Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress

This report provides a brief overview of the existing statutory authority and the regulation implementing this authority. It describes several policy issues raised in previous debates regarding chemical facility security and identifies policy options that might resolve components of these issues. Finally, legislation introduced in the 111th Congress is discussed.

Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Dana A. Shea Specialist in Science and Technology Policy December 23, 2010 Congressional Research Service 7-5700 www.crs.gov R40695 CRS Report for Congress Prepared for Members and Committees of Congress Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Summary The Department of Homeland Security (DHS) has statutory authority to regulate chemical facilities for security purposes. This authority expires in March 2011. The 111th Congress took action to extend this program and debated the scope and details of reauthorization. Some members of Congress supported an extension, either short or long term, of the existing authority. Other members called for revision and more extensive codification of chemical facility security regulatory provisions. The tension between continuing and changing the statutory authority was exacerbated by questions regarding the current law’s effectiveness in reducing chemical facility risk and the sufficiency of federal funding for chemical facility security. Key policy issues debated in previous Congresses contributed to the reauthorization debate. These issues included the universe of facilities that should be considered as chemical facilities; the appropriateness and scope of federal preemption of state chemical facility security activities; the availability of information for public comment, potential litigation, and congressional oversight; and the role of inherently safer technologies. The 112th Congress may take various approaches to this issue. Congress might allow the statutory authority to expire. Congress might permanently or temporarily extend the expiring statutory authority in order to observe the impact of the current regulations and, if necessary, address any perceived weaknesses at a later date. Congress might codify the existing regulation in statute and reduce the discretion available to the Secretary of Homeland Security to change the current regulatory framework. Alternatively, Congress might substantively change the current regulation’s implementation, scope, or impact by amending the existing statute or creating a new one. In the 111th Congress, The Department of Homeland Security Appropriations Act, 2010 (P.L. 11183) extended the existing statutory authority through October 4, 2010, and provided DHS with additional chemical facility security funding relative to FY2009. The Continuing Appropriations Act, 2011 (P.L. 111-242) extended the statutory authority through December 3, 2010. P.L. 111290 extended the statutory authority through December 18, 2010. P.L. 111-317 extended the statutory authority through December 21, 2010. P.L. 111-322 extended the statutory authority through March 4, 2011. The House of Representatives passed H.R. 2868, an authorization bill which addresses chemical facility, water treatment facility, and wastewater treatment facility security. This legislation included provisions of H.R. 3258 and H.R. 2883. H.R. 2868 was reported with an amendment in the nature of a substitute by the Senate Committee on Homeland Security and Governmental Affairs. The Senate-reported bill differed significantly from the House-passed version. Members introduced other bills in the 111th Congress to address security at chemical facilities and other facilities that possess chemicals. S. 2996/H.R. 5186 would have extended the existing authority until October 4, 2015, and established chemical security training and exercise programs. H.R. 2477 would have extended the existing statutory authority until October 1, 2012. H.R. 261 and S. 3599 would have altered the existing authority. S. 3598 would have authorized EPA to establish certain risk-based security requirements for wastewater facilities. In addition, draft legislation was reportedly under development by the Department of Homeland Security. Congressional Research Service Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Contents Introduction ................................................................................................................................1 Overview of Statute and Regulation ............................................................................................1 Statute...................................................................................................................................1 Regulation ............................................................................................................................3 Implementation ...........................................................................................................................4 Policy Issues ...............................................................................................................................6 Adequacy of Funds ...............................................................................................................7 Federal Preemption of State Activities ...................................................................................8 Transparency of Process........................................................................................................8 Definition of Chemical Facility .............................................................................................9 Inherently Safer Technologies ............................................................................................. 10 Policy Options .......................................................................................................................... 11 Maintain the Existing Regulatory Framework...................................................................... 12 Extend the Sunset Date ................................................................................................. 12 Codify Existing Regulations.......................................................................................... 13 Alter the Existing Statutory Authority ................................................................................. 13 Accelerate or Decelerate Compliance Activities ............................................................ 13 Incorporate Additional Facility Types ............................................................................ 14 Consider Inherently Safer Technologies ........................................................................ 16 Modify Information Security Provisions........................................................................ 18 Preempt State Regulations............................................................................................. 20 Harmonize Regulations ................................................................................................. 20 Legislation in the 111th Congress ............................................................................................... 21 Extend the Existing Authority ............................................................................................. 21 Modify the Existing Authority............................................................................................. 22 H.R. 2868 ..................................................................................................................... 22 Other Legislation .......................................................................................................... 23 Tables Table 1. DHS Funding for Chemical Facility Security Regulation by Fiscal Year .........................5 Table 2. Facilities Regulated by DHS under CFATS ....................................................................6 Contacts Author Contact Information ...................................................................................................... 24 Congressional Research Service Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Introduction Facilities possessing certain amounts of hazardous chemicals have been the target of safety and security efforts preceding September 11, 2001. The sudden release of hazardous chemicals from facilities storing large quantities might potentially harm large numbers of persons living or working near the facility. Congress has debated whether such facilities should be regulated for security purposes to reduce the risk they pose. The 109th Congress passed legislation in 2006 providing the Department of Homeland Security (DHS) statutory authority to regulate chemical facilities for security purposes. This statutory authority expires in March 2011. Advocacy groups, stakeholders, and policymakers have called for congressional reauthorization of this authority, though they disagree about the preferred option. Congress may extend the existing authority, revise the existing authority to resolve contentious issues, or allow this authority to lapse. This report provides a brief overview of the existing statutory authority and the regulation implementing this authority. It describes several policy issues raised in previous debates regarding chemical facility security and identifies policy options that might resolve components of these issues. Finally, legislation introduced in the 111th Congress is discussed. Overview of Statute and Regulation Congress provided statutory authority to DHS to regulate chemical facilities for security purposes. This statutory authority gave some explicit authorities to DHS and left other implementation aspects to the discretion of the Secretary of Homeland Security. The DHS issued an interim final rule drawing on both explicit statutory authorities and the implicit authorities granted to the Secretary’s discretion. 