Download chapter PDF



Chapter 5
5.1 Overview

A primary responsibility of the Department of Defense (DoD) and Department of Energy (DOE) stockpile mission is to ensure that U.S. nuclear weapons are safe, secure, reliable, and under positive control, a concept commonly referred to as “surety.” This chapter provides a basic understanding of the various elements contributing to nuclear weapons surety.

5.2 Dual Agency Surety Responsibilities

Because a nuclear weapon is in DoD custody for the majority of its lifetime, the Department of Defense is responsible for a wide range of operational requirements, including accident prevention and response.

The Department of Defense and the Department of Energy, through the National Nuclear Security Administration (NNSA), share primary responsibility for the safety, security, and control of U.S. nuclear weapons. A 1983 DoD-DOE Memorandum of Understanding (MOU), signed by the secretaries of defense and energy, reaffirmed “the obligation of the DoD and the DOE to protect public health and safety provides the basic premise for dual-agency judgment and responsibility for safety, security, and control of nuclear weapons.”

Because a nuclear weapon is in DoD custody for the majority of its lifetime, the Department of Defense is responsible for a wide range of operational requirements, including accident prevention and response. The DOE, through the NNSA and the national security laboratories, is responsible for the design, production, assembly, surety technology, disassembly, and dismantlement of U.S. nuclear weapons. The DOE is also responsible for the transportation of weapons to and from the Military First Destination (MFD). There are, however, overlaps in responsibility between the Department of Defense and the Department of Energy, requiring considerable coordination between the two departments regarding surety issues. For example, the DoD and the DOE share responsibility for the interface between the weapon and the delivery system.

5.3 National Security Presidential Directive 28

National Security Presidential Directive 28 (NSPD-28), U.S. Nuclear Weapons Command and Control, Safety, and Security, was issued on June 20, 2003. The document supersedes three former Presidential Directives:

  • National Security Decision Memorandum 312, Nuclear Weapons Recovery Policy (1975);
  • National Security Decision Directive 281, Nuclear Weapons Command and Control (1987); and
  • National Security Decision Directive 309, Nuclear Weapons Safety, Security, and Control (1988).

NSPD-28 provides explicit guidance and standards in three nuclear weapons-related areas: nuclear command, control, and communications (NC3); nuclear weapons safety; and nuclear weapons security. NSPD-28 also called for the establishment of the Nuclear Command and Control System (NCCS) Committee of Principals (CoP).

5.3.1 The NCCS CoP

The NCCS CoP was established in 2004, and its membership includes a senior official (i.e., a principal) from each of the following NCCS components:

  • White House Military Office
  • Department of Defense
  • Department of State (DOS)
  • Department of Energy, National Nuclear Security Administration
  • Department of Homeland Security (DHS)
  • Department of Justice (DOJ), Federal Bureau of Investigation (FBI)
  • Office of the Director of National Intelligence (DNI)
  • National Security Staff (formerly National Security Council)[1]
  • Nuclear Support Staff (NSS)[2]
  • Nuclear Regulatory Commission (NRC)
  • Office of Science and Technology Policy (OSTP)

In 2008, the CoP drafted and approved its first official charter that clarified members’ roles and responsibilities under the broader guidance in NSPD-28. In 2009, by direction of the CoP chairman, the charter was revised to add two new voting members to the CoP, the Nuclear Regulatory Commission and the Office of Science and Technology Policy.

In addition to the members listed above, the vice chairman of the Joint Chiefs of Staff and the associate director for National Security Programs at the Office of Management and Budget (OMB) attend NCCS CoP meetings as invited guests.

The NCCS CoP first met in December 2004. CoP meetings are normally held three times per year or at the direction of the presiding chairman, the deputy secretary of defense.

5.3.2 NCCS CoP Responsibilities

NSPD-28 established the NCCS CoP in order to facilitate interagency cooperation and to ensure effective implementation of the NSPD. The NCCS CoP has direct oversight of implementation activities, including:

  • Addressing NCCS-related issues applicable to two or more departments or agencies;
  • Promoting effective liaison among federal government NCCS components;
  • Coordinating interdepartmental NCCS supporting programs and policies to ensure unified and integrated management of the NCCS priority objects stated in NSPD-28;
  • Recommending priorities for funding;
  • Monitoring corrective actions within implementing organizations; and
  • Establishing mechanisms to share best practices and lessons learned.

