Introduction
Recognizing the potential harm that a large, sudden release of hazardous chemicals poses to nearby people, state and federal governments have long regulated safety practices at chemical facilities. Historically, chemical facilities have engaged in security activities on a voluntary basis. Even before the terrorist attacks of 2001, congressional policy makers expressed concern over the security vulnerabilities of these facilities. After the 2001 attacks and the decision by several states to begin regulating security at chemical facilities, Congress again considered requiring federal security regulations to mitigate these risks.
In 2006, the 109th Congress passed legislation providing the Department of Homeland Security (DHS) with statutory authority to regulate chemical facilities for security purposes. Subsequent Congresses have extended this authority, which currently expires on December 13, 2014. Advocacy groups, stakeholders, and policy makers have called for Congress to reauthorize this authority, though they disagree about the preferred approach. The 113th Congress has passed H.R. 4007, which provides new statutory authority through the Homeland Security Act and extends the termination date of this authority for four years.
The explosion on April 17, 2013, at the West Fertilizer Company fertilizer distribution facility in West, TX, has led to additional focus on DHS's ability to identify noncompliant facilities. The West Fertilizer Company had not reported to DHS under the CFATS program, though it appeared to have possessed more than screening threshold quantities of chemicals of interest.1 While DHS had engaged in previous activity to identify facilities that had not complied with CFATS reporting requirements, DHS did not identify the West Fertilizer Company. Congressional policy makers have questioned the sufficiency of DHS efforts to identify these noncompliant "outlier" facilities.2
This report provides a brief overview of the existing statutory authority and implementing regulation. It describes several policy issues raised in previous debates regarding chemical facility security and identifies policy options for congressional consideration. For additional analysis of CFATS implementation, see CRS Report R43346, Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress.
Overview of Statute and Regulation
The 109th Congress provided DHS with statutory authority to regulate chemical facilities for security purposes.3 The statute explicitly identified some DHS authorities and left other aspects to the discretion of the Secretary of Homeland Security. The statute contains a "sunset provision" that causes the statutory authority to expire on December 13, 2014.4 This section reviews the chemical facility security statute and regulation, focusing on the regulatory compliance process.
The 113th Congress has passed H.R. 4007, which will provide new statutory authority through the Homeland Security Act to regulate chemical facilities for security purposes. The regulations issued by DHS under the authority of previous statutory authority may be used to implement the new authority, and DHS may issue additional regulation to implement the new authorities.
On April 9, 2007, DHS issued an interim final rule regarding the chemical facility anti-terrorism standards (CFATS).5 This interim final rule entered into force on June 8, 2007. The interim final rule implements statutory authority explicit in P.L. 109-295, Section 550, and authorities DHS found that Congress implicitly granted. In promulgating the interim final rule, DHS interpreted the language of the statute to determine what DHS asserts was the intent of Congress. Consequently, much of the rule arises from the Secretary's discretion and interpretation of legislative intent rather than explicit statutory language.
Under the interim final rule, the Secretary of Homeland Security determines which chemical facilities must meet regulatory security requirements, based on the degree of risk posed by each facility. The DHS lists 322 "chemicals of interest" for the purposes of compliance with CFATS.6 The DHS considers each chemical in the context of three threats: release; theft or diversion; and sabotage and contamination. Chemical facilities with greater than specified quantities, called screening threshold quantities, of chemicals of interest must submit information to DHS to determine the facility's risk status. See Figure 1. The statute exempts several types of facilities from this requirement: facilities defined as a water system or wastewater treatment works; facilities owned or operated by the Department of Defense or Department of Energy; facilities regulated by the Nuclear Regulatory Commission (NRC); and those facilities regulated under the Maritime Transportation Security Act of 2002 (P.L. 107-295).
Based on the information received from the facility, DHS determines whether a facility is or is not high-risk. Facilities that DHS deems high risk must meet CFATS requirements. The DHS assigns high-risk facilities into one of four tiers based on the magnitude of the facility's risk. Facilities in higher risk tiers must meet more stringent requirements. The statute mandated the use of performance-based security requirements.7 The DHS created graduated performance-based requirements for facilities assigned to each risk-based tier.
All high-risk facilities must perform a security vulnerability assessment, develop an effective site security plan, submit these documents to DHS, and implement their security plan.8 The security vulnerability assessment serves two purposes under the interim final rule. One is to determine or confirm the placement of the facility in a risk-based tier. The other is to provide a baseline against which to evaluate the site security plan activities.
The site security plans must address the security vulnerability assessment by describing how activities in the plan correspond to securing facility vulnerabilities. Additionally, the site security plan must address preparations for and deterrents against specific modes of potential terrorist attack, as applicable and identified by DHS. The site security plans must also describe how the activities taken by the facility meet the risk-based performance standards provided by DHS.
The DHS must review and approve the submitted documents, audit and inspect chemical facilities, and determine regulatory compliance. The DHS may disapprove submitted security vulnerability assessments or site security plans that fail to meet DHS performance-based standards, but not because of the presence or absence of a specific security measure. In the case of disapproval, DHS must identify in writing those areas of the assessment and/or plan that need improvement. Owners or operators of chemical facilities may appeal disapproval of site security plans to DHS.
Similarly, if, after inspecting a chemical facility, DHS finds the facility not in compliance, the Secretary must write to the facility explaining the deficiencies found, provide an opportunity for the facility to consult with DHS, and issue an order to the facility to comply by a specified date. If the facility continues to be out of compliance, DHS may fine and, eventually, order the facility to cease operation. The interim final rule establishes the process by which chemical facilities can appeal such DHS decisions and rulings, but the statute prohibits third-party suits for enforcement purposes.
The statute requires certain protections for information developed in compliance with this act. The interim final rule creates a category of information exempted from disclosure under the Freedom of Information Act (FOIA) and comparable state and local laws. The DHS named this category of information "Chemical-terrorism Vulnerability Information" (CVI). Information generated under the interim final rule, as well as any information developed for chemical facility security purposes identified by the Secretary, comprise this category. Judicial and administrative proceedings shall treat CVI as classified information. The DHS asserts sole discretion regarding who will be eligible to receive CVI. Disclosure of CVI may be punishable by fine.
The interim final rule states it preempts state and local regulation that "conflicts with, hinders, poses an obstacle to, or frustrates the purposes of" the federal regulation.9 States, localities, or affected companies may request a decision from DHS regarding potential conflict between the regulations. Since DHS promulgated the interim final rule, Congress amended P.L. 109-295, Section 550, to state that such preemption will occur only in the case of an "actual conflict."10 The DHS has not issued revised regulations addressing this change in statute.
Implementation
The National Protection and Programs Directorate (NPPD) within DHS is responsible for chemical facility security regulations. In turn, the Office of Infrastructure Protection, through its Infrastructure Security Compliance Division (ISCD), oversees the CFATS program within NPPD.11 This section reviews implementation of the chemical facility security regulations, focusing on funding, the number of regulated facilities, rate of facility inspection, and reviews of DHS implementation efforts.
Staffing and Funding
The availability of staff, infrastructure, and funds is a key factor in implementing the CFATS program. Congress has not authorized specific appropriations for the CFATS program. As seen in Table 1, the staffing and funding for this program generally increased since its creation, but decreased since FY2011. The full-time-equivalent (FTE) staffing peaked in FY2011 at 257 FTE. Appropriations for this program peaked in FY2010 at $103 million.
|
Fiscal Year |
Request |
Appropriation |
Full-time Equivalents |
|
FY2007 |
10 |
22a |
0 |
|
FY2008 |
25 |
50 |
21 |
|
FY2009 |
63 |
78b |
78 |
|
FY2010 |
103c |
103d |
246 |
|
FY2011 |
105 |
96 |
257 |
|
FY2012 |
99 |
93 |
242 |
|
FY2013 |
75 |
72e |
230 |
|
FY2014 |
86 |
81 |
242 |
|
FY2015 |
87 |
263 |
Sources: Department of Homeland Security, congressional justifications FY2007-FY2015; H.Rept. 109-699; P.L. 110-28; the explanatory statement for P.L. 110-161 at Congressional Record, December 17, 2007, p. H16092; the explanatory statement for P.L. 110-329 at Congressional Record, September 24, 2008, pp. H9806-H9807; H.Rept. 111-298; P.L. 111-242, as amended; S.Rept. 112-74; H.Rept. 112-331; P.L. 112-175; P.L. 113-6; Department of Homeland Security, U.S. Department of Homeland Security Fiscal Year 2013 Post-Sequestration Operating Plan; Fiscal Year 2013 Report to Congress, April 26, 2013; P.L. 113-46; H.Rept. 113-91; S.Rept. 113-77; and the joint explanatory statement for P.L. 113-76 at Congressional Record, January 15, 2014, p. H935.
Notes: Congress has not enacted specific authorization of appropriations for chemical facility security. Funding levels rounded to nearest million. A full-time equivalent equals one staff person working a full-time work schedule for one year. The DHS requests funding for chemical facility security through the Infrastructure Security Compliance Project. Beginning in FY2009, DHS designated some of this funding for activities related to regulation of ammonium nitrate.
a. Includes funds provided in supplemental appropriations (P.L. 110-28).
b. Of this amount appropriated for the Infrastructure Security Compliance Project, $5 million were designated for activities related to the development of ammonium nitrate regulations.
c. Of this amount requested for the Infrastructure Security Compliance Project, $14 million were designated for activities related to the development of ammonium nitrate regulations.
d. Of this amount appropriated for the Infrastructure Security Compliance Project, $14 million were designated for activities related to the development of ammonium nitrate regulations. The ISCD reports an additional $4.8 million rescission in FY2010. See House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, The Chemical Facility Anti-Terrorism Standards Program: A Progress Report, Serial No. 112-172, September 11, 2012, p. 123.
e. The appropriation reported here is after reduction due to rescissions and sequestration. Funding as appropriated, prior to rescission and sequestration, was $78 million.
f. According to H.Rept. 113-481 accompanying H.R. 4903, Department of Homeland Security Appropriations Act, 2015, the House Committee on Appropriations would recommend $83 million for the Infrastructure Security Compliance Division. According to S.Rept. 113-198 accompanying S. 2534, Department of Homeland Security Appropriations Act, 2015, the Senate Committee on Appropriations would recommend $87 million for the Infrastructure Security Compliance Division.
When DHS received statutory authority to regulate chemical facilities in 2006, it did not possess a chemical facility security office or inspector cadre. The general increase in FTE over time reflects the creation and staffing of the office and the development of an inspector cadre. In February 2012, DHS testified that it had hired most of the inspector cadre.12 In March 2013, the DHS Inspector General reported that a working group within ISCD requested an additional 64 inspectors for FY2014 and FY2015 to increase the rate of facility inspection. According to the DHS Inspector General, this request was not approved.13
For FY2014, Congress appropriated $81 million for ISCD, an increase in funding from FY2013.14 The joint explanatory statement accompanying FY2014 appropriations also directed DHS to provide reports to Congress on CFATS implementation, coordination of chemical security responsibilities, how ISCD will improve its review process, and how NPPD is avoiding program duplication and is ensuring facility security in its personnel surety efforts. It also requires DHS provide a comprehensive update on efforts to address facilities not reporting under CFATS.
Number of Regulated Facilities
The DHS has received more than 48,000 Top-Screen submissions from over 36,000 chemical facilities (step 4 in Figure 1).15 Of these facilities, DHS required more than 7,800 to submit a security vulnerability assessment to determine whether they were high-risk. From the submitted security vulnerability assessments, DHS currently identifies approximately 3,700 facilities as high-risk. The DHS considers the other facilities as low-risk, and they need meet no further CFATS requirements at this time.16 The DHS assigned each high-risk facility, in some cases preliminarily, to one of four risk tiers (step 7 in Figure 1). Table 2 shows the number of high-risk facilities in each tier, with Tier 1 those facilities of highest risk.
In May 2010, DHS identified an anomaly in one of the risk-assessment tools it used to determine a facility's risk tier. At that time, DHS believed that it had resolved the anomaly. In June 2011, a new acting ISCD Director "rediscovered" this issue, identified its potential effect on facility tiering, brought the issue to the attention of NPPD leadership,17 and notified facilities of their change in risk tier.18 Subsequent review of this risk-assessment tool resulted in DHS reviewing the tier determination of approximately 500 facilities.19 The DHS lowered the number of facilities allocated at that time to the highest-risk tier from 219 to 102, a greater than 50% reduction.20 In some cases, DHS determined that facilities no longer qualified as a high-risk facility and thus were not subject to the CFATS regulations.
|
Risk Tier |
Facilities with |
Facilities Awaiting Final Tier Decision |
Total Facilities |
|
111 |
10 |
121 |
|
|
2 |
334 |
48 |
382 |
|
3 |
933 |
155 |
1,088 |
|
4 |
1,914 |
628 |
2,542 |
|
Total |
3,292 |
841 |
4,133 |
Source: Testimony of Suzanne Spaulding, Under Secretary for National Protection and Programs, and David Wulf, Director, Infrastructure Security Compliance Division, Office of Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security before the Senate Committee on Homeland Security and Governmental Affairs, May 14, 2014.
Notes: The DHS has preliminarily assigned some facilities to a risk tier. Final assignment to a risk tier occurs after final review of submitted security vulnerability assessments. The DHS has released more recent information regarding the total number of facilities (3,669) but has not identified them by risk tier. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, December 2014.
Overall, the total number of chemical facilities assigned a risk tier by DHS has declined since the CFATS program began. The DHS asserts that the observed reduction in regulated chemical facilities indicates that the CFATS program and its statutory authority are increasing security by inducing regulated entities to voluntarily reduce the chemical holdings to levels below the regulatory threshold. Several other factors may have contributed to this decline, including erroneous filing by regulated entities, process changes on the part of regulated entities, and business operations and decisions.
The reported total number of facilities may not fully reflect the actual number of facilities possessing chemicals of interest above screening threshold quantities. Since the CFATS program relies on facilities possessing such chemicals to report their holdings, it is possible that additional facilities exist that have not reported possessing chemicals of interest.21 For example, DHS did not receive any submissions from the West Fertilizer Company.22 Reportedly DHS was not aware of the chemical holdings at the facility prior to its explosion.23
If such facilities did not report their holdings, DHS would not assess whether they were high-risk and thus regulated. A potential mitigating factor might be if other federal agencies that receive information about facility chemical holdings through different regulatory programs shared such information with DHS. Such information sharing might allow DHS to identify facilities that had not reported to it but had reported to other federal agencies.
Facility Inspections and Plan Approval
The DHS originally planned to begin inspections of Tier 1 facilities as soon as 14 months after it issued regulations implementing CFATS (step 11 of Figure 1).24 Several factors have delayed inspections, including the release of additional regulatory requirements in the form of an appendix and the need to build an inspector cadre, establish a regional infrastructure, and assist facilities in complying with the regulation. Chemical inspectors must be able to assess the security measures at a chemical facility using the performance-based criteria developed by DHS. Performance-based security measures are likely more difficult to assess than prescriptive measures and thus inspectors may require greater training and experience. To overcome this challenge, DHS established a Chemical Security Academy, a 10-week training course for inspectors. Such training, while likely improving the quality of inspection, also introduces additional time between the hiring of new inspectors and their deployment in the field.
Since 2007, DHS officials have provided numerous dates for beginning inspections.25 The DHS began inspections of Tier 1 facilities in February 2010.26 At that time, DHS testified that it planned to inspect all Tier 1 facilities by the end of calendar year 2010,27 but by the end of calendar year 2011, DHS had only authorized 10 site security plans (step 10 of Figure 1) and had approved no implementation of any site security plan.28 Since then, DHS has implemented an interim site security plan review process that it asserts is more effective and timely. The DHS has used this interim review process to authorize additional site security plans. As of December 2014, DHS had authorized or conditionally authorized 2,456 site security plans. The DHS also reported that it had successfully inspected and approved the site security plan at 1,366 facilities.29 The DHS has not identified the tier assignment of these facilities. In April 2014, DHS identified the tier assignments of facilities with authorized and approved site security plans. This data showed that DHS has focused on authorizing and approving site security plans for facilities assigned to the higher risk tiers. See Table 3.
|
Tier |
Facilities |
Authorized Site Security Plans |
Approved Site Security Plans |
|||
|
1 |
|
|
|
|||
|
2 |
|
|
|
|||
|
3 |
|
|
|
|||
|
4 |
|
|
|
|||
|
Total |
|
|
|
Source: Testimony of Suzanne Spaulding, Under Secretary for National Protection and Programs, and David Wulf, Director, Infrastructure Security Compliance Division, Office of Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security before the Senate Committee on Homeland Security and Governmental Affairs, May 14, 2014.
Notes: The facilities column includes facilities with preliminary tier assignments. Site security plans include plans submitted under alternative security programs. The DHS no longer regulates some facilities that have authorized or approved site security plans but still accounts for those security plans in its data on authorizations and approvals by tier. The DHS has released more recent information regarding the total number of authorized (2,456) and approved (1,366) site security plans but has not identified them by risk tier. Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, December 2014.
According to DHS, ISCD inspected and approved more facilities than it had expected to in FY2013, but some of these approvals were for facilities in tiers lower than planned.30 In March 2013, DHS testified that it planned to have all Tier 1 facilities approved by October 201331 and all Tier 1 and Tier 2 facilities approved by May 2014.32 The DHS did not meet this milestone and now estimates that, by the end of FY2014, it will have approved over 90% of all Tier 1 and Tier 2 facilities that have authorized site security plans. The DHS notes that regulated facilities may move between tiers, and new regulated facilities may be assigned any tier. As a consequence, DHS asserts it is likely that a small percentage of facilities in each tier will not have approved site security plans at any given time.33
The DHS has identified an additional factor in the delay of the inspection schedule: iteration between DHS and regulated entities regarding their site security plans.34 The DHS has issued at least 66 administrative orders to compel facilities to complete their site security plans.35 In addition, DHS established a pre-authorization inspection process to gain additional information from facilities to fully assess the submitted site security plan and potentially reduce the number of requests for additional information from DHS to regulated facilities. Once DHS completes a pre-authorization inspection at a facility, the facility may amend its site security plan to reflect the results of the pre-authorization inspection. The DHS had performed approximately 180 pre-authorization inspections as of February 2012.36 The DHS has since included this type of inspection in its more general compliance assistance visit program. As of December 2014, DHS had conducted 1,691 compliance assistance visits.37
Program Reviews
The CFATS program has undergone three reviews of its processes and progress. The first was an internal review conducted by program management to identify programmatic challenges. Since that review, both the DHS Office of the Inspector General (OIG) and the Government Accountability Office (GAO) have released reports addressing the CFATS program.
Internal Review of CFATS Program
In December 2010, NPPD initiated a management review of ISCD through the NPPD Office of Compliance and Security. In July 2011, new leadership took charge of ISCD and, at the direction of Under Secretary Beers, began a review of the goals, challenges, and potential corrective actions to improve program performance. In November 2011, ISCD leadership presented Under Secretary Beers with a report containing the results of both reviews. According to DHS, the report was intended as a candid, internal assessment that focused predominantly on the challenges faced by ISCD rather than on the program's successes and opportunities.38
At the time of the report, DHS had received approximately 4,200 site security plans but had not approved any. The review report identified several factors that contributed to the absence of approvals. These factors included the inability to perform compliance inspections and the lack of an established records management system to document key decisions.39 Other difficulties facing ISCD reportedly included human resource issues, such as having employees with insufficient qualifications and work training, erroneous impressions of inspector roles and responsibilities, and the use of contractors to perform inherently governmental work.40 Additional reported challenges included difficulty in quickly altering workplace requirements, resolving personnel security requirements, detailing site security compliance inspections, managing workplace behavior and perceptions, and dealing with a unionized workforce. Additionally, ISCD lacked a system for tracking the usage of consumable supplies, potentially allowing for waste, fraud, and abuse; faced challenges in hiring new qualified individuals; and suffered from a lack of morale.
The report identified three top priorities to address the challenges addressing ISCD:
- clearing the backlog of site security plans;
- developing a chemical inspection process; and
- addressing ISCD statutory responsibilities for regulating ammonium nitrate and managing personnel surety as part of the CFATS program.41
The ISCD developed an action plan with discrete action items to address identified challenges. In addition to the action plan, NPPD requested ISCD leadership to provide milestones and a schedule for completion of the action plan tasks. The ISCD implemented this plan with the oversight of NPPD leadership.42 According to GAO, ISCD developed at least eight sequential versions of the action plan, updating each additional version, and in some cases adding additional detail, milestones, or timelines.43
As of July 2013, DHS had completed 90 of the 95 action items included in the action plan.44 Completed action items include updated internal policy and guidance materials for inspections, a monthly ISCD newsletter, increased staff engagement and dialogue, and additional supervisory training and guidance.
The GAO reviewed the DHS action plan and stated that "ISCD appears to be heading in the right direction, but it is too early to tell if individual items are having their desired effect because ISCD is in the early stages of implementing corrective actions and has not established performance measures to assess results."45 The GAO provided several caveats to its assessment, including that it did not have available documentary evidence about the causes of the issues identified in the ISCD memorandum. For example, GAO stated, "Program officials did not maintain records of key decisions and the basis for those decisions during the early years of the program."46
Office of the Inspector General Review
In March 2013, the DHS OIG released a report on its review of the CFATS program through the end of FY2012.47 The DHS OIG review addressed whether:
- management controls were in place and operational to ensure that CFATS is not mismanaged;
- NPPD and ISCD leadership misrepresented program progress; and
- nonconforming opinions of program personnel were suppressed or met with retaliation.
The DHS OIG report was critical of the prior performance of the CFATS program, stating:
Program progress has been slowed by inadequate tools, poorly executed processes, and insufficient feedback on facility submissions. In addition, program oversight had been limited, and confusing terminology and absence of appropriate metrics led to misunderstandings of program progress. The Infrastructure Security Compliance Division still struggles with a reliance on contractors and the inability to provide employees with appropriate training. Overall efforts to implement the program have resulted in systematic noncompliance with sound Federal Government internal controls and fiscal stewardship, and employees perceive that their opinions have been suppressed or met with retaliation. Although we were unable to substantiate any claims of retaliation or suppression of nonconforming opinions, the Infrastructure Security Compliance Division work environment and culture cultivates this perception. Despite the Infrastructure Security Compliance Division's challenges, the regulated community views the Chemical Facility Anti-Terrorism Standards Program as necessary in establishing a level playing field across a diverse industry.48
The DHS OIG issued 24 recommendations to assist ISCD to correct identified program deficiencies and attain intended program results and outcomes. The ISCD concurred fully or partially with 20 recommendations and did not concur with 4 recommendations. The DHS OIG recommendations included improving internal processes to achieve a more timely response to information submissions and requests from regulated entities; defining, developing, and implementing improved processes and procedures for inspections; refining and improving the existing CFATS tiering methodology and tiering process; and reducing reliance on contractors and improving managerial oversight within ISCD.
In response to these recommendations, ISCD provided the DHS OIG with a corrective action plan. As of February 2014, ISCD has addressed 12 of the DHS OIG recommendations. Nine recommendations were administrative and include selecting permanent ISCD leadership; reducing reliance on contract personnel; developing policy for appointing acting management; ensuring that all employees serving in an acting supervisory capacity have a supervisory position description; ensuring that all employees receive performance reviews; disseminating ISCD organizational and reporting structure to staff; reiterating to all employees the process for reporting misconduct allegations; implementing a plan to ensure the long‐term authorization of the CFATS Program; and establishing internal controls for the accountability of appropriated funds. Three recommendations were programmatic and pertained to: revising the long‐term review process to reduce the Site Security Plan backlog; implementing a process to improve the timeliness of facility submission determinations; and program metrics that measure CFATS program value accurately and demonstrate the extent to which risk has been reduced at regulated facilities.49
The ISCD is still addressing 12 DHS OIG recommendations. Ten recommendations are programmatic and include improving CFATS Program tools and processes; engaging regulated industry and government partners; and finalizing program requirements. The two administrative recommendations include providing training and guidance; and eliminating inappropriate Administratively Uncontrollable Overtime pay.50
Government Accountability Office Review
In April 2013, GAO issued a report on the CFATS program.51 The GAO assessed how DHS assigned chemical facilities to tiers and the extent to which it did so, how DHS revised its process to review facility security plans, and whether DHS communicated and worked with owners and operators to improve security. The GAO found that the approach DHS used to assess risk and make decisions to place facilities in final tiers does not consider all of the elements of consequence, threat, and vulnerability. For example, the risk assessment approach is based primarily on consequences arising from human casualties, but does not consider economic consequences. The GAO review of the risk assessment approach revealed that ISCD was inconsistent in how it assessed threat. According to GAO, ISCD considered threat for the 10% of facilities tiered because of the risk of release or sabotage, but not for the approximately 90% of facilities that are tiered because of the risk of theft or diversion. Also, GAO identified that when it did use threat data, the data was not current. In addition, GAO found that DHS had not been tracking data on reviews of site security plans and thus could not quantify improvements to that process. The GAO estimated that it could take another seven to nine years before DHS completed reviews on submitted site security plans. Input GAO solicited from 11 trade associations also indicated that DHS does not obtain systematic feedback on outreach activities. The GAO recommended that DHS:
- develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD's risk assessment approach and
- conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach that fully validates and verifies ISCD's risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.
The ISCD has taken steps to address the GAO recommendations. For example, ISCD engaged the Homeland Security Studies and Analysis Institute to coordinate an examination of the CFATS risk assessment model. According to GAO, HSSAI recommended that ISCD revise the current risk-tiering model and create a standing advisory committee—with membership drawn from government, expert communities, and stakeholder groups—to advise DHS on significant changes to the methodology. In addition, ISCD plans to modify the risk assessment approach to better include all elements of risk.52
Executive Order 13650
On August 1, 2013, President Obama signed an executive order on improving chemical facility safety and security.53 The executive order directs multiple federal agencies, including DHS, to take certain actions in the areas of chemical facility safety and security. It also establishes a Chemical Facility Safety and Security Working Group co-led by DHS, EPA, and the Department of Labor.
Among other topics, it contains several provisions related to information sharing and coordination in the CFATS program. The executive order directs the working group to develop a plan that will, among other goals, identify ways to improve coordination among the federal government, first responders, and state, local, and tribal entities.54 It specifically directs the Secretary of Homeland Security to assess the feasibility of sharing CFATS data with State Emergency Response Commissions (SERCs), Tribal Emergency Planning Committees (TEPCs), and Local Emergency Planning Committees (LEPCs).55
The executive order directs the working group to analyze the potential to improve information collection by and sharing between agencies to help identify chemical facilities which may not have provided all required information or may be noncompliant with federal requirements to ensure chemical facility safety.56 It also directs the working group to produce a proposal for a coordinated, flexible data-sharing process that can be used to track submitted data. The proposal is to allow for the sharing of information with and by state, local, and tribal entities.57 The executive order also directs the working group to convene an array of stakeholders to identify and share successes to date and best practices to reduce safety and security risks. The executive order specifically includes consideration of "the use of safer alternatives."58
The executive order directs the working group to deploy a pilot program to validate best practices and test innovative methods for federal interagency collaboration regarding chemical facility safety and security.59 The pilot program, which DHS has implemented, is to include innovative and effective methods of collecting, storing, and using facility information, stakeholder outreach, inspection planning, and, as appropriate, joint inspection efforts. The results of this pilot program are to inform comprehensive and integrated standard operating procedures for a unified federal approach for identifying and responding to risks in chemical facilities, incident reporting and response procedures, enforcement, and collection, storage, and use of facility information. These best practices are to reflect best practices and are to include agency-to-agency referrals and joint inspection procedures where possible and appropriate.60
Additionally, the executive order directs the Secretary of Homeland Security to identify a list of chemicals that should be considered for addition to the CFATS chemical of interest list.61 Expanding the list of chemicals of interest, while not changing the mechanism by which DHS defines a chemical facility, would likely lead to additional facilities regulated under CFATS.
In May 2014, the working group issued a report to the President on progress to date.62 The report includes descriptions of various efforts to modify the CFATS program in order to improve its performance individually and in conjunction with other programs. These efforts include improved information sharing among federal agencies regarding regulated facilities with chemical holdings; outreach to state homeland security advisors, first responders, and other state and local agencies; comparison of federal chemical facility information with that held by states; and continued coordination and harmonization activities among chemical facility security regulatory programs.
The report also described a planned CFATS Advance Notice of Proposed Rulemaking (ANPRM) on potential modification of the CFATS regulations to address ammonium nitrate as a chemical of interest, updates to the list of chemicals of interest, and other aspects of the program. On May 30, 2014, the Office of Management and Budget indicated its Office of Information and Regulatory Affairs had received the proposed ANPRM language from DHS.63
Finally, the report identifies three specific areas where the working group calls for congressional action with regard to CFATS. These are:
- providing permanent authorization for the CFATS program;
- streamlining the CFATS enforcement process; and
- removing the water and wastewater treatment facilities exemption from CFATS.64
Policy Issues
Previous congressional discussion on chemical facility security raised several contentious policy issues.65 Some issues will exist even if Congress extends the existing statutory authority without changes. These include whether DHS has sufficient funding and capabilities to adequately oversee chemical facility security; whether federal chemical facility security regulations should preempt state regulations; and how much chemical security information individuals may share outside of the facility and the federal government. Other issues, such as what facilities DHS should regulate as a chemical facility and whether DHS should require chemical facilities to adopt or consider adopting inherently safer technologies, may be more likely addressed if Congress chooses to revise or expand existing authority.
Funding and Infrastructure and Workforce Capabilities
The 2007 CFATS regulations establish an oversight structure that relies on DHS personnel inspecting chemical facilities and ascertaining whether regulated entities have implemented their authorized site security plans. Although the use of performance-based measures, where chemical facilities have flexibility in how to achieve the required security performance, may reduce some demands on the regulated entities, it may also require greater training and judgment on the part of DHS inspectors. Congressional oversight has raised the question of whether DHS has requested and received appropriated funds sufficient to hire and retain the staff necessary to perform the required compliance inspections and whether DHS has properly managed the appropriated funds received.66
The DHS has faced challenges when creating the necessary infrastructure to perform nationwide inspections. As stated by DHS, initial expectations for inspector responsibilities and infrastructure needs did not match the final needs.
For example, at the program's outset, certain roles and responsibilities were envisioned for the program staff that, in the end, did not apply. This resulted in the hiring of some employees whose skills did not match their ultimate job responsibilities and the purchase of some equipment that in hindsight appear to be unnecessary for chemical inspectors. Additionally, we envisioned a greater number of field offices than we eventually decided to employ.67
The degree to which funding meets agency infrastructural needs likely depends on factors both external and internal to DHS. External factors include the number of regulated facilities and the sufficiency of security plan implementation. Challenges experienced by DHS in overseeing facility site security plan implementation will likely increase the workforce necessary to meet the planned inspection cycle. In contrast, reduction in the number of regulated facilities will likely decrease the number of needed inspectors. Internal factors include the ratio between headquarters staff and field inspectors; the assigned risk tiers of the regulated facilities; and the timetable for implementation of inspections. Once DHS has more fully engaged in inspection of regulated facilities, it may be able to more comprehensively determine its long-term resource needs and estimate both funding and staff requirements. A key factor for achieving program efficacy and efficiency may be the success in training inspectors to perform CFATS inspections, given the reported difficulties in developing inspector training combined with the requirements of a new regulatory program.
Inspection Rate
As of December 2014, 1,366 chemical facilities had been approved in the CFATS process, which starts with information submission by chemical facilities and finishes with approval of inspected security measures by DHS.68 The DHS states that the first authorization inspection was conducted in 2010; as of December 2014, DHS had conducted 1,851 authorization inspections.69 In 2013, GAO projected that DHS may require between seven and nine years to complete review of site security plans and that to inspect and approve all regulated facilities will require additional time.70 This estimate is premised on an approval rate of 30 to 40 facilities per month. As DHS has increased its rate of inspection and approval, it is likely that it will take DHS less time to approve all regulated facilities. Some policy makers have expressed surprise at the pace of inspection and questioned whether DHS should continue at the current pace or accelerate the compliance process.71 Several factors likely complicate and slow the inspection process. One factor appears to be the internal operations of the DHS implementing office and the skills and capabilities of the ISCD inspector cadre. Another factor appears to be that the information facilities submit in site security plans may not provide what DHS views as sufficient detail to evaluate compliance.72 Rather than reject such site security plans, DHS attempts to gather iteratively the necessary information from the facilities, including through compliance assistance visits.
Compliance assistance visits may lead to higher quality site security plan submissions, even though the visits appear to be a significant drain on DHS resources. In principle, such visits may lower the future authorization inspection burden, as CFATS inspectors will be familiar with security measures at the chemical facility. Such familiarity may hasten the actual authorization inspection.
The DHS has also suggested that higher risk-tier facilities benefit more from these types of assistance visits due to the complexity of the facility, the potential presence of multiple chemicals of interest, and the more stringent risk-based performance standards that apply. Lower risk-tier facilities may not need such visits because these facilities may be less complex and inspectors may develop best practices through the compliance assistance visits of higher-tiered facilities. However, the converse might be true instead. Smaller facilities with less security experience may benefit more from such visits.
Some policy makers have questioned whether the low inspection rate is due to constraints in the number of chemical facility security inspectors hired by DHS or the availability of appropriated funding. The CFATS regulations state that DHS will inspect the implementation of site security plans at all facilities and require that facilities resubmit their Top-Screen and, if so directed by DHS, their security vulnerability assessment and site security plan every two years for Tier 1 and Tier 2 facilities or three years for Tier 3 and Tier 4 facilities.73 This would require DHS to perform over 1,400 inspections annually to inspect every facility's implementation of its site security plan. The DHS has asserted that each inspection would require two or more inspectors and approximately one week to perform.74
The DHS appears to have requested sufficient inspectors to manage the workload associated with a reinspection cycle of every two years for top tier facilities and every three years for lower tier facilities, but such a staffing level may be insufficient to address the large number of initial regulatory submissions or a more frequent reinspection cycle or the use of inspectors to perform compliance assistance visits.75 This level of staffing would appear to require at least several years of inspections to reduce the backlog created from the initial site security plan submissions, even if DHS performed only authorization inspections. A June 2012 DHS analysis estimated that DHS might perform 813 inspections annually.76 At this rate, DHS would require approximately five years to complete the initial inspections.77 If DHS were to hire additional inspectors, it might reduce the backlog of site security plans but also run the risk of having additional unnecessary staff in future years. The DHS might hire temporary or short-term staff to augment the inspector cadre, but the need to train such employees for CFATS-specific inspections may pose challenges.
Finally, because DHS has focused on inspecting those facilities in the highest risk tier, it potentially faces the most complicated inspection environments. Inspections of lower risk tier facilities may pose fewer complications, take less time, and involve fewer inspectors. If so, DHS might quickly and substantially increase the number of facilities inspected by focusing efforts on lower tier facilities. Through this approach, DHS might gain insight and experience among the inspector cadre while reducing some national risk.78
Federal Preemption of State Activities
The original statute did not expressly address the issue of federal preemption of state and local chemical facility security statute or regulation. When DHS issued regulations establishing the CFATS program, DHS asserted that the CFATS regulations would preempt state and local chemical facility security statute or regulation that "conflicts with, hinders, poses an obstacle to or frustrates the purposes of" the federal regulation.79 After the regulation's release, Congress amended DHS's statutory authority to state that only in the case of an "actual conflict" would the federal regulation preempt state authority.80 Few states have established independent chemical facility security regulatory programs, and conflict between the federal and state activities has not yet occurred.81 The DHS did not identify any state programs that conflict with the CFATS regulations.82 The DHS has also not altered its regulatory language in response to the statutory amendment.
Advocates for federal preemption call for a uniform security framework across the nation. They assert that a "patchwork" of regulations might develop if states independently develop additional chemical facility security regulations.83 Variation in security requirements might lead to differing regulatory compliance costs, and companies might suffer competitive disadvantage based on their geographic location.
Supporters of a state's right to regulate chemical facility security claim that the federal regulation should be a minimum standard with which all regulated entities must comply. They assert that DHS should allow states to develop more stringent regulations than the federal regulations. They claim such regulations would increase security. Some supporters of state regulation suggest that more stringent, conflicting state regulations should preempt the federal regulations. Such a case might occur if a state regulation mandated the use of a particular security approach at chemical facilities, conflicting with the federal regulation that adopts a performance-based, rather than prescriptive, approach. The desire to retain industries that might relocate if faced with increased regulation arguably would temper state inclinations to require overly stringent or incompatible regulations.
Some policy makers may assert that chemical facility security should be left to the states rather than be implemented by the federal government. If Congress allows the statutory authority to expire and does not appropriate funds for the further implementation of CFATS, the federal authority would lapse, and state and local jurisdictions would be solely responsible for regulating chemical facility security.
Transparency
The CFATS process involves determining chemical facility vulnerabilities and developing security plans to address them. Information developed in this process is not openly disseminated. The CFATS program categorizes this information as Chemical-terrorism Vulnerability Information (CVI) and provides penalties for its disclosure. Some advocates have argued for greater transparency in the CFATS process, even if the program does not provide detailed information regarding potential vulnerabilities and specific security measures. They assert that those individuals living in surrounding communities require such information to effectively plan and make choices in an emergency.84
The current statute and regulation prohibit public disclosure of CVI. Only specific "covered persons" may access CVI. While acknowledging a legitimate homeland security need to limit dissemination of security information, some policy makers have questioned whether such limitations hinder other efforts. For example, first responders and community representatives have highlighted how such information protection regimes may impede emergency response and the ability of those in the surrounding community to react to emergency situations at the chemical facility.85 Additionally, worker representatives have raised concerns that these limitations and the lack of mandated inclusion of worker representatives may impede worker input into security plans.86
The current information protection regimes for chemical facility security information, CVI under CFATS and Sensitive Security Information (SSI) under the Maritime Transportation Security Act (MTSA), do not contain penalties for incorrectly marking information as protected. Only disclosure of correctly marked information is penalized. Additionally, the chemical facility is responsible for identifying and appropriately marking protected information. These information markings only would be assessed in the case of dispute. As was asserted during congressional oversight, this disparity may lead to a tendency by regulated entities, in order to protect themselves against potential liability or scrutiny, to erroneously limit dissemination of information that should be made available to the public.87
Additionally, the existing statute contains no provisions explicitly protecting or allowing for concerned covered persons to divulge CVI or to challenge the categorization of information as protected in an attempt to inform authorities about security vulnerabilities or other weaknesses. Depending on the circumstances, those individuals might be penalized for their disclosure of protected information. The CFATS regulations, reflecting this inherent tension, provide for a DHS point of contact to which such information might be revealed, but also state "Section 550 did not give DHS authority to provide whistleblower protection, and so DHS has not incorporated specific whistleblower protections into this regulation."88
Definition of Chemical Facility
The DHS regulates an assortment of entities that possess and manufacture chemicals of interest. Thus, the term chemical facility encompasses many types of facilities, including agricultural facilities, universities, and others.89 With DHS defining chemical facilities according to possession of a chemical of interest, it regulates facilities not part of the chemical manufacturing and distributing chain. Stakeholders have expressed concern that the number of entities so regulated might be unwieldy and that the regulatory program might focus on many chemical facilities that pose little risk rather than on those facilities that pose more substantial risk. For example, during the rulemaking process, DHS received commentary and revised its regulatory threshold for possession of propane, stating:
DHS, however, set the [screening threshold quantities] for propane in this final rule at 60,000 pounds. Sixty thousand pounds is the estimated maximum amount of propane that non-industrial propane customers, such as restaurants and farmers, typically use. The Department believes that non-industrial users, especially those in rural areas, do not have the potential to create a significant risk to human life or health as would industrial users. The Department has elected, at this time, to focus efforts on large commercial propane establishments but may, after providing the public with an opportunity for notice and comment, extend its [CFATS] screening efforts to smaller facilities in the future. This higher [screening threshold quantity] will focus DHS's security screening effort on industrial and major consumers, regional suppliers, bulk retail, and storage sites and away from non-industrial propane customers.90
In 2007, when developing its interim final rule, DHS estimated the expected number of regulated facilities and identified them by primary risk category: release due to loss of containment or potential for theft and diversion.91 In 2012, DHS analyzed the number of facilities with final tier assignments and identified their primary risk category. As seen in Table 4, initial expectations of the distribution of facilities by primary risk did not match the risk types of the actual regulated facilities.92
|
Risk Type |
2007 Estimate |
2012 Actual |
|
Release |
62% |
13% |
|
Theft/Diversion |
38% |
87% |
Source: CRS analysis of data in Department of Homeland Security, Chemical Facility Anti-Terrorism Standards Interim Final Rule Regulatory Assessment, DHS-2006-0073, April 1, 2007; and 79 Federal Register 6418-6452 (February 3, 2014) at 6438.
Notes: The 2007 estimate is based on 5,000 facilities (3,117 release facilities: 1,883 theft/diversion facilities). The 2012 analysis of facilities actually reporting is based on 3,566 facilities (455 release facilities: 3,111 theft/diversion facilities).
Academic institutions have asserted that DHS should not apply CFATS regulations to them because of the dispersed nature of chemical holdings at colleges and universities. These institutions claim that regulatory compliance costs would not be commensurate with the risk reduction.93 The DHS has identified that a college or university with a high-risk facility on campus might choose to implement security measures at the specific location rather than across the entire campus.94 The DHS has already implemented select regulatory extensions for agricultural chemical users, though not distributors.95 While the regulatory compliance costs likely decrease at lower risk tiers compared to higher risk tiers, all regulated entities bear compliance costs as continued annual expenses.
As mentioned above, the statutory authority underlying CFATS exempts several types of facilities, including water and wastewater treatment facilities. The federal government does not regulate water and wastewater treatment facilities for chemical security purposes. Instead, current chemical security efforts at water and wastewater treatment facilities are voluntary in nature.96 Some advocacy groups have called for inclusion of currently exempt facilities, such as water and wastewater treatment facilities.97 Some drinking water and wastewater treatment facilities possess amounts of chemicals of interest and would lead to regulation if located at a different type of facility.98 Advocates for their inclusion in security regulations cite the presence of such potentially hazardous chemicals and their relative proximity to population centers as reasons to mandate security measures for such facilities. In contrast, representatives of the water sector point to the critical role that water and wastewater treatment facilities have in daily life. They caution against including these facilities in the existing regulatory framework because of the potential for undue public impacts. They cite, for example, loss of basic fire protection and sanitation services if the federal government were to order a water or wastewater utility to cease operations for security reasons or failure to comply with regulation.99
If Congress were to remove the drinking water and wastewater treatment facility exemption, the number of regulated facilities might substantially increase, placing additional burdens on the CFATS program. The United States contains approximately 52,000 community water systems and 16,500 wastewater treatment facilities.100 These facilities vary substantially in size and service. The number of regulated facilities would depend on the criteria used to determine inclusion, such as chemical possession or number of individuals served. It is likely that only a subset of these facilities would meet a regulatory threshold.101 In 2011, a DHS official testified that approximately 6,000 such facilities would likely meet the CFATS threshold.102
Identification of Non-Responsive Facilities
Although facilities with greater than screening threshold quantities of chemicals of interest must submit information to DHS under the Top-Screen process, an unknown number of facilities do not provide such information. One limited survey of community hospitals reported that 56% of respondents were aware of CFATS reporting requirements.103 Another example appears to be the West Fertilizer Company, which reported more than a threshold amount of chemical of interest to the EPA under the Risk Management Plan (RMP) program but did not file with DHS under CFATS. The DHS refers to these non-compliant facilities as "outliers." Congressional policy makers have raised the concern that many facilities may still not have properly reported to DHS.104
The number of facilities not complying with CFATS reporting requirements is unknown. If DHS lacks information about a facility's chemical holdings, it is unlikely to be able to identify it as an outlier. As noted above, DHS has regulatory authority to direct specific facilities to comply with CFATS, but DHS might not issue such orders without information indicating that a facility is out of compliance.
In 2009, DHS listed some identification mechanisms in use at that time. These mechanisms included receiving information from the public through the DHS CFATS Tip Line;105 cross-referencing with information from other federal regulatory programs, such as the Environmental Protection Agency's (EPA's) Risk Management Planning (RMP) program (see text box below);106 and a pilot program with the state of New York and the state of New Jersey to identify non-responsive facilities in those states.107 Since then, DHS has also created the CFATS Share tool through which state Homeland Security Advisors, appropriate DHS components, and other stakeholders have access to data on the CFATS-regulated facilities within their jurisdictions. In addition, DHS participates "in engagements with various State Homeland Security Advisors (HSA) and other state and local security partners. The Department also has participated in numerous meetings with Local Emergency Planning Committees, Area Maritime Security Committees, Sector Coordinating Councils, and Fusion Centers."108 The DHS terminated some of these activities but continues others.
Integration of this information with the CFATS program may pose challenges due to different data formats, resource availability, and limited utility. The DHS has requested $3 million in funding for FY2015 to develop an automated process to collect and analyze data provided by other federal, state, and local partners. As part of this process, DHS plans to compare information from EPA Risk Management Program and the Superfund Amendments and Reauthorization Act Title III data from all 50 states annually to identify potentially non-compliant facilities.109
|
Comparing federally held information on regulated facilities may be effective in identifying outliers. In order to identify such facilities, DHS has reengaged with EPA regarding RMP data and has identified some outlier facilities.110 According to the EPA Office of Inspector General, 12,774 facilities reported to EPA under the RMP program.111 According to DHS, Oak Ridge National Laboratory (ORNL) identified approximately 3,724 facilities reporting to the EPA that they possessed more than a threshold quantity of a chemical of interest.112 The DHS identified 3,362 of these facilities as potential outliers. These facilities, in addition to 106 facilities identified by DHS through consultation with the Texas State Chemist, were sent letters regarding their potential responsibilities under CFATS. The DHS has received a response from 2,946 facilities, approximately 1,500 of which indicated they had previously filed a Top-Screen. Of the remaining facilities 857 have submitted or intend to submit a Top-Screen. The DHS has not received a response from 522 facilities.113 The DHS is in the process of verifying the information submitted by the facilities and determining why facilities have not yet replied to the DHS letter. The fact that approximately 40% of the facilities had previously submitted a Top-Screen is, according to DHS, demonstrative of the difficulties in comparing data across multiple regulatory programs.114 In addition, DHS asserts that, based on prior data, it identifies only a small fraction of facilities filing a Top-Screen as high risk. |
Inherently Safer Technologies
Previous debate on chemical facility security has included whether to mandate the adoption or consideration of changes in chemical processes to reduce the potential consequences following a successful attack on a chemical facility. Suggestions for such changes have included reducing the amount of chemical stored onsite and changing the chemicals used. In previous congressional debate, these approaches have been referred to as inherently safer technologies or methods to reduce the consequences of a terrorist attack.
A fundamental challenge for inherently safer technologies is how to compare one technology with its potential replacement. It is challenging to unequivocally state that one technology is inherently safer than the other without adequate metrics. Risk factors may exist outside of the comparison framework.115 Some experts have asserted that the metrics for comparing industrial processes are not yet fully established and need additional research and study.116 A committee of the National Research Council of the National Academies has recommended that DHS support research and development to foster cost-effective, inherently safer chemistries and chemical processes.117 The National Academies has identified as a potential concern that inherently safer process analyses may become narrowly focused and its outcomes inappropriately weighted.118 A facility might consider many additional factors beyond homeland security implications when weighing the applicability and benefit of switching from one process to another. These factors include cost, technical challenges regarding implementation in specific situations, supply chain impacts, quality and availability of end products, and indirect effects on workers.119
Supporters of adopting these approaches as a way to improve chemical facility security argue that reducing or removing these chemicals from a facility will reduce the incentive to attack the facility. They suggest that reducing the consequences of a release also lowers the threat from terrorist attack and mitigates the risk to the surrounding populace. They point to facilities that have voluntarily changed amounts of chemicals on hand or chemical processes in use as examples that facilities can implement such an approach in a cost-effective, practical fashion.120
Opponents of mandating what proponents call inherently safer technologies question the validity of the approach as a security tool and the government's ability to effectively oversee its implementation. Industrial entities assert that process safety engineers within the regulated industry already employ such approaches and that these are safety, not security, methods. They assert that process safety experts and business executives should determine the applicability and financial practicality of changing existing processes at specific chemical facilities.121 A 2011 industry survey stated that, of those respondents that assessed using alternative chemicals or processes, 66.4% determined such alternatives were not technically feasible.122 Opponents of an inherently safer technology mandate also question whether the federal government contains the required technical expertise to adjudicate the practicality and benefit of alternative technological approaches.123A third opposing view states concern that few existing alternative approaches are well understood with regard to their unanticipated side effects. They claim that researchers should continue to study these alternative approaches rather than immediately apply them, since unanticipated side effects could injure business and other interests.124
The DHS has engaged in research and development activities within its Science and Technology (S&T) Directorate to develop a better understanding of inherently safer technology, including efforts to define inherently safer technology.125 The NPPD has not adopted the results from these research and development efforts within its regulatory context. Congress has directed DHS to detail and report to Congress the Department's definition of inherently safer technology as it relates to chemical facilities under the purview of CFATS.126
Some industry representatives have asserted that an inherently safer technology mandate might have a potentially significant negative financial impact.127 Regulated entities incur a cost when meeting existing CFATS requirements, and small businesses may be challenged to make additional necessary capital investments. In its interim final rule, DHS estimated that even without an inherently safer technology requirement CFATS "may have a significant economic impact on a substantial number of small entities."128 Because of the performance-based nature of the regulatory requirement, it is difficult to detail the exact impact on small businesses.129 Adding an inherently safer technology requirement might increase the cost of CFATS compliance and might disproportionately affect small entities not already incorporating such activities in their business processes. Policy makers in previous Congresses highlighted the issue of small business impact, especially in the context of requiring additional measures that might hurt productivity.
Personnel Surety
A recurring issue in chemical facility security is ensuring that individuals with known terrorist affiliations do not gain access to high-risk facilities. The CFATS program addresses this concern by establishing a personnel surety risk-based performance standard in regulation. This performance standard requires facilities to conduct background checks on employees and unescorted visitors and provide identifying information to DHS for use in screening employees against the Terrorist Screening Database (TSDB).130
The DHS has not fully established the process by which CFATS-regulated facilities can meet this standard.131 The DHS issued a series of information collection requests from 2009 to 2011 that described how DHS would gather and use information on employees at CFATS-regulated facilities and requested public comment.132 Stakeholders and policy makers raised concerns that the DHS approach seemed to duplicate existing requirements underpinning the Transportation Worker Identification Credential (TWIC). In addition, DHS did not plan to accept existing TWIC cards as meeting the CFATS screening requirement. In July 2012, DHS withdrew this proposed personnel surety program from Office of Management and Budget review.
The DHS asserts that its position on how to comply with the personnel surety standard has "evolved" in response to industry-provided information.133 The DHS engaged in industry outreach activities through conference calls with industry associations and meetings with Chemical Sector Coordinating Council leadership and members.134
In March 2013 and February 2014, DHS released notices of a new information collection request for compliance with the CFATS personnel surety program.135 The proposed personnel surety program contains provisions similar to those in the earlier information collection requests. The DHS proposes that regulated entities would provide certain identifying information to DHS before giving individuals access to restricted areas within a chemical facility. The DHS would use that information to screen employees and unescorted visitors against the TSDB. As with the prior personnel surety proposals, DHS would still require facilities to provide identifying information even for employees or visitors who have a TWIC card or another credential that is issued only following screening against the TSDB. The DHS asserts the purpose of this requirement is to allow DHS to verify that the credential is still valid, not to perform an additional background check. The DHS would alternatively allow facilities to use approved electronic reader devices to verify the validity of TWIC cards, but not other credentials. While DHS plans eventually to require implementation of the personnel surety program at facilities in each risk tier, it would limit the initial program to only Tier 1 and Tier 2 facilities.
The DHS has indicated that this new information collection request clarifies that DHS will implement the personnel surety program in phases; that DHS will accept third-party submission of information on behalf of regulated entities; that facilities will not need to submit information each time an affected individual seeks access; and that entities with multiple regulated facilities may submit information on a company-wide basis, rather than separately for each facility. Additionally, the DHS requests comment on mechanisms to use electronic verification and validation of TWIC cards rather than requiring submission of information to DHS.136
The extent to which this new information collection request addresses industry concerns is not yet resolved. Industry stakeholders, in comments on the information collection requests, highlight the importance of recognizing other credentials, question whether the information regarding visitors could be obtained in the requisite time, and suggest that the number of individuals who would require screening may be larger than DHS estimates.
Policy Options
The existing statutory authority for CFATS expires on December 13, 2014. The 113th Congress has passed H.R. 4007, which authorizes DHS to regulate chemical facilities for security purposes through the Homeland Security Act. This bill will repeal the existing statutory authority on the effective date of the act (30 days after enactment). Many of the existing authorities are present in H.R. 4007, but it also provides DHS with new authorities, such as the ability for certain covered chemical facilities to self-certify the sufficiency of their security plans. The DHS may use the existing regulations and issue new regulations as necessary to implement the new authority.
The 113th Congress may address chemical facility security through several options. Congress may continue its oversight of DHS's efforts to implement this program. Congress might also take legislative action to extend further the existing statutory authority by revising or repealing its sunset provision; codifying the existing regulations; amending the existing statutory authority; addressing existing programmatic activities; or restricting or expanding the scope of chemical facility security regulation.
If Congress does not act and allows the statutory authority to expire, regulated entities may question the application and enforcement of the CFATS regulations. In the case where Congress allows the statutory authority to expire, but Congress appropriates funds for enforcing the CFATS program, DHS will likely be able to enforce the CFATS regulations. The GAO has found that in the case where a program's statutory authority expires, but Congress explicitly appropriates funding for it, the program may continue to operate without interruption.137 If Congress allows the statutory authority to expire and also does not appropriate funding for implementing the CFATS program, the CFATS regulations will likely also lapse. In this case, the states would likely become the primary source of any chemical facility security regulation.
Continue Congressional Oversight
Under one possible policy option, interested Members of Congress or congressional committees might continue their oversight of the CFATS program. Historically, much of the congressional debate has considered legislative options to reauthorize the existing statute or authorize the CFATS program through a different statutory vehicle. Congressional committees have accepted the assurances of DHS officials regarding CFATS activities even as DHS failed to meet its self-established deadlines. The program's critical self-assessment and DHS's lack of identifying the West Fertilizer Company as a CFATS-regulated facility may lead congressional oversight to increase focus on program performance, use of appropriations, and internal oversight. Congressional oversight of the program's implementation, enforcement, and efficacy may play a key role in determining the sufficiency of the existing authority and regulations.
Maintain the Existing Regulatory Framework
The existing statutory authority places much of the CFATS regulatory framework at the discretion of the Secretary of Homeland Security. The DHS is still in the process of implementing these regulations and has not yet determined their effectiveness. Congress might choose to maintain the existing regulations by extending the statutory authority's sunset date or codifying the existing regulations. Also, as noted above, allowing the statutory authority to expire could maintain, in effect, the existing regulatory framework if Congress continues to fund implementation, although this might lead to legal challenge.
Extend the Sunset Date
Congressional policy makers might choose to extend the current statutory authority for a fixed or indefinite time. Congress has enacted a series of limited extensions of the statutory authority since its inception. H.J.Res. 130 extends the existing statutory authority through December 13, 2014. Extending the existing statutory authority may provide regulated entities continuity, protect them from losing those resources already expended in regulatory compliance, and avoid providing a competitive advantage to those regulated entities that remained out of regulatory compliance. An extension may allow assessment of the efficacy of the existing regulations and inclusion of this information in any future attempts to revise or extend DHS's statutory authority. Moreover, since DHS is in the process of implementing current regulations, some policy makers argue for a simple extension without changing statutory requirements.
The Obama Administration FY2015 budget requests an extension of the statutory authority until October 4, 2015, but the Obama Administration also supports enacting a longer duration or permanent statutory authority.138 The Administration's Chemical Facility Safety and Security Working Group's report to the President called for action from Congress to provide permanent statutory authorization for the CFATS program.139 Congress might make the existing program permanent by removing the statutory authority's sunset date. Some regulated entities support converting the existing program into a program with permanent or long-term authorization.140 The removal of the sunset date would make the statutory authority permanent, maintain the current discretion granted to the Secretary of Homeland Security to develop regulations, and might allow long-term assessment of the efficacy of the existing regulations. Making the existing statute permanent would provide consistency in authority and remove the statutory pressure to reauthorize the program. In contrast, the presence of a sunset date for the statutory authority arguably increases the likelihood of congressional attention to chemical facility security as a legislative topic. Some advocates who wish for more regular congressional review of the statutory authority might oppose removing its sunset date.
Codify the Existing Regulations
Congressional policy makers might choose to affirm the existing regulations by codifying them or their principles in statute. Such codification could reduce the discretion of the Secretary of Homeland Security to alter the CFATS regulations in the future. The existing statutory authority grants broad discretion to the Secretary to develop many elements of the CFATS regulations. Future Secretaries may choose to alter its structure or approach and still comply with the existing statute. Policy makers might identify specific components of the existing regulation that they wish any future regulation to retain and codify those portions. Specifying these components might limit the ability of the Secretary to react to changing circumstance, gained experience, and new knowledge. On the other hand, the codified portions might enhance the regulated community's ability to plan for future expenses and requirements.
Alter the Existing Statutory Authority
Congressional policy makers might choose to alter the existing statutory authority to modify the existing regulations, address stakeholder concerns, or broadly change the regulatory program.
Accelerate or Decelerate Compliance Activities
The DHS bases its schedule for facility CFATS compliance on the chemical facility's assigned risk tier. Those chemical facilities assigned to higher risk tiers have a more accelerated compliance and resubmission schedule than those assigned to lower risk tiers. Congressional policy makers might attempt to accelerate the compliance schedule by increasing funding available to DHS for CFATS, thereby increasing the ability of DHS to provide feedback to regulated entities, review submissions, and inspect facilities filing site security plans. Additional funding might reduce or mitigate inefficiencies or delays related to DHS processing of submissions.
Alternatively, policy makers might provide DHS with the authority to use third parties as CFATS inspectors. The DHS could then augment the number of CFATS inspectors to meet increased demand or delegate inspection authority to state and local governments. Third-party inspectors might allow DHS to draw on expertise outside of the federal government in assessing the efficacy of the implemented site security activities. The DHS may need to define the roles and responsibilities of these inspectors and how DHS will assess and accredit their qualifications. The DHS has stated its intent to issue a rulemaking regarding the use of third-party inspectors but has not yet done so.141 The use of third-party inspectors might lead to concerns about equal treatment of chemical facilities by different third-party inspectors, and questions about whether homeland security inspections of this type are an inherently governmental responsibility that only federal employees should perform.
Congress might direct DHS to increase its activities on identifying noncompliant facilities. Following an explosion in West, TX, DHS identified that the facility had not complied with CFATS, though it reportedly possessed more than a screening threshold quantity of chemicals of interest. Congressional policy makers may prioritize identifying those facilities that have not yet reported over other parts of the CFATS process, depending on their view of the relative risk reduction of these activities.
Finally, Congress might determine that DHS has sufficient resources to accelerate compliance activities but is restrained by some other procedural factor. Some congressional policy makers assert that the internal and external reviews of the CFATS program indicate internal challenges and claim "the basic programmatic building blocks of CFATS are missing."142 Congressional policy makers might direct DHS to refine its internal procedures, streamline its review process, reduce the timeframe for response and interaction with regulated entities, or otherwise enact process improvements.
Conversely, congressional policy makers might choose to slow the implementation schedule of the chemical facility security regulations. Concern about the impact of the regulation on small businesses or other entities might lead to a decelerated compliance schedule. The DHS has already implemented select regulatory extensions for certain agricultural operations.143 Congressional policy makers might direct DHS to provide longer submission, implementation, and resubmission timelines for those regulated entities that might suffer disproportionate economic burdens from compliance.
Incorporate Excluded Facilities
Policy makers might remove some or all of the statutory exclusions from the CFATS program. The Administration has supported revising the existing exclusions to provide a more comprehensive chemical facility security approach. The DHS supports modifying the existing exemption for (1) facilities regulated under the Maritime Transportation Security Act (MTSA) to increase security at these facilities to the CFATS standard and (2) facilities regulated by the Nuclear Regulatory Commission to clarify the scope of the exemption.144
In addition, DHS and the Environmental Protection Agency (EPA) have called for additional authorities to regulate water and wastewater treatment facilities:
The Department of Homeland Security and the Environmental Protection Agency believe that there is an important gap in the framework for regulating the security of chemicals at water and wastewater treatment facilities in the United States. The authority for regulating the chemical industry purposefully excludes from its coverage water and wastewater treatment facilities. We need to work with the Congress to close this gap in the chemical security authorities in order to secure chemicals of interest at these facilities and protect the communities they serve. Water and wastewater treatment facilities that are determined to be high-risk due to the presence of chemicals of interest should be regulated for security in a manner that is consistent with the CFATS risk and performance-based framework while also recognizing the unique public health and environmental requirements and responsibilities of such facilities.145
The EPA has testified that the Obama Administration believes that EPA should be the lead agency for chemical security for both drinking water and wastewater systems, with DHS supporting EPA's efforts. The EPA also supports providing states with an important role in regulating chemical security at water systems, including determinations, auditing, and inspecting.146
In contrast, the Administration's Chemical Facility Safety and Security Working Group's report to the President called for action from Congress to remove the exemption for water and wastewater treatment facilities. According to the report, DHS could then regulate security at these facilities in collaboration with the EPA.147
If Congress provides the executive branch with statutory authority to regulate water and wastewater treatment facilities for chemical security purposes, it may weigh several policy decisions. Among these choices are which facilities should be regulated; how stringent such security measures should be; what federal agency should oversee them; and whether compliance with these security measures is practicable given the public nature of many water and wastewater treatment facilities.
One option for congressional policy makers might be to include water and wastewater treatment facilities under the existing CFATS regulations, effectively removing the exemption currently in statute. This would place water and wastewater treatment facilities on par with other possessors of chemicals of interest. The DHS would provide oversight of all regulated chemical facilities.148 Opponents might claim that activities under CFATS, such as vulnerability assessment, duplicate existing requirements under the Safe Drinking Water Act.149 Also, opponents of such an approach cite the essential role that water and wastewater treatment facilities play in daily life and assert that several authorities available to DHS under CFATS, such as the ability to require a facility to cease operations, are inappropriate if applied to a municipal utility.150 Congressional policy makers might mitigate some of these concerns by requiring DHS to consult with EPA regarding its regulation of water and wastewater treatment facilities and harmonizing existing vulnerability assessment requirements.
Another option might be to grant statutory authority to regulate water and wastewater treatment facilities for security purposes to EPA. Some water-sector stakeholders suggest that EPA retaining the lead for water and wastewater treatment facilities would be more efficient. Providing EPA the authority to oversee security as well as public health and safety operations may reduce the potential for redundancy and other inefficiencies.151
If policy makers assign responsibility for chemical facility security at different facilities to different agencies, each agency will promulgate separate rules. These rules may be similar or different depending on the agencies' statutory authority, interpretation of that authority, and ability of the regulated entities to comply as well as any interagency coordination that might occur. Some industry representatives have expressed concern regarding the effects of multiple agencies regulating security at drinking water and wastewater treatment facilities.152 They assert that municipalities that operate both types of facilities might face conflicting regulations and guidance if different agencies regulate drinking water and wastewater treatment facilities. Congress may wish to assess the areas where such facilities are similar and different in order to provide authorities that meet any unique characteristics.
Any new regulation of drinking water and wastewater treatment facilities is likely to cause the regulated entities, and potentially the federal government, to incur some costs. Representatives of the water and wastewater sectors argue that local ratepayers will eventually bear the capital and ongoing costs incurred due to increased security measures.153 Congressional policy makers may wish to consider whether the regulated entities and the customers they serve should bear these costs, as is done for other regulated chemical facilities, or whether they should be borne by the taxpayers in general through federal financial assistance to the regulated entities. Additionally, if inclusion of other facility types significantly increases the number of regulated entities, the regulating agency may require additional funds to process regulatory submissions and perform required inspections.
Harmonize Regulations
Other security statutes, such as MTSA, apply to some facilities exempt from the existing chemical facility security regulations. The DHS supports modifying the existing exemption for MTSA-regulated facilities to increase security at these facilities to the CFATS standard and modifying the existing exemption for facilities regulated by the Nuclear Regulatory Commission to clarify the scope of the exemption for NRC-regulated facilities.154 The EPA has testified that the Obama Administration believes that DHS should be responsible for ensuring consistency of high-risk chemical facility security across all critical infrastructure sectors.155
If Congress modifies these exemptions, conflicts might arise between requirements under chemical facility security regulations and these other provisions. One approach to resolving these conflicts is to identify which statute would supersede the others. Critics of such an approach might assert that the superseding statute does not contain all of the protections present in the other statutes. Another approach might be to require agencies to generally harmonize the regulations implementing each statute. Regulatory agencies might identify and determine the best ways to meet statutory requirements while also limiting regulatory duplication or contradiction.
Such harmonization might reduce the regulatory burden on companies possessing facilities regulated under two frameworks, such as MTSA and CFATS, by allowing a single security approach to the regulations. For example, equivalent credentialing of workers under both regulatory frameworks might limit the regulatory cost of compliance, in contrast to requiring two distinct security credentials. The DHS has established a joint NPPD/U.S. Coast Guard (USCG) working group to evaluate and, where appropriate, implement methods to harmonize the CFATS and MTSA regulations.156 In contrast, if the process of harmonization leads to a significant increase in security requirements, the regulatory burden faced by industry might also increase. The USCG and NPPD have signed a memorandum of agreement regarding collaborative use of security risk management information developed by each entity.157 Congress previously expressed its expectation that DHS would execute a memorandum of agreement between NPPD and USCG regarding harmonization of chemical security responsibilities under CFATS and MTSA no later than March 30, 2012.158 The DHS did not meet this expectation, and Congress reaffirmed this direction in March 2013.159
Increase Interagency Coordination
Congress may also focus on the interaction between different federal agencies, or between federal and state agencies, regulating facilities possessing chemicals of interest. States and the EPA, for example, receive information on certain chemical facilities through compliance with environmental regulations. The extent to which these agencies coordinate and exchange information with each other may affect overall regulatory compliance. The White House is coordinating a review of chemical safety and security regulations across departments and agencies for potential gaps in coverage and explore ways to mitigate those gaps through existing authorities.160
As early as 2009, DHS identified reconciling CFATS submissions with EPA RMP facility information as a way to reveal outliers.161 The West Fertilizer Company, for example, was compliant with the EPA RMP program and had provided a five-year update in 2011, but it was not identified by DHS as noncompliant under CFATS.162 Comparing federally held information on regulated facilities may be effective in identifying outliers. Such a process likely would occur through data analysis rather than through outreach activities, a potentially less costly procedure. The success of this approach would depend on the quality of self-reporting by regulated entities. In the case of the West Fertilizer Company, its report to EPA might have indicated to DHS that it should also have reported to DHS, but this approach would not allow DHS to identify a facility that fails to self-report to any agency. In order to identify such facilities, DHS has reengaged with EPA regarding RMP data and has identified some outlier facilities.163
Similarly, DHS might attempt to collect chemical holdings data from other governmental entities, including state and local regulatory agencies. State and local regulatory agencies may possess more diverse information about chemical holdings at particular facilities than federal agencies. For example, under Title III of the Superfund Amendments and Reauthorization Act (SARA; P.L. 99-499), the Emergency Planning and Community Right-to-Know Act (EPCRA) requires certain facilities to submit chemical inventories to state and local planning authorities and the local fire department, so-called "Tier II" reporting. Reporting to states under EPCRA results in chemical inventories while reporting to EPA under the RMP program is required only for select chemicals. For example, EPCRA-based reporting to the state of Texas showed the presence of ammonium nitrate at the West Fertilizer Company. Ammonium nitrate does not require reporting under the RMP program but is a CFATS chemical of interest.164 The DHS might request such information from state or local authorities and use it to verify facility compliance with CFATS reporting requirements. The DHS is in the process of contacting certain state officials regarding facilities containing chemicals within their jurisdictions.165 The DHS requests specific funding for FY2015 to establish a capacity for such analysis on an annual basis.166
Because of the range of information possessed by various federal, state, and local regulatory agencies, this approach may provide a greater insight into the identities of non-compliant facilities but also be resource intensive, as different state and local agencies store such data in various, potentially incompatible formats. In addition, industry stakeholders may have concerns about the identification and subsequent protection of proprietary or competitive information arising from the aggregation of different regulatory filings.
Consider Inherently Safer Technologies
Congressional policy makers may choose to address the issue of inherently safer technologies, sometimes called methods to reduce the consequences of terrorist attack. The current statute bars DHS from mandating the presence or absence of a particular security measure. Therefore, DHS cannot require a regulated facility to adopt or consider inherently safer technologies.167 Congress could choose to continue the current policy or provide DHS with statutory authority regarding inherently safer technologies at regulated chemical facilities or require efforts regarding inherently safer technologies.
One policy approach might be to mandate the implementation of inherently safer technologies for a set of processes. Another policy approach might be to mandate the consideration of implementation of inherently safer technologies with certain criteria controlling whether implementation is required. A third policy approach might be to mandate the development of a federal repository of inherently safer technology approaches and consideration of chemical processes against those options listed in the repository. Stakeholders might assess and review the viability of applying these inherently safer approaches at lower cost if such information were centralized and freely available. Alternatively, policy makers might establish an incentive-based structure outside of the chemical facility security mandate to encourage the adoption of inherently safer technologies by regulated entities.
The Obama Administration supports use of inherently safer technologies to enhance security at high-risk chemical facilities in some circumstances. It has established a series of principles directing its policy:
- The Administration supports consistency of inherently safer technology approaches for facilities regardless of sector.
- The Administration believes that all high-risk chemical facilities, Tiers 1-4, should assess [inherently safer technology] methods and report the assessment in the facilities' site security plans. Further, the appropriate regulatory entity should have the authority to require facilities posing the highest degree of risk (Tiers 1 and 2) to implement inherently safer technology methods if such methods demonstrably enhance overall security, are determined to be feasible, and, in the case of water sector facilities, consider public health and environmental requirements.
- The Administration believes that the appropriate regulatory entity should review the inherently safer technology assessment contained in the site security plan for all Tier 3 and Tier 4 facilities. The entity should be authorized to provide recommendations on implementing inherently safer technologies, but it would not have the authority to require facilities to implement the inherently safer technology methods.
- The Administration believes that flexibility and staggered implementation would be required in implementing this new inherently safer technology policy.168
A congressional mandate for regulated entities to adopt or consider adopting inherently safer technologies may have benefits and drawbacks. It may lead regulated entities to consider factors such as homeland security impact in their chemical process assessments. Some experts assert that existing chemical process safety activities consider and assess inherently safer technology approaches though not necessarily in a homeland security context.169 These assessments may lead to changes in chemical process when deemed safer, more reliable, and cost-effective. The extent to which homeland security impact has factored into these industry decisions is unknown, but DHS has identified cases where chemical facilities have voluntarily modified chemical processes to lower their CFATS tier. An additional complication to assessing inherently safer technology is the varying amounts and quality of information available regarding industrial implementation of inherently safer technologies. While some facilities have converted to processes generally deemed as inherently safer, other facilities may not have sufficient information available to effectively assess the impacts from changing existing processes to ones considered inherently safer.170 The differences that exist among chemical facilities, in terms of chemical process, facility layout, and ability to finance implementation, may challenge mandatory implementation of inherently safer technologies at regulated entities. Finally, the National Academies have identified that the chemical industry lacks a common understanding and set of practice protocols for identifying safer processes.171 Therefore, it seems likely that any such mandate will also require accompanying outreach and educational activities for regulated entities. Even the mandatory consideration of inherently safer technologies may place a financial burden on some small regulated entities. Congress might limit mandatory measures to those facilities considered by DHS to pose the most risk or might provide such financial assistance to regulated facilities.172
Policy makers might choose to try to further incentivize regulated entities to adopt inherently safer technologies. Under the CFATS regulations, facilities that adopt inherently safer technologies might change their assigned risk tier by reducing the amount of chemicals of interest they store. As of December 2014, more than 3,000 facilities had removed or reduced the amount of chemicals of interest stored onsite and no longer qualify as a high-risk facility.173 Policy makers might provide regulated entities that adopt inherently safer technologies with additional financial or regulatory incentives. Alternatively, policy makers might direct DHS or another agency to perform inherently safer technology assessments for regulated entities, transferring the cost of such assessment from the facility to the federal government.174 The regulated entity or the overseeing agency might use the results of these assessments to guide adoption of inherently safer technologies.
Modify Information Security Provisions
Congressional policy makers might choose to increase transparency in the CFATS process by altering the information security provisions of the program. Such an approach might include increasing the number and type of individuals granted access to CVI, improving information exchange with first responders, and adjusting the manner by which courts and administrative proceedings handle CVI. The Obama Administration has testified that CVI is a distinct information protection regime and expressed support for maintaining CVI in its current form.175
Congress might choose to amend the existing statutory authority to address policy concerns. Policy makers might direct DHS to make specific types of information, such as the results of enforcement activities or the approval of successful implementation of a site security plan, more generally available. As more information about the vulnerability assessment and the security process becomes available, the potential that adversaries might combine this disparate information to obtain insight into a security weakness may increase. Congressional policy makers might require that the executive branch or another entity identify the threats or vulnerabilities that might accrue from release of a greater amount of chemical facility security information prior to implementing such a policy change.176
Congressional policy makers might choose to alter the information protection regime afforded to chemical facility security information by specifically expanding access to first responders. The existing regulation explicitly states that it does not protect from disclosure information developed in response to other laws or regulations, such as the Emergency Planning and Community Right-to-Know Act (EPCRA). Enhancing first responder access to such information might minimize perceived barriers to disclosing information during an accident. For example, Congress might mandate that each jurisdiction with a regulated chemical facility contain a first responder designated as a covered individual.
Conversely, congressional policy makers might choose to further limit dissemination of CVI so as to increase barriers to its release. Congress might prohibit DHS from sharing such information outside of the federal government or further limit CVI access to state and local officials by establishing additional eligibility criteria. Limiting the number of individuals with access to CVI may make it more difficult for those wishing to do harm to obtain technical or operational security information. Conversely, state and local officials may not support such an approach, as limitations on distribution may also adversely affect emergency response at a regulated facility or inhibit the ability of state and local law enforcement officials to provide targeted protection of particular chemical facility assets.
Policy makers might also choose to address the issue of identifying and marking protected information by mandating review of marked documents. Congressional policy makers might assign this responsibility to review and certify marked information to the chemical facility. Alternatively, the federal government might review and certify documents marked CVI on a regular basis. Industry representatives may not support such a requirement due to the additional regulatory burden caused by the review. While such review might potentially limit incorrect marking, it may inhibit information reporting by regulated entities to the federal government. Additionally, absent a penalty for incorrect marking, it is unclear how to discourage incorrect marking of non-security materials in order to avoid public release.
Congressional policy makers may also address concerns raised regarding the ability of concerned individuals to report misdeeds by creating a "whistleblower" reporting mechanism.177 One approach might be to codify the current mechanism of reporting such concerns to DHS or a similar federal entity, such as an agency Inspector General. Alternatively, Congress can create a more general exemption to the penalties arising from disclosure of protected information for those individuals who report such concerns to federal officials if that is needed to protect whistleblowers. As part of a whistleblower mechanism, policy makers might choose to extend protections against retaliation or other job-related actions to those individuals availing themselves of current or newly established reporting mechanisms.
Preempt State Regulations
The 110th Congress addressed the issue of federal preemption of state chemical facility security statutes and regulations by placing in statute the requirement that federal regulation preempt the state regulation only when an "actual conflict" occurs between them.178 Congressional policy makers may choose to further limit the cases where federal regulation would preempt state regulation by affirming the right of states to make chemical facility security regulations that are more stringent than federal regulation even if they conflict. Alternatively, policy makers may choose to increase the number of cases where federal regulations preempt those of a state by expanding the types of conflict, beyond "actual," that will lead to preemption.
Congressional Action
The annual appropriations process provides funding for implementation of chemical facility security regulation. The 113th Congress, through H.J.Res. 130, extended the statutory authority through December 13, 2014, and provided appropriations for CFATS implementation. The 113th Congress has passed H.R. 4007, which authorizes DHS to regulate chemical facilities for security purposes through the Homeland Security Act. This bill will repeal the existing statutory authority on the effective date of the act (30 days after enactment). Many of the existing authorities are present in H.R. 4007, but it also provides DHS with new authorities, such as the ability for certain covered chemical facilities to self-certify the sufficiency of their security plans. The DHS may use the existing regulations and issue new regulations as necessary to implement the new authority. Other chemical facility security legislation has also been introduced in the 113th Congress.
Modify the Existing Authority
Legislation in the 113th Congress has been introduced in the House that would modify the existing authority. Of this legislation, the 113th Congress has passed H.R. 4007.
H.R. 4007
H.R. 4007, as passed the Senate, passed the House on December 11, 2014. This bill will repeal Section 550 of P.L. 109-295 on the effective date of the act (30 days after enactment), but DHS may use the existing regulations and issue new regulations as necessary to implement the new authority.
Senate-Passed
H.R. 4007, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, as amended, passed the Senate on December 10, 2014. The Senate Committee on Homeland Security and Governmental Affairs reported the bill on September 18, 2014.
The act would establish a Chemical Facility Anti-Terrorism Standards Program within DHS. It would require the Secretary of Homeland Security to establish risk-based performance standards through the program and mandate that the Secretary identify chemical facilities of interest and covered chemical facilities. Chemical facilities of interest would be those chemical facilities possessing certain chemicals in greater than threshold quantities. Covered chemical facilities would be chemical facilities of interest designated by the Secretary as meeting certain security risk criteria. Facilities regulated under MTSA; public water systems; wastewater treatment works; facilities owned or operated by the Department of Defense and Department of Energy; and facilities regulated by the Nuclear Regulatory Commission would be excluded from the definitions of chemical facility of interest and covered chemical facility. Chemical facilities of interest would submit Top-Screen information to DHS, while covered chemical facilities would also submit a security vulnerability assessment, and develop, submit, and implement a site security plan.
The act would require the Secretary to review and approve or disapprove such security vulnerability assessments and site security plans, though not on the basis of the presence or absence of a particular security measure. It would allow the Secretary to approve alternative security programs if the programs meet DHS requirements. The act would allow the Secretary to recommend additional security measures so that an alternative security program would meet DHS requirements.
The act would also provide a mechanism for Tier 3 and Tier 4 chemical facilities to self-certify the sufficiency of their site security plans to DHS. The act would prohibit DHS from disapproving the site security plans of such "expedited approval facilities." It would allow DHS to assess facility compliance with the risk-based performance standards and the self-certified site security plans. The act would allow the Secretary to recommend additional security measures so that a self-certified site security plan would meet DHS requirements and allow the Secretary to develop templates for use in developing self-certified site security plans. The Secretary would be required to evaluate this aspect of the chemical facility security program and report the results to the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Homeland Security.
H.R. 4007, as passed the Senate, would require the Secretary to audit and inspect covered facilities. It would explicitly allow the Secretary to permit non-departmental and nongovernmental entities to perform such activities and would allow nongovernmental personnel to provide administrative and logistical services to DHS in support of audits and inspections. It would limit approval of site security plans and determination of compliance with an approved site security plan to the Secretary and the Secretary's designees within DHS. It would also require the Secretary to set standards for departmental and nongovernmental inspectors. Also, the act would allow a covered facility to satisfy a personnel surety performance standard by using any federal screening program that periodically vets individuals against the terrorist screening database, including the DHS personnel surety program.
The act would provide a mechanism for addressing covered facility noncompliance including the issuance of penalties. The Secretary would also have the authority to issue certain emergency orders that would take effect immediately. Owners or operators of chemical facilities of interest that fail to comply with or knowingly submit false information under the CFATS regulations would be liable for a civil penalty.
The act, as passed the Senate, would require the Secretary to consult with other federal agencies, relevant business associations, and public and private labor organizations to identify potentially noncompliant facilities. The act would provide protections to information developed pursuant to the act and would explicitly exempt such information from the Freedom of Information Act. It would allow the Secretary to share information with covered facilities, state and local government officials, as well as first responders through state and local fusion centers.
The act would also require the Secretary to establish a reporting procedure for employees of a chemical facility to confidentially submit information to DHS. In addition, the Secretary would be required to acknowledge receipt of such information, review it, and take appropriate actions to address any substantiated problems or deficiencies. The act would expressly prohibit retaliation against employees using this process.
The Secretary would be granted the discretion to use existing and new regulations to implement these authorities. In addition, it would direct DHS and GAO to provide various reports on the program.
H.R. 4007, as passed the Senate, also would allow the Secretary to provide guidance on recordkeeping, reporting, physical security, and cybersecurity compliance to regulated small chemical facilities. Finally, the bill would require the Secretary to commission a third-party study on vulnerabilities associated with the existing CFATS program.
H.R. 4007, as passed the Senate, would repeal Section 550 of P.L. 109-295 on the effective date of the act (30 days after enactment). It contains a sunset date, and the statute would expire four years after the effective date of the act. It does not contain an authorization of appropriations.
House-Passed
H.R. 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014, was passed by the House of Representatives on July 8, 2014. On June 23, 2014, the House Committee on Homeland Security amended the bill as forwarded by the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies and reported it, as amended, to the House of Representatives.179 On April 3, 2014, the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, of the House Committee on Homeland Security, amended the bill as introduced and ordered it forwarded to the full committee with a favorable recommendation, as amended.
The act would establish a Chemical Facility Anti-Terrorism Standards Program within DHS. It would require the Secretary of Homeland Security to establish risk-based performance standards through the program and mandate that chemical facilities of interest and covered facilities submit security vulnerability assessments and develop and implement site security plans. Chemical facilities of interest would be those chemical facilities possessing certain chemicals in greater than threshold quantities. Covered chemical facilities would be chemical facilities of interest designated by the Secretary as meeting certain security risk criteria, excluding facilities regulated under MTSA; public water systems; wastewater treatment works; facilities owned or operated by the Department of Defense and Department of Energy; facilities regulated by the Nuclear Regulatory Commission; and certain rail facilities regulated by the Transportation Security Administration.
The act would require the Secretary to review and approve or disapprove such security vulnerability assessments and site security plans, though not on the basis of the presence or absence of a particular security measure. It would allow the Secretary to approve alternative security programs if the programs meet DHS requirements. Also, the act would allow a covered facility to satisfy a personnel surety performance standard by using any federal screening program that periodically vets individuals against the terrorist screening database, including the DHS personnel surety program. It also would prohibit the Secretary from requiring a covered facility to submit information about individuals with access to the facility unless the individual was vetted under the DHS personnel surety program or had been identified as presenting a terrorism security risk.
H.R. 4007, as passed the House, would require the Secretary to audit and inspect covered facilities and explicitly allows the Secretary to permit non-departmental and nongovernmental entities to perform such activities. It would also require the Secretary to set standards for departmental and nongovernmental inspectors. The act would provide a mechanism for addressing covered facility noncompliance including the issuance of penalties. Also, it would require the Secretary to consult with other federal agencies and relevant business associations to identify potentially noncompliant facilities.
The act would provide protections to information developed pursuant to the act. It would allow the Secretary to share information with covered facilities, state and local government officials, as well as first responders through state and local fusion centers. The Secretary would be granted the discretion to use existing and new regulations to implement these authorities. In addition, it would direct DHS and GAO to provide various reports on the program.
H.R. 4007, as passed the House, also would require the Secretary to make available information about protections for providing information to DHS, allow the Secretary to provide guidance on physical security compliance to regulated small chemical facilities, and provide authorization of appropriations from FY2015 through FY2018 at $87.436 million. Finally, the bill would require the Secretary to establish an outreach implementation plan, submit a plan to Congress on CFATS metrics, and commission a third-party study on vulnerabilities associated with the existing CFATS program.
H.R. 4007, as passed the House, does not contain a sunset date.
In February 2014, Secretary of Homeland Security, Jeh Johnson, testified that he was in support of H.R. 4007, as introduced, stating:
I have reviewed H.R. 4007. I think it is a good bill. I'm very supportive of it. Indeed, my folks tell me, "We wish we could extend the period longer." We have a regulatory scheme that we have put in place. I agree with you, that over the last year, it's gotten better. That all stems from an appropriations measure, not an authorizations measure. I've read this bill. I think it's a good bill. Our critical infrastructure folks think it's a good bill. And I support it.180
In addition, several industry organizations have expressed support for H.R. 4007.181 In contrast, a labor representative asserted that the bill fails to address several weaknesses present in the current CFATS program.182
H.R. 68
H.R. 68 was referred to the House Committee on Energy and Commerce and the House Committee on Homeland Security. The act would prohibit the Secretary of Homeland Security from approving a chemical facility site security plan if the plan did not meet or exceed existing state or local security requirements. It would allow the Secretary of Homeland Security to mandate the use of specific security measures in site security plans. The bill would also cause CVI to be treated as sensitive security information in both general and legal proceedings. Finally, the act would no longer prohibit third-party individuals from bringing suit in court to require the Secretary of Homeland Security to enforce chemical facility security regulations against a chemical facility.
S. 67
S. 67, the Secure Water Facilities Act, was referred to the Senate Committee on Environment and Public Works. The act would authorize the EPA Administrator to regulate community water systems and wastewater treatment facilities for security purposes. S. 67 also would authorize implementation of methods to reduce the consequences of a chemical release from an intentional act. Among other provisions, the Administrator would be directed to promulgate regulations as necessary to prohibit the unauthorized disclosure of controlled information. S. 67 would authorize the Administrator to provide grants or enter into cooperative agreements with states or regulated entities to assist in regulatory compliance.
S. 68
S. 68, the Secure Chemical Facilities Act, was referred to the Senate Committee on Homeland Security and Governmental Affairs. The act would codify aspects of the CFATS regulation. It would require facilities to evaluate whether the facility could reduce the consequences of an attack by using a safer chemical or process. The act would authorize DHS to require implementation of those safer measures if a facility has been classified as one of the highest-risk facilities, implementation of safer measures is feasible, and implementation would not increase risk overall by shifting risk to another location. Among other provisions, S. 68 also would increase the participation of employees and employee representatives in developing security plans. S. 68 would alter the current information control regime, aligning it with that for sensitive security information. Finally, S. 68 would allow third-party individuals to file suit against the Secretary of Homeland Security or submit a petition to the Secretary to enforce compliance with statute.
S. 814
S. 814, the Protecting Communities from Chemical Explosions Act of 2013, was referred to the Senate Committee on Homeland Security and Governmental Affairs. The act would levy a civil penalty on owners or operators of a facility that does not file Top-Screen information when possessing a chemical of interest at above the screening threshold quantity. It would also establish a criminal penalty if a facility owner, a facility operator, or an officer of an entity that owns or operates a facility intentionally fails to file Top-Screen information when the facility possesses a chemical of interest at above the screening threshold quantity.
Extend the Existing Authority
The current statutory authority to regulate security at chemical facilities expires on December 13, 2014. Historically, Congress has extended this authority through appropriations acts. The Administration's budget requests that the statutory authority be extended to October 4, 2015.
H.J.Res. 130
H.J.Res. 130 extends the current statutory authority to December 13, 2014.
P.L. 113-164
P.L. 113-164, Continuing Appropriations Resolution, 2015, extended the current statutory authority to December 11, 2014.
H.R. 4903
H.R. 4903, Department of Homeland Security Appropriations Act, 2015, would extend the current statutory authority to October 4, 2015.183 In addition, the act would prohibit DHS from using any funds appropriated by the act for certain personnel surety activities at chemical facilities. The DHS would not be able to require a chemical facility to employ or not employ a particular security measure for personnel surety if the facility has adopted certain personnel measures. These personnel measures must be designed to verify and validate an individual's identification; check an individual's criminal history; verify and validate an individual's legal authorization to work; and identify individuals with terrorist ties. The act would expressly allow a facility to use any federal screening program "that periodically vets individuals against the terrorist screening database, or any successor to such database, including the Personnel Surety Program of the Department of Homeland Security" to satisfy the requirement to identify individuals with terrorist ties.184
H.Rept. 113-481
H.Rept. 113-481, the report accompanying H.R. 4903, would recommend $83 million for Infrastructure Security Compliance, $3.7 million less than the Administration's request. According to the House Committee on Appropriations, this recommended funding would "enhance critical efforts related to compliance with CFATS, including developing an automated process for identification of CFATS outliers, addressing concerns raised by GAO regarding the risk-tiering methodology, and fulfilling other requirements."185
The report also expresses the committee's determination that "DHS should not mandate how a covered chemical facility meets the personnel surety standard if the facility has already adopted a rigorous process to verify and validate identity, check criminal history, verify and validate legal authorization to work, and identify individuals with terrorist ties by using a federal vetting program, such as one that periodically vets individuals." The report would also direct the Under Secretary of NPPD to report to the appropriations committees within 120 days and semiannually thereafter on the implementation of the CFATS program. Finally, the report would encourage DHS to work with the Chemical Sector Coordinating Council to disseminate information to the chemical sector, about proven next-generation sealing technologies.
S. 2534
S. 2534, Department of Homeland Security Appropriations Act, 2015, would extend the current statutory authority to October 4, 2015.186
S.Rept. 113-198
S.Rept. 113-198, the report accompanying S. 2534, would recommend $87 million for Infrastructure Security Compliance, $249 thousand less than the Administration's request.187 The report would also direct the Under Secretary of NPPD to report within 90 days and semiannually thereafter on the implementation of the CFATS program. The report would be delineated by risk tier and include the number of facilities covered, inspectors, completed inspections, inspections completed by region, pending inspections, days inspections are overdue, enforcements resulting from inspections, and enforcements overdue for resolution.
The report also would direct NPPD to brief the Senate Committee on Appropriations within 90 days on the progress made on improving chemical facility security coordination among federal agencies and fulfilling the recommendations made in the report of the Chemical Facility Safety and Security Working Group established by Executive Order 13650.
In addition, the report urges NPPD to "find the best possible path to ensure safety while not overburdening the industry with excessive regulatory requirements. In particular it is imperative that NPPD work with industry on a viable solution to personnel surety."188 It also encourages NPPD to consider chemical neutralization technologies when creating comprehensive and integrated standard operating procedures for a unified federal approach for identifying and responding to risks in chemical facilities.
Finally, the report would direct NPPD to consider the eligibility of chemical security inspectors for administratively uncontrollable overtime and keep the Senate Committee on Appropriations apprised of developments in this area.189
P.L. 113-76
P.L. 113-76, the Consolidated Appropriations Act, 2014, became law on January 17, 2014. It extended the statutory authority through October 4, 2014, and provided appropriations for the federal government for FY2014. A joint explanatory statement for P.L. 113-76 contained specific directions for the CFATS program, as did the House and Senate reports accompanying their respective passed and reported homeland security appropriations bills.
Joint Explanatory Statement
The joint explanatory statement for P.L. 113-76 provided $81.0 million for Infrastructure Security Compliance, $4.8 million less than the Administration's request.190 The joint explanatory statement clarified that
The language and allocations contained in the House and Senate reports should be complied with and carry the same weight as the language included in this explanatory statement, unless specifically addressed to the contrary in the final bill or this explanatory statement.191
The joint explanatory statement contained certain requirements for DHS with respect to chemical facility security and the CFATS program.192 It directed NPPD to, as detailed in the House report, provide a report within 90 days of enactment to the appropriations and authorizing committees explaining how ISCD will further improve the review process for regulated facilities. The joint explanatory statement directed NPPD to report to the appropriations and authorizing committees not later than April 15, 2014, on the steps NPPD is taking to avoid costly duplication of programs, as detailed in the House report. The report is also to describe how NPPD is helping to ensure the safety of facilities and whether DHS intends to mandate how a covered chemical facility meets the personnel surety standard, particularly in cases where the facility has already adopted strong and identifiable personnel measures designed to verify identity, check criminal history, validate legal authorization to work, and identify individuals with terrorist ties.
The statement further directed the Under Secretary of NPPD to provide a report within 90 days of enactment to the appropriations committees on the implementation of the CFATS program, as detailed in the Senate report. This report shall be in lieu of language in the House report directing NPPD to provide a detailed expenditure plan.
In lieu of the requirement in the Senate report for the Chemical Sector Coordination Council to develop recommendations to improve coordination on chemical security and safety, the joint explanatory statement directed NPPD to continue implementing the requirements designated in Executive Order 13650.193 The joint explanatory statement stated its expectation that NPPD provide regular updates on the progress of implementing improvements, the status of corrective measures being taken to ensure awareness of facilities that fall under the purview of the CFATS program, and the need for any additional funding requirements that emerge to address coordination needs. In lieu of language in the House report, the joint explanatory statement directed NPPD to report semiannually to the appropriations committees on progress in complying with all the DHS Office of Inspector General recommendations made on ISCD's management practices related to CFATS.194 The joint explanatory statement also directed ISCD to improve the compliance of current Top-Screen registrants, such as through ongoing, proactive risk monitoring, data management, and the verification of business information in lieu of language in the House report.
H.Rept. 113-91
H.Rept. 113-91, the House Committee on Appropriations report accompanying H.R. 2217, would have recommended $77.1 million for Infrastructure Security Compliance, $8.7 million less than the Administration's request. The report cites "the continued delays in the implementation of the Chemical Facility Anti-terrorism Standards (CFATS) program" and "the Infrastructure Security Compliance Division's (ISCD) inability to mitigate real risks" as the reason for the decrease.195
The House committee report would direct DHS to perform certain activities and to provide several reports to congressional policy makers. It would direct NPPD to report on how it will further accelerate the site security plan review process and detail actions DHS is taking to better manage the CFATS program.196 The committee report also expresses the committee's expectation that NPPD will comply with the recommendations of the DHS Inspector General regarding the CFATS program and would direct NPPD to report to the committee on its compliance with those recommendations.197 It would direct the Under Secretary for NPPD to report on steps NPPD is taking to leverage existing personnel surety infrastructure within DHS and industry and to ensure that DHS does not inadvertently compromise facility safety due to overzealous protection of criminal investigations.198 It would direct DHS to review CFATS program implementation and collaboration and communication within ISCD and with the regulated community. The review also would address improvement of facility identification methodology used by ISCD, information sharing with state entities by ISCD, and efforts to address stakeholder concerns.199 The report also states the committee's expectation that NPPD will provide it with a comprehensive update on measures being taken to ensure that facilities with chemicals of interest are notified by ISCD when they fall within the purview of the CFATS program, an estimate of the potential number of outlier facilities, and a detailed performance evaluation of CFATS inspectors.200
S.Rept. 113-77
S.Rept. 113-77, the Senate Committee on Appropriations report accompanying H.R. 2217, would have recommended $85.5 million for the Infrastructure Security Compliance, $0.2 million less than the Administration's request. The Senate committee report would direct DHS to perform certain activities and to provide several reports to congressional policy makers. It would require DHS to report semiannually on the coordination of chemical security efforts within DHS and across departments and agencies and direct DHS to work in conjunction with the Office of Management and Budget to review and synchronize federal entities involved in chemical security activities.201 In addition, the report would direct NPPD to support the Chemical Sector Coordination Council in an effort to develop and provide to the committee recommendations to improve the coordination among federal agencies, streamline reporting requirements, and improve the CFATS program.202 The report would direct NPPD to report semiannually on the implementation of the CFATS program including the number of facilities covered, inspectors, completed inspections, inspections completed by region, pending inspections, days inspections are overdue, enforcements resulting from inspections, and enforcements overdue for resolution, with the data delineated by tier.203
P.L. 113-73
P.L. 113-73, which made further continuing appropriations for FY2014, became law on January 15, 2014. It extended the statutory authority through January 18, 2014.
P.L. 113-46
P.L. 113-46, the Continuing Appropriations Act, 2014, became law on October 17, 2013. It extended the statutory authority through January 15, 2014.
P.L. 113-6
P.L. 113-6, the Consolidated and Further Continuing Appropriations Act, 2013, became law on March 26, 2013. It extended the statutory authority through October 4, 2013.