Mail Security: Incidents at DOD Mail Facilities Exposed Problems
That Require Further Actions (15-SEP-06, GAO-06-757).
In March 2005, two well-publicized and nearly simultaneous
incidents involving the suspicion of anthrax took place in the
Washington, D.C., area. The incidents occurred at Department of
Defense (DOD) mail facilities at the Pentagon and at a commercial
office complex (Skyline Complex). While these incidents were
false alarms, DOD and other federal and local agencies responded.
The Postal Service suspended operations at two of its facilities
and over a thousand DOD and Postal Service employees were given
antibiotics as a precaution against their possible exposure to
anthrax. This report describes (1) what occurred at the Pentagon
and Skyline Complex mail facilities, (2) the problems we
identified in detecting and responding to the incidents, (3) the
actions taken by DOD that address the problems that occurred, and
(4) the extent to which DOD's actions address the problems.
-------------------------Indexing Terms-------------------------
REPORTNUM: GAO-06-757
ACCNO: A60984
TITLE: Mail Security: Incidents at DOD Mail Facilities Exposed
Problems That Require Further Actions
DATE: 09/15/2006
SUBJECT: Anthrax
Bioterrorism preparedness and response
program
Emergency preparedness
Emergency response
Emergency response plans
Facility security
National response plan
Policy evaluation
Postal facilities
Postal service
Public health
Strategic planning
Mail processing operations
National Incident Management System
National Response Plan
******************************************************************
** This file contains an ASCII representation of the text of a **
** GAO Product. **
** **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced. Tables are included, but **
** may not resemble those in the printed version. **
** **
** Please see the PDF (Portable Document Format) file, when **
** available, for a complete electronic file of the printed **
** document's contents. **
** **
******************************************************************
GAO-06-757
* Results in Brief
* Background
* What Is Anthrax and Why Is It a Concern?
* How Is Anthrax Detected?
* What Is the Federal Framework for Responses Involving the Su
* What Federal Requirements Exist for Agencies to Follow?
* How Did the Pentagon and Skyline Complex Process Mail in Mar
* Each of the Incidents Presented a Different Situation and Re
* The Pentagon Incident Was Triggered from Tests Indicating th
* The Skyline Complex Incident Resulted from an Alarm on Equip
* The Incidents Also Affected Postal Service Employees and Ope
* Problems Encountered Reflect Both a Failure to Follow Existi
* At the Pentagon, the Mail-Screening Contract Provisions and
* The Pentagon's Mail-Screening Contract Provision for Testing
* At the Skyline Complex, Basic Response Procedures Were Inade
* DOD Did Not Fully Follow the Federal Framework for Coordinat
* DOD Took Numerous Actions That Address Problems Related to t
* At the Pentagon, Some Actions Were Already Under Way, While
* DOD Took Other Actions That Address Problems at the Skyline
* DOD's Actions Do Not Fully Resolve Identified Problems
* DOD's Adherence to NRP and NIMS Interagency Coordination Pro
* DOD Still Has Not Ensured That Its Mail Facilities Have Revi
* DOD Has Not Ensured That Its Facilities in the National Capi
* Conclusions
* Recommendations for Executive Action
* Agency Comments and Our Evaluation
* Appendix I: Scope and Methodology
* Appendix II: Comments from the Department of Defense
* Appendix III: Comments from the General Services Administrat
* Appendix IV: GAO Contact and Staff Acknowledgments
* GAO Contact
* Staff Acknowledgments
* Order by Mail or Phone
Report to the Committee on Homeland Security and Governmental Affairs,
U.S. Senate
United States Government Accountability Office
GAO
September 2006
MAIL SECURITY
Incidents at DOD Mail Facilities Exposed Problems That Require Further
Actions
GAO-06-757
Contents
Letter 1
Results in Brief 2
Background 7
Each of the Incidents Presented a Different Situation and Response and
Occurred over Several Days 13
Problems Encountered Reflect Both a Failure to Follow Existing Contract
Provisions and Procedures and a Lack of Procedures and Plans 21
DOD Took Numerous Actions That Address Problems Related to the Incidents
30
DOD's Actions Do Not Fully Resolve Identified Problems 40
Conclusions 41
Recommendations for Executive Action 42
Agency Comments and Our Evaluation 42
Appendix I Scope and Methodology 45
Appendix II Comments from the Department of Defense 49
Appendix III Comments from the General Services Administration 52
Appendix IV GAO Contact and Staff Acknowledgments 54
Tables
Table 1: Selected Agency Actions Specified in NRP's Biological Incident
Annex 9
Table 2: Key Changes in the Pentagon's Mail-Screening Contract Provisions
and Draft Mail-Screening Procedures 33
Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft
Procedures 34
Figures
Figure 1: Chronology of Key Actions and Organizations Involved at Pentagon
and Skyline Complex 14
Figure 2: DOD's Draft Procedures for Positive Test Results from the
Pentagon's On-Site Chemical-Biological Laboratory 36
Abbreviations
CBI Commonwealth Biotechnologies Incorporated
CDC Centers for Disease Control and Prevention
DHS Department of Homeland Security
DOD Department of Defense
FBI Federal Bureau of Investigation
GSA General Services Administration
HHS Department of Health and Human Services
LRN Laboratory Response Network
MOU memorandum of understanding
NIMS National Incident Management System
NRP National Response Plan
PFPA Pentagon Force Protection Agency
TMA TRICARE Management Activity
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.
United States Government Accountability Office
Washington, DC 20548
September 15, 2006 September 15, 2006
The Honorable Susan M. Collins Chairman The Honorable Joseph I. Lieberman
Ranking Minority Member Committee on Homeland Security and Governmental
Affairs United States Senate The Honorable Susan M. Collins Chairman The
Honorable Joseph I. Lieberman Ranking Minority Member Committee on
Homeland Security and Governmental Affairs United States Senate
Since the fall of 2001, when five persons, including two U.S. Postal
Service employees, died from exposure to anthrax-contaminated mail
delivered through the U.S. mail system, the nation has been acutely aware
of the danger of bioterrorism using anthrax and other potentially fatal
bacteria. The frequency of incidents involving suspicious packages or
powder spills has increased dramatically since that time, due in part to
hoaxes and concerns about leakages from mail that had previously been
routinely handled. Concerns about anthrax in the mail have led federal
agencies to establish mail-screening operations, including tests for
anthrax, that have often resulted in false alarms. Since the fall of 2001,
when five persons, including two U.S. Postal Service employees, died from
exposure to anthrax-contaminated mail delivered through the U.S. mail
system, the nation has been acutely aware of the danger of bioterrorism
using anthrax and other potentially fatal bacteria. The frequency of
incidents involving suspicious packages or powder spills has increased
dramatically since that time, due in part to hoaxes and concerns about
leakages from mail that had previously been routinely handled. Concerns
about anthrax in the mail have led federal agencies to establish
mail-screening operations, including tests for anthrax, that have often
resulted in false alarms.
In March 2005, two well-publicized and nearly simultaneous incidents took
place in the greater Washington, D.C., area. The incidents occurred at a
Department of Defense (DOD) mail facility at the Pentagon, a building of
national military significance located in Arlington County, Virginia, and
another DOD mail facility in a commercial office complex (Skyline
Complex), located about 5 miles away in Fairfax County, Virginia.11 While
these incidents ultimately proved to be false alarms, DOD as well as other
federal and local response agencies responded to the incidents. In the
days that elapsed before authorities concluded that anthrax was not
present in the mail or in the facilities, the Postal Service had suspended
operations at two of its facilities, and over a thousand DOD and Postal
Service employees had been given antibiotics as a precaution against their
possible exposure to anthrax. In March 2005, two well-publicized and
nearly simultaneous incidents took place in the greater Washington, D.C.,
area. The incidents occurred at a Department of Defense (DOD) mail
facility at the Pentagon, a building of national military significance
located in Arlington County, Virginia, and another DOD mail facility in a
commercial office complex (Skyline Complex), located about 5 miles away in
Fairfax County, Virginia. While these incidents ultimately proved to be
false alarms, DOD as well as other federal and local response agencies
responded to the incidents. In the days that elapsed before authorities
concluded that anthrax was not present in the mail or in the facilities,
the Postal Service had suspended operations at two of its facilities, and
over a thousand DOD and Postal Service employees had been given
antibiotics as a precaution against their possible exposure to anthrax.
1A third incident occurred at a DOD mail facility at the Bolling Air Force
Base in Washington, D.C. That incident-also a false alarm-was not
connected to the Pentagon and Skyline Complex incidents and, therefore, is
not discussed in this report.
You asked us to examine the response to the two March 2005 incidents.
Specifically, this report addresses the following four questions:
o What occurred at the Pentagon and Skyline Complex mail
facilities?
o What problems occurred in detecting and responding to these
incidents, and why?
o What actions have been taken by DOD that address the problems
that occurred?
o To what extent do these actions address the problems that
occurred?
To address these questions, we analyzed, among other things,
pertinent after-action reports, incident timelines, the contract
for mail-screening services at the Pentagon, mail-screening
procedures, federal mail management and other applicable
regulations and guidance, and the federal framework for responding
to biological incidents. We compared whether the actions taken by
DOD, its mail-screening contractor at the Pentagon, and employees
at the Skyline Complex were in accordance with, among other
things, the existing contract provisions, mail-screening
procedures, federal regulations and guidance, DOD's mail manual,
and the federal framework for responding to biological incidents.
We interviewed a wide range of federal and local officials
involved in the response to the two incidents. We also interviewed
personnel from the Pentagon's mail-screening contractor to obtain
their perspective on what occurred at the Pentagon. We analyzed
current procedures at the Pentagon related to detecting and
responding to biological agents. To assist in our analyses, we
reviewed previous GAO work regarding anthrax incidents, pertinent
literature and previous GAO work on internal controls, guidance
prepared by the Centers for Disease Control and Prevention (CDC)
for responding to the detection of anthrax in the workplace, and
regulations and guidance issued by the General Services
Administration (GSA) on mail security and responding to biological
threats in the mail. We performed our work from June 2005 to
August 2006 in accordance with generally accepted government
auditing standards. Further details about our scope and
methodology appear in appendix I.
Results in Brief
Each of the incidents at the two mail facilities presented a
different situation and response. Events leading up to the
Pentagon incident began when a laboratory that tested samples from
the Pentagon's mail-screening equipment informed DOD's
mail-screening contractor on Friday afternoon, March 11, that one
of its tests of the previous day's mail was positive for anthrax.
By the time the mail-screening contractor notified DOD on Monday
morning, March 14, about the results of Friday's test result and
that additional testing of the sample over the weekend was also
positive for anthrax, mail suspected of containing anthrax had
already been released, picked up, and distributed throughout the
Pentagon. While DOD officials responded by evacuating the
Pentagon's mail-screening and remote delivery facilities,
notifying numerous federal and local agencies, and dispensing
antibiotics to hundreds of employees-including recipients of the
mail that morning-officials from the Federal Bureau of
Investigation (FBI) initially suspected a false alarm based on the
totality of the evidence. The incident at the Skyline Complex
began on Monday afternoon, March 14, when emergency personnel in
Fairfax County, Virginia, responded to a 911 call placed by a
Skyline employee that an alarm had sounded on a biosafety cabinet
used to screen mail, including mail that had been picked up
earlier that day from the Pentagon. Fairfax County responders
closed the Skyline Complex, shut off elevators and the
air-handling system, decontaminated potentially exposed employees,
and tested the facility for anthrax contamination. The following
day, DOD also dispensed antibiotics to potentially exposed
employees at the Skyline Complex. The response to the incidents
also affected the Postal Service's employees and operations. When
Postal Service officials learned about the incidents, they
immediately (1) suspended operations at two facilities that
process mail to the Pentagon and conducted environmental testing
at the facilities and (2) began dispensing antibiotics to their
potentially exposed employees. Federal and local officials learned
on Tuesday that the alarm that sounded on the biosafety cabinet
used for mail-screening at the Skyline Complex indicated an
airflow obstruction, not the presence of anthrax. Nevertheless,
testing continued on samples taken from the facilities. The
incidents were believed to be false alarms on Wednesday evening,
March 16, after the interpretation of additional laboratory
testing did not support the preliminary conclusion that the two
facilities may be contaminated with anthrax. Both mail facilities
reopened on Friday morning, March 18. Agency officials involved in
the response believe that the positive tests at the Pentagon could
have been the result of cross contamination in the laboratory.
Analysis of these incidents reveals numerous problems related to
the proper detection and response to anthrax in the mail,
reflecting both a failure to follow existing contract provisions
and procedures and, in some cases, a lack of procedures and plans.
