Nuclear Security: DOE Could Improve Aspects of Nuclear Security Reporting
The Department of Energy operates sites that hold special nuclear material—such as highly enriched uranium—which can be used to make nuclear weapons. Due to the sensitive nature of these sites, DOE must annually report on the status of their security infrastructure to Congress.
DOE's reports identified challenges that could affect the security at some of its sites, and we found that the agency is not fully prepared to address these challenges. Among other things, we recommended that DOE develop a plan to address physical security infrastructure needs—such as fences, alarms, and sensors—at its sites.
Photo of the Department of Energy building in Washington, DC.
What GAO Found
The Department of Energy's (DOE) and the National Nuclear Security Administration's (NNSA) annual reports for 2014 and 2015 on the security of nuclear facilities holding special nuclear material did not fully meet the definition of quality information under the federal internal control standards. These standards define quality information as appropriate, current, complete, accurate, accessible, and provided on a timely basis. GAO found that, in general, while the reports were based on current information and were accessible to Congress, they did not fully meet quality information standards because the reports:
- did not always contain complete information on the assessments used to support the agencies' certifications that sites are secure and
- were not provided to Congress in a timely manner.
For example, DOE's 2015 annual security report did not mention whether an important assessment was conducted at two of its four sites or include information regarding the date or outcome of the assessment at three of its four sites. NNSA's 2015 annual security report noted its sites conducted these assessments; however, it did not provide information regarding the date or outcome at one site. Without complete information on the assessments used to determine each site's overall security assessment, it was not always possible to determine the basis for the site security certification solely using the information contained in the reports. In addition, GAO found that DOE's and NNSA's annual 2014 and 2015 security reports were issued several months late. DOE officials told GAO the delay was partly due to the lengthy internal review process. DOE and NNSA stated that they would promptly report any serious security issues to Congress using means other than the annual security reports. When the reports are issued late, however, Congress may not routinely receive timely notice of issues so that it can take actions to improve sites' security.
GAO's review of the annual security status reports and interviews with agency officials indicated that DOE and NNSA share significant challenges that could affect their ability to maintain physical security at sites and certify them as secure. For example, security infrastructure, such as fences, alarms, and sensors, at many DOE and NNSA facilities is outdated and requires extensive maintenance to ensure proper functioning. NNSA is developing a physical security infrastructure plan to be issued in spring 2017, but DOE has not fully developed plans or estimated costs to address its needs. Additionally, DOE has not fully implemented a June 2011 order, which could result in some nuclear materials requiring additional security. GAO found that even though the order called for implementation plans within 6 months of its issuance, one DOE site, with the approval of the Deputy Secretary of Energy, will not have an implementation plan until 2018. Based on GAO's review and the comments of agency officials, neither the 2014 and 2015 security reports provided comprehensive risk and potential vulnerability information to Congress nor had these issues been communicated through other means.
Why GAO Did This Study
DOE and NNSA operate sites with facilities holding special nuclear material that can be used to make nuclear weapons. The National Defense Authorization Act of 2014 requires the Secretary of Energy to submit to congressional committees a report detailing the status of security at sites holding key quantities of special nuclear material, along with a certification that the sites meet DOE's security standards and requirements by December 1 of each year. The law requires DOE's reports to include a similar report from NNSA. A report accompanying the legislation included a provision for GAO to evaluate these efforts. This report examines (1) the extent to which these DOE and NNSA reports meet the definition of quality information under federal internal control standards, and (2) any significant physical security challenges at sites that the reports or agency officials identified and the extent to which the agencies have addressed them. GAO reviewed the 2014 and 2015 reports and interviewed agency officials.
GAO recommends that DOE include more complete information in the reports, better align the review process and mandated deadlines, plan for infrastructure needs, and inform Congress of the reason for delays in implementing its June 2011 order and any identified vulnerabilities. DOE raised concerns with the first recommendation, generally agreed with the second and the third, and stated it had already implemented the fourth. In response, GAO modified the first recommendation and will assess DOE's implementation of the fourth.
