Mail Security: Incidents at DOD Mail Facilities Exposed Problems 
That Require Further Actions (15-SEP-06, GAO-06-757).		 
                                                                 
In March 2005, two well-publicized and nearly simultaneous	 
incidents involving the suspicion of anthrax took place in the	 
Washington, D.C., area. The incidents occurred at Department of  
Defense (DOD) mail facilities at the Pentagon and at a commercial
office complex (Skyline Complex). While these incidents were	 
false alarms, DOD and other federal and local agencies responded.
The Postal Service suspended operations at two of its facilities 
and over a thousand DOD and Postal Service employees were given  
antibiotics as a precaution against their possible exposure to	 
anthrax. This report describes (1) what occurred at the Pentagon 
and Skyline Complex mail facilities, (2) the problems we	 
identified in detecting and responding to the incidents, (3) the 
actions taken by DOD that address the problems that occurred, and
(4) the extent to which DOD's actions address the problems.	 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-06-757 					        
    ACCNO:   A60984						        
  TITLE:     Mail Security: Incidents at DOD Mail Facilities Exposed  
Problems That Require Further Actions				 
     DATE:   09/15/2006 
  SUBJECT:   Anthrax						 
	     Bioterrorism preparedness and response		 
	     program						 
                                                                 
	     Emergency preparedness				 
	     Emergency response 				 
	     Emergency response plans				 
	     Facility security					 
	     National response plan				 
	     Policy evaluation					 
	     Postal facilities					 
	     Postal service					 
	     Public health					 
	     Strategic planning 				 
	     Mail processing operations 			 
	     National Incident Management System		 
	     National Response Plan				 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-06-757

     

     * Results in Brief
     * Background
          * What Is Anthrax and Why Is It a Concern?
          * How Is Anthrax Detected?
          * What Is the Federal Framework for Responses Involving the Su
          * What Federal Requirements Exist for Agencies to Follow?
          * How Did the Pentagon and Skyline Complex Process Mail in Mar
     * Each of the Incidents Presented a Different Situation and Re
          * The Pentagon Incident Was Triggered from Tests Indicating th
          * The Skyline Complex Incident Resulted from an Alarm on Equip
          * The Incidents Also Affected Postal Service Employees and Ope
     * Problems Encountered Reflect Both a Failure to Follow Existi
          * At the Pentagon, the Mail-Screening Contract Provisions and
          * The Pentagon's Mail-Screening Contract Provision for Testing
          * At the Skyline Complex, Basic Response Procedures Were Inade
          * DOD Did Not Fully Follow the Federal Framework for Coordinat
     * DOD Took Numerous Actions That Address Problems Related to t
          * At the Pentagon, Some Actions Were Already Under Way, While
          * DOD Took Other Actions That Address Problems at the Skyline
     * DOD's Actions Do Not Fully Resolve Identified Problems
          * DOD's Adherence to NRP and NIMS Interagency Coordination Pro
          * DOD Still Has Not Ensured That Its Mail Facilities Have Revi
          * DOD Has Not Ensured That Its Facilities in the National Capi
     * Conclusions
     * Recommendations for Executive Action
     * Agency Comments and Our Evaluation
     * Appendix I: Scope and Methodology
     * Appendix II: Comments from the Department of Defense
     * Appendix III: Comments from the General Services Administrat
     * Appendix IV: GAO Contact and Staff Acknowledgments
          * GAO Contact
          * Staff Acknowledgments
               * Order by Mail or Phone

Report to the Committee on Homeland Security and Governmental Affairs,
U.S. Senate

United States Government Accountability Office

GAO

September 2006

MAIL SECURITY

Incidents at DOD Mail Facilities Exposed Problems That Require Further
Actions

GAO-06-757

Contents

Letter 1

Results in Brief 2
Background 7
Each of the Incidents Presented a Different Situation and Response and
Occurred over Several Days 13
Problems Encountered Reflect Both a Failure to Follow Existing Contract
Provisions and Procedures and a Lack of Procedures and Plans 21
DOD Took Numerous Actions That Address Problems Related to the Incidents
30
DOD's Actions Do Not Fully Resolve Identified Problems 40
Conclusions 41
Recommendations for Executive Action 42
Agency Comments and Our Evaluation 42
Appendix I Scope and Methodology 45
Appendix II Comments from the Department of Defense 49
Appendix III Comments from the General Services Administration 52
Appendix IV GAO Contact and Staff Acknowledgments 54

Tables

Table 1: Selected Agency Actions Specified in NRP's Biological Incident
Annex 9
Table 2: Key Changes in the Pentagon's Mail-Screening Contract Provisions
and Draft Mail-Screening Procedures 33
Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft
Procedures 34

Figures

Figure 1: Chronology of Key Actions and Organizations Involved at Pentagon
and Skyline Complex 14
Figure 2: DOD's Draft Procedures for Positive Test Results from the
Pentagon's On-Site Chemical-Biological Laboratory 36

Abbreviations

CBI Commonwealth Biotechnologies Incorporated

CDC Centers for Disease Control and Prevention

DHS Department of Homeland Security

DOD Department of Defense

FBI Federal Bureau of Investigation

GSA General Services Administration

HHS Department of Health and Human Services

LRN Laboratory Response Network

MOU memorandum of understanding

NIMS National Incident Management System

NRP National Response Plan

PFPA Pentagon Force Protection Agency

TMA TRICARE Management Activity

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office

Washington, DC 20548

September 15, 2006 September 15, 2006

The Honorable Susan M. Collins Chairman The Honorable Joseph I. Lieberman
Ranking Minority Member Committee on Homeland Security and Governmental
Affairs United States Senate The Honorable Susan M. Collins Chairman The
Honorable Joseph I. Lieberman Ranking Minority Member Committee on
Homeland Security and Governmental Affairs United States Senate

Since the fall of 2001, when five persons, including two U.S. Postal
Service employees, died from exposure to anthrax-contaminated mail
delivered through the U.S. mail system, the nation has been acutely aware
of the danger of bioterrorism using anthrax and other potentially fatal
bacteria. The frequency of incidents involving suspicious packages or
powder spills has increased dramatically since that time, due in part to
hoaxes and concerns about leakages from mail that had previously been
routinely handled. Concerns about anthrax in the mail have led federal
agencies to establish mail-screening operations, including tests for
anthrax, that have often resulted in false alarms. Since the fall of 2001,
when five persons, including two U.S. Postal Service employees, died from
exposure to anthrax-contaminated mail delivered through the U.S. mail
system, the nation has been acutely aware of the danger of bioterrorism
using anthrax and other potentially fatal bacteria. The frequency of
incidents involving suspicious packages or powder spills has increased
dramatically since that time, due in part to hoaxes and concerns about
leakages from mail that had previously been routinely handled. Concerns
about anthrax in the mail have led federal agencies to establish
mail-screening operations, including tests for anthrax, that have often
resulted in false alarms.

In March 2005, two well-publicized and nearly simultaneous incidents took
place in the greater Washington, D.C., area. The incidents occurred at a
Department of Defense (DOD) mail facility at the Pentagon, a building of
national military significance located in Arlington County, Virginia, and
another DOD mail facility in a commercial office complex (Skyline
Complex), located about 5 miles away in Fairfax County, Virginia.11 While
these incidents ultimately proved to be false alarms, DOD as well as other
federal and local response agencies responded to the incidents. In the
days that elapsed before authorities concluded that anthrax was not
present in the mail or in the facilities, the Postal Service had suspended
operations at two of its facilities, and over a thousand DOD and Postal
Service employees had been given antibiotics as a precaution against their
possible exposure to anthrax. In March 2005, two well-publicized and
nearly simultaneous incidents took place in the greater Washington, D.C.,
area. The incidents occurred at a Department of Defense (DOD) mail
facility at the Pentagon, a building of national military significance
located in Arlington County, Virginia, and another DOD mail facility in a
commercial office complex (Skyline Complex), located about 5 miles away in
Fairfax County, Virginia. While these incidents ultimately proved to be
false alarms, DOD as well as other federal and local response agencies
responded to the incidents. In the days that elapsed before authorities
concluded that anthrax was not present in the mail or in the facilities,
the Postal Service had suspended operations at two of its facilities, and
over a thousand DOD and Postal Service employees had been given
antibiotics as a precaution against their possible exposure to anthrax.

1A third incident occurred at a DOD mail facility at the Bolling Air Force
Base in Washington, D.C. That incident-also a false alarm-was not
connected to the Pentagon and Skyline Complex incidents and, therefore, is
not discussed in this report.

You asked us to examine the response to the two March 2005 incidents.
Specifically, this report addresses the following four questions:

           o  What occurred at the Pentagon and Skyline Complex mail
           facilities?
           o  What problems occurred in detecting and responding to these
           incidents, and why?
           o  What actions have been taken by DOD that address the problems
           that occurred?
           o  To what extent do these actions address the problems that
           occurred?

           To address these questions, we analyzed, among other things,
           pertinent after-action reports, incident timelines, the contract
           for mail-screening services at the Pentagon, mail-screening
           procedures, federal mail management and other applicable
           regulations and guidance, and the federal framework for responding
           to biological incidents. We compared whether the actions taken by
           DOD, its mail-screening contractor at the Pentagon, and employees
           at the Skyline Complex were in accordance with, among other
           things, the existing contract provisions, mail-screening
           procedures, federal regulations and guidance, DOD's mail manual,
           and the federal framework for responding to biological incidents.
           We interviewed a wide range of federal and local officials
           involved in the response to the two incidents. We also interviewed
           personnel from the Pentagon's mail-screening contractor to obtain
           their perspective on what occurred at the Pentagon. We analyzed
           current procedures at the Pentagon related to detecting and
           responding to biological agents. To assist in our analyses, we
           reviewed previous GAO work regarding anthrax incidents, pertinent
           literature and previous GAO work on internal controls, guidance
           prepared by the Centers for Disease Control and Prevention (CDC)
           for responding to the detection of anthrax in the workplace, and
           regulations and guidance issued by the General Services
           Administration (GSA) on mail security and responding to biological
           threats in the mail. We performed our work from June 2005 to
           August 2006 in accordance with generally accepted government
           auditing standards. Further details about our scope and
           methodology appear in appendix I.

                                           Results in Brief
														 
			  Each of the incidents at the two mail facilities presented a
           different situation and response. Events leading up to the
           Pentagon incident began when a laboratory that tested samples from
           the Pentagon's mail-screening equipment informed DOD's
           mail-screening contractor on Friday afternoon, March 11, that one
           of its tests of the previous day's mail was positive for anthrax.
           By the time the mail-screening contractor notified DOD on Monday
           morning, March 14, about the results of Friday's test result and
           that additional testing of the sample over the weekend was also
           positive for anthrax, mail suspected of containing anthrax had
           already been released, picked up, and distributed throughout the
           Pentagon. While DOD officials responded by evacuating the
           Pentagon's mail-screening and remote delivery facilities,
           notifying numerous federal and local agencies, and dispensing
           antibiotics to hundreds of employees-including recipients of the
           mail that morning-officials from the Federal Bureau of
           Investigation (FBI) initially suspected a false alarm based on the
           totality of the evidence. The incident at the Skyline Complex
           began on Monday afternoon, March 14, when emergency personnel in
           Fairfax County, Virginia, responded to a 911 call placed by a
           Skyline employee that an alarm had sounded on a biosafety cabinet
           used to screen mail, including mail that had been picked up
           earlier that day from the Pentagon. Fairfax County responders
           closed the Skyline Complex, shut off elevators and the
           air-handling system, decontaminated potentially exposed employees,
           and tested the facility for anthrax contamination. The following
           day, DOD also dispensed antibiotics to potentially exposed
           employees at the Skyline Complex. The response to the incidents
           also affected the Postal Service's employees and operations. When
           Postal Service officials learned about the incidents, they
           immediately (1) suspended operations at two facilities that
           process mail to the Pentagon and conducted environmental testing
           at the facilities and (2) began dispensing antibiotics to their
           potentially exposed employees. Federal and local officials learned
           on Tuesday that the alarm that sounded on the biosafety cabinet
           used for mail-screening at the Skyline Complex indicated an
           airflow obstruction, not the presence of anthrax. Nevertheless,
           testing continued on samples taken from the facilities. The
           incidents were believed to be false alarms on Wednesday evening,
           March 16, after the interpretation of additional laboratory
           testing did not support the preliminary conclusion that the two
           facilities may be contaminated with anthrax. Both mail facilities
           reopened on Friday morning, March 18. Agency officials involved in
           the response believe that the positive tests at the Pentagon could
           have been the result of cross contamination in the laboratory.

