Nuclear Regulatory Commission: Preliminary Observations on	 
Efforts to Improve Security at Nuclear Power Plants (14-SEP-04,  
GAO-04-1064T).							 
                                                                 
The events of September 11, 2001, and the subsequent discovery of
commercial nuclear power plants on a list of possible terrorist  
targets have focused considerable attention on the plants'	 
capabilities to defend against a terrorist attack. The Nuclear	 
Regulatory Commission (NRC), an independent agency established by
the Energy Reorganization Act of 1974 to regulate the civilian	 
use of nuclear materials, is responsible for regulating and	 
overseeing security at commercial nuclear power plants. GAO was  
asked to review (1) NRC's efforts since September 11, 2001, to	 
improve security at nuclear power plants, including actions NRC  
has taken to implement some of GAO's September 2003		 
recommendations to improve security oversight and (2) the extent 
to which NRC is in a position to assure itself and the public	 
that the plants are protected against terrorist attacks. This	 
testimony reflects the preliminary results of GAO's review. GAO  
will issue a more comprehensive report in early 2005.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-1064T					        
    ACCNO:   A12457						        
  TITLE:     Nuclear Regulatory Commission: Preliminary Observations  
on Efforts to Improve Security at Nuclear Power Plants		 
     DATE:   09/14/2004 
  SUBJECT:   Counterterrorism					 
	     Facility security					 
	     Inspection 					 
	     Nuclear powerplant safety				 
	     Nuclear powerplant security			 
	     Nuclear powerplants				 
	     Terrorism						 

GAO-04-1064T

United States Government Accountability Office

GAO Testimony

Before the Subcommittee on National Security, Emerging Threats, and
International Relations, Committee on Government Reform, House of
Representatives

For Release on Delivery

Expected at 10:00 a.m. EDT
Tuesday, September 14, 2004

NUCLEAR REGULATORY COMMISSION

Preliminary Observations on Efforts to Improve Security at Nuclear Power Plants

Statement of Jim Wells, Director, Natural Resources and Environment


Highlights of GAO-04-1064T, testimony before the Subcommittee on National
Security, Emerging Threats, and International Relations, Committee on
Government Reform, House of Representatives

www.gao.gov/cgi-bin/getrpt?GAO-04-1064T.

To view the full product, including the scope and methodology, click on
the link above. For more information, contact Jim Wells, (202) 512-3841.

NRC responded quickly and decisively to the September 11, 2001, terrorist
attacks with multiple steps to enhance security at commercial nuclear
power plants. NRC immediately advised the plants to go to the highest
level of security according to the system in place at the time and issued
advisories and orders to the plants to make certain enhancements, such as
installing more physical barriers and augmenting security forces, that
could be completed quickly to shore up security. According to NRC
officials, their inspections found that the plants complied with these
advisories and orders. Later, in April 2003, NRC issued a new design basis
threat (DBT), which establishes the maximum terrorist threat that a
facility must defend against, and required the plants to develop and
implement new security plans to address the new threat by October 2004. It
is also improving its force-on-force exercises, as GAO recommended in its
September 2003 report. These exercises are an important agency tool to
ensure that the plants' security plans are adequate to protect against the
DBT.

While its efforts to date have enhanced security, NRC is not yet in a
position to provide an independent determination that each plant has taken
reasonable and appropriate steps to protect against the new DBT. According
to NRC officials, the facilities' new security plans are on schedule to be
implemented by October 2004. However, NRC's review of the plans, which are
not available to the general public for security reasons, has primarily
been a paper review and is not detailed enough for NRC to determine if the
plans would protect the facility against the threat presented in the DBT.
For example, the plans GAO reviewed are largely based on a template and
often do not include important site-specific information, such as where
responding guards are stationed, how the responders would deploy to their
defensive positions, and how long deployment would take. In addition, NRC
officials are generally not visiting the facilities to obtain
site-specific information and assess the plans in terms of each facility's
layout. NRC is largely relying on force-on-force exercises it conducts to
test the plans, but these exercises will not be conducted at all
facilities for 3 years. NRC's oversight of plants' security could also be
improved. However, NRC does not plan to make some improvements in its
inspection program that GAO previously recommended and still believes are
needed. For example, NRC is not following up to verify that all violations
of security requirements have been corrected or taking steps to make
"lessons learned" from inspections available to other NRC regional offices
and nuclear power plants. Moreover, if NRC needs to revise its DBT further
as the terrorist threat is better defined, it will need longer to make and
test all the necessary enhancements. The Department of Energy, for
example, is currently reviewing the DBT for its nuclear facilities.

