This is the accessible text file for GAO report number GAO-06-757 
entitled 'Mail Security: Incidents at DOD Mail Facilities Exposed 
Problems That Require Further Actions' which was released on September 
14, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Committee on Homeland Security and Governmental Affairs, 
U.S. Senate: 

United States Government Accountability Office: 

GAO: 

September 2006: 

Mail Security: 

Incidents at DOD Mail Facilities Exposed Problems That Require Further 
Actions: 

DOD Mail Security: 

GAO-06-757: 

GAO Highlights: 

Highlights of GAO-06-757, a report to the Committee on Homeland 
Security and Governmental Affairs, U.S. Senate 

Why GAO Did This Study: 

In March 2005, two well-publicized and nearly simultaneous incidents 
involving the suspicion of anthrax took place in the Washington, D.C., 
area. The incidents occurred at Department of Defense (DOD) mail 
facilities at the Pentagon and at a commercial office complex (Skyline 
Complex). While these incidents were false alarms, DOD and other 
federal and local agencies responded. The Postal Service suspended 
operations at two of its facilities and over a thousand DOD and Postal 
Service employees were given antibiotics as a precaution against their 
possible exposure to anthrax. 

This report describes (1) what occurred at the Pentagon and Skyline 
Complex mail facilities, (2) the problems we identified in detecting 
and responding to the incidents, (3) the actions taken by DOD that 
address the problems that occurred, and (4) the extent to which DOD’s 
actions address the problems. 

What GAO Found: 

Events leading up to the Pentagon incident began when a laboratory that 
tested samples from the Pentagon’s mail-screening equipment informed 
DOD’s mail-screening contractor that test results indicated the 
presence of anthrax in the mail. By the time the contractor notified 
DOD 3 days later, suspect mail had already been released and 
distributed throughout the Pentagon. DOD evacuated its mail-screening 
and remote delivery facilities, notified federal and local agencies, 
and dispensed antibiotics to hundreds of employees. The Skyline Complex 
incident began the same day when Fairfax County, Virginia, emergency 
personnel responded to a 911 call placed by a Skyline employee that an 
alarm had sounded on a biosafety cabinet used to screen mail. Local 
responders closed the complex and decontaminated potentially exposed 
employees, and DOD dispensed antibiotics to the employees. Similarly, 
the Postal Service suspended operations at two facilities and dispensed 
antibiotics to its employees. Laboratory testing later indicated that 
the incidents were false alarms. 

Analysis of these incidents reveals numerous problems related to the 
detection and response to anthrax in the mail. At the Pentagon, DOD’s 
mail-screening contractor did not follow key requirements, such as 
immediately notifying DOD after receiving evidence of contamination. At 
the Skyline Complex, DOD did not ensure that the complex had a mail 
security plan or that it had been reviewed, as required. The lack of a 
plan hampered the response. DOD also did not fully follow the federal 
framework—including the National Response Plan, which was developed to 
ensure effective, participatory decision making. Instead of 
coordinating with other agencies that have the lead in bioterrorism 
incidents, DOD unilaterally dispensed antibiotics to its employees. 

DOD has taken numerous actions that address problems related to the two 
incidents. At the Pentagon, DOD’s actions included selecting a new mail-
screening contractor and defining the roles and responsibilities of 
senior leadership, including those involved in making medical 
decisions. Related to Skyline, DOD prohibited its mail facilities in 
leased space within the Washington, D.C., area from using biosafety 
cabinets to screen mail unless the equipment is being operated within 
the context of a comprehensive mail-screening program. 

While DOD has made significant progress in addressing the problems that 
occurred, its actions do not fully resolve the issues. One remaining 
concern is whether DOD will adhere to the interagency coordination 
protocols specified in the national plan for future bioterrorism 
incidents involving the Pentagon. This concern arises because, more 
than 1 year after the incident, DOD reiterated that it has the 
authority to make medical decisions without collaborating or consulting 
with other agencies. DOD also has not ensured, among other things, that 
its mail facilities (1) have the required mail security plans and (2) 
are appropriately using biosafety cabinets for screening mail. 

What GAO Recommends: 

GAO is making recommendations to help improve the effectiveness of 
future DOD responses involving the suspicion of anthrax in the mail. 
DOD agreed with three of our recommendations but only partially agreed 
with our fourth. GAO retained this recommendation to ensure that DOD’s 
future approach to making medical decisions during bioterrorism 
incidents occur within the participatory federal framework. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-757]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Kate Siggerud at (202) 
512-2834 or siggerudk@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Each of the Incidents Presented a Different Situation and Response and 
Occurred over Several Days: 

Problems Encountered Reflect Both a Failure to Follow Existing Contract 
Provisions and Procedures and a Lack of Procedures and Plans: 

DOD Took Numerous Actions That Address Problems Related to the 
Incidents: 

DOD's Actions Do Not Fully Resolve Identified Problems: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Scope and Methodology: 

Appendix II: Comments from the Department of Defense: 

Appendix III: Comments from the General Services Administration: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Selected Agency Actions Specified in NRP's Biological Incident 
Annex: 

Table 2: Key Changes in the Pentagon's Mail-Screening Contract 
Provisions and Draft Mail-Screening Procedures: 

Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft 
Procedures: 

Figures: 

Figure 1: Chronology of Key Actions and Organizations Involved at 
Pentagon and Skyline Complex: 

Figure 2: DOD's Draft Procedures for Positive Test Results from the 
Pentagon's On-Site Chemical-Biological Laboratory: 

Abbreviations: 

CBI: Commonwealth Biotechnologies Incorporated: 

CDC: Centers for Disease Control and Prevention: 

DHS: Department of Homeland Security: 

DOD: Department of Defense: 

FBI: Federal Bureau of Investigation: 

GSA: General Services Administration: 

HHS: Department of Health and Human Services: 

LRN: Laboratory Response Network: 

MOU: memorandum of understanding: 

NIMS: National Incident Management System: 

NRP: National Response Plan: 

PFPA: Pentagon Force Protection Agency: 

TMA: TRICARE Management Activity: 

United States Government Accountability Office: 
Washington, DC 20548: 

September 15, 2006: 

The Honorable Susan M. Collins: 
Chairman: 
The Honorable Joseph I. Lieberman: 
Ranking Minority Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

Since the fall of 2001, when five persons, including two U.S. Postal 
Service employees, died from exposure to anthrax-contaminated mail 
delivered through the U.S. mail system, the nation has been acutely 
aware of the danger of bioterrorism using anthrax and other potentially 
fatal bacteria. The frequency of incidents involving suspicious 
packages or powder spills has increased dramatically since that time, 
due in part to hoaxes and concerns about leakages from mail that had 
previously been routinely handled. Concerns about anthrax in the mail 
have led federal agencies to establish mail-screening operations, 
including tests for anthrax, that have often resulted in false alarms. 

In March 2005, two well-publicized and nearly simultaneous incidents 
took place in the greater Washington, D.C., area. The incidents 
occurred at a Department of Defense (DOD) mail facility at the 
Pentagon, a building of national military significance located in 
Arlington County, Virginia, and another DOD mail facility in a 
commercial office complex (Skyline Complex), located about 5 miles away 
in Fairfax County, Virginia.[Footnote 1] While these incidents 
ultimately proved to be false alarms, DOD as well as other federal and 
local response agencies responded to the incidents. In the days that 
elapsed before authorities concluded that anthrax was not present in 
the mail or in the facilities, the Postal Service had suspended 
operations at two of its facilities, and over a thousand DOD and Postal 
Service employees had been given antibiotics as a precaution against 
their possible exposure to anthrax. 

You asked us to examine the response to the two March 2005 incidents. 
Specifically, this report addresses the following four questions: 

* What occurred at the Pentagon and Skyline Complex mail facilities? 

* What problems occurred in detecting and responding to these 
incidents, and why? 

* What actions have been taken by DOD that address the problems that 
occurred? 

* To what extent do these actions address the problems that occurred? 

To address these questions, we analyzed, among other things, pertinent 
after-action reports, incident timelines, the contract for mail-
screening services at the Pentagon, mail-screening procedures, federal 
mail management and other applicable regulations and guidance, and the 
federal framework for responding to biological incidents. We compared 
whether the actions taken by DOD, its mail-screening contractor at the 
Pentagon, and employees at the Skyline Complex were in accordance with, 
among other things, the existing contract provisions, mail-screening 
procedures, federal regulations and guidance, DOD's mail manual, and 
the federal framework for responding to biological incidents. We 
interviewed a wide range of federal and local officials involved in the 
response to the two incidents. We also interviewed personnel from the 
Pentagon's mail-screening contractor to obtain their perspective on 
what occurred at the Pentagon. We analyzed current procedures at the 
Pentagon related to detecting and responding to biological agents. To 
assist in our analyses, we reviewed previous GAO work regarding anthrax 
incidents, pertinent literature and previous GAO work on internal 
controls, guidance prepared by the Centers for Disease Control and 
Prevention (CDC) for responding to the detection of anthrax in the 
workplace, and regulations and guidance issued by the General Services 
Administration (GSA) on mail security and responding to biological 
threats in the mail. We performed our work from June 2005 to August 
2006 in accordance with generally accepted government auditing 
standards. Further details about our scope and methodology appear in 
appendix I. 

Results in Brief: 

Each of the incidents at the two mail facilities presented a different 
situation and response. Events leading up to the Pentagon incident 
began when a laboratory that tested samples from the Pentagon's mail- 
screening equipment informed DOD's mail-screening contractor on Friday 
afternoon, March 11, that one of its tests of the previous day's mail 
was positive for anthrax. By the time the mail-screening contractor 
notified DOD on Monday morning, March 14, about the results of Friday's 
test result and that additional testing of the sample over the weekend 
was also positive for anthrax, mail suspected of containing anthrax had 
already been released, picked up, and distributed throughout the 
Pentagon. While DOD officials responded by evacuating the Pentagon's 
mail-screening and remote delivery facilities, notifying numerous 
federal and local agencies, and dispensing antibiotics to hundreds of 
employees--including recipients of the mail that morning--officials 
from the Federal Bureau of Investigation (FBI) initially suspected a 
false alarm based on the totality of the evidence. The incident at the 
Skyline Complex began on Monday afternoon, March 14, when emergency 
personnel in Fairfax County, Virginia, responded to a 911 call placed 
by a Skyline employee that an alarm had sounded on a biosafety cabinet 
used to screen mail, including mail that had been picked up earlier 
that day from the Pentagon. Fairfax County responders closed the 
Skyline Complex, shut off elevators and the air-handling system, 
decontaminated potentially exposed employees, and tested the facility 
for anthrax contamination. The following day, DOD also dispensed 
antibiotics to potentially exposed employees at the Skyline Complex. 
The response to the incidents also affected the Postal Service's 
employees and operations. When Postal Service officials learned about 
the incidents, they immediately (1) suspended operations at two 
facilities that process mail to the Pentagon and conducted 
environmental testing at the facilities and (2) began dispensing 
antibiotics to their potentially exposed employees. Federal and local 
officials learned on Tuesday that the alarm that sounded on the 
biosafety cabinet used for mail-screening at the Skyline Complex 
indicated an airflow obstruction, not the presence of anthrax. 
Nevertheless, testing continued on samples taken from the facilities. 
The incidents were believed to be false alarms on Wednesday evening, 
March 16, after the interpretation of additional laboratory testing did 
not support the preliminary conclusion that the two facilities may be 
contaminated with anthrax. Both mail facilities reopened on Friday 
morning, March 18. Agency officials involved in the response believe 
that the positive tests at the Pentagon could have been the result of 
cross contamination in the laboratory. 

Analysis of these incidents reveals numerous problems related to the 
proper detection and response to anthrax in the mail, reflecting both a 
failure to follow existing contract provisions and procedures and, in 
some cases, a lack of procedures and plans. At the Pentagon, DOD's mail-
screening contractor did not follow two key requirements. Specifically, 
the contractor did not (1) notify DOD immediately after receiving 
evidence of possible contamination of the Pentagon's mail and (2) 
quarantine the mail until it received negative results from the 
laboratory. These problems were further exacerbated by a provision in 
DOD's contract with its mail-screening contractor that did not clearly 
specify how samples from the Pentagon were to be tested. The lack of 
clarity resulted in the use of a laboratory whose testing methods were 
unknown and whose results were questioned. At the Skyline Complex mail 
facility, basic procedures for responding to biohazards and other 
emergencies were inadequate or absent altogether resulting in (1) 
employees not knowing how to properly respond to the alarm on the 
equipment used for mail-screening, (2) employees and first responders 
not knowing about the equipment's limitations, and (3) employees being 
uncertain about whom to contact during a potential emergency. 
Additionally, DOD did not ensure that the Skyline Complex mail facility 
had developed a mail security plan or that it had been reviewed, as 
required, by a competent authority within DOD. The federal framework 
developed to help ensure effective decision making through a 
coordinated response--the National Response Plan and the National 
Incident Management System--was not fully followed. Instead of 
coordinating its actions with others--such as the Department of Health 
and Human Services (HHS), the primary federal agency responsible for a 
public health response to bioterrorism--DOD unilaterally decided to 
provide medication to its employees before having appropriate 
confirmation of laboratory test results. According to DOD officials, 
because the incident occurred at the Pentagon, they did not believe 
that the protocols in the National Response Plan applied. In addition, 
they said that they had the medical authority, experience, and 
resources to act on their own. While the NRP does not repeal DOD's 
medical authorities, making decisions without coordinating with other 
agencies is fundamentally at odds with the protocols specified in the 
National Response Plan and National Incident Management System. If DOD 
had fully coordinated with federal and local agencies as the framework 
prescribes, concerns such as the validity of test results could have 
been discussed and the provision of unnecessary medicine to most of the 
DOD employees (mail recipients and others who, in our view, would not 
likely have been exposed until after the mail's release from quarantine 
on Monday, March 14) may have been avoided. 