1 Statute The Homeland Security Appropriations Act, 2007 (P.L. 109-295), Section 550, directs the Secretary of Homeland Security to issue interim final regulations establishing risk-based performance standards for chemical facility security and requiring the development of vulnerability assessments and the development and implementation of site security plans. Furthermore, the regulations are to allow regulated entities to employ combinations of security measures to meet the risk-based performance standards.2 The law specifies that these regulations 1 An interim final rule is a rule that meets the requirements for a final rule and that has the same force and effect as a final rule, but that contains an invitation for further public comment on its provisions. After reviewing comments to the interim final rule, an agency may modify the interim final rule and issue a “final” final rule. 2 According to the White House Office of Management and Budget, a performance standard is a standard that states requirements in terms of required results with criteria for verifying compliance but without stating the methods for achieving required results. A performance standard may define the functional requirements for the item, operational requirements, and/or interface and interchangeability characteristics. A performance standard may be viewed in juxtaposition to a prescriptive standard which may specify design requirements, such as materials to be used, how a requirement is to be achieved, or how an item is to be fabricated or constructed. Office of Management and Budget, The White House, “Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities,” Circular A-119, February 10, 1998. For example, a performance standard might require that a facility perimeter be secured, while a prescriptive standard might dictate the (continued...) Congressional Research Service 1 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress are to apply only to those chemical facilities that the Secretary determines present high levels of security risk. The statute exempts several types of facilities from the Secretary’s authority: facilities defined as a water system or wastewater treatment works; facilities owned or operated by the Department of Defense or Department of Energy; facilities regulated by the Nuclear Regulatory Commission; and those facilities regulated under the Maritime Transportation Security Act of 2002 (P.L. 107-295). Under the law, the Secretary must review and approve the required assessment, plan, and implementation for each facility. The Secretary may approve vulnerability assessments and site security plans created through security programs not developed by DHS, so long as the results of these programs meet the risk-based performance standards established in regulation. The statute prohibits the Secretary from disapproving a site security plan on the basis of the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan that does not meet the risk-based performance standards. Information developed for these requirements is to be protected from public disclosure but may be shared, at the Secretary’s discretion, with state and local government officials, including law enforcement officials and first responders possessing the necessary security clearances. Such shared information may not be publicly disclosed, regardless of state or local laws, and is exempt from the Freedom of Information Act (FOIA). Additionally, the information provided to the Secretary, along with related vulnerability information, is to be treated as classified information in all judicial and administrative proceedings. Violation of the information protection provision is punishable by fine. The Secretary must audit and inspect chemical facilities and determine regulatory compliance. If the Secretary finds a facility not in compliance, the Secretary must write to the facility explaining the deficiencies found, provide an opportunity for the facility to consult with the Secretary, and issue an order to the facility to comply by a specified date. If the facility continues to be out of compliance, the Secretary may fine and, eventually, order the facility to cease operation. Only the Secretary may bring a lawsuit against a facility owner to enforce provisions of this law. The law does not affect any other federal law regulating chemicals in commerce. The statute contains a “sunset provision” and expires on March 4, 2011.3 Section 550 was amended by the Consolidated Appropriations Act, 2008 (P.L. 110-161). This amendment clarifies a state’s right to promulgate chemical facility security regulation that is at least as stringent as the federal chemical facility security regulation. Only in the case of an “actual conflict” between the federal and state regulation would the state regulation be preempted. The scope of an “actual conflict” was not further defined in the statute. (...continued) height and type of fence to be used to secure the perimeter. 3 The original statute expired on October 4, 2009, three years after enactment. The Department of Homeland Security Appropriations Act, 2010 (P.L. 111-83) extended the existing statutory authority an additional year. The Continuing Appropriations Act, 2011 (P.L. 111-242) extended the statutory authority through December 3, 2010. P.L. 111-290 extended the statutory authority through December 18, 2010. P.L. 111-317 extended the statutory authority through December 21, 2010. P.L. 111-322 extended the statutory authority through March 4, 2011. Congressional Research Service 2 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Regulation On April 9, 2007, the Department of Homeland Security issued an interim final rule regarding the Chemical Facility Anti-Terrorism Standards (CFATS). This interim final rule entered into force on June 8, 2007. The interim final rule implements both statutory authority explicit in P.L. 109-295, Section 550, and authorities DHS found to be implicitly granted. The DHS has described the statutory authority for regulation of chemical facility security as “compact.”4 According to DHS, “Each subsection and sentence of this provision has significant consequences for the structure and content of the regulatory program.”5 In promulgating the interim final rule, DHS interpreted the language of the statute to determine what it asserts was the intent of Congress when crafting the statutory authority. Consequently, much of the rule arises from the Secretary’s discretion and interpretation of legislative intent and was not explicitly detailed by the law. Under the interim final rule, the Secretary of Homeland Security will determine which chemical facilities must meet regulatory security requirements. The decision is to be based on the degree of risk posed by each facility. Chemical facilities with greater than specified quantities of potentially dangerous chemicals must submit information to DHS, so that DHS can determine the facility’s risk status. The DHS lists 322 chemicals as “chemicals of interest” for the purposes of compliance with CFATS. Each chemical is considered in the context of three threats: release, theft or diversion, and sabotage and contamination. The DHS assigns high-risk facilities into one of four risk-based tiers. The DHS established different performance-based requirements for facilities assigned to each risk-based tier. Facilities in higher risk tiers must meet more stringent performance-based requirements. All high-risk facilities must assess their vulnerabilities, develop an effective security plan, submit these documents to DHS, and implement their security plan. The vulnerability assessment serves two purposes under the interim final rule. One is to determine or confirm the placement of the facility in a risk-based tier. The other is to provide a baseline against which to compare the site security plan activities. The DHS requires the vulnerability assessment include the following components: asset characterization, threat assessment, security vulnerability analysis, risk assessment, and countermeasures analysis. The site security plans must address the vulnerability assessment by describing how activities in the plan correspond to securing facility vulnerabilities. Additionally, the site security plan must address preparations for and deterrents against specific modes of potential terrorist attack, as applicable and identified by DHS. The site security plans must also describe how the activities taken by the facility meet the risk-based performance standards provided by DHS. High-risk facilities may develop vulnerability assessments and site security plans using alternative security programs so long as they meet the tiered, performance-based requirements of the interim final rule. The Secretary may disapprove submitted vulnerability assessments or site security plans that fail to meet DHS standards but not on the basis of the presence or absence of a specific measure. In the case of disapproval, DHS will identify in writing those areas of the assessment and plan that need improvement. Chemical facilities may appeal disapprovals to DHS. 4 5 71 Federal Register 78276-78332 (December 28, 2006) at 78280. Ibid. Congressional Research Service 3 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress The information generated under this interim final rule, as well as any information developed for chemical facility security purposes that the Secretary determines needs to be protected, will be labeled “Chemical-terrorism Vulnerability Information” (CVI), a new category of security-related information. The DHS asserts sole discretion regarding who will be eligible to receive CVI. The interim final rule states it will preempt state and local regulation that “conflicts with, hinders, poses an obstacle to or frustrates the purposes of” the federal regulation. States, localities, or affected companies may request a decision from DHS regarding potential conflict between the regulations. Since DHS promulgated the interim final rule, Congress has amended this statute to state that such preemption will occur only in the case of an “actual conflict.” The DHS has not issued revised regulations addressing this change in statute. The interim final rule establishes penalties for lack of compliance and for the disclosure of CVI information. If a facility remains out of compliance with the interim final rule, DHS may order it to cease operations after other penalties, such as fines, have been levied. The interim final rule establishes the process by which chemical facilities can appeal DHS decisions and rulings. Implementation Within DHS, the National Protection and Programs Directorate (NPPD) is responsible for chemical facility security regulations. The NPPD attempts to generally reduce the risks to the homeland and has various offices addressing both physical and virtual threats. The Office of Infrastructure Protection oversees the CFATS program. Within the Office of Infrastructure Protection, the Infrastructure Security Compliance Project contains the funding and personnel efforts allocated for implementing the CFATS regulations. As seen in Table 1, requested and appropriated funding for this program has annually increased since its creation. Additionally, fulltime equivalent staffing for this program has also increased. This increase in staffing reflects, in part, the development of a cadre of CFATS inspectors. The DHS received statutory authority to regulate chemical facilities in 2006. It did not possess a chemical facility security office or inspector cadre at that time. The DHS-requested and congressionally appropriated funding for this program has annually increased since its creation. Additionally, full-time equivalent staffing for this program has increased. See Table 1. This increase in staffing reflects, in part, the development of a cadre of CFATS inspectors. The DHS is still in the process of filling the positions it requested and plans to continue to hire throughout the fiscal year. As of July 2010, DHS had 11 regional commanders and 77 chemical inspectors in the Infrastructure Security Compliance Division.6 In addition, DHS has established a Basic Inspector School training program for its inspector cadre. 