This is the accessible text file for GAO report number GAO-06-388 entitled 'Nuclear Power Plants: Efforts Made to Upgrade Security, but the Nuclear Regulatory Commission's Design Basis Threat Process Should Be Improved' which was released on April 4, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives: March 2006: Nuclear Power Plants: Efforts Made to Upgrade Security, but the Nuclear Regulatory Commission's Design Basis Threat Process Should Be Improved: [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-388] GAO Highlights: Highlights of GAO-06-388, a report to the Chairman, Subcommittee on National Security, Emerging Threats, and International Relations, Committee on Government Reform, House of Representatives: Why GAO Did This Study: The nation’s commercial nuclear power plants are potential targets for terrorists seeking to cause the release of radioactive material. The Nuclear Regulatory Commission (NRC), an independent agency headed by five commissioners, is responsible for regulating and overseeing security at the plants. In April 2003, in response to the terrorist attacks of September 11, 2001, NRC revised the design basis threat (DBT), which describes the threat that plants must be prepared to defend against in terms of the number of attackers and their training, weapons, and tactics. NRC has also restructured its program for testing security at the plants through force-on-force inspections, which consist of mock terrorist attacks. GAO was asked to review (1) the process NRC used to revise the DBT for nuclear power plants, (2) the actions nuclear power plants have taken to enhance security in response to the revised DBT, and (3) NRC’s progress in strengthening the conduct of force-on-force inspections at the plants. What GAO Found: NRC revised the DBT for nuclear power plants using a generally logical and well-defined process in which trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. The process resulted in a DBT requiring plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb. Key elements of the revised DBT, such as the number of attackers, generally correspond to the NRC threat assessment staff’s original recommendations, but other important elements do not. For example, the NRC staff made changes to some recommendations after obtaining feedback from stakeholders, including the nuclear industry, which objected to certain proposed changes such as the inclusion of certain weapons. NRC officials said the changes resulted from further analysis of intelligence information. Nevertheless, GAO found that the process used to obtain stakeholder feedback created the appearance that changes were made based on what the industry considered reasonable and feasible to defend against rather than on an assessment of the terrorist threat itself. Nuclear power plants made substantial security improvements in response to the September 11, 2001, attacks and the revised DBT, including security barriers and detection equipment, new protective strategies, and additional security officers. It is too early, however, to conclude that all sites are capable of defending against the DBT because, as of November 1, 2005, NRC had conducted force-on-force inspections at about one-third of the plants. NRC has improved its force-on-force inspections—for example, by conducting inspections more frequently at each site. Nevertheless, in observing three inspections and discussing the program with NRC, GAO noted potential issues in the inspections that warrant NRC’s continued attention. For example, a lapse in the protection of information about the planned scenario for a mock attack GAO observed may have given the plant’s security officers knowledge that allowed them to perform better than they otherwise would have. A classified version of this report provides additional details about the DBT and security at nuclear power plants. Barrier Designed to Defend against a Vehicle Bomb: [See PDF for image] [End of figure] What GAO Recommends: GAO recommends that NRC improve its process for making changes to the DBT and evaluate and implement measures to further strengthen its force- on-force inspection program. Commenting on the draft report, NRC provided clarifications regarding the process NRC used to revise the DBT, but it neither agreed nor disagreed with GAO’s recommendations. www.gao.gov/cgi-bin/getrpt?GAO-06-388. To view the full product, including the scope and methodology, click on the link above. For more information, contact Jim Wells at (202) 512- 3841 or wellsj@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: NRC's Process for Revising Its DBT for Nuclear Power Plants Was Generally Logical and Well Defined, but Some Changes Were Not Clearly Linked to an Analysis of the Terrorist Threat: Nuclear Power Plants Made Substantial Changes to Their Security to Address the Revised DBT, but NRC Inspections Have Uncovered Problems: NRC Has Significantly Improved the Force-on-Force Inspection Program, but Challenges Remain: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendixes: Appendix I: Scope and Methodology: Appendix II: Details of Findings from NRC Reports on Baseline and Force- on-Force Inspections: Appendix III: Comments from the Nuclear Regulatory Commission: Appendix IV: GAO Contact and Staff Acknowledgments: Table: Table 1: Summary of Key Changes to the NRC DBT for Nuclear Power Plants: Figures: Figure 1: Diagram of a Sample Nuclear Power Plant Site: Figure 2: Example of a Bullet-Resistant Structure: Figure 3: Example of a Vehicle Barrier System: Figure 4: Example of an Active Vehicle Barrier System: Abbreviations: DBT: design basis threat: DHS: Department of Homeland Security: DOE: Department of Energy: FBI: Federal Bureau of Investigation: NEI: Nuclear Energy Institute: NRC: Nuclear Regulatory Commission: Letter March 14, 2006: The Honorable Christopher Shays: Chairman, Subcommittee on National Security, Emerging Threats, and International Relations: Committee on Government Reform: House of Representatives: Dear Mr. Chairman: The nation's 103 operating commercial nuclear power plants, located at 65 sites in 31 states,[Footnote 1] are potential targets for terrorists seeking to cause the release of radioactive material. Such a release, which may result from a meltdown of a plant's nuclear reactor core or damage to the spent nuclear fuel located at the site, could endanger public health and safety through exposure to radiation. The Nuclear Regulatory Commission (NRC), an independent agency headed by five commissioners, licenses commercial nuclear power plants and is responsible for regulating and overseeing their safe operation and security. According to NRC, there is a general credible threat of a terrorist attack to the nation's commercial nuclear power plants, in particular by al Qaeda and like-minded Islamic terrorist groups. For example, as discussed in The 9/11 Commission Report, nuclear power plants were among the targets considered in the original plan for the September 11, 2001, attacks.[Footnote 2] However, NRC and intelligence agency officials we spoke with said they are not aware of current intelligence information indicating specific plans for an attack on a nuclear power plant. NRC issues and enforces security-related regulations and orders, and nuclear power plant licensees implement security measures to meet NRC requirements. In particular, to ensure that nuclear power plants are secure against a terrorist attack, NRC formulates a design basis threat (DBT)--the threat that plants must defend against--and tests plants' ability to defend against the DBT.[Footnote 3] The DBT characterizes the elements of a potential attack, including the number of attackers, their training, and the weapons and tactics they are capable of employing. NRC established the first DBT for nuclear power plants in the late 1970s. NRC conducts semiannual reviews of the potential terrorist threat to determine whether to make changes to the DBT and has revised it twice in response to changes in the threat. First, NRC expanded the DBT to include a vehicle laden with explosives after two incidents in 1993-- the vehicle bombing of the World Trade Center and a vehicle intrusion incident at one of the nuclear power plant sites. NRC revised the DBT again in April 2003 in response to the terrorist attacks of September 11, 2001. Among other changes, this most recent DBT increased the number of attackers, refined and expanded the list of weapons and equipment that might be used in an attack, and increased the maximum size of a vehicle bomb that plants must defend against. The DBT does not represent the maximum size and capability of a terrorist attack that is possible, but rather NRC's assessment of the threat that the nuclear power plants must be prepared to defend against "to ensure adequate protection of public health and safety." Furthermore, NRC regulations do not require nuclear power plants to protect against attacks directed against the sites by an "enemy of the United States," whether a foreign government or other person.[Footnote 4] NRC originally included this provision in its regulations in 1967 (prior to issuing the first DBT for nuclear power plants). According to NRC officials, the provision was intended to address the possibility that Cuba might launch an attack on a nuclear power plant in Florida. In revising the DBT in April 2003, NRC did not use this provision to exempt plants from defending against terrorist groups such as al Qaeda but rather stated that a private security force (such as at a nuclear power plant) cannot reasonably be expected to defend against all threats--for example, airborne attacks. Importantly, NRC also works with the Department of Homeland Security (DHS), the Federal Aviation Administration, the Federal Bureau of Investigation (FBI), and other federal, state, and local authorities to coordinate an integrated response to a terrorist threat or attack on a nuclear power plant.[Footnote 5] Furthermore, NRC does not directly gather intelligence information but rather receives intelligence from other agencies that it uses to formulate the DBT for nuclear power plants. NRC has access to intelligence information on terrorist activities and the domestic terrorist threat, including information from secure databases and intelligence reports from intelligence and other agencies. Before receiving a license to operate a nuclear power plant, owners must develop and implement an NRC-approved security plan describing how they will defend the site against the threat presented in the DBT. As set forth in the security plan, the licensees employ private security forces (either hired directly or through a contractor) and provide them with the weapons, training, and equipment to defend the site. When NRC revised the DBT in 2003, it required licensees to develop new security plans describing their strategy for defending the sites against the revised DBT and to implement any security enhancements outlined in the plans by October 29, 2004. These security enhancements were in addition to other measures licensees implemented--such as stricter requirements for obtaining physical access to nuclear power plants, minimum training requirements for security officers, and limits on the work hours of the security force to address the potential for fatigue--in response to a series of security orders NRC issued after September 11, 2001. According to the Nuclear Energy Institute (NEI), which represents the nuclear power industry, the cost of security enhancements made since September 11, 2001, for all sites amounts to over $1.2 billion.[Footnote 6] NRC reviews and approves the security plans, conducts regular "baseline" inspections to verify compliance with the plans and other security requirements, and conducts force-on-force inspections involving multiple mock terrorist attacks to ensure sites are capable of defending against an attack.[Footnote 7] NRC considers the DBT, the security plans, and the results of its inspections and force-on-force exercises to contain "safeguards information" and other sensitive information, including details about security that could potentially aid terrorists plotting to attack a nuclear power plant.[Footnote 8] Consequently, NRC does not make this information available to the general public, which has made it difficult for the agency to alleviate concerns about the level of security at nuclear power plants. The concerns center on whether the revised DBT adequately reflects the post- September 11 threat to nuclear power plants, and whether sites have done enough to respond to the threat. You asked us to (1) examine the process NRC used to develop the April 2003 DBT for nuclear power plants, and (2) determine what actions nuclear power plants have taken to enhance security in response to the revised DBT. In addition, you asked us to review NRC's progress in strengthening the conduct of force-on-force inspections. In response, we have prepared this unclassified public report, which does not include certain details about the DBT and security at nuclear power plants that NRC considers to be safeguards information. We have prepared a classified version of this report in which we include such details. To address the first objective, we reviewed the process NRC uses to analyze terrorist and criminal activities to assess the threat to nuclear power plants. We interviewed NRC officials responsible for analyzing information received from the intelligence and law enforcement communities and three of the four NRC commissioners serving at the time the DBT was revised to determine what factors they took into account in deciding on changes to the DBT. We compared the April 2003 DBT with NRC documents summarizing the threat to nuclear power plants and with the Department of Energy (DOE) DBT for its nuclear weapons facilities. We also interviewed officials from other federal agencies, including DHS and FBI, to obtain their assessments of the terrorist threat to nuclear power plants, and we interviewed DOE officials regarding the DOE DBT. To address the second objective, we visited four nuclear power plant sites (one in each of the four NRC regions) to observe the security enhancements that sites made to address the revised DBT. We selected the four sites using a number of criteria, including size and type of reactor. GAO staff with a professional background in security accompanied us on our visits in order to provide the expertise needed to fully comprehend the sites' security strategies. At each site, we interviewed senior plant management, security managers, and security officers. Before visiting the four sites, we visited two other nuclear power plants to familiarize ourselves with NRC security requirements and the sites' security equipment and strategies; at one site, we observed an NRC baseline security inspection, and at the other, we observed a force-on- force inspection. We did not test the effectiveness of the security strategies at the four sites, and we cannot project the results of our work to all nuclear power plants. In addition to visiting four sites, we reviewed a sample of NRC's baseline and force-on-force inspection reports. To review NRC's progress in improving the force-on-force inspection program, we observed a total of three force-on-force inspections at two sites, reviewed NRC reports on force-on-force inspections, and interviewed NRC officials responsible for implementing the program. For other views on security at nuclear power plants, we interviewed officials from the nuclear industry group NEI and from the Project on Government Oversight, an independent nonprofit organization. (App. I presents a detailed discussion of our scope and methodology.) We conducted our work from November 2004 through January 2006 in accordance with generally accepted government auditing standards. Results in Brief: The process NRC used to revise the DBT for nuclear power plants in April 2003 was generally logical and well defined. NRC made the revisions as part of a process that it had been using since formulating the first DBT in the late 1970s. NRC staff trained in threat assessment used reports and secure databases provided by intelligence agencies to monitor information on terrorist activities worldwide. To enhance the predictability and consistency of its assessments of this information and its recommendations to the NRC commissioners for changes to the DBT, the NRC threat assessment staff developed and used a comprehensive screening tool to analyze intelligence information and evaluate particular terrorist capabilities, or "adversary characteristics," for inclusion in the DBT. NRC's process also included consultation with DOE, which has a DBT for its facilities that process or store radiological materials and therefore are also potential targets for radiological sabotage, and with stakeholders such as the nuclear power industry and state governments. Using this process, NRC produced a revised DBT that generally, but not always, corresponded to the original recommendations of the threat assessment staff. For example, the maximum number of attackers in the revised DBT is based in part on the staff's analysis of the size of terrorist cells worldwide, as well as NRC's interpretation that multiple cells along the lines of the September 11, 2001, attacks would not necessarily target a single nuclear power plant. However, for other important elements of the DBT, such as the weapons that attackers could use against a plant, the final version of the revised DBT does not correspond to the staff's original recommendations. We identified two principal reasons for these differences: * First, the threat assessment