S 3405 CFATS Reauthorization – EAP

This is the third in a series of blog posts about S 3405, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018, which would reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. The other blog posts in the series include:

Sen Johnson Proposes Gutting Cybersecurity Provisions of CFATS Program; and

S 3405 Introduced – CFATS Authorization

Expedited Approval Program (EAP)

Section 4 of the bill makes a large number of changes to 6 USC 622(c)(4), the Expedited Approval Program. This subparagraph was added by the 2014 bill as a method to allow Tier 3 and Tier 4 facilities a smoother path to having a site security plan approved by DHS. There are almost three pages of changes made to the EAP language by §4 and they are difficult to understand without looking at how the language of §622(c)(4) will actually look once these changes are put into place. So here goes; stricken language is lined through, added language is highlighted and the ‘• • •’ indicates where extended portions of the language have not been changed.

(4) Expedited approval program

(A) In general  

A covered chemical facility assigned to tier 3 or 4 may meet the requirement to develop and submit a site security plan under subsection (a)(2)(D) by developing and submitting to the Secretary—

(i) a site security plan and the certification described in subparagraph (C)(i); or

(ii) a site security plan in conformance with a template authorized under subparagraph (H).

(B) Guidance for expedited approval facilities

(i) In general Not later than 180 days after December 18, 2014, the Secretary shall issue The Secretary shall maintain guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards.

(ii) Material deviation from guidance If a security measure in the site security plan of an expedited approval facility materially deviates from a security measure in the guidance for expedited approval facilities, the site security plan shall include an explanation of how such security measure meets the risk-based performance standards.

(iii) Applicability of other laws to development and issuance of initial guidance During the period before the Secretary has met the deadline under clause (i), in developing and issuing, or amending, the guidance for expedited approval facilities under this subparagraph and in collecting information from expedited approval facilities, the Secretary shall not be subject to—

(I) section 553 of title 5;

(II) subchapter I of chapter 35 of title 44; or

(III) section 627(b) of this title.

(C) Certification The owner (i) In general the owner operator of an expedited approval facility shall submit to the Secretary a certification, signed under penalty of perjury, that—

(i) (I) The owner or operator is familiar with the requirements of this subchapter and part 27 of title 6, Code of Federal Regulations, or any successor thereto, and the site security plan being submitted;

(ii) (II) the site security plan includes the security measures required by subsection (b);

(iii) (III) (I) (aa) the security measures in the site security plan do not materially deviate from the guidance for expedited approval facilities except where indicated in the site security plan;

(II) (bb) any deviations from the guidance for expedited approval facilities in the site security plan meet the risk-based performance standards for the tier to which the facility is assigned; and

(III) (cc) the owner or operator has provided an explanation of how the site security plan meets the risk-based performance standards for any material deviation;

(iv) (IV) the owner or operator has visited, examined, documented, and verified that the expedited approval facility meets the criteria set forth in the site security plan;

(v) (V) the expedited approval facility has implemented all of the required performance measures outlined in the site security plan or set out planned measures that will be implemented within a reasonable time period stated in the site security plan;

(vi) (VI) each individual responsible for implementing the site security plan has been made aware of the requirements relevant to the individual’s responsibility contained in the site security plan and has demonstrated competency to carry out those requirements;

(vii) (VII) the owner or operator has committed, or, in the case of planned measures will commit, the necessary resources to fully implement the site security plan; and

(viii) (VIII) the planned measures include an adequate procedure for addressing events beyond the control of the owner or operator in implementing any planned measures.

(ii) RISK-BASED PERFORMANCE STANDARDS.—In submitting a site security plan and certification under subparagraph (A)(i), an owner or operator of an expedited approval facility should consider using the guidance for expedited approval facilities to determine appropriate measures for the site security plan of the expedited approval facility.

(D) Deadline (i) In general Not later than 120 days after the date described in clause (ii), the owner or operator of an expedited approval facility shall submit to the Secretary the site security plan and the certification described in subparagraph (C) subparagraph (C)(i).

(ii) Date The date described in this clause is—

(I) for an expedited approval facility that was assigned to tier 3 or 4 under existing CFATS regulations before December 18, 2014, the date that is 210 days after December 18, 2014; and

(II) for any expedited approval facility not described in subclause (I), the later of—

(aa) the date on which the expedited approval facility is assigned to tier 3 or 4 under subsection (e)(2)(A); or

(bb) the date that is 210 days after December 18, 2014.

