The GPO does not have the CFATS bill, HR 4007, available
yet, but we can see the final
draft language of the bill on the Homeland Security Committee web site. It
is certainly not a comprehensive chemical facility security bill, but it does
attempt to address some of the issues facing the CFATS program.
Two Year CFATS
Authorization
First off it would take the bill out of the DHS spending
bill authorization process. The CFATS program was initially authorized in §550
of the Homeland Security Appropriations Act of 2007 (PL
109-295). That initial authorization expired on October 4th,
2010 and has been extended by a clause in each DHS spending bill (including all
of the continuing resolutions) ever since.
The crafters of this bill were responding to industry
complaints about the one year re-authorization process adding too much
uncertainty to the life of the program when long term capital expenditures were
being made for security processes and procedures in response to the program. If
the program ever failed to get extended in the spending process, the feeling
has been expressed, many facilities would be ‘stuck with unnecessary’ security
infrastructure. Interestingly, there has been no wide spread industry
complaints about unnecessary security requirements, so it would seem that there
is actually very little ‘unnecessary security infrastructure’ being installed.
What is actually driving the industry uneasiness about the
yearly authorization process is that if the CFATS program is ever really
cancelled, it will only be removed to put some other chemical facility security
program in place. The general fear in the industry is that the replacement
program would be likely to be more intrusive and expensive. One only has to
look at the industry’s reaction to HR
2868 which passed in a Democrat controlled House in 2009.
While this current bill would remove the CFATS program from
the §550 process and extends the program to a two year reauthorization, the
crafters of this bill still kept the program in political limbo by not choosing
to make the provisions of this bill amendments to the Homeland Security Act of
2002. This was done with the best of intentions (as was the initial 3 year
authorization in §550) partially as a chance for ISCD to show that it has
recovered from some of the administrative issues in the middle years of the
program and also to give Congress a chance to work out a permanent chemical
facility program, the comprehensive program of legislative legend.
Changes to CFATS
Most of the §550 language has made it back into this bill.
And the bill specifically requires the current regulations (49 CFR Part 29) to
remain intact except where this bill requires changes to those regulations {§9(a)}.
And facilities that have approved site security plans as of the date of
enactment will not have to resubmit those plans for approval just because the
bill was enacted {§2(c)(3)}.
There have been some significant changes made to the
authorization language to address some of the short comings and issues that
have arisen with the current program. Those changes address:
• The expansion of the inspection
force to include contractors;
• The use of other Department
security vetting programs;
• The coordination of facility coverage
with other agencies;
• The implementation of the risk
assessment process; and
• Reports to Congress
Inspections Not an Inherently
Governmental Function
Section 2(d)(1) specifically authorizes the Secretary to
designate inspectors that are not DHS employees. The language says that the
audit and inspection processes “may be carried out by a non-Department or
nongovernmental entity, as approved by the Secretary”. This is clearly being
done to aid the Department in accelerating the site security authorization –
approval – compliance process with a limited number (about 120 currently)
chemical security inspectors.
Contract inspectors lower the personnel cost to the
Department and once the heavy load associated with the initial authorization –
approval process is complete, it is much easier to reduce the number of
contract personnel associated with the program.
The problem, of course, with this is that inspections are an
inherently governmental function, particularly when the results of those
inspections form the basis for civil actions and possibly facility cease and
desist orders. ISCD could take care of this by ensuring that their regulations
call for the use of contract inspectors only during authorization visits which
are less about inspecting and more about looking and talking. This is the area where
ISCD currently needs the most manpower help and the area where that need will
quickly disappear in a couple of years,
Personnel Surety
We haven’t yet seen any industry replies to the latest
version of the ISCD Personnel Surety Program, but there will certainly be some
of the same complaints heard against the earlier versions since little has been
changed. One of those unchanged areas that has met with industry resistance is
the requirement for facilities to provide personally identifiable information
(PII) on employees that hold a current DHS security credential.
Section 2(d)(3) specifically authorizes any facility, as
part of their personnel surety program, to “utilize any Federal screening
program that periodically vets individuals against the terrorist screening
database [TSDB], or any successor”.
