Order Code RL33847
Chemical Facility Security:
Regulation and Issues for Congress
Updated June 21, 2007
Dana A. Shea
Specialist in Science and Technology Policy
Resources, Science, and Industry Division
Todd B. Tatelman
Legislative Attorney
American Law Division
Chemical Facility Security: Regulation and Issues for
Congress
Summary
On April 9, 2007, the Department of Homeland Security (DHS) issued an
interim final rule (72 Federal Register 17688-17745 (April 9, 2007)) on chemical
facility security, implementing the statutory authority granted in the Homeland
Security Appropriations Act, 2007 (P.L. 109-295, Section 550). The regulations
require chemical facilities possessing amounts and types of substances considered by
the DHS Secretary to be hazardous to notify DHS and undergo a consequence-based
screening process. The Secretary then determines which chemical facilities are high-
risk, and thus need to comply with additional security requirements. High-risk
facilities are to be categorized into tiers based on risk, and those with higher risk
must comply with more stringent, performance-based security requirements.
Under the interim final rule, high-risk chemical facilities are required to create
and submit to DHS a vulnerability assessment; create and submit to DHS a site
security plan, addressing the vulnerability assessment and complying with the
performance-based standards; and implement the site security plan at the chemical
facility. The DHS Secretary is to approve or disapprove each step in the process, and
may require the chemical facility to improve the submission or implementation.
The interim final rule establishes a new category of protected information,
Chemical-terrorism Vulnerability Information (CVI), granting it a status between
sensitive but unclassified and classified information. The Secretary maintains
discretion over who will gain access to this information, how it may be used, and
what will comprise CVI. Additionally, the interim final rule may preempt future
state and local chemical facility security regulations.
Key issues debated in previous Congresses are highlighted in the issued security
regulations, even where the enacted authorizing statute remained mute on the topic.
These issues include what facilities should be considered as chemical facilities;
which chemical facilities should be considered as “high-risk” and thus regulated; the
scope of the risk-based performance standards for different tiers of high-risk
chemical facilities; the appropriateness of federal preemption of existing state
chemical facility security regulation; and the availability of information for public
comment, potential litigation, and congressional oversight. One key issue not
directly addressed by the regulation is the role of inherently safer technology in the
chemical security process.
Congress may take further action. Since the statutory authority to regulate
chemical facilities expires in 2009, policymakers may choose to observe the impact
of the current regulations and, if necessary, address any perceived weaknesses at a
later date. Congress might disapprove the interim final rule or attempt to influence
its implementation through oversight or provisions in appropriations language.
Alternatively, Congress may decide that additional legislation is required. Three
authorizing bills (H.R. 1530, H.R. 1574, and H.R. 1633) on chemical facility security
have been introduced in the House, and chemical facility security language has been
attached to appropriations bills (H.R. 2638 and S. 1644).
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Authority to Regulate Chemical Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Regulations Issued by the Department of Homeland Security . . . . . . . . . . . . . . . . 3
Key Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Scope of Regulated Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Inherently Safer Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Federal Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Information Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Expiration of Regulations and Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Policy Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Maintain Status Quo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Attempt to Influence Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Legislative Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Legislation in the 110th Congress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chemical Facility Security: Regulation and
Issues for Congress
Introduction
Chemical facility security has been an issue of congressional interest for many
years. First considered an environmental issue, the potential for release of toxic
chemicals and the associated potential health impacts on surrounding areas became
linked to concerns over terrorism after the September 11, 2001 attacks. The passage
of Section 550 of the Homeland Security Appropriation Act, 2007 (P.L. 109-295)
established statutory authority for the Department of Homeland Security (DHS) to
regulate security at select chemical facilities.1 How DHS implements this authority
will likely be an area of intense congressional interest, given that chemical facility
security legislation was introduced in each of the previous four Congresses and that
this new statutory authority expires three years after enactment.2
Chemical facility security authority had been called for by both the Executive
and Legislative branches for many years, but disagreements about how chemical
facilities should be regulated impeded consensus. The potential for injuries and
fatalities following an attack on a chemical facility, as well the value of the chemical
sector to the national economy, led many security experts to suggest that chemical
facilities are high-value targets for terrorists. Securing chemical facilities is
considered a key component of protecting the nation’s critical infrastructure.
Enactment of P.L. 109-295 and promulgation of the interim final rule were seen as
important steps in securing chemical facilities; however, any increase in homeland
security will depend on their effective implementation.
This report describes the statutory authority granted to DHS and the interim final
rule promulgated by DHS, and identifies select issues of contention related to the
interim final rule. Finally, this report discusses several possible policy options for
Congress.
1 Department of Homeland Security Appropriations Act, 2007, P.L. 109-295 § 550, 120 Stat.
1355 (2006) [hereinafter DHS Appropriations Act]. See also 71 Federal Register 78276-
78332 (December 28, 2006) and 72 Federal Register 17688-17745 (April 9, 2007).
2 See CRS Report RL31530, Chemical Facility Security, by Linda-Jo Schierow (providing
background on the need for additional security measures, security enhancement options, and
legislation in the 109th Congress).