6 The Infrastructure Security Compliance Division has a total of 168 headquarters and field personnel. Office of Infrastructure Protection, Department of Homeland Security, Update on Implementation of the Chemical Facility AntiTerrorism Standards and Development of Ammonium Nitrate Regulations-2010 Chemical Sector Coordinating Council Security Summit, July 7, 2010. Congressional Research Service 4 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Table 1. DHS Funding for Chemical Facility Security Regulation by Fiscal Year (in millions) Fiscal Year Request Appropriation Full-time Equivalents FY2007 $10 $22a 0 FY2008 25 50 21 FY2009 63 78b 78 FY2010 103c 103d 246 FY2011 105e 257 Source: Department of Homeland Security, Preparedness Directorate, Infrastructure Protection and Information Security, FY2007 Congressional Justification; Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and Information Security, Fiscal Year 2008 Congressional Justification; Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and Information Security, Fiscal Year 2009 Congressional Justification; Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and Information Security, Fiscal Year 2010 Congressional Justification; H.Rept. 109-699; P.L. 110-28; the explanatory statement for P.L. 110161 at Congressional Record, December 17, 2007, p. H16092; the explanatory statement for P.L. 110-329 at Congressional Record, September 24, 2008, pp. H9806-H9807; and H.Rept. 111-298. Notes: Funding levels rounded to nearest million. A full-time equivalent equals one staff person working a fulltime work schedule for one year. a. Including funds provided in supplemental appropriations. b. Of the funds appropriated for the Infrastructure Security Compliance Project, $5 million were designated for activities related to the development of ammonium nitrate regulations. c. Of the funds requested for the Infrastructure Security Compliance Project, $14 million were designated for activities related to the development of ammonium nitrate regulations. d. Of the funds appropriated for the Infrastructure Security Compliance Project, $14 million were designated for activities related to the development of ammonium nitrate regulations. e. The DHS would use some requested funds to regulate ammonium nitrate sale and transfer. As of March 2010, almost 38,000 chemical facilities had registered with DHS and completed the Top-Screen process.7 Of these facilities, DHS considered more than 7,000 as high-risk and required to submit a site vulnerability assessment.8 From the submitted site vulnerability assessments, DHS identified and placed 4,997 facilities into risk tiers. Table 2 identifies by risk tier the universe of regulated facilities. 7 The Top-Screen process is the initial submission of information to DHS to determine whether a facility is high risk. Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 8 Congressional Research Service 5 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Table 2. Facilities Regulated by DHS under CFATS Risk Tier Total Facilities with Regulated Final Tier Awaiting Final Tier 1 226 4 2 531 40 3 1,132 126 4 2,221 717 Total 4,110 887 Source: Office of Infrastructure Protection, Department of Homeland Security, Update on Implementation of the Chemical Facility Anti-Terrorism Standards and Development of Ammonium Nitrate Regulations-2010 Chemical Sector Coordinating Council Security Summit, July 7, 2010. Notes: DHS has preliminarily assigned some facilities to a risk tier. Final assignment to a risk tier occurs after final review of submitted vulnerability assessments. The DHS began inspections of Tier 1 facilities in February 2010,9 a slight delay from initial start date of “the first quarter of FY 2010.”10 The DHS has testified that they plan to inspect all 235 tier 1 facilities by the end of calendar year 2010.11 The DHS has also identified as a factor in the delay of the inspection schedule the necessary iteration between DHS and the regulated entity regarding its site security plan. 12 The DHS has inspected some facilities’ implementation of site security plans and issued 18 administrative orders to compel facilities to complete their site security plans. 13 Policy Issues Previous congressional discussion on chemical facility security raised several contentious policy issues. Some issues, such as whether DHS has sufficient funds to adequately oversee chemical facility security; whether the federal chemical facility security regulations should preempt state regulations; and how much information developed for chemical security purposes may be shared outside of the facility and the federal government, will exist even if Congress extends the existing statutory authority. Other issues, such as what facilities should be regulated as a chemical facility and whether chemical facilities should be required to adopt or consider adopting inherently safer 9 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 10 Testimony of Philip Reitinger, Deputy Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the House Committee on Homeland Security, June 16, 2009. 11 Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 12 The DHS identified such iteration on the contents of site security plans as one factor delaying the start of the inspection process from December 2009 to February 2010. Oral testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 13 Office of Infrastructure Protection, Department of Homeland Security, Update on Implementation of the Chemical Facility Anti-Terrorism Standards and Development of Ammonium Nitrate Regulations-2010 Chemical Sector Coordinating Council Security Summit, July 7, 2010. Congressional Research Service 6 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress technologies, are more likely to be addressed in the context of efforts to revise or expand existing authority. Adequacy of Funds The regulation establishes an oversight structure that relies on DHS personnel inspecting chemical facilities and ascertaining whether approved site security plans have been implemented. Although the use of performance-based measures, where chemical facilities are granted flexibility in determining how to achieve the required security performance, may reduce some demands on the regulated entities, it may also require greater training and judgment on the part of DHS inspectors. Inspecting the regulated facilities is likely to be costly. Congressional oversight has raised the question of whether DHS has requested and received appropriated funds sufficient to hire and retain the staff necessary to perform the required compliance inspections.14 Some policymakers have expressed surprise at the pace of inspection and have suggested that DHS increase it. 15 Creating the necessary infrastructure to perform inspections across the nation may be challenging. As stated by DHS when describing its efforts to hire, train, and deploy an inspector cadre and support staff: Infrastructure Security Inspectors, located in up to 10 primary field offices across the Nation, will inspect and ensure regulatory compliance at facilities covered by the CFATS regulation, including site security plan approval and maintaining respective inspection and audit schedule. Creating a fully functional cadre will require not just recruiting and training staff, but also procurement of communications and [information technology] equipment (laptops, blackberries, etc.) to facilitate work efforts while conducting inspections and traveling, but also the acquisition of office space and equipment, government vehicles, support staff, safety equipment and clothing, and support for frequent travel.16 The degree to which funds are sufficient to meet agency needs likely depends on factors external and internal to DHS. External factors include the number of regulated facilities and the sufficiency of security plan implementation. Internal factors include the ratio between headquarters staff and field inspectors; the risk tiers of the regulated facilities; and the timetable for implementation. Once the number of regulated facilities and their associated timetables are determined, DHS may be able to more comprehensively determine its resource needs.17 Now that DHS has begun implementation of these requirements, it may be able to provide further estimates of both funding and staff requirements. 14 House Committee on Homeland Security, Subcommittee on Transportation Security and Infrastructure Protection, Chemical Security: The Implementation of the Chemical Facility Anti-Terrorism Standards and the Road Ahead, 110th Congress, December 12, 2007. 15 Monica Hatcher, “Why Chemical Plants Are Vulnerable to Terrorism,” Houston Chronicle, April 5, 2010. 16 Department of Homeland Security, National Protection and Programs Directorate, Infrastructure Protection and Information Security, Fiscal Year 2009 Congressional Justification, p. IPIS-41. 17 The DHS was required in FY2006 and FY2007 to provide Congress with a report on the resources needed to create and implement mandatory security requirements. See P.L. 109-295, Department of Homeland Security Appropriations Act, 2007, and H.Rept. 109-241, accompanying P.L. 109-90, Department of Homeland Security Appropriations Act, 2006. Congressional Research Service 7 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Federal Preemption of State Activities The original statute did not expressly address the issue of federal preemption of state and local chemical facility security statute or regulation. When DHS issued regulations establishing the CFATS program, DHS asserted that the CFATS regulations would preempt state and local chemical facility security statute or regulation that conflicted with, hindered, posed an obstacle, or frustrated the purposes of the federal regulation. 18 Subsequent to the release of the regulation, Congress amended DHS’s statutory authority to state that only in the case of an “actual conflict” would the federal regulation preempt state authority. As the CFATS program has only begun to be implemented and few states have established independent chemical facility security regulatory programs, conflict between the federal and state activities has had little opportunity to occur. The DHS has not identified state programs that conflict with the CFATS regulations.19 The DHS has also not altered its regulatory language in response to the statutory amendment. Advocates for federal preemption call for a uniform security framework across the nation. They assert that a “patchwork” of regulations might develop if states independently develop additional chemical facility security regulations. 20 Variances in security requirements might lead to differing regulatory compliance costs, and companies might suffer competitive disadvantage based on their geographic location. Supporters of state rights to regulate chemical facility security claim that the federal regulation should be treated as the minimum standard with which all regulated entities must comply. They assert that DHS should allow states to develop more stringent regulations than the federal regulations. They claim such regulations would increase security. Some supporters of state regulation suggest that more stringent, conflicting state regulations should preempt the federal regulations.21 Such a case might occur if a state regulation mandated the use of a particular security approach at chemical facilities, conflicting with the federal regulation that adopts a performance-based rather than prescriptive approach. The desire to retain industries that might relocate faced with increased regulation likely would temper state inclinations to require overly stringent or incompatible regulations. Transparency of Process The CFATS process involves determining chemical facility vulnerabilities and developing security plans to address them. Information developed in this process is not to be widely and openly disseminated. The CFATS program protects this information by categorizing it as CVI and 18 72 Federal Register 17688–17745 (April 9, 2007) at 17739. 72 Federal Register 17688–17745 (April 9, 2007) at 17727. 20 See, for example, National Association of Chemical Distributors, “NACD Key Issue: Chemical Facility Security,” Key Issues 2009 Washington Fly-In 111th Congress. 