to anticipated operational benefits from the relocation; (2) a detailed explanation of the backup functions that will remain located at Cheyenne Mountain, and how those functions will maintain operational connectivity with their related commands; (3) the final plans for the relocation of the NORAD Command Center and related functions; and (4) the findings and recommendations resulting from the independent security and vulnerability assessment of Peterson AFB, including the Secretary of Defense's plans for mitigating any security and vulnerability risks identified and estimates for associated costs and scheduling. The Act mandated that we review DOD's report and the final plans for the relocation, and that we report to Congress within 120 days. On March 3, 2008, DOD submitted its report to Congress.[Footnote 3] DOD's report included a cost-benefit analysis comparing the following three alternatives:[Footnote 4] * Status quo--retain separate command centers at Cheyenne Mountain and Peterson AFB. * Establish a combined and integrated command center at Peterson AFB with reach-back capability to the computer systems at Cheyenne Mountain. * Establish a combined command center at Peterson AFB that duplicates the systems at Cheyenne Mountain. DOD's report to Congress also described the functions remaining at Cheyenne Mountain, provided a diagram of the final configuration of the command center at Peterson AFB, summarized the Air Force Space Command's classified security and vulnerability assessment, known as the Systems Effectiveness Assessment (SEA), and included the SEA as an attachment.[Footnote 5] Our report to Congress,[Footnote 6] which was classified by DOD, was issued on July 1, 2008, and provides additional details on the security issues surrounding the relocation of the NORAD Command Center from Cheyenne Mountain to Peterson AFB. This report is the unclassified version of our classified report. Because of the nature of the assets being moved, the Air Force must designate a protection level for the assets being moved from Cheyenne Mountain to Peterson AFB. The Air Force uses its protection level system to allocate security resources based on the respective risks associated with different assets. If resources are not available to meet the assigned protection level requirements, then the commander must obtain permanent exceptions or temporary waivers from the security requirements and develop compensatory measures.[Footnote 7] The Air Force designated the functions moving into the integrated command center as Protection Level-1, signifying that the loss, theft, destruction, misuse, or compromise of these assets would result in great harm to the strategic capability of the United States. DOD is proceeding with its plans to relocate the NORAD Command Center and other functions from Cheyenne Mountain to Peterson AFB and, according to DOD officials, as of May 29, 2008, operations had already begun at the combined command center. In reviewing DOD's report to Congress, our objectives were (1) to evaluate DOD's assumptions in its cost-benefit analysis of the three alternatives, and their effect on the recommendation; (2) to determine the extent to which DOD's report assessed and contained a plan to mitigate the security risks DOD identified at Peterson AFB; and (3) to determine the extent to which the final relocation plans take into account security issues raised in DOD's report. To conduct our evaluation, we reviewed DOD's report to Congress and the associated security study completed by Air Force Space Command. To assess the assumptions DOD used in its cost-benefit analysis related to the relocation and to determine how they affected the recommendation, we reviewed the cost-benefit analysis, examining the costs as well as the benefits, and determined whether DOD had completed a sensitivity analysis for key sources of uncertainty. However, we did not independently verify or validate the cost estimate. We examined the assumptions, such as the discount rate used, and how benefits were measured. We also performed a sensitivity analysis for benefits to determine how sensitive the outcomes were to changes in benefit scores. To determine the extent to which DOD's report assessed and contained a plan to mitigate the security risks DOD identified at Peterson AFB, we compared the Air Force Space Command's security study with DOD's report to Congress, examining how DOD characterized the risks, mitigation plans, and cost and schedule estimates contained in the security study. To determine the extent to which the final relocation plans presented in DOD's report took into account security issues raised in DOD's report, we compared the report's presentation of plans with the report's summary of security issues. We also reviewed prior GAO work on the Cheyenne Mountain relocation. We conducted our work from April to July 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. We prepared this unclassified version of our classified report from August to September 2008. Summary: DOD's report to Congress neither recognized the uncertainty of benefit scoring of the three options it analyzed for the planned relocation of certain functions from Cheyenne Mountain to Peterson AFB, Colorado, nor included a sensitivity analysis for the benefits used in calculating the cost-benefit ratio for the options. The scoring of the benefit factors was based on functional managers' subjective estimates of the factors' relative importance and fulfillment of requirements. However, DOD's cost-benefit analysis did not recognize the uncertainty of the benefits. Moreover, although Office of