But latest bill may be too thin

Industry has expressed solid support for the Chemical Facility Anti-Terrorism Standards (CFATS) Authorization and Accountability Act of 2014 (H.R. 4007), which was recently passed out of the House Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. 

H.R. 4007 would make several changes to the CFATS program being administered by the Department of Homeland Security (DHS).  These include ensuring that facilities subject to CFATS would have the flexibility to choose how to meet personnel surety requirements; giving facilities the ability to meet site security obligations through alternative plans; providing the option to have DHS-approved nongovernmental third parties conduct inspections; and authorizing the DHS to share security-related information with state and local governments. 

But the primary effect of the bill would be to actually authorize CFATS through a standalone law. CFATS came into existence in 2006 basically as a rider in the annual appropriations bill.  Thus, it has required annual budgetary approval in subsequent appropriations.  One consequence of this occurred during the U.S. government shutdown in October 2013 when CFATS technically ceased to exist.  Another consequence for the people who run CFATS and those working in it is that they have no assurance that they will have a job in the next fiscal year.  An internal DHS report leaked to the media in 2011 indicated that this uncertainty had a detrimental effect on how CFATS was managed.  For example, CFATS administrators acknowledged that some individuals who were hired into the program did not possess the skills needed to perform their responsibilities effectively.  Furthermore, staff was not receiving the requisite training.

Unqualified staff as well as the need to bring in a large number of contractors did not contribute to good results for the program.  In 2011, 5 years after CFATS was formed, not a single site security plan (SSP)—the primary objective of the program for about 4,200 high-risk facilities—had been approved by the Infrastructure Security Compliance Division (ISCD), the DHS office charged with implementing CFATS. 

These and related revelations caused something of a shakeup in the ISCD in areas such as management, communication, and collaboration with industry, which has a great deal more experience than the federal government in implementing security at major chemical facilities.  The DHS now reports improved CFATS performance.  Specifically, as of April 1, 2014, 1,335 SSPs were authorized (basically a finding that an SSP satisfies the requirements of the program), 912 authorization inspections have been conducted, and 649 SSPs have been approved following on-site inspections.

Question of credibility

The DHS acknowledges that these substantial improvements are still falling short of bringing the CFATS program up to date with its timelines.  DHS officials have stated that the department is exploring new approaches to accelerate the process, including encouraging increased use of alternative security programs (ASPs) and supporting industry’s development of new ASP templates, focusing inspections on the highest-risk facilities, exploring ways to streamline the security plan review and inspection process for multiple facilities owned by a single corporation, and identifying efficiencies in the inspection and compliance-assistance scheduling process to reduce travel time for inspectors.

The DHS and the ISCD believe that the value of these and other changes would be enhanced by a CFATS statute.  Speaking before the subcommittee last February, one DHS official noted that the October 2013 government shutdown, loss of CFATS funding, and all ISCD staff being furloughed undermined the credibility of the program.

“The gap in program authorization caused concern among regulated facilities, with many facilities questioning whether the regulations were still in effect,” testified Caitlin Durkovich, assistant secretary with DHS’s National Protection and Programs Directorate.  “Moreover, it is unclear if the Department would have had the authority to act had there been an exigent need during the shutdown to take enforcement action under CFATS in furtherance of national security interests.”

H.R. 4007 would address this concern by authorizing CFATS for 2 years following enactment of the bill.  According to Durkovich, 2 years is not enough time to provide industry stakeholders the stability needed to plan and invest in CFATS-related security measures.  “Companies have regularly communicated to us that their capital-planning/budgeting processes for security improvements frequently run on a three-to-five-year cycle and they deserve to know that the program will not be allowed to lapse as they invest in major CFATS-related security improvements.”

The Society of Chemical Manufacturers and Affiliates (SOCMA) agreed on the need for longer authorization.  “As SOCMA has testified in the past, the CFATS program should be permanent to be successful,” said SOCMA Vice President Bill Almond.  But he added that the bill provides a “strong foundations for the program, lays out clearer direction for the [DHS], and helps our members better anticipate compliance as a result of a multi-year authorization.”

Other organizations, such as the American Coatings Association (ACA), believe 2-year authorization is just enough.  “ACA believes multi-year authorization gives DHS just enough guidance to more successfully carry out its duties, while at the same time, providing Congress the ability to monitor the program and make any necessary changes to it after the expiration of the multi-year period.”

