Thank you, Chairman Shimkus, Ranking Member Green, and distinguished Members of the Committee. It is a pleasure to appear before you today to discuss the Department of Homeland Security’s (DHS) regulation of high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS). My testimony today focuses on improvements to the program, the current status of the program, examples of the program’s successes to date, some of the current challenges facing the National Protection and Programs Directorate (NPPD) in implementing CFATS, and the actions we are taking to address these challenges through the Infrastructure Security Compliance Division (ISCD) Action Plan.
The CFATS program has made our Nation more secure and we welcome the opportunity to continue to work with Congress, all levels of government, and the private sector to further improve this vital national security program. As you are aware, the Department’s current statutory authority to implement CFATS – Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act, as amended –currently extends through October 4, 2012.
Since the inception of CFATS, more than 2,700 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. In addition, NPPD’s Chemical Security Inspectors have been actively working with facilities and governmental agencies across the country to facilitate the development of measures by high-risk chemical facilities that reduce security risks and enhance nationwide preparedness. Collectively, they have participated in more than 3,800 meetings with federal, state, and local officials; held more than 4,160 introductory meetings with owners and operators of CFATS-regulated or potentially regulated facilities; and conducted more than 1,050 Compliance Assistance Visits at chemical facilities to assist those facilities in the preparation of the necessary security-related documentation required by CFATS. In addition, NPPD has reviewed the Site Security Plans (SSPs) of the highest risk (Tier 1) facilities and is currently reviewing the SSPs for Tier 2 facilities. We have resumed authorization inspections [and begun approving SSPs for Tier 1 facilities].
At my direction, the program’s leadership outlined its priorities, the challenges it believes the program faces, and a proposed path forward to address those challenges and accomplish program objectives. As the Directorate with oversight responsibility for the CFATS program, NPPD is continually evaluating the program to identify areas for improvement and correcting course when necessary to ensure proper implementation. I am pleased to inform you that NPPD has made progress on all 95 of the action items now included in the ISCD Action Plan and as of September 4, 2012 has completed 59 of them.
Chemical Facility Security Regulations
Section 550 of the FY 2007 Department of Homeland Security Appropriations Act directed the Department to develop and adopt within six months a regulatory framework to address the security of chemical facilities that the Department determines pose high levels of risk. Specifically, Section 550(a) of the Act authorized the Department to adopt regulatory requirements for high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop SSPs, and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published final regulations, known as CFATS, on April 9, 2007. Section 550, however, expressly exempts from the regulation certain facilities that are regulated under other federal statutes, specifically those regulated by the United States Coast Guard (USCG) pursuant to the Maritime Transportation Security Act, drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Department of Defense or Department of Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC).
The following core principles guided the development of the CFATS regulatory structure:
- Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders—Federal, state, local, and territorial government partners as well as the private sector—is essential to securing our critical infrastructure, including high-risk chemical facilities;
- Risk-based tiering is used to guide resource allocations. Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk—those that, if targeted, would endanger the greatest number of lives;
- Reasonable, clear, and calibrated performance standards will lead to enhanced security. The CFATS rule establishes enforceable risk-based performance standards (RBPS) for the security of our nation’s high-risk chemical facilities. High-risk facilities have the flexibility to develop appropriate site-specific security measures that will effectively address risk by meeting these standards. ISCD will analyze all final high-risk facility SSPs to ensure they meet the applicable RBPS and will approve those that do. If necessary, ISCD will work with a facility to revise and resubmit an acceptable plan and can disapprove security plans if an acceptable plan is not submitted; and
- Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies made significant capital investments in security following 9/11, and even more have done so since the passage of the legislation establishing this program.
