As I mentioned yesterday the Environment and the Economy Subcommittee of the House Energy and Commerce Committee will be holding their semi-annual hearing on the progress of the CFATS program. In that blog post I noted that the witness list had not yet been posted to the Committee web site. It still isn’t but it is included in a Hearing Memorandum document posted to the Documents.House.Gov web site.
As everyone expected, Under Secretary Beers and ISCD Director Wulf are the first panel that will face questioning. A separate second panel will have one witness Stephen L. Caldwell, Director, Homeland Security and Justice, GAO. This certainly means that the GAO has updated their report on the CFATS program.
The third is the expected industry panel, with three witnesses:
• Bill Allmond, SOCMA;
• Timothy J. Scott, The Dow Chemical Company; and
• Charlie Drevna, American Fuel & Petrochemical Manufacturers
It is kind of unusual that there isn’t anyone from labor or an environmental activist group to provide a counter view-point on the CFATS program. We can safely assume that no one is going to bring up inherently safer technology on this panel.
The Committee Staff has provided a list of issues that presumably Chairman Shimkus is interested in having addressed at this hearing. Those issues include:
• Is progress being made in securing high-risk facilities against terrorism?
• What are the current steps in the CFATS process of ensuring that regulated facilities meet the risk-based performance standards? How many facilities have attained each such step?
• How does the DHS practice of assessing risk of terrorist incident for individual facilities compare to what is called for in the National Infrastructure Protection Plan?
• How does the recent experience of the regulated community with the CFATS program compare with its experience at the time of the Subcommittee’s last hearing on September 11, 2012? Are there improvements and, if so, what are they?
• What is the status of the personnel surety component of the risk-based performance standards?
• What is the quality of communication between DHS and the regulated community? Is feedback systematic or based more on occasional, informal contacts?
This is a pretty comprehensive list of issues to be addressed in a Congressional Hearing. Even if these are the only topics addressed, and the witnesses and other Subcommittee members will all have their own variations on the agenda, it may be a lengthy hearing.
There is one important topic missing on the Issues List, cybersecurity. As I noted in Sunday’s blog post, the CFATS program is certainly one of the programs that President Obama had in mind when he included §10(a) in Executive Order 13636, Improving Critical Infrastructure Cybersecurity. That section reads:
“Agencies with responsibility for regulating the security of critical infrastructure [certainly includes ISCD] shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements [rather weak in the current Risk-Based Performance Standards guidance document] are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework [chemical industry is in luck here, ISCD can’t get anything done in 90 days], these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.”
I have been hearing rumors that officials in NPPD, as part of their refocusing the Directorate’s priorities to cybersecurity, are trying to upgrade the effectiveness of the cybersecurity portion of the CFATS program. This would probably require a re-write of RBPS #8 portion of the guidance document, but that would be justified to bring it up to the ‘standards’ of the Framework.
The Memorandum of Understanding (MOU) between NIST and NPPD does not specifically mention ISCD or CFATS, but ISCD is undoubtedly one of the organizations that will be providing input to NIST on current cybersecurity programs, particularly since it is the only regulatory agency in NPPD that currently looks at cybersecurity.
Having said all of this, I am more than a little disappointed that the cybersecurity issue missed the short list for issues to be addressed at this hearing. It will be interesting to see if Beers or Wulf voluntarily mention it in their opening statements.