Michael Kennedy has an interesting blog
post about the recent passage
of S 4148, extending the current CFATS program through July 27, 2023. He has
been hip-deep in the reauthorization/extension process, and his insights are invaluable.
As my readers would expect, I will add my two cents' worth.
Missed Opportunity
Any program, even one as lately successful as the Chemical
Facility Anti-Terrorism Standards (CFATS) program, has room for improvement.
This is the value of the congressional authorization process. It provides a
chance for legislators to take a look at a program: to see what it has
accomplished, where it is going and, most importantly, what improvements are
needed. Large and important programs like national defense need an annual
review and adjustment process like the must-pass National Defense Authorization
Act. Smaller programs with more limited impact need to be reviewed less often,
every three to five years.
In 2014 the CFATS program was reauthorized for five years.
Changes were made to the program. Some were successful and others were less so.
As Kennedy points out in his valuable CFATS reauthorization timeline, Congress
tried unsuccessfully in 2018 to put together a reauthorization package.
Interestingly the House and Senate were not nearly as far apart as they had
been in the early years of the program, so the one-year extension passed in the
closing days of the 115th Congress looked like it should provide enough
time to put a compromise package together.
Unfortunately, neither HR 3256 nor S 3416 made it to the floor of their
respective bodies, much less to the ‘other house’, for consideration. Instead,
a couple of short-term extensions were enacted, and then Congress kicked the
can down the road to the 118th Congress. Unfortunately, the new deadline, while
early enough in the session to avoid election fever, is almost too early in the
session for potentially new committee leadership to craft bills and force them
through the subcommittee and committee hearing process.
Expedited Approval Process
I do have to take exception to one of the points that
Michael made in his blog post. He suggested that Congress could have: “Eliminated
the Expedited Approval Process, which was rarely used.” First, the program was ‘rarely
used’ (initially just a couple of facilities) because the program was added when
most facilities were almost through the site security plan approval process,
with most of the hard work already having been done. If the program had come
out two years earlier, I suspect that there would have been more facilities
using the EAP.
But even if no facilities had ever actually used the EAP,
keeping the program available would have one great benefit: it outlines in
significant detail what facilities can do to meet the requirements of the Risk
Based Performance Standards (RBPS). The current RBPS
Guidance document is substantially deficient in this regard. This is due
to DHS, in 2008/2009 when the document was written, bending over backwards to
ensure that they could not be accused of trying to mandate security measures, a
congressional prohibition in the original §550 authorization language.
For Tier 3 and 4 facilities the EAP guidance outlines in some
detail what security measures facilities must employ to implement a site
security plan under that program. Facilities looking at potential costs of
introducing their first DHS chemical of interest to a facility can use the EAP
security guidance to estimate the security costs associated with that
introduction. There is nothing in the RBPS Guidance that provides the same
level of surety.
In the Meantime
The folks at the CISA Infrastructure Security Compliance
Division (ISCD) can take a deep breath now; their program will continue for
another three years. They have successfully scaled up the Personnel Surety Program
to include Tier 3 and Tier 4 facilities, continued to expand their outreach
efforts, and adapted to the COVID-19 enforcement environment. What new initiatives
can we expect to see ISCD undertake in the absence of new congressional
mandates?
First and foremost, I think, should be a rewrite of the RBPS
Guidance document. It is currently over 10 years old, and the GAO
has already identified (and CISA acknowledged) deficiencies in the cybersecurity
portions of the document. That, plus outdated references to the old
color-coded federal terrorism alert system, makes this document ripe for a
rewrite.
At this point a new feature should be added to the Guidance
document: a listing of innovative techniques that companies have successfully
employed to meet the RBPS standards for their site security plans. This type of
information (including a modality for updating the list periodically as new
information becomes available) could help to spread security innovation throughout
the program.
The second thing that should be addressed is the 2014
advance notice of proposed rulemaking (ANPRM). With no new program
mandates from Congress, ISCD should be able to move this rulemaking effort to
the next stage, a notice of proposed rulemaking (NPRM). There have yet to be
any changes made to the CFATS regulation (6 CFR Part 27) based upon the
requirements of the 2014 reauthorization bill, and the ANPRM identified some interesting
potential changes.
One thing that certainly needs to be addressed is the set of
problems with the current mixture rules. Some of these have been addressed
in an ad hoc manner via a 2019
letter concerning a limited number of products containing sodium chlorate.
I discussed
this issue in some detail. The CFATS regulations should include some process
under which facilities could request, and ISCD would evaluate, whether specific mixtures
and/or products could be exempted from Top Screen reporting requirements.
Finally, I think that ISCD should consider making public
the guidance documents that they provide to chemical security inspectors that
are designed to ensure equivalent enforcement processes are used around the
country.