At the Pentagon, DOD's mail-screening contractor did not follow
two key requirements. Specifically, the contractor did not (1)
notify DOD immediately after receiving evidence of possible
contamination of the Pentagon's mail and (2) quarantine the mail
until it received negative results from the laboratory. These
problems were further exacerbated by a provision in DOD's contract
with its mail-screening contractor that did not clearly specify
how samples from the Pentagon were to be tested. The lack of
clarity resulted in the use of a laboratory whose testing methods
were unknown and whose results were questioned. At the Skyline
Complex mail facility, basic procedures for responding to
biohazards and other emergencies were inadequate or absent
altogether resulting in (1) employees not knowing how to properly
respond to the alarm on the equipment used for mail-screening, (2)
employees and first responders not knowing about the equipment's
limitations, and (3) employees being uncertain about whom to
contact during a potential emergency. Additionally, DOD did not
ensure that the Skyline Complex mail facility had developed a mail
security plan or that it had been reviewed, as required, by a
competent authority within DOD. The federal framework developed to
help ensure effective decision making through a coordinated
response-the National Response Plan and the National Incident
Management System-was not fully followed. Instead of coordinating
its actions with others-such as the Department of Health and Human
Services (HHS), the primary federal agency responsible for a
public health response to bioterrorism-DOD unilaterally decided to
provide medication to its employees before having appropriate
confirmation of laboratory test results. According to DOD
officials, because the incident occurred at the Pentagon, they did
not believe that the protocols in the National Response Plan
applied. In addition, they said that they had the medical
authority, experience, and resources to act on their own. While
the NRP does not repeal DOD's medical authorities, making
decisions without coordinating with other agencies is
fundamentally at odds with the protocols specified in the National
Response Plan and National Incident Management System. If DOD had
fully coordinated with federal and local agencies as the framework
prescribes, concerns such as the validity of test results could
have been discussed and the provision of unnecessary medicine to
most of the DOD employees (mail recipients and others who, in our
view, would not likely have been exposed until after the mail's
release from quarantine on Monday, March 14) may have been
avoided.
DOD has taken numerous actions that address problems related to
the two incidents. Some actions, such as modernizing the
Pentagon's mail-screening facility and changing the laboratory
used to test daily samples, were under way prior to the incidents,
but many others were taken in direct response to the incidents. At
the Pentagon, for example, DOD selected a new mail-screening
contractor, strengthened the new contract, and developed new mail
inspection procedures. While still in draft form, the procedures
are currently being used and require, among other things,
verification of negative test results by multiple officials before
quarantined mail is released. The establishment of stringent
control mechanisms is likely to prevent future premature releases
of potentially contaminated mail. DOD also drafted new
notification procedures-which are also being used-for reporting
positive test results to internal and external parties. The draft
procedures are intended to improve the way DOD communicates to
federal and local agencies during incidents. In addition, DOD is
developing a new policy to define the roles and responsibilities
of senior DOD leadership-including those involved in making
medical treatment decisions-during incidents at the Pentagon. DOD
also took actions to address problems related to the Skyline
Complex incident. For example, DOD gathered some information about
mail-screening operations in its facilities in the Washington,
D.C., area and issued a directive prohibiting DOD mail facilities
in leased space within the Washington, D.C., area from using
equipment, including biosafety cabinets, to screen mail unless the
equipment is being operated within the context of a comprehensive
mail-screening program. Such a program includes the use of (1)
trained mail screeners to sample equipment for biological agents
and (2) an approved laboratory for analyzing the samples.
Although DOD has made significant progress in addressing the
problems related to the two incidents, its actions do not fully
resolve the problems that arose. One remaining and overarching
concern involves whether, despite its actions, DOD will adhere to
the interagency coordination protocols in the National Response
Plan and National Incident Management System-as it has agreed-or,
instead, revert to the isolated decision-making approach it used
at the Pentagon. While DOD is aligning its procedures to these
interagency coordination protocols, in April 2006, a senior health
official reiterated that DOD has the authority to make final
decisions on medical treatment at the Pentagon without
collaboration or consultation with other agencies-including HHS,
which under the National Response Plan is the primary federal
agency responsible for coordinating a public health response
involving an actual or potential biological terrorist attack. More
than 1 year later, DOD also has not developed a mail security plan
for the Skyline Complex mail facility. More importantly, it is not
known whether other DOD facilities also lack a plan because DOD
does not have a process for certifying the existence of mail
security plans and verifying that the plans have been reviewed by
a competent authority. Finally, although DOD prohibits the use of
mail-screening equipment, including biosafety cabinets, in
DOD-leased facilities in the Washington, D.C., area unless the
equipment is being operated within the context of a comprehensive
mail-screening program, at the completion of our review, DOD still
had not determined whether other biosafety cabinets are being used
in the Washington, D.C., area or the conditions under which the
equipment is being operated.
We are making several recommendations to help improve the
effectiveness of future DOD responses involving the suspicion of
anthrax in the mail. Specifically, we recommend that the Secretary
of Defense ensure that (1) any future medical decisions reached
during potential or actual acts of bioterrorism at the Pentagon
result from the participatory decision-making framework in the
National Response Plan and the National Incident Management
System, (2) appropriate officials at all of DOD's mail rooms
develop effective mail security plans, (3) a competent DOD
authority conducts an annual review of the plans' adequacy, and
(4) any biosafety cabinets in use in DOD mail facilities in leased
space in the Washington, D.C., area are being operated within the
context of a comprehensive mail-screening program.
We requested comments on a draft of this report from DOD, GSA, the
Department of Justice, HHS, the Department of Homeland Security
(DHS), and the Postal Service. Two of these agencies-DOD and
GSA-provided written comments. DOD agreed with three of our four
recommendations, indicating that it either was implementing, or
intended to immediately implement, actions to address these
recommendations.2 However, DOD only partially agreed with our
remaining recommendation. We retained this recommendation to
ensure that DOD's future approach to making medical decisions
during bioterrorism incidents occur within the participatory
federal framework. GSA's written comments clarified federal
requirements related to the annual review of mail security plans.
DOD's and GSA's comments are reprinted in appendixes II and III,
respectively. DOD, the FBI (on behalf of the Department of
Justice), CDC (on behalf of HHS), and the Postal Service provided
technical comments, which we incorporated, as appropriate. DHS did
not provide comments.
What Is Anthrax and Why Is It a Concern?
Anthrax is an acute infectious disease caused by the spore-forming
bacterium Bacillus anthracis. The anthrax bacterium is commonly
found in the soil and forms spores (like seeds) that can remain
dormant in the environment for many years. Human anthrax
infections are rare in the United States and are usually the
result of occupational exposure to infected animals or
contaminated animal products, such as wool, hides, or hair.
Although infection in humans is rare, a person can die if airborne
anthrax spores are inhaled into the lungs. Once airborne, there is
greater possibility that the spores will be inhaled. Medical
experts believe that symptoms of inhalation anthrax (sore throat,
muscle aches, and mild fever) typically appear within 4 to 6 days
of exposure, depending on how the disease is contracted. While
anthrax is potentially fatal, individuals who are exposed to
anthrax spores will not necessarily develop the disease.
Inhalation anthrax can be treated with antibacterial drugs, but
medical treatment does not necessarily ensure recovery. Anthrax is
not contagious.
Anthrax is a potential terrorist weapon because, if refined and
introduced into letters and packages, anthrax spores can be
released into the air as letters are processed or opened. The use
of the mail as a vehicle for transmitting anthrax threatens the
nation's mail stream and places the American public and federal
employees at risk. This is what occurred in 2001, when letters
containing anthrax contaminated at least 23 Postal Service
facilities and killed five of 22 individuals diagnosed with
anthrax, including two Postal Service employees.3 Anthrax spores
can be killed, however, through a process known as irradiation,
which renders anthrax in the mail harmless for humans.
How Is Anthrax Detected?
Detecting anthrax involves many types of activities, including
o developing a sampling strategy for deciding how many samples to
collect, where to collect them, and what collection methods to
use;
o collecting samples using, for example, dry or premoistened
swabs;
o transporting samples to laboratories for extraction and
analysis;
o extracting the sample material using specific procedures and
fluids (such as sterile saline or water); and
o analyzing the samples using a variety of methods.4
To provide a coordinated clinical diagnostic testing approach for
detecting anthrax and other bioterrorism threats, CDC, the
Association of Public Health Laboratories, the FBI, and others
collaboratively developed the Laboratory Response Network (LRN) in
1999.5 LRN laboratories (1) perform standard testing methods
specified by CDC to either rule out or confirm the presence of
anthrax and (2) provide public health organizations and others
with rapid test results for use in making public health decisions.
Generating a final test result involves both a presumptive and
confirmatory test. Presumptive tests can be obtained within 2
hours and are considered "actionable" from a public health
perspective. According to CDC, antibiotic medical treatment is
recommended as soon as possible after the LRN has obtained a
presumptive positive test result.6 Confirmatory tests take
longer-generally 24 to 48 hours.
What Is the Federal Framework for Responses Involving the Suspicion
of Anthrax?
The National Response Plan (NRP), which was developed by the
federal government under the leadership of DHS, provides one part
of the coordinated framework for how the United States will
prepare for, respond to, and recover from domestic incidents. The
Secretary of Defense, as well as the heads of 31 other federal
departments and agencies, signed the Letter of Agreement contained
in the NRP, indicating their agreement to abide by the NRP's
incident management protocols. The December 2004 plan includes a
Biological Incident Annex, which specifies actions that agencies
should take when they become aware of a possible threat involving
a biological agent. The annex also identifies the roles and
responsibilities of various agencies that would respond to such an
event. For example, as specified in the annex, HHS is the primary
federal agency for coordinating a public health response involving
an actual or potential biological terrorism attack. Table 1
identifies selected agency actions specified in the NRP's
Biological Incident Annex.
Table 1: Selected Agency Actions Specified in NRP's Biological
Incident Annex
Source: Department of Homeland Security.
The other part of the federal framework is the National Incident
Management System (NIMS), which was released in March 2004. NIMS
is intended to provide a consistent and coordinated nationwide
approach for federal, state, and local governments to work
effectively and efficiently together to prepare for, respond to,
and recover from domestic incidents, including those involving
biological incidents, regardless of their cause, size, and
complexity. NIMS applies to all levels of government, and for the
federal government, including DOD, it is prescriptive. A key
component of NIMS is the incident command system, which is
designed to integrate the communications, personnel, and
procedures of different agencies and levels of government within a
common organizational structure during an emergency. Another key
component of NIMS is the establishment of a joint information
center-with representatives from all affected parties and
jurisdictions-to provide a unified communication message to the
public during emergencies.
What Federal Requirements Exist for Agencies to Follow?
GSA and DOD have requirements for agencies to follow in protecting
employees in mail facilities and ensuring effective mail
operations. For example, GSA's federal mail management regulation
requires7
o every federal agency and agency location with one or more
full-time personnel processing mail to have a written mail
security plan including, among other things, procedures for safe
and secure mail room operations, plans for security training for
mail employees, and plans for annual reviews of the agency's mail
security plan and facility-level mail security plans; and
o large agencies, such as DOD, that spend over $1 million
annually on postage to annually (1) verify that facility-level
mail security plans have been reviewed and (2) report to GSA that
all facility-level mail security plans have been reviewed by a
competent authority within the past year.
GSA also issues guidance and recommendations for effectively
managing mail programs, including recommendations on the content
of mail security plans.8 For example, GSA recommends that agencies
o develop a communication plan for responding to threats that
includes names and phone numbers to call during emergencies;
o establish and maintain partnerships with personnel who respond
to emergencies (first responders); and
o create a program for training employees on how to respond to
biological threats, including refresher training on a regular
basis.
DOD's mail manual, effective December 2001, implements DOD's
mail-related requirements.9 DOD requires its components to comply
with GSA's federal mail management regulation, including the
requirement that each mail center develop a written mail security
plan and have it reviewed annually by a competent authority.
Beyond mail-related requirements, GSA also requires the
highest-ranking federal official of the largest agency in
GSA-controlled (leased) office space to develop an occupant
emergency plan.10 GSA guidance related to this requirement
recommends that the occupant emergency plan describe, among other
matters, critical information about the office space and actions
to be taken during emergencies.
The GAO Comptroller General's Standards for Internal Control in
the Federal Government provides the overall framework for agency
management to establish and maintain effective internal control.11
Establishing effective internal controls is a major part of
managing an organization. Such controls include the plans,
methods, and procedures to be used to meet an organization's
mission, goals, and objectives by, among other things, monitoring
performance, training employees, and ensuring that federal
requirements, such as GSA and DOD mail security requirements, are
followed.
How Did the Pentagon and Skyline Complex Process Mail in March 2005?
