Order Code RL33847
Chemical Facility Security:
Regulation and Issues for Congress
January 31, 2007
Dana A. Shea
Specialist in Science and Technology Policy
Resources, Science, and Industry Division
Todd B. Tatelman
Legislative Attorney
American Law Division
Chemical Facility Security: Regulation and Issues for
Congress
Summary
The Department of Homeland Security (DHS) has proposed security regulations
for chemical facilities, implementing the statutory authority granted in the Homeland
Security Appropriations Act, 2007 (P.L. 109-295, Section 550). The proposed
regulations (71 Federal Register 78,276–78,332 (December 28, 2006)) require
chemical facilities possessing amounts and types of substances considered by the
DHS Secretary to be hazardous to notify DHS and undergo a consequence-based
screening process. The Secretary would then determine what chemical facilities are
high-risk, and thus need to comply with additional security requirements. The
proposed security requirements would be performance-based, rather than
prescriptive, and tiered, with facilities in higher tiers having more stringent
requirements than those in lower tiers.
High-risk chemical facilities will be required to create and submit to DHS a
vulnerability assessment; create and submit to DHS a site security plan, addressing
the vulnerability assessment and complying with the performance-based standards;
and implement the site security plan at the chemical facility. The DHS Secretary will
approve or disapprove each step in the process, requiring the chemical facility to
improve the facility submission or implementation in the case of disapproval.
The proposed security regulations also establish a new category of protected
information, Chemical-terrorism Security and Vulnerability Information (CVI),
granting it a status between sensitive but unclassified and classified information. The
Secretary maintains discretion over who will gain access to this information, how it
may be used, and what will comprise CVI. Additionally, the proposed security
regulations will preempt state and local chemical facility security regulations.
Key issues debated in previous Congresses are highlighted in the proposed
security regulations, even when the enacted authorizing statute remained mute on the
topic. These issues include what facilities should be considered as chemical
facilities; which chemical facilities should be considered as “high-risk” and thus
regulated; the scope of the risk-based performance standards for different tiers of
high-risk chemical facilities; the appropriateness of federal preemption of existing
state chemical facility security regulation; and the availability of information for
public comment, potential litigation, and congressional oversight. One key issue not
directly addressed by the regulation is the role of inherently safer technology in the
chemical security process.
Policymakers, as well as the general public, have the opportunity to comment
in support of or in opposition to the proposed regulation. After promulgation,
Congress might disapprove the rule, or attempt to influence implementation through
oversight or provisions in appropriations language. Since the statutory authority to
regulate chemical facilities expires in 2009, policymakers may wish to observe the
impact of the current regulations, determine their effectiveness and efficiency, and,
if necessary, address any perceived weaknesses at a later date by amending or
superseding them through additional legislation.
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Authority to Regulate Chemical Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Proposed Regulations Issued by the Department of Homeland Security . . . . . . . . 3
Key Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Scope of Regulated Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Inherently Safer Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Federal Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Information Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Expiration of Regulations and Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Policy Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Maintain Status Quo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Attempt to Influence Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Create New Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chemical Facility Security: Regulation and
Issues for Congress
Introduction
Chemical facility security has been an issue of congressional interest for many
years. First considered an environmental issue, the potential release of toxic
chemicals and the potential health impacts on surrounding areas became linked to
concerns over terrorism after the September 11, 2001 attacks on the Wold Trade
Center and the Pentagon. The passage of Section 550 of the Homeland Security
Appropriation Act, 2007 (P.L. 109-295) established statutory authority for the
Department of Homeland Security (DHS) to regulate select chemical facilities.1 How
DHS implements this authority will likely be an area of intense congressional
interest, given that chemical facility security legislation was introduced in each of the
previous four Congresses and that this new statutory authority expires in three years.2
Chemical facility security authority had been called for by both the Executive
and Legislative branches for many years, but disagreements about how chemical
facilities should be regulated impeded consensus. The potential for injuries and
fatalities following an attack on a chemical facility, as well the value of the chemical
sector to the national economy, led many security experts to suggest that chemical
facilities were high-value targets for terrorists. Chemical facilities were considered
a key component to securing the nation’s critical infrastructure. The passage of P.L.
109-295 provided DHS with chemical facility security authority, but the
implementation of this authority, the effectiveness of promulgated regulations, and
the increase in homeland security are all yet to occur.
