2322 Rayburn House Office Building
Thank you, Chairman Shimkus, Ranking Member Tonko, and distinguished Members of the Committee. I appreciate the opportunity to appear before you today to discuss the Department of Homeland Security’s (DHS) regulation of high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS). Over the past year, NPPD has worked diligently to turn a corner and has addressed many issues previously identified as challenges. The CFATS program has made significant progress, advancing programmatically while simultaneously addressing internal operational concerns. The Department remains committed to working with stakeholders and with Congress on a path forward so that the CFATS program continues to improve. My testimony today focuses on the progress made since our last hearing, the current status of the program, and upcoming activities.
The CFATS program has made our Nation more secure by identifying and regulating high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals. CFATS has also played a role in reducing the number of high-risk chemicals, as close to 3,000 facilities have eliminated, reduced or modified their holdings of certain chemicals. We welcome the opportunity to work with stakeholders to further improve this vital national security program. As the Directorate with oversight responsibility for the CFATS program, NPPD, and the Directorate’s Infrastructure Security Compliance Division (ISCD), is continually evaluating the program to identify areas for improvement to ensure proper implementation of the program. Through ISCD’s comprehensive Action Plan, we have identified and acted decisively to address areas in which improvements were warranted.
As you are aware, the Department’s current statutory authority to implement CFATS – Section 550 of the fiscal year (FY) 2007 Department of Homeland Security Appropriations Act, as amended – currently extends through March 27, 2013. DHS recognizes the significant work that the Subcommittee and others have accomplished to reauthorize the CFATS program. The Department supports a permanent authorization for the CFATS program and is committed to working with Congress and other security partners to establish a permanent authority for the CFATS program in Federal law.
CFATS Implementation Progress
The CFATS program has already made our Nation more secure by identifying and regulating high-risk chemical facilities to ensure they have security measure in place to reduce the risks associated with these chemicals. The cornerstone of the CFATS program in regulating the security of high-risk chemical facilities is the development, submission, and implementation of Site Security Plans (SSPs), which document the facility security measures that satisfy the applicable Risk-Based Performance Standards (RBPS) under CFATS. It is important to note that these plans are not “one size fits all,” but in-depth, highly customized, and dependent on each facility’s unique circumstances. Following a facility’s development and submission of an SSP, ISCD conducts an authorization inspection that is tailored to review specific details within the facility’s SSP. High-risk facilities also have the option of submitting an Alternative Security Program (ASP) in lieu of an SSP. Over the last six months, ISCD has made significant strides in authorizing SSPs and ASPs, conducting Authorization Inspections, and approving security plans. NPPD recognizes the need to increase the pace of authorization and approvals and is examining potential approaches for increasing the pace of SSP reviews and inspections for the lower risk Tier 3 and Tier 4 facilities without sacrificing quality or consistency.
| Tier* | Total # of Facilities | Received Final Tier | Authorized SSPs and ASPs | Authorization Inspection Conducted | Approved SSPs and ASPs |
|---|---|---|---|---|---|
| 1 | 131 | 117 | 83 | 61 | 36 |
| 2 | 450 | 398 | 172 | 68 | 4 |
In order to determine whether a facility is regulated under CFATS, the facility uses the web-based Chemical Security Assessment Tool (CSAT), to submit a Top-Screen to ISCD. Since we began collecting this information in 2007 ISCD now has data from more than 44,000 Top-Screens submitted by chemical facilities, providing important information about their chemical holdings. Based on the information received in the Top-Screens, ISCD identified more than 8,500 facilities that were initially designated as high-risk facilities potentially regulated by CFATS. These facilities then compiled and submitted Security Vulnerability Assessments, which are used by ISCD to identify which facilities present a terrorism risk that is sufficiently high to warrant the assignment of a final high-risk tier under CFATS.
As of March 5, 2013, CFATS covers 4,380 high-risk facilities nationwide; of these, 3,468 have received final high-risk determinations and are required to develop SSPs (or ASPs) for ISCD review. The remaining facilities are awaiting final tier determinations based on their Security Vulnerability Assessment submissions. ISCD continues to issue final tier notifications to facilities across all four risk tiers. Facilities that receive a final high-risk determination are notified of the requirement to complete and submit an SSP or an ASP. Tiering determinations are dynamic and can change based on actions a facility takes. For example, a tiering determination can change when a facility voluntarily alters its operations in a material way that reduces its risk profile. Since the inception of CFATS, close to 3,000 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. The significant reduction in the number of chemical facilities that represent the highest risk is an important success of the CFATS program and is attributable both to the design of the program as enacted by Congress and to the work of CFATS personnel and industry at thousands of chemical facilities.
