Committee Hearings – Week of 1-9-22

This week, with both the House and Senate meeting in Washington, there is a light hearing schedule. Most of the Senate hearings deal with confirmations. There is one cybersecurity hearing scheduled in the House.

Cybersecurity Hearing

On Tuesday the House Committee on Oversight and Reform will hold a hearing on “Cybersecurity for the New Frontier: Reforming the Federal Information Security Modernization Act”. The witness list includes:

• Gordo Bitko, Information Technology Industry Council (formerly CIO FBI),

• Jennifer Franks, GAO,

• Ross Nodurft, Alliance for Digital Innovation (formerly OMB Cybersecurity Team Chief),

• Grant Schneider, Vanable, (formerly NSC Cybersecurity Policy Director),

• Renee Wynn, RP Wynn Consulting LLC (formerly NASA CIO)

This hearing is about FISMA so it will contain little or no discussion about operation technology issues. It will, however, be the first chance for congresscritters to ask questions about the various log4j vulnerabilities (pg4) that are causing so many problems. It will be interesting to see how good the staff work is on Log4Shell by seeing how intelligent the questions are.

On the Floor

Lite schedule on the floor of the House this week. Interestingly, there are no scheduled bills to be considered under the suspension of the rules process. This may be due to the large number of  congressional Covid cases reported this weekend. The House is tightening down of Covid restrictions again. Unfortunately, no one is reporting on member or committee staffer infections, I suspect that those numbers are quite high.

Another Chemical Supply Issue Hitting Water Processing Facility

I ran into an interesting statement in an article over at NYTimes.com about a chemical supply issue for water treatment plants:

Orlando Mayor Buddy Dyer and utility officials asked residents to conserve water Friday to preserve the city’s supply of liquid oxygen, which is being used to treat a surging number of Covid-19 patients.

Digging into the linked article at OUC.com I confirmed that no one is treating COVID cases with liquid oxygen (at -297˚F that would be VERY dangerous) nor are they adding it to water in water treatment plants (even in Florida it would almost instantaneously freeze water and cause ‘explosions’ as the liquid O₂ was converted to gas). But it is a real supply chain problem.

Liquid oxygen is a cost-effective way of transporting oxygen gas; it takes up smaller transportation volume. Hospitals would receive liquid oxygen deliveries and on-site systems would allow it to heat up and convert to oxygen gas that would be used in ventilators and other oxygen breathing aids.

The liquid oxygen is used to create ozone (O₃) at the drinking water treatment plant. That ozone is then used to remove hydrogen sulfide (H₂S) by oxidation. Before folks became concerned about the storage of chlorine gas at water treatment facilities, the chlorine used for disinfection would also oxidize the hydrogen sulfide. It would also kill bacteria that produce the noxious gas in some systems.

The large increase in COVID required breathing assistance support in Florida and the southeast, is cutting into the supply of cryogenic oxygen. Just another supply chain issue that needs to be dealt with.

TSA Extends Surface Transport Security Training Rule Compliance Date Again

Yesterday the TSA published a final rule in the Federal Register (86 FR 23629-23633) amending their Security Training for Surface Transportation Employees rule which was published last year and amended similarly twice, in May 2020 and October 2020. Yesterday’s rule also extends two of the compliance dates in the amended rule. It also corrects what TSA is calling ‘citation errors’ in the original rule.

Extension Dates

First, the rule extends the compliance deadline in §1570.109(b) for security program submission from March 22, 2021, to June 21, 2021.

For owner/operators that have already submitted their security program to TSA (about 30% of the affected organizations), the rule provides an additional 90 days (15 months instead of 12 months) from the date of TSA approval to complete the initial training required by 49 CFR 1570.111(a)(1).

Citation Errors

The first error being corrected is in §1570.203(a). TSA is (as it described in the preamble to the original rule) specifically adding bus operations of a public transportation owner/operator and OTRB owner/operator that are required to provide security training under the rule to the “reporting significant security concerns” requirements of §1570.203(a).

Secondly, the rule addresses an incorrect citation in §1582.101(c). It changes “described in §1580.301” to read “described in § 1580.101”.

Finally, again in §1582.101(c), it changes “paragraph (a)(1) or (a)(2)” to read “paragraph (a) or (b)”.

Effective Date

This direct final rule became effective yesterday, May 4^th, 2021.

CFATS Post-Pandemic

We are getting close to the end of the COVID-19 Pandemic and all of the changes that it has wrought on the world in general and the Chemical Facility Anti-Terrorism Standards (CFATS) program in particular. What will that brave new world look like?