21 For example, Representative Rothman asked Secretary of Homeland Security Napolitano, 19 And in particular, there was language enacted in 2008 which said that the states could have their own regulations with regard to securing chemical plant facilities unless there was a conflict with the federal requirements. Might it be time to revisit that language to allow each state to have its own chemical plant security regulations, even stricter than a national minimum standard, even if they conflict? (“House Appropriations Subcommittee on Homeland Security Holds Hearing on the Department of Homeland Security,” CQ Congressional Transcripts, May 12, 2009.) Congressional Research Service 8 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress providing penalties for its disclosure. Some advocates have argued for greater transparency in the CFATS process, even if the program protects detailed information regarding potential vulnerabilities and specific security measures. They assert that those individuals living in surrounding communities require such non-detailed information to plan effectively and make choices in an emergency.22 Events stemming from a 2007 explosion at a Bayer CropScience chemical facility in West Virginia have also led to debate regarding the protective labeling of security information at chemical facilities.23 The DHS regulated this chemical facility under the Maritime Transportation Security Act (MTSA), not CFATS.24 In this case, security information was protected from disclosure as Sensitive Security Information (SSI), an information protection regime similar to CVI. Company officials broadly applied SSI markings to facility documents partly in hopes to avoid a public debate on the use and storage of particular chemicals at the facility. This revelation led to questions regarding the application and oversight of such protective markings.25 Definition of Chemical Facility The DHS regulates as chemical facilities entities that possess, rather than manufacture, chemicals of interest. Thus, the term chemical facility encompasses many types of facilities. These types of facilities include agricultural facilities, universities, and others. By defining chemical facilities according to possession of a substance of concern, facilities not part of the chemical manufacturing and distributing chain have become regulated facilities. Stakeholders have expressed concern that the number of entities so regulated might be unwieldy and that the regulatory program might focus on many chemical facilities that pose little risk rather than on those facilities that posed more substantial risk. For example, during the rulemaking process, DHS received commentary and revised its regulatory threshold for possession of propane, stating: DHS, however, set the [screening threshold quantities] for propane in this final rule at 60,000 pounds. Sixty thousand pounds is the estimated maximum amount of propane that nonindustrial propane customers, such as restaurants and farmers, typically use. The Department believes that non-industrial users, especially those in rural areas, do not have the potential to create a significant risk to human life or health as would industrial users. The Department has elected, at this time, to focus efforts on large commercial propane establishments but may, after providing the public with an opportunity for notice and comment, extend its [CFATS] screening efforts to smaller facilities in the future. This higher [screening threshold quantity] will focus DHS’s security screening effort on industrial and major consumers, regional suppliers, bulk retail, and storage sites and away from non-industrial propane customers.26 22 OMB Watch and Public Citizen, “Chemical Facility Anti-Terrorism Standards, Department of Homeland Security, DHS-2006-0073,” Letter, February 7, 2007. 23 For example, see “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on the Bayer CropScience Facility Explosion,” CQ Congressional Transcripts, April 21, 2009. 24 The DHS regulates for security purposes chemical facilities located in ports under the Maritime Transportation Security Act of 2002 (P.L. 107-295). The chemical facility security statute exempts chemical facilities regulated under MTSA. 25 Testimony of William B. Buckner, President and Chief Executive Officer of Bayer CropScience, before the House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009. 26 72 Federal Register 65396–65435 (November 20, 2007) at 65406. Congressional Research Service 9 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Similarly, academic institutions have asserted that DHS should not apply CFATS regulations to them because of the dispersed nature of chemical holdings at colleges and universities. These institutions claim that regulatory compliance costs would not be commensurate with the risk reduction. 27 While the regulatory compliance costs likely decrease at lower risk tiers compared to higher risk tiers, regulated entities bear such costs as continued annual expenses. As mentioned above, the statutory authority underlying CFATS exempts several types of facilities. Some advocacy groups argue against the exclusion of drinking water and wastewater treatment facilities from chemical facility security regulation.28 Some drinking water and wastewater treatment facilities possess large amounts of potentially hazardous chemicals, such as chlorine, for purposes such as disinfection.29 Advocates for their inclusion in security regulations cite the presence of such potentially hazardous chemicals and their relative proximity to population centers as reasons to mandate security measures for such facilities. In contrast, representatives of the water sector point to the critical role that water and wastewater treatment facilities play in daily life. They caution against including these facilities in the existing regulatory framework because of the potential for undue public impacts. They cite, for example, loss of basic fire protection and sanitation services if the federal government orders a water or wastewater utility to cease operations for security reasons or failure to comply with regulation.30 Inherently Safer Technologies Previous debate on chemical facility security has included whether to mandate the adoption or consideration of changes in chemical process to reduce the potential consequences following a successful attack on a chemical facility. Suggestions for such changes have included reducing the amount of chemical stored onsite and changing the chemicals used. In previous congressional debate, these approaches have been referred to as inherently safer technologies or methods to reduce the consequences of a terrorist attack. Comparing one technology with its potential replacement is a fundamental challenge with regard to inherently safer technologies. Without adequate metrics, it is challenging to unequivocally state that one technology is inherently safer than the other; risk factors may exist outside of the comparison framework. 31 A facility might consider many additional factors when weighing the 27 72 Federal Register 65396–65435 (November 20, 2007) at 65412. 28 See, for example, Testimony of Philip J. Crowley, Senior Fellow and Director of Homeland Security, Center for American Progress, before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008. 29 Approximately 52,000 community water systems and 16,500 wastewater treatment facilities are in the United States. Only some facilities possess potentially hazardous chemicals. See U.S. Environmental Protection Agency, Factoids: Drinking Water and Ground Water Statistics for 2008, EPA 816-K-08-004, November 2008, and U.S. Environmental Protection Agency, Clean Watersheds Needs Survey 2004: Report to Congress, January 2008. 30 American Water Works Association, “Chemical Facility Security,” Fact Sheet, 2009, online at http://www.awwa.org/files/GovtPublicAffairs/PDF/2009Security.pdf. For more information on security issues in the water infrastructure sector, see CRS Report RL32189, Terrorism and Security Issues Facing the Water Infrastructure Sector, by Claudia Copeland. 31 For example, the replacement of hydrogen fluoride with sulfuric acid for refinery processing would replace a more toxic chemical with a less toxic one. In this case, experts estimate that equivalent processing capacity would require twenty-five times more sulfuric acid. Thus, more chemical storage facilities and transportation would be required, potentially posing different dangers than atmospheric release to the surrounding community. Determining which chemical process had less overall risk might require considering factors both internal and external to the chemical facility and the surrounding community. See Testimony of Dr. M. Sam Mannan, Director, Mary Kay O’Connor Process (continued...) Congressional Research Service 10 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress applicability and benefit of switching from one process to another. These factors include cost, technical challenges regarding implementation in specific situations, supply chain impacts, quality and availability of end products, and indirect effects caused to workers.32 Supporters of adopting these approaches as a way to improve chemical facility security argue that reducing or removing these chemicals from the facility will reduce the incentive to attack the facility. They suggest that reducing the consequences of a release also lowers the threat from terrorist attack and mitigates the risk to the surrounding populace. They point to facilities that have voluntarily changed amounts of chemicals on hand or chemical processes in use as examples that facilities can implement such an approach in a cost-effective, practical fashion.33 Opponents of mandating what proponents call inherently safer technologies question the validity of the approach as a security tool and the government’s ability to effectively oversee its implementation. Industrial entities assert that process safety engineers within the regulated industry already employ such approaches and that these are safety, not security, methods. They assert that process safety experts and business executives should determine the applicability and financial practicality of changing existing processes at specific chemical facilities.34 They also state concern that few existing alternative approaches are well understood with regard to their unanticipated side effects. They claim that these alternative approaches should continue to be studied rather than immediately applied, since unanticipated side effects could be deleterious to business and other interests.35 A third opposing view questions whether the federal government contains the required technical expertise to adjudicate the practicality and benefit of alternative approaches. Holders of this view raise concerns that the federal government may not possess the required knowledge or expertise to judge whether a particular site can implement alternative technology, even if the alternative theoretically provides benefits over existing technology.36 Policy Options With the statutory authority expiring in March 2011, the 112th Congress may address chemical facility security. Congress might further extend the existing statutory authority by revising or (...continued) Safety Center, Texas A&M University before the House Committee on Homeland Security, December 12, 2007. 32 For further discussion on this issue, see Center for Chemical Process Safety, American Institute of Chemical Engineers, Final Report: Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use, July 2010. 33 See, for example, Paul Orum and Reece Rushing, Center for American Progress, Preventing Toxic Terrorism: How Some Chemical Facilities are Removing Danger to American Communities, April 2006, and Paul Orum and Reece Rushing, Center for American Progress, Chemical Security 101: What You Don’t Have Can’t Leak, or Be Blown Up by Terrorists, November 2008. 34 Testimony of Marty Durbin, Managing Director, Federal Affairs, American Chemistry Council, before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008. 35 For example, EPA experts have pointed to the change by drinking water treatment facilities from gaseous chlorine disinfection to chloramine disinfection—a change identified by some advocacy groups as being an inherently safer substitution—as being correlated with increased levels of lead in drinking water due to increased corrosion. Government Accountability Office, Lead in D.C. Drinking Water, GAO-05-344, March 2005. 