CRS-2
Authority to Regulate Chemical Facilities
The Homeland Security Appropriations Act, 2007 (P.L. 109-295), Section 550
provides statutory authority to DHS to regulate chemical facilities for security
purposes. The Secretary of Homeland Security is directed to issue interim final
regulations establishing risk-based performance standards for chemical facility
security, and requiring the development of vulnerability assessments and the
development and implementation of site security plans.3 These regulations are to
apply only to those chemical facilities that the Secretary determines present high
levels of security risk.4 The regulations are to allow regulated entities to employ
combinations of security measures to meet the risk-based performance standards.5
Under the law, the Secretary must review and approve the required assessment,
plan, and implementation for each facility. The Secretary is prohibited from
disapproving a site security plan on the basis of the presence or absence of a
particular security measure, but may disapprove a site security plan that does not
meet the risk-based performance standards. The Secretary may approve vulnerability
assessments and site security plans developed through security programs not created
by DHS, so long as the results of these programs meet the risk-based performance
standards laid out in regulation.
All information developed for these regulations is to be protected from public
disclosure, but may be shared, at the Secretary’s discretion, with state and local
government officials, including law enforcement officials and first responders
possessing the necessary security clearances. Such shared information may not be
publicly disclosed regardless of state or local laws. Additionally, the information
provided to the Secretary, along with related vulnerability information, is to be
treated as classified information in all judicial and administrative proceedings.
Violation of the information protection provision is punishable by fine.
3 These interim final regulations must be issued within six months of the date of enactment
of P.L. 109-295. The statutory deadline for the interim final regulations was April 4, 2007.
4 Some facilities are exempt from these regulations. They are facilities defined as a water
system or a wastewater treatment works; facilities owned or operated by the Department of
Defense or Department of Energy; facilities regulated by the Nuclear Regulatory
Commission; and those facilities regulated under the Maritime Transportation Security Act
of 2002 (P.L. 107-295).
5 According to the Office of Management and Budget, a performance standard is “a standard
as defined above that states requirements in terms of required results with criteria for
verifying compliance but without stating the methods for achieving required results. A
performance standard may define the functional requirements for the item, operational
requirements, and/or interface and interchangeability characteristics. A performance
standard may be viewed in juxtaposition to a prescriptive standard which may specify design
requirements, such as materials to be used, how a requirement is to be achieved, or how an
item is to be fabricated or constructed.” Office of Management and Budget, “Federal
Participation in the Development and Use of Voluntary Consensus Standards and in
Conformity Assessment Activities,” Circular A-119, February 10, 1998.
CRS-3
The Secretary must audit and inspect chemical facilities and determine
regulatory compliance. If the Secretary finds a facility not in compliance, the
Secretary shall write to the facility explaining the deficiencies found, provide an
opportunity for the facility to consult with the Secretary, and issue an order to comply
by a date determined by the Secretary. If the facility continues to be out of
compliance, the Secretary may fine and, eventually, order the facility to close.
There is no right for anyone, except the Secretary of DHS, to bring a lawsuit
against a facility owner to enforce provisions of the law. The law does not affect any
other federal law regulating chemicals in commerce. The statute contains a “sunset
provision” and, thus, expires on October 4, 2009, three years from the date of
enactment.
Regulations Issued by the Department of Homeland
Security
On April 9, 2007, the Department of Homeland Security issued an interim final
rule regarding chemical facility security.6 This interim final rule, implementing P.L.
109-295, entered into force on June 8, 2007. The interim final rule implements both
statutory authority explicit in P.L. 109-295 and authorities DHS found to be
implicitly granted.
The interim final rule states that the Secretary of DHS will select from the
universe of all facilities that possess, or plan to possess at any relevant point in time,
a quantity of chemical substance determined by the Secretary to be potentially
dangerous, a smaller set of chemical facilities deemed as presenting a high level of
security risk.7 As such, chemical facilities with greater than specified quantities of
potentially dangerous chemicals will be required to submit information to DHS, so
that DHS can determine the facility’s risk status.
The DHS is to establish a series of risk-based tiers with different performance-
based requirements for facilities assigned to each tier. Those facilities identified by
DHS as high risk will have additional responsibilities. All high-risk facilities must
assess their vulnerabilities, using methodology accepted by DHS; develop an
effective security plan; submit these documents to DHS; and implement the security
plan. Vulnerability assessments and site security plans developed through alternative
security programs will be accepted so long as they meet the tiered, performance-
based requirements of the interim final rule. In turn, DHS will approve or disapprove
the vulnerability assessments, the site security plans, and their implementation
6 72 Federal Register 17688-17745 (April 9, 2007). This interim final rule followed the
release of an advanced notice of rulemaking. See 71 Federal Register 78276-78332
(December 28, 2006).
7 This initial screening of chemical facilities will be done on the basis of potential
consequence, rather than risk. 72 Federal Register 17688-17745 (April 9, 2007) at 17700.
CRS-4
through audit and inspection. The DHS will provide certification of the facility’s
compliance status.8
The vulnerability assessment will serve two purposes under the interim final
rule. One is to determine or confirm the placement of the facility in a risk-based tier.
