Chemical Facility Security:
Issues and Options for the 113th Congress
Dana A. Shea
Specialist in Science and Technology Policy
May 9, 2014
Congressional Research Service
7-5700
www.crs.gov
R42918

Chemical Facility Security: Issues and Options for the 113th Congress

Summary
The Department of Homeland Security (DHS) has statutory authority to regulate chemical
facilities for security purposes. The 113th Congress extended this authority through October 4,
2014. Congressional policy makers have debated the scope and details of reauthorization and
continue to consider establishing an authority with longer duration. Some Members of Congress
support an extension, either short- or long-term, of the existing authority. Other Members call for
revision and more extensive codification of chemical facility security regulatory provisions.
Questions regarding the current law’s effectiveness in reducing chemical facility risk and the
sufficiency of federal chemical facility security efforts exacerbate the tension between continuing
current policies and changing the statutory authority.
Congressional policy makers have questioned DHS’s effectiveness in implementing the
authorized regulations, called chemical facility anti-terrorism standards (CFATS). The DHS
finalized CFATS regulations in 2007. Since then, the site security plans for 719 chemical facilities
have been approved in the CFATS process, which starts with information submission by chemical
facilities and finishes with inspection and approval of facility security measures by DHS.
Additionally, DHS has inspected some facilities for subsequent compliance activities. Several
factors, including the amount of detailed information provided to DHS, the effectiveness of DHS
program management, and the availability of CFATS inspectors, likely complicate the inspection
process and lead to delays in inspection. Policy makers have questioned whether the compliance
rate with CFATS is sufficient to mitigate this homeland security risk. For additional analysis of
CFATS implementation, see CRS Report R43346, Implementation of Chemical Facility Anti-
Terrorism Standards (CFATS): Issues for Congress.
Key policy issues debated in previous Congresses contribute to the current reauthorization debate.
These issues include the adequacy of DHS resources and efforts; the appropriateness and scope of
federal preemption of state chemical facility security activities; the availability of information for
public comment, potential litigation, and congressional oversight; the range of chemical facilities
identified by DHS; and the ability of inherently safer technologies to achieve security goals.
The 113th Congress might take various approaches to this issue. Congress might allow the
statutory authority to expire but continue providing appropriations to administer the regulations.
Congress might permanently or temporarily extend the statutory authority to observe the impact
of the current regulations and, if necessary, address any perceived weaknesses at a later date.
Congress might codify the existing regulations in statute and reduce the discretion available to the
Secretary of Homeland Security to change the current regulatory framework. Alternatively,
Congress might substantively change the current regulation’s implementation, scope, or impact
by amending the existing statute or creating a new one. Finally, Congress might choose to
terminate the program by allowing its authority to lapse and removing funding for the program.
This would leave regulation of chemical facility security to state and local governments.

Congressional Research Service

Chemical Facility Security: Issues and Options for the 113th Congress

Contents
Introduction ...................................................................................................................................... 1
Overview of Statute and Regulation ................................................................................................ 1
Implementation ................................................................................................................................ 4
Staffing and Funding ................................................................................................................. 4
Number of Regulated Facilities ................................................................................................. 6
Facility Inspections and Plan Approval ..................................................................................... 8
Program Reviews ..................................................................................................................... 10
Internal Review of CFATS Program ................................................................................. 10
Office of the Inspector General Review ............................................................................ 12
Government Accountability Office Review ...................................................................... 13
Policy Issues .................................................................................................................................. 14
Funding and Infrastructure and Workforce Capabilities .......................................................... 14
Inspection Rate ........................................................................................................................ 15
Federal Preemption of State Activities .................................................................................... 17
Transparency ........................................................................................................................... 18
Definition of Chemical Facility ............................................................................................... 19
Identification of Non-Responsive Facilities ............................................................................ 22
Inherently Safer Technologies ................................................................................................. 24
Personnel Surety ...................................................................................................................... 27
Policy Options ............................................................................................................................... 28
Continue Congressional Oversight .......................................................................................... 29
Maintain the Existing Regulatory Framework ........................................................................ 29
Extend the Sunset Date ..................................................................................................... 29
Codify the Existing Regulations ....................................................................................... 30
Alter the Existing Statutory Authority ..................................................................................... 30
Accelerate or Decelerate Compliance Activities ............................................................... 30
Incorporate Excluded Facilities ......................................................................................... 31
Harmonize Regulations ..................................................................................................... 33
Increase Interagency Coordination .................................................................................... 35
Consider Inherently Safer Technologies ........................................................................... 36
Modify Information Security Provisions ........................................................................... 38
Preempt State Regulations................................................................................................. 40
Congressional Action ..................................................................................................................... 40
Extend the Existing Authority ................................................................................................. 40
P.L. 113-76 ........................................................................................................................ 40
P.L. 113-73 ........................................................................................................................ 43
P.L. 113-46 ........................................................................................................................ 43
P.L. 113-6 .......................................................................................................................... 43
Modify the Existing Authority ................................................................................................. 43
H.R. 4007 .......................................................................................................................... 43
H.R. 68 .............................................................................................................................. 45
S. 67 ................................................................................................................................... 45
S. 68 ................................................................................................................................... 45
S. 814 ................................................................................................................................. 46

Congressional Research Service

Chemical Facility Security: Issues and Options for the 113th Congress

Figures
Figure 1. Overview of CFATS Regulatory Process ......................................................................... 3

Tables
Table 1. DHS Funding for Chemical Facility Security Regulation by Fiscal Year .......................... 5
Table 2. High-Risk Facilities Regulated by DHS under CFATS ..................................................... 7
Table 3. DHS Authorization and Approval of Facility Site Security Plans ..................................... 9
Table 4. Facilities Regulated Under CFATS by Primary Risk Category ....................................... 20

Contacts
Author Contact Information........................................................................................................... 46

Congressional Research Service

Chemical Facility Security: Issues and Options for the 113th Congress

Introduction
Recognizing the potential harm that a large, sudden release of hazardous chemicals poses to
nearby people, state and federal governments have long regulated safety practices at chemical
facilities. Historically, chemical facilities have engaged in security activities on a voluntary basis.
Even before the terrorist attacks of 2001, congressional policy makers expressed concern over the
security vulnerabilities of these facilities. After the 2001 attacks and the decision by several states
to begin regulating security at chemical facilities, Congress again considered requiring federal
security regulations to mitigate these risks.
In 2006, the 109th Congress passed legislation providing the Department of Homeland Security
(DHS) with statutory authority to regulate chemical facilities for security purposes. Subsequent
Congresses have extended this authority, which currently expires on October 4, 2014. Advocacy
groups, stakeholders, and policy makers have called for Congress to reauthorize this authority,
though they disagree about the preferred approach. Congress may extend the existing authority,
revise the existing authority to resolve potentially contentious issues, or allow this authority to
lapse.
The explosion on April 17, 2013, at the West Fertilizer Company fertilizer distribution facility in
West, TX, has led to additional focus on DHS’s ability to identify noncompliant facilities. The
West Fertilizer Company had not reported to DHS under the CFATS program, though it appeared
to have possessed more than screening threshold quantities of chemicals of interest.1 While DHS
had engaged in previous activity to identify facilities that had not complied with CFATS reporting
requirements, DHS did not identify the West Fertilizer Company. Congressional policy makers
have questioned the sufficiency of DHS efforts to identify these noncompliant “outlier” facilities.2
This report provides a brief overview of the existing statutory authority and implementing
regulation. It describes several policy issues raised in previous debates regarding chemical facility
security and identifies policy options for congressional consideration. For additional analysis of
CFATS implementation, see CRS Report R43346, Implementation of Chemical Facility Anti-
Terrorism Standards (CFATS): Issues for Congress.
Overview of Statute and Regulation
The 109th Congress provided DHS with statutory authority to regulate chemical facilities for
security purposes.3 The statute explicitly identified some DHS authorities and left other aspects to
the discretion of the Secretary of Homeland Security. The statute contains a “sunset provision”

1 Personal communication between CRS and DHS staff, April 23, 2013.
2 Representative Michael T. McCaul, Chairman, Committee on Homeland Security; Representative Fred Upton,
Chairman, Committee on Energy and Commerce; and Representative John Carter, Chairman, Homeland Security
Appropriations Subcommittee, Letter to Janet Napolitano, Secretary, U.S. Department of Homeland Security, July 22,
2013; Senator Tom Carper, Chairman, Committee on Homeland Security and Governmental Affairs, Letter to Janet
Napolitano, Secretary, and Suzanne Spaulding, Acting Under Secretary, National Protection and Programs, U.S.
Department of Homeland Security, June 28, 2013; and Representative Henry A. Waxman, ranking Member, Committee
on Energy and Commerce, and Representative Bennie G. Thompson, ranking Member, Committee on Homeland
Security, Letter to President Barack Obama, May 2, 2013.
3 Section 550, P.L. 109-295, Department of Homeland Security Appropriations Act, 2007.
Congressional Research Service
1

Chemical Facility Security: Issues and Options for the 113th Congress

that causes the statutory authority to expire on October 4, 2014.4 This section reviews the
chemical facility security statute and regulation, focusing on the regulatory compliance process.
On April 9, 2007, DHS issued an interim final rule regarding the chemical facility anti-terrorism
standards (CFATS).5 This interim final rule entered into force on June 8, 2007. The interim final
rule implements statutory authority explicit in P.L. 109-295, Section 550, and authorities DHS
found that Congress implicitly granted. In promulgating the interim final rule, DHS interpreted
the language of the statute to determine what DHS asserts was the intent of Congress.
Consequently, much of the rule arises from the Secretary’s discretion and interpretation of
legislative intent rather than explicit statutory language.
Under the interim final rule, the Secretary of Homeland Security determines which chemical
facilities must meet regulatory security requirements, based on the degree of risk posed by each
facility. The DHS lists 322 “chemicals of interest” for the purposes of compliance with CFATS.6
The DHS considers each chemical in the context of three threats: release; theft or diversion; and
sabotage and contamination. Chemical facilities with greater than specified quantities, called
screening threshold quantities, of chemicals of interest must submit information to DHS to
determine the facility’s risk status. See Figure 1. The statute exempts several types of facilities
from this requirement: facilities defined as a water system or wastewater treatment works;
facilities owned or operated by the Department of Defense or Department of Energy; facilities
regulated by the Nuclear Regulatory Commission (NRC); and those facilities regulated under the
Maritime Transportation Security Act of 2002 (P.L. 107-295).
Based on the information received from the facility, DHS determines whether a facility is or is
not high-risk. Facilities that DHS deems high risk must meet CFATS requirements. The DHS
assigns high-risk facilities into one of four tiers based on the magnitude of the facility’s risk.
Facilities in higher risk tiers must meet more stringent requirements. The statute mandated the use
of performance-based security requirements.7 The DHS created graduated performance-based
requirements for facilities assigned to each risk-based tier.

4 The original statutory authority expired on October 4, 2009, three years after enactment. Congress has incrementally
extended this authority through many appropriation acts and continuing resolutions. The Consolidated Appropriations
Act, 2014 (P.L. 113-76) extends the statutory authority through October 4, 2014.
5 72 Federal Register 17688-17745 (April 9, 2007). An interim final rule is a rule that meets the requirements for a
final rule and that has the same force and effect as a final rule, but contains an invitation for further public comment on
its provisions. After reviewing comments to the interim final rule, an agency may modify the interim final rule and
issue a “final” final rule. The DHS first issued the proposed rule in December 2006 and solicited public comments. 71
Federal Register 78276-78332 (December 28, 2006).
6 72 Federal Register 65396-65435 (November 20, 2007).
7 According to the White House Office of Management and Budget, a performance standard is a standard
that states requirements in terms of required results with criteria for verifying compliance but
without stating the methods for achieving required results. A performance standard may define the
functional requirements for the item, operational requirements, and/or interface and
interchangeability characteristics. A performance standard may be viewed in juxtaposition to a
prescriptive standard which may specify design requirements, such as materials to be used, how a
requirement is to be achieved, or how an item is to be fabricated or constructed.
For example, a performance standard might require that a facility perimeter be secured. In contrast, a prescriptive
standard might dictate the height and type of fence to be used to secure the perimeter. See Office of Management and
Budget, The White House, “Federal Participation in the Development and Use of Voluntary Consensus Standards and
in Conformity Assessment Activities,” Circular A-119, February 10, 1998.
Congressional Research Service
2

Chemical Facility Security: Issues and Options for the 113th Congress

Figure 1. Overview of CFATS Regulatory Process
(July 2012)

Source: Office of Infrastructure Protection, National Protection and Programs Directorate, Department of
Homeland Security, Chemical Facility Anti-Terrorism Standards (CFATS) and Ammonium Nitrate Security Regulation
Update, July 31, 2012.
Notes: COI = Chemical of Interest; STQ = Screening Threshold Quantity; CVI = Chemical-terrorism
Vulnerability Information; CSAT = Chemical Security Assessment Tool; SVA = Security Vulnerability Assessment;
ASP = Alternative Security Program; SSP = Site Security Plan.
All high-risk facilities must perform a security vulnerability assessment, develop an effective site
security plan, submit these documents to DHS, and implement their security plan.8 The security
vulnerability assessment serves two purposes under the interim final rule. One is to determine or
confirm the placement of the facility in a risk-based tier. The other is to provide a baseline against
which to evaluate the site security plan activities.
The site security plans must address the security vulnerability assessment by describing how
activities in the plan correspond to securing facility vulnerabilities. Additionally, the site security
plan must address preparations for and deterrents against specific modes of potential terrorist
attack, as applicable and identified by DHS. The site security plans must also describe how the
activities taken by the facility meet the risk-based performance standards provided by DHS.
The DHS must review and approve the submitted documents, audit and inspect chemical
facilities, and determine regulatory compliance. The DHS may disapprove submitted security
vulnerability assessments or site security plans that fail to meet DHS performance-based
standards, but not because of the presence or absence of a specific security measure. In the case
of disapproval, DHS must identify in writing those areas of the assessment and/or plan that need

8 High-risk facilities may develop security vulnerability assessments and site security plans using alternative security
programs so long as they meet the tiered, performance-based requirements of the interim final rule.
Congressional Research Service
3

Chemical Facility Security: Issues and Options for the 113th Congress

improvement. Owners or operators of chemical facilities may appeal disapproval of site security
plans to DHS.
Similarly, if, after inspecting a chemical facility, DHS finds the facility not in compliance, the
Secretary must write to the facility explaining the deficiencies found, provide an opportunity for
the facility to consult with DHS, and issue an order to the facility to comply by a specified date. If
the facility continues to be out of compliance, DHS may fine and, eventually, order the facility to
cease operation. The interim final rule establishes the process by which chemical facilities can
appeal such DHS decisions and rulings, but the statute prohibits third-party suits for enforcement
purposes.
The statute requires certain protections for information developed in compliance with this act.
The interim final rule creates a category of information exempted from disclosure under the
Freedom of Information Act (FOIA) and comparable state and local laws. The DHS named this
category of information “Chemical-terrorism Vulnerability Information” (CVI). Information
generated under the interim final rule, as well as any information developed for chemical facility
security purposes identified by the Secretary, comprise this category. Judicial and administrative
proceedings shall treat CVI as classified information. The DHS asserts sole discretion regarding
who will be eligible to receive CVI. Disclosure of CVI may be punishable by fine.
The interim final rule states it preempts state and local regulation that “conflicts with, hinders,
poses an obstacle to, or frustrates the purposes of” the federal regulation.9 States, localities, or
affected companies may request a decision from DHS regarding potential conflict between the
regulations. Since DHS promulgated the interim final rule, Congress amended P.L. 109-295,
Section 550, to state that such preemption will occur only in the case of an “actual conflict.”10
The DHS has not issued revised regulations addressing this change in statute.
Implementation
The National Protection and Programs Directorate (NPPD) within DHS is responsible for
chemical facility security regulations. In turn, the Office of Infrastructure Protection, through its
Infrastructure Security Compliance Division (ISCD), oversees the CFATS program within
NPPD.11 This section reviews implementation of the chemical facility security regulations,
focusing on funding, the number of regulated facilities, rate of facility inspection, and reviews of
DHS implementation efforts.
Staffing and Funding
The availability of staff, infrastructure, and funds is a key factor in implementing the CFATS
program. Congress has not authorized specific appropriations for the CFATS program. As seen in
Table 1, the staffing and funding for this program generally increased since its creation, but

9 72 Federal Register 17688-17745 (April 9, 2007) at 17739.
10 Section 534, P.L. 110-161, the Consolidated Appropriations Act, 2008.
11 The budget request for the Infrastructure Security Compliance Project contains the Infrastructure Security
Compliance Division funding and personnel allocations for implementing CFATS and ammonium nitrate regulations.
Congressional Research Service
4