           Analysis of these incidents reveals numerous problems related to
           the proper detection and response to anthrax in the mail,
           reflecting both a failure to follow existing contract provisions
           and procedures and, in some cases, a lack of procedures and plans.
           At the Pentagon, DOD's mail-screening contractor did not follow
           two key requirements. Specifically, the contractor did not (1)
           notify DOD immediately after receiving evidence of possible
           contamination of the Pentagon's mail and (2) quarantine the mail
           until it received negative results from the laboratory. These
           problems were further exacerbated by a provision in DOD's contract
           with its mail-screening contractor that did not clearly specify
           how samples from the Pentagon were to be tested. The lack of
           clarity resulted in the use of a laboratory whose testing methods
           were unknown and whose results were questioned. At the Skyline
           Complex mail facility, basic procedures for responding to
           biohazards and other emergencies were inadequate or absent
           altogether resulting in (1) employees not knowing how to properly
           respond to the alarm on the equipment used for mail-screening, (2)
           employees and first responders not knowing about the equipment's
           limitations, and (3) employees being uncertain about whom to
           contact during a potential emergency. Additionally, DOD did not
           ensure that the Skyline Complex mail facility had developed a mail
           security plan or that it had been reviewed, as required, by a
           competent authority within DOD. The federal framework developed to
           help ensure effective decision making through a coordinated
           response-the National Response Plan and the National Incident
           Management System-was not fully followed. Instead of coordinating
           its actions with others-such as the Department of Health and Human
           Services (HHS), the primary federal agency responsible for a
           public health response to bioterrorism-DOD unilaterally decided to
           provide medication to its employees before having appropriate
           confirmation of laboratory test results. According to DOD
           officials, because the incident occurred at the Pentagon, they did
           not believe that the protocols in the National Response Plan
           applied. In addition, they said that they had the medical
           authority, experience, and resources to act on their own. While
           the NRP does not repeal DOD's medical authorities, making
           decisions without coordinating with other agencies is
           fundamentally at odds with the protocols specified in the National
           Response Plan and National Incident Management System. If DOD had
           fully coordinated with federal and local agencies as the framework
           prescribes, concerns such as the validity of test results could
           have been discussed and the provision of unnecessary medicine to
           most of the DOD employees (mail recipients and others who, in our
           view, would not likely have been exposed until after the mail's
           release from quarantine on Monday, March 14) may have been
           avoided.

           DOD has taken numerous actions that address problems related to
           the two incidents. Some actions, such as modernizing the
           Pentagon's mail-screening facility and changing the laboratory
           used to test daily samples, were under way prior to the incidents,
           but many others were taken in direct response to the incidents. At
           the Pentagon, for example, DOD selected a new mail-screening
           contractor, strengthened the new contract, and developed new mail
           inspection procedures. While still in draft form, the procedures
           are currently being used and require, among other things,
           verification of negative test results by multiple officials before
           quarantined mail is released. The establishment of stringent
           control mechanisms is likely to prevent future premature releases
           of potentially contaminated mail. DOD also drafted new
           notification procedures-which are also being used-for reporting
           positive test results to internal and external parties. The draft
           procedures are intended to improve the way DOD communicates to
           federal and local agencies during incidents. In addition, DOD is
           developing a new policy to define the roles and responsibilities
           of senior DOD leadership-including those involved in making
           medical treatment decisions-during incidents at the Pentagon. DOD
           also took actions to address problems related to the Skyline
           Complex incident. For example, DOD gathered some information about
           mail-screening operations in its facilities in the Washington,
           D.C., area and issued a directive prohibiting DOD mail facilities
           in leased space within the Washington, D.C., area from using
           equipment, including biosafety cabinets, to screen mail unless the
           equipment is being operated within the context of a comprehensive
           mail-screening program. Such a program includes the use of (1)
           trained mail screeners to sample equipment for biological agents
           and (2) an approved laboratory for analyzing the samples.

           Although DOD has made significant progress in addressing the
           problems related to the two incidents, its actions do not fully
           resolve the problems that arose. One remaining and overarching
           concern involves whether, despite its actions, DOD will adhere to
           the interagency coordination protocols in the National Response
           Plan and National Incident Management System-as it has agreed-or,
           instead, revert to the isolated decision-making approach it used
           at the Pentagon. While DOD is aligning its procedures to these
           interagency coordination protocols, in April 2006, a senior health
           official reiterated that DOD has the authority to make final
           decisions on medical treatment at the Pentagon without
           collaboration or consultation with other agencies-including HHS,
           which under the National Response Plan is the primary federal
           agency responsible for coordinating a public health response
           involving an actual or potential biological terrorist attack. More
           than 1 year later, DOD also has not developed a mail security plan
           for the Skyline Complex mail facility. More importantly, it is not
           known whether other DOD facilities also lack a plan because DOD
           does not have a process for certifying the existence of mail
           security plans and verifying that the plans have been reviewed by
           a competent authority. Finally, although DOD prohibits the use of
           mail-screening equipment, including biosafety cabinets, in
           DOD-leased facilities in the Washington, D.C., area unless the
           equipment is being operated within the context of a comprehensive
           mail-screening program, at the completion of our review, DOD still
           had not determined whether other biosafety cabinets are being used
           in the Washington, D.C., area or the conditions under which the
           equipment is being operated.

           We are making several recommendations to help improve the
           effectiveness of future DOD responses involving the suspicion of
           anthrax in the mail. Specifically, we recommend that the Secretary
           of Defense ensure that (1) any future medical decisions reached
           during potential or actual acts of bioterrorism at the Pentagon
           result from the participatory decision-making framework in the
           National Response Plan and the National Incident Management
           System, (2) appropriate officials at all of DOD's mail rooms
           develop effective mail security plans, (3) a competent DOD
           authority conducts an annual review of the plans' adequacy, and
           (4) any biosafety cabinets in use in DOD mail facilities in leased
           space in the Washington, D.C., area are being operated within the
           context of a comprehensive mail-screening program.

           We requested comments on a draft of this report from DOD, GSA, the
           Department of Justice, HHS, the Department of Homeland Security
           (DHS), and the Postal Service. Two of these agencies-DOD and
           GSA-provided written comments. DOD agreed with three of our four
           recommendations, indicating that it either was implementing, or
           intended to immediately implement, actions to address these
           recommendations.2 However, DOD only partially agreed with our
           remaining recommendation. We retained this recommendation to
           ensure that DOD's future approach to making medical decisions
           during bioterrorism incidents occur within the participatory
           federal framework. GSA's written comments clarified federal
           requirements related to the annual review of mail security plans.
           DOD's and GSA's comments are reprinted in appendixes II and III,
           respectively. DOD, the FBI (on behalf of the Department of
           Justice), CDC (on behalf of HHS), and the Postal Service provided
           technical comments, which we incorporated, as appropriate. DHS did
           not provide comments.

           What Is Anthrax and Why Is It a Concern?
			  
			  Anthrax is an acute infectious disease caused by the spore-forming
           bacterium Bacillus anthracis. The anthrax bacterium is commonly
           found in the soil and forms spores (like seeds) that can remain
           dormant in the environment for many years. Human anthrax
           infections are rare in the United States and are usually the
           result of occupational exposure to infected animals or
           contaminated animal products, such as wool, hides, or hair.
           Although infection in humans is rare, a person can die if airborne
           anthrax spores are inhaled into the lungs. Once airborne, there is
           greater possibility that the spores will be inhaled. Medical
           experts believe that symptoms of inhalation anthrax (sore throat,
           muscle aches, and mild fever) typically appear within 4 to 6 days
           of exposure, depending on how the disease is contracted. While
           anthrax is potentially fatal, individuals who are exposed to
           anthrax spores will not necessarily develop the disease.
           Inhalation anthrax can be treated with antibacterial drugs, but
           medical treatment does not necessarily ensure recovery. Anthrax is
           not contagious.

           Anthrax is a potential terrorist weapon because, if refined and
           introduced into letters and packages, anthrax spores can be
           released into the air as letters are processed or opened. The use
           of the mail as a vehicle for transmitting anthrax threatens the
           nation's mail stream and places the American public and federal
           employees at risk. This is what occurred in 2001, when letters
           containing anthrax contaminated at least 23 Postal Service
           facilities and killed five of 22 individuals diagnosed with
           anthrax, including two Postal Service employees.3 Anthrax spores
           can be killed, however, through a process known as irradiation,
           which renders anthrax in the mail harmless for humans.

           How Is Anthrax Detected?
			  
			  Detecting anthrax involves many types of activities, including

           o  developing a sampling strategy for deciding how many samples to
           collect, where to collect them, and what collection methods to
           use;
           o  collecting samples using, for example, dry or premoistened
           swabs;
           o  transporting samples to laboratories for extraction and
           analysis;
           o  extracting the sample material using specific procedures and
           fluids (such as sterile saline or water); and
           o  analyzing the samples using a variety of methods.4

           To provide a coordinated clinical diagnostic testing approach for
           detecting anthrax and other bioterrorism threats, CDC, the
           Association of Public Health Laboratories, the FBI, and others
           collaboratively developed the Laboratory Response Network (LRN) in
           1999.5 LRN laboratories (1) perform standard testing methods
           specified by CDC to either rule out or confirm the presence of
           anthrax and (2) provide public health organizations and others
           with rapid test results for use in making public health decisions.
           Generating a final test result involves both a presumptive and
           confirmatory test. Presumptive tests can be obtained within 2
           hours and are considered "actionable" from a public health
           perspective. According to CDC, antibiotic medical treatment is
           recommended as soon as possible after the LRN has obtained a
           presumptive positive test result.6 Confirmatory tests take
           longer-generally 24 to 48 hours.

           What Is the Federal Framework for Responses Involving the Suspicion
			  of Anthrax?
			  
			  The National Response Plan (NRP), which was developed by the
           federal government under the leadership of DHS, provides one part
           of the coordinated framework for how the United States will
           prepare for, respond to, and recover from domestic incidents. The
           Secretary of Defense, as well as the heads of 31 other federal
           departments and agencies, signed the Letter of Agreement contained
           in the NRP, indicating their agreement to abide by the NRP's
           incident management protocols. The December 2004 plan includes a
           Biological Incident Annex, which specifies actions that agencies
           should take when they become aware of a possible threat involving
           a biological agent. The annex also identifies the roles and
           responsibilities of various agencies that would respond to such an
           event. For example, as specified in the annex, HHS is the primary
           federal agency for coordinating a public health response involving
           an actual or potential biological terrorism attack. Table 1
           identifies selected agency actions specified in the NRP's
           Biological Incident Annex.

           Table 1: Selected Agency Actions Specified in NRP's Biological
           Incident Annex

           Source: Department of Homeland Security.

           The other part of the federal framework is the National Incident
           Management System (NIMS), which was released in March 2004. NIMS
           is intended to provide a consistent and coordinated nationwide
           approach for federal, state, and local governments to work
           effectively and efficiently together to prepare for, respond to,
           and recover from domestic incidents, including those involving
           biological incidents, regardless of their cause, size, and
           complexity. NIMS applies to all levels of government, and for the
           federal government, including DOD, it is prescriptive. A key
           component of NIMS is the incident command system, which is
           designed to integrate the communications, personnel, and
           procedures of different agencies and levels of government within a
           common organizational structure during an emergency. Another key
           component of NIMS is the establishment of a joint information
           center-with representatives from all affected parties and
           jurisdictions-to provide a unified communication message to the
           public during emergencies.

           What Federal Requirements Exist for Agencies to Follow?
			  
			  GSA and DOD have requirements for agencies to follow in protecting
           employees in mail facilities and ensuring effective mail
           operations. For example, GSA's federal mail management regulation
           requires7

           o  every federal agency and agency location with one or more
           full-time personnel processing mail to have a written mail
           security plan including, among other things, procedures for safe
           and secure mail room operations, plans for security training for
           mail employees, and plans for annual reviews of the agency's mail
           security plan and facility-level mail security plans; and
           o  large agencies, such as DOD, that spend over $1 million
           annually on postage to annually (1) verify that facility-level
           mail security plans have been reviewed and (2) report to GSA that
           all facility-level mail security plans have been reviewed by a
           competent authority within the past year.

           GSA also issues guidance and recommendations for effectively
           managing mail programs, including recommendations on the content
           of mail security plans.8 For example, GSA recommends that agencies

           o  develop a communication plan for responding to threats that
           includes names and phone numbers to call during emergencies;
           o  establish and maintain partnerships with personnel who respond
           to emergencies (first responders); and
           o  create a program for training employees on how to respond to
           biological threats, including refresher training on a regular
           basis.

           DOD's mail manual, effective December 2001, implements DOD's
           mail-related requirements.9 DOD requires its components to comply
           with GSA's federal mail management regulation, including the
           requirement that each mail center develop a written mail security
           plan and have it reviewed annually by a competent authority.

           Beyond mail-related requirements, GSA also requires the
           highest-ranking federal official of the largest agency in
           GSA-controlled (leased) office space to develop an occupant
           emergency plan.10 GSA guidance related to this requirement
           recommends that the occupant emergency plan describe, among other
           matters, critical information about the office space and actions
           to be taken during emergencies.

           The GAO Comptroller General's Standards for Internal Control in
           the Federal Government provides the overall framework for agency
           management to establish and maintain effective internal control.11
           Establishing effective internal controls is a major part of
           managing an organization. Such controls include the plans,
           methods, and procedures to be used to meet an organization's
           mission, goals, and objectives by, among other things, monitoring
           performance, training employees, and ensuring that federal
           requirements, such as GSA and DOD mail security requirements, are
           followed.

           How Did the Pentagon and Skyline Complex Process Mail in March 2005?
			  
