Assessment of the Bureau of Reclamation's Security Program (2008)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

1 Context O ne lesson from the September 11, 2001, attacks on the World Trade Center and the Pentagon is that buildings and infrastructure constructed for beneficial purposes can become instruments of mass destruction if they fail as the result of a malicious act.  Dams are primarily constructed for beneficial purposes: to control the flow of a river and mitigate flooding. The water impounded behind a dam can be used to generate power and to provide water for drinking, industry, irrigation, and recreation. However, the uncontrolled release of the wall of water behind a major dam can cause mass destruction to areas and communities downstream. Dam-failure-related disasters, while rare, have resulted in as many as 85,000 deaths (the Banquiao and Shimantan dams, China, 1975); the devastation of towns and infrastructure (South Fork Dam, Johnstown, Pennsylvania, 1889, and St. Francis Dam, Los Angeles, California, 1928); and hundreds of millions of dollars in damages (Teton Dam, Madison County, Idaho, 1976) (Table 1.1). To date, no dam failure has been caused by a malicious act. However, the potential for dams to cause mass destruction has not gone unrec- ognized. Hoover Dam was identified as a potential target for enemy forces during World War II (Pfaff, 2003) and the sabotage of Glen Canyon Dam was fictionalized in the novel The Monkey Wrench Gang (Abbey and A malicious act is defined as a willful act of destruction perpetrated by a determined individual or group of individuals, such as international terrorists, domestic extremists, or a disgruntled employee. 14 

CONTEXT 15 TABLE 1.1  Some Dam Failures and Their Consequences Dam Year Location Failure Mode Consequences Ka Loko 2006 Kauai, Hawaii Unusually heavy 7 killed Reservoir rain Val di Stava 1985 Near Trento, Poor maintenance; 268 killed; 62 buildings Italy failure of outlet and 8 bridges destroyed pipes Lawn 1982 Rocky Poor maintenance; 3 killed; $31 million in Lake and Mountain outlet pipe erosion damage (1982 dollars) Cascade National Park dams Morvi Dam 1979 India Excessive rain; 15,000 killed massive flooding Kelly 1977 Toccoa, Combination of 39 killed; property Barnes Dam Georgia factors damage in surrounding area Teton Dam 1976 Idaho Internal erosion as 11 killed; several towns dam being filled destroyed; $300 million in damages (1976 dollars) Banquiao 1975 China Extreme rainfall 85,000 killed and beyond design Shimantan capability of dam Baldwin 1963 Los Angeles, Subsidence 5 killed, 277 homes Hills California leading to destroyed Reservoir cracking of asphalt impervious seal Vajont 1963 Italy Tectonic failure Est. 2,000 killed; several villages wrecked Malpasset 1959 Côte d’Azur, Geological failure; 421 killed; $68 million in France rupture along damage (1959 dollars) foundation joints St. Francis 1928 Los Angeles, Geological More than 450 killed; Dam California instability; human one power plant error; failure of and other properties left abutment destroyed Austin 1911 Potter County, Design flaws 78 killed; $10 million in Pennsylvania damage (1911 dollars) South Fork 1889 Johnstown, Poor maintenance; 2,200 killed; several Pennsylvania heavy rain towns destroyed 

16 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM Brinkley, 1975). Serbian forces attempted to blow up the Peruća Dam in Croatia in 1993 during the Serbo-Croatian War. The attempt was thwarted, preventing a disaster for people in the cities and towns downstream (Nonveiller et al., 1999). Across the United States, 79,500 dams in operation today are more than 25 feet high and are considered to be significant hazards if they fail (FEMA, 2006). Some of the most significant and iconic of these are owned and managed by the U.S. Bureau of Reclamation (hereinafter BOR or R ­ eclamation). BOR’s mission is to manage, develop, and protect water and related resources in an environmentally and economically sound manner in the interest of the American public. This mission can be car- ried out only if Reclamation can secure its dams and related infrastructure from terrorist or other malicious acts. RECLAMATION’S SECURITY CHALLENGES The Bureau of Reclamation was established in 1902 to bring water to 17 western states. The importance of the water and power produced by BOR to the quality of life in the West cannot be overstated. Today, R ­ eclamation is the nation’s largest wholesaler of water, serving more than 31 million people and several large cities, including Denver, Seattle, Salt Lake City, Sacramento, San Francisco, Los Angeles, Las Vegas, and P ­ hoenix. It provides the water to irrigate 10 million acres of farmland, which, in turn, produce 60 percent of the nation’s vegetables and one- quarter of its fruit and nut crops. It is the second largest producer of hydroelectric power in the western United States: 58 power plants annu- ally provide more than 40 billion kilowatt-hours of electricity to heat, cool, light, and power homes, factories, businesses, and government facilities. Approximately 90 million people visit 300 recreation sites, including Lake Havasu, Lake Mead, and Lake Powell, each year. Major disruptions to Reclamation’s operations—the cutting off of water and power for days, weeks, or months—would have a significant impact on local and regional economies and on the lives of millions of people. Thus, Reclamation’s overriding security challenge is to assure the physical integrity of its facilities and the reliability of its power and water supplies if faced with a terrorist or other malicious act. Currently, Reclamation manages 249 facilities comprising 479 dams and dikes, including such iconic and massive structures as the Hoover, Grand Coulee, Glen Canyon, Shasta, and Folsom dams (Figure 1.1). These facilities are distributed across 17 states. Some dams are in remote areas Arizona, California, Colorado, Idaho, Kansas, Montana, Nebraska, Nevada, New Mexico, North Dakota, Oklahoma, Oregon, South Dakota, Texas, Utah, Washington, and Wyoming. 

