
2003-09-04 GAO Report

GAO Report calling for increased oversight at nuclear power plants.

GAO

United States General Accounting Office Report to Congressional Requesters

September 2003

NUCLEAR REGULATORY COMMISSION

Oversight of Security at Commercial Nuclear Power Plants Needs to Be Strengthened

GAO-03-752

NRC has taken numerous actions to respond to the heightened risk of terrorist attack, including interacting with the Department of Homeland Security and issuing orders designed to increase security and improve plant defensive barriers. However, three aspects of its security inspection program reduced NRC’s effectiveness in overseeing security at commercial nuclear power plants.

First, NRC inspectors often used a process that minimized the significance of security problems found in annual inspections by classifying them as “non-cited violations” if the problem had not been identified frequently in the past or if the problem had no direct, immediate, adverse consequences at the time it was identified. Non-cited violations do not require a written response from the licensee and do not require NRC inspectors to verify that the problem has been corrected. For example, guards at one plant failed to physically search several individuals for metal objects after a walk-through detector and a hand-held scanner detected metal objects in their clothing. The unchecked individuals were then allowed unescorted access throughout the plant’s protected area. By making extensive use of non-cited violations for serious problems, NRC may overstate the level of security at a power plant and reduce the likelihood that needed improvements are made.

Second, NRC does not have a routine, centralized process for collecting, analyzing, and disseminating security inspections to identify problems that may be common to plants or to provide lessons learned in resolving security problems. Such a mechanism may help plants improve their security.

Third, although NRC’s force-on-force exercises can demonstrate how well a nuclear plant might defend against a real-life threat, several weaknesses in how NRC conducted these exercises limited their usefulness. Weaknesses included using (1) more personnel to defend the plant during these exercises than during a normal day, (2) attacking forces that are not trained in terrorist tactics, and (3) unrealistic weapons (rubber guns) that do not simulate actual gunfire. Furthermore, NRC has made only limited use of some available improvements that would make force-on-force exercises more realistic and provide a more useful learning experience.

Even if NRC strengthens its inspection program, commercial nuclear power plants face legal challenges in ensuring plant security. First, federal law generally prohibits guards at these plants from using automatic weapons, although terrorists are likely to have them. As a result, guards at commercial nuclear power plants could be at a disadvantage in firepower, if attacked. Second, state laws vary regarding the permissible use of deadly force and the authority to arrest and detain intruders, and guards are unsure about the extent of their authorities and may hesitate or fail to act if the plant is attacked.

The September 11, 2001, terrorist attacks intensified the nation’s focus on national preparedness and homeland security. Among possible terrorist targets are the nation’s nuclear power plants—104 facilities containing radioactive fuel and waste. The Nuclear Regulatory Commission (NRC) oversees plant security through an inspection program designed to verify the plants’ compliance with security requirements. As part of that program, NRC conducted annual security inspections of plants and force-on-force exercises to test plant security against a simulated terrorist attack. GAO was asked to review (1) the effectiveness of NRC’s security inspection program and (2) legal challenges affecting power plant security. Currently, NRC is reevaluating its inspection program. We did not assess the adequacy of security at the individual plants; rather, our focus was on NRC’s oversight and regulation of plant security. GAO is making recommendations to strengthen NRC’s oversight at commercial nuclear power plants by promptly restoring annual security inspections and revising force-on-force exercises. NRC disagreed with many of GAO’s findings, but did not comment on GAO’s recommendations. GAO continues to believe its findings are appropriate and the recommendations need to be acted upon.

www.gao.gov/cgi-bin/getrpt?GAO-03-752.

To view the full product, including the scope and methodology, click on the link above.

For more information, contact Jim Wells at (202) 512-3841 or wellsj@gao.gov.

