Order Code RL33847
Chemical Facility Security:
Regulation and Issues for Congress
Updated April 28, 2008
Dana A. Shea
Specialist in Science and Technology Policy
Resources, Science, and Industry Division
Todd B. Tatelman
American Law Division
Chemical Facility Security:
Regulation and Issues for Congress
On April 9, 2007, the Department of Homeland Security (DHS) issued an
interim final rule (72 Federal Register 17688-17745) on chemical facility security,
implementing the statutory authority granted in the Homeland Security
Appropriations Act, 2007 (P.L. 109-295, Section 550). The regulations require
chemical facilities possessing amounts and types of substances considered by the
Secretary to be hazardous to notify DHS and undergo a consequence-based screening
process. The Secretary then determines which chemical facilities are high-risk and
thus need to comply with additional security requirements. High-risk facilities are
to be categorized into tiers based on risk, and those with higher risk must comply
with more stringent performance-based security requirements.
Under the interim final rule, high-risk chemical facilities are required to create
and submit to DHS a vulnerability assessment; create and submit to DHS a site
security plan, addressing the vulnerability assessment and complying with the
performance-based standards; and implement the site security plan at the chemical
facility. The Secretary is to approve or disapprove each step in the process, and may
require the chemical facility to improve the submission or implementation.
The interim final rule establishes a new category of protected information,
Chemical-terrorism Vulnerability Information (CVI), granting it a status between
sensitive but unclassified and classified information. The Secretary has discretion
over access to this information, how it may be used, and what will comprise CVI.
While the interim final rule states it may preempt future state and local chemical
facility security regulations, the 110th Congress has narrowed such preemption to
when federal regulations have an “actual conflict” with state and local regulations.
These regulations highlight key issues debated in previous Congresses. These
issues include what facilities should be considered as chemical facilities; which
chemical facilities should be considered as “high-risk” and thus regulated; the scope
of the risk-based performance standards for different tiers of high-risk chemical
facilities; the appropriateness and scope of federal preemption of existing state
chemical facility security regulation; and the availability of information for public
comment, potential litigation, and congressional oversight. One key issue not
directly addressed by the regulation is the role of inherently safer technology.
Congress may take further action. Since the statutory authority to regulate
chemical facilities expires in 2009, policymakers may choose to observe the impact
of the current regulations and, if necessary, address any perceived weaknesses at a
later date. Congress might attempt to influence its implementation through oversight
and report language or through additional legislation. Congress addressed concerns
over state preemption through the Consolidated Appropriations Act, 2008 (P.L. 110161). Authorizing bills (H.R. 1530, H.R. 1574, H.R. 1633, H.R. 5533, and H.R.
5577) on chemical facility security have been introduced in the House, and chemical
facility security language has been attached to the 2007 farm bill (S. 2302 and H.R.
2419, as amended by the Senate).
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Authority to Regulate Chemical Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Regulations Issued by the Department of Homeland Security . . . . . . . . . . . . . . . . 3
Key Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Scope of Regulated Facilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Inherently Safer Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Federal Preemption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Information Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Expiration of Regulations and Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Sufficiency of DHS Funding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Policy Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Maintain Status Quo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Attempt to Influence Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Legislative Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Legislation in the 110th Congress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
List of Tables
Table 1. DHS Funding for Chemical Facility Security Regulation . . . . . . . . . . 14
Chemical Facility Security: Regulation and
Issues for Congress
Chemical facility security has been an issue of congressional interest for many
years. First considered an environmental issue, the potential for release of toxic
chemicals and the associated potential health impacts on surrounding areas became
linked to concerns over terrorism following the September 11, 2001 attacks. The
passage of Section 550 of the Homeland Security Appropriation Act, 2007 (P.L. 109295) established statutory authority for the Department of Homeland Security (DHS)
to regulate security at select chemical facilities.1 How DHS implements this
authority will likely be an area of intense congressional interest, given that chemical
facility security legislation was introduced in each of the previous four Congresses
and that this new statutory authority expires three years after enactment.2
Chemical facility security authority had been called for by both the Executive
and Legislative branches for many years, but disagreements about how chemical
facilities should be regulated impeded consensus. The potential for injuries and
fatalities following an attack on a chemical facility, as well as the value of the
chemical sector to the national economy, led many security experts to suggest that
chemical facilities are high-value targets for terrorists. Securing chemical facilities
is considered a key component of protecting the nation’s critical infrastructure.3
Enactment of P.L. 109-295 and promulgation of the interim final rule were seen by
stakeholders as important steps in protecting chemical facilities against terrorist
attack; however, any increase in homeland security will depend on their effective
This report describes the statutory authority granted to DHS and the interim final
rule promulgated by DHS and identifies select issues of contention related to the
interim final rule. Finally, this report discusses several possible policy options for
Department of Homeland Security Appropriations Act, 2007, P.L. 109-295 § 550, 120 Stat.
1355 (2006) [hereinafter DHS Appropriations Act]. See also 71 Federal Register 7827678332 (December 28, 2006) and 72 Federal Register 17688-17745 (April 9, 2007).
See CRS Report RL31530, Chemical Facility Security, by Linda-Jo Schierow (providing
background on the need for additional security measures, security enhancement options, and
legislation in the 109th Congress).
Executive Office of the President, The White House, “Critical Infrastructure Identification,
Prioritization, and Protection,” Homeland Security Presidential Directive/HSPD-7,
December 17, 2003.
