CFATS – Should We Get Rid of 7 RBPS’s?

After writing this week’s review of comments submitted to the CFATS Explosive Removal ANPRM I have been thinking hard about the potential consequences of this ANPRM moving forward. As I continue considering the implications, I think I may be changing my mind about my support for the ANPRM.

General Justification

From the perspective of the 24 facilities that CISA says will be favorably impacted by removing the Division 1.1 chemicals from the Appendix A list of DHS chemicals of interest, support for this rulemaking is easy to justify. They will no longer have to maintain all of the security measures that they put into place for the Chemical Facility Anti-Terrorism Standards (CFATS) site security plans. This will save them significant amounts of money and the time and effort necessary to keep up with the administrative aspects of the program. Easy, peasy.

CISA justifies this deregulatory action by stating that the rules the security and safety rules that the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) has in place has ensured that no facility has been placed in the CFATS program for simply for possession of these 49 explosives as a release-security issue. The 24 facilities in the program for just having these explosives on site as a theft/diversion security issue would similarly be adequately protected by those same safety and security measures. Sounds good, but wait.

ATF Generally Aligns with CFATS

Now, all of the recent posts supporting the rulemaking as part of an apparent letter-writing campaign have referenced the same Government Accounting Office report that they claim states that the CFATS program duplicates the BATFE regulations. As I noted in Saturday’s post, that is not what the report actually says.

“ATF’s explosive materials program and TSA’s rail security program contain requirements or guidance that generally align with 11 of 18 CFATS standards.” (pg 21 – .PDF page #)

Now, the key phrase is ‘generally align with’. According to the report (earlier in the same paragraph) that means that they “engage in similar activities”. Later in the report (pg 27) they provide an example of what this means in practice:

“For example, both programs require restricted areas to be secured. Under CFATS, facilities must secure and monitor restricted areas or potentially critical targets within a facility. Security measures may include, for example, physical barriers, guard forces, or intrusion-detection systems. Similarly, ATF requires explosives to be secured. According to ATF, its regulations focus solely on where explosives are stored, rather than the entire facility. In general, ATF requires that its licensees and permittees secure all explosive materials in locked structures meeting ATF-specified criteria.”

If the ATF security rules are adequate for the explosives covered in this rulemaking, would they also not be adequate for all of the other CFATS theft/diversion chemicals of interest? Why should a facility have to pay the cost for the additional security requirements outlined in the CFATS program when cheaper ATF are adequate?

ATF Does Not Address 7 Different RBPS Standards

But remember, the ATF regulations only “generally align with 11 of 18 CFATS standards”. That leaves 7 different risk-based performance standards (RBPS) that the ATF safety and security rules do not address. They are listed on pages 23 thru 26 of the report:

• RBPS #8 – Deter cyber sabotage,

• RBPS #9 – Develop and exercise an emergency response plan,

• RBPS #10 – Maintain effective monitoring, communications, and warning systems,

• RBPS #11 – Ensure proper security training,

• RBPS #13 – Escalate the level of protective measures for periods of elevated threat,

• RBPS #14 – Address specific threats, vulnerabilities or risks, and

• RBPS #17 – Establish officials and an organization responsible for security

Again, if the ATF safety/security program provides adequate security for the Division 1.1 explosives without addressing these seven RBPS, why should any other facility in the program have to comply with these requirements?

Lack of Cybersecurity is Acceptable?

I find it odd in this day and age that the ATF security rules do not address cybersecurity concerns. But what cybersecurity are we really worried about with facilities that store/use the explosives rather than manufacture them? Well, there are two types of cyber systems that a facility that only possesses theft/diversion chemicals would expect to be covered under their site security plan, access control system and the order/delivery systems that route and record sales of the covered chemicals.

Systems that monitor and/or control access to the portions of the facility where covered chemicals or explosives are stored could be a primary target of any adversary that was trying to get unauthorized access to those items. Why wouldn’t these systems have to be protected by adequate cybersecurity? But the ATF does not think that the security of these systems should be regulated (or maybe they were just not given authority to regulate those systems)?

Both the ATF and CISA want their covered facilities to ensure that the facilities vet their customers before delivering chemical/explosives to them. Where that vetting, or more importantly the record of that vetting, is checked on an electronic order approval system, CISA will demand that a CFATS covered facility address the cybersecurity of that system in their site security plan.

How could an adequate security program not address the cybersecurity of these systems? According to this rulemaking, CISA accepts that the lack of cybersecurity in the ATF programs does not affect the adequacy of those security systems. Why then should any other CFATS covered facility be required to address those cybersecurity concerns.

More Comments Coming

We have one more week before the comment period on this ANPRM closes. I will be watching the comment submissions closely over the next week. If I do not see anything that addresses these concerns in that time, I will be submitting a copy of this blog post as a second comment. I think that CISA needs to address these concerns before this rulemaking moves forward to the next stage.