CONTEXT 17 FIGURE 1.1  Hoover, Grand Coulee, Glen Canyon, Shasta, and Folsom dams. SOURCE: BOR Web site. not easily accessed by air or by road. Others that were once in rural areas are now surrounded by cities and towns as a result of population growth and urban development. In some cases, service roads originally built across the tops of dams to provide access for operations and maintenance crews have been incorporated into key transportation corridors serving commuters and trucking. Reclamation’s security challenge has multiple aspects, including sev- eral that involve balancing security measures with other societal needs 

18 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM and objectives. For example, Reclamation must find ways to provide public access to its facilities for transportation and recreation purposes and concurrently limit access to some areas within facilities. If an incident occurs, Reclamation must be prepared to respond rapidly and appropri- ately wherever the facility is located. Reclamation must also identify vulnerabilities in its facilities and find ways to mitigate the risk that someone will exploit them. Each BOR facility is unique, although they share some common physical, human, and cyber elements. Most dam facilities comprise the dam itself, water impound- ments or reservoirs, power plants, spillways, outlet works, penstocks (pipelines or conduits to turbines), and control rooms. However, the dams are built of different materials, have different configurations, and use dif- ferent methods to impound water. The amount of water impounded by any single dam varies by season and weather condition. Each component and structure type potentially incorporates vulnerabilities that could be exploited. Reclamation needs not only to identify existing vulnerabilities but also to understand how they might change in a world where security threats are continually emerging. In addition to protecting individual facilities, Reclamation must con- sider their interdependencies with other facilities. Many dams were built as interconnected components of systems to control major river basins and watersheds, such as the Colorado and Missouri river basins, the Central Valley Project in California, and the Columbia Basin Project in Washington. Although facilities along these watersheds are separated geographically, their operations are interconnected. Some are manned 24 hours per day, 7 days per week, while others are manned only part time or are controlled remotely through supervisory control and data analysis (SCADA) systems. Reclamation’s facilities are in some cases interdependent with other infrastructure that is not under its direct con- trol. Switchyards, roads, bridges, dams, and power plants owned or man- aged by other federal, state, or local organizations or by the private sector could, if compromised, damage Reclamation’s facilities and their capacity to provide water and power. Mitigating such vulnerabilities requires BOR staff to partner with staff at other organizations such as the Department of Energy, the U.S. Army Corps of Engineers (USACE), and state depart- ments of transportation. The human elements of Reclamation’s operations also present a secu- rity challenge. Its dams may be operated by federal government staff, local water and power authorities, or some combination of the two. Hundreds of contract workers access Reclamation’s facilities every day to implement new construction or to carry out renovation, repair, and maintenance. BOR must ensure that its staff, its operators, and its contractors do not include individuals who present a security threat. 

