Chemical Facility Security: Reauthorization,
Policy Issues, and Options for Congress

Dana A. Shea
Specialist in Science and Technology Policy
September 3, 2009
Congressional Research Service
7-5700
www.crs.gov
R40695
CRS Report for Congress
P
repared for Members and Committees of Congress

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Summary
The granted the Department of Homeland Security (DHS) statutory authority to regulate chemical
facilities for security purposes. This authority expires in October 2009. The 111th Congress is
taking action to reauthorize this program, but the manner of its reauthorization remains an issue
of congressional debate. The Obama Administration and some Members of Congress support an
extension, either short- or long-term, of the existing authority. Other Members call for revision
and more extensive codification of chemical facility security authorities. The tension between
continuing and changing the statutory authority is exacerbated by questions regarding its
effectiveness in reducing chemical facility risk and the sufficiency of federal funding for chemical
facility security.
Key policy issues debated in previous Congresses are likely to be considered during the
reauthorization debate. These issues include the facilities that should be considered as chemical
facilities; the appropriateness and scope of federal preemption of state chemical facility security
activities; the availability of information for public comment, potential litigation, and
congressional oversight; and the role of inherently safer technologies.
Congress is faced with a variety of options. Congress might allow the statutory authority to
expire. Congress might permanently or temporarily extend the expiring statutory authority in
order to observe the impact of the current regulations and, if necessary, address any perceived
weaknesses at a later date. Congress might codify the existing regulation in statute and reduce the
discretion available to the Secretary of Homeland Security to change the current regulatory
framework. Alternatively, Congress might change the current regulation’s implementation, scope,
or impact by amending the existing statute or creating a new one.
Members have introduced several bills in the 111th Congress to address chemical facility security.
Both the Senate-passed and House-passed versions of the DHS appropriations bill (H.R. 2892)
would extend the existing statutory authority through October 4, 2010. Both appropriations bills
provide additional chemical facility security funding relative to FY2009. H.R. 2477 would extend
the existing statutory authority until October 1, 2012. H.R. 2868, as reported by the House
Committee on Homeland Security, would increase the types of facilities eligible for regulation;
mandate, in certain cases, the use of measures to reduce the consequences of a terrorist attack;
create a citizen-suit process for requiring enforcement; and codify components of the existing
regulations. H.R. 261 would alter the existing authority but has not been reported.
Other bills would expand security requirements to facilities not currently regulated for security
purposes. H.R. 3258 would authorize the Environmental Protection Agency (EPA) to create risk-
based security regulations for drinking water facilities; include the use of measures to reduce the
consequences of a terrorist attack; and delegate certain authorities to the states. H.R. 2883 would
authorize EPA to establish certain risk-based security requirements for wastewater facilities.

Congressional Research Service

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Contents
Introduction ................................................................................................................................ 1
Overview of Statute and Regulation ............................................................................................ 1
Statute................................................................................................................................... 1
Regulation ............................................................................................................................ 3
Implementation ........................................................................................................................... 4
Policy Issues ............................................................................................................................... 5
Adequacy of Funds ............................................................................................................... 6
Federal Preemption of State Activities ................................................................................... 6
Transparency of Process........................................................................................................7
Definition of Chemical Facility ............................................................................................. 8
Inherently Safer Technologies ............................................................................................... 9
Policy Options .......................................................................................................................... 10
Maintain the Existing Regulatory Framework...................................................................... 11
Extend the Sunset Date ................................................................................................. 11
Codify Existing Regulations.......................................................................................... 11
Alter the Existing Statutory Authority ................................................................................. 12
Accelerate or Decelerate Compliance Activities ............................................................ 12
Incorporate Additional Facility Types ............................................................................ 12
Consider Inherently Safer Technologies ........................................................................ 14
Modify Information Security Provisions........................................................................ 16
Preempt State Regulations............................................................................................. 18
Harmonization of Regulations ....................................................................................... 18
Legislation in the 111th Congress ............................................................................................... 18
Extend the Existing Authority ............................................................................................. 18
Modify the Existing Authority............................................................................................. 19

Tables
Table 1. DHS Funding for Chemical Facility Security Regulation by Fiscal Year ......................... 5

Contacts
Author Contact Information ...................................................................................................... 20

Congressional Research Service

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Introduction
Facilities possessing certain amounts of hazardous chemicals have been the target of safety and
security efforts since prior to September 11, 2001. The sudden release of hazardous chemicals
from facilities storing large quantities might potentially harm large numbers of persons living or
working near the facility. Congress has debated whether such facilities should be regulated for
security purposes to reduce the risk that they pose. The 109th Congress passed legislation in 2006
providing the Department of Homeland Security (DHS) statutory authority to regulate chemical
facilities for security purposes. This statutory authority expires in October 2009. Advocacy
groups, stakeholders, and policymakers have called for congressional attention to reauthorization
of this authority, though they disagree about the preferred option. Congress is faced with a
decision to extend the existing authority, revise the existing authority to resolve contentious
issues, or allow this authority to lapse.
This report provides a brief overview of the existing statutory authority and the regulation
implementing this authority. It describes several policy issues raised in previous debates
regarding chemical facility security. The report identifies policy options that might resolve
components of these issues. Finally, legislation introduced in the 111th Congress is discussed.
Overview of Statute and Regulation
Congress provided statutory authority to DHS to regulate chemical facilities for security
purposes. This statutory authority provided some explicit authorities to DHS and left other
implementation aspects to the discretion of the Secretary of Homeland Security. The DHS issued
an interim final rule drawing on both explicit statutory authorities and the implicit authorities
granted to the Secretary’s discretion.1
Statute
The Homeland Security Appropriations Act, 2007 (P.L. 109-295), Section 550, directs the
Secretary of Homeland Security to issue interim final regulations establishing risk-based
performance standards for chemical facility security and requiring the development of
vulnerability assessments and the development and implementation of site security plans.
Furthermore, the regulations are to allow regulated entities to employ combinations of security
measures to meet the risk-based performance standards.2 The law specifies that these regulations

1 An interim final rule is a rule which meets the requirements for a final rule and which has the same force and effect as
a final rule, but which contains an invitation for further public comment on its provisions. After reviewing comments to
the interim final rule, an agency may modify the interim final rule and issue a “final” final rule.
2 According to the White House Office of Management and Budget, a performance standard is a standard
that states requirements in terms of required results with criteria for verifying compliance but
without stating the methods for achieving required results. A performance standard may define the
functional requirements for the item, operational requirements, and/or interface and
interchangeability characteristics. A performance standard may be viewed in juxtaposition to a
prescriptive standard which may specify design requirements, such as materials to be used, how a
requirement is to be achieved, or how an item is to be fabricated or constructed.
(continued...)
Congressional Research Service
1

