Earlier this week Undersecretary Suzanne Spaulding testified
at a closed hearing before the Homeland Security Subcommittee of the House
Appropriations Committee about the cybersecurity budget for DHS. A portion of
the unclassified
written testimony dealt specifically with the Departments Chemical Facility
Anti-Terrorism Standards (CFATS) program.
Spaulding’s testimony did not specifically address
cybersecurity at high-risk chemical facilities or how the Department intended
to address the assessment of that portion of the security risk. It did,
however, address some information sharing activities that are being undertaken
by the National Protection and Programs Directorate (NPPD) of the Department as
a result of the President’s Executive Order on Increasing the Safety and
Security of Chemical Facilities (EO
13650).
Internal Information
Sharing
As part of the mandated review of the intra-Executive Branch
information sharing initiative started by that EO Spaulding noted that:
“Specifically, ISCD [Infrastructure
Security Compliance Division] will run comparisons on the EPA Risk Management
Program and the Superfund Amendments and Reauthorization Act Title III data
from all 50 individual state data sets on an annual basis to identify
facilities that are potentially non-compliant with the CFATS regulation.”
The intention of this information sharing exercise is to
identify facilities that have filed RMP and CERCLA information with the EPA
that could help identify facilities (like last year’s West Fertilizer) that had
not submitted Top Screens required under the CFATS Program.
Interestingly there is no mention of similar information
sharing exercises with the Department of Labor’s Occupational Safety and Health
Administration (OSHA) that maintains a similar listing of chemical facility
information as part of its Process Safety Management (PSM) program. I
understand that the database used by OSHA is so much different from those used
by EPA and DHS that the Department is having a great deal of difficulty
establishing the ability to compare information in the CFATS and PSM databases.
Another part of the intra-Federal information sharing process
is the coordination of inspection programs. Spaulding promised that: “ISCD will
coordinate inspections with EPA and Occupational Safety and Health
Administration and participate in cross-training activities to integrate and
improve the outreach of Federal regulatory programs”.
The Federal Government’s inspection cadres for all three
programs (CFATS, RMP, and PSM) are not large enough individually to ensure that
all chemical facilities housing hazardous chemicals are visited on a routine
basis by Federal inspectors. For the sake of efficiency sharing of inspection
information between these three programs could help identify facilities that
require more frequent and/or detailed inspections by the other programs.
External Information
Sharing
While sharing within the Federal government is important to
increase the efficiency of these three regulatory programs, it is not usually
the Federal government that is responsible for responding to catastrophic failures
of these programs. That responsibility lies with the State and local emergency
response agencies. Spaulding told the Subcommittee that:
“In addition, ISCD will coordinate
and work with each of the 50 State Emergency Response Commissions and the 3,000
(+) Local Emergency Planning Committees to ensure communities can meet their
responsibilities in regard to potential chemical emergencies.”
SSP Review
In addition to the improved information sharing process the
Under Secretary updated the Subcommittee on the progress seen in the
implementation of the CFATS program; specifically the progress in authorizing
and approving site security plans. The data provided was based on information
as of April 1st, which coincides with the last CFATS
Update (I’m expecting to see the update for the month of April published next
week). She was able to supply the Subcommittee with some additional details
that were not included in that monthly report.
She reported that all of the Tier 1, 2, and 3 facilities
have had their initial review of the facility SSPs. The table below shows the
authorization and approval numbers for Tiers 1 and 2. I would certainly suspect
that these numbers are now higher. She also provided information on the number
of compliance inspections that had been completed for facilities that have had
the Site Security Plan approved.
|
|
# in Tier
|
Authorized
|
Approved
|
Compliance
|
|
Tier 1
|
110
|
107
|
100
|
19
|
|
Tier 2
|
336
|
263
|
211
|
3
|
SSP Numbers as of April 1st
She also reported that 450 facilities have submitted
Alternative Security Plans (ASP). These plans are held to the same performance
standards (and approval processes) as the Site Security Plans but are prepared in
a more user friendly format. To my knowledge, the only ASP format that is
currently ‘approved’ (ASP format approval is not technically necessary) is the
ASP designed
by the American Chemistry Council (ACC).
Reason for this
Testimony
Now none of the above information was really about
cybersecurity. Spaulding can be forgiven, however, for drifting from the
purpose of the hearing in presenting this data to the Homeland Security
Subcommittee in this venue. The Subcommittee has been a vocal critic of the
CFATS program implementation and has on multiple occasions threatened to
withhold funds from the program. As the program is under her purview, Spaulding
can be forgiven for taking any opportunity provided to praise the progress that
is being made.
I will not be surprised, however, to see her and ISCD
Director Wulf back before this Subcommittee to address specific questions about
the CFATS program before the DHS budget is marked up.
Posts
No comments:
Post a Comment