HR 3258 Analysis – Vulnerability Assessments

This is another in a continuing series of blog postings about the recently introduced HR 3258, the Drinking Water System Security Act of 2009. This bill is designed to be a companion bill to HR 2868, the Chemical Facility Anti-Terrorism Act of 2009, extending chemical facility security rules to water treatment facilities. Previous postings in this series include: HR 3258 Section-by-Section Analysis HR 3258 Analysis – Political Background HR 3258 Analysis – 50 Enforcement Agencies HR 3258 Analysis – Substance of Concern HR 3258 requires each covered facility to complete a vulnerability assessment and update that VA every five years or whenever a facility change is made that “could cause the reassignment of the system to a different risk-based tier” {§1433(a)(1)(B)(ii)}. Since the Administrator is required {§1433(d)(2)} to explain the reason for the tier ranking assigned to the facility (which is significantly different that the process under CFATS where the Secretary has decided to keep the reasons for tier assignments restricted information), the facility would presumably be able to determine what changes would result in a reduction in tier ranking. It is less clear that they would be able to determine what changes would raise their tier ranking. Chemical and Non-Chemical Risks Unlike the CFATS regulations, regulations developed to support this legislation would be required to address chemical and non-chemical risks. Section 1433(c) requires facilities to assess the water system’s vulnerability to a range of ‘intentional acts’. While HR 3258 does not define the term ‘intentional acts’ it is generally accepted to mean a terrorist attack. Having said that it could reasonably be stretched to include thefts of anhydrous ammonia for the production of methamphetamines, or even less reasonably stretched to include acts of vandalism. As one would reasonably expect, the vulnerability assessments will be specifically required to address chemical risks. The wording of §1433(c) addresses the issue of chemical security by requiring the vulnerability assessments to look at intentional acts “that results in a release of a substance of concern that is known to cause or may be reasonably anticipated to cause death, injury, or serious adverse effects to human health or the environment”. As far as I can tell, the term ‘release’ in environmental regulations does not typically include theft, so the resulting regulations might not require the prevention of the theft of anhydrous ammonia, chlorine gas cylinders or other dangerous chemicals. Assessment Requirements This bill does provide a list of seven areas that the vulnerability assessment must address. Those areas are:

“(1) pipes and constructed conveyances; “(2) physical barriers; “(3) water collection, pretreatment, treatment, storage, and distribution facilities; “(4) electronic, computer, and other automated systems that are used by the covered water system; “(5) the use, storage, or handling of various chemicals, including substances of concern; “(6) the operation and maintenance of the covered water system; and “(7) the covered water system’s resiliency and ability to ensure continuity of operations in the event of a disruption caused by an intentional act.”

It can be readily seen that these requirements cover a great deal more ground than the CFATS SVA requirements. This is understandable since this revision of the Safe Water Drinking Act replaces the current requirements for protecting water treatment facilities from terrorist attack. Those current requirements are designed to insure that an attack would not compromise the production of potable water for the served community. This revision of that law must continue those protections and while adding protection of dangerous chemicals used at those facilities. State Enforcement Issues This multifaceted approach is one of the main reasons that the drafters of this legislation kept the chemical security coverage of these facilities under the EPA rather than placing it under the CFATS rules at DHS. So many of these requirements are already addressed under EPA regulations that it would seem reasonable to add relatively limited chemical security regulations to the extensive EPA body of regulations for these facilities. The major drawback to this approach is that EPA has already delegated enforcement of water treatment regulations to the states, and continues that delegation in this proposed legislation. Adding chemical security regulatory enforcement to the overloaded state governments is going to result in uneven enforcement at best. The added chemical security issues and the increased enforcement requirements are going to require additional assets at the State level.