Thousands of companies nationwide that handle hazardous chemicals are entering a new chapter in the implementation of federal security regulations as they submit site security surveys and await site inspections by the U.S. Department of Homeland Security (DHS).
DHS’s Chemical Facility Anti-Terrorism Standards (CFATS) program represents the first-ever security regulation of the chemical sector by a still-young federal agency. Further, CFATS compliance is performance based, whereas the covered industries are far more accustomed to prescriptive safety and environmental regulations.
Houston-based chemical sector attorney Steven E. Roberts says there’s “still a lot of uncertainty” about what to expect. The stakes are high as noncompliance penalties can include fines of up to $25,000 per day or cessation of operations.
Using mandatory, Web-based vulnerability assessments, DHS has determined that more than 6,000 operations are subject to CFATS and has divided them into four risk-based tiers. The 140 highest-risk facilities fall into Tier 1, the next 681 into Tier 2, and roughly 1,600 in Tier 3. The more than 3,900 facilities that fall into Tier 4 began receiving notification late last year.
Upon receiving their tiering designation, the facilities have 120 days—roughly four months—to submit mandatory site security plans (SSPs) to DHS.
During a recent Webcast on CFATS hosted by IndustryWeek and PriceWaterhouseCoopers, David Moore of AcuTech Consulting Group explained that the SSP is really not a plan at all, so much as a 1,500-item questionnaire about security at regulated sites. The questionnaire is based on the 18 risk-based performance standards laid out in the CFATS regulations issued by DHS; they cover topics ranging from perimeters and access controls to cybersecurity and records.
Through review of the SSPs, regulators, together with operators, plan to work toward measures that adequately mitigate vulnerabilities, which will then be the subject of DHS site inspections to follow.
Bob Stephan, former DHS assistant secretary for infrastructure protection who oversaw CFATS for its first two years, said during the Webcast that regulated operators should view DHS as a partner in achieving compliance, not an adversary.
“This is not a ‘gotcha’ process,” said Stephan, now a consultant with Dutko Global Risk Management. “Everything about CFATS, from DHS’s perspective, is an open-book exam. They’re attempting to find out what you do now…not trying to goad you into lots of expensive unnecessary measures,” he said.
Similarly, Moore described the SSP process as a “negotiation between you—the site—and DHS, for compliance. So there is no one-size-fits-all solution.” He warned, however, that operators should be prepared to pass an intensive review when inspectors finally arrive on site. “They expect layering. The higher the risk they perceive, the more you’re going to have to prove that it’s very difficult to achieve a terrorist act,” he said.
Stephan also drew attention to an enticing, if little-understood, option in the final rule: submission of an alternative security program (ASP) in lieu of an SSP “to leverage existing security investments.”
DHS spokeswoman Amy Kudwa tells Security Management that any regulated operation can submit an existing security program that satisfies the risk-based performance standards for consideration by DHS as an ASP. “We also are willing to consider ASP submissions by facilities that may need to comply with CFATS for, for example, possession of a single chemical of interest that represents one security issue,” she says.
Highlighting the point that compliance with CFATS requires that chemical facilities report themselves to DHS, industry attorney Evan Wolff of the firm Hunton & Williams urged that operators who believe they are subject to CFATS file an initial “top-screen” risk assessment with DHS. If they have not already done so, Wolff noted the old adage, better late than never.
Further easing compliance anxiety, Wolff urged regulated entities to apply for extensions based on cause. “DHS has always been reasonable about granting them,” Wolff said.
@ For more detailed CFATs compliance analysis, see “CFATS and Comprehensive Chemical Security Management,” by Lee Salamone, Brad Fuller, and H.M. Leith in a July online exclusive for Security Management. You can also read the list of CFATS-regulated chemicals and quantities and DHS’s Risk-Based Performance Standards Guidance at "Beyond Print."