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

are to apply only to those chemical facilities that the Secretary determines present high levels of
security risk. The statute exempts from the Secretary’s authority facilities defined as a water
system or wastewater treatment works; facilities owned or operated by the Department of
Defense or Department of Energy; facilities regulated by the Nuclear Regulatory Commission;
and those facilities regulated under the Maritime Transportation Security Act of 2002 (P.L. 107-
295).
Under the law, the Secretary must review and approve the required assessment, plan, and
implementation for each facility. The Secretary may approve vulnerability assessments and site
security plans created through security programs not developed by DHS, so long as the results of
these programs meet the risk-based performance standards established in regulation. The statute
prohibits the Secretary from disapproving a site security plan on the basis of the presence or
absence of a particular security measure, but the Secretary may disapprove a site security plan
that does not meet the risk-based performance standards.
Information developed for these requirements is to be protected from public disclosure but may
be shared, at the Secretary’s discretion, with state and local government officials, including law
enforcement officials and first responders possessing the necessary security clearances. Such
shared information may not be publicly disclosed, regardless of state or local laws, and is exempt
from the Freedom of Information Act (FOIA). Additionally, the information provided to the
Secretary, along with related vulnerability information, is to be treated as classified information in
all judicial and administrative proceedings. Violation of the information protection provision is
punishable by fine.
The Secretary must audit and inspect chemical facilities and determine regulatory compliance. If
the Secretary finds a facility not in compliance, the Secretary must write to the facility explaining
the deficiencies found, provide an opportunity for the facility to consult with the Secretary, and
issue an order to the facility to comply by a specified date. If the facility continues to be out of
compliance, the Secretary may fine and, eventually, order the facility to cease operation.
Only the Secretary may bring a lawsuit against a facility owner to enforce provisions of this law.
The law does not affect any other federal law regulating chemicals in commerce. The statute
contains a “sunset provision” and expires on October 4, 2009, three years from the date of
enactment.
Section 550 was amended by the Consolidated Appropriations Act, 2008 (P.L. 110-161). This
amendment clarifies a state’s right to promulgate chemical facility security regulation that is at
least as stringent as the federal chemical facility security regulation. Only in the case of an “actual
conflict” between the federal and state regulation would the state regulation be preempted. The
scope of an “actual conflict” was not further defined in the statute.

(...continued)
Office of Management and Budget, The White House, “Federal Participation in the Development and Use of Voluntary
Consensus Standards and in Conformity Assessment Activities,” Circular A-119, February 10, 1998. For example, a
performance standard might require that a facility perimeter be secured, while a prescriptive standard might dictate the
height and type of fence to be used to secure the perimeter.

Congressional Research Service
2

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Regulation
On April 9, 2007, the Department of Homeland Security issued an interim final rule regarding the
Chemical Facility Anti-Terrorism Standards (CFATS). This interim final rule entered into force on
June 8, 2007. The interim final rule implements both statutory authority explicit in P.L. 109-295,
Section 550, and authorities DHS found to be implicitly granted. The DHS has described the
statutory authority for regulation of chemical facility security as “compact.”3 According to DHS,
“Each subsection and sentence of this provision has significant consequences for the structure and
content of the regulatory program.”4 In promulgating the interim final rule, DHS interpreted the
language of the statute to determine what it asserts was the intent of Congress when crafting the
statutory authority. Consequently, much of the rule arises from the Secretary’s discretion and
interpretation of legislative intent and was not explicitly detailed by the law.
Under the interim final rule, the Secretary of Homeland Security will determine which chemical
facilities must meet regulatory security requirements. The decision is to be based on the degree of
risk posed by each facility. Chemical facilities with greater than specified quantities of potentially
dangerous chemicals are required to submit information to DHS, so that DHS can determine the
facility’s risk status. Approximately 300 chemicals are considered “chemicals of interest” for the
purposes of compliance with CFATS. Each chemical is considered in the context of three threats:
release, theft or diversion, and sabotage and contamination. High-risk facilities are then further
categorized into four risk-based tiers. The DHS established different performance-based
requirements for facilities assigned to each risk-based tier. Facilities in higher risk tiers must meet
more stringent performance-based requirements.
All high-risk facilities must assess their vulnerabilities, develop an effective security plan, submit
these documents to DHS, and implement their security plan. The vulnerability assessment serves
two purposes under the interim final rule. One is to determine or confirm the placement of the
facility in a risk-based tier. The other is to provide a baseline against which to compare the site
security plan activities. The DHS requires the vulnerability assessment to include the following
components: asset characterization, threat assessment, security vulnerability analysis, risk
assessment, and countermeasures analysis.
The site security plans must address the vulnerability assessment by describing how activities in
the plan correspond to securing facility vulnerabilities. Additionally, the site security plan must
address preparations for and deterrents against specific modes of potential terrorist attack, as
applicable and identified by DHS. The site security plans must also describe how the activities
taken by the facility meet the risk-based performance standards provided by DHS.
Vulnerability assessments and site security plans developed through alternative security programs
will be accepted so long as they meet the tiered, performance-based requirements of the interim
final rule. The Secretary may disapprove submitted vulnerability assessments or site security
plans that fail to meet DHS standards but not on the basis of the presence or absence of a specific
measure. In the case of disapproval, DHS must identify in writing those areas of the assessment
and plan that need improvement. Chemical facilities may appeal disapprovals to DHS.

3 71 Fed. Reg. 78276-78332 (December 28, 2006) at 78280.
4 Ibid.
Congressional Research Service
3

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

The information generated under this interim final rule, as well as any information developed for
chemical facility security purposes that the Secretary determines needs to be protected, will be
labeled “Chemical-terrorism Vulnerability Information” (CVI), a new category of security-related
information. The DHS asserts sole discretion regarding who will be eligible to receive CVI.
The interim final rule states it will preempt state and local regulation that “conflicts with, hinders,
poses an obstacle to or frustrates the purposes of” the federal regulation. States, localities, or
affected companies may request a decision from DHS regarding potential conflict between the
regulations. Since DHS promulgated the interim final rule, Congress has amended this statute to
state that such preemption will occur only in the case of an “actual conflict.” The DHS has not
issued revised regulations addressing this change in statute.
The interim final rule establishes penalties for lack of compliance and for the disclosure of CVI
information. If a facility remains out of compliance with the interim final rule, DHS may order it
to cease operations after other penalties, such as fines, have been levied. The interim final rule
establishes the process by which chemical facilities can appeal DHS decisions and rulings.
Implementation
The DHS statutory authority to regulate chemical facilities for security purposes is executed
through the National Protection and Programs Directorate (NPPD). The NPPD attempts to
generally reduce the risks to the homeland and has various offices addressing both physical and
virtual threats. The Office of Infrastructure Protection oversees the CFATS program. Within the
Office of Infrastructure Protection, the Infrastructure Security Compliance Project contains the
funding and personnel efforts allocated for implementing the CFATS regulations. As seen in
Table 1, requested and appropriated funding for this program has annually increased since its
creation. Additionally, full-time equivalent staffing for this program has also increased. This
increase in staffing reflects, in part, the development of a cadre of CFATS inspectors.
Congressional Research Service
4