The other is to provide a basis against which to compare the site security plan
activities. The vulnerability assessment required by DHS will include the following
components: asset characterization, threat assessment, security vulnerability analysis,
risk assessment, and countermeasures analysis.9
The site security plans must address the vulnerability assessment by describing
how activities in the plan relate to facility vulnerabilities. Additionally, the site
security plan must address preparations for and deterrents against specific modes of
potential terrorist attack, as applicable. These modes of attack may include vehicle-
borne improvised explosive device; water-borne explosive device; ground assault;
or other modes of potential attack identified by DHS.10 The site security plans must
also address how the activities taken by the facility meet the risk-based performance
standards provided by DHS.
All vulnerability assessments and site security plans are to be submitted to DHS
for approval. The Secretary may disapprove of those assessments or plans that fail
to meet DHS standards, but not on the basis of the presence or absence of a specific
measure. In the case of disapproval, DHS must, in writing, identify those areas of the
assessment and plan that need improvement. Chemical facilities may appeal
disapprovals to DHS.
The information generated under this interim final rule, as well as any
information developed for chemical facility security purposes that the Secretary
determines needs to be protected, will be labeled “Chemical-terrorism Vulnerability
Information” (CVI), a new category of security-related information. According to the
interim final rule, DHS will have sole discretion regarding who will be eligible to
receive CVI.11
The interim final rule will preempt state and local regulation where state and
local regulation “conflicts with, hinders, poses an obstacle to or frustrates the
purposes of” the federal regulation.12 States, localities, or affected companies may
8 Audit inspections may be conducted by third-party auditors. It is unclear whether
compliance with the regulation would reduce the risk status of the chemical facility, since
regulatory compliance would presumably decrease the vulnerability of the facility and
vulnerability is a factor used to determine risk status. The DHS plans to issue a future
rulemaking regarding the use of third-party auditing. 72 Federal Register 17688-17745
(April 9, 2007) at 17712.
9 72 Federal Register 17688-17745 (April 9, 2007) at 17732.
10 Id. at 17732.
11 Id. at 17738.
12 Id. at 17739.
CRS-5
request a decision from DHS regarding potential conflict between extant regulation
and the federal regulation.
The interim final rule establishes penalties for the disclosure of CVI information
or lack of compliance, as well as processes for appeal by chemical facilities of DHS
actions. If a facility remains out of compliance with this interim final rule, DHS may
order its closure, after other penalties, such as fines, have been levied.
Key Issues
Chemical facility security was the focus of several congressional hearings and
policy debates surrounding proposed legislation in the 109th Congress, legislation
reported by the House Homeland Security Committee and the Senate Committee on
Homeland Security and Governmental Affairs. Some, but not all, of the topics that
were considered contentious were addressed by P.L. 109-295. This section will
discuss several of these topics in light of the enacted provisions: the scope of the
regulated facilities, inherently safer technology, federal preemption, and the
protection of information.
Scope of Regulated Facilities
The universe of regulated facilities is not specified in P.L. 109-295 and thus
remains potentially an issue of policy debate. Under the interim final rule, chemical
facilities
shall mean any establishment that possesses or plans to possess, at any relevant
point in time, a quantity of a chemical substance determined by the Secretary to
be potentially dangerous or that meets other risk-related criteria identified by the
Department.13
Regulated, or covered, facilities are a subset of the chemical facility universe,
including any chemical facility that “presents a high risk of significant adverse
consequences for human life or health, national security and/or critical economic
assets if subjected to terrorist attack, compromise, infiltration, or exploitation.”14
The chemical substances determined by the Secretary to be potentially
dangerous were reported with the interim final rule. This list, promulgated as
Appendix A, is not final. The DHS sought public comment on the chemical list, and
additional rulemaking is to finalize this list. The current list incorporates chemicals
from the Environmental Protection Agency’s Risk Management Program list, the
Chemical Weapons Convention schedules, and the Department of Transportation’s
list of hazardous materials. The list specifies the amount of each chemical that
triggers the reporting requirement. For some chemicals, possession of any amount
of the chemical would trigger the reporting requirement.
13 Id. at 17730.
14 Id.
CRS-6
Depending on what chemical substances the DHS Secretary determines are
potentially dangerous, the initial universe of screened chemical facilities may be
small or large.15 While many, if not most, of these facilities would not be high-risk,
DHS will require all of these chemical facilities to complete a consequence-based
screening questionnaire to determine their risk category.16 The DHS will treat
facilities not completing such a questionnaire as presumptively high-risk.17 Such an
approach may tax DHS resources, as well as negatively impact small businesses,
especially during the initial screening process. Retail propane dealers, for example,
have asserted that they would be adversely affected by the proposed threshold.18
Since the reporting requirement depends on the amount of chemical of interest held
at a chemical facility, not the amount of chemical of interest in a particular storage
vessel, facilities that have large numbers of small containers of a chemical of interest
may be required to report. Some universities and colleges, not typically considered
as a chemical facility, have asserted that, because of the low threshold for some
chemicals of interest, they are likely to have to report to DHS as a chemical facility.19
Additionally, depending on how DHS publicizes chemical substance and quantity
requirements, chemical facilities may not know whether they are required to report
under the interim final rule.