36 See, for example, Testimony of Dennis C. Hendershot, Staff Consultant, Center for Chemical Process Safety, American Institute of Chemical Engineers, before the Senate Committee on Environment and Public Works, June 21, 2006, S.Hrg. 109-1044. See also, Testimony of Matthew Barmasse, Synthetic Organic Chemical Manufacturers Association, before the Senate Committee on Homeland Security and Governmental Affairs, July 13, 2005. Congressional Research Service 11 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress repealing its sunset provision; codify the existing regulations; amend the existing statutory authority; address existing programmatic activities; or restrict or expand the scope of chemical facility security regulation. If Congress doesn’t act and allows the statutory authority to expire, the authority for the application and enforcement of the CFATS regulations may be brought into question. If Congress both allows the statutory authority to expire and does not appropriate funding for implementing the CFATS program, DHS may have difficulty enforcing the CFATS regulations. In the case where Congress allows the statutory authority to expire, but Congress appropriates funds for enforcing the CFATS program, DHS will likely be able to enforce the CFATS regulations. The GAO has found that in the case where a program’s statutory authority expires, but Congress explicitly appropriates funding for it, the program may continue to operate without interruption. 37 Maintain the Existing Regulatory Framework The existing statutory authority places much of the CFATS regulatory framework at the discretion of the Secretary of Homeland Security. The DHS is still in the process of implementing these regulations and has not yet determined their efficacy. Congressional oversight of their implementation, enforcement, and efficacy may play a key role in determining the sufficiency of the existing authority and regulations. Congress might choose to maintain the existing regulations by extending the statutory authority’s sunset date or codifying the existing regulations. Also, as noted above, allowing the statutory authority to expire could in effect maintain the existing regulatory framework if Congress continues to fund implementation, although this may lead to litigation. Extend the Sunset Date Congress might choose to extend the current statutory authority for a fixed or indefinite time. In passing the 2010 DHS appropriations act (P.L. 111-83), Congress extended the existing statutory authority one year to October 4, 2010, as requested by the Obama Administration. 38 The Continuing Appropriations Act, 2011 (P.L. 111-242) extended the statutory authority through December 3, 2010. P.L. 111-290 extended the statutory authority through December 18, 2010. P.L. 111-317 extended the statutory authority through December 21, 2010. P.L. 111-322 extended the statutory authority through March 4, 2011. The Obama Administration requests an additional one year extension of the statutory authority until October 4, 2011.39 Extending the existing statutory authority may provide regulated entities continuity and protect them from losing those resources already expended in regulatory compliance. An extension may allow assessment of the efficacy of the existing regulations and inclusion of this information in any future attempts to revise or extend DHS’s statutory authority. Moreover, since DHS is in the process of implementing current regulations, some policymakers argue for a simple extension without changing statutory requirements. 37 Office of the General Counsel, General Accounting Office, Principles of Federal Appropriations Law, Third Edition, GAO-04-261SP, January, 2004, pp. 2-70–2-71. 38 Department of Homeland Security, FY2010 Budget Justification. 39 Office of Management and Budget, The White House, Budget of the United States Government, Fiscal Year 2011, Appendix, p. 574. Congressional Research Service 12 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Congress might make the existing program permanent by removing the sunset date entirely. Some chemical manufacturers support converting the existing program into a permanent program.40 The removal of the sunset date would maintain the current discretion granted to the Secretary of Homeland Security to develop regulations and might allow assessment of the efficacy of the existing regulations. Making the existing statute permanent might provide consistency in authority and remove the statutory pressure to reauthorize a program that has a sunset date. Codify Existing Regulations Congress might choose to affirm the existing regulations by codifying them or their principles in statute. Such codification would reduce the discretion of the Secretary of Homeland Security to alter the CFATS regulations in the future. The existing statutory authority grants broad discretion to the Secretary to develop many elements of the CFATS regulations. Future Secretaries may choose to alter its structure or approach and still comply with the existing statute. Congress might identify specific components of the existing regulation that they wish any future regulation to retain and codify those portions. Doing so might limit the ability of the Secretary to react to changing circumstance, gained experience, and new knowledge. On the other hand, the codified portions might enhance the regulated community’s ability to plan for future expenses and requirements. Alter the Existing Statutory Authority Congress might choose to alter the existing statutory authority to modify the existing regulations, address stakeholder concerns, or broadly change the regulatory program. Accelerate or Decelerate Compliance Activities The DHS bases its schedule for facility CFATS compliance on the chemical facility’s assigned risk tier. Those chemical facilities assigned to higher risk tiers have a more accelerated compliance and resubmission schedule than those assigned to lower risk tiers. Congress might attempt to accelerate the compliance schedule by increasing funding available to DHS for CFATS, thereby increasing the ability of DHS to provide feedback to regulated entities, review submissions, and inspect facilities filing site security plans. Additional funding might reduce or mitigate inefficiencies or delays related to DHS processing of submissions. Alternatively, Congress might provide DHS with the authority to use third parties as CFATS inspectors. The DHS would then be able to augment the number of CFATS inspectors to meet increased demand or delegate inspection authority to state and local governments. Third-party inspectors might allow DHS to draw on expertise outside of the federal government in assessing the efficacy of the implemented site security activities. The DHS may need to define the roles and responsibilities of these inspectors and how DHS will assess and accredit their qualifications. The DHS has stated its intent to issue a rulemaking regarding the use of third-party auditors but has not yet done so.41 40 Randy Dearth and Cal Dooley, “Commentary: Taking Chemical Plant Security In Pittsburgh Seriously,” Pittsburgh Post-Gazette, May 27, 2009. 41 72 Federal Register 17688–17745 (April 9, 2007) at 17712. Congressional Research Service 13 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Congress might choose to slow the implementation schedule of the chemical facility security regulations. Concern about the impact of the regulation on small businesses or other entities might lead to a decelerated compliance schedule. The DHS has already implemented select regulatory extensions for certain agricultural operations.42 Congress might direct DHS to provide longer submission, implementation, and resubmission timelines for those regulated entities that might suffer disproportionate economic burdens from compliance. Incorporate Additional Facility Types The federal government does not regulate water and wastewater treatment facilities for chemical security purposes. Instead, current chemical security efforts at water and wastewater treatment facilities are voluntary in nature.43 Some advocacy groups have called for inclusion of currently exempt facilities, such as water and wastewater treatment facilities.44 The DHS and the Environmental Protection Agency (EPA) have also called for additional authorities to regulate these facilities: The Department of Homeland Security and the Environmental Protection Agency believe that there is an important gap in the framework for regulating the security of chemicals at water and wastewater treatment facilities in the United States. The authority for regulating the chemical industry purposefully excludes from its coverage water and wastewater treatment facilities. We need to work with the Congress to close this gap in the chemical security authorities in order to secure chemicals of interest at these facilities and protect the communities they serve. Water and wastewater treatment facilities that are determined to be high-risk due to the presence of chemicals of interest should be regulated for security in a manner that is consistent with the CFATS risk and performance-based framework while also recognizing the unique public health and environmental requirements and responsibilities of such facilities.45 In addition, DHS supports modifying the existing exemption for (1) MTSA facilities to increase security at these facilities to the CFATS standard and (2) facilities regulated by the Nuclear Regulatory Commission to clarify the scope of the exemption.46 If Congress provides the executive branch with statutory authority to regulate water and wastewater treatment facilities for chemical security purposes, it may weigh several policy decisions. Among these choices are which facilities should be regulated, how stringent such security measures should be, what federal agency should oversee them, and whether compliance with these security measures is feasible given the public nature of many water and wastewater treatment facilities. 42 73 Federal Register 1640 (January 9, 2008). Congress required certain drinking water facilities to perform vulnerability assessments and develop emergency response plans through section 401 of P.L. 107-188, the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. 44 See, for example, Paul Orum and Reece Rushing, Center for American Progress, Chemical Security 101: What You Don’t Have Can’t Leak, or Be Blown Up by Terrorists, November 2008. 45 Testimony of Benjamin H. Grumbles, Assistant Administrator for Water, U.S. Environmental Protection Agency before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008. 46 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 43 Congressional Research Service 14 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress One option might be to include water and wastewater treatment facilities under the existing CFATS regulations, effectively removing the exemption currently in statute. This would place water and wastewater treatment facilities on par with other possessors of chemicals of interest. The DHS would provide oversight of all regulated chemical facilities.47 Opponents of such an approach cite the essential role that water and wastewater treatment facilities play in daily life and assert that several authorities available to DHS under CFATS, such as the ability to require a facility to cease operations, are inappropriate if applied to a municipal utility. 