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Table 1. DHS Funding for Chemical Facility Security Regulation by Fiscal Year
(in millions)
Full-time
Fiscal Year
Request
Appropriation
Equivalents
FY2007 $10 $22a 0
FY2008 25
50
21
FY2009 63
73b 78
FY2010 55c
–d 246e
Source: Department of Homeland Security, Preparedness Directorate, Infrastructure Protection and
Information Security, FY2007 Congressional Justification; Department of Homeland Security, National Protection
and Programs Directorate, Infrastructure Protection and Information Security, Fiscal Year 2008 Congressional
Justification; Department of Homeland Security, National Protection and Programs Directorate, Infrastructure
Protection and Information Security, Fiscal Year 2009 Congressional Justification; Department of Homeland
Security, National Protection and Programs Directorate, Infrastructure Protection and Information Security,
Fiscal Year 2010 Congressional Justification; H.Rept. 109-699; P.L. 110-28; the explanatory statement for P.L. 110-
161 at Congressional Record, December 17, 2007, H16092; and the explanatory statement for P.L. 110-329 at
Congressional Record, September 24, 2008, pp. H9806-H9807.
Notes: Funding levels rounded to nearest million. A full-time equivalent equals one staff person working a full-
time work schedule for one year.
a. Including funds provided in supplemental appropriations.
b. The Infrastructure Security Compliance Project also received $5 million for activities related to the
development of regulations for ammonium nitrate. This funding was excluded in Table 1.
c. The Infrastructure Security Compliance Project also requested $14 million for activities related to the
development of regulations for ammonium nitrate. This funding was excluded in Table 1.
d. Both the Senate-passed and the House-passed versions of the Department of Homeland Security
appropriations bill (H.R. 2892) provide funding for chemical facility security regulation at the requested
level.
e. Requested number of ful -time equivalent positions.
As of June 2009, more than 36,500 chemical facilities had registered with DHS and completed
the Top-Screen process.5 Of these facilities, approximately 7,010 were considered to be high-risk
and were required to submit a site vulnerability assessment.6 Once DHS processes the site
vulnerability assessments, these facilities will be assigned risk tiers. The DHS has reportedly
begun to contact 140 facilities in the highest risk tier, requiring those facilities to develop and
implement a site security plan.7 Inspections by DHS are expected to begin later in 2009.
Policy Issues
Previous congressional discussion on chemical facility security raised several contentious policy
issues. Some issues, such as whether DHS has sufficient funds to adequately oversee chemical

5 The Top-Screen process is the initial submission of information to DHS to determine whether a facility is high risk.
6 Testimony of Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Homeland Security, June 15, 2009.
7 Testimony of Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Homeland Security, June 15, 2009.
Congressional Research Service
5

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

facility security; whether the federal chemical facility security regulations should preempt state
regulations; and how much information developed for chemical security purposes may be shared
outside of the facility and the federal government, will exist even if the existing statutory
authority is extended. Other issues, such as what facilities should be regulated as a chemical
facility and whether chemical facilities should be required to adopt or consider adopting
inherently safer technologies, are more likely to be addressed in the context of efforts to revise or
expand existing authority.
Adequacy of Funds
The regulation establishes an oversight structure that relies on DHS personnel inspecting
chemical facilities and ascertaining whether approved site security plans have been implemented.
Although the use of performance-based measures, where chemical facilities are granted flexibility
in determining how to achieve the required security performance, may reduce some demands on
the regulated entities, it may also require greater training and judgment on the part of DHS
inspectors. Inspecting the regulated facilities is likely to be costly. Congressional oversight has
raised the question of whether requested and existing appropriated funds are sufficient to hire and
retain the staff necessary to perform the required compliance inspections.8
The degree to which funds are sufficient to meet agency needs likely depends on several factors
external and internal to DHS. External factors include the number of regulated facilities and the
sufficiency of security plan implementation. Internal factors include the ratio between
headquarters staff and field inspectors; the risk tiers of the regulated facilities; and the timetable
for implementation. Once the number of regulated facilities and their associated timetables are
determined, it may be possible for DHS to more comprehensively determine its resource needs.9
Now that DHS has begun implementation of these requirements, it may be able to provide further
estimates of both funding and staff requirements.
Federal Preemption of State Activities
The original statute did not expressly address the issue of federal preemption of state and local
chemical facility security statute or regulation. When DHS issued regulations establishing the
CFATS program, DHS asserted that the CFATS regulations would preempt state and local
chemical facility security statute or regulation that conflicted with, hindered, posed an obstacle, or
frustrated the purposes of the federal regulation.10 Subsequent to the release of the regulation,
Congress amended DHS’s statutory authority to state that only in the case of an “actual conflict”
would the federal regulation preempt state authority. As the CFATS program has only begun to be
implemented and few states have established independent chemical facility security regulatory
programs, conflict between the federal and state activities has had little opportunity to occur. The

8 House Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure Protection,
Chemical Security: The Implementation of the Chemical Facility Anti-Terrorism Standards and the Road Ahead, 110th
Congress, December 12, 2007.
9 The DHS was required in FY2006 and FY2007 to provide Congress with a report on the resources needed to create
and implement mandatory security requirements. See P.L. 109-295, Department of Homeland Security Appropriations
Act, 2007, and H.Rept. 109-241, accompanying P.L. 109-90, Department of Homeland Security Appropriations Act,
2006.
10 72 Federal Register 17688–17745 (April 9, 2007) at 17739.
Congressional Research Service
6

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

DHS has not identified state programs that conflict with the CFATS regulations.11 The DHS has
also not altered its regulatory language in response to the statutory amendment.
Advocates for federal preemption call for a uniform security framework across the nation. They
assert that a “patchwork” of regulations might develop if states were allowed to independently
develop additional chemical facility security regulations.12 Variances in security requirements
might place companies at a competitive disadvantage based on their geographic location due to
the differing regulatory compliance costs.
Supporters of state rights to establish chemical facility security regulation claim that the federal
regulation should be treated as the minimum standard with which all regulated entities must
comply. They assert that states should be allowed to develop more stringent regulations than the
federal regulations. By doing so, they claim, security would be increased. Some supporters of
state regulation suggest that the state regulations should preempt the federal regulations so long as
they are more stringent than the federal regulation.13 Such a case might occur if a state regulation
mandated the use of a particular security approach at chemical facilities, conflicting with the
federal regulation that adopts a performance-based rather than prescriptive approach. Any state
inclination to require overly stringent regulations likely would be tempered by a desire to retain
industries that might relocate to avoid overly stringent regulation.
Transparency of Process
The CFATS process involves determining chemical facility vulnerabilities and developing
security plans to address them. Information developed in this process is not to be widely and
openly disseminated. The CFATS program protects this information by categorizing it as CVI and
providing penalties for its disclosure. Some advocates have argued for greater transparency in the
CFATS process, even if the detailed information regarding potential vulnerabilities and specific
security measures are kept protected. They assert that those individuals living in surrounding
communities require such information to plan effectively and make choices in an emergency.14
Events stemming from a 2007 explosion at a Bayer CropScience chemical facility in West
Virginia have also led to debate regarding the protective labeling of security information at
chemical facilities.15 This chemical facility was regulated under the Maritime Transportation

11 72 Federal Register 17688–17745 (April 9, 2007) at 17727.
12 See, for example, National Association of Chemical Distributors, “NACD Key Issue: Chemical Facility Security,”
Key Issues 2009 Washington Fly-In 111th Congress.
13 For example, Representative Rothman asked Secretary of Homeland Security Napolitano,
And in particular, there was language enacted in 2008 which said that the states could have their
own regulations with regard to securing chemical plant facilities unless there was a conflict with
the federal requirements. Might it be time to revisit that language to allow each state to have its
own chemical plant security regulations, even stricter than a national minimum standard, even if
they conflict?
(“House Appropriations Subcommittee on Homeland Security Holds Hearing on the Department of Homeland
Security,” CQ Congressional Transcripts, May 12, 2009.)
14 OMB Watch and Public Citizen, “Chemical Facility Anti-Terrorism Standards, Department of Homeland Security,
DHS-2006-0073,” Letter, February 7, 2007.
15 For example, see “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on
the Bayer CropScience Facility Explosion,” CQ Congressional Transcripts, April 21, 2009.
Congressional Research Service
7