Mr. Chairman and Members of the Subcommittee:

We are pleased to be here today to discuss our ongoing review of the
Nuclear Regulatory Commission's (NRC) efforts to improve security at the
nation's 104 commercial nuclear power plants licensed to operate. These
plants, which are located at 65 facilities in 31 states, provide about 20
percent of the nation's electricity.1 We are conducting this review at
your request and expect to issue our final report early next year.

The events of September 11, 2001, and the subsequent discovery of
commercial nuclear power plants on a list of possible terrorist targets
have focused considerable attention on the plants' capabilities to defend
against a terrorist attack. However, as you know, NRC is not alone in the
challenges it faces to protect against terrorism. Recently, the 9/11
Commission's report highlighted the accomplishments and challenges that
remain on many fronts in the nation's fight against terrorism. In recent
testimony before this Committee, the Comptroller General applauded the
efforts of the 9/11 Commission and discussed its recommendations to
improve information sharing and analysis by the intelligence agencies.2 We
have also testified several times before this Subcommittee on weaknesses
in border security, federal action needed to address security challenges
at the nation's chemical facilities, and the issues faced by the
Department of Energy (DOE) in its efforts to secure its nuclear
facilities.3

To protect commercial nuclear power plants from a terrorist attack, NRC
formulates a design basis threat (DBT), which establishes the maximum
terrorist threat that a facility must prepare to defend against. The DBT
characterizes the elements of a postulated attack, including the number of
attackers, their training, and the weapons and tactics they are capable of
using. Each facility must prepare a security plan describing its strategy
for defending against the threat presented in the DBT. NRC is responsible for
reviewing and approving these plans, inspecting the facilities to verify
compliance with the plans and other NRC requirements, and conducting
force-on-force exercises (mock terrorist attacks) at the facilities to
ensure that the facilities' execution of their security plans could repel
an attack. NRC considers the DBT and the security plans to be safeguards
or sensitive information and does not make them available to the general
public.

1More than one nuclear power plant is located at some facilities.

2GAO, 9/11 Commission Report: Reorganization, Transformation, and
Information Sharing, GAO-04-1033T (Washington, D.C.: Aug. 3, 2004).

3GAO, Border Security: Additional Actions Needed to Eliminate Weaknesses
in the Visa Revocation Process, GAO-04-899T, (Washington, D.C.: July 13,
2004); GAO, Homeland Security: Federal Action Needed to Address Security
Challenges at Chemical Facilities, GAO-04-482T (Washington, D.C.: February
23, 2004); GAO, Nuclear Security: DOE Must Address Significant Issues to
Meet the Requirements of the New Design Basis Threat, GAO-04-701T
(Washington, D.C.: April 27, 2004); and GAO, Nuclear Security: Several
Issues Could Impede the Ability of DOE's Office of Energy, Science and
Environment to Meet the May 2003 Design Basis Threat, GAO-04-894T
(Washington, D.C.: June 22, 2004).

Our current review is the second on NRC's security program since the
September 11 attacks. In our earlier report, issued in September 2003, we
made a number of recommendations to NRC to improve its oversight of
security at commercial nuclear power plants.4

In my testimony today, I will (1) describe NRC's efforts since September
11, 2001, to improve security at nuclear power plants, including actions
it has taken to implement some of our September 2003 recommendations to
improve security oversight and (2) discuss our preliminary views on the
extent to which NRC is in a position to assure itself and the public that
its efforts will protect the plants against terrorist attacks. To conduct
this work, we reviewed the security advisories and orders NRC has issued
to the facilities since September 11, 2001. We also reviewed security
documents, such as the DBT and individual facilities' draft security
plans,5 and interviewed NRC security program officials. We did the work
reflected in this statement from March 2004 through August 2004 in
accordance with generally accepted government auditing standards.