Highlights of GAO-03-752, a report to congressional requesters


Page i GAO-03-752 Nuclear Regulatory Commission: Oversight of Security

Contents

Letter

Results in Brief

Background

Three Aspects of NRC’s Security Inspection Program Inhibit Effective Oversight

Federal Law Limits the Type of Weapons That Guards Can Use, and State Laws Vary on Guards’ Authority to Deal with Intruders

Conclusions

Recommendations for Executive Action

Agency Comments and Our Evaluation

Appendixes

Appendix I: Scope And Methodology

Appendix II: U.S. Commercial Nuclear Power Plants That Are Licensed to Operate

Appendix III: Comments from the Nuclear Regulatory Commission

Appendix IV: GAO Contacts and Staff Acknowledgments

GAO Contacts

Staff Acknowledgments

Figures

Figure 1: Commercial Nuclear Power Plants in the United States

Figure 2: Security Enhancements Made before OSRE Exercises

Abbreviations

DOE Department of Energy

NRC Nuclear Regulatory Commission

OSRE Operational Safeguards Response Evaluation

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States General Accounting Office Washington, D.C. 20548

September 4, 2003

Letter

The Honorable John D. Dingell Ranking Minority Member Committee on Energy and Commerce House of Representatives

The Honorable Edward J. Markey House of Representatives

The September 11, 2001, terrorist attacks on the World Trade Center and the Pentagon intensified the nation’s focus on national preparedness and homeland security. Among possible terrorist targets are the nation’s commercial nuclear power plants—104 facilities containing radioactive fuel and waste operating in 32 states. The Nuclear Regulatory Commission (NRC) licenses commercial nuclear power plants and requires the licensee, among other things, to protect the plants against a potential terrorist threat.

The design basis threat—which NRC develops for these facilities—delineates the maximum number of terrorists that NRC expects plants to defend against, the extent of their training, and the weapons and tactics they could use.

To ensure that commercial nuclear power plants can be protected against the design basis threat and meet other security requirements, NRC requires each licensee to have an NRC-reviewed and -approved security plan before NRC allows the plant to operate. After the plant begins operations, NRC oversees plant security through an inspection program designed to verify that the plant continues to meet security requirements. As part of the security inspection program, NRC conducts annual security inspections of plants and conducts force-on-force exercises. During the security inspections, NRC reviews (1) the list of those who have access to the plant, (2) the plant’s response to an unusual security event, (3) any changes to the security plan, and (4) samples of the plant’s own assessment of its security. Since 1991, the inspection program has also included periodic force-on-force exercises, which are designed to simulate an attack on the plant that is based on the design basis threat. NRC also conducts nonrecurring inspection activities, such as special inspections to ensure that post-September 11, 2001, security enhancements have been implemented at each plant.

In 2001, NRC curtailed its annual security inspections and force-on-force exercises to redesign them for heightened security threats. Until the annual security inspections are resumed sometime in 2004, NRC inspectors have been verifying that post-September 11, 2001, security improvements have been implemented at each plant and conducting special inspections if a serious problem is identified by the licensee in its quarterly self-assessment. In terms of force-on-force exercises, NRC is currently testing and evaluating these exercises under a pilot program that has resulted in five exercises being conducted since January 2003.

You asked us to review (1) the effectiveness of NRC’s inspection program to oversee security at commercial nuclear power plants and (2) legal challenges currently affecting physical security at the power plants. We did not assess the adequacy of security at the nation’s nuclear power plants. Rather, our focus was on NRC’s oversight and regulation of plant security. In conducting our review, we analyzed NRC’s inspection program from January 2000 through September 2001 and the force-on-force exercise program from January 1991 through September 2001. We also reviewed NRC’s initiatives to enhance power plant security after September 11, 2001, as well as its efforts to ensure that the power plants implemented those initiatives. We met with NRC, the Department of Energy (DOE), and power plant representatives and obtained NRC advisories, orders, regulations, and inspections reports. To determine how NRC tests the power plants’ security, we reviewed reports for 80 force-on-force exercises that NRC conducted through September 2001. We designed and completed a data collection instrument in order to organize specific elements that we extracted from these reports.
We also held discussions with DOE officials to determine how they conduct force-on-force exercises at DOE’s nuclear facilities and if there are any “promising practices” that might be applied to NRC’s program. Finally, we obtained NRC’s and industry officials’ views on laws that could affect a licensee’s ability to adequately secure commercial nuclear power plants. Appendix I contains a more detailed discussion of our scope and methodology.