48 Also, opponents might claim that activities under CFATS, such as vulnerability assessment, duplicate existing requirements under the Safe Drinking Water Act.49 Another option might be to grant statutory authority to regulate water and wastewater treatment facilities for security purposes to the EPA or require DHS to consult with EPA regarding its regulation of water and wastewater treatment facilities. Following prior debate on chemical facility security, Congress provided statutory authority for chemical security to DHS, separating security responsibilities from the public health and safety responsibilities given to EPA. Providing one agency the authority to oversee safety and security operations may reduce the potential for redundancy and other inefficiencies. Since water treatment facilities must provide a vulnerability assessment to EPA, some facilities might view regulation under CFATS as redundant in this context. The EPA has testified that the Obama Administration believes that EPA should be the lead agency for chemical security for both drinking water and wastewater systems, with DHS supporting EPA’s efforts.50 The EPA also supports providing states with an important role in regulating chemical security at water systems, including determinations, auditing, and inspecting. 51 Similarly, industry representatives have expressed concern regarding multiple agencies regulating security at drinking water and wastewater treatment facilities.52 They assert that municipalities that operate both types of facilities might face conflicting regulations and guidance if different agencies regulate drinking water and wastewater treatment facilities. These stakeholders suggest that EPA retaining the lead for water and wastewater facilities would be more efficient. If Congress removes the drinking water and wastewater treatment facility exemption, the number of regulated facilities might substantially increase. The United States contains approximately 52,000 community water systems and 16,500 wastewater treatment facilities. 53 These facilities 47 Those chemical facilities exempt from CFATS because they are regulated under MTSA are overseen by the Coast Guard, which is part of DHS. The DHS testified that 365 facilities are fully exempt from CFATS regulation due to compliance with MTSA, while 135 are partially exempt (“House Homeland Security Committee Holds Hearing on the Chemical Facility Antiterrorism Act of 2009,” CQ Congressional Transcripts, June 16, 2009). 48 Testimony of Brad Coffey, Association of Metropolitan Water Agencies, before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008. 49 Section 1433 of the Safe Drinking Water Act as amended by section 401 of P.L. 107-188, the Public Health Security and Bioterrorism Preparedness and Response Act of 2002. 50 Testimony of Peter S. Silva, Assistant Administrator for Water, Environmental Protection Agency, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 51 Testimony of Peter S. Silva, Assistant Administrator for Water, Environmental Protection Agency, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 52 See, for example, American Water Works Association, “AWWA Members Urged to Contact Congress on Chemical Security Bill,” and Association of Metropolitan Water Agencies, “Drinking Water Security and Treatment Mandates,” Policy Resolution, October 2008. 53 See U.S. Environmental Protection Agency, Factoids: Drinking Water and Ground Water Statistics for 2008, EPA 816-K-08-004, November 2008, and U.S. Environmental Protection Agency, Clean Watersheds Needs Survey 2004: (continued...) Congressional Research Service 15 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress vary substantially in size and service. The number of regulated facilities would depend on the criteria used to determine inclusion, such as chemical possession or number of individuals served. It is likely that only a subset of these facilities would meet a regulatory threshold.54 If Congress assigns responsibility for chemical facility security at different facilities to different agencies, each agency will promulgate separate rules. These rules may be similar or different depending on the agencies’ statutory authority, interpretation of that authority, and ability of the regulated entities to comply as well as any interagency coordination that might occur. Congress may wish to assess the areas where such facilities are similar and different in order to provide authorities that meet any unique characteristics. Any new regulation of drinking water and wastewater treatment facilities is likely to cause the regulated entities, and potentially the federal government, to incur some costs. Representatives of the water and wastewater sectors argue that local ratepayers will eventually bear the capital and ongoing costs incurred due to increased security measures.55 Congress may wish to consider whether the regulated entities should bear these costs, as is done for other regulated chemical facilities, and by those ratepayers they serve or by the taxpayers in general through financial assistance to the regulated entities. Additionally, if inclusion of other facility types significantly increases the number of regulated entities, DHS may require additional funds to process regulatory submissions and perform required inspections. Consider Inherently Safer Technologies Congress may choose to address the issue of inherently safer technologies, sometimes called methods to reduce the consequences of terrorist attack, through a variety of mechanisms. One approach might be to mandate the implementation of inherently safer technologies for a set of processes. Another might be to mandate the consideration of implementation of inherently safer technologies with certain criteria controlling whether implementation is required. A third approach might be to mandate the development of a federal repository of inherently safer technology approaches and consideration of chemical processes against those options listed in the repository. Stakeholders might assess and review the viability of applying these inherently safer approaches at lower cost if such information were centralized and freely available. Congress might establish an incentive-based structure to encourage the adoption of inherently safer technologies by regulated entities. Lastly, Congress might choose to not require any consideration or adoption of inherently safer technology approaches. Some experts assert that existing chemical process safety activities consider and assess inherently safer technology approaches.56 These assessments may lead to changes in chemical process when (...continued) Report to Congress, January 2008. 54 For example, the number of individuals served by the drinking water facility might be used as a regulatory criterion. Section 401 of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188) mandated drinking water facilities serving more than 3,300 individuals develop an emergency response plan and perform a vulnerability assessment. Approximately 8,400 community water systems met this requirement at that time. For more information on drinking water security activities, see CRS Report RL31294, Safeguarding the Nation’s Drinking Water: EPA and Congressional Actions, by Mary Tiemann. 55 Testimony of Brad Coffey, Association of Metropolitan Water Agencies, before the House Committee on Energy and Commerce, Subcommittee on Environment and Hazardous Materials, June 12, 2008. 56 See, for example, Testimony of Dennis C. Hendershot, Staff Consultant, Center for Chemical Process Safety, (continued...) Congressional Research Service 16 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress deemed safer, more reliable, and cost-effective. Congressionally mandated adoption or consideration of adoption of inherently safer technologies may be viewed as adding factors not previously considered by an individual facility, such as impact on homeland security. An additional complication to assessing inherently safer technology is the varying amounts and quality of information available regarding industrial implementation of inherently safer technologies. While some facilities have converted to processes generally deemed as inherently safer, sufficient information may not be available for all facilities and processes to make effective assessment of the impacts from changing existing processes to ones considered inherently safer.57 Indeed, some experts have asserted that the metrics for comparing industrial processes are not yet fully established and need additional research and study.58 The National Academies have recommended that DHS support research and development to foster cost-effective, inherently safer chemistries and chemical processes.59 The Obama Administration has given some support to the use of inherently safer technologies to enhance security at high-risk chemical facilities. It has established a series of principles directing its policy: • The Administration supports consistency of inherently safer technology approaches for facilities regardless of sector. • The Administration believes that all high-risk chemical facilities, Tiers 1-4, should assess IST methods and report the assessment in the facilities’ site security plans. Further, the appropriate regulatory entity should have the authority to require facilities posing the highest degree of risk (Tiers 1 and 2) to implement inherently safer technology methods if such methods demonstrably enhance overall security, are determined to be feasible, and, in the case of water sector facilities, consider public health and environmental requirements. • For Tier 3 and 4 facilities, the appropriate regulatory entity should review the inherently safer technology assessment contained in the site security plan. The entity should be authorized to provide recommendations on implementing inherently safer technologies, but it would not have the authority to require facilities to implement the inherently safer technology methods. • The Administration believes that flexibility and staggered implementation would be required in implementing this new inherently safer technology policy.60 (...continued) American Institute of Chemical Engineers, before the Senate Committee on Environment and Public Works, June 21, 2006, S.Hrg. 109-1044. 57 The DHS Science and Technology (S&T) Directorate is engaged in a Chemical Infrastructure Risk Assessment Project that, among other goals, will assess the potential for safer alternative processes that may reduce risk to a select subset of high volume toxic chemicals (Department of Homeland Security, FY2010 Budget Justification, pp. S&T R&D - 27–28). The Chemical Security Analysis Center of the DHS S&T Directorate contracted with the Center for Chemical Process Safety of the American Institute of Chemical Engineers to develop a technically based definition for inherently safer technology. See Center for Chemical Process Safety, American Institute of Chemical Engineers, Final Report: Definition for Inherently Safer Technology in Production, Transportation, Storage, and Use, July 2010. 58 Testimony of Dr. M. Sam Mannan, Director, Mary Kay O'Connor Process Safety Center, Texas A&M University before the House Committee on Homeland Security, December 12, 2007. 59 Committee on Assessing Vulnerabilities Related to the Nation’s Chemical Infrastructure, National Research Council, Terrorism and the Chemical Infrastructure: Protecting People and Reducing Vulnerabilities, 2006. 60 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland (continued...) Congressional Research Service 17 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Mandating the implementation of inherently safer technologies at regulated entities may be challenging due to the differences that exist among chemical facilities, in terms of chemical process, facility layout, and ability to finance implementation. Even the mandatory consideration of inherently safer technologies may place a financial burden on some small regulated entities. Congress might limit mandatory measures to those facilities considered by DHS to pose the most risk or might provide such financial assistance to regulated facilities. 