Wednesday, May 16, 2012

House Appropriations Committee Report Addresses CFATS

A House Appropriations Committee draft report on the FY 2013 DHS appropriations bill that was marked up yesterday contains an extensive and scathing analysis of the problems associated with the CFATS program. While the recommendations and mandates included in the report do not carry the force of law, they can be enforced by the Committee’s funding of programs in subsequent years.

The ISCD Problem

While the Committee has not held any hearings on the problems self-identified by the Infrastructure Security Compliance Division, the Committee has reached a definitive conclusion about the effects of these problems (pg 99):

“It is the Committee’s understanding that even with the changes that are currently being implemented, it will still be more than a year before the CFATS regulatory process authorizes, approves, and inspects even a single facility of the over 4,500 facilities that are part of the program. Furthermore, based on information received by the Committee, it may be almost seven years before all facilities will be fully authorized, approved, and inspected. This type of timeline and lack of progress is unacceptable.”

The report goes on to note that another large-scale industrial security program operated by elements of DHS has been effectively implemented in a timely manner. The report describes the Coast Guard's Maritime Transportation Security Act (MTSA) implementation this way (pg 99):

“In less than two years after enactment of that Act, vessels and port facilities had conducted vulnerability assessments and developed security plans to include: passenger, vehicle, and baggage screening procedures; security patrols; restricted areas; personnel identification procedures; access control measures; and/or installation of surveillance equipment. The Coast Guard had reviewed and approved these plans and, to this day, continues to regularly inspect the facilities and vessels for compliance to ensure there is a consistent, risk based security program for all the Nation’s ports to better identify and deter threats.”

Based upon this apparent disparity between the successes of the two programs, the Committee “directs the Under Secretary for NPPD in conjunction with the Commandant of the Coast Guard” to conduct a critical review of the CFATS implementation. There are eight specific areas that the report identifies to be included in the review (pgs 99-100):

1. Is the ISCD organized to efficiently, effectively, and faithfully carry out the requirements detailed in Section 550 of Public Law 109–295?

2. Is the Site Security Plan program sufficient and justified to accomplish the goals of the CFATS program?

3. Should the facility inspection process be streamlined and if so, what is the most efficient mechanism to do so, particularly for low-threat facilities?

4. Are the requirements for ISCD personnel for the inspection process—to include manning, training, site visits, and enforcement—being met?

5. Have clear training and guidance materials been provided to the inspectors so that they can review security plans and conduct inspections consistently, regardless of the type of facility visited?

6. Has ISCD developed adequate plans for follow up inspections for entities whose Site Security Plans have been approved?

7. Does the CFATS program include the appropriate level of stakeholder outreach to address valid industry concerns?

8. Are the requirements outlined in the Information Collection Request Reference Number 201105–1670–002 [Personnel Security Program] duplicative of other programs?

It is absolutely clear that the Committee intends for this review to be more than the typical congressionally mandated paper study. Instead of the typical 90- or 180-day reporting period, the Report mandates that the report be submitted to Congress by April 1st, 2013, almost a full year for the completion of the study.

Alternative Security Programs

The Report also addresses a perennial congressional favorite security topic, the utilization of ‘alternative security programs’. It notes that “the use of alternative security programs established by private sector entities in the implementation of the CFATS program” (pg 100) is specifically allowed by the §550 authorization for the program. The Committee directs the Under Secretary to report on the ISCD use of alternative security programs to “address the massive backlog of unapproved site security plans”. This report will also be due on April 1st, 2013.

Interestingly, the Committee demonstrates its lack of understanding of the fundamental definitions of the CFATS program when the report comments that:

“While alternative site security programs may not be advisable for high-risk facilities, the Committee believes that in many cases the use of alternative programs may be an efficient and effective method to reduce the backlog currently in existence.”

All facilities covered by the CFATS program are, by definition, ‘high-risk facilities’. There are rankings or tiers of ‘high-risk’, but all covered facilities are at high risk for terrorist attack as determined by the Secretary. Additionally, no one in Congress has explicated how these alternative security programs will reduce the approval and inspection workload of ISCD. Unless the Committee is suggesting that non-governmental organizations can be delegated the inherently governmental responsibility of conducting site approval and inspection activities, ISCD will still have to do the hard work of the program.

Personnel Assurance Program

The Appropriations Committee becomes the third Committee in Congress (Homeland Security and Energy and Commerce Committees being the other two) that has expressed concerns about the personnel surety program that has yet to be finally defined by DHS. Every Congressman that has commented on the program has expressed concerns that the program does not recognize TWIC or HME identifications as meeting the requirements of the program. Since we haven’t seen the final document on the program (another oft-delayed program), it isn’t clear that this is actually the case, but the complaints are continuously voiced.

The other concern included in this report about the personnel surety program is the provision that if a submitted name is found to be on the Terrorist Screening Database (TSDB), ISCD specifically has stated that they did not intend to notify the facility of that determination. The Report notes the Committee’s concern (pg 101):

“While the Committee understands the need to protect ongoing investigations, the liability concerns of allowing a person in the TSDB into a chemical facility is distressing to the Committee and to industry stakeholders.”

Another report to be submitted by April 1st, 2013 will be required to address these surety concerns. An interesting requirement in this report is inclusion of an analysis of the number of chemical workers (presumably at CFATS facilities) that are already covered by the TWIC. Since no one will be able to make a realistic assessment of the TWIC status until facilities submit the list of personnel that will be covered by the surety program, I don’t see how ISCD will legitimately make this information available.

While it might be reasonable to provide a one-year reporting period, one would like to think that other Committees in the House and Senate might actually step up and address the problems that have been identified in the ISCD implementation of the CFATS program. Or maybe not. After all, the Senate Homeland Security and Government Affairs Committee has yet to hold a hearing on the problems; they’re more interested in looking at the Secret Service agents consorting with prostitutes.