DOD has taken numerous actions that address problems related to the two 
incidents. Some actions, such as modernizing the Pentagon's mail- 
screening facility and changing the laboratory used to test daily 
samples, were under way prior to the incidents, but many others were 
taken in direct response to the incidents. At the Pentagon, for 
example, DOD selected a new mail-screening contractor, strengthened the 
new contract, and developed new mail inspection procedures. While still 
in draft form, the procedures are currently being used and require, 
among other things, verification of negative test results by multiple 
officials before quarantined mail is released. The establishment of 
stringent control mechanisms is likely to prevent future premature 
releases of potentially contaminated mail. DOD also drafted new 
notification procedures--which are also being used--for reporting 
positive test results to internal and external parties. The draft 
procedures are intended to improve the way DOD communicates to federal 
and local agencies during incidents. In addition, DOD is developing a 
new policy to define the roles and responsibilities of senior DOD 
leadership including those involved in making medical treatment 
decisions during incidents at the Pentagon. DOD also took actions to 
address problems related to the Skyline Complex incident. For example, 
DOD gathered some information about mail-screening operations in its 
facilities in the Washington, D.C., area and issued a directive 
prohibiting DOD mail facilities in leased space within the Washington, 
D.C., area from using equipment, including biosafety cabinets, to 
screen mail unless the equipment is being operated within the context 
of a comprehensive mail-screening program. Such a program includes the 
use of (1) trained mail screeners to sample equipment for biological 
agents and (2) an approved laboratory for analyzing the samples. 

Although DOD has made significant progress in addressing the problems 
related to the two incidents, its actions do not fully resolve the 
problems that arose. One remaining and overarching concern involves 
whether, despite its actions, DOD will adhere to the interagency 
coordination protocols in the National Response Plan and National 
Incident Management System--as it has agreed--or, instead, revert to 
the isolated decision-making approach it used at the Pentagon. While 
DOD is aligning its procedures to these interagency coordination 
protocols, in April 2006, a senior health official reiterated that DOD 
has the authority to make final decisions on medical treatment at the 
Pentagon without collaboration or consultation with other agencies-- 
including HHS, which under the National Response Plan is the primary 
federal agency responsible for coordinating a public health response 
involving an actual or potential biological terrorist attack. More than 
1 year later, DOD also has not developed a mail security plan for the 
Skyline Complex mail facility. More importantly, it is not known 
whether other DOD facilities also lack a plan because DOD does not have 
a process for certifying the existence of mail security plans and 
verifying that the plans have been reviewed by a competent authority. 
Finally, although DOD prohibits the use of mail-screening equipment, 
including biosafety cabinets, in DOD-leased facilities in the 
Washington, D.C., area unless the equipment is being operated within 
the context of a comprehensive mail-screening program, at the 
completion of our review, DOD still had not determined whether other 
biosafety cabinets are being used in the Washington, D.C., area or the 
conditions under which the equipment is being operated. 

We are making several recommendations to help improve the effectiveness 
of future DOD responses involving the suspicion of anthrax in the mail. 
Specifically, we recommend that the Secretary of Defense ensure that 
(1) any future medical decisions reached during potential or actual 
acts of bioterrorism at the Pentagon result from the participatory 
decision-making framework in the National Response Plan and the 
National Incident Management System, (2) appropriate officials at all 
of DOD's mail rooms develop effective mail security plans, (3) a 
competent DOD authority conducts an annual review of the plans' 
adequacy, and (4) any biosafety cabinets in use in DOD mail facilities 
in leased space in the Washington, D.C., area are being operated within 
the context of a comprehensive mail-screening program. 

We requested comments on a draft of this report from DOD, GSA, the 
Department of Justice, HHS, the Department of Homeland Security (DHS), 
and the Postal Service. Two of these agencies--DOD and GSA--provided 
written comments. DOD agreed with three of our four recommendations, 
indicating that it either was implementing, or intended to immediately 
implement, actions to address these recommendations.[Footnote 2] 
However, DOD only partially agreed with our remaining recommendation. 
We retained this recommendation to ensure that DOD's future approach to 
making medical decisions during bioterrorism incidents occur within the 
participatory federal framework. GSA's written comments clarified 
federal requirements related to the annual review of mail security 
plans. DOD's and GSA's comments are reprinted in appendixes II and III, 
respectively. DOD, the FBI (on behalf of the Department of Justice), 
CDC (on behalf of HHS), and the Postal Service provided technical 
comments, which we incorporated, as appropriate. DHS did not provide 
comments. 

Background: 

What Is Anthrax and Why Is It a Concern? 

Anthrax is an acute infectious disease caused by the spore-forming 
bacterium Bacillus anthracis. The anthrax bacterium is commonly found 
in the soil and forms spores (like seeds) that can remain dormant in 
the environment for many years. Human anthrax infections are rare in 
the United States and are usually the result of occupational exposure 
to infected animals or contaminated animal products, such as wool, 
hides, or hair. Although infection in humans is rare, a person can die 
if airborne anthrax spores are inhaled into the lungs. Once airborne, 
there is greater possibility that the spores will be inhaled. Medical 
experts believe that symptoms of inhalation anthrax (sore throat, 
muscle aches, and mild fever) typically appear within 4 to 6 days of 
exposure, depending on how the disease is contracted. While anthrax is 
potentially fatal, individuals who are exposed to anthrax spores will 
not necessarily develop the disease. Inhalation anthrax can be treated 
with antibacterial drugs, but medical treatment does not necessarily 
ensure recovery. Anthrax is not contagious. 

Anthrax is a potential terrorist weapon because, if refined and 
introduced into letters and packages, anthrax spores can be released 
into the air as letters are processed or opened. The use of the mail as 
a vehicle for transmitting anthrax threatens the nation's mail stream 
and places the American public and federal employees at risk. This is 
what occurred in 2001, when letters containing anthrax contaminated at 
least 23 Postal Service facilities and killed five of 22 individuals 
diagnosed with anthrax, including two Postal Service 
employees.[Footnote 3] Anthrax spores can be killed, however, through a 
process known as irradiation, which renders anthrax in the mail 
harmless for humans. 

How Is Anthrax Detected? 

Detecting anthrax involves many types of activities, including: 

* developing a sampling strategy for deciding how many samples to 
collect, where to collect them, and what collection methods to use; 

* collecting samples using, for example, dry or premoistened swabs; 

* transporting samples to laboratories for extraction and analysis; 

* extracting the sample material using specific procedures and fluids 
(such as sterile saline or water); and: 

* analyzing the samples using a variety of methods.[Footnote 4] 

To provide a coordinated clinical diagnostic testing approach for 
detecting anthrax and other bioterrorism threats, CDC, the Association 
of Public Health Laboratories, the FBI, and others collaboratively 
developed the Laboratory Response Network (LRN) in 1999.[Footnote 5] 
LRN laboratories (1) perform standard testing methods specified by CDC 
to either rule out or confirm the presence of anthrax and (2) provide 
public health organizations and others with rapid test results for use 
in making public health decisions. Generating a final test result 
involves both a presumptive and confirmatory test. Presumptive tests 
can be obtained within 2 hours and are considered "actionable" from a 
public health perspective. According to CDC, antibiotic medical 
treatment is recommended as soon as possible after the LRN has obtained 
a presumptive positive test result.[Footnote 6] Confirmatory tests take 
longer--generally 24 to 48 hours. 

What Is the Federal Framework for Responses Involving the Suspicion of 
Anthrax? 

The National Response Plan (NRP), which was developed by the federal 
government under the leadership of DHS, provides one part of the 
coordinated framework for how the United States will prepare for, 
respond to, and recover from domestic incidents. The Secretary of 
Defense, as well as the heads of 31 other federal departments and 
agencies, signed the Letter of Agreement contained in the NRP, 
indicating their agreement to abide by the NRP's incident management 
protocols. The December 2004 plan includes a Biological Incident Annex, 
which specifies actions that agencies should take when they become 
aware of a possible threat involving a biological agent. The annex also 
identifies the roles and responsibilities of various agencies that 
would respond to such an event. For example, as specified in the annex, 
HHS is the primary federal agency for coordinating a public health 
response involving an actual or potential biological terrorism attack. 
Table 1 identifies selected agency actions specified in the NRP's 
Biological Incident Annex. 

Table 1: Selected Agency Actions Specified in NRP's Biological Incident 
Annex: 

Response actions to be taken by agencies: The Department of Justice is 
to be notified through the FBI's Weapons of Mass Destruction Operations 
Unit. 

Response actions to be taken by agencies: The FBI, in turn, is to 
immediately notify DHS's Homeland Security Operations Center and the 
National Counterterrorism Center under the direction of the Director of 
National Intelligence. 

Response actions to be taken by agencies: The LRN is to be used to test 
samples for the presence of biological threat agents. 

Response actions to be taken by agencies: The FBI, in conjunction with 
HHS, is to make decisions on where to perform additional tests on 
samples. The FBI is to lead criminal investigations of terrorist acts 
or threats. 

Response actions to be taken by agencies: Once notified of a credible 
threat, HHS is to convene an interagency meeting to assess the 
situation and determine the appropriate public health response. HHS is 
to coordinate the overall public health response efforts across all 
federal departments and agencies. 

Response actions to be taken by agencies: DHS is to coordinate the 
overall nonmedical response actions across all federal departments and 
agencies. 

Source: Department of Homeland Security. 

[End of table] 

The other part of the federal framework is the National Incident 
Management System (NIMS), which was released in March 2004. NIMS is 
intended to provide a consistent and coordinated nationwide approach 
for federal, state, and local governments to work effectively and 
efficiently together to prepare for, respond to, and recover from 
domestic incidents, including those involving biological incidents, 
regardless of their cause, size, and complexity. NIMS applies to all 
levels of government, and for the federal government, including DOD, it 
is prescriptive. A key component of NIMS is the incident command 
system, which is designed to integrate the communications, personnel, 
and procedures of different agencies and levels of government within a 
common organizational structure during an emergency. Another key 
component of NIMS is the establishment of a joint information center-- 
with representatives from all affected parties and jurisdictions--to 
provide a unified communication message to the public during 
emergencies. 

What Federal Requirements Exist for Agencies to Follow? 

GSA and DOD have requirements for agencies to follow in protecting 
employees in mail facilities and ensuring effective mail operations. 
For example, GSA's federal mail management regulation requires[Footnote 
7] 

* every federal agency and agency location with one or more full-time 
personnel processing mail to have a written mail security plan 
including, among other things, procedures for safe and secure mail room 
operations, plans for security training for mail employees, and plans 
for annual reviews of the agency's mail security plan and facility- 
level mail security plans; and: 

* large agencies, such as DOD, that spend over $1 million annually on 
postage to annually (1) verify that facility-level mail security plans 
have been reviewed and (2) report to GSA that all facility-level mail 
security plans have been reviewed by a competent authority within the 
past year. 

GSA also issues guidance and recommendations for effectively managing 
mail programs, including recommendations on the content of mail 
security plans.[Footnote 8] For example, GSA recommends that agencies: 

* develop a communication plan for responding to threats that includes 
names and phone numbers to call during emergencies; 

* establish and maintain partnerships with personnel who respond to 
emergencies (first responders); and: 

* create a program for training employees on how to respond to 
biological threats, including refresher training on a regular basis. 

DOD's mail manual, effective December 2001, implements DOD's mail- 
related requirements.[Footnote 9] DOD requires its components to comply 
with GSA's federal mail management regulation, including the 
requirement that each mail center develop a written mail security plan 
and have it reviewed annually by a competent authority. 

Beyond mail-related requirements, GSA also requires the highest- 
ranking federal official of the largest agency in GSA-controlled 
(leased) office space to develop an occupant emergency plan.[Footnote 
10] GSA guidance related to this requirement recommends that the 
occupant emergency plan describe, among other matters, critical 
information about the office space and actions to be taken during 
emergencies. 

The GAO Comptroller General's Standards for Internal Control in the 
Federal Government provides the overall framework for agency management 
to establish and maintain effective internal control.[Footnote 11] 
Establishing effective internal controls is a major part of managing an 
organization. Such controls include the plans, methods, and procedures 
to be used to meet an organization's mission, goals, and objectives by, 
among other things, monitoring performance, training employees, and 
ensuring that federal requirements, such as GSA and DOD mail security 
requirements, are followed. 

How Did the Pentagon and Skyline Complex Process Mail in March 2005? 

The Pentagon receives its mail from the Postal Service as well as from 
commercial courier services. The Postal Service irradiates almost all 
first-class mail delivered to the Pentagon and other federal agencies 
in the Washington, D.C., area, from its facilities on V Street, N.E. in 
Washington, D.C. (the V Street Operation). In March 2005, Pentagon mail 
was delivered from the V Street Operation to a mail-screening facility 
located within the Pentagon remote delivery facility--a 250,000-square- 
foot shipping and receiving facility adjoining the Pentagon. 
Technicians dressed in protective gear then screened the mail over a 
custom-designed table equipped with four filters intended to capture 
any particles that might fall from the mail. The table used a negative 
airflow system that was intended to keep microscopic particles from 
dispersing back into the mail-screening facility. 

