This is the second blog in a series taking a critical look
at
the recent
Heritage Foundation report on the problems with the CFATS program. While
the report authored by Jessica Zuckerman is not up to the usual editorial
standards of the Heritage Foundation it does raise some interesting issues. The
earlier blog post can be found here:
In this post I will be looking at the discussion in the
Report under the heading of ‘Right in Principle, Wrong in Practice’. This
section looks at the program from the perspective of how well the CFATS
implementation has followed the four principles outlined by Under Secretary
Beers in his
March
30th, 2011 testimony before the House Homeland Security
Committee (Oops, it was before the House Energy and Commerce Committee on March
31
st, 2011 and the link provided in the report is bad, DHS web site
change not Ms. Zuckerman’s fault there, but the rest is just poor scholarship).
Cross-Collaboration
Zuckerman properly points out that the individual
facilities, the Federal government as well as State and local governments all
have interests in securing high-risk chemical facilities. She then takes the
CFATS program to task for centralizing the responsibility for security at the
Federal level. She notes that:
“The government must determine
facilities’ risk levels, set performance standards, and assess security plans
and compliance.”
Congress provided in §550 that DHS was supposed to develop a
security program targeted at just those chemical facilities that were
determined to be at the high risk for terrorist attack. Furthermore, the
program should be risk-based with the highest risk plants getting the earliest
attention. All of these require DHS to determine facility risk levels.
The performance standards were published by DHS as one would
expect since they would be judging if facilities met these performance standards
in the implementation of their security plans. DHS developed the standards in
conjunction with industry input and published a draft of the Risk-Based
Performance Standards. Extensive industry comments were received on that draft
(see my blog posts from
11-28-08,
12-05-08,
12-05-08,
01-09-09
and
01-13-09)
and were
taken
into account when the final version was published.
Furthermore, DHS worked hand-in-hand with industry in
developing, fielding and modifying the Top Screen and Security Vulnerability
Assessment Tools. For both of these portions of the CFATS process the first ten
or so facilities to complete submissions had DHS personnel on site in the
information development and submission process to work out the inevitable bugs
in the system. The lessons learned in those shared submission efforts were put
into modifying the tools and documentation before those systems went live for
the remainder of the CFATS community. That this was not done in the SSP
submission process probably goes a long way to explain the problems in that
system.
Ms. Zuckerman closes this section by claiming that:
“Enhancing chemical security does
not mean that the private sector should yield its responsibility to the
federal government.” (pg 5)
Nowhere in her arguments does she show where the private
sector has been required to yield its responsibility for the security of their
facilities. The CFATS program does not specify how a security program should be
put together, it simply provides standards by which the government will judge
the success of that program. That those standards are vague at best is at least
partially the responsibility of private industry. They were the ones that
demanded performance based standards and complained about anything coming close
to specifics in the draft version of the RBPS Guidance Document.
Risk-Based Tiering
Zuckerman takes DHS to task for not sharing the basis for
the Department’s risk tiering process, a complaint that has been made a number
of times over the years since the first NPRM was published for the CFATS
regulations. Actually this complaint has been combined with the lack of
openness about the process for establishing the ‘high-risk’ status of
facilities in the first place.
The report properly notes that the details of the
risk-ranking methodology is not shared with owners. This does not allow an
owner to do more than to make a reasonable guess as to what actions the
facility can take to have their Tier ranking lowered or even to be removed from
the CFATS list all together. There is a process in place to submit information
to have either the Tier ranking or CFATS listing reconsidered, but it is an
iterative process at best.
While I agree with Ms. Zuckerman’s assertion in this case,
she does her report ill service by not addressing, even in passing, the
reasoning that DHS has used to avoid publicizing the details of their
methodology. This lack of addressing opposing arguments is another of the
reasons that this Heritage Foundation report is probably more useful as a
political document than a real study of the issues involved.
Any discussion of the sharing of information about the
security tiering or assessment process must take into account the official DHS
response to such questions in the regulatory comment process. DHS outlines
their position quite clearly in the preamble to the
Interim Final
Rule published in the Federal Register (72 FR 17700 – 17701).
Zuckerman also addresses the failure of DHS to share tiering
information with State and local authorities; stating that:
“In addition, first responders and
community leaders have also expressed concern about the lack of transparency of
facility tiering and risk assessments, citing the fact that the lack of
information sharing may impede emergency response and community preparedness.”
(pg 5)
While one might suppose that State and local officials might
want some input on the evaluation process of facilities within their
jurisdiction, the claim of lack of transparency of the facility tiering and
risk assessment process fails to address the efforts made to share that
information with local authorities. DHS has made it clear that facilities have
an inherent responsibility for coordinating with local emergency response
officials and provides the State Homeland Security Directors with access to an
online tool in CSAT to check on the CFATS status of chemical facilities within
the State.
Finally, Ms. Zuckerman takes DHS to task for the problem it
discovered last year in its risk model. While there should be some discussion
on the internal delays in responding to the discovery of the model discrepancy,
it really is disingenuous to complain about the problem with the model. Any
researcher or academic knows that a model is only an approximation of reality
and adjustments have to frequently be made to models to ensure their accurate
reflection of reality. ISCD should be commended on monitoring their system
closely enough to detect and correct the problem.
On an editorial note there are many claims of comments by
unnamed industry or local government officials within this section. The
footnotes to those claims almost uniformly point to the book “Chemical Facility
Security” by Shea, but not a single page citation is provided. This is just
another continuing example of the poor scholarship exhibited throughout this
work.
