Skip to main content

Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions

GAO-06-757 Published: Sep 15, 2006. Publicly Released: Sep 15, 2006.
Jump To:
Skip to Highlights

Highlights

In March 2005, two well-publicized and nearly simultaneous incidents involving the suspicion of anthrax took place in the Washington, D.C., area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and at a commercial office complex (Skyline Complex). While these incidents were false alarms, DOD and other federal and local agencies responded. The Postal Service suspended operations at two of its facilities and over a thousand DOD and Postal Service employees were given antibiotics as a precaution against their possible exposure to anthrax. This report describes (1) what occurred at the Pentagon and Skyline Complex mail facilities, (2) the problems we identified in detecting and responding to the incidents, (3) the actions taken by DOD that address the problems that occurred, and (4) the extent to which DOD's actions address the problems.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Defense To help prepare DOD to effectively respond to future incidents involving the suspicion of biological substances in the mail, the Secretary of Defense should ensure that any future medical decisions reached during potential or actual acts of bioterrorism at the Pentagon Reservation result from the participatory decision-making framework specified in the National Response Plan and National Incident Management System.
Closed – Implemented
In March 2005, two well-publicized and nearly simultaneous incidents involving the suspicion of anthrax in the mail took place in the Washington, D.C. area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and space leased for DOD in a commercial office complex in Virginia. Both incidents were eventually determined to be false alarms. In September 2006, we reported that DOD did not fully follow the federal framework--the National Response Plan (NRP) and the National Incident Management System (NIMS)--in responding to these events. The federal government developed this framework to help ensure effective, participatory decision making through a coordinated response to, among other situations, an actual or potential bioterrorist incident. Thus, the framework specifies lead federal agencies depending on the nature of the incident. For example, as specified in the NRP, the Department of Health and Human Services (HHS) is the lead federal agency for responding to public health threats arising from anthrax and other bioterrorism incidents. However, instead of immediately coordinating DOD's actions with HHS, the Federal Bureau of Investigation, HHS and others, as required by the NRP, the two DOD Health Affairs officials responsible for responding to medical issues at these locations--the Commander of the DiLorenzo TRICARE Health Clinic and DOD's Assistant Secretary for Health Affairs--unilaterally decided to provide antibiotics to about 890 DOD employees. According to these officials, they did not believe that the NRP applied because, in their view, they had the medical authority, expertise, and resources to handle the incident internally. We also reported that if DOD had fully coordinated with federal and local agencies as the framework prescribes, concerns about the validity of test results could have been discussed and the provision of unnecessary medicine to DOD employees may have been avoided. Therefore, we recommended that the Secretary of Defense ensure that any future medical decisions reached during potential or actual acts of bioterrorism involving the Pentagon result from the participatory decision-making framework specified in the NRP and NIMS (See Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions; GAO-06-757.) DOD's Director of Administration and Management responded to our recommendation in March 2007 by issuing an instruction that established policy, assigned responsibilities, and provided procedures for responding to, among other situations, biological incidents involving the Pentagon. The instruction references the participatory decision-making framework specified in the NRP and NIMS throughout. For example, matters involving a public health response to the threat of biological incidents specifically requires the Commander of the DiLorenzo TRICARE Health Clinic, in coordination with the Assistant Secretary for Health Affairs, to coordinate with HHS and other assigned biological incident emergency personnel to assess the situation and determine the appropriate public health and medical actions, including a recommended treatment plan.
Department of Defense To help prepare DOD to effectively respond to future incidents involving the suspicion of biological substances in the mail, the Secretary of Defense should ensure that appropriate officials at all of DOD's mail facilities develop effective mail security plans in accordance with GSA's mail management regulation and guidance and DOD's mail manual.
Closed – Implemented
In March 2005, two well-publicized and nearly simultaneous incidents involving the suspicion of anthrax in the mail took place in the Washington, D.C. area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and in leased space for DOD at a commercial office complex in Virginia (Skyline Complex). In September 2006, we reported that DOD had not ensured that the Skyline Complex had a mail security plan, as required by GSA's federal mail management regulation and guidance and DOD's mail manual. (See Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions; GAO-06-757). In addition, we reported that it was not known whether other DOD facilities also lacked a mail security plan because DOD did not have a process for ensuring that its mail facilities had developed the required plan. We therefore recommended that the Secretary of Defense ensure that appropriate officials at all of DOD's mail facilities develop mail security plans in accordance with GSA's mail management regulation and guidance and DOD's mail manual. DOD's Military Postal Service Agency responded to our recommendation in January 2009 by issuing a memorandum (1) reminding senior DOD agency managers that DOD requires every facility with one or more full-time mail processing employees to have a written mail security plan and (2) requiring these managers to return a form to DOD's Official Mail Manager certifying that every mail facility within his/her purview had a mail security plan. According to DOD's Official Mail Manager, DOD plans to maintain and carry out this requirement annually.
Department of Defense To help prepare DOD to effectively respond to future incidents involving the suspicion of biological substances in the mail, the Secretary of Defense should ensure that a competent DOD authority conducts a DOD-wide review of all of its mail security plans.