CONTEXT 19 Finally, Reclamation is challenged to provide adequate resources— staff, funds, expertise—to conduct an effective security program while conducting its other programs and operations. In the last several years, Reclamation’s overall budget has been decreasing even though the costs of maintaining and repairing existing infrastructure are rising for a number of reasons, among them the age of its facilities and increased stakeholder attention to environmental issues (NRC, 2006). The security program has been staffed and funded primarily by redirecting resources from other programs, placing additional constraints and pressures on Reclamation’s budget. TETON DAM FAILURE AND RECLAMATION’S RESPONSE In its 105-year history, BOR has experienced one major dam failure, that of the Teton Dam in Madison County, Idaho (Figure 1.2). Teton Dam was a 305-foot-high earth-filled dam constructed across the Teton River. The dam failed catastrophically and completely on June 5, 1976, just as it was being filled for the first time. The failure was initiated by a large leak about 130 feet below the crest of the dam. The first signs of the leak appeared at 7:30 a.m. By 8:00 p.m. the reservoir had emptied completely, triggering more than 200 landslides. The 30-foot-high wall of water released from the reservoir killed 11 people and destroyed entire downstream communities (Figure 1.3). FIGURE 1.2  Teton Dam failure. View northwest toward the breach. The canyon floor is flooded from bank to bank, and all works there are completely inundated. SOURCE: BOR. 

20 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM FIGURE 1.3  Teton Dam failure. Flood waters advancing through Rexburg, Idaho. SOURCE: BOR. Although the federal response to the Teton Dam failure was immedi- ate and far reaching, the costs were high. President Gerald Ford requested a $200 million appropriation to pay for damages. By 1987 more than 7,500 claims totaling more than $300 million had been paid. The Teton Dam failure, followed by the Kelly Barnes Dam failure in 1977, changed how BOR and the nation managed, inspected, and invested in dams. Since 1976, Reclamation has institutionalized a rigorous review of every major dam under its purview under the congressionally authorized safety of dams program. That program requires a comprehensive facility review (CFR) every 6 years by subject-matter experts. A CFR includes a detailed dam inspection, identification of any change in loading on the dam or in downstream population and development, and a risk assess- ment. Periodic facility reviews (PFRs), which involve detailed inspections of dams, are performed midway between CFRs. Annual inspections are conducted by Reclamation’s area offices in those years that CFRs or PFRs are not done. In addition to the dam safety aspects of the facility reviews and inspections, major operational and maintenance requirements are identified. Requests for funding to pay for such requirements are priori- tized based on urgency and availability of funds. Emergency action plans (EAPs) have been developed for all of Rec- lamation’s dams. The plans are intended to lay out clearly the roles and responsibilities of BOR staff and others who would be called on to act in the event of a safety-related dam failure. By statute, Reclamation staff are 

CONTEXT 21 responsible for notifying local officials of an emergency. Local officials, in turn, are responsible for warning the general public and for setting evacuation plans in motion. EAPs are updated annually for all high dams that are a significant hazard. Training exercises are performed for each “high hazard dam” and “significant hazard dam” every 3 and 6 years, respectively. During these exercises the BOR staff and other responders practice a timed response to a simulated incident in order to test roles, responsibilities, and lines of communication. In 1998, Reclamation established a “risk cadre,” whose members were five experts at the Denver Technical Services Center (TSC) assigned to further the risk analysis processes for dam safety. The risk cadre developed a consistent risk analysis methodology, developed toolboxes of meth- odologies for dam loading probability and consequences, and trained others in risk analysis, with the objective of continually improving the organization’s risk analysis procedures. BOR also works with other federal agencies in support of the Federal Emergency Management Agency (FEMA), which was directed to establish a national dam safety program under the Water Resources and Development Act of 1996. FEMA coordinates federal agencies’ dam safety programs and promotes dam safety through state and local government organizations. FEMA’s responsibilities were expanded by the Dam Safety and Security Act of 2002 (P.L. 107-310) to include developing technical assistance, materials, seminars, and guidelines to improve the security of U.S. dams. Today, dam safety has matured into a well-established set of regula- tions, programs, and organizations. Reclamation’s vision statement and goals clearly consider dam safety essential to its mission, and responsibil- ity for dam safety is firmly embedded in its culture. And now, in the face of twenty-first century realities, Reclamation is challenged to proactively develop a security program and culture that are as robust as its program for dam safety. HISTORY OF RECLAMATION’S SECURITY PROGRAM Reclamation has recognized that terrorism and other malicious acts pose a threat to its facilities, its people, its customers, and the general pub- lic. In response to the 1995 bombing of the Alfred C. Murrah Building in Oklahoma City and the 9/11 attacks, Reclamation has invested significant resources—staff time and expertise, outside expertise, technical and phys- ical measures, and funds—to build a security program. On November 12, 2001, Congress enacted P.L. 107-69, which provided Reclamation with law The TSC provides centralized engineering and scientific services that are typically beyond the capabilities of the areas and the regions (NRC, 2006). It is located in Denver. 