Management and Budget (OMB) guidance calls for the performance of a sensitivity analysis of key sources of uncertainty, such as, in this case, the subjective scoring of benefits, there is no indication that DOD performed such an analysis regarding either costs or benefits, and we found that a slight change in the benefit scores could significantly change the outcome as measured by the cost-benefit ratio. For example, raising the benefit score for the status quo by just 5 percent--a change that, in our opinion, falls within the margin of imprecision for a subjective judgment--would cause the status quo to become the preferred option. In addition, based on the limited cost information in DOD's report to Congress, it is unclear how sensitive DOD's cost estimates are to different assumptions. DOD's report to Congress did not provide a detailed mitigation strategy for all of the security and vulnerability risks identified in Air Force Space Command's classified security assessment and did not include all plans, costs, or schedule estimates. Also, it is unclear whether security upgrades meet necessary requirements. DOD's report understates the security challenges at Peterson AFB. Further, like the SEA, DOD's report does not address the full spectrum of threats and hazards associated with Peterson AFB. The classified version of this report contains information about the specific threats that were excluded from the scope of the Air Force Space Command's security assessment, and raises questions about how fully the SEA addresses certain key threats and all hazards. DOD's report also did not include plans, costs, or schedule estimates for mitigating all risks identified, since some recommendations were awaiting a conceptual design from Air Force Space Command before plans, costs, or schedule estimates could be determined. Furthermore, although the missions moving from Cheyenne Mountain were designated as Protection Level-1, at the time DOD issued its report to Congress, it did not state whether all recommended security upgrades met Protection Level-1 requirements and, therefore, whether waivers would be needed to begin operations at Peterson AFB. DOD officials told us that they had obtained waivers and, as a result, the new combined command center met the necessary security requirements as of May 28, 2008. DOD subsequently provided us with copies of three waivers (known as a Request for Deviation from Security Criteria), each of which was approved on May 20, 2008. The section of the DOD report regarding final plans for the relocation does not identify any security issues, including those that were identified in the SEA. Rather, it includes only a diagram of the final configuration of the command center at Peterson AFB. We are recommending that the Commander of NORAD and USNORTHCOM reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB, and that the Commander certify that he is fully aware of and accepts all of the risks. In written comments on a draft of this report, DOD disagreed with our recommendation that the Commander of NORAD and USNORTHCOM reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB. DOD stated that the SEA focused on threats considered most likely to affect Peterson AFB and Building 2, and that DOD viewed a threat assessment covering all possible threats encompassing both Cheyenne Mountain and Building 2 as unfocused. DOD stated that it considers the risk of certain other key threats--which we identified in the classified version of this report--to be low and outweighed by the benefits provided by the combined command center. However, we note that although the SEA did develop a "threat spectrum" that defined a range of potential threats to NORAD and USNORTHCOM, at the time of our review, DOD could not provide any documented evidence of having performed a risk assessment that analyzed the most likely threats to Peterson AFB and Building 2, nor any documented basis for its assumed assessment of low probability for certain key threats that were excluded from the scope of the SEA. We continue to believe that DOD should document having performed a risk assessment that analyzed the most likely threats to Peterson AFB and Building 2, along with the basis for its assumed assessment of low probability and adequate warning of certain key threats. DOD neither agreed nor disagreed with our recommendation that the Commander certify that he is fully aware of all of the risks associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB, and accepts those risks. DOD stated that through the waiver process and other mitigation actions, the Commander has formally accepted the outstanding actions and associated risks related to a Protection Level-1 facility. DOD recently provided us with copies of three waivers; however, it was unclear to us that the Commander had explicitly accepted the risks posed by the full spectrum of threats or hazards. Thus, we continue to believe that our recommendation has merit and that he should certify that he accepts those risks. Subsequent to DOD's letter containing the comments restated above, DOD provided us with another letter on August 29, 2008, containing its comments on our final classified report. In its additional comments, the department stated that NORAD and USNORTHCOM are in the process of implementing GAO's recommendation that the Commander of NORAD and USNORTHCOM reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB. Specifically, DOD stated that a new Director of Security has been appointed and is leading a Security Tiger Team, which has partnered with Sandia National Laboratories to evaluate all threats and