United States Nuclear Regulatory Commission - Protecting People and the Environment
Home > Nuclear Security and Safeguards > Radioactive Material > Response to 2019 GAO Materials Security Audit > Frequently asked questions about NRC's response to the 2019 GAO audit

Frequently asked questions about NRC's response to the 2019 GAO audit

On this page:

[Index to All Frequently Asked Questions Pages]

What is a radioactive source?

A radioactive source contains a particular type of radionuclide (such as Am-241) that is encased in a capsule designed to prevent the material from leaking. The capsules used in industrial and medical applications are made of high quality metal and required to be built to strict national standards. The NRC and/or an Agreement State approve the design and the use of any radioactive source. Sources vary in size, but most are no larger than an adult's fingernail.

To top of page

What is an Agreement State?

The NRC is authorized by Congress to relinquish its authority to a state to regulate byproduct and source material and small quantities of special nuclear material at academic, medical and industrial facilities within their borders. A state that signs such an agreement with the NRC becomes the regulatory authority and conducts its regulatory program under its own legislation and regulations. Agreement State regulatory programs must be adequate to protect public health and safety and compatible with NRC requirements. The compatibility requirements are set by Commission policy. There are currently 38 Agreement States that regulate approximately 85 percent of radioactive material licenses in the country.

The NRC is the regulatory authority in non-Agreement States, the District of Columbia and all U.S. territories, as well as nearly all federal agencies that use radioactive materials. The NRC oversees Agreement State programs through the Integrated Materials Performance Evaluation Program, or IMPEP. The NRC may also reassert its authority if it decides an Agreement State no longer is able to maintain adequate protection of public health and safety.

To top of page

What requirements for source security does NRC current have in place for Category 1, 2, and 3 sources?

All radioactive material is subject to safety and security requirements.  Category 1 and 2 sources, and lower category sources that add up to Category 2 thresholds, are subject to the security requirements of 10 CFR Part 37 that includes controls such as:

  • Background checks, including fingerprinting and criminal history checks through the FBI, to help ensure that individuals with unescorted access are trustworthy and reliable.
  • Controlling personnel access to areas where radioactive material in quantities of concern are stored and used. Access must be limited to individuals who require it and are deemed trustworthy and reliable, based on a background and criminal history check.
  • Documented security programs that are designed with defense in depth to detect, assess, and respond to actual or attempted unauthorized access.
  • Coordination between the licensee and local law enforcement agencies for robust response as needed.
  • Coordination and tracking of radioactive material shipments.
  • Additional security barriers to prevent theft of mobile and portable devices that contain sources.

Category 3 sources, like sources of even lower activity, are subject to the security requirements of 10 CFR Part 20, and must be:

  • Secured from unauthorized access or removal when in storage.
  • Under constant surveillance and control when not in storage.

Additionally, all radioactive sources are subject to controls unique to the use that they are intended for.  As an example, radioactive sources used in well logging – that are generally Category 3 – are also subject to the regulations in 10 CFR Part 39 that include (among other controls) requirements for inventory maintenance, specific requirements for surveillance of operations, and secure transport of sources to and from remote jobsites.  Other licensees who possess radioactive sources have regulations specific to their intended uses, similar to this example.

To top of page

The Government Accountability Office (GAO) has reported security weaknesses or deficiencies with NRC and/or Agreement State regulatory practices or the implementation by licensees in several reports over the past 13 years. How is the NRC confident of the safety and security of the United States despite this track record?

The NRC acknowledges the issues identified by GAO in its various audits, and has taken multiple actions to improve the regulatory framework and implementation practices of regulators and users alike. Since the early 2000s the NRC and Agreement States have increased regulatory controls on licensees for physical protection, protection of information, background checks and access controls to mitigate the insider threat, planning and coordination for shipments, and planning and coordination with law enforcement for emergency response and hazard mitigation. These actions also include development and maintenance of the Integrated Source Management Portfolio, consisting of the U.S. national registry of Category 1 and 2 radioactive sources, called the National Source Tracking System; the Web-based Licensing System that currently holds all licenses of users who are authorized to possess Category 1 and 2 quantities of radioactive material plus all licenses of the NRC and multiple Agreement States; and the License Verification System, which accesses information from the other systems to allow for transfers of category 1 or 2 quantities of radioactive material only to authorized entities. The NRC and Agreement States have also developed extensive guidance for users so that they know how to comply with the regulations, and maintain robust training and qualification programs for regulatory staff so that they can fulfill their important roles.

