I finally got a chance to sit down and watch the video of last
Thursday’s hearing about the CFATS program before the Environment and the
Economy Subcommittee of the House Energy and Commerce Committee. I didn’t have
time to stop and replay sections to get detailed and accurate quotes, so this
discussion will be more about what I heard than about accurate detailed
reporting of what was said.
I do want to say that I was generally impressed with the
conduct of the hearing. There was very little of the talking past each other
that one sees in the typical congressional hearing. The witnesses generally
attempted to answer questions directly and it seemed that the Congressmen (and
only men, that was odd) actually listened to the answers, even if they didn’t
like everything that they heard.
Progress in Inspections
Everyone was impressed with the recent improvement in the
CFATS authorization and approval rate, but no one was satisfied. Even ISCD
Director Wulf said that the 6 to 9 years that the GAO said it would take to
complete authorizations at the current rate was “unacceptable”. He did note
that he expected that the rate of inspections would continue to increase as
more facilities began using Alternative Security Programs for their SSP
submission and further improvements were made to the evaluation process.
Interestingly, there was no mention of the effects of the
change in the mix of facilities that would be seen as more Tier 3 and Tier 4
facilities were addressed. I would expect that the average size of these
facilities would be smaller and the types of risks addressed would change as
more of the facilities would have just theft/diversion chemicals of interest on
site. Smaller facility size may allow for a reduced number of Chemical Security
Inspectors (CSI) per site which may allow for an increased rate of
authorization inspections.
Cybersecurity
For the first time I heard questions being asked of Under
Secretary Beers and Director Wulf addressing the cybersecurity aspects of the
CFATS process. It seemed to catch them a little bit by surprise. Beers did
impress me by his comments about control systems (specifically including
security systems) being the primary concern about cybersecurity in CFATS facilities.
He then negated some of that when he bragged about NPPD
having some of the world’s best control system security folks in the ICS
organization (certainly a reference to ICS-CERT). Bragging about ICS-CERT may be
justified, but I haven’t seen anything indicating that they are involved in the
CFATS inspection process.
I do know that there are at least three CSI that have some
background in control systems applications, but that is hardly enough to form a
reasonable cadre of control systems inspectors to cover the large number of high-risk
facilities that have industrial control systems impacting the use of DHS
chemicals of interest (COI).
There was an interesting exchange between Beers and an
unnamed (because I didn’t catch his name) Congressman about the potential for
retaliation against someone who conducted a cyber-attack on a CFATS facility.
Beers rightly passed that response off to DOD (who, of course, had no one
present to answer), but the slightly surreal conversation did show the
increased interest in cybersecurity in Congress.
Personnel Surety Program
I was disappointed that Chairman Shimkus (R,IL) did not take
Rand Beers to task for failing to live up to his promise at the last hearing of
having the personnel surety program (PSP) ICR printed within 30 days. He did
accept at face value the new promise that the PSP ICR had been sent to the
Federal Register and would be printed next (now this) week.
There were the expected questions about the use of the TWIC
and assurances by Beers that the new PSP would accept the use of the TWIC. Of
course, the old PSP that was withdrawn ‘accepted the use’ of the TWIC, but the
implementation of that was unacceptable to most of the regulated community
because data submissions were still required for TWIC holders. It is not yet
clear that that has changed because no one specifically asked about it.
There was an interesting question asked by Ranking Member
Tonko (D,NY) about the PSP. He asked if ISCD had included any unions in their
discussion about the new PSP program. Wulf was forced to answer in the
negative. This is surprising because of the involvement of labor organizations
in the opposition to the old proposed program. For a federal agency in a
Democratic administration to not consult with unions on a program of clear
interest to them is quite unusual. I’m not sure if this is a sign of political
ineptitude on the part of ISCD or a general lack of attention to labor issues
by the Obama Administration.