Results in Brief

Since September 11, 2001, NRC has taken numerous actions to increase security at commercial nuclear power plants. However, three aspects of NRC’s security inspection program have reduced its effectiveness in overseeing security at commercial nuclear power plants. First, during annual inspections, NRC inspectors often classified security problems as “non-cited violations” if the problem had not been identified frequently in the past or if the problem had no direct, immediate, adverse consequences at the time that it was identified. This classification tends to minimize the seriousness of the problems. Non-cited violations do not require a written response from the licensee and do not require NRC inspectors to verify that each problem has been corrected. For example, guards at one plant failed to physically search several individuals for metal objects after a walk-through detector and a hand-held scanner detected metal objects in their clothing. The unchecked individuals were then allowed unescorted access throughout the plant’s protected area. Although this incident appears serious, NRC issued a non-cited violation for it and rated the plant’s security as meeting security objectives. Through its extensive use of non-cited violations, rather than reporting the problems as more serious cited violations, NRC may have overstated the level of security at power plants. Second, NRC does not have a centralized process for routinely collecting, analyzing, and disseminating security inspections to identify problems that may be common to plants or to provide lessons learned in resolving a security problem. Third, although force-on-force exercises could demonstrate how well a nuclear plant might defend against a real-life threat, several weaknesses in how NRC conducted past exercises limited their usefulness.
Specifically, (1) NRC conducted these exercises at each nuclear power plant once every 8 years; (2) the licensees used plant defenses during the exercises that were enhanced beyond those used during normal operations; (3) the attacking forces were not trained in terrorist tactics; (4) participants used unrealistic weapons (e.g., rubber guns instead of laser equipment, which would better simulate weapon fire); (5) exercises did not test the full extent of the design basis threat; and (6) exercise reports were often late. As a result, the exercises did not provide information on a power plant’s ability to defend against the maximum design basis threat and permanent correction of problems may have been delayed. Furthermore, NRC has made only limited use of some available administrative and technological improvements that would make force-on-force exercises more realistic and provide a more useful learning experience.

Commercial nuclear power plants face legal challenges in ensuring physical plant security. First, federal law generally prohibits private citizens—including guards at these plants—from using automatic weapons, although terrorists are likely to have them. As a result, guards at commercial nuclear power plants could be at a disadvantage in firepower if attacked. Second, state laws vary regarding the permissible use of deadly force and the authority to arrest and detain intruders. According to NRC’s force-on-force reports and NRC officials, plant guards are unsure about when and if they can use deadly force, and guards are unclear about what authority they have to arrest and detain intruders. As a result, guards may hesitate or fail to take action if a plant comes under attack. NRC has recognized the impact of these federal and state laws on security and has sought federal legislation to address these legal challenges.

We are making recommendations to the NRC Commissioners to restore and strengthen NRC’s oversight of security at commercial nuclear power plants—specifically, NRC’s annual inspection program and force-on-force exercises. In reviewing a draft of this report, NRC did not comment on our conclusions and recommendations. NRC did comment that our report failed to reflect changes made to the program since September 11, 2001, and that the issues addressed in the report were relatively minor and were appropriately addressed. While we agree that NRC has taken many actions since September 11, we note that most of these actions related to enhancing security at the plants and did not relate to NRC’s oversight efforts. In fact, since September 11, NRC has suspended the two major elements of its oversight program, baseline inspections and force-on-force exercises.
We believe that the issues cited in this report, such as improperly screening individuals entering the plant, are not minor, and that promptly restoring the annual security inspections and force-on-force exercises will improve NRC’s oversight responsibilities.