The NCCS CoP provides oversight through the assistance of several committees and subcommittees, including the Deputies Committee, the Action Officers Group, the Nuclear Weapons Accident/Incident Response Subcommittee (NWAIRS), and the Nuclear Weapons Physical Security Subcommittee (NWPSS).

5.4 Nuclear Weapon System Safety

Nuclear weapons systems require special safety considerations because of the weapons’ unique destructive power and the potential consequences of an accident or unauthorized act. Therefore, nuclear weapons systems must be protected against risks and threats inherent in both peacetime and wartime environments. Nuclear weapons system safety refers to the collection of positive measures designed to minimize the possibility of a nuclear detonation because of accidents, inadvertent errors, or acts of nature. For safety purposes, a nuclear detonation is defined as an instantaneous release of energy from nuclear events (i.e., fission or fusion) exceeding the energy released from an explosion of four pounds of TNT. Nuclear safety also encompasses design features and actions to reduce the potential for dispersal of radioactive materials in the event of an accident. Nuclear weapons system safety integrates policy, organizational responsibilities, and the conduct of safety-related activities throughout the life-cycle of a nuclear weapon system.

The nuclear weapon safety philosophy deviates from many other performance criteria insofar as safety is not synonymous with reliability. Safety is concerned with how things fail (as opposed to focusing on what must work for reliability) and relies mostly on passive approaches rather than on active ones. For instance, an airplane is considered safe as long as critical systems, such as the engines and landing gear, work reliably. Active (i.e., pilot) intervention is relied upon for accident prevention. With nuclear weapons, however, safety requirements must be met in the event of an accident, with or without human intervention. For nuclear weapons, reliability is the probability that a weapon will perform in accordance with its design intent or requirements; safety focuses on preventing a nuclear detonation under all circumstances, except when directed by the president. High reliability is required for expected operational, or normal, wartime employment environments. Safety is required for normal wartime employment environments, normal environments, and abnormal environments.

5.4.1 DoD and DOE Safety Programs

The objective of the DoD Nuclear Weapon System Safety Program and the DOE Nuclear Explosive and Weapons Surety Program is to prevent accidents and inadvertent or unauthorized use of U.S. nuclear weapons. DoD Safety Standards are promulgated under DoD Directive 3150.2, DoD Nuclear Weapons System Safety Program. The DOE revised its standards to emphasize its responsibilities for nuclear explosive operations in 2005 with DOE Order 452.1C, Nuclear Explosive and Weapons Surety Program. Although the operating environments differ significantly, DoD and DOE standards share many similarities. Figure 5.1 compares DoD nuclear weapons system safety standards with DOE nuclear explosive surety standards.

Figure 5.1 Comparison of DoD Nuclear Weapon System Safety Standards with DOE Nuclear Explosive Surety Standards

5.4.2 Nuclear Weapon Design Safety

Modern nuclear weapons incorporate a number of safety design features. These features provide an extremely high assurance that an accident, or other abnormal environment, will not produce a nuclear detonation. They also minimize the probability that an accident or other abnormal environment will cause the scattering of radioactive material. In the past, there have been performance trade-offs to consider in determining whether to include various safety features in the design of a particular warhead. Thus, not all warhead-types incorporate every available safety feature. All legacy warheads, however, were designed to meet specific safety criteria across the range of both normal and abnormal environments.

Normal environments are the expected logistical and operational environments, as defined in a weapon’s military characteristics (MCs) and stockpile-to-target sequence (STS) documents, in which the weapon is expected to survive without degradation in operational reliability. Normal environments include a spectrum of conditions that the weapon could be subjected to in expected peacetime logistical situations and in wartime employment conditions up to the moment of detonation. For example, a normal environment may include conditions such as a temperature range of -180 to +155 degrees Fahrenheit, a force of 10G set-back upon missile launch, or shock from an impact of a container being dropped from a height of up to two inches.