At the time of the March 2005 incident at the Pentagon, employees of 
Vistronix Incorporated (Vistronix)--the Pentagon's mail-screening 
contractor--collected and sent daily samples from each of the four 
filters to Commonwealth Biotechnologies Incorporated (CBI)--a private 
laboratory in Richmond, Virginia. Vistronix subcontracted the daily 
testing of the Pentagon's mail to CBI. The opened mail was then shrink- 
wrapped and quarantined in a secure room until CBI notified Vistronix 
of negative test results by either fax or e-mail. Upon receipt of 
negative test results, a Vistronix employee released the mail from 
quarantine. Once released from quarantine, mail employees placed the 
mail into mailboxes at the Defense Post Office, where it awaited pickup 
by Pentagon employees. 

The TRICARE Management Activity (TMA) mail room at the Skyline Complex 
received and processed mail differently from the Pentagon.[Footnote 12] 
It received a small amount of its mail from the Pentagon, but most of 
its mail came from a Postal Service facility in Merrifield, Virginia, 
according to a TMA mail room official. The TMA mail room had a 
biosafety cabinet, an X-ray machine, and two full-time employees. The 
biosafety cabinet had a negative airflow system with filters for 
capturing and holding any particles that fell from envelopes or 
packages being opened. While the cabinet was used for mail screening, 
it was not capable of detecting anthrax. 

Each of the Incidents Presented a Different Situation and Response and 
Occurred over Several Days: 

The two incidents involving the suspicion of anthrax occurred over 
several days, but the most significant actions occurred the same day-- 
Monday, March 14, 2005. The Pentagon incident occurred first and was 
the result of positive test results for anthrax in the mail. The 
Skyline Complex incident occurred later that day when an alarm sounded 
on the biosafety cabinet that employees took as a sign that 
contaminated mail had been passed from the Pentagon to the Skyline 
Complex.[Footnote 13] Combined, the incidents set in motion a large- 
scale response that also affected Postal Service employees and 
operations. The response ended a few days later, when further testing 
confirmed that anthrax was not present at either DOD facility or in the 
mail. Figure 1 shows a chronology of the key actions and organizations 
involved in the two incidents. The discussion that follows explains 
each incident in turn. 

Figure 1: Chronology of Key Actions and Organizations Involved at 
Pentagon and Skyline Complex: 

[See PDF for image] 

Source: GAO analysis of information from various sources. 

[End of figure] 

The Pentagon Incident Was Triggered from Tests Indicating the Presence 
of Anthrax: 

Events leading up to the Pentagon incident began on Thursday afternoon, 
March 10, 2005. After screening the mail in a facility at the Pentagon 
remote delivery facility, Vistronix employees routinely collected swab 
samples from four filters and sent them to CBI for analysis. According 
to Vistronix's account of events associated with the incident, about 
4:00 p.m. on Friday afternoon, March 11, a representative from CBI 
informed the Vistronix Director that one of four swab samples collected 
and tested from Thursday's mail was positive for anthrax. The Director 
requested the laboratory to conduct additional testing over the weekend 
but did not notify Defense Post Office officials of the initial 
positive test results. On Monday morning, March 14, at about 6:00 a.m., 
the Vistronix Director informed a member of his staff (the site 
supervisor) that while additional laboratory results for Thursday's 
mail had not yet been received, test results for Wednesday's mail were 
negative, and, therefore, Wednesday's mail was cleared for release. The 
site supervisor misunderstood the conversation, incorrectly concluding 
that mail from both days could be released from quarantine, and, 
consequently, he called his staff to release the mail. At about 6:30 
a.m., Thursday's mail was released, and, shortly thereafter, employees 
of the Defense Post Office began processing the mail for distribution. 
According to Vistronix, at about 9:10 a.m., the laboratory notified 
Vistronix that additional testing of Thursday's swab sample was also 
positive. By the time Vistronix notified a Defense Post Office official 
of the second test result at about 9:25 a.m., an unspecified amount of 
the mail suspected of containing anthrax had already been picked up and 
distributed throughout the Pentagon. 

These developments initiated a wide-ranging response. At about 10:15 
a.m., a Defense Post Office official notified the Pentagon Force 
Protection Agency (PFPA)--the law enforcement agency responsible for 
protecting people, facilities, and infrastructure on the Pentagon 
Reservation.[Footnote 14] In the 2 hours that followed, PFPA: 

* shut down the Pentagon remote delivery facility, 

* coordinated with mail officials to identify possible recipients of 
Thursday's mail, 

* secured the perimeter around the remote delivery facility with the 
help of antiterrorism units, and: 

* evacuated the majority of the employees from the remote delivery 
facility to the Pentagon's former child development center.[Footnote 
15] 

PFPA continued to lead the response in the hours that followed. The 
Arlington County Emergency Communications Center sent emergency 
personnel to the scene after it was notified through official channels 
at about 10:37 a.m. Emergency personnel typically take charge of 
incidents when the affected individuals have immediate medical needs. 
However, when they arrived, they said none of the employees appeared to 
have symptoms of illness. As a result, PFPA and Arlington County agreed 
that PFPA would continue to lead the response. According to a DOD 
timeline of the incident, DOD also attempted to notify the following 
federal and local offices: 

* 12:10 p.m.: First broadcast message sent to local public safety and 
emergency management response agencies. 

* 12:15 p.m.: FBI's Washington Field Office and the Weapons of Mass 
Destructions Operations Unit at FBI Headquarters. 

* 12:30 p.m.: Office of the Postmaster General--the executive head of 
the Postal Service . 

* 12:40 p.m.: Department of Homeland Security's Operations Center. 

When FBI staff arrived on the scene at about 1:00 p.m., they began to 
assess the incident's credibility. According to FBI officials, the 
totality of the initial evidence suggested a false alarm. First, only 
one of the four swab samples collected and tested from the filters on 
Thursday was positive for anthrax. If an actual incident had occurred, 
FBI officials said, it would have been reasonable to expect that all 
four samples would have been contaminated because, based on experience 
gained during the fall of 2001 anthrax attacks, once airborne, anthrax 
spores disperse over a wide area. In addition, tests conducted on 
Friday's mail were negative. FBI officials said that if anthrax had 
contaminated Thursday's mail, it would likely have contaminated the 
entire mail-screening facility, leaving residual spores that also would 
have been detected in the samples taken from Friday's mail. While 
suspicious of a false alarm, the FBI declared the Pentagon remote 
delivery facility a crime scene based on the evolving response of other 
agencies and the need to further assess the evidence. 

During the afternoon hours, two DOD Health Affairs officials 
responsible for responding to medical issues on the Pentagon 
Reservation--the Commander of the DiLorenzo TRICARE Health Clinic and 
DOD's Assistant Secretary for Health Affairs--began providing medical 
treatment to (1) employees working at the remote delivery facility 
where the mail-screening facility was located, (2) Pentagon mail 
recipients, and (3) the mail-screening technicians. DOD health 
officials estimate that, in total, they dispensed an initial 3-day 
course of antibiotics to about 889 potentially affected employees. 
According to the officials involved, their decision to immediately 
dispense antibiotics as a precautionary measure was based on the 
laboratory's positive test results and their experiences gained in the 
fall of 2001. DOD's Assistant Secretary for Health Affairs told us that 
at about 1:00 p.m., he conferred with the CDC Director about DOD's 
medical decision, and that she agreed with the decision. According to 
the CDC Director, the call was made to inform her about the decision 
that DOD had already reached. The Director of CDC said that even if the 
purpose of the call had been to seek her advice on medical treatment 
options, she could not have offered a medical opinion because of 
insufficient information, especially with respect to the reliability of 
the laboratory's test results. She stressed the need for clear, 
accurate, and understandable information for making decisions about 
medical treatment. Such information, she said, is typically developed 
collaboratively with all appropriate parties involved. After the 
conversation, she said she contacted the CDC operations center that 
handles such incidents to ensure that appropriate CDC personnel were 
aware of the incident. While HHS is the primary agency responsible for 
a public health response, according to an HHS official, the CDC 
operations center--not DOD--subsequently contacted the HHS operations 
center. 

As officials from additional federal agencies became aware of the 
incident, several interagency conference calls were held. The first of 
these calls was convened by HHS officials at about 5:00 p.m.[Footnote 
16] Officials from HHS said the purpose of the conference call was to 
obtain a basic understanding of what had occurred at the Pentagon (and 
at the Skyline Complex, where the second incident had already begun), 
so that decisions could be made on how to respond appropriately. 
According to HHS and DHS officials, decision makers needed answers to 
such questions as what analysis had been done, what procedures had been 
used by the contract laboratory, and how the Pentagon samples had been 
collected. Obtaining such information was critical to determining 
whether people had been exposed to anthrax, whether the two incidents 
were linked, and what the appropriate response should be. However, 
according to DHS and HHS officials, DOD could not adequately answer 
these and other questions. 

On Monday afternoon, DOD took the samples from CBI for analysis to Fort 
Detrick, located in Frederick, Maryland--the site of two key federal 
laboratories.[Footnote 17] The samples arrived at about 5:30 p.m. Over 
the next few days, the laboratories at Fort Detrick conducted numerous 
tests of the Pentagon's samples as well as environmental samples taken 
from the Pentagon. Late Wednesday evening, results of additional 
testing indicated that anthrax was not present in samples collected 
from the Pentagon's mail-screening facility. Agency officials involved 
in the response believe that the initial positive test result could 
have been caused by cross contamination at CBI. The facility reopened 
on Friday, March 18. 

The Skyline Complex Incident Resulted from an Alarm on Equipment Used 
for Mail Screening: 

The incident at the Skyline Complex began several hours after the 
Pentagon incident began. At about 10:00 a.m., a TMA employee picked up 
mail from the Pentagon and, by 11:30 a.m., had distributed some of the 
mail within the Skyline Complex--a large office complex of privately 
owned buildings in Fairfax County, Virginia.[Footnote 18] According to 
officials at the Skyline Complex, an employee received an urgent 
telephone call around noon indicating an unspecified problem with the 
Pentagon's mail and directing that any mail from the Pentagon be 
retrieved. The caller did not provide any further explanation, 
according to the official. TMA mail room employees retrieved the mail 
they had already delivered, emptied mailboxes, and placed some of the 
mail in trash bags. About 1:00 p.m., a TMA mail room employee was 
screening other mail from the Pentagon using the biosafety cabinet when 
the cabinet's alarm sounded. According to mail room employees, they 
made several unsuccessful attempts to telephone the manufacturer and 
the maintenance contractors for help. In addition, DOD's manager of the 
complex told us that she called PFPA for guidance on how the cabinet 
operated, but the PFPA official was not aware of the type of equipment 
in use at the complex, and consequently, he was not able to tell her 
what to do.[Footnote 19] Finally, at 2:09 p.m., a Skyline employee 
called the Fairfax County 911 emergency line. 

Fairfax County emergency responders (fire, police, public health, and 
hazardous material units) arrived on the scene shortly thereafter. They 
led the incident over the next few hours and took several actions, 
including: 

* closing the Skyline Complex and securing its exits, 

* shutting off its elevators and air-handling systems, 

* developing and providing health information to occupants, 

* collecting contact information from the occupants, 

* decontaminating some employees who were sheltering in place, and: 

* obtaining and testing environmental samples from the complex and 
attempting to remove filters from the biosafety cabinet in order to 
perform additional tests.[Footnote 20] 

According to Fairfax County responders, they attempted to hold all 
occupants within the Skyline Complex because they anticipated receiving 
results of environmental testing Monday afternoon. They explained that 
having the complex occupants together would help them provide 
information to the occupants and coordinate any further responses that 
may be necessitated by the results of the environmental testing. Test 
results were delayed, however, and the majority of the Skyline Complex 
employees began to be released. Just prior to this, at about 7:30 p.m., 
Fairfax County responders began decontaminating 45 of the complex's 
employees who were believed to be at high risk for exposure to anthrax. 
The initial environmental test results--available on Tuesday--were 
inconclusive and, as a result, Fairfax County and FBI responders 
collected additional environmental samples for analysis at Fort 
Detrick. On Tuesday afternoon, DOD dispensed antibiotics to the 45 high-
risk employees. This incident began to de-escalate on Tuesday evening 
as officials learned that the alarm that sounded on the biosafety 
cabinet used for mail screening indicated only an airflow obstruction, 
not the presence of anthrax. By Wednesday evening, laboratory results 
from environmental samples indicated that anthrax was not present at 
TMA's mail room in the Skyline Complex. The majority of the Skyline 
Complex reopened on Thursday, while TMA's mail room reopened on Friday 
morning, March 18. 

