HR 3256 Introduced – CFATS Reauthorization – Part 2

This is the second installment of a look at HR 3256 (note: an official copy of the bill is now available), the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019. The initial post was made on Sunday. The House Homeland Security Committee will markup this bill tomorrow and substitute language for the bill will be considered. Things are moving fast here.

New Sections Added

The substitute language is adding the following new sections:

§11. Review of tiering methodology.

§15. Voluntary program.

§16. Study on local emergency response capacity to respond to chemical security incidents.

§17. Previously approved facilities.

Changes to Previously Reported Provisions

The substitute language does change some of the provisions that I reported upon in my last post.

Section 4 of the bill is substantially changed. The new version removes the rewrite of paragraph (a) that I previously described. It also rewrites paragraph (b), but the new version (along with a small format change) revises the language on State and local government officials by clarifying that the information sharing will take place only “with respect to information on any chemical facility of interest within the jurisdiction of the official, but only if such information may not be disclosed pursuant to any State or local law” {new §623(b)(1)}. It also clarifies the information sharing with the new Chemical Security Advisory Committee will only be for the purposes of “conducting official duties and responsibilities as described in such section” {§623(b)(3)}.

Comment: These changes clearly protect the current Chemical-Terrorism Vulnerability Information (CVI) program.

No significant changes were made to the other two sections which I discussed. The remainder of this post will only deal with the provisions found in the substitute language that the Committee will markup tomorrow.

Chemical Security Advisory Committee

Section 7 of the bill would add a new section (§2110) to the Homeland Security Act of 2002 which would become (probably) 6 USC 630. The new section would require DHS to form the Chemical Security Advisory Committee. The new CSAC would consist of 12 members representing {new §630(b)(1)}:

• Industry;

• Academia;

• Labor;

• Emergency response providers;

• Local emergency planners;

• Environmental, community, or public health advocates, particularly for communities with high concentrations of covered chemical facilities; and

• Cybersecurity and information policy.

The purpose of the CSAC is broadly written; to “advise the Secretary on the implementation of this title” {§630(a)}. The only other operational guidance provided is the recommendation that the Committee “may establish subcommittees to assesses and recommend improvements to the risk tiering methodology for chemical facilities, the risk-based performance standards for chemical facilities, risk reduction strategies, and other aspects of the program under this title as the Secretary determines appropriate” {§630(c)}.

Comment: Other advisory committees have been very helpful to their Federal Agency in providing insight and technical support for policy development. One provision that is sometimes seen (particularly for DOT advisory committees) is a requirement for the Secretary to seek advice from the committee on all proposed rulemakings under the committee’s charter. That might be a useful addendum to this section.

Review of Tiering Methodology

I generally do not worry too much about mandated studies and reports to Congress in authorization bills, but I do want to briefly mention the provisions of §11 of this bill because of one of the requirement. This section would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to conduct a review of the current tiering methodology used by the Infrastructure Security Compliance Division (ISCD) to assess the relative risk of terrorist attack at a facility covered by the CFATS program. One of the items that the review is supposed to take into account is {§11(a)(1)(c)}:

The vulnerabilities of chemical facilities to cybersecurity threats, including the vulnerabilities of facilities’ information technology and operational technology and the implications on the potential for penetration of both the physical security and cybersecurity of facilities.

Comment: I generally applaud this idea, but it would pose some significant challenges to expand the Top Screen submission to provide adequate information for ISCD to properly asses this risk. What might be need to implement this would be to go back to the requirement to submit a security vulnerability assessment report to DHS prior to ISCD making a tiering decision. That is not, however, something that the lawmakers would necessarily want to consider in requiring this review and report.

COI Mixture Appeals

Section 14 of the revised bill would require DHS to establish “a process through which the Secretary can be petitioned to exclude a product or mixture” from consideration in the risk assessment process used to establish that a facility is a covered facility or to tier the facility. The only guidance provided on this process is that the information collected will not be subject to the requirements of 44 USC Chapter 35 (presumably the information collection requirements of §3507) or the Freedom of Information Act requirements.

This requirement supports a change made to §622 {a new paragraph (f)} by §3 of the bill. That new paragraph would authorize DHS to exclude a product or mixture from the Top Screen reporting requirements if DHS determines “determines that the product or mixture does not present a terrorism risk for which the chemical of interest contained within the product or mixture was included on Appendix A [COI list for 6 CFR 27]”.

Comment: The current mixture rules used by ISCD are very broadly written and almost certainly cause reporting of mixtures that do not pose the hazards associated with the underlying DHS Chemical of Interest. I am thinking primarily of flammable liquids; a mixture containing 2% of a flammable COI may not itself be flammable. The problem is that the way (f) is written this would affect Top Screen submissions. This would require additional access to the Chemical Security Assessment Tool prior to CVI training.

Moving Forward

This bill will probably amended further tomorrow, but it will certainly be adopted by the Committee. The only question is how much support it will receive from the Republicans. It looks to me that the Democrats have moderated their changes enough that there could be some support, or at least acquiescence by the part of the business community. This would allow some of the Republicans to vote in favor of the bill.

The main problem will be in the Senate. This bill will almost certainly not be considered in the Senate Homeland Security and Governmental Affairs Committee. Sen. Johnson (R,WI) will almost certainly introduce his own legislation and the Committee will consider that instead of this bill. The question will then be how the Senate leadership decides (if it decides) to proceed; it could bring Johnson’s bill to the floor and send it to the House for consideration, consider the House bill as passed, or (more likely) consider the House bill by substituting Johnson’s language.

I do not expect the Senate to take any action of CFATS authorization until just before the current expiration next year. And that may just take the form of another extension.