This is the second blog in a series taking a critical look at the recent Heritage Foundation report on the problems with the CFATS program. While the report authored by Jessica Zuckerman is not up to the usual editorial standards of the Heritage Foundation it does raise some interesting issues. The earlier blog post can be found here:
In this post I will be looking at the discussion in the Report under the heading of ‘Right in Principle, Wrong in Practice’. This section looks at the program from the perspective of how well the CFATS implementation has followed the four principles outlined by Under Secretary Beers in his March 30th, 2011 testimony before the House Homeland Security Committee (Oops, it was before the House Energy and Commerce Committee on March 31st, 2011 and the link provided in the report is bad, DHS web site change not Ms. Zuckerman’s fault there, but the rest is just poor scholarship).
Zuckerman properly points out that the individual facilities, the Federal government as well as State and local governments all have interests in securing high-risk chemical facilities. She then takes the CFATS program to task for centralizing the responsibility for security at the Federal level. She notes that:
“The government must determine facilities’ risk levels, set performance standards, and assess security plans and compliance.”
Congress provided in §550 that DHS was supposed to develop a security program targeted at just those chemical facilities that were determined to be at the high risk for terrorist attack. Furthermore, the program should be risk-based with the highest risk plants getting the earliest attention. All of these require DHS to determine facility risk levels.
The performance standards were published by DHS as one would expect since they would be judging if facilities met these performance standards in the implementation of their security plans. DHS developed the standards in conjunction with industry input and published a draft of the Risk-Based Performance Standards. Extensive industry comments were received on that draft (see my blog posts from 11-28-08, 12-05-08, 12-05-08, 01-09-09 and 01-13-09) and were taken into account when the final version was published.
Furthermore, DHS worked hand-in-hand with industry in developing, fielding and modifying the Top Screen and Security Vulnerability Assessment Tools. For both of these portions of the CFATS process the first ten or so facilities to complete submissions had DHS personnel on site in the information development and submission process to work out the inevitable bugs in the system. The lessons learned in those shared submission efforts were put into modifying the tools and documentation before those systems went live for the remainder of the CFATS community. That this was not done in the SSP submission process probably goes a long way to explain the problems in that system.
Ms. Zuckerman closes this section by claiming that:
“Enhancing chemical security does not mean that the private sector should yield its responsibility to the federal government.” (pg 5)
Nowhere in her arguments does she show where the private sector has been required to yield its responsibility for the security of their facilities. The CFATS program does not specify how a security program should be put together, it simply provides standards by which the government will judge the success of that program. That those standards are vague at best is at least partially the responsibility of private industry. They were the ones that demanded performance based standards and complained about anything coming close to specifics in the draft version of the RBPS Guidance Document.
Zuckerman takes DHS to task for not sharing the basis for the Department’s risk tiering process, a complaint that has been made a number of times over the years since the first NPRM was published for the CFATS regulations. Actually this complaint has been combined with the lack of openness about the process for establishing the ‘high-risk’ status of facilities in the first place.
The report properly notes that the details of the risk-ranking methodology is not shared with owners. This does not allow an owner to do more than to make a reasonable guess as to what actions the facility can take to have their Tier ranking lowered or even to be removed from the CFATS list all together. There is a process in place to submit information to have either the Tier ranking or CFATS listing reconsidered, but it is an iterative process at best.
While I agree with Ms. Zuckerman’s assertion in this case, she does her report ill service by not addressing, even in passing, the reasoning that DHS has used to avoid publicizing the details of their methodology. This lack of addressing opposing arguments is another of the reasons that this Heritage Foundation report is probably more useful as a political document than a real study of the issues involved.
Any discussion of the sharing of information about the security tiering or assessment process must take into account the official DHS response to such questions in the regulatory comment process. DHS outlines their position quite clearly in the preamble to the Interim Final Rule published in the Federal Register (72 FR 17700 – 17701).
Zuckerman also addresses the failure of DHS to share tiering information with State and local authorities; stating that:
“In addition, first responders and community leaders have also expressed concern about the lack of transparency of facility tiering and risk assessments, citing the fact that the lack of information sharing may impede emergency response and community preparedness.” (pg 5)
While one might suppose that State and local officials might want some input on the evaluation process of facilities within their jurisdiction, the claim of lack of transparency of the facility tiering and risk assessment process fails to address the efforts made to share that information with local authorities. DHS has made it clear that facilities have an inherent responsibility for coordinating with local emergency response officials and provides the State Homeland Security Directors with access to an online tool in CSAT to check on the CFATS status of chemical facilities within the State.
Finally, Ms. Zuckerman takes DHS to task for the problem it discovered last year in its risk model. While there should be some discussion on the internal delays in responding to the discovery of the model discrepancy, it really is disingenuous to complain about the problem with the model. Any researcher or academic knows that a model is only an approximation of reality and adjustments have to frequently be made to models to ensure their accurate reflection of reality. ISCD should be commended on monitoring their system closely enough to detect and correct the problem.
On an editorial note there are many claims of comments by unnamed industry or local government officials within this section. The footnotes to those claims almost uniformly point to the book “Chemical Facility Security” by Shea, but not a single page citation is provided. This is just another continuing example of the poor scholarship exhibited throughout this work.