Together these programs and activities of both the regulators (the NRC and Agreement States) and the regulated (licensees) reduce the likelihood and potential impact of malicious acts using radioactive materials in the United States. This is especially true when considered along with the robust capabilities of law enforcement, emergency responders, and federal, state, and local governments to detect, assess, and respond appropriately to domestic threats.

Many GAO observations portray the control of radioactive materials in an unfavorable light, but NRC maintains that shortcomings identified were generally examples of personnel not following existing regulation or facility policy, rather than a gap or inadequacy in the regulatory framework.

In the current report, the GAO's findings lack important context and do not consider all relevant information on the risk of an RDD using a Category 3 source.  As such, the NRC does not agree that additional regulatory actions are needed to secure sources based on GAO's findings.

To top of page

GAO presented evidence of the terrible consequences of an attack using radioactive materials. Shouldn't that be enough reason for NRC to increase security or ban the use of radioactive materials?

The NRC takes issue with the studies on which GAO based its conclusions and recommendations in this audit. The NRC fully considers a range of factors to justify regulatory action, whether that be new or revised regulation, or banning certain products or practices. The potential consequences of malicious use, which GAO relied on as the sole basis for its recommendations, is merely one factor we consider.

The NRC considers the current domestic threat situation in the United States, the vulnerability of facilities and operational practices to exploitation by malicious actors, as well as the potential consequences of malicious use in either a radiation exposure device (RED) or a radiological dispersal device (RDD). The NRC also considers the existing regulatory infrastructure of the United States for safety and security of radioactive materials, on top of the overall capabilities of the United States to prevent, respond to, and mitigate any hazard whether natural or man-made. These were not considered by GAO in their report.

For this audit specifically, the NRC notes that the studies GAO depended upon as basis for their conclusions were sponsored by and developed for a specific federal program. While these reports may be suitable for use by that program, their initiating assumptions and conclusions were not reviewed or accepted by the NRC or other federal agencies. As such, the studies and their conclusions are not applicable to the question of source security.

The current GAO study would have benefited from a review by the Radiation Source Protection and Security Task Force. The task force is made up of 14 agencies for the express purpose of regularly examining and, if necessary, recommending actions to ensure adequate control of radioactive materials in the United States. In its most recent (2018) report, the task force concluded that current measures for the security and control of radioactive sources are appropriately protective of risk-significant quantities of radioactive material, and that there were no security gaps not already being addressed by the task force agencies. Part of the task force's mandate is to determine the appropriate list of isotopes and respective thresholds for protection of sources containing those isotopes – the list and thresholds within 10 CFR Part 37 is consistent with the task force determination.

Additionally, in 2010 the task force published federally-accepted definitions of both a "significant" RED and RDD.  The consequence assumptions of the NRC are consistent with those definitions, including that the existing security measures adequately protect against economic impacts of land contamination within those definitions.

The NRC disagrees with the assumptions GAO relied upon to make its conclusions.  Assume someone builds a bomb, similar to that used by the Boston Marathon bombers, and attached two Category 3 sources to the explosives within one of the devices. The area of highest radioactive contamination would be within the blast zone, and likely a small area. The city would not become uninhabitable, and would be returned to full access as quickly as possible after criminal investigations are complete. Decontamination activities would begin even during the criminal investigation to ensure the safety of the investigators and the public. Rubble from the blast zone would be quickly collected and sorted for disposal by conventional means or in a low-level radioactive waste facility.