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Security Act (MTSA), not CFATS.16 In this case, security information was protected from
disclosure as Sensitive Security Information (SSI), an information protection regime similar to
CVI. Revelations by company officials that the SSI marking was broadly applied partly in hopes
to avoid a public debate on the use of particular chemicals at the facility have led to questions
regarding the application and oversight of such protective markings.17
Definition of Chemical Facility
Many types of facilities are regulated as chemical facilities because they possess, rather than
manufacture, chemicals of interest. These types of facilities include agricultural facilities,
universities, and others. By defining chemical facilities according to possession of a substance of
concern, facilities not part of the chemical manufacturing and distributing chain have become
regulated facilities. Stakeholders have expressed concern that the number of entities so regulated
might be unwieldy and that the regulatory program might focus on many chemical facilities that
pose little risk rather than on those facilities that posed more substantial risk. For example, during
the rulemaking process, DHS received commentary and revised its regulatory threshold for
possession of propane, stating:
DHS, however, set the [screening threshold quantities] for propane in this final rule at 60,000
pounds. Sixty thousand pounds is the estimated maximum amount of propane that non-
industrial propane customers, such as restaurants and farmers, typically use. The Department
believes that non-industrial users, especially those in rural areas, do not have the potential to
create a significant risk to human life or health as would industrial users. The Department
has elected, at this time, to focus efforts on large commercial propane establishments but
may, after providing the public with an opportunity for notice and comment, extend its
[CFATS] screening efforts to smaller facilities in the future. This higher [screening threshold
quantity] will focus DHS’s security screening effort on industrial and major consumers,
regional suppliers, bulk retail, and storage sites and away from non-industrial propane
customers.18
Similarly, academic institutions have asserted that DHS should not apply CFATS regulations to
them because of the dispersed nature of chemical holdings at colleges and universities. These
institutions claim that regulatory compliance costs would not be commensurate with the risk
reduction.19 While the regulatory compliance costs likely decrease at lower risk tiers compared to
higher risk tiers, such costs will be on-going and born by the regulated entities.
As mentioned above, the statutory authority underlying CFATS contains an exemption for several
types of facilities. Some advocacy groups argue against the exclusion of drinking water and
wastewater treatment facilities from chemical facility security regulation.20 Some drinking water
and wastewater treatment facilities possess large amounts of potentially hazardous chemicals,

16 Chemical facilities located in ports are regulated for security purposes under the Maritime Transportation Security
Act of 2002 (P.L. 107-295). Chemical facilities regulated under MTSA are statutorily exempt from CFATS regulation.
17 Testimony of William B. Buckner, President and Chief Executive Officer of Bayer CropScience, before the House
Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009.
18 72 Federal Register 65396–65435 (November 20, 2007) at 65406.
19 72 Federal Register 65396–65435 (November 20, 2007) at 65412.
20 See, for example, Testimony of Philip J. Crowley, Senior Fellow and Director of Homeland Security, Center for
American Progress, before the House Committee on Energy and Commerce, Subcommittee on Environment and
Hazardous Materials, June 12, 2008.
Congressional Research Service
8

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

such as chlorine, for purposes such as disinfection.21 Advocates for their inclusion in security
regulations cite the presence of such potentially hazardous chemicals and their relative proximity
to population centers as reasons to mandate security measures for such facilities. In contrast,
representatives of the water sector point to the critical role that water and wastewater treatment
play in daily life and caution against including these facilities in the existing regulatory
framework citing the potential for undue public impacts. They cite, for example, loss of basic fire
protection and sanitation services if a water or wastewater utility is ordered to cease operations
for security reasons.22
Inherently Safer Technologies
Previous debate on chemical facility security has included whether to mandate the adoption or
consideration of changes in chemical process to reduce the potential consequences following a
successful attack on a chemical facility. Suggestions for such changes have included reducing the
amount of chemical stored onsite and changing the chemicals being used. In previous
congressional debate, these approaches have been referred to as inherently safer technologies or
methods to reduce the consequences of a terrorist attack.
A fundamental challenge with regard to inherently safer technologies is providing an adequate
basis for comparing one technology with its replacement. Without adequate metrics, it is
challenging to unequivocally state that one technology is inherently safer than the other, as factors
may exist that are outside of the comparison framing.23 Additional factors a facility might
consider when weighing the applicability and benefit of switching from one process to another
are issues of cost, technical challenges regarding implementation in specific situations, supply
chain impacts, quality and availability of end products, and indirect effects caused to workers.
Supporters of adopting these approaches as a way to improve chemical facility security argue that
by reducing or removing these chemicals from the facility, the incentive to attack the facility is
also reduced. They suggest that by lowering the consequences of a release, the threat from
terrorist attack is also lowered, and thus the risk to the surrounding populace would be mitigated.
They point to facilities that have voluntarily changed amounts of chemicals on hand or chemical

21 Approximately 52,000 community water systems and 16,500 wastewater treatment facilities are in the United States.
Only some facilities possess potentially hazardous chemicals. See U.S. Environmental Protection Agency, Factoids:
Drinking Water and Ground Water Statistics for 2008
, EPA 816-K-08-004, November 2008, and U.S. Environmental
Protection Agency, Clean Watersheds Needs Survey 2004: Report to Congress, January 2008.
22 American Water Works Association, “Chemical Facility Security,” Fact Sheet, 2009, online at
http://www.awwa.org/files/GovtPublicAffairs/PDF/2009Security.pdf.
For more information on security issues in the water infrastructure sector, see CRS Report RL32189, Terrorism and
Security Issues Facing the Water Infrastructure Sector
, by Claudia Copeland.
23 For example, the replacement of hydrogen fluoride with sulfuric acid for refinery processing would replace a more
toxic chemical with a less toxic one. In this case, experts estimate that twenty-five times more sulfuric acid would be
required for equivalent processing capacity. Thus, more chemical storage facilities and transportation would be
required, potentially posing different dangers than atmospheric release to the surrounding community. Determining
which chemical process had less overall risk might require considering factors both internal and external to the
chemical facility and the surrounding community. See Testimony of Dr. M. Sam Mannan, Director, Mary Kay
O'Connor Process Safety Center, Texas A&M University before the House Committee on Homeland Security,
December 12, 2007.
Congressional Research Service
9