The Department estimates that between 1,500 and 6,500 facilities will be
covered by risk-based performance measure requirements. Such facilities would
have completed the initial screening process and been categorized as falling within
one of the four regulated risk tiers.20
15 For example, the list of hazardous materials in the Department of Transportation’s
Hazardous Materials Regulations (49 CFR 172.101) is roughly 160 pages long. Also, the
universe of the Environmental Protection Agency’s Risk Management Program, a program
based on one of the lists cited in the preamble, is approximately 15,000 facilities. Some of
these facilities would fall within the statutory exemptions to chemical security regulation,
such as water or wastewater treatment facilities.
16 In 2005, DHS testified that approximately 3,400 chemical facilities were considered high-
risk, having the ability to impact 1,000 or more people. Testimony of Robert B. Stephan,
Assistant Secretary for Infrastructure Protection, Department of Homeland Security, before
the Senate Committee on Homeland Security and Governmental Affairs on June 15, 2005.
The use of a consequence threshold as an approximation of risk, as is used in the initial
screening procedure, would likely capture all high-risk facilities if the consequence
threshold was set at a low level. That tactic might also capture many non-high-risk facilities
though.
17 72 Federal Register 17688-17745 (April 9, 2007) at 17731.
18 Linda Roeder, “Security Homeland Security Rule Provisions Spur Criticism Over
Chemical Thresholds,” Daily Environment Report, June 4, 2007.
19 Kelly Field, “Chemical-Security Rules Could Pose Huge Burden for Colleges, Critics
Say,” Chronicle of Higher Education Daily News, June 5, 2007.
20 72 Federal Register 17688-17745 (April 9, 2007) at 17723.
CRS-7
Inherently Safer Technology
Considerable congressional debate on chemical facility security revolved around
the issue of inherently safer technology. During this debate, the application of
inherently safer technology as a risk-reducing security measure was generally
supported by environmental groups and opposed by industry groups. Environmental
groups proposed that reducing the inherent consequences from a release at a chemical
facility would increase its security, as the incentive to attack such a lower-
consequence facility would be reduced. Industry groups argued that chemical
substance and technology changes were business and process safety concerns, not
related to security issues, and best left to the discretion of the chemical facility, rather
than the federal government.
Both the statute and the interim final rule are silent on the issue of inherently
safer technology. Neither recommend nor prohibit the use of inherently safer
technology as a security method, assuming that it contributes to meeting the risk-
based performance standards put forth by DHS. The risk-based performance
standards appear more focused on hardening facilities than on consequence
mitigation techniques. Alternatively, use of inherently safer technology may reduce
the quantity or type of chemical stored on site, possibly removing the chemical
facility from regulation. Both the statute and the interim final rule, in establishing
risk-based performance standards, expressly deny requiring any specific security
measure from chemical facilities.
Federal Preemption
Another area of congressional debate was whether federal chemical facility
security legislation should preempt such activities on the state level.21 Several states
have begun to enact security regulations for chemical facilities.22 Supporters of
explicit federal preemption assert that a patchwork of state regulation provides a
competitive disadvantage to companies on a state-by-state basis and may lead to
uneven security efforts. Opponents of explicit federal preemption claim that federal
security regulation should set a floor, rather than a ceiling, for security efforts;
individual states should, in their opinion, be allowed to require additional security
measures, so long as the federal standard is surpassed.
21 See Cong. Rec. H7968-69 (daily ed. September 29, 2006) (statement of Rep. Barton)
(stating that “[d]uring negotiations it was discussed and consciously decided among the
authorizing committee negotiators to not include a provision exempting this section from
Federal preemption because we do not want a patchwork of chemical facilities that are
trying to secure themselves against threats of terrorism caught in a bind of wondering
whether their site security complies with all law.”). See also Cong. Rec. H7967 (daily ed.
September 29, 2006) (statement of Rep. King) (noting that the intent of the committee was
not to preempt state authority in adopting requirements more stringent than federal standards
and concluding that “...it is our understanding, and we had the opinion of committee counsel
on this, that [the bill language] does not preempt States.”)
22 New Jersey, arguably the state with the most stringent chemical security regulations,
requires the consideration of inherently safer technology as a component of a facility’s
security plan.
