Emerging Issues in Security, Policies and Training

Stakeholders Urge Reauthorization of CFATS as it Overcomes its Growing Pains

After years of sputtering progress, the Department of Homeland Security’s (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program is beginning to resemble a well-run, if not yet mature, government-industry undertaking.Chemical_Tanks

Plagued in its early years by a remarkable level of inefficiency for a congressionally mandated program with a critical mission, the CFATS rebounded after 2014 when Congress wrote the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (CFATS Act). While that legislation included important programmatic improvements, the element most desired—and obtained—by the DHS was multiyear funding for the CFATS, replacing the program’s year-to-year authorization, which began with the DHS Appropriations Act of 2007.

The need to obtain annual approval of funding turned out to be a debilitating drag on the CFATS, both causing the regulated sector to question whether it should make long-term commitments to cooperate with the DHS with a program with an uncertain future and discouraging CFATS’s specialized staff to stick with the DHS when their long-term job security was in doubt.  In October 2013, funding for the CFATS actually lapsed, causing the programmatic activities to cease.

“This gap caused many facilities to question whether the program’s provisions were still in effect and the Department to question whether it had the authority to take enforcement action had there been an exigent need or imminent threat,” said David Wulf, DHS’s acting deputy assistant secretary for Infrastructure Protection. “Enacting a multi-year CFATS authorization as Congress did in 2014 marked an important turning point for the program.”

Funding and CFATS’s prospects are back in the picture as the 2014 authorization will expire in January 2019. Impending expiration prompted the House Subcommittee on Environment to convene a hearing on June 14, 2018, to review the progress the CFATS has made. All witnesses, including Wulf, who spoke specifically about the CFATS, expressed confidence in the program and said Congress should continue to support it. Some witnesses also suggested that the program would benefit from changes.

Here we summarize the basic CFATS program, the changes that came with the 2014 amendments, and several changes sought by stakeholders who spoke at the hearing.

Program Basics

As directed by Congress and developed by the DHS, CFATS regulations established risk-based performance standards wherein certain facilities with on-site threshold amounts of over 300 chemicals—called chemicals of interest (COIs)—undertake actions to prevent COIs from being used in terrorist attacks. The process begins with facilities with COIs conducting a Top Screen, a risk assessment that measures potential facility vulnerabilities. Top Screens are submitted to the DHS, which determines which facilities are high risk. Since the DHS began collecting this information in 2007, more than 40,000 facilities have reported chemical holdings. Facilities found to be high risk are assigned to one of four tiers, with Tier 1 the highest risk tier and Tier 4 the lowest.

Once assigned to a tier, and unless it opts for an Alternate Security Plan, a facility must complete and submit to the DHS a facility vulnerability assessment followed by a Site Security Plan (SSP). Each is subject to DHS approval. The DHS also must conduct site visits to determine whether the vulnerability assessment and SSP are adequate and to ensure compliance with an approved SSP.

Problems Emerge

Beginning about 2010, it was becoming apparent that there were flaws in the CFATS program. A memo prepared by the Subcommittee staff states:

“In May 2010, CFATS program officials realized that improper inputs were used to tier facilities, resulting in the mis-tiering of 600 facilities—among these, 148 facilities were tiered at a lower risk tier, 99 facilities were found not to need a tier and no longer subject to CFATS regulation, 41 facilities had either data errors that still need correction or have their redetermination under review, and 175 facilities remained in the same level, but will have the risk levels for their chemicals of interest decrease. In November 2011, a leaked internal memorandum detailed an array of management flaws, personnel issues, and achievement gaps within the CFATS program.”

Congress subsequently asked the U.S. Government Accountability Office (GAO) to determine where deficiencies with the CFATS program exist. The GAO has responded by issuing seven reports to Congress on its work since 2012, plus its testimony at the June 14 hearing. The GAO is expected to release its final report in summer 2018. GAO’s past findings include the following:

  • In 2013—the risk assessment approach used in CFATS was based primarily on consequences arising from human casualties; it did not consider economic consequences, as called for by the National Infrastructure Protection Plan and the CFATS.
  • In 2013—the DHS faced a 7- to 9-year backlog in its reviews of SSPs.
  • In 2013—the DHS was soliciting informal feedback from facility owners and operators on its efforts to communicate and work with them, but it did not have an approach for obtaining systematic feedback on its outreach activities.
  • In 2014—after an explosion at a fertilizer plant in Texas and an Executive Order from President Barack Obama, the DHS began to work with other agencies to identify facilities that should have reported their chemical holdings to CFATS.

RomoloTavani / iStock / Getty Images Plus / Getty Images

CFATS Act of 2014

In addition to the 4-year authorization of the CFATS program, the 2014 legislation included the following:

  • A mandated security risk assessment approach and corresponding tiering methodology for covered chemical facilities that incorporates threat, vulnerability, and consequence;
  • Required criteria for determining the security risk of terrorism associated with a covered chemical facility to account for relevant threat information; potential economic consequences and the potential loss of human life in the event the facility is struck by terrorists; and vulnerability of the facility to an act of terrorism;
  • A voluntary, expedited approval process for SSPs at Tier 3 and 4 facilities;
  • A process for regulated chemical facility employees to confidentially report CFATS violations to the DHS;
  • New procedures for the Personnel Surety Program (a program used by covered chemical facilities to determine whether persons with access to their facility may have ties to terrorism); and
  • A requirement that the DHS consult with other federal, state, and local governments, as well as business associations and organized labor, to identify all chemical facilities that should be participating in the CFATS.