Authority to Regulate Chemical Facilities
The Homeland Security Appropriations Act, 2007 (P.L. 109-295), Section 550
provides statutory authority to DHS to regulate chemical facilities for security
purposes. This law directed the Secretary of Homeland Security to issue interim final
regulations establishing risk-based performance standards for chemical facility
security and requiring the development of vulnerability assessments and the
development and implementation of site security plans.4 The law specified that these
regulations are to apply only to those chemical facilities that the Secretary determines
present high levels of security risk.5 Furthermore, the regulations are to allow
regulated entities to employ combinations of security measures to meet the risk-based
Under the law, the Secretary must review and approve the required assessment,
plan, and implementation for each facility. The statute prohibits the Secretary from
disapproving a site security plan on the basis of the presence or absence of a
particular security measure, but the Secretary may disapprove a site security plan that
does not meet the risk-based performance standards. The Secretary may approve
vulnerability assessments and site security plans created through security programs
not developed by DHS, so long as the results of these programs meet the risk-based
performance standards established in regulation.
Information developed for these regulations is to be protected from public
disclosure but may be shared, at the Secretary’s discretion, with state and local
government officials, including law enforcement officials and first responders
possessing the necessary security clearances. Such shared information may not be
publicly disclosed, regardless of state or local laws, and is exempt from the Freedom
of Information Act (FOIA). Additionally, the information provided to the Secretary,
These interim final regulations must be issued within six months of the date of enactment
of P.L. 109-295. The statutory deadline for the interim final regulations was April 4, 2007.
Regulations were issued April 9, 2007.
By statute, some facilities are exempt from these regulations. They are facilities defined
as a water system or wastewater treatment works; facilities owned or operated by the
Department of Defense or Department of Energy; facilities regulated by the Nuclear
Regulatory Commission; and those facilities regulated under the Maritime Transportation
Security Act of 2002 (P.L. 107-295).
According to the White House Office of Management and Budget, a performance standard
is a standard “that states requirements in terms of required results with criteria for verifying
compliance but without stating the methods for achieving required results. A performance
standard may define the functional requirements for the item, operational requirements,
and/or interface and interchangeability characteristics. A performance standard may be
viewed in juxtaposition to a prescriptive standard which may specify design requirements,
such as materials to be used, how a requirement is to be achieved, or how an item is to be
fabricated or constructed.” Office of Management and Budget, The White House, “Federal
Participation in the Development and Use of Voluntary Consensus Standards and in
Conformity Assessment Activities,” Circular A-119, February 10, 1998. For example, a
performance standard might require that a facility perimeter be secured, while a prescriptive
standard might dictate the height and type of fence to be used to secure the perimeter.
along with related vulnerability information, is to be treated as classified information
in all judicial and administrative proceedings. Violation of the information
protection provision is punishable by fine.
The Secretary must audit and inspect chemical facilities and determine
regulatory compliance. If the Secretary finds a facility not in compliance, the
Secretary shall write to the facility explaining the deficiencies found, provide an
opportunity for the facility to consult with the Secretary, and issue an order to comply
by a date determined by the Secretary. If the facility continues to be out of
compliance, the Secretary may fine and, eventually, order the facility to close.
Only the Secretary of DHS may bring a lawsuit against a facility owner to
enforce provisions of the law. The law does not affect any other federal law
regulating chemicals in commerce. The statute contains a “sunset provision” and
expires on October 4, 2009, three years from the date of enactment.
Section 550 was amended by the Consolidated Appropriations Act, 2008 (P.L.
110-161) and established a state’s right to promulgate chemical facility security
regulation that is at least as stringent as the federal chemical facility security
regulation. Only in the case of an “actual conflict” between the federal and state
regulation would the state regulation be preempted. The scope of an “actual conflict”
was not further defined.
Regulations Issued by the Department of Homeland
On April 9, 2007, the Department of Homeland Security issued an interim final
rule regarding chemical facility security.7 This interim final rule, implementing P.L.
109-295, entered into force on June 8, 2007. The interim final rule implements both
statutory authority explicit in P.L. 109-295 and authorities DHS found to be
Under the interim final rule, the Secretary of DHS will determine which
chemical facilities must meet the security requirements of these regulations. The
decision is to be based on the degree of risk posed by each facility.8 Chemical
facilities with greater than specified quantities of potentially dangerous chemicals are
72 Federal Register 17688-17745 (April 9, 2007). This interim final rule followed the
release of an advanced notice of rulemaking. See 71 Federal Register 78276-78332
(December 28, 2006).
This initial screening of chemical facilities will be done on the basis of potential
consequence, rather than risk. It is unclear whether compliance with the regulation would
reduce the risk status of the chemical facility, since regulatory compliance would
presumably decrease the vulnerability of the facility and vulnerability is a factor used to
determine risk status. 72 Federal Register 17688-17745 (April 9, 2007) at 17700.
be required to submit information to DHS, so that DHS can determine the facility’s
risk status.9 High-risk facilities are then categorized into risk-based tiers.
The DHS is to establish a different performance-based requirements for
facilities assigned to each risk-based tier. Those facilities identified by DHS as high
risk will have additional responsibilities. All high-risk facilities must assess their
vulnerabilities, develop an effective security plan, submit these documents to DHS,
and implement their security plan. Vulnerability assessments and site security plans
developed through alternative security programs will be accepted so long as they
meet the tiered, performance-based requirements of the interim final rule. In turn,
DHS will approve or disapprove the vulnerability assessments, the site security plans,
and their implementation through audit and inspection. The DHS will provide
certification of the facility’s compliance status.10
The vulnerability assessment will serve two purposes under the interim final
rule. One is to determine or confirm the placement of the facility in a risk-based tier.
The other is to provide a baseline against which to compare the site security plan
activities. The DHS requires the vulnerability assessment to include the following
components: asset characterization, threat assessment, security vulnerability analysis,
risk assessment, and countermeasures analysis.11
The site security plans must address the vulnerability assessment by describing
how activities in the plan correspond to facility vulnerabilities. Additionally, the site
security plan must address preparations for and deterrents against specific modes of
potential terrorist attack, as applicable. These modes of attack may include vehicleborne improvised explosive device; water-borne explosive device; ground assault;
or other modes of potential attack identified by DHS.12 The site security plans must
also describe how the activities taken by the facility meet the risk-based performance
standards provided by DHS.
