Chemical Facilities Antiterrorism Security Act of 2011

Last week a tweet by Mae Stevens, a frequent reader of this blog, pointed her followers at a new web site, WriteTheBillWiki.com [corrected site name 3:30 pm EST 11-15-10]. It is a wiki site where a wide variety of people can contribute to a project, in this case write a piece of legislation. Today I posted an initial draft of a proposal for the Chemical Facilities Antiterrorism Security Act of 2011.

CFATSA 2011

With a new Congress convening on January 3rd, it will be time to start over with all new legislation; a brand new slate if you will. Since I have been critical of everything that has come out of Congress to date on CFATS (well, that is what bloggers do), I decided that I would try my hand at writing the kind of bill that I would like to see.

First off, I did not want to write a bill for a permanent CFATS program. I think that the kind of vigorous discussion that we have been having the last two years, inside Congress and out, provides a lot of give and take about what is important in a chemical security program. Making Congress go back and periodically re-visit the issues is, in my mind, an important part of making for a vigorous program.

So I started off copying and pasting S 2996, the original legislation proposed early this year by Sen. Collins (R, ME). I did this first because I wanted to make sure that I started out with the typical legislative format and wording. Second, I kind of liked her basic ideas about training and exercises. These were things that I think should be in a chemical facility security bill.

Next, I wanted to make sure that this was not a ‘comprehensive bill’; I didn’t want to include everything and the proverbial kitchen sink. Since this is going to be layered on top of CFATS, it is going to require ISCD to draft a revision to 6 CFR 27. That will take valuable time away from their other job of helping to keep high-risk chemical facilities safe. Additionally, any changes to the CFATS regulations are going to have to be implanted at 6,000 plus chemical facilities across the country. Again, they have other things that they are going to be doing as well.

So, I picked five programs that I would like to see added to the current CFATS mix. None of these should come as any surprise to readers of this blog. They are:

● Chemical security training program
● Chemical security exercise program
● Methods to reduce the consequences of a terrorist attack
● Emergency response planning
● Industrial control system cyber security

Chemical security training program

Again, I took the basic training program that was in the Collins’ Bill and made very few changes. The one major change was that I made participation in the program mandatory for all Tier 1 and Tier 2 facilities. Ultimately I would like to see a training program like this required for all high-risk chemical facilities with provisions for any other chemical facility to opt in.

Chemical security exercise program

As with the training program I stole most of this from the Collins’ Bill. Once again I made it mandatory for Tier 1 and Tier 2 facilities and my earlier comments apply here as well. I did add a little more detail to §2103(b)(2), listing the types of exercises that I believe are necessary and a description of the people that should be expected to participate. A lot of this comes from my military background.

Methods to reduce the consequences of a terrorist attack

You’ll notice that I have avoided the ‘IST’ term. I hate to be accused of being politically correct, but this title describes what the program is trying to do better than ‘inherently safer technology’. There is no implementation mandate in this section; mainly because I don’t think that anyone currently has enough real world data on this subject to allow a government agency to legitimately require any given facility to implement specific process changes.

This can be thought of as an Investigate, Report and Review program. Requiring facilities with release toxic chemicals on site to take a real look at alternatives that could reduce their viability as a target, or a source of accidental release. Facilities would report this data to DHS who would tabulate the data and start to do some serious looking at what an IST program might actually look like.

Emergency response planning

Nothing new here that I haven’t been discussing for the last month or so in the blog. First I set-up communications requirements for the facility emergency response plan that can be checked by Chemical Security Inspectors. Next I established a federal official with the responsibility to oversee the emergency planning process for the area around the facility. I included a submission, review and approval requirement at the local level

Industrial control system cyber security

This one is a little new to readers here. I haven’t written much about what kind of cyber security program I would like to see at high-risk chemical facilities; just too much to get my hear around. So I did like any good Congress Critter should do, I punted to the experts. Let’s just put the DHS ICS-CERT people in charge of establishing the basic ICS cyber security program.

I did add a requirement for facilities to report the details of their program; equipment, policies and procedures, that sort of thing. I kind of envision the ICS-CERT people using this data to set up a network to push ICS alerts and advisories out to the people who really need to be warned about the vulnerabilities, the end user.

This is a Wiki

This WriteTheBill site is a wiki site. That means that anyone who signs up can put their two cents worth in. You can take part in a discussion about the bill. You can change the bill, either minor grammatical changes or major policy changes. It’s kind of like Congress like that. You submit a bill and what happens to it between that introduction and final passage is largely out of the control of the person who drafted it.

I would like to think that I got this mainly right. Who knows how many people will agree with that? I’m sure that is probably the way most Congress Critters feel about their bills. Let’s see what happens here.

BTW: I know that about 20% of the readers of this blog sign in from computers located within about 50 miles of the Washington Monument. That means that most of you are insiders or one sort or another. You are certainly welcomed to participate as well. In fact, I would like to solicit your assistance. You have the knowledge of all of the things that legislation like this really needs, those little details that make these things work. Please, help me polish this up.

You see, my real goal is to have a chemical facility security bill get introduced in the first week or two of the 112th Congress, something that is recognizably derived from this draft. We’ve got just about 2 ½ months to go before the first gavel drops. Let’s get to work.