Sunday, June 17, 2018

The Other CFATS Hearing

On Thursday the Environment Subcommittee of the House Energy and Commerce Committee held a status hearing on the Chemical Facility Anti-Terrorism Standards (CFATS) program. Readers who watch the video of the hearing will notice a marked difference between this hearing and the Senate hearing from earlier in the week. This hearing included lots of testimony and Committee questions about chemical worker safety (OSHA) and environmental safety (EPA). Like in Tuesday’s hearing, the industry witnesses were looking for a long-term extension of the CFATS authority and the two government witnesses (David Wulf, DHS; and Chris P. Currie, GAO) provided nearly identical testimony to what they provided on Tuesday.


There was no direct testimony about cybersecurity in the CFATS environment in this hearing. Two of the Congressmen, however, did have some questions about the topic.

Rep. McNerney (D,CA) had questions about cybersecurity and information sharing (1:05:52 thru 1:08:53). Because of his past work in the energy sector, he focused on the time it took to get a security clearance approved so that facilities could get access to classified cybersecurity intelligence. Wulf was not able to provide detailed information about the time involved; just a generic description of the private sector security clearance process at DHS. Both agreed that this was an impediment to information sharing.

Rep. Olson (R,TX) had a question about cybersecurity risk, pointing out that the Arkema incident after Hurricane Harvey could have similarly been caused by a cyberattack. Wulf agreed to the importance of protecting cyber controls at CFATS facilities and outlined the company line on the training that Chemical Security Inspectors (CSI) received on cyber inspection techniques. There was no mention of (or questions about) the problems about which CSI LeGros testified on Tuesday.

Emergency Response Planning

There were lots of talk about the need for communications between CFATS facilities and local first responders. The testimony of two of the witnesses (Yvette Arellano, Texas Environmental Justice Advocacy Services; and Mike Wilson, BlueGreen Alliance) focused heavily on this topic and general safety communications with the local community.

Rep. Flores (R,TX) had questions about communicating Chemical-Terrorism Vulnerability (CVI) information with Local Emergency Planning Committees (LEPCs). Wulf explained that only LEPC members such as emergency response planners and first responders would have the ‘need-to-know’ to gain access to CVI information. Lack of time stopped a more complete explanation.

Towards the end of the hearing (when similar questions were raised with the second panel) James Conrad {representing Society of Chemical Manufacturers and Affiliates (SOCMA)} reminded everyone that the information that LEPC’s (hazardous material Safety Data Sheets and inventory information) require are not CVI, they are required to be supplied to SERCs, LEPCs and local fire departments by EPA regulations (see for example 40 CFR 370.30). Conrad then went on to explain that the CVI procedures manual clearly states that (pg 8) “Thus, information that a facility develops in accordance with other statutory or regulatory obligations, or information that pre-dates DHS regulation under Section 550, is not CVI.”

Enforcement Activity

Long time readers of this blog are probably familiar with my calls for additional information about the results of Compliance Inspections; wanting to know how many facilities have failed the initial inspection and the actions that the Infrastructure Security Compliance Division (ISCD) to get facilities into compliance.

Wulf provided some of that information under questioning on Thursday. He was broadly uncommunicative about the results of inspections. He did note, however, that ISCD has had to resort to issuing 70 compliance letters giving facilities dates certain to come into compliance. Of those all but three met the final deadline. Those remaining three had to have civil penalties assed before they came into compliance. That is a pretty good compliance record with 3,553 compliance inspections having been conducted to date.


This hearing was disappointing on so many levels. First and foremost was the decided lack of knowledge about the CFATS program amongst the questioning Representative. Too many congresscritters expected CFATS to protect the community from chemical releases due to hurricanes, earthquakes or corporate ineptitude. More than one congresscritter suggested that the CFATS program ought to be expanded to include such problems.

On one hand, I can sympathize. The CFATS program has a good relationship with the regulated community, including (in many cases) personal relationships between facility personnel and CSI. Facility management and ISCD has a solid record of working with facilities and industry in general to cooperatively work towards increasing the chemical security at covered facilities.

There are two reasons for this successful relationship. First ISCD is forbidden from issuing regulations requiring specific security measures rather they are required to issue risk-based security guidance that tells facilities what they must accomplish. Facilities then prepare draft site security plans and negotiate with ISCD to achieve a plan that meets the appropriate standards. This process insures that the facility has a solid understanding of what the regulatory requirements for their facility are. Also, the CSI for a facility have a greater, in-depth understanding of what the facility does and how it intends to accomplish its security goals than a one-time inspector from OSHA or EPA can ever achieve.

Now, I am a long-time advocate for effective emergency planning and that planning can only be effective if all of the potentially affected parties (okay ‘all’ is never really achievable, but I still want to attempt to include ‘all’) know the potential hazards involved and what actions they can reasonably be asked to take in the event of an incident.

None of that information should fall under CVI protections. SDS provide open source information on the hazards involved and the local LEPC should be determining what actions would take place in the event of incidents at different levels of severity. Unfortunately, neither the facility nor ISCD have any way of compelling an LEPC to do its emergency planning job. Nor does the agency responsible for oversight of LEPCs. Congress never provided EPA with that authority nor LEPCs with funding to under take the emergency planning necessary to protect the community from unintended (accidental or as a result of an attack) chemical releases.

If Congress really wants to do something to improve the CFATS program’s handling of emergency response planning, they should remove that planning from LEPCs and delegate responsibility to FEMA with a concurrent increase in funding and manning for FEMA to accomplish the task. I would suggest that FEMA be specifically authorized to work through LEPC’s where the local agency is up to the task.

On a separate matter: I was a little confused listening to everyone at this hearing referring to the expiration of the current CFATS authorization coming in January 2019. I have been reporting that date as December 18th, 2018 because of the 4-year expiration term set in §5 of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (PL 113-254). I have been remiss in not closely examining the wording of that section. It states:

“The authority provided under title XXI of the Homeland Security Act of 2002, as added by section 2(a), shall terminate on the date that is 4 years after the effective date [emphasis added] of this Act.”

The effective date was set in §4(a) as “30 days after the date of enactment of this Act”. The enactment date was December 18th, 2014, which would make the effective date January 17th, 2015 and the expiration date January 17th, 2019.

Finally, this hearing points out another problem with the congressional hearing process. The exchange of information in the Senate hearing earlier this week was fairly effective. This was due in large part to only four Senator’s taking part in the questioning and a very loose hand on the clock by the Chair. This allowed for information exchanges and actual dialogs to occur. The large venue on Thursday meant that the Chair had to keep a tight hand on the stop-watch to keep the hearing under three hours. Combine that with congresscritters popping in and out of the hearing resulting in duplicative questions and the natural tendency of any politician to speechify instead of asking a simple question and you have a very limited exchange of information. Congress needs to come up with a solution to this problem if they want hearings to be an actual method of acquiring information on complex topics.

No comments:

/* Use this with templates/template-twocol.html */