Wednesday, July 29, 2009

HR 3258 Analysis – 50 Enforcement Agencies

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background As I noted in the previous posting in this series, one of the political realities that led to the writing of HR 3258 is that the US EPA is already responsible for a significant portion of the regulation of water treatment facilities, including security against deliberate contamination of the water supply. While the leadership of the House Energy and Commerce Committee obviously feels that this is a logical extension of EPA authority, this does result in some inherent regulatory complications. Covered Facilities When DHS was looking at the possibility of the water treatment facility exemption being removed by HR 2868 they estimated that there would be an additional 3,000 facilities added to the CFATS program based on the presence of COI (typically chlorine, or anhydrous ammonia) at or above the screening threshold quantity (STQ). This would have almost doubled the number of covered facilities. HR 3258 uses an entirely different standard to determine what facilities would be considered ‘covered facilities’. Instead of relying on the presence of a quantity of specific chemicals on-site, the standard set forth in this legislation is the size of the served community. It makes any “community water system serving a population greater than 3,300’ {§1433(a)(2)(A)} a covered facility. While I have not seen any specific figures for the number of facilities that this would cover, but it would be substantially more than 3,000. The reason for this is that these regulations would cover more than just the security of chemicals at these facilities. This legislation would extend and expand the current physical security requirements for protecting the water supply to the protection of the hazardous chemicals used at many of these facilities. This was done to ensure that there would only be one set of security rules covering these facilities. Duplication of Efforts This, of course, raises the question about duplication of regulatory efforts in the EPA and DHS. The argument can certainly be made that DHS has expended a great deal of time, effort, and money setting up the regulatory tools needed to enforce CFATS. Regulations have been written. Innovative on-line reporting and evaluation tools have been developed and supporting documentation has been written and revised. And, the Chemical Security Academy has been developed to train a professional staff of chemical security inspectors. The counter to that argument is that substantial portions of the CFATS program will not actually apply to water treatment facilities. The list of 300+ chemicals of interest (COI) is certainly over-kill when it comes to the limited chemical inventories of these treatment plants. Nor will there be the complexity and variety found in the loosely defined chemical industry; the regulations and reporting tools will be easier to develop for a this relatively uncomplicated industry. This should also make those tools easier to understand and use. One way to look at this issue is to ask would it be easier to add chemical security to existing water security regulations or to add water facility security to existing chemical security regulations. Obviously, Chairman Waxman decided that the former would make more sense, especially since he took the opportunity provided to increase substantially the water security requirements. Enforcement Activities The US EPA currently uses a distributed enforcement model when dealing with water treatment facilities. This means that the Administrator has delegated enforcement authority to the individual States where they have expressed a willingness, and presumably demonstrated an ability, to take on that task. Forty-nine states (Wyoming is the exception) have accepted that delegation. This enables the EPA to have a very small enforcement staff. That delegation has been specifically included in the language of one portion of this legislation. Section 1433(g) gives authority to the State (where the State has primary enforcement authority) the responsibility for determining if a high-risk (Tier 1 or 2) water treatment facility must implement ‘methods to reduce the consequences of a chemical release from an intentional act ‘methods to reduce the consequences of a chemical release from an intentional act’. While provisions have been made to require the reporting of that decision to the Administrator, there is nothing allowing the Administrator to overturn that decision. This is the only portion of the regulation that addresses the use of delegated enforcement authority. But, since the US EPA routinely uses this enforcement model for water facility regulations, I would suspect that the EPA would rely on State officials to enforce this regulation as well. Lacking specific authority to hire and train a significant enforcement staff, it would not only be reasonable, but it would necessary if there is to be even a minimal effort to enforce these requirements. This comes with it own set of problems. First there is the question of uneven enforcement activities. How is the EPA going to ensure a minimal level of training for the inspectors from 49 states? This will be especially important since the Administrator is required to establish risk-based performance standards rather than prescriptive standards for site security plans. The EPA could establish a training program similar to the Chemical Security Academy being run by DHS. Or perhaps they could contract with DHS to conduct that training. The next surmountable problem is the sharing of information with State agencies. The language in HR 3258 requires the submission of ‘Top Screen’ type information, vulnerability assessments and site security plans to the Administrator. All of this information will be protected information under rules that should be similar to the Sensitive Security Information rules established by TSA. Secure methods of sharing that information with States will have to be developed. There will undoubtedly be other issues that will have to be dealt with due to this distributed enforcement model used by the EPA. I can’t think of any that would be insurmountable, but they will complicate the development and enforcement of the regulations that will have to be written to implement these regulations.

No comments:

/* Use this with templates/template-twocol.html */