Abnormal environments are the expected logistical and operational environments, as defined in a weapon’s MCs and STS documents, in which the weapon is not expected to retain full operational reliability. Abnormal environments include conditions not expected in normal logistical or operational situations but which could occur in credible accidental or unusual situations, including an aircraft accident, lightning strike, shipboard fire, or a bullet, missile, or fragmentation strike.

The following are safety criteria design requirements for all U.S. nuclear weapons:

  • Normal environment: Prior to receipt of the enabling input signals and the arming signal, the probability of a premature nuclear detonation must not exceed one in a billion per nuclear weapon lifetime.
  • Abnormal environment: Prior to receipt of the enabling input signals, the probability of a premature nuclear detonation must not exceed one in a million per credible nuclear weapon accident or exposure to abnormal environments.
  • One-point safety: The probability of achieving a nuclear yield greater than four pounds TNT equivalent in the event of a one-point initiation of the weapon’s high explosive must not exceed one in a million.
Enhanced Nuclear Detonation Safety

Nuclear detonation safety deals with preventing nuclear detonation through accidental or inadvertent causes. For modern weapons, the firing system forms a key part of detonation safety implementation. The goal of nuclear safety design is to prevent inadvertent detonation by isolating the components essential to weapon detonation from significant electrical energy. This involves the enclosure of detonation-critical components in a barrier to prevent unintended energy sources from powering or operating the weapon’s functions. When a barrier is used, a gateway is required to allow the proper signals to reach the firing set. A gateway can also be used to prevent the firing set stimulus from reaching the detonators. These gateways are known as stronglinks. The enhanced nuclear detonation safety (ENDS) concept is focused on a special region of the weapon system containing safety-critical components designed to respond to abnormal environments in a predictably safe manner. This ensures that nuclear safety is achieved in an abnormal environment despite the appearance of premature signals at the input of the special region. Figure 5.2 illustrates this modern nuclear safety architecture.

Figure 5.e Modern Nuclear Safety Architecture

Stronglinks operate upon receipt of a unique signal (UQS). Stronglinks open only upon receipt of a unique signal indicating proper human intent (UQS #1) or a specific weapon trajectory (UQS #2). Stronglinks are designed to withstand severe accident environments including physical shock, high temperatures, and high voltage. Before stronglink failure occurs, another component is designed to render the fireset safe: the weaklink. The weaklink is designed so that, in the event that a certain part is ruptured, it will keep the weapon’s electrical system in a safe mode, thereby preventing a nuclear detonation. Any force strong enough to pass the stronglink will rupture the weaklink, “freezing” the electrical system in a safe condition.

Modern safety requirements dictate that each firing set contains two independent stronglinks. The unique signal for the intent stronglink cannot be stored in the weapon and must be entered by a human being. The pattern for the trajectory stronglink is frequently stored in a device known as a trajectory-sensing signal generator (TSSG).

There are four principal safety themes for nuclear weapons: isolation, incompatibility, inoperability, and independence. The stronglink plays an important role in all four themes.

Isolation

The critical components necessary for a nuclear detonation are isolated from their surroundings by placing them within a physical barrier known as an exclusion region. This barrier blocks all forms of significant electrical energy, such as lightning or power surges, even when the exclusion region is subjected to a variety of abnormal environments.

The barrier is not perfect, and only a perfect barrier would make a weapon perfectly safe. However, the result of perfect isolation is a non-functional weapon. To initiate a nuclear detonation, some energy must be permitted inside the exclusion region. Therefore, an energy gateway, or shutter, is required. When the shutter is closed, it should form an integral part of the barrier; when the shutter is opened, it should readily transfer energy inside the exclusion region to cause a nuclear detonation. The stronglink provides the energy gateway.

