Saturday, May 3, 2014

CFATS and Cybersecurity – Spaulding’s Testimony

Earlier this week Undersecretary Suzanne Spaulding testified at a closed hearing before the Homeland Security Subcommittee of the House Appropriations Committee about the cybersecurity budget for DHS. A portion of the unclassified written testimony dealt specifically with the Departments Chemical Facility Anti-Terrorism Standards (CFATS) program.

Spaulding’s testimony did not specifically address cybersecurity at high-risk chemical facilities or how the Department intended to address the assessment of that portion of the security risk. It did, however, address some information sharing activities that are being undertaken by the National Protection and Programs Directorate (NPPD) of the Department as a result of the President’s Executive Order on Increasing the Safety and Security of Chemical Facilities (EO 13650).

Internal Information Sharing

As part of the mandated review of the intra-Executive Branch information sharing initiative started by that EO Spaulding noted that:

“Specifically, ISCD [Infrastructure Security Compliance Division] will run comparisons on the EPA Risk Management Program and the Superfund Amendments and Reauthorization Act Title III data from all 50 individual state data sets on an annual basis to identify facilities that are potentially non-compliant with the CFATS regulation.”

The intention of this information sharing exercise is to identify facilities that have filed RMP and CERCLA information with the EPA that could help identify facilities (like last year’s West Fertilizer) that had not submitted Top Screens required under the CFATS Program.

Interestingly there is no mention of similar information sharing exercises with the Department of Labor’s Occupational Safety and Health Administration (OSHA) that maintains a similar listing of chemical facility information as part of its Process Safety Management (PSM) program. I understand that the database used by OSHA is so much different from those used by EPA and DHS that the Department is having a great deal of difficulty establishing the ability to compare information in the CFATS and PSM databases.

Another part of the intra-Federal information sharing process is the coordination of inspection programs. Spaulding promised that: “ISCD will coordinate inspections with EPA and Occupational Safety and Health Administration and participate in cross-training activities to integrate and improve the outreach of Federal regulatory programs”.

The Federal Government’s inspection cadres for all three programs (CFATS, RMP, and PSM) are not large enough individually to ensure that all chemical facilities housing hazardous chemicals are visited on a routine basis by Federal inspectors. For the sake of efficiency sharing of inspection information between these three programs could help identify facilities that require more frequent and/or detailed inspections by the other programs.

External Information Sharing

While sharing within the Federal government is important to increase the efficiency of these three regulatory programs, it is not usually the Federal government that is responsible for responding to catastrophic failures of these programs. That responsibility lies with the State and local emergency response agencies. Spaulding told the Subcommittee that:

“In addition, ISCD will coordinate and work with each of the 50 State Emergency Response Commissions and the 3,000 (+) Local Emergency Planning Committees to ensure communities can meet their responsibilities in regard to potential chemical emergencies.”

SSP Review

In addition to the improved information sharing process the Under Secretary updated the Subcommittee on the progress seen in the implementation of the CFATS program; specifically the progress in authorizing and approving site security plans. The data provided was based on information as of April 1st, which coincides with the last CFATS Update (I’m expecting to see the update for the month of April published next week). She was able to supply the Subcommittee with some additional details that were not included in that monthly report.

She reported that all of the Tier 1, 2, and 3 facilities have had their initial review of the facility SSPs. The table below shows the authorization and approval numbers for Tiers 1 and 2. I would certainly suspect that these numbers are now higher. She also provided information on the number of compliance inspections that had been completed for facilities that have had the Site Security Plan approved.

# in Tier
Tier 1
Tier 2
SSP Numbers as of April 1st

She also reported that 450 facilities have submitted Alternative Security Plans (ASP). These plans are held to the same performance standards (and approval processes) as the Site Security Plans but are prepared in a more user friendly format. To my knowledge, the only ASP format that is currently ‘approved’ (ASP format approval is not technically necessary) is the ASP designed by the American Chemistry Council (ACC).

Reason for this Testimony

Now none of the above information was really about cybersecurity. Spaulding can be forgiven, however, for drifting from the purpose of the hearing in presenting this data to the Homeland Security Subcommittee in this venue. The Subcommittee has been a vocal critic of the CFATS program implementation and has on multiple occasions threatened to withhold funds from the program. As the program is under her purview, Spaulding can be forgiven for taking any opportunity provided to praise the progress that is being made.

I will not be surprised, however, to see her and ISCD Director Wulf back before this Subcommittee to address specific questions about the CFATS program before the DHS budget is marked up.

No comments:

/* Use this with templates/template-twocol.html */