The Pentagon receives its mail from the Postal Service as well as
from commercial courier services. The Postal Service irradiates
almost all first-class mail delivered to the Pentagon and other
federal agencies in the Washington, D.C., area, from its
facilities on V Street, N.E. in Washington, D.C. (the V Street
Operation). In March 2005, Pentagon mail was delivered from the V
Street Operation to a mail-screening facility located within the
Pentagon remote delivery facility-a 250,000-square-foot shipping
and receiving facility adjoining the Pentagon. Technicians dressed
in protective gear then screened the mail over a custom-designed
table equipped with four filters intended to capture any particles
that might fall from the mail. The table used a negative airflow
system that was intended to keep microscopic particles from
dispersing back into the mail-screening facility.
At the time of the March 2005 incident at the Pentagon, employees
of Vistronix Incorporated (Vistronix)-the Pentagon's
mail-screening contractor-collected and sent daily samples from
each of the four filters to Commonwealth Biotechnologies
Incorporated (CBI)-a private laboratory in Richmond, Virginia.
Vistronix subcontracted the daily testing of the Pentagon's mail
to CBI. The opened mail was then shrink-wrapped and quarantined in
a secure room until CBI notified Vistronix of negative test
results by either fax or e-mail. Upon receipt of negative test
results, a Vistronix employee released the mail from quarantine.
Once released from quarantine, mail employees placed the mail into
mailboxes at the Defense Post Office, where it awaited pickup by
Pentagon employees.
The TRICARE Management Activity (TMA) mail room at the Skyline
Complex received and processed mail differently from the
Pentagon.12 It received a small amount of its mail from the
Pentagon, but most of its mail came from a Postal Service facility
in Merrifield, Virginia, according to a TMA mail room official.
The TMA mail room had a biosafety cabinet, an X-ray machine, and
two full-time employees. The biosafety cabinet had a negative
airflow system with filters for capturing and holding any
particles that fell from envelopes or packages being opened. While
the cabinet was used for mail screening, it was not capable of
detecting anthrax.
Each of the Incidents Presented a Different Situation and Response
and Occurred over Several Days
The two incidents involving the suspicion of anthrax occurred over
several days, but the most significant actions occurred the same
day-Monday, March 14, 2005. The Pentagon incident occurred first
and was the result of positive test results for anthrax in the
mail. The Skyline Complex incident occurred later that day when an
alarm sounded on the biosafety cabinet that employees took as a
sign that contaminated mail had been passed from the Pentagon to
the Skyline Complex.13 Combined, the incidents set in motion a
large-scale response that also affected Postal Service employees
and operations. The response ended a few days later, when further
testing confirmed that anthrax was not present at either DOD
facility or in the mail. Figure 1 shows a chronology of the key
actions and organizations involved in the two incidents. The
discussion that follows explains each incident in turn.
2The Office of the Administrative Assistant to the Secretary of the
Army-the organization responsible for managing DOD's mail-also reviewed
the draft report and concurred "without comment."
Background
What Is Anthrax and Why Is It a Concern?
3We have issued a number of reports on the response to these incidents.
See, for example, GAO, U.S. Postal Service: Better Guidance Is Needed to
Ensure an Appropriate Response to Anthrax Contamination, GAO-04-239
(Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health Response to
Anthrax Incidents of 2001, GAO-04-152 (Washington, D.C.: Oct. 15, 2003);
and U.S. Postal Service: Better Guidance Is Needed to Improve
Communication Should Anthrax Contamination Occur in the Future, GAO-03-316
(Washington, D.C.: Apr. 7, 2003).
How Is Anthrax Detected?
What Is the Federal Framework for Responses Involving the Suspicion of Anthrax?
4See GAO, Anthrax Detection: Agencies Need to Validate Sampling Activities
in Order to Increase Confidence in Negative Results, GAO-05-251
(Washington, D.C.: Mar. 31, 2005).
5In March 2005, LRN consisted of 147 laboratories that, according to CDC,
had demonstrated the ability to meet and maintain CDC's testing standards.
6Medical treatment, as used in this report, means administering
postexposure prophylaxis to exposed individuals.
Response actions to be taken by agencies
The Department of Justice is to be notified through the FBI's Weapons of
Mass Destruction Operations Unit.
The FBI, in turn, is to immediately notify DHS's Homeland Security
Operations Center and the National Counterterrorism Center under the
direction of the Director of National Intelligence.
The LRN is to be used to test samples for the presence of biological
threat agents.
The FBI, in conjunction with HHS, is to make decisions on where to perform
additional tests on samples. The FBI is to lead criminal investigations of
terrorist acts or threats.
Once notified of a credible threat, HHS is to convene an interagency
meeting to assess the situation and determine the appropriate public
health response. HHS is to coordinate the overall public health response
efforts across all federal departments and agencies.
DHS is to coordinate the overall nonmedical response actions across all
federal departments and agencies.
What Federal Requirements Exist for Agencies to Follow?
7GSA issues regulations under the authority of the Federal Records
Management Amendments of 1976 (Section 2 of Public Law 94-575, 44 U.S.C.
2901-2904), which requires the GSA Administrator-the executive head of
GSA-to provide assistance to federal agencies on records management,
including the processing of mail. See 41 CFR Parts 101-9 and 102-192.
8GSA, Mail Communications Policy Office, Mail Center Security Guide, 3rd
edition (Washington, D.C., 2004); and National Guidelines for Assessing
and Managing Biological Threats in Federal Mail Facilities (Washington,
D.C., Dec. 29, 2003).
9DOD's requirements are described in the DOD Instruction 4525.8 and DOD
Manual 4525.8M, effective December 2001.
How Did the Pentagon and Skyline Complex Process Mail in March 2005?
10This requirement is contained in GSA's regulations for managing
property. See 41 CFR Sec. 102-74.230.
11GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21 .3.1 (Washington, D.C.: November 1999).
12TMA provides administrative support to DOD's civilian health and medical
program for the uniformed services.
Each of the Incidents Presented a Different Situation and Response and Occurred
over Several Days
13A portion of TMA's mail destined for the Skyline Complex is screened at
the Pentagon and picked up from an office inside the Pentagon.
Figure 1: Chronology of Key Actions and Organizations Involved at Pentagon
and Skyline Complex
The Pentagon Incident Was Triggered from Tests Indicating the Presence of
Anthrax
Events leading up to the Pentagon incident began on Thursday afternoon,
March 10, 2005. After screening the mail in a facility at the Pentagon
remote delivery facility, Vistronix employees routinely collected swab
samples from four filters and sent them to CBI for analysis. According to
Vistronix's account of events associated with the incident, about 4:00
p.m. on Friday afternoon, March 11, a representative from CBI informed the
Vistronix Director that one of four swab samples collected and tested from
Thursday's mail was positive for anthrax. The Director requested the
laboratory to conduct additional testing over the weekend but did not
notify Defense Post Office officials of the initial positive test results.
On Monday morning, March 14, at about 6:00 a.m., the Vistronix Director
informed a member of his staff (the site supervisor) that while additional
laboratory results for Thursday's mail had not yet been received, test
results for Wednesday's mail were negative, and, therefore, Wednesday's
mail was cleared for release. The site supervisor misunderstood the
conversation, incorrectly concluding that mail from both days could be
released from quarantine, and, consequently, he called his staff to
release the mail. At about 6:30 a.m., Thursday's mail was released, and,
shortly thereafter, employees of the Defense Post Office began processing
the mail for distribution. According to Vistronix, at about 9:10 a.m., the
laboratory notified Vistronix that additional testing of Thursday's swab
sample was also positive. By the time Vistronix notified a Defense Post
Office official of the second test result at about 9:25 a.m., an
unspecified amount of the mail suspected of containing anthrax had already
been picked up and distributed throughout the Pentagon.
These developments initiated a wide-ranging response. At about 10:15 a.m.,
a Defense Post Office official notified the Pentagon Force Protection
Agency (PFPA)-the law enforcement agency responsible for protecting
people, facilities, and infrastructure on the Pentagon Reservation.14 In
the 2 hours that followed, PFPA
o shut down the Pentagon remote delivery facility,
o coordinated with mail officials to identify possible recipients
of Thursday's mail,
o secured the perimeter around the remote delivery facility with
the help of antiterrorism units, and
o evacuated the majority of the employees from the remote
delivery facility to the Pentagon's former child development
center.15
PFPA continued to lead the response in the hours that followed.
The Arlington County Emergency Communications Center sent
emergency personnel to the scene after it was notified through
official channels at about 10:37 a.m. Emergency personnel
typically take charge of incidents when the affected individuals
have immediate medical needs. However, when they arrived, they
said none of the employees appeared to have symptoms of illness.
As a result, PFPA and Arlington County agreed that PFPA would
continue to lead the response. According to a DOD timeline of the
incident, DOD also attempted to notify the following federal and
local offices:
o 12:10 p.m.: First broadcast message sent to local public safety
and emergency management response agencies.
o 12:15 p.m.: FBI's Washington Field Office and the Weapons of
Mass Destructions Operations Unit at FBI Headquarters.
o 12:30 p.m.: Office of the Postmaster General-the executive head
of the Postal Service .
o 12:40 p.m.: Department of Homeland Security's Operations
Center.
When FBI staff arrived on the scene at about 1:00 p.m., they began
to assess the incident's credibility. According to FBI officials,
the totality of the initial evidence suggested a false alarm.
First, only one of the four swab samples collected and tested from
the filters on Thursday was positive for anthrax. If an actual
incident had occurred, FBI officials said, it would have been
reasonable to expect that all four samples would have been
contaminated because, based on experience gained during the fall
of 2001 anthrax attacks, once airborne, anthrax spores disperse
over a wide area. In addition, tests conducted on Friday's mail
were negative. FBI officials said that if anthrax had contaminated
Thursday's mail, it would likely have contaminated the entire
mail-screening facility, leaving residual spores that also would
have been detected in the samples taken from Friday's mail. While
suspicious of a false alarm, the FBI declared the Pentagon remote
delivery facility a crime scene based on the evolving response of
other agencies and the need to further assess the evidence.
During the afternoon hours, two DOD Health Affairs officials
responsible for responding to medical issues on the Pentagon
Reservation-the Commander of the DiLorenzo TRICARE Health Clinic
and DOD's Assistant Secretary for Health Affairs-began providing
medical treatment to (1) employees working at the remote delivery
facility where the mail-screening facility was located, (2)
Pentagon mail recipients, and (3) the mail-screening technicians.
DOD health officials estimate that, in total, they dispensed an
initial 3-day course of antibiotics to about 889 potentially
affected employees. According to the officials involved, their
decision to immediately dispense antibiotics as a precautionary
measure was based on the laboratory's positive test results and
their experiences gained in the fall of 2001. DOD's Assistant
Secretary for Health Affairs told us that at about 1:00 p.m., he
conferred with the CDC Director about DOD's medical decision, and
that she agreed with the decision. According to the CDC Director,
the call was made to inform her about the decision that DOD had
already reached. The Director of CDC said that even if the purpose
of the call had been to seek her advice on medical treatment
options, she could not have offered a medical opinion because of
insufficient information, especially with respect to the
reliability of the laboratory's test results. She stressed the
need for clear, accurate, and understandable information for
making decisions about medical treatment. Such information, she
said, is typically developed collaboratively with all appropriate
parties involved. After the conversation, she said she contacted
the CDC operations center that handles such incidents to ensure
that appropriate CDC personnel were aware of the incident. While
HHS is the primary agency responsible for a public health
response, according to an HHS official, the CDC operations
center-not DOD-subsequently contacted the HHS operations center.
As officials from additional federal agencies became aware of the
incident, several interagency conference calls were held. The
first of these calls was convened by HHS officials at about 5:00
p.m.16 Officials from HHS said the purpose of the conference call
was to obtain a basic understanding of what had occurred at the
Pentagon (and at the Skyline Complex, where the second incident
had already begun), so that decisions could be made on how to
respond appropriately. According to HHS and DHS officials,
decision makers needed answers to such questions as what analysis
had been done, what procedures had been used by the contract
laboratory, and how the Pentagon samples had been collected.
Obtaining such information was critical to determining whether
people had been exposed to anthrax, whether the two incidents were
linked, and what the appropriate response should be. However,
according to DHS and HHS officials, DOD could not adequately
answer these and other questions.
On Monday afternoon, DOD took the samples from CBI for analysis to
Fort Detrick, located in Frederick, Maryland-the site of two key
federal laboratories.17 The samples arrived at about 5:30 p.m.
Over the next few days, the laboratories at Fort Detrick conducted
numerous tests of the Pentagon's samples as well as environmental
samples taken from the Pentagon. Late Wednesday evening, results
of additional testing indicated that anthrax was not present in
samples collected from the Pentagon's mail-screening facility.