22 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM enforcement authority at all of its facilities. The law allows Reclamation to use law enforcement personnel from the Department of the Interior (DOI) or other federal agencies (except the Department of Defense). Recla- mation may not itself directly hire law enforcement personnel. The BOR’s Security, Safety, and Law Enforcement (SSLE) Office was subsequently established to focus on critical security needs. It was initially staffed by personnel from other BOR programs. One of SSLE’s first activities was the development of a long-range strategy for comprehensive security risk assessments at all critical facilities. The safety of dams program was the model for assessing the security risk, decision making, and incident response procedures and programs. In February 2003, Homeland Security Presidential Directive 5 (HSPD-5), Management of Domestic Incidents, was issued to enhance the ability of the United States to manage domestic incidents by establishing a single, comprehensive National Incident Management System (NIMS). The objec- tive of the directive is to ensure that all levels of government across the nation are able to work together efficiently and effectively in response to ­ domestic incidents regardless of their cause, size, or complexity (EOP, 2003a). HSPD-5 also notes that initial responsibility for managing incidents generally falls on State and local authorities. The Federal government will assist State and ­ local authorities when their resources are overwhelmed or when Federal i ­ nterests are involved. The Secretary will coordinate with State and ­local governments to ensure adequate planning, equipment, training, and exercise activities. (EOP, 2003a, p. 1) The Departmental Manual of DOI incorporates policy for the coor- dination of emergency management incidents, which include terrorist attacks and threats, floods, and other occurrences. The policy states that incident management activities must be initiated and conducted using the principles contained in the NIMS and that response activities are to be managed at the lowest possible organizational level (DOI, 2006). In December 2003, Homeland Security Presidential Directive 7 (HSPD- 7), Critical Infrastructure Identification, Prioritization, and Protection, was issued. It established national policy for federal departments and agen- cies to identify and prioritize United States critical infrastructure and key resources and protect them from terrorist attacks. The directive states as follows: The Bureau of Reclamation had no law enforcement authority with the exception of the police force at Hoover Dam before enactment of this law. Instead, BOR relied on support from other Department of Interior bureaus and from local law enforcement agencies that worked with specific BOR facilities. 

CONTEXT 23 The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruc­ tion, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debili- tating effect on security and economic well-being. (EOP, 2003b, p. 1) Under this directive, Reclamation and other federal agencies are required to • Identify, prioritize, and coordinate the protection of critical infra­ structure and key resources in order to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them; • Work with state and local governments and the private sector to accomplish this objective; • Ensure that homeland security programs do not diminish the overall economic security of the United States; • Appropriately protect information associated with carrying out this directive, including handling voluntarily provided information and information that would facilitate terrorist targeting of critical infra­structure and key resources; • Conduct or facilitate vulnerability assessments of their infra­ structure; and • Encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources. In response to HSPD-7, the National Infrastructure Protection Plan (NIPP) was written and issued in 2006. It defines critical infrastructure as “assets, systems, and networks, whether physical or virtual, so vital to the United States that the incapacity or destruction of such assets, systems, or networks would have a debilitating impact on security, national economic security, public health or safety or any combination of those matters (NIPP, 2006, p. 103). NIPP also outlines how the Department of Home- land Security (DHS) and its stakeholders will organize and carry out the national effort to protect 18 categories of infrastructure, including dams. It establishes national goals and objectives, introduces a risk-­management framework that supports the national goals, and proposes key actions that are crucial to meeting the national goals. Five of Reclamation’s dams are designated as national critical infrastructure. 

24 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM DHS has also drafted a sector-specific plan for the protection of dams and related resources. The plan sets out strategies for identifying dam assets, assessing vulnerabilities and prioritizing assets, developing protective programs, and planning for research and development. BOR helped to develop the dam sector plan in collaboration with USACE, other federal agencies, and other owners and operators of large dams (OMB, 2007). In the 6 years after the 9/11 attacks, Reclamation • Completed threat and vulnerability assessments for about 300 dams and related facilities; • Hired security guards for its NCI dams and for some other critical facilities; • Installed cameras and deployed other security measures such as barriers, bollards, fences, and gates to limit access to facilities; • Closed or limited the use of some roads that traverse dams; • Installed redundant control systems and upgraded SCADA systems for dams and related facilities; and • Conducted internal training through seminars and tabletop and full-scale exercises. Special events, including the 2002 Winter Olympics, the 2002 BOR Centennial, and the 2004 Lewis and Clark Bicentennial, received additional security attention and provided opportunities for security training. PREVIOUS REVIEWS OF RECLAMATION’S SECURITY PROGRAM Early in its effort to establish a security program, Reclamation requested a top-down security program review to ensure that the program becomes balanced and sustainable and is based on a graded approach to protection. The review was conducted by experts from Sandia National Laboratories and the Interagency Forum for Infrastructure Protection, who collected data between July 29 and December 18, 2002. These outside experts were tasked to (1) evaluate the organizational structure, policies, and processes of BOR’s security program and (2) make recommendations The report is designated For Official Use Only and is exempted from disclosure to the public. A graded approach gives the greatest of protection to the most important assets. The Interagency Forum on Infrastructure Protection included the Army Corps of E ­ ngineers, Tennessee Valley Authority, Bonneville Power Administration, Western Area Power Administrations, Federal Emergency Management Agency, Federal Energy Regula- tory Commission, Sandia National Laboratories, Association of State Dam Safety Officials, and others. 