The Incidents Also Affected Postal Service Employees and Operations: 

A DOD official called the Postmaster General to inform him of the 
Pentagon incident at about 12:30 p.m. on Monday, March 14, 2005, but 
neither the Postmaster General nor other Postal Service executive were 
available to receive the call. The DOD official left a voice-mail 
message, but according to the Postal Service's Senior Vice President 
for Government Relations, the message did not convey any urgency about 
the potential for anthrax in the mail. Furthermore, by the time Postal 
Service officials listened to the message, they had already heard about 
the incident through the local media. At about 5:00 p.m., when Postal 
Service officials learned at the first interagency conference call that 
DOD had provided antibiotics to Pentagon employees, Postal Service 
officials acted quickly to protect their employees who, days earlier, 
might have processed the mail. Thus, by Monday evening, the Postal 
Service had suspended operations at its V Street Operation and had 
immediately begun dispensing antibiotics to its employees. In total, 
over 160 Postal Service employees were treated for their possible 
exposure to anthrax. On Tuesday, March 15, the CDC's National Institute 
for Occupational Safety and Health provided technical assistance to the 
Postal Service in designing an environmental testing strategy for the V 
Street Operation.[Footnote 21] By Wednesday morning, March 16, results 
from environmental testing of the V Street Operation were negative for 
anthrax. The Postal Service reopened the V Street Operation in the 
afternoon. 

Problems Encountered Reflect Both a Failure to Follow Existing Contract 
Provisions and Procedures and a Lack of Procedures and Plans: 

DOD encountered numerous problems during the two March 2005 incidents. 
At the Pentagon, these problems primarily involved not following 
required mail-screening contract provisions and procedures. The failure 
to follow these requirements resulted in, among other things, the 
premature release of the potentially contaminated mail that caused the 
incident at the Pentagon. In addition, the Pentagon's contract for mail 
screening lacked a clear provision specifying required testing methods, 
which resulted in the use of a laboratory whose testing methods were 
unknown and whose results were not actionable--this, in turn, 
exacerbated the incident at the Pentagon. At the Skyline Complex mail 
facility, problems were even more basic, in that required procedures 
and plans for responding to biohazards and other emergencies were 
inadequate or absent altogether. Further, at the Pentagon, the federal 
framework developed to, among other things, help ensure more effective 
decision making through the coordinated response of all affected 
parties and decision makers was not fully followed. If the framework 
had been fully followed, decisions regarding medical treatment of DOD 
and Postal Service employees may have been improved. 

At the Pentagon, the Mail-Screening Contract Provisions and Procedures 
Were Not Followed: 

Vistronix did not follow contract provisions and mail inspection 
procedures related to the detection and response to potential biohazard 
emergencies involving the Pentagon's mail. The contractor developed 
procedures for implementing the contract's mail-screening requirements, 
which described the process by which mail entering the Pentagon would 
be inspected, tested, quarantined, and released. DOD approved the 
procedures, but the contractor failed to follow two key requirements. 

* Mail-screening contractor did not provide timely notification of 
potential contamination. Both the contract and the approved mail 
inspection procedures provided specific notification requirements for 
informing DOD of potential biohazardous situations involving the 
Pentagon's mail. The contract required Vistronix to notify PFPA 
"immediately" if there were any evidence of risk or possible 
contamination of the mail. Similarly, the mail inspection procedures 
required PFPA to be contacted (1) within 1 minute of an actual or 
potential event involving contamination and (2) when a positive test 
result occurred "at any point" in the testing process. The laboratory 
informed the Vistronix Director that a sample from Thursday's mail had 
tested positive for anthrax on Friday afternoon, March 11. Instead of 
immediately notifying PFPA as required, however, the Director asked the 
laboratory to conduct additional tests over the weekend. The contractor 
did not inform DOD of the suspected mail contamination until after it 
received the second positive test result on Monday, March 14--about 2- 
˝ days after the notification should have occurred. According to the 
Vistronix Director, he believed the procedures required them to notify 
DOD only after a second positive test result. The contractor's untimely 
notification created a sense of urgency within DOD to quickly provide 
antibiotics to its employees--before consulting, as specified in the 
NRP, with other agencies about the proper medical response. 

* Mail-screening contractor did not quarantine mail until it received 
negative test results from the laboratory. The contract required 
Vistronix to quarantine the mail until receipt of negative test 
results. Similarly, the mail inspection procedures required Vistronix 
to hold (i.e., "not release for delivery") the Pentagon's mail until 
the laboratory had reported negative test results to Vistronix. The 
procedures also noted that a positive result "at any point" 
necessitates sequestering all potentially contaminated mail. Vistronix 
failed to follow these requirements. Specifically, while the Vistronix 
Director was aware of an initial positive test result on Friday, he did 
not ensure that the mail remained quarantined until receipt of negative 
test results from the laboratory. Instead, miscommunication among 
Vistronix staff led to the mail's release several hours before the 
laboratory informed Vistronix that its weekend test results were also 
positive for anthrax. The premature release of the potentially 
contaminated mail resulted in a broad response at the Pentagon, the 
Skyline Complex, and the Postal Service's V Street Operation. 

The Pentagon's Mail-Screening Contract Provision for Testing Samples 
Was Also Unclear: 

The testing provision in the mail-screening contract required Vistronix 
to test samples from the mail-screening equipment in accordance with 
unspecified "CDC guidelines." However, Defense Post Office officials-- 
including the contracting officer's representative who had 
responsibility for overseeing the contract--told us that they did not 
identify the specific guidelines to be used and were unaware that the 
CDC publishes both general testing guidelines, which are available in 
the public domain, and guidance and protocols for anthrax testing by 
the LRN, which are available only to LRN laboratories.[Footnote 22] The 
officials explained that even if they had known which guidelines DOD 
expected to be followed, they did not have the technical expertise to 
determine whether the contract's testing provision was being followed. 
Defense Post Office officials further explained that the contract was 
awarded quickly in 2001 after the nationwide anthrax attacks. Their 
office was tasked with overseeing the contract, they said, because at 
that time the office was the "executive agent for mail in the 
Pentagon"--not because it had any expertise or training on these 
matters.[Footnote 23] According to Defense Post Office officials, the 
lack of technical expertise regarding anthrax at that time contributed 
to the lack of clarity in the contract's testing provision. Their lack 
of expertise also caused them to conclude that CBI met all CDC and 
federal guidelines, in part, because Vistronix had informed DOD that 
CBI was a certified CDC laboratory that adhered to CDC guidelines. An 
independent review of CBI, the subcontract laboratory, sponsored by DOD 
and conducted in April 2005 found that CBI analyzed the Pentagon's 
samples using testing methods that differed from CDC's guidance and 
protocols. The review also found that Vistronix's contract with CBI did 
not require the laboratory to verify its testing methods. By March 
2005, DOD and Vistronix had had 3-˝ years to specify its testing 
requirements for the contract. An unclear contracting provision, 
combined with the lack of oversight by both DOD and Vistronix, resulted 
in the use of a laboratory whose testing methods were unknown and whose 
results were not actionable. The effect of these events was evident 
when DOD officials could not adequately explain to other agency 
officials what (1) tests CBI had conducted, (2) methods CBI had used, 
and (3) the results meant. DOD's inability to provide adequate answers 
to these and other crucial questions exacerbated the incident at the 
Pentagon and slowed the response since officials from other agencies 
were skeptical of the laboratory's results. 

At the Skyline Complex, Basic Response Procedures Were Inadequate or 
Absent Altogether: 

At the Skyline Complex, basic procedures for responding to a 
biohazardous incident were inadequate or absent for the TMA mail 
facility in the Skyline Complex. The following three key elements were 
either inadequate or absent. 

* First, TMA did not ensure that mail room procedures addressed what to 
do, or whom to notify, when the equipment alarm sounded or that 
employees were properly trained on the equipment. TMA is responsible 
for ensuring that adequate procedures are in place and effective 
training occurs, so that employees can perform their duties 
competently. Although some procedures were in place at the Skyline 
Complex, they did not address the capabilities of the biosafety cabinet 
or what to do if the alarm on the equipment sounded. At the time of the 
incident, the mail room's procedures provided, among other things, (1) 
basic instructions for using the biosafety cabinet, including how to 
turn the machine on and off and how to open the mail, and (2) 
information about whom to notify when a suspicious package was 
discovered. The procedures did not address what the biosafety cabinet 
did, how it worked, or how to respond to its built-in alarm. The TMA 
mail manager noted that training on the biosafety cabinet had occurred 
when the machine was purchased in 2001, but no subsequent training had 
been conducted.[Footnote 24] In the meantime, he said, staff turnover 
and the absence of additional training had led to a lack of 
understanding about the equipment's capabilities. In addition, while 
the procedures specified whom to call if suspicious mail is discovered, 
the procedures did not address whom to contact when the equipment's 
alarm sounded.[Footnote 25] If procedures were adequate and periodic 
training had occurred, employees would likely have known that, although 
the equipment had a negative airflow system with filters for capturing 
and holding any particles that fell from envelopes or packages being 
opened within the equipment, it did not detect biohazards and its alarm 
sounded only to indicate an airflow obstruction. Instead, in 
conjunction with the phone call indicating an unspecified problem with 
the Pentagon's mail, mail room employees assumed the alarm was 
signaling the presence of biohazards in the mail. Because TMA employees 
lacked adequate information and training on the equipment, they 
unnecessarily contacted first responders. 

* Second, neither TMA nor DOD ensured that the required mail security 
plan was in place. Both TMA and DOD have responsibilities for ensuring 
that an adequate mail security plan exists for the mail room in the 
Skyline Complex. GSA's federal mail management regulation and DOD's 
mail manual both require mail security plans for agency mail rooms. 
According to GSA's regulation,[Footnote 26] security plans must include 
(1) procedures for safe and secure mail room operations, (2) plans for 
training mail room personnel, and (3) plans for annually reviewing 
agency and facility-level mail security plans. In addition, DOD's mail 
manual requires DOD's mail room officials to ensure that their mail 
security plans are coordinated with local security officials. TMA did 
not develop the required security plan. If TMA had developed a plan and 
coordinated it with local officials, Fairfax County emergency 
personnel--the local first responders--may have learned about the 
biosafety cabinet's limitations, including the meaning of the 
equipment's audible alarm. Furthermore, DOD did not ensure that TMA had 
developed a plan, or attempt to review it for adequacy, as required. 
GSA's federal mail management regulation requires that facility level 
mail security plans be annually reviewed. Moreover, as specified in the 
regulation, DOD must annually report to GSA that its mail security 
plans have been reviewed by a competent authority within the past year. 
GSA officials noted that DOD's Official Mail Manager submits a 
certification form to GSA annually; however, the form does not indicate 
that DOD's (1) plans exist and that (2) the plans have been reviewed by 
a competent authority in the past year. Instead, the form submitted to 
GSA simply certifies that DOD has the requisite requirements in place. 
According to DOD's Official Mail Manager,[Footnote 27] he cannot 
certify that all DOD mail rooms have mail security plans or that they 
have been reviewed by a competent authority because DOD does not have a 
process in place to ensure that the required reviews take 
place.[Footnote 28] He further explained that he lacks the time and 
resources to review the plans. If TMA and DOD had followed the 
applicable requirements, the problem that occurred at the Skyline 
Complex may have been avoided. 

* Third, the Defense Information Systems Agency had not developed an 
Occupant Emergency Plan. GSA requires agencies of GSA-controlled 
buildings to have an occupant emergency plan for protecting life and 
property during an emergency. Critical elements of the plan include (1) 
evacuation and sheltering-in-place information; (2) contact information 
and emergency phone numbers; and (3) specific information about the 
building's construction, including its floor plans. The highest ranking 
official of the largest agency in each GSA-controlled building is 
responsible for developing and maintaining the occupant emergency 
plan.[Footnote 29] In March 2005, the Defense Information Systems 
Agency (Defense Agency) was the largest agency in the Skyline Complex. 
According to officials from the Defense Agency, they were aware of the 
agency's responsibility for developing the occupant emergency plan as 
early as June 2002. Defense Agency officials had drafted a plan by the 
time of the incident, but had neither distributed it to other federal 
occupants of the complex nor coordinated it with first responders. 
Moreover, employees had not been trained on the plan and affected 
federal agencies had not agreed to or signed the plan. Officials of the 
Defense Agency commented that developing an occupant emergency plan 
takes a great deal of coordination among participating agencies, which 
prolongs the plan's completion. The lack of a required occupancy 
emergency plan contributed to the difficulties that employees and first 
responders experienced during the incident. For example, first 
responders had difficulty getting critical information to employees 
because contact information was not readily available for federal 
employees in the complex. In addition, since information about the 
complex was not readily available, some employees were able to exit the 
complex because Fairfax County police, who had attempted to secure the 
Skyline Complex, were unaware of all the existing exits. 

DOD Did Not Fully Follow the Federal Framework for Coordinating 
Responses at the Pentagon: 

DOD did not fully follow the federal framework for coordinating a 
response to the potential anthrax incident at the Pentagon; instead, it 
chose to make decisions on its own. The federal framework is set forth 
in the NRP and NIMS, which specifies a structured and coordinated 
approach for involving federal, state, and local agencies in decision 
making. The unifying element of this framework is the ability to 
harness the resources of various agencies whose expertise and knowledge 
help ensure informed decisions about how to proceed in any given 
situation. While DOD initially followed NIMS when it established its 
incident command at the Pentagon,[Footnote 30] as the incident evolved, 
key aspects of the federal framework were not followed. Here are three 
examples: 

* First, DOD did not fully follow NRP's notification structure. NRP's 
Biological Incident Annex requires every federal agency to first notify 
the FBI if it becomes aware of an overt threat involving biological 
agents. While DOD officials did notify the FBI, it was not until almost 
3 hours after they first became aware of the Pentagon's positive test 
results. Earlier notification would have likely helped with the 
evaluation of test results and allowed federal agencies to collectively 
coordinate a proper course of action, particularly because, as 
discussed earlier, FBI officials began questioning the incident's 
credibility after arriving on scene. The Biological Incident Annex also 
designates HHS as the federal agency responsible for coordinating a 
public health response involving bioterrorism threats. DOD officials 
never notified HHS but, instead, called the Director of CDC to disclose 
their intention to administer antibiotics to DOD employees. The 
Director of CDC, not DOD, alerted the CDC operations center, which, in 
turn, notified HHS's operations center at about 4:00 p.m. on Monday. As 
specified in the Biological Incident Annex, once HHS officials were 
notified of a credible threat, they convened an interagency conference 
call approximately 1 hour later to coordinate a possible medical 
emergency response. However, by then, DOD had already begun to 
administer antibiotics to its employees. As a result, any advice any 
guidance on (1) medical treatment options or (2) the validity of the 
laboratory's test results that other agency officials may have offered 
were essentially moot. 

