Thursday, January 30, 2014

Latest CRS Report on CFATS

Earlier this month the Congressional Research Service (CRS) published their latest version of their report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This periodic report by Dana Shea summarizes the current state of the CFATS program, explains current problems facing the program. Past reports included an analysis of various potential solutions for CFATS problems that may require Congressional action, that is missing from this version.

SSP Process

Given the on-going congressional concern about the progress being made on the Site Security Plan (SSP) front Shea takes a detailed look at that portion of the program. This discussion begins very good, concise summary of the SSP regulatory process:

“Over time, the DHS has attempted to develop a consistent nomenclature for its review and inspection process. The DHS authorizes an SSP (issuing the facility a letter of authorization) when the submitted SSP is satisfactory under CFATS. The DHS conducts an authorization inspection of a facility with an authorized SSP to compare the authorized SSP to the conditions of the facility. Following a successful authorization inspection, the DHS approves the SSP (issuing the facility a letter of approval). At a later date, expected to be one year after approval of the SSP, the DHS will conduct a compliance inspection of a facility to determine whether the facility has fully implemented its approved SSP. Compliance inspections then occur on a periodic basis depending on the risk tier to which the facility is assigned.” [Footnotes removed]

What is missed in this discussion is why such a complicated SSP process is necessary. Since Congress declared in the CFATS authorization that DHS may not specify what security measures are required for SSP approval, DHS was forced to publish a rather vague Risk-Based Performance Standards (RBPS) guidance document and facilities were left to guess what security measures to put into their proposed SSP. Since security is not a profit center, the apparent actual risk of a terrorist attack is low (no attacks to present and no reports of credible threats against chemical facilities), and security measures usually complicate day-to-day operations, facilities want to establish just the minimum security measures required to assure compliance with CFATS. As a result, there is a natural tendency to under-guess what is required for compliance.

Further complicating the process is the fact that the current SSP data submission tool in the on-line Chemical Security Assessment Tool (CSAT) uses a question/response format that solicits a limited amount of specific information about the proposed SSP and relies on the addition of narrative submissions for the bulk of the details about the program. Facility security managers have every incentive to limit the amount of information that they provide since any changes to that information after the SSP is approved will have to be vetted through DHS before it can be changed. Limiting the scope of that DHS operational veto is in the best interest of the facility management.

The disjointed and frequently duplicative organization of the information in the SSP tool further aggravates the approval process by making it difficult for inspectors to preview the submitted data before they conduct their authorization inspections. Since large chemical facilities are already complicated physically and operationally, inspectors have to become familiar with the unique operational aspects of the facility and become familiar with the proposed SSP at the same time during the scope of a three day inspection.

Digesting that inspection information and preparing a coherent report on how well the facility complies with the RBPS is a time consuming process. This is complicated by the fact that every chemical facility is unique in its surroundings, operations, hazards and susceptibility to terrorist attack. Further, the Chemical Security Inspector (CSI) needs to have an operational understanding of chemical safety, physical security, operations security, and cybersecurity to adequately understand all of the implications of the proposed SSP.

Finally, the CSI workforce is limited to about 160 personnel which include regional commanders who would be expected to spend only limited amounts of time in actual inspection activities. Authorization inspections are typically conducted by 3 to 5 inspectors depending on the size and location of the facility.

Inspection Rate

Shea spends a great deal of time analyzing the rates of authorization, inspection and approval and their inter-relationships. I would assume that this was done at the request of various Committee Chair who are legitimately concerned with the progression of that process. Looking strictly at statistical data Shea has provided detailed information about the number of actions that are necessary to complete the SSP process in a variety of time frames. Table 1 below summarizes the Shea data for the average monthly rates for achieving completion of the SSP authorizations and approvals for the facilities currently the program.

1 year
2 year
5 year
10 year
Table 1: SSP Authorization and Approval Rates

As I have discussed in various posts (see the latest here) about the monthly reports the Infrastructure Security Compliance Division (ISCD) has been publishing on the SSP approval process, there are a lot of things beyond the control of DHS that have caused significant month-to-month variations in the approval rates. It is also not clear how the changes in types of facilities being inspected (alluded to in the CRS report). One would think that the process would be easier at smaller less complicated facilities, but as I recently noted the lack of administrative resources at those facilities is also going to impact the approval process.

