US flag signifying that this is a United States Federal Government website   Official website of the Department of Homeland Security

Homeland Security

Written testimony of National Protection and Programs Directorate (NPPD) Under Secretary Rand Beers for a House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies hearing titled “The Chemical Facilities Anti-Terrorism Standards Program: Addressing Its Challenges and Finding a Way Forward”

Release Date: 
March 7, 2012

311 Cannon

Introduction

Thank you, Chairman Lungren, Ranking Member Clarke, and distinguished Members of the Committee. It is a pleasure to appear before you today to discuss the Department of Homeland Security's (DHS) efforts to regulate the security of high-risk chemical facilities under the

As you are aware, the Department's current statutory authority to implement CFATS – Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act, as amended was recently extended through October 4, 2012. I believe strongly in the CFATS program and welcome the opportunity to continue to work with the Committee, Congress, and all levels of government and the private sector to further improve this vital national security program.

In the interest of facilitating that collaboration, my testimony today focuses on the current status of the program, examples of the program’s successes to date, some of the current challenges facing the National Protection and Programs Directorate (NPPD) in implementing CFATS, and the actions we are taking to address these challenges. Additionally, I will reiterate the principles that we believe should guide the program's maturation and continued authorization.

At my direction, the program’s leadership has outlined their priorities, the challenges they believe the program faces, and a proposed path forward to address those challenges and accomplish program objectives. I assure the Committee that the CFATS program is making progress; that NPPD, the Directorate with oversight responsibility for the CFATS program, is continuously reviewing the program to identify areas for improvement and correcting course when necessary to ensure proper implementation; and that CFATS’s value as a national security program warrants your support and commitment.

Chemical Facility Security Regulations

Section 550 of the FY 2007 Department of Homeland Security Appropriations Act directed the Department to develop and adopt, within six months, a regulatory framework to address the security of chemical facilities that the Department determines pose high levels of risk. Specifically, Section 550(a) of the Act authorized the Department to adopt rules requiring high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop Site Security Plans (SSPs), and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published an Interim Final Rule, known as CFATS, on April 9, 2007. Section 550, however, expressly exempts from those rules certain facilities that are regulated under other federal statutes, specifically those regulated by the United States Coast Guard pursuant to the Maritime Transportation Security Act (MTSA), drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Departments of Defense or Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC).

The following core principles guided the development of the CFATS regulatory structure:

  1. Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders—federal, state, local, tribal and territorial government partners as well as the private sector—is essential to securing our critical infrastructure, including high-risk chemical facilities. Implementing this program means tackling a sophisticated and complex set of issues related to identifying and mitigating vulnerabilities and setting security goals. This requires a broad spectrum of input, as the regulated facilities bridge multiple industries and critical infrastructure sectors. By working closely with members of industry, academia, and partners across government at every level, we leveraged vital knowledge and insight to develop the regulation;
  2. Risk-based tiering is used to guide resource allocations. Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk—those that, if attacked, would endanger the greatest number of lives;
  3. Reasonable, clear, and calibrated performance standards will lead to enhanced security. The CFATS rule establishes enforceable risk-based performance standards (RBPS) for the security of our nation’s chemical facilities. High-risk facilities have the flexibility to develop appropriate site-specific security measures that will effectively address risk by meeting these standards. NPPD’s Infrastructure Security Compliance Division (ISCD), the Division within NPPD responsible for managing CFATS, will analyze all final high-risk facility SSPs to ensure they meet the applicable RBPS and will approve those that do. If necessary, ISCD will work with a facility to revise and resubmit an acceptable plan and can disapprove security plans if an acceptable plan is not submitted; and
  4. Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies made significant capital investments in security following 9/11, and even more have done so since the passage of the legislation establishing this program. Building on that progress in implementing the CFATS program will raise the overall security baseline at high-risk chemical facilities.

On November 20, 2007, the Department published CFATS’s Appendix A, which lists 322 chemicals of interest—including common industrial chemicals such as chlorine, propane, and anhydrous ammonia—as well as specialty chemicals, such as arsine and phosphorus trichloride. The Department included chemicals based on the potential consequences associated with one or more of the following three security issues:

  1. Release – Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated;
  2. Theft/Diversion – Chemicals that have the potential, if stolen or diverted, to be used as or converted into weapons that could cause significant adverse consequences for human life or health; and
  3. Sabotage/Contamination – Chemicals that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health.

The Department also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways.