Zuckerman’s section on performance standards, or more appropriately the Risk-Based Performance Standards (RBPS) actually addresses the core issue of the current ISCD problems. She acknowledges that the theory behind the RBPS is good but notes that in practice “chemical facilities have largely been left uncertain over what is expected of them in meeting the DHS’s standards” (pg 6). Unfortunately, industry is largely to blame for these problems. They insisted on risk-based performance standards instead of concrete security measures and even convinced their politicians in Congress to prohibit DHS from specifying any security measure as being necessary for SSP approval.
As I noted earlier, when DHS published the draft of the RBPS Guidance document in October 2008, the industry comments came fast and furious. While many of the comments were constructive the vast majority were complaining that this or that was too specific and wouldn’t or shouldn’t apply to their industry or company. Once again DHS gave in to the political pressure (which is never mentioned in Ms. Zuckerman’s report), and produced a very vague RBPS Guidance document.
Ms. Zuckerman blames the problem, in part, on the Chemical Facility Security Inspectors (CFSI’s; oh, she never does use their proper title; a small thing to be sure); noting that:
“Similarly, issues in training and hiring capable and experienced inspectors has resulted in confusing and conflicting feedback from ISCD inspectors in the course of pre-authorization visits and authorization inspections.”
I’ll address the CFSI specific issues in a later post, but this complaint (not unique to Zuckerman) misses the important point. In the pre-authorization and Authorization inspections, the inspectors are just the eyes and ears of the ISCD staff. It is that staff (and frequently contractors) that never sees the facility that makes the decision on whether or not an SSP is approved or not. Thus, the person the plant talks to is not the person making the decisions.
DHS has tried to clarify this on a number of occasions, but I seriously don’t think that it has really gotten through to the folks in the inspected facilities. Thus this reported confusion in the field. Oh by the way, Ms. Zuckerman provides no source for her comments about ‘confusing and conflicting feedback from ISCD inspectors’.
Leveraging Existing Advancements
This section of the report deals with the usage of ‘Alternative Security Plans’ or ASPs. Ms. Zuckerman falls into the same language trap that most people do when the discuss ASPs. When most of the chemical industry talks about ASPs they mean security programs like the American Chemistry Council’s Responsible Care Security program. This is a set of standards along with a third party verification of compliance for security related issues. When industry talks about ‘accepting’ such a plan it appears that they mean the facility should be given credit for that plan when they have been certified by the third party and DHS should accept that as an approved SSP.
DHS, on the other hand misnamed their SSP; it is not a site security plan. What the SSP is is a series of questions about the security set up at a particular facility to determine if that security program meets the requirements of the Risk-Based Performance Standards. DHS doesn’t care if the security measures are part of another certified site security plan; great, just so long as your answers to the questions show the facility meets the RBPS.
The problem is that ISCD does not have the time nor the manpower to read the documents associated with a real security plan; a 100+ page document with annexes describing emergency response, personnel surety, key control, etc. Adding a variety of formats from different security programs will only add to that problem.
Ms. Zuckerman manifests her misunderstanding of the problem by stating that:
“This lack of motivation on the part of the DHS to seriously consider ASPs inhibits the ability of companies to continue to employ security measures in which they have already invested time and effort, thereby discouraging the innovation and creative thinking that have been critical to the security of the private sector in the past. As such, it limits the field of security options to those rigidly established by the federal government.” (pg 6)
Nothing that DHS is doing is limiting the ability of facilities to continue to use existing security measures, either to completely or partially fulfill their compliance with the 18 risk-based performance standards set forth in the CFATS regulations. And DHS is specifically prohibited from establishing rigid security options.
What industry really wants is for the currently established voluntary security programs to be accepted without review by DHS. In essence what they want is to have these third-party certification agencies to perform the inherently governmental function of examining and approving the security plan for CFATS covered facilities. Unfortunately, DHS has been given the responsibility for performing this function and does not have authority to transfer that responsibility to a private sector entity (okay, we’ll ignore for the moment that they are using contractors for the information processing necessary to make that decision; oh, that isn’t in the Heritage Foundation report).
In the closing paragraph in this section of the report Ms. Zuckerman brings up an interesting point that I must admit I haven’t seen mentioned in reference to the CFATS program. She mentions that “the department should encourage companies to apply for certification under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002”. Actually I have heard of the SAFETY Act program and I seem to recall that it is run by DHS S&T, not NPPD.
Still if NPPD could identify areas where new technology would benefit facilities covered under the CFATS program, it would certainly be helpful if a SAFETY Act program could be put together to fulfill that need. Okay, I’ll remake a suggestion here; chemical facility response forces need a weapon that can be used to stop violent attackers without posing a safety hazard when used within the high-risk environment of a chemical facility. Sorry that’s a pet peeve of mine and doesn’t really have anything to do with the review of this report. It won’t happen again.
Other Critical Concerns
This section deals with the issues raised in the so called Anderson memo that was made public last December. Ms. Zuckerman has had no more access to that memo than have any of the rest of us that have commented on the problems at ISCD. So I’ll give her a pass on all of the errors in this section as they are the same ones that just about everyone has made. She has no background working with this program so she can only repeat the same unfounded charges. See my blog post from last December on my reporting on the ISCD issues.