It seems likely that DHS will be able to complete the authorization process in somewhere between two and five years, particularly since that portion of the process includes only limited CSI involvement. The projection for the approval process is less sanguine. Shea notes that ISCD has recently begun the process of compliance inspections which will cut into the number of authorization inspections that the limited CSI force can conduct. Also noted as a force time-consumer is the current regulatory requirement to begin the reauthorization/re-approval process for Site Security Plans. That should begin in very limited numbers this fall.

New Facilities

Further compounding this issue is a discrepancy between the number of covered facilities and the number of facilities with a final tier assignment. Facilities become regulated when they submit a Top Screen that DHS decides provides presumption of being at high-risk. In the initial Top Screen submissions in January of 2008 40,000+ facilities submitted Top Screens, but only about 7,000 were notified by DHS that they were preliminarily determined to be at high-risk and would have to enter the initial evaluation process of the regulated chemical companies, the Security Vulnerability Assessment (SVA).

What is not clear in Shea’s discussion is the fact that not all of those facilities submitting SVA will be confirmed as high risk and be given a tier ranking assignment. It is only at that point that the facility joins the cue of facilities in the SSP authorization/approval process. Of the original 7,000 covered facilities only about 4,000 were required to submit sight security plans, the remainder were dropped from the CFATS program because the additional data submitted demonstrated that they were not at high-risk of terrorist attack.

Shea appears to assume that all of the currently regulated facilities will be required to submit SSPs that will require future action. That is not supported by past history. Only about half of the currently regulated facilities that do not have tier assignments would be expected to have to submit SSPs.


What is disappointingly lacking in this version of the CRS report is a look at potential alternatives. With a new CFATS authorization bill currently in the works it would have been nice to see a look at possible congressional actions that could address this process.

The simplest action (and the least likely) is for Congress to increase the funding and authorized head count for CSI. Clearly the limited number of CSI has got to be a factor slow rate of approvals. Whether or not it is the only factor has yet to be seen. Shea acknowledges this, noting (pg  16):

“Increasing authorization inspection capacity might serve to highlight other potential issues within the CFATS process, such as delays in processing information from authorization inspections and issuing letters of approval.”

Congress is unlikely to significantly change the number of CSI. The CFATS program already has more full-time federal inspectors than does the EPA’s RMP program or OSHA’s PSM program which address similar (yet a far larger number) facilities. Federal employee costs are high and there appears to be a general reluctance to pay that cost for enforcement personnel.

Last summer I proposed another alternative to speed up the SSP authorization and approval process; adjust the standards by which those actions are reviewed for Tier 3 and Tier 4 facilities. Since these facilities are lower risk, it would seem reasonable that while the RBPS are lower the standards for review of the submissions should also be less stringent. While this would not technically need congressional approval it would certainly need congressional acquiescence.

Personnel Surety

There was one SSP issue that was completely ignored in the Shea report, technically there have been no site security plan approvals; they all have been conditional because facilities have not been able to fulfill all of the standards for RBPS # 12 Personnel Surety. The reason for this is that DHS has yet to establish a means for facilities to vet personnel given unaccompanied access to critical areas of the facility against a list of known or suspected terrorists. ISCD has been at work on this program with little success for over four years now.

I understand that this will be addressed by CFATS authorization legislation that will be introduced in the next couple of weeks. It remains to be seen whether or not that bill would, if passed (more than iffy in an election year), ease or compound the difficulties that DHS is having getting a plan that is acceptable to industry and accomplishes the requirements for personnel surety established in the current authorization.

In any case, some sort of reauthorization/re-approval process will have to be implemented once a CFATS personnel surety program is put into place by DHS. This should be able to be an almost completely administrative review, requiring little or no CSI involvement.

No comments:

/* Use this with templates/template-twocol.html */