Within a few months after the final regulations were developed, on November 20, 2007, the Department published CFATS Appendix A, which identifies 322 chemicals of interest—including common industrial chemicals such as chlorine, propane, and anhydrous ammonia—as well as specialty chemicals, such as arsine and phosphorus trichloride. These chemicals were included after analyzing the potential consequences associated with one or more of the following three security issues:
- Release – Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated;
- Theft/Diversion – Chemicals that have the potential, if stolen or diverted, to be used as or converted into weapons that could cause significant adverse consequences for human life or health; and
- Sabotage/Contamination – Chemicals that are shipped and that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health.
NPPD also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways. Any chemical facility that possesses any chemical of interest at, or above the applicable Screening Threshold Quantity must submit an initial consequence-based screening tool, the “Top-Screen,” to NPPD.
This Top-Screen process developed by NPPD allows the government, for the first time, to gather data that can identify potential high-risk facilities, which NPPD then assigns to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk.
To support this activity, ISCD developed the Chemical Security Assessment Tool (CSAT) to help NPPD identify potentially high-risk facilities and to provide methodologies those facilities can use to conduct SVAs and to develop security plans. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the Top-Screen, an SVA tool, and an SSP template. To protect this sensitive information, NPPD developed an information management regime, Chemical-terrorism Vulnerability Information (CVI), which limits access to trained and authorized users.
In May 2009, NPPD issued Risk-Based Performance Standards Guidance to assist final high-risk chemical facilities in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the appropriate level of performance for the RBPS at each tier level. The Guidance was informed by the experience of the Transportation Security Administration, United States Coast Guard, and the Environmental Protection Agency, and also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose—whether or not in the Guidance—provided that NPPD determines through approval of the facilities’ SSPs that they achieve the requisite level of performance under the CFATS RBPS.
To date, ISCD has data from more than 41,000 Top-Screens submitted by chemical facilities, providing important information about their chemical holdings. Since June 2008, ISCD identified more than 8,000 facilities that it has initially designated as high-risk. These facilities have used the CSAT tool to compile and submit SVAs. In May 2009, following reviews of facilities’ SVA submissions, ISCD began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or an Alternative Security Program (ASP) in lieu of an SSP.
As of September 4, 2012, CFATS covers 4,433 high-risk facilities nationwide; of these 4,433 facilities, 3,660 are currently subject to final high-risk determinations and have developed security plans for NPPD review. The remaining facilities are awaiting final tier determinations based on their SVA submissions. ISCD continues to issue final tier notifications to facilities across all four risk tiers.1
1 Tiering determinations are dynamic; for example, a tiering determination can change when a facility voluntarily alters its operations in a material way that reduces its risk profile. “Final tiering” refers to a tiering assignment following a Security Vulnerability Assessment; it does not imply that this is the final tiering assignment a facility may receive.
Highlights and Successes of CFATS Program
As we have previously discussed with this Subcommittee, the ISCD Action Plan currently contains 95 items, each of which has been assigned to a member of ISCD’s senior leadership team for implementation. For accountability, planning, and tracking purposes, the members of that leadership team have established milestones and projected timeframes for the completion of each task assigned to them. In addition, ISCD leadership meets with the Deputy Under Secretary of NPPD at least once per week to provide status updates on the action items and discuss ways that NPPD leadership can help. As of September 4, 2012, 59 of the 95 action items contained in the Action Plan have been completed.
I would like to share with the Subcommittee some of the highlights and successes that are a direct result of the implementation of the Action Plan and other recent initiatives performed by ISCD. These include: improving the SSP review process and increasing the pace of SSP reviews; refining inspector tools and training; reinvigorating industry engagement on their development of ASP templates; improving internal communications and organizational culture; and preparing for an external peer review of the CFATS risk assessment methodology.
SSP Review Process. ISCD is currently utilizing a refined approach for reviewing SSPs in order to move forward in a more efficient and timely fashion. At this time, ISCD has completed its review of all Tier 1 SSPs and has begun reviewing Tier 2 SSPs. As of September 9, 2012, of the Tier 1 SSPs reviewed, we have authorized or conditionally authorized SSPs for 73 facilities and approved 1. Of the remaining Tier 1 SSPs reviewed by NPPD, we are either validating results or reaching out to these facilities to obtain additional information or action in the hope of resolving the outstanding issues affecting their SSPs. Going forward, ISCD will continue to work to improve its SSP review process to make it as efficient and effective as possible.