61 Congress might choose to try to further incentivize regulated entities to adopt inherently safer technologies. Under the CFATS regulations, facilities that adopt inherently safer technologies might change their assigned risk tier by reducing the amount of chemicals of interest on hand. Congress might provide for financial or regulatory incentives to regulated entities that adopt inherently safer technologies for chemicals of interest. Alternatively, Congress might direct DHS or another agency to perform inherently safer technology assessments for regulated entities, transferring the cost of such assessment from the facility to the federal government. 62 The results of these assessments might then be provided to the regulated entity or used by the agency in overseeing implementation. Modify Information Security Provisions The current statute and regulation protect security-related information from public disclosure. Only specific “covered persons” may access such protected information. While acknowledging a legitimate homeland security need to protect security information, some policymakers have questioned whether information protection regimes applied to chemical facilities meet other needs. For example, first responders and community representatives have highlighted how such information protection regimes may impede emergency response and the ability of those in the surrounding community to react to emergency situations at the chemical facility.63 Additionally, worker representatives have raised concerns that these information protection regimes and the lack of mandated inclusion of worker representatives may impede worker input into security plans.64 Finally, the need to balance the acknowledged security value of prohibiting disclosure of facility security information while providing sufficient opportunity for community and worker input and understanding complicates addressing these concerns. (...continued) Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 61 Section 401 of the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 (P.L. 107-188) mandated drinking water facilities serving more than 3,300 individuals develop an emergency response plan and perform a vulnerability assessment. Funds were authorized to help offset the costs to these facilities. 62 Following investigation into the explosion at the Bayer CropScience facility in Institute, West Virginia, members of Congress requested that the Chemical Safety Board provide recommendations on the adoption of alternative chemical processes at the chemical facility. Rep. Henry A. Waxman, Sen. John D. Rockefeller IV, Rep. Bart Stupak, and Rep. Edward J. Markey, Letter to John Bresland, May 4, 2009, online at http://energycommerce.house.gov/Press_111/ 20090504/bayer.pdf. 63 Testimony of Joseph Crawford, Chief of Police, City Saint Albans, West Virginia, before the House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009; and testimony of Kent Carper, President, Kanawha County Commission, Kanawha County, West Virginia, before the House Committee on Energy and Commerce, Subcommittee on Oversight and Investigations, April 21, 2009. 64 See, for example, testimony of Glenn Erwin, United Steelworkers International Union, before the Senate Committee on Homeland Security and Governmental Affairs, July 13, 2005. Congressional Research Service 18 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress The current information protection regimes for chemical facility security information, CVI under CFATS and SSI under MTSA, do not contain penalties for incorrectly marking information as protected. Only disclosure of correctly marked information is penalized. Additionally, the chemical facility is responsible for identifying and appropriately marking protected information. These information markings only would be assessed in the case of dispute. As was asserted during congressional oversight, this disparity may lead to a tendency by regulated entities, in order to protect themselves against potential liability or scrutiny, to erroneously protect information that should be made available to the public.65 Additionally, the existing statute contains no provisions explicitly protecting or allowing for concerned covered persons to divulge protected information or to challenge the categorization of information as protected in an attempt to inform authorities about security vulnerabilities or other weaknesses. Depending on the circumstances, those individuals might be penalized for their disclosure of protected information. The CFATS regulations, reflecting this inherent tension, provide for a point of contact to which such information might be revealed, but also state “Section 550 did not give DHS authority to provide whistleblower protection, and so DHS has not incorporated specific whistleblower protections into this regulation.”66 The Obama Administration has testified that CVI is a distinct information protection regime and expressed support for maintaining it in its current form.67 Congress might choose to address any of the above issues through amending the existing statutory authority. For example, while still retaining protections for vulnerability or security related information, Congress might require specific input to be gathered and documented. Such input might come from outside groups, worker organizations, or other trade representatives through formal and informal mechanisms or by the solicitation, development, and use of industry best practices. Congress might direct DHS to make specific types of information, such as the results of enforcement activities or the approval of successful implementation of a site security plan, more generally available. By mandating the inclusion of such information gathering or the release of specific information, Congress might facilitate greater cooperation between various stakeholder groups. Conversely, such requirements may raise concerns about the degree of security given to the protected information, since more individuals will be involved in its development and analysis, perhaps increasing the ability of malicious persons to use such information for targeting purposes. As more information about the vulnerability assessment process and the results of the security process is made available, the potential that this disparate information might be combined to provide insight into a security weakness might increase. Congress might require the executive branch or another entity to identify the threats or vulnerabilities that might accrue from release of a greater amount of chemical facility security information prior to implementing such a policy change.68 65 “House Energy and Commerce Subcommittee on Oversight and Investigations Holds Hearing on the Bayer CropScience Facility Explosion,” CQ Congressional Transcripts, April 21, 2009. 66 72 Federal Register 17688–17745 (April 9, 2007) at 17718. 67 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 68 A similar approach was taken with regard to making available chemical facility information submitted to the EPA under the auspices of the Risk Management Program. In this case, the President was directed to assess the potential risk of placing this information on the Internet. See Section 3 of Chemical Safety Information, Site Security and Fuels Regulatory Relief Act (P.L. 106-40). Congressional Research Service 19 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress Congress might choose to alter the information protection regime afforded to chemical facility security information by specifically expanding access to first responders. The existing regulation explicitly states that information developed in response to other laws or regulations, such as Emergency Planning and Community Right-to-Know Act, are not protected from disclosure. Enhancing first responder access to such information might minimize perceived barriers to disclosing information during an accident. For example, Congress might mandate that each jurisdiction containing a regulated chemical facility contain a first responder designated as a covered individual. Congress might also choose to address the issue of identifying and marking protected information by mandating review of marked documents. The chemical facility might perform and certify the review. Alternatively, the federal government might perform such a review on a regular basis. A review requirement might burden the entity required to perform the review and, while potentially limiting incorrect marking, may inhibit information reporting by regulated entities to the federal government. Additionally, absent a penalty for incorrect marking, it is unclear how compliance would be assured. Congress may also address concerns raised regarding the ability of concerned individuals to report misdeeds by creating a “whistleblower” reporting mechanism. 69 One approach might be to codify the current mechanism of reporting such concerns specific to DHS or a similar federal entity, such as an agency Inspector General. Alternatively, Congress might create a more general exemption to the penalties arising from disclosure of protected information for those individuals who report such concerns to federal officials. As part of a whistleblower mechanism, Congress might choose to extend protections against retaliation or other job-related actions to those individuals availing themselves of current or newly established reporting mechanisms. Preempt State Regulations Congress addressed the issue of federal preemption of state chemical facility security statutes and regulations in the 110th Congress, placing in statute the requirement that only when an “actual conflict” occurs between state and federal regulation will the state regulation be preempted. 70 Congress may choose to further limit the cases where federal regulation would preempt state regulation by affirming the right of states to make chemical facility security regulations that are more stringent than federal regulation even if they conflict. Alternatively, Congress may choose to increase the number of cases where federal regulations preempt those of a state by expanding the types of conflict, beyond “actual,” that will lead to preemption. Harmonize Regulations Some facilities exempt from the existing chemical facility security regulations are regulated under other security provisions. If these facilities become included, conflicts may arise between requirements under chemical facility security regulations and these other provisions. One approach to resolving these conflicts is to identify which statute would supersede the others, providing a single statutory requirement. Critics of such an approach might assert that the 69 While DHS has established a “CFATS Tip-Line” where individuals may report security concerns, no special protections accrue to individuals using the tip-line. 70 P.L. 110-161, the Consolidated Appropriations Act, 2008. Congressional Research Service 20 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress superseding statute does not contain all of the protections present in the other statutes. Another approach might be to require agencies to generally harmonize the regulations implementing each statute. Regulatory agencies might identify and determine the best ways to meet statutory requirements while also limiting regulatory duplication or contradiction. The EPA has testified that the Obama Administration believes that DHS should be responsible for ensuring consistency of high-risk chemical facility security across all critical infrastructure sectors.71 In addition, DHS supports modifying the existing exemption for MTSA facilities to increase security at these facilities to the CFATS standard and modifying the existing exemption for facilities regulated by the Nuclear Regulatory Commission to clarify the scope of the exemption. 