CONTEXT 25 for a mature, sustainable security program. The final report was issued in June 2003. The top-down review contained a series of recommendations for enhancing and sustaining the security program. It was adopted by Rec- lamation as the roadmap for long-term security policies and strategies. Many of the recommendations have been or are being implemented. Two years later, in 2005, Reclamation’s security program was reviewed by the Program Integrity Division of DOI’s Office of the Inspector Gen- eral. The review focused on whether Reclamation had implemented an adequate security program for its dams, particularly at the five NCI sites and other major dams, and whether funds appropriated for dam security had been properly expended.10 The performance of one element of Reclamation’s security program, site security, was reviewed by the Office of Management and ­ Budget (OMB) in 2005 and 2006. The OMB review is based on the Program Assess- ment Rating Tool (PART) that was developed to assess and improve the performance of federal government programs and achieve better results. The PART review is intended to identify a program’s strengths and weak- nesses to inform funding and management decisions aimed at making the program more effective. It looks at all factors that affect and reflect pro- gram performance, including program purpose and design; performance measurement, evaluations, and strategic planning; program management; and program results. The PART includes a consistent series of analytical questions that are intended to determine if programs are improving over time and to allow comparisons between similar programs in different agencies (OMB, 2007).11 OMB rated Reclamation’s site security program as “moderately effec- tive,” which OMB defines as having set ambitious goals and being well managed. In summarizing its findings, OMB reported that the program has been re-invented since September 11, 2001, and after several rounds of internal and external reviews has made notable prog- ress in improving the safety and security of key Reclamation facilities. To date it has made the most progress on upgrading the security of National Critical Infrastructure facilities, and is next moving to upgrade lower-risk facilities. The program has recently developed several creative and useful per- formance measures that will help track program accomplishments and The report is designated For Official Use Only and is exempted from disclosure to the public. 10The report is designated For Official Use Only and is exempted from disclosure to the public. 11OMB has also evaluated 13 other Reclamation programs, including the safety of dams program, which was given the highest rating, “effective.” 

26 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM efficiency, but because they are new have not yet been used to guide program development or funding. Program oversight within the Department of the Interior falls out- side normal program and budget pathways, possibly impairing inter- nal program oversight. Also, certain oversight officials do not have the n ­ ecessary security clearances, which limits their effectiveness and may cause internal information flow problems. (OMB, 2007, p. 1) The report states that the OMB was taking action to (1) improve the linkage between program performance and program budget requests; (2) reexamine the internal management of the program to improve internal oversight and communication between BOR and DOI staff; and (3) collect performance information and refine timelines and cost esti- mates for reducing risk at critical and project-essential facilities. Statement of Task At the request of the BOR, the NRC, through the Board on Infra- structure and the Constructed Environment, appointed a committee of 14 experts to assess BOR’s security program and determine its prepared- ness to prevent, deter, respond to, and recover from malicious acts to BOR’s physical infrastructure and to the people who use and manage it. The members of this multidisciplinary committee have broad and substantial experience and expertise in physical security, law enforce- ment, threat assessment and mitigation, risk analysis, dam safety, civil engineering, and emergency response. They have worked in government, academia, and the private sector. To meet its charge, the committee was asked to: (1) Assess security, law enforcement, and emergency manage- ment response processes, functions, and expertise to determine whether the BOR is appropriately structured and has the required expertise to effectively protect its infrastructure and its people and assess the BOR’s working relationships with other organi- zations involved with security and law enforcement functions, including other units within the Department of the Interior and other federal, state, and local agencies; (2) Evaluate BOR’s future plans for its security, law enforce- ment, and emergency management programs; (3) Recommend strategies, methods, and practices to inte- grate security principles, policies, practices, and a culture of secu- rity throughout the organization, from headquarters to the field; (4) Develop a prioritized set of recommended actions that should be taken to close any gaps in preparedness or effectiveness. 