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

processes being used as examples that such an approach can be done in a cost-effective, practical
fashion.24
Opponents of mandating what proponents call inherently safer technologies question the validity
of the approach as a security tool and the government’s ability to effectively oversee its
implementation. One concern stated by industrial entities is a belief that such approaches are
safety, not security, methods already being employed by process safety engineers within the
regulated industry. They assert that process safety experts and business executives should
determine whether changing existing processes is applicable to the specific chemical facility and
is financially practical.25 A second stated concern is that few existing alternative approaches are
well understood with regard to their unanticipated side effects. They claim that these alternative
approaches should continue to be studied rather than immediately applied, since unanticipated
side effects could be deleterious to business and other interests.26 A third opposing view questions
whether the federal government contains the required technical expertise to adjudicate whether an
alternative approach is both practical and beneficial. Holders of this view raise concerns that the
federal government may not possess the required knowledge or expertise to judge whether an
alternative technology can be implemented at a particular site, even if the alternative theoretically
provides benefits over existing technology.27
Policy Options
With the statutory authority expiring in October 2009, Congress faces a decision regarding
chemical facility security. Congress might extend the existing statutory authority by revising or
repealing its sunset provision; codify the existing regulations; amend the existing statutory
authority; address existing programmatic activities; or restrict or expand the scope of chemical
facility security regulation. If Congress doesn’t act and the statutory authority is allowed to
expire, the authority for the application and enforcement of the CFATS regulations may be
brought into question.
If Congress both allows the statutory authority to expire and does not appropriate funding for
implementing the CFATS program, DHS may have difficulty enforcing the CFATS regulations. In
the case where Congress allows the statutory authority to expire, but Congress appropriates funds
for enforcing the CFATS program, DHS will likely be able to enforce the CFATS regulations. The

24 See, for example, Paul Orum and Reece Rushing, Center for American Progress, Preventing Toxic Terrorism: How
Some Chemical Facilities are Removing Danger to American Communities
, April 2006, and Paul Orum and Reece
Rushing, Center for American Progress, Chemical Security 101: What You Don’t Have Can’t Leak, or Be Blown Up by
Terrorists
, November 2008.
25 Testimony of Marty Durbin, Managing Director, Federal Affairs, American Chemistry Council, before the House
Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008.
26 For example, EPA experts have pointed to the change by drinking water treatment facilities from gaseous chlorine
disinfection to chloramine disinfection—a change identified by some advocacy groups as being an inherently safer
substitution—as being correlated with increased levels of lead in drinking water due to increased corrosion.
Government Accountability Office, Lead in D.C. Drinking Water, GAO-05-344, March 2005.
27 See, for example, Testimony of Dennis C. Hendershot, Staff Consultant, Center for Chemical Process Safety,
American Institute of Chemical Engineers, before the Senate Committee on Environment and Public Works, June 21,
2006, S.Hrg. 109-1044. See also, Testimony of Matthew Barmasse, Synthetic Organic Chemical Manufacturers
Association, before the Senate Committee on Homeland Security and Governmental Affairs, July 13, 2005.
Congressional Research Service
10

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

GAO has found that in the case where a program’s statutory authority expires, but Congress
explicitly appropriates funding for it, the program may continue to operate without interruption.28
Maintain the Existing Regulatory Framework
The existing statutory authority places much of the regulatory framework at the discretion of the
Secretary of Homeland Security. The existing statutory authority has led to the development of
CFATS regulations. The DHS is still in the process of implementing the regulations, and their
efficacy has not yet been determined. Congressional oversight of their implementation,
enforcement, and efficacy may play a key role in determining whether the existing authority and
regulations are sufficient. Congress might choose to maintain the existing regulations by
extending the statutory authority’s sunset date, or codifying the existing regulations. Also, as
noted above, allowing the statutory authority to expire could in effect maintain the existing
regulatory framework if Congress continues to fund implementation, although this may be
litigated.
Extend the Sunset Date
Congress might choose to extend the current statutory authority for a fixed or indefinite time. The
Obama Administration has proposed an extension of the existing statutory authority until October
4, 2010.29 Extending the existing statutory authority may provide regulated entities continuity and
protect them from losing those resources already expended in regulatory compliance. An
extension may allow for the efficacy of the existing regulations to be assessed and this
information to be included in any future attempts to revise or extend DHS’s statutory authority.
By extending the sunset date one year, Congress may also provide itself with additional time to
address unresolved policy issues.
Congress might make the existing program permanent by removing the sunset date entirely. Some
chemical manufacturers support converting the existing program into a permanent program.30 The
removal of the sunset date would maintain the current discretion granted to the Secretary of
Homeland Security to develop regulations and might allow for the efficacy of the existing
regulations to be assessed. Making the existing statute permanent might provide consistency in
authority and remove the statutory pressure to reauthorize a program that has a sunset date.
Codify Existing Regulations
Congress might choose to affirm the existing regulations by codifying them or their principles in
statute. Such codification would reduce the discretion of the Secretary of Homeland Security to
alter the CFATS regulations in the future. The existing statutory authority grants broad discretion
to the Secretary in developing many parts of the CFATS regulations. Future Secretaries may
choose to alter its structure or approach and still comply with the existing statute. Congress might
identify specific components of the existing regulation that they wish to be retained in any future

28 Office of the General Counsel, General Accounting Office, Principles of Federal Appropriations Law, Third Edition,
GAO-04-261SP, January, 2004, pp. 2-70–2-71.
29 Department of Homeland Security, FY2010 Budget Justification.
30 Randy Dearth and Cal Dooley, “Commentary: Taking Chemical Plant Security In Pittsburgh Seriously,” Pittsburgh
Post-Gazette
, May 27, 2009.
Congressional Research Service
11

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

regulation and codify those portions. By doing so, the ability of the Secretary to react to changing
circumstance might be limited. On the other hand, the regulated community might be more able
to plan for expenses and future requirements relating to the codified portions.
Alter the Existing Statutory Authority
Congress might choose to alter the existing statutory authority to modify the existing regulations,
address stakeholder concerns, or broadly change the regulatory program.
Accelerate or Decelerate Compliance Activities
The DHS has adopted a schedule for compliance with CFATS that is based on the chemical
facility’s assigned risk tier. Those chemical facilities assigned to higher risk tiers have a more
accelerated compliance and resubmission schedule than those assigned to lower risk tiers.
Congress might attempt to accelerate the compliance schedule by increasing funding available to
DHS for CFATS, increasing the ability of DHS to provide feedback to regulated entities, review
submissions, and inspect facilities filing site security plans. In doing so, inefficiencies or delays
related to DHS processing of submissions might be reduced or mitigated.
Alternatively, Congress might provide DHS with the authority to use third parties as CFATS
inspectors. The DHS would then be able to augment the number of CFATS inspectors to meet
increased demand or delegate inspection authority to state and local governments. Third-party
inspectors might allow DHS to draw on expertise outside of the federal government in assessing
the efficacy of the implemented site security activities. In drawing upon third-party inspectors,
DHS may need to define the roles and responsibilities of these inspectors and how the
qualifications of these inspectors will be assessed and accredited. The DHS has stated its intent to
issue a rulemaking regarding the use of third-party auditors but has not yet done so.31
Congress might choose to slow the implementation schedule of the chemical facility security
regulations. Concern about the impact of the regulation on small businesses or other entities
might lead to a decelerated compliance schedule. The DHS has already implemented select
regulatory extensions for certain agricultural operations32 and colleges and universities.33
Congress might direct DHS to provide longer submission, implementation, and resubmission
timelines for those regulated entities that might suffer disproportionate economic burdens from
compliance.
Incorporate Additional Facility Types
Some advocacy groups have called for inclusion of currently exempt facilities, such as water and
wastewater treatment facilities.34 The federal government does not regulate water and wastewater
treatment facilities for chemical security purposes. Instead, current chemical security efforts at