Agency officials involved in the response believe that the initial
positive test result could have been caused by cross contamination
at CBI. The facility reopened on Friday, March 18.
The Skyline Complex Incident Resulted from an Alarm on Equipment Used
for Mail Screening
The incident at the Skyline Complex began several hours after the
Pentagon incident began. At about 10:00 a.m., a TMA employee
picked up mail from the Pentagon and, by 11:30 a.m., had
distributed some of the mail within the Skyline Complex-a large
office complex of privately owned buildings in Fairfax County,
Virginia.18 According to officials at the Skyline Complex, an
employee received an urgent telephone call around noon indicating
an unspecified problem with the Pentagon's mail and directing that
any mail from the Pentagon be retrieved. The caller did not
provide any further explanation, according to the official. TMA
mail room employees retrieved the mail they had already delivered,
emptied mailboxes, and placed some of the mail in trash bags.
About 1:00 p.m., a TMA mail room employee was screening other mail
from the Pentagon using the biosafety cabinet when the cabinet's
alarm sounded. According to mail room employees, they made several
unsuccessful attempts to telephone the manufacturer and the
maintenance contractors for help. In addition, DOD's manager of
the complex told us that she called PFPA for guidance on how the
cabinet operated, but the PFPA official was not aware of the type
of equipment in use at the complex, and consequently, he was not
able to tell her what to do.19 Finally, at 2:09 p.m., a Skyline
employee called the Fairfax County 911 emergency line.
Fairfax County emergency responders (fire, police, public health,
and hazardous material units) arrived on the scene shortly
thereafter. They led the incident over the next few hours and took
several actions, including
o closing the Skyline Complex and securing its exits,
o shutting off its elevators and air-handling systems,
o developing and providing health information to occupants,
o collecting contact information from the occupants,
o decontaminating some employees who were sheltering in place,
and
o obtaining and testing environmental samples from the complex
and attempting to remove filters from the biosafety cabinet in
order to perform additional tests.20
According to Fairfax County responders, they attempted to hold all
occupants within the Skyline Complex because they anticipated
receiving results of environmental testing Monday afternoon. They
explained that having the complex occupants together would help
them provide information to the occupants and coordinate any
further responses that may be necessitated by the results of the
environmental testing. Test results were delayed, however, and the
majority of the Skyline Complex employees began to be released.
Just prior to this, at about 7:30 p.m., Fairfax County responders
began decontaminating 45 of the complex's employees who were
believed to be at high risk for exposure to anthrax. The initial
environmental test results-available on Tuesday-were inconclusive
and, as a result, Fairfax County and FBI responders collected
additional environmental samples for analysis at Fort Detrick. On
Tuesday afternoon, DOD dispensed antibiotics to the 45 high-risk
employees. This incident began to de-escalate on Tuesday evening
as officials learned that the alarm that sounded on the biosafety
cabinet used for mail screening indicated only an airflow
obstruction, not the presence of anthrax. By Wednesday evening,
laboratory results from environmental samples indicated that
anthrax was not present at TMA's mail room in the Skyline Complex.
The majority of the Skyline Complex reopened on Thursday, while
TMA's mail room reopened on Friday morning, March 18.
The Incidents Also Affected Postal Service Employees and Operations
A DOD official called the Postmaster General to inform him of the
Pentagon incident at about 12:30 p.m. on Monday, March 14, 2005,
but neither the Postmaster General nor other Postal Service
executive were available to receive the call. The DOD official
left a voice-mail message, but according to the Postal Service's
Senior Vice President for Government Relations, the message did
not convey any urgency about the potential for anthrax in the
mail. Furthermore, by the time Postal Service officials listened
to the message, they had already heard about the incident through
the local media. At about 5:00 p.m., when Postal Service officials
learned at the first interagency conference call that DOD had
provided antibiotics to Pentagon employees, Postal Service
officials acted quickly to protect their employees who, days
earlier, might have processed the mail. Thus, by Monday evening,
the Postal Service had suspended operations at its V Street
Operation and had immediately begun dispensing antibiotics to its
employees. In total, over 160 Postal Service employees were
treated for their possible exposure to anthrax. On Tuesday, March
15, the CDC's National Institute for Occupational Safety and
Health provided technical assistance to the Postal Service in
designing an environmental testing strategy for the V Street
Operation.21 By Wednesday morning, March 16, results from
environmental testing of the V Street Operation were negative for
anthrax. The Postal Service reopened the V Street Operation in the
afternoon.
Problems Encountered Reflect Both a Failure to Follow Existing
Contract Provisions and Procedures and a Lack of Procedures and Plans
DOD encountered numerous problems during the two March 2005
incidents. At the Pentagon, these problems primarily involved not
following required mail-screening contract provisions and
procedures. The failure to follow these requirements resulted in,
among other things, the premature release of the potentially
contaminated mail that caused the incident at the Pentagon. In
addition, the Pentagon's contract for mail screening lacked a
clear provision specifying required testing methods, which
resulted in the use of a laboratory whose testing methods were
unknown and whose results were not actionable-this, in turn,
exacerbated the incident at the Pentagon. At the Skyline Complex
mail facility, problems were even more basic, in that required
procedures and plans for responding to biohazards and other
emergencies were inadequate or absent altogether. Further, at the
Pentagon, the federal framework developed to, among other things,
help ensure more effective decision making through the coordinated
response of all affected parties and decision makers was not fully
followed. If the framework had been fully followed, decisions
regarding medical treatment of DOD and Postal Service employees
may have been improved.
At the Pentagon, the Mail-Screening Contract Provisions and Procedures
Were Not Followed
Vistronix did not follow contract provisions and mail inspection
procedures related to the detection and response to potential
biohazard emergencies involving the Pentagon's mail. The
contractor developed procedures for implementing the contract's
mail-screening requirements, which described the process by which
mail entering the Pentagon would be inspected, tested,
quarantined, and released. DOD approved the procedures, but the
contractor failed to follow two key requirements.
o Mail-screening contractor did not provide timely notification
of potential contamination. Both the contract and the approved
mail inspection procedures provided specific notification
requirements for informing DOD of potential biohazardous
situations involving the Pentagon's mail. The contract required
Vistronix to notify PFPA "immediately" if there were any evidence
of risk or possible contamination of the mail. Similarly, the mail
inspection procedures required PFPA to be contacted (1) within 1
minute of an actual or potential event involving contamination and
(2) when a positive test result occurred "at any point" in the
testing process. The laboratory informed the Vistronix Director
that a sample from Thursday's mail had tested positive for anthrax
on Friday afternoon, March 11. Instead of immediately notifying
PFPA as required, however, the Director asked the laboratory to
conduct additional tests over the weekend. The contractor did not
inform DOD of the suspected mail contamination until after it
received the second positive test result on Monday, March 14-about
2- 1/2 days after the notification should have occurred. According
to the Vistronix Director, he believed the procedures required
them to notify DOD only after a second positive test result. The
contractor's untimely notification created a sense of urgency
within DOD to quickly provide antibiotics to its employees-before
consulting, as specified in the NRP, with other agencies about the
proper medical response.
o Mail-screening contractor did not quarantine mail until it
received negative test results from the laboratory. The contract
required Vistronix to quarantine the mail until receipt of
negative test results. Similarly, the mail inspection procedures
required Vistronix to hold (i.e., "not release for delivery") the
Pentagon's mail until the laboratory had reported negative test
results to Vistronix. The procedures also noted that a positive
result "at any point" necessitates sequestering all potentially
contaminated mail. Vistronix failed to follow these requirements.
Specifically, while the Vistronix Director was aware of an initial
positive test result on Friday, he did not ensure that the mail
remained quarantined until receipt of negative test results from
the laboratory. Instead, miscommunication among Vistronix staff
led to the mail's release several hours before the laboratory
informed Vistronix that its weekend test results were also
positive for anthrax. The premature release of the potentially
contaminated mail resulted in a broad response at the Pentagon,
the Skyline Complex, and the Postal Service's V Street Operation.
The Pentagon�s Mail-Screening Contract Provision for Testing
Samples Was Also Unclear
The testing provision in the mail-screening contract required
Vistronix to test samples from the mail-screening equipment in
accordance with unspecified "CDC guidelines." However, Defense
Post Office officials-including the contracting officer's
representative who had responsibility for overseeing the
contract-told us that they did not identify the specific
guidelines to be used and were unaware that the CDC publishes both
general testing guidelines, which are available in the public
domain, and guidance and protocols for anthrax testing by the LRN,
which are available only to LRN laboratories.22 The officials
explained that even if they had known which guidelines DOD
expected to be followed, they did not have the technical expertise
to determine whether the contract's testing provision was being
followed. Defense Post Office officials further explained that the
contract was awarded quickly in 2001 after the nationwide anthrax
attacks. Their office was tasked with overseeing the contract,
they said, because at that time the office was the "executive
agent for mail in the Pentagon"-not because it had any expertise
or training on these matters.23 According to Defense Post Office
officials, the lack of technical expertise regarding anthrax at
that time contributed to the lack of clarity in the contract's
testing provision. Their lack of expertise also caused them to
conclude that CBI met all CDC and federal guidelines, in part,
because Vistronix had informed DOD that CBI was a certified CDC
laboratory that adhered to CDC guidelines. An independent review
of CBI, the subcontract laboratory, sponsored by DOD and conducted
in April 2005 found that CBI analyzed the Pentagon's samples using
testing methods that differed from CDC's guidance and protocols.
The review also found that Vistronix's contract with CBI did not
require the laboratory to verify its testing methods. By March
2005, DOD and Vistronix had had 3- 1/2 years to specify its
testing requirements for the contract. An unclear contracting
provision, combined with the lack of oversight by both DOD and
Vistronix, resulted in the use of a laboratory whose testing
methods were unknown and whose results were not actionable. The
effect of these events was evident when DOD officials could not
adequately explain to other agency officials what (1) tests CBI
had conducted, (2) methods CBI had used, and (3) the results
meant. DOD's inability to provide adequate answers to these and
other crucial questions exacerbated the incident at the Pentagon
and slowed the response since officials from other agencies were
skeptical of the laboratory's results.
At the Skyline Complex, Basic Response Procedures Were Inadequate
or Absent Altogether
At the Skyline Complex, basic procedures for responding to a
biohazardous incident were inadequate or absent for the TMA mail
facility in the Skyline Complex. The following three key elements
were either inadequate or absent.
o First, TMA did not ensure that mail room procedures addressed
what to do, or whom to notify, when the equipment alarm sounded or
that employees were properly trained on the equipment. TMA is
responsible for ensuring that adequate procedures are in place and
effective training occurs, so that employees can perform their
duties competently. Although some procedures were in place at the
Skyline Complex, they did not address the capabilities of the
biosafety cabinet or what to do if the alarm on the equipment
sounded. At the time of the incident, the mail room's procedures
provided, among other things, (1) basic instructions for using the
biosafety cabinet, including how to turn the machine on and off
and how to open the mail, and (2) information about whom to notify
when a suspicious package was discovered. The procedures did not
address what the biosafety cabinet did, how it worked, or how to
respond to its built-in alarm. The TMA mail manager noted that
training on the biosafety cabinet had occurred when the machine
was purchased in 2001, but no subsequent training had been
conducted.24 In the meantime, he said, staff turnover and the
absence of additional training had led to a lack of understanding
about the equipment's capabilities. In addition, while the
procedures specified whom to call if suspicious mail is
discovered, the procedures did not address whom to contact when
the equipment's alarm sounded.25 If procedures were adequate and
periodic training had occurred, employees would likely have known
that, although the equipment had a negative airflow system with
filters for capturing and holding any particles that fell from
envelopes or packages being opened within the equipment, it did
not detect biohazards and its alarm sounded only to indicate an
airflow obstruction. Instead, in conjunction with the phone call
indicating an unspecified problem with the Pentagon's mail, mail
room employees assumed the alarm was signaling the presence of
biohazards in the mail. Because TMA employees lacked adequate
information and training on the equipment, they unnecessarily
contacted first responders.
o Second, neither TMA nor DOD ensured that the required mail
security plan was in place. Both TMA and DOD have responsibilities
for ensuring that an adequate mail security plan exists for the
mail room in the Skyline Complex. GSA's federal mail management
regulation and DOD's mail manual both require mail security plans
for agency mail rooms. According to GSA's regulation,26 security
plans must include (1) procedures for safe and secure mail room
operations, (2) plans for training mail room personnel, and (3)
plans for annually reviewing agency and facility-level mail
security plans. In addition, DOD's mail manual requires DOD's mail
room officials to ensure that their mail security plans are
coordinated with local security officials. TMA did not develop the
required security plan. If TMA had developed a plan and
coordinated it with local officials, Fairfax County emergency
personnel-the local first responders-may have learned about the
biosafety cabinet's limitations, including the meaning of the
equipment's audible alarm. Furthermore, DOD did not ensure that
TMA had developed a plan, or attempt to review it for adequacy, as
required. GSA's federal mail management regulation requires that
facility level mail security plans be annually reviewed. Moreover,
as specified in the regulation, DOD must annually report to GSA
that its mail security plans have been reviewed by a competent
authority within the past year. GSA officials noted that DOD's
Official Mail Manager submits a certification form to GSA
annually; however, the form does not indicate that DOD's (1) plans
exist and that (2) the plans have been reviewed by a competent
authority in the past year. Instead, the form submitted to GSA
simply certifies that DOD has the requisite requirements in place.
