Monday, July 13, 2009

SSI Language in Senate Version of HR 2892

The Senate included a number of new amendments when they passed the DHS FY 2010 budget last week. Adding these amendments to HR 2892 ensured that each house will have to consider the bill one more time after the conference committee works out the differences between the two versions of the bill. Friday afternoon the GPO still did not have the version of the bill passed in the Senate available on their web site so it is difficult to tell exactly what was included in the bill, but two things seem to be clear, the CFATS extension remains intact and Senators Rockefeller and Byrd (D, WV) managed to get Sensitive Security Information (SSI) clarifying language (Senate Amendment 1401) added to the Senate’s version of the bill (thanks to Ken Ward for pointing this out in his blog). SSI Clarification This amendment adds the same language to three different sections of 49 USC; §114(r), §40119(b), and §70103(d). The language is identical to that found in S. 1274 that had been introduced by Sen. Rockefeller. That language reads:
“(3) Nothing in paragraph (1) shall be construed to authorize the designation of information as sensitive security information (as defined in section 15.5 of title 49, Code of Federal Regulations)-- “(A) to conceal a violation of law, inefficiency, or administrative error; “(B) to prevent embarrassment to a person, organization, or agency; “(C) to restrain competition; or “(D) to prevent or delay the release of information that does not require protection in the interest of transportation security, including basic scientific research information not clearly related to transportation security.”
The intention of this language is to prevent a repeat of the situation that happened earlier this year when Bayer CropScience applied the SSI label to huge quantities of information requested by the Chemical Safety Board (CSB) in their investigation of the deadly accident at the Bayer CropScience facility last year. In the end Bayer relented and admitted they were attempting to control the public release of information to avoid having a public discussion about the safety and security of their methyl isocyanate (MIC) production and storage. This language should make it clear that the intention of the SSI ‘classification’ is not to protect a facility like Bayer CropScience from public scrutiny of their potential effect on the health and safety of the surrounding communities. Unfortunately, from the House testimony it is clear that Bayer knew that much of the information that they were marking as SSI should not have been marked that way. Thus, it is not clear that this would have prevented the SSI classification fiasco seen earlier this year. Short of adding some sort of punitive language to these clarifications, I don’t see how this amendment to the DHS budget is going to solve the underlying problem. The Underlying Problem The problem wasn’t really that Bayer was inappropriately classifying the information (though they were certainly doing that), but that there were no provisions in the regulations for the Chemical Safety Board’s use of SSI information. The Coast Guard was quick to point out that the CSB certainly had a ‘need to know’, but it would have helped if that had been codified in the regulations. The CSB has a statutory mission of investigating chemical related accidents and disseminating information from those investigations to prevent similar incidents at other facilities. This caused a problem in this case because CSB did not have any guidance on what SSI information that it could disclose while fulfilling its reporting mission. The CSB was afraid that it would run into legal problems publicly disclosing security information. Ultimately, the CSB did get Coast Guard approval for the specific information they would provide in their public meeting, but there are still questions about how to deal with potential legitimate SSI in the final report. Suggested Solution What is needed is for the SSI rules {and the Chemical-Terrorism Vulnerability Information (CVI) rules} to be amended to specifically provide for the handling of ‘classified’ data in CSB investigations and for SSI/CVI handling rules to be built into the CSB rules. This will probably have to be handled as stand alone legislation rather than trying to incorporate it into some spending bill; the CSB is funded under the EPA budget bill, while the Coast Guard is funded under the DHS budget. First, and maybe most importantly, CSB needs to be added to the list of agencies to which disclosure of mandated information means that that information automatically removed from either SSI or CVI protection. Other agencies on the current lists include EPA, and OSHA. The intent is to insure that facility security information does not become justification for avoiding other regulatory responsibilities. Next provisions need to include a requirement for CSB to formally notify DHS of the initiation of all formal investigations. DHS would then be required to determine if the facility in question was a covered facility under MTSA, CFATS, or a variety of TSA administered security programs. DHS would be required to notify the CSB of the facility’s covered status and to provide liaison officers from the appropriate agencies. The CSB investigation team and supporting staff would be authorized to ask for (and receive) any documentation that they deem appropriate to their investigation. During the investigation they would be required to protect all appropriately marked documents in accordance with the appropriate regulations. All notes made from appropriately marked ‘controlled’ documents would include identification of the source document and security markings. When the same information is found in an uncontrolled document, the information cite should reference the uncontrolled document and not mention the classification from the controlled source. If at any point during the investigation, it becomes evident that the accident was the result of a deliberate attack rather than a process accident, CSB would cease to be the lead agency in the investigation. The properly protected and controlled documents could then be turned over to the new agency lead or remain with the CSB personnel still supporting the investigation. In any case, all security information would still be protected in accordance with the appropriate regulations. In writing their final report on a chemical accident, CSB would strive to avoid mention of security measures, unless, in their opinion, those security measures directly contributed to the cause of the accident or hindered the response to the accident. In any case, the final report would not be classified. Security measures that contribute to the cause of a serious chemical accident or result in additional deaths, serious injuries, or property damage because they hindered the emergency response to that accident require a public discussion to prevent similar occurrences at other facilities. While security measures may be compromised, the results of a severe chemical accident will do more to compromise security while they endanger the public health and safety. A classified annex could be prepared to allow CSB investigators (and or DHS liaisons) to comment on any security measures that might cause issues in other instances, but do not pose an imminent danger. Like wise, the classified annex could also be used to point out short comings in the security program at the covered facility. In either case DHS should ensure that such a classified annex be given the widest possible distribution within the chemical facility security community so that other facilities can correct similar problems at their facility. The Importance of Security and Safety While there will be the inevitable discussion about which is more important, safety or security, it must be remembered that as far as high-risk chemical facilities are concerned they are two sides of the same coin. The purpose of both is to protect employees at the facility and their neighbors in the community from the threat of exposure to the consequences of an unplanned release of hazardous chemicals. An unsafe facility is a security risk; a severe accident will compromise security measures. An insecure facility is an unsafe facility; a chemical release will do the same damage whether it is caused by an accident or a terrorist attack. The safety and security communities must come together and work as a team to protect the greater community.

No comments:

/* Use this with templates/template-twocol.html */