Earlier this month Sen. Johnson (R,WI) introduced S 3416, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2020. The bill would modify and reauthorize the Chemical Facility Anti-Terrorism Standards (CFATS) program for five years. While there are some similarities to S 3405, which Johnson introduced in the 115th Congress, it would not be fair to call this a re-write of that bill.
This is a complex bill that covers a wide variety of topics related to the CFATS program. Those topics include:
• Employee input regarding security measures.
• Strategy to improve cybersecurity and outreach to local emergency responders.
• Site security plan assessments.
• Expedited approval program.
• CFATS recognition program.
• Standards for auditors and inspectors.
• Personnel surety program.
• Security risk assessment approach and corresponding tiering methodology.
• Amendments relating to Appendix A of part 27 of title 6, USC
• Bidirectional information sharing platform.
• CFATS security harmonization waiver program.
Cybersecurity
Rather than eliminate CFATS coverage of cybersecurity issues, as was initially proposed in S 3405, §6 of the bill would require DHS to periodically (initially after 1 year and then every 2 years) publish “a strategy that includes the strategic and operational goals and priorities of the Department of Homeland Security for covered chemical facilities to improve the cybersecurity of covered chemical facilities” {§6(a)}. That strategy would include an assessment of cybersecurity threats to {§6(b)(1)}:
• The information technology or operational technology affecting the security risk of a chemical of interest of the covered chemical facility;
• Processes and operations relating to a chemical of interest (COI); and
• Security measures of the covered chemical facility relating to a COI.
The strategy would also include “processes for periodic
mitigation of (the) security vulnerabilities” {§6(b)(2)} affecting those areas listed
above.
Additionally, §3 of the bill would amend the stated purpose of the CFATS program in 6 USC 622 to specifically include cybersecurity. Paragraph (a)(2)(C) would be amended to read:
(C) establish risk-based performance standards designed to eliminate or mitigate physical, cybersecurity, and hybrid physical-cybersecurity vulnerabilities in order to address high levels of security risk at covered chemical facilities; and
Cybersecurity Definitions
Section 2 of the bill would add two new cybersecurity-related definitions to 6 USC 621: ‘hybrid physical-cybersecurity vulnerability’ and ‘security vulnerability assessment’.
The term ‘hybrid physical-cybersecurity vulnerability’ is
defined as “a vulnerability in the security of a covered chemical facility that
relates to the combination of the physical operations and cybersecurity
operations of the covered chemical facility” {new §621(10)(A)}. It would also
include a vulnerability of a covered chemical facility to {new §621(10)(B)}:
• A physical threat to a cybersecurity operation affecting the chemical of interest of the covered chemical facility; or
• A cybersecurity threat to a physical operation of the covered chemical facility.
The second term, ‘security vulnerability assessment’, is
defined as an assessment of the vulnerabilities of a covered chemical facility
to physical threats and cybersecurity threats to the information technology or
operational technology of the covered chemical facility as those technologies
relate to {new §621(12)(ii)}:
• A chemical of interest;
• An operation involving a chemical of interest; or
• A security measure of the covered chemical facility.
Moving Forward
Johnson is the Chair of the Senate Homeland Security and Governmental Affairs Committee, to which this bill was assigned for consideration. Typically, that would ensure that the bill receives consideration by that Committee. The bill was initially listed on the agenda for the Business Meeting that occurred right after the bill was introduced, but it was removed from the agenda shortly thereafter. I discussed this in some detail in my earlier post about that hearing.
I will be very surprised if this bill does get considered in Committee. While it looks like Johnson has made several attempts to address the concerns of Democrats in this bill (more on those in subsequent posts), there are still changes that the opposition party would like to see made in this bill. If the bill is brought up, I would expect to see substitute language offered by Johnson to address at least some of those concerns.
As I mentioned earlier, the only way that this bill is going to make it to the floor of the Senate is for it to be considered under the Senate’s unanimous consent process. A single Senator can stop that process by objecting, and those objections need not have anything to do with the provisions of the bill. This has been a contentious session of Congress and the COVID-19 epidemic is not making it any less so.
The introduction of S 3506 (the language for which is still not available) by Sen. Lankford (R,OK), a Subcommittee Chair on the Homeland Security and Governmental Affairs Committee, is, it seems to me, a clear recognition that S 3416 will not move forward.
Commentary
While I do not think that this bill will move forward, I
will still be making additional posts about the provisions of this bill as it
is an interesting look at the changes in Johnson’s outlook on the CFATS
program.
The cybersecurity provisions are an important case in point. First off, Johnson has made a complete turnaround from last session on his support for cybersecurity coverage in the Program. Where he was prepared to eliminate cybersecurity coverage, he is now making it a key point in the purpose and scope of the program. Nothing in this bill would directly require a change in the current cybersecurity processes in the CFATS program or in individual site security plans, but it does specifically require DHS to take a hard look at those processes and security measures and to periodically re-address them in the future.
Second, Johnson’s emphasis on cybersecurity in this CFATS
reauthorization bill (and in fact, the actual publication of the bill at all)
is a direct slap at the President’s attempt
to deauthorize the CFATS program and use its inspectors as additional Protective
Security Advisors. If there were any thought that Congress was going to go
along with this eradication of the CFATS program, this bill is certainly a
clear sign that it is not going to happen without a fight.
The one odd thing about the ‘new’ cybersecurity review requirements under §6 is the conspicuous absence of the Cybersecurity and Infrastructure Security Agency (CISA). While the program currently sits under the ‘infrastructure security’ wing of the Agency, the bill keeps referring to the ‘Secretary’ as the responsible party for effecting changes in the program. I thought that the whole purpose of elevating the old NPPD to Agency status was to raise the status and level of responsibility of the newly crowned Director.
I am particularly happy to see Johnson acknowledge that there are three components to cybersecurity at chemical facilities: IT security, OT security and what might be called ‘security security’, the cybersecurity of facility security controls. While there are certainly those in the control system security field who will object to the use of ‘operational technology’ to describe the full gamut of the control system security realm, it is important to note that Johnson (not a techy) is apparently using the undefined term in the broadest sense. And I like the way that he spells out the dual importance of the physical security of cybersecurity controls and the cybersecurity of physical security controls.
There is a lot of interesting stuff in this bill, and it is
a shame that the effort currently appears to have been wasted.