vulnerabilities to the headquarters. Moreover, DOD stated that in concert with other planned vulnerability assessments, the Security Tiger Team is recommending actions to mitigate vulnerabilities and the Commander is incrementally approving changes to the security posture of the headquarters as a result of this process. We have not verified or validated the information provided in these additional comments. Background: During a series of major exercises conducted in 2005, the NORAD/ USNORTHCOM Commander directed planning, operations, and command and control elements from two separate command centers. In the course of the exercises, the Commander identified impediments to unity of effort and time-critical decision making, and he attributed these impediments to the geographic separation of the two command centers. A subsequent analysis conducted by a NORAD/USNORTHCOM senior official concluded that having a single command center at Peterson AFB represented the only option that offered both the physical space required for a consolidated command center and a strengthened unity of effort between the commands. A USNORTHCOM study[Footnote 8] outlined a second option to move certain functions out of Cheyenne Mountain while retaining the core computer systems there, providing what DOD refers to as "reach-back." NORAD and USNORTHCOM officials stated that once the functions and their associated personnel were moved, they intended to use Cheyenne Mountain as an alternate command center. DOD's Cost-Benefit Analysis Does Not Recognize the Uncertainty of Benefits and Lacks a Sensitivity Analysis: DOD's report to Congress neither recognized the uncertainty of benefit scoring of the three options it analyzed for the planned relocation of certain functions from Cheyenne Mountain to Peterson AFB, Colorado, nor included a sensitivity analysis for the benefits used in calculating the cost-benefit ratio for the options. DOD's report used subjective and imprecise measurements of the benefits of the three options it analyzed for the planned relocation of certain functions from Cheyenne Mountain to Peterson AFB, Colorado. We recognize that subjectivity can be involved in estimating costs and benefits, which typically are uncertain because of imprecision in both underlying data and modeling assumptions. However, OMB guidance states that "because uncertainty is common to many analyses, its effects should be analyzed and reported." [Footnote 9] As required by the Act, DOD's report to Congress included an analysis comparing the total costs associated with the relocation of the NORAD Command Center and related functions against the anticipated operational benefits. DOD calculated the costs and benefits for the following three alternatives: * Alternative 1--Status Quo: retaining separate command centers (split operations) at Cheyenne Mountain and Peterson AFB. * Alternative 2--Reach-back Capability: establishing a combined and integrated command center at Peterson AFB (the primary command center), with reach-back capability to key computer systems at Cheyenne Mountain (the alternate command center). * Alternative 3--Duplicate Systems: establishing a combined command center at Peterson AFB (the primary command center) that duplicates the capabilities at Cheyenne Mountain (the secondary command center). This third alternative would result in stand-alone systems at both sites. In calculating costs, DOD considered nonrecurring investment costs and recurring costs. For all three alternatives, the nonrecurring investment costs were sustained in the first year of analysis, and the recurring costs would be sustained in every year over the 10-year period of analysis. Costs that were identical for each of the alternatives were not considered. All of the costs were presented in 2008 constant dollars. The total costs for the three alternatives over the 10-year period of analysis were calculated in present value [Footnote 10] terms using a 2.8 percent discount rate.[Footnote 11] Table 1 shows the total costs for each alternative. Table 1: Comparison of Total Costs for the Three Relocation Alternatives (2008 constant dollars): Present value of total costs: Alternative 1- Status Quo: $20,011,111; Alternative 2- Reach-back Capability: $71,762,643; Alternative 3- Duplicate Systems: $137,038,661. Source: DOD. [End of table] The derived benefits from each alternative could not be measured monetarily, so DOD considered nine nonmonetary factors. According to DOD, these benefit factors were analyzed during a meeting of NORAD/ USNORTHCOM functional managers. Each manager ranked the nonmonetary benefits, and the weight points were assigned on a scale of 1 through 10 to reflect each benefit's relative importance; the more important the benefit, the greater the number of weight points. Each of the three alternatives was weighted on a continuous scale from 0 to 100 percent, with 0 percent signifying that the alternative does not meet all requirements and 100 percent signifying that the alternative meets all requirements. These two weight values--weight points and requirements percentages--were multiplied to derive a benefit score. The benefit score was divided into the total cost of an alternative to determine the cost-benefit ratio for each alternative. As table 2 shows, Alternative 2--Reach-back Capability--has the lowest cost-benefit ratio, at $1,028,855, indicating that it had the lowest cost per unit of benefit, that is, the cheapest alternative relative to benefits. Table 2: Cost-Benefit Analysis of the Three Relocation Alternatives: Benefit factors: Superior decision making; Weight points: 