← Browse

Chemical Facility Anti-Terrorism Standards

Congressional Research Service · Published 2020-02-14 · Resources · 1,339 words · ~7 min read
Frank Gottron
View on Congress.gov · PDF
Chemical Facility Anti-Terrorism Standards
Updated February 14, 2020 (IF10853)

State and federal governments have long regulated safety practices at facilities that store large amounts of hazardous chemicals to reduce the risk of harm from an accidental release. In 2006, the Department of Homeland Security Appropriations Act, 2007 (P.L. 109-295) authorized the Department of Homeland Security (DHS) to regulate security practices at chemical facilities to reduce the risk of terrorists triggering an intentional release or stealing chemicals for use in attacks elsewhere. Congress extended and modified this authority through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (P.L. 113-254). This authority is currently set to expire in April 2020. The Administration's proposed FY2021 budget would eliminate funding for this DHS program.

Chemical Facility Anti-Terrorism Standards

In 2007, DHS promulgated the Chemical Facilities Anti-Terrorism Standards (CFATS, 6 C.F.R. Part 27). These regulations require certain "high-risk" chemical facilities to meet risk-based performance standards in 18 areas (Table 1). The statute does not permit DHS to require any particular security measure. Facilities may implement any security program or process that adequately meets the requisite performance level for its risk level.

Each covered facility must meet standards based on its specific risk, i.e., higher risk facilities must meet more stringent standards than lower risk facilities.

Table 1. CFATS Risk-Based Performance Standards

  • Restrict Area Perimeter
  • Secure Site Assets
  • Screen and Control Access
  • Deter, Detect, and Delay
  • Shipping, Receipt, and Storage
  • Theft and Diversion
  • Sabotage
  • Cyber
  • Response
  • Monitoring
  • Training
  • Personnel Surety
  • Elevated Threats
  • Specific Threats, Vulnerabilities, or Risks
  • Reporting of Significant Security Incidents
  • Significant Security Incidents and Suspicious Activities
  • Officials and Organization
  • Records

Source: 6 C.F.R. §27.230

Covered Facilities

Most chemical facilities do not have to meet these standards. The statute specifically excludes all facilities defined as a water system or waste water treatment works, owned or operated by the Department of Defense or Department of Energy, regulated by the Nuclear Regulatory Commission, or regulated under the Maritime Transportation Security Act of 2002 (P.L. 107-295). Any non-excluded facility that possesses more than a defined threshold of any of the 322 "chemicals of interest" (6 C.F.R. Part 27, Appendix A) must submit information to DHS through an online survey known as Top-Screen. DHS uses Top-Screen data to determine each facility's risk level. Only facilities DHS deems high risk must meet the risk-based performance standards. As of December 2019, approximately 42,000 unique facilities had submitted Top-Screen data. DHS has determined that 3,310 (<8%) of these are high-risk facilities.

DHS assigns each high-risk facility to one of four graduated risk tiers (Figure 1). About 5% of the high risk facilities are in the highest tier, Tier 1.

Figure 1. CFATS Facility Risk Tier Distribution
media/image2.png

Source: CRS analysis of DHS data, January 2020.

Each covered facility must prepare and submit a Security Vulnerability Assessment that describes its vulnerability to DHS-defined attack scenarios and a Site Security Plan that details how the facility will meet each of the 18 risk-based performance standards appropriate for its risk tier. Following evaluation of the Site Security Plan and an on-site authorization inspection, DHS may issue a letter of approval. The approved facilities must implement the Site Security Plan and conduct annual implementation audits. DHS inspects each covered site every two years.

Potential Reauthorization Issues

The 116th Congress is considering whether the CFATS authority should be reauthorized, modified, or allowed to expire. The Administration's FY2021 budget proposes eliminating funding for the CFATS program.

Congress may consider whether the CFATS and associated regulations appropriately balance homeland security and stakeholder needs. Congress may also consider how well DHS has implemented the program and whether the implementation is aligned with current congressional intent.

If Congress decides to reauthorize, it may also consider modifying aspects of the program.

Reauthorization

According to industry groups, complying with this program imposes significant costs on regulated facilities. Additionally, DHS spends approximately $70 million annually implementing CFATS. Congress might decide that these costs outweigh the benefits and allow the CFATS program to end. Although this would lower the recurring costs of compliance for the currently regulated facilities, it would not affect the sunk costs for changes to processes and security infrastructure that facilities have already spent to come into initial compliance. Those costs and process changes might place formerly regulated facilities at a competitive disadvantage to facilities entering the market after the CFATS program ends.

Make Authority Permanent?

Congress specifically established a termination date for this program when it codified the previously existing DHS CFATS program through the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (P.L. 113-254). Additionally, the 116th Congress decided to maintain a termination date when it enacted the Chemical Facility Anti-Terrorism Standards Program Extension Act (H.R. 251) to extend the program to April 2020. Including a termination date in a reauthorization of the program would require a future Congress to make an affirmative decision that the program is worthy of continuance. However, retaining a termination date might also increase uncertainty for the regulated community.

Modify Exclusions?

The current statute exempts some public water systems and waste water treatment works from CFATS regulations. In 2019, DHS estimated that this exempted more than 9,700 high-risk facilities and represented a critical gap in CFATS coverage. Lifting this exclusion could nearly quadruple the number of regulated facilities.

Representatives of the water sector have previously asserted that their role in public health and safety could make sanctions under CFATS counterproductive. They cite, for example, loss of public sanitation, potable water, and fire protection if DHS ordered a water or waste water utility to cease operations for security reasons or failure to comply with the CFATS regulations.

Inherently Safer Technologies

The term inherently safer technologies refers to the concept of chemical facilities lowering risk by making changes such as switching to non-CFATS regulated chemicals, or using lower concentrations or amounts of regulated chemicals. Proposals that would have required chemical facilities to adopt inherently safer technologies were debated during previous congressional CFATS consideration, but were not included in the statute. Similar proposals are likely to be considered during any reauthorization debate. Some of the past criticism of a proposed statutory requirement to adopt inherently safer technology focused on the difficulty the government would have determining useful requirements that could feasibly be applied given the complicated context of each facility and process.

Even without a legal requirement, hundreds of facilities have adopted changes to move from regulated to non-regulated status or to lower their high-risk tier. DHS has identified some common approaches that these facilities have adopted and has disseminated information about these practices to the regulated community. Regulated and potentially regulated facilities can factor in this information when determining the potential costs and benefits of such practices in the context of their individual security, safety, efficiency, and other business needs.

Options for congressional consideration include requiring DHS to establish inherently safer technology standards; codifying DHS's current practice of disseminating lessons learned; or continuing to allow DHS the discretion to continue or change its programs as it sees fit.

Legislation

The House Committee on Homeland Security reported the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2019 (H.R. 3256) on December 12, 2019 (H.Rept. 116-341). As reported, this bill would, among other provisions

  • reauthorize CFATS until May 1, 2025,
  • require DHS to verify facility-submitted information before lowering risk tier,
  • increase requirements for facility employee input in vulnerability assessments and security plans,
  • increase requirements for facility communication with local emergency responders,
  • eliminate the expedited approval plan program that allowed tier 3 and 4 facilities to adopt DHS-prescribed measures instead of developing individual security plans,
  • require DHS to collect and disseminate common security practices facilities use to lower risk,
  • authorize exemption of specific products or mixtures DHS deems to pose no security threat,
  • create the Chemical Security Advisory Committee to advise DHS on CFATS implementation, and
  • require an independent assessment of the national security effects of the statutory facility exclusions.

Document ID: IF10853