oversight

Defense Infrastructure: The Navy's Use of Risk Management at Naval Stations Mayport and Norfolk

Published by the Government Accountability Office on 2012-07-13.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

United States Government Accountability Office
Washington, DC 20548



           July 13, 2012

           Congressional Committees

           Subject: Defense Infrastructure: The Navy’s Use of Risk Management at Naval Stations
           Mayport and Norfolk

           The recent financial crisis, emerging political unrest in nations around the globe, and the
           impact of significant natural disasters are causing organizations of all types and sizes to
           place increasing emphasis on robust risk management practices. The 2010 Quadrennial
           Defense Review Report 1 states that risk management is vital to the Department of
           Defense’s (DOD) success and that although it is difficult, risk management is central to
           effective DOD decision making. In an uncertain fiscal environment, while facing the threat of
           terrorism and natural disasters, the Navy must continually manage and assess the threats to
           and the vulnerabilities of its installations and assets. According to Navy officials, since the
           terrorist attack on the USS Cole in 2000 and the terrorist attacks of September 11, 2001,
           DOD has enhanced and updated its antiterrorism/force protection standards and physical
           security requirements for all DOD assets and installations. The Navy performs risk
           management at all levels of its headquarters and command structure for all of its operations
           and assets, including naval installations where nuclear-powered aircraft carriers and other
           high-value Navy assets 2 are located.

           In Senate Report 112-26, accompanying a proposed bill for the National Defense
           Authorization Act for Fiscal Year 2012 (S. 1253), GAO was directed to conduct an analysis
           of certain matters related to the Navy’s plan to establish a second East Coast homeport for
           a nuclear-powered aircraft carrier, including the risks the plan seeks to address. 3 Our
           reporting objectives were to determine the extent to which the Navy (1) conducts risk
           management to identify and assess the risk associated with its force structure and high-
           value assets, including the risk associated with homeporting nuclear-powered aircraft
           carriers on the East Coast, and (2) has taken actions to mitigate any identified risks.

           To gain an understanding of how the Navy conducts risk management to identify and
           assess the risk associated with its force structure and high-value assets, including the risk
           associated with homeporting nuclear-powered aircraft carriers on the East Coast, and the
           actions it has taken to mitigate any identified risks, we interviewed cognizant officials from
           the Department of the Navy and reviewed and analyzed relevant Navy documents and

           1
            Department of Defense, Quadrennial Defense Review Report (February 2010).
           2
            The Navy describes the following as high-value units, which we refer to in this report as high-value
           assets: aircraft carriers, amphibious assault ships, ballistic missile submarines, guided missile
           submarines, attack submarines, and certain Military Sealift Command vessels. See Office of the Chief
           of Naval Operations Instruction 3880.5, High Value Unit Transit Escort Operations, § 5(a) (June 15,
           2010). We also use “high-value asset” to refer to an installation necessary for the support of military
           operations.
           3
            See S. Rep. No. 112-26, at 241 (2011).


                                                                        GAO-12-710R Defense Infrastructure
instructions, such as the draft strategic laydown and dispersal policy and guidance
document. 4 In addition, we conducted a literature search to identify relevant guiding
principles and leading practices of risk management used by DOD, the services, the private
sector, and GAO. Based on our analysis of these risk management practices, we found
commonalities among them and identified five basic guiding principles of risk management:
(1) identify risks, (2) analyze risks, (3) plan for risk mitigation, (4) implement a risk mitigation
action plan, and (5) track risks and mitigation action plan implementation. Further, we
interviewed knowledgeable officials from the Joint Staff, the Defense Threat Reduction
Agency, and the Navy to obtain an understanding of the Navy’s actions to mitigate
(eliminate or reduce) risk associated with homeporting nuclear-powered aircraft carriers at
Naval Stations Mayport and Norfolk. We interviewed officials from the Naval Facilities
Engineering Command to obtain relevant information and an understanding of the current
Unified Facilities Criteria, which provides technical criteria and standards pertaining to
planning, design, construction, and operation and maintenance of DOD real property
facilities. We obtained documents and interviewed officials from the Naval Criminal
Investigative Service to understand its performance of threat assessments of the areas
surrounding the naval installations on the East Coast. To obtain an understanding of the
U.S. Coast Guard’s role and responsibilities regarding the Navy’s high-value assets, such as
nuclear-powered aircraft carriers, we interviewed Coast Guard officials. These officials
provided us with the Coast Guard’s Domestic Port Security Assessments for the
Jacksonville and Norfolk ports. We also interviewed officials from DOD’s Cost Assessment
and Program Evaluation Office; the Office of the Secretary of the Navy; the Office of the
Chief of Naval Operations; Fleet Forces Command; and the Commander, Navy Installations
Command.