10.0; Alternative 1--Status Quo: Requirements (percent): 15; Alternative 1--Status Quo: Benefit score: 1.5; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 10.0; Alternative 3--Duplicate Systems: Requirements (percent): 100; Alternative 3--Duplicate Systems: Benefit score: 10.0. Benefit factors: Full spectrum integration; Weight points: 9.0; Alternative 1--Status Quo: Requirements (percent): 15; Alternative 1--Status Quo: Benefit score: 1.4; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 9.0; Alternative 3--Duplicate Systems: Requirements (percent): 100; Alternative 3--Duplicate Systems: Benefit score: 9.0. Benefit factors: Simultaneous command and control processes; Weight points: 9.0; Alternative 1--Status Quo: Requirements (percent): 25; Alternative 1--Status Quo: Benefit score: 2.3; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 9.0; Alternative 3--Duplicate Systems: Requirements (percent): 100; Alternative 3--Duplicate Systems: Benefit score: 9.0. Benefit factors: Dispersed command and control; Weight points: 8.0; Alternative 1--Status Quo: Requirements (percent): 40; Alternative 1--Status Quo: Benefit score: 3.2; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 7.2; Alternative 3--Duplicate Systems: Requirements (percent): 90; Alternative 3--Duplicate Systems: Benefit score: 7.2 Benefit factors: Shared understanding; Weight points: 8.0; Alternative 1--Status Quo: Requirements (percent): 20; Alternative 1--Status Quo: Benefit score: 1.6; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 8.0; Alternative 3--Duplicate Systems: Requirements (percent): 100; Alternative 3--Duplicate Systems: Benefit score: 8.0. Benefit factors: Responsive and tailorable organization; Weight points: 8.0; Alternative 1--Status Quo: Requirements (percent): 20; Alternative 1--Status Quo: Benefit score: 1.6; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 8.0; Alternative 3--Duplicate Systems: Requirements (percent): 100; Alternative 3--Duplicate Systems: Benefit score: 8.0. Benefit factors: Shared quality information; Weight points: 7.0; Alternative 1--Status Quo: Requirements (percent): 30; Alternative 1--Status Quo: Benefit score: 2.1; Alternative 2--Reach-back Capability: Requirements (percent): 100; Alternative 2--Reach-back Capability: Benefit score: 7.0; Alternative 3--Duplicate Systems: Requirements (percent): 100; Alternative 3--Duplicate Systems: Benefit score: 7.0. Benefit factors: Robust networking; Weight points: 7.0; Alternative 1--Status Quo: Requirements (percent): 40; Alternative 1--Status Quo: Benefit score: 2.8; Alternative 2--Reach-back Capability: Requirements (percent): 75; Alternative 2--Reach-back Capability: Benefit score: 5.3; Alternative 3--Duplicate Systems: Requirements (percent): 95; Alternative 3--Duplicate Systems: Benefit score: 6.7. Benefit factors: Flexible synchronization; Weight points: 7.0; Alternative 1--Status Quo: Requirements (percent): 40; Alternative 1--Status Quo: Benefit score: 2.8; Alternative 2--Reach-back Capability: Requirements (percent): 90; Alternative 2--Reach-back Capability: Benefit score: 6.3; Alternative 3--Duplicate Systems: Requirements (percent): 90; Alternative 3--Duplicate Systems: Benefit score: 6.3. Benefit factors: Benefit score; Alternative 1--Status Quo: Benefit score: 19.20; Alternative 2--Reach-back Capability: Benefit score: 69.75; Alternative 3--Duplicate Systems: Benefit score: 71.15. Benefit factors: Total cost (in 2008 constant dollars); Alternative 1--Status Quo: $20,011,111; Alternative 2--Reach-back Capability: $71,762,643; Alternative 3--Duplicate Systems: $137,038,661. Benefit factors: Cost-benefit ratio; Alternative 1--Status Quo: $1,042,245; Alternative 2--Reach-back Capability: $1,028,855; Alternative 3--Duplicate Systems: $1,926,053. Source: DOD. [End of table] In examining how DOD scored benefits, we noted several concerns. First, the benefit score for Alternative 1, Status Quo, is significantly lower than the benefit score for the other two alternatives. Alternative 1's benefit is 72 percent lower than that of Alternative 2, Reach-back Capability, and 73 percent lower than that of Alternative 3, Duplicate Systems. Second, only a slight change in the benefit scores would change the cost-benefit score rankings of two of the three alternatives. For example, if the benefit score for each of the nine nonmonetary benefit factors for Alternative 1, Status Quo, were increased by as little as 5 percent--a change that, in our opinion, falls within the margin of imprecision for a subjective judgment-- Alternative 1 would become the preferred option (rather than Alternative 2) based on its cost-benefit ratio (see table 3). Table 3: Cost-Benefit Analysis with Revised Benefit Score for Alternative 1 (2008 constant dollars): Benefit score: Alternative 1--Status Quo: 19.20; Alternative 1--Status Quo, with a 5 percent higher benefit score: 20.16; Alternative 2--Reach-back Capability: 69.75; Alternative 3--Duplicate Systems: 71.15. Total cost: Alternative 1--Status Quo: $20,011,111; Alternative 1--Status Quo, with a 5 percent higher benefit score: $20,011,111; Alternative 2--Reach-back Capability: $71,762,643; Alternative 3--Duplicate Systems: $137,038,661. Cost-benefit ratio: Alternative 1--Status Quo: $1,042,245; Alternative 1--Status Quo, with a 5 percent higher benefit score: $992,615; Alternative 2--Reach-back Capability: $1,028,855; Alternative 3--Duplicate Systems: $1,926,053. Source: GAO analysis of DOD data. [End of table] The sensitivity of the benefit scores is important for three reasons. First, benefits are predicated on the functional managers' subjective estimates