The End of the Pandemic

It is unlikely that the pandemic will just stop being. We are likely to see a continuing loosening of restrictions as more people get completely vaccinated. We already see a gradual decline in the vaccination rate, and it is becoming clear that we will have a relatively large segment of the population that will not accept a free vaccination for a variety of reasons.

At this point it is not clear if that anti-vax sentiment will prevent the country from reaching ‘herd immunity’. That is the point where the rapid spread of COVID-19 would no longer be possible because the likelihood of an unprotected person coming in contact with an infected person is low enough that most cases will not result in another person becoming infected.

Scientists still do not know enough about the COVID virus to be able to give us (and more importantly the government) a firm figure about how many people have to be protected (either by vaccine or previous infection) to be able to declare the pandemic over. And making the problem even more difficult the ongoing mutation of the virus is going to continue to produce new strains that will inevitably have an effect on the transmissibility of the bug. The more transmissible, the larger number of people that will have to be protected before herd immunity could be declared.

The End and CFATS

The managers for the CFATS program did not really put an awful lot of changes in place because of the pandemic. They did modify their compliance inspection regime somewhat, including adding a remove audit process. Other than that, there were not any other real programmatic changes to the CFATS process. I expect that at some point we will see the Office for Chemical Security (OCS) announce that those inspection regime changes would be terminated.

Unofficially, OCS let the covered chemical facilities know that they understood that there were going to be process modifications made by facilities to cope with the staffing issues associated with the running of their facilities. In some cases, those changes were coordinated with chemical security inspectors (CSI) and in others not. In any case OCS accepted the reality of the situation and essentially turned a blind eye when those changes had minor impacts on the site security plans (SSPs) that facilities had negotiated with DHS.

I doubt that we will see any centralized notifications that those facility led changes are no longer acceptable. Rather, I think that contact will be made by CSI and they will work with facilities to transition back to where their SSPs were before the pandemic struck.

The COVID Reality

One thing is becoming increasingly evident, COVID-19 will be with us for quite some time, if it is ever in fact eliminated. We are seeing people previously infected with the virus becoming re-infected. The rate is relatively low at this point, but how much of that is because the potential rate is low and how much is related to the protection provided by social distancing and mask wearing has yet to be determined.

Additionally, we are seeing a small number of people who were successfully vaccinated becoming infected. This is not unusual in any vaccination program. There is just too much variability in people’s immune systems to achieve 100% success rate.

As I mentioned before, we are continuing to see mutations within the virus producing different strains. So far, there has not been a strain publicly identified that is significantly changed to be able to infect large numbers of vaccinated people. It would seem inevitable, especially with the huge number of new infections that we are seeing in India and South American, that such mutations will arise. The more infections that occur, the more the virus will mutate.

All of this is going to mean that facility management is going to have to plan for local outbreaks of COVID-19, especially in areas of the country with higher non-vaccination rates. Since management has a pretty good idea of the potential effects of such outbreaks based upon their COVID experiences, they should be able to come up with a reasonable plan to respond to such outbreaks.

I would not be surprised to see OCS mandate that facilities develop a pandemic/epidemic response plan under Risk-Based Performance Standard 14, Specific Threats, Vulnerabilities, or Risks. Taking a hard look at what worked and did not work in the last year, facilities should not have too much of a problem developing such a response plan. The approved plan should be able to be implemented by the facility with notice to OCS or when directed by OCS.

Such a response plan would be developed and approved in much the same way that any revision to the facility’s SSP is done. Facilities would come up with their proposed plan and negotiate an approve through OCS. It would then become an inspectable part of their SSP during compliance inspections.

COVID-19 Endemic and CFATS

Last March at the start of the COVID-19 pandemic I wrote a blog post about the potential effects of the pandemic on facilities covered by the Chemical Facility Anti-Terrorism Standards (CFATS) program. Looking back at that post I am really happy with many of the forward-looking comments that I made. Today, with the rollout of vaccines well (if slowly) underway I hope for the same level of prescience in looking at the next stage of the evolution of this medical problem, the COVID-19 endemic. An article on the Wall Street Journal website describes that potential evolution.

Vaccine Mandates

While there are political and legal realities that prevent the Federal government from mandating widespread COVID vaccination there has been an increasing discussion of whether or not private companies can insist that their employees get vaccinated as a condition of employment. I am certainly not an employment lawyer (not any kind of lawyer), but I suspect that there would be all sorts of problems for chemical facilities that attempted to enforce such a mandate, union contracts and employee resistance being the two most obvious.