Performance Standards
Zuckerman’s section on performance standards, or more
appropriately the Risk-Based Performance Standards (RBPS) actually addresses
the core issue of the current ISCD problems. She acknowledges that the theory
behind the RBPS is good but notes that in practice “chemical facilities have
largely been left uncertain over what is expected of them in meeting the DHS’s
standards” (pg 6). Unfortunately, industry is largely to blame for these
problems. They insisted on risk-based performance standards instead of concrete
security measures and even convinced their politicians in Congress to prohibit
DHS from specifying any security measure as being necessary for SSP approval.
As I noted earlier, when DHS published the
draft of
the RBPS Guidance document in October 2008, the industry comments came fast
and furious. While many of the comments were constructive the vast majority
were complaining that this or that was too specific and wouldn’t or shouldn’t
apply to their industry or company. Once again DHS gave in to the political
pressure (which is never mentioned in Ms. Zuckerman’s report), and produced a
very vague RBPS Guidance document.
Ms. Zuckerman blames the problem, in part, on the Chemical
Facility Security Inspectors (CFSI’s; oh, she never does use their proper
title; a small thing to be sure); noting that:
“Similarly, issues in training and
hiring capable and experienced inspectors has resulted in confusing and
conflicting feedback from ISCD inspectors in the course of pre-authorization
visits and authorization inspections.”
I’ll address the CFSI specific issues in a later post, but
this complaint (not unique to Zuckerman) misses the important point. In the
pre-authorization and Authorization inspections, the inspectors are just the
eyes and ears of the ISCD staff. It is that staff (and frequently contractors)
that never sees the facility that makes the decision on whether or not an SSP
is approved or not. Thus, the person the plant talks to is not the person
making the decisions.
DHS has tried to clarify this on a number of occasions, but
I seriously don’t think that it has really gotten through to the folks in the
inspected facilities. Thus this reported confusion in the field. Oh by the way, Ms. Zuckerman provides no
source for her comments about ‘confusing and conflicting feedback from ISCD
inspectors’.
Leveraging Existing Advancements
This section of the report deals with the usage of
‘Alternative Security Plans’ or ASPs. Ms. Zuckerman falls into the same
language trap that most people do when the discuss ASPs. When most of the chemical
industry talks about ASPs they mean security programs like the American
Chemistry Council’s Responsible Care Security program. This is a set of
standards along with a third party verification of compliance for security
related issues. When industry talks about ‘accepting’ such a plan it appears
that they mean the facility should be given credit for that plan when they have
been certified by the third party and DHS should accept that as an approved
SSP.
DHS, on the other hand misnamed their SSP; it is not a site
security plan. What the SSP is is a series of questions about the security set
up at a particular facility to determine if that security program meets the
requirements of the Risk-Based Performance Standards. DHS doesn’t care if the
security measures are part of another certified site security plan; great, just
so long as your answers to the questions show the facility meets the RBPS.
The problem is that ISCD does not have the time nor the
manpower to read the documents associated with a real security plan; a 100+
page document with annexes describing emergency response, personnel surety, key
control, etc. Adding a variety of formats from different security programs will
only add to that problem.
Ms. Zuckerman manifests her misunderstanding of the problem
by stating that:
“This lack of motivation on the
part of the DHS to seriously consider ASPs inhibits the ability of companies
to continue to employ security measures in which they have already invested
time and effort, thereby discouraging the innovation and creative thinking that
have been critical to the security of the private sector in the past. As such,
it limits the field of security options to those rigidly established by the
federal government.” (pg 6)
Nothing that DHS is doing is limiting the ability of
facilities to continue to use existing security measures, either to completely
or partially fulfill their compliance with the 18 risk-based performance
standards set forth in the CFATS regulations. And DHS is specifically
prohibited from establishing rigid security options.
What industry really wants is for the currently established
voluntary security programs to be accepted without review by DHS. In essence
what they want is to have these third-party certification agencies to perform
the inherently governmental function of examining and approving the security
plan for CFATS covered facilities. Unfortunately, DHS has been given the responsibility
for performing this function and does not have authority to transfer that responsibility
to a private sector entity (okay, we’ll ignore for the moment that they are
using contractors for the information processing necessary to make that
decision; oh, that isn’t in the Heritage Foundation report).
In the closing paragraph in this section of the report Ms.
Zuckerman brings up an interesting point that I must admit I haven’t seen
mentioned in reference to the CFATS program. She mentions that “the department
should encourage companies to apply for certification under the Support
Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002”.
Actually I have heard of the SAFETY Act program and I seem to recall that it is
run by DHS S&T, not NPPD.
Still if NPPD could identify areas where new technology
would benefit facilities covered under the CFATS program, it would certainly be
helpful if a SAFETY Act program could be put together to fulfill that need.
Okay, I’ll remake a suggestion here; chemical facility response forces need a
weapon that can be used to stop violent attackers without posing a safety
hazard when used within the high-risk environment of a chemical facility. Sorry
that’s a pet peeve of mine and doesn’t really have anything to do with the
review of this report. It won’t happen again.
Other Critical Concerns
This section deals with the issues raised in the
so called Anderson memo that was made public last December. Ms. Zuckerman has
had no more access to that memo than have any of the rest of us that have
commented on the problems at ISCD. So I’ll give her a pass on all of the errors
in this section as they are the same ones that just about everyone has made.
She has no background working with this program so she can only repeat the same
unfounded charges.
See my
blog post from last December on my reporting on the ISCD issues.