Monday, September 10, 2018

S 3405 CFATS Reauthorization – CFATS Recognition Program

This is another in a series of blog posts about S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. The other blog posts in the series include:

CFATS Recognition Program

In response to industry requests for CFATS recognition of industry stewardship programs (Responsible Care® or Responsible Distribution for example) Sen. Johnson included §5 of the bill to require DHS to set up a formal recognition program for industry stewardship programs. Michael Kennedy, in a recent blog post, suggested that this could be similar to the OSHA Voluntary Protection Program (VPP), but that is not clear from the text of §5.

The bill adds a new subparagraph (5) to 6 USC 622(c). It would give DHS 180 days to establish a CFATS Recognition Program (CFATS-RP) that would establish {new §622(c)(5)(B)(i)(II)}:

• Eligibility criteria for industry stewardship programs seeking to participate in the CFATS Recognition Program; and
• Performance requirements for participating facilities; and
Incentives to encourage participation in the CFATS Recognition Program.

Industry Program Requirements

The new §622(c)(5)(C)(i) establishes broad the industry program requirements that DHS would be required to incorporate into the CFATS-RP. First the ‘industry program’ would have to be sponsored/run by a §501(c) tax exempt organization with a “a documented top management commitment to chemical facility security” {new §622(c)(5)(C)(i)(II)}. Additionally, the DHS rules would be required to define the criteria that the ‘industry program’ would have to address concerning {new §622(c)(5)(C)(i)(III)}:

• Auditing requirements and frequency;
• Security vulnerability assessment requirements and frequency;
• Security measures; and
• Reporting required to be done by any industry stewardship program desiring to participate in the CFATS Recognition Program.

With regards to the ‘security measures’ mentioned above, the bill would require that they address {new §622(c)(5)(C)(i)(III)(cc)}:

• Detection measures;
• Delay measures;
• Response measures; and
• Security management.

Facility Performance Requirements

The new §622(c)(5)(C)(ii) establishes the facility requirements that DHS would incorporate into the CFATS-RP regulations. The new regulations would require that participating organizations:

• Provide proof of program participation to include being in “full compliance with the requirements of the industry stewardship program” §622(c)(5)(C)(ii)(bb);
• Conduct initial and periodic (3 year) vulnerability assessments; and
• Develop and maintain site security plan using the same scope of security measures described above.

Program Incentives

The new §622(c)(5)(C)(iii) establishes the incentives that DHS would incorporate into the CFATS-RP regulations. Those incentives would include:

• Reduction of Tier level of participating facilities;
• Reduction in the frequency of compliance inspections;
• Streamlined site security plan process; and
• ‘Other’ incentives developed by DHS.

Regulatory Process

With the 180-day deadline provided for in this bill for establishing the CFATS-RP, there is certainly not time for that standard publish, comment and revise process normally required for the regulatory process. The bill provides for an exemption for “developing and issuing, or amending, the guidance relating to carrying out the CFATS Recognition Program” {new §622(c)(5)(B)(ii)}.


There are some major holes in the CFATS-RP as outlined in this bill. First, there are no provisions for making any regulatory changes in the CFATS program. All of the requirements provided in the bill for this recognition program are intended to be embodied in a ‘guidance’ document. This means that the process would have to be shoe-horned into 6 CFR 27.235, Alternative Security Plans (ASP).

In many ways the ASP process is a good fit for these recognition programs except that it provides no room for the incentive program required by the bill, but those incentives could be addressed by other parts of the CFATS regulations. For example, the tiering reduction can be seen to be included in the authority/process outlined in §27.220(b) and the inspection frequency change is already allowed under §27.210(c).

The big question here, however, is how the CFATS-RP affects the current risk-based performance standards (RBPS) incorporation into any recognition program ASP. There is nothing in the bill that would specifically exempt facilities from complying with current RBSP requirements. Actually, the description of ‘security measures’ in §622(c)(5)(C)(i)(III)(cc)} very closely follows the description DHS uses of their “RBPS Overarching Security Guidelines” on their Risk-Based Performance Standards web site. The exception, of course, is the failure to include ‘Cyber’ in the bills description of security measures, but that is due to the removal of cybersecurity measures from the RBPS effected elsewhere in the bill.

This CFATS-RP looks to be a natural extension of the ASP process already in existence in the CFATS program. The American Chemistry Council (ACC) has established {and the National Association of Chemical Distributors (NACD) has signed onto} an ASP that could be expanded to form the basis of an industry program under the CFATS-RP.

My biggest problem with the proposed CFATS-RP deals with the Tier reduction. While this certainly seems to be a reasonable ‘incentive’, there are some issues that would have to be resolved for it to be effective. If the Tier reduction is made after the site security plan is approved, the facility would already have put most of the security measures in place that a Tier reduction might be expected to reduce. If the Tier reduction is applied before the site security plan is submitted, the facility would have no way of knowing how much of an incentive the reduction would be. To be effective the Tier reduction would have to be effected after the SSP was authorized but before it was approved. This would allow the facility to amend the SSP to reflect the lowered Tier level. Unfortunately, this would complicate the inspection/approval process, not make it easier.

The other question with regards to Tier reduction has to do with what happens with Tier 4 facilities? The only tier reduction available would be to drop them out of the CFATS program. It is not clear whether or not Johnson intended that to happen as a result of the CFATS-RP. The deeper question is how would DHS ensure that facilities remained compliant with the CFATS-RP program if they were dropped from the program?

For this CFATS-RP to be truly effective in both reducing the regulatory burden on the participating, the program would need to use the industry association (or its designated contractors) for at least part of the inspection burden. That would be much closer to Kennedy’s OSHA VPP reference. This is, of course, already authorized by §622(d)(1)(B), but to the best of my knowledge the Department has not yet utilized non-governmental inspectors.

No comments:

/* Use this with templates/template-twocol.html */