To gain an understanding of the actions the Navy has taken to mitigate risks associated with
homeporting nuclear-powered aircraft carriers on the East Coast, we obtained the
vulnerability assessment reports for Naval Stations Mayport and Norfolk and analyzed them
to determine the types of assessments completed, vulnerabilities identified,
recommendations made, and courses of action or mitigation action plans developed to
correct the identified vulnerabilities. Further, we obtained an understanding of a database
maintained in the Joint Staff Core Vulnerability Assessment Management Program. This
database is used to identify, analyze, prioritize, track, and manage antiterrorism
vulnerabilities at DOD’s installations, including naval stations. Through document reviews
and interviews with officials at the Joint Staff and the Defense Technical Information Center
who are knowledgeable about the Joint Staff Core Vulnerability Assessment Management
Program database, the data it contains, and the internal controls used to maintain the
integrity of the data, we determined that the data were sufficiently reliable to verify that the
mitigation action plans are tracked and monitored.

We conducted this performance audit from July 2011 to July 2012 in accordance with
generally accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.




4
 Department of the Navy, Draft Strategic Laydown and Dispersal Strategic Guidance (February
2011).


Page 2                                                     GAO-12-710R Defense Infrastructure
Summary

The Navy follows the five basic guiding principles for managing risk at the strategic,
environmental, and operational levels before making decisions about the placement and
operation of its force structure—including the placement of nuclear-powered aircraft carriers
on the East Coast of the United States. The Navy does not conduct any unique risk
assessment for its nuclear-powered aircraft carriers at naval installations; rather, nuclear-
powered aircraft carriers are high-value assets that are included in the Navy’s overall risk
management process. At the strategic level, Office of the Secretary of the Navy and Office
of the Chief of Naval Operations headquarters staff have identified and analyzed risks, such
as emerging threats from hostile nation-states, which could make demands on homeland
defense capabilities. Since 2004, according to Navy officials, the Navy has been using its
strategic laydown and dispersal methodology in dividing its force structure and assets
between the Atlantic and Pacific Fleets. In addition, officials stated that there may be
adjustments to the Navy’s current split of assets between the Atlantic and Pacific Fleets
based on direction from the President that is reflected in DOD’s January 2012 defense
strategic guidance, which emphasizes rebalancing defense assets in the Pacific region.
Furthermore, naval guidance indicates that the Navy seeks to operate around the world in
an environmentally responsible manner, both ashore (installations) and afloat (ships), and
work with stakeholders to ensure that it follows environmental laws, regulations, and
policies. 5 Since the terrorist attacks of 2000 and 2001, the Navy’s risk management at the
operational level has included conducting threat assessments for areas surrounding naval
installations, as well as the installations themselves, and providing increased protection for
high-value assets, such as nuclear-powered aircraft carriers. In addition, since the terrorist
attacks, the Coast Guard has at times been providing escorts to the Navy’s high-value
assets. The Coast Guard officials also noted that the communication of threat information
among stakeholders in the Hampton Roads Regional Threat Working Group in Virginia has
been much improved during this period.

The Navy has taken some actions to mitigate risk associated with homeporting nuclear-
powered aircraft carriers at two East Coast naval installations. A naval installation and its
high-value assets—such as nuclear-powered aircraft carriers—may be susceptible to the
threat of a terrorist attack. The risk of becoming the target of such an attack is affected by
vulnerabilities at the installation. As part of its ongoing risk management process to identify
and assess vulnerabilities at installations, DOD requires that many of its installations
undergo an annual antiterrorism vulnerability assessment. 6 According to security experts
who conduct the annual vulnerability assessments, they determine whether the installation
is in compliance with DOD’s 32 antiterrorism standards, such as establishing and
implementing an antiterrorism program. During our site visits, we found that vulnerability
assessments were performed at Naval Stations Mayport, Florida, and Norfolk, Virginia, on
an annual basis. In addition, we found that the two naval stations had developed mitigation
action plans and identified different possible courses of action to eliminate or mitigate the
vulnerabilities and reduce the risk to the installations. The installation commander is
responsible for protecting the installation and its assets—including nuclear-powered aircraft
carriers—and selects the course of action that most effectively mitigates the vulnerability.
Finally, as part of their ongoing risk management process, Naval Stations Mayport and
Norfolk conduct four integrated training events each year, as directed by Commander, Naval


5
 See Office of the Chief of Naval Operations Instruction 5090.1C, Environmental Readiness Program
Manual (Oct. 30, 2007) (incorporating change July 18, 2011) (hereinafter OPNAVINST 5090.1C (Oct.
30, 2007) (incorporating change July 18, 2011)).
6
 See Department of Defense Instruction 2000.16, DOD Antiterrorism (AT) Standards, encl. 3, §
E3.6.1.4 (Oct. 2, 2006) (incorporating change Dec. 8, 2006).