In our final report, we will discuss the extent to which NRC is using a
risk management approach to improve security at nuclear power plants. More
specifically, we will report on NRC's efforts to (1) define the threat
faced by nuclear power plants, (2) identify and characterize the
vulnerabilities that would allow a threat to be realized, (3) assess the
risks and determine priorities for protecting the plants, and (4) identify
the countermeasures to reduce the risk of a successful terrorist attack.

4GAO, Nuclear Regulatory Commission: Oversight of Security at Commercial
Nuclear Power Plants Needs to Be Strengthened, GAO-03-752, (Washington,
D.C.: September 4, 2003).

5We reviewed 12 of the 65 facilities' draft security plans. According to
NRC officials, the plans we reviewed were generally representative of all
the plans.

In summary:

NRC responded quickly to the September 11, 2001, terrorist attacks with
multiple steps to enhance security at commercial nuclear power plants. For
example, NRC

o  	immediately advised the plants to go to the highest level of security
according to the system in place at the time;

o  	issued a series of advisories and orders to the plants to make certain
security enhancements (such as installing additional physical barriers,
augmenting security forces, increasing patrols, and further restricting
plant access) that could be completed quickly to shore up security until a
more comprehensive analysis of the terrorist threat and how to best
protect the plants against that threat could be completed;

o  	issued a new DBT in April 2003 and required the plants to develop and
implement, by October 2004, new security plans setting out how the plants
will protect against the threat defined in the new DBT. NRC expects the
plants will meet this deadline; and

o  	improved its force-on-force exercises, which are an important agency
tool to ensure that the plants are secure, by planning to conduct the
exercises every 3 years instead of every 8 years and to make them more
realistic, which we had recommended.

While we applaud these efforts, it will take several more years for NRC to
make an independent determination that each plant has taken reasonable and
appropriate steps to protect against the threat presented in the new DBT.
The plants' development and implementation of security plans to
comprehensively address the new DBT is a critical step in ensuring that
individual plants can defend against terrorism. Although new security
plans are to be approved and implemented by October 29, 2004, NRC will not
have detailed knowledge about security at individual facilities to ensure
that these plans provide this protection. NRC will not have this detailed
knowledge, primarily for two reasons:

o  	First, NRC's review of the new security plans has been rushed and is
largely a paper review. NRC is conducting its review of the plans over a
6-month period, as the plants are implementing the plans, and NRC reviewers
are generally not visiting the plants to obtain details about the plans
and view how the plans interface with the plants' physical layout. For
example, the plans do not detail defensive positions at the site, how the
defenders would deploy to respond to an attack, or how long the
deployment would take. In addition, NRC is not requesting, and the
facilities are generally not submitting for review, the documents and
studies supporting the draft security plans.

o  	Second, it will take up to 3 years for NRC to test implementation of
the new plans through force-on-force exercises at all facilities.
Moreover, NRC is considering action that could potentially compromise the
integrity of the exercises. The agency is planning to require the use of
an adversary force trained in terrorist tactics, as we recommended in our
September 2003 report. However, NRC is considering the use of a force
provided by a company that the nuclear power industry selected; this
company provides guards for about half the facilities to be tested. This
relationship with the industry raises questions about the force's
independence. Furthermore, NRC is not taking advantage of other
opportunities to improve the effectiveness of the exercises and its
oversight in general by implementing other recommendations from our
September 2003 report. For example, NRC is not following up to verify that
all violations it found in previous inspections have been corrected and is
not taking steps to make "lessons learned" from inspections available to
other regional offices and nuclear power plants, as we had recommended.

In addition to these concerns, we note that NRC's DBT is similar to the
DOE's DBT for its nuclear facilities. As you know, in April 2004, DOE
officials told this Subcommittee that it would have to revisit its
post-September 11 DBT. If NRC also decides to revisit and revise its DBT,
NRC will need even longer to put all the necessary security enhancements
in place and to test them. Funding the costs of the additional protection
could also be an issue. NRC has already stated that the current DBT is the
largest reasonable threat against which a regulated private guard force
should be expected to defend under existing law. Also, certain potential
vulnerabilities, such as airborne assaults, are currently being addressed
outside of the DBT. Any changes in this approach to certain
vulnerabilities could similarly place additional requirements on the
plants.