			  The Pentagon receives its mail from the Postal Service as well as
           from commercial courier services. The Postal Service irradiates
           almost all first-class mail delivered to the Pentagon and other
           federal agencies in the Washington, D.C., area, from its
           facilities on V Street, N.E. in Washington, D.C. (the V Street
           Operation). In March 2005, Pentagon mail was delivered from the V
           Street Operation to a mail-screening facility located within the
           Pentagon remote delivery facility-a 250,000-square-foot shipping
           and receiving facility adjoining the Pentagon. Technicians dressed
           in protective gear then screened the mail over a custom-designed
           table equipped with four filters intended to capture any particles
           that might fall from the mail. The table used a negative airflow
           system that was intended to keep microscopic particles from
           dispersing back into the mail-screening facility.

           At the time of the March 2005 incident at the Pentagon, employees
           of Vistronix Incorporated (Vistronix)-the Pentagon's
           mail-screening contractor-collected and sent daily samples from
           each of the four filters to Commonwealth Biotechnologies
           Incorporated (CBI)-a private laboratory in Richmond, Virginia.
           Vistronix subcontracted the daily testing of the Pentagon's mail
           to CBI. The opened mail was then shrink-wrapped and quarantined in
           a secure room until CBI notified Vistronix of negative test
           results by either fax or e-mail. Upon receipt of negative test
           results, a Vistronix employee released the mail from quarantine.
           Once released from quarantine, mail employees placed the mail into
           mailboxes at the Defense Post Office, where it awaited pickup by
           Pentagon employees.

           The TRICARE Management Activity (TMA) mail room at the Skyline
           Complex received and processed mail differently from the
           Pentagon.12 It received a small amount of its mail from the
           Pentagon, but most of its mail came from a Postal Service facility
           in Merrifield, Virginia, according to a TMA mail room official.
           The TMA mail room had a biosafety cabinet, an X-ray machine, and
           two full-time employees. The biosafety cabinet had a negative
           airflow system with filters for capturing and holding any
           particles that fell from envelopes or packages being opened. While
           the cabinet was used for mail screening, it was not capable of
           detecting anthrax.

           Each of the Incidents Presented a Different Situation and Response
			  and Occurred over Several Days
			  
			  The two incidents involving the suspicion of anthrax occurred over
           several days, but the most significant actions occurred the same
           day-Monday, March 14, 2005. The Pentagon incident occurred first
           and was the result of positive test results for anthrax in the
           mail. The Skyline Complex incident occurred later that day when an
           alarm sounded on the biosafety cabinet that employees took as a
           sign that contaminated mail had been passed from the Pentagon to
           the Skyline Complex.13 Combined, the incidents set in motion a
           large-scale response that also affected Postal Service employees
           and operations. The response ended a few days later, when further
           testing confirmed that anthrax was not present at either DOD
           facility or in the mail. Figure 1 shows a chronology of the key
           actions and organizations involved in the two incidents. The
           discussion that follows explains each incident in turn.



2The Office of the Administrative Assistant to the Secretary of the
Army-the organization responsible for managing DOD's mail-also reviewed
the draft report and concurred "without comment."

                                   Background

What Is Anthrax and Why Is It a Concern?

3We have issued a number of reports on the response to these incidents.
See, for example, GAO, U.S. Postal Service: Better Guidance Is Needed to
Ensure an Appropriate Response to Anthrax Contamination, GAO-04-239 
(Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health Response to
Anthrax Incidents of 2001, GAO-04-152  (Washington, D.C.: Oct. 15, 2003);
and U.S. Postal Service: Better Guidance Is Needed to Improve
Communication Should Anthrax Contamination Occur in the Future, GAO-03-316
(Washington, D.C.: Apr. 7, 2003).

How Is Anthrax Detected?

What Is the Federal Framework for Responses Involving the Suspicion of Anthrax?

4See GAO, Anthrax Detection: Agencies Need to Validate Sampling Activities
in Order to Increase Confidence in Negative Results, GAO-05-251 
(Washington, D.C.: Mar. 31, 2005).

5In March 2005, LRN consisted of 147 laboratories that, according to CDC,
had demonstrated the ability to meet and maintain CDC's testing standards.

6Medical treatment, as used in this report, means administering
postexposure prophylaxis to exposed individuals.

Response actions to be taken by agencies                                   
The Department of Justice is to be notified through the FBI's Weapons of   
Mass Destruction Operations Unit.                                          
The FBI, in turn, is to immediately notify DHS's Homeland Security         
Operations Center and the National Counterterrorism Center under the       
direction of the Director of National Intelligence.                        
The LRN is to be used to test samples for the presence of biological       
threat agents.                                                             
The FBI, in conjunction with HHS, is to make decisions on where to perform 
additional tests on samples. The FBI is to lead criminal investigations of 
terrorist acts or threats.                                                 
Once notified of a credible threat, HHS is to convene an interagency       
meeting to assess the situation and determine the appropriate public       
health response. HHS is to coordinate the overall public health response   
efforts across all federal departments and agencies.                       
DHS is to coordinate the overall nonmedical response actions across all    
federal departments and agencies.                                          

What Federal Requirements Exist for Agencies to Follow?

7GSA issues regulations under the authority of the Federal Records
Management Amendments of 1976 (Section 2 of Public Law 94-575, 44 U.S.C.
2901-2904), which requires the GSA Administrator-the executive head of
GSA-to provide assistance to federal agencies on records management,
including the processing of mail. See 41 CFR Parts 101-9 and 102-192.

8GSA, Mail Communications Policy Office, Mail Center Security Guide, 3rd
edition (Washington, D.C., 2004); and National Guidelines for Assessing
and Managing Biological Threats in Federal Mail Facilities (Washington,
D.C., Dec. 29, 2003).

9DOD's requirements are described in the DOD Instruction 4525.8 and DOD
Manual 4525.8M, effective December 2001.

How Did the Pentagon and Skyline Complex Process Mail in March 2005?

10This requirement is contained in GSA's regulations for managing
property. See 41 CFR Sec. 102-74.230.

11GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999).

12TMA provides administrative support to DOD's civilian health and medical
program for the uniformed services.

Each of the Incidents Presented a Different Situation and Response and Occurred
                               over Several Days

13A portion of TMA's mail destined for the Skyline Complex is screened at
the Pentagon and picked up from an office inside the Pentagon.

Figure 1: Chronology of Key Actions and Organizations Involved at Pentagon
and Skyline Complex

The Pentagon Incident Was Triggered from Tests Indicating the Presence of
Anthrax

Events leading up to the Pentagon incident began on Thursday afternoon,
March 10, 2005. After screening the mail in a facility at the Pentagon
remote delivery facility, Vistronix employees routinely collected swab
samples from four filters and sent them to CBI for analysis. According to
Vistronix's account of events associated with the incident, about 4:00
p.m. on Friday afternoon, March 11, a representative from CBI informed the
Vistronix Director that one of four swab samples collected and tested from
Thursday's mail was positive for anthrax. The Director requested the
laboratory to conduct additional testing over the weekend but did not
notify Defense Post Office officials of the initial positive test results.
On Monday morning, March 14, at about 6:00 a.m., the Vistronix Director
informed a member of his staff (the site supervisor) that while additional
laboratory results for Thursday's mail had not yet been received, test
results for Wednesday's mail were negative, and, therefore, Wednesday's
mail was cleared for release. The site supervisor misunderstood the
conversation, incorrectly concluding that mail from both days could be
released from quarantine, and, consequently, he called his staff to
release the mail. At about 6:30 a.m., Thursday's mail was released, and,
shortly thereafter, employees of the Defense Post Office began processing
the mail for distribution. According to Vistronix, at about 9:10 a.m., the
laboratory notified Vistronix that additional testing of Thursday's swab
sample was also positive. By the time Vistronix notified a Defense Post
Office official of the second test result at about 9:25 a.m., an
unspecified amount of the mail suspected of containing anthrax had already
been picked up and distributed throughout the Pentagon.

These developments initiated a wide-ranging response. At about 10:15 a.m.,
a Defense Post Office official notified the Pentagon Force Protection
Agency (PFPA)-the law enforcement agency responsible for protecting
people, facilities, and infrastructure on the Pentagon Reservation.14 In
the 2 hours that followed, PFPA

           o  shut down the Pentagon remote delivery facility,
           o  coordinated with mail officials to identify possible recipients
           of Thursday's mail,
           o  secured the perimeter around the remote delivery facility with
           the help of antiterrorism units, and
           o  evacuated the majority of the employees from the remote
           delivery facility to the Pentagon's former child development
           center.15

           PFPA continued to lead the response in the hours that followed.
           The Arlington County Emergency Communications Center sent
           emergency personnel to the scene after it was notified through
           official channels at about 10:37 a.m. Emergency personnel
           typically take charge of incidents when the affected individuals
           have immediate medical needs. However, when they arrived, they
           said none of the employees appeared to have symptoms of illness.
           As a result, PFPA and Arlington County agreed that PFPA would
           continue to lead the response. According to a DOD timeline of the
           incident, DOD also attempted to notify the following federal and
           local offices:

           o  12:10 p.m.: First broadcast message sent to local public safety
           and emergency management response agencies.
           o  12:15 p.m.: FBI's Washington Field Office and the Weapons of
           Mass Destructions Operations Unit at FBI Headquarters.
           o  12:30 p.m.: Office of the Postmaster General-the executive head
           of the Postal Service .
           o  12:40 p.m.: Department of Homeland Security's Operations
           Center.

           When FBI staff arrived on the scene at about 1:00 p.m., they began
           to assess the incident's credibility. According to FBI officials,
           the totality of the initial evidence suggested a false alarm.
           First, only one of the four swab samples collected and tested from
           the filters on Thursday was positive for anthrax. If an actual
           incident had occurred, FBI officials said, it would have been
           reasonable to expect that all four samples would have been
           contaminated because, based on experience gained during the fall
           of 2001 anthrax attacks, once airborne, anthrax spores disperse
           over a wide area. In addition, tests conducted on Friday's mail
           were negative. FBI officials said that if anthrax had contaminated
           Thursday's mail, it would likely have contaminated the entire
           mail-screening facility, leaving residual spores that also would
           have been detected in the samples taken from Friday's mail. While
           suspicious of a false alarm, the FBI declared the Pentagon remote
           delivery facility a crime scene based on the evolving response of
           other agencies and the need to further assess the evidence.

           During the afternoon hours, two DOD Health Affairs officials
           responsible for responding to medical issues on the Pentagon
           Reservation-the Commander of the DiLorenzo TRICARE Health Clinic
           and DOD's Assistant Secretary for Health Affairs-began providing
           medical treatment to (1) employees working at the remote delivery
           facility where the mail-screening facility was located, (2)
           Pentagon mail recipients, and (3) the mail-screening technicians.
           DOD health officials estimate that, in total, they dispensed an
           initial 3-day course of antibiotics to about 889 potentially
           affected employees. According to the officials involved, their
           decision to immediately dispense antibiotics as a precautionary
           measure was based on the laboratory's positive test results and
           their experiences gained in the fall of 2001. DOD's Assistant
           Secretary for Health Affairs told us that at about 1:00 p.m., he
           conferred with the CDC Director about DOD's medical decision, and
           that she agreed with the decision. According to the CDC Director,
           the call was made to inform her about the decision that DOD had
           already reached. The Director of CDC said that even if the purpose
           of the call had been to seek her advice on medical treatment
           options, she could not have offered a medical opinion because of
           insufficient information, especially with respect to the
           reliability of the laboratory's test results. She stressed the
           need for clear, accurate, and understandable information for
           making decisions about medical treatment. Such information, she
           said, is typically developed collaboratively with all appropriate
           parties involved. After the conversation, she said she contacted
           the CDC operations center that handles such incidents to ensure
           that appropriate CDC personnel were aware of the incident. While
           HHS is the primary agency responsible for a public health
           response, according to an HHS official, the CDC operations
           center-not DOD-subsequently contacted the HHS operations center.

           As officials from additional federal agencies became aware of the
           incident, several interagency conference calls were held. The
           first of these calls was convened by HHS officials at about 5:00
           p.m.16 Officials from HHS said the purpose of the conference call
           was to obtain a basic understanding of what had occurred at the
           Pentagon (and at the Skyline Complex, where the second incident
           had already begun), so that decisions could be made on how to
           respond appropriately. According to HHS and DHS officials,
           decision makers needed answers to such questions as what analysis
           had been done, what procedures had been used by the contract
           laboratory, and how the Pentagon samples had been collected.
           Obtaining such information was critical to determining whether
           people had been exposed to anthrax, whether the two incidents were
           linked, and what the appropriate response should be. However,
           according to DHS and HHS officials, DOD could not adequately
           answer these and other questions.

           On Monday afternoon, DOD took the samples from CBI for analysis to
           Fort Detrick, located in Frederick, Maryland-the site of two key
           federal laboratories.17 The samples arrived at about 5:30 p.m.
           Over the next few days, the laboratories at Fort Detrick conducted
           numerous tests of the Pentagon's samples as well as environmental
           samples taken from the Pentagon. Late Wednesday evening, results
           of additional testing indicated that anthrax was not present in
           samples collected from the Pentagon's mail-screening facility.
           Agency officials involved in the response believe that the initial
           positive test result could have been caused by cross contamination
           at CBI. The facility reopened on Friday, March 18.