Closed – Implemented
In March 2005, two well-publicized and nearly simultaneous incidents involving the suspicion of anthrax in the mail took place in the Washington, D.C. area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and in leased DOD space for DOD at a commercial office complex in Virginia (Skyline Complex). In September 2006, we reported that DOD had not ensured that a mail security plan for the Skyline Complex had been reviewed, as required by GSA's mail management regulation and guidance and DOD's mail manual. (See Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions; GAO-06-757). In addition, we reported that it was not known whether a competent authority-an individual with mail security expertise-had reviewed mail security plans at other DOD facilities because DOD did not have a process for ensuring that the reviews are performed. We therefore recommended that the Secretary of Defense ensure that a competent DOD authority conduct a DOD-wide review of all of its mail security plans. DOD's Military Postal Service Agency responded to our recommendation in January 2009 by issuing a memorandum (1) reminding agency managers that DOD requires a competent authority to review each mail facility's mail security plan at least once a year, and (2) requiring senior DOD managers to return a form to DOD's Official Mail Manager certifying that the manager had taken all reasonable steps to ensure that the plans for each facility under his/her purview had been reviewed by a competent authority within the past 12 months. According to DOD's Official Mail Manager, DOD plans to maintain and carry out this requirement annually. DOD's action satisfies the intent of our recommendation because, as noted by GSA in its comments on our draft report, reviews of facility mail security plans need not be performed by any one competent authority at the agency level.
Department of Defense To help prepare DOD to effectively respond to future incidents involving the suspicion of biological substances in the mail, the Secretary of Defense should determine (1) whether biosafety cabinets are being used at mail facilities within DOD-leased space in the national capital region and, if so, (2) whether the equipment is being operated within the context of a comprehensive mail-screening program. If the use of biosafety cabinets does not comply with the criteria specified in the Director of Administration and Management's January 2006 directive, ensure that the equipment will not be operated.
Closed – Implemented
In March 2005, two incidents involving the suspicion of anthrax in the mail took place in the Washington, D.C. area. The incidents occurred at Department of Defense (DOD) mail facilities at the Pentagon and, a few hours later, in space leased for DOD in a commercial office complex in Virginia (Skyline Complex). In September 2006, we reported that the latter incident began when mail delivered from the Pentagon activated an alarm on a biosafety cabinet used to screen mail at the Skyline Complex. The incident occurred because (1) existing procedures did not address what the biosafety cabinet did, how it worked, or how to respond to its built-in alarm and (2) staff turnover and the absence of additional training led to a lack of understanding about the equipment's capabilities. Further, we reported that when the DOD manager of the complex called DOD's Pentagon Force Protection Agency (PFPA)--the law enforcement agency responsible for, among other matters, conducting vulnerability assessments of DOD-occupied facilities in the national capital region--for guidance on how the cabinet operated, PFPA was unable to help because it was not aware of the type of equipment in use at the complex. Consequently, instead of understanding that the alarm indicated only an airflow obstruction, not the presence of a biohazard such as anthrax, a DOD employee at the complex unnecessarily contacted first responders. (See Mail Security: Incidents at DOD Mail Facilities Exposed Problems That Require Further Actions; GAO-06-757). While operating biosafety cabinets to screen mail outside of a comprehensive mail screening program (as occurred at the Skyline Complex) is both ineffective and potentially risky, we reported that DOD had not (1) identified whether other biosafety cabinets were being used in the national capital region or, where applicable, (2) determined the conditions under which the equipment was being operated. We, therefore, recommended that the Secretary of Defense determine (1) whether biosafety cabinets are being used at mail facilities within DOD-leased space in the region and, if so, (2) whether the equipment is being operated within the context of a comprehensive mail-screening program. As we reported, such a program includes the use of trained mail screeners. According to an audit tracking system maintained by DOD's Inspector General Office (DOD IG), PFPA responded to our recommendation by changing its vulnerability assessments of DOD leased buildings in the national capital region. For example, PFPA assessments now ensure compliance with a January 2006 DOD directive which prohibited DOD mail facilities in leased space within the region from operating mail screening equipment, including biosafety cabinets, unless the facility meets five specific operating conditions, including the presence of trained mail screeners. In addition, PFPA's assessments now identify any screening equipment being used to evaluate biological risks in mail or packages (e.g., biosafety cabinets) and whether the equipment is being used and maintained in compliance with DOD's January 2006 directive. A spokesperson for PFPA confirmed that PFPA added several questions to its assessment to identify the types of equipment being used to screen mail in the national capital region and to ensure that this equipment is being operated within the context of a comprehensive mail screening program. An excerpt from the revised assessment, for example, indicates that PFPA assesses whether (1) mail handlers have been trained on the mail screening equipment, (2) the equipment is routinely tested for biological agents, and (3) the mailroom is equipped with special gloves and large sealable bags for isolating suspicious mail. According to the PFPA spokesperson, the assessments are conducted on an ongoing (annual) basis.

Full Report

Office of Public Affairs

Topics

AnthraxBioterrorism preparedness and response programEmergency preparednessEmergency responseEmergency response plansFacility securityPolicy evaluationPostal facilitiesPostal servicePublic healthStrategic planningMail processing operations