Page 3                                                    GAO-12-710R Defense Infrastructure
Installations Command guidance. 7 These training exercises focus on enhancing skills in
emergency management, fire protection, and force protection conditions.

Background

Navy Designated Naval Station Mayport, Florida, as a Second East Coast Homeport for
Nuclear-Powered Aircraft Carriers

The Navy has been reporting to Congress and congressional subcommittees, since the
1990s, on its development of plans for making Naval Station Mayport a potential homeport
for nuclear-powered aircraft carriers. In March 1997, the Navy released a programmatic
environmental impact statement 8 to evaluate the environmental impact of homeporting a
nuclear-powered aircraft carrier at this location. In 2001, the Quadrennial Defense Review
Report called for the Navy to provide more warfighting assets more quickly to multiple
locations. In order to meet this new demand, the Navy made a preliminary decision to
homeport additional fleet surface ships at Naval Station Mayport. The Navy completed the
final environmental impact statement for this action in 2008. 9 On January 14, 2009, the Navy
issued its record of decision to homeport a nuclear-powered aircraft carrier at Naval Station
Mayport. 10 Further, the 2010 Quadrennial Defense Review Report stated that the United
States Navy will homeport an East Coast carrier in Mayport, Florida, as one of its defense
postures in the Western Hemisphere to mitigate the risk of a terrorist attack, accident, or
natural disaster.

According to the Navy’s record of decision, the need to develop a hedge against the
potentially crippling results of a catastrophic event was ultimately the determining factor in
the Navy’s decision to establish a second nuclear-powered aircraft carrier homeport on the
East Coast of the United States. Figure 1 shows the locations of five homeports for the
Navy’s nuclear-powered aircraft carriers on the East and West Coasts as well as in Japan
as of fiscal year 2012.




7
 See Commander, Navy Installations Command Instruction 5530.14, CNIC Ashore Protection
Program, encl. 1, § 0805(c) (July 7, 2011).
8
 Department of the Navy, Final Programmatic Environmental Impact Statement for Facilities
Development Necessary to Support Potential Aircraft Carrier Homeporting at Naval Station Mayport,
Florida (March 1997).
9
 Department of the Navy, Final Environmental Impact Statement for the Proposed Homeporting of
Additional Surface Ships at Naval Station Mayport, Florida (Nov. 21, 2008).
10
  Department of the Navy, Record of Decision for Homeporting of Additional Surface Ships at Naval
Station Mayport, FL (Jan. 14, 2009). available at http://www.mayporthomeportingeis.com. The
decision was signed by the Assistant Secretary of the Navy (Installations and Environment).


Page 4                                                    GAO-12-710R Defense Infrastructure
Figure 1: Navy’s Nuclear-Powered Aircraft Carrier Homeports as of Fiscal Year 2012




In addition, in 2009 and 2010, the House Committee on Armed Services directed that we
report on multiple matters related to the Navy’s decision to homeport a nuclear-powered
aircraft carrier at Naval Station Mayport. 11 Our previous reports on the Navy’s decision are
listed at the end of this report. According to a Navy official, because of the current budget
situation, the Navy is presently reviewing all of its decisions, including the decision to
homeport a nuclear-powered aircraft carrier at Naval Station Mayport.

Principles of Risk Management

According to Standards for Internal Control in the Federal Government, 12 risk management
is an aspect of management control that is built into an organization as part of its
infrastructure, to help managers run the organization and achieve its objectives. Because
governmental, economic, industry, regulatory, and operating conditions continually change,
mechanisms should be provided to identify and deal with any special risks prompted by
such changes. Risk identification methods may include qualitative and quantitative ranking
activities. Once risks have been identified, the organization should analyze the risks and
their potential impact and decide what actions are needed to manage and mitigate
(eliminate or reduce) them.




11
 See H.R. Rep. No. 111-491, at 254, 260-61, 507 (2010); H.R. Rep. No. 111-166, at 537-38 (2009).
12
 GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1
(Washington, D.C.: November 1999).


Page 5                                                    GAO-12-710R Defense Infrastructure
In researching guidelines and leading practices for risk management, 13 we found that risk
management is a continuous process, for which an organization’s management and
personnel should be responsible. In addition, we found commonalities among these
guidelines and leading practices and identified five basic guiding principles of risk
management: (1) management and personnel identify risks; (2) they analyze risks; (3) after
analyzing the risks, they create a plan that identifies different possible courses of action to
mitigate the identified risk; (4) when a plan for risk mitigation is approved, management and
personnel implement the risk mitigation action plan; and (5) they track risks and mitigation
action plan implementation to determine if the plan was successful in mitigating the risk. In
addition, the Defense Risk Management Framework described in the 2010 Quadrennial
Defense Review Report and the private sector’s Enterprise Risk Management—Integrated
Framework suggest that risk management should be performed across the whole
organization in order to achieve its strategic and operational objectives.

