2359 Rayburn House Office Building
Thank you, Chairman Aderholt, Ranking Member Price, and distinguished Members of the Subcommittee. It is a pleasure to appear before you today to discuss the Department of Homeland Security's (DHS) efforts to regulate the security of high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS).
As you are aware, the Department's current statutory authority to implement CFATS – Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act, as amended – has been extended through October 4, 2012, and is about to be further extended by the FY 2013 Continuing Appropriations Resolution once that has been enacted. The CFATS program has made our Nation more secure and DHS welcomes the opportunity to continue to work with Congress, all levels of government, and the private sector to further improve this vital national security program.
CFATS has helped to make our country safer. Since the inception of CFATS, more than 2,700 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk.
In the interest of building upon our collaboration, my testimony today focuses on the current status of the program, examples of the program’s successes to date, some of the current challenges facing the National Protection and Programs Directorate (NPPD) in implementing CFATS, and the actions we are taking to address these challenges through the Infrastructure Security Compliance Division (ISCD) Action Plan. Progress has been made on all of the Action Plan action items that remain open, and I would be glad to discuss both the progress made by the Department on these action items as well as the path forward the Department has charted for completing these items. Equally as important, I will reiterate the principles that we believe should guide the program's maturation and continued authorization.
I am pleased to inform you that the Department has completed 68 of the 95 action items included in the Action Plan. It should be noted that this is significantly higher than the number reported by the Government Accountability Office (GAO) in its July 2012 report, as the Department continues to work on and complete action items following the conclusion of the GAO audit. I would also like to thank GAO for their efforts in reviewing the CFATS program. We have made progress in addressing identified challenges, but more remains to be done.
At Under Secretary Beers’ direction, the program’s leadership has outlined its priorities, the challenges it believes the program faces, and a proposed path forward to address those challenges and accomplish program objectives. NPPD, the Directorate with oversight responsibility for the CFATS program, is continuously reviewing the program to identify areas for improvement and correcting course when necessary to ensure proper implementation.
Chemical Facility Security Regulations
Section 550 of the FY 2007 Department of Homeland Security Appropriations Act directed the Department to develop and adopt within six months a regulatory framework to address the security of chemical facilities that the Department determines pose high levels of risk. Specifically, Section 550(a) of the Act authorized the Department to adopt regulatory requirements for high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop Site Security Plans (SSPs), and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published an interim final rule, known as CFATS, on April 9, 2007. Section 550, however, expressly exempts from the regulation certain facilities that are regulated under other federal statutes, specifically those regulated by the United States Coast Guard (USCG) pursuant to the Maritime Transportation Security Act (MTSA), drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Departments of Defense or Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC).
The following core principles guided the development of the CFATS regulatory structure:
Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders—federal, state, local, tribal, and territorial government partners, as well as the private sector—is essential to securing our critical infrastructure, including high-risk chemical facilities
Risk-based tiering is used to guide resource allocations.1 Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk—those that, if targeted, would endanger the greatest number of lives;
Reasonable, clear, and calibrated performance standards will lead to enhanced security. The CFATS rule establishes enforceable risk-based performance standards, or RBPS, for the security of our Nation’s chemical facilities. High-risk facilities have the flexibility to develop appropriate site-specific security measures that will address risk effectively by meeting these standards. ISCD will analyze all final high-risk facility SSPs to ensure that they meet the applicable RBPS and will approve those that do. If necessary, ISCD will work with a facility to revise and resubmit an acceptable plan and can disapprove security plans if an acceptable plan is not submitted; and
Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies made significant capital investments in security following 9/11, and even more have done so since the passage of the legislation establishing this program.
1Tiering determinations are dynamic; for example, a tiering determination can change when a company voluntarily alters its facilities in a way that reduces its risk profile. “Final tiering” refers to a tiering assignment following a Security Vulnerability Assessment—it does not imply that this is the final tiering assignment a facility may ever receive.
On November 20, 2007, the Department published CFATS’ Appendix A, which lists 322 chemicals of interest—including common industrial chemicals such as chlorine, propane, and anhydrous ammonia—as well as specialty chemicals, such as arsine and phosphorus trichloride. The Department included chemicals based on the potential consequences associated with one or more of the following three security issues:
Release – Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated;
Theft/Diversion – Chemicals that have the potential, if stolen or diverted, to be used as or converted into weapons that could cause significant adverse consequences for human life or health; and
Sabotage/Contamination – Chemicals that are shipped and that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health.
