Thursday, October 10, 2019

CISA Updates Chemical Security Pages – 10-09-19

Yesterday the DHS Cybersecurity and Infrastructure Security Agency (CISA) continued their on-going process of brand updating various web sites affecting chemical sector security. The changes made yesterday included the addition of some new pages and updates on information on other pages.

The two main pages updated (including new URLs) were:

NOTE 1: CISA continues to have problems with dating their web pages. Most web pages do not have dates of last changes; this makes it hard to keep up with changes on the web sites. Other sites have dates but they are not accurate; for example the Chemical Security page was dated for today and was live yesterday.

NOTE 2: If you save .PDF copies of the web pages (as I do), CISA has made some changes that will affect that effort. The old pages automatically expanded the ‘hidden’ information, the pages do not. You have to manually ‘expand all’ before saving the page in order to see that information on the .PDF document.

The new pages (at least I have not seen them before) are found associated with the Chemical Security page. They include:


The CFATS landing page is reformatted, but most of the same information and links remain. One odd (and rather inconsequential) bit of information was removed from the new page. Under the ‘CFATS Monthly Statistics’ header the following paragraph was removed, and the remaining two paragraphs were combined into one:

“After the Top-Screen submission, facilities determined to be high-risk and tiered go through the process of authorization and approval. These high-risk facilities are divided into four tiers (/cfats-tiering-methodology) , with Tier 1 facilities posing the highest security risk.”

As best I can tell (I did not click on all of the supporting pages, there are too many and not enough time), all of the linked pages on the landing page have been reformatted to the format; this includes new links for all of the pages. The old pages appear to remain available, but there is no telling for how long those links will work or if they will automatically re-link to the new pages. If you are maintaining a URL link file, you will certainly want to update it.

There are only two pages that I have found to contain new information:

Neither of the old links to these sites go to the new information. I suspect that this is a harbinger of the way CISA will be treating all of the old links.

Monthly Statistics

The Infrastructure Security Compliance Division stopped updating the Monthly Statistics page after posting the July information. Long-time readers of this blog will note that I stopped covering the monthly updates a bit earlier than that (March). I keep looking at the information, but it is hard to come up with new words each month to report the new numbers and apparently no one notice (or at least did not complain about) the fact that I stopped the reporting.

The new page does provide updated information through September. The two tables below show the data from July (for June) and the most recent data.

CFATS Activities
June 2019
Sept 2019
Authorization Inspections to Date
Authorization Inspections Month
Compliance Inspections to Date
Compliance Inspections Month
Compliance Assistance Visits to Date
Compliance Assistance Visits Month

CFATS Facility Status
June 2019
Sept 2019

The gap in data points between June and September is going to make continued statistical analysis of the reported data very difficult, so I will stop trying; it is not worth the effort especially with all of the information that ISCD cannot or will not provide in their reporting. Hopefully, the GAO will have access to the missing data for their own internal analysis for their annual reports to Congress.

Advisory Opinions

Back in October 2016 ISCD added a new page to its CFATS web site; Advisory Opinions. The idea was not new, PHMSA had published such a page years earlier, but it did provide a new way for ISCD to share information about how it was interpreting the CFATS rules and regulations. Unfortunately, once those first three advisories were published, ISCD stopped adding new advisories. Until yesterday; the new page provides a link to CFATS Advisory Opinion 2019-001, discussing ‘Top-Screen Reporting of Theft/Diversion EXP/IEDP Mixtures’.
The advisory notes that:

“Read together, Appendix A and 6 C.F.R. § 27.204(b)(3) require that any mixture containing the COI at the minimum concentration specified must be reported should the facility possess the screening threshold quantity of that total mixture. Reporting of the mixture is required notwithstanding the fact that the exact name of the mixture does not appear on Appendix A with its own unique entry”

It then goes on to provide what is probably the most important part of the advisory; the specific example that almost certainly caused the original question to be asked:

“As one example, Appendix A does not explicitly list Calcium Ammonium Nitrate (CAN) as a COI. Appendix A does, however, list solid ammonium nitrate, the primary component of CAN for the security issue of Theft – EXP/IEDP. Appendix A provides  that a chemical facility of interest must report a mixture of solid AN if the mixture contains the minimum concentration of 33% AN and the facility possesses the screening threshold quantity of 2,000 pounds. Most formulations of CAN available in commerce meet or exceed the 33% minimum concentration of AN and therefore the majority of CAN formulations would be reportable if they are solid AN and the facility possesses the screening threshold quantity of 2,000 pounds.

CAN has some slightly different agricultural applications than ammonium nitrate (AN), but its use has expanded where AN has been banned because of it’s use in improvised explosive devices. CAN has to be converted to AN to be used in IED’s, but that still makes it an IED precursor which is certainly a concern under the intended purpose of the CFATS program.

No comments:

/* Use this with templates/template-twocol.html */