The Department of Homeland Security (DHS) has streamlined its process for reviewing the security plans of over 3,000 facilities ranked as high-risk under the Chemical Facility Anti-Terrorism Standards (CFATS) program, but still needs almost 10 years to complete reviews.
That assessment was provided by the U.S. Government Accountability Office (GAO), which in an April 2013 report was highly critical of DHS’s management of the CFATS program. At an August 1, 2013, hearing of the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, a GAO official acknowledged DHS’s efforts, but continued to question if the DHS was communicating with CFATS facilities in ways that could lead to improvements in the program.
Established by law in 2007, the CFATS program is intended to assess the risks posed by chemical facilities, place high-risk facilities in one of four risk-based tiers, require high-risk facilities to develop security plans, and require that the DHS review the plans and inspect facilities to ensure compliance with regulatory requirements. Covered facilities must meet risk-based performance standards, meaning they are free to implement whichever security measures they find appropriate; however, it is up to the DHS to confirm that the measures address risk to the requisite level.
Three weaknesses
In its April 2013 report, the GAO said DHS’s implementation of the CFATS had several major problems. First, the approach the DHS used to assign facilities to tiers considered the human consequences of a terrorist attack but failed to consider direct economic consequences. Second, the DHS did not consider the threat from theft or diversion to 90 percent of the tiered facilities. Third, the DHS did not consider vulnerability when developing facility risk scores. Also in the report, the GAO noted that the DHS acknowledged that the program had problems and had begun to take corrective steps.
Simultaneous reviews
In testimony before the subcommittee, Stephen L. Caldwell, who leads GAO’s Homeland Security and Justice team, reported that in July 2012, the DHS launched a new approach to reviewing facility security plans. Specifically, instead of having one reviewer sequentially review pieces of thousands of plans, the DHS began to make use of contractors, teams of DHS employees, and DHS field inspectors to review plans simultaneously. As a result, between July 2012 and December 2012, the DHS approved 18 security plans. Also, the DHS says it believes the revised process could enable the department to approve security plans at a rate of about 30 to 40 per month.
At this rate, says the GAO, it will take 7 to 9 years to complete reviews and approvals for the approximately 3,120 facility plans. Furthermore, the GAO adds, this work estimate considered neither other activities central to the CFATS mission nor the development and implementation of the compliance inspection process, which occurs after security plans are approved. According to the GAO, the DHS said it was actively exploring ways to reprioritize resources and streamline inspections and reviews to thin the backlog of security plans subject to review.
Outreach
In the April 2013 report, the GAO also said the DHS was working harder to communicate and cooperate with facility owners and operators to enhance security. In his testimony, Caldwell said the DHS has increased the number of its visits to facilities to improve plans. However, he also reported that only 3 of the 11 associations responding to a GAO questionnaire said DHS’s outreach effort was effective. Three others said the outreach had a mixed effect; four reported that the outreach was not effective; and one said it did not know.
The GAO concluded that the DHS generally acquired feedback in an informal manner. Accordingly, the GAO has recommended that the DHS systematically gather feedback on its outreach to facilities. The DHS agreed to do so, said Caldwell at the hearing.
Click here for Caldwell’s testimony.