This report will describe the statutory authority granted to DHS and the
regulations proposed by DHS, and will identify select issues of contention related to
the proposed regulations. Finally, this report will discuss several possible policy
options for Congress.
1 Department of Homeland Security Appropriations Act, 2007, P.L. 109-295 § 550, 120 Stat.
1355 (20006) [hereinafter DHS Appropriations Act]. See also 71 Federal Register
78,276–78,332 (December 28, 2006).
2 See CRS Report RL31530, Chemical Facility Security, by Linda-Jo Schierow (providing
background on the need for additional security measures, security enhancement options, and
legislation in the 109th Congress).
CRS-2
Authority to Regulate Chemical Facilities
The Homeland Security Appropriations Act, 2007 (P.L. 109-295), Section 550
provides statutory authority to DHS to regulate, for security purposes, chemical
facilities. The Secretary of Homeland Security is directed to issue interim final
regulations establishing risk-based performance standards for chemical facility
security and, requiring the development of vulnerability assessments and the
development and implementation of site security plans.3 These regulations are to
apply only to those chemical facilities that the Secretary determines present high
levels of security risk.4 The regulations are to allow regulated entities to employ
combinations of security measures to meet the risk-based performance standards.
Under the law, the Secretary must review and approve the required assessment,
plan, and implementation for each facility. The Secretary is prohibited from
disapproving a site security plan on the basis of the presence or absence of a
particular security measure, but may disapprove a site security plan that does not
meet the risk-based performance standards. The Secretary may approve vulnerability
assessments and site security plans developed through security programs not created
by DHS, so long as the results of these programs meet the risk-based performance
standards laid out in regulation.
All information developed for these regulations is to be protected from public
disclosure, but may be shared, at the Secretary’s discretion, with state and local
government officials, including law enforcement officials and first responders
possessing the necessary security clearances. Any information shared may not be
publicly disclosed pursuant to state or local law. Additionally, the information
provided to the Secretary, along with related vulnerability information, is to be
treated as classified information in all judicial and administrative proceedings.
Violation of the information protection provision is punishable by fine.
The Secretary must audit and inspect chemical facilities and determine
regulatory compliance. If the Secretary finds a facility not in compliance, the
Secretary shall write to the facility explaining the deficiencies found, provide an
opportunity for the facility to consult with the Secretary, and issue an order to comply
by a date determined by the Secretary. If the facility continues to be out of
compliance, the Secretary may fine and, eventually, order the facility to close.
There is no right for anyone, except the Secretary of DHS, to bring a lawsuit
against a facility owner to enforce provisions of the law. The law does not affect any
other federal law regulating chemicals in commerce. The statute contains a “sunset
3 These interim final regulations must be issued within six months of the date of enactment
of P.L. 109-295. The statutory deadline for the interim final regulations is April 4, 2007.
4 Some facilities are exempt from these regulations. They are facilities defined as a water
system or a wastewater treatment works; facilities owned or operated by the Department of
Defense or Department of Energy; facilities regulated by the Nuclear Regulatory
Commission; and those facilities regulated under the Maritime Transportation Security Act
of 2002 (P.L. 107-295).
CRS-3
provision” and, thus, expires three years from the date of enactment, which was
October 4, 2006.
Proposed Regulations Issued by the Department of
Homeland Security
On December 28, 2006, the Department of Homeland Security issued an
advance notice of rulemaking regarding chemical facility security.5 Proposed
regulatory language implementing P.L. 109-295 was introduced and comments
requested from stakeholders and the public by February 7, 2007. The proposed
regulation implements both statutory authority explicit in P.L. 109-295 and
authorities DHS found to be implicitly granted.
The proposed regulations state that the Secretary of DHS will select from the
universe of all facilities that possess, or plan to possess at any relevant point in time,
a quantity of chemical substance determined by the Secretary to be potentially
dangerous, a smaller set of chemical facilities deemed as presenting a high level of
security risk.6 As such, chemical facilities with greater than specified quantities of
potentially dangerous chemicals will be required to submit information to DHS, so
that DHS can determine the facility’s risk status.
