EPA Chemical Facility Anti-Terrorism Standards Lapse
It has now been more than six months since Congress allowed the statutory authority for the Chemical Facility Anti-Terrorism Standards (CFATS) program (6 CFR Part 27) to expire on July 28, 2023. EPA recently advised all Chemical Facilities that the CFATS program is currently not being enforced due to this inaction by Congress. Accordingly, the federal administrative body responsible for enforcing CFATS, the Cybersecurity and Infrastructure Security Agency (CISA), may not require compliance with applicable regulations unless and until Congress acts.
CFATS Applicability
The CFATS program applies to Chemical Facilities with a requisite amount of chemicals. A “chemical facility” is any establishment or individual that possesses or plans to possess any of the more than 300 chemicals of interest (COI) at or above screening threshold quantities (STQ) and concentrations for the chemicals. EPA estimates CFATS regulations broadly apply to chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, colleges and universities, laboratories, paint and coatings, and healthcare and pharmaceuticals, among others.
The list of COI is extensive. It includes chemicals common to many manufacturers such as ammonia (anhydrous), ammonium nitrate, acetaldehyde, chlorine, chlorine dioxide, ethane, ethyl ether, fluorine, formaldehyde (solution), hydrogen chloride (anhydrous), methyl chloride, methyl ether, nitric acid, nitric oxide, phosphorus, silane, and vinyl chloride. See 6 CFR 27, Appendix A (complete list of COIs).
The STQ for any given COI may be sufficiently low that even small manufacturers may be covered. For example, phosgene has an STQ of 500 lbs., while hydrogen cyanide’s STQ is 1,000 lbs. Most chemical STQs, however, are in the 5,000 lbs. or higher range, including propane with an STQ of 60,000 lbs.
CFATS Requirements
Under the terms of the currently expired CFATS program, covered facilities must report their chemicals to CISA via an online survey, known as a “Top-Screen.” CISA uses the Top-Screen information a facility submits to determine if the facility is considered high-risk and must develop a security plan.
The reporting process may fall into one of several categories:
Top-Screen. All covered facilities were required to complete a Top-Screen filing. Facilities that possess any of the chemicals listed in Appendix A at or above the STQ for any applicable Security Issue had to file within 60 calendar days of November 20, 2007. Facilities that come into possession of any of the chemicals listed in Appendix A at or above the STQ for any applicable Security Issue must file within 60 calendar days. The term “Security Issue” refers to the type of risks associated with a given chemical. There are four main security issues identified in the regulations:
- Release (including toxic, flammable, and explosive);
- Theft and diversion (including chemical weapons and chemical weapons precursors, weapons of mass effect, and explosives and improvised explosive device precursors);
- Sabotage and contamination; and
- Critical to government mission and national economy.
6 CFR 27.105.
Security Vulnerability Assessment. Unless otherwise notified, a covered facility must complete and submit a Security Vulnerability Assessment within 90 calendar days of written notification from the Department of Homeland Security (Department) or within the time frame specified in any subsequent Federal Register notice.
Site Security Plan. Unless otherwise notified, a covered facility must complete and submit a Site Security Plan within 120 calendar days of written notification from the Department or within the time frame specified in any subsequent Federal Register notice.
Congress’s Failure to Renew
The consequences of this lapse in CFATS statutory authority are significant. CISA cannot enforce compliance with the CFATS regulations at this time. This means that CISA will not require facilities to report their chemicals of interest or submit any information in the Chemical Security Assessment Tool (CSAT), perform inspections, or provide CFATS compliance assistance, amongst other activities.
The current impacts to our nation’s chemical security, the 3,200 facilities previously designated as high-risk, and the communities surrounding these locations include the following:
- CISA has not received information on dangerous chemicals from more than two hundred chemical facilities, meaning the locations of dangerous chemicals may be unknown to CISA and local first responders.
- CISA cannot inspect high-risk sites, meaning more than 750 facilities have not been inspected. On average, 35% of inspections turn up security gaps, meaning that more than 260 facilities currently have security gaps that CISA has been unable to identify or to help those facilities address before bad actors exploit them.
- Previously, more than 90% of CFATS visits ensured outreach with law enforcement and local fire departments. CISA can no longer require these important relationships to ensure critical information sharing and preparedness.
- CISA cannot require the implementation of cyber and physical security measures, nor can CISA assess the risk to these facilities. On average, facilities improve their security posture by nearly 60% to comply with CFATS.
- CISA has not conducted terrorist vetting for around 45,000 personnel who have gained access to dangerous chemicals—that’s 9,000 names each month going unvetted. Over the lifespan of the Personnel Surety Program, CISA has identified more than 10 individuals with possible ties to terrorism. Given that rate of vetting, CISA would have likely identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist in the last four months.
Conclusion and Recommended Action
Failure of Congress to act provides an opportunity for facilities subject to the CFATS program. Where a plant has a COI present at STQs, it should take this interim period of relief to “get its house in order” by taking the following measures:
Measure No. 1: Audit. Use the requisite steps to protect information from disclosure and audit your facility’s compliance with the CFATS program.
Measure No. 2: Corrective Action. Remedy any deficiencies with guidance from legal counsel to protect from premature release of confidential information to agencies and departments.
Measure No. 3: Voluntary Disclosure Decision. Because the CFATS program is not in effect, your facility may have a unique opportunity to comply with the Federal self-policing policies adopted by the Department of Justice and EPA to report the potential for noncompliance and mitigate or eliminate civil liability.