31 72 Federal Register 17688–17745 (April 9, 2007) at 17712.
32 73 Federal Register 1640 (January 9, 2008).
33 72 Federal Register 65395–65435 (November 20, 2007) at 65412.
34 See, for example, Paul Orum and Reece Rushing, Center for American Progress, Chemical Security 101: What You
Don’t Have Can’t Leak, or Be Blown Up by Terrorists
, November 2008.
Congressional Research Service
12

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

water and wastewater treatment facilities are voluntary in nature.35 The DHS and the
Environmental Protection Agency (EPA) have also called for additional authorities to regulate
these facilities:
The Department of Homeland Security and the Environmental Protection Agency believe
that there is an important gap in the framework for regulating the security of chemicals at
water and wastewater treatment facilities in the United States. The authority for regulating
the chemical industry purposefully excludes from its coverage water and wastewater
treatment facilities. We need to work with the Congress to close this gap in the chemical
security authorities in order to secure chemicals of interest at these facilities and protect the
communities they serve. Water and wastewater treatment facilities that are determined to be
high-risk due to the presence of chemicals of interest should be regulated for security in a
manner that is consistent with the CFATS risk and performance-based framework while also
recognizing the unique public health and environmental requirements and responsibilities of
such facilities.36
If Congress provides the Executive Branch with statutory authority to regulate water and
wastewater treatment facilities for chemical security purposes, it will face several policy
decisions. Among these choices are which facilities should be regulated, how stringent such
security measures should be, what federal agency should oversee them, and whether complying
with these security measures is feasible given the public nature of many water and wastewater
treatment facilities.
One option might be to include water and wastewater treatment facilities under the existing
CFATS regulations, effectively removing the exemption currently in statute. In doing so, water
and wastewater treatment facilities would be placed on par with other possessors of chemicals of
interest. The DHS would provide oversight of all regulated chemical facilities.37 Opponents of
such an approach might cite the essential role that water and wastewater treatment facilities play
in daily life and that several authorities available to DHS under CFATS, such as the ability to
require a facility to cease operations, might be inappropriate if applied to a municipal utility.38
Also, opponents might claim that activities under CFATS, such as vulnerability assessment, are
duplicative of existing requirements under the Safe Drinking Water Act.39
Another option might be to grant statutory authority to regulate water and wastewater treatment
facilities for security purposes to the EPA or require DHS to consult with EPA regarding its
regulation of water and wastewater treatment facilities. Following prior debate on chemical

35 Congress required certain drinking water facilities to perform vulnerability assessments and develop emergency
response plans through section 401 of P.L. 107-188, the Public Health Security and Bioterrorism Preparedness and
Response Act of 2002.
36 Testimony of Benjamin H. Grumbles, Assistant Administrator for Water, U.S. Environmental Protection Agency
before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June
12, 2008.
37 Those chemical facilities exempt from CFATS because they are regulated under MTSA are overseen by the Coast
Guard, which is part of DHS. The DHS testified that 365 facilities are fully exempt from CFATS regulation due to
compliance with MTSA, while 135 are partially exempt (“House Homeland Security Committee Holds Hearing on the
Chemical Facility Antiterrorism Act of 2009,” CQ Congressional Transcripts, June 16, 2009).
38 Testimony of Brad Coffey, Association of Metropolitan Water Agencies, before the House Committee on Energy
and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008.
39 Section 1433 of the Safe Drinking Water Act as amended by section 401 of P.L. 107-188, the Public Health Security
and Bioterrorism Preparedness and Response Act of 2002.
Congressional Research Service
13

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

facility security, Congress provided statutory authority for chemical security to DHS, separating
security responsibilities from the public health and safety responsibilities given to EPA. Providing
one agency the authority to oversee safety and security operations may reduce the potential for
redundancy. Since water treatment facilities must provide a vulnerability assessment to EPA,
some facilities might view regulation under CFATS as redundant in this context.
Similarly, industry representatives have expressed concern regarding multiple agencies regulating
security at drinking water and wastewater treatment facilities.40 They assert that municipalities
that operate both types of facilities might face conflicting regulations and guidance if different
agencies regulate drinking water and wastewater treatment facilities.
The number of regulated facilities might substantially increase if the drinking water and
wastewater treatment facility exemption is removed. The United States contains approximately
52,000 community water systems and 16,500 wastewater treatment facilities.41 These facilities
vary substantially in size and service. The number of regulated facilities would depend on what
criteria are used to determine inclusion, such as chemical possession or number of individuals
served. It is likely that only a subset of these facilities would meet a regulatory threshold.42
Any new regulation of drinking water and wastewater treatment facilities is likely to cause the
regulated entities, and potentially the federal government, to incur some costs. Representatives of
the water and wastewater sectors argue that capital and ongoing costs incurred due to increased
security measures will eventually be borne by local ratepayers.43 Congress may wish to consider
whether these costs should be borne by the regulated entities, as is done for other regulated
chemical facilities, and by those ratepayers served by them or by the taxpayers in general through
financial assistance to the regulated entities. Additionally, if inclusion of other facility types
significantly increases the number of regulated entities, DHS may require additional funds to
process regulatory submissions and perform required inspections.
Consider Inherently Safer Technologies
Congress may choose to address the issue of inherently safer technologies, sometimes called
methods to reduce the consequences of terrorist attack, through a variety of mechanisms. One
approach might be to mandate the implementation of inherently safer technologies for a set of
processes. Another might be to mandate the consideration of implementation of inherently safer
technologies with certain criteria controlling whether implementation is required. A third

40 See, for example, American Water Works Association, “AWWA Members Urged to Contact Congress on Chemical
Security Bill,” and Association of Metropolitan Water Agencies, “Drinking Water Security and Treatment Mandates,”
Policy Resolution, October 2008.
41 See U.S. Environmental Protection Agency, Factoids: Drinking Water and Ground Water Statistics for 2008, EPA
816-K-08-004, November 2008, and U.S. Environmental Protection Agency, Clean Watersheds Needs Survey 2004:
Report to Congress
, January 2008.
42 For example, the number of individuals served by the drinking water facility might be used as a regulatory criterion.
Section 401 of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188)
mandated drinking water facilities serving more than 3,300 individuals develop an emergency response plan and
perform a vulnerability assessment. Approximately 8,400 community water systems met this requirement at that time.
For more information on drinking water security activities, see CRS Report RL31294, Safeguarding the Nation’s
Drinking Water: EPA and Congressional Actions
, by Mary Tiemann.
43 Testimony of Brad Coffey, Association of Metropolitan Water Agencies, before the House Committee on Energy
and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008.
Congressional Research Service
14