Those facilities identified by DHS as high risk will have additional
responsibilities. The DHS will establish a series of risk-based tiers with different
performance-based requirements for facilities assigned to each tier. All high-risk
facilities must assess their vulnerabilities, using methodology accepted by DHS;
develop an effective security plan; submit these documents to DHS; and implement
the security plan. Vulnerability assessments and site security plans developed
through alternative security programs will be accepted so long as they meet the
tiered, performance-based requirements of the regulation. In turn, DHS will approve
or disapprove the vulnerability assessments, the site security plans, and their
implementation through audit and inspection. The DHS will provide certification of
the facility’s compliance status.7
The vulnerability assessment will serve two purposes under the regulation. One
is to determine or confirm the placement of the facility in a risk-based tier. The other
is to provide a basis against which to compare the site security plan activities. The
vulnerability assessment required by DHS will include the following components:
5 71 Federal Register 78,276–78,332 (December 28, 2006).
6 This initial screening of chemical facilities will be done on the basis of potential
consequence, rather than risk. 71 Federal Register 78,276–78,332 (December 28, 2006) at
78,302.
7 Audit inspections may be conducted by third-party auditors. It is unclear whether
compliance with the regulation would reduce the risk status of the chemical facility, since
the vulnerability of the facility would presumably decrease and vulnerability is a factor used
to determine risk status.
CRS-4
asset characterization, threat assessment, vulnerability analysis, risk assessment, and
countermeasures analysis.8
The site security plans must address the vulnerability assessment by describing
how activities in the plan relate to facility vulnerabilities. Additionally, the site
security plan must address preparations for and deterrents against specific modes of
potential terrorist attack, as applicable. These modes of attack may include vehicle-
borne improvised explosive device; water-borne explosive device; ground assault;
or other modes of potential attack identified by DHS.9 The site security plans must
also address how the activities taken by the facility meet the risk-based performance
standards provided by DHS.
All vulnerability assessments and site security plans are to be submitted to DHS
for approval. The Secretary may disapprove of those assessments or plans that fail
to meet DHS standards, but not on the basis of the presence or absence of a specific
measure. In the case of disapproval, DHS must, in writing, identify those areas of the
assessment and plan that need improvement. Chemical facilities may appeal
disapprovals to DHS.
The information generated under this regulation, as well as any information that
the Secretary determines needs to be protected, will be labeled “Chemical-terrorism
Security and Vulnerability Information” (CVI), a new category of security-related
information. According to its proposal, DHS will have sole discretion regarding who
will be eligible to receive CVI.10
The proposed federal regulation will preempt state and local regulation where
state and local regulation “conflicts with, hinders, poses an obstacle to or frustrates
the purposes of” the federal regulation.11 Specifically, since the statute underlying
the federal regulation prohibits DHS from requiring the presence or absence of a
particular security measure, DHS asserts that state and local regulations that require
the presence or absence of a particular security measure will be preempted.12 States,
localities, or affected companies may request a decision from DHS regarding
potential conflict between extant regulation and the federal regulation.
The proposed interim regulations establish penalties for the disclosure of CVI
information or lack of compliance, as well as processes for appeal by chemical
facilities of DHS actions. If a facility remains out of compliance with these
regulations, DHS may order its closure, after other penalties, such as fines, have been
levied.
8 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,296.
9 Id. at 78,297.
10 Audit inspections may be conducted by third-party auditors. It is unclear what criteria
might be established for the certification of such third-party auditors, who would need to
have access to CVI for those facilities being audited.
11 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,302.
12 Id. at 78,292-78,293.
CRS-5
Key Issues
Chemical facility security was the focus of several congressional hearings and
policy debates surrounding proposed legislation in the 109th Congress, legislation
reported by the House Homeland Security Committee and the Senate Committee on
Homeland Security and Governmental Affairs. Some, but not all, of the topics that
were considered contentious were addressed by P.L. 109-295. This section will
discuss several of these topics in light of the enacted provisions: the scope of the
regulated facilities, inherently safer technology, federal preemption, and the
protection of information.