Chemical Facility Security: Issues and Options for the 113th Congress

decreased since FY2011. The full-time-equivalent (FTE) staffing peaked in FY2011 at 257 FTE.
Appropriations for this program peaked in FY2010 at $103 million.
Table 1. DHS Funding for Chemical Facility Security Regulation by Fiscal Year
Request
Appropriation
Full-time
Fiscal Year
($ in millions)
($ in millions)
Equivalents
FY2007 10 22a 0
FY2008 25 50 21
FY2009 63 78b 78
FY2010 103c 103d 246
FY2011 105
96 257
FY2012 99 93
242
FY2013 75 72e 230
FY2014 86 81 242
FY2015 87
263
Sources: Department of Homeland Security, congressional justifications FY2007-FY2015; H.Rept. 109-699; P.L.
110-28; the explanatory statement for P.L. 110-161 at Congressional Record, December 17, 2007, p. H16092; the
explanatory statement for P.L. 110-329 at Congressional Record, September 24, 2008, pp. H9806-H9807; H.Rept.
111-298; P.L. 111-242, as amended; S.Rept. 112-74; H.Rept. 112-331; P.L. 112-175; P.L. 113-6; Department of
Homeland Security, U.S. Department of Homeland Security Fiscal Year 2013 Post-Sequestration Operating Plan; Fiscal
Year 2013 Report to Congress, April 26, 2013; P.L. 113-46; H.Rept. 113-91; S.Rept. 113-77; and the joint
explanatory statement for P.L. 113-76 at Congressional Record, January 15, 2014, p. H935.
Notes: Congress has not enacted specific authorization of appropriations for chemical facility security. Funding
levels rounded to nearest million. A full-time equivalent equals one staff person working a full-time work
schedule for one year. The DHS requests funding for chemical facility security through the Infrastructure
Security Compliance Project. Beginning in FY2009, DHS designated some of this funding for activities related to
regulation of ammonium nitrate.
a. Includes funds provided in supplemental appropriations (P.L. 110-28).
b. Of this amount appropriated for the Infrastructure Security Compliance Project, $5 million were designated
for activities related to the development of ammonium nitrate regulations.
c. Of this amount requested for the Infrastructure Security Compliance Project, $14 million were designated
for activities related to the development of ammonium nitrate regulations.
d. Of this amount appropriated for the Infrastructure Security Compliance Project, $14 million were
designated for activities related to the development of ammonium nitrate regulations. The ISCD reports an
additional $4.8 million rescission in FY2010. See House Committee on Energy and Commerce,
Subcommittee on Environment and the Economy, The Chemical Facility Anti-Terrorism Standards Program: A
Progress Report, Serial No. 112-172, September 11, 2012, p. 123.
e. The appropriation reported here is after reduction due to rescissions and sequestration. Funding as
appropriated, prior to rescission and sequestration, was $78 million.
When DHS received statutory authority to regulate chemical facilities in 2006, it did not possess a
chemical facility security office or inspector cadre. The general increase in FTE over time reflects
the creation and staffing of the office and the development of an inspector cadre. In February
2012, DHS testified that it had hired most of the inspector cadre.12 In March 2013, the DHS

12 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland
(continued...)
Congressional Research Service
5

Chemical Facility Security: Issues and Options for the 113th Congress

Inspector General reported that a working group within ISCD requested an additional 64
inspectors for FY2014 and FY2015 to increase the rate of facility inspection. According to the
DHS Inspector General, this request was not approved.13
For FY2014, Congress appropriated $81 million for ISCD, an increase in funding from FY2013.14
The joint explanatory statement accompanying FY2014 appropriations also directed DHS to
provide reports to Congress on CFATS implementation, coordination of chemical security
responsibilities, how ISCD will improve its review process, and how NPPD is avoiding program
duplication and is ensuring facility security in its personnel surety efforts. It also requires DHS
provide a comprehensive update on efforts to address facilities not reporting under CFATS.
Number of Regulated Facilities
The DHS has received more than 46,000 Top-Screen submissions from over 36,000 chemical
facilities (step 4 in Figure 1).15 Of these facilities, DHS required more than 7,800 to submit a
security vulnerability assessment to determine whether they were high-risk. From the submitted
security vulnerability assessments, DHS currently identifies approximately 4,100 facilities as
high-risk. The DHS considers the other facilities as low-risk, and they need meet no further
CFATS requirements at this time.16 The DHS assigned each high-risk facility, in some cases
preliminarily, to one of four risk tiers (step 7 in Figure 1). Table 2 shows the number of high-risk
facilities in each tier, with Tier 1 those facilities of highest risk.
In May 2010, DHS identified an anomaly in one of the risk-assessment tools it used to determine
a facility’s risk tier. At that time, DHS believed that it had resolved the anomaly. In June 2011, a
new acting ISCD Director “rediscovered” this issue, identified its potential effect on facility
tiering, brought the issue to the attention of NPPD leadership,17 and notified facilities of their
change in risk tier.18 Subsequent review of this risk-assessment tool resulted in DHS reviewing
the tier determination of approximately 500 facilities.19 The DHS lowered the number of facilities

(...continued)
Security, before the House Committee on Energy and Commerce, Subcommittee on Environment and the Economy,
February 3, 2012.
13 Office of the Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security
Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program,
OIG-13-55, March 2013, p. 20.
14 This amount is an increase compared to FY2013 funding both before and after reductions due to sequestration.
15 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, May 2014, http://www.dhs.gov/
sites/default/files/publications/CFATS%20Update%20FS_May2014_508_0.pdf.
16 This determination might change, for example, if the facility changed its chemical holdings. The DHS considered
approximately 3,000 facilities as high-risk before the facilities voluntarily removed, reduced, or modified their holdings
of chemicals of interest.
17 Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Energy and Commerce, Subcommittee on Environment and the
Economy, February 3, 2012.
18 Department of Homeland Security, DHS Notifies Chemical Facilities of Revised Tiering Assignments, July 5, 2011,
http://www.dhs.gov/files/programs/cfats-revised-tiering-assignments.shtm.
19 Response to Questions for the Record by Rand Beers, Under Secretary, National Protection and Programs
Directorate, Department of Homeland Security, before the House Committee on Appropriations, Subcommittee on
Homeland Security, March 1, 2012.
Congressional Research Service
6

Chemical Facility Security: Issues and Options for the 113th Congress

allocated at that time to the highest-risk tier from 219 to 102, a greater than 50% reduction.20 In
some cases, DHS determined that facilities no longer qualified as a high-risk facility and thus
were not subject to the CFATS regulations.
Table 2. High-Risk Facilities Regulated by DHS under CFATS
(as of February 27, 2014)
Risk
Facilities with
Facilities Awaiting
Tier
Final Tier Decision
Final Tier Decision
Total Facilities
1 111
9 120
2 343
49 392
3 957 162 1,119
4 1,914
657 2,571
Total 3,325
877
4,202
Source: Testimony of Caitlin Durkovich, Assistant Secretary for Infrastructure Protection, and David Wulf,
Director, Infrastructure Security Compliance Division, National Protection and Programs Directorate,
Department of Homeland Security, before the Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies, House Committee on Homeland Security, February 27, 2014.
Notes: The DHS has preliminarily assigned some facilities to a risk tier. Final assignment to a risk tier occurs
after final review of submitted security vulnerability assessments. The DHS has released more recent information
regarding the total number of facilities (4,093) but has not identified them by risk tier. Department of Homeland
Security, Chemical Facility Anti-Terrorism Standards, May 2014.
Overall, the total number of chemical facilities assigned a risk tier by DHS has declined since the
CFATS program began. The DHS asserts that the observed reduction in regulated chemical
facilities indicates that the CFATS program and its statutory authority are increasing security by
inducing regulated entities to voluntarily reduce the chemical holdings to levels below the
regulatory threshold. Several other factors may have contributed to this decline, including
erroneous filing by regulated entities, process changes on the part of regulated entities, and
business operations and decisions.
The reported total number of facilities may not fully reflect the actual number of facilities
possessing chemicals of interest above screening threshold quantities. Since the CFATS program
relies on facilities possessing such chemicals to report their holdings, it is possible that additional
facilities exist that have not reported possessing chemicals of interest.21 For example, DHS did

20 CRS analysis of facilities with either final or preliminary tier assignment. See National Protection and Programs
Directorate, Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, 13th Annual
DOE/EFCOG Chemical Safety and Lifecycle Management Workshop, March 23, 2011; Personal communication
between CRS and DHS staff, September 15, 2011; and AcuTech Consulting Group, A Survey of CFATS Progress in
Securing the Chemical Sector, September 6, 2011.
21 The DHS has recognized this potential challenge since at least 2009, when it identified these types of facilities as
“outliers.” In 2009, DHS engaged in a pilot program with the state of New York and the state of New Jersey in part to
identify such facilities. See testimony of Philip Reitinger, Deputy Under Secretary, National Protection and Programs
Directorate, Department of Homeland Security, before the House Committee on Homeland Security, June 16, 2009;
and testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
Congressional Research Service
7

Chemical Facility Security: Issues and Options for the 113th Congress

not receive any submissions from the West Fertilizer Company.22 Reportedly DHS was not aware
of the chemical holdings at the facility prior to its explosion.23
If such facilities did not report their holdings, DHS would not assess whether they were high-risk
and thus regulated. A potential mitigating factor might be if other federal agencies that receive
information about facility chemical holdings through different regulatory programs shared such
information with DHS. Such information sharing might allow DHS to identify facilities that had
not reported to it but had reported to other federal agencies.
Facility Inspections and Plan Approval
The DHS originally planned to begin inspections of Tier 1 facilities as soon as 14 months after it
issued regulations implementing CFATS (step 11 of Figure 1).24 Several factors have delayed
inspections, including the release of additional regulatory requirements in the form of an
appendix and the need to build an inspector cadre, establish a regional infrastructure, and assist
facilities in complying with the regulation. Chemical inspectors must be able to assess the
security measures at a chemical facility using the performance-based criteria developed by DHS.
Performance-based security measures are likely more difficult to assess than prescriptive
measures and thus inspectors may require greater training and experience. To overcome this
challenge, DHS established a Chemical Security Academy, a 10-week training course for
inspectors. Such training, while likely improving the quality of inspection, also introduces
additional time between the hiring of new inspectors and their deployment in the field.
Since 2007, DHS officials have provided numerous dates for beginning inspections.25 The DHS
began inspections of Tier 1 facilities in February 2010.26 At that time, DHS testified that it
planned to inspect all Tier 1 facilities by the end of calendar year 2010,27 but by the end of
calendar year 2011, DHS had only authorized 10 site security plans (step 10 of Figure 1) and had
approved no implementation of any site security plan.28 Since then, DHS has implemented an
interim site security plan review process that it asserts is more effective and timely. The DHS has
used this interim review process to authorize additional site security plans. As of May 2014, DHS
had authorized or conditionally authorized 1,474 site security plans. The DHS also reported that it
had successfully inspected and approved the site security plan at 719 facilities.29 The DHS has not

22 Personal communication between CRS and DHS staff, April 23, 2013.
23 Joshua Schneyer, Ryan McNeill, and Janet Roberts, “Texas Fertilizer Company Didn't Heed Disclosure Rules Before
Blast,” Reuters, April 20, 2013.
24 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards Interim Final Rule Regulatory
Assessment, DHS-2006-0073, April 1, 2007, p. 15.
25 In July 2007, DHS provided testimony that formal site inspections of a selected group of facilities would begin by
the end of 2007 (Testimony of Robert B. Stephan, Assistant Secretary for Infrastructure Protection, National Protection
and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security,
Subcommittee on Transportation Security and Infrastructure, July 24, 2007).
26 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland
Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
27 Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
28 Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Homeland Security, Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies, February 11, 2011.
29 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, May 2014, http://www.dhs.gov/
(continued...)
Congressional Research Service
8

Chemical Facility Security: Issues and Options for the 113th Congress

identified the tier assignment of these facilities. In February 2014, DHS identified the tier
assignments of facilities with authorized and approved site security plans. This data showed that
DHS has focused on authorizing and approving site security plans for facilities assigned to the
higher risk tiers. See Table 3.
Table 3. DHS Authorization and Approval of Facility Site Security Plans
(as of February 2014)
Tier
Facilities
Authorized Site Security Plans
Approved Site Security Plans
1 120 106
99
2 392 253
195
3 1,119 541
241
4 2,571 149
5
Total 4,202 1,049
540
Source: Testimony of Caitlin Durkovich, Assistant Secretary for Infrastructure Protection, and David Wulf,
Director, Infrastructure Security Compliance Division, National Protection and Programs Directorate,
Department of Homeland Security, before the Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies, House Committee on Homeland Security, February 27, 2014.
Notes: The facilities column includes facilities with preliminary tier assignments. Site security plans include plans
submitted under alternative security programs. The DHS no longer regulates some facilities that have authorized
or approved site security plans but still accounts for those security plans in its data on authorizations and
approvals by tier. The DHS has released more recent information regarding the total number of authorized
(1,474) and approved (719) site security plans but has not identified them by risk tier. Department of Homeland
Security, Chemical Facility Anti-Terrorism Standards, May 2014.
According to DHS, ISCD inspected and approved more facilities than it had expected to in
FY2013, but some of these approvals were for facilities in tiers lower than planned.30 In March
2013, DHS testified that it planned to have all Tier 1 facilities approved by October 201331 and all
Tier 1 and Tier 2 facilities approved by May 2014.32 The DHS did not meet this milestone and
now estimates that, by the end of FY2014, it will have approved over 90% of all Tier 1 and Tier 2
facilities that have authorized site security plans. The DHS notes that regulated facilities may
move between tiers, and new regulated facilities may be assigned any tier. As a consequence,
DHS asserts it is likely that a small percentage of facilities in each tier will not have approved site
security plans at any given time.33

(...continued)
sites/default/files/publications/CFATS%20Update%20FS_May2014_508_0.pdf.
30 Personal communication between CRS and DHS staff, October 28, 2013.
31 Testimony of Rand Beers, Under Secretary, and David Wulf, Director, Infrastructure Security Compliance Division,
National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on
Energy and Commerce, Subcommittee on Environment and the Economy, March 14, 2013.
32 Testimony of Rand Beers, Under Secretary, and David Wulf, Director, Infrastructure Security Compliance Division,
National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on
Energy and Commerce, Subcommittee on Environment and the Economy, March 14, 2013; and Office of the Inspector
General, Department of Homeland Security, Effectiveness of the Infrastructure Security Compliance Division’s
Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program, OIG-13-55, March
2013, p. 22.
33 Personal communication between CRS and DHS staff, October 28, 2013.
Congressional Research Service
9

Chemical Facility Security: Issues and Options for the 113th Congress

The DHS has identified an additional factor in the delay of the inspection schedule: iteration
between DHS and regulated entities regarding their site security plans.34 The DHS has issued at
least 66 administrative orders to compel facilities to complete their site security plans.35 In
addition, DHS established a pre-authorization inspection process to gain additional information
from facilities to fully assess the submitted site security plan and potentially reduce the number of
requests for additional information from DHS to regulated facilities. Once DHS completes a pre-
authorization inspection at a facility, the facility may amend its site security plan to reflect the
results of the pre-authorization inspection. The DHS had performed approximately 180 pre-
authorization inspections as of February 2012.36 The DHS has since included this type of
inspection in its more general compliance assistance visit program. As of May 2014, DHS had
conducted 1,448 compliance assistance visits.37
Program Reviews
The CFATS program has undergone three reviews of its processes and progress. The first was an
internal review conducted by program management to identify programmatic challenges. Since
that review, both the DHS Office of the Inspector General (OIG) and the Government
Accountability Office (GAO) have released reports addressing the CFATS program.
Internal Review of CFATS Program
In December 2010, NPPD initiated a management review of ISCD through the NPPD Office of
Compliance and Security. In July 2011, new leadership took charge of ISCD and, at the direction
of Under Secretary Beers, began a review of the goals, challenges, and potential corrective
actions to improve program performance. In November 2011, ISCD leadership presented Under
Secretary Beers with a report containing the results of both reviews. According to DHS, the report
was intended as a candid, internal assessment that focused predominantly on the challenges faced
by ISCD rather than on the program’s successes and opportunities.38
At the time of the report, DHS had received approximately 4,200 site security plans but had not
approved any. The review report identified several factors that contributed to the absence of
approvals. These factors included the inability to perform compliance inspections and the lack of

34 The DHS identified such iteration on the contents of site security plans as one factor delaying the start of the
inspection process from December 2009 to February 2010. Oral testimony of Rand Beers, Under Secretary, National
Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland
Security and Governmental Affairs, March 3, 2010.
35 Department of Homeland Security, DHS Responses to Rep. McCaul and Rep. Meehan’s May 2, 2013 Letter
Regarding the Chemical Facility Anti-Terrorism Standards (CFATS) Program, June 2013. This number is unchanged
since March 2011 (Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate,
Department of Homeland Security, before the House Committee on Energy and Commerce, Subcommittee on
Environment and the Economy, March 31, 2011).
36 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland
Security, before the House Committee on Energy and Commerce, Subcommittee on Environment and the Economy,
February 3, 2012.
37 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, May 2014, http://www.dhs.gov/
sites/default/files/publications/CFATS%20Update%20FS_May2014_508_0.pdf.
38 Oral testimony of David Wulf, Deputy Director, Infrastructure Security Compliance Division, National Protection
and Programs Directorate, Department of Homeland Security, before the House Committee on Energy and Commerce,
Subcommittee on Environment and the Economy, February 3, 2012.
Congressional Research Service
10

Chemical Facility Security: Issues and Options for the 113th Congress

an established records management system to document key decisions.39 Other difficulties facing
ISCD reportedly included human resource issues, such as having employees with insufficient
qualifications and work training, erroneous impressions of inspector roles and responsibilities,
and the use of contractors to perform inherently governmental work.40 Additional reported
challenges included difficulty in quickly altering workplace requirements, resolving personnel
security requirements, detailing site security compliance inspections, managing workplace
behavior and perceptions, and dealing with a unionized workforce. Additionally, ISCD lacked a
system for tracking the usage of consumable supplies, potentially allowing for waste, fraud, and
abuse; faced challenges in hiring new qualified individuals; and suffered from a lack of morale.
The report identified three top priorities to address the challenges addressing ISCD:
• clearing the backlog of site security plans;
• developing a chemical inspection process; and
• addressing ISCD statutory responsibilities for regulating ammonium nitrate and
managing personnel surety as part of the CFATS program.41
The ISCD developed an action plan with discrete action items to address identified challenges. In
addition to the action plan, NPPD requested ISCD leadership to provide milestones and a
schedule for completion of the action plan tasks. The ISCD implemented this plan with the
oversight of NPPD leadership.42 According to GAO, ISCD developed at least eight sequential
versions of the action plan, updating each additional version, and in some cases adding additional
detail, milestones, or timelines.43
As of July 2013, DHS had completed 90 of the 95 action items included in the action plan.44
Completed action items include updated internal policy and guidance materials for inspections, a
monthly ISCD newsletter, increased staff engagement and dialogue, and additional supervisory
training and guidance.
The GAO reviewed the DHS action plan and stated that “ISCD appears to be heading in the right
direction, but it is too early to tell if individual items are having their desired effect because ISCD
is in the early stages of implementing corrective actions and has not established performance
measures to assess results.”45 The GAO provided several caveats to its assessment, including that

39 Government Accountability Office, Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its
Chemical Security Program, but It Is Too Early to Assess Results, GAO-12-515T, July 26, 2012.
40 Mike Levine, “EXCLUSIVE: Beset by Strife at Chemical Security Office, DHS Internal Report Claims Anti-
Terrorism Program Now in Jeopardy,” FoxNews.com, December 21, 2011.
41 Government Accountability Office, Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its
Chemical Security Program, but It Is Too Early to Assess Results, GAO-12-515T, July 26, 2012.
42 In 2012, ISCD program leadership met with the Principal NPPD Deputy Under Secretary at least weekly to discuss
progress on the action plan. Oral testimony of Rand Beers, Under Secretary, National Protection and Programs
Directorate, Department of Homeland Security, before the House Committee on Energy and Commerce, Subcommittee
on Environment and the Economy, February 3, 2012.
43 Government Accountability Office, Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its
Chemical Security Program, but It Is Too Early to Assess Results, GAO-12-515T, July 26, 2012.
44 Testimony of David Wulf, Director, Infrastructure Security Compliance Division, National Programs and Protection
Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies, on August 1, 2013.
45 Government Accountability Office, Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its
(continued...)
Congressional Research Service
11

Chemical Facility Security: Issues and Options for the 113th Congress

it did not have available documentary evidence about the causes of the issues identified in the
ISCD memorandum. For example, GAO stated, “Program officials did not maintain records of
key decisions and the basis for those decisions during the early years of the program.”46
Office of the Inspector General Review
In March 2013, the DHS OIG released a report on its review of the CFATS program through the
end of FY2012.47 The DHS OIG review addressed whether:
• management controls were in place and operational to ensure that CFATS is not
mismanaged;
• NPPD and ISCD leadership misrepresented program progress; and
• nonconforming opinions of program personnel were suppressed or met with
retaliation.
The DHS OIG report was critical of the prior performance of the CFATS program, stating:
Program progress has been slowed by inadequate tools, poorly executed processes, and
insufficient feedback on facility submissions. In addition, program oversight had been
limited, and confusing terminology and absence of appropriate metrics led to
misunderstandings of program progress. The Infrastructure Security Compliance Division
still struggles with a reliance on contractors and the inability to provide employees with
appropriate training. Overall efforts to implement the program have resulted in systematic
noncompliance with sound Federal Government internal controls and fiscal stewardship, and
employees perceive that their opinions have been suppressed or met with retaliation.
Although we were unable to substantiate any claims of retaliation or suppression of
nonconforming opinions, the Infrastructure Security Compliance Division work environment
and culture cultivates this perception. Despite the Infrastructure Security Compliance
Division’s challenges, the regulated community views the Chemical Facility Anti-Terrorism
Standards Program as necessary in establishing a level playing field across a diverse
industry.48
The DHS OIG issued 24 recommendations to assist ISCD to correct identified program
deficiencies and attain intended program results and outcomes. The ISCD concurred fully or
partially with 20 recommendations and did not concur with 4 recommendations. The DHS OIG
recommendations included improving internal processes to achieve a more timely response to
information submissions and requests from regulated entities; defining, developing, and
implementing improved processes and procedures for inspections; refining and improving the

(...continued)
Chemical Security Program, but It Is Too Early to Assess Results, GAO-12-515T, July 26, 2012.
46 Government Accountability Office, Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its
Chemical Security Program, but It Is Too Early to Assess Results, GAO-12-515T, July 26, 2012.
47 Office of the Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security
Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program,
OIG-13-55, March 2013.
48 Office of the Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security
Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program,
OIG-13-55, March 2013, p. 1.
Congressional Research Service
12

Chemical Facility Security: Issues and Options for the 113th Congress

existing CFATS tiering methodology and tiering process; and reducing reliance on contractors
and improving managerial oversight within ISCD.
In response to these recommendations, ISCD provided the DHS OIG with a corrective action
plan. As of February 2014, ISCD has addressed 12 of the DHS OIG recommendations. Nine
recommendations were administrative and include selecting permanent ISCD leadership;
reducing reliance on contract personnel; developing policy for appointing acting management;
ensuring that all employees serving in an acting supervisory capacity have a supervisory position
description; ensuring that all employees receive performance reviews; disseminating ISCD
organizational and reporting structure to staff; reiterating to all employees the process for
reporting misconduct allegations; implementing a plan to ensure the long‐term authorization of
the CFATS Program; and establishing internal controls for the accountability of appropriated
funds. Three recommendations were programmatic and pertained to: revising the long‐term
review process to reduce the Site Security Plan backlog; implementing a process to improve the
timeliness of facility submission determinations; and program metrics that measure CFATS
program value accurately and demonstrate the extent to which risk has been reduced at regulated
facilities.49
The ISCD is still addressing 12 DHS OIG recommendations. Ten recommendations are
programmatic and include improving CFATS Program tools and processes; engaging regulated
industry and government partners; and finalizing program requirements. The two administrative
recommendations include providing training and guidance; and eliminating inappropriate
Administratively Uncontrollable Overtime pay.50
Government Accountability Office Review
In April 2013, GAO issued a report on the CFATS program.51 The GAO assessed how DHS
assigned chemical facilities to tiers and the extent to which it did so, how DHS revised its process
to review facility security plans, and whether DHS communicated and worked with owners and
operators to improve security. The GAO found that the approach DHS used to assess risk and
make decisions to place facilities in final tiers does not consider all of the elements of
consequence, threat, and vulnerability. For example, the risk assessment approach is based
primarily on consequences arising from human casualties, but does not consider economic
consequences. The GAO review of the risk assessment approach revealed that ISCD was
inconsistent in how it assessed threat. According to GAO, ISCD considered threat for the 10% of
facilities tiered because of the risk of release or sabotage, but not for the approximately 90% of
facilities that are tiered because of the risk of theft or diversion. Also, GAO identified that when it
did use threat data, the data was not current. In addition, GAO found that DHS had not been
tracking data on reviews of site security plans and thus could not quantify improvements to that
process. The GAO estimated that it could take another seven to nine years before DHS completed

49 Testimony of Marcia Moxey Hodges, Chief Inspector, Office of Inspections, Office of the Inspector General,
Department of Homeland Security, before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies, House Committee on Homeland Security, February 27, 2014.
50 Testimony of Marcia Moxey Hodges, Chief Inspector, Office of Inspections, Office of the Inspector General,
Department of Homeland Security, before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security
Technologies, House Committee on Homeland Security, February 27, 2014.
51 Government Accountability Office, Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk
and Gather Feedback on Facility Outreach Can Be Strengthened, GAO-13-353, April 2013.
Congressional Research Service
13

Chemical Facility Security: Issues and Options for the 113th Congress

reviews on submitted site security plans. Input GAO solicited from 11 trade associations also
indicated that DHS does not obtain systematic feedback on outreach activities. The GAO
recommended that DHS:
• develop a plan, with timeframes and milestones, that incorporates the results of
the various efforts to fully address each of the components of risk and take
associated actions where appropriate to enhance ISCD’s risk assessment
approach and
• conduct an independent peer review, after ISCD completes enhancements to its
risk assessment approach that fully validates and verifies ISCD’s risk assessment
approach consistent with the recommendations of the National Research Council
of the National Academies.
The ISCD has taken steps to address the GAO recommendations. For example, ISCD engaged the
Homeland Security Studies and Analysis Institute to coordinate an examination of the CFATS risk
assessment model. According to GAO, HSSAI recommended that ISCD revise the current risk-
tiering model and create a standing advisory committee—with membership drawn from
government, expert communities, and stakeholder groups—to advise DHS on significant changes
to the methodology. In addition, ISCD plans to modify the risk assessment approach to better
include all elements of risk.52
Policy Issues
Previous congressional discussion on chemical facility security raised several contentious policy
issues.53 Some issues will exist even if Congress extends the existing statutory authority without
changes. These include whether DHS has sufficient funding and capabilities to adequately
oversee chemical facility security; whether federal chemical facility security regulations should
preempt state regulations; and how much chemical security information individuals may share
outside of the facility and the federal government. Other issues, such as what facilities DHS
should regulate as a chemical facility and whether DHS should require chemical facilities to
adopt or consider adopting inherently safer technologies, may be more likely addressed if
Congress chooses to revise or expand existing authority.
Funding and Infrastructure and Workforce Capabilities
The 2007 CFATS regulations establish an oversight structure that relies on DHS personnel
inspecting chemical facilities and ascertaining whether regulated entities have implemented their
authorized site security plans. Although the use of performance-based measures, where chemical
facilities have flexibility in how to achieve the required security performance, may reduce some
demands on the regulated entities, it may also require greater training and judgment on the part of
DHS inspectors. Congressional oversight has raised the question of whether DHS has requested
and received appropriated funds sufficient to hire and retain the staff necessary to perform the

52 Government Accountability Office, Critical Infrastructure Protection: Observations on DHS Efforts to Identify,
Prioritize, Assess and Inspect Chemical Facilities, GAO-14-365T, February 27, 2014.
53 Congressional policy makers have debated chemical facility security issues since at least the 106th Congress.
Congressional Research Service
14

Chemical Facility Security: Issues and Options for the 113th Congress

required compliance inspections and whether DHS has properly managed the appropriated funds
received.54
The DHS has faced challenges when creating the necessary infrastructure to perform nationwide
inspections. As stated by DHS, initial expectations for inspector responsibilities and infrastructure
needs did not match the final needs.
For example, at the program’s outset, certain roles and responsibilities were envisioned for
the program staff that, in the end, did not apply. This resulted in the hiring of some
employees whose skills did not match their ultimate job responsibilities and the purchase of
some equipment that in hindsight appear to be unnecessary for chemical inspectors.
Additionally, we envisioned a greater number of field offices than we eventually decided to
employ.55
The degree to which funding meets agency infrastructural needs likely depends on factors both
external and internal to DHS. External factors include the number of regulated facilities and the
sufficiency of security plan implementation. Challenges experienced by DHS in overseeing
facility site security plan implementation will likely increase the workforce necessary to meet the
planned inspection cycle. In contrast, reduction in the number of regulated facilities will likely
decrease the number of needed inspectors. Internal factors include the ratio between headquarters
staff and field inspectors; the assigned risk tiers of the regulated facilities; and the timetable for
implementation of inspections. Once DHS has more fully engaged in inspection of regulated
facilities, it may be able to more comprehensively determine its long-term resource needs and
estimate both funding and staff requirements. A key factor for achieving program efficacy and
efficiency may be the success in training inspectors to perform CFATS inspections, given the
reported difficulties in developing inspector training combined with the requirements of a new
regulatory program.
Inspection Rate
As of May 2014, 719 chemical facilities had been approved in the CFATS process, which starts
with information submission by chemical facilities and finishes with approval of inspected
security measures by DHS.56 The DHS states that the first authorization inspection was conducted
in 2010; as of May 2014, DHS had conducted 1,008 authorization inspections.57 In 2013, GAO
projected that DHS may require between seven and nine years to complete review of site security
plans and that to inspect and approve all regulated facilities will require additional time.58 This

54 See, for example, House Committee on Homeland Security, Subcommittee on Transportation Security and
Infrastructure Protection, Chemical Security: The Implementation of the Chemical Facility Anti-Terrorism Standards
and the Road Ahead, 110th Congress, December 12, 2007; H.Rept. 112-492, accompanying H.R. 5855, Department of
Homeland Security Appropriations Bill, 2013, and S.Rept. 112-169, accompanying S. 3216, Department of Homeland
Security Appropriations Bill, 2013.
55 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland
Security, before the House Committee on Energy and Commerce, Subcommittee on Environment and the Economy,
February 3, 2012.
56 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, May 2014, http://www.dhs.gov/
sites/default/files/publications/CFATS%20Update%20FS_May2014_508_0.pdf.
57Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, May 2014, http://www.dhs.gov/
sites/default/files/publications/CFATS%20Update%20FS_May2014_508_0.pdf.
58 Government Accountability Office, Critical Infrastructure Protection: Preliminary Observations on DHS Efforts to
Assess Chemical Security Risk and Gather Feedback on Facility Outreach, GAO-13-412T, March 14, 2013; and
(continued...)
Congressional Research Service
15

Chemical Facility Security: Issues and Options for the 113th Congress

estimate is premised on an approval rate of 30 to 40 facilities per month, lower than current
performance. Some policy makers have expressed surprise at the pace of inspection and
questioned whether DHS should continue at the current pace or accelerate the compliance
process.59 Several factors likely complicate and slow the inspection process. One factor appears to
be the internal operations of the DHS implementing office and the skills and capabilities of the
ISCD inspector cadre. Another factor appears to be that the information facilities submit in site
security plans may not provide what DHS views as sufficient detail to evaluate compliance.60
Rather than reject such site security plans, DHS attempts to gather iteratively the necessary
information from the facilities, including through compliance assistance visits.
Compliance assistance visits may lead to higher quality site security plan submissions, even
though the visits appear to be a significant drain on DHS resources. In principle, such visits may
lower the future authorization inspection burden, as CFATS inspectors will be familiar with
security measures at the chemical facility. Such familiarity may hasten the actual authorization
inspection.
The DHS has also suggested that higher risk-tier facilities benefit more from these types of
assistance visits due to the complexity of the facility, the potential presence of multiple chemicals
of interest, and the more stringent risk-based performance standards that apply. Lower risk-tier
facilities may not need such visits because these facilities may be less complex and inspectors
may develop best practices through the compliance assistance visits of higher-tiered facilities.
However, the converse might be true instead. Smaller facilities with less security experience may
benefit more from such visits.
Some policy makers have questioned whether the low inspection rate is due to constraints in the
number of chemical facility security inspectors hired by DHS or the availability of appropriated
funding. The CFATS regulations state that DHS will inspect the implementation of site security
plans at all facilities and require that facilities resubmit their Top-Screen and, if so directed by
DHS, their security vulnerability assessment and site security plan every two years for Tier 1 and
Tier 2 facilities or three years for Tier 3 and Tier 4 facilities.61 This would require DHS to perform
over 1500 inspections annually to inspect every facility’s implementation of its site security plan.
The DHS has asserted that each inspection would require two or more inspectors and
approximately one week to perform.62

(...continued)
Government Accountability Office, Critical Infrastructure Protection: DHS Needs to Improve Its Risk Assessments and
Outreach for Chemical Facilities, GAO-13-801T, August 1, 2013.
59 Monica Hatcher, “Why Chemical Plants Are Vulnerable to Terrorism,” Houston Chronicle, April 5, 2010.
60 For example, see Department of Homeland Security, Chemical Facility Anti-Terrorism Standards Site Security Plans
and Preliminary Inspections, NASTTPO Annual Meeting, May 12, 2010; and W. Koch, Air Products, Overview of DHS
CFATS Pre Authorization Visit, July 7, 2010.
61 Other DHS documents have provided different inspection timeframes. In 2011, DHS stated its expectation that, when
at full operational capability, it would inspect Tier 1 facilities annually, Tier 2 facilities every two years, and a
prioritized selection of 10% of Tier 3 and Tier 4 facilities each year (Department of Homeland Security, Annual
Performance Report Fiscal Years 2010–2012; Appendix A: Measure Descriptions and Data Collection Methodologies,
p. 8).
62 Department of Homeland Security, The Chemical Facility Anti-Terrorism Standards—Update for the Chemical
Sector Security Summit, June 29, 2009.
Congressional Research Service
16

Chemical Facility Security: Issues and Options for the 113th Congress

The DHS appears to have requested sufficient inspectors to manage the workload associated with
a reinspection cycle of every two years for top tier facilities and every three years for lower tier
facilities, but such a staffing level may be insufficient to address the large number of initial
regulatory submissions or a more frequent reinspection cycle or the use of inspectors to perform
compliance assistance visits.63 This level of staffing would appear to require at least several years
of inspections to reduce the backlog created from the initial site security plan submissions, even if
DHS performed only authorization inspections. A June 2012 DHS analysis estimated that DHS
might perform 813 inspections annually.64 At this rate, DHS would require more than five years to
complete the initial inspections.65 If DHS were to hire additional inspectors, it might reduce the
backlog of site security plans but also run the risk of having additional unnecessary staff in future
years. The DHS might hire temporary or short-term staff to augment the inspector cadre, but the
need to train such employees for CFATS-specific inspections may pose challenges.
Finally, because DHS has focused on inspecting those facilities in the highest risk tier, it
potentially faces the most complicated inspection environments. Inspections of lower risk tier
facilities may pose fewer complications, take less time, and involve fewer inspectors. If so, DHS
might quickly and substantially increase the number of facilities inspected by focusing efforts on
lower tier facilities. Through this approach, DHS might gain insight and experience among the
inspector cadre while reducing some national risk.66
Federal Preemption of State Activities
The original statute did not expressly address the issue of federal preemption of state and local
chemical facility security statute or regulation. When DHS issued regulations establishing the
CFATS program, DHS asserted that the CFATS regulations would preempt state and local
chemical facility security statute or regulation that “conflicts with, hinders, poses an obstacle to or
frustrates the purposes of” the federal regulation.67 After the regulation’s release, Congress
amended DHS’s statutory authority to state that only in the case of an “actual conflict” would the
federal regulation preempt state authority.68 Few states have established independent chemical
facility security regulatory programs, and conflict between the federal and state activities has not
yet occurred.69 The DHS did not identify any state programs that conflict with the CFATS
regulations.70 The DHS has also not altered its regulatory language in response to the statutory
amendment.

63 CRS calculation assuming two inspectors per inspection and one inspection per week.
64 This estimate uses three inspectors per inspection. Office of the Inspector General, Department of Homeland
Security, Effectiveness of the Infrastructure Security Compliance Division’s Management Practices to Implement the
Chemical Facility Anti-Terrorism Standards Program, OIG-13-55, March 2013, p. 20.
65 For additional analysis of this issue, see CRS Report R43346, Implementation of Chemical Facility Anti-Terrorism
Standards (CFATS): Issues for Congress, by Dana A. Shea.
66 The DHS defines all facilities regulated under CFATS as high-risk chemical facilities. A lower or higher risk tier is
relative to other high-risk chemical facilities.
67 6 C.F.R. 27.405(a).
68 Section 534, P.L. 110-161, Consolidated Appropriations Act, 2008.
69 Some states, including New Jersey, Maryland, and New York, have implemented laws addressing security at
chemical facilities.
70 72 Federal Register 17688–17745 (April 9, 2007) at 17727.
Congressional Research Service
17

Chemical Facility Security: Issues and Options for the 113th Congress

Advocates for federal preemption call for a uniform security framework across the nation. They
assert that a “patchwork” of regulations might develop if states independently develop additional
chemical facility security regulations.71 Variation in security requirements might lead to differing
regulatory compliance costs, and companies might suffer competitive disadvantage based on their
geographic location.
Supporters of a state’s right to regulate chemical facility security claim that the federal regulation
should be a minimum standard with which all regulated entities must comply. They assert that
DHS should allow states to develop more stringent regulations than the federal regulations. They
claim such regulations would increase security. Some supporters of state regulation suggest that
more stringent, conflicting state regulations should preempt the federal regulations. Such a case
might occur if a state regulation mandated the use of a particular security approach at chemical
facilities, conflicting with the federal regulation that adopts a performance-based, rather than
prescriptive, approach. The desire to retain industries that might relocate if faced with increased
regulation arguably would temper state inclinations to require overly stringent or incompatible
regulations.
Some policy makers may assert that chemical facility security should be left to the states rather
than be implemented by the federal government. If Congress allows the statutory authority to
expire and does not appropriate funds for the further implementation of CFATS, the federal
authority would lapse, and state and local jurisdictions would be solely responsible for regulating
chemical facility security.
Transparency
The CFATS process involves determining chemical facility vulnerabilities and developing
security plans to address them. Information developed in this process is not openly disseminated.
The CFATS program categorizes this information as Chemical-terrorism Vulnerability
Information (CVI) and provides penalties for its disclosure. Some advocates have argued for
greater transparency in the CFATS process, even if the program does not provide detailed
information regarding potential vulnerabilities and specific security measures. They assert that
those individuals living in surrounding communities require such information to effectively plan
and make choices in an emergency.72
The current statute and regulation prohibit public disclosure of CVI. Only specific “covered
persons” may access CVI. While acknowledging a legitimate homeland security need to limit
dissemination of security information, some policy makers have questioned whether such
limitations hinder other efforts. For example, first responders and community representatives
have highlighted how such information protection regimes may impede emergency response and
the ability of those in the surrounding community to react to emergency situations at the chemical
facility.73 Additionally, worker representatives have raised concerns that these limitations and the

71 See, for example, National Association of Chemical Distributors, “NACD Key Issue: Chemical Facility Security,”
Key Issues 2009 Washington Fly-In 111th Congress.
72 OMB Watch and Public Citizen, “Chemical Facility Anti-Terrorism Standards, Department of Homeland Security,
DHS-2006-0073,” Letter, February 7, 2007.
73 Testimony of Joseph Crawford, Chief of Police, City of Saint Albans, WV, before the House Committee on Energy
and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009; and testimony of Kent Carper,
President, Kanawha County Commission, Kanawha County, WV, before the House Committee on Energy and
(continued...)
Congressional Research Service
18

Chemical Facility Security: Issues and Options for the 113th Congress

lack of mandated inclusion of worker representatives may impede worker input into security
plans.74
The current information protection regimes for chemical facility security information, CVI under
CFATS and Sensitive Security Information (SSI) under the Maritime Transportation Security Act
(MTSA), do not contain penalties for incorrectly marking information as protected. Only
disclosure of correctly marked information is penalized. Additionally, the chemical facility is
responsible for identifying and appropriately marking protected information. These information
markings only would be assessed in the case of dispute. As was asserted during congressional
oversight, this disparity may lead to a tendency by regulated entities, in order to protect
themselves against potential liability or scrutiny, to erroneously limit dissemination of
information that should be made available to the public.75
Additionally, the existing statute contains no provisions explicitly protecting or allowing for
concerned covered persons to divulge CVI or to challenge the categorization of information as
protected in an attempt to inform authorities about security vulnerabilities or other weaknesses.
Depending on the circumstances, those individuals might be penalized for their disclosure of
protected information. The CFATS regulations, reflecting this inherent tension, provide for a DHS
point of contact to which such information might be revealed, but also state “Section 550 did not
give DHS authority to provide whistleblower protection, and so DHS has not incorporated
specific whistleblower protections into this regulation.”76
On August 1, 2013, President Obama signed an executive order on improving chemical facility
safety and security and establishing a Chemical Facility Safety and Security Working Group.77 As
one facet of this executive order, it directs the Secretary of Homeland Security to assess the
feasibility within 90 days of sharing CFATS data with State Emergency Response Commissions
(SERCs), Tribal Emergency Planning Committees (TEPCs), and Local Emergency Planning
Committees (LEPCs).78 In addition, it directs the working group more generally to develop within
135 days a plan that will, among other goals, identify ways to improve coordination among the
federal government, first responders, and state, local, and tribal entities.79
Definition of Chemical Facility
The DHS regulates an assortment of entities that possess and manufacture chemicals of interest.
Thus, the term chemical facility encompasses many types of facilities, including agricultural

(...continued)
Commerce, Subcommittee on Oversight and Investigations, April 21, 2009.
74 See, for example, testimony of Glenn Erwin, United Steelworkers International Union, before the Senate Committee
on Homeland Security and Governmental Affairs, July 13, 2005.
75 House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, Secrecy in the
Response to Bayer’s Chemical Plant Explosion, Serial No. 111-28, April 21, 2009.
76 72 Federal Register 17688–17745 (April 9, 2007) at 17718.
77 Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78 Federal Register
48029-48032 (August 7, 2013).
78 Section 3(c) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
79 Section 3(a) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
Congressional Research Service
19

Chemical Facility Security: Issues and Options for the 113th Congress

facilities, universities, and others.80 With DHS defining chemical facilities according to
possession of a chemical of interest, it regulates facilities not part of the chemical manufacturing
and distributing chain. Stakeholders have expressed concern that the number of entities so
regulated might be unwieldy and that the regulatory program might focus on many chemical
facilities that pose little risk rather than on those facilities that pose more substantial risk. For
example, during the rulemaking process, DHS received commentary and revised its regulatory
threshold for possession of propane, stating:
DHS, however, set the [screening threshold quantities] for propane in this final rule at 60,000
pounds. Sixty thousand pounds is the estimated maximum amount of propane that non-
industrial propane customers, such as restaurants and farmers, typically use. The Department
believes that non-industrial users, especially those in rural areas, do not have the potential to
create a significant risk to human life or health as would industrial users. The Department
has elected, at this time, to focus efforts on large commercial propane establishments but
may, after providing the public with an opportunity for notice and comment, extend its
[CFATS] screening efforts to smaller facilities in the future. This higher [screening threshold
quantity] will focus DHS’s security screening effort on industrial and major consumers,
regional suppliers, bulk retail, and storage sites and away from non-industrial propane
customers.81
In 2007, when developing its interim final rule, DHS estimated the expected number of regulated
facilities and identified them by primary risk category: release due to loss of containment or
potential for theft and diversion.82 In 2012, DHS analyzed the number of facilities with final tier
assignments and identified their primary risk category. As seen in Table 4, initial expectations of
the distribution of facilities by primary risk did not match the risk types of the actual regulated
facilities.83
Table 4. Facilities Regulated Under CFATS by Primary Risk Category
(percentage of facilities)
Risk Type
2007 Estimate
2012 Actual
Release 62% 13%
Theft/Diversion 38%
87%
Source: CRS analysis of data in Department of Homeland Security, Chemical Facility Anti-Terrorism Standards
Interim Final Rule Regulatory Assessment, DHS-2006-0073, April 1, 2007; and 79 Federal Register 6418-6452
(February 3, 2014) at 6438.
Notes: The 2007 estimate is based on 5,000 facilities (3,117 release facilities: 1,883 theft/diversion facilities). The
2012 analysis of facilities actually reporting is based on 3,566 facilities (455 release facilities: 3,111 theft/diversion
facilities).
Academic institutions have asserted that DHS should not apply CFATS regulations to them
because of the dispersed nature of chemical holdings at colleges and universities. These

80 For example, facilities distributing agricultural chemicals may be regulated under CFATS. See CRS Report R43070,
Regulation of Fertilizers: Ammonium Nitrate and Anhydrous Ammonia, by Dana A. Shea, David M. Bearden, and Scott
D. Szymendera.
81 72 Federal Register 65396–65435 (November 20, 2007) at 65406.
82 Note that a facility might be primarily regulated for one category but also qualify under the other.
83 In contrast, initial expectations of the number of facilities per tier were more in line with actual enrollment.
Congressional Research Service
20

Chemical Facility Security: Issues and Options for the 113th Congress

institutions claim that regulatory compliance costs would not be commensurate with the risk
reduction.84 The DHS has identified that a college or university with a high-risk facility on
campus might choose to implement security measures at the specific location rather than across
the entire campus.85 The DHS has already implemented select regulatory extensions for
agricultural chemical users, though not distributors.86 While the regulatory compliance costs
likely decrease at lower risk tiers compared to higher risk tiers, all regulated entities bear
compliance costs as continued annual expenses.
As mentioned above, the statutory authority underlying CFATS exempts several types of
facilities, including water and wastewater treatment facilities. The federal government does not
regulate water and wastewater treatment facilities for chemical security purposes. Instead, current
chemical security efforts at water and wastewater treatment facilities are voluntary in nature.87
Some advocacy groups have called for inclusion of currently exempt facilities, such as water and
wastewater treatment facilities.88 Some drinking water and wastewater treatment facilities possess
amounts of chemicals of interest and would lead to regulation if located at a different type of
facility.89 Advocates for their inclusion in security regulations cite the presence of such potentially
hazardous chemicals and their relative proximity to population centers as reasons to mandate
security measures for such facilities. In contrast, representatives of the water sector point to the
critical role that water and wastewater treatment facilities have in daily life. They caution against
including these facilities in the existing regulatory framework because of the potential for undue
public impacts. They cite, for example, loss of basic fire protection and sanitation services if the
federal government were to order a water or wastewater utility to cease operations for security
reasons or failure to comply with regulation.90
If Congress were to remove the drinking water and wastewater treatment facility exemption, the
number of regulated facilities might substantially increase, placing additional burdens on the
CFATS program. The United States contains approximately 52,000 community water systems and
16,500 wastewater treatment facilities.91 These facilities vary substantially in size and service.

84 72 Federal Register 65396–65435 (November 20, 2007) at 65412.
85 Department of Homeland Security, Colleges and Universities and the Chemical Facility Anti-Terrorism Standards
(CFATS), July 2010.
86 73 Federal Register 1640 (January 9, 2008).
87 Congress required certain drinking water facilities to perform vulnerability assessments and develop emergency
response plans through Section 401 of P.L. 107-188, the Public Health Security and Bioterrorism Preparedness and
Response Act of 2002. For more information on drinking water security activities, see CRS Report RL31294,
Safeguarding the Nation’s Drinking Water: EPA and Congressional Actions, by Mary Tiemann.
88 See, for example, Paul Orum and Reece Rushing, Center for American Progress, Chemical Security 101: What You
Don’t Have Can’t Leak, or Be Blown Up by Terrorists, November 2008; and testimony of Philip J. Crowley, Senior
Fellow and Director of Homeland Security, Center for American Progress, before the House Committee on Energy and
Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008.
89 See U.S. Environmental Protection Agency, Factoids: Drinking Water and Ground Water Statistics for 2008, EPA
816-K-08-004, November 2008; and U.S. Environmental Protection Agency, Clean Watersheds Needs Survey 2004:
Report to Congress, January 2008.
90 American Water Works Association, “Chemical Facility Security,” Fact Sheet, 2009. For more information on
security issues in the water infrastructure sector, see CRS Report RL32189, Terrorism and Security Issues Facing the
Water Infrastructure Sector, by Claudia Copeland.
91 See U.S. Environmental Protection Agency, Factoids: Drinking Water and Ground Water Statistics for 2008, EPA
816-K-08-004, November 2008; and U.S. Environmental Protection Agency, Clean Watersheds Needs Survey 2004:
Report to Congress, January 2008. For comparison, more than 36,000 chemical facilities filed a Top-Screen under
CFATS.
Congressional Research Service
21

Chemical Facility Security: Issues and Options for the 113th Congress

The number of regulated facilities would depend on the criteria used to determine inclusion, such
as chemical possession or number of individuals served. It is likely that only a subset of these
facilities would meet a regulatory threshold.92 In 2011, a DHS official testified that approximately
6,000 such facilities would likely meet the CFATS threshold.93
On August 1, 2013, President Obama signed an executive order on improving chemical facility
safety and security and establishing a Chemical Facility Safety and Security Working Group.94 As
one facet of this executive order, it directs the Secretary of Homeland Security to identify within
90 days a list of chemicals that should be considered for addition to the CFATS chemical of
interest list.95 Expanding the list of chemicals of interest, while not changing the mechanism by
which DHS defines a chemical facility, would likely lead to additional facilities regulated under
CFATS.
Identification of Non-Responsive Facilities
Although facilities with greater than screening threshold quantities of chemicals of interest must
submit information to DHS under the Top-Screen process, an unknown number of facilities do
not provide such information. One limited survey of community hospitals reported that 56% of
respondents were aware of CFATS reporting requirements.96 Another example appears to be the
West Fertilizer Company, which reported more than a threshold amount of chemical of interest to
the EPA under the Risk Management Plan (RMP) program but did not file with DHS under
CFATS. The DHS refers to these non-compliant facilities as “outliers.” Congressional policy
makers have raised the concern that many facilities may still not have properly reported to DHS.97
The number of facilities not complying with CFATS reporting requirements is unknown. If DHS
lacks information about a facility’s chemical holdings, it is unlikely to be able to identify it as an

92 For example, the number of individuals served by the drinking water facility might be used as a regulatory criterion.
Section 401 of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188)
mandated drinking water facilities serving more than 3,300 individuals develop an emergency response plan and
perform a vulnerability assessment. Approximately 8,400 community water systems met this requirement in 2002. For
more information on drinking water security activities, see CRS Report RL31294, Safeguarding the Nation’s Drinking
Water: EPA and Congressional Actions, by Mary Tiemann.
93 Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Homeland Security, Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies, February 11, 2011.
94 Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78 Federal Register
48029-48032 (August 7, 2013).
95 Section 6(d) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
96 Morgan M. Bliss, Kiril D. Hristovski, and Jon W. Ulrich. “Compliance of Community Hospitals with the Chemical
Facility Anti-Terrorism Standards (CFATS) in the Western United States” Journal of Homeland Security and
Emergency Management, 10(2), 2013, pp. 433-445.
97 Representative Michael T. McCaul, Chairman, Committee on Homeland Security; Representative Fred Upton,
Chairman, Committee on Energy and Commerce; and Representative John Carter, Chairman, Homeland Security
Appropriations Subcommittee, Letter to Janet Napolitano, Secretary, U.S. Department of Homeland Security, July 22,
2013; Senator Tom Carper, Chairman, Committee on Homeland Security and Governmental Affairs, Letter to Janet
Napolitano, Secretary, and Suzanne Spaulding, Acting Under Secretary, National Protection and Programs, U.S.
Department of Homeland Security, June 28, 2013; and Representative Henry A. Waxman, ranking Member, Committee
on Energy and Commerce, and Representative Bennie G. Thompson, ranking Member, Committee on Homeland
Security, Letter to President Barack Obama, May 2, 2013.
Congressional Research Service
22

Chemical Facility Security: Issues and Options for the 113th Congress

outlier. As noted above, DHS has regulatory authority to direct specific facilities to comply with
CFATS, but DHS might not issue such orders without information indicating that a facility is out
of compliance.
In 2009, DHS listed some identification mechanisms in use at that time. These mechanisms
included receiving information from the public through the DHS CFATS Tip Line;98 cross-
referencing with information from other federal regulatory programs, such as the Environmental
Protection Agency’s (EPA’s) Risk Management Planning (RMP) program (see text box below);99
and a pilot program with the state of New York and the state of New Jersey to identify non-
responsive facilities in those states.100 Since then, DHS has also created the CFATS Share tool
through which state Homeland Security Advisors, appropriate DHS components, and other
stakeholders have access to data on the CFATS-regulated facilities within their jurisdictions. In
addition, DHS participates “in engagements with various State Homeland Security Advisors
(HSA) and other state and local security partners. The Department also has participated in
numerous meetings with Local Emergency Planning Committees, Area Maritime Security
Committees, Sector Coordinating Councils, and Fusion Centers.”101 The DHS terminated some of
these activities but continues others.
On August 1, 2013, President Obama signed an executive order on improving chemical facility
safety and security and establishing a Chemical Facility Safety and Security Working Group.102
The executive order directs the working group to analyze within 90 days the potential to improve
information collection by and sharing between agencies to help identify chemical facilities which
may not have provided all required information or may be noncompliant with federal
requirements to ensure chemical facility safety.103 It also directs the working group to produce a
proposal within 180 days for a coordinated, flexible data-sharing process that can be used to track
submitted data. The proposal is to allow for the sharing of information with and by state, local,
and tribal entities.104
Integration of this information with the CFATS program may pose challenges due to different
data formats, resource availability, and limited utility. The DHS has requested $3 million in
funding for FY2015 to develop an automated process to collect and analyze data provided by

98 The DHS has established a CFATS Tip Line for reporting a possible CFATS security concern. The telephone
number is 877-394-4347. Tips may be made anonymously or not.
99 The EPA RMP program, established under Section 112(r) of the Clean Air Act, requires chemical facilities to report
to EPA possession of certain chemicals above threshold quantities. The RMP chemical list has substantive overlap with
the CFATS list of chemicals of interest, and, in many cases, the RMP threshold quantity is equal to or less than the
CFATS screening threshold quantity. Therefore, many chemical facilities reporting under the RMP program also would
file a Top-Screen under CFATS.
100 Testimony of Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, Department
of Homeland Security, before the House Committee on Homeland Security, June 16, 2009; and testimony of Rand
Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the
Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
101 Department of Homeland Security, DHS Responses to Rep. McCaul and Rep. Meehan’s May 2, 2013 Letter
Regarding the Chemical Facility Anti-Terrorism Standards (CFATS) Program, June 2013.
102 Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78 Federal Register
48029-48032 (August 7, 2013).
103 Section 5(a) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
104 Section 5(b) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
Congressional Research Service
23

Chemical Facility Security: Issues and Options for the 113th Congress

other federal, state, and local partners. As part of this process, DHS plans to compare information
from EPA Risk Management Program and the Superfund Amendments and Reauthorization Act
Title III data from all 50 states annually to identify potentially non-compliant facilities.105
Comparison of DHS CFATS and EPA RMP Facilities
Comparing federally held information on regulated facilities may be effective in identifying outliers. In order to identify
such facilities, DHS has reengaged with EPA regarding RMP data and has identified some outlier facilities.106 According
to the EPA Office of Inspector General, 12,774 facilities reported to EPA under the RMP program.107 According to
DHS, Oak Ridge National Laboratory (ORNL) identified approximately 3,724 facilities reporting to the EPA that they
possessed more than a threshold quantity of a chemical of interest.108 The DHS identified 3,362 of these facilities as
potential outliers. These facilities, in addition to 106 facilities identified by DHS through consultation with the Texas
State Chemist, were sent letters regarding their potential responsibilities under CFATS. The DHS has received a
response from 2,946 facilities, approximately 1,500 of which indicated they had previously filed a Top-Screen. Of the
remaining facilities 857 have submitted or intend to submit a Top-Screen. The DHS has not received a response from
522 facilities.109 The DHS is in the process of verifying the information submitted by the facilities and determining why
facilities have not yet replied to the DHS letter.
The fact that approximately 40% of the facilities had previously submitted a Top-Screen is, according to DHS,
demonstrative of the difficulties in comparing data across multiple regulatory programs.110 In addition, DHS asserts
that, based on prior data, it identifies only a small fraction of facilities filing a Top-Screen as high risk.
Inherently Safer Technologies
Previous debate on chemical facility security has included whether to mandate the adoption or
consideration of changes in chemical processes to reduce the potential consequences following a
successful attack on a chemical facility. Suggestions for such changes have included reducing the
amount of chemical stored onsite and changing the chemicals used. In previous congressional
debate, these approaches have been referred to as inherently safer technologies or methods to
reduce the consequences of a terrorist attack.
A fundamental challenge for inherently safer technologies is how to compare one technology with
its potential replacement. It is challenging to unequivocally state that one technology is inherently
safer than the other without adequate metrics. Risk factors may exist outside of the comparison
framework.111 Some experts have asserted that the metrics for comparing industrial processes are

105 Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and
Information Security Fiscal Year 2015 Congressional Justification, p. 90.
106 Testimony of David Wulf, Director, Infrastructure Security Compliance Division, National Programs and Protection
Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies, on August 1, 2013.
107 Office of Inspector General, U.S. Environmental Protection Agency, Improvements Needed in EPA Training and
Oversight for Risk Management Program Inspections, Report No. 13-P-0178, March 21, 2013, p. 1.
108 Personal communication between CRS and DHS staff, October 28, 2013.
109 Personal communication between CRS and DHS staff, May 8, 2014.
110 Personal communication between CRS and DHS staff, October 28, 2013.
111 For example, the replacement of hydrogen fluoride with sulfuric acid for refinery processing would replace a more
toxic chemical with a less toxic one. In this case, experts estimate that equivalent processing capacity would require 25
times more sulfuric acid. Thus, more chemical storage facilities and transportation would be required, potentially
posing different dangers than atmospheric release to the surrounding community. Determining which chemical process
had less overall risk might require considering factors both internal and external to the chemical facility and the
surrounding community. See testimony of M. Sam Mannan, Director, Mary Kay O’Connor Process Safety Center,
Texas A&M University, before the House Committee on Homeland Security, December 12, 2007.
Congressional Research Service
24

Chemical Facility Security: Issues and Options for the 113th Congress

not yet fully established and need additional research and study.112 A committee of the National
Research Council of the National Academies has recommended that DHS support research and
development to foster cost-effective, inherently safer chemistries and chemical processes.113 The
National Academies has identified as a potential concern that inherently safer process analyses
may become narrowly focused and its outcomes inappropriately weighted.114 A facility might
consider many additional factors beyond homeland security implications when weighing the
applicability and benefit of switching from one process to another. These factors include cost,
technical challenges regarding implementation in specific situations, supply chain impacts,
quality and availability of end products, and indirect effects on workers.115
Supporters of adopting these approaches as a way to improve chemical facility security argue that
reducing or removing these chemicals from a facility will reduce the incentive to attack the
facility. They suggest that reducing the consequences of a release also lowers the threat from
terrorist attack and mitigates the risk to the surrounding populace. They point to facilities that
have voluntarily changed amounts of chemicals on hand or chemical processes in use as examples
that facilities can implement such an approach in a cost-effective, practical fashion.116
Opponents of mandating what proponents call inherently safer technologies question the validity
of the approach as a security tool and the government’s ability to effectively oversee its
implementation. Industrial entities assert that process safety engineers within the regulated
industry already employ such approaches and that these are safety, not security, methods. They
assert that process safety experts and business executives should determine the applicability and
financial practicality of changing existing processes at specific chemical facilities.117 A 2011
industry survey stated that, of those respondents that assessed using alternative chemicals or
processes, 66.4% determined such alternatives were not technically feasible.118 Opponents of an
inherently safer technology mandate also question whether the federal government contains the
required technical expertise to adjudicate the practicality and benefit of alternative technological
approaches.119A third opposing view states concern that few existing alternative approaches are

112 Testimony of M. Sam Mannan, Director, Mary Kay O’Connor Process Safety Center, Texas A&M University,
before the House Committee on Homeland Security, December 12, 2007.
113 Committee on Assessing Vulnerabilities Related to the Nation’s Chemical Infrastructure, National Research
Council, Terrorism and the Chemical Infrastructure: Protecting People and Reducing Vulnerabilities, 2006.
114 Committee on Inherently Safer Chemical Processes, National Research Council, The Use of Methyl Isocyanate
(MIC) at Bayer CropScience, 2012.
115 For further discussion on this issue, see Center for Chemical Process Safety, American Institute of Chemical
Engineers, Final Report: Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use,
July 2010.
116 See, for example, Paul Orum and Reece Rushing, Center for American Progress, Preventing Toxic Terrorism: How
Some Chemical Facilities Are Removing Danger to American Communities, April 2006; and Paul Orum and Reece
Rushing, Center for American Progress, Chemical Security 101: What You Don’t Have Can’t Leak, or Be Blown Up by
Terrorists, November 2008.
117 See, for example, testimony of Timothy J. Scott, Dow Chemical Company, before the House Committee on
Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, February
11, 2011; and testimony of Marty Durbin, Managing Director, Federal Affairs, American Chemistry Council, before
the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12,
2008.
118 AcuTech Consulting Group, A Survey of CFATS Progress in Securing the Chemical Sector, September 6, 2011,
p. 41.
119 See, for example, testimony of M. Sam Mannan, Director, Mary Kay O’Connor Process Safety Center, Texas A&M
University, before the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure
(continued...)
Congressional Research Service
25

Chemical Facility Security: Issues and Options for the 113th Congress

well understood with regard to their unanticipated side effects. They claim that researchers should
continue to study these alternative approaches rather than immediately apply them, since
unanticipated side effects could injure business and other interests.120
The DHS has engaged in research and development activities within its Science and Technology
(S&T) Directorate to develop a better understanding of inherently safer technology, including
efforts to define inherently safer technology.121 The NPPD has not adopted the results from these
research and development efforts within its regulatory context. Congress has directed DHS to
detail and report to Congress the Department’s definition of inherently safer technology as it
relates to chemical facilities under the purview of CFATS.122
Some industry representatives have asserted that an inherently safer technology mandate might
have a potentially significant negative financial impact.123 Regulated entities incur a cost when
meeting existing CFATS requirements, and small businesses may be challenged to make
additional necessary capital investments. In its interim final rule, DHS estimated that even
without an inherently safer technology requirement CFATS “may have a significant economic
impact on a substantial number of small entities.”124 Because of the performance-based nature of
the regulatory requirement, it is difficult to detail the exact impact on small businesses.125 Adding
an inherently safer technology requirement might increase the cost of CFATS compliance and
might disproportionately affect small entities not already incorporating such activities in their
business processes. Policy makers in previous Congresses highlighted the issue of small business
impact, especially in the context of requiring additional measures that might hurt productivity.
On August 1, 2013, President Obama signed an executive order on improving chemical facility
safety and security and establishing a Chemical Facility Safety and Security Working Group.126
As one facet of this executive order, it directs the working group to convene an array of
stakeholders to identify and share successes to date and best practices to reduce safety and

(...continued)
Protection, and Security Technologies, February 11, 2011; testimony of Dennis C. Hendershot, Staff Consultant, Center
for Chemical Process Safety, American Institute of Chemical Engineers, before the Senate Committee on Environment
and Public Works, June 21, 2006, S.Hrg. 109-1044; and testimony of Matthew Barmasse, Synthetic Organic Chemical
Manufacturers Association, before the Senate Committee on Homeland Security and Governmental Affairs, July 13,
2005.
120 For example, EPA experts have pointed to the change by drinking water treatment facilities between two approved
disinfectants—chlorine and chloramine—as correlated with an unexpected increase in levels of lead in drinking water
due to increased corrosion. Government Accountability Office, Lead in D.C. Drinking Water, GAO-05-344, March
2005.
121 The Chemical Security Analysis Center of the DHS S&T Directorate contracted with the Center for Chemical
Process Safety of the American Institute of Chemical Engineers to develop a technically based definition for inherently
safer technology. See Center for Chemical Process Safety, American Institute of Chemical Engineers, Final Report:
Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use, July 2010.
122 H.Rept. 112-331, p. 986.
123 Testimony of Stephen Poorman, International EHS Manager, FUJIFILM Imaging Colorants Ltd., on behalf of the
Society of Chemical Manufacturers and Affiliates before the Senate Committee on Homeland Security and
Governmental Affairs, March 3, 2010.
124 72 Federal Register 17688–17745 (April 9, 2007) at 17772.
125 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards Interim Final Rule Regulatory
Assessment, DHS-2006-0073, April 1, 2007.
126 Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78 Federal Register
48029-48032 (August 7, 2013).
Congressional Research Service
26

Chemical Facility Security: Issues and Options for the 113th Congress

security risks. The executive order specifically includes consideration of “the use of safer
alternatives.”127
Personnel Surety
A recurring issue in chemical facility security is ensuring that individuals with known terrorist
affiliations do not gain access to high-risk facilities. The CFATS program addresses this concern
by establishing a personnel surety risk-based performance standard in regulation. This
performance standard requires facilities to conduct background checks on employees and
unescorted visitors and provide identifying information to DHS for use in screening employees
against the Terrorist Screening Database (TSDB).128
The DHS has not fully established the process by which CFATS-regulated facilities can meet this
standard.129 The DHS issued a series of information collection requests from 2009 to 2011 that
described how DHS would gather and use information on employees at CFATS-regulated
facilities and requested public comment.130 Stakeholders and policy makers raised concerns that
the DHS approach seemed to duplicate existing requirements underpinning the Transportation
Worker Identification Credential (TWIC). In addition, DHS did not plan to accept existing TWIC
cards as meeting the CFATS screening requirement. In July 2012, DHS withdrew this proposed
personnel surety program from Office of Management and Budget review.
The DHS asserts that its position on how to comply with the personnel surety standard has
“evolved” in response to industry-provided information.131 The DHS engaged in industry
outreach activities through conference calls with industry associations and meetings with
Chemical Sector Coordinating Council leadership and members.132
In March 2013 and February 2014, DHS released notices of a new information collection request
for compliance with the CFATS personnel surety program.133 The proposed personnel surety
program contains provisions similar to those in the earlier information collection requests. The
DHS proposes that regulated entities would provide certain identifying information to DHS
before giving individuals access to restricted areas within a chemical facility. The DHS would use
that information to screen employees and unescorted visitors against the TSDB. As with the prior
personnel surety proposals, DHS would still require facilities to provide identifying information
even for employees or visitors who have a TWIC card or another credential that is issued only

127 Section 7 of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
128 The Terrorist Screening Database (TSDB) is a centralized federal database of information about known or suspected
terrorists. For more information, see http://www.fbi.gov/about-us/nsb/tsc/tsc_faqs.
129 The DHS approves facility site security plans on a conditional basis, reflecting the future need to comply with the
personnel surety performance standard.
130 See 74 Federal Register 27555-27557 (June 10, 2009); 75 Federal Register 18850-18857 (April 13, 2010); and 76
Federal Register 34720-24732 (June 14, 2011).
131 Office of Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland
Security, CFATS Personnel Surety Program Update-Chemical Sector Security Summit, August 1, 2012.
132 Testimony of Rand Beers, Under Secretary, and David Wulf, Director, Infrastructure Security Compliance Division,
National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on
Energy and Commerce, Subcommittee on Environment and the Economy, March 14, 2013.
133 78 Federal Register 17680-17701 (March 22, 2013) and 79 Federal Register 6418-6452 (February 3, 2014).
Congressional Research Service
27

Chemical Facility Security: Issues and Options for the 113th Congress

following screening against the TSDB. The DHS asserts the purpose of this requirement is to
allow DHS to verify that the credential is still valid, not to perform an additional background
check. The DHS would alternatively allow facilities to use approved electronic reader devices to
verify the validity of TWIC cards, but not other credentials. While DHS plans eventually to
require implementation of the personnel surety program at facilities in each risk tier, it would
limit the initial program to only Tier 1 and Tier 2 facilities.
The DHS has indicated that this new information collection request clarifies that DHS will
implement the personnel surety program in phases; that DHS will accept third-party submission
of information on behalf of regulated entities; that facilities will not need to submit information
each time an affected individual seeks access; and that entities with multiple regulated facilities
may submit information on a company-wide basis, rather than separately for each facility.
Additionally, the DHS requests comment on mechanisms to use electronic verification and
validation of TWIC cards rather than requiring submission of information to DHS.134
The extent to which this new information collection request addresses industry concerns is not yet
resolved. Industry stakeholders, in comments on the information collection requests, highlight the
importance of recognizing other credentials, question whether the information regarding visitors
could be obtained in the requisite time, and suggest that the number of individuals who would
require screening may be larger than DHS estimates.
Policy Options
The statutory authority for CFATS expires on October 4, 2014. The 113th Congress may address
chemical facility security through several options. Congress may continue its oversight of DHS’s
efforts to implement this program. Congress might also take legislative action to extend further
the existing statutory authority by revising or repealing its sunset provision; codifying the existing
regulations; amending the existing statutory authority; addressing existing programmatic
activities; or restricting or expanding the scope of chemical facility security regulation.
If Congress does not act and allows the statutory authority to expire, regulated entities may
question the application and enforcement of the CFATS regulations. In the case where Congress
allows the statutory authority to expire, but Congress appropriates funds for enforcing the CFATS
program, DHS will likely be able to enforce the CFATS regulations. The GAO has found that in
the case where a program’s statutory authority expires, but Congress explicitly appropriates
funding for it, the program may continue to operate without interruption.135 If Congress allows
the statutory authority to expire and also does not appropriate funding for implementing the
CFATS program, the CFATS regulations will likely also lapse. In this case, the states would likely
become the primary source of any chemical facility security regulation.

134 Office of Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland
Security, CFATS Personnel Surety Program Update-Chemical Sector Security Summit, August 1, 2012.
135 Office of the General Counsel, General Accounting Office, Principles of Federal Appropriations Law, Third
Edition, GAO-04-261SP, January 2004, pp. 2-70–2-71.
Congressional Research Service
28

Chemical Facility Security: Issues and Options for the 113th Congress

Continue Congressional Oversight
Under one possible policy option, interested Members of Congress or congressional committees
might continue their oversight of the CFATS program. Historically, much of the congressional
debate has considered legislative options to reauthorize the existing statute or authorize the
CFATS program through a different statutory vehicle. Congressional committees have accepted
the assurances of DHS officials regarding CFATS activities even as DHS failed to meet its self-
established deadlines. The program’s critical self-assessment and DHS’s lack of identifying the
West Fertilizer Company as a CFATS-regulated facility may lead congressional oversight to
increase focus on program performance, use of appropriations, and internal oversight.
Congressional oversight of the program’s implementation, enforcement, and efficacy may play a
key role in determining the sufficiency of the existing authority and regulations.
Maintain the Existing Regulatory Framework
The existing statutory authority places much of the CFATS regulatory framework at the discretion
of the Secretary of Homeland Security. The DHS is still in the process of implementing these
regulations and has not yet determined their effectiveness. Congress might choose to maintain the
existing regulations by extending the statutory authority’s sunset date or codifying the existing
regulations. Also, as noted above, allowing the statutory authority to expire could maintain, in
effect, the existing regulatory framework if Congress continues to fund implementation, although
this might lead to legal challenge.
Extend the Sunset Date
Congressional policy makers might choose to extend the current statutory authority for a fixed or
indefinite time. Congress has enacted a series of limited extensions of the statutory authority
since its inception. The Consolidated Appropriations Act, 2014 (P.L. 113-76) extends the statutory
authority through October 4, 2014. Extending the existing statutory authority may provide
regulated entities continuity, protect them from losing those resources already expended in
regulatory compliance, and avoid providing a competitive advantage to those regulated entities
that remained out of regulatory compliance. An extension may allow assessment of the efficacy
of the existing regulations and inclusion of this information in any future attempts to revise or
extend DHS’s statutory authority. Moreover, since DHS is in the process of implementing current
regulations, some policy makers argue for a simple extension without changing statutory
requirements.
The Obama Administration FY2015 budget requests an extension of the statutory authority until
October 4, 2015, but the Obama Administration also supports enacting a longer duration or
permanent statutory authority.136 Congress might make the existing program permanent by
removing the statutory authority’s sunset date. Some chemical manufacturers support converting
the existing program into a permanent program.137 The removal of the sunset date would make the

136 Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Homeland Security, Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies, February 11, 2011.
137 Randy Dearth and Cal Dooley, “Commentary: Taking Chemical Plant Security in Pittsburgh Seriously,” Pittsburgh
Post-Gazette, May 27, 2009.
Congressional Research Service
29

Chemical Facility Security: Issues and Options for the 113th Congress

statutory authority permanent, maintain the current discretion granted to the Secretary of
Homeland Security to develop regulations, and might allow long-term assessment of the efficacy
of the existing regulations. Making the existing statute permanent would provide consistency in
authority and remove the statutory pressure to reauthorize the program. In contrast, the presence
of a sunset date for the statutory authority arguably increases the likelihood of congressional
attention to chemical facility security as a legislative topic. Some advocates who wish for more
regular congressional review of the statutory authority might oppose removing its sunset date.
Codify the Existing Regulations
Congressional policy makers might choose to affirm the existing regulations by codifying them or
their principles in statute. Such codification could reduce the discretion of the Secretary of
Homeland Security to alter the CFATS regulations in the future. The existing statutory authority
grants broad discretion to the Secretary to develop many elements of the CFATS regulations.
Future Secretaries may choose to alter its structure or approach and still comply with the existing
statute. Policy makers might identify specific components of the existing regulation that they
wish any future regulation to retain and codify those portions. Specifying these components might
limit the ability of the Secretary to react to changing circumstance, gained experience, and new
knowledge. On the other hand, the codified portions might enhance the regulated community’s
ability to plan for future expenses and requirements.
Alter the Existing Statutory Authority
Congressional policy makers might choose to alter the existing statutory authority to modify the
existing regulations, address stakeholder concerns, or broadly change the regulatory program.
Accelerate or Decelerate Compliance Activities
The DHS bases its schedule for facility CFATS compliance on the chemical facility’s assigned
risk tier. Those chemical facilities assigned to higher risk tiers have a more accelerated
compliance and resubmission schedule than those assigned to lower risk tiers. Congressional
policy makers might attempt to accelerate the compliance schedule by increasing funding
available to DHS for CFATS, thereby increasing the ability of DHS to provide feedback to
regulated entities, review submissions, and inspect facilities filing site security plans. Additional
funding might reduce or mitigate inefficiencies or delays related to DHS processing of
submissions.
Alternatively, policy makers might provide DHS with the authority to use third parties as CFATS
inspectors. The DHS could then augment the number of CFATS inspectors to meet increased
demand or delegate inspection authority to state and local governments. Third-party inspectors
might allow DHS to draw on expertise outside of the federal government in assessing the efficacy
of the implemented site security activities. The DHS may need to define the roles and
responsibilities of these inspectors and how DHS will assess and accredit their qualifications. The
DHS has stated its intent to issue a rulemaking regarding the use of third-party inspectors but has
not yet done so.138 The use of third-party inspectors might lead to concerns about equal treatment

138 72 Federal Register 17688–17745 (April 9, 2007) at 17712.
Congressional Research Service
30

Chemical Facility Security: Issues and Options for the 113th Congress

of chemical facilities by different third-party inspectors, and questions about whether homeland
security inspections of this type are an inherently governmental responsibility that only federal
employees should perform.
Congress might direct DHS to increase its activities on identifying noncompliant facilities.
Following an explosion in West, TX, DHS identified that the facility had not complied with
CFATS, though it reportedly possessed more than a screening threshold quantity of chemicals of
interest. Congressional policy makers may prioritize identifying those facilities that have not yet
reported over other parts of the CFATS process, depending on their view of the relative risk
reduction of these activities.
Finally, Congress might determine that DHS has sufficient resources to accelerate compliance
activities but is restrained by some other procedural factor. Some congressional policy makers
assert that the internal and external reviews of the CFATS program indicate internal challenges
and claim “the basic programmatic building blocks of CFATS are missing.”139 Congressional
policy makers might direct DHS to refine its internal procedures, streamline its review process,
reduce the timeframe for response and interaction with regulated entities, or otherwise enact
process improvements.
Conversely, congressional policy makers might choose to slow the implementation schedule of
the chemical facility security regulations. Concern about the impact of the regulation on small
businesses or other entities might lead to a decelerated compliance schedule. The DHS has
already implemented select regulatory extensions for certain agricultural operations.140
Congressional policy makers might direct DHS to provide longer submission, implementation,
and resubmission timelines for those regulated entities that might suffer disproportionate
economic burdens from compliance.
Incorporate Excluded Facilities
Policy makers might remove some or all of the statutory exclusions from the CFATS program.
The Administration has supported revising the existing exclusions to provide a more
comprehensive chemical facility security approach. The DHS supports modifying the existing
exemption for (1) facilities regulated under the Maritime Transportation Security Act (MTSA) to
increase security at these facilities to the CFATS standard and (2) facilities regulated by the
Nuclear Regulatory Commission to clarify the scope of the exemption.141
In addition, DHS and the Environmental Protection Agency (EPA) have called for additional
authorities to regulate water and wastewater treatment facilities:

139 Representative Michael T. McCaul, Chairman, Committee on Homeland Security; Representative Fred Upton,
Chairman, Committee on Energy and Commerce; and Representative John Carter, Chairman, Homeland Security
Appropriations Subcommittee, Letter to Janet Napolitano, Secretary, U.S. Department of Homeland Security, July 22,
2013.
140 73 Federal Register 1640 (January 9, 2008).
141 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
The DHS and the Nuclear Regulatory Commission have developed a memorandum of understanding regarding security
at chemical facilities regulated by the Nuclear Regulatory Commission (Memorandum of Understanding between the
U.S. Department of Homeland Security and the U.S. Nuclear Regulatory Commission, March 31, 2011).
Congressional Research Service
31

Chemical Facility Security: Issues and Options for the 113th Congress

The Department of Homeland Security and the Environmental Protection Agency believe
that there is an important gap in the framework for regulating the security of chemicals at
water and wastewater treatment facilities in the United States. The authority for regulating
the chemical industry purposefully excludes from its coverage water and wastewater
treatment facilities. We need to work with the Congress to close this gap in the chemical
security authorities in order to secure chemicals of interest at these facilities and protect the
communities they serve. Water and wastewater treatment facilities that are determined to be
high-risk due to the presence of chemicals of interest should be regulated for security in a
manner that is consistent with the CFATS risk and performance-based framework while also
recognizing the unique public health and environmental requirements and responsibilities of
such facilities.142
The EPA has testified that the Obama Administration believes that EPA should be the lead agency
for chemical security for both drinking water and wastewater systems, with DHS supporting
EPA’s efforts. The EPA also supports providing states with an important role in regulating
chemical security at water systems, including determinations, auditing, and inspecting.143
If Congress provides the executive branch with statutory authority to regulate water and
wastewater treatment facilities for chemical security purposes, it may weigh several policy
decisions. Among these choices are which facilities should be regulated; how stringent such
security measures should be; what federal agency should oversee them; and whether compliance
with these security measures is practicable given the public nature of many water and wastewater
treatment facilities.
One option for congressional policy makers might be to include water and wastewater treatment
facilities under the existing CFATS regulations, effectively removing the exemption currently in
statute. This would place water and wastewater treatment facilities on par with other possessors
of chemicals of interest. The DHS would provide oversight of all regulated chemical facilities.144
Opponents might claim that activities under CFATS, such as vulnerability assessment, duplicate
existing requirements under the Safe Drinking Water Act.145 Also, opponents of such an approach
cite the essential role that water and wastewater treatment facilities play in daily life and assert
that several authorities available to DHS under CFATS, such as the ability to require a facility to
cease operations, are inappropriate if applied to a municipal utility.146 Congressional policy

142 Testimony of Benjamin H. Grumbles, Assistant Administrator for Water, U.S. Environmental Protection Agency
before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June
12, 2008. See also testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate,
Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs,
March 3, 2010.
143 Testimony of Peter S. Silva, Assistant Administrator for Water, Environmental Protection Agency, before the
Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
144 The U.S. Coast Guard oversees those chemical facilities exempted from CFATS because they are regulated under
MTSA. In 2013, DHS stated that only 32 facilities claimed a partial exemption from CFATS regulations due to being
partially regulated under MTSA (78 Federal Register 17680-17701 (March 22, 2013) at 17698). In 2009, DHS testified
that 365 facilities were fully exempt from the CFATS regulations due to compliance with MTSA, while 135 were
partially exempt (“House Committee on Homeland Security Holds Hearing on the Chemical Facility Antiterrorism Act
of 2009,” CQ Congressional Transcripts, June 16, 2009).
145 Section 1433 of the Safe Drinking Water Act as amended by Section 401 of P.L. 107-188, the Public Health
Security and Bioterrorism Preparedness and Response Act of 2002, required water systems to perform a vulnerability
assessment.
146 Testimony of Brad Coffey, Association of Metropolitan Water Agencies, before the House Committee on Energy
and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008.
Congressional Research Service
32

Chemical Facility Security: Issues and Options for the 113th Congress

makers might mitigate some of these concerns by requiring DHS to consult with EPA regarding
its regulation of water and wastewater treatment facilities and harmonizing existing vulnerability
assessment requirements.
Another option might be to grant statutory authority to regulate water and wastewater treatment
facilities for security purposes to EPA. Some water-sector stakeholders suggest that EPA retaining
the lead for water and wastewater treatment facilities would be more efficient. Providing EPA the
authority to oversee security as well as public health and safety operations may reduce the
potential for redundancy and other inefficiencies.147
If policy makers assign responsibility for chemical facility security at different facilities to
different agencies, each agency will promulgate separate rules. These rules may be similar or
different depending on the agencies’ statutory authority, interpretation of that authority, and
ability of the regulated entities to comply as well as any interagency coordination that might
occur. Some industry representatives have expressed concern regarding the effects of multiple
agencies regulating security at drinking water and wastewater treatment facilities.148 They assert
that municipalities that operate both types of facilities might face conflicting regulations and
guidance if different agencies regulate drinking water and wastewater treatment facilities.
Congress may wish to assess the areas where such facilities are similar and different in order to
provide authorities that meet any unique characteristics.
Any new regulation of drinking water and wastewater treatment facilities is likely to cause the
regulated entities, and potentially the federal government, to incur some costs. Representatives of
the water and wastewater sectors argue that local ratepayers will eventually bear the capital and
ongoing costs incurred due to increased security measures.149 Congressional policy makers may
wish to consider whether the regulated entities and the customers they serve should bear these
costs, as is done for other regulated chemical facilities, or whether they should be borne by the
taxpayers in general through federal financial assistance to the regulated entities. Additionally, if
inclusion of other facility types significantly increases the number of regulated entities, the
regulating agency may require additional funds to process regulatory submissions and perform
required inspections.
Harmonize Regulations
Other security statutes, such as MTSA, apply to some facilities exempt from the existing
chemical facility security regulations. The DHS supports modifying the existing exemption for
MTSA-regulated facilities to increase security at these facilities to the CFATS standard and
modifying the existing exemption for facilities regulated by the Nuclear Regulatory Commission
to clarify the scope of the exemption for NRC-regulated facilities.150 The EPA has testified that

147 Some agencies oversee both safety and security issues. For example, the U.S. Coast Guard has both safety and
security responsibilities for ports.
148 See, for example, American Water Works Association, “AWWA Members Urged to Contact Congress on Chemical
Security Bill,” and Association of Metropolitan Water Agencies, “Drinking Water Security and Treatment Mandates,”
Policy Resolution, October 2008.
149 Testimony of Brad Coffey, Association of Metropolitan Water Agencies, before the House Committee on Energy
and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008.
150 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
Congressional Research Service
33

Chemical Facility Security: Issues and Options for the 113th Congress

the Obama Administration believes that DHS should be responsible for ensuring consistency of
high-risk chemical facility security across all critical infrastructure sectors.151
On August 1, 2013, President Obama signed an executive order on improving chemical facility
safety and security and establishing a Chemical Facility Safety and Security Working Group.152
As one facet of this executive order, it directs the working group to deploy within 45 days a pilot
program to validate best practices and test innovative methods for federal interagency
collaboration regarding chemical facility safety and security.153 The pilot program, which DHS
has implemented, is to include innovative and effective methods of collecting, storing, and using
facility information, stakeholder outreach, inspection planning, and, as appropriate, joint
inspection efforts. The results of this pilot program are to inform comprehensive and integrated
standard operating procedures for a unified federal approach for identifying and responding to
risks in chemical facilities, incident reporting and response procedures, enforcement, and
collection, storage, and use of facility information, which the working group will create within
270 days. These best practices are to reflect best practices and are to include agency-to-agency
referrals and joint inspection procedures where possible and appropriate.154
If Congress modifies these exemptions, conflicts might arise between requirements under
chemical facility security regulations and these other provisions. One approach to resolving these
conflicts is to identify which statute would supersede the others. Critics of such an approach
might assert that the superseding statute does not contain all of the protections present in the other
statutes. Another approach might be to require agencies to generally harmonize the regulations
implementing each statute. Regulatory agencies might identify and determine the best ways to
meet statutory requirements while also limiting regulatory duplication or contradiction.
Such harmonization might reduce the regulatory burden on companies possessing facilities
regulated under two frameworks, such as MTSA and CFATS, by allowing a single security
approach to the regulations. For example, equivalent credentialing of workers under both
regulatory frameworks might limit the regulatory cost of compliance, in contrast to requiring two
distinct security credentials. The DHS has established a joint NPPD/U.S. Coast Guard (USCG)
working group to evaluate and, where appropriate, implement methods to harmonize the CFATS
and MTSA regulations.155 In contrast, if the process of harmonization leads to a significant
increase in security requirements, the regulatory burden faced by industry might also increase.
The USCG and NPPD have signed a memorandum of agreement regarding collaborative use of
security risk management information developed by each entity.156 Congress previously expressed

151 Testimony of Peter S. Silva, Assistant Administrator for Water, Environmental Protection Agency, before the
Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
152 Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78 Federal Register
48029-48032 (August 7, 2013).
153 Section 4(a) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
154 Section 4(b) of Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78
Federal Register 48029-48032 (August 7, 2013).
155 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the House Committee on Energy and Commerce, Subcommittee on Environment and the
Economy, March 31, 2011.
156 United States Coast Guard and National Protection and Programs Directorate, Department of Homeland Security,
Memorandum of Agreement Between United States Coast Guard and National Protection and Programs Directorate
Regarding Collaborative Use of Security Risk Management Information, December 14, 2012.
Congressional Research Service
34

Chemical Facility Security: Issues and Options for the 113th Congress

its expectation that DHS would execute a memorandum of agreement between NPPD and USCG
regarding harmonization of chemical security responsibilities under CFATS and MTSA no later
than March 30, 2012.157 The DHS did not meet this expectation, and Congress reaffirmed this
direction in March 2013.158
Increase Interagency Coordination
Congress may also focus on the interaction between different federal agencies, or between federal
and state agencies, regulating facilities possessing chemicals of interest. States and the EPA, for
example, receive information on certain chemical facilities through compliance with
environmental regulations. The extent to which these agencies coordinate and exchange
information with each other may affect overall regulatory compliance. The White House is
coordinating a review of chemical safety and security regulations across departments and
agencies for potential gaps in coverage and explore ways to mitigate those gaps through existing
authorities.159
As early as 2009, DHS identified reconciling CFATS submissions with EPA RMP facility
information as a way to reveal outliers.160 The West Fertilizer Company, for example, was
compliant with the EPA RMP program and had provided a five-year update in 2011, but it was not
identified by DHS as noncompliant under CFATS.161 Comparing federally held information on
regulated facilities may be effective in identifying outliers. Such a process likely would occur
through data analysis rather than through outreach activities, a potentially less costly procedure.
The success of this approach would depend on the quality of self-reporting by regulated entities.
In the case of the West Fertilizer Company, its report to EPA might have indicated to DHS that it
should also have reported to DHS, but this approach would not allow DHS to identify a facility
that fails to self-report to any agency. In order to identify such facilities, DHS has reengaged with
EPA regarding RMP data and has identified some outlier facilities.162
Similarly, DHS might attempt to collect chemical holdings data from other governmental entities,
including state and local regulatory agencies. State and local regulatory agencies may possess
more diverse information about chemical holdings at particular facilities than federal agencies.
For example, under Title III of the Superfund Amendments and Reauthorization Act (SARA; P.L.
99-499), the Emergency Planning and Community Right-to-Know Act (EPCRA) requires certain
facilities to submit chemical inventories to state and local planning authorities and the local fire
department, so-called “Tier II” reporting. Reporting to states under EPCRA results in chemical
inventories while reporting to EPA under the RMP program is required only for select chemicals.

157 H.Rept. 112-331, p. 947.
158 See explanatory statement for P.L. 113-6, FY2013 Consolidated and Further Continuing Appropriations Act, printed
in the March 11, 2013, Congressional Record, pp. S1287-S1587 at p. S1554.
159 Department of Homeland Security, DHS Responses to Rep. McCaul and Rep. Meehan’s May 2, 2013 Letter
Regarding the Chemical Facility Anti-Terrorism Standards (CFATS) Program, June 2013.
160 Department of Homeland Security, The Chemical Facility Anti-Terrorism Standards—Update, August 30, 2009,
p. 9.
161 Right-to-Know Net, West Fertilizer Co. Risk Management Plan, June 30, 2011, http://data.rtknet.org/rmp/rmp.php?
facility_id=100000135597&database=rmp&detail=3&datype=T.
162 Testimony of David Wulf, Director, Infrastructure Security Compliance Division, National Programs and Protection
Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies, on August 1, 2013.
Congressional Research Service
35

Chemical Facility Security: Issues and Options for the 113th Congress

For example, EPCRA-based reporting to the state of Texas showed the presence of ammonium
nitrate at the West Fertilizer Company. Ammonium nitrate does not require reporting under the
RMP program but is a CFATS chemical of interest.163 The DHS might request such information
from state or local authorities and use it to verify facility compliance with CFATS reporting
requirements. The DHS is in the process of contacting certain state officials regarding facilities
containing chemicals within their jurisdictions.164 The DHS requests specific funding for FY2015
to establish a capacity for such analysis on an annual basis.165
Because of the range of information possessed by various federal, state, and local regulatory
agencies, this approach may provide a greater insight into the identities of non-compliant
facilities but also be resource intensive, as different state and local agencies store such data in
various, potentially incompatible formats. In addition, industry stakeholders may have concerns
about the identification and subsequent protection of proprietary or competitive information
arising from the aggregation of different regulatory filings.
Consider Inherently Safer Technologies
Congressional policy makers may choose to address the issue of inherently safer technologies,
sometimes called methods to reduce the consequences of terrorist attack. The current statute bars
DHS from mandating the presence or absence of a particular security measure. Therefore, DHS
cannot require a regulated facility to adopt or consider inherently safer technologies.166 Congress
could choose to continue the current policy or provide DHS with statutory authority regarding
inherently safer technologies at regulated chemical facilities or require efforts regarding
inherently safer technologies.
One policy approach might be to mandate the implementation of inherently safer technologies for
a set of processes. Another policy approach might be to mandate the consideration of
implementation of inherently safer technologies with certain criteria controlling whether
implementation is required. A third policy approach might be to mandate the development of a
federal repository of inherently safer technology approaches and consideration of chemical
processes against those options listed in the repository. Stakeholders might assess and review the
viability of applying these inherently safer approaches at lower cost if such information were
centralized and freely available. Alternatively, policy makers might establish an incentive-based
structure outside of the chemical facility security mandate to encourage the adoption of inherently
safer technologies by regulated entities.

163 CRS Report R43070, Regulation of Fertilizers: Ammonium Nitrate and Anhydrous Ammonia, by Dana A. Shea,
David M. Bearden, and Scott D. Szymendera.
164 Oral testimony of David Wulf, Director, Infrastructure Security Compliance Division, National Programs and
Protection Directorate, Department of Homeland Security, before the House Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, on August 1, 2013.
165 Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and
Information Security Fiscal Year 2015 Congressional Justification, p. 90.
166 The National Environmental Justice Advisory Council, an EPA advisory committee, has recommended to the EPA
an alternative approach. It recommends that the EPA Administrator use authorities under the Clean Air Act to require
chemical facilities to implement inherently safer technology approaches (National Environmental Justice Advisory
Council, Letter to Administrator Jackson, March 14, 2012). Several congressional policy makers have expressed their
opposition to this approach. See, for example, Senator James M. Inhofe, Senator Susan M. Collins, Senator David
Vitter, and Senator Mary Landrieu, Letter to Administrator Jackson, July 16, 2012; and Representative Fred Upton,
Representative Ed Whitfield, and Representative John Shimkus, Letter to Administrator Jackson, May 8, 2012.
Congressional Research Service
36

Chemical Facility Security: Issues and Options for the 113th Congress

The Obama Administration supports use of inherently safer technologies to enhance security at
high-risk chemical facilities in some circumstances. It has established a series of principles
directing its policy:
• The Administration supports consistency of inherently safer technology
approaches for facilities regardless of sector.
• The Administration believes that all high-risk chemical facilities, Tiers 1-4,
should assess [inherently safer technology] methods and report the assessment in
the facilities’ site security plans. Further, the appropriate regulatory entity should
have the authority to require facilities posing the highest degree of risk (Tiers 1
and 2) to implement inherently safer technology methods if such methods
demonstrably enhance overall security, are determined to be feasible, and, in the
case of water sector facilities, consider public health and environmental
requirements.
• The Administration believes that the appropriate regulatory entity should review
the inherently safer technology assessment contained in the site security plan for
all Tier 3 and Tier 4 facilities. The entity should be authorized to provide
recommendations on implementing inherently safer technologies, but it would
not have the authority to require facilities to implement the inherently safer
technology methods.
• The Administration believes that flexibility and staggered implementation would
be required in implementing this new inherently safer technology policy.167
A congressional mandate for regulated entities to adopt or consider adopting inherently safer
technologies may have benefits and drawbacks. It may lead regulated entities to consider factors
such as homeland security impact in their chemical process assessments. Some experts assert that
existing chemical process safety activities consider and assess inherently safer technology
approaches though not necessarily in a homeland security context.168 These assessments may lead
to changes in chemical process when deemed safer, more reliable, and cost-effective. The extent
to which homeland security impact has factored into these industry decisions is unknown, but
DHS has identified cases where chemical facilities have voluntarily modified chemical processes
to lower their CFATS tier. An additional complication to assessing inherently safer technology is
the varying amounts and quality of information available regarding industrial implementation of
inherently safer technologies. While some facilities have converted to processes generally
deemed as inherently safer, other facilities may not have sufficient information available to
effectively assess the impacts from changing existing processes to ones considered inherently
safer.169 The differences that exist among chemical facilities, in terms of chemical process, facility

167 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
See also Personal Communication between CRS and Office of Legislative Affairs, Department of Homeland Security,
January 16, 2014.
168 See, for example, testimony of Dennis C. Hendershot, Staff Consultant, Center for Chemical Process Safety,
American Institute of Chemical Engineers, before the Senate Committee on Environment and Public Works, June 21,
2006, S.Hrg. 109-1044.
169 The Chemical Security Analysis Center of the DHS S&T Directorate contracted with the Center for Chemical
Process Safety of the American Institute of Chemical Engineers to develop a technically based definition for inherently
safer technology. See Center for Chemical Process Safety, American Institute of Chemical Engineers, Final Report:
Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use, July 2010. The DHS has
(continued...)
Congressional Research Service
37

Chemical Facility Security: Issues and Options for the 113th Congress

layout, and ability to finance implementation, may challenge mandatory implementation of
inherently safer technologies at regulated entities. Finally, the National Academies have identified
that the chemical industry lacks a common understanding and set of practice protocols for
identifying safer processes.170 Therefore, it seems likely that any such mandate will also require
accompanying outreach and educational activities for regulated entities. Even the mandatory
consideration of inherently safer technologies may place a financial burden on some small
regulated entities. Congress might limit mandatory measures to those facilities considered by
DHS to pose the most risk or might provide such financial assistance to regulated facilities.171
Policy makers might choose to try to further incentivize regulated entities to adopt inherently
safer technologies. Under the CFATS regulations, facilities that adopt inherently safer
technologies might change their assigned risk tier by reducing the amount of chemicals of interest
they store. As of May 2014, more than 3,000 facilities had removed or reduced the amount of
chemicals of interest stored onsite and no longer qualify as a high-risk facility.172 Policy makers
might provide regulated entities that adopt inherently safer technologies with additional financial
or regulatory incentives. Alternatively, policy makers might direct DHS or another agency to
perform inherently safer technology assessments for regulated entities, transferring the cost of
such assessment from the facility to the federal government.173 The regulated entity or the
overseeing agency might use the results of these assessments to guide adoption of inherently safer
technologies.
Modify Information Security Provisions
Congressional policy makers might choose to increase transparency in the CFATS process by
altering the information security provisions of the program. Such an approach might include
increasing the number and type of individuals granted access to CVI, improving information
exchange with first responders, and adjusting the manner by which courts and administrative
proceedings handle CVI. The Obama Administration has testified that CVI is a distinct
information protection regime and expressed support for maintaining CVI in its current form.174
Congress might choose to amend the existing statutory authority to address policy concerns.
Policy makers might direct DHS to make specific types of information, such as the results of

(...continued)
not adopted the S&T Directorate work as a regulatory definition. Congress has directed DHS to detail and report to
Congress the Department’s definition of inherently safer technology as it relates to chemical facilities under the
purview of CFATS. See H.Rept. 112-331, p. 986.
170 Committee on Inherently Safer Chemical Processes, National Research Council, The Use of Methyl Isocyanate
(MIC) at Bayer CropScience, 2012.
171 Section 401 of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188)
mandated drinking water facilities serving more than 3,300 individuals develop an emergency response plan and
perform a vulnerability assessment. Funds were authorized to help offset the costs to these facilities.
172 Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, May 2014, http://www.dhs.gov/
sites/default/files/publications/CFATS%20Update%20FS_May2014_508_0.pdf.
173 Following investigation into the explosion at the Bayer CropScience facility in Institute, WV, Members of Congress
requested that the Chemical Safety Board provide recommendations on the adoption of alternative chemical processes
at the chemical facility. Rep. Henry A. Waxman, Sen. John D. Rockefeller IV, Rep. Bart Stupak, and Rep. Edward J.
Markey, Letter to John Bresland, May 4, 2009.
174 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of
Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010.
Congressional Research Service
38

Chemical Facility Security: Issues and Options for the 113th Congress

enforcement activities or the approval of successful implementation of a site security plan, more
generally available. As more information about the vulnerability assessment and the security
process becomes available, the potential that adversaries might combine this disparate
information to obtain insight into a security weakness may increase. Congressional policy makers
might require that the executive branch or another entity identify the threats or vulnerabilities that
might accrue from release of a greater amount of chemical facility security information prior to
implementing such a policy change.175
Congressional policy makers might choose to alter the information protection regime afforded to
chemical facility security information by specifically expanding access to first responders. The
existing regulation explicitly states that it does not protect from disclosure information developed
in response to other laws or regulations, such as the Emergency Planning and Community Right-
to-Know Act (EPCRA). Enhancing first responder access to such information might minimize
perceived barriers to disclosing information during an accident. For example, Congress might
mandate that each jurisdiction with a regulated chemical facility contain a first responder
designated as a covered individual.
Conversely, congressional policy makers might choose to further limit dissemination of CVI so as
to increase barriers to its release. Congress might prohibit DHS from sharing such information
outside of the federal government or further limit CVI access to state and local officials by
establishing additional eligibility criteria. Limiting the number of individuals with access to CVI
may make it more difficult for those wishing to do harm to obtain technical or operational
security information. Conversely, state and local officials may not support such an approach, as
limitations on distribution may also adversely affect emergency response at a regulated facility or
inhibit the ability of state and local law enforcement officials to provide targeted protection of
particular chemical facility assets.
Policy makers might also choose to address the issue of identifying and marking protected
information by mandating review of marked documents. Congressional policy makers might
assign this responsibility to review and certify marked information to the chemical facility.
Alternatively, the federal government might review and certify documents marked CVI on a
regular basis. Industry representatives may not support such a requirement due to the additional
regulatory burden caused by the review. While such review might potentially limit incorrect
marking, it may inhibit information reporting by regulated entities to the federal government.
Additionally, absent a penalty for incorrect marking, it is unclear how to discourage incorrect
marking of non-security materials in order to avoid public release.
Congressional policy makers may also address concerns raised regarding the ability of concerned
individuals to report misdeeds by creating a “whistleblower” reporting mechanism.176 One
approach might be to codify the current mechanism of reporting such concerns to DHS or a

175 A similar approach was taken with regard to making available chemical facility information submitted to the EPA
under the auspices of the RMP program. In this case, Congress directed the President to assess the potential risk of
placing this information on the Internet. See Section 3 of Chemical Safety Information, Site Security and Fuels
Regulatory Relief Act (P.L. 106-40). The Department of Justice assessed that placing such information on the Internet
posed law enforcement and national security concerns. See U.S. Department of Justice, Assessment of the Increased
Risk of Terrorist or Other Criminal Activity Associated with Posting Off-Site Consequence Analysis Information on the
Internet, April 18, 2000.
176 While DHS has established a “CFATS Tip-Line” where individuals may report security concerns, individuals using
the tip-line accrue no special protections.
Congressional Research Service
39

Chemical Facility Security: Issues and Options for the 113th Congress

similar federal entity, such as an agency Inspector General. Alternatively, Congress can create a
more general exemption to the penalties arising from disclosure of protected information for
those individuals who report such concerns to federal officials if that is needed to protect
whistleblowers. As part of a whistleblower mechanism, policy makers might choose to extend
protections against retaliation or other job-related actions to those individuals availing themselves
of current or newly established reporting mechanisms.
Preempt State Regulations
The 110th Congress addressed the issue of federal preemption of state chemical facility security
statutes and regulations by placing in statute the requirement that federal regulation preempt the
state regulation only when an “actual conflict” occurs between them.177 Congressional policy
makers may choose to further limit the cases where federal regulation would preempt state
regulation by affirming the right of states to make chemical facility security regulations that are
more stringent than federal regulation even if they conflict. Alternatively, policy makers may
choose to increase the number of cases where federal regulations preempt those of a state by
expanding the types of conflict, beyond “actual,” that will lead to preemption.
Congressional Action
The annual appropriations process provides funding for implementation of chemical facility
security regulation. The 113th Congress, through the Continuing Appropriations Act, 2014 (P.L.
113-76), extended the statutory authority through October 4, 2014, and provided appropriations
for CFATS implementation. Chemical facility security legislation has also been introduced in the
113th Congress.
Extend the Existing Authority
The current statutory authority to regulate security at chemical facilities expires on October 4,
2014. Historically, Congress has extended this authority through appropriations acts. The
Administration’s budget requests that the statutory authority be extended to October 4, 2015.
P.L. 113-76
P.L. 113-76, the Consolidated Appropriations Act, 2014, became law on January 17, 2014. It
extends the statutory authority through October 4, 2014, and provides appropriations for the
federal government for FY2014. A joint explanatory statement for P.L. 113-76 contains specific
directions for the CFATS program, as do the House and Senate reports accompanying their
respective passed and reported homeland security appropriations bills.

177 P.L. 110-161, the Consolidated Appropriations Act, 2008, Section 534.
Congressional Research Service
40

Chemical Facility Security: Issues and Options for the 113th Congress

Joint Explanatory Statement
The joint explanatory statement for P.L. 113-76 provides $81.0 million for Infrastructure Security
Compliance, $4.8 million less than the Administration’s request.178 The joint explanatory
statement clarifies that
The language and allocations contained in the House and Senate reports should be complied
with and carry the same weight as the language included in this explanatory statement,
unless specifically addressed to the contrary in the final bill or this explanatory statement.179
The joint explanatory statement contains certain requirements for DHS with respect to chemical
facility security and the CFATS program.180 It directs NPPD to, as detailed in the House report,
provide a report within 90 days of enactment to the appropriations and authorizing committees
explaining how ISCD will further improve the review process for regulated facilities. The joint
explanatory statement directs NPPD to report to the appropriations and authorizing committees
not later than April 15, 2014, on the steps NPPD is taking to avoid costly duplication of
programs, as detailed in the House report. The report is also to describe how NPPD is helping to
ensure the safety of facilities and whether DHS intends to mandate how a covered chemical
facility meets the personnel surety standard, particularly in cases where the facility has already
adopted strong and identifiable personnel measures designed to verify identity, check criminal
history, validate legal authorization to work, and identify individuals with terrorist ties.
The statement further directs the Under Secretary of NPPD to provide a report within 90 days of
enactment to the appropriations committees on the implementation of the CFATS program, as
detailed in the Senate report. This report shall be in lieu of language in the House report directing
NPPD to provide a detailed expenditure plan.
In lieu of the requirement in the Senate report for the Chemical Sector Coordination Council to
develop recommendations to improve coordination on chemical security and safety, the joint
explanatory statement directs NPPD to continue implementing the requirements designated in
Executive Order 13650.181 The joint explanatory statement states its expectation that NPPD
provide regular updates on the progress of implementing improvements, the status of corrective
measures being taken to ensure awareness of facilities that fall under the purview of the CFATS
program, and the need for any additional funding requirements that emerge to address
coordination needs. In lieu of language in the House report, the joint explanatory statement
directs NPPD to report semiannually to the appropriations committees on progress in complying
with all the DHS Office of Inspector General recommendations made on ISCD’s management
practices related to CFATS.182 The joint explanatory statement also directs ISCD to improve the
compliance of current Top Screen registrants, such as through ongoing, proactive risk monitoring,
data management, and the verification of business information in lieu of language in the House
report.

178 Congressional Record, 160: 9 (January 15, 2014) p. H934.
179 Congressional Record, 160: 9 (January 15, 2014) p. H926.
180 Congressional Record, 160: 9 (January 15, 2014) p. H935.
181 Executive Order 13650, Improving Chemical Facility Safety and Security, August 1, 2013. See 78 Federal Register
48029-48032 (August 7, 2013).
182 Office of the Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security
Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program,
OIG-13-55, March 2013.
Congressional Research Service
41

Chemical Facility Security: Issues and Options for the 113th Congress

H.Rept. 113-91
H.Rept. 113-91, the House Committee on Appropriations report accompanying H.R. 2217, would
have recommended $77.1 million for Infrastructure Security Compliance, $8.7 million less than
the Administration’s request. The report cites “the continued delays in the implementation of the
Chemical Facility Anti-terrorism Standards (CFATS) program” and “the Infrastructure Security
Compliance Division’s (ISCD) inability to mitigate real risks” as the reason for the decrease.183
The House committee report would direct DHS to perform certain activities and to provide
several reports to congressional policy makers. It would direct NPPD to report on how it will
further accelerate the site security plan review process and detail actions DHS is taking to better
manage the CFATS program.184 The committee report also expresses the committee’s expectation
that NPPD will comply with the recommendations of the DHS Inspector General regarding the
CFATS program and would direct NPPD to report to the committee on its compliance with those
recommendations.185 It would direct the Under Secretary for NPPD to report on steps NPPD is
taking to leverage existing personnel surety infrastructure within DHS and industry and to ensure
that DHS does not inadvertently compromise facility safety due to overzealous protection of
criminal investigations.186 It would direct DHS to review CFATS program implementation and
collaboration and communication within ISCD and with the regulated community. The review
also would address improvement of facility identification methodology used by ISCD,
information sharing with state entities by ISCD, and efforts to address stakeholder concerns.187
The report also states the committee’s expectation that NPPD will provide it with a
comprehensive update on measures being taken to ensure that facilities with chemicals of interest
are notified by ISCD when they fall within the purview of the CFATS program, an estimate of the
potential number of outlier facilities, and a detailed performance evaluation of CFATS
inspectors.188
S.Rept. 113-77
S.Rept. 113-77, the Senate Committee on Appropriations report accompanying H.R. 2217, would
have recommended $85.5 million for the Infrastructure Security Compliance, $0.2 million less
than the Administration’s request. The Senate committee report would direct DHS to perform
certain activities and to provide several reports to congressional policy makers. It would require
DHS to report semiannually on the coordination of chemical security efforts within DHS and
across departments and agencies and direct DHS to work in conjunction with the Office of
Management and Budget to review and synchronize federal entities involved in chemical security
activities.189 In addition, the report would direct NPPD to support the Chemical Sector
Coordination Council in an effort to develop and provide to the committee recommendations to
improve the coordination among federal agencies, streamline reporting requirements, and

183 H.Rept. 113-91, p. 82.
184 H.Rept. 113-91, p. 84.
185 H.Rept. 113-91, pp. 84-85.
186 H.Rept. 113-91, pp. 85-86.
187 H.Rept. 113-91, pp. 86-87.
188 H.Rept. 113-91, p. 87.
189 S.Rept. 113-77, p. 13.
Congressional Research Service
42

Chemical Facility Security: Issues and Options for the 113th Congress

improve the CFATS program.190 The report would direct NPPD to report semiannually on the
implementation of the CFATS program including the number of facilities covered, inspectors,
completed inspections, inspections completed by region, pending inspections, days inspections
are overdue, enforcements resulting from inspections, and enforcements overdue for resolution,
with the data delineated by tier.191
P.L. 113-73
P.L. 113-73, which made further continuing appropriations for FY2014, became law on January
15, 2014. It extended the statutory authority through January 18, 2014.
P.L. 113-46
P.L. 113-46, the Continuing Appropriations Act, 2014, became law on October 17, 2013. It
extended the statutory authority through January 15, 2014.
P.L. 113-6
P.L. 113-6, the Consolidated and Further Continuing Appropriations Act, 2013, became law on
March 26, 2013. It extended the statutory authority through October 4, 2013.
Modify the Existing Authority
Legislation in the 113th Congress has been introduced in the House that would modify the existing
authority.
H.R. 4007
H.R. 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and
Accountability Act of 2014, was referred to the House Committee on Energy and Commerce and
the House Committee on Homeland Security. On April 3, 2014, the Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies, of the House Committee on
Homeland Security, amended the bill as introduced and ordered it forwarded to the full committee
with a favorable recommendation, as amended. On April 30, 2014, the House Committee on
Homeland Security amended the bill as reported by the Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies and ordered it to be reported to the House of
Representatives with a favorable recommendation, as amended.
As amended, the act would establish a Chemical Facility Anti-Terrorism Standards Program
within DHS. It would require the Secretary of Homeland Security to establish risk-based
performance standards through the program and mandate that covered facilities submit security
vulnerability assessments and develop and implement site security plans. Covered chemical
facilities would be those designated by the Secretary as presenting a high level of security risk,

190 S.Rept. 113-77, p. 100.
191 S.Rept. 113-77, p. 101.
Congressional Research Service
43

Chemical Facility Security: Issues and Options for the 113th Congress

excluding facilities regulated under MTSA; public water systems; wastewater treatment works;
facilities owned or operated by the Department of Defense and Department of Energy; facilities
regulated by the Nuclear Regulatory Commission; and certain rail facilities regulated by the
Transportation Security Administration.
The act as amended would require the Secretary to review and approve or disapprove such
security vulnerability assessments and develop and site security plans, though not on the basis of
the presence or absence of a particular security measure. It would allow the Secretary to approve
alternative security programs if the programs meet DHS requirements. Also, the act as amended
would allow a covered facility to satisfy a personnel surety performance standard by using any
federal screening program that periodically vets individuals against the terrorist screening
database, including the DHS personnel surety program. It also would prohibit the Secretary from
requiring a covered facility to submit information about individuals with access to the facility
unless the individual was vetted under the DHS personnel surety program or had been identified
as presenting a terrorism security risk.
As amended, H.R. 4007 would require the Secretary to audit and inspection of covered facilities
and explicitly allows the Secretary to permit non-departmental and nongovernmental entities to
perform such activities. It would also require the Secretary to set standards for departmental and
nongovernmental inspectors. The act, as amended, would provide a mechanism for addressing
covered facility noncompliance including the issuance of penalties. Also, it would require the
Secretary to consult with other federal agencies and relevant business associations to identify
potentially noncompliant facilities.
As amended, H.R. 4007 would provide protections to information developed pursuant to the act.
It would allow the Secretary to share information with covered facilities, state and local
government officials, as well as first responders through state and local fusion centers. The
Secretary would be granted the discretion to use existing and new regulations to implement these
authorities. In addition, it would direct DHS and GAO to provide reports on the program.
H.R. 4007, as amended, also would provide authorization of appropriations from FY2015 through
FY2018 at $87.436 million, require the Secretary to make available information about protections
for providing information to DHS, and allow the Secretary to provide guidance on physical
security compliance to regulated small chemical facilities. Finally, the bill would require the
Secretary to establish an outreach implementation plan, submit a plan to Congress on CFATS
metrics, and commission a study on vulnerabilities associated with the existing CFATS program.
In February 2014, Secretary of Homeland Security, Jeh Johnson, testified that he was in support
of H.R. 4007, as introduced, stating:
I have reviewed H.R. 4007. I think it is a good bill. I'm very supportive of it. Indeed, my
folks tell me, “We wish we could extend the period longer.” We have a regulatory scheme
that we have put in place. I agree with you, that over the last year, it’s gotten better. That all
stems from an appropriations measure, not an authorizations measure. I've read this bill. I
think it’s a good bill. Our critical infrastructure folks think it’s a good bill. And I support
it.192

192 Testimony of Jeh Johnson, Secretary of Homeland Security, before the House Committee on Homeland Security,
February 26, 2014.
Congressional Research Service
44

Chemical Facility Security: Issues and Options for the 113th Congress

In addition, several industry organizations have expressed support for H.R. 4007.193 In contrast, a
labor representative asserted that the bill fails to address several weaknesses present in the current
CFATS program.194
H.R. 68
H.R. 68 was referred to the House Committee on Energy and Commerce and the House
Committee on Homeland Security. The act would prohibit the Secretary of Homeland Security
from approving a chemical facility site security plan if the plan did not meet or exceed existing
state or local security requirements. It would allow the Secretary of Homeland Security to
mandate the use of specific security measures in site security plans. The bill would also cause
CVI to be treated as sensitive security information in both general and legal proceedings. Finally,
the act would no longer prohibit third-party individuals from bringing suit in court to require the
Secretary of Homeland Security to enforce chemical facility security regulations against a
chemical facility.
S. 67
S. 67, the Secure Water Facilities Act, was referred to the Senate Committee on Environment and
Public Works. The act would authorize the EPA Administrator to regulate community water
systems and wastewater treatment facilities for security purposes. S. 67 also would authorize
implementation of methods to reduce the consequences of a chemical release from an intentional
act. Among other provisions, the Administrator would be directed to promulgate regulations as
necessary to prohibit the unauthorized disclosure of controlled information. S. 67 would authorize
the Administrator to provide grants or enter into cooperative agreements with states or regulated
entities to assist in regulatory compliance.
S. 68
S. 68, the Secure Chemical Facilities Act, was referred to the Senate Committee on Homeland
Security and Governmental Affairs. The act would codify aspects of the CFATS regulation. It
would require facilities to evaluate whether the facility could reduce the consequences of an
attack by using a safer chemical or process. The act would authorize DHS to require
implementation of those safer measures if a facility has been classified as one of the highest-risk
facilities, implementation of safer measures is feasible, and implementation would not increase

193 Agricultural Retailers Association, American Chemistry Council, American Coatings Association, American Forest
& Paper Association, American Fuel and Petrochemical Manufacturers, American Petroleum Institute, American
Trucking Associations, Association of Oil Pipe Lines, Edison Electric Institute, Global Cold Chain Alliance, Institute
of Makers of Explosives, International Association of Refrigerated Warehouses, International Dairy Foods Association,
International Liquid Terminals Association, International Warehouse Logistics Association, National Agricultural
Aviation Association, National Association of Chemical Distributors, National Association of Manufacturers, National
Mining Association, National Pest Management Association, Petroleum Marketers Association of America, Society of
Chemical Manufacturers & Affiliates, The Fertilizer Institute, and U.S. Chamber of Commerce, Letter to
Representative Michael McCaul, Representative Bennie Thompson, Representative Patrick Meehan, and
Representative Yvette Clarke, February 7, 2014; and Security Industry Association, Letter to Representative Patrick
Meehan, February 23, 2014.
194 Testimony of Anna Fendley, United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial
and Service Workers International Union, before the Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies, House Committee on Homeland Security, February 27, 2014.
Congressional Research Service
45

Chemical Facility Security: Issues and Options for the 113th Congress

risk overall by shifting risk to another location. Among other provisions, S. 68 also would
increase the participation of employees and employee representatives in developing security
plans. S. 68 would alter the current information control regime, aligning it with that for sensitive
security information. Finally, S. 68 would allow third-party individuals to file suit against the
Secretary of Homeland Security or submit a petition to the Secretary to enforce compliance with
statute.
S. 814
S. 814, the Protecting Communities from Chemical Explosions Act of 2013, was referred to the
Senate Committee on Homeland Security and Governmental Affairs. The act would levy a civil
penalty on owners or operators of a facility that does not file Top-Screen information when
possessing a chemical of interest at above the screening threshold quantity. It would also establish
a criminal penalty if a facility owner, a facility operator, or an officer of an entity that owns or
operates a facility intentionally fails to file Top-Screen information when the facility possesses a
chemical of interest at above the screening threshold quantity.

Author Contact Information

Dana A. Shea

Specialist in Science and Technology Policy
dshea@crs.loc.gov, 7-6844

Congressional Research Service
46