Nuclear Security: NNSA Needs to Better Manage Its Safeguards and 
Security Program (30-MAY-03, GAO-03-471).			 
                                                                 
The attacks of September 11, 2001, intensified long-standing	 
concerns about the adequacy of safeguards and security at four	 
nuclear weapons production sites and three national laboratories 
that design nuclear weapons--most of these facilities store	 
plutonium and uranium in a variety of forms. These facilities can
become targets for such actions as sabotage or theft. The	 
Department of Energy (DOE) and the National Nuclear Security	 
Administration (NNSA)--a separately organized agency within	 
DOE--are responsible for these facilities. NNSA plays a crucial  
role in managing the contractors operating many of these	 
facilities to ensure that security activities are effective and  
in line with departmental policy. GAO reviewed how effectively	 
NNSA manages its safeguards and security program, including how  
it oversees contractor security operations.			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-03-471 					        
    ACCNO:   A06708						        
  TITLE:     Nuclear Security: NNSA Needs to Better Manage Its	      
Safeguards and Security Program 				 
     DATE:   05/30/2003 
  SUBJECT:   Contract oversight 				 
	     Emergency preparedness				 
	     Internal controls					 
	     National preparedness				 
	     Nuclear facility security				 
	     Nuclear weapons plant security			 
	     Counterterrorism					 
	     Contractors					 
	     DOE Safeguards and Security Information		 
	     Management System					 
                                                                 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-03-471

Report to the Chairman, Subcommittee on National Security, Emerging
Threats, and International Relations, Committee on Government Reform,
House of Representatives

United States General Accounting Office

GAO

May 2003 NUCLEAR SECURITY NNSA Needs to Better Manage Its Safeguards and
Security Program

GAO- 03- 471

NNSA has not been fully effective in managing its safeguards and security
program in four key areas. As a result, NNSA cannot be assured that its
contractors are working to maximum advantage to protect critical
facilities and material from individuals seeking to inflict damage. The
four areas are as follows:

Defining clear roles and responsibilities. NNSA still has not fully
defined clear roles and responsibilities for its headquarters and site
operations. Assessing sites* security activities. Without a stable and
effective

management structure and with ongoing confusion about roles and
responsibilities, inconsistencies have emerged among NNSA sites on how
they assess contractors* security activities. Consequently, NNSA cannot be
assured that all facilities are subject to the

comprehensive annual assessments that DOE policy requires. Overseeing
contractors* corrective actions. To compound the problems in conducting
security assessments, NNSA contractors do not consistently conduct
required analyses in preparing corrective action plans. As a result,
potential opportunities to improve physical security at the sites are not
maximized because corrective actions are developed without fully
considering the problems* root causes,

risks posed, or cost versus the benefit of taking corrective action.
Allocating staff. NNSA has shortfalls at its site offices in the total
number of staff and in expertise, which could make it more difficult for
site offices to effectively oversee security activities. Security Force in
Action

The attacks of September 11, 2001, intensified long- standing concerns
about the adequacy of safeguards and security at four nuclear weapons
production sites and three national laboratories that design nuclear
weapons* most of these

facilities store plutonium and uranium in a variety of forms. These
facilities can become targets

for such actions as sabotage or theft. The Department of Energy (DOE) and
the National Nuclear Security Administration (NNSA)* a separately
organized agency within DOE* are responsible for these facilities. NNSA
plays a crucial role in managing the contractors operating many of these
facilities to ensure that security activities are effective and in line
with

departmental policy. GAO reviewed how effectively NNSA manages its
safeguards and security program, including how it oversees contractor
security operations. GAO is making four recommendations to the Secretary

of Energy and the Administrator of NNSA to focus more on certain key
management and oversight issues. Commenting on the draft report, NNSA
disagreed with GAO*s

conclusion that NNSA was not ensuring the comprehensive, annual
assessments of contractors*

performance that DOE policy requires. GAO continues to believe that NNSA*s
current efforts do not ensure conformance to DOE policy.

www. gao. gov/ cgi- bin/ getrpt? GAO- 03- 471. To view the full report,
including the scope and methodology, click on the link above. For more
information, contact Robin M. Nazzaro at (202) 512- 3841 or nazarror@ gao.
gov. Highlights of GAO- 03- 471, a report to the

Chairman, Subcommittee on National Security, Emerging Threats, and
International Relations, Committee on Government Reform, House of
Representatives

May 2003

NUCLEAR SECURITY NNSA Needs to Better Manage Its Safeguards and Security
Program

Page i GAO- 03- 471 Nuclear Security Letter 1 Results in Brief 4
Background 7 NNSA*s Lack of Safeguards and Security Direction in Key Areas

Results in Inconsistent Management of Contractors 9 Conclusions 16
Recommendations for Executive Action 16 Agency Comments and Our Evaluation
17 Appendix I Comments from the National Nuclear Security Administration
20

Appendix II GAO Contact and Staff Acknowledgments 23

Abbreviations

DOE Department of Energy FRAM Functions, Responsibilities, and Authorities
Manual NNSA National Nuclear Security Administration Contents

This is a work of the U. S. Government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. It may contain
copyrighted graphics, images or other materials. Permission from the
copyright holder may be necessary should you wish to reproduce copyrighted
materials separately from GAO*s product.

