Saturday, February 8, 2014

HR 4007 – 2 Year CFATS Bill

The GPO does not have the CFATS bill, HR 4007, available yet, but we can see the final draft language of the bill on the Homeland Security Committee web site. It is certainly not a comprehensive chemical facility security bill, but it does attempt to address some of the issues facing the CFATS program.

Two Year CFATS Authorization

First off it would take the bill out of the DHS spending bill authorization process. The CFATS program was initially authorized in §550 of the Homeland Security Appropriations Act of 2007 (PL 109-295). That initial authorization expired on October 4th, 2010 and has been extended by a clause in each DHS spending bill (including all of the continuing resolutions) ever since.

The crafters of this bill were responding to industry complaints about the one year re-authorization process adding too much uncertainty to the life of the program when long term capital expenditures were being made for security processes and procedures in response to the program. If the program ever failed to get extended in the spending process, the feeling has been expressed, many facilities would be ‘stuck with unnecessary’ security infrastructure. Interestingly, there has been no wide spread industry complaints about unnecessary security requirements, so it would seem that there is actually very little ‘unnecessary security infrastructure’ being installed.

What is actually driving the industry uneasiness about the yearly authorization process is that if the CFATS program is ever really cancelled, it will only be removed to put some other chemical facility security program in place. The general fear in the industry is that the replacement program would be likely to be more intrusive and expensive. One only has to look at the industry’s reaction to HR 2868 which passed in a Democrat controlled House in 2009.

While this current bill would remove the CFATS program from the §550 process and extends the program to a two year reauthorization, the crafters of this bill still kept the program in political limbo by not choosing to make the provisions of this bill amendments to the Homeland Security Act of 2002. This was done with the best of intentions (as was the initial 3 year authorization in §550) partially as a chance for ISCD to show that it has recovered from some of the administrative issues in the middle years of the program and also to give Congress a chance to work out a permanent chemical facility program, the comprehensive program of legislative legend.

Changes to CFATS

Most of the §550 language has made it back into this bill. And the bill specifically requires the current regulations (49 CFR Part 29) to remain intact except where this bill requires changes to those regulations {§9(a)}. And facilities that have approved site security plans as of the date of enactment will not have to resubmit those plans for approval just because the bill was enacted {§2(c)(3)}.

There have been some significant changes made to the authorization language to address some of the short comings and issues that have arisen with the current program. Those changes address:

• The expansion of the inspection force to include contractors;
• The use of other Department security vetting programs;
• The coordination of facility coverage with other agencies;
• The implementation of the risk assessment process; and
• Reports to Congress

Inspections Not an Inherently Governmental Function

Section 2(d)(1) specifically authorizes the Secretary to designate inspectors that are not DHS employees. The language says that the audit and inspection processes “may be carried out by a non-Department or nongovernmental entity, as approved by the Secretary”. This is clearly being done to aid the Department in accelerating the site security authorization – approval – compliance process with a limited number (about 120 currently) chemical security inspectors.

Contract inspectors lower the personnel cost to the Department and once the heavy load associated with the initial authorization – approval process is complete, it is much easier to reduce the number of contract personnel associated with the program.

The problem, of course, with this is that inspections are an inherently governmental function, particularly when the results of those inspections form the basis for civil actions and possibly facility cease and desist orders. ISCD could take care of this by ensuring that their regulations call for the use of contract inspectors only during authorization visits which are less about inspecting and more about looking and talking. This is the area where ISCD currently needs the most manpower help and the area where that need will quickly disappear in a couple of years,

Personnel Surety

We haven’t yet seen any industry replies to the latest version of the ISCD Personnel Surety Program, but there will certainly be some of the same complaints heard against the earlier versions since little has been changed. One of those unchanged areas that has met with industry resistance is the requirement for facilities to provide personally identifiable information (PII) on employees that hold a current DHS security credential.

Section 2(d)(3) specifically authorizes any facility, as part of their personnel surety program, to “utilize any Federal screening program that periodically vets individuals against the terrorist screening database [TSDB], or any successor”.