* Second, DOD failed to follow NIMS protocols regarding joint decision 
making. Under NIMS, the incident commander is responsible for the 
entire response to an incident. To assist with various aspects of a 
multijurisdictional response, the incident commander is expected to 
assemble federal, state, and local agencies to serve in a unified 
command. The unified command includes representatives from all agencies 
and organizations that have responsibility for, or can provide support 
to, an incident. Collectively, the unified command is expected to 
consider and help make decisions on all objectives and strategies 
related to an incident. At the Pentagon in March 2005, PFPA included 
federal and local agencies in the response; however, the response 
structure never matured into a unified command, especially when some 
decisions--especially those related to medical treatment--were made 
outside the command structure. DOD essentially had two separate 
incident responses: PFPA acted as the incident commander for the 
evacuation and containment of Pentagon employees, while DOD's Health 
Affairs made unilateral decisions regarding the employees' medical 
treatment. According to local public health officials, DOD did not 
consult them on the proper course of action regarding whether, or how, 
to intervene medically. Had information and decisions flowed through a 
unified command structure, local public health officials could have 
raised the concerns they had about providing antibiotics without a 
confirmed LRN test result. Additionally, if medical treatment decisions 
had been made collaboratively, DOD and local public health officials 
could have (1) agreed on a strategy for treating potentially affected 
individuals, including access to additional medication and follow-up 
treatment; and (2) discussed the potential ramifications of initially 
providing ciprofloxacin to DOD employees.[Footnote 31] According to 
local public health officials, DOD's initial provision of ciprofloxacin 
to DOD employees set a precedent that essentially eliminated other 
antibiotic treatment options, given the health officials' desire to 
ensure that potentially affected individuals would be treated 
consistently.[Footnote 32] Had medical decisions been made within the 
context of a unified command, a different decision may have been 
reached and hundreds of DOD employees--with no, or limited, exposure to 
potential contamination--may not have received unnecessary medication. 

* Third, DOD did not coordinate the initial public response to the 
incidents. An important outcome envisioned in the federal framework is 
effective management of information available to the public. The NIMS 
structure calls for a joint information center to provide a location 
for organizations participating in the management of the incident to 
work together to ensure that timely, accurate, easy-to-understand, and 
consistent information is disseminated to the public. The joint 
information center is supposed to have representatives from each 
organization involved in the management of an incident. DOD did not 
establish a joint information center at the start of the incidents, and 
it did not have clear written procedures for doing so. As a result, the 
public received unclear and inconsistent messages about, among other 
matters, the source of the anthrax. For example, media accounts 
reported that mail through the Postal Service caused the incidents 
when, in fact, the source of possible contamination was unknown. 
According to the Postal Service, this resulted in unnecessary anxiety 
among Postal Service workers, their families, and recipients of Postal 
Service mail. 

According to DOD health officials responsible for making medical 
decisions at the Pentagon, they based their medical treatment decision 
on the experiences they gained from the fall 2001 anthrax incidents. 
The officials explained that they were very sensitive to what they 
perceived to be untimely medical decisions reached in the fall of 2001. 
Consequently, they said they decided to err on the side of caution and 
quickly distribute antibiotics to employees at the Pentagon and Skyline 
Complex. Additionally, since the incident occurred on the Pentagon 
Reservation, DOD officials did not believe that the NRP applied 
because, in their view, they had the medical authority, expertise, and 
resources to handle the incident internally.[Footnote 33] However, 
other federal officials--including those in DHS and HHS--told us that 
the NRP was applicable and that DOD should have followed the framework. 
In addition, CDC guidance emphasizes the need to make risk-based 
decisions, including those involving dispensing of antibiotics during 
suspected anthrax incidents. According to the CDC, a risk-based, 
participatory approach is necessary, in part to limit the number of 
people who may receive antibiotics before confirmation by the 
LRN.[Footnote 34] Since the mail had been quarantined over the weekend, 
the Pentagon employees most at risk would have been the technicians who 
had screened the mail the previous week. These persons received 
antibiotics, but so did hundreds of others who, in our view, would not 
likely have been exposed until Monday morning, when the Pentagon's mail 
was released from quarantine. 

DOD health officials' concern about protecting DOD employees from the 
risk of exposure is clearly understandable. However, DOD's actions were 
not consistent with the NRP. Once HHS was contacted by CDC, it began 
using the notification and response protocols specified in the NRP. In 
particular, HHS convened the first interagency conference call in which 
federal participants were able to discuss the laboratory's test results 
and raise concerns about the quality of the results. Additionally, CDC 
was able to address the Postal Service's concerns about the possible 
health effects on its employees who may have processed contaminated 
mail to the Pentagon the previous week. CDC recommended antibiotics for 
employees of the V Street Operation because (1) of the confluence of 
the two incidents, which, at the time, were viewed as involving the 
presence of anthrax; (2) DOD had already started its employees on 
antibiotics; and (3) the employees could have been exposed to anthrax 
several days earlier because they process mail to the Pentagon. 

DOD Took Numerous Actions That Address Problems Related to the 
Incidents: 

DOD took numerous actions that address problems related to the Pentagon 
and Skyline Complex incidents. At the Pentagon, some actions to improve 
DOD's mail processing and incident response, such as modernizing the 
mail-screening facility and changing the laboratory used to test daily 
samples, were already under way. Other actions, including selecting a 
new mail-screening contractor and improving procedures for releasing 
quarantined mail, were a direct response to what occurred. At the 
Skyline Complex, DOD's actions included prohibiting the use of 
equipment for screening mail unless the equipment is being operated 
within the context of a comprehensive mail-screening program. DOD also 
commissioned the RAND Corporation to conduct an independent review to 
examine its response to the incidents.[Footnote 35] The resulting 
report,[Footnote 36] issued in January 2006, contains numerous 
recommendations which, according to DOD, it has taken action upon. 

At the Pentagon, Some Actions Were Already Under Way, While Others Were 
Taken in Direct Response to the Incident: 

Some of the actions DOD took at the Pentagon were under way before the 
March 2005 incident. Although the actions were not carried out until 
later, they reflected decisions that had been previously set in motion 
to improve mail screening and responses to biological incidents. These 
actions included the following: 

* DOD transferred oversight of the mail-screening function to PFPA. 
PFPA assumed oversight of mail-screening from the Department of the 
Army in August 2005 because, according to DOD officials, PFPA's 
strategic mission of providing security and law enforcement at the 
Pentagon is better aligned with the mail-screening function. According 
to a PFPA official, planning for the transfer of mail-screening 
oversight began around January 2005. A gradual transition had been 
planned, he said, but the Pentagon incident significantly accelerated 
efforts to implement the transfer of mail-screening oversight 
responsibilities. 

* DOD modernized the mail-screening facility, refurbished the mail 
quarantine room, and installed new mail-screening equipment. According 
to a DOD official, initial planning for these improvements also began 
around January 2005. PFPA officials stated that the new mail-screening 
facility and the refurbished quarantine room have improved capabilities 
that are designed to protect employees and prevent the spread of 
anthrax. Finally, a DOD official said that the decision to replace the 
previous mail-screening table with new equipment was based on a 2003 
National Academy of Sciences report, which, among other things, raised 
questions about the table's ability to detect anthrax in small amounts. 
PFPA is awaiting the results of a study, which it expects to conclude 
in May 2006, to evaluate the effectiveness of the changes. 

* DOD changed its testing laboratory. Daily testing of samples from the 
Pentagon's mail-screening equipment is now performed by a non-LRN 
chemical-biological laboratory located on the premises, instead of a 
contract laboratory. The laboratory is part of PFPA and, according to a 
PFPA official, was established in January 2005 to help protect the 
Pentagon from biological threats. The official stated that the original 
plan was to transfer testing from CBI to the Pentagon's chemical- 
biological laboratory in October 2005, after the Vistronix contract 
expired. However, the transfer was accelerated, occurring instead in 
March 2005, a few days after the incident at the Pentagon. 

* DOD entered into a memorandum of understanding (MOU) on biological 
monitoring with other federal agencies. In April 2005, DOD signed an 
MOU for Coordinated Monitoring of Biological Threat Agents, which was 
developed prior to the Pentagon incident. DHS, HHS, the Department of 
Justice (which includes the FBI), and the Postal Service are also 
parties to the MOU. DHS's Science and Technology Directorate is 
responsible for coordinating the implementation of the MOU. The 
following provisions in the MOU help address the notification, 
laboratory testing, and medical response problems that arose at the 
Pentagon: 

* The MOU establishes prompt notification requirements. Specifically, 
the MOU requires participants to notify the FBI, HHS, and DHS within 1 
to 2 hours of positive test results that indicate, with a high degree 
of confidence, the presence of anthrax or other biological agents. 
However, according to a DHS Science and Technology Directorate 
official, such test results only trigger notification and, until 
confirmed by the LRN, are not considered actionable by HHS, DHS, and 
others. 

* The MOU requires participating agencies to develop and employ 
mutually accepted and validated testing methods to confirm biological 
threats. According to a Science and Technology official, test results 
produced from these methods will be considered actionable for public 
health and other response measures, including the administration of 
medical treatment. He stated, however, that this MOU provision will 
take time to implement.[Footnote 37] According to the official, an 
independent organization is currently performing the extensive testing 
and analysis needed to evaluate and establish equivalency between the 
wide array of testing methods employed across agencies.[Footnote 38] 
DOD officials stated that the Pentagon's chemical-biological 
laboratory--which is not part of the LRN--plans to adopt the testing 
methods that emerge from the MOU. As a result, if the MOU's equivalency 
testing provision is fully implemented, they said, confirmatory 
positive results from the Pentagon laboratory will be considered 
equivalent to LRN results and deemed actionable by DHS, HHS, and others 
for decisions related to the administration of medical 
treatment.[Footnote 39] 

In addition to carrying out actions already in process, DOD also 
initiated numerous actions in direct response to the problems that 
occurred at the Pentagon. Several of these actions address the mail- 
screening contractor's failure to follow established requirements. 
Other actions were carried out in response to the RAND review and are 
intended to better align DOD's procedures with those in the federal 
framework for coordinating responses to potential biological threats. 
The actions are as follows: 

* DOD changed mail-screening contractors, strengthened the new 
contract, and drafted improved procedures. PFPA selected a new 
contractor for screening mail at the Pentagon in September 2005. PFPA 
also developed new contract provisions and drafted new mail inspection 
procedures to address the previous contractor's failure to follow 
established contractual and procedural requirements. Table 2 highlights 
key changes in the Pentagon's mail-screening contract provisions and 
draft procedures. 

Table 2: Key Changes in the Pentagon's Mail-Screening Contract 
Provisions and Draft Mail-Screening Procedures: 

Key changes in the Pentagon's contract provisions: The contractor is 
required to periodically train its employees on emergency response 
procedures, including those relating to the receipt of suspicious 
materials. 

Key changes in the Pentagon's contract provisions: The contractor is 
required to develop an effective quality control program to ensure that 
its services are performed in accordance with the contract's 
requirements. 

Key changes in the Pentagon's contract provisions: PFPA's contracting 
officer representative is required to evaluate the contractor's 
performance to ensure that it meets contract requirements. The 
representative is to monitor the contractor's performance and report 
any deficiencies. 

Key changes in the Pentagon's draft mail-screening procedures: The 
facilities manager, a newly created position in PFPA's laboratory 
division, is responsible for, among other things, performing 
unannounced inspections to ensure that the contractor properly executes 
procedures. 

Key changes in the Pentagon's draft mail-screening procedures: The 
contract supervisor, an employee of the mail-screening contractor, is 
responsible for ensuring that contract personnel perform all activities 
in accordance with established procedures. 

Source: GAO analysis of DOD information. 

[End of table] 

PFPA strengthened the mail-screening contract by requiring the 
contractor to, among other things, periodically train employees on 
emergency response procedures and develop an effective quality control 
program to ensure adherence to contract provisions. In addition, PFPA's 
contracting officer representative is required to evaluate the 
contractor's performance to ensure that it meets contract 
requirements.[Footnote 40] PFPA has also drafted new mail-screening 
procedures to help ensure the contractor performs in accordance with 
requirements. The draft procedures require PFPA to, among other things, 
perform unannounced inspections to ensure that the contractor is 
properly executing required procedures. As of April 30, 2006, it was 
unclear when the draft procedures would be finalized; however, 
according to a PFPA official, the new monitoring measures are already 
being performed. Effective monitoring of contractor activities and 
performance is key to maintaining effective agency internal controls. 

