The DHS Cybersecurity and Infrastructure Security Agency
published a notice in Monday’s (available online yesterday) Federal Register
(85 FR 37393-37394) announcing the
availability of the “Retrospective Analysis of the 2007 Chemical Facility
Anti-Terrorism Standards” for public review and comment. The review looks at
the estimated costs of the CFATS program as identified in the 2006 rulemaking that
established the program and the actual costs that were incurred by facilities
in the first ten years of the program.
The notice makes the point that:
“The retrospective analysis updates
cost estimates from the 2007
CFATS IFR [link added] with new estimates based on data observed from the
implementation and operation of CFATS over the last decade. CISA intends to use
the retrospective analysis: (1) To improve the accuracy of cost estimates
incurred by regulated facilities since 2007; (2) as a basis for future
regulatory changes to the CFATS program; and (3) to perform cumulative impact
analysis on the full costs of the program as it evolves.”
CISA is soliciting public comment on this document. Comments
may be submitted via the Federal eRulemaking Portal (www.regulations.gov; Docket #DHS-2014-0016).
Comments should be submitted by September 21st, 2019. Note: this is
the 2014 CFATS advanced notice of proposed rulemaking docket.
Commentary
This is another detailed and informative product from the
CFATS folks. Well worth the read for anyone involved in the program or
interested in critical facility security in any form.
The important thing here is that CISA has gone back and questioned
the regulatory assumptions made before the program was started. Those of us who
have watched this program since its inception know that DHS was starting a
unique security program with little knowledge about the scope of industries
that would ultimately be covered or the initial security level of the
facilities to be regulated.
What makes this assessment possible is the online Chemical
Security Assessment Tool (CSAT) and the database (CHEMSEC) where the data from
that tool is collected. The use of CSAT is nothing short of a regulatory
revolution. Each potentially covered facility provides CISA with extensive
information on their inventories of DHS chemicals of interest (COI) as well as
information about their neighbors, local law enforcement and first responders.
This information, along with the details about security measures employed at all
covered facilities, allows CISA to provide an unprecedentedly detailed
estimate of the actual cost of the regulatory program.
After a quick overview of the document, it would seem to me
that there are two areas where the CSAT information is lacking about costs of
the program. The first is the cost of outside security expertise. While the
largest chemical companies certainly have the in-house security expertise
available to assess, plan and execute an effective CFATS security program, the
same cannot be said for perhaps most covered facilities. CISA needs to consider
how it should assess the extent to which consultants and other outside security expertise
have been used in support of covered CFATS facilities and the costs associated with
that support. I do not think that those costs will have any serious impact on
the overall assessment of the cost of the program, but it should still be
examined.
The other area that is apparently short-changed in this assessment
is the cost of cybersecurity measures. While the purchase of specific
cybersecurity hardware would certainly be included in the list of planned
security measures that CISA used to assess new security costs, most of the
costs of improving cybersecurity would not be going into hardware. Again, for
the majority of facilities, outside consultants, integrators and programmers
would be doing the bulk of the work in upgrading cybersecurity tools, processes
and equipment. I suspect that the universe of CFATS facilities using outside
cybersecurity resources would probably be larger than those just using outside physical
security expertise. Again, CISA needs to consider how it would capture these
costs.
I fully encourage all past and present covered CFATS
facilities, as well as the consultants, integrators and suppliers that have
supported CFATS facilities for the last 14 years, to take a close, critical look
at this document and to provide an appropriate assessment to CISA, especially
if CISA got anything dramatically wrong in their assessment process. Remember,
if the cost of the program is substantially lower than originally estimated, it
would be much easier for Congress to consider expanding the coverage of the facility
to more facilities.