Recommendations for Executive Action
|Department of Energy||The Secretary of Energy, working with the Administrator of the National Nuclear Security Administration, should include more complete information on the assessments--that is, security plans, vulnerability assessments, independent assessments, and other assessments--used in the annual reports to support the agencies' assessments that DOE and NNSA sites are secure.||
We reported in May 2019 that DOE and NNSA continued to make progress in responding to this recommendation. The draft 2018 annual report contained, as recommended, more complete and uniform information on assessments, though in some cases different terminology was used by programs and sites. In June 2020, we requested final 2018, 2019, and 2020 annual reports from NNSA to ensure progress had continued. In October 2020 we reviewed the reports and found that NNSA had addressed this issue. The 2020 DOE report also addressed this issue, with a uniform report template and a detailed table showing for each site when the various assessments had been performed as well as their result. DOE staff stated this was accomplished through an improved data collection instrument and a lot of follow-up with the sites and program offices.
|Department of Energy||The Secretary of Energy, working with the Administrator of the National Nuclear Security Administration, should better align the internal review process and mandated report publication deadlines.||
DOE and NNSA have responded positively and effectively to this recommendation. The 2017 letter report was delivered to Congress on time and the draft 2018 report is being produced on a schedule that should enable timely delivery to Congress. In addition, DOE and Congress agreed that, after the 2018 report is complete, the agency will move to a biennial reporting cycle. This may help with timely submissions of the report in the future,
|Department of Energy||Additionally, the Secretary of Energy should develop a plan for addressing the physical security infrastructure needs at DOE sites. Similar to a report under development by NNSA, this plan could identify cost and time frames and enable DOE and the Congress to prioritize these projects.||
As of June 2020, DOE had not implemented this recommendation. While DOE program offices (Environmental Management, Science, and Nuclear Energy) were individually considering long-term needs, the program offices are not required by Congress to submit the kind of physical security plan that Congress requires of NNSA. In the absence of Congressional direction, we believed it was unlikely that DOE would fully implement this recommendation. In October 2020, however, we met with DOE and NNSA staff, who informed us that NNSA has developed such a plan only because it was required by Congress and because NNSA, also required by Congress, must produce future years programming, planning, and budgeting documents such as the FYNSP and SSMP. Staff explained there are no similar requirements for DOE's other Category 1 SNM sites, and the aforementioned structural issues for non-NNSA sites makes it very unlikely that such a plan will ever be developed unless directed by Congress. We elected in our report not to make this a matter for Congressional consideration. Although a comprehensive plan is unlikely to be developed unless required by Congress, the latest report extensively discusses the physical security improvements needed, underway, and planned at two DOE sites. One DOE site recently finished such improvements and another is less dependent on physical security systems because its security strategy involves the eventual removal of SNM, although this is occurring at a much slower pace than was originally envisioned. Given the limitations discussed and the progress made, we closed this recommendation as implemented.
|Department of Energy||Additionally, the Secretary of Energy should, in future annual security certification reports, inform Congress of the reasons for the delayed implementation of the June 2011 DOE material control and accountability order at some sites, as well as the steps DOE and its sites are taking to implement it. DOE should also provide Congress with information on any vulnerabilities or deficiencies in the security at sites that may potentially exist while the sites complete implementation of the order as well as information on any concomitant adjustment to their security posture that is required.||
We closed this recommendation as implemented. DOE has acknowledged the security risks associated with the slow pace of the material control and accountability order. DOE has also developed a plan to implement measures to address these risks in a phased approach with final implementation sometime in the 2020s. Some of the early phases will be complete between 2019 and 2022, but others will extend beyond 2022. In October 2020 we reviewed the latest report and found it directly addresses this issue than in contrast to previous reports. Only a single site is affected, and a variety of measures have been implemented since 2016. Final implementation is expected to be complete by 2024. Two facilities at this site will operate at higher risk until these final measures are implemented. Acknowledging and accepting risk is within DOE policy and part of a risk management approach.