Site Security Plans. Among the important items identified in the ISCD Action Plan was the need to streamline the process for reviewing SSPs. This has enabled the program to complete SSP reviews, authorizations, and approvals for Tier 1 and 2 facilities at an accelerated pace. In the first months of 2012, ISCD took an operational pause as it developed a refined approach to SSP reviews—one that eliminates bottlenecks and involves field inspectors (who work most closely with CFATS facilities) early on in the process. This effort has enabled the program to accelerate the pace of SSP reviews, authorizations, and approvals for Tier 1 and 2 facilities. To date, ISCD has completed its review of all Tier 1 SSPs and has begun reviewing Tier 2 SSPs. ISCD anticipates that we will have completed the approval process for all Tier 1 security plans by October 2013 and for all Tier 2 security plans by May 2014.
Inspections. ISCD is currently carrying out authorization inspections for Tiers 1 and 2 facilities. Authorization inspections are scheduled after ISCD’s review of an SSP (or ASP) results in a preliminary determination that the SSP satisfies applicable RBPS and issues a Letter of Authorization. Since resuming authorization inspections in July 2012, ISCD has conducted 120 authorization inspections. The authorization inspection results, as well as any further revisions that the facility may make to the SSP (or ASP), are reviewed to make a final determination as to whether the facility’s SSP satisfies the applicable RBPS and whether to issue a Letter of Approval. Once issued a Letter of Approval, the facility’s SSP (or ASP) is considered approved and the facility must implement the security measures detailed in the SSP. ISCD plans to conduct compliance inspections approximately one year after an SSP approval, therefore the first compliance inspections will take place around September 2013.
ASPs. ASPs are an important part of the CFATS program’s continued progress and its effort to streamline the authorization and inspection process. The ASP provides an option for regulated facilities to submit information necessary to document site security measures that address the RBPS through a format other than the SSP template. ISCD has been working closely with industry stakeholders regarding options for their development and use of ASPs. Recently, the American Chemistry Council released a guidance document and template developed in consultation with DHS to assist its members with the development of ASPs. Additionally, DHS has been in discussion with other industry stakeholders, including the Agricultural Retailers Association and the Society of Chemical Manufacturers Affiliates, about developing templates. DHS has also been engaging industry on the development of “corporate” ASPs. For members of industry that own several regulated facilities, the corporation can develop a single ASP, which can be easily replicated by other facilities. ASPs submitted by facilities using any industry-developed or proprietary template would be reviewed under the same standards that ISCD currently reviews SSPs. The potential for these ASPs to serve as a force multiplier is tremendous.
Compliance Assistance and Facility Outreach. Compliance Assistance Visits provide chemical facilities with support in preparing for the necessary security-related documentation required by CFATS. During these visits, ISCD offers compliance and technical assistance in the completion of the CSAT registration, Top Screen, Security Vulnerability Assessment, or Site Security Plan. At any point in the CFATS process, a facility can request a Compliance Assistance Visit. As of March 5, 2013, ISCD has conducted more than 1,080 Compliance Assistance Visits. In addition to conducting inspections and supporting Compliance Assistance Visits at regulated facilities, NPPD’s Chemical Security Inspectors actively work with facilities, local stakeholders, and governmental agencies across the country. Collectively, they have participated in more than 5,000 meetings with Federal, state, and local officials; held more than 4,600 introductory meetings with owners and operators of CFATS-regulated or potentially regulated facilities.
Industry Engagement and Information Sharing. Since the establishment of the CFATS program in April 2007, NPPD has conducted significant outreach to the regulated community and other interested or affected entities so that they are aware of the program’s requirements. NPPD and ISCD management and staff have presented at hundreds of security and chemical industry gatherings and participated in a variety of other meetings. As part of this outreach initiative, NPPD and ISCD leadership have regularly updated affected sectors through their Sector Coordinating Councils and the Government Coordinating Councils—including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors. To promote information sharing, ISCD has developed several communication tools for stakeholder use, including: the Chemical Security website (www.DHS.gov/chemicalsecurity); a help desk for CFATS-related questions; a CFATS tip-line for anonymous chemical security reporting; and CFATS-Share, a web-based information-sharing portal that provides certain Federal, state, and local agencies access to key details on CFATS facility information as needed.