staff made changes to its initial recommendations after obtaining feedback from stakeholders, including the nuclear industry, on a draft of the DBT. A number of the changes reflected industry objections to the draft. For example, following meetings with industry, the staff decided not to recommend including certain weapons in the list of adversary characteristics that nuclear power plants should be prepared to defend against. In its comments, the industry had pressed for NRC to remove such adversary characteristics from the draft DBT. The industry considered these adversary characteristics prohibitively expensive to defend against or to be representative of an enemy of the United States, which is the responsibility of the government, rather than the industry, to defend against. When we asked about the changes to the staff's original recommendations, NRC officials told us the changes resulted from further analysis of the intelligence data and the reasonableness of required defensive measures rather than the industry objections. Nevertheless, in our view, the process by which NRC used the threat assessment staff to obtain stakeholder feedback created the appearance that changes were made based on what industry considered reasonable and feasible to defend against rather than an assessment of the terrorist threat, especially given the high degree of judgment involved in assessing threat information. NRC officials said they have altered their process in order to better separate the analysis of threat information from interaction with stakeholders. * Second, in deciding on the revised DBT, the NRC commissioners largely supported the staff's recommendations but also made some significant changes to those recommendations. These changes reflected the commissioners' policy judgments on what is reasonable for a private security force to defend against. For example, the commissioners decided against including two weapons that the threat assessment staff had concluded could plausibly be used against a U.S. nuclear power plant. Consideration of issues such as what is reasonable for a private security force to defend against can certainly be considered by the commissioners in approving changes to the DBT. However, the commissioners did not identify explicit criteria for what is and is not reasonable for a private security force to defend against, such as the cost of defending against particular adversary characteristics. NRC officials said detailed criteria on what is reasonable for a private security force would reduce the commissioners' discretion in approving changes to the DBT. Nevertheless, we believe the absence of reviewable criteria reduced the transparency of the commissioners' decisions to make changes to the threat assessment staff's recommendations. The absence of criteria also potentially reduced the rigor of the decision- making process. Licensees of nuclear power plants have made substantial changes to their security in response to the September 11, 2001, attacks and the 2003 revisions to the DBT. At the sites we visited, these actions included, for example, adding security barriers and detection equipment, implementing new protective strategies, enhancing access control, and hiring additional security officers. According to NRC, other sites implemented similar security enhancements to defend against the 2003 DBT. The sites' efforts have been substantial and, in some cases, have gone beyond what was required. For example, one site added electronic intrusion detection equipment to its outer perimeter, which was not required. Despite these considerable efforts, it is too early to conclude that all sites are capable of defending against the DBT because, as of November 1, 2005, NRC had conducted force-on-force inspections at 20 of the 65 sites. According to NRC, sites have generally performed well during force-on-force inspections, and the results of baseline inspections show that sites have generally complied with their security plans. However, a number of sites have experienced problems and have not always met security requirements. For example, a baseline inspection at one site found that detection equipment malfunctioned and had to be fixed. Similarly, we observed a force-on- force inspection at another site in which the licensee's performance at the time was at best questionable in its ability to defend the site against the DBT. According to NRC, it will complete the first cycle of triennial force-on-force inspections at all nuclear power plant sites on schedule, by 2007. NRC has made a number of improvements to its force-on-force inspection program, several of which address recommendations we made in our September 2003 report on the agency's oversight of security at commercial nuclear power plants. For example, NRC is implementing a schedule to conduct the inspections more frequently at each site--every 3 years rather than every 8 years--and has instituted measures to make the inspections more realistic, such as using laser equipment to better simulate the weapons that attackers and security officers would likely employ during an actual attack on a nuclear power plant. These improvements are important because, as we noted from our observation of three force-on-force inspections and our review of NRC reports on others, the inspections have the ability to detect weaknesses in sites' protective strategies, which can then be corrected. Nevertheless, in observing three inspections and discussing the program with NRC officials, we noted issues in the force-on-force program that warrant continued NRC attention. For example, a lapse in protection of information about the planned scenario for a mock attack that we observed may have given the plant's security officers knowledge that allowed them to perform better than they otherwise would have. According to NRC officials, NRC inspectors have been instructed to be vigilant regarding any indications that a site's security force may have received advance knowledge of an attack scenario. We are recommending that NRC improve its DBT development process in two ways. First, we recommend that NRC assign responsibility for obtaining feedback from the nuclear industry and other stakeholders on proposed changes to the DBT to an office within NRC other than the Threat Assessment Section, thereby insulating the staff and mitigating the appearance of industry influence on the threat assessment itself. Second, we recommend that NRC develop explicit criteria to guide the commissioners in their deliberations to approve changes to the DBT. These criteria should include setting out the specific factors and how they will be weighed in deciding what is unreasonable for a private security force to defend against. In addition, we are recommending that NRC continue to evaluate and implement measures to further strengthen its force-on-force inspection program. In commenting on a draft of this report, NRC provided additional clarifying comments pertaining to the process NRC used to revise the DBT for nuclear power plants, and we revised the report accordingly. NRC's written comments are included in appendix III. Background: NRC is an independent agency established by the Energy Reorganization Act of 1974 to regulate the civilian use of nuclear materials. NRC is headed by a five-member commission, with one commission member designated by the President to serve as chairman and official spokesperson. The commission as a whole formulates policies and regulations governing nuclear reactor and materials safety and security, issues orders to licensees, and adjudicates legal matters brought before it. Security for commercial nuclear power plants is addressed by NRC's Office of Nuclear Security and Incident Response. This office develops policy on security at nuclear facilities and is the agency's security interface with DHS, the intelligence and law enforcement communities, DOE, and other agencies. Within this office, the Threat Assessment Section assesses security threats involving NRC- licensed activities and develops recommendations regarding the DBT for the commission's consideration. The DBT for radiological sabotage applied to nuclear power plants identifies the terrorist capabilities (or "adversary characteristics") that sites are required to defend against. The adversary characteristics generally describe the components of a ground assault and include the number of attackers; the size of a vehicle bomb; and the weapons, equipment, and tactics that could be used in an attack. Other threats in the DBT include a waterborne assault and the threat of an insider. The DBT does not include the threat of an airborne attack. However, according to NRC officials, NRC regulations do require nuclear power plants to implement readily available measures to mitigate against the potential consequences of such an attack. In its publicly available regulations governing the licensing of nuclear power plants, NRC has issued a general description of the DBT--for example, requiring sites to defend against an attack by several well-trained and dedicated individuals armed with hand-carried weapons and equipment and assisted by a knowledgeable insider who participates in a passive or active role.[Footnote 9] In April 2003, NRC issued orders to nuclear power plant licensees containing a more detailed description of the revised DBT, which NRC considers safeguards information. NRC requires nuclear power plants to have and implement a security plan that describes their strategy for defending against an attack having the characteristics of the DBT. Nuclear power plant sites are responsible for installing barriers and intrusion detection equipment, hiring security officers, and implementing other measures in accordance with their security plans. NRC then inspects the sites' compliance with the plans and ability to defend against the DBT. After revising the DBT, NRC required sites to submit new plans by April 29, 2004, for NRC's review and approval and to implement the security described in their new plans by October 29, 2004. The plans contain information about the sites, including: * a description of sites' physical layout, such as barriers and buildings, and a description of any environmental features important to the effective coordination of response operations; * the minimum number of security officers defending the vital areas (the areas containing equipment needed to ensure the safe shutdown of the reactor and protection of spent fuel pools); and: * a description of the protective strategy that sites will enact in response to an attack or threat defined in the DBT, such as an external land-based assault, a vehicle bomb, a waterborne assault, or an insider threat. NRC's performance-based means for testing the effectiveness of nuclear power plant security programs is through force-on-force inspections. These inspections, which consist of 350 hours of on-site inspection activity, are intended to demonstrate how well a nuclear power plant might defend against a real-life threat. In a force-on-force inspection, a professional team of adversaries attempts to reach specific "target sets" within a nuclear power plant that would allow them to commit radiological sabotage. These target sets represent the minimum pieces of equipment or infrastructure an attacker would need to destroy or disable to commit radiological sabotage resulting in an elevated release of radioactive material to the environment. Force-on- force exercises do not directly test the response of outside agencies, such as local law enforcement. However, sites simulate actions they would take to notify local law enforcement and other outside agencies. In addition, according to NRC officials, sites routinely conduct liaison activity with local law enforcement and emergency response agencies. While the adversary characteristics terrorists might use in an actual attack are uncertain, the DBT provides parameters for the conduct of force-on-force inspections. For example, the mock adversary force is constrained to using the specific number of attackers, amount of explosives, and weapons and tactics included in the DBT. According to NRC officials, the commission recently approved an option to conduct force-on-force inspections using adversary characteristics that go beyond those in the DBT. This option would be available on a voluntary basis to nuclear power plant licensees that are clearly successful in defending against the first two mock attacks of the force-on-force inspection, which typically includes three mock exercises over 3 days. NRC also conducts baseline inspections at nuclear power plants to determine that licensees have established measures to deter, detect, and protect against the DBT for radiological sabotage. Security inspectors in NRC's four regional offices conduct the inspections. NRC's policy is to conduct a baseline inspection at each site every year, with the complete range of baseline inspection activities conducted over a 3-year cycle. One element of a baseline inspection is evaluating the site's protective strategy--for example, by conducting tabletop drills (simulated attacks using a model of the site) to gain a better understanding of the strategy. Inspectors also examine areas such as officer training, fitness for duty, positioning and operational readiness of multiple physical and technical security components, and the controls the licensee has in place to ensure that unauthorized personnel do not gain access to the protected area. According to NRC officials, agency inspectors spend a total of 136 hours annually at a site for a baseline inspection, and the 3-year baseline inspection cycle involves more than 400 hours of inspection activity. For both force-on-force and baseline inspections, licensees are responsible for immediately correcting or compensating for any deficiency in which NRC concludes that security is not in accordance with the approved security plans or other security orders. According to its inspection manual, NRC has 45 days to send a licensee a report on the results of an inspection, including any findings and the licensee's corrective actions. DHS has overall responsibility among federal agencies for assessing the vulnerability of the nation's critical infrastructure to terrorist attacks and coordinating efforts to enhance security. Nuclear power plants represent one sector of the critical infrastructure. Other sectors include such things as agriculture, chemical facilities, and transportation systems. In 2005, DHS began a series of visits to nuclear power plant sites to conduct comprehensive security reviews in order to assess the risks and consequences of various types of events and to provide better information on the most effective allocation of federal resources to improve security at critical infrastructure sites.[Footnote 10] DHS conducts the comprehensive reviews with relevant agencies such as the FBI and, in the case of nuclear power plants, NRC. According to DHS, the comprehensive reviews for nuclear power plants focus primarily on the security of the sites "outside the fence"--the aspects of security outside the responsibility and control of the nuclear power plant licensees. DHS relies on NRC to regulate the security of nuclear power plants "inside the fence." DHS officials told us that the nuclear power sector is one of the few critical infrastructure sectors in which the federal government has the authority to regulate the security of sites. According to DHS, as of December 2005, the agency had completed 14 comprehensive reviews at nuclear power plant sites. NRC's Process for Revising Its DBT for Nuclear Power Plants Was Generally Logical and Well Defined, but Some Changes Were Not Clearly Linked to an Analysis of the Terrorist Threat: The process that NRC used to revise its DBT for nuclear power plants was generally logical and well defined. In particular, the process included an analysis of intelligence and law enforcement information on terrorist capabilities and consultation with DOE, which also has a DBT for its facilities that are potential targets for terrorists seeking to cause radiological sabotage. Using this process, NRC produced a revised DBT that usually corresponded to the original recommendations of NRC's threat assessment staff. However, certain elements of the revised DBT, such as the weapons that attackers could use against a plant, do not correspond to the staff's original recommendations for two reasons. First, the NRC threat assessment staff charged with reviewing intelligence information made changes to its recommendations after receiving feedback from stakeholders, including the nuclear industry. Given the high degree of judgment involved in assessing threat information, the process NRC used to obtain stakeholder feedback created the appearance that changes were made based on industry views rather than an assessment of the terrorist threat. Second, the NRC commissioners made changes to the staff's recommendations on the basis of what is reasonable for a private security force to defend against but did not identify explicit criteria for such policy judgments. NRC Has Been Assessing Threats to Nuclear Power Plants for Many Years: NRC made its 2003 revisions to the DBT for nuclear power plants as part of a process that the agency has used since first issuing the DBT in the late 1970s. In this process, NRC staff trained in threat assessment use reports and secure databases provided by the intelligence community to monitor information on terrorist activities worldwide. The staff analyze this information both to identify specific references to nuclear power plants and to determine the capabilities that terrorists have acquired and how they might use those capabilities to attack nuclear power plants in the United States. The staff normally summarize applicable intelligence information and any recommendations for changes to the DBT in semiannual reports to the NRC commissioners on the threat environment.