Tuesday, March 12, 2019

CFATS Subcommittee Hearing – 03-12-19

Today the Cybersecurity, Infrastructure Protection, and Innovation Subcommittee of the House Homeland Security Committee held a hearing on “Securing Our Nation's Chemical Facilities: Stakeholders Perspectives on Improving the CFATS Program” (video here). The Subcommittee heard from a panel of labor and safety advocates as well as a representative of the American Chemistry Council (ACC).


Today’s witnesses included (link to prepared testimony):

Mr. John Morawetz, International Chemical Workers Union Council;
Dr. Mike Wilson, Ph.D, MPH, BlueGreen Alliance;
Pamela Nixon, People Concerned About Chemical Safety; and
Kirsten Meskill, BASF

As I mentioned in an earlier blog post, there was a fifth witness originally scheduled to be on the panel. There was no indication today why Randy E. Manner, Manner Analytics, was not present at the hearing.

Expected Coverage

As expected, based upon previous hearings and the change in leadership in the House, much of the questioning today addressed four topics:

• Voluntary ‘best practices’;
• Information sharing;
• Employee involvement; and
• Whistleblower protections

The ‘new’ term ‘best practices’ has apparently replaced the more controversial ‘inherently safer technology (IST)’ that was used extensively in the chemical safety and security discussions in the earlier Democratic-led House. All of the questioners and panel members (even to an extent Meskill) generally agreed that the sharing of ‘best practices’ related to actions that facilities could take to reduce their chemical risk was a good idea. There were no concrete ideas (or even suggestions) for how those ‘best practices’ could be implemented at other facilities. There was general agreement that the DHS Infrastructure Security Compliance Division (never named in the hearing) should share what information it did have.

The ‘information sharing’ bit was mainly about how and what CFATS facilities should share with local first responders, emergency planners and local communities to help respond to the release of chemicals or chemical incidents resulting from terrorist attacks, weather emergencies or accidents. Again, there was a general agreement that that information sharing was important and should be expanded. Ranking Member Katko (R,NY) made the point that other regulatory programs had more expansive information sharing requirements where concerns should more probably be addressed. Katko made a vague point about the CVI requirements for first responders.

Employee involvement in safety and security planning has long been a priority for Democrats. The point was made many times by Committee members and panelists that line employees would have valuable insights that should be included in identifying security vulnerabilities and planning for site security plans. Meskill made the point that they included employees at all stages of the security (and safety) planning and implementation process but agreed that she could not speak for all CFATS facilities.

The Democrats, again, have long had concerns about the whistleblowing protections provided to employees. Member concerns centered on protecting employees from retaliation for reporting security (and safety) problems at facilities. Interestingly, none of the panel members could provide any information on the problem when questioned. Katko pointed out (in the only second round of questioning in the hearing) that the CFATS Tip Line provided a way that employees could anonymously report problems at covered facilities (including the lack of initial notification to ISCD).


The one new (and unexpected to me) topic that came up a number of different times was cybersecurity. Langevin (D,RI), Rice (D,NY) and Jackson-Lee (D,TX) all had questions about cybersecurity issues. Langevin questioned cybersecurity training (particularly in control rooms); Rice asked about cybersecurity standards in CFATS and Jackson-Lee announced that she would be introducing the Frank Lautenberg Chemical Facility Cybersecurity. No detailed responses were available from any of the panel members.


In an earlier set of blog posts I identified those items that I thought should be addressed in any legislation reauthorizing the CFATS program. Two of those posts are appropriate (in my opinion) responses to some of the questions raised today. Those include:

Best practices (IST); and

There are a couple of things that still need to be addressed here. First are Katko’s comments about the applicability of Chemical-Terrorism Vulnerability Information (CVI) requirements to first responders. ISCD has long maintained that first responders entering a facility in response to an actual emergency situation are not required to be CVI qualified; actual emergency response does not rely on access to CVI controlled information. Emergency planning is something else entirely. There are requirements (§7.02) outlined in the CVI Guidance manual for providing access to CVI information to State and local officials, including emergency response planners. That guidance ends by explaining:

“State, local, and tribal officials, including first responders, must have access to any information that is necessary to plan for and respond to an emergency event at a chemical facility [emphasis added]. It is equally important that this information is available in a form that is readily accessible and easily disseminated. Accordingly, to the extent possible, facilities should provide information to State, local and tribal entities in non-CVI form. In many cases, a facility can provide a product that contains all of the necessary operational and facility-specific information and excludes CVI.”

Katko also made a point that should be remembered by everyone involved in the CFATS reauthorization process: the CFATS regulations are not the only federal rules that require chemical companies to coordinate emergency response planning information with local authorities. Facilities could easily find the necessary information for emergency response planners in their already required information provided to local fire departments and Local Emergency Planning Committees (LEPCs).

There are some exceptions to the EPA reporting requirements that apply to CFATS facilities. Most of the chemicals that are on the DHS list of chemicals of interest (COI), the list that triggers CFATS reporting requirements, but not on the EPA’s Risk Management Program (RMP) list of covered chemicals are covered by CFATS because they can be used for preparing improvised explosives or improvised chemical weapons. While these chemicals are not generally as much of an off-site hazard as the RMP covered chemicals, the emergency response planning is more of a law enforcement issue than fire department response planning. This would make for some interesting information sharing requirements that are not specifically outlined in any existing regulations.

The other interesting thing that came out of this hearing was the new Committee interest in cybersecurity issues. Richmond’s Subcommittee should probably hold another hearing (maybe two) specifically about cybersecurity issues. This is going to be a complex set of issues and a wide variety of experts and stakeholders are going to have to be involved in the efforts to address it.

One thing that the Committee crafters are going to have to deal with in writing cybersecurity requirements is that the CFATS program is a risk-based program that prohibits DHS from requiring specific security measures. This is due to the recognition that each of the very wide variety of covered facilities (from a number of different chemical and non-chemical manufacturing facilities) requires differing security measures to protect against terrorist attacks. This remains true for the varying information and control system technologies that will be found in these facilities.