           The Skyline Complex Incident Resulted from an Alarm on Equipment Used
			  for Mail Screening
			  
			  The incident at the Skyline Complex began several hours after the
           Pentagon incident began. At about 10:00 a.m., a TMA employee
           picked up mail from the Pentagon and, by 11:30 a.m., had
           distributed some of the mail within the Skyline Complex-a large
           office complex of privately owned buildings in Fairfax County,
           Virginia.18 According to officials at the Skyline Complex, an
           employee received an urgent telephone call around noon indicating
           an unspecified problem with the Pentagon's mail and directing that
           any mail from the Pentagon be retrieved. The caller did not
           provide any further explanation, according to the official. TMA
           mail room employees retrieved the mail they had already delivered,
           emptied mailboxes, and placed some of the mail in trash bags.
           About 1:00 p.m., a TMA mail room employee was screening other mail
           from the Pentagon using the biosafety cabinet when the cabinet's
           alarm sounded. According to mail room employees, they made several
           unsuccessful attempts to telephone the manufacturer and the
           maintenance contractors for help. In addition, DOD's manager of
           the complex told us that she called PFPA for guidance on how the
           cabinet operated, but the PFPA official was not aware of the type
           of equipment in use at the complex, and consequently, he was not
           able to tell her what to do.19 Finally, at 2:09 p.m., a Skyline
           employee called the Fairfax County 911 emergency line.

           Fairfax County emergency responders (fire, police, public health,
           and hazardous material units) arrived on the scene shortly
           thereafter. They led the incident over the next few hours and took
           several actions, including

           o  closing the Skyline Complex and securing its exits,
           o  shutting off its elevators and air-handling systems,
           o  developing and providing health information to occupants,
           o  collecting contact information from the occupants,
           o  decontaminating some employees who were sheltering in place,
           and
           o  obtaining and testing environmental samples from the complex
           and attempting to remove filters from the biosafety cabinet in
           order to perform additional tests.20

           According to Fairfax County responders, they attempted to hold all
           occupants within the Skyline Complex because they anticipated
           receiving results of environmental testing Monday afternoon. They
           explained that having the complex occupants together would help
           them provide information to the occupants and coordinate any
           further responses that may be necessitated by the results of the
           environmental testing. Test results were delayed, however, and the
           majority of the Skyline Complex employees began to be released.
           Just prior to this, at about 7:30 p.m., Fairfax County responders
           began decontaminating 45 of the complex's employees who were
           believed to be at high risk for exposure to anthrax. The initial
           environmental test results-available on Tuesday-were inconclusive
           and, as a result, Fairfax County and FBI responders collected
           additional environmental samples for analysis at Fort Detrick. On
           Tuesday afternoon, DOD dispensed antibiotics to the 45 high-risk
           employees. This incident began to de-escalate on Tuesday evening
           as officials learned that the alarm that sounded on the biosafety
           cabinet used for mail screening indicated only an airflow
           obstruction, not the presence of anthrax. By Wednesday evening,
           laboratory results from environmental samples indicated that
           anthrax was not present at TMA's mail room in the Skyline Complex.
           The majority of the Skyline Complex reopened on Thursday, while
           TMA's mail room reopened on Friday morning, March 18.

           The Incidents Also Affected Postal Service Employees and Operations
			  
			  A DOD official called the Postmaster General to inform him of the
           Pentagon incident at about 12:30 p.m. on Monday, March 14, 2005,
           but neither the Postmaster General nor other Postal Service
           executive were available to receive the call. The DOD official
           left a voice-mail message, but according to the Postal Service's
           Senior Vice President for Government Relations, the message did
           not convey any urgency about the potential for anthrax in the
           mail. Furthermore, by the time Postal Service officials listened
           to the message, they had already heard about the incident through
           the local media. At about 5:00 p.m., when Postal Service officials
           learned at the first interagency conference call that DOD had
           provided antibiotics to Pentagon employees, Postal Service
           officials acted quickly to protect their employees who, days
           earlier, might have processed the mail. Thus, by Monday evening,
           the Postal Service had suspended operations at its V Street
           Operation and had immediately begun dispensing antibiotics to its
           employees. In total, over 160 Postal Service employees were
           treated for their possible exposure to anthrax. On Tuesday, March
           15, the CDC's National Institute for Occupational Safety and
           Health provided technical assistance to the Postal Service in
           designing an environmental testing strategy for the V Street
           Operation.21 By Wednesday morning, March 16, results from
           environmental testing of the V Street Operation were negative for
           anthrax. The Postal Service reopened the V Street Operation in the
           afternoon.

           Problems Encountered Reflect Both a Failure to Follow Existing
			  Contract Provisions and Procedures and a Lack of Procedures and Plans
			  
			  DOD encountered numerous problems during the two March 2005
           incidents. At the Pentagon, these problems primarily involved not
           following required mail-screening contract provisions and
           procedures. The failure to follow these requirements resulted in,
           among other things, the premature release of the potentially
           contaminated mail that caused the incident at the Pentagon. In
           addition, the Pentagon's contract for mail screening lacked a
           clear provision specifying required testing methods, which
           resulted in the use of a laboratory whose testing methods were
           unknown and whose results were not actionable-this, in turn,
           exacerbated the incident at the Pentagon. At the Skyline Complex
           mail facility, problems were even more basic, in that required
           procedures and plans for responding to biohazards and other
           emergencies were inadequate or absent altogether. Further, at the
           Pentagon, the federal framework developed to, among other things,
           help ensure more effective decision making through the coordinated
           response of all affected parties and decision makers was not fully
           followed. If the framework had been fully followed, decisions
           regarding medical treatment of DOD and Postal Service employees
           may have been improved.

           At the Pentagon, the Mail-Screening Contract Provisions and Procedures
			  Were Not Followed
			  
			  Vistronix did not follow contract provisions and mail inspection
           procedures related to the detection and response to potential
           biohazard emergencies involving the Pentagon's mail. The
           contractor developed procedures for implementing the contract's
           mail-screening requirements, which described the process by which
           mail entering the Pentagon would be inspected, tested,
           quarantined, and released. DOD approved the procedures, but the
           contractor failed to follow two key requirements.

           o  Mail-screening contractor did not provide timely notification
           of potential contamination. Both the contract and the approved
           mail inspection procedures provided specific notification
           requirements for informing DOD of potential biohazardous
           situations involving the Pentagon's mail. The contract required
           Vistronix to notify PFPA "immediately" if there were any evidence
           of risk or possible contamination of the mail. Similarly, the mail
           inspection procedures required PFPA to be contacted (1) within 1
           minute of an actual or potential event involving contamination and
           (2) when a positive test result occurred "at any point" in the
           testing process. The laboratory informed the Vistronix Director
           that a sample from Thursday's mail had tested positive for anthrax
           on Friday afternoon, March 11. Instead of immediately notifying
           PFPA as required, however, the Director asked the laboratory to
           conduct additional tests over the weekend. The contractor did not
           inform DOD of the suspected mail contamination until after it
           received the second positive test result on Monday, March 14-about
           2- 1/2 days after the notification should have occurred. According
           to the Vistronix Director, he believed the procedures required
           them to notify DOD only after a second positive test result. The
           contractor's untimely notification created a sense of urgency
           within DOD to quickly provide antibiotics to its employees-before
           consulting, as specified in the NRP, with other agencies about the
           proper medical response.
           o  Mail-screening contractor did not quarantine mail until it
           received negative test results from the laboratory. The contract
           required Vistronix to quarantine the mail until receipt of
           negative test results. Similarly, the mail inspection procedures
           required Vistronix to hold (i.e., "not release for delivery") the
           Pentagon's mail until the laboratory had reported negative test
           results to Vistronix. The procedures also noted that a positive
           result "at any point" necessitates sequestering all potentially
           contaminated mail. Vistronix failed to follow these requirements.
           Specifically, while the Vistronix Director was aware of an initial
           positive test result on Friday, he did not ensure that the mail
           remained quarantined until receipt of negative test results from
           the laboratory. Instead, miscommunication among Vistronix staff
           led to the mail's release several hours before the laboratory
           informed Vistronix that its weekend test results were also
           positive for anthrax. The premature release of the potentially
           contaminated mail resulted in a broad response at the Pentagon,
           the Skyline Complex, and the Postal Service's V Street Operation.

           The Pentagonï¿½s Mail-Screening Contract Provision for Testing
			  Samples Was Also Unclear
			  
			  The testing provision in the mail-screening contract required
           Vistronix to test samples from the mail-screening equipment in
           accordance with unspecified "CDC guidelines." However, Defense
           Post Office officials-including the contracting officer's
           representative who had responsibility for overseeing the
           contract-told us that they did not identify the specific
           guidelines to be used and were unaware that the CDC publishes both
           general testing guidelines, which are available in the public
           domain, and guidance and protocols for anthrax testing by the LRN,
           which are available only to LRN laboratories.22 The officials
           explained that even if they had known which guidelines DOD
           expected to be followed, they did not have the technical expertise
           to determine whether the contract's testing provision was being
           followed. Defense Post Office officials further explained that the
           contract was awarded quickly in 2001 after the nationwide anthrax
           attacks. Their office was tasked with overseeing the contract,
           they said, because at that time the office was the "executive
           agent for mail in the Pentagon"-not because it had any expertise
           or training on these matters.23 According to Defense Post Office
           officials, the lack of technical expertise regarding anthrax at
           that time contributed to the lack of clarity in the contract's
           testing provision. Their lack of expertise also caused them to
           conclude that CBI met all CDC and federal guidelines, in part,
           because Vistronix had informed DOD that CBI was a certified CDC
           laboratory that adhered to CDC guidelines. An independent review
           of CBI, the subcontract laboratory, sponsored by DOD and conducted
           in April 2005 found that CBI analyzed the Pentagon's samples using
           testing methods that differed from CDC's guidance and protocols.
           The review also found that Vistronix's contract with CBI did not
           require the laboratory to verify its testing methods. By March
           2005, DOD and Vistronix had had 3- 1/2 years to specify its
           testing requirements for the contract. An unclear contracting
           provision, combined with the lack of oversight by both DOD and
           Vistronix, resulted in the use of a laboratory whose testing
           methods were unknown and whose results were not actionable. The
           effect of these events was evident when DOD officials could not
           adequately explain to other agency officials what (1) tests CBI
           had conducted, (2) methods CBI had used, and (3) the results
           meant. DOD's inability to provide adequate answers to these and
           other crucial questions exacerbated the incident at the Pentagon
           and slowed the response since officials from other agencies were
           skeptical of the laboratory's results.

           At the Skyline Complex, Basic Response Procedures Were Inadequate
			  or Absent Altogether
			  
			  At the Skyline Complex, basic procedures for responding to a
           biohazardous incident were inadequate or absent for the TMA mail
           facility in the Skyline Complex. The following three key elements
           were either inadequate or absent.

