Chemical Security: Regulatory Implications of Terrorism Risk Assessment Methodology




INSIGHTi

Chemical Security: Regulatory Implications of
Terrorism Risk Assessment Methodology

July 14, 2023
The Chemical Facility Anti-Terrorism Standards (CFATS) program imposes security requirements on
certain facilities that manufacture, process, or store chemicals of interest—i.e., chemicals that bad actors
might steal, divert, or exploit for nefarious purposes, including terrorism. Some Members have introduced
legislation in the House and Senate that would provide a long-term extension of existing authorities.
Several major industry groups have signaled support for CFATS extension. However, other Members, as
well as some researchers and industry stakeholders, have raised concerns about the program, including
questions about the risk assessment methodology used to inform CFATS regulatory activities and cost-
benefit analyses. Sub-optimal risk methodologies may impose needless regulatory burdens on some
stakeholders or fail to protect the public as well as intended.
The Department of Homeland Security (DHS), which administers CFATS through the Cybersecurity and
Infrastructure Security Agency (CISA), designed program rules and security requirements in reference to
a basic risk model, which defines risk as a function of threat, vulnerability, and potential consequence
(TVC). This model has been widely used within DHS and the broader homeland security enterprise for
decades, but has also been criticized on conceptual and methodological grounds. Some industry
stakeholders and members of the scientific research community have proposed modifications and
alternatives, or called for greater oversight of the risk methodology development process. As Congress
considers reauthorization of CFATS, it may consider risk methodology issues, available oversight options,
and whether current program authorities should be extended, modified, or allowed to expire. Current
program authorization will expire on July 27, 2023, absent congressional action.
Current DHS Risk Assessment Concepts and Methods
DHS defines risk as the “potential for an unwanted outcome resulting from an incident, event, or
occurrence, as determined by its likelihood and the associated consequences,” which has the three TVC
components noted above. DHS has long used this model—originally developed to inform homeland
security grant award allocations—to inform various other planning, programs, and budget activities. A
variety of formal and informal methods may be used when applying this model to specific analytical
tasks. Depending on the method or approach, the TVC terms may be either multiplied together (as they
Congressional Research Service
https://crsreports.congress.gov
IN12199
CRS INSIGHT
Prepared for Members and
Committees of Congress




Congressional Research Service
2
were originally) to quantify risk in terms of probabilities, or used qualitatively as a philosophical
framework for assessing components of risk.
Because CFATS regulatory activities are fundamentally driven by risk assessments, CISA’s application of
the DHS risk methodology may have regulatory implications. For example:
• coverage and tiering—inclusion or exclusion of facilities in the “high-risk” tier subject to
regulatory compliance requirements;
• chemicals of interest—regulation of certain chemicals and mixtures or exclusion of
others; and
• risk-based performance standards—covered facilities are required to implement each of
the 18 CFATS performance standards to mitigate assessed risks.
CISA introduced an enhanced tiering methodology in 2016 based on the TVC model, partly in response to
previous Government Accountability Office (GAO) findings. Previously, assessments were
predominantly consequence-based, largely omitting threat and vulnerability considerations, according to a
2013 GAO report. The enhanced methodology uses site-specific information submitted by chemical
facilities to assess facility vulnerability, relevant threats, and possible consequences, in order to assign a
risk tier.
CISA has not made details of the methodology public on security grounds, but states that it sought
expertise from public and private sector organizations, and that Sandia National Laboratories provided
third-party “verification” of the methodology. In June 2023, House Committee on Energy and Commerce
leaders wrote CISA Director Jen Easterly, requesting information on any prospective changes to the
CFATS risk methodology and related efforts to ensure increased transparency of the process.
Alternative Risk Models
Statistical methods used to assess risk of frequently recurring events such as natural disasters are difficult
to apply to terrorism for several reasons, according to experts. Terrorist attacks on chemical facilities are
rare, and so do not provide enough data for ordinary statistical analyses. Further, they involve adaptive
human behavior that complicates independent measurement of threat and vulnerability. Quantification of
consequences is similarly difficult, given that the effects of terrorist attacks are often unquantifiable
experiences of collective fear, anxiety, and grief. Finally, critical infrastructure tends to be multitiered and
networked, creating complex interdependencies between single facilities and broader systems.
Experts have proposed alternatives or enhancements to the basic TVC model that address some of the
complicating factors discussed above. A 2010 National Academies study recommended that DHS find
alternative approaches to the TVC model that would emphasize analysis of overall system resiliency over
risk to single facilities assessed in isolation. Much of the technical literature on terrorism risk aligns with
this recommended approach to terrorism risk modeling in its broad outlines, with a focus on networks,
defender-attacker dynamics, and deterrence. Other potentially relevant contributions (concentrated in the
environmental safety field) focus on regulatory compliance as the outcome of interest, providing insights
on such matters as the optimal frequency and character of agency site visits to ensure program buy-in and
participation.
Industry Stakeholder Concerns
Industry stakeholders have provided input on the CFATS program through a variety of channels,
including rulemaking proceedings, comments on a 2014 non-regulatory study of the program by DHS,
court proceedings, and the trade press. General support is widespread, but tempered by concerns about


Congressional Research Service
3
certain aspects of the program, such as coverage criteria for certain chemicals; exemptions of certain
industries or industrial processes said to pose minimal risk;
and use of performance standards that may
overlap with existing regulations or incur excessive compliance costs. Some stakeholders seek to justify
their concerns or requests by highlighting perceived flaws in risk methodology, or alleging inadequate
transparency and inclusion of affected stakeholders.


Author Information

Brian E. Humphreys

Analyst in Science and Technology Policy




Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff
to congressional committees and Members of Congress. It operates solely at the behest of and under the direction of
Congress. Information in a CRS Report should not be relied upon for purposes other than public understanding of
information that has been provided by CRS to Members of Congress in connection with CRS’s institutional role.
CRS Reports, as a work of the United States Government, are not subject to copyright protection in the United
States. Any CRS Report may be reproduced and distributed in its entirety without permission from CRS. However,
as a CRS Report may include copyrighted images or material from a third party, you may need to obtain the
permission of the copyright holder if you wish to copy or otherwise use copyrighted material.

IN12199 · VERSION 1 · NEW