Tuesday, April 30, 2019

Eliminating CVI in CFATS Reauthorization Bill?

I am hearing rumors that a CFATS reauthorization bill currently being drafted might include provisions that would eliminate the Chemical-Terrorism Vulnerability Information (CVI) program from the Chemical Facility Anti-Terrorism Standards (CFATS) program. The CVI program is authorized under 6 USC 623 and regulated under 6 CFR 27.400 and a detailed guidance document here. The CVI program protects security information about facilities in the CFATS program from public disclosure.

There have been complaints in Congress over the years that the presence of the CVI program interferes with facilities sharing information with emergency responders. Not having seen the specific wording of possible CVI removal provisions, I can only suppose that these provisions would be an attempt by congressional staffers to remove such impediments to information sharing.

CVI Background

The CVI program is one of the most unusual Controlled Unclassified Information (CUI) programs in the Federal government. Most CUI programs limit the Federal Government’s sharing of information provided to the government by the private sector or developed in house by government agencies. The CVI program, on the other hand, requires both the covered private sector organizations and the government to protect the covered information regardless of who initiates the information.

Information developed by covered facilities that is considered to be CVI (and thus protected from disclosure) includes all submissions made by the facility to DHS through the CFATS Chemical Security Assessment Tool (CSAT), copies of security vulnerability assessments and site security plans, and the working papers supporting those documents. Certain of those supporting documents are exempted from CVI classification; specifically, any records that are required to be maintained by other regulatory programs including chemical inventory information and emergency response plans are exempted from CVI protections.

Disclosures of CVI information can only be made to personnel who have received CVI Certification and have a verified ‘need-to-know’ the specific information. The ‘need-to-know’ requirements are outlined in §27.400(e) and specifically includes State and local officials.

CVI and Emergency Response Planning

Emergency response planning for chemical releases is covered briefly in the CFATS regulations as part of the Risk-Based Performance Standard #9 {§27.230(a)(9)}, but both the regulation and the CFATS RBPS Guidance document make it clear that those requirements are only response plans for security breaches, not accidental chemical releases. Even then, the CFATS planning process envisions inclusion of law enforcement personnel in preventing the attack or arresting the perpetrators, NOT fire or emergency medical technicians responding to the affects of the potential attack. That chemical emergency response is already covered under EPA regulations.

Law enforcement personnel working with facility personnel to develop security response plans at a CFATS covered facility would be expected to be covered by CVI rules including CVI training and certification requirements. Emergency medical technicians and fire fighters participating in planning for chemical releases (either accidental or deliberate) would be covered under the EPA regulations and would not require CVI clearances.

Members of a Local Emergency Response Committee (LEPC) would not require CVI certification to receive chemical inventory data from local chemical facilities covered by the CFATS program because the LEPC notification requirements are covered under the EPA regulations and are exempted from CVI classification {§27.405(1)}.

Continued Need for a CVI Process

The purpose of the CVI program is to ensure that critical security information about a CFATS covered facility is not made publicly known and thus become available to nefarious personnel who could use that information in the planning and execution of an attack on a chemical facility. The mere knowledge of the existence of an inventory of items on the DHS chemicals of interest (COI) list is not critical safety information. That information is generally already publicly available through the EPA (a discussion of the EPA’s limiting of the sharing of that information is an entirely separate topic).

I suppose that the CVI program could be replaced with another of the existing CUI programs, probably the DHS Protected Critical Infrastructure Information (PCII) program. That would also protect the information originating at the facility level from disclosure by Federal, State and local governments. What it would not do, however, is to establish standards for facility personnel to protect the required information. Without information protection requirements like those in the CVI program, it would be easy enough for attackers to get the information that terrorists need to circumvent the security procedures at CFATS covered facilities.

Rather than abolishing the CVI program, Congress might want to make clear that certain information will be freely shared with LEPCs, local law enforcement, fire departments and hospitals. Last year I suggested language for that information sharing that operates within the bounds of the CVI program. This would be in addition to any information sharing already required between facilities and LEPCs and fire departments by EPA regulations.

No comments:

/* Use this with templates/template-twocol.html */