of relative importance and fulfillment of requirements. Because managerial estimates are not objective measures--like dollars, time, or distance--there is a degree of imprecision to the measurement. Second, the preferred alternative--Alternative 2, Reach-back Capability--was already known to the managers before the benefit scoring was conducted. The extent to which this affected managers' scoring, coupled with the lack of anonymity in the scoring, cannot be determined. Third, the cost-benefit ratio between the preferred solution--Alternative 2, Reach-back Capability--and Alternative 1, Status Quo, differed by only 1.3 percent. According to OMB guidance, [Footnote 12] a sensitivity analysis should have been performed and reported to determine the cost-benefit ratio values' sensitivity to the uncertainty of benefit scoring and the results of this analysis. There is no indication that DOD performed a sensitivity analysis regarding either the costs or the benefits; it is not mentioned in DOD's report to Congress. In addition, based on the limited cost information in DOD's report to Congress, it is unclear how sensitive DOD's cost estimates are to different assumptions. DOD's Report to Congress Does Not Provide a Detailed Risk Mitigation Strategy; Does Not Include All Plans, Costs, or Schedule Estimates; and Does Not Clearly Indicate Whether Upgrades Meet Necessary Requirements: DOD's report to Congress does not provide a detailed mitigation strategy for all of the security and vulnerability risks identified in the Air Force's SEA. First, DOD's report to Congress understates the security challenges at Peterson AFB. Second, as the SEA itself acknowledges, the SEA did not analyze security risks associated with a specific key capability at Peterson AFB, and thus the DOD report lacks this information. Third, like the SEA, DOD's report does not address the full spectrum of threats or hazards associated with Peterson AFB. Fourth, DOD only summarizes the SEA recommendations in its report rather than presenting a detailed discussion of the actions needed to mitigate security vulnerabilities. Moreover, as DOD was still waiting for a conceptual design to be submitted by Air Force Space Command that would address certain recommendations, its report did not include all plans, costs, or schedule estimates for these recommended actions. Furthermore, although the missions moving from Cheyenne Mountain have been designated as Protection Level-1, DOD's report does not state whether all recommended measures will meet the necessary requirements and, therefore, whether waivers and compensatory measures are needed to begin operations at Peterson AFB. DOD's Report Does Not Fully Detail Mitigation Strategies: First, DOD's report to Congress understates the security challenges at Peterson AFB. According to the Act, DOD's report to Congress must include the findings and recommendations of an independent security and vulnerability assessment of Peterson AFB and the Secretary of Defense's plans for mitigating any security and vulnerability risks identified as part of that assessment. DOD's report noted the existence of some security issues, but not to the extent as is presented in the SEA. Second, the SEA acknowledges that it did not analyze security risks associated with a specific key capability that DOD classified. Consequently, security risks associated with that capability were not included in DOD's report to Congress--even though the SEA noted that diverse redundancy with regard to this key capability was needed to eliminate or mitigate single points of failure. Third, DOD's report, like the SEA, does not address the full spectrum of threats or all hazards, such as natural disasters. Our aforementioned classified report contains information about the specific threats that were excluded from the scope of the Air Force Space Command's security assessment. According to the SEA, the assessment team considered a wide range of threats that it culled from Air Force policy documents, local Air Force Office of Special Investigations reports, historical data, and previous studies. The SEA states that although protecting soft targets from certain key types of attacks would be very difficult and costly, the assessment team would have to perform a new assessment to reflect a new threat, should the threat change. Our classified report raised questions about how fully the SEA addresses certain key threats and all hazards. Finally, while DOD's report to Congress appears to address all of the recommended security upgrades contained in the noncomprehensively scoped SEA, those upgrades and their mitigation strategies are only summarized. Moreover, some of the solutions have been submitted as unfunded requests. DOD officials told us on May 29, 2008, that when operations began at the new integrated command center shortly before that date, DOD substituted some alternative measures to mitigate needed upgrades that had not been performed. However, we cannot verify whether these measures are adequate due to the limited scope of the SEA and the parameters of our review. DOD's Report Does Not Include All Plans, Costs, or Schedule Estimates; and Does Not Clearly Indicate Whether Upgrades Meet Necessary Requirements: DOD's report to Congress lists security upgrades recommended in the SEA that are awaiting final conceptual design. Consequently, DOD's report did not include plans, costs, or schedule estimates for these upgrades. Additional information provided by NORAD and USNORTHCOM indicates that compensatory measures have been performed while awaiting final design for these upgrades, and for funding