Background

NRC is an independent agency established by the Energy
Reorganization Act of 1974 to regulate the civilian use of nuclear
materials. NRC's Office of Nuclear Security and Incident Response, which
was established in April 2002, is primarily responsible for regulating and
overseeing security at commercial nuclear power plants. This office also
develops overall agency policy and provides management direction for
evaluating and assessing technical issues involving security at nuclear
facilities. In addition, it coordinates with the Department of Homeland
Security, the intelligence and law enforcement communities, DOE, and other
agencies on security matters.

NRC begins regulating security at a commercial nuclear power plant when
the plant is constructed. Before granting an operating license, NRC must
approve a security plan for the plant. If more than one plant is located
at a facility, the licensee prepares a physical security plan covering all
the plants at the site. Since 1977, NRC has required facilities to have a
security plan that is designed to protect against a DBT for radiological
sabotage.6 The DBT characterizes the elements of a possible attack,
including the number of attackers, their training, and the weapons and
tactics they are capable of using. Since it was first issued in 1977, the
DBT has been revised twice, each time to reflect increased terrorist
threats. The first revision occurred in 1993 in response to the first
terrorist attack on the World Trade Center in New York City and to a
vehicle intrusion at the Three Mile Island nuclear power plant in
Pennsylvania.7 The second revision was issued on April 29, 2003, in
response to the September 11, 2001, terrorist attacks.

NRC oversees plant security through several activities, particularly
security inspections and force-on-force exercises. In annual security
inspections at all the plants, inspectors are to check that the plant's
security programs meet NRC requirements for access authorization, access
control, and response to contingency events. The inspectors also are to
review changes to the plant's security plan and self-assessment of
security. NRC suspended these inspections in September 2001 to focus its
resources on the implementation of security enhancements from NRC's
advisories and orders. NRC reinstated the inspection program in early
2004.

NRC began conducting force-on-force exercises under its security
inspection program in 1991. The agency suspended these exercises, which
were referred to as Operational Safeguards Response Evaluation (OSRE)
exercises, after the September 11, 2001, attacks because they considered
it unsafe to perform mock attacks during a period of heightened security and
because NRC and licensees' security resources were focused on responding to
the events of September 11, 2001. NRC has conducted some exercises during
2003 and 2004 to gain the information necessary to initiate a revised,
permanent force-on-force exercise program sometime in the near future.
Although NRC officials have not decided on an exact date, they anticipate
that the exercises will resume very soon after the facilities have
implemented their security plans, which is scheduled for the end of
October 2004.

6Radiological sabotage against a nuclear power plant is a deliberate act
that could directly or indirectly endanger public health and safety by
exposure to radiation.

7On February 7, 1993, an intruder drove onto the Three Mile Island power
plant site, through a gate, and crashed through a roll-up door into the
turbine area. The intruder challenged security barriers and disrupted
operations for 4 hours before he was apprehended.

  NRC Actions Since September 11, 2001, to Improve Security at Nuclear Power
  Plants

Shortly after September 11, 2001, NRC began to respond to the heightened
risk of terrorist attacks. Between September 11, 2001, and the end of
March 2003, the agency issued over 60 advisories to licensees of nuclear
power plants. These advisories recommended enhancements that could be made
quickly to shore up security until a more comprehensive analysis of the
terrorist threat and how best to protect the plants against the threat
could be completed. NRC immediately advised the plants to go to the
highest level of security according to the system in place at the time. It
followed with advisories and orders designed to increase the size and
improve the proficiency of plants' security forces, restrict access to
plants, and increase and improve plants' defensive barriers. For example,
on October 6, 2001, NRC issued a major advisory, recommending that the
licensees take immediate action to increase the number of security guards
and to be cautious about using temporary employees.

From October 2001 to January 2002, NRC conducted a three-phase security
inspection, checking the facilities to see if they had implemented these
advisories. In phase one, NRC inspectors used an NRC-prepared checklist to
document the implementation status of NRC's October 6, 2001 advisory. In
phase two, security inspectors conducted a more in-depth evaluation of the
facilities' implementation of the advisories. During phase three, NRC's
security inspectors reviewed each facility's security program to determine
if it had complied with the additional measures recommended in the October
6, 2001, advisory. NRC concluded that all facilities were in compliance
but that the facilities had not consistently interpreted the recommended
measures.