Page 1 GAO- 03- 471 Nuclear Security May 30, 2003 The Honorable
Christopher Shays Chairman, Subcommittee on National Security,

Emerging Threats, and International Relations Committee on Government
Reform House of Representatives Dear Mr. Chairman: Over the past decade,
we and others have raised concerns about the adequacy of security at
nuclear weapons facilities within the Department of Energy (DOE) and the
National Nuclear Security Administration (NNSA)* a separately organized
agency within DOE. For example, we reported in 2002 that DOE had not
addressed problems in implementing security initiatives, 1 while an
independent study by the Commission on Science and Security, 2 conducted
at the request of DOE, found deficiencies in cyber security. Concerns over
security within the nuclear weapons complex were brought into sharper
focus by the September 11, 2001, terrorist attacks. These attacks
highlighted the importance of effective physical security 3 in response to
a potentially large and well- organized threat.

NNSA relies upon its safeguards and security program to ensure the
physical security of the nation*s nuclear weapons complex. Currently, the
complex has four production sites: the Pantex Plant, Amarillo, Texas; the
Y- 12 Plant, Oak Ridge, Tennessee; the Kansas City Plant, Kansas City,
Missouri; and the Savannah River Site, Aiken, South Carolina. In addition
to the production sites, the complex includes the Nevada Test Site and
three national laboratories that design nuclear weapons: Lawrence

1 U. S. General Accounting Office, Nuclear Security: Lessons to Be Learned
from Implementing NNSA*s Security Enhancements, GAO- 02- 358 (Washington,
D. C.: March 29, 2002). 2 Commission on Science and Security, Center for
Strategic and International Studies, Science and Security in the 21st
Century: A Report to the Secretary of Energy on the

Department of Energy Laboratories (Washington, D. C.: Apr. 2002). 3
Physical security is the combination of operational and security
equipment, personnel, and procedures used to protect facilities,
information, documents, or material against theft,

sabotage, diversion, or other criminal acts.

United States General Accounting Office Washington, DC 20548

Page 2 GAO- 03- 471 Nuclear Security Livermore National Laboratory,
Livermore, California; Los Alamos National Laboratory, Los Alamos, New
Mexico; and the Sandia National

Laboratories, Albuquerque, New Mexico, and Livermore, California. To
implement its safeguards and security program, NNSA relies on site
contractors that are responsible for conducting day- to- day security
activities and adhering to DOE policies as they operate the complex*s
laboratory and production facilities. The contractors* activities are
subject to DOE- NNSA oversight. NNSA has offices* site offices* co-
located with each site. Many of these sites possess Category I special
nuclear material. Category I material includes plutonium and uranium in
the following

forms: (1) assembled nuclear weapons and test devices; (2) products
containing higher concentrations of plutonium or uranium, such as major
nuclear components, and recastable metal; and (3) high- grade materials,
such as carbides, oxides, solutions, and nitrates. The risks this
radioactive material poses vary, but include the potential for sabotage,
or theft for illegal use in a nuclear weapon. Because these materials pose
such risks, NNSA*s management of the safeguards and security program,
which includes overseeing contractor activities, is essential to
preventing an unacceptable, adverse impact on national security.

DOE*s Office of Security develops and promulgates orders and policies that
guide NNSA*s safeguards and security program. NNSA is responsible for
ensuring that its contractors* security activities are effective and
conform to DOE*s orders and policy requirements. In conducting this
oversight, NNSA generally uses certain key processes intended to identify
specific weaknesses at contractor- operated sites and ensure that
weaknesses are corrected. These processes include, among other things, (1)
annual, comprehensive surveys conducted by subject matter experts from
across the complex and (2) ongoing reviews of one or more aspects of
contractors* program (surveillance) by NNSA site officials. 4 DOE*s Office
of Independent Oversight and Performance Assurance also

assesses contractor security activities. In response to NNSA surveys and
assessments conducted by the Office of Independent Oversight and
Performance Assurance, DOE policy requires contractors to prepare
corrective action plans for identified problems and to ensure that these

4 A surveillance is generally conducted by a single or small number of
subject matter experts, and the documentation from a surveillance or group
of surveillance activities may be used as part of the survey.

Page 3 GAO- 03- 471 Nuclear Security actions are based on documented root
cause analysis, risk assessment, and cost- benefit analysis.

You asked us to review physical security at NNSA and DOE facilities that
contain Category I materials. Specifically, as agreed with your office,
this report examines how NNSA manages its safeguards and security program.
This report is the first of two that we will be issuing to you on various
aspects of physical security at NNSA and DOE facilities. Our followup
report will focus on the extent to which physical security has improved;
the effectiveness of the process for establishing safeguards and security
requirements following the September 11, 2001, attacks; and the remaining
vulnerabilities.

To evaluate the overall safeguards and security oversight process, we
reviewed DOE policy and planning documents, including orders,
implementation guidance, and reports. We looked at what the orders and
guides prescribed, particularly DOE Order 470.1, and compared this to

how operations and site offices were following and implementing the
policies to see if there were any deficiencies. To determine how NNSA
organizes and conducts overall safeguards and security oversight, we met
with officials from DOE and NNSA headquarters and NNSA site offices. The
primary offices from which we obtained information were from DOE*s Office
of Security, Office of Independent Oversight and Performance

Assurance, and NNSA*s Office of Defense Nuclear Security and Nuclear
Safeguards and Security Program. 5 We also evaluated the NNSA
reorganization with regard to the potential impact on oversight roles and
responsibilities of NNSA headquarters and site offices.

We visited 7 site offices from March 2002 to October 2002, to determine
how federal contractor oversight and the safeguards and security program
is managed. Specifically, we visited Los Alamos National Laboratory and
the Office of Los Alamos Site Operations in New Mexico, Sandia National
Laboratory and the Office of Kirtland Site Operations in New Mexico,
Department of Energy*s Albuquerque Operations Office in New Mexico, the
Office of Transportation Safeguards in New Mexico, Y- 12 Plant, and the Y-
12 Site Office in Tennessee, Pantex Plant and the Office of Amarillo

5 We did not include naval reactors in our review because it is a
semiautonomous entity within NNSA with a unique security structure and
program.