to be secured. DOD recently provided us with a copy of the December 2007 Sandia National Laboratories study on which these conceptual design recommendations were based. However, we have not analyzed the study to determine whether all recommended security upgrades are being implemented or whether waivers have been approved and compensatory measures put in place. Security enhancements have a cumulative effect and, without a detailed analysis, it is difficult to evaluate whether the planned upgrades identified in DOD's report will achieve the desired level of protection. Further, it is unclear whether assets moving from Cheyenne Mountain to Building 2 at Peterson AFB will be protected in accordance with Air Force policy. As mentioned earlier, if NORAD and USNORTHCOM cannot meet Protection Level-1 requirements for the integrated command center because of resource or funding constraints, then NORAD and USNORTHCOM will have to request waivers and develop compensatory measures. However, neither DOD's report to Congress nor the SEA stated whether all recommended security upgrades would enable Building 2 to meet necessary requirements or whether waivers would be needed to begin operations. Final Plans for Relocation Do Not Take Security Issues into Account: As required by the Act, DOD includes in its report a section on its final plans for relocating the NORAD Command Center and related functions. However, this section consists solely of a configuration diagram of the new integrated command center and a time frame for when it will commence operations. The section does not include any of the security issues DOD identified in either its report or the SEA. Conclusions: DOD is proceeding with its plans to relocate the NORAD Command Center and other functions from Cheyenne Mountain to Peterson AFB and, according to DOD officials, operations at the combined command center had begun by May 29, 2008. However, our review of DOD's report to Congress showed that it did not recognize the uncertainty of benefit scoring or include a sensitivity analysis, thus rendering its comparison of alternatives subject to very different outcomes with only slight changes to subjectively estimated benefit scores. Furthermore, DOD's report did not include certain key threats, which we identified in the classified version of this report, and it understated the security issues surrounding the relocation, as detailed in the SEA. Recommendations for Executive Action: To help mitigate the security and vulnerability risks identified in, and incorporate certain key threats excluded from, the Air Force Space Command's security assessment, we recommend that the Secretary of Defense, through the Joint Chiefs of Staff, direct the Commander of NORAD and USNORTHCOM to take the following two actions: * Reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB. * Certify that he is fully aware of all the risks associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB, and accepts those risks. Agency Comments and Our Evaluation: In written comments on a draft of this report, DOD disagreed with our first recommendation and neither agreed nor disagreed with our second recommendation. DOD's comments are reprinted in their entirety in enclosure I. DOD disagreed with our recommendation that the Commander of NORAD and USNORTHCOM reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB. In its comments, DOD stated that the SEA focused on threats considered most likely to affect Peterson AFB and Building 2 and stated that the Defense Threat Reduction Agency will conduct a Balanced Survivability Assessment in the fall of 2008 to further refine Headquarters NORAD and USNORTHCOM security needs. DOD stated that it views a threat assessment covering all possible threats encompassing both Cheyenne Mountain and Building 2 as unfocused, and that it has prioritized resources according to most likely scenarios. However, although the SEA did develop a "threat spectrum" that defined a range of potential threats to NORAD and USNORTHCOM, DOD could not provide any documented evidence of having performed a risk assessment that analyzed the most likely threats to Peterson AFB and Building 2 in order to prioritize resources. DOD states that should there be a credible threat to Peterson AFB, command center functions could be transferred back to Cheyenne Mountain. We continue to believe that DOD should document having performed a risk assessment that analyzed the most likely threats to Peterson AFB and Building 2, along with the basis for its assumed assessment of low probability of certain key threats that are identified in the classified version of this report. DOD neither agreed nor disagreed with our recommendation that the Commander of NORAD and USNORTHCOM certify that he is fully aware of all the risks associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB, and that he accepts those risks. DOD stated in its comments that its report to Congress was based on a security analysis completed in May 2007. DOD stated that to date, NORAD and USNORTHCOM have implemented the measures necessary for Building 2 to meet required security levels, and that those mitigation items not approved for implementation either were covered in other approved actions or have been waived pending implementation. DOD states that through the waiver process, the Commander formally accepted the outstanding actions and associated risks related to a secure facility. DOD recently provided us with copies of three waivers; however, it was unclear to us that the Commander had explicitly accepted the risks posed by the full spectrum of threats or