A very poorly worded §2(d)(4) tries to make it clear that if an individual holds one of the other security credentials listed in subsection (3) the facility does not have to submit PII to ISCD for purposes of vetting that person. Actually, a less convoluted reading of the exact language seems to say that after a person has been vetted against the TSDB and granted access (the vetting after all precedes the granting of access) ISCD cannot require the facility to provide any additional information about employees unless they have “been identified as presenting a terrorism security risk” {§2(d)(4)(B)}.

I have been assured that the intent of the language was to stop facilities from having to submit information about employees that already possess an DHS security credential that includes periodic TSDB vetting. The problem with this requirement is that it does not adequately address the appearance on the TSDB of someone that already has a credential. Without being able to require facilities to submit information on people with alternative security credentials there is no way for ISCD to check that those credentials are current and the most recent TSDB vetting was negative. And for already cleared employees/visitors there is no way to tie a new appearance on the TSDB back to a chemical facility at which access has already been granted.

Facility Coverage

Congress was very upset when it became clear that the folks at ISCD were completely unaware that the West Fertilizer facility had a sufficient amount of fertilizer grade ammonium nitrate on hand to require the submission of a Top Screen. The fact that even if ISCD had known about the facility, its inspectors have no authority or training to address the safety issues that caused the explosion last summer. This means that it would have been extremely unlikely to have had any preventative effect, but Congress, and to a lesser extent the White House, was outraged none the less.

Section2(e)(1) was added to this bill as an attempt to address the issue of information sharing between government agencies (at the federal, State, and local levels) to ensure that all potentially covered facilities are identified. It requires the Secretary to “consult with the heads of other Federal agencies, States and political subdivisions thereof, and relevant business associations to identify all chemical facilities of interest”.

As part of the President’s Improving Chemical Safety and Security Executive Order (EO 13650) the National Protection and Programs Directorate (NPPD), the group to which ISCD reports within DHS, is working with the EPA and OSHA to try to develop mechanisms to accomplish this particular requirement.

Risk Assessment

The DHS Inspector General’s office has identified shortcomings in the process by which ISCD determines the relative risk of terrorist attack at a chemical facility. This risk assessment is used to determine which facilities that submit Top Screens are given the preliminary designation as a high-risk and required to proceed within the CFATS program. After the security vulnerability assessments are submitted, ISCD uses a similar process to assign facilities to the risk tiers that determine how effective their security controls must be.

ISCD has been using an essentially single factor risk assessment process, looking mainly at the consequences of an attack on a facility and using that to determine the relative risk of terrorist attack; the higher the off-site consequences in lives or dollars the higher level of risk. ISCD correctly maintains that this is the simplest measure of risk particularly since there appears not to have been specific credible threats of attacks on chemical facilities within the United States. ISCD has also maintained that vulnerability can only be properly determined after a facility has established a site security plan and had that plan evaluated.

In §2(e)(2) this bill would require the Secretary to “develop a risk assessment approach and corresponding tiering methodology that incorporates all relevant elements of risk, including threat, vulnerability and consequence” {§2(e)(2)}. Specifically the risk assessment criteria must address {§2(e)(2)(B)}:

• The threat to the facility based upon available intelligence techniques;
• The potential economic consequences and the potential loss of human life in the event of the facility being successfully attacked by terrorists; and
• The vulnerability of the facility to attack.

Reports to Congress

The ‘oversight’ responsibility for the CFATS program was shared between three committees in Congress; Homeland Security, Energy and Commerce, and Appropriations. Until early 2012 all three Committees were apparently satisfied with the progress being made by the Department in the implementation of the CFATS program. ‘Oversight’ hearings up until that time were more focused on how to move forward with various plans for a comprehensive chemical facility security program.

It wasn’t until Fox News did a story in December 2011 on a leaked internal ISCD memo that the congressional oversight finally started to take a hard look at the management of the CFATS program and the total lack of progress made to date in implementing the site security plan portion of the program. Since that time they have focused closely on the numbers of facilities with approved or authorized site security plans (and clearly ignoring their part in the inherent problems with that program).

This bill clearly intends to expand the congressional oversight of the CFATS program implementation. Section 6 of the bill (titled simply ‘REPORTS’) addresses a number of reporting mechanisms that will be used by Congress (odd that there is no mention of which committees are to receive these reports; that is usually clearly delineated in these cases) to keep track of progress being made in implementing this program.