Intergovernmental Coordination. NPPD continues to collaborate within DHS and with other Federal agencies in the area of chemical security, including routine engagement with the U.S. Coast Guard (USCG); the Transportation Security Administration (TSA); the Department of Justice’s Federal Bureau of Investigation (FBI) and Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF); the Nuclear Regulatory Commission (NRC); and the Environmental Protection Agency (EPA). In December, the USCG and NPPD signed a Memorandum of Agreement authorizing sharing data and risk methodologies between ISCD’s Chemical Security Assessment Tool and USCG’s Maritime Security Risk Analysis Model. The data sharing will help provide greater visibility to both USCG and ISCD with regard to how each organization assesses and quantifies risk and ultimately will support the development of a comprehensive risk picture for facilities within the Chemical Sector and aid in the identification of potentially unacceptable security gaps that may require changes in regulation or policy.
Personnel Surety. Under CFATS Risk-Based Performance Standard 12 (RBPS 12), final high-risk chemical facilities are required to perform appropriate background checks on and ensure appropriate credentials for facility personnel, and as appropriate, for unescorted visitors with access to restricted areas or critical assets. These include: (i) measures designed to verify and validate identity; (ii) measures designed to check criminal history; (iii) measures designed to verify and validate legal authorization to work; and (iv) measures designed to identify people with terrorist ties. The Department currently reviews, authorizes and approves facility SSP/ASP submissions for RBPS-12 (i), (ii), and (iii). To collect information to fulfill RBPS-12 (iv), NPPD previously submitted to OMB an Information Collection Request in June 2011, but withdrew the Request in order for the Department to further engage with our security partners and with stakeholders in the regulated community about the CFATS Personnel Surety Program given their concerns about the proposed collection.
Over the past six months, the Department invited 25 industry associations to participate in CFATS Personnel Surety conference calls and subsequently held calls with 16 of the organizations. NPPD also met five times with the Sector Coordinating Council leadership and members to identify their primary issues of concern with the CFATS Personnel Surety Program, to discuss privacy-related issues, and to review how use of third parties could be leveraged to provide additional options for facilities to ensure vetting of facility personnel and unescorted facility visitors. We have also engaged a coalition of associations about their concerns related to the transportation sector. Finally, in January, NPPD held a meeting in coordination with the FBI, the Oil & Natural Gas Sector Coordinating Council, and the Chemical Sector Coordinating Council to discuss coordinated U.S. Government response and law-enforcement-investigative activity that may occur in the event of a positive match against the terrorist screening database. We have worked to incorporate this feedback into the revised personnel surety program, and expect to publish a 60-day notice to solicit comment about the proposed information collection in the Federal Register in the next week. After that, the Department plans to concurrently publish a 30-day Federal Register notice to solicit additional comments, and submit a new Information Collection Request for the CFATS Personnel Surety Program to the Office of Management and Budget. Our 30-day notice in the Federal Register will also respond to all comments we receive from the 60 day Federal Register notice. The Department is committed to finalizing the outstanding aspect of personnel surety and implementing a program that provides flexibility to facilities as the final piece to the overarching chemical security program.
Risk Assessment Methodology Review. NPPD is committed to conducting a thorough review of the risk assessment process and keeping Congress apprised of any significant issues related to that review. In support of this, NPPD has implemented a phased approach, which is captured in the ISCD Action Plan and includes: documenting all processes and procedures relating to the risk assessment methodology; conducting an internal NPPD review of the risk assessment process; initiating an external peer review of the risk assessment methodology; and engaging national laboratory partners to assist the Department in developing a model for identifying and tiering high-risk chemical facilities based on economic consequences. ISCD has completed the first two phases and in February, ISCD kicked off the third phase with the start of an external peer review. The panel is comprised of nine members with expertise in risk analysis, infrastructure security, toxicology, chemical process safety, chemical weapon analysis, and IED analysis. We expect the peer review to provide input on how DHS can enhance the models including the CFATS tiering model as appropriate. This involves developing an integrated plan with timeframes and milestones that will set the terms for incorporating the results of these activities into an improved risk methodology. While the Department believes that the current external peer review will result in an integrated plan, the Department notes that a second peer review to validate and verify ISCD’s risk management approach is worthwhile to consider. NPPD remains committed to both developing appropriate responses to any risk assessment issues that it identifies and keeping Congress and stakeholders apprised of any significant concerns related to that review.
