Cannon House Office Building

Introduction Thank you, Chairman King, Ranking Member Thompson, and distinguished Members of the Committee. It is a pleasure to appear before you today to discuss the Department of Homeland Security's (DHS) efforts to secure high-risk chemical facilities. As you are aware, the Department's current authority under Section 550 of the Fiscal Year 2007 Department of Homeland Security Appropriations Act, as amended, was set to expire in October 2010, but has been temporarily extended under the current Continuing Resolution. DHS is eager to work with this Committee, Congress, and all levels of government and the private sector to achieve passage of legislation that permanently authorizes and appropriately matures the Chemical Facility Anti-Terrorism Standards (CFATS) program. In the interest of facilitating that collaboration, my testimony focuses on the current program and the key principles that DHS would like to see guide the program's maturation.

Chemical Security Regulations Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act directed the Department to develop and implement a regulatory framework to address the high level of security risk posed by certain chemical facilities. Specifically, Section 550(a) of the Act authorized the Department to adopt rules requiring high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop Site Security Plans (SSPs), and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published an Interim Final Rule, known as CFATS, on April 9, 2007. Section 550, however, expressly exempts from those rules certain facilities that are regulated under other federal statutes, including those regulated by the United States Coast Guard pursuant to the Maritime Transportation Security Act (MTSA), drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Departments of Defense and Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC).

The following core principles guided the development of the CFATS regulatory structure:

1. Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders - federal, state, local, tribal and territorial government partners as well as the private sector - is essential to securing our critical infrastructure, including high-risk chemical facilities. Implementing this program means tackling a sophisticated and complex set of issues related toentifying and mitigating vulnerabilities and setting security goals. This requires a broad spectrum of input, as the regulated facilities bridge multiple industries and critical infrastructure sectors. By working closely with experts, members of industry, academia, and federal government partners, we leveraged vital knowledge and insight to develop the regulation.
2. Risk-based tiering to guide resource allocations. Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk - those that, if attacked, would endanger the greatest number of lives.
3. Reasonable, clear, and calibrated performance standards will lead to enhanced security. The current CFATS rule includes enforceable risk-based performance standards. High-risk facilities have the flexibility to develop appropriate site-specific security measures that will effectively address risk. The Department will analyze each final tiered facility's SSP to see if it meets CFATS performance standards. If necessary, DHS will work with the facility to revise and resubmit an acceptable plan.
4. Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies have made significant capital investments in security since 9/11. Building on that progress in implementing the CFATS program will raise the overall security baseline at high-risk chemical facilities.

On Nov. 20, 2007, the Department published Appendix A to CFATS, which lists 322 chemicals of interest - including common industrial chemicals such as chlorine, propane, and anhydrous ammonia - as well as specialty chemicals, such as arsine and phosphorus trichloride. The Department included chemicals based on the consequences associated with one or more of the following three security issues:

1. Release – Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated;
2. Theft/Diversion – Chemicals that have the potential, if stolen or diverted, to be used or converted into weapons that could cause significant adverse consequences for human life or health; and
3. Sabotage/Contamination – Chemicals that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health.

The Department also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways.

Implementation and execution of the CFATS regulation requires the Department toentify which facilities it considers high-risk. The Department developed the Chemical Security Assessment Tool (CSAT) toentify potentially high-risk facilities and to provide methodologies that facilities can use to conduct SVAs and to develop SSPs. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the initial consequence-based screening tool (Top-Screen), an SVA tool, and an SSP template. Through the Top-Screen process, the Department initiallyentifies and sorts facilities based on their associated risks.

If a facility is initiallyentified during the Top-Screen process as potentially having a level of risk subject to regulation under CFATS, the Department assigns the facility to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk. Those facilities must then complete SVAs and submit them to the Department, although facilities preliminarily designated as Tier 4 facilities also have the option of submitting an Alternative Security Program (ASP). Results from the SVA inform the Department's final determinations as to whether a facility is in fact high-risk and, if so, of the facility's final tier assignment. Each SVA is carefully reviewed for its description of how chemicals of interest are actually held at the site, how those chemicals are managed, and for physical, cyber, and chemical security risks.

After completing its review of a facility's SVA, the Department makes a final determination as to whether the facility is considered high-risk and assigns the facility a final risk-based tier. Final high-risk facilities are then required to develop an SSP or, if they so choose, an ASP that addresses itsentified vulnerabilities and security issues. Only facilities that receive a final high-risk determination letter under CFATS will be required to complete and submit an SSP or, if the facility so chooses, an ASP. DHS' final determinations of which facilities are high-risk are based on each facility's individual consequentiality and vulnerability as determined by its Top-Screen, SVA, and any other available information. The higher the facility's risk-based tier, the more robust the security measures and the more frequent and rigorous the inspections will be. The purpose of inspections is to validate the adequacy of a facility's SSP and to verify that measuresentified in the plan are being implemented.

Implementation Status To date, the Department has reviewed more than 39,000 Top-Screen consequence assessment questionnaires submitted by potentially high-risk chemical facilities. Since June 2008, we have notified more than 7,000 preliminarily tiered facilities that they have been initially designated as high-risk and are thus required to submit SVAs; we have nearly completed our review of the almost 6,200 SVAs that have been submitted. In May 2009, we began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or ASP.