CRS-8
The statute is silent with respect to preemption; however, the interim final rule
contains language indicating that DHS reserves the authority to preempt conflicting
state requirements. According to DHS, the balance struck by P.L. 109-295 between
DHS security requirements and a facility’s flexibility to choose specific security
measures must be preserved.23 The interim final rule’s explanatory statement
distinguishes, consistent with federal case law, between “field preemption” and
“conflict preemption,” asserting that the Department intends only the latter to apply
to chemical security regulations.24 As an example, DHS notes that Congress’s
delegation of authority extends only to those facilities that pose “high levels of
security risk;” thus, according to DHS, the states remain free to regulate any facility
that DHS has determined not to be encompassed by this classification.25
According to the statute, “the Secretary may not disapprove a Site Security Plan
submitted under this section based on the presence or absence of a particular security
measure.”26 The federal chemical facility security regulation thus does not require
the application or use of any particular security measure. The interim final rule then
seems to imply that any state regulation that does require a specific security measure
would be preempted, because it “conflicts with, hinders, poses an obstacle to or
frustrates the purposes of these regulations or of any approval, disapproval or order
issued thereunder.”27
Although DHS has indicated that it has not reviewed all existing state
regulations for preemption purposes, they assert that these existing state regulations
are unlikely to be preempted by the interim final rule. Future state regulations,
however, may be found to be preempted. It seems likely that prescriptive state
regulations would be interpreted by DHS as preempted by the performance-based
federal regulation.28
Information Availability
Another issue that generated considerable congressional interest and debate was
how, and to what extent, the information created by chemical facilities and submitted
to DHS is to be protected from disclosure to the public, industry competitors, and
potential bad actors. The Freedom of Information Act (FOIA), which generally
23 72 Federal Register 17688-17745 (April 9, 2007) at 17727.
24 72 Federal Register 17688-17745 (April 9, 2007) at 17727 (stating that “[DHS] does not
view its regulatory scheme as one which so fully occupies the field as to preempt any state
law touching the same subject.”).
25 72 Federal Register 17688-17745 (April 9, 2007) at 17727.
26 DHS Appropriations Act, supra note 1 at § 550(a).
27 72 Federal Register 17688-17745 (April 9, 2007) at 17739.
28 For a legal analysis of preemption and a discussion of DHS’s authority to preempt state
law by administrative action, see CRS Congressional Distribution Memorandum, Legal
Analysis of the Preemption Provisions in the Recent Department of Homeland Security’s
Chemical Facility Security Advance Notice of Rulemaking, by Todd B. Tatelman (January
23, 2007) (available from author upon request).
CRS-9
applies to records held by agencies of the executive branch of the federal
government, regulates the disclosure of government information.29 The FOIA
requires agencies to publish in the Federal Register certain records, and to make
other records available for public inspection and copying.30
While the FOIA contains three specific law enforcement related exclusions and
nine exemptions that permit the withholding of certain government-held information,
it has been the prevailing view since September 11, 2001, that separate federal
statutes prohibiting the disclosure of certain types of information, and authorizing its
withholding under the FOIA, are necessary. As a result, several security-related
information protection statutes have been enacted by Congress and implemented by
the government. Of specific relevance to chemical facilities is the protection regime
known as “Sensitive Security Information” (SSI), currently used by the
Transportation Security Administration in enforcing the Maritime Transportation
Security Act of 2002 (MTSA).31
Section 550(c) of P.L. 109-295 contains two specific mandates regarding
information protection. The first mandate requires that
information developed under this section, including vulnerability assessments,
site security plans, and other security related information, records, and
documents shall be given protections from public disclosure consistent with
similar information developed by chemical facilities subject to regulation under
[MTSA].32
The reference to MTSA is considered to be a reference to SSI, which is the
information protection regime developed and administered by the Transportation
Security Administration, and applicable to maritime facilities regulated under MTSA.
The DHS’s interim final chemical facility security regulations expressly
recognize the reference to SSI; however, instead of amending the existing SSI
regulations to include application to chemical facilities, DHS has implemented a new
security-information protection regime, “Chemical-terrorism Vulnerability
Information” (CVI).33
29 5 U.S.C. § 552 et seq. (2000). For an overview of FOIA, see CRS Report RL32780,
Freedom of Information Act (FOIA) Amendments: 110th Congress, by Harold C. Relyea.
30 See id. at § 552(a)(1)-(2).
31 While initially created for the Department of Transportation in 1974, SSI has been
significantly expanded by the Aviation Transportation Security Act of 2001 (ATSA), the
Homeland Security Act of 2002, and the Maritime Transportation Security Act of 2002. See
CRS Report RL33670, Protection of Security-Related Information, by Gina Marie Stevens
and Todd B. Tatelman (providing an in-depth discussion of the history, requirements, and
litigation that has developed under SSI).
32 DHS Appropriations Act, supra note 1 at § 550(c).
33 72 Federal Register 17688-17745 (April 9, 2007) at 17727-17739.