The Navy Follows the Five Basic Guiding Principles for Risk Management at the
Strategic, Environmental, and Operational Levels

In making decisions about the placement and operation of its naval force structure around
the world—including the placement of nuclear-powered aircraft carriers on the East Coast of
the United States—the Navy follows the five basic guiding principles for managing risk at the
strategic, environmental, and operational levels. We found that the Defense Risk
Management Framework described in the 2010 Quadrennial Defense Review Report and
the Navy’s Operational Risk Management contain the five basic guiding principles for risk
management. During our review, we found various organizations both inside and outside of
the Navy that perform risk management before decisions on the placement of the Navy’s
force structure and high-value assets—including nuclear-powered aircraft carriers—are
finalized. These organizations reported that they then continuously manage the risks
associated with naval operations and assets. We also found that the Navy does not conduct
any unique risk assessment for its nuclear-powered aircraft carriers at naval installations;
rather, nuclear-powered aircraft carriers are included in the Navy’s overall risk management
process applicable to all assets the Navy determines to be of high value.

Strategic Level

At the strategic level, the Office of the Secretary of the Navy and the Office of the Chief of
Naval Operations headquarters staff have identified and analyzed risks, such as emerging
threats from hostile nation-states, which could make demands on homeland defense
capabilities. According to officials from the Office of the Chief of Naval Operations, in
response to the Navy’s analysis of these and other risks, they developed and implemented a
plan to position and distribute the Navy’s force structure between the Atlantic and Pacific
Fleet commands and among naval installations. According to these Navy officials, the draft


13
  We reviewed a variety of sources from various government and private entities, including
Department of Defense Instruction 6055.17. DOD Installation Emergency Management (IEM)
Program (Jan. 13, 2009) (incorporating change 1 Nov. 19, 2010); Department of Defense, Risk
Management Guide for DOD Acquisition (6th ed. Aug. 2006); Army Regulation 525-26, Infrastructure
Risk Management (Army) (June 22, 2004); Office of the Chief of Naval Operations Instruction
3500.39C, Operational Risk Management (July 2, 2010); Headquarters Marine Corps, Marine Corps
Institute, Operational Risk Management (Feb. 2002); Air Force Instruction 90-901, Operational Risk
Management (Apr. 1, 2000); Committee of Sponsoring Organizations of the Treadway Commission,
Enterprise Risk Management—Integrated Framework (Sept. 2004); and GAO, GAO Cost Estimating
and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs, GAO-
09-3SP (Washington, D.C.: March 2009).


Page 6                                                     GAO-12-710R Defense Infrastructure
strategic laydown and dispersal plan functions as a mitigation action plan for risks such as
the following (not an inclusive list):

     •   challenges in meeting planned shipbuilding and aircraft procurement schedules;
     •   unexpected terrorist attacks or intentional obstruction of international waterways or
         other critical lines of communication;
     •   major changes to force structure or programs;
     •   major changes to projected future operational demands for contingency operations,
         including changes in operational concepts, roles and missions, or required response
         times;
     •   increased requirements for homeland defense, including changes to antiterrorism
         and force protection at naval installations; and
     •   significant changes to future infrastructure, such as elimination of military
         construction projects or future Base Closure and Realignment Commission reports,
         operational availability, access to ranges and support, port services, and quality of
         service and life.

According to Navy officials, the draft laydown and dispersal plan and the risks it addresses
are updated and tracked during the annual budgeting process or when there are revisions to
the President’s strategic direction to DOD 14 that will affect its military defense plan and the
Navy’s maritime plan. As of February 2012, the Navy’s draft strategic laydown and dispersal
plan divides naval forces between the Atlantic and Pacific Fleets and discusses distributing
ships and other forces by homeport. Since 2004, according to Navy officials, the Navy has
been using its strategic laydown and dispersal methodology in dividing its force structure
and assets between the Atlantic and Pacific Fleets. In addition, officials stated that there
may be adjustments to the Navy’s current split of assets between the Atlantic and Pacific
Fleets based on direction from the President that is reflected in DOD’s January 2012
defense strategic guidance, which emphasizes rebalancing defense assets toward the
Pacific region.

Environmental Level

Navy guidance indicates that the Navy seeks to operate around the world in an
environmentally responsible manner, both ashore (installations) and afloat (ships), and work
with stakeholders to ensure that it follows environmental laws, regulations, and policies. 15 If
the Navy proposes to undertake certain actions that have the potential for significant
environmental impact, it identifies and analyzes the environmental risks in the course of
preparing environmental planning documents, such as an environmental survey,
environmental assessment, or full environmental impact statement, and may develop a plan
to mitigate




14
  Officials referenced DOD’s January 2012 defense strategic guidance, which is described as
reflecting the President’s strategic direction to the department. See DOD, Sustaining U.S. Global
Leadership: Priorities for 21st Century Defense (Jan. 2012).
15
  See OPNAVINST 5090.1C (Oct. 30, 2007) (incorporating change July 18, 2011).


