Last week the Government Accountability Office (GAO) published their latest report on the Chemical Facility Anti-Terrorism Standards (CFATS) program. This report looks at how the CFATS program interacts with eight other Federal chemical safety and security programs at both the Agency and installation levels. Includes recommendation to legislate additional chemical security requirements for water treatment facilities.
Other Programs
The report looks at how much of an overlap there is in security requirements between the CFATS program and eight other Federal regulatory programs. Those programs are:
• Explosives materials Program (ATF),
• Maritime Transportation Security
Act program (Coast Guard),
• Hazardous materials transportation
program (DOT),
• Resource Conservation and
Recovery Act program (EPA),
• Risk Management Program (EPA),
• America’s Water Infrastructure Act
program (EPA),
• Pipeline Security Program (TSA),
and
• Rail Security program (TSA)
Using a very broad (and loosely defined as “engage in similar activities") term ‘align’ the GAO reports that all eight programs align with “six of 18 CFATS standards regarding restricting area perimeter; securing site assets; screening and controlling access; deterring, detecting, and delaying an attack; deterring theft and diversion, and deterring insider sabotage” {pg 21, using .PDF page numbers}. A table spanning three pages outlines which CFATS risk-based performance standards (RBPS) each of the Federal programs align with.
What is clear from a detailed reading of the report is that GAO, in looking for alignment, was looking for areas where regulatory compliance with another program could be used, at least in part, to comply with CFATS security plan requirements under the RBPS. While the GAO admits that some program coordination has taken place under the EO 13650 Working Group (see their lite web page) it takes DHS to task for not continuing to work on clarifying where compliance with other programs fits into CFATS compliance. The first GAO recommendation addresses this:
“The Secretary of DHS should direct its chemical safety and security programs to collaborate with partners and establish an iterative and ongoing process to identify the extent to which CFATS-regulated facilities are also covered by other programs with requirements or guidance that generally align with some CFATS standards.” {pg 53}
More specifically, recommendation five goes on to say:
“The Director of DHS’s Cybersecurity and Infrastructure Security Agency should update CFATS program guidance or fact sheets to include a list of commonly accepted actions facilities may have taken and information they may have prepared pursuant to other federal programs, and disseminate this information.” {pg 54}
Further recommendations are made to EPA, ATF and DOT to look at how their programs interface with the CFATS program.
DHS concurred with both of the above recommendations and had this specific response to recommendation five:
“DHS concurred with recommendation 5, stating in its letter that, among other actions, CISA will update or create a new guidance document or fact sheet by December 31, 2021, that includes a list of commonly accepted actions CFATS-regulated facilities may have taken and information they may have prepared pursuant to other federal programs and disseminate this information.” {pg 56}
Water Treatment Facility Security
This report states that water treatment and wastewater treatment facilities that are exempt from the coverage of the CFATS program “may present attractive terrorist targets due to their large stores of potentially high-risk chemicals and their proximities to population centers” {pg 47}. They go on to note that an earlier report “found that the Risk Management Program regulates at least 1,100 public water system and 500 wastewater treatment works facilities for many of the same chemicals at the same threshold quantities as the CFATS program’s chemical release attack scenario” {pgs 47-8}.
There are significant differences in the security aligned requirements of both the Risk Management Program and Water Infrastructure Act programs, and the CFATS program. “For example, the Risk Management Program and Water Infrastructure Act programs do not contain requirements or guidance regarding security training or background checks. In addition, while the Water Infrastructure Act program contains guidance on cybersecurity, the Risk Management Program does not.” {pg 48}
Water treatment facilities are also subject to the voluntary security guidelines of the American Water Works Association’s security practices management standard. They go on to note that EPA program officials reported that “the voluntary water and wastewater standards are not as comprehensive as the CFATS program’s 18 standards, and it is unclear the extent to which public water systems and wastewater treatment works implement the standard because its use is entirely voluntary” {pg 50}. Further, the report notes that DHS officials stated that “the general alignment of Water Infrastructure Act requirements or guidance with some CFATS standards may not reflect the level of security achieved because, unlike the CFATS program, the Water Infrastructure Act program does not include verification measures” {pg 51}.
The GAO makes two similar recommendations (#6 and #7) to DHS and the EPA about working with the other agency to “to assess the extent to which potential security gaps exist at water and wastewater facilities and, if gaps exist, develop a legislative proposal for how best to address them and submit it to the Secretary of Homeland Security and Administrator of EPA, and Congress, as appropriate” {pg 54}.
Commentary
The Working Group formed under Obama’s chemical safety and security executive order kind of faded away during the Trump administration. There was certainly some ongoing coordination there was no incentive (and many political disincentives) to forge any new regulatory efforts. This is very likely to change under the Biden Administration, though it will not likely be a top priority. Congressional efforts, if the two committees in the House can better their coordination, may be more persuasive.
The one CFATS legislative initiative that I think may be
possible this session may be the introduction of bills to address the water facility
security issue. The chance of their passage is still rather small given the
CFATS three-year extension passed last year, but significant committee work and
hearings this session may bear fruit in the 118th Congress.
No comments:
Post a Comment