NRC used the results from the three-phase inspection to develop a February
25, 2002, order requiring facilities to implement additional security
measures by August 31, 2002.8 Many of these measures had been
recommended in previous advisories. NRC then conducted security
inspections to verify facilities' compliance with all aspects of the
order. The inspections were completed in December 2003, and NRC found that
all nuclear power facilities were in compliance with the order.

NRC also acted on an item that had been a security concern for a number of
years: the use of temporary clearances for temporary employees at the
plants. Commercial nuclear power plants use hundreds of temporary
employees for maintenance, most frequently during the period when the plant
is shut down for refueling. In the past, NRC found instances in which
personnel who failed to report criminal records had temporary clearances
that allowed them unescorted access to vital areas.9 In an October 6,
2001, advisory, NRC suggested that facilities limit temporary clearances
for temporary workers. On February 25, 2002, NRC issued an order that
limited the use and duration of temporary clearances, and on January 7,
2003, NRC issued an order to eliminate the use of temporary clearances
altogether. NRC now requires a criminal history review and a background
check investigation to be completed before allowing temporary workers to
have unescorted access to the power plant.

NRC issued its revised DBT in April 2003 to reflect the post-September 11
terrorist threat. In January 2003, NRC developed a draft DBT that it sent
to federal, state, and local law enforcement agencies, federal
intelligence and counterintelligence agencies, and the nuclear industry
for review and comment. Between January and April of 2003, revisions were
made, and the revised drafts were sent for additional comments. On April
29, 2003, NRC issued an order requiring the facilities to protect the
power plants from a terrorist attack fitting within the parameters of the
new DBT. The new DBT reflected the increased size of a potential terrorist
force, the more sophisticated weaponry, and the different methods of
deployment demonstrated by the September 11 terrorist attacks. NRC stated
that this new DBT was the "largest reasonable threat against which a
regulated private guard force should be expected to defend under existing
law." Licensees were given 1 year to develop new security plans based on the
new DBT.

8NRC Order EA-02-026.

9The vital area, within the protected area, contains the plant's
equipment, systems, devices, or material whose failure, destruction, or
release could endanger the public health and safety by exposure to
radiation. This area is protected by guard stations, reinforced gates,
surveillance cameras, and locked doors.

At the same time, NRC issued two other orders that (1) limited work hours
for security personnel (to 16 hours per 24-hour period, 26 hours per
48-hour period, and 72 hours per week) so that excessive hours would not
impair security forces in performing their duties and (2) required
enhanced training and qualifications for the plants' security forces. All
told, according to the Nuclear Energy Institute,10 by the end of 2004, the
nuclear power industry will have invested about $1 billion in security
enhancements since September 11, 2001.

During this period, NRC also developed and strengthened its relations with
other federal agencies. It collaborated with the Federal Aviation
Administration on protecting airspace over the plants and worked with the
Department of Homeland Security, Federal Bureau of Investigation, and
local law enforcement agencies to monitor and analyze security threats and
to determine additional security measures needed to meet such threats.

NRC has also taken, or is taking, steps to implement our September 2003
recommendations to improve its security inspections and force-on-force
exercises. We had recommended that the NRC Commissioners ensure that the
agency's security inspection program and force-on-force exercise program
are restored promptly. NRC reinstated the security inspection program in
February 2004.

NRC has not yet made force-on-force exercises a required activity, as we
recommended, but it is taking steps in that direction. During 2003, NRC
completed a "pilot" force-on-force program, which included 15 exercises.
This pilot program was designed to determine how future force-on-force
exercises would be conducted. After completing the 15 pilot exercises, NRC
summarized the results in a "lessons learned" document. NRC is now
conducting "transition" force-on-force exercises to help it formulate a
new, permanent program. Participation in both the pilot and most of the
transition exercises was voluntary for the facilities. Only some of the
pilot exercises tested the full DBT, and none of the transitional
exercises have tested or will test the full terrorist capabilities of the DBT.
NRC officials said that they will not start conducting exercises using the
new DBT until November 2004, after the facilities have implemented their new
security plans.