CRS-10
The interim final rule provides that the following types of information will
constitute CVI: (1) vulnerability assessments; (2) site security plans; (3) any
documents developed relating to the Department’s review and approval of
vulnerability assessments and security plans; (4) alternate security plans; (5)
documents relating to inspection or audits; (6) any records required to be created or
retained under these regulations; (7) sensitive portions of orders, notices or letters
(8) information developed to determine the risk posed by chemical facilities, or to
determine which facilities are “high risk;” and (9) any other information that the
Secretary, in his discretion, determines warrants the protections set forth in this part.34
The interim final rule states that “covered persons” must “[d]isclose, or
otherwise provide access to, CVI only to covered persons who have a need to
know.”35 The term “covered persons” is defined by the proposed rules as: persons
who have a need to know CVI and as persons who otherwise receive access to “what
they know or reasonably should know constitutes CVI.”36 According to the interim
final rule, persons with the “need to know,” which expressly includes state and local
officials, are categorized in five ways: (1) persons who require access to carry out
activities approved or sanctioned by DHS; (2) persons who require access to train for
DHS approved or sanctioned activities; (3) persons required to supervise, manage,
or otherwise oversee DHS approved or sanctioned activities; (4) persons who require
the information for the purposes of providing technical or legal advice; and (5)
persons who are representing a covered person in either an administrative or judicial
proceeding.37
The interim final rule indicates that DHS may “make an individual’s access to
the CVI contingent upon satisfactory completion of a security background check or
other procedures or requirements for safeguarding CVI that are satisfactory to
DHS.”38 Finally, the interim final rule provides DHS with discretionary authority to
further limit access to CVI, even if persons otherwise meet the required
qualifications. The regulations state that “[f]or some specific CVI, DHS may make
a finding that only specific persons or classes of persons have a need to know.”39 It
is unclear from this language in what circumstances, or by what standards, DHS will
issue such findings.
The second mandate contained in P.L. 109-295 states that:
in any proceeding to enforce this section, vulnerability assessments, site security
plans, and other information submitted to or obtained by the Secretary under this
34 72 Federal Register 17688-17745 (April 9, 2007) at 17737.
35 Id.
36 Id.
37 Id. at 17738.
38 Id.
39 Id.
CRS-11
section, and related vulnerability or security information, shall be treated as if the
information were classified material.40
The terms “classified material” or “classified information” have been defined in
several different contexts. Congress has statutorily defined “classified material” as
“[a]ny information or material that has been determined by the United States
government pursuant to an Executive Order, statute, or regulation, to require
protection against unauthorized disclosure for reasons of national security....”41
Executive Orders have defined “classified information” as “information that ...
require[s] protection against unauthorized disclosure and is marked to indicate its
classified status when in documentary form.”42 In addition, according to Executive
Order, “classified information” may include anything that the original classifying
authority determines that “reasonably could be expected to result in damage to
national security, which include[s] defense against transnational terrorism, and the
original classification authority is able to identify and describe the damage.”43
As a result of this congressional mandate and the nature of the information at
issue, DHS has indicated that in administrative proceedings and litigation before
courts, CVI will only be disclosed under the narrowest of parameters consistent with
Executive Orders and other congressional enactments. In administrative proceedings,
DHS indicates that CVI will only be disclosed at the Secretary’s sole discretion and
only when it “is necessary for the person to prepare a response to allegations
contained in a legal enforcement action document issued by the Department.”44 Even
in such a circumstance, DHS reserves the right to require the requesting person or
entity to undergo and satisfy a security background check before receiving the
information.45
Similarly, in litigation arising out of enforcement actions, whether civil or
criminal, DHS has implemented a system of applicable procedures akin to those
contained in both the Classified Information Protection Act,46 and at 18 U.S.C. §
2339B. For example, DHS will permit reviewing courts, after an opportunity to
independently view the documents, to authorize one of the following as a substitute
for CVI sought in discovery: (1) A redacted version of the CVI documents; (2) a
summary of the information contained in the CVI documents; or (3) a statement
admitting relevant facts that the CVI documents would tend to prove.47 The interim
final rule also provides protections against the disclosure of CVI through live witness
40 DHS Appropriations Act, supra note 1 at § 550(c).
41 Classified Information Procedures Act, P.L. 96-456, 94 Stat. 2025 (1980) (codified as
amended at 18 U.S.C. App. 3 §§ 1-16 (2000)) [hereinafter CIPA].
42 Exec. Order No. 12958 § 6.1(h), 60 Federal Register 19825 (April 20, 1995).
43 Exec. Order No. 13292 §1.1(a)(4), 68 Federal Register 15315 (March 28, 2003).
44 72 Federal Register 17688-17745 (April 9, 2007) at 17738.
45 Id.
46 See CIPA, supra note 36.
47 72 Federal Register 17688-17745 (April 9, 2007) at 17738-17739.
CRS-12
testimony.48 Moreover, in the event that the Government objects to a witness’s
testimony, the regulations authorize the court to consider an ex parte proffer by the
Government on what the witness is likely to say, as well as a proffer from the
defendant of the nature of the information sought.49 Further, the interim final rule
permits the Department to immediately appeal if a court denies any request related
to the disclosure of CVI.50 Finally, the interim final rule expressly states that no CVI
will be provided in any civil litigation unrelated to the enforcement of Section 550.51
Expiration of Regulations and Authority
The meaning of the expiration provision of P.L. 109-295 appears to be the
subject of some uncertainty. The statute specifically states that:
Interim regulations issued under this section shall apply until the effective date
of interim or final regulations promulgated under other laws that establish
requirements and standards referred to in subsection (a) and expressly supercede
this section. Provided, [t]hat the authority provided by this section shall
terminate three years after the date of enactment of this Act.52
In the preamble to DHS’s proposed regulations the Department suggests that
notwithstanding the plain text of the statute, should future funds be appropriated by
Congress, even in the absence of an authorizing statute, the regulations and the
authority to enforce them would continue as though sufficiently authorized.53
As a general rule, there is no specific statutory or other legal requirements that
appropriations be preceded by specific authorizations. As a result, Congress may,
subject to possible procedural points of order,54 appropriate funds for programs that
exceed the scope and/or duration of a prior authorization. In instances where
Congress has opted for this type of action, the enacted appropriation has been
interpreted by the Comptroller General to, in effect, carry with it its own
authorization and, therefore, is to be available to the agency for obligation and
