CFATS Update

Here we are half-way through the month of June and the folks at the DHS Infrastructure Security Compliance Division (ISCD) have not yet published their monthly update for the CFATS site security plan (SSP) implementation. Since April of 2013 they have been publishing this monthly compilation of the number of facilities which have had their SSP authorized and approved. If it is published on Monday it will be the latest the update was published since the congressional funding fiasco of 2013.

Is something wrong at ISCD? Probably not. What we are probably seeing is a move to the next phase of the CFATS program implementation. After all, June 16^th will mark a milestone in the CFATS program, effectively being the date that the program will make a substantial change in the way the program is authorized and implemented.

Brief CFATS History

The Chemical Facility Anti-Terrorism Standards (CFATS) was the last major anti-terrorism program that can be directly traced back to the attacks in September 2001. In 2006 Congress was finally able to put serious disagreement about how a chemical security plan would be run behind themselves long enough to establish an interim program to get some sort chemical security effort underway while the nearly theological battle in Congress proceeded.

The chemical security program was authorized in a single, short section in the FY 2007 DHS spending bill (§550, PL 109-295). It provided minimal guidance to DHS on how to establish the program and provided some significant limitations as to what DHS could require chemical facilities to do as part of the program.

DHS got off to a fast start standing up the CFATS program. In less than six months they wrote a new set of regulations establishing an innovative new regulatory program that utilized state of the art on-line data collection tools. In the next couple of years they looked at the initial reporting data from over 40,000 chemical facilities that had significant amounts of 300+ DHS chemicals of interest (COI) on hand and determined that just over 4000 of those facilities met the regulatory standard of being ‘at high risk of terrorist attack’.

Those covered facilities completed security vulnerability assessments, again submitting the data to ISCD via the on-line Chemical Security Assessment Tool (CSAT). DHS took the information provided and threat ranked the facilities into four risk tiers. ISCD developed a guidance document for how those facilities should implement the risk-based performance standards required by Congress, and then there was a major hiccup; the program stalled.

For a number of reasons, including some management issues that have not yet been fully reported to the public, the program stopped advancing. Work was being done by the ISCD staff, Chemical Security Inspectors were visiting facilities. Facilities were submitting SSPs, but effectively no site security plans were being approved by ISCD.

In early 2013 the new management team at ISCD finally started making some headway and the authorization and approval of site security plans began in earnest. The program was starting to get back on track. In April of 2007 they started reporting that progress with their monthly updates of status of the CFATS site security plan implementation.

The Fight in Congress

In the meantime Congress continued their in-fighting about how a chemical facility security program should proceed. On one hand, the Democrats (supported by labor and environmental activists) wanted to use the security program to severely limit the chemicals and processes that the industry could use. They argued that if dangerous chemicals and processes could be reduced or eliminated then the facilities would no longer be potential terrorist targets. The Republicans (supported by facility owners) countered that only the engineers and business owners could determine what chemicals and processes would be commercially viable. They argued that DHS did not have the manpower or expertise to make judgements about inherently safer technology.

The importance of this philosophical difference declined as Congress realized that the interim program that they had turned loose on the country was stalled. Their concern about the slow pace of SSP implementation finally overcame the philosophical discussion and Congress finally passed a stand-alone chemical facility security bill last December; HR 4007 was signed by the President on December 18^th, 2014.

Moving Forward

The one change from HR 4007 that will most affect the site security plan implementation is the establishment of an expedited approval process for Tier 3 and Tier 4 facilities. These are the lowest risk facilities covered by the CFATS program and the last ones that DHS has started working on for the SSP implementation process. The bill gave ISCD until June 16^th, 2015 to publish the guidance for this program and to establish the reporting process that the new program would use to process SSP’s for those facilities that opted to use the EAP program.

The EAP guidance document was published last month. This week we should see a new tool established in the CSAT that will allow facilities to report to ISCD their intention to use the EAP program to develop and submit their SSP. Thirty days after that intention is reported to ISCD those facilities will be able to start submitting their EAP SSPs. This will either require the modification of the current SSP tool in CSAT or the publication of a new tool. I suspect that ISCD will go with the new tool using the general format of the checklist provided in the EAP guidance document.

CFATS Updates?

ISCD is going to allow all Tier 3 and Tier 4 facilities the option to use the EAP process. Even those that already have authorized or approved site security plans. This means that the statistics that ISCD has been reporting in their monthly updates will no longer mean much from the perspective of tracking SSP implementation. Starting on Tuesday some number of currently authorized or approved SSPs will be invalidated as facilities make the decision that their SSP could be simplified or made cheaper by joining the EAP process. So tracking those numbers, at least in the short term, probably does not make much sense.

This is going to be further complicated by the fact that current CFATS facilities (as of December 18^th, 2014) have until November 13^th, 2015 to complete the EAP process. This means that they would have until October 14^th, 2015 to notify ISCD of their intent to complete the EAP process. So, during the period of June 16^th to October 14^th watching the simple change in numbers of facilities with authorized or approved SSPs is going to be very confusing.

And I can’t let this topic go without at least mentioning the reporting of compliance inspection results. ISCD has been working on compliance inspections now for a little over two years. Well, they are supposed to have been anyway since compliance inspections were supposed to start one year after the SSP was approved at the facility level. Unfortunately, ISCD has not been publicly reporting any statistics on their compliance inspections.

I would assume (I know; a very dangerous word) that there have not yet been any compliance inspections at Tier 3 or Tier 4 facilities (priority was legitimately given to Tier 1 then Tier 2 facilities), but we should start to see some Tier 3 facilities become eligible for such inspections in the near future. Since those facilities have the option to opt out of their current SSPs by selecting the EAP process, future changes in compliance inspection numbers may also be misleading, at least through October 14^th.

So, are we going to see a CFATS update this week or not. I don’t really know, I haven’t asked anyone at ISCD. I know that they are busy with the HR 4007 implementation process as well as the on-going SSP authorization, approval and inspection process. I don’t think that checking on a reporting system that they voluntarily started as essentially a PR exercise is really worth bothering them about.

If I had to bet, however, I would say probably not. If I were in Director Wulf’s shoes, I wouldn’t report on any data until I was called to testify about the implementation of the HR 4007 requirements later this year.