All vulnerability assessments and site security plans are to be submitted to DHS
for approval. The Secretary may disapprove those assessments or plans that fail to
meet DHS standards but not on the basis of the presence or absence of a specific
measure. In the case of disapproval, DHS must identify in writing those areas of the
assessment and plan that need improvement. Chemical facilities may appeal
disapprovals to DHS.
The information generated under this interim final rule, as well as any
information developed for chemical facility security purposes that the Secretary
determines needs to be protected, will be labeled “Chemical-terrorism Vulnerability
The list contains approximately 300 chemicals and is specified as Appendix A to the
regulation. 72 Federal Register 65396-65435 (November 20, 2007).
Audit inspections may be conducted by third-party auditors. The DHS plans to issue a
future rulemaking regarding the use of third-party auditing. 72 Federal Register 1768817745 (April 9, 2007) at 17712.
72 Federal Register 17688-17745 (April 9, 2007) at 17732.
Id. at 17732.
Information” (CVI), a new category of security-related information. According to the
interim final rule, DHS will have sole discretion regarding who will be eligible to
The interim final rule states it will preempt state and local regulation that
“conflicts with, hinders, poses an obstacle to or frustrates the purposes of” the federal
regulation.14 States, localities, or affected companies may request a decision from
DHS regarding potential conflict between the regulations. Since promulgation of the
interim final rule, Congress has amended the DHS’s statutory authority for chemical
facility security to state that such preemption will occur only in the case of an “actual
conflict.” The DHS has not yet issued revised regulations addressing this change in
The interim final rule establishes penalties for lack of compliance and the
disclosure of CVI information. If a facility remains out of compliance with this
interim final rule, DHS may order its closure after other penalties, such as fines, have
been levied. The interim final rule establishes the process by which chemical
facilities can appeal DHS decisions and rulings.
Chemical facility security was the focus of several congressional hearings and
policy debates surrounding proposed legislation in the 109th Congress, legislation
reported by the House Homeland Security Committee and the Senate Committee on
Homeland Security and Governmental Affairs. Some, but not all, of the topics that
were considered contentious were addressed by P.L. 109-295. Even so, many of
these topics have remained issues of interest to the 110th Congress. This section
describes several of these topics in light of the enacted provisions: the scope of the
regulated facilities, inherently safer technology, federal preemption, and the
protection of information.
Scope of Regulated Facilities
P.L. 109-295 did not specify which facilities should be regulated, and this
remains an issue of policy debate. Under the interim final rule, chemical facilities
shall mean any establishment that possesses or plans to possess, at any relevant
point in time, a quantity of a chemical substance determined by the Secretary to
be potentially dangerous or that meets other risk-related criteria identified by the
Regulated, or covered, facilities represent only a portion of all chemical facilities,
being those that present “a high risk of significant adverse consequences for human
Id. at 17738.
Id. at 17739.
Id. at 17730.
life or health, national security and/or critical economic assets if subjected to terrorist
attack, compromise, infiltration, or exploitation.”16
The chemical substances determined by the Secretary to be potentially
dangerous were reported with the interim final rule. A final rule reporting the list of
chemical substances of interest, promulgated as Appendix A to the interim final rule,
has been released by DHS.17 The DHS sought public comment on the chemical list,
and the final rulemaking incorporated DHS’s responses to these comments. The list
includes chemicals from the Environmental Protection Agency’s Risk Management
Program list, the Chemical Weapons Convention schedules, and the Department of
Transportation’s list of hazardous materials. The list specifies the amount of each
chemical that triggers the reporting requirement. The DHS established three
thresholds, for chemical release, for chemical theft or diversion, and for sabotage or
contamination. Facilities must assess the chemicals on hand for each type of
The rule’s definition of chemical facility may describe many facilities.18 While
many, if not most, of these facilities would not be high-risk, DHS will require all of
these chemical facilities to complete a consequence-based screening questionnaire
to determine their risk category.19 The DHS will treat facilities not completing such
a questionnaire as presumptively high-risk.20 Such an approach may tax DHS
resources, as well as negatively impact small businesses, especially during the initial
screening process. Retail propane dealers, for example, have asserted that they
would be adversely affected by the proposed threshold.21 Since the reporting
requirement depends on the total amount of chemical of interest held at a chemical
facility, not the amount of chemical of interest in a particular storage vessel, facilities
that have large numbers of small containers of a chemical of interest may be required
to report. Some universities and colleges, not typically considered as a chemical
72 Federal Register 65396-65435 (November 20, 2007).
The Environmental Protection Agency’s Risk Management Program, a program whose
list of chemicals is almost wholly subsumed within the DHS list of chemicals of interest, is
estimated to regulate approximately 15,000 facilities. Some of these facilities would fall
within the statutory exemptions to chemical security regulation, such as water or wastewater
In 2005, DHS testified that approximately 3,400 chemical facilities were considered highrisk, having the ability to impact 1,000 or more people. Testimony of Robert B. Stephan,
Assistant Secretary for Infrastructure Protection, Department of Homeland Security, before
the Senate Committee on Homeland Security and Governmental Affairs on June 15, 2005.