(iii) Notice An owner or operator of an expedited approval facility shall notify the Secretary of the intent of the owner or operator to certify the site security plan for the expedited approval facility not later than 30 7 days before the date on which the owner or operator submits the site security plan and certification described in subparagraph (C) subparagraph (C)(i).

(E) • • • (no change)

(F) Amendments to site security plan (i) Requirement (I) In general If the owner or operator of an expedited approval facility amends a site security plan submitted under subparagraph (A), the owner or operator shall submit the amended site security plan and a certification relating to the amended site security plan that contains the information described in subparagraph (C) subparagraph (C)(i). • • •

(G) • • • (no change)

(H) • • • (no change)

(I) Evaluation

(i) In general Not later than 18 months after December 18, 2014, the Secretary shall take any appropriate action necessary for a full evaluation of the expedited approval program authorized under this paragraph, including conducting an appropriate number of inspections, as authorized under subsection (d), of expedited approval facilities.

(ii) Report Not later than 18 months after December 18, 2014, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security and the Committee on Energy and Commerce of the House of Representatives a report that contains—

(I)(aa) the number of eligible facilities using the expedited approval program authorized under this paragraph; and

(bb) the number of facilities that are eligible for the expedited approval program but are using the standard process for developing and submitting a site security plan under subsection (a)(2)(D); (II) any costs and efficiencies associated with the expedited approval program;

(III) the impact of the expedited approval program on the backlog for site security plan approval and authorization inspections;

(IV) an assessment of the ability of expedited approval facilities to submit facially sufficient site security plans;

(V) an assessment of any impact of the expedited approval program on the security of chemical facilities; and

(VI) a recommendation by the Secretary on the frequency of compliance inspections that may be required for expedited approval facilities.

(I) NOTICE BY THE SECRETARY.—The Secretary shall provide notice to each covered chemical facility of the expedited approval program under this paragraph.’’.

Commentary

The basic outline of the EAP remains the same. The DHS ISCD is to maintain the current guidance document. Tier 3 and Tier 4 facilities would continue to have the option to use the EAP instead of going through the normal site security plan submission process. And ISCD would enforce the EAP in the same manner as is currently in use.

There are two administrative changes to the EAP that affect actions by ISCD. First, any revisions to be made to the guidance document will no longer be exempt from the publish, comment and response process normally used in regulatory affairs. The original EAP was exempted from that processes because facilities could choose to participate or not and Congress wanted DHS to get the EAP process up and running quickly. This change protects the small handful of facilities that are operating under the EAP from DHS making ad hoc changes to the security requirements for the program.

The second administrative requirement is that DHS would be required to notify ‘each covered chemical facility’ about the EAP process. Typically, the term ‘covered facility’ means a facility that has submitted a Top Screen and has been notified by ISCD that they are required to submit a site security plan. The EAP process remains available to only Tier 3 and Tier 4 facilities, so I do not see why Johnson would want the Tier 1 and Tier 2 facilities notified, but the provision is easy enough to comply with and could arguably already be considered completed because of the current EAP web page.

There is one change to the existing EAP process for submitting facilities that would be made by §4 of the bill. Instead of notifying ISCD 30 days before they submit an EAP security plan and certification, the bill would now only require that notification 7 days before the submission. This notification requirement was a provision that never really made much sense. As long as the facility submitted the EAP documents prior to the required date for submitting a site security plan I cannot fathom why DHS would need any additional prior notification.

There is one oddity in the §4 changes to the EAP language. The new §622(c)(4)(C)(ii) statement does not make much legislative sense. It looks like Johnson was trying to provide facilities with some wiggle room on what security measures that they could select from the EAP guidance, but the way the sub-paragraph was added it does not do that. In fact, Johnsons changing all reference to ‘subparagraph (C)’ to read ‘subparagraph (C)(i)’ specifically removes the new subparagraph (C)(ii) from having any impact on facilities or in any way modifying how ISCD enforces the program.

The one thing that I am surprised not to see in the language of §4 is a revocation of the subparagraph (H)(ii). This is the nearly identical to the language in (B)(iii) which was deleted. Since this clause is found in the section on ‘Templates’ it could be argued that it only provides DHS with an exemption to the publish comment and revise process for changes made to templates. Since DHS has not yet really published any templates (other than the ‘example’ in

Attachment 2 to the EAP guidance document), perhaps Johnson wanted to preserve the ability of DHS to formulate a formal template without having to go through the full administrative process. If that were the case, he should have revised the language in (H)(ii) because it relies on a date in (B)(iii) which would be removed by this bill.