This does not mean that management cannot take measures to encourage voluntary vaccination. The simplest and most important will likely to be to provide employees time-off to stand in the vaccination lines; larger facilities may want to consider offering monetary or material support for mass vaccination sites. All of these outreach efforts should certainly include encouraging employee families to get vaccinated.

Industry associations should become politically involved in advocating for staff at critical infrastructure facilities to be included in priority vaccination programs.

Testing

While we have lived with other endemic infections facility management needs to remember that with most of these other diseases people are most infectious after the disease is physically manifested, the same cannot be said about COVID-19. Facility management is going to have to consider the advisability of being able to conduct testing of employees as local infection rates rise. Testing and tracing are going to be a long-term requirement to contain COVID-19 outbreaks in the future. This testing could be done on-site at facilities that have professional medical staffing (typically nurses or EMTs); smaller sites may want to consider contracting testing support with their current industrial hygiene supplier.

This medical testing is going to have to comply with local, State and federal privacy regulations. Facilities need to fully understand those requirements before implementing such a program.

Security Measures

Security is going to be affected by the waning and surging of COVID-19. Facilities will have learned a lot of security lessons over the past ten months. While the CISA chemical security inspectors have been allowed a certain amount of leeway in accepting temporary changes to site security plans to reflect changes in staffing and operations during the uneven progress of the pandemic, that will not continue as the pandemic transforms into an endemic. Facilities need to take a concerted look at their security processes over the last year and determine which ones they want to formally memorialize in their site security plans, either as permanent changes or as optional changes when changes in the medical environment warrant.

Where a facility wants to include COVID-reactive security changes in their security plans, they need to be careful in how they describe the conditions that would require their implementation. Failure to implement those changes when the described conditions apply would then be a violation of the facility’s SSP. One thing that facilities must include in these changes is a clear delineation of responsibilities for notifying CISA’s Infrastructure Security Compliance Division of the intent to implement the changes and when those changes revert to standard procedures.

This would also be a good time for facilities to start thinking about their future plans for new pandemics. The next pandemic will probably not be COVID-2X, the virus will likely be different as will the infection rate, the timing of infection, and the mortality rates. A pandemic response plan is going to have to deal with the different scenarios dealing with those variabilities. Lessons learned from COVID will be a starting point for those plans, but those lessons should not be the endpoint. Higher mortality rates, in particular, or going to have be seriously considered as they will have major impacts on facility slowdowns and closures.

The Insurrection

While there has been a definite pull-back in operations being conducted by right-wing radicals since January 6^th, the conditions that drive much of the support for those groups have not really changed. If there is another pandemic in the near future (and the timing of the next pandemic cannot be predicted), those socio-economic conditions will worsen quickly. Security planning for future pandemics will have to take that into account.

In the near term we are going to start seeing a new problem arise as federal officials really begin to look at these groups in ways that were not encouraged under the Trump administration. More people in the United States are going to be identified as being associated with various groups and a significant number of those so identified will start to show up on the lists that the TSA uses to vet people as being associated with terrorist organizations. That means that there will inevitably be current employees at CFATS facilities that will be so identified under the CFATS personnel surety program.

There is not much facility management can do in the advance of such notifications unless they are specifically aware of illegal activities being conducted on their premises. Facilities would run into all sorts of legal obstacles to firing employees for political views, even in the most ardent ‘right-to-work’ states. Facility management is going to need to have plans in place for what they intend to do when notified by ISCD that a current employee or contractor with unaccompanied access to their facility is identified by the TSA as having ‘terrorist ties’.

House and Senate Pass Another 1-day CR – HJ Res 110

This evening the House took up HJ Res 110, another one-day continuing resolution to continue funding the government through midnight tomorrow night. According to news reports (no official Senate records are yet available for today) the Senate subsequently took up the bill under their unanimous consent process and forwarded it to the President. As of this writing, there is no word on the President’s action on the CR.

The House and Senate leadership have apparently worked out a deal on both the final FY 2021 spending bill and a COVID-19 relief bill. The later will apparently be introduced and passed in the House tomorrow along with a 7-day CR to allow for a spending bill to be printed and then subsequently considered in the House and Senate. There is not yet a version of the legislation available for public view. We will probably see a Committee Print available tomorrow on the House Rules Committee web site.

OIRA Approves CISA COVID-19 Tracing Reporting Form

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced [.PDF download link] that it had approved an information collection request (ICR) from the DHS Cybersecurity and Infrastructure Security Agency (CISA) for a “COVID-19 Tracing Reporting Form”. CISA will use this ICR to collect voluntary information on digital contact tracing tools (DCTT) used by various State and local government agencies to track potentially affected personnel during the COVID-19 pandemic. This ICR was submitted to OIRA earlier this week on an emergency basis without the standard publish, comment and review process.