Page 4 GAO- 03- 471 Nuclear Security Site Operations in Texas, the
Savannah River Site 6 and the Savannah River Site Office in South
Carolina, and Lawrence Livermore National

Laboratory and the Livermore Site Office in California. At each location
we met with both federal and contractor officials and obtained pertinent
supporting documentation.

To determine how NNSA sites prepare and document corrective action plans
and related analyses, we examined 43 closed and open corrective action
plans dated from 1999 through 2002 that we selected at random from each of
the 6 NNSA sites (as well as the DOE Savannah River Site, which is
expected to come under NNSA*s jurisdiction in the future) that contain
category I special nuclear materials. 7 We reviewed these plans to
determine the extent and type of analyses that support the corrective
actions in the plans. These plans generally represent the contractors*
actions to address high priority findings in contractors* security and
safeguards program. To understand how the corrective action process
currently works, we compared the processes in place at each NNSA site we
visited during 2002.

We performed our review from December 2001 through April 2003 in
accordance with generally accepted government auditing standards.

NNSA has not been fully effective in managing its safeguards and security
program in four key areas, and therefore, it cannot be assured that its
contractors are working to maximum advantage to protect critical
facilities and material from individuals seeking to inflict damage. The
following four areas are key:

 Defining clear roles and responsibilities. Since its creation in March
2000, NNSA*s management structure has been in a state of flux. While in
December 2002, NNSA issued what it considers final directives for
reorganizing headquarters and site offices, NNSA expects it will take
until at least September 2004 to fully implement its new management
structure. In particular, NNSA is still defining its site offices* roles
and

6 Although the Savannah River Site is still an Environmental Management
designated site, according to site officials, it will likely become an
NNSA site once the accelerated cleanup is complete. Because of its present
role as a key DOE nuclear weapons production site, we included it in our
review of site offices.

7 One of the seven sites* Transportation Safeguards** is operated by NNSA,
not a contractor. Results in Brief

Page 5 GAO- 03- 471 Nuclear Security responsibilities for safeguards and
security. Specifically, it is still developing the components of a
Functions, Responsibilities, and

Authorities Manual, which will not be completed for several months because
of the highly detailed planning necessary for determining staff functions
at the various sites. This manual, which NNSA itself recognizes as
crucial, is intended to set out roles and responsibilities clearly. This
still- developing management structure led to confusion about the roles
and responsibilities of the headquarters and site offices.  Assessing
sites* security activities. Without a functional management

structure and with ongoing confusion about roles and responsibilities,
inconsistencies have emerged among the NNSA sites on how to conduct key
aspects of safeguards- and- security assessment activities. In particular,
three out of the seven NNSA site offices use the traditional survey
approach, as required by DOE policy, to oversee security activities, while
four have discontinued surveys and instead rely on surveillance
activities. The distinction between these two activities is important: A
survey provides a comprehensive annual review, by a team of experts from
throughout NNSA, of contractor safeguards and security and generally takes
about 2 weeks. In contrast, surveillance relies on a single or small
number of NNSA site officials overseeing one or more aspects of a
contractor*s safeguards and security activities throughout the year.
However, officials from DOE*s Office of Security* which developed the
policy for conducting surveys* believe the surveillance model does not
comply with the DOE order because it does not provide a comprehensive
overview. Furthermore, officials from DOE*s Office of Independent
Oversight and

Performance Assurance and NNSA headquarters expressed concern about the
site offices* ability to conduct surveillance because of shortfalls in
available expertise. The four site offices have been able to operate using
only surveillance activities because, during the reorganization of the
management structure, NNSA has not issued guidance on complying with DOE
policy for conducting surveys.

 Overseeing contractors* corrective actions. NNSA contractors do not
consistently conduct the analyses DOE policy requires in preparing
corrective action plans, compounding the problems in ensuring physical
security. Inconsistency occurs because the NNSA site officials do not have
implementation guidance from headquarters on how to address corrective
actions. Of the 43 corrective action plans we reviewed for 1999 through
2002, less than half showed that the contractor had performed the required
root cause analysis.

Furthermore, less than 25 percent demonstrated that the contractor had
performed a required risk assessment or cost- benefit analysis. As a

Page 6 GAO- 03- 471 Nuclear Security result, potential opportunities to
improve physical security at the sites are not maximized because
corrective actions are developed without

fully considering the problems* root causes, risks posed, or cost versus
benefit of taking corrective action. However, at the 7 sites we visited in
2002, the site offices and contractors are making some progress to
establish formal processes for root cause and other analyses.
Nevertheless, inconsistencies remain regarding the approaches used to
complete these analyses. For example, some site processes specify that
root cause analyses will be conducted for all corrective action plans,
while other sites consider the completion of these analyses optional. An
NNSA headquarters official stated that the agency expects to issue
additional guidance for implementing DOE security policies in 2003.

 Allocating staff. NNSA has shortfalls at its site offices in the total
number of staff and in areas of expertise, which could make it more
difficult for the site offices to oversee safeguards and security
effectively and to ensure that the agency fully knows security

conditions at its sites. According to officials at 5 of the 7 site offices
we visited, they have, or expect to have, an average of 2 to 6 vacancies
per site for overseeing contractors* safeguards and security; typically,
each site expects to have 10 to 14 security- related positions within the
next 2 years. The vacancies occur, in part, because staff are reluctant to
move

to locations they view as less desirable and because NNSA has frozen
hiring in response to budget constraints. Some of these vacancies are for
specialists in particular subject areas, such as Industrial Security
Systems* a key specialty needed for conducting physical security
inspections. The lack of expertise and staff could be further complicated
for some sites by NNSA*s realignment plan. Under this plan, NNSA expects
to streamline federal oversight of contractors and reduce headquarters and
field staff by 20 percent by the end of fiscal year 2004. Site officials
said that they will fill some vacancies through a virtual organization in
which experts at other locations will assist with certain components of
the surveillance activities. However, it will take time to work through
some of the difficulties associated with making the transition to this
approach.

