Updated GAO Report on CFATS Program

Yesterday the GAO made available their report on DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened. As with the earlier DHS IG report, ISCD Director Wulf forwarded a copy of the report to CFATS stakeholders (presumably including covered facilities) with a note saying: “The report includes three recommendations, with which the Department concurs.”

The Report

This latest report is essentially an update on the interim report presented last month at the March 14^th hearing before the Environment and Economy Subcommittee of the House Energy and Commerce Committee. The areas addressed in that earlier report informed much of the discussion that took place in that hearing. Three general areas of concern were reviewed in this report:

• An incomplete risk assessment process is used to assign facility Tier rankings;

• The SSP assessment process is time consuming; and

• ISCD communications with industry lacks an adequate feedback mechanism.

Risk Assessment

The report discusses the general approach that ISCD uses to assign a facility a CFATS risk score which is then used to assign a facility to one of four possible risk Tiers. It notes that the risk assessment process is slightly different based upon the type of chemical risk at the facility; release, theft/diversion or sabotage. It also briefly describes the two problems with the models used in that assessment that were discovered and addressed by ISCD in the last two years.

The GAO continues to take ISCD to task for not utilizing the three factor approach to risk assessment; consequence, threat and vulnerability. ISCD’s current methodology currently only utilizes consequence in its risk assessment model and then only human casualties not economic. Even when analyzing human casualty consequences from an attack the report notes that the data used for that assessment is based upon 5-year old Metropolitan Statistical Area information not the annually updated Urban Areas Security Initiative data.

As a side note, one would assume that if ISCD did use the annually updated data there would be the possibility that some facility tier rankings could change as the population density around them changed. This could result in a requirement for periodic changes in facility security plans to reflect changes in risk. While a theoretical argument could certainly be made that this would provide for more effective security, it would certainly lead to an burden increase on affected facilities and ISCD.

The report notes that ISCD has some programs in place to begin to address this issue, but reports that there does not appear to be a comprehensive plan in place to move these efforts forward. Two of the three recommendations included in the report address these issues:

• Develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD’s risk assessment approach consistent with the NIPP and the CFATS rule, and

• Conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach, that fully validates and verifies ISCD’s risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.

SSP Evaluations

The second area addressed in this reports looks at the problems that ISCD has had with its site security plan authorization and approval process. It includes a fairly detailed description of the original review process and the two subsequent revisions to that process that have brought us to where we are today, approving 30 to 40 plans per month.

The report doesn’t really address the process, however. It is more concerned with being able to measure the improvement in the effectiveness of the process since the changes have been made. It does make the point that there are no records of efficacy (or lack thereof) from before the changes were made, so there can be no real evaluation of whether the new process is ‘better’.

Having spent most of my chemical life working as a process chemist, I know the value of being able to evaluate the effects of the changes made. But, when you go from 0 authorizations in two years to 50 in six months to 230 in three months, I think we can all agree that an improvement has been made.

ISCD is beginning to establish project metrics so that they will be able to better document the effects of future changes. The GAO was obviously satisfied; they made no recommendations in this area.

Community Outreach

The final area that this GAO report looks at is the efficiency of the Department’s communications with the regulated community and other entities (local communities, first responders, emergency planners, etc) affected by the CFATS program. The GAO notes that the number of the Department’s outreach contacts appears to have been increasing over the life of the program, but reported that ISCD was doing nothing in the way of evaluating how effective those efforts were.

The GAO conducted a very limited study of how the regulated community viewed those communications efforts. The study wouldn’t have passed muster in any of the statistics classes or the commercial polling class that I have taken, but it certainly seems to indicate that there is room for improvement in how ISCD communicates with the regulated community. And we certainly don’t want to get into their communications over the years with Congress.

With that in mind the report recommends that ISCD should “explore opportunities and take action to systematically solicit and document feedback on facility outreach consistent with ISCD efforts to develop a strategic communication plan” (pg 40).

Moving Forward

As I noted earlier, ISCD and NPPD have generally agreed with the report and its recommendations. Director Wulf has made the appropriate acknowledgement and acceptance of the recommendations. Now we can only sit and wait to see how well he will be able to make the systemic changes needed to comply. An remember that his organization must do this while authorizing and inspecting facilities at an increased pace, put a personnel surety program into place, and stand up an ammonium nitrate security program That is a lot of stuff to get done, but the backlog is of their own making in most instance. Still, the best of luck to David and his folks.