10The institute represents licensees of commercial nuclear power plants.

NRC is also making the following additional improvements we recommended
for these exercises:

o  	conducting the exercises more frequently at each site, every 3 years
rather than once every 8 years as in the past;

o  	using laser equipment in all force-on-force exercises to more
accurately account for shots fired and to establish a more realistic
setting;

o  	continuing the practice, begun in 2000, of prohibiting licensees from
temporarily increasing the number of guards defending the plant and
enhancing plant defenses for force-on-force exercises, or requiring that
any temporary security enhancements be officially incorporated into the
licensees' security plans; and

o  requiring the exercises to make use of the full terrorist capabilities
stated in the DBT, including the use of an adversary force that has been
trained in terrorist tactics.

  NRC Cannot Yet Provide Assurances That Its Efforts Will Protect Nuclear Power
  Plants Against Terrorist Attacks as Outlined in the New DBT

As the principal regulator of commercial nuclear power plants, NRC has an
important responsibility to provide an independent determination that each
plant is protected against the threat presented in the new DBT. While its
efforts to date have no doubt enhanced security, NRC cannot yet provide
this determination for three principal reasons. First, its review of the
facilities' new security plans setting out how the facilities will respond
to the threat presented in the new DBT is not detailed enough. Second, it
will not test the effectiveness of all the plans and security at all
plants with force-on-force exercises for 3 years, and it does not plan to
make some improvements in its security oversight that we believe are
needed and have previously recommended. Third, NRC could potentially need
to further revise its DBT as the terrorist threat is better defined, which
could require changes in the security plans and additional security
improvements.

NRC's Review of Security Plans Is Not Detailed Enough to Determine if They
Effectively Address the New DBT

NRC's strategy for reviewing the facilities' security plans generally
allows for only a document review. While NRC staff originally estimated
that it would take 2 years to review the plans, NRC now expects to take 6
months, from April 29, 2004, through October 29, 2004, to review and approve
the facilities' security plans. The facilities are also expected to have
their plans implemented by that date.

To review the plans in 6 months, NRC assigned 20 NRC staff and contracted
for 20 staff from DOE's Idaho National Engineering Laboratory to perform
the reviews. The facilities' use of an industry-developed template is also
expected to help speed the review.11 The template was intended to provide
standard language for about 80 percent of the plans' contents. However,
the plans we reviewed relied almost entirely on the template language and
provided little facility-specific information.

Agency officials are generally not visiting the facilities to obtain
site-specific information and assess the plans in terms of each facility's
particular layout. Since completion of our work, NRC has decided to visit
six or seven of the plants to verify information in the plan; however, it
will not visit the vast majority of plants. In addition, the plans do not
contain much detail. For example, the 12 plans NRC provided for our review
do not include information about where responding guards are stationed,
where their defensive positions are located, how the responders would
deploy to their defensive positions, and how long deployment would take.12
The plans state that "[p]hysical security measures and specific response
protocols for the onsite security force are contained in facility
implementing procedures." Also, in all the plans we reviewed, the
defensive positions are described only as being established "where
necessary." None of the plans we reviewed specified the type of weapons
the security forces will carry, stating only that the forces will meet
NRC's minimum requirements. According to staff from our Office of Special
Investigations with experience in law enforcement and physical security,
the security plans are, at best, general guidelines.

The plans often refer to other documents that detail how the requirements
will be met and how the plans will be implemented. However, because of the
6-month review time frame, NRC officials do not plan to review these
supporting documents as part of their approval process. According to NRC
officials, the principal purpose of the plans is to commit the facilities
to comply with all NRC security regulations and the template-based plans
accomplish that purpose for about 80 to 90 percent of the information.

11 NRC provided input to the template's development.

12 Staff from our Office of Special Investigations with experience in law
enforcement and physical security assisted in reviewing these plans.