           o  First, TMA did not ensure that mail room procedures addressed
           what to do, or whom to notify, when the equipment alarm sounded or
           that employees were properly trained on the equipment. TMA is
           responsible for ensuring that adequate procedures are in place and
           effective training occurs, so that employees can perform their
           duties competently. Although some procedures were in place at the
           Skyline Complex, they did not address the capabilities of the
           biosafety cabinet or what to do if the alarm on the equipment
           sounded. At the time of the incident, the mail room's procedures
           provided, among other things, (1) basic instructions for using the
           biosafety cabinet, including how to turn the machine on and off
           and how to open the mail, and (2) information about whom to notify
           when a suspicious package was discovered. The procedures did not
           address what the biosafety cabinet did, how it worked, or how to
           respond to its built-in alarm. The TMA mail manager noted that
           training on the biosafety cabinet had occurred when the machine
           was purchased in 2001, but no subsequent training had been
           conducted.24 In the meantime, he said, staff turnover and the
           absence of additional training had led to a lack of understanding
           about the equipment's capabilities. In addition, while the
           procedures specified whom to call if suspicious mail is
           discovered, the procedures did not address whom to contact when
           the equipment's alarm sounded.25 If procedures were adequate and
           periodic training had occurred, employees would likely have known
           that, although the equipment had a negative airflow system with
           filters for capturing and holding any particles that fell from
           envelopes or packages being opened within the equipment, it did
           not detect biohazards and its alarm sounded only to indicate an
           airflow obstruction. Instead, in conjunction with the phone call
           indicating an unspecified problem with the Pentagon's mail, mail
           room employees assumed the alarm was signaling the presence of
           biohazards in the mail. Because TMA employees lacked adequate
           information and training on the equipment, they unnecessarily
           contacted first responders.
           o  Second, neither TMA nor DOD ensured that the required mail
           security plan was in place. Both TMA and DOD have responsibilities
           for ensuring that an adequate mail security plan exists for the
           mail room in the Skyline Complex. GSA's federal mail management
           regulation and DOD's mail manual both require mail security plans
           for agency mail rooms. According to GSA's regulation,26 security
           plans must include (1) procedures for safe and secure mail room
           operations, (2) plans for training mail room personnel, and (3)
           plans for annually reviewing agency and facility-level mail
           security plans. In addition, DOD's mail manual requires DOD's mail
           room officials to ensure that their mail security plans are
           coordinated with local security officials. TMA did not develop the
           required security plan. If TMA had developed a plan and
           coordinated it with local officials, Fairfax County emergency
           personnel-the local first responders-may have learned about the
           biosafety cabinet's limitations, including the meaning of the
           equipment's audible alarm. Furthermore, DOD did not ensure that
           TMA had developed a plan, or attempt to review it for adequacy, as
           required. GSA's federal mail management regulation requires that
           facility level mail security plans be annually reviewed. Moreover,
           as specified in the regulation, DOD must annually report to GSA
           that its mail security plans have been reviewed by a competent
           authority within the past year. GSA officials noted that DOD's
           Official Mail Manager submits a certification form to GSA
           annually; however, the form does not indicate that DOD's (1) plans
           exist and that (2) the plans have been reviewed by a competent
           authority in the past year. Instead, the form submitted to GSA
           simply certifies that DOD has the requisite requirements in place.
           According to DOD's Official Mail Manager,27 he cannot certify that
           all DOD mail rooms have mail security plans or that they have been
           reviewed by a competent authority because DOD does not have a
           process in place to ensure that the required reviews take place.28
           He further explained that he lacks the time and resources to
           review the plans. If TMA and DOD had followed the applicable
           requirements, the problem that occurred at the Skyline Complex may
           have been avoided.
           o  Third, the Defense Information Systems Agency had not developed
           an Occupant Emergency Plan. GSA requires agencies of
           GSA-controlled buildings to have an occupant emergency plan for
           protecting life and property during an emergency. Critical
           elements of the plan include (1) evacuation and
           sheltering-in-place information; (2) contact information and
           emergency phone numbers; and (3) specific information about the
           building's construction, including its floor plans. The highest
           ranking official of the largest agency in each GSA-controlled
           building is responsible for developing and maintaining the
           occupant emergency plan.29 In March 2005, the Defense Information
           Systems Agency (Defense Agency) was the largest agency in the
           Skyline Complex. According to officials from the Defense Agency,
           they were aware of the agency's responsibility for developing the
           occupant emergency plan as early as June 2002. Defense Agency
           officials had drafted a plan by the time of the incident, but had
           neither distributed it to other federal occupants of the complex
           nor coordinated it with first responders. Moreover, employees had
           not been trained on the plan and affected federal agencies had not
           agreed to or signed the plan. Officials of the Defense Agency
           commented that developing an occupant emergency plan takes a great
           deal of coordination among participating agencies, which prolongs
           the plan's completion. The lack of a required occupancy emergency
           plan contributed to the difficulties that employees and first
           responders experienced during the incident. For example, first
           responders had difficulty getting critical information to
           employees because contact information was not readily available
           for federal employees in the complex. In addition, since
           information about the complex was not readily available, some
           employees were able to exit the complex because Fairfax County
           police, who had attempted to secure the Skyline Complex, were
           unaware of all the existing exits.

           DOD Did Not Fully Follow the Federal Framework for Coordinating
			  Responses at the Pentagon
			  
			  DOD did not fully follow the federal framework for coordinating a
           response to the potential anthrax incident at the Pentagon;
           instead, it chose to make decisions on its own. The federal
           framework is set forth in the NRP and NIMS, which specifies a
           structured and coordinated approach for involving federal, state,
           and local agencies in decision making. The unifying element of
           this framework is the ability to harness the resources of various
           agencies whose expertise and knowledge help ensure informed
           decisions about how to proceed in any given situation. While DOD
           initially followed NIMS when it established its incident command
           at the Pentagon,30 as the incident evolved, key aspects of the
           federal framework were not followed. Here are three examples:

           o  First, DOD did not fully follow NRP's notification structure.
           NRP's Biological Incident Annex requires every federal agency to
           first notify the FBI if it becomes aware of an overt threat
           involving biological agents. While DOD officials did notify the
           FBI, it was not until almost 3 hours after they first became aware
           of the Pentagon's positive test results. Earlier notification
           would have likely helped with the evaluation of test results and
           allowed federal agencies to collectively coordinate a proper
           course of action, particularly because, as discussed earlier, FBI
           officials began questioning the incident's credibility after
           arriving on scene. The Biological Incident Annex also designates
           HHS as the federal agency responsible for coordinating a public
           health response involving bioterrorism threats. DOD officials
           never notified HHS but, instead, called the Director of CDC to
           disclose their intention to administer antibiotics to DOD
           employees. The Director of CDC, not DOD, alerted the CDC
           operations center, which, in turn, notified HHS's operations
           center at about 4:00 p.m. on Monday. As specified in the
           Biological Incident Annex, once HHS officials were notified of a
           credible threat, they convened an interagency conference call
           approximately 1 hour later to coordinate a possible medical
           emergency response. However, by then, DOD had already begun to
           administer antibiotics to its employees. As a result, any advice
           any guidance on (1) medical treatment options or (2) the validity
           of the laboratory's test results that other agency officials may
           have offered were essentially moot.
           o  Second, DOD failed to follow NIMS protocols regarding joint
           decision making. Under NIMS, the incident commander is responsible
           for the entire response to an incident. To assist with various
           aspects of a multijurisdictional response, the incident commander
           is expected to assemble federal, state, and local agencies to
           serve in a unified command. The unified command includes
           representatives from all agencies and organizations that have
           responsibility for, or can provide support to, an incident.
           Collectively, the unified command is expected to consider and help
           make decisions on all objectives and strategies related to an
           incident. At the Pentagon in March 2005, PFPA included federal and
           local agencies in the response; however, the response structure
           never matured into a unified command, especially when some
           decisions-especially those related to medical treatment-were made
           outside the command structure. DOD essentially had two separate
           incident responses: PFPA acted as the incident commander for the
           evacuation and containment of Pentagon employees, while DOD's
           Health Affairs made unilateral decisions regarding the employees'
           medical treatment. According to local public health officials, DOD
           did not consult them on the proper course of action regarding
           whether, or how, to intervene medically. Had information and
           decisions flowed through a unified command structure, local public
           health officials could have raised the concerns they had about
           providing antibiotics without a confirmed LRN test result.
           Additionally, if medical treatment decisions had been made
           collaboratively, DOD and local public health officials could have
           (1) agreed on a strategy for treating potentially affected
           individuals, including access to additional medication and
           follow-up treatment; and (2) discussed the potential ramifications
           of initially providing ciprofloxacin to DOD employees.31 According
           to local public health officials, DOD's initial provision of
           ciprofloxacin to DOD employees set a precedent that essentially
           eliminated other antibiotic treatment options, given the health
           officials' desire to ensure that potentially affected individuals
           would be treated consistently.32 Had medical decisions been made
           within the context of a unified command, a different decision may
           have been reached and hundreds of DOD employees-with no, or
           limited, exposure to potential contamination-may not have received
           unnecessary medication.
           o  Third, DOD did not coordinate the initial public response to
           the incidents. An important outcome envisioned in the federal
           framework is effective management of information available to the
           public. The NIMS structure calls for a joint information center to
           provide a location for organizations participating in the
           management of the incident to work together to ensure that timely,
           accurate, easy-to-understand, and consistent information is
           disseminated to the public. The joint information center is
           supposed to have representatives from each organization involved
           in the management of an incident. DOD did not establish a joint
           information center at the start of the incidents, and it did not
           have clear written procedures for doing so. As a result, the
           public received unclear and inconsistent messages about, among
           other matters, the source of the anthrax. For example, media
           accounts reported that mail through the Postal Service caused the
           incidents when, in fact, the source of possible contamination was
           unknown. According to the Postal Service, this resulted in
           unnecessary anxiety among Postal Service workers, their families,
           and recipients of Postal Service mail.

           According to DOD health officials responsible for making medical
           decisions at the Pentagon, they based their medical treatment
           decision on the experiences they gained from the fall 2001 anthrax
           incidents. The officials explained that they were very sensitive
           to what they perceived to be untimely medical decisions reached in
           the fall of 2001. Consequently, they said they decided to err on
           the side of caution and quickly distribute antibiotics to
           employees at the Pentagon and Skyline Complex. Additionally, since
           the incident occurred on the Pentagon Reservation, DOD officials
           did not believe that the NRP applied because, in their view, they
           had the medical authority, expertise, and resources to handle the
           incident internally.33 However, other federal officials-including
           those in DHS and HHS-told us that the NRP was applicable and that
           DOD should have followed the framework. In addition, CDC guidance
           emphasizes the need to make risk-based decisions, including those
           involving dispensing of antibiotics during suspected anthrax
           incidents. According to the CDC, a risk-based, participatory
           approach is necessary, in part to limit the number of people who
           may receive antibiotics before confirmation by the LRN.34 Since
           the mail had been quarantined over the weekend, the Pentagon
           employees most at risk would have been the technicians who had
           screened the mail the previous week. These persons received
           antibiotics, but so did hundreds of others who, in our view, would
           not likely have been exposed until Monday morning, when the
           Pentagon's mail was released from quarantine.

           DOD health officials' concern about protecting DOD employees from
           the risk of exposure is clearly understandable. However, DOD's
           actions were not consistent with the NRP. Once HHS was contacted
           by CDC, it began using the notification and response protocols
           specified in the NRP. In particular, HHS convened the first
           interagency conference call in which federal participants were
           able to discuss the laboratory's test results and raise concerns
           about the quality of the results. Additionally, CDC was able to
           address the Postal Service's concerns about the possible health
           effects on its employees who may have processed contaminated mail
           to the Pentagon the previous week. CDC recommended antibiotics for
           employees of the V Street Operation because (1) of the confluence
           of the two incidents, which, at the time, were viewed as involving
           the presence of anthrax; (2) DOD had already started its employees
           on antibiotics; and (3) the employees could have been exposed to
           anthrax several days earlier because they process mail to the
           Pentagon.

           DOD Took Numerous Actions That Address Problems Related to the
			  Incidents
			  
			  DOD took numerous actions that address problems related to the
           Pentagon and Skyline Complex incidents. At the Pentagon, some
           actions to improve DOD's mail processing and incident response,
           such as modernizing the mail-screening facility and changing the
           laboratory used to test daily samples, were already under way.
           Other actions, including selecting a new mail-screening contractor
           and improving procedures for releasing quarantined mail, were a
           direct response to what occurred. At the Skyline Complex, DOD's
           actions included prohibiting the use of equipment for screening
           mail unless the equipment is being operated within the context of
           a comprehensive mail-screening program. DOD also commissioned the
           RAND Corporation to conduct an independent review to examine its
           response to the incidents.35 The resulting report,36 issued in
           January 2006, contains numerous recommendations which, according
           to DOD, it has taken action upon.

           At the Pentagon, Some Actions Were Already Under Way, While Others
			  Were Taken in Direct Response to the Incident
			  
			  Some of the actions DOD took at the Pentagon were under way before
           the March 2005 incident. Although the actions were not carried out
           until later, they reflected decisions that had been previously set
           in motion to improve mail screening and responses to biological
           incidents. These actions included the following:

           o  DOD transferred oversight of the mail-screening function to
           PFPA. PFPA assumed oversight of mail-screening from the Department
           of the Army in August 2005 because, according to DOD officials,
           PFPA's strategic mission of providing security and law enforcement
           at the Pentagon is better aligned with the mail-screening
           function. According to a PFPA official, planning for the transfer
           of mail-screening oversight began around January 2005. A gradual
           transition had been planned, he said, but the Pentagon incident
           significantly accelerated efforts to implement the transfer of
           mail-screening oversight responsibilities.
           o  DOD modernized the mail-screening facility, refurbished the
           mail quarantine room, and installed new mail-screening equipment.
           According to a DOD official, initial planning for these
           improvements also began around January 2005. PFPA officials stated
           that the new mail-screening facility and the refurbished
           quarantine room have improved capabilities that are designed to
           protect employees and prevent the spread of anthrax. Finally, a
           DOD official said that the decision to replace the previous
           mail-screening table with new equipment was based on a 2003
           National Academy of Sciences report, which, among other things,
           raised questions about the table's ability to detect anthrax in
           small amounts. PFPA is awaiting the results of a study, which it
           expects to conclude in May 2006, to evaluate the effectiveness of
           the changes.
           o  DOD changed its testing laboratory. Daily testing of samples
           from the Pentagon's mail-screening equipment is now performed by a
           non-LRN chemical-biological laboratory located on the premises,
           instead of a contract laboratory. The laboratory is part of PFPA
           and, according to a PFPA official, was established in January 2005
           to help protect the Pentagon from biological threats. The official
           stated that the original plan was to transfer testing from CBI to
           the Pentagon's chemical-biological laboratory in October 2005,
           after the Vistronix contract expired. However, the transfer was
           accelerated, occurring instead in March 2005, a few days after the
           incident at the Pentagon.
           o  DOD entered into a memorandum of understanding (MOU) on
           biological monitoring with other federal agencies. In April 2005,
           DOD signed an MOU for Coordinated Monitoring of Biological Threat
           Agents, which was developed prior to the Pentagon incident. DHS,
           HHS, the Department of Justice (which includes the FBI), and the
           Postal Service are also parties to the MOU. DHS's Science and
           Technology Directorate is responsible for coordinating the
           implementation of the MOU. The following provisions in the MOU
           help address the notification, laboratory testing, and medical
           response problems that arose at the Pentagon:

                        o  The MOU establishes prompt notification
                        requirements. Specifically, the MOU requires
                        participants to notify the FBI, HHS, and DHS within 1
                        to 2 hours of positive test results that indicate,
                        with a high degree of confidence, the presence of
                        anthrax or other biological agents. However,
                        according to a DHS Science and Technology Directorate
                        official, such test results only trigger notification
                        and, until confirmed by the LRN, are not considered
                        actionable by HHS, DHS, and others.
                        o  The MOU requires participating agencies to develop
                        and employ mutually accepted and validated testing
                        methods to confirm biological threats. According to a
                        Science and Technology official, test results
                        produced from these methods will be considered
                        actionable for public health and other response
                        measures, including the administration of medical
                        treatment. He stated, however, that this MOU
                        provision will take time to implement.37 According to
                        the official, an independent organization is
                        currently performing the extensive testing and
                        analysis needed to evaluate and establish equivalency
                        between the wide array of testing methods employed
                        across agencies.38 DOD officials stated that the
                        Pentagon's chemical-biological laboratory-which is
                        not part of the LRN-plans to adopt the testing
                        methods that emerge from the MOU. As a result, if the
                        MOU's equivalency testing provision is fully
                        implemented, they said, confirmatory positive results
                        from the Pentagon laboratory will be considered
                        equivalent to LRN results and deemed actionable by
                        DHS, HHS, and others for decisions related to the
                        administration of medical treatment.39

           In addition to carrying out actions already in process, DOD also
           initiated numerous actions in direct response to the problems that
           occurred at the Pentagon. Several of these actions address the
           mail-screening contractor's failure to follow established
           requirements. Other actions were carried out in response to the
           RAND review and are intended to better align DOD's procedures with
           those in the federal framework for coordinating responses to
           potential biological threats. The actions are as follows:
           o  DOD changed mail-screening contractors, strengthened the new
           contract, and drafted improved procedures. PFPA selected a new
           contractor for screening mail at the Pentagon in September 2005.
           PFPA also developed new contract provisions and drafted new mail
           inspection procedures to address the previous contractor's failure
           to follow established contractual and procedural requirements.
           Table 2 highlights key changes in the Pentagon's mail-screening
           contract provisions and draft procedures.

           Table 2: Key Changes in the Pentagon's Mail-Screening Contract
           Provisions and Draft Mail-Screening Procedures
			  
			  Key changes in the Pentagon's contract provisions                          
The contractor is required to periodically train its employees on          
emergency response procedures, including those relating to the receipt of  
suspicious materials.                                                      
The contractor is required to develop an effective quality control program 
to ensure that its services are performed in accordance with the           
contract's requirements.                                                   
PFPA's contracting officer representative is required to evaluate the      
contractor's performance to ensure that it meets contract requirements.    
The representative is to monitor the contractor's performance and report   
any deficiencies.                                                          
Key changes in the Pentagon's draft mail-screening procedures              
The facilities manager, a newly created position in PFPA's laboratory      
division, is responsible for, among other things, performing unannounced   
inspections to ensure that the contractor properly executes procedures.    
The contract supervisor, an employee of the mail-screening contractor, is  
responsible for ensuring that contract personnel perform all activities in 
accordance with established procedures.                                    

A PFPA laboratory official verifies that test results are negative for     
mail scheduled to be released.                                             
A PFPA laboratory official notifies the facility manager, the contract     
supervisor, and a Defense Post Office official via e-mail that the results 
are negative and that mail can be released at the scheduled time. All      
parties must verify the receipt of the negative test results by replying   
to the e-mail.                                                             
The PFPA laboratory facility manager, the contract supervisor, and a       
Defense Post Office official, must physically verify that the date stamp   
and other information on the quarantined mail matches the laboratory's     
report indicating negative test results before releasing the mail.     

           Source: GAO analysis of DOD information.

           PFPA strengthened the mail-screening contract by requiring the
           contractor to, among other things, periodically train employees on
           emergency response procedures and develop an effective quality
           control program to ensure adherence to contract provisions. In
           addition, PFPA's contracting officer representative is required to
           evaluate the contractor's performance to ensure that it meets
           contract requirements.40 PFPA has also drafted new mail-screening
           procedures to help ensure the contractor performs in accordance
           with requirements. The draft procedures require PFPA to, among
           other things, perform unannounced inspections to ensure that the
           contractor is properly executing required procedures. As of April
           30, 2006, it was unclear when the draft procedures would be
           finalized; however, according to a PFPA official, the new
           monitoring measures are already being performed. Effective
           monitoring of contractor activities and performance is key to
           maintaining effective agency internal controls.

           o  DOD strengthened controls over the release of quarantined mail.
           The Pentagon's draft mail inspection procedures require
           verification of negative test results by representatives from
           three separate organizations-PFPA, the Defense Post Office, and
           the contractor-before the mail is released. Table 3 identifies the
           key steps for releasing quarantined mail, as specified in the
           draft procedures.

           Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft
           Procedures

           Source: GAO analysis of DOD information.

           Although the mail inspection procedures are still in draft form,
           these steps are currently being used for releasing the Pentagon's
           quarantined mail. The segregation of key duties and
           responsibilities at this critical juncture in the mail release
           process reduces the risk of error and, as such, is designed to
           strengthen the internal controls that were lacking in March 2005.
           During the incident, inadequate internal controls allowed a single
           point of failure-in this case, a misunderstanding between two
           contract employees-to result in the premature release and
           distribution of quarantined mail that may have been contaminated.
           This triggered a broad response at the Pentagon and elsewhere. The
           implementation of rigorous internal controls for releasing the
           Pentagon's mail appears likely to prevent similar incidents in the
           future.

           o  DOD commissioned the RAND Corporation to conduct an independent
           review examining its response to the March 2005 incidents. The
           review primarily focused on evaluating DOD's policies and
           procedures for responding to such incidents and making
           recommendations for improvement. In November 2005, DOD formed a
           working group to review and implement recommendations from a draft
           of the report. The final report was issued in January 2006.
           o  DOD drafted new notification procedures for positive test
           results at the Pentagon. To help address the notification problems
           that arose during the Pentagon incident, DOD drafted new
           procedures for notifying appropriate parties of positive test
           results from the Pentagon's on-site chemical-biological
           laboratory. These procedures help implement a recommendation in
           the RAND report that calls for ensuring timely notification of
           designated agencies in accordance with the NRP and NIMS. The
           recommendation was based on findings similar to those identified
           by GAO. DOD officials stated that the new procedures, while still
           in draft, are currently being used to respond to potential
           incidents involving biological contamination at the Pentagon.
           Figure 2 illustrates DOD's draft notification procedures for
           positive test results from the Pentagon's on-site
           chemical-biological laboratory.

           Figure 2: DOD's Draft Procedures for Positive Test Results from
           the Pentagon's On-Site Chemical-Biological Laboratory

           aThe Assistant Secretary of Defense for Homeland Defense is the
           overall supervisor of homeland defense activities for DOD. This
           office manages domestic incidents and represents DOD in homeland
           defense-related matters with other agencies.

           bThe Assistant Secretary of Defense for Public Affairs is the
           principal staff adviser to the Office of the Secretary of Defense
           for disseminating information related to the Pentagon.

           The procedures require Pentagon laboratory officials to
           immediately notify PFPA of positive test results. Thereafter, PFPA
           and DOD's Assistant Secretary of Homeland Defense are responsible
           for making the required notifications to internal and external
           parties. According to a DOD official, these notifications should
           occur immediately in order to meet the 1 to 2 hour time frame
           specified in the MOU. As prescribed in the NRP, once notified of
           positive test results, (1) the FBI is responsible for coordinating
           appropriate confirmatory testing by the LRN and (2) DHS's
           operations center is responsible for notifying affected local
           jurisdictions. DOD's draft procedures include notification to all
           agencies specified in the NRP's Biological Incident Annex, as well
           as those specified in the MOU. Although not specifically required
           in either the NRP or MOU, the procedures also include notification
           to the Postal Service. An official stated that DOD actively worked
           with DHS, the FBI, and HHS to develop the notification procedures
           and is continuing to improve them based on agency input, actual
           events, and the outcome of training exercises.

           o  DOD is developing a new policy that defines the roles and
           responsibilities of senior DOD leadership during incidents at the
           Pentagon. According to DOD's Director of Administration and
           Management,41 the policy-called an instruction-is being developed
           and will be based, in part, on NRP's Biological Incident Annex. He
           stated that the instruction will detail the health-care
           responsibilities of DOD leadership involved in making medical
           treatment decisions and will be consistent with NRP and NIMS
           protocols. The draft instruction was expected to be tested during
           a Pentagon training exercise in May 2006 and is to be finalized in
           the fall of 2006. The development of the instruction directly
           addresses a recommendation from the RAND review, which arrived at
           findings similar to ours regarding DOD's medical decision making.
           o  DOD drafted new procedures to help ensure that a joint
           information center is established. DOD also drafted procedures for
           ensuring that, consistent with the NIMS framework, a joint
           information center is established during potential emergency
           incidents at the Pentagon. During the March 2005 incident, DOD did
           not establish a joint information center to disseminate timely,
           accurate, and consistent messages to the public. The RAND report
           contained a similar finding and recommended remedial actions. In
           response, DOD drafted procedures that require PFPA, Public
           Affairs, and Washington Headquarters Services to coordinate in the
           establishment and operation of a joint information center to
           disseminate information to the media during incidents at the
           Pentagon.42 According to a Washington Headquarters Services
           official, the draft procedures will be tested during future
           training exercises at the Pentagon.

           DOD Took Other Actions That Address Problems at the Skyline Complex
			  
			  DOD also took a number of other actions that address the specific
           problems we described related to the incident at the Skyline
           Complex. Many of these problems were also raised in the RAND
           report. DOD's actions, several of which also affect other
           DOD-leased facilities, included the following:

           o  DOD developed operating conditions for equipment used to screen
           mail in the national capital region. In January 2006, DOD's
           Director of Administration and Management issued a directive
           prohibiting DOD mail facilities in leased space within the
           national capital region43-including the Skyline Complex-from
           operating equipment used to screen mail, including biosafety
           cabinets, unless the facilities meet five specific operating
           conditions. These conditions include having trained mail screeners
           to sample equipment for biological agents and an approved
           laboratory for analyzing the samples. The directive partially
           addresses a recommendation in the RAND report calling for DOD to
           develop, evaluate, and ensure that appropriate site-specific
           screening practices are in place departmentwide. According to the
           Director, the directive is intended to relay key lessons learned
           in March 2005-specifically, that equipment for screening mail is
           ineffective and potentially risky to personnel and facilities when
           used outside of a comprehensive mail-screening program. The TMA
           facility at the Skyline Complex did not meet these conditions.
           Although the agency purchased a new biosafety cabinet for the
           Skyline Complex, which is similar to the device in place in March
           2005,44 a TMA official stated that the agency is no longer
           operating the device and is taking steps for its disposal in
           response to the directive.
           o  DOD initiated two efforts to gather information on screening
           operations in its mail facilities. First, DOD's Joint Program
           Executive Office for Chemical-Biological Defense, as part of a
           plan required by the National Defense Authorization Act for Fiscal
           Year 2006,45 gathered some information on equipment used for mail
           screening in DOD mail facilities nationwide. However, according to
           a joint program office official, the data is not comprehensive
           because information was not sought from all applicable facilities.
           Second, in response to the RAND review, Washington Headquarters
           Services attempted to identify DOD-leased facilities in the
           national capital region that screen mail for threats. However, as
           discussed later, this data collection effort had numerous
           limitations.
           o  DOD developed an occupant emergency plan for the Skyline
           Complex. In July 2005, the Defense Agency, in conjunction with
           TMA, issued an occupant emergency plan for the Skyline Complex.
           The plan was reviewed and deemed adequate by a building management
           specialist in DOD's Washington Headquarters Services. The plan
           includes emergency contact information and information about the
           complex, such as floor plans, that were not readily available
           during the March 2005 incidents. In addition, according to a
           Defense Agency official, the plan has been fully coordinated with
           Fairfax County first responders, who (1) met with Defense Agency
           officials to discuss the roles and responsibilities of applicable
           parties, (2) reviewed the plan, and (3) participated in the
           emergency training exercises at the Skyline Complex. He also
           stated that if a similar incident were to occur, the plan would
           facilitate communications between first responders and Skyline
           Complex employees. The development of an occupant emergency plan
           addresses findings in this report as well as recommendations from
           the RAND review.

           o  DOD issued supplemental requirements for developing mail
           security plans. DOD's December 2001 mail manual required agency
           mail rooms to develop security plans, but at the time of the
           incidents, did not clearly specify what the plans should include
           or require that they be reviewed. A supplement to the manual,
           issued in September 2005, requires mail room officials to ensure
           that their plan (1) details the reporting procedures and
           responsibilities for handling suspicious mail, (2) has been
           coordinated with local emergency responders, (3) is disseminated
           to all mail center staff, and (4) is reviewed for potential
           revisions at least quarterly. The supplemental requirements refer
           mail room officials to GSA guidance on handling suspicious mail to
           assist in the development of adequate security plans.46

           DODï¿½s Actions Do Not Fully Resolve Identified Problems
			  
			  DOD's actions resolve many of the problems that arose in the March
           2005 incidents but not all. One remaining and overarching concern
           involves whether, despite its actions, DOD will adhere to the
           interagency coordination protocols in the NRP and NIMS or will
           revert to the isolated decision-making approach it used at the
           Pentagon. Other remaining issues include ensuring that DOD (1)
           facilities have adequate mail security plans in place and (2) mail
           facilities in the national capital region are appropriately using
           biosafety cabinets for screening mail.