There will be reports by GAO, and the Secretary. The GAO report will be a generic semiannual report on implementation of the CFATS program. Eighteen months after passage of this bill the Secretary would be required to:

• Certify that significant progress has been made on identifying all potentially covered facilities;
• Certify that the DHS has developed an appropriate risk assessment protocol and implemented it in the tiering process;
• Provide an assessment of the implementation of recommendations made by the Homeland Security Studies and Analysis Institute

Program Termination

Section 7 closes out the bill by closing out the CFATS program. This section simply states:

The authority under this Act shall terminate on the date that is two-years after the date of the enactment of this Act.

Now I am fairly certain the crafters did not intend for the CFATS program to actually terminate in two years unless it failed to accomplish the mission of getting approved – authorized and inspected site security plans into place at high-risk chemical facilities. But, that is not what Section 7 says. What it says is that facilities without an approved SSP should game the system to delay the process as long as possible so that it can avoid the costs associated with implementing an approved SSP.

This could be corrected easily enough by prefacing the current sentence with “Unless otherwise extended by Congress…” That makes it clearer that Congress has the option, and intends to exercise the option, to extend the program as long as certain political goals are accomplished.

The big problem here is that the time frames in §6 and §7 do not match, politically. The Secretary is given 18 months to report to congress on the key measures of performance that the bill establishes for further program extension, but §7 kills the program just six months later unless Congress acts. There is very little that anyone expects Congress to act upon within just six months. Relatively minor programs like CFATS, especially when they are politically sensitive, cannot be handled within that time frame. It will take at least a year (more likely 2) from the time that DHS submits their reports to the time that a new reauthorization bill is passed.

Typically what happens with small programs like this is that get periodic authorization extensions as parts of larger pieces of legislation. If there were a history of passing DHS authorization bills (and the only history here is not passing or even considering such bills) then this would get a short mention in one of the ‘other’ program sections of the bill. Here is it would be more likely to continue getting the annual authorization approvals in the DHS spending bill.

Again, no one wants to see this bill fail. No one in Congress is going to let this program be cancelled unless another one is put in its place. No one wants to be responsible for there being ‘no security’ at a high-risk chemical facility when it is attacked by terrorists. That would be a certain career ender. A bad program (especially one as cheap as CFATS) is always going to be better politically than no program.

Missing Authorization

What is clearly missing from this bill is the typical language you see at the end of any program authorization, the spending plan. You would expect to see either wishy-washy spending-neutral language such as “the Secretary is authorized to expend such funds as are necessary to implement this program” or specific annual spending limits for the program. I really would have expected to see this language in §7 preceding the program termination language discussed above.

Moving Forward

Chemical facility security is much like cybersecurity politically speaking. The issues are technically complex and reach across a wide spectrum of specialties. The consequences of a successful attack will be catastrophic and could have an economy shattering impact. There are a variety of politically sensitive side issues that make it difficult to reach a compromise position that actually accomplishes anything.

We have seen difficulties getting any significant legislation passed on this topic in every Congress since 2001. This year will be no different and the sponsorship of this bill provides little hope for passage. Of the six sponsors only one is a Democrat and while all of the others are in the Committee leadership Rep. Green (D,TX) is not even a member of the Homeland Security Committee and is not a ranking member on any Committee or Subcommittee. The lack of support from the ranking members of the Homeland Security Committee is a sure sign that the bill will not get out of committee in the Senate.

All five Republicans are leaders in the Homeland Security Committee, but there is no one from the leadership of the competing chemical security committee the Energy and Commerce Committee. For this bill to get to the floor it will have to be okayed by that Committee. It would have a much better chance of getting to the floor if there were the name of at least one influential member of the Energy and Commerce Committee on the co-sponsor’s list.

Having said that, the fix may be in in the House. It seems obvious that Chairman McCaul is going to try to push this bill forward. A copy of the bill is already available on Thomas.LOC.Gov which is impressive given that it was introduced on Thursday. This usually means that the bill will be coming to the floor sooner rather than later. I expect that we will see this in Committee markup later this month.

No comments:

/* Use this with templates/template-twocol.html */