Inspections. Last Fall, ISCD established an Inspector Tools Working Group to ensure the Chemical Security Inspectors have up-to-date and, where appropriate, improved inspections procedures, policies, equipment, and guidance. In late spring 2012, ISCD finished updating and revising its internal inspections policy and guidance materials for conducting inspections. Over the course of the summer, ISCD conducted five inspector training sessions, which focused on the updated policy, procedures and related materials to prepare Chemical Security Inspectors to resume authorization inspections at facilities with authorized or conditionally authorized SSPs. As of July 16, 2012, ISCD has resumed authorization inspections at Tier 1 facilities. This is a vital step for moving the CFATS program toward a regular cycle of approving SSPs and conducting compliance inspections for facilities with approved SSPs.
Alternative Security Programs (ASPs). Many members of the regulated community and their representative industry associations have expressed interest in exploring ways to use the ASP provisions of the CFATS regulation to streamline the security plan submission and review process. In support of this, ISCD has been holding vigorous discussions with industry stakeholders in regard to their development and submission of ASPs. One particularly promising effort has been ISCD’s engagement with the American Chemistry Council (ACC) in support of its efforts to develop an ASP template for use by interested members of its organization. The ACC has developed a template that was piloted at a facility in early August and is expected to be available for use by ACC members later this year. In addition, DHS has been in discussion with other industry stakeholders, including the Agricultural Retailers Association, about developing templates specific to their members. ASPs submitted by facilities using a template will be reviewed under the same standards that ISCD currently reviews SSPs. Additionally, DHS continues to review existing industry programs, such as ACC Responsible Care® and SOCMA ChemStewards®, to identify potential areas of engagement and further discussion.
Internal Communications and Employee Morale. The Action Plan contains a number of items designed to improve internal communications and morale within ISCD. ISCD has implemented many of these action items and has made significant progress on many others. For instance, ISCD employees now contribute to and receive a monthly ISCD newsletter, which covers a wide variety of both field and headquarters activities. ISCD leadership has promoted staff engagement and a dialogue about issues and concerns through monthly town halls and a senior leadership open-door policy. ISCD staff has a standing invitation to participate in group open-door sessions or to schedule one-on-one discussions with Division leadership.
ISCD is also moving forward with issuing vacancy announcements to hire a permanent leadership team; several announcements have already been posted and several others are nearing posting. Supervisors have been provided with additional supervisory training and guidance on performance monitoring. The Division has developed a mission statement, vision statement, and core values. As a result of these and other efforts, I believe that Division-wide morale is improving, which ultimately will pay dividends not only in improved staff retention, but also in improved staff performance and program execution.
Risk Assessment Methodology Review. In light of prior revisions to the SVA risk assessment computer program for chemical facilities, NPPD has committed to doing a thorough review of the risk assessment process and keeping the Subcommittee apprised of any significant issues related to that review. In support of this, NPPD developed a three-phased approach, which is captured in the ISCD Action Plan and includes: documenting all processes and procedures relating to the risk assessment methodology; conducting an internal NPPD review of the risk assessment process; and initiating an external peer review of the risk assessment methodology. The Division has made significant progress on this action item by completing the first two steps. ISCD is also approaching completion of procurement actions for the external peer review, which is expected to begin before the end of FY 2012.
NPPD remains committed to both developing appropriate responses to any risk assessment issues that it identifies and keeping Congress and stakeholders apprised of any significant issues related to that review.
Personnel Surety. Under CFATS Risk-Based Performance Standard 12 (RBPS 12), final high-risk chemical facilities are required to perform background checks on certain individuals with access to restricted areas or critical assets. NPPD has been seeking to implement a CFATS Personnel Surety Program to enable facilities to comply with the requirement to identify individuals who may pose a risk to chemical security by enabling facilities to submit biographical information to NPPD. NPPD would compare this biographical information against information about known or suspected terrorists listed in the Terrorist Screening Database (TSDB).