We are making recommendations to the Secretary of Energy and the
Administrator of the NNSA that are intended to place additional focus on
key management and oversight dimensions during NNSA*s ongoing

reorganization. In commenting on our draft report, NNSA concurred with two
of our four recommendations, disagreed with one, and did not indicate
agreement or disagreement with the fourth. NNSA concurred with our
recommendation

Page 7 GAO- 03- 471 Nuclear Security to formally establish roles and
responsibilities, and it plans to issue a formal document in 2003. NNSA
also concurred that corrective action

plans must be prepared in accordance with established standards and
policy. NNSA disagreed with the conclusion that it was not ensuring the
comprehensive annual assessments of contractors* performance that DOE
policy requires. NNSA believed that its surveillance activities were also
comprehensive; however, NNSA provided no evidence* such as implementation
guidance to the sites that are conducting surveillances* that would ensure
that the sites* surveillance activities conform to DOE*s policies.
Finally, regarding our recommendation that NNSA develop and implement a
plan for effectively allocating staff for safeguards and security
oversight, NNSA commented that managers have staffing plans and that its
virtual organization and additional hiring will address sites* need for

certain types of skilled personnel. In our view, while reliance on the
virtual approach may be effective in the short term, the continuing
vacancies at some sites indicate that NNSA may have difficulty attracting
and retaining necessary expertise at specific, understaffed locations over
the long term.

Since its creation in 1977, DOE has been responsible for developing,
producing, and maintaining nuclear weapons; preventing the proliferation
of weapons of mass destruction; designing, building, and maintaining naval
nuclear propulsion systems; and ensuring the security of the nuclear
weapons complex. In 2000, however, the Congress created a separately
organized agency within DOE* the NNSA. 8 NNSA*s Office of Defense Nuclear
Security is primarily responsible for

developing the agency*s security programs, including protecting,
controlling, and accounting for material and ensuring physical security
for all facilities in the complex. Historically, NNSA has conducted
comprehensive annual surveys of contractors* operations for safeguards and
security. These surveys, which can draw upon subject matter experts
throughout the complex, 9 generally take about 2 weeks to conduct and
cover 5 *topical* areas and 32 subtopical areas. The topical areas include

8 National Defense Authorization Act for Fiscal Year 2000, Pub. L. No.
106- 65, tit. 32 (also known as the National Nuclear Security
Administration Act). 9 The core skill sets needed to address the
safeguards and security elements at a facility

include program management and planning; protective force operations;
classified matter protection and control; physical security; technical
security and security systems; nuclear material control and
accountability; and safeguards and security program infrastructure.
Background

Page 8 GAO- 03- 471 Nuclear Security program management, protection
program operations, information security, nuclear materials control and
accountability, and personnel

security. The survey team assigns ratings of satisfactory, marginal, or
unsatisfactory. Currently, NNSA*s facilities have been rated satisfactory
in most topical areas. All deficiencies (findings) identified during a
survey require the contractors to take corrective action, and both
findings and corrective actions are to be entered in the Safeguards and
Security Information Management System* a DOE- wide, integrated tracking
database for findings of surveys and other safeguards and security
activities.

In addition, NNSA*s Office of Facilities and Operations is expected to
provide policy guidance for safeguards and security. This office is also
expected to be responsible for the Nuclear Safeguards and Security
Program, which oversees the implementation of safeguards and security in
NNSA facilities. The office is expected to integrate and defend the budget
for safeguards and security to ensure that program components can

achieve mission objectives. Through various contract mechanisms, NNSA
provides financial incentives, such as award fees, for contractor
performance. NNSA assesses this performance based on the extent
contractors meet a set of measures, which are generally established in
annual performance plans* so- called performance measures.

DOE*s Office of Independent Oversight and Performance Assurance supports
NNSA in safeguards and security assessments and conducts independent
oversight activities in line with DOE and NNSA policies and priorities.
Among other things, the office is responsible for evaluating the
effectiveness of contractors* performance in safeguards and security. To
carry out this function, this office periodically assesses both federal
and contractor operations at a site and identifies findings, issues, and

opportunities for improvement. It also performs follow- up reviews to
ensure corrective actions are effective and that weaknesses in safeguards
and security are appropriately addressed.

Page 9 GAO- 03- 471 Nuclear Security NNSA has not been fully effective in
managing its safeguards and security program in four key areas, and
therefore, it cannot be assured that its contractors are working to
maximum advantage to protect its sites. First,

NNSA has not fully defined safeguards and security roles and
responsibilities. Second, without an effective management structure, site
offices are uncertain about how to conduct their safeguards and security
responsibilities. This uncertainty has resulted in inconsistencies in how
site offices comply with DOE orders in assessing contractors. Third, even
when assessments are done, NNSA contractors do not consistently conduct
required DOE analyses in preparing corrective action plans. Finally,
NNSA*s shortfalls at its site offices in the total number of staff and
expertise could make it more difficult for the site offices to oversee

safeguards and security effectively. Since its creation in March 2000,
NNSA*s management structure has been in a state of flux, and NNSA expects
it will take at least to September 2004 to implement a new management
structure. However, NNSA needs a stable structure to establish clear roles
and responsibilities for its headquarters and site offices, including
safeguards and security oversight. In May 2001, NNSA*s Administrator
proposed a management structure for

his organization, 10 but in December 2001, we reported that a clearly
delineated overall management structure still did not exist. 11 In
February 2002, NNSA reported in more detail to Congress on its outline for
a new management structure 12 to improve NNSA*s effectiveness and
efficiency. NNSA expected to implement the new structure later in the
year.