The NRC's existing requirements provide reasonable assurance of adequate protection. This is not absolute assurance of protection or a guarantee of 100% risk-free use of radioactive materials, but assurance that we all will be adequately protected while still able to reap the benefits of these radioactive materials in our daily lives.

To top of page

The GAO report references thousands of deaths that could result from evacuations as a result of an RDD.  Isn't that sufficient basis to require additional security controls?

The GAO's estimate of fatalities resulting from evacuations in the event of an RDD assumes no one will follow existing guidance for response to radiological emergencies. The NRC provides specific advice on how to respond to an RDD, while the U.S. Department of Health and Human Services, Centers for Disease Control and Prevention provides a "Get Inside, Stay Inside, and Stay Tuned" webpage and infographic, and the U.S. Department of Homeland Security's Federal Emergency Management Agency operates its "Ready Campaign."  All these and many other federal and state agencies recommend sheltering in place during radiological emergencies.

The NRC encourages members of the public to read and follow the prevailing guidance to shelter in place as the primary response if they are near any suspected or actual radiological emergency.  Doing this will ensure that fatalities resulting from evacuations are unlikely, and that exposure to radioactive materials is limited, in the event of an RDD.

Furthermore, the studies GAO cites use the consequences of evacuation associated with events such as Fukushima to estimate fatalities due to evacuation as a result of an RDD. The circumstances surrounding the Fukushima events involved a nuclear power plant accident caused by a natural disaster. The natural disaster had severe impacts on infrastructure and the availability of public resources to assist with response efforts. These natural disaster impacts are not analogous to an RDD event.

To top of page

Why would NRC adding the additional requirements mentioned by GAO be of issue? Wouldn't it be worth any cost if the U.S. was safer?

The NRC's rulemaking process is deliberative and transparent in order to allow for the full consideration of all benefits and costs (whether financial or societal) of new regulation. We work diligently to ensure that protection is right-sized to the potential overall risk and also that any proposed regulation would actually provide a measureable benefit, and that it would be inspectable and enforceable. We also are very careful to ensure that our regulatory actions are within our legislative authority and are not duplicative or overly burdensome. In addition, the NRC balances the risk of malicious use of sources with the beneficial uses of these sources as well as the cost of additional regulatory actions.

The NRC does take the observations of the GAO seriously, but maintains that:

  • The basis for GAO's recommendations for further regulatory changes was not well-founded and did not consider all aspects of risk (i.e., threat, vulnerability, and consequence). In addition, the GAO did not evaluate the benefit of recommended changes against the costs and potential impacts to the beneficial uses of radioactive material.
  • The GAO did not consider the mature and robust protection infrastructure of the United States, including capabilities of law enforcement, intelligence gathering, and all-hazards emergency planning. The NRC's mission and regulatory framework are complemented by those of several other federal agencies, such as the Department of Homeland Security, the Department of Energy, and the Federal Bureau of Investigation, that play an integral role in the domestic architecture for radioactive material security.
  • The GAO did not consider the current NRC and Agreement State source security requirements for all uses and quantities of radioactive material which provide a common baseline level of security that is adequate to ensure protection of public health and safety, the common defense and security of the United States, and the protection of the environment. The risk-informed combination of performance-based and prescriptive requirements is appropriate given the threat environment and the risk associated with the material.

To top of page

Q8: For the issue that is under Commission consideration currently, recommendation 2 to impose additional requirements in certain cases, when does the Commission anticipate a final decision?

There is no specific date by which we anticipate a final decision.  The Commission prioritizes the policy issues under consideration and ensures that there is a deliberative process for Commission consideration of issues.

To top of page

What does it mean, when the terms Category 1, 2, 3, 4 and 5 sources is used?

Categories 1 through 5 are part of a classification system developed by the International Atomic Energy Agency. This classification system is used to provide a relative ranking of hazards while taking into consideration how the source could be used to cause harm. This classification system ranges such that Category 1 sources have the most harmful effects on a human in a short period of time down to Category 5 sources which are unlikely to cause effects.