Scope of Regulated Facilities
The universe of regulated facilities is not specified in P.L. 109-295 and thus
remains potentially an issue of policy debate. Under the proposed regulation,
chemical facilities
shall mean any facility that possesses or plans to possess, at any relevant point
in time, a quantity of a chemical substance determined by the Secretary to be
potentially dangerous or that meets other risk-related criterion identified by the
Department.13
Regulated facilities are a subset of the chemical facility universe, including any
facility that
in the discretion of the Secretary of Homeland Security, presents a high risk of
significant adverse consequences for human life or health, national security
and/or critical economic assets if subjected to terrorist attack, compromise,
infiltration, or exploitation.14
The chemical substances determined by the Secretary to be potentially dangerous
were not reported with the regulation. Instead, the preamble states,
The Department may draw on many sources of available information, including
existing Federal data and lists addressing particularly hazardous chemicals and
particular chemical facilities. Such lists include the [Environmental Protection
Agency’s Risk Management Program] list ...; the schedule of chemicals from the
Convention on the Development, Production, Stockpiling and Use of Chemical
Weapons and Their Destruction, also known as the Chemical Weapons
Convention or CWC ...; the hazardous materials listed in Department of
Transportation’s Hazardous Materials Regulations (see e.g. 49 CFR 172.101);
and the [Transportation Security Administration’s] Select Hazardous Materials
List. The Department may also seek and analyze information from many other
sources, including from experts in the industry, from state or local governments
or directly from facilities that may qualify as high-risk.15
13 Id. at 78,294.
14 Id.
15 Id. at 78,281-78,282.
CRS-6
Depending on what chemical substances the DHS Secretary determines are
potentially dangerous, the universe of chemical facilities may be small or large.16
While many, if not most, of these facilities will not be high-risk, DHS will require
all of these chemical facilities to complete a consequence-based screening
questionnaire to determine their risk category.17 The DHS will treat facilities not
completing such a questionnaire as presumptively high-risk.18 Such an approach may
tax DHS resources, as well as negatively impact small businesses, especially during
the initial screening process. Additionally, depending on how DHS publicizes
chemical substance and quantity requirements, chemical facilities may not know
whether they are required to report under this proposed regulation.
Inherently Safer Technology
Considerable congressional debate on chemical facility security revolved around
the issue of inherently safer technology. During this debate, the application of
inherently safer technology as a risk-reducing security measure was generally
supported by environmental groups and opposed by industry groups. Environmental
groups proposed that reducing the inherent consequences from a release at a chemical
facility would increase its security, as the incentive to attack such a lower-
consequence facility would be reduced. Industry groups argued that chemical
substance and technology changes were business and safety concerns, not related to
security issues, and best left to the discretion of the chemical facility, rather than the
federal government.
Both the statute and the regulation are silent on the issue of inherently safer
technology. Neither recommend nor prohibit the use of inherently safer technology
as a security method, assuming that it contributes to meeting the risk-based
performance standards put forth by DHS. The risk-based performance standards
appear more focused on hardening facilities than on consequence mitigation
techniques. Alternatively, use of inherently safer technology may reduce the quantity
or type of chemical stored on site, possibly removing the chemical facility from
regulation. Both the statute and the regulation, in establishing risk-based
performance standards, expressly deny requiring any specific security measure from
chemical facilities.
16 For example, the list of hazardous materials in the Department of Transportation's
Hazardous Materials Regulations (49 CFR 172.101) is roughly 160 pages long. Also, the
universe of the Environmental Protection Agency’s Risk Management Program, a program
based on one of the lists cited in the preamble, is approximately 15,000 facilities. Some of
these facilities would fall within the statutory exemptions to chemical security regulation.
17 In 2005, DHS testified that approximately 3,400 chemical facilities were considered high-
risk, having the ability impacting 1,000 or more people. Testimony of Robert B. Stephan,
Assistant Secretary for Infrastructure Protection, Department of Homeland Security, before
the Senate Committee on Homeland Security and Governmental Affairs on June 15, 2005.
The use of a consequence threshold, as is proposed in the initial screening procedure, would
likely capture all high-risk facilities if the threshold was set at a low level. That tactic might
also capture many non-high-risk facilities.
18 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,282.
CRS-7
Federal Preemption
Another area of congressional debate was whether federal chemical facility
security legislation should expressly preempt such activities on the state level.
Several states have begun to enact security regulations for chemical facilities.19
Supporters of express federal preemption assert that a patchwork of state regulation
provides a competitive disadvantage to companies on a state-by-state basis and may
lead to uneven security efforts. Opponents of express federal preemption claim that
federal security regulation should set a floor, rather than a ceiling, for security efforts;
individual states should, in their opinion, be allowed to require additional security
measures, so long as the federal standard is surpassed.