Since then, NNSA headquarters and field officials have been defining
safeguards and security roles and responsibilities. In December 2002, NNSA
fundamentally changed the management structure for safeguards and
security. It abolished operations offices, which had been responsible for
conducting the annual, comprehensive surveys as well as other

10 National Nuclear Security Administration, Report to Congress on the
Plan for Organizing the National Nuclear Security Administration
(Washington, D. C.: May 3, 2001).

11 U. S. General Accounting Office, NNSA Management: Progress in the
Implementation of Title 32, GAO- 02- 93R (Washington, D. C.: Dec. 12,
2001). 12 National Nuclear Security Administration, Report to Congress on
the Organization and Operations of the National Nuclear Security
Administration (Washington, D. C.: Feb. 25, 2002). NNSA*s Lack of

Safeguards and Security Direction in Key Areas Results in Inconsistent
Management of Contractors

NNSA Has Not Clearly Defined Roles and Responsibilities, Resulting in
Confusion at Sites

Page 10 GAO- 03- 471 Nuclear Security safeguards and security activities.
It divided these operations offices* responsibilities among the site
offices and a service center, formerly the

Albuquerque operations office; headquarters will oversee the performance
of the site offices. The restructuring brings day- to- day federal
oversight of laboratories and plants closer to the site offices. However,
these changes

do not complete the management structure. NNSA plans to further streamline
its oversight of contractors by reducing site activities. Among other
things, NNSA plans to focus more on ensuring that contractors* management
systems are valid. Furthermore, NNSA plans to review its policies and
practices and decide which site office oversight activities can be reduced
or eliminated in order for the site offices to work more efficiently. It
has not yet identified which specific activities will be modified. At the
time of our review, headquarters could not provide details on how it
intends to monitor the NNSA site offices* performance with respect to
safeguards and security or address deficiencies.

In creating this new management structure, NNSA has not yet developed a

Functions, Responsibilities, and Authorities Manual (FRAM), an
organizational tool used by managers at federal agencies, including DOE,
for defining roles and responsibilities. This manual is to address the
functions, responsibilities, and authorities of all elements within NNSA.
NNSA headquarters security officials agree that this guidance is crucial
and stated that they are currently developing the components of a FRAM,
which should be finalized in 2003. NNSA told us that completing the FRAM
takes significant time because of the highly detailed planning necessary
for

determining staff functions at the various sites. According to NNSA site
office officials, as they wait for formal guidance from headquarters on
conducting security oversight, each office is carrying out oversight
activities as it deems appropriate. In addition, these officials told us
that they have not received formal notification about the change in their
safeguards and security oversight responsibilities, such as
responsibilities for the survey program. Officials at several site offices
expressed frustration with this lack of direction. NNSA site offices are
not consistent in how they assess contractor

safeguards and security activities, and they may not be conducting these
assessments in accordance with DOE policy. The lack of consistency and the
failure to implement DOE policy occurs in part because the site offices
have had to assume new oversight responsibilities without, among other
things, clear guidance from headquarters on how to carry out these
responsibilities. As a result, three offices of the seven NNSA site
offices we NNSA*s Security

Assessment Processes Differ among Sites and Are Inconsistent with DOE
Requirements

Page 11 GAO- 03- 471 Nuclear Security visited continue to use the
traditional survey approach to oversee security activities (Oak Ridge,
Savannah River, and NNSA*s Office of Transportation Safeguards), while the
remaining four have adopted or are adopting a surveillance model*-
Amarillo, Kirtland, Livermore, and Los

Alamos. The distinction between these two activities is important: A
survey provides a comprehensive annual review, by a team of experts, of
contractor safeguards and security and generally takes about 2 weeks;
formerly, the operations offices generally conducted surveys, assisted by
experts from throughout the complex, as necessary. In contrast,
surveillance relies on a single or small number of NNSA site officials
overseeing one or more aspects of a contractor*s safeguards and security
activities throughout the year, and the documentation from a surveillance
or a group of surveillance activities may be used as part of the survey.

By relying on surveillance, NNSA may have less assurance that it fully
knows the condition of security at its sites and therefore potentially
cannot act to correct deficiencies undisclosed by this limited review.
Surveillance allows subject matter experts at the sites to evaluate areas
of contractor safeguards and security performance more often than the
traditional survey process and therefore potentially identify deficiencies
faster. However, according to DOE officials, reliance on surveillance is
not consistent with DOE orders calling for a comprehensive survey of a

contractor*s safeguards and security performance. This survey provides a
unified assessment of all security- related topical areas. 13 Officials
from DOE*s Office of Security* which developed the policy for conducting
surveys* believe the surveillance model does not comply with DOE order
survey requirements because it is not comprehensive. Officials from DOE*s
Office of Independent Oversight and Performance Assurance expressed
concern about the site offices* ability to conduct surveillance because of
shortfalls in available expertise. Furthermore, the director of NNSA*s
Office of Defense Nuclear Security acknowledged that although some NNSA
site offices, such as the Los Alamos site office, are using the
surveillance model, this site and others lacked the necessary personnel to
conduct surveillance.