The use of a consequence threshold as an approximation of risk, as is used in the initial
screening procedure, would likely capture all high-risk facilities if the consequence
threshold was set at a low level. That tactic might also capture many non-high-risk
72 Federal Register 17688-17745 (April 9, 2007) at 17731.
Linda Roeder, “Security Homeland Security Rule Provisions Spur Criticism Over
Chemical Thresholds,” Daily Environment Report, June 4, 2007.
facility, have asserted that, because of the low threshold for some chemicals of
interest, they are likely to have to report to DHS as a chemical facility.22
In responding to public comment on the rule, DHS appears to have attempted
to address these specific concerns, among others. For example, the threshold amount
for propane was increased so that DHS could focus their “security screening effort
on industrial and major consumers, regional suppliers, bulk retail, and storage sites
and away from non-industrial propane customers.”23 Other thresholds have also been
increased from the initial proposed threshold. Universities and colleges, which may
have a significant burden in inventorying their chemical holdings, have been granted
the option of requesting additional time to perform necessary work before coming
into compliance with the chemical facility regulations.24
The Department expects that roughly 40,000 facilities will be required to
comply with the reporting requirements of the regulations. The Department
estimates that between 1,500 and 6,500 facilities eventually will be covered by riskbased performance measure requirements. Such facilities would have completed the
initial screening process and been categorized as falling within one of the four
regulated risk tiers.25 As of December 2007, more than 16,000 facilities had
registered with DHS, with more than 1,000 having completed submitting the required
Inherently Safer Technology
Considerable congressional debate on chemical facility security revolved around
the issue of inherently safer technology. During this debate, the application of
inherently safer technology as a risk-reducing security measure was generally
supported by environmental groups and opposed by industry groups. Environmental
groups proposed that reducing the inherent consequences from a release at a chemical
facility would increase its security, as the incentive to attack such a lowerconsequence facility would be reduced. Industry groups argued that chemical
substance and technology changes were business and process safety concerns, not
related to security issues, and best left to the discretion of the chemical facility, rather
than the federal government.
Both the statute and the interim final rule are silent on the issue of inherently
safer technology. Neither recommend nor prohibit the use of inherently safer
technology as a security method, assuming that it contributes to meeting the risk22
Kelly Field, “Chemical-Security Rules Could Pose Huge Burden for Colleges, Critics
Say,” Chronicle of Higher Education Daily News, June 5, 2007.
72 Federal Register 65396-65435 (November 20, 2007) at 65406.
72 Federal Register 65396-65435 (November 20, 2007) at 65412.
72 Federal Register 17688-17745 (April 9, 2007) at 17723.
Robert B. Stephan, Assistant Secretary for Infrastructure Protection, National Protection
and Programs Directorate, Department of Homeland Security, before the House Committee
on Homeland Security, Subcommittee on Transportation Security and Infrastructure
Protection, December 12, 2007.
based performance standards put forth by DHS. The risk-based performance
standards appear more focused on hardening facilities than on consequence
mitigation techniques. Alternatively, use of inherently safer technology may reduce
the quantity or type of chemical stored on site, possibly removing the chemical
facility from regulation. Both the statute and the interim final rule, in establishing
risk-based performance standards, expressly prohibit requiring any specific security
measure from chemical facilities.
Another area of congressional debate was whether federal chemical facility
security legislation should preempt such activities on the state level.27 Several states
have begun to enact security regulations for chemical facilities.28 Supporters of
explicit federal preemption assert that a patchwork of state regulation provides a
competitive disadvantage to companies on a state-by-state basis and may lead to
uneven security efforts. Opponents of explicit federal preemption claim that federal
security regulation should set a floor, rather than a ceiling, for security efforts;
individual states should, in their opinion, be allowed to require additional security
measures, so long as the federal standard is surpassed.
The statute was originally silent with respect to preemption; however, the
interim final rule contains language indicating that DHS reserves the authority to
preempt conflicting state requirements. According to DHS, the balance struck by
P.L. 109-295 between DHS security requirements and a facility’s flexibility to choose
specific security measures must be preserved.29 The interim final rule’s explanatory
statement distinguishes, consistent with federal case law, between “field preemption”
and “conflict preemption,” asserting that the Department intends only the latter to
apply to chemical security regulations.30 As an example, DHS notes that Congress’s
delegation of authority extends only to those facilities that pose “high levels of
See Cong. Rec. H7968-69 (daily ed. September 29, 2006) (statement of Rep. Barton)
(stating that “[d]uring negotiations it was discussed and consciously decided among the
authorizing committee negotiators to not include a provision exempting this section from
Federal preemption because we do not want a patchwork of chemical facilities that are
trying to secure themselves against threats of terrorism caught in a bind of wondering
whether their site security complies with all law.”). See also Cong. Rec. H7967 (daily ed.
September 29, 2006) (statement of Rep. King) (noting that the intent of the committee was
not to preempt state authority in adopting requirements more stringent than federal standards
and concluding that “...it is our understanding, and we had the opinion of committee counsel
on this, that [the bill language] does not preempt States.”).
New Jersey, arguably the state with the most stringent chemical security regulations,
requires the consideration of inherently safer technology as a component of a facility’s
72 Federal Register 17688-17745 (April 9, 2007) at 17727.
72 Federal Register 17688-17745 (April 9, 2007) at 17727 (stating that “[DHS] does not
view its regulatory scheme as one which so fully occupies the field as to preempt any state
law touching the same subject.”).
security risk;” thus, according to DHS, the states remain free to regulate any facility
that DHS has determined not to be encompassed by this classification.31
According to the statute, “the Secretary may not disapprove a Site Security Plan
submitted under this section based on the presence or absence of a particular security
measure.”32 The federal chemical facility security regulation thus does not require
the application or use of any particular security measure. The interim final rule then
seems to imply that any state regulation that does require a specific security measure
would have been preempted, because it “conflicts with, hinders, poses an obstacle to
or frustrates the purposes of these regulations or of any approval, disapproval or order
Although DHS has indicated that it has not reviewed all existing state
regulations for preemption purposes, they assert that these existing state regulations
are unlikely to be preempted by the interim final rule. Future state regulations,
however, may be found to be preempted. It seems likely that prescriptive state
regulations would be interpreted by DHS as preempted by the performance-based
Subsequent to promulgation of the chemical facility security regulations,
Congress passed the Consolidated Appropriations Act, 2008 (P.L. 110-161). This
law contained a provision that established a state’s right to establish chemical facility
security regulation that is at least as stringent as the federal chemical facility security
regulation. Only in the case of an “actual conflict” between the federal and state
regulation would the state regulation be preempted. The DHS has not yet altered its
chemical facility regulation to incorporate this change in statute. Consequently, it is
not yet known exactly how DHS will implement this provision in regulation or how
DHS will determine whether “actual conflict” arises between state and federal
Another issue that generated considerable congressional interest and debate was
how, and to what extent, the information created by chemical facilities and submitted
to DHS is to be protected from disclosure to the public, industry competitors, and
potential bad actors. The Freedom of Information Act (FOIA), which generally
applies to records held by agencies of the executive branch of the federal
72 Federal Register 17688-17745 (April 9, 2007) at 17727.
DHS Appropriations Act, supra note 1 at § 550(a).