The statute was silent with respect to preemption, but the proposed regulation
is not. The DHS asserts that statutory limits placed on the form of the federal
regulation should be met by any state regulation. Specifically, according to DHS, the
balance struck by P.L. 109-295 between DHS security requirements and a facility’s
flexibility to choose specific security measures must be preserved. The preamble to
the rule provides, “A state measure frustrating this balance will be preempted.”20
According to the statute, “the Secretary may not disapprove a Site Security Plan
submitted under this section based on the presence or absence of a particular security
measure.”21 The federal chemical facility security regulation thus does not require
the application or use of any particular security measure. The proposed interim rule
then seems to imply that any state regulation that does require a specific security
measure would be preempted, because it “conflicts with, hinders, poses an obstacle
to or frustrates the purposes of these regulations or of any approval, disapproval or
order issued thereunder.” 22 If this proposed language is retained in the interim final
rule, it seems likely that any existing prescriptive state regulations, such as those in
New Jersey, would be preempted by the performance-based federal regulation.23
19 New Jersey, arguably the state with the most stringent chemical security regulations,
requires the consideration of inherently safer technology as a component of a facility’s
security plan.
20 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,293.
21 DHS Appropriations Act, supra note 1 at § 550(a).
22 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,302.
23 For a legal analysis of preemption and a discussion of DHS’s authority to preempt state
law by administrative action, see Legal Analysis of the Preemption Provisions in the Recent
Department of Homeland Security's Chemical Facility Security Advance Notice of
Rulemaking, Cong. Dist. Memo., by Todd B. Tatelman (January 23, 2007) (available from
authors upon request).
CRS-8
Information Availability
Another issue that generated considerable congressional interest and debate was
how, and to what extent, the information created by chemical facilities and submitted
to DHS is to be protected from disclosure to the public, industry competitors, and
potential bad actors. The Freedom of Information Act (FOIA), which generally
applies to records held by agencies of the executive branch of the federal
government, regulates the disclosure of government information.24 The FOIA
requires agencies to publish in the Federal Register certain records, and to make
other records available for public inspection and copying.25
While the FOIA contains three specific law enforcement related exclusions and
nine exemptions that permit the withholding of certain government-held information,
it has been the prevailing view since September 11, 2001, that separate federal
statutes prohibiting the disclosure of certain types of information, and authorizing its
withholding under the FOIA, are necessary. As a result, several security-related
information protection statutes have been adopted by Congress and implemented by
the government. Of specific relevance to chemical facilities is the protection regime
known as “Sensitive Security Information” (SSI), currently used by the
Transportation Security Administration in enforcing the Maritime Transportation
Security Act of 2002 (MTSA).26
Section 550(c) of P.L. 109-295 contains two specific mandates regarding
information protection. The first mandate requires that
information developed under this section, including vulnerability assessments,
site security plans, and other security related information, records, and
documents shall be given protections from public disclosure consistent with
similar information developed by chemical facilities subject to regulation under
[MTSA].27
The reference to MTSA is considered to be a reference to SSI, which is the
information protection regime developed and administered by the Transportation
Security Administration, and applicable to maritime facilities regulated under MTSA.
The DHS’s proposed chemical facility security regulations expressly recognize
the reference to SSI; however, instead of amending the existing SSI regulations to
include application to chemical facilities, DHS has proposed a new security-
information protection regime, “Chemical-Terrorism Security and Vulnerability
24 5 U.S.C. § 552 et seq. (2000).
25 See id. at § 552(a)(1)-(2).
26 While initially created for the Department of Transportation in 1974, SSI has been
significantly expanded by the Aviation Transportation Security Act of 2001 (ATSA), the
Homeland Security Act of 2002, and the Maritime Transportation Security Act of 2002. See
CRS Report RL33670, Protection of Security-Related Information, by Gina Marie Stevens
and Todd B. Tatelman (providing an in-depth discussion of the history, requirements, and
litigation that has developed under SSI).