In May 2009, the Department issued 141 final tier determination letters to the highest risk (Tier 1) facilities, confirming their high-risk status and initiating the 120-day time frame for submitting an SSP. After issuing this initial set of final tier determinations, the Department periodically issued notifications to additional facilities of their final high-risk status. To date, more than 4,000 additional facilities have received final high-risk determinations and tier assignments, and several hundred that were preliminarily tiered by DHS were informed that they are no longer considered high-risk.

CFATS currently covers 4,755 high-risk facilities nationwide across all 50 states, of which 4,094 facilities have received final high-risk determinations and due dates for submission of an SSP or ASP. More than 4,000 facilities have submitted SSPs (or ASPs) to date, and the Department is in the process of reviewing these submissions. The Department continues to issue final tier notifications to facilities across all four risk tiers as additional final tier determinations are made by the Department.

In February 2010, the Department began conducting inspections of final-tiered facilities, starting with the Tier 1-designated facilities, and has completed more than 175 pre-authorization inspections to date. The Department intends to use these initial inspections to help gain a comprehensive understanding of the processes, risks, vulnerabilities, response capabilities, security measures and practices, and any other factors that may be in place at a regulated facility that affect security risk in order to help facilities submit SSPs that can be approved under CFATS. After DHS issues a letter of authorization for a facility's SSP, DHS will conduct a comprehensive and detailed compliance inspection before making a final determination as to whether the facility has appropriately enacted their SSP. Facilities that have successfully implemented their approved SSPs and have passed an inspection will be considered in compliance with the required performance standards.

A critical element of the Department's efforts to secure the nation's high-risk chemical facilities, the SSP enables final high-risk facilities to document their individual security strategies for meeting the Risk-Based Performance Standards (RBPS) established under CFATS. Each high-risk facility's security strategy will be unique, as it depends on the facility's risk level, security issues, characteristics, and other factors. Therefore, the SSP tool collects information on each of the 18 RBPS for each facility. The RBPS cover the fundamentals of security, such as restricting the area perimeter, securing site assets, screening and controlling access, cybersecurity, training and response. The SSP tool is designed to take into account the complicated nature of chemical facility security and allows facilities to describe both facility-wide and asset-specific security measures. The Department understands that the private sector generally, and CFATS-affected industries in particular, are dynamic. The SSP tool allows facilities to involve their subject-matter experts from across the facility, company and corporation, as appropriate, in completing the SSP and submitting a combination of existing and planned security measures to satisfy the RBPS. The Department expects that most approved SSPs will consist of a combination of existing and planned security measures. Through a review of the SSP, in conjunction with an on-site inspection, DHS will determine whether a facility has met the requisite level of performance given its risk profile and thus whether its SSP should be approved.

Along with the initial group of final Tier 1 notifications and the activation of the SSP tool in May 2009, DHS issued the Risk-Based Performance Standards Guidance document. The Department developed this guidance to assist high-risk chemical facilities subject to CFATS in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the appropriate level of performance for the RBPS at each tier level. The Guidance also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose - whether or not in the Guidance - provided that they achieve the requisite level of performance under the CFATS RBPS. The Guidance will, however, help high-risk facilities gain a sense of what types and combination of security measures may satisfy the RBPS. The Department has also offered regular SSP training webinars to assist high-risk facilities with completing their SSPs.

For additional context, I would like to provide you with an example of how some facilities may be approaching the development and submission of their SSPs: in the case of a Tier 1 facility with a release hazard security issue, the facility is required to restrict the area perimeter appropriately, which may include preventing breach by a wheeled vehicle. To meet this standard, the facility is able to consider numerous security measures, such as cable anchored in concrete block along with movable bollards at all active gates or perimeter landscaping (e.g., large boulders, steep berms, streams, or other obstacles) that would thwart vehicle entry. The Department will approve the security measure as long as it is determined by the Department to be sufficient to address the applicable performance standard. Under Section 550, the Department cannot mandate a specific security measure to approve the SSP.

In June 2010, the Department issued its first Administrative Orders under CFATS to 18 chemical facilities for failure to submit an SSP. Throughout the remainder of the year, the Department issued an additional 47 Administrative Orders to chemical facilities that had failed to submit an SSP in a timely manner. Administrative Orders are the first step toward enforcement under CFATS.  An Administrative Order does not impose a penalty or fine, but directs the facility to take specific action to comply with CFATS - in this case, to complete the SSP within 10 days of receipt.  If the facility does not comply with the Administrative Order, however, the Department may issue an Order Assessing Civil Penalty of up to $25,000 each day the violation continues, or an Order to Cease Operations. All 65 facilities that received an Administrative Order ultimately completed their SSPs following receipt of the Administrative Order, or providing amplifying information to the Department, that satisfactorily explained why they had failed to meet the deadline for submitting their SSPs, and thus, no further enforcement action was necessary. As CFATS implementation progresses, the Department expects to continue to exercise its enforcement authority to ensure CFATS compliance.

Outreach Efforts Since the release of CFATS in April 2007, the Department has taken significant steps to publicize the rule and ensure that the regulated community and our security partners are aware of its requirements. As pa