Monday, August 24, 2009

HR 3258 Analysis – VA-SSP Review

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include:

HR 3258 Section-by-Section Analysis
HR 3258 Analysis – Political Background
HR 3258 Analysis – 50 Enforcement Agencies
HR 3258 Analysis – Substance of Concern
HR 3258 Analysis – Vulnerability Assessments
HR 3258 Analysis – IST Assessments

I mentioned in an earlier blog that the EPA is likely to work with existing State enforcement authorities to manage this security program. One area of enforcement is reserved to the Administrator in this legislation; that is the review of the submitted vulnerability assessments and site security plans. Section 1433(h) specifies that VA and SSP submissions must be made to the Administrator who will review them and either approve them or require the facility to correct ‘significant deficiencies’.

Administrator Review of VA and SSP

Even where the legislation provides the Administrator with specific responsibility for enforcement, it still requires this determination to be made “in consultation, as appropriate, with the State exercising primary enforcement responsibility for such system, if any” {§1433(h)(2)}. Once again, this is in keeping with the EPA process for oversight of water treatment systems, so it is not surprising that the Energy and Commerce Committee drafters of this legislation would include such language. Significant deficiencies are determined by finding that a:
Vulnerability assessment does not comply with the requirements of §1433(a)(1);
Site security plan does not address the vulnerabilities found during the VA; or
Site security plan does not meet all of the appropriate risk-based performance standards (RBPS) required in §1433(b).

No Submission to State or Local Governments

Even though the State enforcement agency is required to be consulted on the determination of deficiencies, the legislation is quite specific in noting that facilities are not required to provide copies of the VA or SSP to State or local agencies. Section 1433(h)(3) states that:
“No covered water system shall be required under State, local, or tribal law to provide a vulnerability assessment or site security plan described in this section to any State, regional, local, or tribal governmental entity solely by reason of the requirement set forth in paragraph (1) that the system submit such an assessment and plan to the Administrator.”
This is a very odd provision given the ‘consultation’ requirements of §1433(h)(2) and the pre-emption provision of §1433(n) that specifically allows for state and local rules that are “more stringent than a regulation, requirement, or standard of performance under this section”. Thus, a State or local agency may not require that the facility provide a copy of a VA or SSP made for regulations developed under this legislation, but may require the completion of a separate VA or SSP with stricter requirements.

Risk-Based Performance Standards

The RBPS mentioned in the ‘significant deficiencies’ section above are only very broadly outlined in this legislation. Section 1433(b) only requires the Administrator to set forth RBPS in the regulations supporting this legislation and that those standards will be “increasingly stringent based on the level of risk associated with the covered water system’s risk-based tier assignment”. The Administrator is required to ‘take into account’ the RBPS set forth in the CFATS regulations {6 CFR 27.230} or such successor regulations required by new legislation (like HR 2868).

The phrase ‘take into account’ is very vague. It would allow the Administrator to adopt the entire §27.230 as part of the regulations (with or without using the RBPS Guidance document adopted by DHS last year), use parts of that section as a template for writing the EPA rule, or write off the DHS effort as inapplicable to water treatment facilities as long as the matter was addressed in an appropriate preamble to the publication of the draft rule.

There is nothing in the RBPS section of this legislation that would require, or prohibit the Administrator from requiring, specific security measures. Typically, risk-based performance standard regulations specify what must be accomplished rather than how something must be done, but without a specific prohibition against requiring a specific measure (as was found in the §550 authorization for CFATS), there is nothing that would stop the regulations from specifying some specific security measures as long as most of them were performance-based requirements.