hazards. Without such added insight into the risks accepted by the Commander, we continue to believe that our recommendation has merit and that he should certify that he accepts those risks. Subsequent to DOD's letter containing the comments restated above, DOD provided us with another letter on August 29, 2008, containing its comments on our final classified report. In its additional comments, the department stated that NORAD and USNORTHCOM are in the process of implementing GAO's recommendation that the Commander of NORAD and USNORTHCOM reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson AFB. Specifically, DOD stated that a new Director of Security has been appointed and is leading a Security Tiger Team, which has partnered with Sandia National Laboratories to evaluate all threats and vulnerabilities to the headquarters. Moreover, DOD stated that in concert with other planned vulnerability assessments, the Security Tiger Team is recommending actions to mitigate vulnerabilities and the Commander is incrementally approving changes to the security posture of the headquarters as a result of this process. We have not verified or validated the information provided in these additional comments. DOD's additional comments are reprinted in their entirety in enclosure II. We are sending copies of this report to other interested congressional parties. We are also sending copies to the Secretary of Defense; the Chairman, Joint Chiefs of Staff; the Secretary of the Air Force; and the Commanders of NORAD/USNORTHCOM and USSTRATCOM. Copies will be made available to others upon request. In addition, this report will be available at no charge on our Web site at [hyperlink, http://www.gao.gov/]. If you or your staff have any questions about this report, please contact me at (202) 512-5431 or dagostinod@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in enclosure III. Signed by: Davi M. D'Agostino: Director: Defense Capabilities and Management: Enclosures - 3: List of Committees: The Honorable Carl Levin: Chairman: The Honorable John McCain: Ranking Member: Committee on Armed Services: United States Senate: The Honorable Ike Skelton: Chairman: The Honorable Duncan L. Hunter: Ranking Member: Committee on Armed Services: House of Representatives: Enclosure I: Comments from the Department of Defense: Note: Page numbers in the draft report may differ from those in the final report. Unclassified: GAO Report - Dated June 3, 2008: GAO Code 351199/GA0-08-807C: "Defense Infrastructure: NORAD and USNORTHCOM Need to Reevaluate the Full Spectrum of Vulnerabilities Associated with Moving the NORAD Command Center from Cheyenne Mountain to Peterson Air Force Base, and to Acknowledge Acceptance of the Risks" (U): Cleared: For Open Publication: July 11, 2008: Office of Security Review, Department of Defense: Unclassified Department Of Defense Comments To The Recommendations (U): (U) Recommendation 1: The GAO recommends that the Secretary of Defense, through the Joint Chiefs of Staff, direct the CDR of North American Aerospace Defense Command (NORAD) and United States Northern Command (USNORTHCOM) to reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson Air Force Base, (Page 15/GAO Draft Report) (U) DOD Response: DOD does not concur. The Security Effectiveness Analysis (SEA) focused on threats considered most likely to impact Peterson Air Force Base and Building 2. In addition, the Defense Threat Reduction Agency will conduct a Balanced Survivability Assessment in the fall of 2008, to include Networks and Information Integration to further refine HQ NORAD and USNORTHCOM security needs. 'The concept behind preparing for the most likely scenarios is to prioritize resources accordingly. We believe we have done this. The command is also still utilizing Cheyenne Mountain as an alternate command center and can resume full capability of all functions. (U) We acknowledge that there are threats from which Cheyenne Mountain would provide better protection. However, we consider the probability of this type of risk to be low and outweighed by the benefits provided by the combined Command Center. (U) Recommendation 2: The GAO recommends that the Secretary of Defense, through the Joint Chiefs of Staff, direct the CDR of North American Aerospace Defense Command (NORAD) and United States Northern Command (USNORTHCOM) to certify that he is fully aware of all the risks associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson Air Force Base, and accepts those risks. (Page 15/GAO Draft Report) (U) DOD Response: Our report to Congress in March 2008 was based on a security analysis completed in May 2007. Since the completion of the security analysis report, the Commander has taken appropriate and additional steps in response to the analyses completed. The Commander has formally accepted the outstanding actions and associated risks related to a PL-1 facility, and understands that risk is an inherit element in command and acknowledges that risk. Enclosure (1) [End of enclosure] Enclosure II: Additional Comments from the Department of Defense on the Final Classified Report: Note: Page numbers in the draft report may differ from those in the final report. North American Aerospace Defense Command And United States Northern Command: Maj Gen John H. Bordelon, USAF: Chief of Staff, NORAD and USNORTHCOM: 250 Vandenberg St., Ste 3804: Peterson AFB CO 80914-3804: August 29, 2008: Ms. Davi M. D'Agostino: Director, Defense Capabilities and Management: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Ms. D'Agostino: This is the Department of Defense (DoD) response to the GAO final report, 'Defense