* DOD strengthened controls over the release of quarantined mail. The 
Pentagon's draft mail inspection procedures require verification of 
negative test results by representatives from three separate 
organizations--PFPA, the Defense Post Office, and the contractor-- 
before the mail is released. Table 3 identifies the key steps for 
releasing quarantined mail, as specified in the draft procedures. 

Table 3: Key Steps for Releasing Quarantined Mail in DOD's Draft 
Procedures: 

A PFPA laboratory official verifies that test results are negative for 
mail scheduled to be released. 

A PFPA laboratory official notifies the facility manager, the contract 
supervisor, and a Defense Post Office official via e-mail that the 
results are negative and that mail can be released at the scheduled 
time. All parties must verify the receipt of the negative test results 
by replying to the e-mail. 

A PFPA laboratory official verifies that test results are negative for 
mail scheduled to be released.: The PFPA laboratory facility manager, 
the contract supervisor, and a Defense Post Office official, must 
physically verify that the date stamp and other information on the 
quarantined mail matches the laboratory's report indicating negative 
test results before releasing the mail. 

Source: GAO analysis of DOD information. 

[End of table] 

Although the mail inspection procedures are still in draft form, these 
steps are currently being used for releasing the Pentagon's quarantined 
mail. The segregation of key duties and responsibilities at this 
critical juncture in the mail release process reduces the risk of error 
and, as such, is designed to strengthen the internal controls that were 
lacking in March 2005. During the incident, inadequate internal 
controls allowed a single point of failure--in this case, a 
misunderstanding between two contract employees--to result in the 
premature release and distribution of quarantined mail that may have 
been contaminated. This triggered a broad response at the Pentagon and 
elsewhere. The implementation of rigorous internal controls for 
releasing the Pentagon's mail appears likely to prevent similar 
incidents in the future. 

* DOD commissioned the RAND Corporation to conduct an independent 
review examining its response to the March 2005 incidents. The review 
primarily focused on evaluating DOD's policies and procedures for 
responding to such incidents and making recommendations for 
improvement. In November 2005, DOD formed a working group to review and 
implement recommendations from a draft of the report. The final report 
was issued in January 2006. 

* DOD drafted new notification procedures for positive test results at 
the Pentagon. To help address the notification problems that arose 
during the Pentagon incident, DOD drafted new procedures for notifying 
appropriate parties of positive test results from the Pentagon's on- 
site chemical-biological laboratory. These procedures help implement a 
recommendation in the RAND report that calls for ensuring timely 
notification of designated agencies in accordance with the NRP and 
NIMS. The recommendation was based on findings similar to those 
identified by GAO. DOD officials stated that the new procedures, while 
still in draft, are currently being used to respond to potential 
incidents involving biological contamination at the Pentagon. Figure 2 
illustrates DOD's draft notification procedures for positive test 
results from the Pentagon's on-site chemical-biological laboratory. 

Figure 2: DOD's Draft Procedures for Positive Test Results from the 
Pentagon's On-Site Chemical-Biological Laboratory: 

[See PDF for image] 

Source: GAO; DOD. 

[A] The Assistant Secretary of Defense for Homeland Defense is the 
overall supervisor of homeland defense activities for DOD. This office 
manages domestic incidents and represents DOD in homeland defense-
related matters with other agencies. 

[B] The Assistant Secretary of Defense for Public Affairs is the 
principal staff adviser to the Office of the Secretary of Defense for 
disseminating information related to the Pentagon. 

[End of figure] 

The procedures require Pentagon laboratory officials to immediately 
notify PFPA of positive test results. Thereafter, PFPA and DOD's 
Assistant Secretary of Homeland Defense are responsible for making the 
required notifications to internal and external parties. According to a 
DOD official, these notifications should occur immediately in order to 
meet the 1 to 2 hour time frame specified in the MOU. As prescribed in 
the NRP, once notified of positive test results, (1) the FBI is 
responsible for coordinating appropriate confirmatory testing by the 
LRN and (2) DHS's operations center is responsible for notifying 
affected local jurisdictions. DOD's draft procedures include 
notification to all agencies specified in the NRP's Biological Incident 
Annex, as well as those specified in the MOU. Although not specifically 
required in either the NRP or MOU, the procedures also include 
notification to the Postal Service. An official stated that DOD 
actively worked with DHS, the FBI, and HHS to develop the notification 
procedures and is continuing to improve them based on agency input, 
actual events, and the outcome of training exercises. 

* DOD is developing a new policy that defines the roles and 
responsibilities of senior DOD leadership during incidents at the 
Pentagon. According to DOD's Director of Administration and 
Management,[Footnote 41] the policy--called an instruction--is being 
developed and will be based, in part, on NRP's Biological Incident 
Annex. He stated that the instruction will detail the health-care 
responsibilities of DOD leadership involved in making medical treatment 
decisions and will be consistent with NRP and NIMS protocols. The draft 
instruction was expected to be tested during a Pentagon training 
exercise in May 2006 and is to be finalized in the fall of 2006. The 
development of the instruction directly addresses a recommendation from 
the RAND review, which arrived at findings similar to ours regarding 
DOD's medical decision making. 

* DOD drafted new procedures to help ensure that a joint information 
center is established. DOD also drafted procedures for ensuring that, 
consistent with the NIMS framework, a joint information center is 
established during potential emergency incidents at the Pentagon. 
During the March 2005 incident, DOD did not establish a joint 
information center to disseminate timely, accurate, and consistent 
messages to the public. The RAND report contained a similar finding and 
recommended remedial actions. In response, DOD drafted procedures that 
require PFPA, Public Affairs, and Washington Headquarters Services to 
coordinate in the establishment and operation of a joint information 
center to disseminate information to the media during incidents at the 
Pentagon.[Footnote 42] According to a Washington Headquarters Services 
official, the draft procedures will be tested during future training 
exercises at the Pentagon. 

DOD Took Other Actions That Address Problems at the Skyline Complex: 

DOD also took a number of other actions that address the specific 
problems we described related to the incident at the Skyline Complex. 
Many of these problems were also raised in the RAND report. DOD's 
actions, several of which also affect other DOD-leased facilities, 
included the following: 

* DOD developed operating conditions for equipment used to screen mail 
in the national capital region. In January 2006, DOD's Director of 
Administration and Management issued a directive prohibiting DOD mail 
facilities in leased space within the national capital region[Footnote 
43]--including the Skyline Complex--from operating equipment used to 
screen mail, including biosafety cabinets, unless the facilities meet 
five specific operating conditions. These conditions include having 
trained mail screeners to sample equipment for biological agents and an 
approved laboratory for analyzing the samples. The directive partially 
addresses a recommendation in the RAND report calling for DOD to 
develop, evaluate, and ensure that appropriate site-specific screening 
practices are in place departmentwide. According to the Director, the 
directive is intended to relay key lessons learned in March 2005-- 
specifically, that equipment for screening mail is ineffective and 
potentially risky to personnel and facilities when used outside of a 
comprehensive mail-screening program. The TMA facility at the Skyline 
Complex did not meet these conditions. Although the agency purchased a 
new biosafety cabinet for the Skyline Complex, which is similar to the 
device in place in March 2005,[Footnote 44] a TMA official stated that 
the agency is no longer operating the device and is taking steps for 
its disposal in response to the directive. 

* DOD initiated two efforts to gather information on screening 
operations in its mail facilities. First, DOD's Joint Program Executive 
Office for Chemical-Biological Defense, as part of a plan required by 
the National Defense Authorization Act for Fiscal Year 2006,[Footnote 
45] gathered some information on equipment used for mail screening in 
DOD mail facilities nationwide. However, according to a joint program 
office official, the data is not comprehensive because information was 
not sought from all applicable facilities. Second, in response to the 
RAND review, Washington Headquarters Services attempted to identify DOD-
leased facilities in the national capital region that screen mail for 
threats. However, as discussed later, this data collection effort had 
numerous limitations. 

* DOD developed an occupant emergency plan for the Skyline Complex. In 
July 2005, the Defense Agency, in conjunction with TMA, issued an 
occupant emergency plan for the Skyline Complex. The plan was reviewed 
and deemed adequate by a building management specialist in DOD's 
Washington Headquarters Services. The plan includes emergency contact 
information and information about the complex, such as floor plans, 
that were not readily available during the March 2005 incidents. In 
addition, according to a Defense Agency official, the plan has been 
fully coordinated with Fairfax County first responders, who (1) met 
with Defense Agency officials to discuss the roles and responsibilities 
of applicable parties, (2) reviewed the plan, and (3) participated in 
the emergency training exercises at the Skyline Complex. He also stated 
that if a similar incident were to occur, the plan would facilitate 
communications between first responders and Skyline Complex employees. 
The development of an occupant emergency plan addresses findings in 
this report as well as recommendations from the RAND review. 

* DOD issued supplemental requirements for developing mail security 
plans. DOD's December 2001 mail manual required agency mail rooms to 
develop security plans, but at the time of the incidents, did not 
clearly specify what the plans should include or require that they be 
reviewed. A supplement to the manual, issued in September 2005, 
requires mail room officials to ensure that their plan (1) details the 
reporting procedures and responsibilities for handling suspicious mail, 
(2) has been coordinated with local emergency responders, (3) is 
disseminated to all mail center staff, and (4) is reviewed for 
potential revisions at least quarterly. The supplemental requirements 
refer mail room officials to GSA guidance on handling suspicious mail 
to assist in the development of adequate security plans.[Footnote 46] 

DOD's Actions Do Not Fully Resolve Identified Problems: 

DOD's actions resolve many of the problems that arose in the March 2005 
incidents but not all. One remaining and overarching concern involves 
whether, despite its actions, DOD will adhere to the interagency 
coordination protocols in the NRP and NIMS or will revert to the 
isolated decision-making approach it used at the Pentagon. Other 
remaining issues include ensuring that DOD (1) facilities have adequate 
mail security plans in place and (2) mail facilities in the national 
capital region are appropriately using biosafety cabinets for screening 
mail. 

DOD's Adherence to NRP and NIMS Interagency Coordination Protocols 
Remains Uncertain for Incidents at the Pentagon: 

DOD has taken actions to align its procedures with the NRP and NIMS, 
including the development of an instruction defining the roles and 
responsibilities of senior DOD leadership during incidents at the 
Pentagon. The policy instruction is not expected to be finalized until 
the fall of 2006 and, until then, it is unknown whether it will 
adequately specify medical treatment responsibilities in accordance 
with the coordination protocols in the NRP and NIMS. In October 2005, 
senior DOD health officials told us that they would handle the medical 
response at the Pentagon in a similar manner if an incident occurred in 
the future, in part, because they have the authority to do so. In April 
2006--more than 1 year after the incident--another senior health 
official reiterated that DOD has the authority to make final decisions 
on medical treatment at the Pentagon without collaboration or 
consultation with other agencies, including HHS. Such views conflict 
with protocols in both the NRP, which requires an HHS-led coordinated 
public health response, and NIMS, which prescribes local-level input 
into decisions affecting their jurisdictions. Until DOD ensures that 
its senior health officials make medical treatment decisions in 
accordance with the NRP and NIMS during potential biological incidents 
at the Pentagon, the problems that occurred in March 2005 remain 
unresolved. 

DOD Still Has Not Ensured That Its Mail Facilities Have Reviewed Mail 
Security Plans, As Required: 

TMA did not have a mail security plan for the Skyline Complex at the 
time of the incidents, and although federal mail management regulation 
and DOD's mail manual require such a plan, it has not subsequently 
developed one. Until TMA develops a plan and, among other things, 
coordinates it with local first responders, any future response at the 
facility may also be hampered. More importantly, it is not known 
whether other DOD mail facilities also lack plans, or adequate plans, 
for guiding future responses involving potential biological threats in 
the mail. As discussed earlier, DOD does not have a process in place to 
(1) ensure that its mail facilities have mail security plans and (2) 
verify that each plan has been annually reviewed by a competent 
authority. 

DOD Has Not Ensured That Its Facilities in the National Capital Region 
Are Appropriately Using Biosafety Cabinets: 

Gaps remain in the actions DOD has taken to ensure the appropriate use 
of biosafety cabinets for mail screening in DOD-leased mail facilities 
in the national capital region. First, DOD has not ensured that DOD 
mail facilities in the national capital region are not operating 
biosafety cabinets outside of a comprehensive mail-screening program. 
As pointed out in the Director of Administration and Management's 
January 2006 directive, using mail-screening equipment in isolation of 
such a program is ineffective and potentially risky. Second, at the 
conclusion of our review, DOD still had not identified the number of 
biosafety cabinets in use in the region. For example, although DOD's 
Washington Headquarters Services collected information about facilities 
in the national capital region that screen mail for threats, its winter 
2005 data collection effort was not comprehensive. For example, the 
office did not attempt to (1) identify whether other biosafety cabinets 
were being used, (2) determine the conditions under which the equipment 
is being operated, and (3) collect information on the type and 
capabilities of other mail-screening equipment being used. Moreover, it 
appears that numerous DOD mail facilities in the national capital 
region did not respond to the data request. According to an official 
from Washington Headquarters Services in April 2006, a follow- up 
effort was being conducted to gather additional data on mail- screening 
operations in the region; however, we were unable to obtain specific 
information regarding the purpose, scope, and status of the effort. 
Eliminating equipment that is not being used in conjunction with a 
comprehensive mail-screening program is likely to reduce future false 
alarms and unnecessary response activities involving the Skyline 
Complex and other DOD mail facilities in leased space within the 
national capital region. 