According to officials from DOE*s Office of Independent Oversight and
Performance Assurance and one site office, surveillance is not compatible
with the current Safeguards and Security Information Management

13 The frequency of survey schedules can be modified if the site being
surveyed meets certain criteria.

Page 12 GAO- 03- 471 Nuclear Security System, a DOE information database
system used to track findings and associated corrective actions, and
therefore could pose problems for sites

in entering information. On the other hand, NNSA officials at site offices
and headquarters argue that using the surveillance model for oversight
will produce an annual end of the year survey report and should have the
same end result as an annual survey. However, NNSA could have difficulty
ensuring consistent and comprehensive assessments because of the
difficulties posed by using the surveillance model without appropriate
NNSA- wide implementation guidance, site office staffing shortfalls, and
database compatibility problems.

Contractors have not consistently prepared effective, formal root cause
analyses in developing corrective action plans for identified
deficiencies, as DOE policy requires. 14 An effective, formal, root cause
analysis can enhance the development of corrective actions, as we observed
while reviewing some plans. However, less than half of the 43 corrective
action plans we reviewed, dated between 1999 and 2002, showed that the
contractor had performed the required root cause analysis. Furthermore, in
a few cases corrective action plans were based on root cause analyses that
were poorly prepared, resulting in confusion and contradictions. For

example, NNSA had identified a deficiency at one site of potential entry
into a critical facility. The contractor did not fully develop a root
cause for this problem but merely rebutted the finding*s validity.
Nevertheless, the contractor took a corrective action in response to this
deficiency* spending about $150,000. However, because the root cause
analysis was not fully developed, we could not determine how, or if, the
contractor*s corrective actions would correct the deficiency. Furthermore,
the contractor*s staff preparing the analysis did not have formal training
in how to conduct root cause analyses. NNSA site officials agreed that the
root cause analysis was performed incorrectly and that their oversight
review of the analysis had not detected this problem.

Despite the problems some contractors have had in preparing root cause
analyses, corrective action processes in 2002 at all 7 sites showed that
some sites are making progress. For example, in late 2000, the Office of
Transportation Safeguards, which is responsible for securely transporting
critical NNSA items and material, had begun to correct significant
weaknesses in its process for preparing and tracking corrective actions.

14 DOE Order 470.1 Safeguards and Security Program; Sept. 28, 1995. NNSA*s
Corrective Action

Practices Are Inconsistent with DOE Requirements

Page 13 GAO- 03- 471 Nuclear Security According to an official responsible
for corrective actions at the office, the new process has already resulted
in documented improvements to the

quality and completeness of its corrective action plans. For example, the
new process for root cause analyses identified additional reasons for a
recurring NNSA finding on problems in how three federal agent facilities
in NNSA*s Office of Transportation Safeguards inspected the vehicles used
to transport critical materials across the nation. These inspections are

crucial in preventing individuals from attaching explosives or other
foreign devices to the vehicles in potential attempts at sabotage or
theft. The new process enabled NNSA to identify specific actions to ensure
consistent interpretation and implementation of vehicle inspection
procedures among the three facilities. Because the finding has not been
repeated since July 2000, it appears that the additional corrective
actions proved effective. Another site, Sandia National Laboratories, has
developed a process for root cause analysis that other sites may find
useful. Sandia uses a designated root cause analyst to systematically lead
teams of subject matter experts at the laboratory through the steps for
determining root cause. With this expert in root cause analyses, Sandia
helps ensure that these analyses are consistent and effective. Other
analyses and assessments that are critical to planning corrective

actions are also not consistently prepared at NNSA sites. In particular,
less than 25 percent of the corrective action plans we reviewed showed
documentation of other analyses required by the DOE order for corrective
action, such as risk assessment or cost- benefit analysis. Without this
documentation, we found it difficult to determine what process, if any,
the sites had used to determine the risk level of the problem or the cost
and relative benefit of implementing corrective actions.

Consistency problems are likely to continue without effective NNSA
guidance for corrective actions. For example, at four sites we visited,
the sites either did not require a risk assessment and cost- benefit
analyses or stated that they were optional, depending on the site*s
evaluation of the need for an analysis. However, the remaining three sites
we visited required these analyses for all corrective action plans. This
inconsistency resulted in part from differing interpretations of the DOE
order governing corrective actions. As a result, NNSA cannot be assured
that all contractors are considering the costs of corrective actions in
conjunction with the risk posed or the potential benefits to be gained.
NNSA officials at some sites stated that, without implementation guidance,
the intent of the DOE order requiring these analyses can be interpreted
differently from site to site, which contributes to the inconsistent
practices we observed. Since we provided our draft report to NNSA in April
2003, it has sent a brief

Page 14 GAO- 03- 471 Nuclear Security guidance letter on corrective action
plans to its site offices, clarifying its analysis and documentation
requirements. An NNSA headquarters official

stated that issuance of additional guidance for implementing DOE security
policies is expected in 2003.

And finally, NNSA sites do not consistently measure all performance
aspects of contractors* preparation of corrective action plans and may
reward contractors simply for closing the finding on schedule. According
to our review of performance measures concerning corrective actions, four
of the six contractor- operated sites we visited had measures that were
primarily based on whether the contractor met the schedule for completing
corrective actions, not on whether and how well the contractor had
performed the analyses. 15 The other two sites did not consider any
corrective action performance measures in assessing contractor
performance* not even the schedule. However, DOE guidance encourages sites
to measure qualitative factors, whenever possible, to

minimize the need to rely solely on schedule- driven measures. 16
Effective qualitative performance measures would essentially reflect how
well the contractor completes root cause analyses, risk assessment, and
costbenefit analyses.