According to DOD's Official Mail Manager,27 he cannot certify that
all DOD mail rooms have mail security plans or that they have been
reviewed by a competent authority because DOD does not have a
process in place to ensure that the required reviews take place.28
He further explained that he lacks the time and resources to
review the plans. If TMA and DOD had followed the applicable
requirements, the problem that occurred at the Skyline Complex may
have been avoided.
o Third, the Defense Information Systems Agency had not developed
an Occupant Emergency Plan. GSA requires agencies of
GSA-controlled buildings to have an occupant emergency plan for
protecting life and property during an emergency. Critical
elements of the plan include (1) evacuation and
sheltering-in-place information; (2) contact information and
emergency phone numbers; and (3) specific information about the
building's construction, including its floor plans. The highest
ranking official of the largest agency in each GSA-controlled
building is responsible for developing and maintaining the
occupant emergency plan.29 In March 2005, the Defense Information
Systems Agency (Defense Agency) was the largest agency in the
Skyline Complex. According to officials from the Defense Agency,
they were aware of the agency's responsibility for developing the
occupant emergency plan as early as June 2002. Defense Agency
officials had drafted a plan by the time of the incident, but had
neither distributed it to other federal occupants of the complex
nor coordinated it with first responders. Moreover, employees had
not been trained on the plan and affected federal agencies had not
agreed to or signed the plan. Officials of the Defense Agency
commented that developing an occupant emergency plan takes a great
deal of coordination among participating agencies, which prolongs
the plan's completion. The lack of a required occupancy emergency
plan contributed to the difficulties that employees and first
responders experienced during the incident. For example, first
responders had difficulty getting critical information to
employees because contact information was not readily available
for federal employees in the complex. In addition, since
information about the complex was not readily available, some
employees were able to exit the complex because Fairfax County
police, who had attempted to secure the Skyline Complex, were
unaware of all the existing exits.
DOD Did Not Fully Follow the Federal Framework for Coordinating
Responses at the Pentagon
DOD did not fully follow the federal framework for coordinating a
response to the potential anthrax incident at the Pentagon;
instead, it chose to make decisions on its own. The federal
framework is set forth in the NRP and NIMS, which specifies a
structured and coordinated approach for involving federal, state,
and local agencies in decision making. The unifying element of
this framework is the ability to harness the resources of various
agencies whose expertise and knowledge help ensure informed
decisions about how to proceed in any given situation. While DOD
initially followed NIMS when it established its incident command
at the Pentagon,30 as the incident evolved, key aspects of the
federal framework were not followed. Here are three examples:
o First, DOD did not fully follow NRP's notification structure.
NRP's Biological Incident Annex requires every federal agency to
first notify the FBI if it becomes aware of an overt threat
involving biological agents. While DOD officials did notify the
FBI, it was not until almost 3 hours after they first became aware
of the Pentagon's positive test results. Earlier notification
would have likely helped with the evaluation of test results and
allowed federal agencies to collectively coordinate a proper
course of action, particularly because, as discussed earlier, FBI
officials began questioning the incident's credibility after
arriving on scene. The Biological Incident Annex also designates
HHS as the federal agency responsible for coordinating a public
health response involving bioterrorism threats. DOD officials
never notified HHS but, instead, called the Director of CDC to
disclose their intention to administer antibiotics to DOD
employees. The Director of CDC, not DOD, alerted the CDC
operations center, which, in turn, notified HHS's operations
center at about 4:00 p.m. on Monday. As specified in the
Biological Incident Annex, once HHS officials were notified of a
credible threat, they convened an interagency conference call
approximately 1 hour later to coordinate a possible medical
emergency response. However, by then, DOD had already begun to
administer antibiotics to its employees. As a result, any advice
any guidance on (1) medical treatment options or (2) the validity
of the laboratory's test results that other agency officials may
have offered were essentially moot.
o Second, DOD failed to follow NIMS protocols regarding joint
decision making. Under NIMS, the incident commander is responsible
for the entire response to an incident. To assist with various
aspects of a multijurisdictional response, the incident commander
is expected to assemble federal, state, and local agencies to
serve in a unified command. The unified command includes
representatives from all agencies and organizations that have
responsibility for, or can provide support to, an incident.
Collectively, the unified command is expected to consider and help
make decisions on all objectives and strategies related to an
incident. At the Pentagon in March 2005, PFPA included federal and
local agencies in the response; however, the response structure
never matured into a unified command, especially when some
decisions-especially those related to medical treatment-were made
outside the command structure. DOD essentially had two separate
incident responses: PFPA acted as the incident commander for the
evacuation and containment of Pentagon employees, while DOD's
Health Affairs made unilateral decisions regarding the employees'
medical treatment. According to local public health officials, DOD
did not consult them on the proper course of action regarding
whether, or how, to intervene medically. Had information and
decisions flowed through a unified command structure, local public
health officials could have raised the concerns they had about
providing antibiotics without a confirmed LRN test result.
Additionally, if medical treatment decisions had been made
collaboratively, DOD and local public health officials could have
(1) agreed on a strategy for treating potentially affected
individuals, including access to additional medication and
follow-up treatment; and (2) discussed the potential ramifications
of initially providing ciprofloxacin to DOD employees.31 According
to local public health officials, DOD's initial provision of
ciprofloxacin to DOD employees set a precedent that essentially
eliminated other antibiotic treatment options, given the health
officials' desire to ensure that potentially affected individuals
would be treated consistently.32 Had medical decisions been made
within the context of a unified command, a different decision may
have been reached and hundreds of DOD employees-with no, or
limited, exposure to potential contamination-may not have received
unnecessary medication.
o Third, DOD did not coordinate the initial public response to
the incidents. An important outcome envisioned in the federal
framework is effective management of information available to the
public. The NIMS structure calls for a joint information center to
provide a location for organizations participating in the
management of the incident to work together to ensure that timely,
accurate, easy-to-understand, and consistent information is
disseminated to the public. The joint information center is
supposed to have representatives from each organization involved
in the management of an incident. DOD did not establish a joint
information center at the start of the incidents, and it did not
have clear written procedures for doing so. As a result, the
public received unclear and inconsistent messages about, among
other matters, the source of the anthrax. For example, media
accounts reported that mail through the Postal Service caused the
incidents when, in fact, the source of possible contamination was
unknown. According to the Postal Service, this resulted in
unnecessary anxiety among Postal Service workers, their families,
and recipients of Postal Service mail.
According to DOD health officials responsible for making medical
decisions at the Pentagon, they based their medical treatment
decision on the experiences they gained from the fall 2001 anthrax
incidents. The officials explained that they were very sensitive
to what they perceived to be untimely medical decisions reached in
the fall of 2001. Consequently, they said they decided to err on
the side of caution and quickly distribute antibiotics to
employees at the Pentagon and Skyline Complex. Additionally, since
the incident occurred on the Pentagon Reservation, DOD officials
did not believe that the NRP applied because, in their view, they
had the medical authority, expertise, and resources to handle the
incident internally.33 However, other federal officials-including
those in DHS and HHS-told us that the NRP was applicable and that
DOD should have followed the framework. In addition, CDC guidance
emphasizes the need to make risk-based decisions, including those
involving dispensing of antibiotics during suspected anthrax
incidents. According to the CDC, a risk-based, participatory
approach is necessary, in part to limit the number of people who
may receive antibiotics before confirmation by the LRN.34 Since
the mail had been quarantined over the weekend, the Pentagon
employees most at risk would have been the technicians who had
screened the mail the previous week. These persons received
antibiotics, but so did hundreds of others who, in our view, would
not likely have been exposed until Monday morning, when the
Pentagon's mail was released from quarantine.
DOD health officials' concern about protecting DOD employees from
the risk of exposure is clearly understandable. However, DOD's
actions were not consistent with the NRP. Once HHS was contacted
by CDC, it began using the notification and response protocols
specified in the NRP. In particular, HHS convened the first
interagency conference call in which federal participants were
able to discuss the laboratory's test results and raise concerns
about the quality of the results. Additionally, CDC was able to
address the Postal Service's concerns about the possible health
effects on its employees who may have processed contaminated mail
to the Pentagon the previous week. CDC recommended antibiotics for
employees of the V Street Operation because (1) of the confluence
of the two incidents, which, at the time, were viewed as involving
the presence of anthrax; (2) DOD had already started its employees
on antibiotics; and (3) the employees could have been exposed to
anthrax several days earlier because they process mail to the
Pentagon.
DOD Took Numerous Actions That Address Problems Related to the
Incidents
DOD took numerous actions that address problems related to the
Pentagon and Skyline Complex incidents. At the Pentagon, some
actions to improve DOD's mail processing and incident response,
such as modernizing the mail-screening facility and changing the
laboratory used to test daily samples, were already under way.
Other actions, including selecting a new mail-screening contractor
and improving procedures for releasing quarantined mail, were a
direct response to what occurred. At the Skyline Complex, DOD's
actions included prohibiting the use of equipment for screening
mail unless the equipment is being operated within the context of
a comprehensive mail-screening program. DOD also commissioned the
RAND Corporation to conduct an independent review to examine its
response to the incidents.35 The resulting report,36 issued in
January 2006, contains numerous recommendations which, according
to DOD, it has taken action upon.
At the Pentagon, Some Actions Were Already Under Way, While Others
Were Taken in Direct Response to the Incident
Some of the actions DOD took at the Pentagon were under way before
the March 2005 incident. Although the actions were not carried out
until later, they reflected decisions that had been previously set
in motion to improve mail screening and responses to biological
incidents. These actions included the following:
o DOD transferred oversight of the mail-screening function to
PFPA. PFPA assumed oversight of mail-screening from the Department
of the Army in August 2005 because, according to DOD officials,
PFPA's strategic mission of providing security and law enforcement
at the Pentagon is better aligned with the mail-screening
function. According to a PFPA official, planning for the transfer
of mail-screening oversight began around January 2005. A gradual
transition had been planned, he said, but the Pentagon incident
significantly accelerated efforts to implement the transfer of
mail-screening oversight responsibilities.
o DOD modernized the mail-screening facility, refurbished the
mail quarantine room, and installed new mail-screening equipment.
According to a DOD official, initial planning for these
improvements also began around January 2005. PFPA officials stated
that the new mail-screening facility and the refurbished
quarantine room have improved capabilities that are designed to
protect employees and prevent the spread of anthrax. Finally, a
DOD official said that the decision to replace the previous
mail-screening table with new equipment was based on a 2003
National Academy of Sciences report, which, among other things,
raised questions about the table's ability to detect anthrax in
small amounts. PFPA is awaiting the results of a study, which it
expects to conclude in May 2006, to evaluate the effectiveness of
the changes.
o DOD changed its testing laboratory. Daily testing of samples
from the Pentagon's mail-screening equipment is now performed by a
non-LRN chemical-biological laboratory located on the premises,
instead of a contract laboratory. The laboratory is part of PFPA
and, according to a PFPA official, was established in January 2005
to help protect the Pentagon from biological threats. The official
stated that the original plan was to transfer testing from CBI to
the Pentagon's chemical-biological laboratory in October 2005,
after the Vistronix contract expired. However, the transfer was
accelerated, occurring instead in March 2005, a few days after the
incident at the Pentagon.
o DOD entered into a memorandum of understanding (MOU) on
biological monitoring with other federal agencies. In April 2005,
DOD signed an MOU for Coordinated Monitoring of Biological Threat
Agents, which was developed prior to the Pentagon incident. DHS,
HHS, the Department of Justice (which includes the FBI), and the
Postal Service are also parties to the MOU. DHS's Science and
Technology Directorate is responsible for coordinating the
implementation of the MOU. The following provisions in the MOU
help address the notification, laboratory testing, and medical
response problems that arose at the Pentagon:
o The MOU establishes prompt notification
requirements. Specifically, the MOU requires
participants to notify the FBI, HHS, and DHS within 1
to 2 hours of positive test results that indicate,
with a high degree of confidence, the presence of
anthrax or other biological agents. However,
according to a DHS Science and Technology Directorate
official, such test results only trigger notification
and, until confirmed by the LRN, are not considered
actionable by HHS, DHS, and others.
o The MOU requires participating agencies to develop
and employ mutually accepted and validated testing
methods to confirm biological threats. According to a
Science and Technology official, test results
produced from these methods will be considered
actionable for public health and other response
measures, including the administration of medical
treatment. He stated, however, that this MOU
provision will take time to implement.37 According to
the official, an independent organization is
currently performing the extensive testing and
analysis needed to evaluate and establish equivalency
between the wide array of testing methods employed
across agencies.38 DOD officials stated that the
Pentagon's chemical-biological laboratory-which is
not part of the LRN-plans to adopt the testing
methods that emerge from the MOU. As a result, if the
MOU's equivalency testing provision is fully
implemented, they said, confirmatory positive results
from the Pentagon laboratory will be considered
equivalent to LRN results and deemed actionable by
DHS, HHS, and others for decisions related to the
administration of medical treatment.39
In addition to carrying out actions already in process, DOD also
initiated numerous actions in direct response to the problems that
occurred at the Pentagon. Several of these actions address the
mail-screening contractor's failure to follow established
requirements. Other actions were carried out in response to the
RAND review and are intended to better align DOD's procedures with
those in the federal framework for coordinating responses to
potential biological threats. The actions are as follows:
o DOD changed mail-screening contractors, strengthened the new
contract, and drafted improved procedures. PFPA selected a new
contractor for screening mail at the Pentagon in September 2005.
