I am hearing rumors that a CFATS reauthorization bill
currently being drafted might include provisions that would eliminate the
Chemical-Terrorism Vulnerability Information (CVI) program from the Chemical
Facility Anti-Terrorism Standards (CFATS) program. The CVI program is
authorized under 6
USC 623 and regulated under 6
CFR 27.400 and a detailed guidance
document here. The CVI program protects security information about
facilities in the CFATS program from public disclosure.
There have been complaints in Congress over the years that
the presence of the CVI program interferes with facilities sharing information
with emergency responders. Not having seen the specific wording of possible CVI
removal provisions, I can only suppose that these provisions would be an
attempt by congressional staffers to remove such impediments to information
sharing.
CVI Background
The CVI program is one of the most unusual Controlled
Unclassified Information (CUI) programs in the Federal government. Most CUI
programs limit the Federal Government’s sharing of information provided to the
government by the private sector or developed in house by government agencies.
The CVI program, on the other hand, requires both the covered private sector
organizations and the government to protect the covered information regardless
of who initiates the information.
Information developed by covered facilities that is
considered to be CVI (and thus protected from disclosure) includes all
submissions made by the facility to DHS through the CFATS Chemical Security
Assessment Tool (CSAT), copies of security vulnerability assessments and site
security plans, and the working papers supporting those documents. Certain of
those supporting documents are exempted from CVI classification; specifically,
any records that are required to be maintained by other regulatory programs
including chemical inventory information and emergency response plans are exempted
from CVI protections.
Disclosures of CVI information can only be made to personnel
who have received CVI Certification
and have a verified ‘need-to-know’ the specific information. The ‘need-to-know’
requirements are outlined in §27.400(e)
and specifically includes State and local officials.
CVI and Emergency Response Planning
Emergency response planning for chemical releases is covered
briefly in the CFATS regulations as
part of the Risk-Based Performance Standard #9 {§27.230(a)(9)},
but both the regulation and the CFATS RBPS
Guidance document make it clear that those requirements are only response
plans for security breaches, not accidental chemical releases. Even then, the CFATS
planning process envisions inclusion of law enforcement personnel in preventing
the attack or arresting the perpetrators, NOT fire or emergency medical
technicians responding to the affects of the potential attack. That chemical
emergency response is already covered under EPA regulations.
Law
enforcement personnel working with facility personnel to develop security
response plans at a CFATS covered facility would be expected to be covered by CVI
rules including CVI training and certification requirements. Emergency medical
technicians and fire fighters participating in planning for chemical releases (either
accidental or deliberate) would be covered under the EPA regulations and would
not require CVI clearances.
Members
of a Local Emergency Response Committee (LEPC) would not require CVI
certification to receive chemical inventory data from local chemical facilities
covered by the CFATS program because the LEPC notification requirements are
covered under the EPA regulations and are exempted from CVI classification {§27.405(1)}.
Continued Need for a CVI Process
The purpose of the CVI program is to ensure that critical security
information about a CFATS covered facility is not made publicly known and thus
become available to nefarious personnel who could use that information in the
planning and execution of an attack on a chemical facility. The mere knowledge
of the existence of an inventory of items on the DHS chemicals of interest
(COI) list is not critical safety information. That information is generally already
publicly available through the EPA (a discussion of the EPA’s limiting of the
sharing of that information is an entirely separate topic).
I suppose that the CVI program could be replaced with
another of the existing CUI programs, probably the DHS Protected
Critical Infrastructure Information (PCII) program. That would also protect
the information originating at the facility level from disclosure by Federal, State
and local governments. What it would not do, however, is to establish standards
for facility personnel to protect the required information. Without information
protection requirements like those in the CVI program, it would be easy enough
for attackers to get the information that terrorists need to circumvent the
security procedures at CFATS covered facilities.
Rather than abolishing the CVI program, Congress might want
to make clear that certain information will be freely shared with LEPCs, local
law enforcement, fire departments and hospitals. Last year I
suggested language for that information sharing that operates within the
bounds of the CVI program. This would be in addition to any information sharing
already required between facilities and LEPCs and fire departments by EPA
regulations.