72 Federal Register 17688-17745 (April 9, 2007) at 17739.
For a legal analysis of preemption and a discussion of DHS’s authority to preempt state
law by administrative action, see CRS Congressional Distribution Memorandum, Legal
Analysis of the Preemption Provisions in the Recent Department of Homeland Security’s
Chemical Facility Security Advance Notice of Rulemaking, by Todd B. Tatelman (January
23, 2007) (available from author upon request).
government, regulates the disclosure of government information.35 The FOIA
requires agencies to publish in the Federal Register certain records, and to make
other records available for public inspection and copying.36
While the FOIA contains three specific law enforcement related exclusions and
nine exemptions that permit the withholding of certain government-held information,
it has been the prevailing view since September 11, 2001, that separate federal
statutes prohibiting the disclosure of certain types of information, and authorizing its
withholding under the FOIA, are necessary. As a result, several security-related
information protection statutes have been enacted by Congress and implemented by
the government. Of specific relevance to chemical facilities is the protection regime
known as “Sensitive Security Information” (SSI), currently used by the
Transportation Security Administration in enforcing the Maritime Transportation
Security Act of 2002 (MTSA).37
Section 550(c) of P.L. 109-295 contains two specific mandates regarding
information protection. The first mandate requires that
information developed under this section, including vulnerability assessments,
site security plans, and other security related information, records, and
documents shall be given protections from public disclosure consistent with
similar information developed by chemical facilities subject to regulation under
The reference to MTSA is considered to be a reference to SSI, which is the
information protection regime developed and administered by the Transportation
Security Administration and applicable to maritime facilities regulated under MTSA.
The DHS’s interim final chemical facility security regulations expressly
recognize the reference to SSI; however, instead of amending the existing SSI
regulations to include application to chemical facilities, DHS has implemented a new
security-information protection regime, “Chemical-terrorism Vulnerability
The interim final rule provides that the following types of information will
constitute CVI: (1) vulnerability assessments; (2) site security plans; (3) any
5 U.S.C. § 552 et seq. (2000). For an overview of FOIA, see CRS Report RL32780,
Freedom of Information Act (FOIA) Amendments: 110th Congress, by Harold C. Relyea.
See id. at § 552(a)(1)-(2).
While initially created for the Department of Transportation in 1974, SSI has been
significantly expanded by the Aviation Transportation Security Act of 2001 (ATSA), the
Homeland Security Act of 2002, and the Maritime Transportation Security Act of 2002. See
CRS Report RL33670, Protection of Security-Related Information, by Gina Marie Stevens
and Todd B. Tatelman (providing an in-depth discussion of the history, requirements, and
litigation that has developed under SSI).
DHS Appropriations Act, supra note 1 at § 550(c).
72 Federal Register 17688-17745 (April 9, 2007) at 17727-17739.
documents developed relating to the Department’s review and approval of
vulnerability assessments and security plans; (4) alternate security plans; (5)
documents relating to inspection or audits; (6) any records required to be created or
retained under these regulations; (7) sensitive portions of orders, notices or letters
(8) information developed to determine the risk posed by chemical facilities, or to
determine which facilities are “high risk;” and (9) any other information that the
Secretary, in his discretion, determines warrants the protections set forth in this part.40
The interim final rule states that “covered persons” must “[d]isclose, or
otherwise provide access to, CVI only to covered persons who have a need to
know.”41 The interim final rule defines the term “covered persons” as: persons who
have a need to know CVI and as persons who otherwise receive access to “what they
know or reasonably should know constitutes CVI.”42 According to the interim final
rule, persons with the “need to know,” which expressly includes state and local
officials, are categorized in five ways: (1) persons who require access to carry out
activities approved or sanctioned by DHS; (2) persons who require access to train for
DHS approved or sanctioned activities; (3) persons required to supervise, manage,
or otherwise oversee DHS approved or sanctioned activities; (4) persons who require
the information for the purposes of providing technical or legal advice; and (5)
persons who are representing a covered person in either an administrative or judicial
The interim final rule indicates that DHS may “make an individual’s access to
the CVI contingent upon satisfactory completion of a security background check or
other procedures or requirements for safeguarding CVI that are satisfactory to
DHS.”44 Finally, the interim final rule provides DHS with discretionary authority to
further limit access to CVI, even if persons otherwise meet the required
qualifications. The regulations state that “[f]or some specific CVI, DHS may make
a finding that only specific persons or classes of persons have a need to know.”45 It
is unclear from this language in what circumstances, or by what standards, DHS will
issue such findings.
The second mandate contained in P.L. 109-295 states that:
in any proceeding to enforce this section, vulnerability assessments, site security
plans, and other information submitted to or obtained by the Secretary under this
section, and related vulnerability or security information, shall be treated as if the
information were classified material.46
72 Federal Register 17688-17745 (April 9, 2007) at 17737.
Id. at 17738.
DHS Appropriations Act, supra note 1 at § 550(c).