Implementation of the CFATS regulation requires the Department to identify which facilities it considers high-risk. In support of this, ISCD developed the Chemical Security Assessment Tool (CSAT) to help the Department identify potentially high-risk facilities and to provide methodologies those facilities can use to conduct SVAs and to develop SSPs. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the initial consequence-based screening tool (Top-Screen), an SVA tool, and an SSP template. The CSAT tool is a secure method as it can be accessed only by Chemical-terrorism Vulnerability Information (CVI) authorized users.

Through the Top-Screen process, ISCD initially identifies high-risk facilities, which the Department then assigns to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk. Tiered facilities must then complete SVAs and submit them to the Department for approval, although preliminary Tier 4 facilities may submit an Alternative Security Program (ASP) in lieu of an SVA. Each SVA is carefully reviewed for its description of how chemicals are managed and for physical, cyber, and chemical security risks.

After completing its review of a facility's SVA, ISCD makes a final determination as to whether the facility is high-risk and, if so, assigns the facility a final risk-based tier. Each final high-risk facility is then required to develop for ISCD approval an SSP or, if it so chooses, an ASP, that addresses its identified vulnerabilities and security issues and satisfies the applicable RBPS. ISCD’s final determinations as to which facilities are high-risk, and as to their appropriate tier levels, are based on each facility's individual security risk as determined by its Top-Screen, SVA, and any other available information. The higher the facility's risk-based tier, the more robust the security measures it will be expected to adopt in its SSP. Risk tier will also be a factor in determining the frequency of inspections.

The SSP is a critical element of the Department's efforts to secure the nation's high-risk chemical facilities; it enables final high-risk facilities to document their individual security strategies for meeting the applicable RBPS. The RBPS cover the fundamentals of security, such as restricting the area perimeter, securing site assets, screening and controlling access, cybersecurity, training, and response. Each high-risk facility's security strategy and measures, as described in the SSP, will be unique, as they depend on the facility's risk level, security issues, characteristics, and other facility-specific factors. In fact, under Section 550, the Department cannot mandate any specific security measure to approve the SSP.

Therefore, the CSAT SSP tool collects information on how each facility will meet the applicable RBPS. The SSP tool is designed to take into account the complicated nature of chemical facility security and allows facilities to describe both facility-wide and asset-specific security measures. NPPD understands that the private sector generally, and CFATS-affected industries in particular, are dynamic. The SSP tool allows facilities to involve their subject-matter experts from across the facility, company, and corporation, as appropriate, in completing the SSP and submitting a combination of existing and planned security measures to satisfy the RBPS. NPPD expects that most SSPs will comprise both existing and planned security measures. Through a review of the SSP, in conjunction with an on-site inspection, ISCD determines whether a facility has met the requisite level of performance given its risk profile and thus whether its SSP should be approved.

For additional context, I would like to provide you with an example of how some facilities approach the development and submission of their SSPs: in the case of a Tier 1 facility with a release hazard security issue, the facility is required to restrict the area perimeter appropriately, which may include preventing breach by a wheeled vehicle. To meet this standard, the facility is able to propose numerous security measures, such as by cables anchored in concrete blocks along with movable bollards at all active gates or by perimeter landscaping (e.g., large boulders, steep berms, streams, or other obstacles) that would thwart vehicle entry. The Department will approve the security measure as long as ISCD determines it to be sufficient to address the applicable performance standard.

In May 2009, DHS issued Risk-Based Performance Standards Guidance to assist high-risk chemical facilities in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the appropriate level of performance for the RBPS at each tier level. The Guidance also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose—whether or not in the Guidance—provided that they achieve the requisite level of performance under the CFATS RBPS.

Implementation Status

To date, ISCD has reviewed more than 40,000 Top-Screens submitted by chemical facilities. Since June 2008, ISCD has notified more than 7,000 facilities that they have been initially designated as high-risk and are thus required to submit SVAs; and ISCD has completed our review of approximately 6,500 submitted SVAs. (Note, not all facilities initially designated as high-risk ultimately submit SVAs or ASPs, as some choose to make material modifications to their chemical holdings, or make other changes, prior to the SVA due date that result in the facility no longer being considered high-risk.) In May 2009, ISCD began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or ASP.

In May 2009, ISCD issued 141 final tier determination letters to the highest risk (Tier 1) facilities, confirming their high-risk status and initiating the 120-day time frame for submitting an SSP. After issuing this initial set of final tier determinations, ISCD periodically issued notifications to additional facilities of their final high-risk status. To date, more than 4,100 additional facilities have received final high-risk determinations and tier assignments, and several hundred that were preliminarily-tiered by ISCD were informed that they are no longer considered high-risk.