27 DHS Appropriations Act, supra note 1 at § 550(c).
CRS-9
Information” (CVI). According to DHS, information classified as CVI is to receive
“a level of security not inconsistent with that provided to SSI. Yet the Department
believes that Section 550(c) provides it with broad discretion and maximum
flexibility to employ more rigorous standards to protect CVI from inappropriate
public disclosure as necessary.”28
The DHS’s proposed regulations provide that the following types of information
will constitute CVI: (1) vulnerability assessments; (2) site security plans; (3) any
documents developed relating to the Department’s review and approval of
vulnerability assessments and security plans; (4) alternate security plans; (5)
documents relating to inspection or audits; (6) any records required to be created or
retained under these regulations; (7) sensitive portions of orders, notices or letters
(8) information developed to determine the risk posed by chemical facilities, or to
determine which facilities are “high risk;” and (9) any other information that the
Secretary, in his discretion, determines warrants the protections set forth in this part.29
The proposed regulations state that “covered persons” must “[d]isclose, or
otherwise provide access to, CVI only to covered persons who have a need to know,
unless otherwise authorized in writing by the Secretary of DHS.”30 The term
“covered persons” is defined by the proposed rules as: persons who have access to
CVI; persons receiving CVI in the course of administrative proceedings or litigation;
and as persons who otherwise receive access to “what they know or reasonably
should know constitutes CVI.”31 Persons with the “need to know,” according to the
proposed rule, are categorized in 6 ways: (1) persons who require access to carry out
activities approved or sanctioned by DHS; (2) persons who require access to train for
DHS approved or sanctioned activities; (3) persons required to supervise, manage,
or otherwise oversee DHS approved or sanctioned activities; (4) persons who require
the information for the purposes of providing technical or legal advice; (5) persons
who are representing a covered person in either an administrative or judicial
proceeding; and (6) when DHS determines access is required in an administrative or
judicial proceeding.32
Also of note in the proposed regulations is the possibility that access to CVI may
be contingent upon completion of a background or other security check. The
proposed rule indicates that DHS may “make an individual’s access to the CVI
contingent upon satisfactory completion of a security background check or other
procedures or requirements for safeguarding CVI that are satisfactory to DHS.”33
Finally, the proposed regulations provide DHS with discretionary authority to further
limit access to CVI, even if persons otherwise meet the required qualifications. The
regulations state that “[f]or some specific CVI, DHS may make a finding that only
28 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,288.
29 Id. at 78,300.
30 Id.
31 Id.
32 Id. at 78,300–301.
33 Id. at 78,301.
CRS-10
specific persons or classes of persons have a need to know.”34 It is unclear from this
language in what circumstances, or by what standards, DHS will issue such findings.
The second mandate contained in P.L. 109-295 states that:
in any proceeding to enforce this section, vulnerability assessments, site security
plans, and other information submitted to or obtained by the Secretary under this
section, and related vulnerability or security information, shall be treated as if the
information were classified material.35
The terms “classified material” or “classified information” have been defined in
several different contexts. Congress has statutorily defined “classified material” as
“[a]ny information or material that has been determined by the United States
government pursuant to an Executive Order, statute, or regulation, to require
protection against authorized disclosure for reasons of national security....”36
Executive Orders have defined “classified information” as “information that ...
require[s] protection against unauthorized disclosure and is marked to indicate its
classified statutes when in documentary form.”37 In addition, according to Executive
Order, “classified information” may include anything that the original classifying
authority determines that “reasonably could be expected to result in damage to
national security, which include[s] defense against transnational terrorism, and the
original classification authority is able to identify and describe the damage.”38
As a result of this congressional mandate and the nature of the information at
issue, DHS has indicated that in administrative proceedings and litigation before
courts, CVI will only be disclosed under the narrowest of parameters consistent with
Executive Orders and other congressional enactments. In administrative proceedings,
DHS proposes that CVI only be disclosed at the Secretary’s sole discretion and only
when it “is necessary for the person to prepare a response to allegations contained in
a legal enforcement action document issued by DHS.”39 Even in such a
circumstance, DHS reserves the right to require the requesting person or entity to
undergo and satisfy a security background check before receiving the information.40
Similarly, in litigation arising out of enforcement actions, whether civil or
criminal, DHS has proposed a system of applicable procedures akin to those
contained in both the Classified Information Protection Act,41 and at 18 U.S.C. §
2339B. For example, DHS’s proposal would permit reviewing courts, after an
34 Id.
35 DHS Appropriations Act, supra note 1 at § 550(c).
36 Classified Information Procedures Act, P.L. 96-456, 94 Stat. 2025 (1980) (codified as
amended at 18 U.S.C. App. 3 §§ 1-16 (2000)) [hereinafter CIPA].
37 Exec. Order No. 12,958 § 6.1(h), 60 Fed. Reg. 19,825 (April 20, 1995).
38 Exec. Order No. 13,292 §1.1(a)(4), 68 Fed. Reg. 15,315 (March 28, 2003).
39 See 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,276 and 78,301.
40 Id.
41 See CIPA, supra note 36.
CRS-11
opportunity to independently view the documents, to authorize one of the following
as a substitute for CVI sought in discovery: (1) A redacted version of the CVI
documents; (2) a summary of the information contained in the CVI documents; or (3)
a statement admitting relevant facts that the CVI documents would tend to prove.