[Footnote 11] In addition, the threat assessment staff promptly report changes in the threat to the commissioners and coordinate with the intelligence agencies to help ensure that the staff are aware of all pertinent intelligence information. In 1999, the NRC staff began developing a set of criteria--the adversary characteristics screening process--to decide whether to recommend particular adversary characteristics for inclusion in the DBT and to enhance the predictability and consistency of their recommendations. According to the NRC staff, the adversary characteristics screening process, which they used to develop the April 2003 revised DBT, begins with a thorough review of intelligence reports and application of initial screening criteria to evaluate adversary characteristics. The staff use the initial screening criteria to exclude from further consideration certain adversary characteristics, such as those that are already in the DBT or those that would more likely be used by a foreign military than by a terrorist group. For adversary characteristics that pass the initial round of screening, the threat assessment staff apply additional screening factors. Examples of such factors include the following: * The type of terrorist group that demonstrated the characteristic. For example, the staff consider whether an adversary characteristic has been demonstrated by transnational or terrorist groups operating in the United States, or by terrorist groups that operate only in foreign countries. * The location and level of social stability where the characteristic was demonstrated. For example, the staff consider whether the adversary characteristic has been demonstrated in North America and other countries with a high level of social stability or in countries with an active insurgency or civil war. NRC considers that terrorists planning to attack a nuclear power plant in the United States would face greater operational security and logistical challenges than terrorists operating in countries where there is an internal insurgency. * The frequency with which the characteristic has been demonstrated and its availability. For example, the staff consider the availability of an adversary characteristic on the open or the black market. * The type of target the characteristic has been used against, the tactical use of the characteristic, and the motive behind its use. For example, the staff consider whether the adversary characteristic has been used against a target with a level of security similar to that at nuclear power plants or against targets with less security, such as the October 2002 attack on a Moscow theater by Chechen rebels. Depending on the results of this analysis, the threat assessment staff may interact with intelligence and other agencies to obtain additional information and insights about the adversary characteristics. Finally, on the basis of their analysis and interaction with other agencies, the staff decide whether to recommend that the commission include the adversary characteristics in the DBT for nuclear power plants. NRC's Office of Nuclear Security and Incident Response, which includes the Threat Assessment Section, reviews and endorses the threat assessment staff's analysis and recommendations. Since issuing the revised DBT in April 2003, NRC has continued to use the adversary characteristics screening process to consider additional changes--for example, to consider new intelligence information on weapons not included in the revised DBT. In addition, the Energy Policy Act of 2005 directed NRC to undertake a rulemaking to revise the DBT for nuclear power plants.[Footnote 12] While the detailed description of the April 2003 DBT is safeguards information and thus has not been made available to the public, the rulemaking, which is under way, presents the DBT in less detail so that it can be made available to the public and includes a notice and opportunity for public comment. The act directed NRC to consider the events of September 11, 2001; the potential for an attack on facilities by multiple, coordinated teams of a large number of individuals; the potential for suicide attacks; and other factors. The April 2003 DBT already includes some (but not all) of the adversary characteristics listed in the Energy Policy Act, such as attackers who are willing to commit suicide, the potential for a waterborne assault, and the use of explosive devices. NRC officials told us that, as part of the current rulemaking, they would consider all of the factors listed in the Energy Policy Act, including those not currently in the DBT. NRC Threat Assessment Staff Had to Decide on the Applicability of Intelligence Information to Nuclear Power Plants: Terrorist attacks have generally occurred outside the United States, and intelligence information specific to nuclear power plants is very limited. As a result, one of the NRC threat assessment staff's major challenges has been to decide how to apply this limited information to nuclear power plants in the United States. For example, one of the key elements in the revised DBT, the number of attackers, is based on NRC's analysis of the group size of previous terrorist attacks worldwide. According to NRC threat assessment staff, the number of attackers in the revised DBT falls within the range of most known terrorist cells worldwide.[Footnote 13] Furthermore, the threat assessment staff told us they considered but decided against an even larger number of attackers in the draft DBT because a larger cell would face an increased potential of detection before it could successfully carry out a terrorist attack in the United States. The staff also concluded that multiple cells along the lines of the September 11, 2001, attacks would not necessarily target a single nuclear power plant. Intelligence and law enforcement officials we spoke with did not have information contradicting NRC's interpretation regarding the number of attackers (or other parts of the NRC DBT) but did point to the uncertainty regarding the size of potential attacks and the relative lack of intelligence on the terrorist threat to nuclear power plants. NRC staff recommendations regarding other adversary characteristics also reflected the staff's interpretation of intelligence information. For example, the staff considered increasing the vehicle bomb in the revised DBT to a range of sizes and ultimately recommended a size that was based on an analysis of previous terrorist attacks using vehicle bombs.[Footnote 14] One of the largest vehicle bombs ever detonated was used in the 1996 bombing of the U.S. military residence in Saudi Arabia, and the maximum size of a vehicle bomb used in the United States--the 1995 bombing of the federal building in Oklahoma City-- consisted of the equivalent of 4,800 pounds of TNT. Additional examples of NRC's interpretation of intelligence information and recommendations for the revised DBT included the following: * The threat assessment staff recommended a maximum weight of equipment and explosives per attacker. The staff based this weight on the experience and professional knowledge of NRC staff and contractors with security backgrounds. In developing these limits, the staff evaluated the degree to which attackers would rely on speed of movement rather than be encumbered by large amounts of equipment. They also considered that a relatively small amount of explosives could cause a large amount of damage. * The NRC staff recommended including a waterborne assault with a bomb size based on available intelligence on waterborne terrorist bombs. In addition, according to NRC, watercraft found near nuclear power plants would generally be constrained in terms of payload. Furthermore, the bomb size recommended by the staff was considered sufficient to significantly damage a nuclear power plant's water intake structure. The staff considered that a larger bomb would add little to the potential damage to the intake structure. * The NRC staff supported the inclusion of equipment that is readily available through commercial sources but recommended against weapons with limited use by terrorists. * The staff recommended against including infiltration into a nuclear power plant by air because their review of terrorist attacks did not demonstrate significant use of such tactics against a fixed site. Table 1 summarizes, by adversary characteristic, the key changes to the DBT recommended by the NRC staff and the final changes approved by the NRC commissioners. Table 1: Summary of Key Changes to the NRC DBT for Nuclear Power Plants: Adversary characteristic: Number of attackers; NRC staff's recommended DBT: The staff recommended increasing the number of attackers to fall within the range of most known terrorist cells worldwide; April 2003 revised DBT, as approved by NRC commissioners: The commission supported the number of attackers recommended by the NRC staff. Adversary characteristic: Vehicle bomb; NRC staff's recommended DBT: The staff recommended increasing the maximum size of a vehicle bomb based on an analysis of previous attacks using vehicle bombs. The staff considered a larger vehicle bomb size but decided against the larger size after obtaining comments from stakeholders, including the nuclear industry; April 2003 revised DBT, as approved by NRC commissioners: The commission supported the staff recommendation. Adversary characteristic: Weapons; NRC staff's recommended DBT: The staff refined and expanded the list of weapons that could be used in an attack. The staff decided against recommending certain weapons after obtaining comments from stakeholders, including the nuclear industry; April 2003 revised DBT, as approved by NRC commissioners: The commission retained most weapons recommended by the staff but removed certain weapons the staff had recommended. Adversary characteristic: Inside assistance; NRC staff's recommended DBT: Active or passive; April 2003 revised DBT, as approved by NRC commissioners: Active or passive. The commission added a provision that the likelihood of an active insider can be reduced by a human reliability program, which consists of policies and procedures, such as substance abuse testing, designed to help ensure the reliability of personnel. Adversary characteristic: Weight of equipment and explosives; NRC staff's recommended DBT: Based on the degree to which attackers would rely on speed of movement rather than be encumbered by large amounts of equipment; April 2003 revised DBT, as approved by NRC commissioners: The commission reduced the weight recommended by the staff. Source: GAO analysis of NRC information. [End of table] NRC Generally Established Requirements Less Rigorous Than DOE's DBT for Radiological Sabotage: According to the NRC staff's report on recommended changes to the DBT for nuclear power plants, NRC has a long-standing commitment to work closely with DOE in an effort to maintain comparable protection for comparable facilities. Thus, as part of the process for revising the DBT for nuclear power plants, NRC monitored and exchanged information with DOE, which also has a DBT for comparable facilities that process or store radiological materials and are, therefore, potential targets for radiological sabotage.[Footnote 15] However, while certain aspects of the two agencies' DBTs for radiological sabotage are similar, NRC generally established less rigorous requirements than DOE--for example, with regard to the types of equipment that could be used in an attack. Additional information regarding key adversary characteristics found in both agencies' DBTs includes the following: * Number of attackers. Both DOE and NRC based the number of attackers on intelligence on the size of terrorist cells. According to DOE officials, it is challenging to find intelligence on terrorist activities that can be considered equivalent to a ground assault on a fixed facility such as a nuclear power plant or DOE site. However, DOE officials said they used similar intelligence as NRC to derive the number of attackers. * Vehicle bomb. DOE and NRC officials provided us with similar analyses of intelligence information on previous terrorist attacks using vehicle bombs. In particular, DOE and NRC officials told us that most vehicle bombs used in terrorist attacks are smaller than the size vehicle bomb in NRC's revised DBT. DOE officials also said that site-specific characteristics affect the size of vehicle bomb that sites are capable of defending against. * Weapons. The DOE DBT includes a number of weapons not included in the NRC DBT. Inclusion of such weapons in the NRC DBT for nuclear power plants would have required plants to take substantial additional security measures. Furthermore, DOE included other capabilities in its DBT that are not included in the NRC DBT. As discussed below, NRC staff considered some of the weapons in DOE's DBT for inclusion in the DBT for nuclear power plants but removed them while drafting the DBT. DOE established an even more stringent DBT for its sites that store nuclear weapons (or material that could be used in a nuclear weapon). The security objective for these sites is to prevent the theft or detonation of a nuclear weapon. DOE decided on a more stringent DBT to protect nuclear weapons facilities than sites with the potential for radiological sabotage in accordance with its graded approach, which provides for a higher level of protection to sites with greater potential consequences to public health and safety in the event of a terrorist attack. According to DOE officials, the consequences of theft or detonation of a nuclear weapon would be "orders of magnitude" greater than radiological sabotage at a DOE site or nuclear power plant. Consistent with DOE's graded approach, NRC officials told us they do not consider comparisons between the DOE DBT for nuclear weapons facilities and the NRC DBT for nuclear power plants valid. NRC considers that the potential consequences of the theft of material that could be used in a nuclear weapon could be much greater than radiological sabotage at a nuclear power plant. Furthermore, according to NRC officials, terrorists seeking to steal or detonate a nuclear weapon would require greater capabilities to accomplish their objectives than terrorists seeking to cause radiological sabotage. For example, theft of a nuclear weapon (or material that could be used in a weapon) would require terrorists to defeat a site's security systems when entering and leaving a site. In contrast, attackers willing to commit suicide in the process of causing the release of radiological material from a nuclear power plant would have to overcome security to enter a site and reach a target set but would not have to leave the site. Like DOE, NRC uses a graded approach to security, and, therefore, the NRC DBT for NRC-licensed facilities that store or process material that could be used in a nuclear weapon is more stringent than the NRC DBT for nuclear power plants. NRC's Process for Obtaining Feedback on the Draft DBT Created the Appearance of Industry Influence on the Threat Assessment Staff's Analysis of Intelligence Information: NRC staff sent a draft DBT to stakeholders in January 2003, held a series of meetings with them to obtain their comments, and received written comments. In addition to nuclear power plant licensees and NEI, which represents the nuclear industry, these stakeholders included other federal agencies and government authorities in affected states. NRC specifically sought and received feedback from the nuclear industry on what is reasonable for a private security force to defend against and the cost of and time frame for implementing security measures to defend against specific adversary characteristics.[Footnote 16] During the same period that the threat assessment staff was receiving industry and other stakeholder feedback, they continued to analyze intelligence information and modify the draft DBT. In April 2003, NRC staff submitted their final draft DBT to the commissioners for their review and approval, together with a summary of stakeholder comments. In its written comments on the January 2003 draft DBT, NEI objected to the size of the vehicle bomb, the inclusion of certain weapons, and the inclusion of an active violent insider. The NRC staff's draft DBT submitted to the commissioners reflected some (but not all) of NEI's objections. The reasons for NEI's objections to key adversary characteristics and changes to the NRC threat assessment staff's recommendations included the following: * Vehicle bomb. NEI objected to the vehicle bomb in the draft DBT because of its assessment of (1) the low probability of a vehicle bomb of the size proposed by NRC, (2) the likelihood that federal authorities or local law enforcement would detect a large vehicle bomb, and (3) the inability of some sites to protect against the size of the vehicle bomb proposed by NRC because of insufficient land for installation of vehicle barrier systems at a necessary distance. Instead, NEI agreed that it would be reasonable to protect against a smaller vehicle bomb. In its recommendations to the commissioners, the NRC staff subsequently reduced the size of the vehicle bomb to the amount proposed by NEI. After review, the staff's reason for agreement with NEI was that vehicle bombs as large as that included in the draft provided to stakeholders had rarely been used in previous terrorist attacks and would not be reasonable or practical to include in the DBT. * Weapons. NEI argued against the inclusion of a number of weapons. For example, NEI wrote that (1) one particular weapon recommended by the NRC staff would render the ballistic shielding used at nuclear power plants obsolete, and (2) another proposed weapon would initially cost $1 million to $7 million per site to defend against, with annual recurring costs of up to $2 million per site. Furthermore, NEI argued that these weapons (as well as the vehicle bomb size initially proposed by the NRC staff) would be indicative of an enemy of the United States, which sites are not required to protect against under NRC regulations. In the final draft submitted to the NRC commissioners, the NRC staff removed a number of weapons NEI had objected to. The staff reasoned that the weapons had rarely been used in armed assaults, or had been used infrequently in terrorist assaults despite their wide availability and use by violent criminals in the United States.