United States Nuclear Regulatory Commission - Protecting People and the Environment
Home > Nuclear Security and Safeguards > Radioactive Material > Response to 2019 GAO Materials Security Audit

Response to 2019 GAO Materials Security Audit

Radioactive materials, also called "sources," play important roles in industry, medicine and research. They make valuable contributions to our health, safety and well-being. But they do pose potential dangers if they are not used safely and securely. The Nuclear Regulatory Commission and its Agreement State partners have implemented a strong and robust regulatory framework that ensures the safety, security and control of radioactive sources so the nation may continue to benefit from their use.

All radioactive sources are covered by security requirements included in the NRC's safety regulations. These requirements increase according to the potential danger posed by the sources. The NRC has adopted a categorization of sources developed by the United Nations' International Atomic Energy Agency as an international standard. Out of five categories of sources, the most "risk-significant" or high risk sources are those defined as Category 1 and Category 2. These could do the most damage if they were stolen and used in a radiological dispersal device (RDD, or "dirty bomb") or a radiological exposure device (RED). The Commission is currently considering whether more security measures are appropriate for Category 3 sources.

The NRC's mission is to license and regulate the use of radioactive materials so they can be used safely and securely for the benefit of society. For each new security requirement we consider, we look to see whether it might impede existing medical practice or the availability of treatment, or impede necessary examination of important infrastructure such as bridges and roadways. We consider whether our licensees can implement the new security requirement without conflicting with other regulatory requirements, and how our inspectors will verify compliance. If a proposed measure is necessary to ensure security, we will take action regardless of cost. But if a measure is not essential to security, we will consider the cost of implementation.

See examples of Category 1, 2 and 3 sources and their beneficial uses.

Here are some of the security requirements for Category 1, 2 and 3 sources:

Security and Control Requirements
Category 1
(10 CFR Part 37)*
Category 2
(10 CFR Part 37)*
Category 3 and lower*
  • Design and performance criteria for sources, devices, and transport packages
  • Constant control and surveillance when in use
  • Secure from removal when in storage
  • For portable devices, additional security barriers to prevent theft
  • Radiation protection, operating procedures, emergency procedures, and facility and transportation security plans
  • Routine inventory, plus use logs
  • License verification prior to transfer, limited to regulatory authority
  • Reporting of events, including loss, theft (attempted or actual), and suspicious activity
  • Detection, assessment, and response to actual or attempted theft events
  • Detection of removal from device
  • Detection of removal from security zone
  • Background investigations, control access to those deemed trustworthy and reliable
  • Coordination of shipment between shipper and receiver, and with transit States
  • Use of continuous and active monitoring during transport
  • For long duration transport, accompanying individual for security while driver rests
  • Coordination with law enforcement
  • Reporting to national registry
  • Design and performance criteria for sources, devices, and transport packages
  • Constant control and surveillance when in use
  • Secure from removal when in storage
  • For portable devices, additional security barriers to prevent theft
  • Radiation protection, operating procedures, emergency procedures, and facility security plan
  • Routine inventory, plus use logs
  • License verification prior to transfer, limited to regulatory authority
  • Reporting of events, including loss, theft (attempted or actual), and suspicious activity
  • Detection, assessment, and response to actual or attempted theft events
  • Detection of removal from security zone
  • Background investigations, control access to those deemed trustworthy and reliable
  • Package tracking during transport
  • Coordination of shipment/receipt (no-later-than time)
  • Coordination with law enforcement
  • Reporting to national registry
  • Design and performance criteria for sources, devices, and transport packages
  • Constant control and surveillance when in use
  • Secure from removal when in storage
  • For portable devices, additional barrier to prevent theft
  • Radiation protection, operating, and emergency procedures
  • Routine inventory, plus use logs
  • License verification prior to transfer
  • Reporting of events (including loss and theft)

*in addition to 10 CFR Parts 19, 20, 30 and 31-36, or 39 (as applicable)

This comprehensive regulatory framework is supported by the Integrated Source Management Portfolio. The ISMP is a suite of information technology tools supporting various functions of the NRC's licensing and accounting of radioactive materials. It consists of three parts:

  • National Source Tracking System: A secure online national registry of more than 77,000 high-risk radioactive sources, tracked from manufacture or importation through disposal or export, or until they decay enough to no longer be of concern. With the NSTS, the NRC knows who has what, and where.
  • Web-Based Licensing System: A common licensing system for the NRC and Agreement States to maintain complete, accurate, and consistent information on license applications, licenses, license amendments, and terminations. WBL helps guard against fraud by ensuring regulators have access to the most up-to-date information on radioactive material licenses.
  • License Verification System: The LVS helps ensure only properly licensed individuals obtain radioactive materials in authorized amounts and guards against the use of counterfeit licenses. LVS gives licensees confidence that transactions involving radioactive materials are conducted properly, and helps federal agencies verify that people transferring or importing materials are authorized to do so.

In addition to our Agreement States, the NRC partners with other federal agencies, including the Department of Homeland Security, the FBI, and various agencies within the intelligence community to evaluate the terrorist threat environment in the United States and abroad. If a credible threat is identified, we alert the Agreement States and licensees.

The NRC is one of 14 federal agencies participating in the Radiation Source Protection and Security Task Force. In October 2018, the Task Force's most recent report to the President and Congress stated that current measures for the security and control of radioactive sources are appropriately protective of risk-significant quantities of radioactive material, and that there are no significant gaps in the area of radiation source protection and security that are not already being addressed by the appropriate agencies.

The GAO

In April 2019, the U.S. Government Accountability Office, or GAO, issued a report titled, "Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High Risk Radioactive Material." The GAO assumed a large dirty bomb could cause up to $30 billion in damages and cleanup costs, and about 1,500 fatalities from the evacuation. The report made three recommendations for the NRC:

  • The NRC should consider socioeconomic consequences and fatalities from evacuations in the criteria for determining what security measures should be required for radioactive materials that could be used in a dirty bomb.
  • The NRC should require additional security measures for high-risk quantities of Category 3 material.
  • The NRC should require all licensees to implement additional security measures when the have certain Category 3 sources at a single facility in sufficient quantity to reach Category 1 or 2 levels.

The NRC staff believes the GAO report and its recommendations are based on faulty assumptions about the risk, nature and consequences of a potential dirty bomb attack. The report and its recommendations lack important context by ignoring the comprehensive federal effort to guard against possible malicious use of radioactive sources and the deterrence, response and mitigation capabilities of federal, state and local agencies.

The NRC staff disagrees with the GAO's first and third recommendations. The second recommendation is currently under consideration by the Commission.

For more on NRC's response to the GAO report, see the following Questions and Answers.

To top of page

Page Last Reviewed/Updated Friday, April 05, 2019