Background

NRC is an independent agency established by the Energy Reorganization Act of 1974 to regulate civilian use of nuclear materials. NRC is headed by a five-member commission. The President designates one commission member to serve as Chairman and official spokesperson. The commission as a whole formulates policies and regulations governing nuclear reactor and materials safety, issues orders to licensees, and adjudicates legal matters brought before it. Security for commercial nuclear power plants is primarily the responsibility of NRC’s Office of Nuclear Security and Incident Response. This office develops overall agency policy and provides management direction for evaluating and assessing technical issues involving security at nuclear facilities, and it is NRC’s safeguards and security interface with the Department of Homeland Security, the intelligence and law enforcement communities, DOE, and other agencies.1 The office also develops and directs the NRC program for response to incidents, and it is NRC’s incident response interface with the Federal Emergency Management Agency and other federal agencies. NRC implements its programs through four regional offices. Figure 1 shows the location of commercial nuclear power plants operating in the United States. (See app. II for a list of the commercial nuclear power plants, their locations, and the NRC regions that are responsible for them.)

  1. DOE operates facilities that contain radioactive material used in its nuclear weapons program.

Figure 1: Commercial Nuclear Power Plants in the United States

Commercial nuclear power plants are also subject to federal and state laws that control certain matters related to security functions, such as the possession and use of automatic weapons by security guards and the use of deadly force.


NRC Security Regulation and Oversight

NRC begins regulating security at a commercial nuclear power plant when the plant is constructed. Before granting an operating license, NRC must approve a security plan for the plant. Since 1977, NRC has required the plants to have a security plan that is designed to protect against a design basis threat for radiological sabotage.2 Details of the design basis threat are considered “safeguards information” and are restricted from public dissemination.3 The design basis threat characterizes the elements of a postulated attack, including the number of attackers, their training, and the weapons and tactics they are capable of using. The design basis threat, revised twice since it was first issued in 1977, requires the plants to protect against “a determined violent external assault by stealth, or deceptive actions” or “an internal threat of an insider, including an employee in any position.” Under the 1977 design basis threat, plants had to

• add barriers to vital equipment and work zones and develop identification and search procedures for anyone entering restricted areas;

• upgrade alarm systems and internal communication networks and control keys, locks, and combinations; and

• maintain a minimum number of guards, armed with semiautomatic weapons, that had to be on duty at all times (unless NRC granted an exemption that allowed fewer guards).

In 1993, in response to the first terrorist attack on the World Trade Center in New York City and to a vehicle intrusion at the Three Mile Island nuclear power plant in Pennsylvania, NRC revised the design basis threat for radiological sabotage to include the possible use of a vehicle bomb. This action required the installation of vehicle barriers at the power plants. On April 29, 2003, NRC issued a revised design basis threat that the commission believes is the “largest reasonable threat against which a regulated private guard force should be expected to defend under existing law.” NRC has given the power plants 18 months to comply with the new design basis threat.

  2. Radiological sabotage against a nuclear power plant is a deliberate act that could directly or indirectly endanger the public health and safety by exposure to radiation.
  3. Safeguards information is unclassified sensitive information.


NRC’s inspection program is an important element in its oversight effort to ensure that commercial nuclear power plants comply with security requirements. Security inspectors from the agency’s four regional offices conduct annual inspections at each plant. These inspections are designed to check that the power plants’ security programs meet NRC requirements in the areas of access authorization, access control, and response to contingency events. The inspections also involve reviewing changes to the plant’s security plan and random samples of the plant’s own assessment of its security. NRC suspended its inspection program in September 2001 to focus its resources on the implementation of security enhancements. NRC is currently revising the security inspection program. NRC also conducted force-on-force exercises under the security inspection program. These force-on-force exercises, which were referred to as Operational Safeguards Response Evaluation (OSRE) exercises, were designed to test the adequacy of a plant’s capability to respond to a simulated attack. NRC began conducting these exercises in 1991 but suspended them after September 11, 2001. NRC intends to restructure the program. It has recently begun a series of pilot force-on-force exercises that are designed to provide a more rigorous test of security at the plants and to provide information for designing a new force-on-force exercise program. No date has been set for completing the pilot program or for initiating a new, formal force-on-force program.

