Friday, August 31, 2012

ISCD Updates FAQ Response for CVI

Earlier this week (Wednesday I think, but I was basically without internet service due to Isaac) the folks at the Help Desk for ISCD updated one of the responses to a frequently asked question (FAQ) about the Chemical-terrorism Vulnerability Information (CVI) program, FAQ # 1588 (Note: Normally I would provide a copy of the link to this information, but the FAQ links are not permanent links. To access this FAQ# use the search engine on the CFATS Knowledge Center page). The change updated the link to the CVI website.

Since the old link took one to the chemical security landing page that no longer exists on the DHS web site, DHS had to update the link in the response to FAQ 1588. I’ve checked the other CVI FAQs and they all have workable links to the new pages.

A special note to the ISCD folks: There is no mention of this FAQ update anywhere on the CFATS Knowledge Center page. You have to use the search tools to find that it was updated. Now most people who use this information will probably be using the search feature, so I guess it isn’t too big of an issue. I would like to suggest, however, that any change to a FAQ response should be mentioned in the ‘Latest News’ section of the page.

CSSS Presentations Available… Sometime

(OOPS I got the acronym wrong in the title and no one called me on it, Corrected 09-01-12 8:30 EDT)
This morning the folks at DHS NPPD posted links to many of the presentations made at last month’s Chemical Sector Security Summit. I have a feeling that I saw the page just after it went live because none of the links are active yet (as of 06:15 EDT). I’m still hoping against hope that at least some of the links are to videos of the presentation instead of just the slide shows as DHS has done in the past.

In any case, once the links are live (and I’ll note that on my TWITTER feed when I see it) there are a number of presentations that should, hopefully, provide some interesting information. Ones that I’ll particularly watch for (and probably report on here) are:

Suspicious Activity Reporting (DHS presentation);

SSP Lessons Learned (DHS presentation);

Compliance Lessons Learned (DHS presentation) and;

Fact Sheet: SSP Lessons Learned (DHS presentation).

The one thing missing from this page is the links to the presentations from the previous Summits. This information used to be available on the DHS web site, but the links that I have no longer work.

Tuesday, August 28, 2012

Senate Judiciary Committee Jurisdiction

I’ve recently written a couple of blog posts about Sen. Grassley’s (R,IA) newfound interest in the CFATS program problems (8-3-12, 8-7-12, 8-22-12). Since Grassley is the Ranking Member of the Senate Judiciary Committee I have been trying to figure out his interest in investigating the problems at ISCD; after all, his Committee has no specific NPPD or security oversight responsibilities.


I have looked at the Committee’s web site and its description of the jurisdiction of the Committee. There doesn’t seem to be anything there that would be directly applicable to the problems at ISCD. So I started asking around and have been told by a couple of people that the Committee has historically taken its oversight of the Department of Justice to include the responsibility for looking into criminal activity within the government that one would expect that the DOJ should be investigating.

Illegal Activity?

Now the cronyism charge made by the anonymous reader that I described in my latest Grassley related post could be seen as a violation of one or more of the Civil Service rules applicable to the hiring of an ISCD Director, but it is a bit of a stretch to consider that worthy of a Senate Judiciary Committee investigation. Lying to Congress about the status of the CFATS implementation could be a serious charge, but one would be hard pressed to prove that the statements before various committee hearings by Under Secretary Beers or various ISCD personnel over the years were actual lies rather than political spin.

Now there might be something that we haven’t seen mentioned in the press yet that might provide fodder for such an investigation. It seems that someone at NPPD (most likely Beers, I suppose) ordered an investigation into the leak of the Anderson-Wulf memo to Fox News. Now a leak investigation would certainly be appropriate, but it seems that the investigation was conducted by investigators from the Federal Protective Service; sworn law enforcement personnel. Those investigators were getting sworn statements from everyone in ISCD stating that they were not the source of the leak. And everyone was reminded that falsely swearing to Federal law enforcement officers is a Federal offense in its own right.

To me that seems to be a possible abuse of power, but not really illegal. A couple of people have told me (not for attribution unfortunately) that it is actually against the law, but no one has provided me with a cite for the law that is being broken, so I don’t really know. If it is it seems odd that Grassley or his anonymous reader friend has mentioned any investigation into this matter.

General Malfeasance

Then again, committees in both the House and Senate have a tendency to make up their rules as they go along, guided by political expediency more than actual written policy. That may make the general malfeasance described in my second Grassley post an adequate justification for a Senate Judiciary Committee investigation; especially since it came from a ‘whistleblower’.

Outside Investigation

Since Chairman Leahy (D,VT) and Grassley were both re-elected last year, this certainly won’t be about election year grand-standing. Any investigation carried out by the Committee will probably not see hearings until after the election. The people that I have talked to in Washington have been fairly generous in their praise of the investigators on the Judiciary Committee Staff; if there is some serious wrongdoing to be found they will likely find it.

Unfortunately, they will be looking for illegal activities or official malfeasance, not real problems with the CFATS program. I’m afraid that we’ll have to wait for the House and Senate Homeland Security Committees to look into that. Or perhaps the House Appropriations Committee will be the one to take a real look; they have yet to complete their hearing on the ISCD problems.

Monday, August 27, 2012

Flammable Gas Tanker Explosion

This is an interesting film from a local TV station of a tanker of isobutane exploding on Interstate 10 in Baton Rouge, LA last week. The tanker was deliberately exploded by authorities after it was rear-ended in a freeway accident and its unloading line was damaged and leaking. There had been numerous attempts made to unload the damaged trailer, but they had been unsuccessful, leaving the authorities with no choice but to detonate the trailer in place.

Planned Detonation

Needless to say the freeway was blocked off and local homes and businesses were evacuated as a precaution well before the detonation. Fire crews were in place and the plan for fighting the fire was worked out in advance. Even with all of the precautions that were taken, it took fire fighters almost two hours to put the fire out.

It looks to me that the explosives that were used were emplaced to direct the main force of the explosion upwards. This would have been done to minimize the potential for flames to spread beyond the confines of the freeway. The folks that did this really knew what they were doing.

Security Lessons

This video should be viewed by all security managers for chemical facilities that receive flammable liquids and flammable gases. It gives a very good idea of the extent of the fireball from a tank wagon that has been turned into a vehicle borne improvised explosive device (VBIED). Security processes, procedures and protective measures need to take into account the extent of the fireball seen in this video. They should also take into account that it took fire department teams two hours to control the flames when they had equipment on site ready and prepared to act.

Tank Wagons as Terror Weapons

The next security issue takes just a little more imagination. Instead of this occurring on a closed Interstate with the surrounding buildings evacuated for a safe distance in advance, watch the video and try to imagine the freeway being packed with rush hour traffic. Imagine that fireball covering the adjacent lanes and engulfing every car around the truck in both directions to the extent of the fireball. Then imagine the effects of the secondary fires and explosions as those cars burst into flames.

Then imagine the traffic behind those cars plowing into the fireball and contributing their own impressive fireworks to the conflagration. The cars that are able to stop before running into the actual flames may still feel the effects of the blast overpressure and flash burns. Some of those cars will burst into flames because the high temperature of the fire will heat combustible and flammable materials to their autoignition temperatures.

Most of the vehicles will be able to stop beyond the direct effects of the fires and explosions, but they will face hazards of their own. In any freeway accident at rush hour there will be multiple collisions because drivers were following too close, driving too fast, were distracted by other things going on, or, in this case in particular, were stunned by the visual effects to their front. The freeway will quickly become a parking lot.

If the person with the detonator switch in hand was sufficiently devious, the tanker would have been underneath an overpass when the contents were detonated. While the overpass structure would have protected most of the traffic above from the direct effects of the blast, the accidents and the casualties would be significant.

More importantly, the fire could weaken the structure of the overpass enough to make it unsafe for traffic for weeks and months to come. The potential damage to the roadway underneath and around the truck might also prevent its use for extended periods of time. The immediate effects of the attack would affect the community for months; quite a successful terrorist attack.

HAZMAT Trucking Security Rules

TSA does not currently have any regulatory power over the security of the trucking industry. They do have a few unofficial programs in place to look at corporate security planning and risk assessment, but no authority to require even the basic security measures.

The Pipeline and Hazardous Materials Safety Administration (PHMSA) does have a regulatory program (49 CFR §172.800) that addresses security for certain hazardous materials shipped by truck. The program is vague with little in the way of descriptions of what types of risk need to be addressed or what types of security measures might be required.

Section 172.802 describes the security plan this way:

“The security plan must include an assessment of transportation security risks for shipments of the hazardous materials listed in § 172.800, including site-specific or location-specific risks associated with facilities at which the hazardous materials listed in § 172.800 are prepared for transportation, stored, or unloaded incidental to movement, and appropriate measures to address the assessed risks. Specific measures put into place by the plan may vary commensurate with the level of threat at a particular time.”

It does require that the plan address (in the most general terms) the following topics:

• Personnel security {§172.802(a)(1)};

• Unauthorized access {§172.802(a)(2)}; and

• En route security {§172.802(a)(3)}.

Carriers are required to have copies of these security plans on file at their corporate headquarters where they may be inspected by PHMSA inspectors or their State counterparts. Since those inspectors are safety inspectors it is hardly likely that they have received any significant security training to equip them to provide a knowledgeable review of the provisions. One would assume that they might actually ask to see these plans on occasion and would be satisfied if they were present.

The question becomes, is this adequate to prevent attacks like the one I described above? The answer is left as an exercise for the student…

Sunday, August 26, 2012

A Closer Look at the Heritage Foundation Report – Conclusions

This is the final blog in a series taking a critical look at the recent Heritage Foundation report on the problems with the CFATS program. While the report authored by Jessica Zuckerman is not up to the usual editorial standards of the Heritage Foundation it does raise some interesting issues. The earlier blog posts can be found here:

The final section of the Heritage Foundation report on the CFATS program is called “Developing Market-Oriented Chemical Security Solutions”. As one would expect with a concluding section of a report it summarizes the author’s conclusions. This post will address those conclusions and some of the other shortcomings of the report.

Report Conclusions

Here is my summary of those conclusions (okay, I stole them from the subheading in the section):

• Take a truly risk-based approach to chemical security;

• Reject calls for greater regulation;

• Expand SAFETY Act protections to encourage greater innovation;

• Promote public–private partnerships to enhance aging U.S. infrastructure; and

• Foster greater transparency and cooperation.

I have dealt with most of these conclusions in the earlier posts on this report, so I will not dwell on them further here. There is one new area found in this concluding section that is not addressed anywhere else in the report and that is the one dealing with ‘aging U.S. infrastructure’. It is a shame that Ms. Zuckerman forgot to address this issue in the body of her report because she may have made a potential contribution to the discussion of chemical facility security. Unfortunately, we are left with glittering generalities such as:

“The United States’ overall critical infrastructure, including the chemical sector, is inadequate and aging. Greater investment is needed not only to ensure that U.S. critical infrastructure is protected but that it is capable of bouncing back quickly when disaster strikes.” (pg 10)

In general there is more than a little truth in the description of critical infrastructure as ‘aging’ and ‘inadequate’ covers a wide range of perceived and actual problems. The conclusion that ‘greater investment is needed’ is hardly revolutionary, but it begs the question of where the money is going to come from for that investment. This issue is one that deserves a whole host of reports about specific areas of infrastructure, public and private, that could have a potential effect on chemical facility security.

Industry Response

One would be forgiven for concluding, after reading this report, that industry was widely disillusioned with the CFATS program and wanted to see it replaced with a radically different program. This is never specifically stated in the report, but Ms. Zuckerman does repeatedly talk about the burdens that the program places upon industry.

In the last couple of days, however, the chemical industry has started to respond to this report, and it hasn’t been favorable. An article over at Government Security Newswire (GSN) quotes representatives from two of the largest organizations representing chemical facility owners, the American Chemistry Council (ACC) and the Society of Chemical Manufacturers & Affiliates (SOCMA), as being generally supportive of continuing the CFATS program. They acknowledge problems with the current implementation, but support the basic premise and design of CFATS.

These two organizations certainly don’t represent all of the chemical facilities that are covered under CFATS, but I would be willing to bet that they cover a majority of the Tier 1 and Tier 2 facilities that are having to spend the greatest amount of money on upgrading the security measures at their facilities to comply with the program.

Now part of that support is simply fear of the unknown. Not knowing what type of program would replace CFATS, and Ms. Zuckerman provides nothing beyond glittering generalities, industry would rather deal with the devil they know than accept the potential for an entirely new program.

Given the fact that Congress has been unable to craft comprehensive chemical security legislation since 2001, it is unlikely that it would be able to do so any time in the foreseeable future. Eliminating the CFATS program would leave a void with unpredictable consequences. The GSN article notes that industry fears that an EPA based program might result in requiring IST implementation. What is even more likely is that several State and local governments, no longer restricted by the supremacy of the CFATS program, would craft a patchwork of local regulations that would leave selected facilities with onerous requirements (certainly including IST provisions in many localities) while leaving their competitors with no regulations.

Areas That Were Not Addressed

There are a number of problem areas in the CFATS program that were glossed over, minimally mentioned, or completely ignored in this report. While I have addressed most of these in some detail in various posts over the years, I would like to take this opportunity to mention some of the more important ones (in my opinion) so that future researchers might have a better chance of preparing a report that deals with actual issues and problems in the CFATS implementation.


Ms. Zuckerman briefly mentions the problem with the qualifications of Chemical Facility Security Inspectors (CFSI). The initial members of the CFSI were drafted from the Federal Protective Service. These were law enforcement personnel with a background in physical security; they had little or no background in dealing with chemical facilities. The folks at ISCD realized this problem and established a Chemical Security Academy. I did an initial blog posting on that topic a number of years ago. Since then I have done a number of other blog postings on the issues related to training of CFSI. They include topics such as:

Armed Security Forces

A number of commenters on the Anderson Memo about the problems associated with the current CFATS program have taken particular issue with the problem of current CFSI who started out as sworn law enforcement personnel wanting to continue carrying their side arms. Leaving aside for the moment the definition of enforcement in the CFATS environment, the failure of ISCD to address the issue of the use of armed security personnel to stop terrorist attacks on high-risk chemical facilities is a much unnoticed failing of the program. I have dealt with this issue in a number of blog posts:

SSP Shortcomings

The biggest current problem with ISCD is their apparent inability to effectively authorize any Site Security Plans. While many commenters have noted this problem, no one has attempted to determine the root cause. While I have not had the opportunity to do a detailed study of the problems on the ground, it is clear from the limited comments we have heard from DHS and the inspected community that there is a serious shortcoming with the current SSP tool in CSAT; it is not adequately soliciting the information needed by ISCD to conduct a paperwork evaluation of the programs at the facility.

Any security professional that looks at the questions asked in the SSP tool would realize that the level of detail required for an adequate assessment of the security plans at the facility would not be provided by those questions as asked. This has resulted in DHS establishing the Pre-Authorization Inspection program where presumably the CFSI are tasked with seeking out the necessary information.

I have addressed the ways that this problem might be addressed by facilities in submitting their SSPs, but it seems to me that the SSP tool needs a fairly extensive revision if it is ever going to provide the level of detail necessary for ISCD or its contractors to evaluate the security planning at CFATS covered facilities. Lacking that, ISCD should institute a program where they send a detailed letter to the facility seeking the specific information they need to make their evaluation rather than sending the CFSI out to get the information.

Personnel Surety

While there are any number of other security related issues that might be addressed by any reasonable revamp of the administration of the CFATS program, I’ll just address one more in this posting, the lack of an approved personnel surety program. RBPS #12 requires facilities to conduct background checks on all facility employees and contractors and any visitors requiring unaccompanied access to critical areas of the facility. The provisions for checking identity, criminal history and legal authorization to work can be adequately complied with by using any of a number of commercial organizations to conduct background investigations. The one area that cannot be accomplished by such organizations is the identification of people with terrorist ties.

The failure of ISCD to come up with a reasonable program for allowing facilities to have ISCD or some other agency of DHS vet personnel against the Terrorist Screening Database is inexcusable. Such a program should allow for the use of any of the currently available TSA vetted identification programs (TWIC, HME, etc.) and/or provide a simple method of submitting individual information to ISCD for such vetting. ISCD tried to make their program much more complicated than was necessary. Since that program was recently withdrawn, ISCD’s delay in getting such a program established will continue to put off establishing a terrorist screening program for an even longer period of time.

Moving Forward

ISCD and the CFATS program have a number of challenges and problems to overcome. Documents that are purportedly comprehensive looks at the program like this Heritage Foundation report could provide a basis for the discussion of how to proceed with developing a workable chemical security program for high-risk chemical facilities. Unfortunately, Ms. Zuckerman did little to move the discussion forward.

PHMSA to Renew Two Pipeline Safety ICRs

The Pipeline and Hazardous Materials Safety Administration posted a 60-day notice in the Federal Register (77 FR 51848-51849) of their intent to renew two information collection requests (ICRs) that were approved earlier this year to allow data collections mandated in two recently approved pipeline safety rules on control room management (2137-0624) and integrity management for gas distribution pipelines (2137-0625). The current ICR approvals expire on January 31st, 2013.

There is a major change in the record keeping burden numbers being reported in the control room management ICR. The current ICR predicts 2,702 annual responses will be required under these reporting requirements and estimates that the data collection and reporting for those responses will take 127,328 hours. This notice reports the same number of responses but greatly increases the burden hours to 1,018,807 hours (77 FR 51849), an eight-fold increase in the burden to 377 hours per response. No explanation is given for this increase.

PHMSA is soliciting public comments on the renewal of these two ICRs. Comments can be submitted via the Federal eRulemaking Portal (Docket # PHMSA-2012-0215). Comments need to be submitted by October 26th, 2012.

Saturday, August 25, 2012

Coast Guard Announces NMSAC Meeting Agenda

The Coast Guard is publishing in Monday’s Federal Register (available online today) a notice (77 FR 51817-51818) announcing the upcoming two-day meeting of the National Maritime Security Advisory Committee on September 11th and 12th in Washington, D.C. This meeting will cover chemical security and cybersecurity topics along with the typical maritime topics.

Topics of specific interest to the chemical and cybersecurity communities include:


The information provided on the cybersecurity topic of the agenda is more than a little vague. It states that:

“The Committee will discuss the parameters of a new tasking from the Coast Guard to provide guidance/recommendations on cyber-security initiatives within the maritime sector.” (77 FR 51817)

This wording would seem to indicate that there is a potential to include control system security issues in the discussion as there are a wide variety of water-side and shore-side control systems used in the ‘maritime sector’. It would be particularly interesting to see if the discussion included the cyber-security of various security systems.

Information Sharing

The Coast Guard probably has a better history of information sharing about security matters than any other organization in DHS. This makes it particularly interesting to see how the NMSAC uses the community feedback that it has obtained to suggest further improvements in that information sharing process.

Integration of Security Plans and Systems

Section 822 of the Coast Guard Authorization Act of 2010 required the owner/operator of an MTSA covered facility (Congress did not include ‘vessels’ in this requirement) to “integrate, to the maximum extent practical, any security system for the facility with compatible systems operated or maintained by the appropriate State, law enforcement agencies, and the Coast Guard” {46 USC §70102(c)(2)}. The Coast Guard is asking the NMSAC to help develop guidance for implementing this rather vague requirement.

One would like to think that ‘integrating facility security systems’ would include such things as linking alarm notifications (both intrusion and chemical release) to local law enforcement and emergency response dispatch centers, ensuring that first responders are familiar with local facility procedures, and that emergency response plans are fully coordinated and exercised with local authorities.

Public Participation

As we have come to expect with the NMSAC, there are multiple modes available for public participation in this two-day meeting. First, written comments on the topics may be submitted via the Federal eRulemaking Portal (Docket # USCG-2012-0797). People may attend the meeting in person (limited seating available, contact Mr. Ryan Owens), via teleconference {(866) 810-4853; the pass code to join is 9760138#}, or via webcast. There will be a public comment period at the end of each day’s session.

Friday, August 24, 2012

DHS S&T Withdraws First Responders Community of Practice ICR

Yesterday the Office of Management and Budget announced that the DHS Science and Technology Directorate (S&T) had withdrawn their information collection request (ICR) supporting the on-line First Responders Community of Practice being developed to establish “a collaborative environment for the first responder community to share information, best practices, and lessons learned” (76 FR 11254).

I mentioned the publication of the 60-day notice of the intent to submit this ICR over a year ago. I have still not seen any information on this program (but I haven’t really looked for any either) beyond the two earlier Federal Register publications. It sounds like a worthwhile information sharing exercise, but in the current budget situation it is probably not being funded. That is a guess on my part as the OMB notice does not provide any reason for the withdrawal of this ICR.

I really hope that this ICR withdrawal is not due to a cancellation of this program. First responders are the people that we count on in any emergency to protect us from whatever danger is coming our way. Generally speaking, these folks are undertrained and underfunded, and their professionalism is based, in large part, upon the experiences they have individually accumulated over the years.

Fortunately, terrorist attacks, particularly those using hazardous chemicals, are rare events. But that means that very few of our first responders have the requisite knowledge of, or experience in, responding to these events. Establishing a methodology for sharing that experience would be a valuable tool for increasing the ability of these brave men and women to appropriately respond when they are faced with these infrequent events.

Thursday, August 23, 2012

CG Establishes Maritime Security Zones for RNC

Today the Coast Guard published a temporary final rule in the Federal Register (77 FR 50926-50929) concerning security zones for vessels carrying certain dangerous cargo. This rule is being issued as part of the DHS security support for the Republican National Convention taking place in Tampa, FL from August 25, 2012, through August 31, 2012.

While the term ‘certain dangerous cargo’ (CDC) may apply to a variety of extremely hazardous chemicals on vessels, the rule makes it clear that it specifically applies only to vessels “carrying anhydrous ammonia, liquefied propane gas, and ammonium nitrate” {77 FR 50927}. These are common bulk chemicals that transit Tampa Bay. Such CDC vessels will be escorted by Coast Guard vessels during their transit of the area.

Instead of requiring such CDC vessels to stay away from the Port of Tampa Bay during the Convention, the rule establishes a moving security zone around such vessels as they move through the Port area. The discussion in the rule notes that:

“Security measures have been limited to the minimum necessary to mitigate risks associated with the identified threats.” {77 FR 50927}

Because of the short notice period, there has not been a public comment period provided for this rule. Anyone with questions about the rule should contact Marine Science Technician First Class Nolan L. Ammons.

A Closer Look at the Heritage Foundation Report – More Regulations

This is the third blog in a series taking a critical look at the recent Heritage Foundation report on the problems with the CFATS program. While the report authored by Jessica Zuckerman is not up to the usual editorial standards of the Heritage Foundation it does raise some interesting issues. The earlier blog posts can be found here:

In this posting I will look at the “Calls for Further Regulations” section of the Heritage Foundation report. Generally Ms. Zuckerman gets the cart before the horse in this section and jumps to early conclusions as has been her writing style throughout the report.

She opens her discussion by stating:

“In spite of the critical issues that have ensued after the implementation of the CFATS program, there have been many calls for further regulation of the chemical sector. While generally misguided, many of these measures have received a good deal of attention in Congress.” (pgs 7-8)

Because she is a latecomer to the chemical facility security issue she just doesn’t realize that all of these calls for additional regulation pre-date the formation of CFATS and form the basis for the political wrangling that delayed chemical security legislation for so long and caused the poorly conceived interim congressional authorization for the current program.

Regulation of Exempted Facilities

In this portion of the report Zuckerman identifies the five categories of facilities exempted from CFATS coverage. She ignores the current DHS efforts to harmonize chemical security coverage at two of these categories (MTSA and NRC regulated facilities) and singles out water related facilities for her examples of the errors of expanding the CFATS coverage.

She starts off her argument by stating that:

“These facilities currently fall under the regulatory authority of the Environmental Protection Agency (EPA) and are already subject to risk management and emergency planning requirements under the Safe Drinking Water and Clean Water Acts.” (pg 8)

There are two problems with this tired argument. First the majority of the CFATS covered facilities also come under risk management and emergency planning requirements under a variety of EPA and OSHA regulations. Of course none of these cover prevention of terrorist attacks; that is why chemical security regulations were deemed necessary.

Secondly, the weak and unenforceable (even if EPA did have security inspectors) water security regulations only require larger water facilities (with more than 3500 customers) to conduct a security vulnerability assessment of threats to water quality. There are no security standards set with which these facilities must comply and certainly no EPA effort to regulate the security of toxic chemicals (principally chlorine gas, but a number of other toxic release hazards as well) at these facilities.

She concludes with the tired argument that “any shutdown due to regulatory non-compliance would likely have large effects on public health and well-being” (pg 8). The suggestion that DHS would shut down non-compliant water treatment facilities is a non-argument that has been specifically addressed in every legislative effort to add water treatment facilities to the CFATS program.

Finally, Ms. Zuckerman ignores the most powerful argument against adding the water treatment industry to the CFATS program. Such coverage would more than double the number of facilities covered under the program with the vast majority of those facilities falling under Tier 1 or Tier 2 coverage. This would certainly exacerbate the current work-load problems ISCD is experiencing.

Of course, DHS is well aware of this problem and has included in all of its latest suggestions for CFATS coverage of water facilities that EPA actually take charge of the security at those facilities, using the CSAT tools for the administration of that program. Unfortunately, while DHS and EPA can begin working out the details of such a program, it would take specific congressional authorization to implement, as EPA has even less authority to require security measures than does DHS.

Inherently Safer Technology Mandate

Zuckerman reports the rhetoric of the IST debate fairly well. Unfortunately no effort was made to examine any of the actual legislative proposals that have been submitted in either the House or the Senate over the years. The political proponents of mandating the consideration of IST implementation have been careful to moderate their proposals by basing the implementation requirements upon the assessment of potential methods done by facility management. Industry and its political supporters have generally been unwilling to discuss how such proposals could be modified into a workable proposal.

The report does briefly address the fact that a number of facilities have already availed themselves of IST implementation measures to remove themselves from the CFATS regulatory regime; noting that:

“In fact, more than 2,000 chemical facilities are no longer deemed high-risk and are no longer subject to CFATS, due to voluntary risk-reduction measures.” (pg 8)

She doesn’t address, however, the problem that ISCD doesn’t have a formal mechanism for reviewing those changes to determine how those ‘risk reductions’ were achieved. Many methods of risk reduction at a facility are really nothing more than risk transfer; moving the risk to other manufacturing facilities, storage facilities or transportation nodes. Other risk reduction moves are little more than gaming the system like the industry change of a standard 20% aqueous ammonia concentration to 19% to avoid the material being covered under CFATS.

The issue of IST as a security measure is more complex than the discussion provided in this report. It deserves a more detailed review that provides both sides with a clearer understanding of the positions of the two sides so that a compromise might be achieved in this area where there is legitimate potential for gains in absolute security for many chemical facilities.

EPA Authority Under the Clean Air Act

This final heading under the section concerning potential legislation provides Ms. Zuckerman another chance to provide a superficial examination of the rhetoric of the situation rather than address the actual issues involved. She focuses on the fact that this suggested regulation is an alternative method of enforcing IST requirements that are being politically stalled in Congress, but fails to address the precarious legal justification being used (see my more detailed discussion in my blog post on HR 6345) to forward this proposal. She also fails to mention that the proponents of this idea have gone beyond addressing a letter to the President; there are reports that a formal petition has been filed with the EPA requesting enforcement under the General Duty Clause.

The superficial discussion of the issues involved allows Ms. Zuckerman to jump to another conclusion based upon facts not addressed in the report. She closes this section by stating that:

“But, not only would the Clean Air Act proposal undermine one of the few things CFATS gets right—the restriction on the federal government from proscribing specific security measures—it would also likely impose overlapping and confusing requirements and additional cost burdens [emphasis added] on facilities already regulated by CFATS.” (pg 9)

While almost anyone in industry would agree with this statement by Ms. Zuckerman, there is nothing in the preceding paragraphs that addresses these issues. A political commentator might be able to get away with such a leap in a blog post or editorial, but it is considered ill form in a purported background information report.

Almost to the End

Well there is just one more section of this Heritage Foundation report left to look at and I’ll cover it in a later blog.

Wednesday, August 22, 2012

Deputy Director ISCD Job Opening

I ran across the official job posting on for the position of Deputy Director of ISCD last night during a routine Google search. The posting was opened on August 15th and closes on August 31st.  Applications may be submitted on-line.

The job description is lengthy and includes all of the typical bureaucratic requirements. For example the DD:

“Provides guidance and direction to subordinates in the broad areas of Equal Opporuty(sic)/Equal Employment Opportunity (EO/EEO), human resources programs, and employee development to ensure ISCD's efforts in these areas achieve the goals of the designated programs.”

There are a couple of interesting omissions in the job description and requirements. First, there is no mention of having any background in chemical security operations or planning or even any kind of security enforcement. Oh well, I suppose that an executive at this level is more of a program manager and doesn’t really need to know what the troops in the field are doing. Then again, this may be why ISCD is clueless as to why the SSP questionnaire is not eliciting the types of information needed for the reviewers to authorize the SSPs; there is no one at the management level with the requisite expertise to make that evaluation.

The second oddity is that the job description does not include any mention of the Ammonium Nitrate Security Program. Now I know that DHS is woefully behind schedule on completing this program, but this will (maybe?) be an important part of the ISCD mission if the program ever actually gets off the ground.

Anyway if you are an American Citizen and are looking for a new job in the $119,554.00 to $179,700.00 per year range, take a look at this job posting.

Reader Comment – 08-21-12 – More Sen. Grassley Disclosures

I just allowed the posting of a real interesting anonymous comment to my earlier blog posting on Sen. Grassley’s (R,IA) letter to Sec. Napolitano about mismanagement in ISCD. This new comment maintains that Grassley has uncovered “yet another egregious abuse of authority in the DHS Office of Infrastructure Protection”. As of midnight EDT there was nothing on the Grassley web site about these claims.

This anonymous reader maintains that:

“The political assistant secretary illegally removed his career deputy from office just before the 2008 election, enabling him to move his unqualified crony into the CFATS Director position, where she proceeded to practice more of the cronyism that got her there and to waste hundreds of millions of dollars, all while falsely reporting compliance with the law.”

Now if my memory (and a brief Google search) serves me correctly, the Assistant Secretary for the Office of Infrastructure Protection in 2008 was Robert Stephan, a Bush appointee. The ISCD Director would have been Sue Armstrong.

It will be interesting to see if Sen. Grassley actually has any information beyond the political cronyism charge. While we are supposed to have mechanisms in place to ensure that such things as are being alleged here never take place, no one with any experience in politics would be surprised if such things actually did take place. What is interesting here is that the cronyism started in the Bush Administration and continued into the Obama Administration. That doesn’t seem to be strictly ‘political cronyism’.

I will make one comment on one of the charges here; that of “falsely reporting compliance with the law”. If the anonymous reader is talking about Ms. Armstrong’s testimony about the CFATS program before various Congressional committees during her tenure as Director of CFATS, I don’t recall any of those appearances where she claimed anything about the program that wasn’t subsequently verified. The serious problems with the SSP authorization process didn’t really happen on her watch.

In any case, if anything more comes of this it will be just one more problem that the CFATS program will have to overcome in the next year.

Another RuggedCom ICS-CERT Alert

Yesterday ICS-CERT published another alert for the RuggedCom Rugged Operating System (ROS), based upon a vulnerability that was publicly disclosed by Justin W. Clarke of Cylance Inc. The public report (once again there is no link to the report and the Cylance web site is very discreet) identifies a hard-coded RSA SSL private key vulnerability in the RuggedCom ROS. This is the second serious vulnerability that Clarke has identified in this system.

NOTE: Just got an email from Justin and he provides this information about why I can find no link to this public disclosure: "The reason there’s no link to the report is that the Friday disclosure was actually a live presentation at BSidesLA 2012 on Friday ( The relevant slides were written by me and presented by Stuart McClure, Founder/CEO of my employer. Former Global CTO of McAfee, and Founder/CEO of FoundStone (acquired by McAfee sometime after 2000)." So maybe ICS-CERT should have mentioned the BSidesLA 2012. Updated 8-22-12 0615 EDT.

The earlier vulnerability report concerned an undocumented backdoor account in the system. Clarke had attempted to coordinate the disclosure on the earlier vulnerability but was rebuffed. It would be interesting to hear from Clarke if he attempted a coordinated disclosure this time or if he just decided to go directly to a public disclosure because of his past experience with RuggedCom.

It will be interesting to see how quickly RuggedCom responds to this disclosure.

Monday, August 20, 2012

A Closer Look at the Heritage Foundation Report – Four Principles

This is the second blog in a series taking a critical look at the recent Heritage Foundation report on the problems with the CFATS program. While the report authored by Jessica Zuckerman is not up to the usual editorial standards of the Heritage Foundation it does raise some interesting issues. The earlier blog post can be found here:

In this post I will be looking at the discussion in the Report under the heading of ‘Right in Principle, Wrong in Practice’. This section looks at the program from the perspective of how well the CFATS implementation has followed the four principles outlined by Under Secretary Beers in his March 30th, 2011 testimony before the House Homeland Security Committee (Oops, it was before the House Energy and Commerce Committee on March 31st, 2011 and the link provided in the report is bad, DHS web site change not Ms. Zuckerman’s fault there, but the rest is just poor scholarship).


Zuckerman properly points out that the individual facilities, the Federal government as well as State and local governments all have interests in securing high-risk chemical facilities. She then takes the CFATS program to task for centralizing the responsibility for security at the Federal level. She notes that:

“The government must determine facilities’ risk levels, set performance standards, and assess security plans and compliance.”

Congress provided in §550 that DHS was supposed to develop a security program targeted at just those chemical facilities that were determined to be at the high risk for terrorist attack. Furthermore, the program should be risk-based with the highest risk plants getting the earliest attention. All of these require DHS to determine facility risk levels.

The performance standards were published by DHS as one would expect since they would be judging if facilities met these performance standards in the implementation of their security plans. DHS developed the standards in conjunction with industry input and published a draft of the Risk-Based Performance Standards. Extensive industry comments were received on that draft (see my blog posts from 11-28-08, 12-05-08, 12-05-08, 01-09-09 and 01-13-09) and were taken into account when the final version was published.

Furthermore, DHS worked hand-in-hand with industry in developing, fielding and modifying the Top Screen and Security Vulnerability Assessment Tools. For both of these portions of the CFATS process the first ten or so facilities to complete submissions had DHS personnel on site in the information development and submission process to work out the inevitable bugs in the system. The lessons learned in those shared submission efforts were put into modifying the tools and documentation before those systems went live for the remainder of the CFATS community. That this was not done in the SSP submission process probably goes a long way to explain the problems in that system.

Ms. Zuckerman closes this section by claiming that:

“Enhancing chemical security does not mean that the private sector should yield its responsibility to the federal government.” (pg 5)

Nowhere in her arguments does she show where the private sector has been required to yield its responsibility for the security of their facilities. The CFATS program does not specify how a security program should be put together, it simply provides standards by which the government will judge the success of that program. That those standards are vague at best is at least partially the responsibility of private industry. They were the ones that demanded performance based standards and complained about anything coming close to specifics in the draft version of the RBPS Guidance Document.

Risk-Based Tiering

Zuckerman takes DHS to task for not sharing the basis for the Department’s risk tiering process, a complaint that has been made a number of times over the years since the first NPRM was published for the CFATS regulations. Actually this complaint has been combined with the lack of openness about the process for establishing the ‘high-risk’ status of facilities in the first place.

The report properly notes that the details of the risk-ranking methodology are not shared with owners. This does not allow an owner to do more than make a reasonable guess as to what actions the facility can take to have its Tier ranking lowered or even to be removed from the CFATS list altogether. There is a process in place to submit information to have either the Tier ranking or CFATS listing reconsidered, but it is an iterative process at best.

While I agree with Ms. Zuckerman’s assertion in this case, she does her report ill service by not addressing, even in passing, the reasoning that DHS has used to avoid publicizing the details of their methodology. This lack of addressing opposing arguments is another of the reasons that this Heritage Foundation report is probably more useful as a political document than a real study of the issues involved.

Any discussion of the sharing of information about the security tiering or assessment process must take into account the official DHS response to such questions in the regulatory comment process. DHS outlines their position quite clearly in the preamble to the Interim Final Rule published in the Federal Register (72 FR 17700 – 17701).

Zuckerman also addresses the failure of DHS to share tiering information with State and local authorities; stating that:

“In addition, first responders and community leaders have also expressed concern about the lack of transparency of facility tiering and risk assessments, citing the fact that the lack of information sharing may impede emergency response and community preparedness.” (pg 5)

While one might suppose that State and local officials might want some input on the evaluation process of facilities within their jurisdiction, the claim of lack of transparency of the facility tiering and risk assessment process fails to address the efforts made to share that information with local authorities. DHS has made it clear that facilities have an inherent responsibility for coordinating with local emergency response officials and provides the State Homeland Security Directors with access to an online tool in CSAT to check on the CFATS status of chemical facilities within the State.

Finally, Ms. Zuckerman takes DHS to task for the problem it discovered last year in its risk model. While there should be some discussion on the internal delays in responding to the discovery of the model discrepancy, it really is disingenuous to complain about the problem with the model. Any researcher or academic knows that a model is only an approximation of reality and adjustments have to frequently be made to models to ensure their accurate reflection of reality. ISCD should be commended on monitoring their system closely enough to detect and correct the problem.

On an editorial note there are many claims of comments by unnamed industry or local government officials within this section. The footnotes to those claims almost uniformly point to the book “Chemical Facility Security” by Shea, but not a single page citation is provided. This is just another continuing example of the poor scholarship exhibited throughout this work.

Performance Standards

Zuckerman’s section on performance standards, or more appropriately the Risk-Based Performance Standards (RBPS), actually addresses the core issue of the current ISCD problems. She acknowledges that the theory behind the RBPS is good but notes that in practice “chemical facilities have largely been left uncertain over what is expected of them in meeting the DHS’s standards” (pg 6). Unfortunately, industry is largely to blame for these problems. They insisted on risk-based performance standards instead of concrete security measures and even convinced their politicians in Congress to prohibit DHS from specifying any security measure as being necessary for SSP approval.

As I noted earlier, when DHS published the draft of the RBPS Guidance document in October 2008, the industry comments came fast and furious. While many of the comments were constructive the vast majority were complaining that this or that was too specific and wouldn’t or shouldn’t apply to their industry or company. Once again DHS gave in to the political pressure (which is never mentioned in Ms. Zuckerman’s report), and produced a very vague RBPS Guidance document.

Ms. Zuckerman blames the problem, in part, on the Chemical Facility Security Inspectors (CFSI’s; oh, she never does use their proper title; a small thing to be sure); noting that:

“Similarly, issues in training and hiring capable and experienced inspectors has resulted in confusing and conflicting feedback from ISCD inspectors in the course of pre-authorization visits and authorization inspections.”

I’ll address the CFSI specific issues in a later post, but this complaint (not unique to Zuckerman) misses the important point. In the pre-authorization and Authorization inspections, the inspectors are just the eyes and ears of the ISCD staff. It is that staff (and frequently contractors) that never sees the facility that makes the decision on whether or not an SSP is approved or not. Thus, the person the plant talks to is not the person making the decisions.

DHS has tried to clarify this on a number of occasions, but I seriously don’t think that it has really gotten through to the folks in the inspected facilities. Thus this reported confusion in the field.  Oh by the way, Ms. Zuckerman provides no source for her comments about ‘confusing and conflicting feedback from ISCD inspectors’.

Leveraging Existing Advancements

This section of the report deals with the usage of ‘Alternative Security Plans’ or ASPs. Ms. Zuckerman falls into the same language trap that most people do when they discuss ASPs. When most of the chemical industry talks about ASPs they mean security programs like the American Chemistry Council’s Responsible Care Security program. This is a set of standards along with a third party verification of compliance for security related issues. When industry talks about ‘accepting’ such a plan it appears that they mean the facility should be given credit for that plan when they have been certified by the third party and DHS should accept that as an approved SSP.

DHS, on the other hand, misnamed their SSP; it is not a site security plan. The SSP is a series of questions about the security setup at a particular facility to determine if that security program meets the requirements of the Risk-Based Performance Standards. DHS doesn’t care if the security measures are part of another certified site security plan; great, just so long as your answers to the questions show the facility meets the RBPS.

The problem is that ISCD does not have the time nor the manpower to read the documents associated with a real security plan; a 100+ page document with annexes describing emergency response, personnel surety, key control, etc. Adding a variety of formats from different security programs will only add to that problem.

Ms. Zuckerman manifests her misunderstanding of the problem by stating that:

“This lack of motivation on the part of the DHS to seriously consider ASPs inhibits the ability of companies to continue to employ security measures in which they have already invested time and effort, thereby discouraging the innovation and creative thinking that have been critical to the security of the private sector in the past. As such, it limits the field of security options to those rigidly established by the federal government.” (pg 6)

Nothing that DHS is doing is limiting the ability of facilities to continue to use existing security measures, either to completely or partially fulfill their compliance with the 18 risk-based performance standards set forth in the CFATS regulations. And DHS is specifically prohibited from establishing rigid security options.

What industry really wants is for the currently established voluntary security programs to be accepted without review by DHS. In essence what they want is to have these third-party certification agencies to perform the inherently governmental function of examining and approving the security plan for CFATS covered facilities. Unfortunately, DHS has been given the responsibility for performing this function and does not have authority to transfer that responsibility to a private sector entity (okay, we’ll ignore for the moment that they are using contractors for the information processing necessary to make that decision; oh, that isn’t in the Heritage Foundation report).

In the closing paragraph in this section of the report Ms. Zuckerman brings up an interesting point that I must admit I haven’t seen mentioned in reference to the CFATS program. She mentions that “the department should encourage companies to apply for certification under the Support Anti-terrorism by Fostering Effective Technologies (SAFETY) Act of 2002”. Actually I have heard of the SAFETY Act program and I seem to recall that it is run by DHS S&T, not NPPD.

Still if NPPD could identify areas where new technology would benefit facilities covered under the CFATS program, it would certainly be helpful if a SAFETY Act program could be put together to fulfill that need. Okay, I’ll remake a suggestion here; chemical facility response forces need a weapon that can be used to stop violent attackers without posing a safety hazard when used within the high-risk environment of a chemical facility. Sorry that’s a pet peeve of mine and doesn’t really have anything to do with the review of this report. It won’t happen again.

Other Critical Concerns

This section deals with the issues raised in the so called Anderson memo that was made public last December. Ms. Zuckerman has had no more access to that memo than have any of the rest of us that have commented on the problems at ISCD. So I’ll give her a pass on all of the errors in this section as they are the same ones that just about everyone has made. She has no background working with this program so she can only repeat the same unfounded charges. See my blog post from last December on my reporting on the ISCD issues.

FBI ICS Threat Indicators Fact Sheet

Bridget O’Grady over at the Association of State Drinking Water Administrators has published a link on the ASDWA’s Security Notes web site to a new FBI/DHS handout on Potential Indicators of Cyber Threats to Industrial Control Systems. It’s nice to see the FBI and DHS cooperating on ICS security issues, but I hope this handout is not an indicator of the quality of their collaborative work.

To be sure, for a one page handout this does a fairly good job of presenting interesting information about the threat to ICS security. The limited list of potential threat indicators does provide a start to awareness, but it is hardly comprehensive. It also assumes a level of security awareness (e.g., no explanation of what a ‘targeted phishing email’ is) that may not be appropriate.

They probably could have done without the “How Do They Work” section as it doesn’t provide much in the way of information about threat indicators. The space could have been put to better use describing some recent attacks.

The biggest problem with this hand-out is that it is obviously a draft that should never have seen publication. The contact information for the FBI’s Cyber Task Force is completely missing.

If anyone has seen a more properly vetted version of this sheet, please let me know. It’s not much but it could be of some limited use in communicating information to people in the control system community.

CSAT Security Settings to Change

There is an interesting article over on about a pending change in the NIST standards for federal web site security protocols. The current standard is the use of Transport Layer Security (TLS 1.0). NIST is expected to change that to TLS 1.1 and/or 1.2. Now most Federal web sites do not require security settings as they are one-way information providers. Sites providing secure communications (like the CSAT tool) will be affected by this change.

We can be fairly sure that the folks at ISCD will make an announcement when this change is applied to their CSAT sites. In the meantime it makes sense to verify that the computers that you use to communicate with CSAT are all capable of using TLS 1.1 or 1.2. Check the “Security Settings” under the “Advanced” tab on the Internet Options on Internet Explorer (I’m sorry I don’t know the technique for other browsers; I continue my love-hate relationship with MS).

More when this actually comes to pass.
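For anyone who has more than a couple of machines to check, the Internet Explorer check described above can be audited from the registry instead of by clicking through each browser. The following is an added example, not part of the original post: it decodes the `SecureProtocols` value that Internet Explorer stores per user, as printed by `reg query`; the host names and captured output are constructed for illustration.

```python
import re

# Bit flags of the SecureProtocols DWORD stored under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the value
# behind the protocol checkboxes on Internet Options > Advanced.
PROTOCOL_BITS = {
    0x0008: "SSL 2.0",
    0x0020: "SSL 3.0",
    0x0080: "TLS 1.0",
    0x0200: "TLS 1.1",
    0x0800: "TLS 1.2",
}
NEEDED = {"TLS 1.1", "TLS 1.2"}   # either one satisfies the pending change
LEGACY = {"SSL 2.0", "SSL 3.0"}   # worth switching off while you are in there

REG_VALUE = re.compile(
    r"^\s*SecureProtocols\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.MULTILINE
)


def decode_secure_protocols(value):
    """Return the protocol names enabled in a SecureProtocols bitmask."""
    return [name for bit, name in sorted(PROTOCOL_BITS.items()) if value & bit]


def parse_reg_query(text):
    """Extract the DWORD from `reg query ... /v SecureProtocols` output."""
    match = REG_VALUE.search(text)
    return int(match.group(1), 16) if match else None


def audit_host(host, reg_output):
    """Classify one machine as ready / not ready / unknown."""
    value = parse_reg_query(reg_output)
    if value is None:
        # Value never written: the browser is running on its built-in defaults,
        # which this script cannot see, so the machine needs a manual look.
        return {"host": host, "status": "unknown", "enabled": [],
                "notes": ["SecureProtocols not set; check the browser by hand"]}
    enabled = decode_secure_protocols(value)
    notes = []
    ready = bool(NEEDED & set(enabled))
    if not ready:
        notes.append("neither TLS 1.1 nor TLS 1.2 is enabled")
    legacy = sorted(LEGACY & set(enabled))
    if legacy:
        notes.append("legacy protocols still enabled: " + ", ".join(legacy))
    return {"host": host, "status": "ready" if ready else "not ready",
            "enabled": enabled, "notes": notes}


# Constructed sample: what
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v SecureProtocols
# might print on three hypothetical workstations.
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE = {
    "csat-ws-01": f"\n{KEY}\n    SecureProtocols    REG_DWORD    0xa80\n\n",
    "csat-ws-02": f"\n{KEY}\n    SecureProtocols    REG_DWORD    0xa0\n\n",
    "csat-ws-03": "ERROR: The system was unable to find the specified "
                  "registry key or value.\n",
}


def run_audit(samples=SAMPLE):
    """Audit every captured host and return the results sorted by host name."""
    return [audit_host(host, out) for host, out in sorted(samples.items())]


if __name__ == "__main__":
    for result in run_audit():
        enabled = ", ".join(result["enabled"]) or "-"
        notes = "; ".join(result["notes"]) or "ok"
        print(f'{result["host"]:<12} {result["status"]:<10} {enabled:<28} {notes}')
```

The setting is per user, so run the `reg query` under the account that actually logs in to CSAT.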

Sunday, August 19, 2012

A Closer Look at the Heritage Foundation Report – CFATS Description

As I promised earlier this week I am taking a closer look at the report issued earlier this week by the Heritage Foundation on the CFATS program. Jessica Zuckerman presents an overview of the CFATS program that presents a newspaper style review of the program problems and concludes that the program is too complex and overly burdensome. Unfortunately she is weak on the program details, glosses over some real problems, and provides little in the way of details that would actually contribute to the discussion much less justify her conclusions that the CFATS program should be eliminated.

This is the first in what is going to end up being a multi-part look at the Heritage Foundation Report and the real problems with the CFATS program.

CFATS Background

Ms. Zuckerman presents a brief history of the events leading up to the adoption of the authorization of the CFATS program by §550 of the Department of Homeland Security Appropriations Act of 2007. She starts as do most commentators with the Bhopal disaster, but only lists the 1990 Clean Air Act Amendment containing the General Duty Clause as a legislative response to that incident, ignoring the legislation dealing with community right-to-know, emergency planning and process safety management. A number of the current problems in the CFATS program can be traced back to these pieces of legislation and the government’s inability, for both technical and political reasons, to provide for proactive inspection forces to oversee the implementation of those rules.

The Report goes on to look at the political conflict that prevented the establishment of a comprehensive chemical security program. Unfortunately, Ms. Zuckerman only mentions (without ever providing the name or bill number; S 1602, the Chemical Security Act of 2001) the original legislation proposed by Sen. Corzine (D,NJ), but never mentions the alternative proposals that did not contain inherently safer technology proposals (such as Sen. Inhofe’s (R,OK) S 993, the Chemical Facilities Security Act of 2003).

Thus she provides only a one-sided view of the debate that held up passage of any chemical security legislation until §550 provided for an interim final rule (IFR) that resulted in the CFATS program. This provision for an IFR clearly indicated that Congress was cobbling together a short-term measure that would be replaced at some later date by more comprehensive legislation. Many of the problems of the current program can be traced back to this ‘interim’ nature of the legislation.

She also ignores the political implications of establishing a chemical security program through a short paragraph in an appropriations bill. This has provided for a singular lack of Congressional oversight of the program because there is no clear delineation of which House committee would be responsible for that oversight.

‘Overly Burdensome’

The Zuckerman report provides an adequate overview of the CFATS program under a section entitled ‘Overly Burdensome and Confusing Standards’. This conclusive (and misleading) section title is a perfect example of the low standards of scholarly work exhibited throughout this report. She starts in the opening paragraph by describing the current ‘chemical terrorism threat’ by claiming that:

“Indeed, of the 51 publicly known Islamist-inspired thwarted terrorist plots against the United States since 9/11, at least three have involved chemical facilities or the diversion of potentially dangerous chemicals.” (pgs 2-3)

She cites no source for these numbers nor does she even provide a footnote with a brief description of the three chemical related attacks. Now I have been following chemical security issues for some time now and I don’t recall any publicly acknowledged thwarted attacks on any chemical facilities. The closest that I can remember is the plot on the New York airport fuel lines, hardly a chemical facility under any of the currently accepted definitions.

Then before she can even begin to describe the current program she concludes that:

“While a degree of government oversight over chemical security is needed, current standards are exceedingly burdensome and complicated, and overprescribe federal solutions with which the private sector must comply, threatening innovation and economic expansion.” (pg 3)

Zuckerman does provide a reasonably concise explanation of the four stages of the CFATS process. Her description continues to pre-judge the process, however, starting by stating that:

“Currently, CFATS requires that each facility undergo a complicated and often confusing four-step process, any aspect of which the facility can be required to repeat, should its chemical supplies change….” (pg 3)

This statement clearly exhibits her misunderstanding of both the CFATS process and the nature of the chemical industry and the potential threats that it faces. She clearly misunderstands that chemical facilities are not what are really at risk of terrorist attack (or at least not more so than any other critical infrastructure facility); but that terrorists would attack chemicals produced, used or stored at those facilities to achieve an even larger chemical munitions effect on the surrounding community.

Tier Ranking Confusion

She is a little loose in her description of the Tier ranking process, but it isn’t clear if this is because of a fundamental misunderstanding of the process or poor writing skills. In describing the Top-Screen process she states that:

“These facilities then received an initial risk ranking, with Tier 1 indicating the highest level of risk and Tier 4 the lowest.” (pg 3)

DHS clearly refers to this as a ‘preliminary’ Tier ranking in their discussion of the Top Screen results. The difference between ‘preliminary’ and ‘initial’ may seem to be nit-picking on my part, but she later exemplifies her apparent confusion when she states in her description of the SVA process that:

“From the submitted SVA information, the DHS ultimately determined that 4,569 of the more than 7,000 initial facilities should in fact be designated high-risk, and gave them a preliminary-tier or final-tier ranking.”

A misunderstanding of such a simple yet important part of the CFATS process exemplifies a low level of process knowledge that brings the remainder of her critique into question.

SSP Preauthorization Visit

In her description of the SSP ‘Authorization and Compliance’ step of the CFATS program, Ms. Zuckerman glosses over the first indication of the current problems with the CFATS program. She describes the SSP approval process this way:

“In order for an SSP to be approved and a facility to be considered fully CFATS-compliant, the ISCD must conduct a pre-authorization visit and an authorization inspection.”

There is nothing in the CFATS regulations or SSP documentation provided by ISCD that describes the use of or requirement for a ‘pre-authorization visit’. This was a compliance tool that DHS added when it became clear that the information being submitted in the SSP process by facilities was inadequate for judging the compliance of SSP with the Risk-Based Performance Standards. The addition of this ‘visit’ as part of the compliance process was the first real indicator that we had about the current problems with the CFATS process.

Misses the Program Strengths

While Ms. Zuckerman’s description of the CFATS process is adequate, as part of a serious look at the efficacy of the regulatory regime it falls well short of being comprehensive. There is no description of the development of the Chemical Security Assessment Tool, the series of on-line tools that allow for the electronic submission of information to DHS. The success of the tools for the Registration, Top Screen and Security Vulnerability Assessment is often overlooked in critical reviews of the CFATS program.

The use of the Registration and Top Screen tools made it relatively easy for facilities that met the initial operational definition of a potentially at-risk chemical facility (possession of a significant quantity of potentially hazardous chemicals) to submit the required information to allow DHS to remove the vast bulk of those facilities from further consideration under the CFATS program.

Furthermore, the internal computer-based modeling made the complex decision-making process based upon the Top Screen information much more efficient. The process of whittling down the initial 38,000 facilities to little more than 7,000 potentially at risk facilities was accomplished in remarkably short order, a process that couldn’t have been done in nearly the same amount of time, or by the same small staff, by the old-fashioned paper-based information submissions.

The Top Screen tool and the ISCD modeling work do not get near the credit that they deserve in the CFATS process. The SVA submission tool provided another innovative information submission and analysis capability that Ms. Zuckerman can only find fault with because it might take as much as 250 hours to complete. She also notes that that is a DHS pre-implementation estimate and forgets to mention that there has been no effort to document the actual amount of time that it took facilities to complete their submissions.

Furthermore, it is clear to anyone that has looked at the CFATS process in any detail that the success of the Top Screen and Security Vulnerability Assessment tool inevitably led the leadership at ISCD to try to extend that methodology to a process that was so much more complex that the same type of tools could not provide the level of information necessary to adequately judge the level of compliance with the established RBPS.

Again, Ms. Zuckerman’s misunderstanding of the strengths and weaknesses of this program weakens the importance of the conclusions that she draws; conclusions that I will address in subsequent blog posts.