48 Id.
49 Id.
50 Id.
51 Id.
52 DHS Appropriations Act, supra note 1 at § 550(b).
53 See 71 Federal Register 78276-78332 (December 28, 2006) at 78276 and 78281 (stating
that “[i]f a future appropriations bill continued funding for the Section 550 program beyond
that period, the Department could consider that future funding for the program as an
extension of the ‘authority provided by this section.’”).
54 Rule XXI(2) of the Rules of the House of Representatives prohibits appropriations for
objects not previously authorized by law. A similar, but more limited, prohibition exists in
Rule XVI of the Standing Rules of the Senate. Each of these provisions must be raised via
a “point of order,” which may be overcome by a super-majority vote in each chamber.
CRS-13
expenditure.55 In addition, the Comptroller General has also held that, as a general
proposition, the appropriation of funds for a program whose funding authorization
has expired, or is about to expire during the period of availability of the appropriation
(e.g., authorization expires during a fiscal year for which money has already been
appropriated), provides sufficient legal basis to continue a program during that period
of availability, even when expressed congressional intent appears to be contrary.56
Given these general rules, it would appear that should Congress appropriate funds to
DHS for the purpose of continuing to secure chemical facilities, even after the
expiration of the Section 550 authorization, sufficient legal authority would exist for
the regulations to remain in effect.
Policy Options
Reaction to the proposed regulation and the interim final rule has been mixed.
Some policymakers and advocates have criticized the approach taken by DHS.
Others have been supportive. As written, the law anticipates further legislative
activity in this area. Policymakers may decide to wait and observe how the final
interim rule is implemented, attempt to influence DHS’s implementation of the
interim final rule, or legislate to alter or supersede the enacted legislation.
Maintain Status Quo
The authority to federally regulate chemical facility security is new. As such,
regulation in this area may need time to mature. Congress, when passing P.L. 109-
295, contemplated the eventual supersession of these regulations:
Interim regulations issued under this section shall apply until the effective date
of interim or final regulations promulgated under other laws that establish
requirements and standards referred to in subsection (a) and expressly supersede
this section: Provided, [t]hat the authority provided by this section shall
terminate three years after the date of enactment of this Act.57
Policymakers may view this regulatory authority, and thus these regulations, as a
stop-gap measure, providing a temporary solution to the perceived chemical security
problem, with the intent of allowing the security policy debate to further mature. In
this case, policymakers may decide to wait, allowing DHS to implement its interim
final rule before considering changes in chemical facility security policy. This might
more fully reveal the impacts of the current regulation.
55 See 67 Comp. Gen. 401 (1988).
56 See, e.g., 65 Comp. Gen. 524 (1986); 65 Comp. Gen. 318, 320-21 (1986); 55 Comp. Gen.
289 (1975).
57 DHS Appropriations Act, supra note 1 at § 550.
CRS-14
Attempt to Influence Implementation
The statutory language of P.L. 109-295, Section 550 grants significant discretion
to the DHS Secretary. The interpretation and application of this discretion by the
DHS Secretary, particularly in the areas of information protection and state
preemption, were the source of some of the criticisms levied against the proposed
regulations.58 While discretionary authority may be important to the effective and
efficient implementation of a regulatory structure, policymakers may believe that
execution of this discretionary authority has been counter to congressional intent.
Policymakers may decide to influence the manner in which the DHS Secretary’s
discretion is applied.
The DHS requested public comment from interested parties on questions, issues,
and the proposed regulatory language.59 As such, the comments of policymakers,
advocates and interested parties influenced the form and language of the interim final
rule. Through comments to the docket, policymakers expressed support for and
criticism of the proposed regulations.60 The docket for the proposed regulation
closed on February 7, 2007. The interim final rule, promulgated on April 9, 2007,
took account of these comments, addressing them as the Department deemed
appropriate.
Policymakers may conclude that they are dissatisfied with the form of the
interim final rule. If this is the case, policymakers could act to more explicitly
describe and limit the discretionary scope granted to the DHS Secretary. They may
influence the interim final rule’s implementation through the congressional oversight
process by clarifying congressional intent, through hearings on the interim final rule’s
implementation, or through language added to DHS appropriations legislation and
reports.