According to the ICR supporting document [.PDF download link], CISA will use this information to conduct an initial assessment of “the vulnerabilities and mitigation options needed to conduct a safe digital contact tracing campaign in order to provide best practices for the public for the most popular types of tools used by stakeholders”. That document further explains (pg 1):

“In response to the enduring nature of the pandemic, state, local, tribal and territorial (SLTT) governments and owners and operators of critical infrastructure, have been developing, promoting, and using various forms digital contact tracing tools as a key part of their virus response. However, this is the first use of these digital tools at a large scale or for the purposes of contact tracing. This novel use of existing technology paired with the federal nature of the United States creates a patchwork of digital contact tracing programs and tools that use different means, have different security, and collect different information.  To help provide order to this issue and best practices on how to employ these new technologies, CISA needs to know what digital contact tracing tools these entities are employing. Many SLTT governments have already employed or are considering employing a digital contact tracing tool.  CISA needs additional back-end development information, which can only be done through a survey, on the type of contact tracing tool used in order to provide cybersecurity and best practices for the large and varied digital contact tracing landscape.”

CISA expects to receive 166 responses to this voluntary survey (draft form located here - .PDF download link, file can only be read via Adobe Reader 8 or higher, it will not download if you are using another .PDF reader). They expect 60 responses from State, local, tribal, and territorial (SLTT) government agencies and 106 responses from the private sector (presumably application developers?).

CISA is expected to publish an ICR collection notice in the Federal Register in the coming week to support this emergency ICR.

TSA Extends HME Renewal Exemption – 10-28-20

Today the Transportation Security Administration (TSA) published a notice in the Federal Register (85 FR 68357-68358) providing a further exemption for States to allow holders of a Hazardous Material Endorsement (HME) for a commercial drivers license to extend that HME for 180-days without requiring a new security threat assessment. The exemption would be extended through December 31^st, 2020. This exemption was initiated in March and earlier renewed in July. This extension, like the earlier TSA revision of surface transportation security training compliance dates, has been undertaken due to the impact of the COVID-19 pandemic.

The extension would allow States to provide a 180-day renewal extension without requiring a new security threat assessment for HME’s that expire after March 1^st, 2020. The new termination date for that authority would be December 31^st, 2020. HME holders would still be required to begin the security threat assessment process 60-days before the end of the State granted exemption.

The notice does make it clear that individuals “who were eligible for an extension of their HMEs during the initial exemption may continue to be eligible under this notice of extension of the exemption.” However, HME holders that were granted extensions in April and May of this year would have been required to have already begun the security threat assessment process to meet the 60-day deadline, so they may not need the new extension.

TSA Amends Surface Security Training Compliance Dates

The TSA published a notice in Monday’s Federal Register (available online today; 85 FR 67681-67683) announcing the extension of compliance deadlines for the “Security Training for Surface Transportation Employees” final rule. This notice further extends one of the compliance deadlines that was revised in May. Both sets of extensions were established because of complications in the transportation sector due to the COVID-19 pandemic.

In this latest extension the TSA keeps the effective date of the regulation at the extended date of September 21^st, 2020. The deadline for notifying TSA of applicability determination (1570.105) remains October 21st, 2020. The deadline for providing security coordinator information (49 CFR 1570.201) remains October 28th, 2020. The notice states that the deadline for §1570.203 (security incident reporting requirement) compliance has not been changed. There was no specific date set in the regulation for that requirement, so the effective date for that requirement is the effective date of the regulation; 9-21-20.

The only change then is the deadline for submission of security training program to TSA for approval {§1570.109(b)}; it is being changed from December 21st, 2020 to March 22^nd, 2021.

TSA is making this change in the regulation without going through the publish and comment process under provisions of 5 USC 553 (b) and (d). They note that:

“TSA has good cause to delay the compliance deadline for submission of security training programs without advance notice and comment or a delayed effective date. To delay taking this action while waiting for public comment would be impracticable and contrary to the public interest. The owner/operators subject to the requirements of the final rule need immediate certainty regarding the deadlines of the final rule so that they may focus on other urgent issues affecting their operations.”

ISCD Updates 9 FAQ Responses – 7-20-20

Today the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to six frequently asked questions on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center. There were also two news items on today’s CFATS Knowledge page; first, a note about the 30-day ICR renewal notice published in today’s Federal Register for the Chemical-Terrorism Vulnerability Information (CVI) program. The second note is an update of information about the COVID-19 modified compliance inspection program.

