Wednesday, June 17, 2009

HR 2868 Analysis

As I noted yesterday, Monday afternoon Chairman Thompson announced the introduction of HR 2868 (actually that announcement was of the “June 15 version of discussion draft”). Since HR 2868 is available on the GPO website (access through the Thomas Website) I downloaded a copy and compared it to the draft version that I have (06-04-09 version). I have found 24 distinct changes in the two versions. Most of the changes are not significant, but there are a few that are worth looking at. No Title II The June 4th version of the committee draft included a two line mention of Title II: Community Drinking Water Systems and that is not shown in HR 2868. Presumably the original intent was that the House Energy and Commerce Committee would be writing the Title II requirements for adding requirements for the EPA to produce rules to secure the hazardous chemicals at water treatment plants. I expect that this is still being done, but it will be a stand alone bill. One interesting point is that HR 2868 will remove all of the §550 (Homeland Security Appropriations Act of 2007 Public Law 109-295) language from the Homeland Security Act. This removes the water treatment facility exemption from the CFATS program. Since I cannot find any language in HR 2868 that exempts those facilities from CFATA 2009, those facilities will presumably be covered. I expect that the yet to be introduced water treatment facility security bill will change that. That may be a ‘risky’ move, since failure to pass that bill will put water treatment facilities under the ‘control’ of DHS. Both Chairman Waxman and Congressman Markey are co-sponsors of this bill, so I expect that they know what they are doing. Another New RBPS CFATA has always included a ‘new’ risk-based performance standard; methods to reduce consequences of a terrorist attack (the popularly named ‘IST’ provision). HR 2868 adds another new RPBS; §2101(2)(T), methods to recover or mitigate the release of a substance of concern in the event of a chemical facility terrorist incident. I am a firm believer that any emergency response plan for a chemical facility should address methods to mitigate a release of hazardous chemicals. It only makes sense then that high-risk chemical facilities should include this mitigation as part of their SSP. One point that has not been included in the discussion of the time frame for implementation for CFATA is that these two new RBPS will require a re-write of the RBPS Guidance document. That cannot really begin in earnest until the final rule is published. Both of these new RBPS will mark a completely new area of concern for the document and this could easily add another year to the implementation process. This Guidance document re-write may be more extensive than just adding two new RBPS. Since the § 550 language is being removed, there will no longer be the statutory prohibition of DHS specifying specific security measures. While I have seen no other discussion of this issue, there is a natural tendency for regulatory agencies to ‘regulate’ so some of the security measures that DHS has been ‘urging’ may slip into being required. Alternative Security Program There has been a subtle word change in §2103(d)(1). The old language stated that the Secretary may accept an ASP “in lieu of all or part of the requirements of a security vulnerability assessment and site security plan otherwise required under this section”. The new wording allows the Secretary to accept an ASP “in combination with other components of the security vulnerability assessment and site security plan”. This makes it more explicit that DHS will require that parts of the CSAT tools be completed for the SVA or SSP submission even when an ASP is being submitted. This is actually the current case, but this explicitly requires this to happen. Personnel Surety Alternate Security Program HR 2868 adds a new section, §2103(d)(4), that allows for “a personnel surety alternate security program”. There is an interesting limitation to this ASP; the wording requires that the application must come from “a non-profit, personnel surety accrediting organization acting on behalf of, and with written authorization from, the owner or operator of a covered chemical facility”. I do not understand why this excludes commercial organizations that are doing background checks. There are three other limiting restrictions included in this section. The first is nearly meaningless since the Secretary would not presumably be able to evaluate if the process is “expedited, affordable, reliable, and accurate”, but the individual facility has an incentive to ensure this. The final restriction, “is a single background check consistent with a risk-based tiered program”, will also be difficult for the Secretary to evaluate and there is no real incentive for the facility to enforce this. The middle restriction {§2103(d)(4)(B)} is probably the most important from the individual’s point of view. This requires that the process is “fully protective of the rights of covered individuals through procedures that are consistent with the privacy protections available under the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.)”. This, unfortunately, will be equally difficult for the Secretary to enforce unless there is a vetting process established to ‘approve’ these agencies in advance of their use by facilities. This vetting process could certainly be written into the resulting regulations. Training Requirements There are three additions to the training program requirements. The first, §2103(f)(2)(G), requires that ‘employee representatives’ are involved in the selection of ‘existing national voluntary consensus standards’ that are used in training. This is undoubtedly being used to encourage the use of training programs developed by a variety of labor organizations. The other two additions increase the items that must be covered in the training. Section 2103(f)(2)(J) requires coverage of the “identification and assessment of methods to reduce the consequences of a terrorist attack”. This is being done to ensure that employees have a chance to ‘verify’ that the employer has looked at all appropriate IST possibilities. Finally §2103(f)(2)(K) requires that there is a “discussion of appropriate emergency response procedures”. Anyone with any sense would train employees on ‘emergency response procedures’, but I’m sure that there would facilities would overlook this if it were not for it being included in a DHS compliance checks. It certainly isn’t being checked in OSHA or EPA compliance inspections. Threat Information There was an addition made to §2106(a). This section requires that the Secretary is to provide covered facilities with information about any terrorist threats relative to that facility. The addition requires the Secretary to provide that information to “a representative of each recognized or certified bargaining agent at the facility, if any.” I think that this is being done to insure that facilities take threat information seriously. The only problem that I see with this, and many of the other sections that require sharing of information with ‘employee representatives’ and/or employees, is that this extends the number of people that must be vetted and cleared for access to the information. There is already a problem of lack of security clearances in the private sector hampering the sharing of classified intelligence information. It will also inevitably set up labor disputes when designated labor representatives cannot be cleared for some reason. It would seem that the intent of this language is that ‘employee representatives’ receive the same information as management. If DHS treats the requirement that way and refuses to share intelligence information with properly cleared management because there are no properly cleared ‘employee representatives’ then this will hamper security efforts.

No comments:

/* Use this with templates/template-twocol.html */