GAO Publishes CFATS Report – 08-08-18

Yesterday the Government Accountability Office (GAO) published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report was requested by Congress as part of the efforts leading up to the re-authorization of the CFATS program. Generally, the GAO was satisfied with the progress that the DHS Infrastructure Security Compliance Division (ISCD) has made with improvements to the CFATS program and issued two Recommendations. GAO provides both a copy of the report and one-page summary on their web site.

Measuring Program Performance

While the GAO report is generally positive in its reporting on improvements made to the CFATS program (and specifically to responses to previous GAO recommendations) they do note one on-going problem that ISCD has only partially addressed. That reflects on the ability of ISCD and DHS to measure the success of the CFATS program in reducing the risk of terrorist attack on high-risk chemical facilities.

Specifically, they recommend that ISCD “should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security.” (pg 33)

DHS has concurred with this recommendation (pg 39) and notes on-going activities to improve the calculation of the change in ‘security score’ that the Department uses to measure and report the program performance in ‘lowering risk and improving national security’. To more fully comply with the recommendation DHS reports that (pgs 39-40):

“To develop a system that could numerically evaluate vulnerabilities likely would require revising the regulatory language describing CFATS vulnerability assessments, modifying CFATS processes, and updating tools used to gather vulnerability assessments. This would be a significant burden on both industry and government and NPPD does not believe this would result in a better measure for evaluating the security enhancing effectiveness of the CFATS program, compared to the new performance measure the Department intends to implement.”

Information Sharing

While the GAO report recognizes that ISCD has taken positive steps to share information about CFATS covered facilities with first responders and emergency planners through the establishment of their IP Gateway, their investigation showed that the information available is not effectively reaching the targeted audience (see the lengthy discussion on pages 29-32.

The GAO recommends that DHS “should take actions to encourage access to and wider use of the IP Gateway and explore other opportunities to improve information-sharing with first responders and emergency planners.” (pg 33-4).

The DHS response to this recommendation includes a discussion (pgs 40-1) of efforts that it has taken to date (mostly identified in the GAO report) including a program requirement (Risk Based Performance Standard 9) that requires facilities to “have regular and recurring contact with their local first responders” (pg 41). DHS then goes on to explain that this last “is the most effective way to get information to first responders as it involves direct communication between the high-risk chemical facilities and their local responders. DHS then notes that they “cannot require first responders to access the IP Gateway or respond to facility requests for visits”. They do report that they “will ensure contact is made with LEPCs representing the top 25 percent of the CFATS high-risk chemical facilities no later than the end of the second quarter FY 2019” (pg 41).

Commentary

The first issue is a program measurement issue that needs to be resolved between DHS and Congress. Congress rightly wants to know that the programs that it authorizes and funds are having a beneficial effect. How to measure that performance in a meaningful way in this particular instance, is going to be difficult to establish. DHS has an important point in that the measures of program performance should not unduly increase the burden on the regulated community.

The second issue is much more problematic and important to the ultimate success of the CFATS program. All CFATS covered facilities have to rely to some extent on the resources of the local community to respond to a successful attack on the facility. Even facilities with dedicated on-site emergency response personnel are going to have to rely on off-site responders to deal with effects of an attack on the local community. Sharing information with local response agencies (including police, ambulance and hospitals serving the area around CFATS facilities) is an important pre-requisite to having an effective response a successful terrorist attack.

I was disappointed in this portion of the GAO report in that the investigators did not apparently dig deeper into why “officials representing 13 of the 15 LEPCs stated that they do not have access to CFATS information within the IP Gateway” (pg 31). While seven of those officials reportedly were not aware of the IP Gateway, it is disconcerting that GAO did not attempt to ascertain why the other 8 could not accesses the available information.

I suspect that the reason has to do with the provisions that require that before an individual can access the most detailed (and important) information they have to be cleared for access to Chemical-Terrorism Vulnerability Information (CVI). This clearance requires completing an on-line training program, establishing a need-to-know (should be a priori established for LEPC members), and maintaining the information security requirements (a post access requirement) of the CVI program {which have yet to be upgraded to comply with Federal controlled unclassified information (CUI) standards}. Gaining the CVI access is not terribly difficult, but it does require some investigation and action by the LEPC officials desiring access to the information.

Much of the information currently protected by the CVI designation in the IP Gateways probably should not be protected as it should be available to LEPCs under the EPA reporting requirements of the Emergency Planning and Community Right-to-Know Act of 1986 (EPCRA). Interestingly, the GAO reports note that 200 of the 300+ chemicals covered under the CFATS program {DHS chemicals of interest (COI)} are not covered under the reporting requirements of EPCRA. Not mentioned in the report is the fact that (presumably most of) these 200 chemicals are covered under the CFATS program because of their potential use in manufacturing improvised chemical munitions or improvised chemical weapons, not because they are an air-pollution release-risk covered under the EPCRA requirements.

Adequately addressing this information sharing problem is not one that ISCD is going to be able to resolve on its own. It will require congressional action as part of the CFATS reauthorization process. I will address this issue more completely in a future blog post.