Current Program

Given its intense involvement in the CFATS, GAO’s current view of the program will likely be factored into any upcoming congressional action. In his testimony before the subcommittee, Chris Currie, who leads GAO’s work on critical infrastructure protection, noted that the DHS has achieved the following improvements:

  • Has taken actions to better verify the accuracy of data on the risk of toxic releases rather than relying on facilities to do so.
  • Launched a new risk assessment methodology in October 2016 and is currently gathering new or updated data from about 27,000 facilities to determine which should be categorized as high risk and assign these facilities to a risk-based tier.
  • Eliminated its backlog of reviews of SSPs and visiting facilities to ensure their security measures meet DHS standards.
  • Developed an enforcement procedure and a draft compliance inspection procedure. The DHS expects to finalize the compliance inspection procedure by the end of fiscal year 2018. (In contrast, in July 2015, the GAO reported that the DHS conducted compliance inspections at 83 of the 1,727 facilities with approved SSPs. The GAO found that nearly half the inspected facilities were not fully compliant with their approved security plans and that the DHS did not have documented procedures for managing facilities’ compliance.

DHS’s Wulf expanded on these achievements.

“In July 2016, after more than 6,000 inspections and compliance assistance visits and review of nearly 3,000 SSPs, I approved an SSP which marked a milestone for the CFATS program,” said Wulf. “This approval, after three years of concerted effort to move the CFATS program forward, effectively eliminated the backlog of SSP reviews six years ahead of GAO projections.

“With this achievement, we transitioned from ‘start up’ to a more mature ‘steady-state’ posture, and are now able to more fully focus on conducting compliance inspections and building a stronger culture of security. Whereas previously our inspections were overwhelmingly of the pre-approval authorization-inspection variety, now the majority of the inspections are post-security plan-approval compliance inspections. To illustrate how far we have come in this regard, at the end of fiscal year 2013, the Department had completed only one compliance inspection. Since that time, the Department has conducted 3,552 compliance inspections. I’m pleased to note that, nearly across the board, the results of these inspections have been positive. Facilities across the nation are effectively executing their comprehensive CFATS SSPs. Where issues have been identified during inspections, they have nearly always been quickly remedied; where needed, however, we have utilized our enforcement authorities to incentivize compliance.”

Lab safety

BraunS / E+ / Getty Images

Stakeholders Agree

At the hearing, representatives of industries with CFATS facilities generally agreed that the program is needed and that the DHS is running it more effectively and efficiently. For example, James W. Conrad, Jr., who spoke on behalf of the Society of Chemical Manufacturers and Affiliates (SOCMA), said the organization strongly supports the CFATS program, that the program turned around under Wulf’s leadership, and that Congress should pass legislation to reauthorize it before its authorization expires. He added:

“The most significant recent improvement in the CFATS program is version 2.0 of the Chemical Security Assessment Tool (CSAT), which was released in September 2016. CSAT is an integrated online portal that enables facilities to submit information for the initial Top-Screen, the Security Vulnerability Assessment, and the Site Security Plan. The original CSAT process was clunky and difficult to use, and took a significant amount of time and energy to complete. The number one recommendation in SOCMA’s CFATS comments in 2014 was that DHS fix it. DHS has now improved the tool dramatically, and our members uniformly report that it is much easier to use and far less resource intensive—while still providing DHS the information it needs.”

Conrad said the SOCMA had “some concerns” with the program and offered the following recommendations:

  • Congress should create a clearer obligation for the DHS to share with a facility the exact reason for its tier assignment. That would better enable facilities to understand what they might do to lower their risk tier.
  • The DHS is considering expanding the CFATS Personnel Surety Program (PSP) from only Tier 1 and Tier 2 facilities to Tier 3 and Tier 4 facilities. This program requires the vetting of facility personnel and unescorted visitors who have or are seeking access to restricted areas and critical assets at high-risk chemical facilities. Conrad says a multiagency review of the effectiveness of the PSP is necessary to really understand the costs and benefits of the PSP before expanding it to Tiers 3 and 4.
  • The CFATS should include recognition of voluntary industry programs to enhance security and, as a result, the CFATS program. “A public/private sector partnership, like ChemStewards, that leverages industry stewardship programs to further enhance the safety and security of hazardous chemicals could benefit both chemical facilities and the public,” said Conrad.
  • Any expansion of Appendix A, the list of COIs that triggers CFATS applicability, should occur only after notice and comment rulemaking. “Facilities impacted by changes to Appendix A must have ample opportunity to supply DHS all the pertinent information it needs to decide whether to list a chemical and at what quantities and concentrations,” testified Conrad.

Other industry stakeholders offered the same and related recommendations for the CFATS program.

Testimony before the subcommittee is available here.