Thursday, January 17, 2019

Reader Comment – Move CFATS to EPA

I received an interesting comment on a post from last week about the passage of HR 251 in the House. The comment was a short question: “Why not move the entire program under EPA?”

This question has been asked many times in the 10-year history of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The short (and less than satisfying answer) is that security is the purview (for better or worse) of the Department of Homeland Security while the EPA is tasked with helping to prevent accidental discharges of hazardous chemicals. The reason that this answer is less than satisfying is that there is a great deal of practical overlap between these two missions.

The Differences

The better way to explain why CFATS should remain in DHS and not the EPA is to look at the differences between the CFATS program and the EPA’s Risk Management Program (RMP). While there is certainly a degree of commonality in the chemicals of concern between the two programs, there is a significant difference in the function of the two programs. The CFATS program is a risk management program and the RMP (despite the name) is a chemical management program.

If a facility has a designated minimum inventory of a covered chemical under the RMP program they are required to institute a number of internal programs to protect that chemical from accidental release as well as measures to coordinate with the local community to allow for an adequate response if those protections fail. The EPA will probably not get around to inspecting that facility for RMP program compliance unless there is a reportable release of a covered chemical. The result of that after-the-fact inspection will be a notice of non-compliance with one or more of the requirements of the program, a fine, and then a resumption of official ignorance until the next reportable release occurs.

That same inventory amount of the same chemical under the CFATS program triggers a reporting requirement to the DHS Infrastructure Security Compliance Division (ISCD). ISCD takes the required elements of that report and evaluates the risk that that facility might be a target of a terrorist attack. IF ISCD finds that the facility is at high-risk of such an attack, the facility is notified and is required to develop a site security plan to substantially reduce that risk. CFATS Chemical Security Inspectors will inspect the facility during the development process to help ISCD to determine if the SSP provides an adequate level of security for the facility in question. Once the plan is approved, ISCD will conduct periodic compliance inspections to ensure that the facility maintains their security program to the agreed upon standards.

Clearly, the CFATS program is a much more regulatorily hands-on program with a lot more interaction between inspectors and facility personnel. This is only possible because of the relatively small number of facilities covered by the program. Thus, 160 CSI can cover the 3,300+ facilities in the CFATS programs. The EPA would require thousands of inspectors to provide similar levels of coverage for the facilities covered by the RMP.

More Chemicals Covered

The CFATS program chemicals of interest (COI) is similar in many ways to the RMPs list of covered chemicals. The most toxic and most flammable chemicals are found on both lists with similar inventory levels triggering regulatory interest. The CFATS program, however, also includes chemicals in their COI list that could be used to make chemical warfare agents or improvised explosive devices.

This provides for some interesting differences between the two programs. Chlorine, for example, is covered by both programs as a toxic release hazard at similar inventory levels. Under the CFATS program it is also covered as a potential theft/diversion risk for use as a chemical weapon away from the covered chemical facility at much smaller inventory levels when packaged in portable containers. Again, this is a security risk (and an off-site security risk at that) not an environmental hazard.

Emergency Response Planning

Another area where there is some apparent overlap between the two programs is in the area of emergency response planning. Both programs contain an awareness that they will eventually fail in preventing an incident with serious off-site consequences. This will require that local emergency response personnel take some sort of action to mitigate the harm to local neighbors of the facility.

To date, neither program has a real strong history of ensuring that the covered facilities are providing local emergency response planners with all of the pre-incident assistance that would be needed to plan for an effective response to a hazardous chemical release. There are similar reasons for that failure. First, neither the program officials nor the facility management have any control over the local emergency planning process. Secondly, neither program has the congressional funding to provide the financial resources that the planning process requires.

Again, the CFATS program does have an advantage over the RMP; the CSI should be insuring as part of their inspection process that the facilities have at least provided the necessary information to the local emergency response folks. Again, the RMP only really provides for checking on this post-incident when it is too late to correct the problem.


The big question for me is not the ‘why not move it’ question provided by this reader, but why bother to try? Before the CFATS program was started, one could make the argument that at least the EPA had people with chemical safety knowledge that would be useful to setting up the CFATS program. The problem was (and remains) that the CFATS program is not mainly a safety program, it is much more about security than safety. If the CFATS program had been started in the EPA, the agency would have had same type initial problems with security that the folks at DHS had with chemical safety.

At this point, however, those types of safety vs security problems have been pretty much overcome. ISCD now has a pretty good mix of security and safety expertise in its CSI force. Their major problem now seems to be a lack of computer security (particularly for control systems) expertise, but that problem would be even worse in the EPA. ISCD is part of CISA and the control system security experience found in parts of that organization could be valuable for correcting the current ISCD cybersecurity shortcomings.

No, the CFATS folks need to remain as part of DHS; a move to EPA would solve almost no problems and create too many new ones. What we need now is for Congress to take a realistic look at the current program and decide what needs to be fixed and how best to take care of those issues. Unfortunately, in the current confrontational political environment we are working under, I expect that it will take longer than 15 months to accomplish that. I hope that I am wrong.

No comments:

/* Use this with templates/template-twocol.html */