NRC Actions to Enhance Security at Commercial Nuclear Power Plants since September 11, 2001

In order to respond to the heightened risk of terrorist attack, NRC has had extensive interactions with the Department of Homeland Security and the Homeland Security Council on security at commercial nuclear power plants. NRC also has issued advisories and orders that were designed to increase the size and improve the proficiency of plant security forces, restrict access to the plants, and increase and improve plant defensive barriers. On October 6, 2001, NRC issued a major advisory, stating that the licensees should consider taking immediate action to increase the number of security guards and to be cautious of temporary employees. NRC conducted a three-phase security inspection, checking the licensees to see if they had complied with these advisories. Each licensee’s resident inspector4 conducted phase one, which was a quick overview of the licensee’s security program using a headquarters-prepared survey. During phase two, NRC’s regional security inspectors conducted a more thorough survey of each plant’s security. During phase three, which concluded in January 2002, NRC’s regional security inspectors reviewed each licensee’s security program to determine if the licensee had complied with the additional measures suggested in the October 6, 2001, advisory. NRC used the results from the three-phase security inspection in developing its February 25, 2002, order requiring licensees to implement additional security mechanisms.5 Many of the order’s requirements were actions suggested in previous advisories. The licensees had until August 31, 2002, to implement these security requirements. In December 2002, NRC completed a checklist to provide assurance that the licensees had complied with the order. In addition, NRC developed a security inspection procedure to validate and verify licensee compliance with all aspects of the order. NRC estimates that this procedure will be completed by December 2003. On August 14, 2003, NRC stated that 75 percent of the power plants had been inspected for compliance with the order.

  4. NRC resident inspectors are stationed at each commercial nuclear power plant facility. The resident inspectors are not security specialists, focusing primarily on plant safety.

NRC also took action on an item that had been a security concern for a number of years—the use of temporary clearances for temporary workers. Commercial nuclear power plants use hundreds of temporary employees for maintenance—most frequently during the period when the plant is shut down for refueling. In the past, NRC found instances in which personnel who failed to report criminal records had temporary clearances that allowed them unescorted access to vital areas.6 In its October 6, 2001, advisory, NRC suggested that licensees limit temporary clearances for temporary workers. On February 25, 2002, NRC issued an order that limited the use and duration of temporary clearances, and, on January 7, 2003, NRC issued an order to eliminate the use of these clearances.7 NRC now requires a criminal history review and a background investigation to be completed before allowing temporary workers to have unescorted access to the power plants.

  5. NRC Order EA-02-026.
  6. The vital area, within the protected area, contains the plant equipment, systems, devices, or material whose failure, destruction, or release could endanger the public health and safety by exposure to radiation. This area is protected by guard stations, reinforced gates, surveillance cameras, and locked doors.
  7. NRC Order EA-02-261.


On April 29, 2003, in addition to issuing a new design basis threat, NRC issued two orders that are designed to ensure that excessive work hours do not challenge the ability of security forces in performing their duties and to enhance the training and qualification program for security forces.

Three Aspects of NRC’s Security Inspection Program Inhibit Effective Oversight

NRC’s security inspection program may not be fully effective because of weakness in three areas. First, during the annual inspections conducted from 1999 until September 2001, NRC’s regional security specialists used a process to categorize the seriousness of security problems that, in some cases, minimized their significance. As a result, NRC did not track these problems to ensure that they had been permanently corrected and may have overstated the level of security at power plants. Second, NRC does not routinely collect and disseminate information from security inspections to NRC headquarters, other NRC regions, or other power plants. Dissemination of this information may help other plants to correct similar problems or prevent them from occurring. Third, NRC has made limited use of some available administrative and technological improvements that would make force-on-force exercises more realistic and provide a more useful learning experience.

NRC’s Inspection Practices Minimize the Significance of Some Security Problems

NRC ensures that commercial nuclear power plants maintain security by monitoring the performance and procedures of the licensees that operate them. NRC’s inspection program is the agency’s only means to verify that these plants comply with their own NRC-approved security plans and with other NRC security requirements.

