The Department of Homeland Security has been dogged by persistent criticism over excessive bureaucracy, waste, ineffectiveness and lack of transparency. Congress estimates that the department has wasted roughly billions in failed contracts.
A terrorist attack on the nation’s high-risk chemical facilities could prove catastrophic. Toxic chemicals could be released from the facility or stolen to produce chemical weapons which could be used to inflict mass causalities in the United States.
Although the US established the Chemical Facility Anti-Terrorism Standards (CFATS) over a decade ago, CFATS has struggled with a laundry list of significant challenges—including backlogs, mismanagement, and missed goals—hindering the program’s mission to protect the nation against chemical terrorism.
And CFATS is still struggling, according to a recent Government Accountability Office (GAO) audit report. After conducting a recent assessment of the current status of CFATS, GAO auditors determined errors in facility-reported data may be preventing the program from lessening the nation’s risk of a terrorist attack on chemical facilities.
“Individuals intent on using or gaining access to hazardous chemicals to carry out a terrorist attack continue to pose a threat to the security of chemical facilities and surrounding populations,” GAO said “DHS, through the CFATS program overseen by the Office of Infrastructure Protection’s Infrastructure Security Compliance Division (ISCD, has made progress in identifying chemical facilities that pose the greatest risks and in expediting the time it takes to approve security plans.”.
“However,” GAO continued, “DHS has not taken steps to mitigate errors in some facility-reported data and does not have reasonable assurance that it has identified all of the nation’s highest-risk chemical facilities.”
Sen. Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Governmental Affairs said GAO’s audit “shows DHS has made real progress and has significantly accelerated its pace for reviewing security plans and chemical facilities since the law went into effect. However, GAO also noted numerous challenges remain.”
Carper said DHS still “needs to shore up its processes for addressing noncompliant facilities, and verify key information in order to accurately assess risk. DHS should take GAO’s recommendations to heart. My staff and I plan to engage the department early and often in order continue to make the program better. If Congress, the administration and industry work together, as we’ve done before, we can continue to make progress and “shape a program” that keeps these vital facilities and the jobs they provide secure, protects our communities and the environment, and allows our businesses to thrive.”
The CFATS program was established pursuant to the Department of Homeland Security Appropriations Act in 2007. Then, in December 2014, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act reauthorized the CFATS program for an additional 4 years while also imposing a number of requirements to improve the program.
Prior to the legislation’s approval, Homeland Security reported a congressional report produced by former Senate Committee on Homeland Security and Governmental Affairs ranking member Sen. Tom Coburn (R-Okla.) determined the recent DHS’s $600 million effort to improve the nation’s resiliency in the fact of an attack on chemical facilities was a “near total failure.”
In 2013, a Government Accountability Office (GAO) audit report disclosed it had found “critical flaws still existed in DHS’s approach to calculating risk, meaning DHS could be focusing and regulating the wrong facilities; a seven to nine year backlog of chemical facilities’ security plans in the CFATS program; and poor engagement and transparency with regulated companies.”
In addition, a 2013 DHS Inspector General audit identified “thirteen major deficiencies in the CFATS program, including a continuing backlog, lack of appropriate employee training, wasted funds and a culture of management-retaliation and suppression of opposing opinions against employees.”
“Today there is little, if any, evidence to show that the more than half a billion dollars DHS has spent created an effective chemical security regulatory program or measurably reduced the risk of an attack on our chemical industrial infrastructure,” Coburn said at the time.
Coburn added, “Since its creation, the CFATS program has been beset by chronic mismanagement, missed goals, backlogs and regulatory excess. This program exists to increase our nation’s security against attacks on chemical facilities, but it hasn’t adequately met that goal. Combined with the current leadership at CFATS, I am confident this bill will provide the necessary fixes to put the program on track to reducing our nation’s vulnerability to chemical terrorism.”
GAO’s most recent audit indicated the CFATS program continues to struggle to overcome some of these challenges. Specifically, Infrastructure Security Compliance Division (ISCD) categorized approximately 2,900 facilities as high-risk based on unverified and self-reported data in evaluating facilities for a toxic release threat, which is essentially the threat posed to surrounding populations if the toxin was released.
One of the aspects considered in determining the toxic release threat is the distance of concern— an area in which exposure to a toxic chemical cloud could cause serious injury or fatalities from short-term exposure. ISCD requires facilities to calculate this distance using a web-based tool, but ISCD does not verify facility-reported data for facilities it does not categorize as high-risk for a toxic release threat.
However, GAO estimated more than 2,700 facilities (44 percent) of an estimated 6,400 facilities with a toxic release threat misreported the distance. Consequently, the audit recommended DHS verify the distance of concern reported by facilities is accurate.
In addition, GAO also discovered ISCD has made substantial progress in approving site security plans and conducting compliance inspections. However, ISCD does not consistently ensure compliance and effectively measure program results. Compliance with site security plans is essential, since these outline the planned measures that facilities agree to implement to address security vulnerabilities.
To ensure consistency in addressing non-compliance with the CFATS program, DHS must make sure it has documented processes and procedures for managing non-compliant facilities.
Currently, ISCD addresses compliance issues on a case-by-case basis. GAO revealed almost half (34 of 69) of the facilities ISCD inspected as of February 2015 had not implemented one or more planned measures by deadlines specified in their approved site security plans and therefore were not fully compliant with their plans.
The audit report stated, “Given that ISCD will need to inspect about 2,900 facilities in the future, having documented processes and procedures could provide ISCD more reasonable assurance that facilities implement planned measures and address security gaps.”
As an important part of the nation’s counter-terrorism efforts, strengthening the CFATS program will continue to be a critical way to keep dangerous chemicals out of the hands of those who wish to do us harm. DHS concurred with GAO’s recommendations and has outlined steps to address them.
DHS concurred with GAO’s recommendations and has taken steps to address them. According to Bob Davis, National Protection and Programs Directorate, DHS believes that documenting processes to track non-compliant facilities is worthwhile and, as had previously been done with all other major aspects of CFATS implementation, the Department is in the process of developing and documenting such procedures for this final stage of the CFATS process.
In addition, as recommended by GAO, the Department will develop a performance measure that includes only planned measures that have been implemented and verified. Davis explained that, “It is important to note there is no single measure that can fully capture the impact of CFATS. This is due to the complexity of the CFATS program and the many ways in which it reduces risks.”
Finally, DHS has begun developing a revised Top-Screen application and supporting tiering methodology that eliminates the need for facilities to calculate and self-report Distances of Concern. While this is in development, DHS will establish a process through which it will verify Distances of Concern submitted in new Top-Screens for accuracy before finalizing a preliminary tiering result for any facility with threshold quantities of a release-toxic chemical of interest.
The third leg of the Site Security Plan (SSP) compliance program, the compliance inspection results, also continues to be ignored in the CFATS Fact Sheet. The compliance inspection program determines if the facility is actually living up to its obligations outlined in the authorized and approve site security plan. This is the only real measure of whether or not a facility is secured against potential terrorist attack.
A copy of the codified CFATS Act of 2014 can be found online at the House of Representatives’ Website
Levels of Concern guide for information on AEGLs