A very poorly worded §2(d)(4) tries to make it clear that if
an individual holds one of the other security credentials listed in subsection
(3) the facility does not have to submit PII to ISCD for purposes of vetting
that person. Actually, a less convoluted reading of the exact language seems to
say that after a person has been vetted against the TSDB and granted access (the
vetting after all precedes the granting of access) ISCD cannot require the
facility to provide any additional information about employees unless they have
“been identified as presenting a terrorism security risk” {§2(d)(4)(B)}.
I have been assured that the intent of the language was to
stop facilities from having to submit information about employees that already
possess an DHS security credential that includes periodic TSDB vetting. The
problem with this requirement is that it does not adequately address the
appearance on the TSDB of someone that already has a credential. Without being
able to require facilities to submit information on people with alternative
security credentials there is no way for ISCD to check that those credentials
are current and the most recent TSDB vetting was negative. And for already
cleared employees/visitors there is no way to tie a new appearance on the TSDB
back to a chemical facility at which access has already been granted.
Facility Coverage
Congress was very upset when it became clear that the folks
at ISCD were completely unaware that the West Fertilizer facility had a
sufficient amount of fertilizer grade ammonium nitrate on hand to require the
submission of a Top Screen. The fact that even if ISCD had known about the
facility, its inspectors have no authority or training to address the safety
issues that caused the explosion last summer. This means that it would have
been extremely unlikely to have had any preventative effect, but Congress, and
to a lesser extent the White House, was outraged none the less.
Section2(e)(1) was added to this bill as an attempt to
address the issue of information sharing between government agencies (at the
federal, State, and local levels) to ensure that all potentially covered facilities
are identified. It requires the Secretary to “consult with the heads of other
Federal agencies, States and political subdivisions thereof, and relevant
business associations to identify all chemical facilities of interest”.
As part of the President’s Improving Chemical Safety and
Security Executive Order (EO 13650) the National Protection and Programs
Directorate (NPPD), the group to which ISCD reports within DHS, is working with
the EPA and OSHA to try to develop mechanisms to accomplish this particular
requirement.
Risk Assessment
The DHS Inspector General’s office has identified
shortcomings in the process by which ISCD determines the relative risk of
terrorist attack at a chemical facility. This risk assessment is used to
determine which facilities that submit Top Screens are given the preliminary
designation as a high-risk and required to proceed within the CFATS program.
After the security vulnerability assessments are submitted, ISCD uses a similar
process to assign facilities to the risk tiers that determine how effective
their security controls must be.
ISCD has been using an essentially single factor risk
assessment process, looking mainly at the consequences of an attack on a
facility and using that to determine the relative risk of terrorist attack; the
higher the off-site consequences in lives or dollars the higher level of risk.
ISCD correctly maintains that this is the simplest measure of risk particularly
since there appears not to have been specific credible threats of attacks on
chemical facilities within the United States. ISCD has also maintained that
vulnerability can only be properly determined after a facility has established
a site security plan and had that plan evaluated.
In §2(e)(2) this bill would require the Secretary to “develop
a risk assessment approach and corresponding tiering methodology that
incorporates all relevant elements of risk, including threat, vulnerability and
consequence” {§2(e)(2)}. Specifically the risk assessment criteria must address
{§2(e)(2)(B)}:
• The threat to the facility based
upon available intelligence techniques;
• The potential economic
consequences and the potential loss of human life in the event of the facility
being successfully attacked by terrorists; and
• The vulnerability of the facility
to attack.
Reports to Congress
The ‘oversight’ responsibility for the CFATS program was
shared between three committees in Congress; Homeland Security, Energy and
Commerce, and Appropriations. Until early 2012 all three Committees were
apparently satisfied with the progress being made by the Department in the
implementation of the CFATS program. ‘Oversight’ hearings up until that time
were more focused on how to move forward with various plans for a comprehensive
chemical facility security program.
It wasn’t until Fox News did a story in
December 2011 on a leaked internal ISCD memo that the congressional
oversight finally started to take a hard look at the management of the CFATS
program and the total lack of progress made to date in implementing the site
security plan portion of the program. Since that time they have focused closely
on the numbers of facilities with approved or authorized site security plans
(and clearly ignoring their part in the inherent problems with that program).