The DHS’s proposal also provides protections against the disclosure of CVI through
live witness testimony.42 Moreover, in the event that the Government objects to a
witness’s testimony, the regulations authorize the court to consider an ex parte
proffer by the Government on what the witness is likely to say as well as a proffer
from the defendant of the nature of the information sought.43 Further, DHS’s
proposal would permit the Department to immediately appeal if a court denies any
request related to the disclosure of CVI.44 Finally, DHS’s proposal expressly states
that no CVI will be provided in any civil litigation unrelated to the enforcement of
Section 550.45
Expiration of Regulations and Authority
The meaning of the expiration provision of P.L. 109-295 appears to be the
subject of some uncertainty. The statute specifically states that:
Interim regulations issued under this section shall apply until the effective date
of interim or final regulations promulgated under other laws that establish
requirements and standards referred to in subsection (a) and expressly supercede
this section. Provided, That the authority provided by this section shall terminate
three years after the date of enactment of this Act.46
In the preamble to DHS’s proposed regulations the Department suggests that
notwithstanding the plain text of the statute, should future funds be appropriated by
Congress, even in the absence of an authorizing statute, the regulations and the
authority to enforce them would continue as though sufficiently authorized.47
As a general rule, there is no specific statutory or other legal reguirement that
appropriations be preceded by specific authorizations. As a result, Congress may,
subject to possible procedural points of order,48 appropriate funds for programs that
exceed the scope and/or duration of a prior authorization. In instances where
42 See 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,301.
43 Id.
44 Id.
45 Id.
46 DHS Appropriations Act, supra note 1 at § 550(b).
47 See 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,276 and 78,281
(stating that “[i]f a future appropriations bill continued funding for the Section 550 program
beyond that period, the Department could consider that future funding for the program as
an extension of the ‘authority provided by this section.’”).
48 Rule XXI(2) of the Rules of the House of Representatives prohibits appropriations for
objects not previously authorized by law. A similar, but more limited, prohibition exists in
Rule XVI of the Standing Rules of the Senate. Each of these provisions must be raised via
a “point of order,” which may be overcome by a super-majority vote in each chamber.
CRS-12
Congress has opted for this type of action, the enacted appropriation has been
interpreted by the Comptroller General to, in effect, carry with it its own
authorization and, therefore, is to be available to the agency for obligation and
expenditure.49 In addition, the Comptroller General has also held that, as a general
proposition, the appropriation of funds for a program whose funding authorization
has expired, or is about to expire during the period of availability of the appropriation
(e.g., authorization expires during a fiscal year for which money has already been
appropriated), provides sufficient legal basis to continue a program during that period
of availability, even when expressed congressional intent appears to be contrary.50
Given these general rules, it would appear that should Congress appropriate funds to
DHS for the purpose of continuing to secure chemical facilities, even after the
expiration of the Section 550 authorization, sufficient legal authority would exist for
the regulations to remain in effect.
Policy Options
Reaction to the proposed regulation has been mixed. Some policymakers and
advocates have criticized the approach taken by DHS. Others have been supportive
of the proposed regulation. As written, the law anticipates further legislative activity
in this area. Policymakers may decide to wait and observe how the final interim
regulation is promulgated and implemented, attempt to influence DHS’s final
regulation or implementation, or legislate to alter or supersede the enacted legislation.
Maintain Status Quo
The authority to federally regulate chemical facility security is new. As such,
regulation in this area may need time to mature. Congress, when passing P.L. 109-
295, contemplated the eventual supersession of these regulations:
Interim regulations issued under this section shall apply until the effective date
of interim or final regulations promulgated under other laws that establish
requirements and standards referred to in subsection (a) and expressly supersede
this section: Provided, [t]hat the authority provided by this section shall
terminate three years after the date of enactment of this Act.51
Policymakers may view this regulatory authority, and thus these regulations, as a
stop-gap measure, providing a temporary solution to the perceived chemical security
problem, with the intent of allowing the security policy debate to further mature. In
this case, policymakers may decide to wait, allowing DHS to promulgate and
implement its proposed regulation before considering changes in chemical facility
security policy. This might more fully reveal the impacts of the current regulation.