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

approach might be to mandate the development of a federal repository of inherently safer
technology approaches and consideration of chemical processes against those options listed in the
repository. Stakeholders might assess and review the viability of applying these inherently safer
approaches at lower cost if such information were centralized and freely available. Congress
might establish an incentive-based structure to encourage the adoption of inherently safer
technologies by regulated entities. Lastly, Congress might choose to not require any consideration
or adoption of inherently safer technology approaches.
Some experts assert that inherently safer technology approaches are considered and assessed as
part of chemical process safety activities.44 These assessments may lead to changes in chemical
process when deemed safer, more reliable, and cost-effective. Congressionally mandated adoption
or consideration of adoption of inherently safer technologies may be viewed as adding factors not
previously considered by an individual facility, such as impact on homeland security. An
additional complication to assessing inherently safer technology is the varying amounts of
information available regarding industrial implementation of inherently safer technologies. While
some facilities have converted to processes generally deemed as inherently safer, sufficient
information may not be available for all facilities and processes to make effective assessment of
the impacts from changing existing processes to ones considered inherently safer.45 Indeed, some
experts have asserted that the metrics for comparing industrial processes are not yet fully
established and need additional research and study.46 The National Academies have recommended
that DHS support research and development to foster cost-effective, inherently safer chemistries
and chemical processes.47
Mandating the implementation of inherently safer technologies at regulated entities may be
challenging due to the differences that exist among chemical facilities, in terms of chemical
process, facility layout, and ability to finance implementation. Even the mandatory consideration
of inherently safer technologies may place a financial burden on some small regulated entities.
Congress might limit mandatory measures to those facilities considered by DHS to pose the most
risk or might provide financial assistance to regulated facilities.48
Congress might choose to try to further incentivize regulated entities to adopt inherently safer
technologies. Under the CFATS regulations, facilities that adopt inherently safer technologies
might change their assigned risk tier by reducing the amount of chemicals of interest on hand.
Congress might provide for financial incentives to regulated entities that adopt inherently safer
technologies for chemicals of interest. Alternatively, Congress might direct DHS or another

44 See, for example, Testimony of Dennis C. Hendershot, Staff Consultant, Center for Chemical Process Safety,
American Institute of Chemical Engineers, before the Senate Committee on Environment and Public Works, June 21,
2006, S.Hrg. 109-1044.
45 The DHS Science and Technology (S&T) Directorate is engaged in a Chemical Infrastructure Risk Assessment
Project that, among other goals, will assess the potential for safer alternative processes that may reduce risk to a select
subset of high volume toxic chemicals (Department of Homeland Security, FY2010 Budget Justification, pp. S&T
R&D - 27–28.).
46 Testimony of Dr. M. Sam Mannan, Director, Mary Kay O'Connor Process Safety Center, Texas A&M University
before the House Committee on Homeland Security, December 12, 2007.
47 Committee on Assessing Vulnerabilities Related to the Nation’s Chemical Infrastructure, National Research Council,
Terrorism and the Chemical Infrastructure: Protecting People and Reducing Vulnerabilities, 2006.
48 Section 401 of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188)
mandated drinking water facilities serving more than 3,300 individuals develop an emergency response plan and
perform a vulnerability assessment. Funds were authorized to help offset the costs to these facilities.
Congressional Research Service
15

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

agency to perform inherently safer technology assessments for regulated entities, transferring the
cost of such assessment from the facility to the federal government.49 The results of these
assessments might then be provided to the regulated entity or used by the agency in overseeing
implementation.
Modify Information Security Provisions
The current statute and regulation protect security-related information from public disclosure.
Only specific “covered persons” are provided access to such protected information. While
acknowledging a legitimate homeland security need to protect security information, some
policymakers have questioned whether information protection regimes applied to chemical
facilities are also meeting other needs. For example, first responders and community
representatives have highlighted how such information protection regimes may impede
emergency response and the ability of those in the surrounding community to react to emergency
situations at the chemical facility.50 Additionally, worker representatives have raised concerns that
worker input into such security plans may be impeded by information protection regimes and the
lack of mandated inclusion of worker representatives.51 Finally, addressing these concerns is
complicated by the need to balance the acknowledged security value of prohibiting disclosure of
facility security information while providing sufficient opportunity for community and worker
input and understanding.
The current information protection regimes for chemical facility security information, CVI under
CFATS and SSI under MTSA, do not contain penalties for incorrectly marking information as
protected. Only disclosure of correctly marked information is penalized. Additionally, the
chemical facility is responsible for identifying and appropriately marking protected information.
These information markings only would be assessed in the case of dispute. As was asserted
during congressional oversight, this disparity may lead to a tendency by regulated entities, in
order to protect themselves against potential liability or scrutiny, to erroneously protect
information that should be made available to the public.52
Additionally, the existing statute contains no provisions explicitly protecting or allowing for
concerned covered persons to divulge protected information or to challenge the categorization of
information as protected in an attempt to inform authorities about security vulnerabilities or other
weaknesses. Depending on the circumstances, those individuals might be penalized for their
disclosure of protected information. The CFATS regulations, reflecting this inherent tension,
provide for a point of contact to which such information might be revealed, but also state

49 Following investigation into the explosion at the Bayer CropScience facility in Institute, West Virginia, Members of
Congress requested that the Chemical Safety Board provide recommendations on the adoption of alternative chemical
processes at the chemical facility. Rep. Henry A. Waxman, Sen. John D. Rockefeller IV, Rep. Bart Stupak, and Rep.
Edward J. Markey, Letter to John Bresland, May 4, 2009, online at http://energycommerce.house.gov/Press_111/
20090504/bayer.pdf.
50 Testimony of Joseph Crawford, Chief of Police, City Saint Albans, West Virginia, before the House Committee on
Energy and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009; and testimony of Kent Carper,
President, Kanawha County Commission, Kanawha County, West Virginia, before the House Committee on Energy
and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009.
51 See, for example, testimony of Glenn Erwin, United Steelworkers International Union, before the Senate Committee
on Homeland Security and Governmental Affairs, July 13, 2005.
52 “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on the Bayer
CropScience Facility Explosion,” CQ Congressional Transcripts, April 21, 2009.
Congressional Research Service
16

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

“Section 550 did not give DHS authority to provide whistleblower protection, and so DHS has
not incorporated specific whistleblower protections into this regulation.”53
Congress might choose to address any of the above issues through amending the existing
statutory authority. For example, while still retaining protections for vulnerability or security
related information, Congress might require specific input to be gathered and documented. Such
input might come from outside groups, worker organizations, or other trade representatives
through formal and informal mechanisms or by the solicitation, development, and use of industry
best practices. The DHS might be directed to make specific types of information, such as the
results of enforcement activities or the approval of successful implementation of a site security
plan, more generally available. By mandating the inclusion of such information gathering or the
release of specific information, Congress might facilitate greater cooperation between various
stakeholder groups. Conversely, such requirements may raise concerns about the degree of
security given to the protected information, since more individuals will be involved in its
development and analysis, perhaps increasing the ability of malicious persons to use such
information for targeting purposes. As more information about the vulnerability assessment
process and the results of the security process are made available, the potential that this disparate
information might be combined to provide insight into a security weakness might increase.
Congress might require the Executive Branch or another entity to identify the threats or
vulnerabilities that might accrue from release of a greater amount of chemical facility security
information prior to implementing such a change.54
Congress might choose to alter the information protection regime afforded to chemical facility
security information by specifically expanding access to first responders. The existing regulation
explicitly states that information developed in response to other laws or regulations, such as
Emergency Planning and Community Right-to-Know Act, are not protected from disclosure. By
enhancing first responder access to such information (for example, by mandating the designation
of a covered individual in all jurisdictions containing a regulated chemical facility) perceived
barriers to disclosing information during an accident might be minimized.
Congress might also choose to address the issue of identifying and marking protected information
by mandating review of marked documents. Such a review might be performed and certified by
the chemical facility. The federal government alternatively might be required to perform such a
review on a regular basis. A review requirement might be burdensome on the entity required to
perform the review and, while potentially limiting incorrect marking, may inhibit information
reporting by regulated entities to the federal government. Additionally, absent a penalty for
incorrect marking, it is unclear how compliance would be assured.
Congress may also address concerns raised regarding the ability of concerned individuals to
report misdeeds by creating a “whistleblower” reporting mechanism.55 One approach might be to
codify the current mechanism of reporting such concerns specifically to DHS or a similar federal
entity, such as an agency Inspector General. Alternatively, a more general exemption to the