The terms “classified material” or “classified information” have been defined in
several different contexts. Congress has statutorily defined “classified material” as
“[a]ny information or material that has been determined by the United States
government pursuant to an Executive Order, statute, or regulation, to require
protection against unauthorized disclosure for reasons of national security....”47
Executive Orders have defined “classified information” as “information that ...
require[s] protection against unauthorized disclosure and is marked to indicate its
classified status when in documentary form.”48 In addition, according to Executive
Order, “classified information” may include anything that the original classifying
authority determines that “reasonably could be expected to result in damage to
national security, which include[s] defense against transnational terrorism, and the
original classification authority is able to identify and describe the damage.”49
As a result of this congressional mandate and the nature of the information at
issue, DHS has indicated that in administrative proceedings and litigation before
courts, CVI will only be disclosed under the narrowest of parameters consistent with
Executive Orders and other congressional enactments. In administrative proceedings,
DHS indicates that CVI will only be disclosed at the Secretary’s sole discretion and
only when it “is necessary for the person to prepare a response to allegations
contained in a legal enforcement action document issued by the Department.”50 Even
in such a circumstance, DHS reserves the right to require the requesting person or
entity to undergo and satisfy a security background check before receiving the
Similarly, in litigation arising out of enforcement actions, whether civil or
criminal, DHS has implemented a system of applicable procedures akin to those
contained in both the Classified Information Protection Act,52 and at 18 U.S.C. §
2339B. For example, DHS will permit reviewing courts, after an opportunity to
independently view the documents, to authorize one of the following as a substitute
for CVI sought in discovery: (1) A redacted version of the CVI documents; (2) a
summary of the information contained in the CVI documents; or (3) a statement
admitting relevant facts that the CVI documents would tend to prove.53 The interim
final rule also provides protections against the disclosure of CVI through live witness
testimony.54 Moreover, in the event that the Government objects to a witness’s
testimony, the regulations authorize the court to consider an ex parte proffer by the
Government on what the witness is likely to say, as well as a proffer from the
Classified Information Procedures Act, P.L. 96-456, 94 Stat. 2025 (1980) (codified as
amended at 18 U.S.C. App. 3 §§ 1-16 (2000)) [hereinafter CIPA].
Exec. Order No. 12958 § 6.1(h), 60 Federal Register 19825 (April 20, 1995).
Exec. Order No. 13292 §1.1(a)(4), 68 Federal Register 15315 (March 28, 2003).
72 Federal Register 17688-17745 (April 9, 2007) at 17738.
See CIPA, supra note 45.
72 Federal Register 17688-17745 (April 9, 2007) at 17738-17739.
defendant of the nature of the information sought.55 Further, the interim final rule
permits the Department to immediately appeal if a court denies any request related
to the disclosure of CVI.56 Finally, the interim final rule expressly states that no CVI
will be provided in any civil litigation unrelated to the enforcement of Section 550.57
Expiration of Regulations and Authority
The meaning of the expiration provision of P.L. 109-295 appears to be the
subject of some uncertainty. The statute states:
Interim regulations issued under this section shall apply until the effective date
of interim or final regulations promulgated under other laws that establish
requirements and standards referred to in subsection (a) and expressly supercede
this section. Provided, [t]hat the authority provided by this section shall
terminate three years after the date of enactment of this Act.58
In the preamble to DHS’s proposed regulations the Department suggests that
notwithstanding the plain text of the statute, should future funds be appropriated by
Congress, even in the absence of an authorizing statute, the regulations and the
authority to enforce them would continue as though sufficiently authorized.59
As a general rule, there is no specific statutory or other legal requirements that
appropriations be preceded by specific authorizations. As a result, Congress may,
subject to possible procedural points of order,60 appropriate funds for programs that
exceed the scope and/or duration of a prior authorization. In instances where
Congress has opted for this type of action, the enacted appropriation has been
interpreted by the Comptroller General to, in effect, carry with it its own
authorization and, therefore, is to be available to the agency for obligation and
expenditure.61 In addition, the Comptroller General has also held that, as a general
proposition, the appropriation of funds for a program whose funding authorization
has expired, or is about to expire during the period of availability of the appropriation
(e.g., authorization expires during a fiscal year for which money has already been
appropriated), provides sufficient legal basis to continue a program during that period
DHS Appropriations Act, supra note 1 at § 550(b).
See 71 Federal Register 78276-78332 (December 28, 2006) at 78276 and 78281 (stating
that “[i]f a future appropriations bill continued funding for the Section 550 program beyond
that period, the Department could consider that future funding for the program as an
extension of the ‘authority provided by this section.’”).
Rule XXI(2) of the Rules of the House of Representatives prohibits appropriations for
objects not previously authorized by law. A similar, but more limited, prohibition exists in
Rule XVI of the Standing Rules of the Senate. Each of these provisions must be raised via
a “point of order,” which may be overcome by a super-majority vote in each chamber.
See 67 Comp. Gen. 401 (1988).
of availability, even when expressed congressional intent appears to be contrary.62
Given these general rules, it would appear that should Congress appropriate funds to
DHS for the purpose of continuing to secure chemical facilities, even after the
expiration of the Section 550 authorization, sufficient legal authority would exist for
the regulations to remain in effect.
Sufficiency of DHS Funding
Policymakers and others have expressed concern about whether DHS has
sufficient funding to fully implement chemical facility security regulations.63 The
DHS is statutorily required to inspect and audit regulated facilities to determine their
compliance with the chemical facility security regulations. With the large number
of potentially regulated facilities, this inspection and audit requirement is potentially
costly. Table 1 provides requested and appropriated funding for chemical facility
Table 1. DHS Funding for Chemical Facility Security Regulation
($ in millions)
Source: Requested levels rounded to nearest million and taken from Department of Homeland
Security, Preparedness Directorate, Infrastructure Protection and Information Security, FY2007
Congressional Justification; Department of Homeland Security, National Protection and Programs
Directorate, Infrastructure Protection and Information Security, Fiscal Year 2008 Congressional
Justification; and Department of Homeland Security, National Protection and Programs Directorate,
Infrastructure Protection and Information Security, Fiscal Year 2009 Congressional Justification.
Appropriated levels taken from H.Rept. 109-699, P.L. 110-28, and the explanatory statement for P.L.
110-161 at Congressional Record, December 17, 2007, H16092.
a. Includes both regular and supplemental appropriations.