Page 7                                                      GAO-12-710R Defense Infrastructure
them. 16 Mitigation action plans describe the costs and benefits of several different possible
courses of action to reduce environmental risks. For example, before finalizing decisions on
where to place Atlantic Fleet surface ships and supporting infrastructure, the responsible
naval commands identified and analyzed environmental risks, such as contamination of the
water and air as a result of dredging at a particular location, or encroachment risks to
endangered species. The Naval Facilities Engineering Command prepared an
environmental impact statement in November 2008, which evaluated environmental risks
and courses of action for homeporting Atlantic Fleet surface ships at Naval Station Mayport.

In addition, Fleet Forces Command developed and implemented mitigation action plans to
address the risks of natural disasters to naval assets on the East Coast. For example, to
reduce the risk to ships and aircraft, Fleet Forces Command provides operational guidance
for these valuable naval assets that describes general conditions of readiness, including
evacuation within 48 hours when a tropical storm or hurricane is expected to strike a
location. According to an official from the National Oceanic and Atmospheric Administration,
the hurricane return periods are now calculated based on a 50-nautical-mile radius, 17 which
has the effect of making the hurricane return periods longer. In other words, a hurricane
return period means that a Category 1 to 5 18 hurricane passed within 50 nautical miles of
that location. For example, using calculations based on the 50-nautical-mile radius, the
return period for all categories of hurricanes to the Norfolk area is now 11 years; for the
Jacksonville area, which includes Naval Station Mayport, the return period is 13 years.

Operational Level

Since the terrorist attacks of 2000 and 2001, the Navy’s risk management at the operational
level has included conducting threat assessments for areas surrounding naval installations,
as well as for the installations themselves, and providing increased protection for high-value
assets, such as nuclear-powered aircraft carriers. For example, the Naval Criminal
Investigative Service performs threat assessments to identify and analyze the risks of
terrorist or criminal activity near naval installations. In addition, the Coast Guard, via
Domestic Port Security Assessment reports, 19 provides another level of awareness of

16
  Environmental assessments and environmental impact statements are documents developed in
accordance with the National Environmental Policy Act, Pub. L. No. 91-190 (1970) (codified as
amended at 42 U.S.C. §§ 4321-4347). Under the act, federal agencies must assess the effects of
major federal actions—those they propose to carry out or to permit—that significantly affect the
environment. The act has two principal purposes: (1) to ensure that an agency carefully considers
detailed information concerning significant environmental impacts and (2) to ensure that this
information will be made available to the public. As a matter of Navy policy, the act applies to Navy
actions that affect the human environment in the United States, including the 12-nautical-mile
territorial sea. See OPNAVINST 5090.1C, § 5-1.1(a) (Oct. 30, 2007) (incorporating change July 18,
2011). Navy regulations provide some categorical exclusions for specified actions from further
analysis under the act. See, e.g., 32 C.F.R. § 775.6(f). Similar environmental assessments are
carried out for Navy actions occurring outside the United States and its territories and possessions
pursuant to an executive order. See OPNAVINST 5090.1C, § 5-1.1(b) (Oct. 30, 2007) (incorporating
change July 18, 2011).
17
  A hurricane return period is the frequency with which a certain intensity of hurricane can be
expected within a given distance. The previous calculation for hurricane return periods used a 75-
nautical-mile radius.
18
  Based on the Saffir/Simpson Hurricane Wind Scale Category Table (in miles per hour (mph)),
hurricane categories are as follows: Category 1 = 74-95 mph; Category 2 = 96-110 mph; Category 3 =
111-130 mph; Category 4 = 131-155 mph; and Category 5 = >155 mph.
19
  The Coast Guard annually conducts approximately five port vulnerability assessments of major U.S.
ports to identify and evaluate critical assets and infrastructures; the threats to those assets and
infrastructures; and the weaknesses in physical security, passenger and cargo security, structural
integrity, protection systems, and other areas.


Page 8                                                       GAO-12-710R Defense Infrastructure
threats to naval homeports. The results of these assessments are routinely communicated
to the staff of the Commander, Navy Installations Command; naval station commanders;
and regional threat working groups. Based on the results of these threat assessments and
the identified risks, the staff from the Commander, Navy Installations Command uses the
threat data to develop its risk-informed investment strategy, which supports the command’s
request to fund mitigation action plans to reduce risk to Navy assets. Moreover, during the
Navy’s annual budget process, the Commander, Navy Installations Command briefs the
Office of the Secretary of the Navy regarding the risk-informed investment strategy.