The lack of qualitative performance measures affects the quality of the
correction plan. For example, in fiscal year 1999, DOE*s Office of
Independent Oversight and Performance Assurance criticized a site that had
schedule- driven performance measures for poorly prepared corrective
action plans. Out of the 50 plans reviewed for that site, 27 had
inadequate root cause determinations, and 15 had corrective actions that
were unlikely to fix the deficiency cited. The performance measures in
place for this contractor in fiscal year 1999* and then again in fiscal
years 2000 and 2001* did not reflect qualitative aspects of these
analyses; instead, they were primarily focused on schedule- driven
outcomes. Some contract

provisions permit the contractor to forfeit some of the award fee based on
other generic performance factors, such as *management failure.* However,
these generic provisions may not be fully effective in motivating
contractors in all aspects of their corrective action performance because
15 One site, the Office of Transportation Safeguards is federally operated
and therefore performance award fees are not applicable.

16 U. S. Department of Energy, Guidelines for Performance Measurement, DOE
G 120. 1- 5 (Washington, D. C.: June 30, 1996).

Page 15 GAO- 03- 471 Nuclear Security these provisions are not explicitly
focused on corrective action and are therefore not highly visible.

NNSA*s site offices have shortfalls in the total number of staff and in
the expertise for effectively overseeing contractors, including covering
all topical areas in the annual surveys. At five of the seven sites we
visited,

NNSA officials told us that they currently have, or will have, two to six
vacancies in safeguards and security positions once NNSA fully implements
its new management structure; each site believes that it needs from 10 to
14 security- related positions in order to carry out its oversight
activities under NNSA*s new organization. In particular, some of the site
offices are experiencing difficulty in filling positions because some
staff consider the site locations less desirable than others and because
NNSA has instituted a hiring freeze. Some of these vacancies are for
specialists in particular subject areas, such as industrial security
systems* a key specialty needed for conducting physical security
inspections. Officials in the Office of Independent Oversight and
Performance Assurance concurred that NNSA*s reorganization and the
shifting of responsibilities to the site offices has the potential to
weaken security oversight.

To offset the lack of some subject matter experts at sites, NNSA field
officials indicated that they frequently rely on subject matter experts
from headquarters or other site offices to cover site offices that do not
have

expertise locally. With only a limited number of subject matter experts in
the complex, the sites have to coordinate oversight carefully.
Coordination is particularly complicated at those sites that have switched
to a surveillance model since they may have to rely on particular subject
expertise that is only available during certain times.

NNSA*s new management structure further complicates the problems in staff
allocation. NNSA expects to reduce headquarters and field staff by 20
percent by the end of fiscal year 2004. In this restructuring, NNSA plans
to share staff expertise, creating a *virtual* organization to cover the
needs of site offices and other areas within the complex until a final
move of personnel can be made. Headquarters officials told us that it may
take 1 to 2 years to move the appropriate safeguards and security persons
to the areas where they are needed. Until then, they expect the virtual
organization to meet the complex*s needs. The virtual organization will
include subject matter experts whose knowledge will be needed throughout
the nuclear weapons complex and not just at their current sites. Some of
these experts will work from the service center or be detailed to site
offices as needed. With competing demands for the Difficulties in
Allocating

Staff Could Hinder Effective Safeguards and Security Oversight

Page 16 GAO- 03- 471 Nuclear Security experts, it is unclear how they will
successfully provide assistance to site offices in their surveillance
processes. The assistance may be unavailable when needed since components
of surveillance are ongoing and may span

an entire year. Without effectively managing its safeguards and security
program, NNSA cannot be assured that its contractors are working to
maximum advantage to protect its nuclear weapons sites. These sites may
have critical materials that could be prime terrorist targets. Several
factors contribute to this lack of assurance. NNSA continues to change its
management structure, making it difficult to define roles and
responsibilities clearly. Without a functional management structure, some
site offices and

contractors may not be carrying out their security responsibilities, as
DOE orders require. In particular, NNSA has not fully assured itself that
the four sites that rely on surveillance activities, rather than on the
DOE- required surveys, are overseeing contractors* security activities in
the integrated, comprehensive fashion that are called for in the annual
surveys. Moreover, when NNSA site offices allow and reward contractors for
closing findings without ensuring that the contractors have correctly
identified the root cause, assessed risk, and conducted a cost- benefit
analysis, NNSA cannot be assured that the security problem identified was
adequately addressed. Finally, to provide effective oversight, NNSA needs
to develop an

approach, beyond its *virtual* organization, that ensures its limited
security resources are able to provide oversight, over the long term,
where and when it is needed.

In order to strengthen the safeguards and security program of the nuclear
weapons complex, we recommend that the NNSA Administrator and Secretary of
Energy  formalize the roles and responsibilities of site offices and
headquarters

for conducting oversight;  ensure that sites are performing oversight
using a survey approach that provides an integrated comprehensive view of
security conditions and is consistent with DOE orders;  ensure that
contractors* corrective action plans are prepared and

documented consistently and are based on qualitative root- cause, risk-
assessment, and cost- benefit analyses, and that appropriate incentives
are used to help motivate contractors toward effectively addressing
findings; and Conclusions

Recommendations for Executive Action

Page 17 GAO- 03- 471 Nuclear Security  develop and implement a plan to
ensure that NNSA allocates safeguards and security staff so that it
provides effective safeguards and security oversight over the long term.