Conclusions: 

Mail continues to be a potential venue for terrorism, particularly as 
an opportunity to strike at the Pentagon--a building of national 
military significance. DOD has taken aggressive measures to ensure the 
safety of its employees during a potential biological attack, but the 
challenge ahead is to ensure that DOD's components and leadership are 
sufficiently prepared in the event of another potential incident 
involving anthrax or other biohazards. Preparation involves having the 
procedures, plans, and training in place to effectively coordinate the 
best available knowledge and expertise across the many agencies that 
will likely be involved. While lessons learned from these two false 
alarms have largely been implemented, there still is a need to tighten 
controls in the areas discussed above. 

Recommendations for Executive Action: 

To help prepare DOD to effectively respond to future incidents 
involving the suspicion of biological substances in the mail, we 
recommend that the Secretary of Defense take the following four 
actions: 

* Ensure that any future medical decisions reached during potential or 
actual acts of bioterrorism at the Pentagon Reservation result from the 
participatory decision-making framework specified in the NRP and NIMS. 

* Ensure that appropriate officials at all of DOD's mail facilities 
develop effective mail security plans in accordance with GSA's mail 
management regulation and guidance and DOD's mail manual. 

* Ensure that a competent DOD authority conducts a DOD-wide review of 
all of its mail security plans. 

* Determine (1) whether biosafety cabinets are being used at mail 
facilities within DOD-leased space in the national capital region and, 
if so, (2) whether the equipment is being operated within the context 
of a comprehensive mail-screening program. If the use of biosafety 
cabinets does not comply with the criteria specified in the Director of 
Administration and Management's January 2006 directive, ensure that the 
equipment will not be operated. 

Agency Comments and Our Evaluation: 

We requested comments on a draft of this report from DOD, GSA, the 
Department of Justice, HHS, DHS, and the Postal Service. Two of these 
agencies--DOD and GSA--provided written comments. The agencies' 
comments are reprinted in appendixes II and III, respectively. 

DOD agreed with three of our four recommendations, indicating that it 
either was implementing, or intended to immediately implement, actions 
to address these recommendations.[Footnote 47] Furthermore, while DOD 
is developing a new policy to define the roles and responsibilities of 
senior DOD leadership including those involved in making medical 
treatment decisions during incidents at the Pentagon, it only partially 
agreed with our remaining recommendation, related to the need for DOD 
to make future medical decisions within the participatory decision- 
making framework specified in the NRP and NIMS. While commenting that 
"coordination in such events is highly desirable," DOD reiterated that 
it has the "medical authority to act in a timely manner to provide the 
best possible medical protection for its personnel at potential risk in 
an incident of this nature." DOD further commented that the NRP does 
not alter or impede its ability to carry out its medical authorities 
and responsibilities. 

We agree that the NRP does not repeal DOD's medical powers, 
authorities, or responsibilities. However, in signing the NRP Letter of 
Agreement, DOD agreed, among other things, to (1) support NRP concepts, 
processes, and structures; (2) modify its existing plans to comply with 
the NRP; and (3) ensure that its operations support the NRP. Thus, in 
our view, DOD's medical authorities must be exercised in conjunction 
with DOD's responsibilities under the NRP. Had DOD followed such an 
approach in March 2005, concerns such as the validity of the test 
results could have been discussed among informed agency officials and 
the provision of unnecessary medicine to DOD employees at lower risk 
for exposure may have been avoided. 

DOD also commented that the NRP was not in effect during these 
incidents because none of the criteria for an incident of "national 
significance" had been met. We agree that the December 2004 NRP plan 
was somewhat ambiguous about when an incident is subject to NRP's 
concepts, processes, and structures. However, revisions made in May 
2006 clarified that the NRP is "always in effect" and that the plan 
applies to incidents of lesser severity that may, nevertheless, require 
some federal involvement. In our view, this revision makes it even more 
clear that, going forward, coordination is necessary and appropriate 
with regard to potential bioterrorism incidents and decisions about 
medical treatment. In addition, despite the plan's prior ambiguity, it 
is important to note that other federal officials--including those in 
DHS and HHS--told us that the NRP was applicable because of the nearly 
simultaneous occurrence of two incidents involving the Pentagon, a 
building of national military significance. Thus, according to these 
and other involved parties, DOD should have responded to the incidents 
within the context of the federal framework. 

GSA's written comments clarified federal requirements related to the 
annual review of mail security plans. DOD, the FBI (on behalf of the 
Department of Justice), CDC (on behalf of HHS), and the Postal Service 
provided technical comments, which we incorporated, as appropriate. DHS 
did not provide comments. 

We are sending copies of this report to appropriate congressional 
committees and subcommittees, CDC, DHS, DOD, the FBI, GSA, HHS, the 
Postal Service, the Arlington and Fairfax County Offices of Emergency 
Management, the District of Columbia Health Department, and other 
interested parties. We will also make copies available to others upon 
request. In addition, the report is available at no charge on the GAO 
Web site at [Hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at siggerudk@gao.gov or (202) 512-2834. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this report. Staff who made key contributions to 
this report are listed in appendix IV. 

Signed by: 

Katherine A. Siggerud: 
Director, Physical Infrastructure Issues: 

[End of section] 

Appendix I: Scope and Methodology: 

To determine what occurred at the Pentagon and Skyline Complex mail 
facilities in Virginia, we reviewed all available timelines and after- 
action reports, including those prepared by various Department of 
Defense (DOD) components, the Postal Service, the RAND Corporation, and 
other federal, state, and local entities. The after-action reports and 
timelines document what occurred at the two sites in March 2005 as well 
as the sequence and timing of what occurred. We also obtained and 
analyzed other pertinent documentation. We developed a timeline of what 
occurred based on the information we obtained, and corroborated this 
information with agency officials, where possible. With respect to this 
and our other reporting objectives, we interviewed a wide range of 
officials from the following organizations: 

* Office of the Secretary of Defense, Administration and Management; 

* Office of the Assistant Secretary of Defense for Health Affairs; 

* Office of the Assistant Secretary of Defense for Homeland Defense; 

* DOD's DiLorenzo TRICARE Health Clinic; 

* DOD's TRICARE Management Activity (TMA); 

* DOD's Pentagon Force Protection Agency, including personnel in the 
Chemical, Biological, Radiological and Nuclear laboratory; 

* DOD's Washington Headquarters Services; 

* DOD's Defense Post Office; 

* Vistronix Incorporated; 

* Department of Health and Human Services; 

* Centers for Disease Control and Prevention (CDC); 

* Department of Homeland Security (DHS); 

* Federal Bureau of Investigation (FBI) Headquarters and its Washington 
Field Office; 

* U.S. Postal Service; 

* District of Columbia's Department of Health; and: 

* Arlington and Fairfax County Offices of Emergency Management. 

To determine what problems occurred and why they occurred, we obtained, 
reviewed, and analyzed, among other documents, (1) all available 
timelines and after-action reports prepared by federal, state, and 
local agencies that were involved in the response; (2) the Pentagon's 
mail-screening contract and procedures; (3) TMA's mail procedures; (4) 
federal mail management and other applicable regulations related to 
occupant emergency plans;[Footnote 48] (5) DOD requirements, including 
its mail manual; (6) applicable guidance on the coordination of 
incidents with appropriate organizations, including the National 
Response Plan (NRP) and its Biological Incident Annex and the National 
Incident Management System (NIMS) and; (7) CDC guidance related to the 
provision of medical services to potentially affected employees, 
including its guidance on the timing of antibiotics to affected 
individuals.[Footnote 49] We also reviewed and analyzed GAO's internal 
control standards for applicable criteria and interviewed officials 
from the previously cited organizations as well as those from DOD's 
Defense Information Systems Agency, DOD's Military Postal Service 
Agency, and the General Services Administration. We compared DOD's 
actions with applicable criteria, such as the Pentagon's contract 
provisions and procedures, regulations and guidance, and the national 
coordination protocols in place at the time of the incidents, to 
identify any variations between the actions taken at the two facilities 
and the actions specified in the applicable criteria. Where variations 
existed, we interviewed officials from the previously mentioned 
organizations to determine why the applicable criteria was not 
followed. 

To determine the actions DOD has taken that address the problems that 
arose during the March 2005 incidents at the two mail facilities, we 
interviewed officials from the previously cited DOD offices as well as 
the Office of the Assistant Secretary of Defense for Public Affairs, 
Military: 

Postal Service Agency, Joint Program Executive Office for Chemical and 
Biological Defense, and General Services Administration. We also 
interviewed DHS officials from the Science and Technology Directorate 
and DHS's Mail Management Program. We obtained and analyzed pertinent 
information on all identified actions. For example, with respect to 
actions taken at the Pentagon, we reviewed the new mail-screening 
contract, recent interagency agreements, and the Pentagon's draft (1) 
mail-screening operating procedures, (2) laboratory procedures, (3) 
notification procedures, and (4) procedures for communicating 
information to the public. For actions taken in response to the 
incident at the Skyline Complex, we reviewed TMA's mail-screening 
procedures, DOD's directive prohibiting the use of biosafety cabinets 
in certain environments, and the Skyline Complex occupant emergency 
plan, all of which were issued after the March 2005 incidents. 

To determine the extent to which the actions taken address the problems 
that arose at the two mail facilities during the March 2005 incidents, 
we reviewed and analyzed, among other things, the Pentagon's new mail-
screening contract and its draft (1) mail-screening operating 
procedures, (2) laboratory procedures, (3) notification procedures, and 
(4) procedures for communicating information to the public. To assess 
whether the actions appeared to resolve the problems that arose during 
the incidents, we compared policy and procedural changes to applicable 
criteria, including criteria contained in DOD's mail manual, GSA's 
regulations and guidance, CDC guidance, GAO Internal Controls 
Standards, the NRP's Biological Incident Annex, and NIMS. We determined 
the status of key recommendations in the after-action reports and, 
through our analysis, identified further actions necessary to remedy 
the issues that arose. In addition, to provide broader perspective on 
issues related to detecting and responding to suspected anthrax 
incidents, we reviewed previous studies, congressional testimony, and 
other pertinent documents including those prepared by GAO.[Footnote 50] 

We performed our work from June 2005 to August 2006 in accordance with 
generally accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

Homeland Defense: 
Assistant Secretary Of Defense: 
2600 Defense Pentagon: 
Washington, DC 20301-2600: 

Jun 22 2006: 

Ms. Kate Siggerud: 
General Accountability Office: 
441 G Street NW: 
Washington, DC 20548: 

Dear Ms. Siggerud: 

(U) We Appreciate The Opportunity To Comment On The Draft Report, "Mail 
Security: Incidents at DOD Mail Facilities Exposed Problems That 
Require Further Actions," dated June 2006, (GAO Code 542066/GAO-06- 
757C). We note several factual errors in the report, and partially 
concur with the recommendations. 

(U) The Department of Defense continues to institute emergency 
management policies, refine interagency and internal coordination 
procedures for potential biological terrorism incidents, and protect 
all persons who could potentially be affected in such incidents. 

(U) Let me take this opportunity to thank you and your staff for 
producing a reasoned and useful report. I am forwarding the 
Department's comments on the draft report recommendations at enclosure 
one. Recommended technical changes that were identified are at 
enclosure two. 

Sincerely, 

Sincerely, 

Peter F. Verga: 
Principal Deputy: 

Enclosures: 

1. DoD comments: 
2. Technical changes: 

GAO Draft Report - Dated May 23, 2006 GAO Code 542066/GAO-06-757C "Mail 
Security: Incidents at DoD Mail Facilities Exposed Problems That 
Require Further Actions" 

Department Of Defense Comments: 

Recommendation 1: The GAO recommends that DoD ".ensure that any future 
medical decision reached during potential or actual acts of bio- 
terrorism at the Pentagon Reservation result from the participatory 
decision-making framework specified in the NRP and the NIMS. 

DoD Response: DoD partially concurs. While coordination in such events 
is highly desirable and was, in fact, performed in these incidents, the 
GAO recommendation, if adopted, could actually serve to confuse an 
operational response. The NRP cannot be read selectively. Two other 
portions of the NRP significantly apply in this situation, but are 
omitted from the report. Page 2 the NRP states, "Nothing in this plan 
alters or impedes the ability of Federal. departments and agencies to 
carry out their specific authorities or perform their responsibilities 
under all applicable laws, Executive orders, and directives." 
Additionally, on pages 3-4 the subject of the NRP's applicability is 
described and the criteria for an Incident of National Significance are 
stipulated. During these incidents, none of these criteria were 
reached. Accordingly, the NRP was not in effect for the response to 
these incidents and, if NRP had been in effect, the authorities of the 
Secretary of Defense are not altered or impeded by the plan. 

The Department of Defense has the medical authority to act in a timely 
manner to provide the best possible medical protection for its 
personnel at potential risk in an incident of this nature. As noted in 
the report, the DoD is developing a new policy to define the roles and 
responsibilities of senior DoD leadership in emergency management and 
incident command on the Pentagon reservation - including those making 
medical treatment decisions. 

Recommendation 2: GAO recommends that DoD ".ensure that appropriate 
officials at all of DoD's mail facilities develop effective mail 
security plans in accordance with GSA's mail management regulation and 
guidance and DoD's mail manual." 

DOD Response: DoD concurs. Military postal authorities are evaluating 
the most effective assurance method and are considering reporting 
methodologies for GSA and DoD guidance compliance. 