Another option would be for Congress to invoke the Congressional Review Act
(CRA).61 The CRA establishes an expedited mechanism by which Congress can
review and disapprove final federal agency rules.62 Since its enactment, however, the
CRA has been successfully used only once. If the interim final rule is successfully
disapproved under the CRA, DHS would be prohibited from promulgating a similar
rule absent an express authorization from Congress.
58 John Heilprin, “Chemical Plants to Submit Security Plans,” Associated Press, December
22, 2006; Greg Gordon, “New Rules Aim to Protect Chemical Plants from Terrorists,” San
Jose Mercury News, December 22, 2006.
59 71 Federal Register 78276-78332 (December 28, 2006) at 78277. An electronic docket
for this proposed regulation was established at [http://www.regulations.gov] under docket
identification number DHS-2006-0073.
60 Comments submitted to the docket may be viewed online at [http://www.regulations.gov]
under docket identification number DHS-2006-0073.
61 Small Business Regulatory Enforcement Fairness Act of 1996, P.L. 104-121.
62 See CRS Report RL31160, Disapproval of Regulations by Congress: Procedure Under
the Congressional Review Act, by Richard S. Beth.
CRS-15
Legislative Alternatives
Policymakers may decide that additional legislation is necessary in the chemical
facility security area. Such legislation could be targeted in nature, attempting to
remedy perceived flaws by slightly altering the existing authorities granted to DHS,
or more comprehensive. A more comprehensive approach may occasion substantive
changes in the existing authorities and thus extensive revision of any chemical
facility security regulation.
Policymakers may ultimately decide that the regulatory structure established by
DHS does not satisfy homeland security needs or will prove too onerous to industry
and opt to enact new chemical facility legislation. Such legislation might expand the
reach of the regulatory structure, for example, by mandating the inclusion of
particular chemical substances as potentially dangerous; restrict the scope of
regulation, for example, by lowering regulatory burdens or requirements on small
businesses; or direct the agency to include or exclude particular components from its
regulations.
Developing new legislation, or changing existing legislation, to alter the DHS
interim final rule may bring additional costs, especially to facilities that have already
come into compliance. If new regulations, established under new or amended
authority, present new requirements for chemical facilities, security efforts enacted
under the original interim final rule may not be entirely applicable. Chemical
facilities may be required to invest in additional security measures to meet these new
requirements, potentially incurring further cost. When considering whether to enact
new legislation or amend existing law, policymakers may opt to consider methods
to mitigate additional costs to chemical facilities that have already complied with the
interim final rule. Considering the initial statute had a three-year sunset provision,
Congress may have intended that future legislation build upon P.L. 109-295, Section
550, so that future regulations would be harmonized with the interim final rule
initially promulgated.
Legislation in the 110th Congress. Legislative efforts are under way in the
110th Congress to alter DHS’s statutory authority to regulate chemical facilities.
Three freestanding bills have been introduced in the House of Representatives and
chemical facility security provisions were included in the vetoed FY2007
supplemental appropriation bill (H.R. 1591).
The Safe Facilities Act (H.R. 1574) would attempt to preserve state chemical
facility security authority by preventing federal preemption of state chemical facility
security laws and regulations that are more stringent than the federal standard. H.R.
1633 would attempt to preserve state chemical facility security authority by
prohibiting the Secretary from promulgating chemical facility security regulations
that preempt more stringent state chemical facility security regulations.
The Chemical Facility Security Improvement Act of 2007 (H.R. 1530) also
would attempt to preserve state chemical facility security laws and regulations, but
it contains additional provisions. It would limit the chemical facility security
information protected from disclosure to vulnerability assessments and site security
plans. Chemical facility security information would be treated in judicial
CRS-16
proceedings as Sensitive Security Information (SSI), rather than as classified
material.63 It would allow the Secretary to disapprove a site security plan based on
the presence or absence of a particular security measure. Finally, it would grant
others besides the Secretary a right of legal action to enforce security provisions.
The Department of Homeland Security Appropriations Act, 2008 (H.R. 2638)
would attempt to preserve state chemical facility security laws and regulations by
preventing federal preemption of state chemical facility security regulations that are
more stringent than the federal standard. It would also limit the chemical security
information protected and treat protected information as SSI. H.R. 2638 passed the
House of Representatives on June 15, 2007.
The Department of Homeland Security Appropriations Act, 2008 (S. 1644)
would attempt to preserve state chemical facility security laws and regulations by
preventing federal preemption of state chemical facility security regulations that are
more stringent than the federal standard. Only in the case of actual conflict would
state law be preempted. S. 1644 was reported out of the Senate Committee on
Appropriations on June 18, 2007.
Chemical facility security provisions were included in the vetoed FY2007
supplemental appropriations bill. The chemical facility security provisions of the
U.S. Troop Readiness, Veterans’ Health, and Iraq Accountability Act, 2007 (H.R.
1591) would have attempted to preserve state chemical facility security laws and
regulations; limited the scope of information protected as chemical security
information; and treated protected information as SSI.
63 See CRS Report RL33670, Protection of Security-Related Information, by Gina Marie
Stevens and Todd B. Tatelman (providing an in-depth discussion of the history,
requirements, and litigation that has developed under SSI).