As of February 14, 2012, CFATS covers 4,464 high-risk facilities nationwide; of these 4,464 facilities, 3,693 are currently subject to final high-risk determinations and due dates for submission of an SSP or ASP. The remainder of the facilities are awaiting final tier determinations based on their SVA submissions. ISCD continues to issue final tier notifications to facilities across all four risk tiers as we make additional final tier determinations.

It should be noted that since the inception of CFATS, more than 1,600 facilities completely removed their chemicals of interest, and more than 700 other facilities have reduced their holdings of chemicals of interest to levels resulting in the facilities no longer being considered high-risk. These actions, many of which NPPD believes were the result of choices made by facilities after Congressional passage of Section 550 and the adoption of the CFATS regulation, have helped reduce the number of high-risk chemical facilities located throughout the nation, and have correspondingly made the nation more secure. This is just one way in which Congress’s passage of Section 550 to authorize the CFATS program is already helping to make our citizens safer and our nation more secure.

Prior to approving an SSP, ISCD must first authorize the SSP.

  • In February 2010, ISCD began conducting pre-authorization visits of final-tiered facilities, starting with the Tier 1 facilities, and has completed approximately 180 such pre-authorization visits to date. ISCD used these pre-authorization visits to help gain a comprehensive understanding of the processes, risks, vulnerabilities, response capabilities, security measures and practices, and other factors at a covered facility that affect security risk and to help facilities more fully develop and explain the security measures in their SSPs.
  • After ISCD issues a Letter of Authorization for a facility's SSP, ISCD conducts a comprehensive and detailed authorization inspection before making a final determination as to whether the facility's SSP satisfies all applicable RBPS.
    • To date, ISCD has authorized or conditionally authorized 55 of the 117 Tier 1 SSPs and conducted 10 authorization inspections.
    • Facilities that successfully pass inspection and that DHS determines have satisfied the RBPS will then be issued Letters of Approval for their SSPs.
    • Facilities must fully implement their approved SSPs to be considered CFATS-compliant.
    • ISCD plans to issue the first Letters of Approval this year and is currently conducting its due diligence to ensure that the existing or planned security measures at any facility that will receive a Letter of Approval will, in fact, meet the appropriate risk-based performance standards.
  • It is important to note that many of the roughly 4,000 SSPs or ASPs received to date have required or likely will require substantial additional information and clarification from the facilities, adding to the timeline as DHS works with the facilities to fill in the gaps and finalize their SSP or ASP submissions.
  • Under CFATS, when a facility does not meet its obligations under the program, an Administrative Order is the first formal step toward enforcement. An Administrative Order does not impose a penalty or fine but directs the facility to take specific action to comply with CFATS—for example, to complete an overdue SSP within a specified timeframe.
  • If the facility does not comply with the Administrative Order, the Department may issue an Order Assessing Civil Penalty of up to $25,000 each day the violation continues and/or an Order to Cease Operations.
  • In June 2010, ISCD issued its first Administrative Orders to 18 chemical facilities for failure to submit an SSP. During the remainder of the year, ISCD issued an additional 48 Administrative Orders to chemical facilities that had failed to submit their SSPs in a timely manner under CFATS. We are pleased to report that all 66 facilities complied with the Administrative Orders issued. As CFATS implementation progresses, we expect to continue to exercise our enforcement authority to ensure CFATS compliance.

Outreach Efforts

Since the release of CFATS in April 2007, ISCD has taken significant steps to publicize the rule and ensure that the regulated community and our security partners are aware of its requirements. As part of this outreach program, ISCD has regularly updated impacted sectors through their Sector Coordinating Councils and the Government Coordinating Councils of industries most impacted by CFATS, including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors. ISCD has also solicited feedback from our public and private sector partners and, where appropriate, has reflected that feedback in implementation activities.

To date, ISCD inspectors have conducted nearly 900 Compliance Assistance Visits and have held more than 3,000 informal introductory meetings with owners and/or operators of CFATS-regulated facilities. ISCD staff have presented at hundreds of security and chemical industry conferences; participated in a variety of other meetings of relevant security partners; established a Help Desk for CFATS questions that receives between 40 and 80 calls daily; put in place a CFATS tip-line for anonymous chemical security reporting; and developed and regularly updated a highly regarded Chemical Security website (www.DHS.gov/chemicalsecurity), which includes a searchable Knowledge Center. ISCD has also offered regular SSP training webinars to assist high-risk facilities to complete their SSPs.