Incompatibility

It is critical to ensure that only a deliberate act opens the shutter; the act can originate from human intent or the delivery environments of the weapon. The stronglink serves as an electrical combination lock preventing weapon usage until deliberate action occurs. The combination to the lock is a complex pattern of binary pulses. To activate the stronglink switch, an operator must input the unique signal information when the weapon is ready for use. This information is converted into a specific pattern of a specific number of long and short electrical pulses, which must also be in the correct sequence. This is the only signal that will activate the stronglink; any other pattern is incompatible. An incompatible pattern will cause the switch to lock up and remain in a safe condition. Figure 5.3 illustrates the concept of incompatibility.
Each stronglink contains one pattern and can only be operated by the application of its unique pattern. Stronglink patterns are analyzed for their uniqueness to ensure they are incompatible with naturally occurring signals; stronglinks are engineered so that the odds of their accidental generation from a naturally occurring source are far less than one chance in a million.

Figure 5.3 Incompatibility
Inoperability

At some level of exposure to an abnormal environment, the energy from the surroundings becomes so intense the barrier loses integrity, and the barrier melts or ruptures. Incorporating environmental vulnerability into weaklinks ensures nuclear safety. Weaklinks perform the opposite function of stronglinks. They must be functional for a nuclear detonation, but weaklinks are designed to fail at relatively low environmental levels, thus rendering the weapon inoperable. These levels are low enough to ensure the weaklink fails before the stronglink or exclusion barrier fails. Ideally, the weaklinks are co-located with the stronglink so that both components experience the same environmental assault. Figure 5.4 is a diagram of the concept of inoperability.

Figure 5.4 Inoperability
Independence

Typically, two different stronglinks are used per weapon. Different stronglinks with different patterns are used to gain independence and to provide the required assurance of safety. With independent stronglinks, a design flaw may cause the first stronglink to fail, but the second stronglink will still protect the weapon.

Insensitive High Explosive

Another feature of nuclear weapons design safety is the use of insensitive high explosive (IHE) as opposed to conventional high explosive. IHE is much less sensitive to shock or heat; it is highly resistant to accidental detonation and represents a great advance in safety by reducing the likelihood of plutonium scatter.

Fire-Resistant Pit

A third feature of nuclear weapons design safety is the fire-resistant pit (FRP). In an accident, plutonium can be dispersed if it is aerosolized by intense heat, such as that from ignited jet fuel. To prevent this, the nuclear weapon pit can be designed with a continuous barrier around it. In theory, this barrier will contain the highly corrosive, molten plutonium for a sufficient amount of time to extinguish the fire.

5.5 Nuclear Weapons Security

Nuclear weapons security refers to the range of active and passive measures employed to protect a weapon from access by unauthorized personnel and prevent loss or damage. These measures include department nuclear security policy; security forces; equipment; technology; tactics, techniques, and procedures (TTPs); and personnel security standards. Ensuring security is vital throughout the entire life-cycle of a weapon.

Nuclear weapons security is essential for both the Department of Defense and the Department of Energy. Each department is responsible for providing appropriate security for all nuclear weapons in its custody. Custody is defined as the responsibility for controlling the transfer, movement, and access to a nuclear weapon or its components.

5.5.1 DoD Nuclear Weapons Security Standard

DoD Directive O-5210.41, Security Policy for Protecting Nuclear Weapons, establishes the DoD Nuclear Weapon Security Standard (NWSS). The objectives of the standard include: prevent unauthorized access to nuclear weapons; prevent loss of custody; and prevent, to the maximum extent possible, radiological contamination caused by unauthorized acts. The NWSS defines two fundamental tenets of nuclear weapons physical security. The first tenet is “to deny unauthorized access to nuclear weapons,” and the second is “failing denial of access, commanders must take any and all actions necessary to regain control of nuclear weapons immediately.”

. . . the five “Ds” of nuclear security: deter, detect, delay, deny, and defeat.

The central and overriding objective of nuclear weapons security is denial of unauthorized access. This is accomplished by employing an integrated, defense-in-depth concept that leverages five distinct security capabilities. These security system capabilities are commonly referred to as the five “Ds” of nuclear security: deter, detect, delay, deny, and defeat. Together, the security capabilities support the NWSS. First, a security system must be sufficiently robust to deter adversaries from attempting to achieve unauthorized access. Deterrence is accomplished through facility hardening, security forces tactics, TTPs, and an aggressive counterintelligence program.

