I mentioned last
week that I would have some more information on the latest CFATS update. I
had a chance to talk to some folks from ISCD headquarters yesterday. I don’t
have the details that I had hoped for (though we may see them in the July
update), but I did pick up some interesting tidbits of information about the
CFATS program.
Expedited Approval Program
Back in December 2014 when Congress updated
the Chemical Facility Anti-Terrorism Standards (CFATS) authorization they
included a mandate for the DHS Infrastructure Security Compliance Division (ISCD)
to establish an Expedited
Approval Program to help ISCD reduce the backlog of site security plan
(SSP) approvals. The idea was that the EAP would provide facilities with a
specific blueprint for a site security plan instead of having to negotiate a
site security plan with ISCD. Congress thought that this would speed up the SSP
approval process.
Well, it turns out that only one facility has used the EAP
to get their SSP approved to date. It is almost exactly a year since facilities
could start
the EAP process and only one facility decided that it was a worthwhile
program. So, did ISCD waste their time in publishing the EAP
guidance document? If you look at it from the number of facilities that
opted to formally use the program, probably. In a larger sense, probably not.
Longtime readers of this blog will know about my concerns
with the Risk
Based Performance Standards (RBPS) guidance documents that facilities have
had to rely on for standing up their SSPs since 2009. The drafters of that
document bent over backwards to ensure that they could not be accused of ‘specifying
security measures’ because ISCD was prohibited from committing
that particular sin by the old §550
program authorization language. For facility security managers that did not
have professional security training (most of them), the document was little
better than no guidance. It is little wonder that virtually no first-time SSP
submission was approved by ISCD.
With the publication of the EAP guidance, facility security
managers without security training can get a good idea what type of security
measures ISCD is looking for. Facilities still have the ability to tailor their
security measures to their own unique environment, but they have a clearer
measure of what those measures are expected to accomplish.
BTW: When ISCD rolls out their new risk assessment/tier
assignment methodology this fall it looks like they are intending to update a
number of program documents to properly reflect that methodology. One of those
documents is likely to be the RBPS guidance document.
Enforcement
With ISCD now spending 80% of their inspection time on
compliance inspection, it is almost inevitable that there will be facilities
that are not in compliance. ISCD has a long history of working with facilities
to get security properly in place, and that has continued over to compliance
inspections. Unfortunately, it seems that there have been some (no one is
currently talking about how many) facilities that ISCD may be (have begun)
taking enforcement actions against to ensure that they meet their SSP
obligations. Hopefully, they will never meet a facility that is so intransigent
that the Secretary will be forced to close the facility, but that is still the
ultimate enforcement authority available.
BTW: It looks like ISCD will be announcing at the upcoming Chemical
Sector Security Summit (CSSS #10) that they have completely cleared the
back-log of SSP approvals. Not all facilities will have approved SSPs then, but
SSP processing will be proceeding in regular order with no unreasonable delays
between SSP submission and authorization/approval inspections.
Risk Assessment Process
DHS has taken a lot of flak since the beginning of the CFATS
program about the methodology they use for determining which facilities that
submit Top Screens (more than 50,000 to date) are assessed to be at high-risk
for terrorist attack (and thus inclusion in the CFATS program) and then used to
determine the Tier Ranking for facilities in the program. DHS was not willing
to discuss the details of that assessment process and were obviously missing
some information necessary to do a “real” risk assessment.
ISCD will be rolling out this fall their updated and more rigorously
justified risk assessment process. ISCD has had their processes vetted by an
academic review process as well as a stakeholder review process. So there
should be fewer complaints (anyone that expects no complaints is using too many
good drugs) about the new process. One of the reasons for this is that ISCD is
planning on sharing more information (NOT details) about that process with the
chemical community. They realize that companies need to be able to take that
risk assessment process into account as they plan to construct new or modify existing
chemical facilities so that the security costs associated with the project can
be included in the facility planning process.
We have seen the first change associated with this new risk
analysis process when ISCD held their Top
Screen webinar last February. Since a number of questions were moved into
the new Top Screen from the Security Vulnerability Assessment, the SVA is also
going to have to be changed. I think that we will see the debut of that new SVA
tool at the CSSS. Hopefully ISCD will include that debut in the sessions that
they share on the web.
CFATS Rulemaking
ISCD is continuing to work on their notice of proposed
rulemaking for updating the CFATS regulations. That process began with their
advance notice of proposed rulemaking (ANPRM) published
in August 2014. The Spring
2016 Unified Agenda projects that the NPRM will be published in September.
No details are available on what changes are going to be proposed for the
program beyond what was discussed in the ANPRM.
Closely associated with the CFATS program (but a separate
regulatory scheme) is the congressionally mandated Ammonium Nitrate Security
program (6
USC 488 thru 488i). ISCD issued
their NPRM for the program in August of 2011, but has failed to be able to
overcome the cost-benefit questions raised about that proposed rule. Congress
has taken cognizance of the problem and DHS, Congress and the potentially
regulated industries have been working on a solution to the problem. One monkey
wrench thrown into the works has been the significant ISIS use of improvised
explosives made with other chemicals. I half-way expect to see a new
congressional mandate for precursor chemicals for improvised explosive devices;
especially if we see a significant domestic IED that does not use ammonium
nitrate.
BTW: If there is another Oklahoma City sized
ammonium-nitrate truck bomb, the problems of the cost-benefit analysis will be
instantly resolved and a regulation based upon the NPRM will probably be
quickly forthcoming.
Missing Questions
I did not get a chance to ask all of the interesting questions
that I wanted to; maybe in future conversations. But I would like to know
if/when the folks at ISCD are going to remove their current ‘temporary’
exemption for agricultural production facilities from filing Top Screens. I
still think this will be a ‘minor’ regulatory burden for almost all of the
facilities involved because ISCD would be unlikely to determine that they are
at high-risk of terrorist attack (for their chemicals anyway; food security is
an Ag Department problem). This may be addressed with the roll out of the new
Top Screen.
The other important topic that I did not get a chance to
address was the progress being made in implementing the Personnel Surety
Program. I think that it would be an interesting addition to the CFATS update
if ISCD would include the total number of personnel that have been vetted
against the terrorist screening database (TSDB). A number that we will probably
never hear (for fairly legitimate reasons) is how many folks have turned up as
a match against the TSDB during these checks. I personally expect that most of
those positives will be false positives and that will cause problems for both
ISCD, facility management and the folks improperly identified as having
terrorist ties. I really hope that the number isn’t too large.
As always I appreciate the time that folks took to talk with
me about the CFATS program. I have had my differences of opinion over the years
with exact methodologies used by ISCD in their implementation of the CFATS
program, but I have always admired how hard the folks have worked at making the
process work, especially how diligently they have tried to make the program a
cooperative attempt to increase facility security rather than an adversarial
program. Let’s hope that that can continue into the future.