In addition, ISCD continues to focus on fostering solid working relationships with state and local officials as well as first responders in jurisdictions with high-risk facilities. To meet the risk-based performance standards under CFATS, facilities need to cultivate and maintain effective working relationships—including a clear understanding of roles and responsibilities—with local officials who aid in preventing, mitigating and responding to potential attacks. To facilitate these relationships, ISCD inspectors have been actively working with facilities and officials in their areas of operation, and they have participated in more than 2,000 meetings with federal, state, and local partners, including more than 100 Local Emergency Planning Committee meetings. Such meetings afford ISCD inspectors with an opportunity to provide our federal, state, and local security partners with a better understanding of CFATS requirements and allow our inspectors to gain insight into the activities of federal, state, and local partners operating within their jurisdictions.

Other efforts to ensure state and local awareness of and involvement in CFATS include the joint development with the State, Local, Tribal, and Territorial Government Coordinating Council and sharing of outreach materials specifically tailored to the emergency response community, which summarize CFATS programs and processes for local emergency responders; annual collaboration with the State of New Jersey's Office of Homeland Security and Preparedness and participation in several CFATS-based workshops hosted by the state that have brought together facility owners/operators, site security personnel, emergency responders, and other state-based stakeholders; and participation in two successful CFATS workshops hosted by the State of Michigan in Detroit and Midland, Michigan. Moving forward, ISCD hopes to continue and expand our collaborative efforts with our state partners on CFATS-based workshops. Additionally, in May 2010, ISCD launched a web-based information-sharing portal called “CFATS-Share.” This tool provides selected Federal, State, and Local stakeholders, such as interested state Homeland Security Advisors and their designees, DHS Protective Security Advisors, the National Infrastructure Coordinating Center, the DHS Chemical Sector-Specific Agency, as well as certain members of the State, Local, Tribal and Territorial Government Coordinating Council, access to key details on CFATS facility information as needed.

ISCD also continues to collaborate within DHS and with other federal agencies in the area of chemical security, including routine engagement among the NPPD’s subcomponents and with the USCG, the Transportation Security Administration, the Department of Justice's FBI and Bureau of Alcohol, Tobacco, Firearms and Explosives, the NRC, and the EPA. An example of this coordination includes the establishment of a joint ISCD/USCG CFATS-MTSA Working Group to evaluate and, where appropriate, implement methods to harmonize the CFATS and MTSA regulations. Similarly, NPPD has been working closely with the EPA to begin evaluating how the CFATS approach could be used for water and wastewater treatment facilities.

Internally, we are continuing to build ISCD. We have hired, or are in the process of on-boarding, more than 206 people, and we are continuing to hire to meet our staffing goal of 253 positions this fiscal year. These numbers include our field inspector cadre, where we have filled 102 of 108 field inspector positions and all 14 field leadership positions.

Identified Challenges and Next Steps

The Department, NPPD, and ISCD have done much work over the past few years to establish and implement this unprecedented regulatory program, but CFATS still has challenges to address. In recognition of this, upon the arrival of ISCD’s new Director and Deputy Director, I asked them to provide for my consideration their views on the successes and challenges of the CFATS program. Candid, honest assessments and critiques are valuable tools in evaluating progress and determining where improvement is needed. Furthermore, course corrections are to be expected and ongoing decisions will need to be made.

In late November 2011, the ISCD Director and Deputy Director hand-delivered to me a memo providing their views. It is important to note that, in addition to the referenced challenges, the ISCD memorandum also proposed for my consideration a charted path to addressing the challenges. Specifically, the memorandum included an Action Plan with detailed recommended steps for addressing the issues identified, and we have shared those with the Committee. Since my receipt of the ISCD memorandum, each of the nearly 100 action items contained in the proposed Action Plan has now been assigned to a member of ISCD’s senior leadership team for action, and I have already seen progress on many of these items. For accountability, planning, and tracking purposes, the members of that leadership team have been asked to provide milestones and a schedule for the completion of each task assigned to them, and the Acting ISCD Chief of Staff will monitor progress. In addition, ISCD leadership meets with my Principal Deputy Under Secretary at least once a week to provide status updates on the action items.

The speed with which the program was stood up necessitated some decisions that, at the time, seemed appropriate. For example, at the program’s outset, certain roles and responsibilities were envisioned for the program staff that, in the end, did not apply. This resulted in the hiring of some employees whose skills did not match their ultimate job responsibilities and the purchase of some equipment that in hindsight appears to be unnecessary for chemical inspectors. Additionally, we initially envisioned a greater number of field offices than we determined were necessary to deploy in our current environment. These decisions and the subsequent challenges that have resulted from them are directly related to the accelerated stand-up of the program—and while we regret that they occurred, we consider them valuable lessons learned.