If deterrence fails, a security system must be designed to ensure rapid detection of an adversary’s intention as far away from the nuclear weapon as practical. Detection is achieved through close coordination with the intelligence community coupled with a system of alarms, sensors, procedural requirements, and human surveillance (e.g., patrols).

In concert with detection, security systems must provide sufficient delay features to prevent adversaries from gaining unauthorized access before the response of armed security forces. Delay is achieved through physical security barriers, facility hardening, response forces, and the design features of the weapons storage facility.

Security forces must incorporate capabilities to deny adversaries unauthorized access to nuclear weapons. Denial can be achieved through technological means (lethal or non-lethal) or by creating adversarial duress sufficient to prevent unauthorized access. If denial fails, however, security forces and systems must be capable of defeating a hostile adversary and immediately regaining custody of the nuclear weapon.

The DoD has a program called Mighty Guardian (MG) that is designed to ensure that vulnerabilities are identified and potential risks are minimized. The MG process combines force-on-force exercises and engineering assessments to evaluate the effectiveness of nuclear security policy and standards and identify its failure points. MG results are used to identify shortfalls and improvements in the U.S. nuclear security system. Commanders use risk management principles to identify potential risks to nuclear weapons and to prioritize risk reduction requirements. The DoD Nuclear Security Risk Management Model assists commanders in this responsibility and incorporates security enhancements into the DoD Nuclear Weapons Physical Security (NWPS) Roadmap. The roadmap examines the current state of NWPS and plans for the future to ensure that security capabilities are adequate to meet the NWSS.

5.5.2 DOE Safeguards and Security

The Department of Energy has programs similar to those of the Department of Defense to ensure the physical security of nuclear weapons and special nuclear materials in transport and at NNSA locations and laboratories. Like the DoD, the DOE—through the NNSA—is evaluating its future security capabilities in concert with its plans for the future of the Nuclear Security Enterprise to ensure that adequate security is provided to meet identified threats. (For more information on the Nuclear Security Enterprise, see Chapter 7: U.S. Nuclear Infrastructure.)

5.5.3 DoD and DOE Personnel Security

Both the DoD and the DOE have programs in place to ensure that personnel assigned to nuclear weapons-related duties are trustworthy. Both the DoD Personnel Reliability Program (PRP) and the DOE Human Reliability Program (HRP) ensure that personnel are reliable and possess the necessary judgment to work with nuclear weapons. Unescorted access to nuclear weapons is limited to those who are PRP- or HRP-certified.

The DoD PRP is designed to ensure the highest possible standards of individual reliability for those personnel assigned to nuclear weapons duties. It emphasizes the individual’s loyalty, integrity, trustworthiness, and behavior. The program applies to all personnel who handle nuclear weapons, nuclear weapon systems, or nuclear components, as well as to those who have access to, or who control access to, nuclear weapons. Personnel positions associated with nuclear weapons are designated as either critical or controlled depending on the degree of physical access to nuclear weapons and the technical knowledge required by the person in that position. The DOE HRP, similar to the DoD PRP, is designed to ensure that authorized access to nuclear weapons is limited to those personnel who have been carefully screened and certified.

Before personnel are assigned to designated DoD PRP or DOE HRP positions, a screening process is conducted that includes the following:

  • a personal security investigation and the granting of a security clearance;
  • a medical evaluation to determine the physical and mental fitness of the individual;
  • a review of the individual’s personnel file and any other locally available information concerning behavior that may be relevant;
  • a proficiency qualification process designed to certify that the individual has the training and experience necessary to perform the assigned duties; and
  • a personal interview to ascertain the individual’s attitude toward the reliability program.

The certifying official is responsible for determining a person’s overall reliability and for assigning that individual to a substantive nuclear weapons-related position.