CSAT Tool Suite. As part of its commitment to evolve and mature the CFATS program, ISCD is updating its information technology suite used to collect and process information in the Top-Screen, Security Vulnerability Assessment, and SSP. Refining these CSAT applications will make the overall CFATS process more user-friendly for industry, while making it more efficient and effective. ISCD has worked with industry to identify focus groups with the purpose of identifying functional requirements for the next generation of the Chemical Security Assessment Tool (CSAT) suite of tools, including the Top-Screen, Security Vulnerability Assessments, and SSPs. In February, the first focus group meeting was held in Texas. Two additional focus groups, scheduled in Pennsylvania and California, will take place in March and April, respectively. The focus groups will engage users of the CSAT Tool to ensure ISCD receives input directly from the regulated community on recommended updates and requirements. Improvements to the CSAT tool suite will provide stakeholders with more advanced technology, improving the process for submitting SSPs and ensuring facilities have a comprehensive picture of risks to their facilities. The public will also have an opportunity to comment on any proposed changes to the CSAT collection tool when it seeks public comment.
Continued Internal Improvements
Over the last year, ISCD has improved many internal operations that address issues identified in the Action Plan. The ISCD Action Plan currently contains 95 items, each of which has been assigned to a member of ISCD’s senior leadership team for implementation. The members of the leadership team continue to track established milestones and projected timeframes for the completion of each task assigned to them. In addition, NPPD leadership is deeply engaged with the status of the Action Plan. As of March 5, 2013, 88 of the 95 action items contained in the current Action Plan have been completed. Training, hiring, improving employee morale and ensuring ISCD employees have the appropriate skills are a few examples of some of the internal improvements.
Hiring. ISCD has made significant progress with staffing, including filling several leadership positions. By the end of January, 100% of positions that were vacant on December 1, 2012 have been advertised and ISCD is working to fill the positions with qualified employees. As of March 5, 2013, 22 selections have been made and ISCD expects to have the majority of vacancies selected by the end of March.
ISCD Realignment. Since September 2012, ISCD has successfully realigned its organizational structure to meet the needs of the organization going forward with regard to supervisor to employee ratios both at headquarters and in the field. This includes a realignment of the field operations in order to meet the heightened pace of compliance assistance visits and authorization inspections and the expected commencement of compliance inspections.
Training. From Fall 2011 to Spring 2012, ISCD updated and revised its internal inspections policy and guidance materials for conducting inspections. After releasing the updated guidance materials, ISCD conducted five inspector training sessions, which focused on the updated policy, procedures and related materials to better prepare Chemical Security Inspectors to resume authorization inspections. ISCD has made great strides in improving our inspection process over the past year, and we continue to identify efficiencies to keep moving forward.
One such effort is related to the inspection of RBPS 8–Cyber. Cyber systems are integrated throughout the operations of chemical facilities, including in controlling sensitive processes, granting authorized access, and enabling business. Protecting against cyber attacks on these systems is an essential component in managing overall risk for a facility. In order to further understand the requirements for the inspection of security measures relating to RBPS 8 and to determine the most efficient path forward, ISCD is in the process of developing a Cyber Security Inspection Standard Operating Procedure and handbook. Additionally, ISCD, in coordination with the NPPD Office of Cybersecurity and Communications, developed training materials for Chemical Inspectors to assist facilities with cyber security integration in their security posture and conducted webinars to better enable each of the inspectors to perform a RBPS 8 inspection at these facilities. In January, ISCD began offering a more extensive training course to allow Inspectors to perform the RBPS 8 inspection for facilities with cyber security integration, which in turn will greatly help the SSP/ASP approval process.
Internal Communications. Throughout NPPD, leadership has promoted staff engagement and a dialogue about issues and concerns through increased leadership updates to employees and a senior leadership open-door policy. ISCD staff has a standing invitation to participate in group open-door sessions or to schedule one-on-one discussions with Division leadership.
Conclusion
We believe the Department has turned a corner on the CFATS program. We are moving forward strategically to address the challenges before us. As we implement CFATS, we will continue to work with stakeholders to get the job done of preventing terrorists from exploiting chemicals or chemical facilities. We firmly believe that CFATS is making the nation more secure by reducing the risks associated with our Nation’s chemical infrastructure and we are—along with our stakeholders—committed to its success.