Before passage of the chemical facility security statute, DHS Secretary Chertoff
suggested that Congress consider authorizing the use of third-party auditors to
determine chemical facility security compliance.64 Critics of outside auditing
question the impartiality and rigor of such reviews, citing problems with analogous
See, e.g., 65 Comp. Gen. 524 (1986); 65 Comp. Gen. 318, 320-21 (1986); 55 Comp. Gen.
See, for example, testimony of Clyde D. Miller, BASF Corporation, before the Committee
on Homeland Security, Subcommittee on Transportation Security and Infrastructure
Protection, on December 12, 2007.
Remarks by Homeland Security Secretary Michael Chertoff at the National Chemical
Security Forum, Washington, DC, March 21, 2006.
third-party financial audits.65 The current regulations do not provide for third-party
inspection and audits. The DHS states that it “intends to issue a future rulemaking
providing the details about its plans to use third-party auditors” and, in the meantime,
“will use its own inspectors for conducting inspections and audits.”66
Reaction to the proposed regulation and the interim final rule has been mixed.
Some policymakers and advocates have criticized the approach taken by DHS.
Others have been supportive. As written, the law anticipates further legislative
activity in this area. Policymakers may decide to wait and observe how the final
interim rule is implemented, attempt to influence DHS’s implementation of the
interim final rule, or legislate to alter or supersede the enacted legislation.
Maintain Status Quo
The authority to federally regulate chemical facility security is new. As such,
regulation in this area may need time to mature. Congress, when passing P.L. 109295, contemplated the eventual supersession of these regulations:
Interim regulations issued under this section shall apply until the effective date
of interim or final regulations promulgated under other laws that establish
requirements and standards referred to in subsection (a) and expressly supersede
this section: Provided, [t]hat the authority provided by this section shall
terminate three years after the date of enactment of this Act.67
Policymakers may view this regulatory authority, and thus these regulations, as a
stop-gap measure, providing a temporary solution to the perceived chemical security
problem, with the intent of allowing the security policy debate to further mature. In
this case, policymakers may decide to wait, allowing DHS to implement its interim
final rule before considering changes in chemical facility security policy. This might
more fully reveal the impacts of the current regulation.
Attempt to Influence Implementation
The statutory language of P.L. 109-295, Section 550 grants significant discretion
to the Secretary. The interpretation and application of this discretion by the
Secretary, particularly in the areas of information protection and state preemption,
were the source of some of the criticisms levied against the proposed regulations.68
Eric Lipton, “Chertoff Seeks a Chemical Security Law, Within Limits,” The New York
Times, March 22, 2006.
72 Federal Register 17688-17745 (April 9, 2007) at 17712.
DHS Appropriations Act, supra note 1 at § 550.
John Heilprin, “Chemical Plants to Submit Security Plans,” Associated Press, December
22, 2006; Greg Gordon, “New Rules Aim to Protect Chemical Plants from Terrorists,” San
While discretionary authority may be important to the effective and efficient
implementation of a regulatory structure, policymakers may believe that execution
of this discretionary authority has been counter to congressional intent. Policymakers
may decide to influence the manner in which the Secretary exercises this discretion.
The DHS requested public comment from interested parties on questions, issues,
and the proposed regulatory language.69 As such, the comments of policymakers,
advocates and interested parties influenced the form and language of the interim final
rule. Through comments to the docket, policymakers expressed support for and
criticism of the proposed regulations.70 The docket for the proposed regulation
closed on February 7, 2007. The interim final rule, promulgated on April 9, 2007,
took account of these comments, addressing them as the Department deemed
Policymakers may conclude that they are dissatisfied with the form of the
interim final rule. If this is the case, policymakers could act to more explicitly
describe and limit the discretionary scope granted to the Secretary. They may
influence the interim final rule’s implementation through the congressional oversight
process by clarifying congressional intent, through hearings on the interim final rule’s
implementation, or through language added to DHS appropriations reports.
Policymakers may decide that additional legislation is necessary in the chemical
facility security area. Such legislation could be targeted in nature, attempting to
remedy perceived flaws by slightly altering the existing authorities granted to DHS,
or more comprehensive. A more comprehensive approach may make substantive
changes in the existing authorities and thus extensive revision of any chemical
facility security regulation.
Policymakers may ultimately decide that the regulatory structure established by
DHS does not satisfy homeland security needs or will prove too onerous to industry
and opt to enact new chemical facility legislation. Such legislation might expand the
reach of the regulatory structure, for example, by mandating the inclusion of
particular chemical substances as potentially dangerous; restrict the scope of
regulation, for example, by lowering regulatory burdens or requirements on small
businesses; or direct the agency to include or exclude particular components from its
Jose Mercury News, December 22, 2006.
71 Federal Register 78276-78332 (December 28, 2006) at 78277. An electronic docket
for this proposed regulation was established at [http://www.regulations.gov] under docket
identification number DHS-2006-0073.
Comments submitted to the docket may be viewed online at [http://www.regulations.gov]
under docket identification number DHS-2006-0073.
Developing new legislation, or changing existing legislation, to alter the DHS
interim final rule may bring additional costs, especially to facilities that have already
come into compliance. If new regulations, established under new or amended
authority, present new requirements for chemical facilities, security efforts enacted
under the original interim final rule may not be entirely applicable. Chemical
facilities may be required to invest in additional security measures to meet these new
requirements, potentially incurring further cost. When considering whether to enact
new legislation or amend existing law, policymakers may opt to consider methods
to mitigate additional costs to chemical facilities that have already complied with the
interim final rule. As the initial statute had a three-year sunset provision, Congress
may have intended that future legislation build upon P.L. 109-295, Section 550, so
that future regulations would be harmonized with the interim final rule initially
Legislation in the 110th Congress. Legislative efforts are under way in the
110 Congress to alter DHS’s statutory authority to regulate chemical facilities. The
Consolidated Appropriations Act, 2008 (P.L. 110-161) contained provisions affecting
the chemical security regulations. Freestanding bills have been introduced in the
House of Representatives and chemical facility security provisions are found in the
farm bill (H.R. 2419, as amended, and S. 2302). Chemical facility security
provisions were also present in the House and Senate DHS 2008 appropriations
bills.71 Finally, chemical facility security provisions were included in the vetoed
FY2007 supplemental appropriation bill (H.R. 1591).