Once a person begins to perform duties in a DoD PRP or DOE HRP position, that individual is periodically evaluated to ensure continued conformity to reliability standards. Any information raising questions about an individual’s judgment or reliability is subject to review. For example, whenever a prescription drug is prescribed to a PRP-certified individual, depending on the effects of the particular medication, that person might be temporarily suspended from nuclear weapons-related duty. Personnel who cannot meet the standards are eliminated from the program and relieved of their nuclear weapons-related responsibilities.

5.5.4 Procedural Security

The first and most important aspect of procedural security is the two-person rule, which requires the presence of at least two cleared, PRP- or HRP-certified, and task-knowledgeable individuals whenever there is authorized access to a nuclear weapon.

The first and most important aspect of procedural security is the two-person rule, which requires the presence of at least two cleared, PRP- or HRP-certified, and task-knowledgeable individuals whenever there is authorized access to a nuclear weapon. Each person is required to be capable of detecting incorrect or unauthorized actions pertaining to the task being performed. Additionally, restricted entry to certain sectors and exclusion areas based on strict need-to-know criteria reduces the possibility of unauthorized access.

5.5.5 DoD and DOE Security Program Authorities

Within the United States, nuclear weapon security programs are governed by DoD and DOE policy. For U.S. nuclear weapons forward deployed in other countries, the United States has established Programs of Cooperation (POCs) to delineate the duties and responsibilities involved in the weapons’ deployment.

DoD Security Program Authorities

DoD policies and procedures for nuclear weapons security are found in DoD Directives and Manuals. They are designed to guard against threats to the security of U.S. nuclear weapons.

DoD Directive O-5210.41, Security Policy for Protecting Nuclear Weapons, outlines the DoD security policy for protecting nuclear weapons in peacetime environments. It gives guidance to commanders to provide security for and to ensure the survivability of nuclear weapons. The directive also authorizes the publication of DoD S-5210.41-M, which is the DoD manual providing security criteria and standards for protecting nuclear weapons.

DoD Directive 5210.42, Nuclear Weapons Personnel Reliability Program, provides the specific guidance needed to implement the DoD PRP.

DoD Instruction 5210.63, DoD Procedures for Security of Nuclear Reactors and Special Nuclear Materials (SNM), directs policy, responsibilities, procedures, and minimum standards for safeguarding DoD nuclear reactors and special nuclear material.

DoD Manual S-5210.92, Physical Security Requirements for Nuclear Command and Control (NC2) Facilities, implements policy governing physical security requirements of U.S. NC2 facilities and systems that have the capability to make and transmit a nuclear control order as part of the NCCS.

DoD Directive 3224.3, Physical Security Equipment (PSE) Research, Development, Test, and Evaluation (RDT&E), provides guidance for the acquisition of all physical security equipment. It assigns responsibility for physical security equipment research, engineering, procurement, installation, and maintenance.

DOE Security Program Authorities

Several DOE Regulations and Orders address the security of nuclear weapons.

DOE Order 452.1C, Nuclear Explosive and Weapon Surety Program, outlines the Nuclear Explosive and Weapon Surety (NEWS) Program and the five DOE surety standards.

DOE Order 470.1, Safeguards and Security Program, outlines the DOE Safeguards and Security Program, which provides the basis for security for all NNSA activities related to nuclear weapons.

10 CFR Part 712, Human Reliability Program, establishes the policies and procedures for the Human Reliability Program in the DOE, including the NNSA. This document consolidates and supersedes two former programs, the Personnel Assurance Program and the Personnel Security Assurance Program.

DOE Order 452.2C, Nuclear Explosive Safety, addresses security regarding the safety of NNSA nuclear explosive operations.

5.6 Use Control

The term use control refers to the collection of measures that facilitate authorized use of nuclear weapons but protect against deliberate unauthorized use. These measures include a combination of weapon Figure 5.5 Nuclear Consent Switchdesign features and operational procedures.

Use control is achieved by designing weapon systems with electronic and mechanical features that prevent unauthorized use and allow authorized use. Figure 5.5 shows a nuclear consent switch, one of several use control features. Not all use control features are installed on every weapon system.