In addition, officials at the Coast Guard in the Hampton Roads and Jacksonville sectors and
Navy officials at Naval Stations Mayport and Norfolk told us that since the terrorist attack on
the USS Cole in 2000 and the terrorist attacks of September 11, 2001, they have enhanced
security in and around these naval installations. For example, according to Coast Guard
officials, there is a restricted area around all naval high-value assets, such as nuclear-
powered aircraft carriers and naval stations. In addition, Navy officials stated that the Unified
Facilities Criteria regulations have been restructured to provide for the fortification of
installation buildings against terrorist attacks, and DOD has updated its antiterrorism/force
protection standards and physical security requirements for DOD installations, including
naval installations. Officials from Naval Stations Mayport and Norfolk stated that DOD’s
updated antiterrorism standards have brought about enhancements to all facets of the
antiterrorism/force protection and physical security efforts on their installations. Furthermore,
we interviewed Coast Guard officials from Jacksonville and Hampton Roads and found that
they provide escort services for the Navy’s high-value assets, which include nuclear-
powered aircraft carriers, using Coast Guard harbor patrol boats. For example, Coast Guard
District 7 (Jacksonville sector) officials stated that their patrol boats have been providing
escorts to the Navy’s high-value assets as they travel to and from the port basin at Naval
Station Mayport. Coast Guard officials in both the Hampton Roads and Jacksonville sectors
stated that they have been sharing threat information about criminal activity or terrorist cells
with the Navy installations and have participated in the installations’ training exercises for
emergency consequence management and deterring or responding to terrorist attacks. The
naval installations have also participated in Coast Guard training exercises. Naval officials at
Naval Station Norfolk noted that the communication of threat information among
stakeholders in the Hampton Roads Regional Threat Working Group is much improved
since the terrorist attacks of September 2001.

The Navy Has Taken Some Actions to Mitigate Risk Associated with Homeporting
Nuclear-Powered Aircraft Carriers at Two East Coast Naval Installations

The Navy has taken some actions to mitigate risk associated with homeporting nuclear-
powered aircraft carriers at two East Coast naval installations. For example, based on
vulnerability assessments performed at Naval Stations Mayport and Norfolk, these
installations have developed mitigation action plans to address identified risks. A naval
installation and its high-value assets—such as nuclear-powered aircraft carriers—may be
susceptible to the threat of a terrorist attack. The risk of becoming the target of such an
attack is affected by vulnerabilities at the installation. As part of its ongoing risk management
process to identify and assess vulnerabilities at installations, DOD requires that many of its
installations undergo an annual antiterrorism vulnerability assessment. 20 According to the


20
  See Department of Defense Instruction 2000.16, DOD Antiterrorism (AT) Standards, encl. 3, §
E3.6.1.4 (Oct. 2, 2006) (incorporating change Dec. 8, 2006). The instruction requires terrorism
vulnerability assessments for certain types of installations, including facilities populated daily by 300
or more DOD personnel; facilities with responsibility for emergency response or physical security
plans and programs; facilities determined to host critical infrastructure; sea and air ports of


Page 9                                                         GAO-12-710R Defense Infrastructure
security experts who conduct the assessments, they determine whether the installation is in
compliance with DOD’s 32 antiterrorism standards, such as establishing and implementing
an antiterrorism program and complying with antiterrorism construction standards in the
Unified Facilities Criteria. 21 The assessments can be performed by the Joint Staff Integrated
Vulnerability Assessment Team, a higher-headquarters vulnerability assessment team, or
the installation itself, as a self-assessment. During our site visits, we found that vulnerability
assessments were performed at Naval Stations Mayport and Norfolk on an annual basis.
Table 1 shows the types of vulnerability assessments that were or will be performed at
Naval Stations Mayport and Norfolk from 2006 through 2012.

Table 1: Vulnerability Assessments Performed at Naval Stations Mayport and Norfolk
Since 2006
 Year                Type of assessment
 Naval Station Mayport
 2012                Commander, Navy Region Southeast Installation
                     Protection Assessment Cell Assessment (scheduled)
 2011                Self-assessment
 2010                Joint Staff Integrated Vulnerability Assessment
 2009                Self-assessment
 2008                Self-assessment
 2007                Chief of Naval Operations Integrated Vulnerability
                     Assessment (a higher-headquarters assessment)
 2006                Self-assessment
 Naval Station Norfolk
 2012                Joint Staff Integrated Vulnerability Assessment (scheduled)
 2011                Commander, Navy Region Mid-Atlantic (a higher-
                     headquarters assessment)
 2010                Self-assessment
 2009                Chief of Naval Operations Integrated Vulnerability
                     Assessment (a higher-headquarters assessment)
 2008                Commander, Navy Region Mid-Atlantic (a higher-
                     headquarters assessment)
 2007                Self-assessment
 2006                Joint Staff Integrated Vulnerability Assessment
Source: GAO analysis of Navy data.