CONTEXT 27 The committee notes that the overarching statement refers to Recla- mation’s level of preparedness to “respond to . . . malicious acts,” but that the individual tasks refer to emergency management response processes, functions, and expertise. In discussions and briefings with Reclamation and SSLE staff it was clear that the committee was being asked to evalu- ate how well prepared Reclamation is to respond to security-related inci- dents. Therefore, the committee’s assessment focuses on Reclamation’s processes, functions, and expertise for responding to security-related incidents. The committee also notes that this report covers only the Bureau of Reclamation, although there are many other owners and operators of large dams in the United States, including USACE, the Tennessee Valley Authority, other federal agencies, states and localities, water and power authorities, and private sector corporations that must grapple with simi- lar security challenges and find ways to overcome them. The committee could not extend its investigations beyond the security issues faced by the Bureau of Reclamation. It believes, however, that a comprehensive review of the security of the nation’s dams would be of value. THE COMMITTEE’S APPROACH To accomplish its tasks, the committee met as a whole four times between January and November 2007. At the first two meetings, the committee received briefings from the SSLE’s directors and program man­ agers and from program managers in the office of the Chief Information Officer (CIO). Some of the briefings presented information that was classi- fied as secret or sensitive. Groups of two or three committee ­members and NRC staff visited the BOR’s five national critical infrastructure facilities and other dams. During the site visits, the committee members met with the senior staff at four regional offices—Salt Lake City, Utah; ­Sacramento, California; Boulder City, Nevada; and Boise, Idaho—and at several area offices, including Casper, Wyoming. The committee members also inter- viewed area office managers, law enforcement and security personnel, and BOR operators and contractors and observed the customs and prac- tices of BOR staff in the field. After completing all the site visits, the groups met as the full committee to report on and discuss their observa- tions and findings. The committee also received briefings on the physical security of dams and BOR’s security program from Reclamation representatives in Washington, D.C., and staff from DOI and discussed issues with both sets of individuals. To gain an outside perspective, the committee con- ducted a roundtable discussion with staff from the DHS, FEMA, and USACE about their dam-related security programs and security issues 

28 ASSESSMENT OF THE BUREAU OF RECLAMATION’S SECURITY PROGRAM in general. The committee’s meetings, briefings, and site visits are listed in Appendix B. To promote open and candid discussions throughout the study, the participants were assured that comments would not be attributed to spe- cific individuals. Important facts and opinions were learned in this way and have been relied on for the development of this report. The committee formulated its findings and recommendations on the basis of earlier reviews of BOR’s security program, information gathered in the course of the briefings, site visits, and discussions, a review of refer- ence materials and studies, and on the committee members’ own expertise and experience. REFERENCES Abbey, Edward, and Douglas Brinkley. 1975. The Monkey Wrench Gang. First Edition. P ­ hiladelphia, Pa.: J.B. Lippincott Company. Department of the Interior (DOI). 2006. Departmental Manual. Chapter 4: Coordination of Emergency Management Incidents. Available at http://elips.doi.gov/app_dm/act_ getfiles.cfm?relnum=3696. Executive Office of the President (EOP). 2003a. Homeland Security Presidential Directive 5, Management of Domestic Incidents. Available at www.nimsonline.com/­presidential_ d ­ irectives/hspd_5.htm. EOP. 2003b. Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Priori- tization and Protection. Available at www.fas.org/irp/offdocs/nspd/hspd-7.html. Federal Emergency Management Agency (FEMA). 2006. Dam Safety and Security in the U.S. A Report on the National Dam Safety Program. Fiscal Years 2005 and 2006. FEMA 576. Available at www.fema.gov/library/viewRecord.do?id=2139. Nonveiller, E., J. Rupcic, and Z. Sever. 1999. War damages and construction of Peruca Dam. Journal of Geotechnical and Geoenvironmental Engineering 125(4): 280-288. Office of Management and Budget (OMB). 2007. Program Assessment. Bureau of ­ eclamation—Site Security. Available at www.whitehouse.gov/omb/expectmore/­ R summary/10003701.2005.html. Pfaff, Christine. 2003. “Safeguarding Hoover Dam during World War II.” The U.S. National Archives and Records Administration Vol. 35. No. 2.