[Footnote 17] NRC staff did not remove one particular weapon NEI had objected to, which, according to NRC's analysis, has been a staple in the terrorist arsenal since the 1970s and has been used extensively worldwide. (As discussed below, the NRC commissioners later voted to remove this particular weapon.) * Inside assistance. NEI wrote that the nuclear power industry had taken a number of steps to reduce the likelihood of an active violent insider--for example, it tightened the process for granting employees unescorted access to nuclear power plants. Furthermore, NEI wrote that the industry had been unable to identify cost-effective solutions to defend against an active violent insider, and that costs would range from $2 million to $8 million per site for equipment and $5 million per site per year for additional personnel. Despite these objections, the NRC staff recommended the inclusion of an active violent insider in the final draft of the DBT. (The NRC commissioners later allowed nuclear power plants to reduce the likelihood of an active violent insider through a human reliability program.) The chief of NRC's threat assessment staff told us that NRC did not make changes to the draft DBT based solely on industry views. Rather, according to NRC officials, the changes were made based on multiple internal analyses and discussions among the threat assessment staff and higher levels of review within NRC and its Office of Nuclear Security and Incident Response, which includes the Threat Assessment Section. Nevertheless, in our view, the process NRC used to obtain feedback from stakeholders, including the nuclear industry, created the opportunity for, and appearance of, industry influence on the threat assessment regarding the characteristics of an attack. When we raised this issue with NRC officials, they told us that under normal circumstances the threat assessment process is initially undertaken utilizing intelligence and law enforcement information, with other stakeholders subsequently having an opportunity to provide feedback--for example, regarding the cost of implementing security measures in response to proposed changes to the DBT. Furthermore, NRC threat assessment staff and other intelligence agency officials told us they support the separation of intelligence analysis from other responsibilities, such as obtaining stakeholder feedback on changes to the DBT, in order to insulate analysis of intelligence from other considerations. However, according to NRC, the agency made a deliberate decision as part of the process for revising the DBT in 2003 to have the threat assessment staff analyze intelligence information and obtain stakeholder feedback simultaneously, rather than sequentially, in order to accelerate the process in response to the increase in the terrorist threat. NRC officials said that in considering future changes to the DBT, NRC plans to ensure the initial separation of intelligence analysis from interaction with stakeholders. The NRC Commission Made Key Policy Judgments about Changes to the DBT without Criteria on Threats That a Private Security Force Could Reasonably Defend Against: The NRC staff provided the commissioners with a number of documents to consider in making the final decision on changes to the DBT. These included, but were not limited to, two assessments in the fall of 2002 on the terrorist threat to nuclear power plants (one specifically on the potential use of vehicle bombs) and a final paper in April 2003 with the staff recommendations for revisions to the DBT. The April 2003 document also included a summary of comments on the draft DBT received from the nuclear industry and other federal and state agencies; a summary of NEI's estimates of the cost of and time frame for implementing security measures to address specific changes to the DBT; and an updated assessment of the terrorist threat to nuclear power plants. The NRC commissioners told us they also had direct contacts with intelligence agencies that provided them with information on the terrorist threat. The commissioners made the final decision on changes to the DBT by majority vote.[Footnote 18] While the commission largely supported the NRC staff's recommendations for changes to the DBT, it also made some significant changes that reflected policy judgments. Specifically, the commissioners considered whether any of the recommended changes to the DBT constituted characteristics representative of an enemy of the United States, which sites are not required to protect against under NRC regulations. In approving the revised DBT, the commission stated that nuclear power plants' civilian security forces cannot reasonably be expected to defend against all threats, and that defense against certain threats (such as an airborne attack) is the primary responsibility of the federal government, in coordination with state and local law enforcement officials. In connection with this position, the commission directed NRC's Office of General Counsel to prepare a paper for commission approval articulating the factors to be considered in determining whether particular characteristics of an attack constitute an enemy of the United States. (Officials from NRC's Office of General Counsel told us they prepared a document with an analysis of this issue for the commission, but that the document was not a decision paper for approval by the commissioners.) We recognize that consideration of issues such as what is reasonable for a private security force to defend against is an appropriate role of the commission in approving changes to the DBT. However, in approving the revised DBT, the commission did not identify explicit criteria for determining whether specific adversary characteristics constitute an enemy of the United States or criteria for what is reasonable for a private security force to defend against. For example, the commission did not define whether the criteria include the cost for nuclear power plants to defend against an adversary characteristic or the efforts of local, state, and federal agencies to address particular threats. The lack of such criteria can reduce the transparency of commission decisions to make changes to the threat assessment staff's recommendations. NRC officials said detailed criteria on what is reasonable for a private guard force would reduce the commissioners' discretion in approving changes to the DBT. Furthermore, in NRC's view, the basis for the commission's policy decisions and direction to the NRC staff regarding the DBT are sufficiently articulated in the commission's voting record, in which individual commissioners provided the rationale for their votes, and in the related staff requirements memorandum, which documented the commission's decisions. As indicated in table 1, the significant changes the commission made to the NRC staff's recommendations included removal of certain weapons, a decrease in the maximum amount of weight carried by the attackers, and mitigation of an active insider through a human reliability program. In other cases, such as the size of the vehicle bomb, the commission supported the recommendations of the NRC staff. Based on our review of the commissioners' voting records, the commission's decisions on key aspects of the DBT included the following: * Vehicle bomb. A majority of commissioners voted to increase the maximum vehicle bomb to the size recommended by the NRC staff. However, one commissioner supported a larger vehicle bomb that the NRC staff had included in a previous draft of the DBT. The commissioner recognized that some sites would not have sufficient property to install vehicle barrier systems far enough from the plants to protect against the larger vehicle bomb and suggested NRC could provide such sites with an exemption and require them to protect against a smaller vehicle bomb. * Weapons. The commission decided to remove two weapons the NRC staff had recommended for inclusion in the revised DBT. As part of this decision, the commission directed the staff to conduct an in-depth analysis of the additional defensive capabilities, changes to sites' protective strategies, and costs associated with protecting against one of the weapons. Removal of weapons from the revised DBT was significant because of the strength of the NRC staff's intelligence analysis supporting their inclusion. For example, in the April 2003 report to the commissioners, the NRC staff reported that while one such weapon had not been used in the United States, it had been found in weapons caches in the United States. Similarly, the staff noted the use of the other weapon in captured terrorist training videos and its ready availability. The document summarizing the commission's changes to the proposed DBT did not provide a reason for excluding these weapons. However, in written comments on their votes, one commissioner identified these weapons as representative of an enemy of the United States; another commissioner agreed that threat data showed an increased possibility of the use of these weapons but stated that NRC staff needed to assess whether it would be reasonable for a private security force to defend against such weapons. One of the commissioners supported inclusion of these weapons in the DBT, as well as other weapons the staff had not recommended, but nevertheless told us there was more agreement than disagreement among the commissioners about what weapons should be included. The same commissioner told us he supported inclusion of one of the weapons because he considered the means for defending against it to be affordable. * Weight of equipment and explosives. In voting to decrease the maximum weight of equipment, weapons, and explosives (such as grenades) per attacker in the final DBT, three of the commissioners indicated they supported decreasing the weight that an attacker could be expected to carry. In their written comments, the three commissioners indicated that the staff's recommendation regarding carry weight would require further study--for example, to determine whether the greater amount of weight could reduce the capability of the attack force by reducing individual attackers' mobility. * Inside assistance. The commission added language to the DBT stating that a human reliability program for monitoring employees at the sites could reduce the likelihood of an active insider. To qualify, the sites' human reliability program would have to include background checks, substance abuse testing, psychological evaluations, annual supervisory review, and periodic background reinvestigations. The commissioners told us they made this decision based, in part, on the long-standing assumption by NRC that a human reliability program reduces the likelihood of an active insider. The commissioners also told us that other factors, such as increased awareness about the potential for an attack in the communities where nuclear power plants are located, would reduce the likelihood of an active insider. In addition to making changes to specific elements of the DBT for nuclear power plants, the commission provided overall policy direction on NRC's oversight of security of the sites. In particular, recognizing that an attack on a site could exceed the characteristics identified in the DBT, the commission directed the staff to continue coordinating with DHS and other federal and state authorities to help assure the security of nuclear power plants. For example, the commissioners told us that NRC works with the Federal Aviation Administration to address the threat of air strikes against a site. Similarly, NRC supports and participates in DHS comprehensive security reviews of nuclear power plant sites. Other significant policy direction included the following: * The commission affirmed the NRC staff's operating assumption that there may be no specific advance warning of an attack on a nuclear power plant but indicated that a general warning of a potential attack may be provided. * The commission directed the staff to continue providing the commissioners with assessments of specific adversary characteristics, including those not in the revised DBT, and to provide additional recommendations as part of the semiannual review of threats to nuclear power plants. However, the commission also indicated its expectation that there would be a period of "regulatory stability" (a period with no major changes to security regulations) in order to allow sites time to adjust to the changes already made to the DBT and other security requirements. * The commission supported the clarification that sites are not required to "defeat" an attack, because such a requirement could require sites' security forces to employ offensive tactics beyond what is allowed under law for private security forces. Rather, the commission supported the requirement that sites protect against radiological sabotage by preventing the destruction or disablement of vital equipment. Nuclear Power Plants Made Substantial Changes to Their Security to Address the Revised DBT, but NRC Inspections Have Uncovered Problems: The four nuclear power plant sites we visited made substantial changes after the September 11, 2001, attacks and in response to the revised DBT, including measures to detect, delay, and respond to the increased number of attackers and to address the increased vehicle bomb size. According to NRC, other sites took comparable actions to defend against the revised DBT. Despite the industry's considerable efforts, the changes have not been completely without problems and licensees can continue to make improvements. For example, NRC baseline and force-on- force inspections have found that the security changes have not always met NRC's requirements. Sites Addressed the Increase in the Number of Attackers by Implementing Security Enhancements Designed to Detect, Delay, and Respond to an Attack: The four sites we visited all implemented a "defense-in-depth" strategy, with multiple layers of security systems that attackers would have to defeat before reaching vital areas or equipment and destroying or disabling systems sufficient to cause an elevated release of radiation off site. The sites varied in how they implemented these measures, primarily depending on site-specific characteristics such as topography and on the degree to which they planned to interdict attackers within the owner-controlled area and far from the sites' vital area, as opposed to inside the protected area but before they could reach the vital equipment. (See fig. 1 for a diagram of the areas commonly found at nuclear power plants.) NRC officials told us that licensees have the freedom to design their protective strategies to accommodate site-specific conditions, so long as the strategies satisfy NRC requirements and prove successful in a force-on-force inspection. Figure 1: Diagram of a Sample Nuclear Power Plant Site: [See PDF for image] Note: The owner-controlled area refers the land and buildings within the site boundary, and the owner can limit or allow access to it for any reason. The protected area is within the owner-controlled area and requires a higher level of access control. The vital area contains the sites' vital equipment, the destruction of which could directly or indirectly endanger public health and safety through exposure to radiation. [End of figure] The sites we visited implemented security measures corresponding to the three elements generally recognized as constituting an effective security system for defending fixed sites. These include early detection of an attack, sufficient delay for security officers to report to their defensive positions, and capability of the security force to respond to the attack: * Detection. At all four sites, the owners installed additional cameras throughout different areas of the sites and instituted random patrols in the owner-controlled areas.