FAQ Updates

The FAQ updates are part of an on-going effort at ISCD to make FAQ editorial changes designed to: reflect changes in program management (CISA branding), to change URL’s to page links (see the similar 6-22-20 blog post) and to make the responses more helpful; rather than reflecting changes in ISCD policy.

The FAQ responses updated today include:

FAQ #1742 What criteria does the Cybersecurity and Infrastructure Security Agency (CISA) use to determine if a Site Security Plan (SSP) submitted through the Expedited Approval Program (EAP) is facially deficient?

FAQ #1749 What is a “certification” in the Expedited Approval Program (EAP)?

FAQ #1750 What happens after I submit my Expedited Approval Program Site Security Plan (EAP SSP)?

FAQ #1751 If my facility has been issued a “letter of acceptance” through the Expedited Approval Program (EAP), but then the Cyber Infrastructure Security Agency (CISA) discovers that the measures in the Site Security Plan (SSP) insufficiently meet the risk-based performance standards (RBPS) during a Compliance Inspection, what happens?

FAQ #1752 Who can certify a facility’s Expedited Approval Program Site Security Plan (EAP SSP)?

FAQ #1766 Does the Cybersecurity and Infrastructure Security Agency (CISA) allow facilities to contract out the submission of information under Option 1 or Option 2 for the Personnel Surety Program in Risk-Based Performance Standards (RBPS) 12(iv) to third parties?

FAQ #1767 Will the facility be notified if the Agency learns that an affected individual has terrorist ties?

FAQ #1768 When will the Cybersecurity and Infrastructure Security Agency (CISA) grant access to the Chemical Security Assessment Tool (CSAT) Personnel Surety Program application if a facility chooses to meet Risk-Based Performance Standard (RBPS) 12(iv) by selecting Option 1 or Option 2 in its Site Security Plan (SSP)/Alternative Security Program (ASP)?

FAQ #1772 Who will conduct the Chemical Facility Anti-Terrorism Standards (CFATS) Compliance Inspections for facilities in the Expedited Approval Program (EAP)?

Interestingly, FAQ #1742 was previously updated last week. Today’s update simply indents the three subparagraphs in the response.

CVI ICR

The first news item on today’s CFATS Knowledge Center points to today’s CISA information collection request (ICR) renewal notice in the Federal Register for the CVI program. This is the follow-up to the 60-day ICR notice published in March. There is no burden change reported in the renewal notice. CISA is soliciting comments on the ICR notice. Comments may be submitted via email to dhsdeskofficer@omb.eop.gov. All submissions must include the words “Department of Homeland Security” and the OMB Control Number 1670-0015.

Covid-19 Modified Inspections

The second news item for today notes that CISA has completed the pilot of COVID-19 modified compliance inspections that had first been announced on June 11^th, and I more completely detailed two days later. Today’s notice says: “Based on the pilot, CISA is now conducting modified compliance operations and high-priority compliance assistance.” Facilities will be notified of any compliance inspection scheduled by their Chemical Security Inspector or the Infrastructure Security Compliance Division (ISCD) headquarters.

There has been no change made to the CFATS Compliance Inspection Fact Sheet since November 2019.

More Details on Modified CFATS Compliance Inspections

I received a response to my email to CISA Infrastructure Security Compliance Division (ISCD) about the temporary changes that are being made to the Chemical Facility Anti-Terrorism Standards (CFATS) compliance inspection process that I briefly mentioned earlier this week.

First, ISCD makes is clear that they are continuing to work out the details of the modified inspection plan in coordination with each facility being inspected. Not only is ISCD trying to work out an effective compliance inspection regime during the COVID-19 pandemic, but they also realize that each facility is going to have a unique set of circumstances that needs to be taken into account so that the inspections do not unduly endanger facility personnel or chemical security inspectors.

The ‘three options’ reported on CFATS Knowledge Center have been more completely explained in this email. They are:

1. Compliance Audits: Chemical Security Inspectors (CSIs) request, remotely review, and  then lead a discussion with facility personnel on records and documentation related to  the facility’s chemical(s) of interest (COI) and the security measures described in the  facility’s security plan.

2. Compliance Audits with Facility Perimeter Walkaround: In addition to the Compliance Audit, this includes CSIs conducting a walkaround of the covered facility’s perimeter to review in person the facility’s perimeter security measures.

3. Modified COVID-19 Compliance Inspections: CSIs conduct an onsite inspection while minimizing face-to-face time and maintaining social distancing as much as possible.

These briefly describe inspection modality changes do not reflect any material change in the CFATS inspection process. These are evolving interim measures that allow DHS inspectors to verify that covered facilities continue to maintain their security programs during this emergency. ISCD can be expected to work closely with facilities to ensure that these modified inspections are effective and safe.

The use of the term ‘audits’ in options 1 and 2 imply (in my opinion) that a successful compliance inspection has already been conducted at the facility. This would allow chemical security inspectors, where a periodic compliance inspection is called for, to assure themselves that the facility is remaining generally in compliance during reduced operations or facility closures during the pandemic.

If ISCD is using any of these three modified inspection modalities at facilities where a compliance inspection has not yet taken place, I would expect that there would be a more complete inspection that would take place after the COVID-19 emergency has passed.

One final point was made in the email I received. ISCD is still not conducting any authorization inspections during the COVID-19 emergency. The detailed inspection and facility review that is required to provide ISCD with the information necessary to authorize a site security plan cannot be safely conducted in a safe social-isolation environment.

I would love to hear from facilities or CSI that have participated in one of these modified inspections, on or off the record.

CISA and 2020 Hurricane Preparations Webinar

Yesterday the DHS Cybersecurity and Infrastructure Security Agency (CISA) announced that it would be holding a webinar on “Critical Infrastructure Hurricane Response During a Pandemic” next week. The webinar on June 18th will be a joint effort by CISA, FEMA and NOA. It will be held on HSIN Connect, part of the DHS Homeland Security Information Network (HSIN).

According to a mass-email I received yesterday about the event presentations will be made by:

• NOAA Liaison to the National Operations Center

• Divisional Representatives from CISA

• FEMA National Business Emergency Operations Center

An email that I received from a representative at CISA’s Infrastructure Security Compliance Division indicated that ISCD will not be one of the divisions providing presentations. A broader look at chemical facility safety information will most likely be presented by “some of our voluntary-focused colleagues”, probably the  Chemical Sector-Specific Agency (SSA).

There is no information currently available about registration for this webinar. While the HSIN is routinely used for sharing Sensitive But Unclassified (SBU) information, unrestricted DHS webinars are frequently held on this site. At this point I do not think that this will be an informationally restricted presentation, that would defeat the purpose.

NOTE: The email reply I received from ISCD contained an interesting ‘new’ (first time I’ve seen it) cybersecurity marking. In the copy of my original email to ISCD that was appended to the reply there was a highlighted text-box that said:

“CAUTION: This email originated from outside of DHS. DO NOT click links or open attachments unless you recognize and/or trust the sender. Contact your component SOC with questions or concerns.”

I have not heard of anyone using this method of spreading malicious links, but I guess that anything is possible. I wonder is CISA is just being proactive with this tool or if it has seen something that they have yet to publicly report.

ISCD Announces COVID-19 Modified Inspections

Today the CISA Infrastructure Security Compliance Division (ISCD) published a notice on their Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center announcing that they were planning on resuming modified CFATS compliance inspections this month. The notice states:

“Effective June 2020, CISA will begin piloting three options for modified compliance operations to verify that high-risk facilities are maintaining the security measures in their security plans during this pandemic operational environment while also limiting in-person interactions between Chemical Security Inspectors (CSIs) and facility personnel. CSIs will be in contact if your facility had an inspection postponed or have an upcoming inspection. If you have any questions, please contact your local CSI or email CFATS@hq.dhs.gov.”

While ISCD announced back in March that they were stopping most site visits (including inspections) in support of COVID-19 restrictions, they never did complete stop their inspections. According to the CFATS Monthly Statistics page there were 4 compliance inspections completed last month and the earlier version of that page reported 2 compliance inspections in April. There were no details provided as to why ISCD decided to conduct these six inspections despite the COVID-19 restrictions. My guess is that the inspected facilities had failed previous inspections and CISA decided that it was important to ensure that the facilities were currently in compliance.

No details are available for the three options mentioned in today’s notice. I would expect that facilities that are expecting routinely scheduled re-inspections may be offered an option for an electronic meeting with the CSI assigned to the facility to review the current status of the facility operations and security measures. This might also include a requirement for live videos of security measures.

I would suspect that for facilities that are currently closed, I would expect that ISCD might want to send a CSI to physically visit the facility and tour the facility with a designated representative to ensure that appropriate measures have been taken to keep the facility secure while under limited operations due to the COVID-19 pandemic.

I have not idea what the third (middle?) option would be.

I will see what I can find out. Facility security managers should certainly reach out to their assigned CSI.

Committee Meetings – Week of 5-10-20

With just the Senate in town this week (the House may return next week) there are only twelve hearings scheduled (one House COVID-19 hearing) with COVID-19 or nominations being the focus of all but one of those hearings. The one odd-ball hearing is on cybersecurity.

Solarium Commission Hearing

On Wednesday the Senate Homeland Security and Governmental Affairs Committee will hold a video conference on “Evolving the U.S. Cybersecurity Strategy and Posture: Reviewing the Cyberspace Solarium Commission Report”. All four witnesses are members of the Solarium Commission:

• Angus S. King, JR., Co-Chair;

• Mike Gallagher, Co-Chair;

• Suzanne E. Spaulding; and

• Thomas A. Fanning

There are currently no instructions on the hearing web site on how the public may view the video conference.

The Cyberspace Solarium Commission released their report back in March, but it has been eclipsed by the whole COVID-19 mess. It will be interesting to see how the HSGAC reacts to the recommendations made in this hearing.

CISA Postpones 2020 CSSS

The Cybersecurity and Infrastructure Security Agency (CISA) announced this week that it was postponing the 2020 Chemical Sector Security Summit (CSSS) that had been planned to be held in Atlanta, GA this July. Not surprisingly, concerns around the COVID-19 pandemic are behind this action.

An alternate (almost certainly an on-line) event is being considered.

TSA Extends Security Training Rule Deadlines

Today the Transportation Security Administration (TSA) published a final rule in the Federal Register (85 FR 25315-25317) delaying the effective date of the final rule entitled, “Security Training for Surface Transportation Employees” that was published on April 1^st, 2020. TSA is taking this action because it has determined that covered entities may have difficulties complying with the published deadlines because of actions taken in response to the COVID-19 pandemic.

The effective date of the earlier rule is changed from June 22^nd, 2020 to September 21^st, 2020. As a result of this change the following deadlines within the earlier rule are also being changed. They include:

• Deadline for notifying TSA of applicability determination (1570.105) – from July 22^nd, 2020 to October 21^st, 2020;

• Deadline for providing security coordinator information (49 CFR 1570.201) – from July 29th, 2020 to October 28^th, 2020; and

• Deadline for submission of security training program to TSA for approval (1570.109(b)) – September 20^th, 2020 to December 21^st, 2020.

Because of the nature of the changes made by this new final rule and the imminent nature of the impending deadlines, TSA determined that the normal rule making processes, including OMB review and the publish/public comment process, were not required.

Op Centers and Control Rooms Guide for Pandemic Response

Last week CISA published a new guidance document addressing the operations of Op Centers and Control Rooms during the COVID-19 pandemic. The document provides planning considerations and mitigation measures for the continued operation of these facilities while taking into account the need for protecting critical personnel.

The Guide provides an overview of items to be considered along with links additional information. The topics discussed include:

• Coordination with federal, state, and other authorities.

• Communication and information sharing.

• Key mitigation measures – protecting personnel.

• Key mitigation measures – protecting equipment.

• Key mitigation measures – workforce planning.

• Key mitigation measures – in the event of exposure.

As a footnoted reference, the Guide provides a link to Electric Subsector Coordinating Council’s (ESCC) “Assessing and Mitigating the Novel Coronavirus (COVID-19)” which discusses many of the same topics in more detail.

Commentary

While hindsight is 20:20, this document would have been timelier if it had been issued two-months ago. This would have provided management with some time for planning for and then executing the recommended actions. Implementing them now is going to be problematic without methods in place for identifying personnel that have been exposed to the underlying COVID-19 virus or have successfully fought off the disease. Having said that, I still think this is a worthwhile document.

There is one item in the recommendations in this document to which I take exception. Under “Key mitigation measures – protect personnel” the Guide includes:

“Create greater physical separation of operations center and control room operator workstations, increase ventilation or utilize adjacent rooms where possible, and reduce or eliminate interactions across shifts (emphasis added).”

I completely understand the need for as much internal isolation as possible to restrict the possible spread of the COVID-19 virus, anything that hampers the communication between shifts at shift change increases the chance of misunderstanding the current state of the process and on-going measures to control or monitor that state. I would have worded the final phrase to read:

“… and reduce or eliminate the physical interactions across shifts while ensuring the effective sharing of shift-change information.”

The more detailed information in the ESCC document provides an important discussion about personal protective equipment. It notes that full- and half-face respirators are acceptable substitutes for the N-95 respirator protections. Since these respirators are more readily available at many process facilities and personnel have already been trained on their wear and care, this is probably a more useable protective device for those organizations.

