On Thursday the Environment Subcommittee of the House Energy
and Commerce Committee held a status hearing on the Chemical Facility Anti-Terrorism
Standards (CFATS) program. Readers who watch the
video of the hearing will notice a
marked difference between this hearing and the
Senate
hearing from earlier in the week. This hearing included lots of testimony
and Committee questions about chemical worker safety (OSHA) and environmental
safety (EPA). Like in Tuesday’s hearing, the industry witnesses were looking
for a long-term extension of the CFATS authority and the two government
witnesses (David Wulf, DHS; and Chris P. Currie, GAO) provided nearly identical
testimony to what they provided on Tuesday.
Cybersecurity
There was no direct testimony about cybersecurity in the
CFATS environment in this hearing. Two of the Congressmen, however, did have
some questions about the topic.
Rep. McNerney (D,CA) had questions about cybersecurity and
information sharing (1:05:52 thru 1:08:53). Because of his past work in the
energy sector, he focused on the time it took to get a security clearance
approved so that facilities could get access to classified cybersecurity
intelligence. Wulf was not able to provide detailed information about the time
involved; just a generic description of the private sector security clearance
process at DHS. Both agreed that this was an impediment to information sharing.
Rep. Olson (R,TX) had a question about cybersecurity risk,
pointing out that the
Arkema
incident after Hurricane Harvey could have similarly been caused by a cyberattack.
Wulf agreed to the importance of protecting cyber controls at CFATS facilities
and outlined the company line on the training that Chemical Security Inspectors
(CSI) received on cyber inspection techniques. There was no mention of (or
questions about) the problems about which CSI LeGros testified on Tuesday.
Emergency Response Planning
There were lots of talk about the need for communications
between CFATS facilities and local first responders. The testimony of two of
the witnesses (Yvette Arellano, Texas
Environmental Justice Advocacy Services; and Mike Wilson, BlueGreen Alliance) focused heavily on this topic and
general safety communications with the local community.
Rep. Flores (R,TX) had questions about communicating
Chemical-Terrorism Vulnerability (CVI) information with Local Emergency
Planning Committees (LEPCs). Wulf explained that only LEPC members such as
emergency response planners and first responders would have the ‘need-to-know’
to gain access to CVI information. Lack of time stopped a more complete
explanation.
Towards the end of the hearing (when similar questions were
raised with the second panel) James Conrad {representing Society of Chemical
Manufacturers and Affiliates (SOCMA)} reminded everyone that the information that
LEPC’s (hazardous material Safety Data Sheets and inventory information) require
are not CVI, they are required to be supplied to SERCs, LEPCs and local fire
departments by EPA regulations (see for example
40
CFR 370.30). Conrad then went on to explain that the
CVI
procedures manual clearly states that (pg 8) “Thus, information that a
facility develops in accordance with other statutory or regulatory obligations,
or information that pre-dates DHS regulation under Section 550, is not CVI.”
Enforcement Activity
Long time readers of this blog are probably familiar with my
calls for additional information about the results of Compliance Inspections;
wanting to know how many facilities have failed the initial inspection and the
actions that the Infrastructure Security Compliance Division (ISCD) to get
facilities into compliance.
Wulf provided some of that information under questioning on
Thursday. He was broadly uncommunicative about the results of inspections. He
did note, however, that ISCD has had to resort to issuing 70 compliance letters
giving facilities dates certain to come into compliance. Of those all but three
met the final deadline. Those remaining three had to have civil penalties assed
before they came into compliance. That is a pretty good compliance record with
3,553 compliance inspections having been conducted to date.
Commentary
This hearing was disappointing on so many levels. First and
foremost was the decided lack of knowledge about the CFATS program amongst the
questioning Representative. Too many congresscritters expected CFATS to protect
the community from chemical releases due to hurricanes, earthquakes or
corporate ineptitude. More than one congresscritter suggested that the CFATS
program ought to be expanded to include such problems.
On one hand, I can sympathize. The CFATS program has a good
relationship with the regulated community, including (in many cases) personal
relationships between facility personnel and CSI. Facility management and ISCD
has a solid record of working with facilities and industry in general to
cooperatively work towards increasing the chemical security at covered
facilities.
There are two reasons for this successful relationship.
First ISCD is forbidden from issuing regulations requiring specific security measures
rather they are required to issue risk-based security guidance that tells
facilities what they must accomplish. Facilities then prepare draft site security
plans and negotiate with ISCD to achieve a plan that meets the appropriate
standards. This process insures that the facility has a solid understanding of what
the regulatory requirements for their facility are. Also, the CSI for a
facility have a greater, in-depth understanding of what the facility does and
how it intends to accomplish its security goals than a one-time inspector from
OSHA or EPA can ever achieve.
Now, I am a long-time advocate for effective emergency
planning and that planning can only be effective if all of the potentially
affected parties (okay ‘all’ is never really achievable, but I still want to
attempt to include ‘all’) know the potential hazards involved and what actions
they can reasonably be asked to take in the event of an incident.
None of that information should fall under CVI protections. SDS
provide open source information on the hazards involved and the local LEPC
should be determining what actions would take place in the event of incidents
at different levels of severity. Unfortunately, neither the facility nor ISCD
have any way of compelling an LEPC to do its emergency planning job. Nor does
the agency responsible for oversight of LEPCs. Congress never provided EPA with
that authority nor LEPCs with funding to under take the emergency planning necessary
to protect the community from unintended (accidental or as a result of an
attack) chemical releases.
If Congress really wants to do something to improve the CFATS
program’s handling of emergency response planning, they should remove that
planning from LEPCs and delegate responsibility to FEMA with a concurrent
increase in funding and manning for FEMA to accomplish the task. I would
suggest that FEMA be specifically authorized to work through LEPC’s where the local
agency is up to the task.
On a separate matter: I was a little confused listening to
everyone at this hearing referring to the expiration of the current CFATS
authorization coming in January 2019. I have been reporting that date as December
18
th, 2018 because of the 4-year expiration term set in
§5 of the Protecting and
Securing Chemical Facilities from Terrorist Attacks Act of 2014 (
PL
113-254). I have been remiss in not closely examining the wording of that
section. It states:
“The authority provided under title
XXI of the Homeland Security Act of 2002, as added by section 2(a), shall
terminate on the date that is 4 years after the effective date [emphasis
added] of this Act.”
The effective date was set in §4(a) as “30 days after the date of enactment of this
Act”. The enactment date was December 18th, 2014, which would make
the effective date January 17th, 2015 and the expiration date
January 17th, 2019.
Finally, this hearing points out another problem with the congressional
hearing process. The exchange of information in the Senate hearing earlier this
week was fairly effective. This was due in large part to only four Senator’s
taking part in the questioning and a very loose hand on the clock by the Chair.
This allowed for information exchanges and actual dialogs to occur. The large
venue on Thursday meant that the Chair had to keep a tight hand on the
stop-watch to keep the hearing under three hours. Combine that with
congresscritters popping in and out of the hearing resulting in duplicative questions
and the natural tendency of any politician to speechify instead of asking a
simple question and you have a very limited exchange of information. Congress
needs to come up with a solution to this problem if they want hearings to be an
actual method of acquiring information on complex topics.