The Consolidated Appropriations Act, 2008 (P.L. 110-161) amended Section
550 of the Department of Homeland Security Appropriations Act, 2007 (P.L. 109295) to establish a state’s right to promulgate chemical facility security regulation
that is at least as stringent as the federal chemical facility security regulation. Only
in the case of an “actual conflict” between the federal and state regulation would the
state regulation be preempted. The DHS has not altered its chemical facility
regulation to explicitly incorporate this change in statute.
The Chemical Facility Anti-Terrorism Act of 2008 (H.R. 5577) would codify,
amend, and further define DHS’s authority to regulate chemical facility security.
Regulations conforming to the new statutory authority would apply upon the sunset
of the current statutory authority. The new statutory authority would require
regulated entities to assess the applicability of inherently safer technologies
(“methods to reduce the consequences of a terrorist attack”) and, on the DHS
Secretary’s determination, implement such technologies. The DHS Secretary would
also provide chemical facilities with information on the use and availability of such
technologies. The act would also require the DHS Secretary to establish a process
for confidential reporting of problems, deficiencies, or vulnerabilities at a covered
chemical facility; it would prohibit retaliation against anyone submitting such reports.
No chemical facilities would automatically be exempt from regulation under the act,
but the DHS Secretary would not be able to require regulated drinking or wastewater
facilities to implement inherently safer technologies unless DHS provided funding
FY2008 appropriations for DHS were provided through the Consolidated Appropriations
Act, 2008 (P.L. 110-161) rather than an independent appropriations act.
to the facility to do so. The act also would allow for certification of regulatory
compliance by third-party entities.
The Chemical Facilities Security Act of 2008 (H.R. 5533) would extend DHS’s
chemical facility regulatory authority by removing the statutory sunset provision. In
addition, it would attempt to preserve state chemical facility security authority by
prohibiting the Secretary from promulgating chemical facility security regulations
that preempt more stringent state chemical facility security regulations.
The Safe Facilities Act (H.R. 1574) would attempt to preserve state chemical
facility security authority by preventing federal preemption of state chemical facility
security laws and regulations that are more stringent than the federal standard.
Similarly, H.R. 1633 would attempt to preserve state chemical facility security
authority by prohibiting the Secretary from promulgating chemical facility security
regulations that preempt more stringent state chemical facility security regulations.
The Chemical Facility Security Improvement Act of 2007 (H.R. 1530) also
would attempt to preserve state chemical facility security laws and regulations, but
it contains additional provisions. It would limit the chemical facility security
information protected from disclosure to vulnerability assessments and site security
plans. Chemical facility security information would be treated in judicial
proceedings as Sensitive Security Information (SSI), rather than as classified
material.72 It would allow the Secretary to disapprove a site security plan based on
the presence or absence of a particular security measure. Finally, it would grant
others besides the Secretary a right of legal action to enforce security provisions.
The 2007 farm bill (H.R. 2419, as amended by the Senate) addresses the impact
of chemical facility security regulations on possessors of propane. It would require
the DHS Secretary to provide a report to Congress that enumerated details regarding
propane-possessing facilities that were required to comply with chemical facility
security regulations. It would also require educational outreach by DHS to rural,
propane-possessing facilities, possibly facilitated by the Food and Agricultural Sector
Coordinating Council. H.R. 2419, as amended by the Senate, passed the Senate on
December 14, 2007, and the House of Representatives, in its unamended form, on
July 27, 2007. It has not yet reported from conference.
An earlier version of the Senate 2007 farm bill (S. 2302, Food and Energy
Security Act of 2007) contains a provision related to chemical facility security.
Section 11070 would prohibit the DHS Secretary from applying the chemical facility
security regulations to sale, use, or storage of propane at rural chemical facilities. It
would not prohibit the DHS Secretary from applying such regulations to nonrural
facilities. S. 2302 was reported out of the Senate Committee on Agriculture,
Nutrition, and Forestry on November 2, 2007.
See CRS Report RL33670, Protection of Security-Related Information, by Gina Marie
Stevens and Todd B. Tatelman (providing an in-depth discussion of the history,
requirements, and litigation that has developed under SSI).
The Department of Homeland Security Appropriations Act, 2008 (S. 1644)
would attempt to preserve state chemical facility security laws and regulations by
preventing federal preemption of state chemical facility security regulations that are
more stringent than the federal standard. Only in the case of “actual conflict” would
state law be preempted. S. 1644 was reported out of the Senate Committee on
Appropriations on June 18, 2007. The Department of Homeland Security
Appropriations Act, 2008 (H.R. 2638) would attempt to preserve state chemical
facility security laws and regulations by preventing federal preemption of state
chemical facility security regulations that are more stringent than the federal
standard. It would also limit the chemical security information protected and treat
protected information as SSI. H.R. 2638 passed the House of Representatives on
June 15, 2007. The Senate amended H.R. 2638 with the language of S. 1644. H.R.
2638 passed the Senate on July 26, 2007. No further action was taken since the
Consolidated Appropriations Act, 2008 (P.L. 110-161), discussed above, provided
appropriations for DHS.
Chemical facility security provisions were included in the vetoed FY2007
supplemental appropriations bill. The chemical facility security provisions of the
U.S. Troop Readiness, Veterans’ Health, and Iraq Accountability Act, 2007 (H.R.
1591) would have attempted to preserve state chemical facility security laws and
regulations; limited the scope of information protected as chemical security
information; and treated protected information as SSI.