Recommendation 3: GAO recommends that DoD ".ensure that a competent DOD 
authority conducts a DoD-wide review of all of its mail security 
plans." 

DOD Response: DoD concurs. Military postal authorities are evaluating 
the most effective assurance method and are considering reporting 
methodologies for GSA and DOD guidance compliance. 

Recommendation 4: GAO recommends that DoD ".determine whether (1) bio-
safety cabinets are being used at mail facilities within DoD leased 
space in the national capital region and, if so, (2) the equipment is 
being operated within the context of a comprehensive mail-screening 
program. If the use of bio-safety cabinets does not comply with the 
criteria specified in the Director of Administration and Management's 
January 2006 directive, ensure that the equipment will not be 
operated." 

DOD Response: DoD Concurs. The Pentagon Force Protection Agency (PFPA) 
will immediately determine compliance with the January 2006 DA&M memo. 
Additionally, PFPA will incorporate procedures for reviewing mail 
screening programs into their Antiterrorism Vulnerability Assessments, 
which are conducted annually at each of the DoD leased facilities in 
the NCR. 

[End of section] 

Appendix III: Comments from the General Services Administration: 

GSA Office of Governmentwide Policy: 

Jun 19 2006: 

Ms. Katherine A. Siggerud: 
Director: 
Physical Infrastructure Issues: 
Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Ms. Siggerud: 

Thank you for the opportunity to comment on the draft Government 
Accountability Office (GAO) Report, Mail Security: Incidents at 
Department of Defense (DOD) Mail Facilities Exposed Problems That Are 
Not Yet Fully Resolved (GAO-06-757C). 

The draft report paraphrases and refers to GSA regulations regarding 
mail security at several points. All of these paraphrases and 
references are accurate and appropriate, with one exception. On Page 
28, the draft report says: "GSA's Federal Mail Management Regulation 
requires that facility level mail security plans be annually reviewed 
at the agency's level." The issue we have is with the phrase: "at the 
agency's level." 

The actual text of the regulation says: "The annual report must state 
that all facility security plans have been reviewed by a competent 
authority within the past year." (FMR 102-192.60). The regulation 
provides that a competent authority must review all security plans, but 
it does not say that this review must be performed at the agency's 
level. An agency's level review of every facility's security plan would 
be an intolerable burden in agencies such as the DOD and the Department 
of Agriculture that have thousands of facilities. 

We look forward to seeing this report in its final form. Its 
recommendations and implications will be important to all Federal mail 
facilities. If you have any questions, please contact Mr. Henry Maury, 
Office of Travel, Transportation and Asset Management, on (202) 208-
7928. 

Sincerely, 

Signed by: 

Stan Kaczmerczyk for: 

John G. Sindelar: 
Acting Associate Administrator: 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Katherine A. Siggerud, (202) 512-2834 or siggerudk@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, Kathleen Turner (Assistant 
Director), David Hooper, Daniel Klabunde, Steve Martinez, Josh Ormond, 
Stanley Stenersen, and Johanna Wong made key contributions to this 
report. 

FOOTNOTES 

[1] A third incident occurred at a DOD mail facility at the Bolling Air 
Force Base in Washington, D.C. That incident--also a false alarm--was 
not connected to the Pentagon and Skyline Complex incidents and, 
therefore, is not discussed in this report. 

[2] The Office of the Administrative Assistant to the Secretary of the 
Army--the organization responsible for managing DOD's mail--also 
reviewed the draft report and concurred "without comment." 

[3] We have issued a number of reports on the response to these 
incidents. See, for example, GAO, U.S. Postal Service: Better Guidance 
Is Needed to Ensure an Appropriate Response to Anthrax Contamination, 
GAO-04-239 (Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public 
Health Response to Anthrax Incidents of 2001, GAO-04-152 (Washington, 
D.C.: Oct. 15, 2003); and U.S. Postal Service: Better Guidance Is 
Needed to Improve Communication Should Anthrax Contamination Occur in 
the Future, GAO-03-316 (Washington, D.C.: Apr. 7, 2003). 

[4] See GAO, Anthrax Detection: Agencies Need to Validate Sampling 
Activities in Order to Increase Confidence in Negative Results, GAO-05-
251 (Washington, D.C.: Mar. 31, 2005). 

[5] In March 2005, LRN consisted of 147 laboratories that, according to 
CDC, had demonstrated the ability to meet and maintain CDC's testing 
standards. 

[6] Medical treatment, as used in this report, means administering 
postexposure prophylaxis to exposed individuals. 

[7] GSA issues regulations under the authority of the Federal Records 
Management Amendments of 1976 (Section 2 of Public Law 94-575, 44 
U.S.C. 2901-2904), which requires the GSA Administrator--the executive 
head of GSA--to provide assistance to federal agencies on records 
management, including the processing of mail. See 41 CFR Parts 101-9 
and 102-192. 

[8] GSA, Mail Communications Policy Office, Mail Center Security Guide, 
3rd edition (Washington, D.C., 2004); and National Guidelines for 
Assessing and Managing Biological Threats in Federal Mail Facilities 
(Washington, D.C., Dec. 29, 2003). 

[9] DOD's requirements are described in the DOD Instruction 4525.8 and 
DOD Manual 4525.8M, effective December 2001. 

[10] This requirement is contained in GSA's regulations for managing 
property. See 41 CFR Sec. 102-74.230. 

[11] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999). 

[12] TMA provides administrative support to DOD's civilian health and 
medical program for the uniformed services. 

[13] A portion of TMA's mail destined for the Skyline Complex is 
screened at the Pentagon and picked up from an office inside the 
Pentagon. 

[14] 10 USC Sec. 2674(f)(1) defines the Pentagon Reservation as the 
area of land (consisting of approximately 280 acres) and improvements 
thereon, located in Arlington, Virginia, on which the Pentagon Office 
Building, Federal Office Building #2, the Pentagon heating and sewage 
treatment plants, and other related facilities are located, including 
various areas designated for the parking of vehicles. 

[15] The mail-screening technicians were not evacuated and, instead, 
remained isolated in the mail-screening facility, according to PFPA 
officials. 

[16] Other conference calls occurred over the next few days. 

[17] The two laboratories at Fort Detrick are associated with the 
United States Army Medical Research Institute of Infectious Diseases 
and the National Bioforensic Analysis Center. 

[18] GSA leases office space at the Skyline Complex for federal 
agencies, including DOD's TMA office. 

[19] According to the manager, the PFPA employee thought that the 
equipment was an X-ray machine. 

[20] The biosafety cabinet was destroyed as a result of efforts to 
extract its filters for testing. 

[21] The National Institute is the federal agency responsible for 
conducting research into occupational safety and health matters. 

[22] CBI was not a part of the LRN in March 2005 and, consequently, 
would not have had access to CDC's guidelines and protocols for LRN 
laboratories. 

[23] The officials noted that PFPA's Chemical, Biological, 
Radiological, and Nuclear department did not exist when DOD initially 
awarded the mail-screening contract. The laboratory associated with 
this department, as well as its current role in the Pentagon's mail 
screening, is discussed later in this report. 

[24] In its technical comments on a draft of this report, DOD noted 
that subsequent training had been conducted, but that the training was 
"not as detailed." 

[25] As discussed earlier, mail room employees made several 
unsuccessful attempts to telephone the manufacturer and the maintenance 
contractors for help. In addition, DOD's manager of the complex told us 
that she called PFPA for guidance on how the cabinet operated, but the 
PFPA official was not aware of the type of equipment in use at the 
complex, and consequently, he was not able to tell her what to do. 
Finally, an employee called 911, which brought emergency responders 
from Fairfax County, Virginia. 

[26] 41 CFR §102-192.90. 

[27] The Official Mail Manager retired in April 2006. 

[28] Related to this, GSA officials told us that GSA does not have the 
authority to enforce its reporting requirement. 

[29] 41 CFR Ch 102-74.230. 

[30] The incident command initially included federal and local agencies 
and was used for, among other things, coordinating the evacuation of 
the mail screening and remote delivery facilities and the relocation of 
potentially affected employees. 

[31] Ciprofloxacin is one of several antibacterial drugs, including 
amoxicillin and doxycycline, that can be used to treat anthrax 
exposure. CDC currently recommends doxycycline for preventive treatment 
of anthrax. 

[32] Local public health officials explained that their desire to 
ensure that potentially affected individuals would be treated 
consistently derived from lessons learned in the fall of 2001. At that 
time, Capitol Hill staff was also initially provided with ciprofloxacin 
for their potential exposure to anthrax; however, Postal Service 
employees generally received doxycycline. CDC's recommendations in this 
area had changed, but that was not well understood, in part because 
ciprofloxacin had been described as the drug of choice in media 
reports. Because Postal Service employees generally received 
doxycycline--instead of ciprofloxacin--they believed that they had been 
given an inferior drug. According to local public health officials, 
this misperception was difficult to explain and, together with the 
death and illness of exposed postal employees, caused trauma within the 
Postal Service community. 

[33] Under DOD Directive 6200.3, Emergency Health Powers on Military 
Installations, DOD commanders and the designated Public Health 
Emergency Officer--in this case, the commander of the DiLorenzo TRICARE 
Health Clinic--can take actions to protect installations, facilities, 
and personnel in the event of a public health emergency resulting from 
biological warfare, terrorism, or a communicable disease epidemic. 

[34] According to CDC, antibiotic medical treatment is recommended as 
soon as possible after the LRN has obtained a presumptive positive test 
result. Such results can be obtained within 2 hours. 

[35] The RAND Corporation is a nonprofit research organization. Its 
National Defense Research Institutea federally funded research and 
development center conducted the review. RAND also examined a third 
incident that occurred at a DOD mail facility on the Bolling Air Force 
Base. The incident at the Bolling Air Force Base was not connected to 
the Pentagon and Skyline Complex incidents. Consequently, that incident 
is not discussed in this report. 

[36] Except for an unclassified summary, the RAND report is not 
available publicly. 

[37] The MOU established August 2005 as the deadline for agencies to 
begin using mutually accepted testing methods, a date that has long 
passed. According to an official from DHS's Science and Technology 
Directorate, it will take a considerable amount of additional time to 
assess and develop consensus on testing methods. The official estimated 
that the process to establish mutually accepted testing methods will be 
completed between September 2006 and March 2007. 

[38] According to CDC officials, the process involves establishing 
equivalency between DOD and LRN testing methods. In addition, they 
stated that once mutually accepted methods are established, it will 
take additional time to fully implement the testing and response 
procedures from an operational standpoint. 

[39] A DOD official noted that positive test results are taken in 
conjunction with other relevant factors to determine if antibiotics 
should be administered. 

[40] As discussed, the previous contracting officer's representative 
for administering the mail-screening contract was an official from the 
Defense Post Office with no expertise or training related to screening 
mail for anthrax or other biological hazards. The new contracting 
officer's representative is the Director of PFPA's chemical-biological 
laboratory located at the Pentagon. 

[41] The Director of Administration and Management is the principal 
adviser on DOD-wide organizational and administrative management 
matters. The Director's responsibilities include providing policy 
guidance to DOD components at (1) the Pentagon and (2) DOD-leased space 
in the Washington, D.C., area. 

[42] Washington Headquarters Services manages DOD-wide programs and 
operations for the Pentagon Reservation and DOD-leased facilities in 
the Washington, D.C., area. 

[43] The national capital region includes the District of Columbia and 
11 local jurisdictions in Maryland and Virginia, including Arlington 
and Fairfax Counties, where the two incidents occurred. 

[44] TMA's previous biosafety cabinet was destroyed during the March 
2005 incident. The new cabinet, purchased prior to receiving the 
directive, is functionally similar to the old one in that it is not 
capable of detecting biological agents and its alarm only indicates an 
obstruction in the equipment's airflow. 

[45] In January 2006, the President signed into law the National 
Defense Authorization Act for Fiscal Year 2006, P.L. 109-163, which 
could change the way DOD processes mail at the Pentagon and around the 
world. The law requires the Secretary of Defense to submit a report to 
Congress on the safety of mail within the military mail system, 
including a plan to screen all incoming mail for biological agents. 

[46] Specifically, the September 2005 supplement to DOD's mail manual 
cites the third edition of GSA's Mail Center Security Guide and GSA's 
December 2003 policy advisory entitled National Guidelines for 
Assessing and Managing Biological Threats in Federal Mail Facilities. 

[47] The Office of the Administrative Assistant to the Secretary of the 
Army also reviewed the draft report and concurred "without comment." 

[48] Federal Management Regulation, 41 C.F.R. ch. 102, issued by GSA. 

[49] U.S. Department of Health and Human Services, Centers for Disease 
Control and Prevention, Morbidity and Mortality Weekly Report, 
"Responding to Detection of Aerosolized Bacillus anthracis by 
Autonomous Detection Systems in the Workplace" (Atlanta, Georgia, June 
4, 2004). 

[50] See, for example, GAO, U.S. Postal Service: Better Guidance Is 
Needed to Ensure an Appropriate Response to Anthrax Contamination, GAO-
04-239 (Washington, D.C.: Sept. 9, 2004); Bioterrorism: Public Health 
Response to Anthrax Incidents of 2001, GAO-04-152 (Washington, D.C.: 
Oct. 15, 2003); and U.S. Postal Service: Better Guidance Is Needed to 
Improve Communication Should Anthrax Contamination Occur in the Future, 
GAO-03-316 (Washington, D.C.: Apr. 7, 2003). 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: