Tuesday, September 26, 2017

ISCD Publishes CFATS Fact Sheet – October 2017

Today the DHS Infrastructure Security Compliance Division (ISCD) published their latest version of the Chemical Facility Anti-Terrorism Standards (CFATS) Fact Sheet. The data continues to show a net increase in the number of facilities covered under the program and a similar increase in the number of compliance inspections completed to date. The data still paints a confusing picture that would seem to indicate a high rate of CFATS non-compliance.

The Data


Table 1 shows the comparison between the data reported today and that reported last month for facilities currently covered by the CFATS program. For the first time since reporting resumed, we see a positive month-to-month change in all of the reported categories.

Current Facilities          Sept 2017   Oct 2017   Change
Covered Facilities              3,441      3,492      +51
Authorization Inspections       2,354      2,374      +20
Approved Security Plans         2,266      2,270       +4
Compliance Inspections          2,071      2,106      +35
Table 1: Current Facility Data

Table 2 shows the similar comparison of monthly data for the total numbers in each category since the inception of the CFATS program. As expected, the month-to-month change in each category is positive, but we continue to see a significant disparity between the two tables in the month-to-month differences (∆) for compliance inspections on the one hand and for authorization inspections and approved security plans on the other.

Total Facilities            Sept 2017   Oct 2017   Change
Authorization Inspections       2,946      2,975      +29
Approved Security Plans         2,756      2,766      +10
Compliance Inspections          2,644      2,807     +163
Table 2: Total Facility Data

Compliance Inspections


If I update the graph that I used last month to include the current data (Graph 1), we can see the sharp differences between the rate of change in current approved site security plans (a pre-requisite for having a compliance inspection), the total number of compliance inspections completed to date, and the current compliance inspection numbers.


Graph 2: Compliance Inspection Data

As with last month, it is hard to come up with any explanation of the data presented by ISCD other than to conclude that ISCD is finding a disturbing number of facilities non-compliant with the implementation of their site security plans. What makes this so disturbing is that facilities negotiated with ISCD on setting the content of their site security plans, so it is hard to believe that they were ‘not aware of program requirements’.

Security of Non-Compliant Facilities


The big question that this raises is how secure are these non-compliant facilities? That is a question that is next to impossible to answer from the data that ISCD is allowed to share with the public. ISCD is not about to, nor can they legally, share any data about the security of covered facilities.

Of course, I am under no restrictions about the conjectures that I raise in attempting to answer this question. So here goes an uninformed, but educated guess as to what is going on…

First, I think that basic security measures are in place to deter, detect and delay terrorists desiring to attack these facilities. Those are all fairly straightforward and would have been in place before ISCD authorized or approved the site security plans (SSP) under which these facilities operate. I suspect that the non-compliances fall into three categories:

• Planned security measure failures;
• Changes in security posture; and
• Cybersecurity.

Planned Security Measures


The first category covers the high-expense capital expenditures that facilities could not immediately implement because of budgeting constraints. ISCD gave facilities credit for these security measures when approving the SSP because specific plans and budget approvals were in place. As with any plan, things can go wrong, and plans that were not at an appropriate level of completion when the Chemical Security Inspectors (CSI) showed up for the compliance inspection will be a problem. Those would certainly make the facility non-compliant.

How badly that would affect the actual security of the facility is hard to tell without knowing the details. ISCD would have required some sort of interim compensatory controls to be in place to mitigate the vulnerabilities while the planned action is implemented. So, while there may be a hole in the security plan, it should not be gaping nor readily identifiable.

I do know that ISCD has no quota of non-compliances to issue, and I would bet that, if facilities in this situation had previously talked with ISCD about the problems they were having with their planned security measures, they would have been able (in most reasonable cases) to negotiate a new time frame for implementation. Once the inspector arrives, it is certainly too late.

Material Modifications


I suspect that the second category is probably the most common reason for non-compliance. The CFATS program requires {6 CFR 27.210(d)} facilities to submit a new Top Screen whenever a facility “makes material modifications to its operations or site”. This allows ISCD to determine if a new or revised security plan is required to mitigate any security vulnerabilities associated with those changes. Since ‘material modifications’ is not a defined term in 6 CFR 27, it would not be surprising to hear that facility or operational changes made without any apparent security purpose might be considered a ‘material modification’ in light of the undisclosed risk assessment process that ISCD uses to evaluate facilities for program coverage and risk tiering.

CFATS covered facilities need to take a hard look at any facility, chemical process, or business procedure changes with a specific eye to their potential effect on the efficacy of the site security plan. This especially applies to any procedure or device specifically mentioned in the SSP. This is one of the reasons why it is important to have a site security manager who is an integral member of the facility management team.

Cybersecurity


The final category is more of a stretch of my intuition, but with an increasing focus across DHS on cybersecurity issues, it would not be hard to guess that implementation of Risk Based Performance Standard (RBPS) 8, Cybersecurity, would be an item of specific interest on compliance inspections. Facilities with access to a well-trained cybersecurity team would probably have no problems implementing the agreed upon cybersecurity measures in the SSP. Facilities without such support would have a much more difficult time meeting the cybersecurity requirements of a reasonable cybersecurity plan.

This is the one area where I am not as confident in the overall security posture of non-compliant facilities. Again, it would depend in large part on the chemicals of interest (COI) involved and on how large a role control systems and inventory controls play in the security of those COI at the site. But there are so many ways that either informational or operational computer systems could impact security plans that I suspect this is the area with the widest variation in the actual security of dangerous chemicals across the country. That would be why ISCD would be specifically focusing on the security of these systems in any compliance inspection.

Moving Forward



We are a little more than a year away from the current expiration of the CFATS program (12-18-18). Congress is likely to start looking at this program again as they consider reauthorizing the program. If ISCD is having the high non-conformance rate that I think the current data indicates, there will certainly be questions asked on the Hill about this topic. I hope ISCD has some good answers.