           DODï¿½s Adherence to NRP and NIMS Interagency Coordination Protocols Remains Uncertain for Incidents at the Pentagon
			  
			  DOD has taken actions to align its procedures with the NRP and
           NIMS, including the development of an instruction defining the
           roles and responsibilities of senior DOD leadership during
           incidents at the Pentagon. The policy instruction is not expected
           to be finalized until the fall of 2006 and, until then, it is
           unknown whether it will adequately specify medical treatment
           responsibilities in accordance with the coordination protocols in
           the NRP and NIMS. In October 2005, senior DOD health officials
           told us that they would handle the medical response at the
           Pentagon in a similar manner if an incident occurred in the
           future, in part, because they have the authority to do so. In
           April 2006-more than 1 year after the incident-another senior
           health official reiterated that DOD has the authority to make
           final decisions on medical treatment at the Pentagon without
           collaboration or consultation with other agencies, including HHS.
           Such views conflict with protocols in both the NRP, which requires
           an HHS-led coordinated public health response, and NIMS, which
           prescribes local-level input into decisions affecting their
           jurisdictions. Until DOD ensures that its senior health officials
           make medical treatment decisions in accordance with the NRP and
           NIMS during potential biological incidents at the Pentagon, the
           problems that occurred in March 2005 remain unresolved.

           DOD Still Has Not Ensured That Its Mail Facilities Have Reviewed
			  Mail Security Plans, As Required
			  
			  TMA did not have a mail security plan for the Skyline Complex at
           the time of the incidents, and although federal mail management
           regulation and DOD's mail manual require such a plan, it has not
           subsequently developed one. Until TMA develops a plan and, among
           other things, coordinates it with local first responders, any
           future response at the facility may also be hampered. More
           importantly, it is not known whether other DOD mail facilities
           also lack plans, or adequate plans, for guiding future responses
           involving potential biological threats in the mail. As discussed
           earlier, DOD does not have a process in place to (1) ensure that
           its mail facilities have mail security plans and (2) verify that
           each plan has been annually reviewed by a competent authority.

           DOD Has Not Ensured That Its Facilities in the National Capital
			  Region Are Appropriately Using Biosafety Cabinets
			  
			  Gaps remain in the actions DOD has taken to ensure the appropriate
           use of biosafety cabinets for mail screening in DOD-leased mail
           facilities in the national capital region. First, DOD has not
           ensured that DOD mail facilities in the national capital region
           are not operating biosafety cabinets outside of a comprehensive
           mail-screening program. As pointed out in the Director of
           Administration and Management's January 2006 directive, using
           mail-screening equipment in isolation of such a program is
           ineffective and potentially risky. Second, at the conclusion of
           our review, DOD still had not identified the number of biosafety
           cabinets in use in the region. For example, although DOD's
           Washington Headquarters Services collected information about
           facilities in the national capital region that screen mail for
           threats, its winter 2005 data collection effort was not
           comprehensive. For example, the office did not attempt to (1)
           identify whether other biosafety cabinets were being used, (2)
           determine the conditions under which the equipment is being
           operated, and (3) collect information on the type and capabilities
           of other mail-screening equipment being used. Moreover, it appears
           that numerous DOD mail facilities in the national capital region
           did not respond to the data request. According to an official from
           Washington Headquarters Services in April 2006, a follow-up effort
           was being conducted to gather additional data on mail-screening
           operations in the region; however, we were unable to obtain
           specific information regarding the purpose, scope, and status of
           the effort. Eliminating equipment that is not being used in
           conjunction with a comprehensive mail-screening program is likely
           to reduce future false alarms and unnecessary response activities
           involving the Skyline Complex and other DOD mail facilities in
           leased space within the national capital region.

           Conclusions
			  
			  Mail continues to be a potential venue for terrorism, particularly
           as an opportunity to strike at the Pentagon-a building of national
           military significance. DOD has taken aggressive measures to ensure
           the safety of its employees during a potential biological attack,
           but the challenge ahead is to ensure that DOD's components and
           leadership are sufficiently prepared in the event of another
           potential incident involving anthrax or other biohazards.
           Preparation involves having the procedures, plans, and training in
           place to effectively coordinate the best available knowledge and
           expertise across the many agencies that will likely be involved.
           While lessons learned from these two false alarms have largely
           been implemented, there still is a need to tighten controls in the
           areas discussed above.

           Recommendations for Executive Action
			  
			  To help prepare DOD to effectively respond to future incidents
           involving the suspicion of biological substances in the mail, we
           recommend that the Secretary of Defense take the following four
           actions:

           o  Ensure that any future medical decisions reached during
           potential or actual acts of bioterrorism at the Pentagon
           Reservation result from the participatory decision-making
           framework specified in the NRP and NIMS.
           o  Ensure that appropriate officials at all of DOD's mail
           facilities develop effective mail security plans in accordance
           with GSA's mail management regulation and guidance and DOD's mail
           manual.
           o  Ensure that a competent DOD authority conducts a DOD-wide
           review of all of its mail security plans.
           o  Determine (1) whether biosafety cabinets are being used at mail
           facilities within DOD-leased space in the national capital region
           and, if so, (2) whether the equipment is being operated within the
           context of a comprehensive mail-screening program. If the use of
           biosafety cabinets does not comply with the criteria specified in
           the Director of Administration and Management's January 2006
           directive, ensure that the equipment will not be operated.

           Agency Comments and Our Evaluation
			  
			  We requested comments on a draft of this report from DOD, GSA, the
           Department of Justice, HHS, DHS, and the Postal Service. Two of
           these agencies-DOD and GSA-provided written comments. The
           agencies' comments are reprinted in appendixes II and III,
           respectively.

           DOD agreed with three of our four recommendations, indicating that
           it either was implementing, or intended to immediately implement,
           actions to address these recommendations.47 Furthermore, while DOD
           is developing a new policy to define the roles and
           responsibilities of senior DOD leadership-including those involved
           in making medical treatment decisions-during incidents at the
           Pentagon, it only partially agreed with our remaining
           recommendation, related to the need for DOD to make future medical
           decisions within the participatory decision-making framework
           specified in the NRP and NIMS. While commenting that "coordination
           in such events is highly desirable," DOD reiterated that it has
           the "medical authority to act in a timely manner to provide the
           best possible medical protection for its personnel at potential
           risk in an incident of this nature." DOD further commented that
           the NRP does not alter or impede its ability to carry out its
           medical authorities and responsibilities.

           We agree that the NRP does not repeal DOD's medical powers,
           authorities, or responsibilities. However, in signing the NRP
           Letter of Agreement, DOD agreed, among other things, to (1)
           support NRP concepts, processes, and structures; (2) modify its
           existing plans to comply with the NRP; and (3) ensure that its
           operations support the NRP. Thus, in our view, DOD's medical
           authorities must be exercised in conjunction with DOD's
           responsibilities under the NRP. Had DOD followed such an approach
           in March 2005, concerns such as the validity of the test results
           could have been discussed among informed agency officials and the
           provision of unnecessary medicine to DOD employees at lower risk
           for exposure may have been avoided.

           DOD also commented that the NRP was not in effect during these
           incidents because none of the criteria for an incident of
           "national significance" had been met. We agree that the December
           2004 NRP plan was somewhat ambiguous about when an incident is
           subject to NRP's concepts, processes, and structures. However,
           revisions made in May 2006 clarified that the NRP is "always in
           effect" and that the plan applies to incidents of lesser severity
           that may, nevertheless, require some federal involvement. In our
           view, this revision makes it even more clear that, going forward,
           coordination is necessary and appropriate with regard to potential
           bioterrorism incidents and decisions about medical treatment. In
           addition, despite the plan's prior ambiguity, it is important to
           note that other federal officials-including those in DHS and
           HHS-told us that the NRP was applicable because of the nearly
           simultaneous occurrence of two incidents involving the Pentagon, a
           building of national military significance. Thus, according to
           these and other involved parties, DOD should have responded to the
           incidents within the context of the federal framework.

           GSA's written comments clarified federal requirements related to
           the annual review of mail security plans. DOD, the FBI (on behalf
           of the Department of Justice), CDC (on behalf of HHS), and the
           Postal Service provided technical comments, which we incorporated,
           as appropriate. DHS did not provide comments.

           We are sending copies of this report to appropriate congressional
           committees and subcommittees, CDC, DHS, DOD, the FBI, GSA, HHS,
           the Postal Service, the Arlington and Fairfax County Offices of
           Emergency Management, the District of Columbia Health Department,
           and other interested parties. We will also make copies available
           to others upon request. In addition, the report is available at no
           charge on the GAO Web site at http://www.gao.gov .

           If you or your staff have any questions about this report, please
           contact me at [email protected] or (202) 512-2834. Contact points
           for our Offices of Congressional Relations and Public Affairs may
           be found on the last page of this report. Staff who made key
           contributions to this report are listed in appendix IV.

           Katherine A. Siggerud Director, Physical Infrastructure Issues

           Appendix I: Scope and Methodology
			  
			  To determine what occurred at the Pentagon and Skyline Complex
           mail facilities in Virginia, we reviewed all available timelines
           and after-action reports, including those prepared by various
           Department of Defense (DOD) components, the Postal Service, the
           RAND Corporation, and other federal, state, and local entities.
           The after-action reports and timelines document what occurred at
           the two sites in March 2005 as well as the sequence and timing of
           what occurred. We also obtained and analyzed other pertinent
           documentation. We developed a timeline of what occurred based on
           the information we obtained, and corroborated this information
           with agency officials, where possible. With respect to this and
           our other reporting objectives, we interviewed a wide range of
           officials from the following organizations:

           o  Office of the Secretary of Defense, Administration and
           Management;
           o  Office of the Assistant Secretary of Defense for Health
           Affairs;
           o  Office of the Assistant Secretary of Defense for Homeland
           Defense;
           o  DOD's DiLorenzo TRICARE Health Clinic;
           o  DOD's TRICARE Management Activity (TMA);
           o  DOD's Pentagon Force Protection Agency, including personnel in
           the Chemical, Biological, Radiological and Nuclear laboratory;
           o  DOD's Washington Headquarters Services;
           o  DOD's Defense Post Office;
           o  Vistronix Incorporated;
           o  Department of Health and Human Services;
           o  Centers for Disease Control and Prevention (CDC);
           o  Department of Homeland Security (DHS);
           o  Federal Bureau of Investigation (FBI) Headquarters and its
           Washington Field Office;

           o  U.S. Postal Service;
           o  District of Columbia's Department of Health; and
           o  Arlington and Fairfax County Offices of Emergency Management.

           To determine what problems occurred and why they occurred, we
           obtained, reviewed, and analyzed, among other documents, (1) all
           available timelines and after-action reports prepared by federal,
           state, and local agencies that were involved in the response; (2)
           the Pentagon's mail-screening contract and procedures; (3) TMA's
           mail procedures; (4) federal mail management and other applicable
           regulations related to occupant emergency plans;1 (5) DOD
           requirements, including its mail manual; (6) applicable guidance
           on the coordination of incidents with appropriate organizations,
           including the National Response Plan (NRP) and its Biological
           Incident Annex and the National Incident Management System (NIMS)
           and; (7) CDC guidance related to the provision of medical services
           to potentially affected employees, including its guidance on the
           timing of antibiotics to affected individuals.2 We also reviewed
           and analyzed GAO's internal control standards for applicable
           criteria and interviewed officials from the previously cited
           organizations as well as those from DOD's Defense Information
           Systems Agency, DOD's Military Postal Service Agency, and the
           General Services Administration. We compared DOD's actions with
           applicable criteria, such as the Pentagon's contract provisions
           and procedures, regulations and guidance, and the national
           coordination protocols in place at the time of the incidents, to
           identify any variations between the actions taken at the two
           facilities and the actions specified in the applicable criteria.
           Where variations existed, we interviewed officials from the
           previously mentioned organizations to determine why the applicable
           criteria was not followed.

           To determine the actions DOD has taken that address the problems
           that arose during the March 2005 incidents at the two mail
           facilities, we interviewed officials from the previously cited DOD
           offices as well as the Office of the Assistant Secretary of
           Defense for Public Affairs, Military

           Postal Service Agency, Joint Program Executive Office for Chemical
           and Biological Defense, and General Services Administration. We
           also interviewed DHS officials from the Science and Technology
           Directorate and DHS's Mail Management Program. We obtained and
           analyzed pertinent information on all identified actions. For
           example, with respect to actions taken at the Pentagon, we
           reviewed the new mail-screening contract, recent interagency
           agreements, and the Pentagon's draft (1) mail-screening operating
           procedures, (2) laboratory procedures, (3) notification
           procedures, and (4) procedures for communicating information to
           the public. For actions taken in response to the incident at the
           Skyline Complex, we reviewed TMA's mail-screening procedures,
           DOD's directive prohibiting the use of biosafety cabinets in
           certain environments, and the Skyline Complex occupant emergency
           plan, all of which were issued after the March 2005 incidents.