Although NPPD has the authority under CFATS to implement the Personnel Surety Program, under the Paperwork Reduction Act (PRA) the Office of Management and Budget (OMB) must still approve how the NPPD proposes to collect the necessary information to conduct vetting against the TSDB. In June of 2009, DHS began the process to obtain OMB approval by publishing in the Federal Register a notice soliciting public comments for 60 days.
Following the public comment, DHS submitted the Information Collection Request (ICR) to OMB in June of 2011. Since that time, the Department’s position on how facilities can comply with RBPS 12 has evolved, thanks in large part to information the chemical industry has provided to us as part of the PRA process. As a result, in July of 2012, the Department withdrew the ICR from OMB review. This has enabled the Department to engage in direct dialogue with security partners and with stakeholders in the regulated community about the CFATS Personnel Surety Program. Additionally, the Department has learned a great deal about various facilities through visits to chemical facilities it has conducted. This on-the-ground knowledge of the facilities will help to inform the Department of any impacts that the Personnel Surety Program will may have. The Department plans to re-initiate the PRA process by publishing a 60-day notice to solicit comment in the Federal Register in the near future. After that, the Department will concurrently publish a 30-day notice to solicit additional comments, and submit a new ICR for the CFATS Personnel Surety Program to OMB for review.
Since the establishment of CFATS in April 2007, NPPD and ISCD have taken significant steps to publicize the rule and ensure that the regulated community and other interested or affected entities are aware of and meeting its requirements. NPPD and ISCD management and staff have presented at hundreds of security and chemical industry conferences and participated in a variety of other meetings. As part of this outreach program, NPPD and ISCD have regularly updated impacted sectors through their Sector Coordinating Councils and the Government Coordinating Councils—including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors.
NPPD and ISCD continue to collaborate within DHS and with other federal agencies in the area of chemical security, including routine engagement with: the USCG; the Transportation Security Administration; the Department of Justice’s Federal Bureau of Investigation and Bureau of Alcohol, Tobacco, Firearms and Explosives; the NRC; and the Environmental Protection Agency. In addition, ISCD continues to focus on fostering solid working relationships with state and local officials including first responders.
To promote information sharing, ISCD has developed several communication tools for stakeholder use, including: the Chemical Security website (www.DHS.gov/chemicalsecurity); a Help Desk for CFATS-related questions; a CFATS tip-line for anonymous chemical security reporting; and CFATS-Share, a web-based information-sharing portal that provides certain Federal, state, and local agencies access to key details on CFATS facility information as needed.
ISCD Budget Priorities for FY 2013
The President’s Budget for FY 2013 requested $74.544 million for the Infrastructure Security Compliance Program, including funds for 253 full-time positions/242 full-time equivalents (FTE). The primary initiatives under Infrastructure Security Compliance are the implementation of the CFATS Program and the development and implementation of the proposed Ammonium Nitrate Security Program. In helping to develop the President’s Budget, DHS considered as a priority the retention of basic CFATS functionality. Accordingly, DHS prioritized its funding request to enable DHS to thoroughly and expediently review SSPs of CFATS-covered facilities that pose the highest level of risk to ensure that such facilities’ security measures meet applicable risk-based performance standards and to expedite the performance of inspections at those facilities.
ISCD, NPPD, and the Department are moving forward quickly and strategically to address the challenges before us. CFATS is reducing the risks associated with our nation’s chemical infrastructure. We believe that CFATS is making the nation safer and are dedicated to its success. As we implement CFATS, we will continue to work with stakeholders to get the job done, meet the challenges identified in the ISCD report, and execute a program to help prevent terrorists from exploiting chemicals or chemical facilities.
Thank you for holding this important hearing. I would be happy to respond to any questions you may have.