PFPA also developed new contract provisions and drafted new mail
inspection procedures to address the previous contractor's failure
to follow established contractual and procedural requirements.
Table 2 highlights key changes in the Pentagon's mail-screening
contract provisions and draft procedures.
Table 2: Key Changes in the Pentagon's Mail-Screening Contract
Provisions and Draft Mail-Screening Procedures
Key changes in the Pentagon's contract provisions
The contractor is required to periodically train its employees on
emergency response procedures, including those relating to the receipt of
suspicious materials.
The contractor is required to develop an effective quality control program
to ensure that its services are performed in accordance with the
contract's requirements.
PFPA's contracting officer representative is required to evaluate the
contractor's performance to ensure that it meets contract requirements.
The representative is to monitor the contractor's performance and report
any deficiencies.
Key changes in the Pentagon's draft mail-screening procedures
The facilities manager, a newly created position in PFPA's laboratory
division, is responsible for, among other things, performing unannounced
inspections to ensure that the contractor properly executes procedures.
The contract supervisor, an employee of the mail-screening contractor, is
responsible for ensuring that contract personnel perform all activities in
accordance with established procedures.
A PFPA laboratory official verifies that test results are negative for
mail scheduled to be released.
A PFPA laboratory official notifies the facility manager, the contract
supervisor, and a Defense Post Office official via e-mail that the results
are negative and that mail can be released at the scheduled time. All
parties must verify the receipt of the negative test results by replying
to the e-mail.
The PFPA laboratory facility manager, the contract supervisor, and a
Defense Post Office official, must physically verify that the date stamp
and other information on the quarantined mail matches the laboratory's
report indicating negative test results before releasing the mail.
Source: GAO analysis of DOD information.
PFPA strengthened the mail-screening contract by requiring the
contractor to, among other things, periodically train employees on
emergency response procedures and develop an effective quality
control program to ensure adherence to contract provisions. In
addition, PFPA's contracting officer representative is required to
evaluate the contractor's performance to ensure that it meets
contract requirements.40 PFPA has also drafted new mail-screening
procedures to help ensure the contractor performs in accordance
with requirements. The draft procedures require PFPA to, among
other things, perform unannounced inspections to ensure that the
contractor is properly executing required procedures. As of April
30, 2006, it was unclear when the draft procedures would be
finalized; however, according to a PFPA official, the new
monitoring measures are already being performed. Effective
monitoring of contractor activities and performance is key to
maintaining effective agency internal controls.
o DOD strengthened controls over the release of quarantined mail.
The Pentagon's draft mail inspection procedures require
verification of negative test results by representatives from
three separate organizations-PFPA, the Defense Post Office, and
the contractor-before the mail is released. Table 3 identifies the
key steps for releasing quarantined mail, as specified in the
draft procedures.
Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft
Procedures
Source: GAO analysis of DOD information.
Although the mail inspection procedures are still in draft form,
these steps are currently being used for releasing the Pentagon's
quarantined mail. The segregation of key duties and
responsibilities at this critical juncture in the mail release
process reduces the risk of error and, as such, is designed to
strengthen the internal controls that were lacking in March 2005.
During the incident, inadequate internal controls allowed a single
point of failure-in this case, a misunderstanding between two
contract employees-to result in the premature release and
distribution of quarantined mail that may have been contaminated.
This triggered a broad response at the Pentagon and elsewhere. The
implementation of rigorous internal controls for releasing the
Pentagon's mail appears likely to prevent similar incidents in the
future.
o DOD commissioned the RAND Corporation to conduct an independent
review examining its response to the March 2005 incidents. The
review primarily focused on evaluating DOD's policies and
procedures for responding to such incidents and making
recommendations for improvement. In November 2005, DOD formed a
working group to review and implement recommendations from a draft
of the report. The final report was issued in January 2006.
o DOD drafted new notification procedures for positive test
results at the Pentagon. To help address the notification problems
that arose during the Pentagon incident, DOD drafted new
procedures for notifying appropriate parties of positive test
results from the Pentagon's on-site chemical-biological
laboratory. These procedures help implement a recommendation in
the RAND report that calls for ensuring timely notification of
designated agencies in accordance with the NRP and NIMS. The
recommendation was based on findings similar to those identified
by GAO. DOD officials stated that the new procedures, while still
in draft, are currently being used to respond to potential
incidents involving biological contamination at the Pentagon.
Figure 2 illustrates DOD's draft notification procedures for
positive test results from the Pentagon's on-site
chemical-biological laboratory.
Figure 2: DOD's Draft Procedures for Positive Test Results from
the Pentagon's On-Site Chemical-Biological Laboratory
aThe Assistant Secretary of Defense for Homeland Defense is the
overall supervisor of homeland defense activities for DOD. This
office manages domestic incidents and represents DOD in homeland
defense-related matters with other agencies.
bThe Assistant Secretary of Defense for Public Affairs is the
principal staff adviser to the Office of the Secretary of Defense
for disseminating information related to the Pentagon.
The procedures require Pentagon laboratory officials to
immediately notify PFPA of positive test results. Thereafter, PFPA
and DOD's Assistant Secretary of Homeland Defense are responsible
for making the required notifications to internal and external
parties. According to a DOD official, these notifications should
occur immediately in order to meet the 1 to 2 hour time frame
specified in the MOU. As prescribed in the NRP, once notified of
positive test results, (1) the FBI is responsible for coordinating
appropriate confirmatory testing by the LRN and (2) DHS's
operations center is responsible for notifying affected local
jurisdictions. DOD's draft procedures include notification to all
agencies specified in the NRP's Biological Incident Annex, as well
as those specified in the MOU. Although not specifically required
in either the NRP or MOU, the procedures also include notification
to the Postal Service. An official stated that DOD actively worked
with DHS, the FBI, and HHS to develop the notification procedures
and is continuing to improve them based on agency input, actual
events, and the outcome of training exercises.
o DOD is developing a new policy that defines the roles and
responsibilities of senior DOD leadership during incidents at the
Pentagon. According to DOD's Director of Administration and
Management,41 the policy-called an instruction-is being developed
and will be based, in part, on NRP's Biological Incident Annex. He
stated that the instruction will detail the health-care
responsibilities of DOD leadership involved in making medical
treatment decisions and will be consistent with NRP and NIMS
protocols. The draft instruction was expected to be tested during
a Pentagon training exercise in May 2006 and is to be finalized in
the fall of 2006. The development of the instruction directly
addresses a recommendation from the RAND review, which arrived at
findings similar to ours regarding DOD's medical decision making.
o DOD drafted new procedures to help ensure that a joint
information center is established. DOD also drafted procedures for
ensuring that, consistent with the NIMS framework, a joint
information center is established during potential emergency
incidents at the Pentagon. During the March 2005 incident, DOD did
not establish a joint information center to disseminate timely,
accurate, and consistent messages to the public. The RAND report
contained a similar finding and recommended remedial actions. In
response, DOD drafted procedures that require PFPA, Public
Affairs, and Washington Headquarters Services to coordinate in the
establishment and operation of a joint information center to
disseminate information to the media during incidents at the
Pentagon.42 According to a Washington Headquarters Services
official, the draft procedures will be tested during future
training exercises at the Pentagon.
DOD Took Other Actions That Address Problems at the Skyline Complex
DOD also took a number of other actions that address the specific
problems we described related to the incident at the Skyline
Complex. Many of these problems were also raised in the RAND
report. DOD's actions, several of which also affect other
DOD-leased facilities, included the following:
o DOD developed operating conditions for equipment used to screen
mail in the national capital region. In January 2006, DOD's
Director of Administration and Management issued a directive
prohibiting DOD mail facilities in leased space within the
national capital region43-including the Skyline Complex-from
operating equipment used to screen mail, including biosafety
cabinets, unless the facilities meet five specific operating
conditions. These conditions include having trained mail screeners
to sample equipment for biological agents and an approved
laboratory for analyzing the samples. The directive partially
addresses a recommendation in the RAND report calling for DOD to
develop, evaluate, and ensure that appropriate site-specific
screening practices are in place departmentwide. According to the
Director, the directive is intended to relay key lessons learned
in March 2005-specifically, that equipment for screening mail is
ineffective and potentially risky to personnel and facilities when
used outside of a comprehensive mail-screening program. The TMA
facility at the Skyline Complex did not meet these conditions.
Although the agency purchased a new biosafety cabinet for the
Skyline Complex, which is similar to the device in place in March
2005,44 a TMA official stated that the agency is no longer
operating the device and is taking steps for its disposal in
response to the directive.
o DOD initiated two efforts to gather information on screening
operations in its mail facilities. First, DOD's Joint Program
Executive Office for Chemical-Biological Defense, as part of a
plan required by the National Defense Authorization Act for Fiscal
Year 2006,45 gathered some information on equipment used for mail
screening in DOD mail facilities nationwide. However, according to
a joint program office official, the data is not comprehensive
because information was not sought from all applicable facilities.
Second, in response to the RAND review, Washington Headquarters
Services attempted to identify DOD-leased facilities in the
national capital region that screen mail for threats. However, as
discussed later, this data collection effort had numerous
limitations.
o DOD developed an occupant emergency plan for the Skyline
Complex. In July 2005, the Defense Agency, in conjunction with
TMA, issued an occupant emergency plan for the Skyline Complex.
The plan was reviewed and deemed adequate by a building management
specialist in DOD's Washington Headquarters Services. The plan
includes emergency contact information and information about the
complex, such as floor plans, that were not readily available
during the March 2005 incidents. In addition, according to a
Defense Agency official, the plan has been fully coordinated with
Fairfax County first responders, who (1) met with Defense Agency
officials to discuss the roles and responsibilities of applicable
parties, (2) reviewed the plan, and (3) participated in the
emergency training exercises at the Skyline Complex. He also
stated that if a similar incident were to occur, the plan would
facilitate communications between first responders and Skyline
Complex employees. The development of an occupant emergency plan
addresses findings in this report as well as recommendations from
the RAND review.
o DOD issued supplemental requirements for developing mail
security plans. DOD's December 2001 mail manual required agency
mail rooms to develop security plans, but at the time of the
incidents, did not clearly specify what the plans should include
or require that they be reviewed. A supplement to the manual,
issued in September 2005, requires mail room officials to ensure
that their plan (1) details the reporting procedures and
responsibilities for handling suspicious mail, (2) has been
coordinated with local emergency responders, (3) is disseminated
to all mail center staff, and (4) is reviewed for potential
revisions at least quarterly. The supplemental requirements refer
mail room officials to GSA guidance on handling suspicious mail to
assist in the development of adequate security plans.46
DOD�s Actions Do Not Fully Resolve Identified Problems
DOD's actions resolve many of the problems that arose in the March
2005 incidents but not all. One remaining and overarching concern
involves whether, despite its actions, DOD will adhere to the
interagency coordination protocols in the NRP and NIMS or will
revert to the isolated decision-making approach it used at the
Pentagon. Other remaining issues include ensuring that DOD (1)
facilities have adequate mail security plans in place and (2) mail
facilities in the national capital region are appropriately using
biosafety cabinets for screening mail.