NRC's Security Oversight Is Limited by Timing of Key Activities and
Inaction on Some of Our Recommendations

NRC will not determine the adequacy of the sites' procedures and programs
for implementing their security plans and the sites' ability to actually
implement the plan until it conducts inspections and force-on-force
exercises at the sites. Because NRC plans to annually inspect all sites
and conduct force-on-force exercises on a 3-year cycle, it could be 2007
before NRC can say with assurance that all the sites can be protected from
a terrorist attack as presented in the new DBT.

In addition to the limitations of the security inspections and the timing
of the force-on-force exercises, NRC has not implemented some of the
recommendations we made in our September 2003 report to improve its
oversight. We recommended that the NRC Commissioners

o  require that NRC regional inspectors conduct follow-up visits to
verify that corrective action has been taken when security violations,
including noncited violations,13 have been identified;

o  ensure that NRC routinely collects, analyzes, and disseminates
information on security problems, solutions, and lessons learned and
shares this information with all NRC regions and licensees; and

o  enforce NRC's requirement that force-on-force exercise reports be
issued within 30 to 45 days after the end of the exercise to ensure prompt
correction of the problems noted.

Implementation of these recommendations is needed to correct some
important program limitations. For example, during annual inspections, NRC
inspectors often classified security problems as non-cited violations if
the problem had not been identified frequently in the past or if the
problem had no direct, immediate, adverse consequence at the time that it
was identified. Instances of a security guard sleeping on duty and a
security officer falsifying logs to show that he had checked vital areas
and barriers when he was actually in another part of the plant, for
example, were treated as non-cited violations. This classification tends to
minimize the seriousness of the problem. Non-cited violations do not
require a written response from the licensee and do not require NRC
inspectors to verify that the problem has been corrected. NRC used
non-cited violations extensively for serious problems, thereby allowing
the licensees to correct the problem on their own without NRC verification
of the correction. Consequently, we believe NRC may not be fully aware of
the quality of security at a site, and the lack of follow-up and
verification reduces assurances that needed improvements have been made.

13 A non-cited violation is a problem that had not been identified more
than twice in the past year or had no immediate, direct consequences at
the time it was identified.

NRC also has not created a system to share the security problems,
solutions, and lessons learned that it finds during security inspections
with all the NRC regions and licensees. NRC did create a management review
panel that is tracking the regions' findings during the security
inspections and the dispositions of the findings. It is also keeping a
database of all the findings and dispositions or solutions; however, the
database is not accessible by the regions and licensees.

With respect to NRC's enforcement of its requirement for force-on-force
exercise reports, NRC officials said they do plan to issue reports when
the permanent force-on-force program is reinstated, but the reports will
not be made public. During the pilot force-on-force exercises, NRC did not
issue any reports, although it prepared a "lessons learned" document for
the Commissioners. In addition, an NRC official stated that NRC will not
issue reports on the new transitional force-on-force exercises, but will
prepare another internal lessons learned document. We continue to believe
that NRC needs to promptly issue reports on each exercise to ensure that
any security problems are quickly corrected. These reports would also
provide the documentation needed to assess trends and patterns among
facilities as well as at particular facilities over time.

Finally, although NRC is taking action, as we recommended in our September
2003 report, to establish an adversary force trained in terrorist tactics,
NRC is not establishing the force in a manner that provides confidence
that the force will be independent and highly trained, and will endeavor
to find weaknesses in the facilities' security. NRC delegated the task of
establishing the adversary force to an organization, the Nuclear Energy
Institute, that represents the licensees of nuclear power plants. The
company the Institute selected currently provides security guards to about
half of the nuclear power sites to be tested. The company's relationship
with the industry raises questions about the force's independence. Of
further concern, this company was recently involved in a controversy over
similar tests. During a June 2003 DOE force-on-force exercise at a nuclear
site in Oak Ridge, Tennessee, security guards working for this company
received uncharacteristically high scores. A subsequent investigation by
DOE's Office of the Inspector General indicated that the guards might have
cheated on the test and perhaps on many other tests at Oak Ridge, dating
back to the mid-1980s. It was alleged that the guards had studied plans for
the simulated attacks before they were carried out, had disabled the laser
sensors they wore during tests to determine when they were "shot" by mock
enemies, arranged trucks and other obstacles to help foil simulated
attacks, created special, nonstandard plans to help them perform better on
tests, and put more guards on duty at the time of the tests than would
normally have been present.