To give an example of relative ranking, think about your neighborhood swimming pool, a bathtub filled with water, and a cereal bowl filled with water. Could a person accidentally drown in these three different scenarios? Yes, everyone can envision such a scenario. Next consider the number of possibilities of drowning in these three scenarios. The swimming pool poses the greatest number of possibilities for drowning, followed by the bathtub, and the cereal bowl of water would pose the least number of possibilities.

To top of page

Why does NRC only require security for Category 1 and 2 sources, shouldn't all radioactive sources be secured?

All radioactive material is subject to safety and security requirements, not just Category 1 and 2. The NRC and Agreement States have for over 50 years implemented a regulatory framework that ensures the safe and secure control and management of radioactive material. With this regulatory framework in place, there is a low possibility of harm to workers and the public, and the benefits from its use will outweigh any risks.

Radioactive material, of all categories, used in medical, academic, and industrial applications is subject to the requirements of 10 CFR Part 20 (radiation protection standards) and Part 30 (domestic licensing of byproduct material) and, depending on the type of license, the specific requirements of Parts 31 (general licenses for byproduct material), Part 32 (manufacturer and distribution licenses), Part 33 (broad scope licenses), Part 34 (industrial radiography licenses), Part 35 (medical use of byproduct material), Part 36 (irradiator licenses), Part 39 (well logging licenses), and/or Part 71 (packaging and transportation). These sections, together, address control and management of all civilian radioactive material in the United States, including security of material in use, storage and transport; qualifications for individuals with control over the material; material accounting; reporting of events; and reporting of loss or theft of materials.

After the events of September 11, 2001, both domestically and internationally, it was agreed that based on the existing threat and consequences from malicious use, certain radioactive materials in certain quantities warranted additional security measures.  The NRC and Agreement States require additional security for Category 1 and 2 materials under 10 CFR Part 37.

The NRC and Agreement State regulatory framework for the safety and security of all radioactive material is consistent with standards and recommendations used globally.

To top of page

What is the potential safety and security concern of category 2 and category 3 sources?

A Category 2 source could cause death or permanent injury to an individual if they remained in contact with the unshielded source (for example, in a shirt or pant pocket) for a period of hours to days.  The GAO's report does not make recommendations for additional security related to Category 2 sources.

For death or permanent injury to happen to an individual with an unshielded Category 3 source, which are the subject of the GAO's report, the individual would have to be in contact with the source (e.g., in pocket) for a period of days to weeks. Death is unlikely from exposure to a Category 3 source because the individual will begin to experience physical effects (e.g. ulcerations, reddening of skin, etc.) and seek medical intervention, which would limit further injury and prevent death.

Exposure to a Category 3 source for days to weeks could lead to permanent injury (e.g., loss of fingers, hand, localized tissue/muscle loss, etc.). It's important to point out that the severe health effects mentioned above, can be significantly mitigated, or even prevented, by employing simple practices such as limiting time near the source (e.g. hours vs. days), increasing distance from the material (contact vs. a few feet away), and adding shielding (e.g. metal container, bricks) between the individual and the material.

If Category 2 or 3 sources were strapped to explosives to create a crude radiological dispersal device or RDD, individuals would be harmed by the explosion, not from exposure to the radiation. First responders using safety practices of time, distance and shielding along with hospitals providing medical care would intervene. There would likely be no fatalities to individuals from exposure to radioactive material.

To top of page

How do we know there aren't some terrorists out there that plan to blow up sources in New York City or Washington D.C.?

In order to determine how much physical protection is enough, the NRC monitors intelligence information to keep abreast of foreign and domestic events and remains aware of the capabilities of potential adversaries. We use this information, and other sources, to determine the physical protection requirements of our regulations.

NRC staff routinely interacts with the intelligence and law enforcement communities on intelligence and threat matters. For example, NRC maintains contact with the FBI, DOE, CIA, DHS including Customs and Border Protection, the Defense Intelligence Agency, DOD, and other agencies concerned with terrorism. Staff provides prompt assessment of security threats to licensed facilities if necessary.

To top of page

Page Last Reviewed/Updated Thursday, April 04, 2019