DOD�s Adherence to NRP and NIMS Interagency Coordination Protocols Remains Uncertain for Incidents at the Pentagon
DOD has taken actions to align its procedures with the NRP and
NIMS, including the development of an instruction defining the
roles and responsibilities of senior DOD leadership during
incidents at the Pentagon. The policy instruction is not expected
to be finalized until the fall of 2006 and, until then, it is
unknown whether it will adequately specify medical treatment
responsibilities in accordance with the coordination protocols in
the NRP and NIMS. In October 2005, senior DOD health officials
told us that they would handle the medical response at the
Pentagon in a similar manner if an incident occurred in the
future, in part, because they have the authority to do so. In
April 2006-more than 1 year after the incident-another senior
health official reiterated that DOD has the authority to make
final decisions on medical treatment at the Pentagon without
collaboration or consultation with other agencies, including HHS.
Such views conflict with protocols in both the NRP, which requires
an HHS-led coordinated public health response, and NIMS, which
prescribes local-level input into decisions affecting their
jurisdictions. Until DOD ensures that its senior health officials
make medical treatment decisions in accordance with the NRP and
NIMS during potential biological incidents at the Pentagon, the
problems that occurred in March 2005 remain unresolved.
DOD Still Has Not Ensured That Its Mail Facilities Have Reviewed
Mail Security Plans, As Required
TMA did not have a mail security plan for the Skyline Complex at
the time of the incidents, and although federal mail management
regulation and DOD's mail manual require such a plan, it has not
subsequently developed one. Until TMA develops a plan and, among
other things, coordinates it with local first responders, any
future response at the facility may also be hampered. More
importantly, it is not known whether other DOD mail facilities
also lack plans, or adequate plans, for guiding future responses
involving potential biological threats in the mail. As discussed
earlier, DOD does not have a process in place to (1) ensure that
its mail facilities have mail security plans and (2) verify that
each plan has been annually reviewed by a competent authority.
DOD Has Not Ensured That Its Facilities in the National Capital
Region Are Appropriately Using Biosafety Cabinets
Gaps remain in the actions DOD has taken to ensure the appropriate
use of biosafety cabinets for mail screening in DOD-leased mail
facilities in the national capital region. First, DOD has not
ensured that DOD mail facilities in the national capital region
are not operating biosafety cabinets outside of a comprehensive
mail-screening program. As pointed out in the Director of
Administration and Management's January 2006 directive, using
mail-screening equipment in isolation of such a program is
ineffective and potentially risky. Second, at the conclusion of
our review, DOD still had not identified the number of biosafety
cabinets in use in the region. For example, although DOD's
Washington Headquarters Services collected information about
facilities in the national capital region that screen mail for
threats, its winter 2005 data collection effort was not
comprehensive. For example, the office did not attempt to (1)
identify whether other biosafety cabinets were being used, (2)
determine the conditions under which the equipment is being
operated, and (3) collect information on the type and capabilities
of other mail-screening equipment being used. Moreover, it appears
that numerous DOD mail facilities in the national capital region
did not respond to the data request. According to an official from
Washington Headquarters Services in April 2006, a follow-up effort
was being conducted to gather additional data on mail-screening
operations in the region; however, we were unable to obtain
specific information regarding the purpose, scope, and status of
the effort. Eliminating equipment that is not being used in
conjunction with a comprehensive mail-screening program is likely
to reduce future false alarms and unnecessary response activities
involving the Skyline Complex and other DOD mail facilities in
leased space within the national capital region.
Conclusions
Mail continues to be a potential venue for terrorism, particularly
as an opportunity to strike at the Pentagon-a building of national
military significance. DOD has taken aggressive measures to ensure
the safety of its employees during a potential biological attack,
but the challenge ahead is to ensure that DOD's components and
leadership are sufficiently prepared in the event of another
potential incident involving anthrax or other biohazards.
Preparation involves having the procedures, plans, and training in
place to effectively coordinate the best available knowledge and
expertise across the many agencies that will likely be involved.
While lessons learned from these two false alarms have largely
been implemented, there still is a need to tighten controls in the
areas discussed above.
Recommendations for Executive Action
To help prepare DOD to effectively respond to future incidents
involving the suspicion of biological substances in the mail, we
recommend that the Secretary of Defense take the following four
actions:
o Ensure that any future medical decisions reached during
potential or actual acts of bioterrorism at the Pentagon
Reservation result from the participatory decision-making
framework specified in the NRP and NIMS.
o Ensure that appropriate officials at all of DOD's mail
facilities develop effective mail security plans in accordance
with GSA's mail management regulation and guidance and DOD's mail
manual.
o Ensure that a competent DOD authority conducts a DOD-wide
review of all of its mail security plans.
o Determine (1) whether biosafety cabinets are being used at mail
facilities within DOD-leased space in the national capital region
and, if so, (2) whether the equipment is being operated within the
context of a comprehensive mail-screening program. If the use of
biosafety cabinets does not comply with the criteria specified in
the Director of Administration and Management's January 2006
directive, ensure that the equipment will not be operated.
Agency Comments and Our Evaluation
We requested comments on a draft of this report from DOD, GSA, the
Department of Justice, HHS, DHS, and the Postal Service. Two of
these agencies-DOD and GSA-provided written comments. The
agencies' comments are reprinted in appendixes II and III,
respectively.
DOD agreed with three of our four recommendations, indicating that
it either was implementing, or intended to immediately implement,
actions to address these recommendations.47 Furthermore, while DOD
is developing a new policy to define the roles and
responsibilities of senior DOD leadership-including those involved
in making medical treatment decisions-during incidents at the
Pentagon, it only partially agreed with our remaining
recommendation, related to the need for DOD to make future medical
decisions within the participatory decision-making framework
specified in the NRP and NIMS. While commenting that "coordination
in such events is highly desirable," DOD reiterated that it has
the "medical authority to act in a timely manner to provide the
best possible medical protection for its personnel at potential
risk in an incident of this nature." DOD further commented that
the NRP does not alter or impede its ability to carry out its
medical authorities and responsibilities.
We agree that the NRP does not repeal DOD's medical powers,
authorities, or responsibilities. However, in signing the NRP
Letter of Agreement, DOD agreed, among other things, to (1)
support NRP concepts, processes, and structures; (2) modify its
existing plans to comply with the NRP; and (3) ensure that its
operations support the NRP. Thus, in our view, DOD's medical
authorities must be exercised in conjunction with DOD's
responsibilities under the NRP. Had DOD followed such an approach
in March 2005, concerns such as the validity of the test results
could have been discussed among informed agency officials and the
provision of unnecessary medicine to DOD employees at lower risk
for exposure may have been avoided.
DOD also commented that the NRP was not in effect during these
incidents because none of the criteria for an incident of
"national significance" had been met. We agree that the December
2004 NRP plan was somewhat ambiguous about when an incident is
subject to NRP's concepts, processes, and structures. However,
revisions made in May 2006 clarified that the NRP is "always in
effect" and that the plan applies to incidents of lesser severity
that may, nevertheless, require some federal involvement. In our
view, this revision makes it even more clear that, going forward,
coordination is necessary and appropriate with regard to potential
bioterrorism incidents and decisions about medical treatment. In
addition, despite the plan's prior ambiguity, it is important to
note that other federal officials-including those in DHS and
HHS-told us that the NRP was applicable because of the nearly
simultaneous occurrence of two incidents involving the Pentagon, a
building of national military significance. Thus, according to
these and other involved parties, DOD should have responded to the
incidents within the context of the federal framework.
GSA's written comments clarified federal requirements related to
the annual review of mail security plans. DOD, the FBI (on behalf
of the Department of Justice), CDC (on behalf of HHS), and the
Postal Service provided technical comments, which we incorporated,
as appropriate. DHS did not provide comments.
We are sending copies of this report to appropriate congressional
committees and subcommittees, CDC, DHS, DOD, the FBI, GSA, HHS,
the Postal Service, the Arlington and Fairfax County Offices of
Emergency Management, the District of Columbia Health Department,
and other interested parties. We will also make copies available
to others upon request. In addition, the report is available at no
charge on the GAO Web site at http://www.gao.gov .
If you or your staff have any questions about this report, please
contact me at [email protected] or (202) 512-2834. Contact points
for our Offices of Congressional Relations and Public Affairs may
be found on the last page of this report. Staff who made key
contributions to this report are listed in appendix IV.
Katherine A. Siggerud Director, Physical Infrastructure Issues
Appendix I: Scope and Methodology
To determine what occurred at the Pentagon and Skyline Complex
mail facilities in Virginia, we reviewed all available timelines
and after-action reports, including those prepared by various
Department of Defense (DOD) components, the Postal Service, the
RAND Corporation, and other federal, state, and local entities.
The after-action reports and timelines document what occurred at
the two sites in March 2005 as well as the sequence and timing of
what occurred. We also obtained and analyzed other pertinent
documentation. We developed a timeline of what occurred based on
the information we obtained, and corroborated this information
with agency officials, where possible. With respect to this and
our other reporting objectives, we interviewed a wide range of
officials from the following organizations:
o Office of the Secretary of Defense, Administration and
Management;
o Office of the Assistant Secretary of Defense for Health
Affairs;
o Office of the Assistant Secretary of Defense for Homeland
Defense;
o DOD's DiLorenzo TRICARE Health Clinic;
o DOD's TRICARE Management Activity (TMA);
o DOD's Pentagon Force Protection Agency, including personnel in
the Chemical, Biological, Radiological and Nuclear laboratory;
o DOD's Washington Headquarters Services;
o DOD's Defense Post Office;
o Vistronix Incorporated;
o Department of Health and Human Services;
o Centers for Disease Control and Prevention (CDC);
o Department of Homeland Security (DHS);
o Federal Bureau of Investigation (FBI) Headquarters and its
Washington Field Office;
o U.S. Postal Service;
o District of Columbia's Department of Health; and
o Arlington and Fairfax County Offices of Emergency Management.
To determine what problems occurred and why they occurred, we
obtained, reviewed, and analyzed, among other documents, (1) all
available timelines and after-action reports prepared by federal,
state, and local agencies that were involved in the response; (2)
the Pentagon's mail-screening contract and procedures; (3) TMA's
mail procedures; (4) federal mail management and other applicable
regulations related to occupant emergency plans;1 (5) DOD
requirements, including its mail manual; (6) applicable guidance
on the coordination of incidents with appropriate organizations,
including the National Response Plan (NRP) and its Biological
Incident Annex and the National Incident Management System (NIMS)
and; (7) CDC guidance related to the provision of medical services
to potentially affected employees, including its guidance on the
timing of antibiotics to affected individuals.2 We also reviewed
and analyzed GAO's internal control standards for applicable
criteria and interviewed officials from the previously cited
organizations as well as those from DOD's Defense Information
Systems Agency, DOD's Military Postal Service Agency, and the
General Services Administration. We compared DOD's actions with
applicable criteria, such as the Pentagon's contract provisions
and procedures, regulations and guidance, and the national
coordination protocols in place at the time of the incidents, to
identify any variations between the actions taken at the two
facilities and the actions specified in the applicable criteria.
Where variations existed, we interviewed officials from the
previously mentioned organizations to determine why the applicable
criteria was not followed.
To determine the actions DOD has taken that address the problems
that arose during the March 2005 incidents at the two mail
facilities, we interviewed officials from the previously cited DOD
offices as well as the Office of the Assistant Secretary of
Defense for Public Affairs, Military
Postal Service Agency, Joint Program Executive Office for Chemical
and Biological Defense, and General Services Administration. We
also interviewed DHS officials from the Science and Technology
Directorate and DHS's Mail Management Program. We obtained and
analyzed pertinent information on all identified actions. For
example, with respect to actions taken at the Pentagon, we
reviewed the new mail-screening contract, recent interagency
agreements, and the Pentagon's draft (1) mail-screening operating
procedures, (2) laboratory procedures, (3) notification
procedures, and (4) procedures for communicating information to
the public. For actions taken in response to the incident at the
Skyline Complex, we reviewed TMA's mail-screening procedures,
DOD's directive prohibiting the use of biosafety cabinets in
certain environments, and the Skyline Complex occupant emergency
plan, all of which were issued after the March 2005 incidents.
To determine the extent to which the actions taken address the
problems that arose at the two mail facilities during the March
2005 incidents, we reviewed and analyzed, among other things, the
Pentagon's new mail-screening contract and its draft (1)
mail-screening operating procedures, (2) laboratory procedures,
(3) notification procedures, and (4) procedures for communicating
information to the public. To assess whether the actions appeared
to resolve the problems that arose during the incidents, we
compared policy and procedural changes to applicable criteria,
including criteria contained in DOD's mail manual, GSA's
regulations and guidance, CDC guidance, GAO Internal Controls
Standards, the NRP's
Biological Incident Annex, and NIMS. We determined the status of
key recommendations in the after-action reports and, through our
analysis, identified further actions necessary to remedy the
issues that arose. In addition, to provide broader perspective on
issues related to detecting and responding to suspected anthrax
incidents, we reviewed previous studies, congressional testimony,
and other pertinent documents including those prepared by GAO.3
We performed our work from June 2005 to August 2006 in accordance
with generally accepted government auditing standards.