           To determine the extent to which the actions taken address the
           problems that arose at the two mail facilities during the March
           2005 incidents, we reviewed and analyzed, among other things, the
           Pentagon's new mail-screening contract and its draft (1)
           mail-screening operating procedures, (2) laboratory procedures,
           (3) notification procedures, and (4) procedures for communicating
           information to the public. To assess whether the actions appeared
           to resolve the problems that arose during the incidents, we
           compared policy and procedural changes to applicable criteria,
           including criteria contained in DOD's mail manual, GSA's
           regulations and guidance, CDC guidance, GAO Internal Controls
           Standards, the NRP's

           Biological Incident Annex, and NIMS. We determined the status of
           key recommendations in the after-action reports and, through our
           analysis, identified further actions necessary to remedy the
           issues that arose. In addition, to provide broader perspective on
           issues related to detecting and responding to suspected anthrax
           incidents, we reviewed previous studies, congressional testimony,
           and other pertinent documents including those prepared by GAO.3

           We performed our work from June 2005 to August 2006 in accordance
           with generally accepted government auditing standards.
			  
Appendix II: Comments from the Department of Defense 

Appendix III: Comments from the General Services Administration

Appendix IV: GAO Contact and Staff Acknowledgments

                                  GAO Contact

Katherine A. Siggerud, (202) 512-2834 or [email protected]

                             Staff Acknowledgments

In addition to the contact named above, Kathleen Turner (Assistant
Director), David Hooper, Daniel Klabunde, Steve Martinez, Josh Ormond,
Stanley Stenersen, and Johanna Wong made key contributions to this report.

1410 USC Sec. 2674(f)(1) defines the Pentagon Reservation as the area of
land (consisting of approximately 280 acres) and improvements thereon,
located in Arlington, Virginia, on which the Pentagon Office Building,
Federal Office Building #2, the Pentagon heating and sewage treatment
plants, and other related facilities are located, including various areas
designated for the parking of vehicles.

15The mail-screening technicians were not evacuated and, instead, remained
isolated in the mail-screening facility, according to PFPA officials.

16Other conference calls occurred over the next few days.

17The two laboratories at Fort Detrick are associated with the United
States Army Medical Research Institute of Infectious Diseases and the
National Bioforensic Analysis Center.

18GSA leases office space at the Skyline Complex for federal agencies,
including DOD's TMA office.

19According to the manager, the PFPA employee thought that the equipment
was an X-ray machine.

20The biosafety cabinet was destroyed as a result of efforts to extract
its filters for testing.

21The National Institute is the federal agency responsible for conducting
research into occupational safety and health matters.

22CBI was not a part of the LRN in March 2005 and, consequently, would not
have had access to CDC's guidelines and protocols for LRN laboratories.

23The officials noted that PFPA's Chemical, Biological, Radiological, and
Nuclear department did not exist when DOD initially awarded the
mail-screening contract. The laboratory associated with this department,
as well as its current role in the Pentagon's mail screening, is discussed
later in this report.

24In its technical comments on a draft of this report, DOD noted that
subsequent training had been conducted, but that the training was "not as
detailed."

25As discussed earlier, mail room employees made several unsuccessful
attempts to telephone the manufacturer and the maintenance contractors for
help. In addition, DOD's manager of the complex told us that she called
PFPA for guidance on how the cabinet operated, but the PFPA official was
not aware of the type of equipment in use at the complex, and
consequently, he was not able to tell her what to do. Finally, an employee
called 911, which brought emergency responders from Fairfax County,
Virginia.

2641 CFR S:102-192.90.

27The Official Mail Manager retired in April 2006.

28Related to this, GSA officials told us that GSA does not have the
authority to enforce its reporting requirement.

2941 CFR Ch 102-74.230.

30The incident command initially included federal and local agencies and
was used for, among other things, coordinating the evacuation of the mail
screening and remote delivery facilities and the relocation of potentially
affected employees.

31Ciprofloxacin is one of several antibacterial drugs, including
amoxicillin and doxycycline, that can be used to treat anthrax exposure.
CDC currently recommends doxycycline for preventive treatment of anthrax.

32Local public health officials explained that their desire to ensure that
potentially affected individuals would be treated consistently derived
from lessons learned in the fall of 2001. At that time, Capitol Hill staff
was also initially provided with ciprofloxacin for their potential
exposure to anthrax; however, Postal Service employees generally received
doxycycline. CDC's recommendations in this area had changed, but that was
not well understood, in part because ciprofloxacin had been described as
the drug of choice in media reports. Because Postal Service employees
generally received doxycycline-instead of ciprofloxacin-they believed that
they had been given an inferior drug. According to local public health
officials, this misperception was difficult to explain and, together with
the death and illness of exposed postal employees, caused trauma within
the Postal Service community.

33Under DOD Directive 6200.3, Emergency Health Powers on Military
Installations, DOD commanders and the designated Public Health Emergency
Officer-in this case, the commander of the DiLorenzo TRICARE Health
Clinic-can take actions to protect installations, facilities, and
personnel in the event of a public health emergency resulting from
biological warfare, terrorism, or a communicable disease epidemic.

34According to CDC, antibiotic medical treatment is recommended as soon as
possible after the LRN has obtained a presumptive positive test result.
Such results can be obtained within 2 hours.

35The RAND Corporation is a nonprofit research organization. Its National
Defense Research Institute-a federally funded research and development
center-conducted the review. RAND also examined a third incident that
occurred at a DOD mail facility on the Bolling Air Force Base. The
incident at the Bolling Air Force Base was not connected to the Pentagon
and Skyline Complex incidents. Consequently, that incident is not
discussed in this report.

36Except for an unclassified summary, the RAND report is not available
publicly.

37The MOU established August 2005 as the deadline for agencies to begin
using mutually accepted testing methods, a date that has long passed.
According to an official from DHS's Science and Technology Directorate, it
will take a considerable amount of additional time to assess and develop
consensus on testing methods. The official estimated that the process to
establish mutually accepted testing methods will be completed between
September 2006 and March 2007.

38According to CDC officials, the process involves establishing
equivalency between DOD and LRN testing methods. In addition, they stated
that once mutually accepted methods are established, it will take
additional time to fully implement the testing and response procedures
from an operational standpoint.

39A DOD official noted that positive test results are taken in conjunction
with other relevant factors to determine if antibiotics should be
administered.  

40As discussed, the previous contracting officer's representative for
administering the mail-screening contract was an official from the Defense
Post Office with no expertise or training related to screening mail for
anthrax or other biological hazards. The new contracting officer's
representative is the Director of PFPA's chemical-biological laboratory
located at the Pentagon.

41The Director of Administration and Management is the principal adviser
on DOD-wide organizational and administrative management matters. The
Director's responsibilities include providing policy guidance to DOD
components at (1) the Pentagon and (2) DOD-leased space in the Washington,
D.C., area.

42Washington Headquarters Services manages DOD-wide programs and
operations for the Pentagon Reservation and DOD-leased facilities in the
Washington, D.C., area.

43The national capital region includes the District of Columbia and 11
local jurisdictions in Maryland and Virginia, including Arlington and
Fairfax Counties, where the two incidents occurred.

44TMA's previous biosafety cabinet was destroyed during the March 2005
incident. The new cabinet, purchased prior to receiving the directive, is
functionally similar to the old one in that it is not capable of detecting
biological agents and its alarm only indicates an obstruction in the
equipment's airflow.

45In January 2006, the President signed into law the National Defense
Authorization Act for Fiscal Year 2006, P.L. 109-163, which could change
the way DOD processes mail at the Pentagon and around the world. The law
requires the Secretary of Defense to submit a report to Congress on the
safety of mail within the military mail system, including a plan to screen
all incoming mail for biological agents.

46Specifically, the September 2005 supplement to DOD's mail manual cites
the third edition of GSA's Mail Center Security Guide and GSA's December
2003 policy advisory entitled National Guidelines for Assessing and
Managing Biological Threats in Federal Mail Facilities.

47The Office of the Administrative Assistant to the Secretary of the Army
also reviewed the draft report and concurred "without comment."

1Federal Management Regulation, 41 C.F.R. ch. 102, issued by GSA.

2U.S. Department of Health and Human Services, Centers for Disease Control
and Prevention, Morbidity and Mortality Weekly Report, "Responding to
Detection of Aerosolized Bacillus anthracis by Autonomous Detection
Systems in the Workplace" (Atlanta, Georgia, June 4, 2004).

3See, for example, GAO, U.S. Postal Service: Better Guidance Is Needed to
Ensure an Appropriate Response to Anthrax Contamination, GAO-04-239 
(Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health Response to
Anthrax Incidents of 2001, GAO-04-152  (Washington, D.C.: Oct. 15, 2003);
and U.S. Postal Service: Better Guidance Is Needed to Improve
Communication Should Anthrax Contamination Occur in the Future, GAO-03-316
(Washington, D.C.: Apr. 7, 2003).

(542066)

GAO's Mission

The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548

To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548

Public Affairs

Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548

www.gao.gov/cgi-bin/getrpt? GAO-06-757 .

To view the full product, including the scope

and methodology, click on the link above.

For more information, contact Kate Siggerud at (202) 512-2834 or
[email protected].

Highlights of GAO-06-757 , a report to the Committee on Homeland Security
and Governmental Affairs, U.S. Senate

September 2006

MAIL SECURITY

Incidents at DOD Mail Facilities Exposed Problems That Require Further
Actions

In March 2005, two well-publicized and nearly simultaneous incidents
involving the suspicion of anthrax took place in the Washington, D.C.,
area. The incidents occurred at Department of Defense (DOD) mail
facilities at the Pentagon and at a commercial office complex (Skyline
Complex). While these incidents were false alarms, DOD and other federal
and local agencies responded. The Postal Service suspended operations at
two of its facilities and over a thousand DOD and Postal Service employees
were given antibiotics as a precaution against their possible exposure to
anthrax.

This report describes (1) what occurred at the Pentagon and Skyline
Complex mail facilities, (2) the problems we identified in detecting and
responding to the incidents, (3) the actions taken by DOD that address the
problems that occurred, and (4) the extent to which DOD's actions address
the problems.

What GAO Recommends

GAO is making recommendations to help improve the effectiveness of future
DOD responses involving the suspicion of anthrax in the mail. DOD agreed
with three of our recommendations but only partially agreed with our
fourth. GAO retained this recommendation to ensure that DOD's future
approach to making medical decisions during bioterrorism incidents occur
within the participatory federal framework.

Events leading up to the Pentagon incident began when a laboratory that
tested samples from the Pentagon's mail-screening equipment informed DOD's
mail-screening contractor that test results indicated the presence of
anthrax in the mail. By the time the contractor notified DOD 3 days later,
suspect mail had already been released and distributed throughout the
Pentagon. DOD evacuated its mail-screening and remote delivery facilities,
notified federal and local agencies, and dispensed antibiotics to hundreds
of employees. The Skyline Complex incident began the same day when Fairfax
County, Virginia, emergency personnel responded to a 911 call placed by a
Skyline employee that an alarm had sounded on a biosafety cabinet used to
screen mail. Local responders closed the complex and decontaminated
potentially exposed employees, and DOD dispensed antibiotics to the
employees. Similarly, the Postal Service suspended operations at two
facilities and dispensed antibiotics to its employees. Laboratory testing
later indicated  that the incidents were false alarms.

Analysis of these incidents reveals numerous problems related to the
detection and response to anthrax in the mail. At the Pentagon, DOD's
mail-screening contractor did not follow key requirements, such as
immediately notifying DOD after receiving evidence of contamination. At
the Skyline Complex, DOD did not ensure that the complex had a mail
security plan or that it had been reviewed, as required. The lack of a
plan hampered the response. DOD also did not fully follow the federal
framework-including the National Response Plan, which was developed to
ensure effective, participatory decision making. Instead of coordinating
with other agencies that have the lead in bioterrorism incidents, DOD
unilaterally dispensed antibiotics to its employees.

DOD has taken numerous actions that address problems related to the two
incidents. At the Pentagon, DOD's actions included selecting a new
mail-screening contractor and defining the roles and responsibilities of
senior leadership, including those involved in making medical decisions.
Related to Skyline, DOD prohibited  its mail facilities in leased space
within the Washington, D.C., area from using biosafety cabinets to screen
mail unless the equipment is being operated within the context of a
comprehensive mail-screening program.

While DOD has made significant progress in addressing the problems that
occurred, its actions do not fully resolve the issues. One remaining
concern is whether DOD will adhere to the interagency coordination
protocols specified in the national plan for future bioterrorism incidents
involving the Pentagon. This concern arises because, more than 1 year
after the incident, DOD reiterated that it has the authority to make
medical decisions without collaborating or consulting with other agencies.
DOD also has not ensured, among other things, that its mail facilities (1)
have the required mail security plans and (2) are appropriately using
biosafety cabinets for screening mail.
*** End of document. ***