The annual vulnerability assessments identify antiterrorism/force protection and physical
security vulnerabilities, assess them, and provide recommendations to mitigate them. These
recommendations are considered in developing mitigation action plans to address the
identified vulnerabilities and associated risks. The vulnerabilities identified at an installation
and the recommendations for mitigating them are recorded in the Joint Staff Core
Vulnerability Assessment Management Program database, which is used by the installations
to develop, implement, and track mitigation action plans to correct the vulnerabilities and
reduce the associated risks at the station. For example, in September and October 2011,
the Commander, Navy Region, Mid-Atlantic, conducted a higher-headquarters antiterrorism
assessment at Naval Station Norfolk. The vulnerability assessment team consisted of
regional and installation antiterrorism specialists; they focused on the station’s security
operations, structural analysis, emergency management, and the antiterrorism program at
the installation. The team analyzed the structural vulnerability of facilities against terrorist

embarkation and debarkation; and locations where there is assembly, staging, reception, and final
placement of force structure in support of battalions, squadrons, or ships. See id.
21
  DOD’s baseline antiterrorism standards are contained in an enclosure to DOD Instruction 2000.16.
See id., encl. 3.


Page 10                                                    GAO-12-710R Defense Infrastructure
bombings and determined whether the level of resources and personnel at the installation
could successfully deter a terrorist attack. After analyzing the vulnerabilities, the assessment
team provided recommendations for mitigating them. The vulnerability assessment team
then recorded its findings in the Joint Staff Core Vulnerability Assessment Management
Program database and reviewed the database to determine if the results of prior
vulnerability assessments had been reported to the commanding officer and entered into the
database.

In taking action to address vulnerabilities identified by assessment teams, a naval
installation’s antiterrorism officer and antiterrorism working group develop mitigation action
plans, which propose different possible courses of action to reduce the risk by eliminating or
mitigating the identified vulnerabilities. The working group considers the recommendations
made by the assessment team in developing the different courses of actions for the
mitigation action plans. The working group analyzes the courses of action to consider their
cost-effectiveness in reducing risk and then presents its analysis to the installation
commander. The installation commander is responsible for protecting the installation and its
assets—including nuclear-powered aircraft carriers. The installation commander selects the
course of action that will most effectively mitigate the vulnerability and submits it for funding
as part of the Navy’s budget process. If the selected course of action does not receive
funding during the budgeting process, the installation is asked to submit a different course of
action to the Commander, Navy Installations Command for review. For example, one naval
station submitted a plan to purchase security cameras to monitor a specific area. However,
the installation was unable to secure funding for this course of action and, as an interim
solution, deployed additional security personnel to patrol the area until the funding could be
obtained. Since the terrorist attacks of 2000 and 2001, each of the installations has
enhanced the security at its gates and at the waterfront with mitigation actions such as
building barrier gates for each pier that homeports a nuclear-powered aircraft carrier.

As part of their ongoing risk management process, Naval Stations Mayport and Norfolk
conduct four integrated training events each year, as directed by Commander, Navy
Installations Command guidance. 22 These training exercises are conducted to identify gaps
in force protection and emergency management response, including incidents such as
chemical, biological, radiological, nuclear, and high-yield explosive events. According to the
training officers at Naval Stations Mayport and Norfolk, after each training exercise, lessons
learned are captured. For example, Naval Station Mayport conducted an integrated training
event in 2010 and 2011 with the Marine Corps, the Federal Bureau of Investigation, the local
city police and fire departments, and the British Royal Navy. Based on the lessons learned
that were captured during the integrated training events, participants in these events
recommended corrective actions to facilitate communication among all emergency
responders. These corrective actions have been taken, resulting in improved
communications for use in future training events and emergency situations.

Agency Comments

We are not making any recommendations in this report. Officials from the Office of the
Secretary of Defense, the Department of the Navy, and the Secretary of Homeland Security
reviewed a draft of this report and provided technical comments, which we incorporated in
the final report as appropriate.

                                             -----


22
 See Commander, Navy Installations Command Instruction 5530.14, CNIC Ashore Protection
Program, encl. 1, § 0805(c) (July 7, 2011).


Page 11                                                  GAO-12-710R Defense Infrastructure
We are sending a copy of this report to the Secretary of Defense, the Secretary of the Navy,
the Secretary of Homeland Security, and appropriate congressional offices. In addition, this
report will be available at no charge on GAO’s Web site at http://www.gao.gov .

Should you or your staffs have any questions about this report, please contact me at (202)
512-4523 or leporeb@gao.gov. Contact points for our Offices of Congressional Relations
and Public Affairs may be found on the last page of this report. GAO staff who made major
contributions to this report are listed in the enclosure.




