Nuclear Power Plants:

Efforts Made to Upgrade Security, but the Nuclear Regulatory Commission's Design Basis Threat Process Should Be Improved

GAO-06-388: Published: Mar 14, 2006. Publicly Released: Apr 4, 2006.

Additional Materials:


Mark E. Gaffigan
(202) 512-6877


Office of Public Affairs
(202) 512-4800

The nation's commercial nuclear power plants are potential targets for terrorists seeking to cause the release of radioactive material. The Nuclear Regulatory Commission (NRC), an independent agency headed by five commissioners, is responsible for regulating and overseeing security at the plants. In April 2003, in response to the terrorist attacks of September 11, 2001, NRC revised the design basis threat (DBT), which describes the threat that plants must be prepared to defend against in terms of the number of attackers and their training, weapons, and tactics. NRC has also restructured its program for testing security at the plants through force-on-force inspections, which consist of mock terrorist attacks. GAO was asked to review (1) the process NRC used to revise the DBT for nuclear power plants, (2) the actions nuclear power plants have taken to enhance security in response to the revised DBT, and (3) NRC's progress in strengthening the conduct of force-on-force inspections at the plants.

NRC revised the DBT for nuclear power plants using a generally logical and well-defined process in which trained threat assessment staff made recommendations for changes based on an analysis of demonstrated terrorist capabilities. The process resulted in a DBT requiring plants to defend against a larger terrorist threat, including a larger number of attackers, a refined and expanded list of weapons, and an increase in the maximum size of a vehicle bomb. Key elements of the revised DBT, such as the number of attackers, generally correspond to the NRC threat assessment staff's original recommendations, but other important elements do not. For example, the NRC staff made changes to some recommendations after obtaining feedback from stakeholders, including the nuclear industry, which objected to certain proposed changes such as the inclusion of certain weapons. NRC officials said the changes resulted from further analysis of intelligence information. Nevertheless, GAO found that the process used to obtain stakeholder feedback created the appearance that changes were made based on what the industry considered reasonable and feasible to defend against rather than on an assessment of the terrorist threat itself. Nuclear power plants made substantial security improvements in response to the September 11, 2001, attacks and the revised DBT, including security barriers and detection equipment, new protective strategies, and additional security officers. It is too early, however, to conclude that all sites are capable of defending against the DBT because, as of November 1, 2005, NRC had conducted force-on-force inspections at about one-third of the plants. NRC has improved its force-on-force inspections--for example, by conducting inspections more frequently at each site. Nevertheless, in observing three inspections and discussing the program with NRC, GAO noted potential issues in the inspections that warrant NRC's continued attention. For example, a lapse in the protection of information about the planned scenario for a mock attack GAO observed may have given the plant's security officers knowledge that allowed them to perform better than they otherwise would have. A classified version of this report provides additional details about the DBT and security at nuclear power plants.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: NRC has decided that its Threat Assessment Section (now the Intelligence Liaison and Threat Assessment Branch or ILTAB) will not be responsible for obtaining feedback from stakeholders, including the nuclear industry, regarding a proposed design basis threat (DBT) revision until after ILTAB has provided an initial assessment to senior management. Feedback from stakeholders on proposed DBT revisions will be initially evaluated by another branch within NRC's Office of Nuclear Security and Incident Response. Responsibility for accepting stakeholder feedback has been transferred to other branches on an issue-specific basis.

    Recommendation: To improve the process by which NRC makes future revisions to the DBT for nuclear power plants, the NRC commissioners should assign responsibility for obtaining feedback from the nuclear industry and other stakeholders on proposed changes to the DBT to an office within NRC other than the Threat Assessment Section, so that the threat assessment staff is able to assess the terrorist threat to nuclear power plants without creating the potential for or appearance of industry influencing their analysis. The commissioners, in turn, could consider both the staff's analysis of the terrorist threat and industry feedback to make the final determination as to whether and how to revise the DBT.

    Agency Affected: Nuclear Regulatory Commission

  2. Status: Closed - Implemented

    Comments: On March 19, 2007, NRC published its final rule on the Design Basis Threat (10 CFR Part 73) in the Federal Register. The new rule revised the current regulation by, for example, including (1) cyber attacks, (2) waterborne vehicle bomb assaults, and (3)adversaries who are willing to kill or be killed and are knowledgeable about specific target selection as an explicit element of the Design Basis Threat. The rule also clarified that the enemy of the state rule (10 CFR Part 50.13), which was promulgated in 1967 in response to concerns about Cuba, was directed at attacks that typically could only be carried out by foreign military organizations.

    Recommendation: To improve the process by which NRC makes future revisions to the DBT for nuclear power plants, the NRC commissioners should develop explicit criteria to guide the commissioners in their deliberations to approve changes to the DBT. These criteria should include setting out the specific factors and how they will be weighed in deciding what characteristics of an attack on a nuclear power plant would constitute an enemy of the United States, or otherwise would not be reasonable for a private security force to defend against.

    Agency Affected: Nuclear Regulatory Commission

  3. Status: Closed - Implemented

    Comments: NRC agreed with this recommendation and has continued to evaluate and implement measures to improve the force-on-force inspection program. For example, in the summer 2006, it issued the "Controller Responsibilities Guideline" to provide sites and controllers with a comprehensive set of instructions to define more clearly command and control, rules of engagement, and controller training requirements. NRC also continues to liaison with its counterparts in the Departments of Defense and Energy to observe force-on-force exercises and share best practices. Furthermore, NRC has endorsed the integration of Joint Conflict and Tactical Simulation (JCATS) technology to add realism to tabletop exercises that are part of the force-on-force exercises and has an ongoing effort to expand the use of laser weapons in the exercises.

    Recommendation: The NRC commissioners should continue to evaluate and implement measures to further strengthen the force-on-force inspection program. For example, NRC may be able to identify and reduce artificialities associated with the inspections to better test how nuclear power plants would respond to an actual terrorist attack.

    Agency Affected: Nuclear Regulatory Commission


Explore the full database of GAO's Open Recommendations »

Nov 19, 2020

Oct 29, 2020

Oct 15, 2020

Jul 24, 2020

Jun 24, 2020

Jun 9, 2020

May 13, 2020

May 12, 2020

Apr 29, 2020

  • energy icon, source: Art Explosion

    Priority Open Recommendations:

    Department of Energy
    GAO-20-285PR: Published: Apr 22, 2020. Publicly Released: Apr 29, 2020.

Apr 17, 2020

Looking for more? Browse all our products here