The Department also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways. Any chemical facility that possesses any chemical of interest at or above the applicable Screening Threshold Quantity must submit an initial consequence-based screening tool, commonly referred to as the “Top-Screen,” to DHS. Through the Top-Screen process, ISCD identifies high-risk facilities, which the Department then assigns to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk.
Implementation of the CFATS regulation requires the Department to identify which facilities it considers high-risk. Supporting this, ISCD developed the Chemical Security Assessment Tool (CSAT) to help the Department identify potentially high-risk facilities and to provide methodologies those facilities can use to conduct SVAs and to develop SSPs. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the Top-Screen, an SVA tool, and an SSP template. The CSAT tool is a secure tool that can be accessed only by Chemical-terrorism Vulnerability Information (CVI) authorized users.
In May 2009, DHS issued Risk-Based Performance Standards Guidance to assist final high-risk chemical facilities in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the appropriate level of performance for the RBPS at each tier level. The Guidance was informed by the experience of the Transportation Security Administration (TSA), U.S. Coast Guard (USCG), and the Environmental Protection Agency (EPA), and also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose – whether or not in the Guidance – provided that DHS determines through approval of the facilities’ SSPs that they achieve the requisite level of performance under the CFATS RBPS.
To date, ISCD has received more than 41,000 Top-Screens submitted by chemical facilities. Since June 2008, ISCD identified more than 8,000 facilities that it has initially designated as high-risk. These facilities have used the CSAT tool to compile and submit SVAs. In May 2009, following reviews of facilities’ SVA submissions, ISCD began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or an Alternative Security Program (ASP) in lieu of an SSP.
As of September 4, 2012, CFATS covers 4,433 high-risk facilities nationwide; of these, 3,660 facilities are currently subject to final high-risk determinations and submission of an SSP or ASP. The remaining facilities are awaiting final tier determinations based on their SVA submissions. ISCD continues to issue final tier notifications to facilities across all four risk tiers as it makes additional final tier determinations.
Personnel Surety. Under CFATS Risk-Based Performance Standard 12 (RBPS 12), final high-risk chemical facilities are required to perform background checks on certain individuals with access to restricted areas or critical assets. NPPD has been seeking to implement a CFATS Personnel Surety Program to enable facilities to comply with the requirement to identify individuals who may pose a risk to chemical security by enabling facilities to submit biographical information to NPPD. NPPD would compare this biographical information against information about known or suspected terrorists listed in the Terrorist Screening Database (TSDB).
Since submitting an Information Collection Request (ICR) to OMB in June of 2011, the Department’s position on how facilities can comply with RBPS 12 has evolved, thanks in large part to information the chemical industry has provided to us as part of the PRA process. As a result, in July of 2012, the Department withdrew the ICR from OMB review. This has enabled the Department to engage in direct dialogue with security partners and with stakeholders in the regulated community about the CFATS Personnel Surety Program. Additionally, the Department has learned a great deal about various facilities through visits to chemical facilities it has conducted. This on the ground knowledge of the facilities will help to inform the Department of the impacts of the Personal Surety Program will have. The Department plans to re-initiate the PRA process by publishing a 60-day notice to solicit comment in the Federal Register in the near future. After that, the Department will concurrently publish a 30-day notice to solicit additional comments, and submit a new ICR for the CFATS Personnel Surety Program to OMB for review.
Since the establishment of CFATS in April 2007, NPPD and ISCD have taken significant steps to publicize the rule and ensure that the regulated community and other interested or affected entities are aware of its requirements. NPPD and ISCD management and staff have presented at hundreds of security and chemical industry conferences and participated in a variety of other meetings. As part of this outreach program, NPPD and ISCD has regularly updated impacted sectors through their Sector Coordinating Councils and the Government Coordinating Councils – including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors. In addition, ISCD continues to focus on fostering solid working relationships with state and local officials including first responders.
NPPD and ISCD continue to collaborate within DHS and with other federal agencies in the area of chemical security, including routine engagement with USCG; TSA; the Department of Justice's Federal Bureau of Investigation and Bureau of Alcohol, Tobacco, Firearms and Explosives; the NRC; and EPA.