If NRC Needs to Revise Its DBT, Additional Security Enhancements Could Be
Required

In April 2004, DOE told this Subcommittee that it would have to review its
post-September 11, 2001, DBT for its nuclear facilities to determine if it
should be more stringent.14 If NRC decides, as it gains a better
understanding of the terrorist threat, that it also needs to reconsider
its DBT, it could take longer to put all necessary enhancements in place
and test them with force-on-force exercises. Depending on the additional
enhancements needed, funding of the costs of the additional protection and
how quickly it could be put in place could also become an issue. NRC
previously stated that its April 29, 2003, DBT is the largest reasonable
threat against which a regulated private guard force should be expected to
defend under current law.

Similarly, NRC is addressing certain potential vulnerabilities outside of
the DBT. For example, the terrorists' use of aircraft on September 11
raised questions about nuclear power plants' vulnerabilities to such
attacks. According to NRC, although the design of many facilities
considered the probability of accidental aircraft crashes that may pose
undue risks to public health and safety, only a few facilities were
specifically designed to withstand an accidental impact. Nonetheless, NRC
believes that nuclear power facilities are among the most hardened
industrial facilities in the United States. They are massive structures
with thick exterior walls and interior barriers of reinforced concrete
designed to withstand tornadoes (and projectiles propelled by tornadoes),
hurricanes, fires, floods, and earthquakes. NRC also believes that the
efforts to enhance security at airports and on airplanes and to identify
potential terrorists and prevent potential attacks before they occur are an
important part of reducing the threat of airborne attacks.

14 DOE's post-September 11, 2001, DBT, which is similar to NRC's in terms
of the threat it outlines, was issued in May 2003. DOE has not yet
completed its review of the DBT.

After the September 11 attacks, the Federal Aviation Administration,
working with NRC, advised pilots to avoid the airspace above or in
proximity to all nuclear power facilities and not to circle in their
vicinity. NRC also undertook a major classified research and engineering
effort, in conjunction with national laboratories, to evaluate the
vulnerabilities and potential effects of a large commercial aircraft's
hitting a nuclear power site. This effort includes consideration of
additional preventive or mitigating measures to enhance the protection of
public health and safety in the event of a deliberate aircraft crash into
a nuclear power plant or spent (used) nuclear fuel storage facility. The
results are classified and cannot be discussed in this open hearing.
According to NRC officials, certain types of aircraft hitting facilities
at certain locations pose some risks. The officials noted that, in these
cases, the plants would have enough time to take advantage of certain
safety features to substantially lessen the risks. NRC officials also
believe that the plants would have sufficient time to implement emergency
preparedness plans, if necessary.

Airborne assaults on plants remain a public concern. If further
consideration of NRC's aircraft study results leads to changes in NRC's
approach, the DBT may need to be revised further, again raising questions
about the timing and cost of improvements.

In closing, the nation's commercial nuclear power plants are no doubt more
secure against a terrorist attack now than they were on September 11,
2001. NRC responded quickly and decisively to the attacks by requiring
various enhancements to existing security at the plants. It will be some
time, however, before NRC can provide the public with assurances that what
has been done is enough. Some of these enhancements are still being put in
place, and NRC cannot independently determine that the enhancements will
adequately secure the facilities until they have been effectively tested
with force-on-force exercises. While our assessment of NRC activities is
still underway, we believe that it is important for NRC to act quickly and
take a strong leadership role in establishing a worthy adversary team for
these exercises, establish priorities for the facilities to be tested,
carefully analyze the test results for shortcomings in facility security,
and be willing to require additional security improvements as warranted.

Mr. Chairman, this testimony provides our preliminary views. We would be
happy to respond to any questions that you or Members of the Subcommittee
may have.

  GAO Contact and Staff Acknowledgements

For further information on this testimony, please contact Jim Wells at
(202) 512-3841 or at [email protected]. Raymond H. Smith, Jr.; Kenneth E.
Lightner, Jr.; Jill Ann Roth Edelson; Kevin L. Jackson; Carol Herrnstadt
Shulman; and Barbara R. Timmerman made key contributions to this
testimony.

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

*** End of document. ***