NRC suspended its annual security inspection program after September 11, 2001, and currently is revising the program. NRC does not expect a new security inspection program to be implemented until some time in 2004. Although NRC has temporarily suspended its annual security inspections, it continues to check a plant’s self-assessments and conduct an inspection if the licensee identifies a serious problem.

Under the previous security inspection program, initiated in 1999 and suspended in 2001, NRC used a “risk informed” performance-based system (the Reactor Oversight Process) that was intended to focus both NRC’s and the licensees’ resources on important safety matters. In an attempt to focus NRC attention on plants with the most serious problems, and to reduce regulatory burdens on the nuclear industry, the Reactor Oversight Process relied heavily on performance assessment data generated by the licensees and submitted quarterly to NRC. In the security area, these licensee self-assessments provided NRC with data on (1) the operation of security equipment (such as intrusion detectors and closed-circuit television cameras), (2) the effectiveness of the personnel screening program (including criminal history and background checks), and (3) the effectiveness of the employee fitness-for-duty program (including tests for substance abuse and behavioral observations). Under guidelines for these self-assessments, licensees are required to report only the most serious problems. NRC inspectors followed a multistep process to monitor security, including verifying the licensees’ self-assessments and conducting their own annual inspection. NRC inspectors did not verify all aspects of the licensees’ self-assessments. Instead, the inspectors made random checks of the quarterly self-assessments during their annual security inspection of the plant.

During the inspections, the inspectors reviewed the following aspects of security at each plant:

• Access authorization and fitness for duty (performed annually). Inspectors interviewed supervisors and their staffs about procedures for recognizing drug use, possession, and sale; indications of alcohol use and aberrant behavior; and records of testing for suspicious behavior. These procedures were designed to ensure that the licensee conducts adequate personnel screening and enforces fitness-for-duty requirements—functions considered critical to protect against an insider threat of radiological sabotage.

• Access control (performed annually). Inspectors observed guards at entry points during peak hours, checked screening equipment, read event reports and logs, checked access procedures for the plant’s vital area, and surveyed data in the security computers. For example, inspectors observed searches of personnel, packages, and vehicles for contraband (i.e., firearms, explosives, or drugs) before entry into the protected area and ensured that the guards granted only authorized persons unescorted access to the protected and the vital areas of the plant.


• Response to contingency events (performed triennially).8 Inspectors tested the licensee’s physical security by testing the intrusion detection system.

• Random checks of changes to security plans (performed biennially). Under NRC regulations, licensees can change their security plans without informing NRC if they believe that the change does not decrease the effectiveness of the plan. Inspectors reviewed security plan changes and could have physically examined a change if an issue arose.

If NRC inspectors detected a security problem in these areas, they determined the problem’s safety significance and whether it violated the plant’s security plan or other NRC requirements. If a violation occurred, and the inspectors determined that the problem was “more than minor,” they used a “significance determination process” to relate the violation to overall plant security. According to NRC officials, the significance determination process is also being revised. Under the process previously used, the inspectors assigned a violation one of the following four ratings: very low significance, low to moderate significance, substantial significance, and high significance. For violations more serious than very low significance, the licensee was required to prepare a written response, stating the actions it would take to correct the problem. However, violations judged to be of very low significance—usually categorized as non-cited violations—were routinely recorded; entered into the plant’s corrective action plan; and, from NRC’s perspective, closed. Violations were judged to be of low significance and categorized as a non-cited violation if the problem had not been identified more than twice in the past year or if the problem had no direct, immediate, adverse consequences at the time it was identified. In addition, for non-cited violations, NRC did not require a written response from the licensee and did not routinely follow up to ensure that a permanent remedy had been implemented unless the non-cited violation was randomly selected for review of the licensee’s corrective action program.

8 A contingency event is any event that could impact on the security of the plant.

We found that NRC frequently issued non-cited violations. NRC issued 72 non-cited security violations from 2000 to 2001 compared with no cited security violations during the same period. In addition, NRC issued non-cited violations for security problems that, while within NRC’s guidance for non-cited violations, appear to be serious and seem to justify the formality and follow-up of a cited violation. For example:

• At one plant, an NRC inspector found a security guard sleeping on duty for more than half an hour. This incident was treated as a non-cited violation because no actual attack had occurred during that time, and because neither he nor any other guard at the plant had been found sleeping more than twice during the past year.