Weapons System Coded Control

Both strategic nuclear missile systems and strategic heavy bomber aircraft use system coded control. Intercontinental ballistic missile (ICBM) crews require an externally transmitted launch code in order to launch a missile. Similarly, SSBN crews require an externally transmitted authorization code to launch a submarine-launched ballistic missile (SLBM). Strategic bomber crews use a pre-arming circuit that also requires an externally transmitted authorization code to employ nuclear bombs or cruise missiles. The externally transmitted authorization code is received via nuclear control order or emergency action message (EAM).

Coded Control Device

A coded control device (CCD) is a use control component that may be a part of the overall weapons system coded control discussed above.

Command Disablement System

The command disablement system (CDS) allows for manual activation of the non-violent disablement of essential weapons components, which renders the warhead inoperable. The CDS may be internal or external to the weapon and requires human initiation. The CDS is not installed on all weapon systems.

Active Protection System

The active protection system (APS) senses attempts to gain unauthorized access to weapon-critical components. In response to unauthorized access, critical components are physically damaged or destroyed automatically. This system requires no human intervention for activation. It is not installed on all weapons systems.

Environmental Sensing Device

The environmental sensing device is a feature placed in the arming circuit of a weapon providing both safety and control. It prevents inadvertent functioning of the circuit until the weapon is launched or released and experiences environmental parameters specific to its particular delivery system. Accelerometers are commonly employed for this purpose.

Permissive Action Link Figure 5.6 Entering a Code into a Bomb

A permissive action link (PAL) is a device included in or attached to a nuclear weapon system in order to preclude arming and/or launching until the insertion of a prescribed, discrete code or combination. It may include equipment and cabling external to the weapon or weapon system that can activate components within the weapon or weapon system. Most modern U.S. PAL systems include a multiple-code coded switch (MCCS) component. Figure 5.6 shows an individual entering a PAL authorization code into a bomb.

5.61 The DoD Use Control Program

The DoD has broad responsibilities in the area of nuclear weapons use control. DoD Directive S-3150.7, Controlling the Use of Nuclear Weapons, establishes policies and responsibilities for controlling the use of nuclear weapons and nuclear weapons systems. It describes:

  • the president as the sole authority for employing U.S. nuclear weapons;
  • a layered approach to protecting weapons;
  • positive measures to prevent unauthorized access and use;
  • methods to counter threats and vulnerabilities; and
  • the legal and policy requirements to ensure presidential control while simultaneously facilitating authorized use in a timely manner.
5.6.2 The NNSA Use Control Program

Use control responsibilities of the NNSA include the design and testing of new use control features and their installation into the nuclear weapon. Additionally, the DOE National Weapons Laboratories provide technical support to reinforce DoD use control efforts. The NNSA Nuclear Explosive and Weapon Security and Control Program comprises an integrated system of devices, design techniques, and other methods to maintain control of nuclear explosives and nuclear weapons at all times. These use control measures allow use when authorized and directed by proper authority and protect against deliberate unauthorized use (DUU). Major elements of the program include the following:

  • use control measures for nuclear explosives and nuclear weapons, including design features that are incorporated and used at the earliest practical point during assembly and removed at the latest practical point during disassembly or dismantlement; and
  • measures to assist in the recapture or recovery of lost or stolen nuclear explosives or nuclear weapons.

The NNSA program includes the development, implementation, and maintenance of standards, plans, procedures, and other measures. These include the production of equipment designed to ensure the safety, security, and reliability of nuclear weapons and components in coordination with the DoD. The NNSA conducts research and development on a broad range of use control methods and devices for nuclear weapons. It assists the DoD in developing, implementing, and maintaining plans, procedures, and capabilities to store and move nuclear weapons. The NNSA also assists other departments in developing, implementing, and maintaining plans, procedures, and capabilities to recover lost, missing, or stolen nuclear weapons or components.


[1] The National Security Council and the Homeland Security Council were merged in 2009 to create the National Security Staff.

[2] As stated in DoD Directive 3150.06, U.S. Nuclear Command and Control System Support Staff, the Commander, United States Strategic Command (USSTRATCOM), is designated as the Director of the Nuclear Support Staff.


Top of Page