This bill clearly intends to expand the congressional
oversight of the CFATS program implementation. Section 6 of the bill (titled
simply ‘REPORTS’) addresses a number of reporting mechanisms that will be used
by Congress (odd that there is no mention of which committees are to receive
these reports; that is usually clearly delineated in these cases) to keep track
of progress being made in implementing this program.
There will be reports by GAO, and the Secretary. The GAO
report will be a generic semiannual report on implementation of the CFATS
program. Eighteen months after passage of this bill the Secretary would be
required to:
• Certify that significant progress
has been made on identifying all potentially covered facilities;
• Certify that the DHS has
developed an appropriate risk assessment protocol and implemented it in the
tiering process;
• Provide an assessment of the
implementation of recommendations made by the Homeland Security Studies and
Analysis Institute
Program Termination
Section 7 closes out the bill by closing out the CFATS
program. This section simply states:
The authority under this Act shall
terminate on the date that is two-years after the date of the enactment of this
Act.
Now I am fairly certain the crafters did not intend for the
CFATS program to actually terminate in two years unless it failed to accomplish
the mission of getting approved – authorized and inspected site security plans
into place at high-risk chemical facilities. But, that is not what Section 7
says. What it says is that facilities without an approved SSP should game the
system to delay the process as long as possible so that it can avoid the costs
associated with implementing an approved SSP.
This could be corrected easily enough by prefacing the
current sentence with “Unless otherwise extended by Congress…” That makes it
clearer that Congress has the option, and intends to exercise the option, to
extend the program as long as certain political goals are accomplished.
The big problem here is that the time frames in §6 and §7 do
not match, politically. The Secretary is given 18 months to report to congress
on the key measures of performance that the bill establishes for further
program extension, but §7 kills the program just six months later unless
Congress acts. There is very little that anyone expects Congress to act upon
within just six months. Relatively minor programs like CFATS, especially when
they are politically sensitive, cannot be handled within that time frame. It
will take at least a year (more likely 2) from the time that DHS submits their
reports to the time that a new reauthorization bill is passed.
Typically what happens with small programs like this is that
get periodic authorization extensions as parts of larger pieces of legislation.
If there were a history of passing DHS authorization bills (and the only
history here is not passing or even considering such bills) then this would get
a short mention in one of the ‘other’ program sections of the bill. Here is it
would be more likely to continue getting the annual authorization approvals in
the DHS spending bill.
Again, no one wants to see this bill fail. No one in
Congress is going to let this program be cancelled unless another one is put in
its place. No one wants to be responsible for there being ‘no security’ at a
high-risk chemical facility when it is attacked by terrorists. That would be a
certain career ender. A bad program (especially one as cheap as CFATS) is
always going to be better politically than no program.
Missing Authorization
What is clearly missing from this bill is the typical
language you see at the end of any program authorization, the spending plan. You
would expect to see either wishy-washy spending-neutral language such as “the
Secretary is authorized to expend such funds as are necessary to implement this
program” or specific annual spending limits for the program. I really would have
expected to see this language in §7 preceding the program termination language
discussed above.
Moving Forward
Chemical facility security is much like cybersecurity
politically speaking. The issues are technically complex and reach across a
wide spectrum of specialties. The consequences of a successful attack will be
catastrophic and could have an economy shattering impact. There are a variety
of politically sensitive side issues that make it difficult to reach a
compromise position that actually accomplishes anything.
We have seen difficulties getting any significant
legislation passed on this topic in every Congress since 2001. This year will
be no different and the sponsorship of this bill provides little hope for
passage. Of the six sponsors only one is a Democrat and while all of the others
are in the Committee leadership Rep. Green (D,TX) is not even a member of the
Homeland Security Committee and is not a ranking member on any Committee or
Subcommittee. The lack of support from the ranking members of the Homeland
Security Committee is a sure sign that the bill will not get out of committee
in the Senate.
All five Republicans are leaders in the Homeland Security
Committee, but there is no one from the leadership of the competing chemical
security committee the Energy and Commerce Committee. For this bill to get to
the floor it will have to be okayed by that Committee. It would have a much
better chance of getting to the floor if there were the name of at least one
influential member of the Energy and Commerce Committee on the co-sponsor’s
list.
Posts
No comments:
Post a Comment