Congressional authorization and funding for the Department of Homeland Security’s (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program is once again nearing expiration. That means there will almost certainly be a new authorizing law carrying a fresh set of program amendments. While there is no meaningful opposition to the CFATS as a whole, there is also no shortage of stakeholder opinions on how the program can be improved.
Industry would like Congress and the DHS to provide stronger protections for information the CFATS requires facilities to submit to the government. Spokespersons are also wary of any expansion of the program to cover facilities that are not currently classified as high risk. Public health and worker safety advocates have a longer list of recommended improvements, including the expansion of the CFATS that industry opposes, assurances of stronger worker awareness of and participation in facility programs, and more emphasis on risk reduction (for example, through the required use of inherently safer chemicals) than on risk management.
These and other recommendations were discussed by witnesses at a September 11, 2019, hearing of the House Subcommittee on Environment and Climate Change. The current authorization for the CFATS expires in April 2020, and legislation has been introduced to amend the program and extend it to May 1, 2025. Below, we summarize the CFATS and points made by the hearing witnesses.
Created by Congress in 2006, the CFATS authorizes the DHS to determine whether chemical facilities present “a high level of security risk” because of a potential terrorist attack that could result in adverse consequences for human health, national security, or economic assets. The DHS finalized regulations to implement the CFATS in April 2007. Facilities with screening threshold quantities of dangerous chemicals, or chemicals of interest (COIs), complete a DHS survey called a Top-Screen. Based on data in the Top-Screen, the DHS places facilities into one of four high-risk tiers with Tier 1 representing the highest risk. Tiered facilities must then develop vulnerability assessments and site security plans (SSPs). These plans must meet risk-based performance standards covering 18 areas, including securing site assets, preventing theft and diversion, and restricting the area perimeter. As of September 4, 2019, the CFATS program identified 3,321 facilities as high risk, with 167 facilities placed in Tier 1, 79 facilities in Tier 2, and the remainder in Tiers 3 and 4.
The original CFATS authorization was intended to end in 2009. Congress extended the program through annual appropriations until passage of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. Under that statute, the DHS modified aspects of the program, including improving its methodology for assessing risk and requiring that facilities share more information about facility vulnerabilities with emergency first responders. The legislation also extended the program through the beginning of 2019. In January 2019, the president signed legislation that extended the program again, this time for 15 months, through April 2020.
As noted, there is little if any opposition to legislation to continue the CFATS program for multiple years. Long-term authorization is important for the program. In its early years, the CFATS was not the most efficient federal operation. One reason was that it was difficult to attract and keep highly qualified technical staff in the DHS’s Infrastructure Security Compliance Division (ISCD), which implements the program, because there was no assurance that jobs would last more than 1 year. If testimony at the hearing by industry representatives is any indication, the ISCD no longer lacks skilled staff for determining compliance as well as the adequacy of SSPs.
Periodic reauthorization also allows Congress to consider how the CFATS legislation should be changed to keep current with new threats and new technologies.
“Threats to chemical facilities continue to evolve—from cybersecurity to extreme weather events—and the programs that guarantee the safety of workers, first responders, and frontline communities must also evolve to meet these threats,” said Rep. Paul Tonko (D-NY), who chairs the subcommittee. “We cannot afford to overlook this opportunity to reinforce what is working well and address what could be improved.”
Industry Supportive and Cautious
Two industry representatives at the hearing agreed that the CFATS is an essential regulatory tool that is achieving its mission.
“The CFATS Program has made our industry, our communities and our country more secure,” testified Scott Whelchel on behalf of the American Chemistry Council (ACC). “Ensuring that the CFATS program remains in place is a crucial part of establishing a stable regulatory environment, and providing the needed certainty to foster long-term security investments.”
“I believe the CFATS program has made the chemical industry and our nation much more secure,” said Matthew Fridley, who spoke for the National Association of Chemical Distributors (NACD). “From the time of the program’s establishment in 2007, the industry has invested significant capital and training resources toward enhanced or augmented security measures at our facilities.”
Whelchel also pointed to some of the program’s recent successes, including improved site security inspectors and inspections, an improved risk assessment process, an improved SSP authorization process, and a commitment to work with the regulated community to better the program.
But Whelchel said that several directions the program is taking may present unnecessary difficulties for some regulated entities. For example, one performance standard involves screening individuals for terrorist ties. Initially, this measure required about 240 Tier 1 and 2 facilities to collect sensitive personal identifying information from thousands of employees and contractors and transmit that information over the Internet to the DHS’s Terrorist Screening Database (TSDB) for vetting. The DHS is now expanding the requirement to 3,000 Tier 3 and 4 facilities.