[Footnote 19] The owner-controlled areas generally contain undeveloped property and administrative buildings that would not be targets for terrorists seeking to commit radiological sabotage. Nevertheless, by upgrading security in this area, the sites increased the chance that they would detect attackers before the attackers would be able to approach or infiltrate the protected area, where they might be able to gain access to vital equipment. Patrols can be used to accommodate areas of the sites that are remote or where the view of cameras is obstructed, while cameras provide for a safer inspection of questionable activities than sending a security officer. * Delay. The sites we visited installed a variety of devices designed to delay attackers and allow security officers more time to respond to their posts and fire upon attackers. The sites generally installed these delay devices throughout the protected areas so that attackers would have to defeat multiple security systems before reaching vital areas or equipment. For example, the sites installed fences outside the buildings housing the reactors and other vital equipment and blocked off entrances to make it more difficult for attackers to enter the buildings. Similarly, the sites installed a variety of delay devices within the reactor and other buildings, some of which are permanent and others that security officers would deploy in the event of an attack. * Response. Each of the four sites we visited constructed bullet- resistant structures at various locations in the protected area or within buildings, increased the minimum number of security officers defending the sites at all times, and expanded the amount of training provided to them.[Footnote 20] Security officers are stationed in the bullet-resistant structures or move to them during an attack, at which point they can fire at attackers through gun ports while not exposing themselves to the attackers' gunfire. (See fig. 2 for an example of a bullet-resistant structure.) Having more security officers on duty at any given time means that more individuals can respond to more locations in the event of an attack. It can also increase the sites' ability to detect attackers by allowing more security officers to observe the owner-controlled area and monitor video cameras. Security managers at each site told us they also made changes to their training- -for example, to train officers to use new security equipment or to comply with NRC's training order, issued at the same time as the revised DBT. Moreover, each of the licensees told us they implemented measures to comply with NRC's requirements limiting the number of hours security officers can work to 72 hours during a 7-day period.[Footnote 21] The majority of the security officers we interviewed told us that their training was adequate or had improved and that they generally did not experience fatigue on the job. Figure 2: Example of a Bullet-Resistant Structure: [See PDF for image] [End of figure] Security managers at the four sites considered the layouts of their sites and the paths that attackers might use to reach vital equipment in deciding where to deploy these enhancements. As a result, the sites employed different protective strategies that primarily varied by the degree to which they implemented an external strategy designed to interdict attackers within the owner-controlled area, but far from the sites' vital area, rather than an internal strategy designed to interdict attackers inside the protected area. For example, one site with a predominantly external strategy installed an intrusion detection system in the owner-controlled area. While NRC requires all sites to have an intrusion detection system at the perimeter of the protected area,[Footnote 22] security managers at this site decided to install a second intrusion detection system so that security officers would be able to identify intruders as soon as they cross into the owner- controlled area. The site was able to install such a system because of the large amount of open, unobstructed space in the owner-controlled area. Similarly, the protective strategy at another site focused on the ability of security officers to deny attackers access to the vital area buildings. The site uses cameras and patrols to detect attackers in the owner-controlled area and deploys security officers in bullet-resistant structures. From the structures, located on the roof and attached to the walls of the vital area buildings, security officers could fire upon attackers before they could enter the buildings. In contrast, security managers at the other two sites we visited described protective strategies that combined elements of an external strategy and an internal strategy. At both sites, the external strategy included bullet-resistant structures positioned so that security officers could fire on attackers attempting to enter vital area buildings. Other security officers are stationed inside the vital area buildings and would move to bullet-resistant structures within the buildings to interdict attackers who defeat the external security. At one of these sites in particular, security managers decided to implement a protective strategy that relied more heavily on interdicting attackers inside the protected area. The site uses elements of an external strategy, such as cameras and patrols for detecting attackers in the owner-controlled area, but in contrast to the sites described above, relies to a lesser extent on security officers to stop the attackers in the owner-controlled area. Instead, security managers told us they had implemented an internal protective strategy by identifying "choke points"--locations inside the protected area attackers would need to pass before reaching their targets--and installing bullet-resistant structures at the choke points where officers would be waiting to interdict the attackers. Security managers at the site also told us one of the reasons for implementing a more internal strategy was their desire to maintain radiation doses to security officers as low as is reasonably achievable. In particular, the internal strategy allowed the site to not install bullet-resistant structures on one side of the site, where security officers who would be stationed in the structures could receive elevated radiation doses. In addition to the security enhancements we observed, security managers at each site described changes they plan to make as they continue to improve their protective strategies, such as adding fencing to block a path attackers might use to enter the protected area and a device at the entrance to the site that can detect explosives. Security managers at three of the sites we visited also told us the number of security officers on duty at any one shift exceeded the minimum number of security officers that NRC requires be dedicated to responding to attacks.[Footnote 23] (The fourth site maintained the minimum number of armed dedicated security officers.) According to NRC's analysis, sites typically exceeded the minimum number of responders required by NRC. Sites Addressed the Increase in the Size of a Vehicle Bomb by Designing Comprehensive Systems of Sturdy Barriers: To protect against the increase in the vehicle bomb size, the licensees at the sites we visited designed comprehensive systems consisting of sturdy barriers to prevent a potential vehicle bomb from approaching the sites and to channel vehicles to entrances where security officers could search them for explosives and other prohibited items. Prior to increasing the maximum size vehicle bomb sites must defend against, NRC required the sites to have a vehicle barrier system encircling the reactors and other vital equipment and set at a distance far enough from the plants to prevent a smaller vehicle bomb from damaging vital equipment and releasing radiation. After NRC increased the maximum size of the vehicle bomb in the revised DBT, plants installed a second vehicle barrier system at an even greater distance from the vital equipment, while also keeping the original vehicle barrier systems as a second layer of defense. At the sites we visited, the new vehicle barrier systems consisted of rows of large steel-reinforced concrete blocks, or (at one plant) large boulders weighing up to 7 tons in combination with piles of smaller rocks. (See fig. 3 for an illustration of a vehicle barrier system.) The vehicle barrier systems either completely encircled the plants (except for entrances manned by armed security officers) or formed a continuous barrier in combination with natural or manmade terrain features, such as bodies of water or trenches, that would prevent a vehicle from approaching the sites. Figure 3: Example of a Vehicle Barrier System: [See PDF for image] [End of figure] Licensees at the four sites adapted their vehicle barrier systems to the unique conditions at each site. The vehicle barrier systems also shared many features in common and generally consisted of a combination of the following basic elements: * Vehicle searches. Generally, the security managers told us they implemented procedures to search vehicles at the entry point to the outer vehicle barrier systems. (NRC requires sites to search all vehicles capable of carrying more than a certain amount of TNT and to search a random sample of vehicles capable of carrying a smaller amount of explosives). Examples of search procedures included visual examination of the compartments of vehicles and use of detection equipment to test for explosives. Security managers told us security officers would conduct a second search of all vehicles, regardless of size, at a second checkpoint where vehicles pass through the inner vehicle barrier system. During this search, security officers would look for weapons and other prohibited equipment in addition to any explosives. * "Overwatches." The sites stationed security officers in bullet- resistant structures, or "overwatches," from which the officers could observe the vehicle searches and provide backup support in case of an attack. Like the other bullet-resistant structures installed by the sites, these structures included gun ports for firing at attackers. * "Active" vehicle barrier systems. These systems were installed in the roadways leading into the plants and were designed to block unauthorized vehicles from entering the site. They consisted either of steel plates that could be raised or lowered or rolling gates. (See fig. 4 for an example of an active vehicle barrier system.) Security officers in multiple locations, such as alarm stations and overwatches, could activate the systems if security officers manning the vehicle entrances, who are more vulnerable to attack, were unable to do so. At two of the plants, the barriers were always in the closed position and required two security officers at separate locations to open them. At the other two plants, the barriers were generally in the open position but could be closed by a single security officer to prevent unauthorized entry. Figure 4: Example of an Active Vehicle Barrier System: [See PDF for image] [End of figure] In some cases, the new vehicle barrier systems at the sites we visited appeared to exceed the requirements necessary to protect against the revised DBT. For example, security managers at one site told us that the vehicle barrier system was wider than necessary in order to protect against the vehicle bomb. Furthermore, in at least some areas of the sites, the new vehicle barrier systems were farther from the reactors and other vital equipment than necessary to protect the sites against the size of vehicle bomb in the revised DBT. In particular, security managers at the site with a more external protective strategy decided to take advantage of the large amount of open, unobstructed property surrounding the site to create a large zone between the vehicle barrier system and the site buildings. Although we generally toured the complete perimeter of the vehicle barrier systems at the four sites, we did not calculate how far the barrier systems were installed from the vital equipment, test the equipment performance, or determine how well security officers conducted vehicle searches. Like other aspects of security at the plants, these factors would affect how well the vehicle barrier systems would work in the event of a terrorist attack. In addition, the sites implemented other related measures, such as winding lanes designed to cause vehicles to slow down as they approach entrances; emergency exits to facilitate evacuation of employees from the plant; devices to block unauthorized trains from reaching the plant; parking lots outside the vehicle barrier system for use during an outage to limit the number of additional vehicles entering the vehicle barrier systems and requiring searches; and, at one site, receiving deliveries at an off-site warehouse to limit the number of trucks entering the site. Sites Have Generally Complied with NRC Security Requirements and Performed Well in Force-on-Force Inspections, but Problems Remain: As of November 1, 2005, NRC had completed force-on-force inspections-- testing sites' ability to defend against the revised DBT--at 20 sites. NRC officials told us, and our review of baseline and force-on-force inspection reports indicated, that plants have generally complied with their security plans and other NRC security requirements and have generally performed well during force-on-force inspections.[Footnote 24] However, we also noted from the reports, as well as from our own observations, that sites have encountered a range of problems in meeting NRC security requirements, including a force-on-force inspection in which the site had problems demonstrating it could defend against the revised DBT. (According to NRC officials, inspectors do not leave the site at which a problem is identified until it is corrected or until sufficient compensatory measures are put in place.) Twelve of the 18 baseline inspection reports and 4 of the 9 force-on-force inspection reports we reviewed identified problems or items needing correction. These findings, such as failures in the intrusion detection system at one site and not including certain elements of training at several sites, demonstrate that NRC's baseline and force-on-force inspections are important to identifying problems that need correction. (See app. II for a discussion of the findings in the force-on-force and baseline inspection reports we reviewed.) During a force-on-force inspection at one site, we observed that although the security measures appeared impressive, the site's ability to defend against the DBT was at best questionable. The site's security measures were similar to those we observed at other sites, such as an intrusion detection system equipped with cameras for assessing alarms, bullet-resistant structures both in the protected and vital areas, and a vehicle barrier system consisting of large concrete blocks and large boulders. However, some or all of the attackers were able to enter the protected area in each of the three exercise scenarios. Furthermore, attackers made it to the targets in two of the scenarios, although the outcomes of the two scenarios were called into question by uncertainties regarding whether the attackers had actually been neutralized before reaching the targets. NRC, in turn, raised concerns about the site's lack of "defense in depth" and concluded that it could not validate the licensee's protective strategy in the two scenarios. NRC noted that security officers' ability to interdict attackers was impacted due to problems in the site's detection and assessment, and that, in two of the scenarios, security officers left the external bullet-resistant structures to which they were assigned and transitioned to internal positions once they could account for the number of attackers in the revised DBT. This meant that the security officers left positions that covered a "breach" the attackers had made in the protected area perimeter. As a result of the inspection, NRC required the licensee to install additional security equipment immediately after the inspection, NRC inspectors remained on site until the equipment was put in place, and NRC decided to conduct another force-on-force inspection at the site. At the follow-up force-on-force inspection at the same site, which we also observed, the licensee told us it had spent an additional $37 million to improve security in the 6 months following the first inspection. Some of these changes were clearly visible, such as elevating the bullet-resistant structures that had been on the ground to give officers greater visibility and firing opportunities, razing several buildings to reduce opportunities for attacker concealment, and increasing the distance between the vehicle barrier system and the protected area in a part of the site. The licensee also told us about other changes directly related to the internal aspect of the protective strategy, including positioning more security officers within the vital area, installing additional cameras to increase security officers' ability to detect attackers, and creating new bullet-resistant structures that provided additional protected positions for firing upon the attackers. From the second exercise, NRC officials concluded that they could evaluate the protective strategy and that the site had adequately defended against a DBT-style attack. In addition to our observations of security during force-on-force inspections, GAO security experts who accompanied us to the four other sites we visited suggested a number of opportunities to improve security at the sites. While our experts did not find a lack of compliance with NRC regulations or an inability to defend the sites against the adversary characteristics in the revised DBT, the suggestions support our assessment that security at nuclear power plants is an ongoing process of identifying and implementing potential improvements. For example, at one site, we observed a bullet-resistant enclosure in which curtains--installed to reduce glare from the sun-- obstructed the view through windows, and video equipment associated with surveillance cameras blocked access to several gun ports. We suggested that the site consider replacing the curtains with tinted glass and providing the security officer in the bullet-resistant enclosure with better access to the gun ports. At another site, we suggested that the addition of a bullet-resistant structure on one side of the site would provide the site's security force with greater opportunity to interdict attackers entering on that side of the site. NRC Has Significantly Improved the Force-on-Force Inspection Program, but Challenges Remain: NRC has made a number of improvements to the force-on-force inspection program, several of which address recommendations we made in our September 2003 report on NRC's oversight of security at commercial nuclear power plants. We had made our recommendations when NRC was restructuring the force-on-force program to provide a more rigorous test of security at the sites in accordance with the DBT, which was also under revision.