• At another plant, a security officer falsified logs to show that he had checked vital area doors and barriers when he was actually in another part of the plant. The officer was the only protection for this area because of a “security upgrade project.”

• At another plant, NRC inspectors categorized two security problems as non-cited violations because they had not occurred more than twice in the past year. In one incident, an inspector observed guards who failed to physically search several individuals for metal objects after a walk-through detector and a hand-held scanner detected metal objects in their clothing. The unchecked individuals were then allowed unescorted access throughout the plant’s protected area. Also, security was compromised in a vital area—where equipment that could be required to protect public health and safety is located—when an inspector found that tamper alarms on an access door had been disabled. In this case, the only compensatory measure implemented was to have a guard check the location once during each 12-hour shift.

In addition to NRC’s annual inspections, NRC will conduct an inspection if a plant’s quarterly self-assessment identifies a serious security problem. Between 2000 and 2002, only 4 of the 104 plants reported security problems that required NRC to conduct a follow-up inspection. In 2000, each plant identified that equipment for controlling access to the plant’s protected area was often broken, requiring extra guards as compensation. None of the 104 plants’ self-assessments identified any security problems in 2001, 2002, or the first 6 months of 2003.

Once every 3 months, NRC develops performance summaries for each of the nuclear power plants it regulates. In the security area, NRC uses each plant’s self-assessment performance indicators and its own annual inspections as the basis for each plant’s quarterly rating. The performance rating can range from “meeting security objectives” to “unacceptable.” The ratings are displayed on NRC’s Web site, which is the public’s main link to NRC’s assessment of the security at each plant. However, because of NRC’s extensive use of non-cited violations, the performance rating may not always accurately represent the security level of the plant. For example, the plant where the sleeping guard was found was rated as meeting security objectives for that period. NRC also rated security as meeting objectives at the plant where physical searches were not conducted for metal detected by scanners.

NRC Does Not Systematically Collect, Analyze, and Disseminate Information That May Improve Security at All Plants

NRC does not have a routine, centralized process for collecting, analyzing, and disseminating security inspections to identify problems that may be common to other plants or to identify lessons learned in resolving a security problem that may be helpful to plants in other regions. NRC headquarters only receives inspection reports when a licensee challenges the findings from security inspections. Following the inspection, the regional security specialist prepares a report that is then sent to the licensee for comment. If the licensee does not challenge the report’s findings, the report is filed at the region. If the licensee challenges the findings, an NRC headquarters security review panel meets to resolve the issue. At this point, headquarters security specialists may informally retain copies of the case, but, officially, headquarters returns the files to the region, which replies to the licensee.

According to NRC headquarters officials, they do not routinely obtain copies of all security inspection reports because headquarters files and computer databases are insufficient to hold all inspection reports. In addition, some of the reports contain safeguards information and can only be transferred by mail, courier, or secure fax. Instead, headquarters only has a list of reports in its computer database—not the narrative details that include safeguards information. According to headquarters officials, regional NRC security specialists may maintain their own information about security problems and their resolution, but they have not done this systematically nor have they routinely shared their findings with headquarters or the other regions.

NRC’s Force-on-Force Exercises Are Limited in Their Usefulness

From 1991 through 2001, NRC conducted force-on-force exercises, called OSREs, at the nation’s commercial nuclear power plants. Although these exercises have provided learning experiences for the plants and may have helped improve plant security, the exercises did not fully demonstrate the plants’ security preparedness. The exercises were conducted infrequently, against plant security that was enhanced by additional guards and/or security barriers, by simulated terrorists who were not trained to operate like terrorists, and with unrealistic weapons. In addition, the exercises did not test the maximum limits of the design basis threat, and inspectors often filed OSRE reports late. As a result, the exercises did not provide complete and accurate information on