“ACC believes that such an expansion is unnecessary and will needlessly create a security risk by exposing thousands of individual records to loss or cyber theft and operational interruptions (false positives, etc.),” said Whelchel. “Further, we believe the benefit of TSDB vetting at lower risk facilities is minimal at best.”
ACC members, Whelchel continued, also believe the DHS should be more transparent about how it determines risk at a facility.
“Often, covered facilities are not fully aware of the specific threat driving CFATS risk at a specified tier level,” said Whelchel. “It is the site security manager who has the overall responsibility and authority for making critical security risk management decisions at CFATS facilities, and the facility security director should be fully informed by DHS of all details related to threat and risk. If needed, this can be done in a classified setting.”
Other Federal Programs
Fridley also discussed the importance of protecting confidential information. The proposed legislation would provide the DHS with broad authority to disseminate information to emergency response providers to ensure that they are prepared and provided with the situational awareness needed to respond to security incidents at covered chemical facilities. According to Fridley, such assurance is already contained in the existing regulations.
“The current Chemical-terrorism Vulnerability Information process has the correct balance to ensure facilities communicate and share need-to-know information with those agencies to enable them to respond effectively,” said Fridley. “During the inspections process, all DHS inspectors verify that the facility has performed its yearly requirement for outreach with local responders and will not approve the facility’s SSP if this outreach has not occurred.”
Fridley also listed 11 other federal programs that require facilities with dangerous chemicals to communicate certain information to first responders and other local entities. These programs include four sections of the Emergency Planning and Community Right-to-Know Act, the Clean Air Act’s Risk Management Program, emergency response and release reporting of hazardous substances required by the Department of Transportation, and the Occupational Safety and Health Administration’s (OSHA) Hazard Communication Standard and Process Safety Management Standard.
“NACD … believes these requirements appropriately address public safety and facilitate the proper level of dialogue between regulated entities and the public. Therefore, we oppose additional information-sharing requirements in CFATS reauthorization legislation,” testified Fridley.
Calls for More Regulation
Michele Roberts of the Environmental Justice Health Alliance for Chemical Policy Reform began her testimony by describing three industrial disasters in Wisconsin, Texas, and Pennsylvania that illustrate how such incidents can injure workers, endanger communities, and cause the abrupt closure of important industrial facilities.
“While those specific incidents were not terrorism-related, they show the serious vulnerability at facilities located in communities around the country,” said Roberts. “CFATS is a critical program to defend against these incidents. Reauthorizing CFATS represents an important opportunity to strengthen its effectiveness.”
- Including water treatment and maritime facilities in the CFATS program;
- Including clear protections against cybersecurity threats; and
- Requiring that the DHS verify statements submitted by facilities that claim to no longer fall within the CFATS’s jurisdiction.
Roberts also said that the entire CFATS program is “secretive and confusing,” an opinion shared by Whelchel, as noted above.
“Even experienced advocates are sometimes unsure about aspects of CFATS,” testified Roberts. “Because it’s impossible to know for sure what facilities are even required to participate in CFATS, it’s impossible for community members or advocates to fully understand the level of danger, planning, preparedness (or lack thereof), etc., in their neighborhoods.”
As with many environmental and public health advocates, Roberts believes that the CFATS legislation should require that facilities take steps to prevent disasters by minimizing the quantity of dangerous chemicals stored on site and switching to safer chemicals and processes where feasible.
“Risk management steps like fencing, security guards, et cetera, can also be helpful, but risk reduction should be the primary objective,” said Roberts.
Roberts also endorsed the position that the CFATS program and site planning decisions must be more inclusive of and transparent to workers at CFATS facilities. At the hearing, the extent to which facility owners and operators should be required by law to involve facility employees in CFATS activities was discussed in further detail by John Paul Smith of the United Steelworkers. There are several aspects to this topic. One is to make employees aware that there is a CFATS program. This can be done by requiring owners and operators to display a CFATS poster at regulated facilities. That measure is included in the House legislative proposal. The other aspect is to directly involve workers in CFATS decisions. Roberts stated that workers in facilities with dangerous chemicals possess invaluable knowledge and experience about risks and safety.
“It is crucial that CFATS include clear language requiring worker involvement in SSPs and that workers are able to choose the person to best represent them,” he said. “That representative should be provided with the facility information necessary to contribute and participate throughout all phases of security planning and implementation and accompany DHS compliance officers during CFATS inspections. While Congress included some worker participation language in the 2014 authorization bill, our union is not aware of any actual worker participation at facilities in CFATS-related processes as a result of the language.”
The House bill would change the option in the current CFATS law to involve an employee representative in development of the SSP into a requirement.