Risk Model
I think that it is fair to say that the main focus of the
hearing was the risk model that DHS is using for the tiering of facilities. I
partially addressed this in my
earlier post about the GAO report presented at the meeting. Chairman
Shimkus and Congressmen on both sides of the dais were concerned that the risk
model currently being used focused almost entirely on consequences to the
exclusion of threat and vulnerability.
Beers and Wulf had a consistent response that the approach
of holding threat and vulnerability as constants in the risk equation was
reasonable in the tiering area because the remainder of the process addressed
the vulnerability issue. The threat issue was kind of glossed over until an
industry witness noted that DHS had admitted to industry that there was no
current credible, specific threat of an impending attack on any chemical
facility.
Wulf and Beers consistently fell back on the position that
the peer review process being carried out by Sandia Labs would provide a
disinterested evaluation of the model and DHS would make appropriate
adjustments based upon the report of that peer review. This sounded reasonable
until the GAO witness in the second panel questioned whether or not the peer
review included a validation and verification (V&V) review, with the clear
implication that it did not.
The Subcommittee members were clearly not happy with the
responses to their questions. The point was raised that significant changes to
the risk model used in the tiering process would probably result in changes to
the tier assignment of at least some facilities and that could require
significant changes in site security plans. As he was in the process of
dismissing Beers and Wulf, Chairman Shimkus mentioned that the Subcommittee
was likely to hold a future hearing to specifically address the risk model
questions.
TWIC Reader
One of the most surprising things that I heard at the
hearing was virtually ignored by most observers: Rand Beers announced that DHS
had sent the TWIC Reader NPRM to the Federal Register. That is surprising on
two levels. First, his organization has nothing to do with the TWIC Reader Rule;
it is a Coast Guard rule with TSA input. Both are part of DHS to be sure, but they
have nothing to do with NPPD.
The second surprise in that is that the OMB approved
that NPRM just last Tuesday, and they approved it with changes. That typically
means a delay of at least a couple of weeks while the changes are made and
reviewed within the Department. Turning the NPRM around in just a couple of
days would be remarkable.
Having said all of that, there is another explanation that
is remotely possible. ISCD could be floating their own TWIC
Reader Rule for use at CFATS facilities (clearly not included in the Coast
Guard rule). If that is the case it would be a remarkable about-face on the use
of TWICs, potentially signifying a wholesale shift to the use of that as the
personnel surety program. Such a shift would cause a huge up-tick in the number
of TWIC applications that would have to be processed by TSA.
End of CFATS
Okay, that is a little over-the-top, even for a headline.
But this is a point that needs to be mentioned. For the longest time there was
nearly unanimous support for the CFATS program; differences in how the program
should address certain issues to be sure, but general support for the program.
That has been eroding as ISCD problems with implementation of the program are
being better understood.
Last week Beers was pressed on a peculiar question: does any
European nation have a CFATS-like program? The clear implication (dutifully
ignored by Beers) was that if Europe, which has experienced many more terrorist
attacks than the United States, did not need chemical facility security
regulations, then perhaps neither does the US.
Continued problems at ISCD, combined with the lack of any
clear, specific terrorist threat against chemical facilities will inevitably
lead to an evolving lack of support for the program. I don’t think this will be
a serious issue until we start to hear complaints from industry about the
program.
To date, the chemical industry has been firmly supportive of
the CFATS framework even while they complain about specific implementation
issues. The main reason has been that industry has feared the imposition of a
more comprehensive program that could include things like inherently safer
technology (IST) mandates and civilian enforcement suits. If the drive for
those measures lessens then industry is going to start complaining about the
costs of burdensome regulation, and CFATS is costly, not only in added security
costs, but also in administrative costs.
ISCD has a short window of time to get their act together.
It appears that they are taking some steps in that direction, but they need to
be running, not baby-stepping. Beers and Wulf had better have some more
acceptable answers about the risk model the next time they come before this
Subcommittee, or they may see their program whittled away in cost saving
measures until it is no longer supportable.