53 72 Federal Register 17688–17745 (April 9, 2007) at 17718.
54 A similar approach was taken with regard to making available chemical facility information submitted to the EPA
under the auspices of the Risk Management Program. In this case, the President was directed to assess the potential risk
of placing this information on the Internet. See Section 3 of Chemical Safety Information, Site Security and Fuels
Regulatory Relief Act (P.L. 106-40).
55 While DHS has established a “CFATS Tip-Line” where individuals may report security concerns, no special
protections accrue to individuals using the tip-line.
Congressional Research Service
17

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

penalties arising from disclosure of protected information might be created for those individuals
who report such concerns to federal officials in general. As part of a whistleblower mechanism,
Congress might choose to extend protections against retaliation or other job-related actions to
those individuals availing themselves of current or newly established reporting mechanisms.
Preempt State Regulations
Congress addressed the issue of federal preemption of state chemical facility security statutes and
regulations in the 110th Congress, placing in statute the requirement that only when an “actual
conflict” occurs between state and federal regulation will the state regulation be preempted.56
Congress may choose to further limit the cases where federal regulation would preempt state
regulation by affirming the right of states to make chemical facility security regulations that are
more stringent than federal regulation even if they conflict. Alternatively, Congress may choose
to increase the number of cases where federal regulations preempt those of a state by expanding
the types of conflict, beyond “actual,” that will lead to preemption.
Harmonization of Regulations
Some facilities exempt from the existing chemical facility security regulations are regulated under
other security provisions. If these facilities become included, conflicts may arise between
requirements under chemical facility security regulations and these other provisions. One
approach to resolving these conflicts is to identify which statute will supersede the others,
providing a single statutory requirement. Critics of such an approach might assert that the
superseding statute does not contain all of the protections present in the other statutes. Another
approach might be to require agencies to generally harmonize the regulations implementing each
statute. Regulatory agencies might identify and determine the best ways to meet statutory
requirements while also limiting regulatory duplication or contradiction.
Legislation in the 111th Congress
Members of the 111th Congress have introduced legislation to extend or enhance DHS chemical
facility security activities. Additionally, the annual appropriations process is providing FY2010
funding for implementation of chemical facility security regulation. Legislative proposals have
generally taken one of two approaches: extending the existing authority or modifying the existing
authority.
Extend the Existing Authority
Several bills would extend the expiration date of the existing statutory authority. The
Administration had requested in its budget submission an extension of the existing statutory
authority to October 4, 2010. Both the Senate-passed and the House-passed versions of the
Department of Homeland Security appropriations bill (H.R. 2892) would provide an extension of
the existing statutory authority to October 4, 2010. In contrast, H.R. 2477, the Chemical Facility

56 P.L. 110-161, the Consolidated Appropriations Act, 2008.
Congressional Research Service
18

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

Security Authorization Act of 2009, would extend the duration of the existing statutory authority
to October 1, 2012.
Modify the Existing Authority
Bills modifying the existing authority have been introduced in the House. H.R. 2868, the
Chemical Facility Anti-Terrorism Act of 2009, would reduce the discretion of the Secretary of
Homeland Security by placing in statute aspects of the CFATS regulatory framework. It would
also modify the existing authority in several ways. Among other changes, H.R. 2868 would
increase the types of facilities eligible for regulation by the Secretary, removing current statutory
exemptions for selected types of entities, such as wastewater and drinking water facilities and
those facilities already regulated under MTSA. It would also mandate the use, in certain cases, of
measures to reduce the consequences of a terrorist attack as part of a site security plan. The bill
would alter the existing information protection scheme, removing the existing requirement that
security information be treated as classified in enforcement proceedings. H.R. 2868 would create
a citizens’ suit process for requiring enforcement and establish explicit protections for individuals
who act as “whistleblowers” and report security vulnerabilities. The bill also identifies criteria
and parameters for mandatory security background checks. Finally, H.R. 2868 directs that state
and local chemical facility security laws and regulations are preempted only if they are less
stringent than the federal law and regulation. H.R. 2868 has been reported by the House
Committee on Homeland Security57 and referred to the House Committees on Energy and
Commerce and on the Judiciary.
H.R. 261, the Chemical Facility Security Improvement Act of 2009, would prohibit the Secretary
of Homeland Security from approving a chemical facility site security plan if the plan did not
meet or exceed existing state or local security requirements. It would allow the Secretary of
Homeland Security to mandate the use of specific security measures in site security plans. The
bill would also cause protected information to be treated as SSI in both general and legal
proceedings. Finally, the act would no longer prohibit suit to be brought in court to require the
Secretary of Homeland Security to enforce chemical facility security regulations against a
chemical facility.
Other introduced bills would apply security requirements similar facilities currently exempt under
CFATS. H.R. 3258 would require the Administrator of EPA to promulgate regulations requiring
drinking water systems serving more than 3,300 individuals to perform a vulnerability
assessment, develop and implement a site security plan meeting tiered risk-based performance
standards, and develop an emergency response plan. It would mandate that each regulated system
perform an assessment of methods to reduce the consequences of a chemical release from an
intentional act at the system and, if the system is in one of the two highest risk-based tiers,
implement such methods if so directed. H.R. 3258 would mandate employee participation and
training. States that have been delegated primary enforcement responsibility for regulated water
systems under the Safe Drinking Water Act would be responsible for security oversight. Penalties
for violations of the regulations are specified. H.R. 3258 would prohibit the release of specific
information under FOIA and require a periodic report to Congress regarding implementation of
the regulation. It also would exempt covered facilities from regulation under other specified
chemical facility security laws. The Administrator would be authorized to provide grants to states,

57 H.Rept. 111-205.
Congressional Research Service
19

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

covered water systems, and non-profit organizations to assist in meeting regulatory requirements.
H.R. 3258 has been referred to the House Committee on Energy and Commerce.
H.R. 2883 would require wastewater treatment facilities possessing certain chemicals at amounts
specified by the Administrator of the EPA to perform a vulnerability assessment that includes a
site security plan. The Administrator of the EPA would be required to publish guidelines for the
development of the vulnerability assessments and develop standards for categorizing treatment
works into four risk-based tiers. The vulnerability assessments would be reviewed by the
Administrator and would not be released under FOIA. H.R. 2883 would authorize the
Administrator to provide grants for vulnerability assessments, security enhancements, and worker
training programs and to provide technical assistance to small publicly owned treatment works.
H.R. 2883 has been referred to the House Committee on Transportation and Infrastructure.

Author Contact Information

Dana A. Shea

Specialist in Science and Technology Policy
dshea@crs.loc.gov, 7-6844




Congressional Research Service
20