Bill provisions

H.R. 4007 would provide the following changes to the CFATS program:

• Audits and Inspections.  The DHS must arrange for the audit and inspection of covered chemical facilities to determine compliance with the CFATS program.  Audits and inspections may be carried out by a non-DHS or nongovernment entity approved by the DHS. 
• Alternative security programs.  The DHS may approve an alternative security program established by a private sector entity or a federal, state, or local authority or pursuant to other applicable laws if the DHS determines that the requirements of such program satisfy the statutory provisions.
• Personnel surety.  To satisfy the requirements of the program for personnel surety, a covered chemical facility may utilize any federal screening program that periodically vets individuals against the terrorist screening database. 
• State involvement.  The DHS must consult with the heads of other federal agencies, states, and relevant business associations to identify all chemical facilities of interest.  Moreover, the DHS would not be prohibited from sharing information developed under the act with state and local government officials possessing the necessary security clearance, including law enforcement officials and first responders if such information may not be disclosed pursuant to any state or local law.

More to be done

There is not a great deal more to the bill, which fills only 11 pages of widely spaced text.  This is a concern to Rep. Bennie G. Thompson (D-MS), ranking member of the Homeland Security Committee.  “The legislation before us today has some good features,” said Thompson.  “Certainly the mention of personnel surety is positive.”  But Thompson adds that the bill maintains exemptions of categories of facilities that were put in place “in haste” in 2006.  Overall, Thompson said he sees “nothing in the scant eleven pages of H.R. 4007 to deliver the massive reforms that will be required to make CFATS and other chemical security programs more efficient and productive programs.”  Thompson suggested that the writing of legislation to improve CFATS would be aided by recommendations from the Chemical Security Working Group President Obama established by Executive Order in August 2013.  Those recommendations were due in May 2014.

CFATS was written as an interim means of securing chemical facilities, not as a comprehensive, long-term program, noted Anna Fendley, speaking on behalf of the United Steelworkers at the subcommittee hearing.  Fendley lists five areas of CFATS deficiency, which, she says, are not addressed in H.R. 4007. 

• H.R. 4007 does not extend CFATS coverage to chemicals shipped or stored outside a facility’s fence line in nearby rail yards or other areas that may have little or no security measures.  Currently, CFATS does not prevent this risk shifting from one location to another.  “I have seen pictures and gotten accounts from our members of railcars full of hazardous chemicals parked for days outside the fence line within yards of a busy road near homes and other businesses,” testified Fendley. 
• H.R. 4007 does not change the prohibition within CFATS of any “particular security measure” by the DHS, including a fence in a particular area, a specific control on a unit, or any other measure that is well documented through past practice to prevent catastrophic incidents. “This capacity building measure would require covered facilities to conduct a structured review of options that avoid catastrophic chemical hazards in well-documented assessments and plans that are reported to DHS,” testified Fendley.
• H.R. 4007 does not develop or promote the use of safer chemical processes, which, says Fendley, is the most effective means of reducing a catastrophic chemical incident. The DHS, the EPA, and the U.S. Chemical Safety Board have all highlighted the effectiveness of assessing and, where feasible, implementing safer alternatives at high-risk facilities.  Some companies have shifted to safer processes or reduced their inventory of hazardous chemicals so they are no longer listed as high risk.  In fact, according to a report from the DHS to the Coalition to Prevent Chemical Disasters, since the inception of CFATS, nearly 1,300 facilities have completely removed their Chemicals of Interest and approximately 600 no longer possess a Chemical of Interest at the threshold that requires submission of a Top-Screen to the DHS.  But many companies will never even look into innovating with safer chemical processes without a legal requirement to do so, adds Fendley.
• The Personnel Surety Program (PSP) under CFATS has the potential for unintended consequences. Within the current context of the CFATS program, individual chemical facilities are responsible for clearing workers under their PSP.  H.R. 4007 does not prevent the collection of unnecessary personal employee data by employers or third parties that may be full of inaccuracies due to errors in reporting.  CFATS does not have an adequate appeals process for workers who are wrongly discriminated against during the PSP process.  In a February 3, 2014, Federal Register notice, the DHS stated that employment decisions based on background checks are outside of the scope of CFATS and that the DHS expects employers to comply with applicable federal, state, and local law regarding employment and privacy.  “On the whole this is inadequate,” testified Fendley.  “Workers need an appeals process and whistleblower protections under the CFATS.”
• CFATS lacks the requirement for a meaningful role for workers in chemical security; H.R. 4007 does not provide one.

Even if H.R. 4007 does not make it to President Obama’s desk, which seems to be the case at this point, the bill has once again drawn attention to the wide range of security and safety issues at chemical facilities, and the realization that the existing CFATS program is a meaningful, but still initial step in addressing the risks.

Testimony on H.R. 4007 and CFATS

William C. Schillaci
BSchillaci@blr.com