ISCD Publishes CFATS Update – Sept 2017

Yesterday the DHS Infrastructure Security Compliance Division (ISCD) published their September update of the data for the implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The data shows that the implementation of the new data collection tool (CSAT 2.0) and risk assessment process continues to increase the number of facilities covered under the CFATS program while the Chemical Security Inspectors (CSI) continue the ongoing compliance inspections of facilities under the program.

The Current Report

Table 1 shows the data reported for the facilities currently covered under the CFATS program. It shows a net increase in the number of facilities covered under the program. The numbers for the remaining activities reported would seem to be disappointing except for the fact that we have seen a continuing removal of facilities from the program. Part of this removal is due to the change in the risk assessment process that accompanied the implementation of CFATS 2.0 and the remainder is due to proactive actions taken by chemical facilities to reduce the risk associated with their chemical inventories.

Current Facilities	August 2017	Sept 2017	∆
Covered Facilities	3,381	3,441	+60
Authorization Inspections	2,346	2,354	+8
Approved Security Plans	2,271	2,266	-5
Compliance Inspections	2,070	2,071	+1

Table 1: Current Facility Status

To provide a better look at the actual activities undertaken by ISCD in August you need to look at Table 2. This provides data on activities conducted since the program began in 2007. Looking at differences between last month’s data we can see that there has been significant work done on ensuring that facilities with approved site security plans are actually complying with the provisions of those plans.

Total Facilities	August 2017	Sept 2017	∆
Authorization Inspections	2,932	2,946	+14
Approved Security Plans	2,750	2,756	+6
Compliance Inspections	2,544	2644	+100

Table 2: Program Data to Date

Data Analysis

With five CFATS Updates published since CSAT 2.0 was implemented, I think we now have enough data points to be able to start to take a look at the CFATS implementation process over time. I will start with Graph 1 which shows all of the data reported to date. The initial data set is from the final CFATS update when the old CSAT was shut-down last October.

Graph 1: CFATS 2.0 Update Data

Okay, this graph is more than a little busy but it does demonstrate that most of the data has changed relatively little since the implementation of CSAT 2.0. Only two data streams show a significant change, covered facilities and total compliance inspections. The first is expected from the large number of previously uncovered facilities that ISCD required to re-submit Top Screens. The second is attributable to the ongoing work of CSI mentioned above.

Looking at the compliance inspection data in Graph 2 we can see that there is a rate of inspection disparity between to total number of inspections completed as compared with existing facility data. Assuming that the existing facility data reports the number of facilities with a current compliance inspection (an apparently reasonable assumption based upon the current SSP data also shown in the graph) we might expect that the difference between the total and existing data reflects the number of previously covered facilities that have left the program.

Graph 2: Compliance Inspection Data

The problem with that expectation is that it assumes a one-to-one correlation between the number of inspections and the number of facilities inspected. We know from the 2015 GAO report on the CFATS program that the CFATS program, at least initially, had a very high compliance inspection failure rate. Each of those facilities that failed their compliance inspection would require a subsequent re-inspection. If ISCD reports re-inspections as a compliance inspection (a reasonable reflection of agency resource utilization), then we can no longer assume that the difference between the two sets of reported data simply reflects facilities that have left the CFATS program.

Graph 3 shows the data for authorization inspections. The data here is relatively flat over the reporting period. This is because ISCD has been having to do very few authorization inspections for facilities that were already in the program before the CSAT 2.0 implementation. Most of those facilities had already moved beyond that point in their facility implementation of the CFATS program. It does, however, look like we are starting to see an uptick in the number of authorization inspections. This is to be expected as the then CSAT 2.0 facilities start to submit their site security plans for review.

 Graph 3: Authorization Inspection Data

Similarly, the data for approved site security plans (Graph 4) shows relatively little change over the period to date. The numbers are a little different, but neither the approved SSP data nor the authorization inspection data indicates that there has been a large number of facilities exiting the CFATS program since May.

Graph 4: SSP Data

With that in mind, I have tried to use the data presented to determine how many facilities have left the program since ISCD presented their initial CSAT 2.0 results. Table 3 shows my results. The data was calculated from the month-to-month changes in both total facility and current facility data provided in the CFATS updates.

Lost Facilities	June 2017	July 2017	Aug 2017	Sep 2017	Total to Date
Authorization Insp	-41	-7	-10	-6	-64
Approved SSP	-6	-22	-13	-11	-52
Compliance Insp	-73	-93	-176	-99	-441

Table 3: Lost Facility Estimates

Commentary

The data from authorization inspections and site security plan approvals would seem to indicate that there has generally been very little loss of facilities from the CFATS program since May. It looks like the 5% tiering out rate that ISCD had reported in their initial report on the CSAT 2.0 implementation. That may be because facilities that had taken actions to reduce their risk may have voluntarily submitted the new Top Screens early in the process.

I cannot, however, explain why there are significant discrepancies between the two data sets. Interestingly, there is a fairly constant (182 to 195) difference between the total data for authorization inspections and approved site security plans over the reporting period. The range is significantly larger (67 to 105) for the current facility differences and there is no correlation between the data sets (R² = .25).

The compliance inspection data seems to indicate that ISCD is still seeing a relatively large percentage of facilities failing their initial CFATS compliance inspections and perhaps some subsequent re-inspections. This is disconcerting if true. Approved site security plans are a negotiated agreement between the facility and ISCD on how the facility will meet the facility security requirements of the CFATS program.