Infrastructure: NORAD and USNORTHCOM Need to Reevaluate the Full Spectrum of Vulnerabilities Associated with Moving the NORAD Command Center from Cheyenne Mountain to Peterson Air Force Base, and to Acknowledge Acceptance of the Risks', July 1, 2008 (GAO Code 351199/GAO-08-807RC). We acknowledge receipt of this report and also acknowledge that our comments are included in the final report. General Renuart has reviewed and concurs with the Department's comments and we have included them as an attachment to this letter. Work continues on the numerous security initiatives referred to in our previous response, and the Commander of North American Aerospace Defense Command and US Northern Command has provided detailed updates and responses, in person, to Members of the House Armed Services Committee. Our point of contact is Commander Joel Paine, USN at joel.paine@northcom.mil or joel.paine@northcom.smil.mil. Sincerely, Signed by: John H. Bordelon: Major General, USAF: Attachment: Department of Defense Comments to GAO Report (GAO code 351199/GA0-08- 807RC): GAO Report - Dated JULY 1, 2008: GAO Code 351199/GAO-08-807RC: "Defense Infrastructure: NORAD and USNORTHCOM Need to Reevaluate the Full Spectrum of Vulnerabilities Associated with Moving the NORAD Command Center from Cheyenne Mountain to Peterson Air Force Base, and to Acknowledge Acceptance of the Risks" (U): Department Of Defense Comments To The Recommendations (U): Recommendation 1: The GAO recommends that the Secretary of Defense, through the Joint Chiefs of Staff, direct the Commander of North American Aerospace Defense Command (NORAD) and United States Northern Command (USNORTHCOM0 to reevaluate the full spectrum of security vulnerabilities associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson Air Force Base. (Page 15/GAO Draft Report) DOD Response: NORAD and USNORTHCOM are in the process of accomplishing this task. A new Director of Security has been appointed (at the Colonel level) and is leading a Security Tiger Team to evaluate all threats and vulnerabilities to the headquarters. The Tiger Team has partnered with Sandia Labs in this process. In addition, we have enlisted the support of the JSIVA team (8-12 Sep 2008) to evaluate our methods to address identified vulnerabilities. The DTRA-led Balanced Survivability Assessment team started an assessment of our command centers in August 2008, with the physical evaluation scheduled to occur 29 Sep to 10 Oct 2008. In concert with our partners, the Security Tiger Team is recommending actions to mitigate vulnerabilities and the Commander is incrementally approving prudent changes to the security posture of our headquarters as a result of this process. Recommendation 2: The GAO recommends that the Secretary of Defense, through the Joint Chiefs of Staff, direct the Commander of North American Aerospace Defense Command (NORAD) and United States Northern Command (USNORTHCOM) to certify that he is fully aware of all the risks associated with moving the NORAD Command Center and related functions from Cheyenne Mountain to Peterson Air Force Base, and accepts those risks. (Page 15/GAO Draft Report) DOD Response: Our report to Congress in March 2008 was based on a security analysis completed in May 2007. Since the completion of the security analysis report, the Commander has taken appropriate and additional steps in response to the analyses completed. The Commander has formally accepted the outstanding actions and associated risks related to a PL-1 facility, and understands that risk is an inherent element in command and acknowledges that risk. [End of section] Enclosure III: GAO Contact and Staff Acknowledgments: GAO Contact: Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov: Acknowledgments: In addition to the contact named above, Mark A. Pross, Assistant Director; Gregory A. Marchand; Charles W. Perdue; Marc J. Schwartz; Kimberly C. Seay; and Cheryl A. Weissman made key contributions to this report. [End of section] Footnotes: [1] GAO, Defense Infrastructure: Full Costs and Security Implications of Cheyenne Mountain Realignment Have Not Been Determined, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-803R] (Washington, D.C.: May 21, 2007). [2] Pub. L. No. 110-181, § 361 (2008). [3] NORAD/USNORTHCOM, Report to Congress on Relocation of North American Aerospace Defense Command Center (Colorado Springs, Colo.: January 2008). [4] A fourth alternative--combine the command center at Cheyenne Mountain--was deemed by DOD as infeasible. [5] Air Force Space Command, Systems Effectiveness Assessment for Headquarters North American Aerospace Defense Command and United States Northern Command, Peterson Air Force Base (Colorado Springs, Colo.: Oct. 11, 2007). [6] GAO, Defense Infrastructure: NORAD and USNORTHCOM Need to Reevaluate the Full Spectrum of Vulnerabilities Associated with Moving the NORAD Command Center from Cheyenne Mountain to Peterson Air Force Base, and to Acknowledge Acceptance of the Risks (Washington, D.C.: July 1, 2008). [7] Air Force Instruction 31-101, The Air Force Installation Security Program, § 6.3.2 (Washington, D.C.: Mar. 1, 2003). [8] U.S. Northern Command, The NORAD-USNORTHCOM Transformation Analysis Report (Colorado Springs, Colo.: July 2006). [9] OMB Circular A-94, Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs (Washington, D.C.: Oct. 29, 1992). [10] Present value is taking into account the time value of money in calculating the value of future costs. [11] The discount rate is the interest rate used in present value calculations. [12] OMB Circular A-94. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: