Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Contents

• Introduction
• Statute and Regulation
• Implementation Analysis
• Chemical Facility Tier Assignment
• Site Security Plan Authorization
• Authorization Inspections and SSP Approvals
• Compliance Inspections
• Assessment and Policy Implications

Summary

The Department of Homeland Security (DHS) implements the Chemical Facility Anti-Terrorism Standards (CFATS) regulations, which regulate security at high-risk facilities possessing more than certain amounts of one or more chemicals of interest. Facilities possessing more than the specified amount must register with DHS through this program (a process known as the Top-Screen) and perform security-related activities. The DHS identifies a subset of high-risk chemical facilities from among those that register. These high-risk chemical facilities must submit a security vulnerability assessment, which DHS uses to confirm their high-risk designation, and a site security plan, which DHS then reviews and authorizes. The DHS also inspects and approves high-risk chemical facilities for adherence to their submitted site security plans. It also later inspects for compliance with these plans following DHS approval. The DHS regulates approximately 3,600 facilities under this program and is in the process of implementing the regulatory requirements for security vulnerability assessment, site security planning, and inspection.

The DHS has had challenges meeting its own projections and congressional expectations regarding program performance, raising questions about its ability to achieve steady-state regulatory implementation. As of April 2014, DHS had made final risk assignments to 3,316 of the approximately 4,200 facilities then regulated. The DHS reported in December 2014 that it now regulates approximately 3,600 facilities, approximately 2,700 of which have final risk assignments. The DHS authorizes a site security plan when the submitted plan satisfies CFATS requirements. Following a successful authorization inspection, DHS approves the site security plan. As of February 2014, DHS had authorized 2,646 site security plans; conducted 1,969 authorization inspections; and approved 1,526 site security plans. Between February 2014 and February 2015, DHS authorized an average of 132 and approved an average of 85 site security plans per month. The DHS has generally increased its average authorization and approval rate over time; between August 2014 and February 2015, DHS authorized an average of 135 and approved an average of 93 site security plans per month. Between January 2015 and February 2015, DHS authorized 120 and approved 80 site security plans.

This report analyzes data from a variety of DHS presentations, testimony, and other sources to present a historical overview of program performance to date. It identifies an ongoing gap between the number of facilities that have received final risk tier assignments and the total number of regulated facilities. This makes it appear likely that DHS will not have inspected or approved site security plans for some portion of the regulated facility universe for at least several years. In addition, the current rates of authorization of site security plans, authorization inspection, and approval of site security plans make it appear likely that DHS will not have completed implementation for the initial facilities before the date when it will potentially need to begin reinspecting already approved facilities. With the onset of compliance inspections, congressional policymakers may have further questions about the ability of the CFATS program to meet congressional expectations regarding timeliness.

---

Implementation of Chemical Facility Anti-Terrorism Standards (CFATS): Issues for Congress

Introduction

The chemical industry is one of the United States' largest manufacturing industries, directly employing more than 790,000 workers. The chemical industry serves both a domestic and a global market, and other industrial sectors rely on chemical products as essential to their business. The potential harm to public health and the environment from a large release of hazardous chemicals has long concerned congressional policymakers. Accidental chemical releases spurred environmental and other legislative proposals to reduce the risk of chemical accidents in the United States. While congressional interest in the security of chemical facilities predates the September 11, 2001, attacks, they prompted renewed congressional attention to the potential security risks posed by hazardous chemicals.

In 2006, Congress authorized the Department of Homeland Security (DHS) to regulate chemical facilities for security purposes.¹ In 2014, Congress reaffirmed this authority with some modifications.² In 2007, DHS issued interim final regulations establishing risk-based performance standards known as the Chemical Facility Anti-Terrorism Standards (CFATS). These regulations provided a process whereby facilities would submit information and security plans to DHS, DHS would review and approve these plans, facilities would implement them, and DHS would inspect their implementation. These regulations continue in force so long as they do not conflict with the new statutory authority enacted in 2014.

The DHS has historically experienced challenges in implementing the CFATS regulations. It has not met its own expected timelines or milestones to begin³ or complete facility inspections.⁴ As of February 2015, DHS had inspected and approved 1,526 site security plans, covering approximately 43% of the regulated facilities.

This report provides information regarding the pace of DHS CFATS implementation and attempts to identify potential sources of challenges for DHS. It does not address broader issues related to chemical facility security; for such information and analysis, see CRS Report R42918, Chemical Facility Security: Issues and Options for the 113^th Congress, by [author name scrubbed].

Statute and Regulation

In 2006, Congress authorized the Department of Homeland Security (DHS) to issue interim final regulations establishing risk-based performance standards for chemical facility security and requiring facilities to develop vulnerability assessments and to develop and implement site security plans.⁵ Among other provisions, the statute directs DHS to allow regulated entities to employ combinations of security measures to meet risk-based performance standards,⁶ and it specifies that these regulations are to apply only to those chemical facilities that the Secretary determines present high levels of security risk.

The law contains a high-level framework for its implementation. The Secretary must review and approve the required vulnerability assessment, site security plan, and its implementation at each facility. The Secretary must audit and inspect chemical facilities and determine regulatory compliance. If the Secretary finds that a facility is not in compliance, the Secretary must write to the facility explaining the deficiencies found, provide an opportunity for the facility to consult with the Secretary, and issue an order to the facility to comply by a specified date. If the facility continues to be out of compliance, the Secretary may impose a fine and, eventually, order the facility to cease operation.

In 2007, the DHS issued an interim final rule and created the Chemical Facility Anti-Terrorism Standards (CFATS) program.⁷ Much of the rule arises from the Secretary's discretion and DHS interpretation of legislative intent and was not explicitly detailed by the law.

Under the interim final rule, the Secretary of Homeland Security determined which chemical facilities must meet regulatory security requirements. Facilities with greater than specified quantities of any of 322 chemicals of interest must submit information to DHS, via a process known as the "Top-Screen," so that DHS can preliminarily determine each facility's risk status. Only those DHS deems high-risk are subject to the CFATS program and regulation.

The DHS assigns all high-risk facilities one of four risk-based tiers. The DHS established different performance-based requirements for facilities assigned to each risk-based tier. Facilities in higher risk tiers must meet more stringent performance-based requirements (Tier 1 being the most stringent and Tier 4 being the least stringent).

All high-risk facilities must develop a vulnerability assessment and an effective security plan, submit these documents to DHS, and implement their security plan. The vulnerability assessment serves two purposes under the interim final rule. One is to determine or confirm the placement of the facility in a risk-based tier. The other is to provide a baseline against which to assess the effectiveness of actions identified in the site security plan.

Each site security plan must describe how activities in the plan address issues identified in the facility vulnerability assessment. Additionally, the site security plan must address preparations for and deterrents against specific modes of potential terrorist attack, as applicable and identified by DHS. The site security plan must also describe how the activities taken by the facility meet the risk-based performance standards provided by DHS.

High-risk facilities may develop vulnerability assessments and site security plans using alternative security programs established by a third party, such as an industry organization program,⁸ so long as they meet the tiered, performance-based requirements of the interim final rule. The Secretary may disapprove submitted vulnerability assessments or site security plans that fail to meet DHS standards but not on the basis of the presence or absence of a specific measure. In the case of disapproval, DHS must identify in writing those areas of the assessment and plan that need improvement. Chemical facilities may request further adjudication by DHS of site security plan disapprovals.

Once facilities have complied with the regulation by submitting security documentation and receiving approval of their plans, they are to implement their site security plans. The DHS then monitors facility compliance with these site security plans. The DHS indicated in 2007 that it would generally require Tier 1 and Tier 2 facilities to update their Top-Screen, security vulnerability assessment, and site security plan every two years and Tier 3 and Tier 4 facilities to do so every three years.⁹

In 2014, Congress provided new authority to DHS to regulate security at chemical facilities.¹⁰ The reauthorization generally supports the existing regulatory structure and expressly allows DHS to continue using the existing regulations unless they conflict with the new authority. The new statute also contains provisions, such as an alternative self-certification program, that likely require action on DHS to implement. The DHS has not yet issued new regulations to implement these provisions.

Implementation Analysis

In effect, the CFATS regulation and its underlying statute create a multistep, iterative process of facility information submission followed by DHS approval. Each step is iterative since both the facility, which may revise its submissions, and DHS, which may disapprove the submitted documents, may cause the other participant to repeat the information exchange. See Figure 1.

Figure 1. Implementation Steps in the CFATS Process

Source: Government Accountability Office, Critical Infrastructure Protection: DHS Needs to Improve Its Risk Assessments and Outreach for Chemical Facilities, GAO-13-801T, August 1, 2013. Notes: The DHS also performs compliance inspections after a facility implements its site security plan. During each of the above steps, the facility, DHS, or both, may request additional information or propose to change a determination. a. Facilities are to submit an initial screening tool (the Top-Screen) that provides basic information about the facilities and the chemicals they possess. b. This step includes determining if a facility has high risk, and if so, DHS assigns a tier and identifies security issues. c. At this stage, if requirements are satisfied, DHS issues a letter of authorization for the facility's plan.

Facilities possessing a chemical of interest in quantities above the screening threshold quantity submit a Top Screen. Top Screen results assist the CFATS program in determining whether a facility presents a high-level security risk. After processing a Top Screen, the CFATS Program assigns the facility a preliminary tier or determines that the facility does not meet the criteria for CFATS regulation. When a facility receives a preliminary tier assignment notification, it must prepare and submit a Security Vulnerability Assessment (SVA) to DHS. After reviewing the SVA, the CFATS Program determines a facility's final tier assignment or that the facility is not high-risk. When the facility receives a final tier assignment, it must develop and submit a Site Security Plan (SSP) to DHS.

The Infrastructure Security Compliance Division (ISCD) in the DHS National Protection and Programs Directorate (NPPD) reviews the SSP to preliminarily determine if it satisfies the applicable risk-based performance standards. This process typically involves discussions between ISCD staff and the facility. It often requires the facility to submit additional information to ISCD and revise the SSP before ISCD can complete its initial review and issue the facility a letter of authorization for the SSP.

After issuing a letter of authorization, ISCD conducts a comprehensive and detailed authorization inspection. The ISCD reviews the inspection results, as well as any further revisions that the facility may make to the SSP. It then makes a final determination as to whether the facility's SSP satisfies the applicable risk-based performance standards. If so, ISCD issues a letter of approval, and the facility must implement the applicable provisions of the SSP. If ISCD determines that the SSP does not satisfy the applicable risk-based performance standards, ISCD may issue a notice of deficiency and require the facility to resubmit a sufficient SSP. If the facility fails to do so, ISCD may disapprove the SSP. Following the authorization inspection, facilities are generally granted an additional 45 days to make any necessary modifications to their SSP. ISCD will then review the resubmitted SSP and make a final determination as to whether the SSP warrants the issuance of a letter of approval. In some cases, the facility may require a technical consultation and another opportunity to revise its SSP.

Over time, the DHS has attempted to develop a consistent nomenclature for its review and inspection process.¹¹ The DHS authorizes an SSP (issuing the facility a letter of authorization) when the submitted SSP is satisfactory under CFATS.¹² The DHS conducts an authorization inspection of a facility with an authorized SSP to compare the authorized SSP to the conditions of the facility. Following a successful authorization inspection, the DHS approves the SSP (issuing the facility a letter of approval). At a later date, expected by DHS to be one year after approval of the SSP, the DHS will conduct a compliance inspection of a facility to determine whether the facility has fully implemented its approved SSP.¹³ Compliance inspections then occur on a periodic basis depending on the risk tier to which the facility is assigned.

The following sections analyze DHS data to identify underlying challenges for the following steps: the process of DHS assigning a facility to a risk tier; the rate at which DHS authorizes site security plans; the rate at which DHS inspects and approves authorized site security plans; and the occurrence of compliance inspections.

Chemical Facility Tier Assignment

In the CFATS process, all facilities possessing chemicals of interest above a certain threshold amount must report to DHS through the Top-Screen process. At the inception of the program, DHS received approximately 29,000 Top-Screen submissions and preliminarily identified approximately 7,000 facilities as high-risk and therefore subject to CFATS regulation. Since that time, DHS has received a cumulative total of more than 48,000 Top-Screen submissions from over 36,000 facilities.¹⁴ Some of this increase is attributable to Top-Screen submissions from facilities that had never previously submitted one. Such facilities include those that have increased their holdings of chemicals of interest above the specified threshold and facilities that had not previously complied with the regulation. Some of these new submissions will be from facilities that are not high-risk. The remaining additional Top-Screens represent resubmissions from facilities with new facility information, modified activities, or changed chemical holdings. Based on this information, DHS may reassess whether facilities should be assigned to a different high-risk tier or removed from the program altogether.¹⁵

Despite the increase in cumulative Top-Screen submissions, the number of facilities meeting the DHS criteria for high risk has fallen over time to approximately 3,600. See Figure 2. This decrease represents facilities that have reduced their holdings of chemicals of interest below threshold levels, which could be caused by voluntary reductions or facility closures. The DHS has stated that it no longer considers as having high risk more than 3,000 facilities that voluntarily removed, reduced, or modified their holdings of chemicals of interest.¹⁶

An appreciable delay may be occurring between the submission of Top-Screen information and DHS identifying a facility as preliminarily high-risk. In 2013, the DHS Office of Inspector General (OIG) analyzed DHS responses to Tier 1 and Tier 2 Top-Screen submissions. It found that the average time to receive a tier assignment was 4.8 months, with the longest observed time being 12 months.¹⁷ This delay might cause the number of Top-Screen submissions to rise without a commensurate increase in the number of regulated facilities until such time as DHS responds to the new submissions.

Figure 2. Regulated Facilities and Top-Screen Submissions (June 2008 through February 2015)

Source: CRS analysis of various DHS presentations, testimony, and other sources. Notes: Total regulated facilities plotted against the left axis; Cumulative Top-Screen submissions plotted against the right axis. The DHS generally expresses the number of Top-Screen submissions as "more than" a certain amount and reports in thousands. Thus, the number of Top-Screen submissions should be taken as a lower bound.

The decrease in the number of regulated facilities results from more facilities leaving the program than entering the program. To the extent that the additional Top-Screen submissions reflect information from new facilities, then a commensurately greater number of facilities must be leaving the CFATS program.

The increasing number of Top-Screen submissions combined with the decreasing number of regulated facilities suggests that some fraction of the existing facility universe is submitting multiple Top-Screens. The filing of multiple Top-Screen submissions may pose a challenge to DHS, since it may trigger a review of the facility's risk tier, related documentation, and required risk-based performance standards.

Once a facility submits Top-Screen data, DHS assigns a preliminary risk tier to the facility. The DHS assigns a final risk tier after reviewing the facility's security vulnerability assessment. As shown in Figure 3, DHS has provided final tier assignments to most facilities. Since mid-2010, between 14% and 25% of high-risk facilities at any given time lack a final tier assignment. Analysis of these data on a tier basis reveals that 63% of the facilities lacking a final tier assignment are in Tier 4.¹⁸

The reasons why facilities lack a final tier assignment are likely to be a combination of several factors:

• Facilities newly joining the CFATS program are assigned a preliminary tier. Some of these new submissions may be from high-risk facilities.
• Facilities with incomplete or insufficient security vulnerability assessments do not receive final tier assignments until DHS and the facility resolved outstanding issues.
• Facilities changing the amount of chemicals of interest on site may request a new tiering determination. During this process, a facility may be identified as preliminarily tiered rather than having a final tier assignment.
• A facility contesting its determination as a high-risk facility or its assignment to a specific risk tier may not receive a final tier assignment.
• Some facilities are in categories for which DHS has indefinitely extended the timeline for compliance. For example, DHS indefinitely extended the timeline for compliance for facilities with aboveground gasoline storage tanks, including facilities (such as petroleum refineries) that may possess other chemicals that trigger the Top-Screen requirement. Approximately 405 such facilities are preliminarily high-risk.¹⁹

Figure 3. High-Risk Facilities Assigned Final Risk Tiers (June 2008 through February 2015)

Source: CRS analysis of various DHS presentations, testimony, and other sources. Notes: The gap between the number of facilities and the number with final tier assignments is facilities with preliminary tier assignments.

A key issue for oversight is how DHS enforces CFATS on facilities receiving a preliminary tier assignment. The DHS requires a facility to begin the site security planning process only after the final assignment to a risk tier. Consequently, DHS oversight of security at facilities awaiting final risk-tier assignment seems likely to be delayed relative to other facilities. In addition, the fraction of facilities receiving a final tier assignment has trended slightly downward over time. This may reflect the dynamic nature of the pool of CFATS-regulated facilities with facilities joining, leaving, and being retiered within the CFATS program, or it may suggest that DHS is not resolving the gap between total facilities and facilities with a final tier.

Site Security Plan Authorization

Regulated facilities must submit site security plans (SSPs) that meet the risk-based performance standards applicable to their final risk tier. The DHS reviews and issues a letter of authorization to facilities submitting a satisfactory SSP. The DHS has experienced challenges in developing an effective and efficient authorization process and has engaged in internal review to improve that process.

Figure 4 shows the number of authorized site security plans. The DHS authorized its first site security plan on May 28, 2010.²⁰ Between then and August 2012, when DHS implemented a new integrated SSP review process, DHS authorized approximately 60 site security plans. Since August 2012, the rate of site security plan authorization has increased. The DHS has authorized a total of 2,646 SSPs as of February 2015. Facilities in all risk tiers have received authorizations, though DHS has focused on Tier 1 and Tier 2 facilities.

Figure 4. Authorized Site Security Plans (January 2012 to February 2015)

Source: CRS analysis of various DHS presentations, testimony, and other sources. Notes: The decline in the number of authorized site security plans in February 2014 reflects removal by DHS of authorized site security plans for facilities no longer regulated under CFATS.

The current authorization rate is significantly higher than it was previously, and 74% of all regulated facilities (97% of facilities having received a final tier assignment as of December 2014) have an authorized SSP as of February 2015. The DHS has authorized most facilities that have submitted an SSP.²¹ Comparison of the current rate of authorization against that necessary to authorize all SSPs suggests that DHS may finish authorization of the existing SSPs in less than a year. See Figure 5.

Figure 5. Projection for Completion of SSP Authorization in 1, 2, 5, and 10 Years

Source: CRS analysis of various DHS presentations, testimony, and other sources. Notes: Dotted lines indicate the trajectories required to complete site security plan authorization within 1, 2, 5, or 10 years. Projections assume a constant rate of authorization, the authorization of SSPs for all facilities (including those currently without a final tier), no change in the total number of facilities, and that each site security plan corresponds to a single regulated facility.

Figure 5 shows trajectories required to complete SSP authorization within 1, 2, 5, or 10 years. Assuming that the total number of regulated facilities remains unchanged over time, DHS would need to authorize an average of 76 site security plans monthly to authorize a number of SSPs equal to the number of facilities within 1 year, an average of 38 monthly to authorize all within 2 years, an average of 15 monthly to authorize all within 5 years, and an average of 8 monthly to authorize all within 10 years. As a point of reference, DHS authorized an average of 132 SSPs per month from February 2014 to February 2015.²² The DHS has generally increased its average authorization rate over time; between August 2014 and February 2015, DHS authorized an average of 135 SSPs per month.²³ Between January 2015 and February 2015, DHS authorized 120 SSPs.²⁴ See Table 1.

The past rate of SSP authorization may not reflect future performance. The DHS may be able to increase the rate of SSP authorization. The DHS has so far mostly been assessing SSPs for Tier 1 and Tier 2 facilities; SSPs for Tier 3 and Tier 4 facilities may be simpler. As DHS obtains greater experience in authorizing SSPs, the process may become more efficient. Conversely, DHS may have difficulty maintaining the current rate of SSP authorizations if future SSPs have lower quality or pose particular challenges or if other activities compete for ISCD resources. Note that the projections reported from the above model assume that no facilities join or leave the CFATS program and that each facility requires only a single authorized site security plan.

A more pressing challenge may be that most facilities without an authorized SSP also lack a final tier assignment. As such, these facilities are not required to yet submit an SSP (see Figure 1). Consequently, resolving the security of these facilities may take additional time, possibly longer than expected from the current rate of authorization.

Authorization Inspections and SSP Approvals

Following authorization of a site security plan, DHS inspects the facility to determine its adherence to its submitted SSP. Once DHS has confirmed such compliance, DHS approves the SSP and provides the facility with a letter of approval. The DHS began performing authorization inspections in July 2010 but, following an internal review, suspended its inspection process pending revisions. The DHS resumed authorization inspections in July 2012 and had completed more than 100 authorization inspections by April 2013. The DHS did not approve site security plans at the same rate as it conducted inspections. See Figure 6.

Figure 6. Authorized SSPs, Authorization Inspections, and Approved SSPs (October 2010 to February 2015)

Source: CRS analysis of various DHS presentations, testimony, and other sources. Note: The decline in the number of authorized site security plans in February 2014 reflects removal by DHS of authorized site security plans for facilities no longer regulated under CFATS.

The number of authorized SSPs and the number of authorization inspections appear to roughly parallel each other. This implies that the authorization inspection rate is roughly commensurate with the rate of SSP authorization. Assuming a single inspection at each facility, the data do not suggest that an additional backlog of authorized SSPs waiting for authorization inspections is likely to build up. If the SSP authorization rate were to increase relative to the rate of authorization inspections, an additional backlog of authorized SSPs could develop. That effect might be addressed through increased inspection capability.

Similarly, the rate of authorization inspections roughly parallels the rate of SSP approval. The number of authorization inspections is greater than that of approved SSPs. One possibility is that not all authorization inspections lead to an approval. Some facilities may be disapproved, while others may require multiple authorization inspections to resolve challenges identified in the inspection process. Another possibility is that the process of issuing an approval following an authorization inspection takes time; DHS has reported that a facility may be granted up to 45 days to amend a site security plan following an authorization inspection.²⁵

As of February 2015, 57% of all regulated facilities (44% of facilities with a final tier assignment as of December 2014) lack an approved SSP.²⁶ Comparison of the current rate of approval against that necessary to approve all SSPs indicates that it will likely take more than a year for DHS to finish inspecting and approving the existing SSPs. See Figure 7.

Figure 7. Projection for Completion of SSP Approval in 1, 2, 5, and 10 Years

Source: CRS analysis of various DHS presentations, testimony, and other sources. Notes: Dotted lines indicate the trajectories required to complete site security plan authorization within 1, 2, 5, or 10 years. Projections assume a constant rate of authorization, the authorization of SSPs for all facilities (including those currently without a final tier), no change in the total number of facilities, and that each site security plan corresponds to a single regulated facility.

If the total number of regulated facilities remained unchanged over time, DHS would need to approve an average of 169 site security plans monthly to approve a number of SSPs equal to the number of facilities within 1 year, an average of 84 monthly to approve all within 2 years, an average of 34 monthly to approve all within 5 years, and an average of 17 monthly to approve all within 10 years. As a point of reference, DHS approved an average of 85 site security plans monthly between February 2014 and February 2015.²⁷ The DHS has generally increased this rate over time; between August 2014 and February 2015, DHS approved an average of 93 SSPs per month.²⁸ Between January 2015 and February 2015, DHS approved 80 SSPs.²⁹ The Government Accountability Office estimated in April 2013 that it could take DHS from seven to nine years to complete reviews and approvals for SSPs then submitted to DHS from facilities with a final risk tier.³⁰ The rate of approvals has increased since that GAO analysis. See Table 2.

The past rate of SSP approval may not reflect future performance. The DHS may be able to increase the rate of SSP approval. The DHS has so far mostly been inspecting Tier 1 and Tier 2 facilities; Tier 3 and Tier 4 facilities may be simpler. As DHS gets more experience in inspecting facilities and issuing SSP approvals, the process may become more efficient. Conversely, DHS may have difficulty maintaining the current rate of SSP approvals if future SSPs have lower quality or pose particular challenges. Note that the projections above assume that no facilities join or leave the CFATS program and that each facility requires only a single approved site security plan.

Compliance Inspections

Following approval of a facility site security plan, DHS inspects the facility for compliance. According to DHS, compliance inspections started in September 2013. As of May 2014, DHS had performed 31 compliance inspections³¹ and 61 compliance inspections as of December 2014.³² In April 2013, GAO estimated that full regulatory implementation, including compliance inspection, for existing facilities would require 8 to 10 years.³³ Insufficient data are available to assess whether the rate of compliance inspection has increased since the GAO analysis. The rate of compliance inspections does not meet that of all facility approvals from one year prior.³⁴

An additional component of future compliance involves the resubmission of updated Top-Screen information, and if so requested, security vulnerability assessments and site security plans. According to DHS's explanation of the CFATS regulation, "the Department will require facilities in Tiers 1 and 2 to update their Top-Screen, SVA, and SSP every two years, and facilities in Tiers 3 and 4 to update their Top-Screen, SVA, and SSP every three years."³⁵ If DHS were to inspect each facility in order to approve a facility's updated SSP, DHS would need to perform approximately 108 inspections monthly to finish these inspections before receiving updated documents.³⁶

The DHS is considering having facilities update their Top-Screen information on this schedule and only submit an updated security vulnerability assessment and site security plan in the case of changes in the Top-Screen information. If so, the number of inspections necessary to approve the updated SSPs would be reduced.

Assessment and Policy Implications

Assessing the future performance of the CFATS program is challenging since it may or may not be similar to the program's past performance. Many external and internal events could dramatically affect program performance. In addition, while the CFATS program has been in place since 2007, significant reforms began in 2012, changing how DHS implemented the program. The data on performance since those reforms are relatively sparse compared with the program's overall duration. Increased efficiencies on the part of the DHS or more effective compliance by regulated facilities could change program performance. Any assessment of the CFATS program is based on the significant assumption that insight about future performance can be informed by analysis of past performance. Even if this assumption is incorrect, however, an analysis based on it may still help to identify potential issues with respect to current agency implementation.

The CFATS program has historically not met DHS-established deadlines for securing high-risk chemical facilities. That said, DHS has now authorized SSPs for almost all facilities receiving a final tier assignment, but authorizing facilities without a final tier assignment will take an unknown amount of time. At the current level of performance, it will likely take approximately two more years to inspect already authorized facilities and approve the SSPs. This conclusion does not consider the impact of compliance inspections, which have only recently begun. Several factors contribute to this conclusion.

Approximately 25% of facilities regulated under CFATS remain in a state of preliminary risk-tier assignment.^{37, 38} As described by DHS, this places those facilities at an early stage of review and compliance. Without an effective mechanism for reducing the number of preliminarily tiered facilities, hundreds of high-risk facilities will be in the SSP authorization and approval portion of the regulation rather than in the SSP implementation and compliance portion. The DHS has acknowledged this effect in the short term by changing its target metric from approval of all Tier 1 facility SSPs by the end of FY2013 to approval of over 90% of Tier 1 and Tier 2 facilities with authorized SSPs by the end of FY2014. The DHS appears to have met this new target.

The CFATS system as a whole appears to operate more slowly than would be necessary to process all regulated facilities within the compliance inspection timeframe established in the CFATS regulation. The most obvious factor reducing throughput appears to be the rate of authorization inspection. The DHS continues to authorize SSPs at a rate equal to or greater than the number of authorization inspections conducted. Since the number of SSPs approved is less than the number of authorization inspections, it appears that multiple inspections are necessary to approve some facilities. Therefore, the rate at which authorization inspections need to be conducted limits the rate of overall compliance with the CFATS program.

Analysis of the available data indicates that during some time periods, the number of authorization inspections exceeds the number of SSP approvals, while during other periods, the opposite is true. This suggests that in addition to the time necessary to perform an authorization inspection, time is required for approval of the SSPs. If so, increasing the number of authorization inspections alone may reveal a secondary capacity gap in the rate at which DHS can process SSP approvals.

The fact that SSP authorizations and authorization inspections roughly parallel each other suggests that DHS does not have significant additional capacity in its authorization inspection process. If the authorization inspection process had additional capacity, the number of authorization inspections would not be limited by the number of authorized SSPs and would equal or surpass that number, assuming that some facilities require multiple authorization inspections prior to SSP approval. Increasing authorization inspection capacity might serve to highlight other potential issues within the CFATS process, such as delays in processing information from authorization inspections and issuing letters of approval. Inspection capacity might be increased by employing more inspectors or by process improvements allowing for more inspections done by the same number of inspectors.

Once compliance inspections start in earnest, the lack of additional inspection capacity may lead to further challenges. The same inspector cadre is responsible for both compliance inspections and authorization inspections. Increasing the required number of inspections by beginning compliance inspections could reduce the availability of staff for completing authorization inspections.

Because DHS has set a short interval for Top-Screen resubmission (every two years for Tier 1 and Tier 2 and every three years for Tier 3 and Tier 4) it appears necessary for initial submissions from regulated facilities to be processed within that time frame. If not, a significant backlog of activity seems likely given the current rates of inspection and approval. As stated above, to process all facilities within the time frame of resubmission, DHS would need to perform 108 inspections per month, higher than the current authorization inspection rate, to avoid developing a backlog relative to facility resubmissions. Should DHS not require all facilities to resubmit updated SVAs and SSPs, this may allow DHS to have a lower inspection rate without developing such a backlog.

As DHS makes progress in approving SSPs and as it begins to gather experience in compliance inspections, it may become possible to project future performance with greater confidence.

Footnotes

1.	P.L. 109-295, Department of Homeland Security Appropriations Act, 2007, §550.
2.	P.L. 113-254, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014.
3.	In July 2007, DHS testified that formal site inspections of a selected group of facilities would begin by the end of the calendar year (Testimony of Robert B. Stephan, Assistant Secretary for Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure, July 24, 2007). In December 2007, DHS testified that facility inspection would begin in fall of 2008 (Testimony of Robert B. Stephan, Assistant Secretary for Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure, December 13, 2007). In 2009, DHS testified that inspections would begin in the first quarter of FY2010 (Testimony of Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security, June 16, 2009). The first authorization inspection took place in July 2010 (House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, Evaluating Internal Operation and Implementation of the Chemical Facility Anti-Terrorism Standards [CFATS] Program by the Department of Homeland Security, Serial 112-111, February 3, 2012, p. 65).
4.	In 2010, DHS testified that it expected to inspect all Tier 1 facilities by the end of calendar year 2010 (Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010). In 2011, DHS testified that it expected to inspect all Tier 1 facilities by the end of calendar year 2011 (Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, February 11, 2011). In 2013, DHS testified that it planned to have all Tier 1 facilities approved by October 2013 (Testimony of Rand Beers, Under Secretary, and David Wulf, Director, Infrastructure Security Compliance Division, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, March 14, 2013). The DHS also planned to have all Tier 1 and Tier 2 facilities approved by May 2014 (Office of the Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program, OIG-13-55, March 2013, p. 22). The DHS did not meet these milestones. It estimated that, by the end of FY2014, it would have approved over 90% of all Tier 1 and Tier 2 facilities that have authorized site security plans (Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, October 25, 2013). The DHS met this milestone.
5.	P.L. 109-295, Department of Homeland Security Appropriations Act, 2007, §550.
6.	According to the White House Office of Management and Budget, a performance standard is a standard that states requirements in terms of required results with criteria for verifying compliance but without stating the methods for achieving required results. A performance standard may define the functional requirements for the item, operational requirements, and/or interface and interchangeability characteristics. A performance standard may be viewed in juxtaposition to a prescriptive standard which may specify design requirements, such as materials to be used, how a requirement is to be achieved, or how an item is to be fabricated or constructed. (Office of Management and Budget, The White House, "Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities," Circular A-119, February 10, 1998). For example, a performance standard might require that a facility perimeter be secured, whereas a prescriptive standard might dictate the height and type of fence to be used to secure the perimeter.
7.	72 Federal Register 17688–17745 (April 9, 2007).
8.	See, for example, American Chemistry Council, Alternate Security Program (ASP) Guidance for CFATS Covered Chemical Facilities, December 2012.
9.	72 Federal Register 17688-17745 (April 9, 2007) at 17691. The DHS is considering having facilities update their Top-Screen information on this schedule and only submit an updated security vulnerability assessment and site security plan in the case of changes in the Top-Screen information.
10.	P.L. 113-254, Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014.
11.	The DHS Office of Inspector General criticized prior language used by ISCD to describe the CFATS program's progress, calling it "confusing" and "ambiguous." Office of Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program, OIG-13-55, March 2013.
12.	In 2011, DHS created "conditional authorization," whereby DHS added specific technical conditions that must be addressed during an authorization inspection. The DHS has not completed its rulemaking regarding personnel surety, so site security plans currently receive "conditional authorization."
13.	Testimony of David Wulf, Director, Infrastructure Security Compliance Division, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, August 1, 2013.
14.	The DHS received submissions from 36,189 unique facilities as of December 2013. Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, January 9, 2014.
15.	As of October 20, 2013, DHS had completed more than 600 facility requests for redetermination that resulted in the non-regulation or retiering of many facilities (Office of Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security, Chemical Facility Anti-Terrorism Standards (CFATS) and Ammonium Nitrate Security Program Updates, October 2013).
16.	Department of Homeland Security, Chemical Facility Anti-Terrorism Standards, January 2015.
17.	Office of Inspector General, Department of Homeland Security, Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program, OIG-13-55, March 2013, p. 25.
18.	As of December 29, 2014, 89% of Tier 1, 80% of Tier 2, 75% of Tier 3, and 73% of Tier 4 facilities had a final tier assignment (CRS analysis of DHS data provided by Office of Legislative Affairs, Department of Homeland Security, December 29, 2014).
19.	75 Federal Register 1552-1555 (January 12, 2010).
20.	Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, January 9, 2014.
21.	This assumes that DHS is presenting output data in terms of net authorizations, where authorized facilities that leave the program reduce the number of authorizations reported. If DHS is presenting process data, where DHS reports the number of authorizations performed that month irrespective of authorized facilities leaving the program, then the number of authorizations will continue to grow. In this latter case, the number of authorizations will surpass the number of facilities, but some facilities will still lack authorized site security plans.
22.	CRS calculation based on number of authorized site security plans reported between February 1, 2014, and February 2, 2015.
23.	CRS calculation based on number of authorized site security plans reported between August 1, 2014, and February 2, 2015.
24.	CRS calculation based on number of authorized site security plans reported between January 5, 2015, and February 2, 2015.
25.	House Committee on Energy and Commerce, Subcommittee on Environment and the Economy, The Chemical Facility Anti-Terrorism Standards Program: A Progress Report, Serial No. 112-172, September 11, 2012, p. 112.
26.	This assumes that DHS is presenting output data in terms of net approvals, where approved facilities that leave the program reduce the number of approvals reported. If DHS is presenting process data, where DHS reports the number of approvals performed that month irrespective of approved facilities leaving the program, then the number of approvals will continue to grow. In this latter case, the number of approvals will surpass the number of facilities, but some facilities will still lack approved site security plans.
27.	CRS calculation based on number of approved site security plans reported between February 1, 2014, and February 2, 2015.
28.	CRS calculation based on number of approved site security plans reported between August 1, 2014, and February 2, 2015.
29.	CRS calculation based on number of approved site security plans reported between January 5, 2015, and February 2, 2015.
30.	Based on an approval rate of 30 to 40 SSPs monthly. Government Accountability Office, Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, GAO-13-353, April 2013.
31.	Testimony of Suzanne Spaulding, Under Secretary for National Protection and Programs, and David Wulf, Director, Infrastructure Security Compliance Division, Office of Infrastructure Protection, National Protection and Programs Directorate, Department of Homeland Security before the Senate Committee on Homeland Security and Governmental Affairs, May 14, 2014.
32.	Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, December 15, 2014.
33.	Government Accountability Office, Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, GAO-13-353, April 2013.
34.	The DHS had approved the SSPs of 362 CFATS facilities as of November 19, 2013.
35.	72 Federal Register 17688-17745 (April 9, 2007) at 17691.
36.	Based on 494 preliminary and final Tier 1 and Tier 2 facilities and 3,140 preliminary and final Tier 3 and Tier 4 facilities (Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, December 29, 2014).
37.	CRS analysis based on DHS data of December 2014 (Communication between Office of Legislative Affairs, Department of Homeland Security, and CRS, December 29, 2014).
38.	Approximately 405 of these are facilities with aboveground gasoline storage tanks. The DHS has identified these facilities as preliminarily high risk but has indefinitely extended their compliance deadlines (75 Federal Register 1552-1555 (January 12, 2010)).