ISCD Publishes April 2020 CFATS Quarterly

Yesterday the CISA Infrastructure Security Compliance Division (ISCD) published an link on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center for their April 2020 CFATS Quarterly. This somewhat periodic publication provides timely information on the CFATS program. Included in this issue are short articles on:

• Short term CFATS reauthorization;

• CFATS Requirements During COVID-19;

• Maintaining Your Facility’s Security During COVID-19;

• In Development: Additional Voluntary Chemical Security Resources;

• Personnel Surety Program: Uploading Affected Individuals Under Option 1 and Option 2;

• Compliance Close-up: Resubmitting Your Top-Screen; and

• New and Updated CFATS Resources

TSA Announces COVID-19 Related TWIC Extensions

The Transportation Security Administration (TSA) published an announcement in today’s Federal Register (85 FR 21017-21018) concerning the “Exemption To Extend the Expiration Date of Certain Transportation Worker Identification Credentials”. The TSA is providing a 180-day extension of all current TWICs that expire between April 10^th, 2020 and July 31^st, 2020.

The notice does reaffirm that:

“For the duration of the exemption, TSA will continue to recurrently vet the holders of the eligible TWIC®s against governmental watch lists for security threat, criminal history, and immigration status. TSA retains its full authority to suspend or immediately revoke an individual's TWIC® if the agency determines the holder is no longer eligible, in accordance with 49 CFR 1572.5(b) and 1572.19(c).”

Additional information can be found here on the TSA TWIC web site. Thanks to Laurie Thomas for pointing out this site.

NOTE: Today’s notice is very similar in wording to the notice last week giving States the authority to provide a similar extension to holders of Hazardous Materials Endorsements for commercial drivers licenses.

COVID-19 and Facility Security

Laurie Thomas has an excellent article over on LinkedIn about COVID-19 and the Maritime Transportation Security Act (MTSA). While there are many technical and administrative details about that program that are different from the Chemical Facility Anti-Terrorism Standards (CFATS) program, many of the points that Laurie makes apply to the CFATS program as well.

Communications

Communications is a key to maintaining regulatory compliance in this unusual situation. With both programs there are two different levels of important communications. The first is program level communications. For the MTSA covered facilities, Laurie notes that following the Maritime Commons blog is a good source for near real time information about program information. For the CFATS program the go-to source is the CFATS Knowledge Center. For unofficial program level news, Laurie has an excellent blog and this blog is a good source for CFATS news.

The second level is communications directed towards the regulators. For MTSA facilities this is communications directed at the Captain of the Port (COTP). For CFATS facilities this would be communication directed at the Infrastructure Security Compliance Division. In both cases, your local inspector is probably a good communications tool.

Compliance Issues

At the facility level, both programs require adherence to an approved security plan for the facility, and the COVID-19 pandemic may cause unexpected problems with those security plans. Neither the Coast Guard nor CISA is going to be surprised if your facility has some compliance issues arise during this pandemic. Personnel issues with security plans are going to be a very common concern. Neither agency has any official plans to waive compliance with the regulatory requirements of either program, but both programs will be willing to work with facilities on alternative methods of compliance.

The key here will be the early identification of problems with the current security plans and communicating those problems to the program authorities. Laurie makes an important point in her article when she says: “If something happens to bring you out of compliance, have an equivalent security measure ready at hand to replace the one that is the issue.” While the COPT or ISCD may not fully accept that ‘equivalent security measure’ it shows that you are interested in maintaining compliance and may make it easier for them to suggest a more appropriate response. Remember, they are hearing about these problems from a number of facilities and will have heard other options that may apply to your situation.

One of the most common problems that will arise during this pandemic will be a shortage of security personnel, especially at facilities that are shut down or working reduced shifts. COVID-19 quarantines are going to inevitably put some security officers off-line because of having COVID-19 symptoms or being exposed to someone with the disease. Some common mitigation measures will be:

• Increasing patrols by local law enforcement;

• Sharing patrol resources with other local facilities; or

• Using facility personnel to fill in for security officers.

Shutdown Alternative

For CFATS facilities, remember that status as a covered facility is dependent on the presence of chemicals of interest. Working down inventory levels to below the screening threshold quantity (STQ) may allow ISCD to remove the facility from the CFATS program. Even drastically reducing the on-hand levels without achieving sub-STQ levels may allow ISCD to reduce the Tier ranking for the facility or even remove the facility from the CFATS program. Talk with your chemical security inspector about this possibility. If you take this route, remember that a new Top Screen will have to be initiated when the facility goes back into operation.