As I mentioned yesterday, the Environment and the Economy Subcommittee of the
House Energy and Commerce Committee will be holding their semi-annual hearing on
the progress of the CFATS program. In that blog post I noted that the witness
list had not yet been posted to the Committee web site. It still isn’t, but it
is included in a Hearing Memorandum document posted to the Documents.House.Gov
web site.
Witness List
As everyone expected, Under Secretary Beers and ISCD
Director Wulf are the first panel that will face questioning. A separate second
panel will have one witness, Stephen L. Caldwell, Director, Homeland Security
and Justice, GAO. This certainly means that the GAO has updated their report on
the CFATS program.
The third is the expected industry panel, with three
witnesses:
• Bill Allmond, SOCMA;
• Timothy J. Scott, The Dow Chemical Company; and
• Charlie Drevna, American Fuel & Petrochemical Manufacturers.
It is kind of unusual that there isn’t anyone from labor or
an environmental activist group to provide a counter view-point on the CFATS
program. We can safely assume that no one is going to bring up inherently safer
technology on this panel.
Important Issues
The Committee Staff has provided a list of issues that
presumably Chairman Shimkus is interested in having addressed at this hearing.
Those issues include:
• Is progress being made in securing high-risk facilities against terrorism?
• What are the current steps in the CFATS process of ensuring that regulated
facilities meet the risk-based performance standards? How many facilities have
attained each such step?
• How does the DHS practice of assessing risk of terrorist incident for
individual facilities compare to what is called for in the National
Infrastructure Protection Plan?
• How does the recent experience of the regulated community with the CFATS
program compare with its experience at the time of the Subcommittee’s last
hearing on September 11, 2012? Are there improvements and, if so, what are they?
• What is the status of the personnel surety component of the risk-based
performance standards?
• What is the quality of communication between DHS and the regulated community?
Is feedback systematic or based more on occasional, informal contacts?
This is a pretty comprehensive list of issues to be
addressed in a Congressional Hearing. Even if these are the only topics
addressed, and the witnesses and other Subcommittee members will all have their
own variations on the agenda, it may be a lengthy hearing.
Cybersecurity
There is one important topic missing from the Issues List:
cybersecurity. As I noted in Sunday’s blog post, the CFATS program is certainly
one of the programs that President Obama had in mind when he included §10(a) in
Executive Order 13636, Improving Critical Infrastructure Cybersecurity. That
section reads:
“Agencies with responsibility for
regulating the security of critical infrastructure [certainly includes ISCD] shall
engage in a consultative process with DHS, OMB, and the National Security Staff
to review the preliminary Cybersecurity Framework and determine if current
cybersecurity regulatory requirements [rather weak in the current Risk-Based
Performance Standards guidance document] are sufficient given current and
projected risks. In making such determination, these agencies shall consider
the identification of critical infrastructure required under section 9 of this
order. Within 90 days of the publication of the preliminary Framework [chemical
industry is in luck here, ISCD can’t get anything done in 90 days], these
agencies shall submit a report to the President, through the Assistant to the
President for Homeland Security and Counterterrorism, the Director of OMB, and
the Assistant to the President for Economic Affairs, that states whether or not
the agency has clear authority to establish requirements based upon the Cybersecurity
Framework to sufficiently address current and projected cyber risks to critical
infrastructure, the existing authorities identified, and any additional
authority required.”
I have been hearing rumors that officials in NPPD, as part
of their refocusing the Directorate’s priorities to cybersecurity, are trying
to upgrade the effectiveness of the cybersecurity portion of the CFATS program.
This would probably require a re-write of the RBPS #8 portion of the guidance
document, but that would be justified to bring it up to the ‘standards’ of the
Framework.
The Memorandum of Understanding (MOU) between NIST and NPPD
does not specifically mention ISCD or CFATS, but ISCD is undoubtedly one of the
organizations that will be providing input to NIST on current cybersecurity
programs, particularly since it is the only regulatory agency in NPPD that
currently looks at cybersecurity.
Having said all of this, I am more than a little
disappointed that the cybersecurity issue missed the short list for issues to
be addressed at this hearing. It will be interesting to see if Beers or Wulf
voluntarily mention it in their opening statements.