Brian J. Lepore
Director, Defense Capabilities
  and Management


Enclosure




Page 12                                                GAO-12-710R Defense Infrastructure
List of Committees

The Honorable Carl Levin
Chairman
The Honorable John McCain
Ranking Member
Committee on Armed Services
United States Senate

The Honorable Daniel K. Inouye
Chairman
The Honorable Thad Cochran
Ranking Member
Subcommittee on Defense
Committee on Appropriations
United States Senate

The Honorable Howard P. “Buck” McKeon
Chairman
The Honorable Adam Smith
Ranking Member
Committee on Armed Services
House of Representatives

The Honorable C.W. Bill Young
Chairman
The Honorable Norman D. Dicks
Ranking Member
Subcommittee on Defense
Committee on Appropriations
House of Representatives




Page 13                                 GAO-12-710R Defense Infrastructure
Enclosure: GAO Contact and Staff Acknowledgments

GAO Contact                 Brian J. Lepore, (202) 512-4523 or leporeb@gao.gov

Staff Acknowledgments       In addition to the contact named above, Mark J.
                            Wielgoszynski, Assistant Director; Nicholas P. Benne;
                            Pat L Bohan; Joanne Landesman; Charles Perdue;
                            Carol Petersen; Steven R. Putansu; Michael C.
                            Shaughnessy; and Amie Steele made major
                            contributions to this report.




Page 14                                      GAO-12-710R Defense Infrastructure
Related GAO Products

Defense Infrastructure: Ability of Ship Maintenance Industrial Base to Support a Nuclear
Aircraft Carrier at Naval Station Mayport. GAO-11-388R. Washington, D.C.: March 29, 2011.


Defense Infrastructure: Navy Can Improve the Quality of Its Cost Estimate to Homeport an
Aircraft Carrier at Naval Station Mayport. GAO-11-309. Washington, D.C.: March 3, 2011.


Depot Maintenance: Navy Has Revised Its Estimated Workforce Cost for Basing an Aircraft
Carrier at Mayport, Florida. GAO-11-257R. Washington, D.C.: March 3, 2011.


Defense Infrastructure: Opportunities Exist to Improve the Navy’s Basing Decision Process
and DOD Oversight. GAO-10-482. Washington, D.C.: May 11, 2010.




(351647)


Page 15                                              GAO-12-710R Defense Infrastructure
This is a work of the U.S. government and is not subject to copyright protection in the
United States. The published product may be reproduced and distributed in its entirety
without further permission from GAO. However, because this work may contain
copyrighted images or other material, permission from the copyright holder may be
necessary if you wish to reproduce this material separately.
                      The Government Accountability Office, the audit, evaluation, and
GAO’s Mission         investigative arm of Congress, exists to support Congress in meeting its
                      constitutional responsibilities and to help improve the performance and
                      accountability of the federal government for the American people. GAO
                      examines the use of public funds; evaluates federal programs and
                      policies; and provides analyses, recommendations, and other assistance
                      to help Congress make informed oversight, policy, and funding decisions.
                      GAO’s commitment to good government is reflected in its core values of
                      accountability, integrity, and reliability.

                      The fastest and easiest way to obtain copies of GAO documents at no
Obtaining Copies of   cost is through GAO’s website (www.gao.gov). Each weekday afternoon,
GAO Reports and       GAO posts on its website newly released reports, testimony, and
                      correspondence. To have GAO e-mail you a list of newly posted products,
Testimony             go to www.gao.gov and select “E-mail Updates.”

Order by Phone        The price of each GAO publication reflects GAO’s actual cost of
                      production and distribution and depends on the number of pages in the
                      publication and whether the publication is printed in color or black and
                      white. Pricing and ordering information is posted on GAO’s website,
                      http://www.gao.gov/ordering.htm.
                      Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
                      TDD (202) 512-2537.
                      Orders may be paid for using American Express, Discover Card,
                      MasterCard, Visa, check, or money order. Call for additional information.
                      Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Connect with GAO      Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
                      Visit GAO on the web at www.gao.gov.
                      Contact:
To Report Fraud,
Waste, and Abuse in   Website: www.gao.gov/fraudnet/fraudnet.htm
                      E-mail: fraudnet@gao.gov
Federal Programs      Automated answering system: (800) 424-5454 or (202) 512-7470

                      Katherine Siggerud, Managing Director, siggerudk@gao.gov, (202) 512-
Congressional         4400, U.S. Government Accountability Office, 441 G Street NW, Room
Relations             7125, Washington, DC 20548

                      Chuck Young, Managing Director, youngc1@gao.gov, (202) 512-4800
Public Affairs        U.S. Government Accountability Office, 441 G Street NW, Room 7149
                      Washington, DC 20548




                        Please Print on Recycled Paper.