Across the Nation, ISCD’s Chemical Security Inspectors have been actively working with facilities and governmental agencies. Collectively, they have participated in more than 4,050 meetings with federal, state, and local officials, conducted over 1,060 Compliance Assistance Visits, and have held more than 4,240 informal introductory meetings with owners and/or operators of CFATS-regulated facilities.
To promote information sharing, ISCD has developed several communication tools for stakeholder use, including: the Chemical Security website (www.DHS.gov/chemicalsecurity); a Help Desk for CFATS-related questions; a CFATS tip-line for anonymous chemical security reporting; and CFATS-Share, a web-based information-sharing portal that provides certain Federal, state, and local agencies access to key details on CFATS facility information as needed.
Highlights and Successes of CFATS Program
As we have previously discussed, the ISCD Action Plan currently contains 95 items, each of which has been assigned to a member of ISCD’s senior leadership team for implementation. As of September 11, 68 of the 95 action items contained in the Action Plan have been completed. For accountability, planning, and tracking purposes, the members of that leadership team have established milestones and a schedule for the completion of each task assigned to them. In addition, ISCD leadership meets with me at least once per week to provide status updates on the action items and discuss ways that NPPD leadership can help.
I would like to share with the Subcommittee some of the highlights and successes that are a direct result of the implementation of the Action Plan and other recent initiatives performed by ISCD. These include: improving the SSP review process and increasing the pace of SSP reviews; refining inspector tools and training; reinvigorating industry engagement on their development of ASP templates; improving internal communications and organizational culture; and preparing for an external peer review of the CFATS risk assessment methodology.
SSP Review Process. ISCD is currently utilizing a refined approach for reviewing SSPs in order to move forward in a more efficient and timely fashion. At this time, ISCD has completed its initial review of all Tier 1 SSPs and has begun reviewing Tier 2 SSPs. As of September 11, 2012, of the Tier 1 SSPs reviewed, the Department has authorized or conditionally authorized SSPs for 73 facilities. Of the remaining Tier 1 SSPs reviewed by the Department, we are either validating results or reaching out to these facilities to obtain additional information or action in the hope of resolving the outstanding issues affecting their SSPs. While the interim approach for SSP reviews is underway, ISCD will continue to work to improve the long-term approach to the SSP review process. As of September 17, 2012, DHS has approved the SSPs for two Tier 1 facilities.
Inspections. In September 2011, ISCD established an Inspector Tools Working Group to ensure the Chemical Security Inspectors have up-to-date and, where appropriate, improved inspections procedures, policies, equipment, and guidance. In June 2012, ISCD finished updating its internal inspections policy and guidance materials for inspectors. ISCD also began providing additional training that focuses on the updated policy and guidance materials to prepare Chemical Security Inspectors to resume authorization inspections at facilities with authorized or conditionally authorized SSPs. As a result, I am pleased to announce that as of July 16, 2012, ISCD has resumed authorization inspections at Tier 1 facilities. This is a vital step for moving the CFATS program toward a regular cycle of approving SSPs and conducting compliance inspections for facilities with approved SSPs.
Alternative Security Programs (ASPs). Many members of the regulated community and their representative industry associations have expressed interest in exploring ways to use the ASP provisions of the CFATS regulation to streamline the security plan submission and review process. In support of this, ISCD has been holding vigorous discussions with industry stakeholders in regard to their development and submission of ASPs. One particularly promising effort has been ISCD’s engagement with the American Chemistry Council (ACC) in support of its efforts to develop an ASP template for use by interested members of its organization. In August 2012, the ACC piloted the ASP template in Michigan ASPs submitted by facilities using the ACC template will be reviewed under the same standards that ISCD currently reviews SSPs, but the use of ASP templates may streamline both the plan development and plan review processes. Additionally, DHS continues to review existing industry programs, such as ACC Responsible Care® and SOCMA ChemStewards®, to identify potential areas of engagement and further discussion.
Internal Communications and Employee Morale. The Action Plan contains a number of items designed to improve internal communications and morale within ISCD. ISCD has implemented many of these action items and has made significant progress on many others. For instance, ISCD employees now contribute to and receive a monthly ISCD newsletter, which covers a wide variety of both field and headquarters activities. ISCD leadership has promoted staff engagement and a dialogue about issues and concerns through monthly town halls and a senior leadership open-door policy. ISCD staff has a standing invitation to participate in group open-door sessions or to schedule one-on-one discussions with Division leadership.