We provided the DOE*s NNSA with a draft of this report for review and
comment. Overall, NNSA concurred with two of our four recommendations,
disagreed with one, and did not indicate agreement or disagreement with
the fourth. In the area of concurrence, NNSA concurred with our
recommendation to formally establish roles and responsibilities, and it
plans to do so in 2003. NNSA also concurred that corrective action plans
must be prepared in accordance with established standards and policy and
based on documented root cause analysis, risk assessments, and cost-
benefit analysis. Since we provided our draft report to NNSA, it has sent
its site offices a guidance letter on corrective action plans that
clarifies its analysis and documentation requirements. NNSA now allows
required elements to be omitted from corrective action plans, but only if
the contractors document the rationale for the exclusion as a formal part
of their plan. We believe this guidance letter is a positive step in
clarifying some implementation aspects of the DOE requirements, and we
encourage

continued management attention to this area. NNSA did not comment on the
portion of this recommendation concerning the use of appropriate
incentives to motivate contractors to address findings effectively.

NNSA disagreed with the conclusion that led to our recommendation to
conduct oversight using a survey approach, which provides an integrated,
comprehensive view of security conditions and is consistent with DOE

orders. Specifically, NNSA disagreed with our conclusion that it was not
ensuring the comprehensive annual assessments of contractors* performance
that DOE policy requires. As we reported, four of the seven site offices
no longer conduct comprehensive, integrated surveys to assess

security but instead rely on surveillance activities. NNSA believed that
these surveillance activities were also comprehensive; however, NNSA
provided no evidence* such as implementation guidance to the sites that
are conducting surveillances* that would ensure that the sites*
surveillance activities conform to DOE*s policies. Without such guidance,
NNSA cannot be fully assured that surveillance activities, as presently
conducted, provide the comprehensive assessment DOE requires in its
surveys. Our recommendation therefore is intended to focus NNSA management
attention on ensuring that site offices conduct security assessments that
are integrated, comprehensive, and on par with the survey approach
previously used and currently described in DOE orders. Furthermore, NNSA
asserted, incorrectly, that we found its security Agency Comments

and Our Evaluation

Page 18 GAO- 03- 471 Nuclear Security posture to be at risk. Assessing
NNSA*s security posture was not the objective of this report. Rather, our
objective was to assess the way NNSA

manages its overall security program. We have clarified the report, where
appropriate. Finally, regarding our recommendation that NNSA develop and
implement

a plan to ensure that it effectively allocates staff to provide safeguards
and security oversight, NNSA commented that managers have staffing plans
and that its virtual organization and additional hiring will address
sites* need for certain types of skilled personnel. Reliance on the
virtual approach may be effective in the short term. However, the
continuing vacancies at some sites indicate that NNSA may have difficulty
attracting and retaining necessary expertise at specific, understaffed
locations over the long term. NNSA*s comments do not indicate that it
fully understands the need to address this longer- term problem. We have
modified our recommendation to target this specific long- term concern.

We modified our report, where appropriate, to reflect NNSA*s comments and
to clarify some of our conclusions. NNSA*s comments on our draft report
are presented in appendix I.

As arranged with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after the date of this letter. At that time, we will send copies of the
report to the Secretary of Energy, the Administrator of NNSA, the Director
of the Office of Management and Budget, and appropriate congressional
committees.

We will make copies available to others on request. In addition, the
report will also be available at no charge on the GAO Web site at http://
www. gao. gov.

Page 19 GAO- 03- 471 Nuclear Security If you or your staff have any
questions about this report, please call me at (202) 512- 3841. Major
contributors to this report are listed in appendix II. Sincerely yours,

Robin M. Nazzaro Director, Natural Resources

and Environment

Appendix I: Comments from the National Nuclear Security Administration
Page 20 GAO- 03- 471 Nuclear Security

Appendix I: Comments from the National Nuclear Security Administration

Appendix I: Comments from the National Nuclear Security Administration
Page 21 GAO- 03- 471 Nuclear Security

Appendix I: Comments from the National Nuclear Security Administration
Page 22 GAO- 03- 471 Nuclear Security

Appendix II: GAO Contact and Staff Acknowledgments

Page 23 GAO- 03- 471 Nuclear Security James Noel (202) 512- 3591 In
addition to the individual named above, Christopher R. Abraham, Jill

Berman, Jonathan M. Gill, Andrea R. Miller, Christopher M. Pacheco, and
Carol Herrnstadt Shulman made key contributions to this report. Appendix
II: GAO Contact and Staff

Acknowledgments GAO Contact Acknowledgments

(360159)

The General Accounting Office, the audit, evaluation and investigative arm
of Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability of
the federal government for the American people. GAO examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO*s commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet. GAO*s Web site (www. gao. gov) contains abstracts
and fulltext files of current reports and testimony and an expanding
archive of older products. The Web site features a search engine to help
you locate documents using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as *Today*s Reports,* on its
Web site daily. The list contains links to the full- text document files.
To have GAO e- mail

this list to you every afternoon, go to www. gao. gov and select
*Subscribe to daily E- mail alert for newly released products* under the
GAO Reports heading.

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to: U. S. General Accounting Office 441 G Street NW, Room LM
Washington, D. C. 20548 To order by Phone: Voice: (202) 512- 6000

TDD: (202) 512- 2537 Fax: (202) 512- 6061

Contact: Web site: www. gao. gov/ fraudnet/ fraudnet. htm E- mail:
fraudnet@ gao. gov Automated answering system: (800) 424- 5454 or (202)
512- 7470 Jeff Nelligan, Managing Director, NelliganJ@ gao. gov (202) 512-
4800

U. S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.
C. 20548 GAO*s Mission Obtaining Copies of

GAO Reports and Testimony

Order by Mail or Phone To Report Fraud, Waste, and Abuse in Federal
Programs Public Affairs
*** End of document. ***