Program Successes

I would like to point out to the Committee that NPPD has made progress in addressing some of the other challenges in the ISCD memorandum and Action Plan. One identified challenge regards the ability of ISCD to complete SSP reviews in a consistent, reasonable, and timely fashion. To help overcome past difficulties in meeting this challenge, ISCD is utilizing an interim SSP review process that is allowing the Department to review Tier 1 facility SSPs in a more effective and timely manner.

Over the past few months, ISCD has been able to more than quadruple the number of authorized SSPs, and I am pleased to report that as of February 21, 2012, 55 of the 117 Tier 1 SSPs have been authorized or conditionally authorized. ISCD expects to complete its review of all Tier 1 SSPs and to notify the facilities of ISCD’s decisions on those SSPs within the coming months. ISCD also expects to begin issuing authorizations to Tier 2 facilities during FY12. While this interim review process is under way, ISCD is also working on an even more efficient long-term approach to SSP review for facilities in Tiers 2, 3, and 4. This long-term approach will incorporate lessons learned.

A second challenge identified in the memorandum concerns organizational culture and morale. Based in part on internal staff surveys and personal observation, ISCD leadership believes that improved internal communication, stronger programmatic leadership, consistent levels of accountability, and a clearly articulated shared vision and values will significantly improve morale throughout ISCD. The Action Plan contains numerous planned or proposed actions designed to achieve this goal, many of which already are being implemented.

For instance, ISCD employees now contribute to, and receive a monthly ISCD newsletter and weekly updates on ISCD events in an effort to improve internal communications; numerous ISCD Director-led town halls and open-door sessions have been held with employees in D.C. and throughout the country; vacancy announcements that will be used to hire a permanent leadership team to support the new Director and Deputy Director are going through the Departmental human capital process; more thorough supervisory training and guidance on performance monitoring is being identified and will be provided to all Divisional supervisors; and a cross-Divisional working group was established to update or develop a Division mission statement, vision statement, and statement of core values, which will be shared and consistently reinforced with all ISCD staff. Through these and other activities, I believe that Division-wide morale is improving, which ultimately will pay dividends not only in improved staff retention, but also in improved staff performance. In addition, ISCD leadership has worked with, and will continue to work with, the CFATS inspector cadre’s union to develop and implement appropriate and sustainable solutions to address these challenges.

In working on implementing action items and identifying the best solutions for the challenges facing CFATS, NPPD leadership is committed to receiving input from and, where appropriate, collaborating with the regulated community and our Federal, State, and local partners.

NPPD, ISCD, and the Department are taking our responsibilities for the CFATS program and the nation’s security seriously and are moving forward quickly and strategically to address the challenges before us. We believe that CFATS is making the nation safer and are dedicated to its success. We will make the necessary course corrections to improve the program to better protect the nation.

Legislation to Permanently Authorize CFATS

We have benefited from the constructive dialogue with Congress, including Members of the Committee, as it continues to contemplate new authorizing legislation for CFATS. The Department recognizes the significant work that the Committee and others have accomplished to reauthorize the CFATS program. We appreciate this effort and look forward to continuing the constructive engagement with Congress on these important matters.

The Department supports a permanent authorization for the CFATS program and is committed to working with Congress and other security partners to establish a permanent authority for the CFATS program in Federal law.

Conclusion

As the activities described above demonstrate, NPPD is continuing to make progress in the implementation of CFATS. CFATS already is reducing the risks associated with our nation’s chemical infrastructure. In August 2011, the American Chemistry Council (ACC) conducted a survey of CFATS-regulated facility owners covering approximately 800 facilities and received over 135 responses. Among other things, the ACC survey found that the majority of respondents believe extending CFATS will improve chemical security at CFATS-regulated facilities. The results also revealed that companies have made substantial investments in security upgrades as a result of CFATS, and plan to make additional investments following ISCD approval of their SSPs.

As we implement CFATS, we will continue to work with industry, our federal partners, states, and localities to get the job done, meet the challenges identified in the ISCD report, and effectuate the continuing utility of the program in preventing terrorists from exploiting chemicals or chemical facilities in a terrorist attack against this country.

Thank you for holding this important hearing. I would be happy to respond to any questions you may have.

Back to Top