[Footnote 25] For example, we had recommended that NRC strengthen the force-on-force inspections by (1) conducting the inspections more frequently at each site, (2) using laser equipment to better simulate attackers' and security officers' weapons, and (3) requiring the inspections to make use of the full terrorist capabilities stated in the DBT, including the use of an adversary force trained in terrorist tactics. NRC has taken a number of actions as part of its restructuring of the force-on-force program that satisfy the recommendations we made to strengthen the program. For example, NRC has begun conducting the exercises more frequently at each site and is using laser equipment to simulate weapons. Furthermore, the attackers in the force-on-force exercise scenarios we observed used many of the adversary characteristics of the revised DBT, including the number of attackers in the revised DBT, a vehicle bomb, a passive insider, and explosives. In addition, NRC officials told us that the adversaries were trained in military tactics. Nevertheless, in observing three force-on-force inspections and discussing the program with NRC officials, we noted the following issues that continue to warrant NRC's attention: * Problems with laser equipment. At the three force-on-force inspections we observed, the sites used laser equipment to simulate firing live weapons. In general, the equipment appeared to help make the inspections a realistic test of security at the sites. For example, laser equipment provides a much more reliable account of shots fired in comparison with the equipment NRC and the sites had been using, which relied on the judgment of individual participants to determine shooting accuracy. However, problems in using the equipment contributed to NRC's limited ability to evaluate security at one of the sites. In part because of problems with the laser equipment, NRC decided to conduct a second force-on-force inspection at this site. The second inspection made better use of the laser equipment, which proved to be a valuable tool in determining that several security officers engaged attackers unsuccessfully by firing at the attackers while they were too far away. NRC raised this issue to the licensee in the context of improving training so that security officers would not waste ammunition on targets that are beyond the range of their weapons. * Inspection schedules. The way in which NRC schedules force-on-force exercises may create artificialities that enable sites to perform better than they otherwise would. NRC officials said they notify sites of the date of their force-on-force inspection only 8 to 12 weeks in advance. Nevertheless, NRC may be able to further reduce the artificiality of the inspection schedules and thereby enhance its ability to test security at the sites. For example, in each of the exercises we observed, NRC followed the same schedule for conducting nighttime and daytime attacks. Furthermore, the adversary force typically initiated the attack soon after the opening of the exercise "window" (the agreed-upon time for the exercise to begin). Consequently, the sites' security forces might have been able to anticipate the approximate time that the attack would begin, and industry observers from other sites might have more information than necessary prior to inspections at their own sites about NRC's standard practices for conducting the inspections. NRC officials told us that, while the attacks began soon after the opening of the exercise window in the exercises we observed, the attackers do sometimes wait longer in order to increase the level of uncertainty among the site's security force and thereby create a more realistic scenario. * Testing of sites' internal security strategies. Given the amount of resources invested in preparing for and implementing a force-on-force inspection, we believe inspections should test the full extent of sites' "defense-in-depth" strategies, including both the external and internal elements of the strategies. However, the force-on-force exercises end when a site's security force successfully stops an attack. Consequently, if the security force stops an attack before the attackers enter the vital area, NRC would not have an opportunity to observe how the security force would perform in the event that the attackers successfully defeat the site's external security strategy. In a number of the force-on-force exercises we observed, the security force did, in fact, stop the attackers early in the scenario. According to NEI officials, force-on-force inspections would be more valuable if NRC allowed the adversaries to challenge each layer of defense until reaching their targets, or being defeated at the last possible point of defense. NRC officials also told us such an approach is worth considering but that NRC would have to first determine how to implement it. * Operational security. At two of the force-on-force inspections we observed, we noted areas in which "operational security"--the protection of information about the planned scenarios for the mock attacks--could be improved. For example, during a safety "walk down"-- a physical site check conducted prior to every exercise scenario to ensure the safety of exercise participants--a site employee made motions that may have alerted security officers to the targets the adversaries would be trying to reach that evening. In another inspection, security officers could observe adversaries getting into position inside the protected area prior to the start of an exercise, potentially providing clues about the route the adversaries would use to enter the site. We also observed that each force-on-force exercise was attended by a large number of people who had access to scenario information, after signing a nondisclosure form, thus increasing the chance that details about an exercise scenario might be compromised. While we recognize that procedures such as safety walk downs and prepositioning of adversary teams are necessary to the proper conduct of the force-on-force inspections, lapses in operational security have the potential to give security officers knowledge that would allow them to perform better than they would otherwise and raise questions about whether the force-on-force inspections are a true test of the sites' protective strategy. According to NRC officials, NRC inspectors have been instructed to be vigilant regarding any indications that a site's security force may have received advance knowledge of an attack scenario, and procedures for safety walk downs have been revised to improve operational security. * Standards for controllers. NRC relies on the sites to assign and train controllers to observe each participant (both the adversaries and security officers) in the force-on-force inspections.[Footnote 26] In the three inspections we observed, the level of security expertise and training among the controllers varied among the sites. For example, one site assigned as controllers plant employees who did not have security- related backgrounds but who volunteered to help. In its force-on-force inspection report for this site, NRC concluded that the level of controller training was a factor in the force-on-force exercises not being brought to a definitive conclusion. (As discussed above, NRC decided to conduct another force-on-force inspection at this site.) In contrast, another plant used personnel with security backgrounds. NEI has prepared a set of guidelines for controllers in force-on-force inspections that NRC has reviewed. NEI has also created a controller- training workshop in which NEI shares lessons learned from force-on- force exercises. * Quality of feedback to licensee. The quality of the feedback among the force-on-force inspections we observed was inconsistent. In particular, during the first inspection, NRC failed to discuss with the licensee several potential problems raised by the NRC team after each scenario. In the two subsequent inspections we observed, NRC appeared to have improved the quality of its feedback to the licensees. Specifically, the team leader provided the licensee with concise feedback that accurately reflected what the team members had expressed in closed NRC meetings. An NRC official told us that, based on comments from us as well as from NRC team members, NRC took measures to improve the quality of the feedback. * Force-on-force inspection schedule. So far, NRC is on schedule to conduct the first round of force-on-force inspections at all sites within 3 years. As we reported in 2004, NRC is planning to conduct an inspection at each site every 3 years instead of every 8 years, as the agency had been doing.[Footnote 27] NRC initiated a new force-on-force program in November 2004, together with a 3-year schedule to complete inspections at all sites, after the revised DBT took effect on October 29, 2004. NRC officials told us they had completed inspections at 20 (or about 31 percent) of the 65 sites as of November 1, 2005. Furthermore, NRC officials told us that three teams are conducting the inspections and that NRC is hiring additional force-on-force personnel. Given the importance of the force-on-force inspections in demonstrating how well a nuclear power plant might defend against a real-life threat, we believe it is important that NRC devote the necessary resources to ensure that it continues to meet the inspection schedule. Conclusions: The nuclear power industry and NRC have taken very seriously the need to protect nuclear power plants against a potential terrorist attack and have made important investments to this end. However, NRC's process for revising the DBT for nuclear power plants raises a fundamental question--the extent to which the DBT represents the terrorist threat as indicated by intelligence data versus the extent to which it represents the threat that NRC considers reasonable for the plants to defend against. Specifically, NRC's process for deciding on the DBT raised the possibility that the industry may have inappropriately influenced the staff's interpretation of intelligence data. The NRC threat assessment staff obtained the views of the nuclear industry on a draft of the revised DBT while they continued to assess intelligence information, and the staff made industry-recommended changes to the DBT even though the intelligence information had not changed. We recognize that NRC should and would want to obtain feedback from the industry and other stakeholders on the implications of the proposed changes before finalizing the DBT. In addition, NRC has stated that it has altered its process for obtaining industry feedback so that the threat assessment staff interacts with industry only after it has made its proposals for changes to the DBT. However, this approach does not entirely eliminate the appearance of industry influence. Threat assessment is a continuous process, and this sequential approach would still allow for interactions between the agency's threat assessment staff and the nuclear industry. Assigning responsibility for obtaining feedback from the nuclear industry to an office within NRC other than the Threat Assessment Section would further reduce any appearance of industry influence on the process of assessing the terrorist threat to nuclear power plants. The commissioners would then be able to review the threat assessment staff's recommended changes to the DBT with confidence that the recommendations are based strictly on an assessment of the threat. In making the final decision to revise the DBT, the commissioners would also consider industry feedback on the staff's recommendations. Furthermore, the commissioners did not have explicit criteria that they used as the basis for removing certain weapons from the DBT recommended by the NRC staff. Consideration of what is reasonable for a private security force to defend against, as well as industry views on proposed changes to the DBT, is an appropriate function of the commissioners. However, explicit criteria setting out the factors and how they would be weighed to determine what adversary characteristics are not reasonable for a private security force to defend against would have provided greater transparency for the commissioners' decisions to exclude certain characteristics from the DBT. Such criteria would also potentially increase the rigor and consistency of the process. The underlying process used by NRC was logical and well defined and should enable NRC to produce a more credible DBT if these shortcomings are addressed. In our visits to nuclear power plants, we saw a clear connection between the changes in the DBT and the plants' recent security enhancements. The plants' response to the revised DBT and other NRC orders following the September 11 terrorist attacks has been substantial and, in some cases, has gone beyond what was required. Nevertheless, because the plants essentially designed their security to defend against the DBT outlined by NRC, their capability to defend against an attack is essentially limited to how similar such an attack would be to the DBT. Therefore, it is imperative that NRC and the plants continue to work with DHS and other federal, state, and local authorities to ensure they have coordinated their efforts to defend plants in the event of an attack, particularly one that exceeds the adversary characteristics in the revised DBT. Furthermore, although security has improved, the results of NRC's baseline and force-on-force inspections conducted thus far have uncovered some problems that needed to be addressed. Moreover, the effectiveness of any nuclear power plant's security depends on the various parts and systems working well together during the stress of an actual attack. Therefore, NRC's continued vigilance at the plant level, especially in conducting force- on-force inspections, is needed to ensure that plants are consistently well protected. In conjunction with revising the DBT, NRC has implemented improvements to its force-on-force inspection program that put the agency in a better position to evaluate the nuclear power plants' protective strategies. These improvements have addressed several of our previous recommendations regarding the force-on-force inspections. However, in observing three inspections, we noted additional opportunities for improvement, such as artificialities that could be further reduced to better test how plants would respond to an actual terrorist attack. Making further improvements to the force-on-force program would enhance NRC's ability to assure the public and Congress that nuclear power plants are capable of defending against a DBT-style terrorist attack. Recommendations for Executive Action: To improve the process by which NRC makes future revisions to the DBT for nuclear power plants, we recommend that the NRC commissioners take the following two actions: * Assign responsibility for obtaining feedback from the nuclear industry and other stakeholders on proposed changes to the DBT to an office within NRC other than the Threat Assessment Section, so that the threat assessment staff is able to assess the terrorist threat to nuclear power plants without creating the potential for or appearance of industry influencing their analysis. The commissioners, in turn, could consider both the staff's analysis of the terrorist threat and industry feedback to make the final determination as to whether and how to revise the DBT. * Develop explicit criteria to guide the commissioners in their deliberations to approve changes to the DBT. These criteria should include setting out the specific factors and how they will be weighed in deciding what characteristics of an attack on a nuclear power plant would constitute an enemy of the United States, or otherwise would not be reasonable for a private security force to defend against. We further recommend that the NRC commissioners continue to evaluate and implement measures to further strengthen the force-on-force inspection program. For example, NRC may be able to identify and reduce artificialities associated with the inspections to better test how nuclear power plants would respond to an actual terrorist attack. Agency Comments and Our Evaluation: We provided a draft of this report to NRC for its review and comment. In its written comments (see app. III), NRC commended GAO's effort to ensure that the report is accurate and constructive. It also provided additional clarifying comments on two areas of the report pertaining to the process NRC used in 2003 to revise the DBT for nuclear power plants. First, NRC stated that the report should provide a better description of the context for the process by which the agency obtained industry input and the appearance of industry influence on the development of the revised DBT. NRC wrote that the agency made a deliberate decision to develop the revised DBT while simultaneously (rather than sequentially) seeking input from stakeholders, including the