This is another in a series of blog posts about S 3405, the Protecting and
Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would
reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program
for five years. The other blog posts in the series include:
CFATS Recognition Program
In response to industry requests for CFATS recognition of industry
stewardship programs (Responsible Care® or Responsible Distribution for
example) Sen. Johnson included §5 of the bill to require DHS to set up a
formal recognition program for industry stewardship programs. Michael
Kennedy, in a recent blog post, suggested that this could be similar to the
OSHA Voluntary Protection Program (VPP), but that is not clear from the text
of §5.
The bill adds a new subparagraph (5) to 6 USC 622(c). It would give DHS 180
days to establish a CFATS Recognition Program (CFATS-RP) that would
establish {new §622(c)(5)(B)(i)(II)}:
• Eligibility criteria for industry
stewardship programs seeking to participate in the CFATS Recognition Program;
and
• Performance requirements for
participating facilities; and
• Incentives to encourage participation in the CFATS
Recognition Program.
Industry Program Requirements
The new §622(c)(5)(C)(i) establishes the broad industry
program requirements that DHS would be required to incorporate into the
CFATS-RP. First, the ‘industry program’ would have to be sponsored/run by a
§501(c) tax exempt organization with “a documented top management commitment
to chemical facility security” {new §622(c)(5)(C)(i)(II)}. Additionally, the
DHS rules would be required to define the criteria that the ‘industry
program’ would have to address concerning {new §622(c)(5)(C)(i)(III)}:
• Auditing requirements and
frequency;
• Security vulnerability assessment
requirements and frequency;
• Security measures; and
• Reporting required to be done by
any industry stewardship program desiring to participate in the CFATS
Recognition Program.
With regard to the ‘security measures’ mentioned above, the
bill would require that they address {new §622(c)(5)(C)(i)(III)(cc)}:
• Detection measures;
• Delay measures;
• Response measures; and
• Security management.
Facility Performance Requirements
The new §622(c)(5)(C)(ii) establishes the facility
requirements that DHS would incorporate into the CFATS-RP regulations. The new
regulations would require that participating organizations:
• Provide proof of program
participation to include being in “full compliance with the requirements of the
industry stewardship program” {new §622(c)(5)(C)(ii)(bb)};
• Conduct initial and periodic (3
year) vulnerability assessments; and
• Develop and maintain a site
security plan using the same scope of security measures described above.
Program Incentives
The new §622(c)(5)(C)(iii) establishes the incentives that
DHS would incorporate into the CFATS-RP regulations. Those incentives would
include:
• Reduction of Tier level of
participating facilities;
• Reduction in the frequency of
compliance inspections;
• Streamlined site security plan
process; and
• ‘Other’ incentives developed by
DHS.
Regulatory Process
With the 180-day deadline provided for in this bill for
establishing the CFATS-RP, there is certainly not time for the standard
publish, comment and revise process normally required for the regulatory
process. The bill provides for an exemption for “developing and issuing, or
amending, the guidance relating to carrying out the CFATS Recognition
Program” {new §622(c)(5)(B)(ii)}.
Commentary
There are some major holes in the CFATS-RP as outlined in
this bill. First, there are no provisions for making any regulatory changes in the
CFATS program. All of the requirements provided in the bill for this
recognition program are intended to be embodied in a ‘guidance’ document. This
means that the process would have to be shoe-horned into 6 CFR 27.235,
Alternative Security Plans (ASP).
In many ways the ASP process is a good fit for these
recognition programs except that it provides no room for the incentive program
required by the bill, but those incentives could be addressed by other parts of
the CFATS regulations. For example, the tiering reduction can be seen to be
included in the authority/process outlined in §27.220(b) and the inspection
frequency change is already allowed under §27.210(c).
The big question here, however, is how the CFATS-RP affects
the current risk-based performance standards (RBPS) incorporation into any
recognition program ASP. There is nothing in the bill that would specifically
exempt facilities from complying with current RBPS requirements. Actually, the
description of ‘security measures’ in {new §622(c)(5)(C)(i)(III)(cc)} very
closely follows the description DHS uses of their “RBPS Overarching Security
Guidelines” on their Risk-Based Performance Standards web site. The
exception, of course, is the failure to include ‘Cyber’ in the bill’s
description of security measures, but that is due to the removal of
cybersecurity measures from the RBPS effected elsewhere in the bill.
This CFATS-RP looks to be a natural extension of the ASP
process already in existence in the CFATS program. The American Chemistry Council
(ACC) has established {and the National Association of Chemical Distributors
(NACD) has signed onto} an ASP that could be expanded to form the basis of an
industry program under the CFATS-RP.
My biggest problem with the proposed CFATS-RP deals with the
Tier reduction. While this certainly seems to be a reasonable ‘incentive’,
there are some issues that would have to be resolved for it to be effective. If
the Tier reduction is made after the site security plan is approved, the
facility would already have put most of the security measures in place that a
Tier reduction might be expected to reduce. If the Tier reduction is applied before
the site security plan is submitted, the facility would have no way of knowing
how much of an incentive the reduction would be. To be effective the Tier
reduction would have to be effected after the SSP was authorized but before it
was approved. This would allow the facility to amend the SSP to reflect the
lowered Tier level. Unfortunately, this would complicate the inspection/approval
process, not make it easier.
The other question with regard to Tier reduction is what happens
with Tier 4 facilities. The only tier reduction available
would be to drop them out of the CFATS program. It is not clear whether or not
Johnson intended that to happen as a result of the CFATS-RP. The deeper
question is how DHS would ensure that facilities remained compliant with the
CFATS-RP if they were dropped from the CFATS program.
For this CFATS-RP to be truly effective in reducing the
regulatory burden on participating facilities, the program would need to use
the industry association (or its designated contractors) for at least part of
the inspection burden. That would be much closer to Kennedy’s OSHA VPP
reference. This is, of course, already authorized by §622(d)(1)(B),
but to the best of my knowledge the Department has not yet utilized
non-governmental inspectors.