49 See 67 Comp. Gen. 401 (1988).
50 See, e.g., 65 Comp. Gen. 524 (1986); 65 Comp. Gen. 318, 320-21 (1986); 55 Comp. Gen.
289 (1975).
51 DHS Appropriations Act, supra note 1 at § 550.
CRS-13
Attempt to Influence Implementation
The statutory language of P.L. 109-295, Section 550 grants significant discretion
to the DHS Secretary. The interpretation and application of this discretion by the
DHS Secretary, particularly in the areas of information protection and state
preemption, is the source of some of the criticisms levied against the proposed
regulations.52 While discretionary authority may be important to the effective and
efficient implementation of a regulatory structure, policymakers may believe that
execution of this discretionary authority has been counter to congressional intent.
Policymakers may decide to influence the manner in which the DHS Secretary’s
discretion is applied.
The DHS has requested public comment from interested parties on questions,
issues, and the proposed regulatory language.53 As such, the comments of
policymakers, advocates and interested parties may influence the form and language
of the interim final regulation. Through providing comments to the docket,
policymakers may express support for and criticism of the proposed regulations and
possible policy solutions to perceived regulatory problems. The docket for the
proposed regulation closes on February 7, 2007, and the interim final regulation is
projected to be promulgated in April 2007.
Once the interim final regulation is promulgated, policymakers may conclude
they are dissatisfied with the form of the final regulations. If this is the case,
policymakers could act to more explicitly describe and limit the discretionary scope
granted to the DHS Secretary. They may influence the regulations’ implementation
through the congressional oversight process by clarifying congressional intent,
through hearings on the regulation’s implementation, or through language added to
DHS appropriations legislation.
Another option would be for Congress to invoke the Congressional Review Act
(CRA).54 The CRA establishes an expedited mechanism by which Congress can
review and disapprove final federal agency rules.55 Since its enactment, however, the
CRA has been successfully used only once. If the final rule is successfully
disapproved under the CRA, DHS would be prohibited from promulgating a similar
rule absent an express authorization from Congress.
52 John Heilprin, “Chemical Plants to Submit Security Plans,” Associated Press, December
22, 2006; Greg Gordon, “New Rules Aim to Protect Chemical Plants from Terrorists,” San
Jose Mercury News, December 22, 2006.
53 71 Federal Register 78,276–78,332 (December 28, 2006) at 78,277. An electronic docket
for this proposed regulation is established at [http://www.regulations.gov] under docket
identifications number DHS-2006-0073. Electronic comments may be submitted before
February 7, 2007 or generally read under this docket number.
54 Small Business Regulatory Enforcement Fairness Act of 1996, P.L. 104-121.
55 See CRS Report RL31160, Disapproval of Regulations by Congress: Procedure Under
the Congressional Review Act, by Richard S. Beth.
CRS-14
Create New Legislation
Policymakers may decide that additional legislation is necessary in the chemical
facility security area. Such legislation could be targeted in nature, attempting to
remedy perceived flaws by slightly altering the existing authorities granted to DHS,
or more comprehensive. A more comprehensive approach may occasion substantive
changes in the existing authorities and thus extensive revision of any chemical
facility security regulation.
Policymakers may ultimately decide that the regulatory structure proposed by
DHS does not satisfy homeland security needs or will prove too onerous to industry
and opt to enact new chemical facility legislation. Such legislation might expand the
reach of the proposed regulatory structure, for example, by mandating the inclusion
of particular chemical substances as potentially dangerous; restrict the proposed
regulations, for example, by lowering regulatory burdens or requirements on small
businesses; or direct the agency to include or exclude particular components from its
regulations.
Developing new legislation, or changing existing legislation, to change DHS
regulation may bring additional costs, especially to facilities that have already come
into compliance. If new regulations, established under new or amended authority,
present new requirements for chemical facilities, security efforts enacted under the
original regulation may not be entirely applicable. Chemical facilities may be
required to invest in additional security measures to meet these new requirements,
potentially incurring further cost. When considering whether to enact new legislation
or amend existing law, policymakers may opt to consider methods to mitigate
additional costs to chemical facilities that have already complied with the proposed
regulation. Considering the initial statute had a three-year sunset provision, Congress
may have intended that future legislation build upon P.L. 109-295, Section 550, so
that future regulations would be harmonized with the interim final regulations
initially promulgated.