nuclear industry. NRC stated that this was a departure from its typical approach and was intended to advance public health and safety and the common defense and security, similar to other government actions taken after the September 11, 2001, terrorist attacks. In addition, NRC stated that it has returned to its normal sequential approach to developing DBT revisions and seeking input from stakeholders. We are pleased that NRC recognizes the need to separate the process of analyzing intelligence information from seeking input from stakeholders, including the nuclear industry. In response to NRC's earlier comments on the classified version of this report, which were essentially the same, we revised the reports to clarify that NRC deliberately decided to develop the revised DBT while simultaneously obtaining stakeholder input to speed up the process in the aftermath of the September 11, 2001, terrorist attacks. However, whether NRC chooses to use a simultaneous or sequential process, we continue to believe that the best approach would be to insulate the threat assessment staff from interactions with the nuclear industry by assigning responsibility for such interactions to a different office in NRC. This would best separate the fact-based analysis of the threat to commercial nuclear power plants from policy-level considerations regarding what is reasonable for a private security force to defend against. We also clarified our recommendation to indicate our view that the threat assessment staff should be insulated from interacting with the nuclear industry and other stakeholders. Second, regarding the criteria the commission used to make decisions regarding the DBT, NRC wrote that a more comprehensive discussion in the report of the commission's deliberative decision-making process would provide important perspective. NRC stated that the agency first established a DBT for nuclear power plants in the late 1970s and has a long history in this area. Furthermore, NRC wrote that the commission's decision-making authority does not require, and could be unduly restricted by, detailed prescriptive criteria. Finally, NRC stated its view that the basis for the commission's policy decisions and direction to the NRC staff with regard to the DBT are sufficiently articulated in the commission's voting record and related staff requirements memorandums. We revised the reports to include NRC's view that the basis for the commission's policy decisions regarding the DBT is articulated in the commission's voting record and related staff requirements memorandum. However, based on our review of the voting record and staff requirements memorandum, as well as other documents related to the April 2003 revised DBT, we remain concerned that the basis for how the commissioners made decisions to exclude certain characteristics from the DBT is not as transparent as it could be. We did not find that the commissioners agreed upon a definition of "enemy of the United States" or explicit criteria for what adversary characteristics would not be reasonable for a private security force to defend against. For example, the memorandum accompanying the commission's April 2003 decision approving changes to the DBT for nuclear power plants did not provide the reason for the commission's decision to remove two weapons the NRC threat assessment staff had recommended for inclusion. Rather, the voting record showed that individual commissioners used differing criteria and emphasized different factors, such as cost or practicality of defensive measures. The staff requirements memorandum set forth the general criteria that a civilian security force cannot reasonably be expected to defend against all threats. Furthermore, the intent of our recommendation that NRC develop criteria for what adversary characteristics constitute an enemy of the United States, or otherwise would not be reasonable for a private security force to defend against, is not to restrict the commission's decision-making authority through detailed prescriptive criteria. Instead, the intent of our recommendation is to have general criteria or definitions to guide the commissioners' decisions and to provide greater transparency for commission decisions, the details of which are safeguards information and withheld from the public. Finally, NRC commented that NRC and GAO staffs discussed potential issues related to the draft report that needed to be addressed. NRC also wrote that the draft report contained safeguards information, which should be removed prior to the report being made public. The potential issues have been resolved, and we have revised the report for the purpose of removing safeguards information. The resulting report is substantially the same as the classified version of the report, with the exception that the classified version contains additional details about the DBT and security at nuclear power plants. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution until 30 days from the report date. At that time, we will send copies to interested congressional committees, the Chairman of NRC, and other interested parties. We also will make copies available to others upon request. In addition, the report will be available at no charge on the GAO Web site at [Hyperlink, http://www.gao.gov]. If you or your staff have any questions about this report, please contact me at (202) 512-3841 or [Hyperlink, wellsj@gao.gov]. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix IV. Sincerely yours, Signed by: Jim Wells: Director, Natural Resources and Environment: [End of section] Appendixes: Appendix I: Scope and Methodology: To examine the process the Nuclear Regulatory Commission (NRC) used to develop the April 2003 design basis threat (DBT) for radiological sabotage applied to nuclear power plants, we analyzed NRC's documentation of the process and conducted interviews with NRC threat assessment staff and other officials. In particular, we compared the adversary characteristics of the April 2003 revised DBT approved by the commissioners with the adversary characteristics in the previous DBT, as described in a February 2000 NRC staff position paper; the January 2003 draft DBT provided to stakeholders for comment; and the NRC staff's April 2003 recommended changes to the DBT submitted to the commissioners. Furthermore, for each component of NRC's process, we analyzed documents and conducted a series of interviews: * To examine the role of intelligence analysis, we analyzed the NRC staff's reports on the terrorist threat to nuclear power plants and the results of their analysis of intelligence information on terrorist activities worldwide. The three key reports we analyzed included an October 2002 report on the use of vehicle bombs; a November 2002 report on the potential use of other adversary characteristics against nuclear power plants; and the April 2003 report that included the staff recommendations on the DBT. To obtain further insight into the NRC's use of intelligence information, we interviewed NRC officials, including the head of NRC's Threat Assessment Section; reviewed a description of the adversary characteristics screening process; and received briefings on the process from NRC. We also interviewed officials from other federal agencies, including the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). NRC redacted text from a number of the documents provided to us if the text contained classified information from other federal agencies, including the Department of Energy (DOE). As agreed with NRC, we identified the selected portions of the redacted text that we wanted to review, and NRC requested permission from the other agencies to provide the text to us. All of the agencies NRC contacted except one granted permission to release the redacted text to us. * We compared NRC's April 2003 revised DBT with DOE's October 2004 DBT and February 2004 Terrorist Adversary Capabilities List and interviewed DOE Office of Security officials regarding the DOE DBT and differences with the NRC DBT. We also reviewed the September 2004 final report of the DOE DBT re-examination task force. We did not compare the implementation of security measures at DOE sites to defend against the DOE DBT with security at commercial nuclear power plants. * To examine NRC's consultation with the nuclear industry, we reviewed the written comments submitted by the Nuclear Energy Institute (NEI) on the January 2003 draft DBT and compared NEI's comments with the changes the NRC staff made to the draft DBT. We also interviewed NEI officials and senior officials at the nuclear power plant sites we visited, including some who served on the NEI working group responsible for security matters. * To examine the decisions by the NRC commission, we analyzed the commission voting record (including written comments of individual commissioners), the April 2003 memorandum summarizing the commission's final decisions, and the NRC regulation on enemy of the United States (10 C.F.R. § 50.13). Furthermore, we interviewed three of the four commissioners who were serving on the commission at the time the DBT was revised and who participated in the decision-making process.[Footnote 28] We interviewed the three commissioners as a group in a meeting that was not subject to the requirements of the Government in the Sunshine Act.[Footnote 29] This meant that the commissioners could discuss previous actions, including their April 2003 decisions on changes to the DBT, but not the formulation of future policy. For example, we did not ask the commissioners about the potential for future changes to the DBT. In addition to this meeting, we met individually with the two commissioners who assumed their posts in 2005 and did not participate in the decision-making process for the April 2003 revised DBT. To determine what actions nuclear power plants have taken to enhance security in response to the revised DBT, we interviewed staff from NRC's Office of Nuclear Security and Incident Response, reviewed security orders NRC has issued since September 11, 2001, and visited a nonprobability sample of four nuclear power plant sites.[Footnote 30] We do not name the sites we visited in this report because information about security at particular sites is sensitive and considered safeguards information, and because the objective of our visits was to provide a general description of the changes in security sites implemented in response to the revised DBT, rather than the changes at a particular site. Prior to our site visits, we observed a baseline inspection at one site and a multiexercise force-on-force inspection at another site in order to better familiarize ourselves with NRC security requirements as well as sites' security equipment and strategies. We selected these two sites based on the timing of the activities. To select the nonprobability sample of four sites we visited, we first eliminated certain sites, such as those we had recently visited for security-related work (including the two sites where we observed NRC inspections) and sites frequently visited by Congress. We then selected one site from each of the four NRC regions using the following criteria: * sites representing different sizes and types of licensees, including licensees that own or operate a single nuclear power plant site, licensees that own or operate two to six sites, and licensees that own or operate seven or more sites; * sites with different surroundings, such as different topography and proximity to water, in order to consider the effect of such factors on sites' security strategies; * sites with security forces hired both directly as site employees as well as through a contractor, including one site that uses security officers employed by Wackenhut Corporation, which provides security services to about half of the nuclear power plant sites; * sites with the two different categories of reactors licensed by NRC for operation in the United States--two sites with boiling-water reactors and two sites with pressurized-water reactors; and: * sites with different numbers of reactors. At each of the four sites, we used a semistructured guide to interview security managers and other site officials, and interviewed a random selection of security officers. We worked with site management so that our interviews with the security officers did not interfere with their duties. We conducted individual interviews with security officers in private rooms, without the attendance of plant management or other plant staff. We also examined security equipment and reviewed documents, including security plans, protective strategy documents, safeguards event logs, security officer work-hour records, training materials, and equipment testing records. GAO staff with a professional background in security accompanied us on our visits in order to provide the expertise needed to fully comprehend the sites' security equipment and strategies. In addition to site visits, we reviewed 9 of the 16 force-on-force inspection reports and a sample of 18 baseline inspection reports that NRC had completed between November 2004 and the time we reviewed the reports.[Footnote 31] The 18 baseline inspection reports we reviewed consisted of reports provided by NRC from each of the four regions, plus additional reports we randomly selected ourselves.[Footnote 32] Time constraints prevented us from reviewing additional reports. We also discussed the revised DBT and security improvements at nuclear power plant sites with the Nuclear Energy Institute and the Project on Government Oversight, an independent nonprofit organization.[Footnote 33] To review NRC's progress in strengthening the conduct of force-on-force inspections, we observed a total of three inspections at two sites. Two of the inspections were at a site where NRC decided to conduct a second inspection as a result of the agency's limited ability to evaluate security during the first inspection. After the first inspection at this site, but before the second, we also attended a meeting at the site in which the licensee briefed NRC on security improvements the site had made in response to the first inspection, and we observed these improvements. GAO staff with a professional background in security accompanied us to the third inspection. In addition, as discussed above, we reviewed NRC reports on 9 of the 16 force-on-force inspections NRC had completed at the time we reviewed the reports. Finally, we interviewed NRC officials responsible for implementing the force-on-force inspection program. We conducted our work from November 2004 through January 2006 in accordance with generally accepted government auditing standards. [End of section] Appendix II: Details of Findings from NRC Reports on Baseline and Force- on-Force Inspections: Of the 27 baseline and force-on-force inspection reports we reviewed, NRC identified no findings in 11 of the reports but did describe a variety of problems with the sites' security in the remaining 16. The reports we reviewed included one on a force-on-force inspection we observed, in which NRC required the licensee to implement measures to address weaknesses in the site's protective strategy and decided to return for a second force-on-force inspection. The following are additional examples of NRC findings from the 16 reports, including corrective actions taken by the licensees:[Footnote 34] * In a baseline inspection at a site, several alarms failed to activate during a test of the intrusion detection system, which alerts security officers to the occurrence and location of a breach. Further testing identified multiple alarms that were not functioning properly, and the site subsequently declared the entire intrusion detection system inoperable. Prior to leaving the site, NRC inspectors confirmed that the site implemented compensatory measures to address problems with the intrusion detection system, and NRC determined that further inspection of the site at a later date was warranted. According to NRC, the subsequent inspection at the site confirmed that the problem had been corrected. * During a force-on-force exercise at another site, NRC observed two officers performing duties other than their assigned patrols of the owner-controlled area. The patrols are a component of NRC's requirement for continuous surveillance of the owner-controlled area. Further inspection revealed that the security officers manning the site's central and secondary alarm stations were unaware that the owner- controlled area was not being continuously patrolled. In the event of an attack, owner-controlled area observations can be crucial both for setting a response in motion by detecting intruders as early as possible and for providing information about where attackers have entered the site and where they are going so that security officers know how to respond. According to NRC, the licensee took immediate corrective action. Also during this inspection, NRC observed that the licensee deployed too many officers in the force-on-force scenarios as a result of a misunderstanding. In particular, the licensee had temporarily increased the number of dedicated responders above the minimum listed in the security plan to respond to the increased national threat level. However, according to NRC, the additional officers did not play a role in stopping the attackers in the scenarios. * In a baseline inspection, NRC observed three examples of failure to perform proper searches of personnel entering the protected area. For example, a security officer did not examine items that had alarmed a metal detector and allowed an individual to collect and carry the items into the protected area