Appendix II: Comments from the Department of Defense
Appendix III: Comments from the General Services Administration
Appendix IV: GAO Contact and Staff Acknowledgments
GAO Contact
Katherine A. Siggerud, (202) 512-2834 or [email protected]
Staff Acknowledgments
In addition to the contact named above, Kathleen Turner (Assistant
Director), David Hooper, Daniel Klabunde, Steve Martinez, Josh Ormond,
Stanley Stenersen, and Johanna Wong made key contributions to this report.
1410 USC Sec. 2674(f)(1) defines the Pentagon Reservation as the area of
land (consisting of approximately 280 acres) and improvements thereon,
located in Arlington, Virginia, on which the Pentagon Office Building,
Federal Office Building #2, the Pentagon heating and sewage treatment
plants, and other related facilities are located, including various areas
designated for the parking of vehicles.
15The mail-screening technicians were not evacuated and, instead, remained
isolated in the mail-screening facility, according to PFPA officials.
16Other conference calls occurred over the next few days.
17The two laboratories at Fort Detrick are associated with the United
States Army Medical Research Institute of Infectious Diseases and the
National Bioforensic Analysis Center.
18GSA leases office space at the Skyline Complex for federal agencies,
including DOD's TMA office.
19According to the manager, the PFPA employee thought that the equipment
was an X-ray machine.
20The biosafety cabinet was destroyed as a result of efforts to extract
its filters for testing.
21The National Institute is the federal agency responsible for conducting
research into occupational safety and health matters.
22CBI was not a part of the LRN in March 2005 and, consequently, would not
have had access to CDC's guidelines and protocols for LRN laboratories.
23The officials noted that PFPA's Chemical, Biological, Radiological, and
Nuclear department did not exist when DOD initially awarded the
mail-screening contract. The laboratory associated with this department,
as well as its current role in the Pentagon's mail screening, is discussed
later in this report.
24In its technical comments on a draft of this report, DOD noted that
subsequent training had been conducted, but that the training was "not as
detailed."
25As discussed earlier, mail room employees made several unsuccessful
attempts to telephone the manufacturer and the maintenance contractors for
help. In addition, DOD's manager of the complex told us that she called
PFPA for guidance on how the cabinet operated, but the PFPA official was
not aware of the type of equipment in use at the complex, and
consequently, he was not able to tell her what to do. Finally, an employee
called 911, which brought emergency responders from Fairfax County,
Virginia.
2641 CFR S:102-192.90.
27The Official Mail Manager retired in April 2006.
28Related to this, GSA officials told us that GSA does not have the
authority to enforce its reporting requirement.
2941 CFR Ch 102-74.230.
30The incident command initially included federal and local agencies and
was used for, among other things, coordinating the evacuation of the mail
screening and remote delivery facilities and the relocation of potentially
affected employees.
31Ciprofloxacin is one of several antibacterial drugs, including
amoxicillin and doxycycline, that can be used to treat anthrax exposure.
CDC currently recommends doxycycline for preventive treatment of anthrax.
32Local public health officials explained that their desire to ensure that
potentially affected individuals would be treated consistently derived
from lessons learned in the fall of 2001. At that time, Capitol Hill staff
was also initially provided with ciprofloxacin for their potential
exposure to anthrax; however, Postal Service employees generally received
doxycycline. CDC's recommendations in this area had changed, but that was
not well understood, in part because ciprofloxacin had been described as
the drug of choice in media reports. Because Postal Service employees
generally received doxycycline-instead of ciprofloxacin-they believed that
they had been given an inferior drug. According to local public health
officials, this misperception was difficult to explain and, together with
the death and illness of exposed postal employees, caused trauma within
the Postal Service community.
33Under DOD Directive 6200.3, Emergency Health Powers on Military
Installations, DOD commanders and the designated Public Health Emergency
Officer-in this case, the commander of the DiLorenzo TRICARE Health
Clinic-can take actions to protect installations, facilities, and
personnel in the event of a public health emergency resulting from
biological warfare, terrorism, or a communicable disease epidemic.
34According to CDC, antibiotic medical treatment is recommended as soon as
possible after the LRN has obtained a presumptive positive test result.
Such results can be obtained within 2 hours.
35The RAND Corporation is a nonprofit research organization. Its National
Defense Research Institute-a federally funded research and development
center-conducted the review. RAND also examined a third incident that
occurred at a DOD mail facility on the Bolling Air Force Base. The
incident at the Bolling Air Force Base was not connected to the Pentagon
and Skyline Complex incidents. Consequently, that incident is not
discussed in this report.
36Except for an unclassified summary, the RAND report is not available
publicly.
37The MOU established August 2005 as the deadline for agencies to begin
using mutually accepted testing methods, a date that has long passed.
According to an official from DHS's Science and Technology Directorate, it
will take a considerable amount of additional time to assess and develop
consensus on testing methods. The official estimated that the process to
establish mutually accepted testing methods will be completed between
September 2006 and March 2007.
38According to CDC officials, the process involves establishing
equivalency between DOD and LRN testing methods. In addition, they stated
that once mutually accepted methods are established, it will take
additional time to fully implement the testing and response procedures
from an operational standpoint.
39A DOD official noted that positive test results are taken in conjunction
with other relevant factors to determine if antibiotics should be
administered.
40As discussed, the previous contracting officer's representative for
administering the mail-screening contract was an official from the Defense
Post Office with no expertise or training related to screening mail for
anthrax or other biological hazards. The new contracting officer's
representative is the Director of PFPA's chemical-biological laboratory
located at the Pentagon.
41The Director of Administration and Management is the principal adviser
on DOD-wide organizational and administrative management matters. The
Director's responsibilities include providing policy guidance to DOD
components at (1) the Pentagon and (2) DOD-leased space in the Washington,
D.C., area.
42Washington Headquarters Services manages DOD-wide programs and
operations for the Pentagon Reservation and DOD-leased facilities in the
Washington, D.C., area.
43The national capital region includes the District of Columbia and 11
local jurisdictions in Maryland and Virginia, including Arlington and
Fairfax Counties, where the two incidents occurred.
44TMA's previous biosafety cabinet was destroyed during the March 2005
incident. The new cabinet, purchased prior to receiving the directive, is
functionally similar to the old one in that it is not capable of detecting
biological agents and its alarm only indicates an obstruction in the
equipment's airflow.
45In January 2006, the President signed into law the National Defense
Authorization Act for Fiscal Year 2006, P.L. 109-163, which could change
the way DOD processes mail at the Pentagon and around the world. The law
requires the Secretary of Defense to submit a report to Congress on the
safety of mail within the military mail system, including a plan to screen
all incoming mail for biological agents.
46Specifically, the September 2005 supplement to DOD's mail manual cites
the third edition of GSA's Mail Center Security Guide and GSA's December
2003 policy advisory entitled National Guidelines for Assessing and
Managing Biological Threats in Federal Mail Facilities.
47The Office of the Administrative Assistant to the Secretary of the Army
also reviewed the draft report and concurred "without comment."
1Federal Management Regulation, 41 C.F.R. ch. 102, issued by GSA.
2U.S. Department of Health and Human Services, Centers for Disease Control
and Prevention, Morbidity and Mortality Weekly Report, "Responding to
Detection of Aerosolized Bacillus anthracis by Autonomous Detection
Systems in the Workplace" (Atlanta, Georgia, June 4, 2004).
3See, for example, GAO, U.S. Postal Service: Better Guidance Is Needed to
Ensure an Appropriate Response to Anthrax Contamination, GAO-04-239
(Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health Response to
Anthrax Incidents of 2001, GAO-04-152 (Washington, D.C.: Oct. 15, 2003);
and U.S. Postal Service: Better Guidance Is Needed to Improve
Communication Should Anthrax Contamination Occur in the Future, GAO-03-316
(Washington, D.C.: Apr. 7, 2003).
(542066)
GAO's Mission
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site ( www.gao.gov ). Each weekday, GAO posts newly
released reports, testimony, and correspondence on its Web site. To have
GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM Washington,
D.C. 20548
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061
To Report Fraud, Waste, and Abuse in Federal Programs
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations
Gloria Jarmon, Managing Director, [email protected] (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125 Washington,
D.C. 20548
Public Affairs
Paul Anderson, Managing Director, [email protected] (202) 512-4800 U.S.
Government Accountability Office, 441 G Street NW, Room 7149 Washington,
D.C. 20548
www.gao.gov/cgi-bin/getrpt? GAO-06-757 .
To view the full product, including the scope
and methodology, click on the link above.
For more information, contact Kate Siggerud at (202) 512-2834 or
[email protected].
Highlights of GAO-06-757 , a report to the Committee on Homeland Security
and Governmental Affairs, U.S. Senate
September 2006
MAIL SECURITY
Incidents at DOD Mail Facilities Exposed Problems That Require Further
Actions
In March 2005, two well-publicized and nearly simultaneous incidents
involving the suspicion of anthrax took place in the Washington, D.C.,
area. The incidents occurred at Department of Defense (DOD) mail
facilities at the Pentagon and at a commercial office complex (Skyline
Complex). While these incidents were false alarms, DOD and other federal
and local agencies responded. The Postal Service suspended operations at
two of its facilities and over a thousand DOD and Postal Service employees
were given antibiotics as a precaution against their possible exposure to
anthrax.
This report describes (1) what occurred at the Pentagon and Skyline
Complex mail facilities, (2) the problems we identified in detecting and
responding to the incidents, (3) the actions taken by DOD that address the
problems that occurred, and (4) the extent to which DOD's actions address
the problems.
What GAO Recommends
GAO is making recommendations to help improve the effectiveness of future
DOD responses involving the suspicion of anthrax in the mail. DOD agreed
with three of our recommendations but only partially agreed with our
fourth. GAO retained this recommendation to ensure that DOD's future
approach to making medical decisions during bioterrorism incidents occur
within the participatory federal framework.
Events leading up to the Pentagon incident began when a laboratory that
tested samples from the Pentagon's mail-screening equipment informed DOD's
mail-screening contractor that test results indicated the presence of
anthrax in the mail. By the time the contractor notified DOD 3 days later,
suspect mail had already been released and distributed throughout the
Pentagon. DOD evacuated its mail-screening and remote delivery facilities,
notified federal and local agencies, and dispensed antibiotics to hundreds
of employees. The Skyline Complex incident began the same day when Fairfax
County, Virginia, emergency personnel responded to a 911 call placed by a
Skyline employee that an alarm had sounded on a biosafety cabinet used to
screen mail. Local responders closed the complex and decontaminated
potentially exposed employees, and DOD dispensed antibiotics to the
employees. Similarly, the Postal Service suspended operations at two
facilities and dispensed antibiotics to its employees. Laboratory testing
later indicated that the incidents were false alarms.
Analysis of these incidents reveals numerous problems related to the
detection and response to anthrax in the mail. At the Pentagon, DOD's
mail-screening contractor did not follow key requirements, such as
immediately notifying DOD after receiving evidence of contamination. At
the Skyline Complex, DOD did not ensure that the complex had a mail
security plan or that it had been reviewed, as required. The lack of a
plan hampered the response. DOD also did not fully follow the federal
framework-including the National Response Plan, which was developed to
ensure effective, participatory decision making. Instead of coordinating
with other agencies that have the lead in bioterrorism incidents, DOD
unilaterally dispensed antibiotics to its employees.
DOD has taken numerous actions that address problems related to the two
incidents. At the Pentagon, DOD's actions included selecting a new
mail-screening contractor and defining the roles and responsibilities of
senior leadership, including those involved in making medical decisions.
Related to Skyline, DOD prohibited its mail facilities in leased space
within the Washington, D.C., area from using biosafety cabinets to screen
mail unless the equipment is being operated within the context of a
comprehensive mail-screening program.
While DOD has made significant progress in addressing the problems that
occurred, its actions do not fully resolve the issues. One remaining
concern is whether DOD will adhere to the interagency coordination
protocols specified in the national plan for future bioterrorism incidents
involving the Pentagon. This concern arises because, more than 1 year
after the incident, DOD reiterated that it has the authority to make
medical decisions without collaborating or consulting with other agencies.
DOD also has not ensured, among other things, that its mail facilities (1)
have the required mail security plans and (2) are appropriately using
biosafety cabinets for screening mail.
*** End of document. ***