DOE and NRC Have Different Security Requirements for Protecting Weapons-Grade Material from Terrorist Attacks
GAO-07-1197R: Published: Sep 11, 2007. Publicly Released: Sep 25, 2007.
In terrorists' hands, weapons-grade nuclear material--known as Category I special nuclear material when in specified forms and quantities--can be used to construct an improvised nuclear device capable of producing a nuclear explosion. Responsibility for the security of Category I special nuclear material is divided between the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC). Specifically, DOE and the National Nuclear Security Administration (NNSA), a separately organized agency within DOE, are responsible for overseeing physical security at government-owned and contractor-operated sites with Category I special nuclear material. NRC, which is responsible for licensing and overseeing commercially owned facilities with nuclear materials, such as nuclear power plants, is responsible for regulating physical security at those licensees that store and process Category I special nuclear material under contract, primarily for DOE. Because of the risks associated with Category I special nuclear material, both DOE and NRC recognize that effective security programs are essential. The key component in both DOE's and NRC's security programs is each agency's design basis threat (DBT)--classified documents that identify the potential size and capabilities of terrorist threats to special nuclear material. To counter the threat contained in their respective DBTs, both DOE sites and NRC licensees use physical security systems, such as alarms, fences, and other barriers; trained and armed security forces; and operational security procedures, such as a "two-person" rule that prevents unobserved access to special nuclear material. In addition, to ensure DBT requirements are being met and to detect potential security vulnerabilities, DOE and NRC employ a variety of other measures, including inspection programs; reviews; and force-on-force performance tests, in which the site's security forces undergo simulated attacks by a group of mock terrorists. Over the past several years, we have raised concerns about certain aspects of security at DOE sites and at NRC-regulated commercial nuclear power plants. In this context, you asked us to determine (1) whether DOE's and NRC's requirements for protecting Category I special nuclear material from terrorist threats differ from one another; (2) the reasons for any differences between these requirements; and (3) if, as a result, there are differences between how NRC-licensed facilities that store and process Category I special nuclear material and how DOE facilities that store and process Category I special nuclear material are defended against a terrorist attack.
Several factors have contributed to the differences between DOE's and NRC's DBTs. First, a key document used in the development of DOE's DBT was the Postulated Threat to U.S. Nuclear Weapon Facilities and Other Selected Strategic Facilities (Postulated Threat). The Postulated Threat is developed by the U.S. intelligence community, principally the Department of Defense's Defense Intelligence Agency, and the security organizations of several different agencies, including DOE and NRC. The most recent Postulated Threat, issued in 2003, identified, among other things, the most likely threats to U.S. facilities with Category I special nuclear material. While NRC participated in the development of the Postulated Threat, NRC believes that the Postulated Threat does not apply to commercial nuclear facilities such as its licensees. Second, DOE and NRC also differ in their consideration of other intelligence information in developing their DBTs. In this context, NRC has developed its DBT to be within the range of what it has determined are the limitations that a private guard force can reasonably be expected to defend against. Specifically, NRC believes that the defense against threats not contained in its DBT is the responsibility of the federal government, in conjunction with state and local governments. Finally, even though they did so in the past, since September 11, 2001, DOE and NRC have not fully cooperated in sharing classified information on potential misuse of Category I special nuclear material. Reflecting the differences in their respective DBTs, we found differences in the actions DOE sites and NRC licensees are taking to increase their preparedness to defeat a large and sophisticated terrorist attack. For example, currently, NRC licensees do not have the same legal authority as DOE sites to acquire heavier weaponry, such as fully automatic weapons, or the same legal authority to use deadly force to protect special nuclear material. NRC is pursuing new regulations, authorized by the Energy Policy Act of 2005, to allow its licensees to use automatic weapons, but expects to take from 1 to 2 years to issue such regulations. At the same time, DOE is implementing plans that, if fully realized, will further increase security at its sites. These plans include developing and deploying improved security technologies; consolidating special nuclear material into fewer, better protected locations; and providing better training and equipment for its security forces. Finally, DOE has better developed tools for assessing security preparedness and understanding vulnerabilities, such as computer modeling and force-on-force testing programs that simulate terrorist attacks on facilities. However, NRC is in the process of adopting computer modeling and implementing a new force-on-force testing program.