ISCD is also moving forward with issuing vacancy announcements to hire a permanent leadership team; several announcements have already been posted and several others are nearing posting. Supervisors have been provided with additional supervisory training and guidance on performance monitoring. The Division has developed a mission statement, vision statement, and core values. As a result of these and other efforts, I believe that Division-wide morale is improving, which ultimately will pay dividends not only in improved staff retention, but also in improved staff performance and program execution.
Risk Assessment Methodology Review. In light of prior revisions to the SVA risk assessment computer program for chemical facilities, NPPD has committed to doing a thorough review of the risk assessment process and keeping the Subcommittee apprised of any significant issues related to that review. In support of this, NPPD developed a three-phased approach, which is captured in the Action Plan and includes: documenting all processes and procedures relating to the risk assessment methodology; conducting an internal DHS review of the risk assessment process; and initiating an external peer review of the risk assessment methodology. The Division has made significant progress on this action item by completing the first two steps. Procurement actions for the external peer review have been completed as of September 11, 2012, which is expected to begin before the end of FY12.
NPPD remains committed to both developing appropriate responses to any risk assessment issues that it identifies and keeping Congress and stakeholders apprised of any significant issues related to that review.
ISCD Budget Priorities for FY13
The President’s Budget for FY 2013 requested $74.544 million for the Infrastructure Security Compliance Program, including funds for 253 full-time positions/242 full-time equivalents (FTE). The primary initiatives under Infrastructure Security Compliance are the implementation of the CFATS Program and the development and implementation of the proposed Ammonium Nitrate Security Program. In helping to develop the President’s Budget, DHS considered as its top priority the retention of basic CFATS functionality. Accordingly, DHS prioritized its funding request to enable DHS to thoroughly and expediently review SSPs of CFATS-covered facilities that pose the highest level of risk to ensure that such facilities’ security measures meet applicable risk-based performance standards and to expedite the performance of inspections at those facilities.
The FY 2013 DHS Appropriations bill that was approved by this Subcommittee would provide $45.4 million for the Infrastructure Security Compliance Program. This represents a decrease of $47.908 million from the FY 2012 enacted level of $93.348 million, and is $29.1 million less than the President’s Budget.
An appropriation of $45.4 million would drastically curtail DHS’s ability to: 1) implement the statutory and regulatory requirements for the security of high-risk chemical facilities as specified in CFATS; 2) continue development of the proposed Ammonium Nitrate Security Program; and 3) fully implement the program improvements identified in the ISCD Action Plan. DHS estimates that, after expending approximately $35 million for salaries and benefits for 242 FTEs, approximately $12 million would remain for implementing CFATS and completing development of the proposed Ammonium Nitrate Security Program. DHS would be forced to cease virtually all activities under CFATS other than those directly related to reviewing SSPs and performing facility inspections – which means those other activities would be significantly delayed. At the proposed $45.4 million funding level, the Department’s ability to conduct the most basic CFATS functions would be impacted. These include maintaining the CSAT and the Chemical-Security Management System (CHEMS) information technology (IT) systems, and acquiring important technical and subject-matter support. Additionally, CFATS-related outreach and engagement with the regulated community would be significantly reduced and some aspects would cease; development and implementation of the proposed Ammonium Nitrate Security Program would be significantly delayed; and many of the managerial improvements outlined in the ISCD Action Plan may be delayed or negatively impacted.
Legislation to Permanently Authorize CFATS
DHS recognizes the significant work that the Subcommittee and others have accomplished to reauthorize the CFATS program. The Department supports a permanent authorization for the CFATS program and is committed to working with Congress and other security partners to establish a permanent authority for the CFATS program in federal law. We appreciate this effort and look forward to continuing engagement with Congress on these important matters.
ISCD, NPPD, and the Department are moving forward quickly and strategically to address the challenges before us. CFATS is reducing the risks associated with our Nation’s chemical infrastructure. We believe that CFATS is making the Nation safer and are dedicated to its success. As we implement CFATS, we will continue to work with stakeholders to get the job done, meet the challenges identified in the ISCD report, and execute a program to help prevent terrorists from exploiting chemicals or chemical facilities.
Thank you for holding this important hearing. I would be happy to respond to any questions you may have.