72 Legislation in the 111th Congress Members of the 111th Congress introduced legislation to extend or enhance DHS chemical facility security activities. Additionally, the annual appropriations process provided FY2010 funding for implementation of chemical facility security regulation and extended this funding through March 4, 2011. Legislative proposals have generally taken one of two approaches: extending the existing authority or modifying the existing authority. The Department of Homeland Security Appropriations Act, 2010 (P.L. 111-83) provided an extension of the existing statutory authority to October 4, 2010. The Continuing Appropriations Act, 2011 (P.L. 111-242) extended the statutory authority to December 3, 2010. P.L. 111-290 extended the statutory authority through December 18, 2010. P.L. 111-317 extended the statutory authority through December 21, 2010. P.L. 111-322 extended the statutory authority through March 4, 2011. The Obama Administration requests in its budget submission an extension of the existing statutory authority to October 4, 2011.73 In addition to the legislation introduced by members, the Department of Homeland Security was developing a draft comprehensive authorization bill.74 Extend the Existing Authority The Obama Administration has requested a further one-year extension of the statutory authority to October 4, 2011.75 In contrast, H.R. 2477, the Chemical Facility Security Authorization Act of 2009, would have extended the duration of the existing statutory authority to October 1, 2012. S. 2996/H.R. 5186, the Continuing Chemical Facilities Antiterrorism Security Act of 2010, would have extended the existing statutory authority until October 4, 2015, and would have established chemical security training and exercise programs. 71 Testimony of Peter S. Silva, Assistant Administrator for Water, Environmental Protection Agency, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 72 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 73 Office of Management and Budget, The White House, Budget of the United States Government, Fiscal Year 2011, Appendix, p. 574. 74 Testimony of Rand Beers, Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, before the Senate Committee on Homeland Security and Governmental Affairs, March 3, 2010. 75 Office of Management and Budget, The White House, Budget of the United States Government, Fiscal Year 2011, Appendix, p. 574. Congressional Research Service 21 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress On December 16, 2010, the Senate Committee on Homeland Security and Governmental Affairs reported H.R. 2868 with an amendment in the nature of a substitute.76 The amended language is similar to that found in S. 2996/H.R. 5186 and would have extended the authorization of the current statutory authority by three years, created a voluntary exercise and training program, created a voluntary technical assistance program with DHS to identify and implement methods to reduce the consequences of a terrorist attack, and created a best-practices clearinghouse for chemical facility security activities. Modify the Existing Authority Several members introduced legislation that would have changed the existing authority. H.R. 2868 passed the House and was reported by the Senate Homeland Security and Governmental Affairs Committee. The other legislation was not acted upon. H.R. 2868 The House of Representatives passed H.R. 2868, the Chemical and Water Security Act of 2009. As passed by the House, this bill would have reduced the discretion of the Secretary of Homeland Security by placing in statute aspects of the CFATS regulatory framework. Title I of H.R. 2868 would have increased the types of facilities subject to regulation by the Secretary, removing current statutory exemptions for selected types of entities, such as those facilities already regulated under MTSA.77 It would also have mandated the use, in certain cases, of measures to reduce the consequences of a terrorist attack as part of a site security plan. The bill would have altered the existing information protection scheme, removing the existing requirement that security information be treated as classified in enforcement proceedings. H.R. 2868 would have created a citizens’ suit process for requiring enforcement and established explicit protections for individuals who act as “whistleblowers” and report security vulnerabilities. The bill also identified criteria and parameters for mandatory security background checks. Finally, H.R. 2868 directed that state and local chemical facility security laws and regulations are preempted only if they are less stringent than the federal law and regulation. Title II of H.R. 2868 incorporated provisions of H.R. 3258, Drinking Water System Security Act of 2009, as reported by the House Committee on Energy and Commerce.78 Title II of H.R. 2868 would have required the EPA Administrator to promulgate regulations requiring certain drinking water systems to perform a vulnerability assessment, develop and implement a site security plan meeting tiered risk-based performance standards, and develop an emergency response plan. It would have mandated that each regulated system assess methods to reduce the consequences of a chemical release from an intentional act at the system and, if the system is in one of the two highest risk-based tiers, implement such methods if so directed. Title II of H.R. 2868 would have mandated employee participation and training. States that have been delegated primary enforcement responsibility for regulated water systems under the Safe Drinking Water Act would have been responsible for security oversight. Penalties for violations of the regulations were 76 S.Rept. 111-370. 77 Provisions in Title I of H.R. 2868 originated from the versions of H.R. 2868 reported by the House Committee on Homeland Security (H.Rept. 111-205, Part 1) and the House Committee on Energy and Commerce (H.Rept. 111-205, Part 2). 78 H.Rept. 111-313. Congressional Research Service 22 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress specified. Title II of H.R. 2868 would have prohibited the release of specific information under FOIA and required a periodic report to Congress regarding implementation of the regulation. It also would have exempted covered facilities from regulation under other specified chemical facility security laws. The Administrator would have been authorized to provide grants to states, covered water systems, and non-profit organizations to assist in meeting regulatory requirements. Title III of H.R. 2868 incorporated provisions of H.R. 2883, Wastewater Treatment Works Security Act of 2009. Title III of H.R. 2868 addressed security at wastewater treatment works and generally parallels Title II. Title III of H.R. 2868 would have required the EPA Administrator to promulgate regulations requiring certain wastewater treatment works to perform a vulnerability assessment, develop and implement a site security plan meeting tiered risk-based performance standards, and develop an emergency response plan. It would have mandated that each regulated treatment works assess methods to reduce the consequences of a chemical release from an intentional act at the treatment works and, if the treatment works is in one of the two highest riskbased tiers, implement such methods if so directed. Title III of H.R. 2868 would have mandated employee participation and training. States that have been delegated primary enforcement responsibility for regulated wastewater treatment works under the Federal Water Pollution Control Act would have been responsible for security oversight. Penalties for violations of the regulations were specified. Title III of H.R. 2868 would have prohibited the release of specific information under FOIA and required a periodic report to Congress regarding implementation of the regulation. It also would have exempted covered facilities from regulation under other specified chemical facility security laws. The Administrator would have been authorized to provide grants to states, covered water systems, and non-profit organizations to assist in meeting regulatory requirements. H.R. 2868 was referred to the Senate Committee on Homeland Security and Governmental Affairs. On December 16, 2010, the Senate Committee on Homeland Security and Governmental Affairs reported H.R. 2868 with an amendment in the nature of a substitute.79 The replacement language would have extended the authorization of the current statutory authority by three years, created a voluntary exercise and training program, created a voluntary technical assistance program with DHS to identify and implement methods to reduce the consequences of a terrorist attack, and created a best-practices clearinghouse for chemical facility security activities. Other Legislation H.R. 261, the Chemical Facility Security Improvement Act of 2009, would have prohibited the Secretary of Homeland Security from approving a chemical facility site security plan if the plan did not meet or exceed existing state or local security requirements. It would have allowed the Secretary of Homeland Security to mandate the use of specific security measures in site security plans. The bill would have also caused protected information to be treated as SSI in both general and legal proceedings. Finally, the act would no longer have prohibited individuals from bringing suit in court to require the Secretary of Homeland Security to enforce chemical facility security regulations against a chemical facility. S. 3599, the Secure Chemical Facilities Act, similarly to Title I of H.R. 2868, would have codified aspects of the CFATS regulation and did not address other types of facilities. It would also have required facilities to evaluate whether the facility could reduce the consequences of an attack by 79 S.Rept. 111-370. Congressional Research Service 23 Chemical Facility Security: Reauthorization, Policy Issues, and Options for Congress using a safer chemical or process. The act would have authorized DHS to require implementation of those safer measures if it has been classified as one of the highest-risk facilities, implementation of safer measures is feasible, and implementation would not increase risk overall by shifting risk to another location. Among other provisions, S. 3599 also would have increased the participation of employees and employee representatives in developing security plans. S. 3599 also would have altered the current information protection regime, aligning it with sensitive security information. Finally, S. 3599 would have allowed citizens to file suit against the Secretary of Homeland Security or submit a petition to the Secretary to enforce compliance with statute. S. 3598, the Security Water Facilities Act, similarly to Titles II and III of H.R. 2868, would have authorized the EPA Administrator to regulate community water systems and wastewater treatment facilities for security purposes. S. 3598 also would have authorized implementation of methods to reduce the consequences of a chemical release from an intentional act. Among other provisions, the Administrator was directed to promulgate regulations as necessary to prohibit the unauthorized disclosure of protected information. S. 3598 authorized the Administrator to provide grants or enter into cooperative agreements with states or regulated entities to assist in regulatory compliance. Author Contact Information Dana A. Shea Specialist in Science and Technology Policy dshea@crs.loc.gov, 7-6844 Congressional Research Service 24