without further examination. Based on discussions with security officers and supervisors, NRC found that this deficiency was routine and commonly accepted at the site. NRC concluded that this situation had the potential to reduce the overall effectiveness of the protective strategy by allowing the uncontrolled introduction of weapons or explosives into the protected area. According to NRC, the licensee took immediate corrective action, and security staff were required to attend remedial training on search techniques and policy. * In a force-on-force exercise, the attackers were able to destroy three out of four targeted components. NRC observed that the attackers faced an insufficient level of delay, which allowed them to reach the three components before being interdicted by security officers. According to the inspection report, sufficient delay is an essential component of a protective strategy to prevent radiological sabotage. As a result of the inspection, the licensee agreed to add delay locks to doors and relocate security officers to ensure they could interdict attackers. * NRC found that a number of sites ran weapons-training qualification courses in which security officers were not trained in the way they would be expected to perform during an attack. For example, sites did not train security officers to use backup weapons for when they could not use their primary weapons, or to undergo the level of physical stress an officer would experience during an attack. At one of the sites, NRC also found that the site had lowered the minimum qualification score related to training security officers to use their weapons, potentially resulting in security officers being less qualified in the use of their weapons than what NRC believes is necessary. In addition, the licensee did not seek NRC approval for the change as mandated by NRC's regulations. However, NRC found that all of the security officers who had received the training before the issue was observed and corrected had qualified on the use of their weapons at the higher score. Furthermore, according to NRC, the agency issued amplified guidance to all nuclear power plant sites regarding weapons- training qualification courses. * During the force-on-force inspection we observed, NRC inspectors found that a site had not included the control room, spent fuel pool, and the alternative shutdown panel among its targets. NRC required the licensee to redevelop its target components for use in the force-on- force scenarios. The adequate identification of target components is vital to a site's ability to position security officers or direct them to locations where they can interpose themselves between the attacker and target components. * In an inspection initiated after the licensee observed security officers who were inattentive at their posts, NRC inspectors found the licensee had recorded 19 incidences in which security officers worked more hours in a specific time period than allowed by NRC regulations. NRC concluded that failure to meet the work-hour limits increased the susceptibility of security officers to fatigue and had the potential to reduce the effectiveness of the site's protective strategy. According to the inspection report, the licensee identified several causes that contributed to the problem and took immediate corrective actions. According to NRC, the agency verified that the site updated its procedures to conform to NRC's work-hour regulations. (At the four sites we visited, we reviewed work-hour logs and found that each site had generally stayed within security officer work-hour limits.) * In a baseline inspection, the licensee was unable to provide engineering documents to demonstrate the acceptable minimum safe standoff distance from the inner vehicle barrier system, which is designed to protect the site from a vehicle bomb. NRC requested that the licensee measure the distance between several structures and the closest part of the vehicle barrier system. The measurements showed that the barrier was too close to at least two structures. As immediate corrective and compensatory actions, the licensee installed additional vehicle barriers in the area of concern and implemented direct observation by a security officer. [End of section] Appendix III: Comments from the Nuclear Regulatory Commission: UNITED STATES: NUCLEAR REGULATORY COMMISSION: WASHINGTON, D.C. 20555-0001: February 23, 2006: Mr. James E. Wells, Jr.: Director, Natural Resources and Environment: U.S. Government Accountability Office: 441 G Street NW: Washington, D.C. 20548: Dear Mr. Wells: On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am responding to your letter by e-mail dated February 7, 2006, requesting NRC review and comment on your unclassified, draft report, "Nuclear Power Plants: Efforts Made to Upgrade Security, but the Nuclear Regulatory Commission's Design Basis Threat Process Should Be Improved" (GAO-06-388). I appreciate your providing the NRC the opportunity to review this draft report and the willingness of you and your staff to maintain a continuing dialogue with the NRC. I also appreciate the time and effort that you and your staff have invested in reviewing this important topic and the care that you have taken to ensure that your report is accurate and constructive. I understand that the U.S. Government Accountability Office (GAO) plans to make a number of changes to enhance the report's accuracy, clarity, and context. Given NBC's current understanding of the report's contents, I am providing additional clarifying comments for your consideration on two areas of the report. Please note that these comments are the same as those I provided to you on January 24, 2006, on the classified version of this report, which the NRC previously reviewed. First, GAO's draft report suggests that having detailed criteria for use during design basis threat (DBT) decision-making regarding radiological sabotage at nuclear power plants would increase transparency and reduce a potential for the appearance of arbitrariness. The Commission rejects any implication of arbitrariness. The Commission has been guided by the Atomic Energy Act and its regulations and the broad policy considerations that have been found pertinent during deliberations on the DBT. The Commission has a long history of experience in this area, having first established a DBT for nuclear power plants in the late 1970s. While additional delineation of relevant considerations might be useful in some circumstances, reasoned judgment within this and other areas of the Commission's statutory decision-making authority does not require, and in fact could be unduly restricted, by detailed prescriptive criteria. Moreover, consistent with governing statutes, the Commission utilized an appropriate decision-making process by providing for a majority Commission position on well-documented staff papers in order for actions to proceed, and documenting individual Commissioner views and proposed modifications for consideration by other Commissioners. With regard to the revised DBT, the report does not reflect the NBC's view that the basis for the Commission's policy decisions and direction to the NRC staff are sufficiently articulated in the Commission voting record and related staff requirements memoranda on the revised DBT. A more comprehensive discussion of the Commission's deliberative decision-making process in the report would provide important perspective, and the members of the NRC staff are available to work with you on a more comprehensive description. Second, the NRC believes that the report should provide a better description of the context for NBC's actions regarding the opportunity for industry input and the appearance of industry influence on the development of the revised DBT in 2003. The process used for developing the revised DBT and obtaining stakeholder input was driven, in large part, by the post-9/11 threat environment and the need to enhance security at nuclear power plants. The agency made a deliberate decision to develop the revised DBT, while simultaneously (in lieu of sequentially) seeking input from stakeholders (including the nuclear industry). This was a departure from our typical approach, not unlike other government actions taken after 9/11, and was intended to advance public health and safety and the common defense and security in an expedited manner. As noted in my letter of January 24, 2006, the NRC has since returned to its normal sequential approach of first developing proposed DBT revisions, and then seeking comments on the proposed revisions from stakeholders. The NRC requests that your report fully explain this issue. In addition, the NRC and GAO staffs have discussed potential issues related to the draft report that need to be addressed. Also, NRC staff believes that the current version of the draft report contains Safeguards Information and this information should be removed prior to the document being made public. It is my understanding these issues will be appropriately resolved. Should you have any questions about these comments, please contact either Mr. William Dean at (301) 415-1703, or Ms. Melinda Malloy, at (301) 415-1785, of my staff. Sincerely, Signed by: Luis A. Reyes: Executive Director for Operations: [End of section] Appendix IV: GAO Contact and Staff Acknowledgments: GAO Contact: Jim Wells, (202) 512-3841 or [Hyperlink, wellsj@gao.gov]: Staff Acknowledgments: In addition to the individuals named above, Raymond H. Smith, Jr. (Assistant Director), Joseph H. Cook, and Michelle K. Treistman made key contributions to this report. Also contributing to this report were John Cooney, Doreen Feldman, Andrew O'Connell, Judy K. Pagano, Keith A. Rhodes, Carol Herrnstadt Shulman, and Barbara Timmerman. (360658): FOOTNOTES [1] Some sites have more than one nuclear power plant. [2] The National Commission on Terrorist Attacks Upon the United States issued The 9/11 Commission Report on July 22, 2004. [3] The DBT applied to nuclear power plants is intended to address the threat of radiological sabotage, a deliberate act against a plant that could directly or indirectly endanger public health and safety through exposure to radiation. NRC has a separate DBT (not the subject of this report) for NRC-licensed facilities storing material that could be used in a nuclear weapon. [4] 10 C.F.R. § 50.13. [5] The process of assessing threats to critical infrastructure, such as nuclear power plants, and identifying actions to reduce risks is often referred to as "risk management." Risk management acknowledges that while risk generally cannot be eliminated, enhancing protection from known or potential threats can reduce it. Furthermore, because security systems cannot protect against all threats, plans for actions to be taken if an event occurs that exceeds the capability of a security system are also important to reducing risk. [6] NEI representatives told us this figure is current as of June 2004 based on a survey of nuclear power plants. [7] For more information on these efforts, see GAO, Nuclear Regulatory Commission: Preliminary Observations on Efforts to Improve Security at Nuclear Power Plants, GAO-04-1064T (Washington, D.C.: Sept. 14, 2004); and Nuclear Regulatory Commission: Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened, GAO-03-752 (Washington, D.C.: Sept. 4, 2003). [8] Safeguards information includes information that is not classified as National Security Information or Restricted Data but is considered sensitive because it identifies a licensee's security measures. Requirements for the protection of safeguards information are detailed in 10 C.F.R. § 73.21. [9] 10 C.F.R. § 73.1. [10] DHS conducts these activities in accordance with a Homeland Security Presidential Directive issued by the President on December 17, 2003 (HSPD-7). For further information on DHS efforts to assess risks to critical infrastructure, see GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure, GAO-06-91 (Washington, D.C.: Dec. 15, 2005). [11] These semiannual reports were suspended after the terrorist attacks of September 11, 2001, while the threat assessment staff worked to update the DBT. The threat assessment staff resumed its semiannual reports to the commissioners in October 2003. [12] Pub. L. No. 109-58, § 651(a)(l), (2005). [13] In this report, "terrorist cell" refers only to terrorists who participate in an attack, not those who support but do not participate in an attack. [14] The amount of explosives in a vehicle bomb is expressed in TNT but may consist of an equivalent amount of another type of explosive material. [15] In response to the attacks of September 11, 2001, both NRC and DOE undertook reviews of their DBTs. DOE issued its DBT 1 month after NRC, in May 2003, and revised its DBT again in October 2004 and most recently in November 2005. While NRC required nuclear power plants to implement security enhancements in response to its April 2003 DBT by October 29, 2004, DOE is not requiring full compliance with its DBT for radiological sabotage until October 2006 in order to allow its sites adequate time to implement security measures. For further information on the DOE DBT, see GAO, Nuclear Security: DOE's Office of the Under Secretary for Energy, Science and Environment Needs to Take Prompt, Coordinated Action to Meet the New Design Basis Threat, GAO-05-611 (Washington, D.C.: July 15, 2005); and Nuclear Security: DOE Needs to Resolve Significant Issues Before It Fully Meets the New Design Basis Threat, GAO-04-623 (Washington, D.C.: Apr. 27, 2004). [16] According to NRC, the agency routinely prepares regulatory analyses of costs and benefits when establishing regulations and implementation guidelines, including those that involve security. [17] The NRC staff did recommend some of these weapons for inclusion in the DBT for NRC-licensed facilities storing nuclear material that could be used to construct a nuclear weapon. [18] Four commissioners were serving at the time the DBT was revised, with one seat vacant. According to commission procedures, any change to the prior DBT required a majority vote, with at least three commissioners supporting the change. [19] By an order in February 2002, NRC required plants to enhance security in the owner-controlled areas. [20] The sites had first increased the number of security officers in response to the September 11 attacks. Furthermore, an NRC security order, issued in February 2002, required sites to have a minimum number of security officers stationed in the protected area and immediately available to respond to an attack. [21] On April 29, 2003, the same day NRC issued the revised DBT, NRC issued a publicly available order establishing more stringent requirements for security force work-hour controls. [22] This NRC requirement for an intrusion detection system at the protected area perimeter existed prior to the 2003 revisions to the DBT. [23] These numbers do not include additional security officers at each site who are responsible for security functions such as conducting vehicle searches and manning the central and secondary alarm stations. [24] NRC officials told us that 11 sites required extensions to the deadline for implementing their new security plans but have since implemented all of the security measures described in the plans in accordance with NRC-approved schedules. A common reason for the extensions was the scarcity of bullet-resistant steel, which was in high demand in Iraq. This was the case at one site we visited. Another site we visited required an extension due, in part, to a limited supply of cement for the vehicle barrier system. [25] The current force-on-force inspection program has been in place since November 2004. For further information on NRC's efforts and our recommendations, see GAO-04-1064T and GAO-03-752. [26] Controllers are individuals provided by the licensee who observe each security officer and attacker to ensure the safety and effective conduct of the exercise. They make decisions about aspects of the exercise that are necessarily artificial, such as the use of explosives or any other device that could cause actual damage to a site or its security equipment. Controllers are also responsible for alerting security officers or attackers about events that are part of an exercise scenario but not actually simulated, such as an explosion or loss of power. [27] In addition to triennial force-on-force inspections, NRC requires licensees to conduct and document additional security force training drills. [28] The fourth commissioner was no longer serving on the commission at the time of our review. [29] Pub. L. No. 94-409 (1976), 5 U.S.C. § 552b. [30] Results from nonprobability samples cannot be used to make inferences about a population, because in a nonprobability sample some elements of the population being studied have no chance or an unknown chance of being selected as part of the sample. [31] In accordance with its inspection manual, NRC has 45 days to report the results of a force-on-force inspection. Thus, while NRC had completed 16 force-on-force inspections at the time of our review, only 9 reports were available to us to review for this report. [32] NRC may complete a baseline inspection at one site over several visits to the site and produce a report for each visit. Because of this, the inspection scope of the 18 reports we reviewed varied. [33] We did not discuss the details of the DBT with representatives of the Project on Government Oversight because such information is safeguards information. [34] We did not verify the corrective actions taken by the licensees. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: