[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS UPDATE

HEARING
BEFORE THE
SUBCOMMITTEE ON ENVIRONMENT AND THE ECONOMY
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION

MARCH 14, 2013

Serial No. 113-15

Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov

U.S. GOVERNMENT PRINTING OFFICE
80-377 PDF WASHINGTON : 2013

COMMITTEE ON ENERGY AND COMMERCE

FRED UPTON, Michigan, Chairman

RALPH M. HALL, Texas
JOE BARTON, Texas, Chairman Emeritus
ED WHITFIELD, Kentucky
JOHN SHIMKUS, Illinois
JOSEPH R. PITTS, Pennsylvania
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE ROGERS, Michigan
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee, Vice Chairman
PHIL GINGREY, Georgia
STEVE SCALISE, Louisiana
ROBERT E. LATTA, Ohio
CATHY McMORRIS RODGERS, Washington
GREGG HARPER, Mississippi
LEONARD LANCE, New Jersey
BILL CASSIDY, Louisiana
BRETT GUTHRIE, Kentucky
PETE OLSON, Texas
DAVID B. McKINLEY, West Virginia
CORY GARDNER, Colorado
MIKE POMPEO, Kansas
ADAM KINZINGER, Illinois
H. MORGAN GRIFFITH, Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina

HENRY A. WAXMAN, California, Ranking Member
JOHN D. DINGELL, Michigan, Chairman Emeritus
EDWARD J. MARKEY, Massachusetts
FRANK PALLONE, Jr., New Jersey
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
MICHAEL F. DOYLE, Pennsylvania
JANICE D. SCHAKOWSKY, Illinois
ANTHONY D. WEINER, New York
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
JOHN BARROW, Georgia
DORIS O. MATSUI, California
DONNA M. CHRISTENSEN, Virgin Islands
KATHY CASTOR, Florida
JOHN P. SARBANES, Maryland
JERRY McNERNEY, California
BRUCE L. BRALEY, Iowa
PETER WELCH, Vermont
BEN RAY LUJAN, New Mexico
PAUL TONKO, New York

Subcommittee on Environment and Economy

JOHN SHIMKUS, Illinois, Chairman

PHIL GINGREY, Georgia, Vice Chairman
RALPH M. HALL, Texas
ED WHITFIELD, Kentucky
JOSEPH R. PITTS, Pennsylvania
TIM MURPHY, Pennsylvania
ROBERT E. LATTA, Ohio
GREGG HARPER, Mississippi
BILL CASSIDY, Louisiana
DAVID B. McKINLEY, West Virginia
GUS M. BILIRAKIS, Florida
BILL JOHNSON, Missouri
JOE BARTON, Texas
FRED UPTON, Michigan, ex officio

PAUL TONKO, New York, Ranking Member
FRANK PALLONE, Jr., New Jersey
GENE GREEN, Texas
DIANA DeGETTE, Colorado
LOIS CAPPS, California
JERRY McNERNEY, California
JOHN D. DINGELL, Michigan
JANICE D. SCHAKOWSKY, Illinois
JOHN BARROW, Georgia
DORIS O. MATSUI, California
HENRY A. WAXMAN, California, ex officio

CONTENTS

Hon. John Shimkus, a Representative in Congress from the State of Illinois, opening statement
    Prepared statement
Hon. Paul Tonko, a Representative in Congress from the State of New York, opening statement
Hon. Henry A. Waxman, a Representative in Congress from the State of California, prepared statement

Witnesses

Rand Beers, Under Secretary, National Protection and Programs Directorate, U.S. Department of Homeland Security
    Prepared statement
    Answers to submitted questions
David Wulf, Director, Infrastructure Security Compliance Division, U.S. Department of Homeland Security
    Prepared statement
    Answers to submitted questions
Stephen L. Caldwell, Director, Homeland Security and Justice, Government Accountability Office
    Prepared statement
    Answers to submitted questions
William E. Allmond, IV, Vice President, Society of Chemical Manufacturers and Affiliates
    Prepared statement
    Answers to submitted questions
Timothy J. Scott, Chief Security Officer and Corporate Director, the Dow Chemical Company, on Behalf of the American Chemistry Council
    Prepared statement
    Answers to submitted questions
Charlie Drevna, President, American Fuel and Petrochemical Manufacturers
    Prepared statement
    Answers to submitted questions
Rick Hind, Legislative Director, Greenpeace
    Prepared statement
    Answers to submitted questions

Submitted Material

Letter of March 12, 2013, from the National Association of Chemical Distributors to Messrs. Shimkus and Tonko

CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS UPDATE

THURSDAY, MARCH 14, 2013

House of Representatives,
Subcommittee on Environment and Economy,
Committee on Energy and Commerce
Washington, DC.

The subcommittee met, pursuant to call, at 10:07 a.m., in room 2322 of the Rayburn House Office Building, Hon. John Shimkus (chairman of the subcommittee) presiding.

Members present: Representatives Shimkus, Pitts, Murphy, Latta, Harper, Cassidy, McKinley, Bilirakis, Johnson, Barton, Tonko, Green, Schakowsky, McNerney, Barrow, and Waxman (ex officio).

Staff present: Nick Abraham, Legislative Clerk; Charlotte Baker, Press Secretary; Matt Bravo, Professional Staff Member; Jerry Couri, Senior Environmental Policy Advisor; David McCarthy, Chief Counsel, Environment and the Economy; Chris Sarley, Policy Coordinator, Environment and the Economy; Tom Wilbur, Digital Media Advisor; Jacqueline Cohen, Democratic Counsel; Greg Dotson, Democratic Staff Director, Energy and Environment; and Caitlin Haberman, Democratic Policy Analyst.

OPENING STATEMENT OF HON. JOHN SHIMKUS, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF ILLINOIS

Mr. Shimkus. I would like to call the hearing to order. We want to welcome our first panel, and I would like to recognize myself for 5 minutes for an opening statement.

Good morning. The Subcommittee is now in order and I want to recognize myself for 5 minutes. Today marks the fourth hearing we have had on CFATS and the third consecutive one we have had since I became the subcommittee chairman. Sadly, it has been a very painful process to see how badly CFATS had fallen short of our expectations and to see the struggle, both inside of DHS as well as externally, to get the program back on track.

There are some positive reports about progress from DHS, GAO, and the regulated stakeholders, but we have uncovered more details showing that in key areas the suggested progress is not what we had hoped. I think strides have been made to remedy many of the managerial concerns of 1 year ago, and some of our testimony will suggest communication lines have been opened in a way that could lead to longer-term achievements for the program.

By many accounts, Infrastructure Security Compliance Division Director David Wulf deserves a great deal of credit. Mr. Wulf, we appreciate your tireless, consistent, candid, and long-standing commitment to improving CFATS when others could not. I also think this process is merely meant to get us back to a semi-functional program, not a perfect or fully implemented program.

Unfortunately, underlying programmatic issues we discussed in the last hearing--such as the fact that CFATS risk assessment falls far short of DHS' own National Infrastructure Protection Plan and the CFATS regulations, and the long time frame for evaluating Site Security Plans, despite the incomplete risk assessment--continue to threaten the credibility of the program not only on the Hill, but with regulated stakeholders who are confused by many decisions made within the program.

As Chairman Upton has said before to DHS, we are all on the same side. The enemy here is the terrorists who would seek to harm our Nation. We need to work together to determine the best path forward for CFATS and its reauthorization, but we can't do so if we aren't fully informed and in a way that verifies the details coming forward.

That is why we are going to have some tough and balanced assessment of the program delivered by DHS, the Government Accountability Office, and the CFATS stakeholder community. Our witnesses today may not tell us exactly what we want to hear, but they will tell us what we need to know.

I want to thank all of these witnesses for appearing before our panel here today. I believe we are at a critical juncture for the success of the CFATS program in that the internal issues distracting the program are not our focus, but rather getting the program right, functioning effectively, efficiently, as Congress drafted the law. Their perspective will be crucial in getting serious questions answered by the program and our ability to work together.

[The prepared statement of Mr. Shimkus follows:]

Prepared statement of Hon. John Shimkus

Today marks the fourth hearing we have had on CFATS, and the third consecutive one we have had since I became subcommittee Chairman. Sadly, it has been a very painful process to see how badly CFATS had fallen short of our expectations and to see the struggle, both inside DHS as well as externally, to get the program back on track.

There are some positive reports about progress from DHS, GAO and the regulated stakeholders, but we've uncovered more details showing that in key areas the suggested progress is not what we had hoped. I think strides have been made to remedy many of the managerial concerns of one year ago and some of our testimony will suggest communication lines have been opened in a way that could lead to longer term achievements for the program.

By many accounts, Infrastructure Security Compliance Division (ISCD) Director David Wulf deserves a good deal of credit. Mr. Wulf, we appreciate your tireless, consistent, candid, and long-standing commitment to improving CFATS when others could not. I also think this progress is merely meant to get us back to a semi-functional program, not a perfect or fully implemented program.

Unfortunately, underlying programmatic issues we discussed in the last hearing--such as the fact that CFATS risk assessment falls far short of DHS's own National Infrastructure Protection Plan and the CFATS regulations, and the long time frame for evaluating site security plans, despite the incomplete risk assessment--continue to threaten the credibility of the program not only on the Hill, but with regulated stakeholders who are confused by many decisions made within the program.

As Chairman Upton has said before to DHS, we are all on the same side, the enemy here is the terrorists who would seek to do harm to our nation. We need to work together to determine the best path forward for CFATS and its reauthorization, but we can't do so if we aren't fully informed and in a way that verifies the details coming forward.

That's why we are going to have some tough but balanced assessments of the program delivered by DHS, the Government Accountability Office, and the CFATS stakeholder community. Our witnesses today may not tell us exactly what we want to hear, but they will tell us what we need to know.

I want to thank all of these witnesses for appearing before our panel here today. I believe we are at a critical juncture for the success of the CFATS program, in that the internal issues distracting the program are not now our focus, but rather getting the program right, functioning effectively, efficiently, as Congress drafted the law. Their perspective will be crucial to getting serious questions answered by the program and our ability to work together.

# # #

Mr. Shimkus. And with that I would like to yield 1 minute to the gentleman from Texas, Mr. Barton.

Mr. Barton. Thank you, Mr. Chairman, for holding this hearing today. Two years in a row this subcommittee has convened a hearing to discuss the concerns with the CFATS program. Last year, we became aware of an internal DHS memorandum which detailed an array of management flaws and achievement gaps with that program. One of the witnesses today was a co-author.

When news of these problems surfaced, several Members of Congress, including myself, asked the GAO to determine what actions DHS was taking to address the problems. We learned in the GAO report that resulted of a 94-item Action Plan that DHS developed to address those various issues. I understand today that the most egregious examples of waste of taxpayer dollars have been addressed but there is still work to do.

We are at a critical juncture. DHS has been reviewing information since 2007 by operators of over 40,000 facilities. By January of this year, they had identified about 4,400 as high-risk facilities. Of those, about 90 percent were tier-based on the risk that they presented--meaning that they would have to submit Site Security Plans for DHS review. We now know that there have been significant errors in the risk assessment methodology. We also know that only a few dozen of the 3,100 high-risk security plans have been reviewed and approved.

There is much work to be done. I hope this hearing will facilitate some of that work.
Thank you for the hearing and thank you for the time and I yield back.

Mr. Shimkus. The gentleman yields back his time. The chair now recognizes the ranking member of the subcommittee, Mr. Tonko, for 5 minutes.

OPENING STATEMENT OF HON. PAUL TONKO, A REPRESENTATIVE IN CONGRESS FROM THE STATE OF NEW YORK

Mr. Tonko. Thank you. Thank you, Mr. Chairman. And good morning and thank you to our chair for convening this hearing and certainly to our witnesses for participating today and providing your insight and offering very important information.

Ensuring the safety of our citizens and avoiding serious disruption of our economy requires us to remain vigilant and to anticipate potential targets and actions of violent individuals and groups. The goal of the Chemical Facility Anti-Terrorism Standards, the CFATS program, is to ensure that chemical facilities have robust plans to prevent terrorists from sabotaging them and to minimize the impacts should that prevention fail.

Two years ago, an internal memorandum revealed serious problems with the CFATS program. While some progress has been made to address some of the shortcomings, there is still much more work to be done. That work surely falls to the Department of Homeland Security, clearly having more work to do, but also it falls to Congress.

Congress created the Department of Homeland Security in 2002 and charged DHS with coordinating federal policy to protect this Nation's critical infrastructure. This is a complex task involving not only the Federal Government but a partnership with state and local governments, as well as the private sector. Congress defined this complex and essential task of protecting chemical facilities with a paragraph in an appropriations bill. The deficiencies in this program are partly a reflection of our failure to come together and provide clear guidance to the administration.

The industry has been active in this area.
They have taken many steps through initiatives such as the Responsible Care Program to develop and disseminate best practices to member companies of industry organizations. These programs are, however, voluntary. Private industry does not have the tools of surveillance and intelligence as that which the Federal Government has. In order to be most effective, we must have partnerships working together and the program must have the public's confidence that their communities are indeed safe.

The public and the industry will benefit from a federal program that is developed with their input and in which standards, practices, and policies are defined clearly by the Department of Homeland Security. The CFATS program is not the only federal program regulating chemical facilities. Other federal departments and agencies have programs with longer histories and well-established protocols. There should be a consultation amongst federal agencies to apply best practices, identify gaps in responsibility, and to avoid conflicting regulations and policies.

I hope this will not be the last hearing on this issue. This committee should develop legislation that provides clear direction to DHS, certainty to the regulated industry, and confidence to the public that the CFATS program is providing the protection we require and deserve. A paragraph in an appropriations bill that must be renewed annually simply does not meet those needs.

I would like to thank all of our witnesses for appearing before us today. I look forward to your testimony and to hearing your views on how we can improve this most essential program. With that, I thank you. Mr. Chairman, I yield back.

Mr. Shimkus. I want to thank my colleague. And I can guarantee it will not be the last hearing on this issue, and we would like to authorize a program. So with that, I would like to turn to my colleagues on my side and ask if anyone would like to submit an opening statement. Seeing none, I turn to your side. No one?
Thank you very much. Now, I would like to recognize Mr. Rand Beers, the Under Secretary for the National Protection and Programs Directorate of the United States Department of Homeland Security. Sir, your full statement is in the record. You are recognized for 5 minutes.

STATEMENT OF HON. RAND BEERS, UNDER SECRETARY, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY; AND DAVID WULF, DIRECTOR, INFRASTRUCTURE SECURITY COMPLIANCE DIVISION, U.S. DEPARTMENT OF HOMELAND SECURITY

STATEMENT OF HON. RAND BEERS

Mr. Beers. Thank you, Chairman Shimkus and Ranking Member Tonko and other members of the committee. I appreciate the opportunity to be before you today to talk about the Department's regulation of high-risk chemical facilities.

Let me start by emphasizing that the CFATS program has already made the Nation more secure. The program has identified high-risk chemical facilities across the country. It has provided them with the tools to identify their vulnerabilities, and it has helped them to develop plans to reduce the risks associated with these chemicals.

Since its inception, CFATS has helped 3,000 chemical facilities eliminate, reduce, or otherwise modify their holdings so that they no longer possess potentially dangerous chemicals and are no longer considered high-risk. The significant reduction in the number of chemical facilities that represent the highest risk is an important success of the CFATS program and is attributable both to the design of the program as enacted by Congress and to the work of the CFATS personnel and industry at the thousands of chemical facilities that we work with on a regular basis.

Over the past year, NPPD has worked diligently to turn a corner and has addressed many of the challenges identified by the program's leadership. The CFATS program has made significant progress advancing programmatically while simultaneously addressing the internal operational concerns.
Equally important, the Department remains committed to working with stakeholders and with the Congress on a path forward to ensure that the CFATS program continues to build upon the successes to date.

Over the last 6 months ISCD has made considerable progress in conducting authorization inspections and approving Site Security Plans. When I was here in September, we had authorized 73 Site Security Plans. Today, we have authorized 261. That is a 400 percent increase. In September we had conducted 19 authorization inspections; today, we have conducted 141. That is a 700 percent increase. In September we had approved only two Site Security Plans; now, we have approved 52, including 3 Alternative Security Programs.

While these are significant achievements in the last 6 months, we recognize that we need to do much more and we need to increase the pace at which we are doing it. And we are looking at potential approaches for increasing the pace of security plan reviews and inspections for the lower Tier 3 and Tier 4 facilities without sacrificing quality and consistency. NPPD will work with the regulated community to gather feedback and thoughts on how best to increase the pace of the lower tiers.

For example, we have been looking with industry on the development of templates, or corporate alternative Security Programs, and we believe that the use of ASPs will significantly increase the pace and improve our security plans. We have also discussed ASPs with the Coast Guard and will apply the lessons that they have learned regarding their use of ASPs to take your point, Ranking Member Tonko, about talking to our partners who also have regulatory programs.

Regarding our private sector partners, the Department has received primarily positive feedback on outreach and communications efforts from the regulated community. And we will continue to address specific areas of interest to the CFATS community.
For instance, recognizing that regulated facilities best understand their risk drivers and in support of increased transparency, the Department is analyzing what aspects of the classified risk tiering methodology it can and should share with members of the regulated community. In fact, that particular question has been presented to the risk methodology external Peer Review Panel for analysis. And I might add that this is a peer review that includes private sector participation. And the Department is looking forward very much to the panel's recommendations with respect to this.

The Department has also actively engaged stakeholders regarding personnel surety. During the last 6 months, we have been listening to stakeholder feedback on personnel surety and we have revised our program based on this feedback. We now believe we have a proposal which provides the regulated community with flexibility for carrying out the outstanding requirement for personnel surety and reflects input from facilities of all sizes. This proposal balances the need to conduct thorough vetting of personnel for national security purposes with a desire to minimize the burden on facilities. Our engagement with the private sector will be reflected in two department Notices that have gone from the Department to the Federal Register and will be published in the coming days.

I close with a note regarding the Department's current statutory authority to implement CFATS. As you are aware, the CFATS authorization currently extends through March 27 of this year. The Department supports a permanent authorization for the CFATS program and we are committed to working with the Congress and other security partners to establish a permanent authority for the CFATS program in federal law.

Overall, I am here before you today convinced that we have positioned the program firmly on the right track and I would be happy to respond to any questions that you may have. Thank you.

[The prepared statement of Mr.
Beers and Mr. Wulf follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Shimkus. Thank you. Also joining at the first panel is Mr. David Wulf, who is the director of the Infrastructure Security and Compliance Division. Obviously, you didn't submit an opening statement, nor do you have one, but if you want to have anything just for the record, I would like to recognize you for a few minutes.

STATEMENT OF MR. WULF

Mr. Wulf. That would be great. Thank you so much, Chairman Shimkus. I would like to thank you, Ranking Member Tonko, and the other members of the subcommittee for the opportunity to testify here today.

ISCD has made great progress in addressing the challenges described in the internal memo and associated Action Plan that we presented to Under Secretary Beers in the fall of 2011. With strong support from leadership in the National Protection and Programs Directorate and the Office of Infrastructure Protection and through much hard work on the part of the talented men and women of ISCD, we have completed 88 of the 95 items outlined in our Action Plan.

We have developed improved policies, procedures, and training to ensure that inspections are conducted in a consistent and thorough fashion. We have implemented an effective streamlined SSP review process, a process that has greatly enhanced our ability to authorize, and as appropriate, grant final approval for Site Security Plans. We have also done much to stabilize our organization and our leadership cadre by hiring permanent supervisors, including a permanent deputy director, and we continue to foster transparency and open communication throughout our organization.

I would like to recognize our workforce, which truly has a passion for the mission of chemical facility security.
And I would like to recognize also the American Federation of Government Employees which represents our bargaining unit employees in the field, and has done much to expedite its review of key policies and procedures over the past several months.

In September I reported that we had turned an important corner in the implementation of CFATS. I am pleased to be able to report today that not only has that corner been turned, but we are moving confidently down the road to realizing the full potential of the program. ISCD and the CFATS program are moving forward in a way that will foster continued advances in the security of America's highest-risk chemical facilities.

We have achieved a marked increase in the pace of SSP authorizations, facility inspections, and approved Site Security Plans. As the Under Secretary noted, we have authorized more than 260 SSPs and granted final approval for 52 of those. We anticipate completing approvals of Site Security Plans for facilities in the highest-risk tier, Tier 1, by September of this year and completing final approvals of Tier 2 SSPs by May of 2014. Reviews and authorizations of Tier 3 SSPs are now underway as well.

However, recognizing that we must find ways to become ever more efficient and effective in our inspection and SSP review processes, we will be looking closely at, and soliciting stakeholder input on, options to streamline the review and approval cycle for facilities in Tiers 3 and 4. I do anticipate that ASP templates will be an important tool to enhance the efficiency of our reviews. The American Chemistry Council recently worked with us to develop an ASP template and we continue to work with industry associations such as SOCMA, AFPM, and the National Association of Chemical Distributors, who are all considering the adoption of ASP templates for their member companies.

So even as we continue to seek ways to improve, it does bear noting that ISCD's chemical security inspectors are today providing compliance assistance to facilities and conducting inspections at an unprecedented rate. And I am pleased to report that I have received much favorable feedback from our industry stakeholders about their experience with these inspections. As you know, and this is something for which I am profoundly grateful, our stakeholders are not shy when it comes to expressing their candid thoughts and concerns about the program. So I am confident that when I am hearing positive things from industry about their facilities inspections-related experiences, we are on the right track.

I would like to share one quote from Cathi Cross, Director of Security for Phillips 66 regarding a recent inspection in Oklahoma. Ms. Cross conveyed to me that her facility's experience with the DHS inspectors "was a very positive one...that the members of the ISCD inspection team were knowledgeable, courteous, and quite helpful in their collaborative approach as they evaluated the facility, its SSP draft, and planned measures." Continuing, Ms. Cross noted that "the inspectors provided thoughtful comments and were receptive to alternate proposals for meeting security objectives."

So ISCD continues to fully engage with our industry stakeholders, and I very much appreciate industry's continued support for the program. And our stakeholder engagement continues to take many forms. At the facility level, in addition to inspections, we continue to conduct compliance assistance visits and other outreach to work with the facilities as they develop their Site Security Plans.

We also engage with stakeholders on important programmatic issues. We continue to work on the development of ASP templates, and we are in the process of gathering industry feedback as we move forward to improve our suite of online tools.
Also, as the Under Secretary noted, we recently concluded a productive and extensive series of discussions on the important issue of personnel surety. Ensuring that those who seek unescorted access to high-risk chemical facilities are vetted for terrorist ties is a critical piece of the CFATS effort and one that we must move forward to implement in the near term.

I am also appreciative of the work done by GAO and the perspectives GAO has offered us on the CFATS risk-tiering methodology and on the management and tracking of our stakeholder outreach activities. With regard to our risk-tiering efforts, while I am confident that our current methodology, with its focus on the consequences of a potential terrorist attack, is appropriate for a regulatory compliance program such as CFATS, considering ways in which our tiering efforts may be enhanced is something to which we are very much open at ISCD. I am very much eagerly anticipating the results of our external peer review in this regard on risk-tiering and any recommendations that may be forthcoming from the Peer Review Panel.

As for our external outreach, ensuring that we appropriately track and manage our outreach activities is an important priority for ISCD and one that we will pursue.

Thank you again for the opportunity to provide an update on the forward progress the CFATS program continues to make. It is an honor and a privilege to serve with the dedicated professionals at ISCD. I firmly believe we have made much progress in coming together as a regulatory compliance organization, and along with the rest of the ISCD team, I am excited and optimistic about the future of the CFATS program.

Thank you again for the opportunity and I welcome any questions that you may have. I apologize for the extra 30 seconds.

Mr. Shimkus. Oh, you are fine. Thank you, Mr. Wulf.
And before I recognize myself for the first round of questions, I think just a comment for staff--especially, I think we have some guests in the room--is that maybe we need to put up a placard that defines these acronyms, because if you are visiting this room and you have no idea what these acronyms are, you are like probably listening to Chinese. So stuff like CFATS--Chemical Facility Anti-Terrorism Standards. We will talk about NIPP, which is the National Infrastructure Protection Plan. We will talk about ASP, Alternate Security Plan. So we know there are a lot of you that are well knowledgeable out there, but we probably could do better by having a display of some of these acronyms out there. So I am from the military a long time ago so we were acronym-focused also.

So I will recognize myself for the first 5 minutes of questions and my questions will be directed to Mr. Beers.

Mr. Beers, GAO says CFATS does not consider or analyze vulnerability threat or economic consequence during the tiering process. We knew about the vulnerability gap but not the others. But in GAO's testimony--Government Accounting Office--when would the regulated community, the Hill, and others have learned of this?

Mr. Beers. Sir, I do not know when the vulnerability issue surfaced specifically, but I do know that it surfaced within at least the last year as far as I am aware. With respect to the economic consequences issue, as I was not present when the program was originally briefed to this committee and other committees, I am simply unaware of when or whether that might have been brought to the Committee's attention.

Mr. Shimkus. Yes. So the follow-up is, had not Chairman Upton, Joe Barton, Henry Waxman not asked for this GAO report, we on the Hill and stakeholders may not have learned of the vulnerability gap. Is that safe to say?

Mr. Beers. Sir, that is certainly a conclusion that can be drawn from that.
But one thing that I would add to that, which David and I have both spoken of, is that one of the things that we have asked of the peer review committee after our own internal review is that this methodology be looked at independently. Obviously, we are going to take note of the GAO's comments on this and it is certainly our intention to have full disclosure with you all, and if some of the material is classified, we will do that in a classified setting. Mr. Shimkus. Thank you. According to the National Infrastructure Protection Plan, risk is a function of three components: consequence, threat, and vulnerability--we did this in the last hearing--and a risk assessment approach must assess each one. Have you analyzed the effect of not considering vulnerability for all the regulated facilities? Mr. Beers. Sir, we have. The rationale behind that is that while we have---- Mr. Shimkus. Did your mike go off or it is not pulled close enough? Mr. Beers. Let me start over again. We looked at consequences and threats and gave them a definition in the tiering methodology, but because vulnerability was what the whole program was about reducing and because we did not have the kind of data that we needed in order to be able to assign vulnerability factors with specific and differentiated levels, we chose to hold that constant, tier on the basis of threat and consequence, and ask the facilities then to come back to us with an indication of what their vulnerabilities were and to work with them on Site Security Plans to deal with those vulnerabilities. The consequence of this is that the tiering works to set them aside by threat and vulnerability and the whole endgame is about reducing vulnerability or risk. So we chose to hold that constant in the tiering; we chose to deal with that through the Site Security Plan process. Mr. Shimkus. 
And I guess then our follow-up would be we think you have evaluated part of the threat, not the entire threat, and there is no economic process that has been defined so far which is a part of that whole calculation. But you did identify in your comment about up-to-date data. So what is the effect of not using up-to-date threat data in the risk-tiering approach? Mr. Beers. Sir, as we go through this process, if there is additional threat data or altered threat data, our intention is to include that. That is certainly something that we are talking with the Peer Review Committee about and my guess is we will get some different information. David, do you want to add to that? Mr. Wulf. Yes, I would. Yes, the tiering methodology, as it currently exists, is certainly very much consequence-based. I think that consequence is tied very much directly to threat as we use the threat in the tiering engine. Targets that have high value from a terrorist perspective in terms of the consequence will also typically have a pretty high score on the threat side. We are certainly very much open to ways in which we can enhance the tiering methodology and that is the very reason we are having this external peer review. But I think focusing principally on consequence in a regulatory compliance framework is an appropriate way to tier facilities. If we focused heavily on vulnerability in the actual tiering, we would have potential situations in which a facility would tier highly because of a heightened vulnerability that it identified. As a result of tiering highly, it would put into place hopefully significant and successful security measures to address the vulnerability. The vulnerability would then be diminished and theoretically that facility would tier out, not have those requirements any longer, conceivably have its vulnerability go up again, tier back in, and we would have sort of a roller coaster effect. 
So I think the way in which we and the CFATS program have woven the vulnerability factor into the remainder of the program in the facilities, assessment of vulnerabilities, in the development of their security vulnerability assessments, and in their development of Site Security Plans makes sense. That is not to say there isn't room for improvement and I certainly anticipate we will get some solid recommendations in those regards from the Peer Review Panel. Mr. Shimkus. Thank you. My time has expired. The chair now recognizes Mr. Tonko for 5 minutes. Mr. Tonko. Thank you, Mr. Chair. It appears that the Department of Homeland Security has good progress to report implementing their Action Plan to strengthen the CFATS program, but I am concerned that fundamental problems may still exist. I would like to focus on one of those concerns and that has just been the focus of the chair's address and that being the tiering of facilities. CFATS is a risk-based program meaning that facilities placed in a high-risk tier have to meet higher standards, I am told, for security. Lower-tiered facilities then meet lower standards. An error in tiering could mean that a high-risk facility is not adequately secured or that the owners and operators of a low-risk facility have to invest in unnecessary security measures. The tiering process must be, therefore, as accurate as possible. The Department published a National Infrastructure Protection Plan in 2006 and I believe revised it in 2009. This plan discusses how risk analysis for terrorism threats should be conducted. Under Secretary Beers, should the CFATS program be consistent with that plan, the developed plan of 2006, and improved in '09? Mr. Beers. Sir, the National Infrastructure and Protection Plan is a global statement of risk. All of the programs in the Department of Homeland Security should be in rough alignment with that. 
But we also have to recognize that different sectors and different companies may have some specifics that cause some alteration or some specific requirement relevant to them and perhaps only to them. But as a general measure, yes, that is correct, sir. Mr. Tonko. So as a general measure, we say yes. And according to the National Infrastructure Protection Plan, risk assessments must account for threat, vulnerability, and consequences. But that is not what CFATS, as a program, currently does. GAO is critical of the fact that apparently DHS completely ignores the potential economic consequences of a terrorist attack when conducting a risk assessment. And GAO is not the first to say this. In 2010, the National Academies published a report, requested by Congress, on department-wide efforts to analyze risk. And the Academies approved of the framework in the National Infrastructure Protection Plan but found that "many of the Department's risk-analysis models and processes are weak and are not on a trajectory to improve." According to Academies, the methods were not "documented, reproducible, transparent, or defensible." These are very serious criticisms and to address these issues the National Academies made a number of specific recommendations. So my question to you, Under Secretary, is that did the Department ever provide a formal response to the National Academies' report? Mr. Beers. Sir, there was a response by the Department to that. I can get you a copy of that. I don't have it on hand at this particular point in time. But we were certainly aware of the Academies' report and we did respond to it. Mr. Tonko. Under Secretary Beers, can you please explain the process you are currently engaged in to improve the risk assessment done in the CFATS program and whether it will respond to the recommendations made by GAO and the National Academies? Mr. Beers. 
Sir, let me respond on two levels here, first, to go back to the original premise, which is the threat, consequences, and vulnerability address how one should be dealing with risk and simply say we believe in the CFATS program that we do address all three of those aspects even though the tiering methodology, which is not the entire dealing with risk, only focuses on consequences and threat and holds vulnerability constant. But as I said in my earlier response to the chairman's question, we believe that the vulnerability part of that equation is dealt with in the development of the Site Security Plans. With respect to the larger question, I think that what we are trying to do here is work through a regulatory program which is different--the NIPP was really written in association with voluntary programs, which meant that while we could lay out best practices or standards or thoughts on how to deal with this, it was really entirely up to the companies in order to do that. And in the regulatory program, we have the ability to state whether or not their response is in fact adequate to the regulatory requirement that we have. And that makes it somewhat different from the framework in which the NIPP was written. But let me also turn to David Wulf to add anything that he may wish to add. Mr. Wulf. I would just add a couple of things. We committed to do three things when we encountered some issues with the tiering methodology. One was to do an internal documentation of our processes and our methodology, do sort of an internal department look at the CFATS methodology and to do what is ongoing right now, the external peer review. As we conducted our documentation, we have tried to be transparent about what we found. We have talked through issues with staff up here, with our industry stakeholders, and have tried to keep everyone abreast of the progress we are making on the economic criticality piece of this, of the consequence assessment in the tiering methodology. 
In that regard, I would note for the Committee that we are actively engaged in trying to address the economic consequence part of the equation. We are working with Sandia National Labs on that effort. I received a briefing I want to say a couple of months ago. Our expectation is that Sandia's work--and it is difficult stuff assessing economic consequences of potential terrorist attack--will be complete in early 2014. We anticipate talking through the Sandia findings with our stakeholders. We are not going to proceed in a vacuum as we look to incorporate economic consequence into the model, but I do believe, as I think you do as well, that it is an important piece to the puzzle. So we are going to continue to seek to improve the methodology. The thing we struggle with is trying to be a continually improving program, at the same time trying to afford a degree of certainty to our industry stakeholders for whom it would be difficult to have an ever-changing target in terms of the tiering. So we have to balance all of that, but we are taking a hard look at it all. Mr. Tonko. Thank you. Mr. Shimkus. The gentleman's time has expired. Again the NIPP is the National Infrastructure Protection Plan again for our guests who are now leaving. So the chair now recognizes the gentleman from Pennsylvania, Mr. Pitts, for 5 minutes. Mr. Pitts. Thank you, Mr. Chairman. Under Secretary Beers, according to the NIPP, risk management should help focus planning and allocate resources. How can you prioritize resources and manage risk if you don't differentiate between threat or vulnerability? Mr. Beers. Sir, we definitely do differentiate between threat and vulnerability. What we have tried to do here is ensure that the compliance part of the effort which is to buy down risk, it was measured against the threat-and-consequence tiering of the tiering methodology. 
So the whole program is designed to reduce the vulnerability to the American people, to the communities that surround those facilities. And every effort is made through the risk-based performance standards to help those facilities produce Site Security Plans that in fact protect the communities in which they live far more than when there was no regulation on those facilities. Which is not to say that they weren't trying in their own way to do that, but what we have tried to do is to provide a general way in which they can approach that to help them or to give them thoughts about other ways that they might think about buying down that risk by reducing the vulnerabilities through their Site Security Plans. David, would you add anything? Mr. Wulf. No. I think that pretty well covers it. The vulnerability is, as I have expressed, woven through the fabric of the program in the security vulnerability assessments that facilities conduct, and in their development of Site Security Plans. Mr. Pitts. Given incomplete aspects of your risk assessment model, are you confident that the CFATS risk-tiering approach adequately tiers facilities? Mr. Beers. Based on the way that we have put forward the methodology, we are confident that the general model is correct, as has been indicated here. We are going to look at economic consequences to see whether or not--and if so, how--that ought to be injected into the methodology. And we are reviewing the threat information as well. So this, as David just said, is not a static program and we are looking for assistance and help from the peer review effort to see how we might do a better job. But as David also said, we want to do this in a fashion in which we are not constantly changing and moving everything because industry also needs a degree of stability as they consider how to improve their own site security. Mr. Pitts. Now why do you collect data, information that you do not use? 
Regulated facilities are required to provide substantial information to facilitate the tiering process but ISCD only uses a small amount of this data. Mr. Wulf. My assessment is that all of the data that we take in is valuable to the program, and it is useful as we evaluate, not only the tiering as we assign risk tiers but as we look at evaluation of Site Security Plans. So the questions and the information that is provided in response to those questions I think goes a long way toward prompting facilities to give thought to their vulnerabilities and to incorporate appropriate responses to those vulnerabilities and to implement security measures appropriate to respond to those vulnerabilities as they develop their Site Security Plans. Mr. Pitts. My time has expired. Thank you. Mr. Shimkus. The gentleman's time has expired. I would hope that he will pay close attention to the GAO report because they say, obviously, there is a lot of data that is not used and that is the reason why that question is asked. Five minutes to Mr. Green. Mr. Green. Thank you, Mr. Chairman. Welcome to our panel. Under Secretary Beers, in your testimony for today's hearing you state that DHS will be publishing a revised Personnel Surety Program rule next week. Regarding the PSP, are you able to commit today that the new rule will allow similar credential programs like the TWIC program for land-based--so we would have one ID for employees whether they work for a company's land-based site or the water-based site? Mr. Beers. Sir, you are correct. We have provided our Personnel Surety Program notice to the Federal Register and the Department has provided a TWIC Reader Rule Requirement Program to the Federal Register also this week. Those will be published, I am told, next week. It takes that long to actually put it out. It will include the ability to use a TWIC card as a personnel identification and personnel surety credential within the program for those who qualify for the program. 
The larger TWIC reader rule will allow companies, facilities to know what kind of a validation system they have in order for those TWIC cards to be validated as individuals pass into those facilities. That was, as you will recall, an original requirement of the whole TWIC program, which has been operating unfortunately without that reader rule requirement up to this point in time. Mr. Green. Well, and we have talked about this for a couple of years now and I appreciate the agencies doing that because a lot of plants have waterside and land-based--and employees move back and forth and most of the time the employees have to buy those cards themselves and it just seems like it did not make any sense to make an employee, you know, have to buy two cards that really should be issued by the Federal Government. You only need one. Mr. Beers. I couldn't agree with you more, sir. Mr. Green. And can you share the efforts the Department made to incorporate both employee and union interest, because I know of some in my area--we have steelworkers that represent my refiners and chemical plants, a number of them. Were they involved in this decision or received input? Mr. Wulf. The earlier information collection request that was withdrawn during the summer was open for comment across the board. We did not work specifically or discuss any of this specifically with labor unions. Mr. Green. OK. Well, I know one of their concerns is that their members would have to have these two cards. And when does your agency anticipate to complete the site security program review for all facilities and including Tier 3 and 4? Mr. Wulf. As I mentioned, we are looking to be through with Tiers 1 and 2 by the first part of 2014. With regard to Tiers 3 and 4, we are looking at ways that we can increase the pace of the review. I know the GAO, looking at sort of the current pace, has projected it could take between 6 to 9 years. That is a pace that is, in our view, not an acceptable one. 
I think that we are going to continue to see the pace quicken. I don't want to provide a certain date because I am sure I will be slightly off. But I think as we move forward with the heightened pace of inspections as we learn more about how to achieve efficiencies in the SSP reviews and the inspection process, we will get better at doing them and be able to inspect, review, and approve larger numbers of SSPs. I think the alternative security programs will provide a means to heighten the pace as well. So as those templates come into greater use, and particularly as they are used by multiple facilities within the same company, I think we will see the pace quicken significantly. We will also continue to look at the resources we have to do those inspections. We are bringing on board another 18 inspectors which will increase our capacity. We will continue to look at whether there might be a possibility of getting some additional folks on board as well. Mr. Green. Mr. Chairman, I know my time is--but there has been a substantial public sector investment and private sector investment and we would hope to see some of that, that they would have their security plans at least on what they have invested literally hundreds of millions of dollars on, both, like I said, public money and private money. Thank you, Mr. Chairman. Mr. Shimkus. The gentleman's time has expired. Before I move to Mr. Cassidy, just for clarification, Mr. Wulf, and for the transcriber, when you said the 6 to 9 years did you say is not an acceptable or did you say not unacceptable? Mr. Wulf. I said it is not acceptable. Mr. Shimkus. OK. Mr. Wulf. It is not an acceptable---- Mr. Shimkus. Great. Thank you. It caught my attention there for a second. So now the chair recognizes the gentleman from Louisiana, Mr. Cassidy, for 5 minutes. Mr. Cassidy. Hey, gentlemen. Thank you for being here. 
I understand that you all have done a heck of a lot of work to address some of the issues and as I have obviously been a sharp critic, so first, I thank you for your hard work that you have done. With that said, you might guess I have got a couple other concerns. The fact that you can---- Mr. Wulf. I said I suspected you might. Mr. Cassidy. The fact that you can buy down risk or buy down vulnerability by decreasing threat suggests that risk is some constant. You have some number for risk, however you calculate that number, that you would like to address. It is also my understanding, I think you said earlier, the review panel will come up with a new model in which they will assess both the economic consequences and life consequences and all these other factors in a more sophisticated fashion than currently you are doing. Are they going to have access to your data--this category of data, this continuum of data that you have--in order to see the robustness of their model? Mr. Wulf. Yes, sir. The Peer Review Panel has access to everything that we have, classified and otherwise. Mr. Cassidy. Now, is it possible that that will show that what you are currently doing is--I suppose that means if they are coming up with a new model, it will show either that you are doing a good job or that you are not doing a good job. Correct? Mr. Wulf. Well, I don't know that it is fair to say that the panel's charter is to come up with a new model. The charter is to take a fresh look at what we are doing. Mr. Cassidy. But if you don't currently have--I don't mean to interrupt, I am sorry. It is limited time. If you don't have economic consequences in there, and I understand at some point, reading the testimony or GAO report, that population density wasn't factored in some places. It certainly seems that you need a new model. Does that make sense? I mean if we are going to include economic consequences, and what you are doing now does not do so, then clearly you need new model. Mr. Wulf. 
As we look to incorporate economic consequences--and I should mention that at Sandia National Labs that is doing the work for us on economic consequences--but certainly something the Peer Review Panel can, and I suspect will, look at as well. As we move to incorporate that into the model certainly we would have to revise the model. Mr. Cassidy. So you do anticipate giving them access to your compendium of information for them to check to see the robustness of the model? Mr. Wulf. Absolutely. Mr. Cassidy. And will you share that with the Committee? Mr. Wulf. We can certainly look at that---- Mr. Cassidy. I mean, like, why wouldn't you? Mr. Wulf. I don't see why not. Mr. Cassidy. Yes. Now, if you decide upon this model as being that model which you should use, would you share it with the industry? Mr. Wulf. The underlying information? Mr. Cassidy. No, not the underlying information, the model itself. Because if, Mr. Beers, you say that they can buy down vulnerability by whatever--addressing in a greater way threat--I imagine you have some retrogression analysis and that you can plug these things in. Really, right now, it appears that there is a certain degree of subjectivity. Mr. Wulf. Well, looking---- Mr. Beers. Sir, we are committed. And that is one of the questions that we have asked the peer review to look at is, what should we share from the tiering methodology with them? Now, we have some parts of it which are currently classified. We are also looking at the possibility of declassifying some of that information as well. Because we firmly believe as the program has matured that the transparency of the tiering model is important. That will help them think about their own Site Security Plans in a better way than to simply use the risk-based performance standards by themselves. The objective here is to reduce risk. The objective here is to reduce vulnerability and we believe as we have considered this, that that kind of transparency is necessary. 
If there remains classified parts of the program, we will look at whether or not we can at least have some industry representatives, as we do generally with the National Infrastructure Protection Plan, cleared to receive classified information even if we can't make it broadly available. Mr. Cassidy. So I am asking now, not to challenge but rather for information, if you have a formula by which someone can decide what their relative risk is, you plug in these variables and you come up risk, it seems to me that--I don't know whether that would be classified. Listen, a 15-foot fence will get you here and a 30-foot fence will get you there and video cameras will get you here and armored cars will get you there. So knowing that some of the information is classified, are the variables that you plug in classified? Mr. Beers. David? Mr. Wulf. Some of the factors that go into the calculation of the risk score are classified. But I would just echo the Under Secretary's comments that fostering greater transparency for our stakeholders in tiering is one of our goals and certainly one that we are going to pursue. Mr. Cassidy. Last question--and you may have mentioned this earlier--when do you expect the panel to come back with their report and then ideally to run some of those compendium of information to check out what you have been currently doing and et cetera? Mr. Wulf. We are anticipating a report from the Peer Review Panel this summer. Mr. Cassidy. OK. Thank you. I yield back. Mr. Shimkus. The gentleman yields back his time. The chair now recognizes the ranking member of the full committee, Mr. Waxman, for 5 minutes. Mr. Waxman. Thank you, Mr. Chairman. Today's hearing underscores the need for reform of this program, and in my view, this committee should develop comprehensive reauthorization legislation. Today, GAO will testify that it will take 8 to 10 years before the Department can review and approve the Site Security Plans it has already received. 
Additionally, the Department must revise its risk analysis model, which could mean that the current tiering of facilities will have to be revised, requiring many facilities to begin the process over again. In the 111th Congress, the Committee produced a comprehensive Chemical and Water Facility Security Bill to finally set this program on the path to sustainable success. Mr. Beers, you testified in support of that bill as did representatives of the labor community, the environmental community, water utilities, and the chemical industry. At that time you said, "given the complexity of chemical facility regulation, the Department is committed to fully exploring all issues before the program is made permanent." I agree with that statement and I would like to explore some of those issues with you today. Mr. Beers, does the administration still support closing security gaps for wastewater and drinking water facilities? Mr. Beers. Yes, sir. Mr. Waxman. Does the administration still support maintaining EPA as the lead agency for drinking water and wastewater facilities with the Department supporting EPA's efforts? Mr. Beers. That is our position. Mr. Waxman. Does the administration still believe that all high-risk chemical facilities should assess inherently safer technology and that the appropriate regulatory entity should have the authority to require the highest-risk facilities to implement those inherently safer technologies if feasible? Mr. Beers. The statement at that time still remains the administration's position, sir. Mr. Waxman. Since we worked on that bill 3 years ago, additional challenges have come to light. Specifically, the internal review and memorandum prepared in November 2011 found serious problems. The Department produced an Action Plan to address these problems. That Action Plan included the formation of a task force to develop recommendations for legislative and regulatory changes to the CFATS program. 
My understanding is that the Department reports that it has completed development of those recommendations. Mr. Beers, when can we expect to see those recommendations? Mr. Beers. Sir, I will have to get back to you on that. I don't have specific answer on that question. Mr. Waxman. OK. Well, I look forward to you getting back and to have the record held open so that we can get that response. Mr. Shimkus. Without objection. So ordered. Mr. Waxman. As the Committee further considers the CFATS program, having your legislative recommendations for reforming the program would obviously be very helpful. Thank you, Mr. Chairman. I yield back my time. Mr. Shimkus. The gentleman yields back his time. The chair now recognizes the other gentleman from Pennsylvania, Mr. Murphy, for 5 minutes. Mr. Murphy. Thank you, Mr. Chairman. And thank you, to the panel. According to the CFATS rule, a high-risk chemical facility is one that, in the discretion of the Under Secretary, presents a high risk of significant consequences for human life and health and now security and critical assets. Let me ask you a few comments on this. If, as a result of your work with Sandia National Laboratories economic consequences are incorporated into the CFATS risk-tiering approach, how will this impact the current list of related facilities and do you expect more facilities to be covered? Mr. Wulf. I think it is hard to say right now. Depending on what we get back and our analysis of Sandia's work, it could impact the number of facilities that are covered in a few different ways. Depending on the weighting that is given to the economic consequence piece of the equation and really the general fabric of the assessment on economic consequences. So I don't think I am in a position today to forecast that. Mr. Murphy. Can you give any estimates at all how much you think it is going to cost to incorporate the results of the Sandia National Laboratories work into the current CFATS risk assessment approach? Mr. 
Wulf. I don't at this time, not without the assessment from Sandia. Mr. Murphy. Well, given also it is going take approximately 7 to 9 years for ISCD to review plans submitted by regular facilities, how practical is it for you to expand the program to include additional facilities? Mr. Wulf. We are going to, first, as I said, the 6 to 9 years is not an acceptable pace and we are going to do everything in our power to pick up that pace. I think though that it is important that we foster enhanced security for all chemical facilities that are high risk in nature. So, to the extent the universe of high-risk facilities is framed and includes in the calculation of that universe or in the formation of that universe the economic consequences and the universe grows, we will look at ways to make that work. As I said, we are bringing on additional inspectors; we are improving our processes and procedures. We are going to get better and better at this. So, if that challenge presents itself, we will meet the challenge. Mr. Murphy. I know we have talked about these things in other hearings that the chairman has conducted here, and you are expecting about 30 to 40 site plan approvals per month. That is your anticipated goal for the future? Mr. Wulf. That is our current pace. Mr. Murphy. The current pace. Well, how many did you approve in January of 2013? Mr. Wulf. I would have to get that to you specifically. Mr. Murphy. February? Just last month, any idea? Mr. Wulf. I would imagine between 20 and 30 in February. Mr. Murphy. So you said you expect---- Mr. Wulf. Yes. Mr. Murphy. You are currently at 30 to 40 but you are half that in February. I am just trying to---- Mr. Wulf. Yes. I expect it is going to continue to ramp up because what we are doing more of in January and February was authorizing plans. And as we authorize the plans, we schedule the inspections. That is what leads to the approvals. So the approval pace will pick up. 
We anticipate by the end of September being up to upwards of 350 approvals. So that will be all of Tier 1 and probably about halfway through the Tier 2 facilities. So, actually, in 6 months, 6 1/2 months from now, we will likely be doing about 50 approvals a month for the next foreseeable future. Mr. Murphy. You have a mechanism for continuous improvement as you go through these to speed them up, for example, getting feedback as you go through these approval processes--feedback from people you have worked on with those saying what we could have done to make this better, faster, more thorough? Mr. Wulf. Yes, we sure do. We are constantly evaluating our processes and looking at ways we can do things better. Mr. Murphy. Is that an internal process? Do you also get external feedback on that? Mr. Wulf. Well, it is an internal certainly within the division and the relevant branches within the division. But also we are talking consistently with our stakeholders, and I was able to share one comment we received back during my opening statement. But we are always talking to our stakeholders about improving. And one of the things we have done to pick up the pace and to increase the pace of SSP authorizations and approvals specifically has been to include our field inspectors, who are most familiar with the facilities in the authorization and approval loop early in the processes. As issues are identified, those SSPs are kicked out to the field and squared away and kicked back into the authorization and approval loop more quickly. Mr. Murphy. In my remaining time I just want to ask real quick. We understand there are some documentation issues regarding the CFATS risk-tiering approach. Can you give me a little information of what those documentation issues are? Is that something slowing you down, too, or what are those documentation issues? Mr. Wulf. No, I don't think so. 
The documentation I referenced earlier was our effort over the past year to thoroughly document the tiering methodology. Mr. Murphy. Is that also improving over time? Thoroughly documenting so you are---- Mr. Wulf. Yes. Mr. Murphy. Well, I am out of time here I know but I will follow up on the other questions. Thank you. Mr. Wulf. OK. Mr. Shimkus. The gentleman's time has expired. The chair now recognizes the gentleman from California, Mr. McNerney, for 5 minutes. Mr. McNerney. Thank you, Mr. Chairman. Mr. Wulf, is the ISCD responsible for addressing cyber threats to chemical plants? Mr. Wulf. Yes, sir. Yes, sir. One of our Risk-Based Performance Standards, RBPS 8, relates to cyber. Mr. McNerney. So are there specific cyber threats for potential catastrophic results to human beings that you know of? Mr. Wulf. I think potentially there could be, which is why CFATS addresses cyber. It focuses within the CFATS framework on industrial control systems, on systems that can impact the release of chemicals, and on systems that can impact the security of a facility. Mr. McNerney. So how effective then is the DHS in addressing these potential cyber threats? Mr. Beers. Sir, we have the best team in the country to deal with industrial control systems as announced by Security magazine. The ICS or Industrial Control Systems team that we have in our cyber office is absolutely the best in the country. They provide regular assessments on requests from people. We are expanding that program. It will also be part of the work that we are doing with respect to the Executive Order on cybersecurity and the Presidential Policy Directive that came out, both for those in February, a major area of concern and a major area of involvement. We are basically teaching the rest of the government how to deal with this issue. Mr. McNerney. Good. Good. In my mind there are two aspects of cyber defense: protection and retaliation. 
Maybe that is not the way that you look at it, but a kinetic attack will almost certainly involve a strong response from this government. But on the other hand, a cyber attack may not elicit a response. So the question I have is, are there rules of engagement for cyber attacks on chemical facilities in this country? Mr. Beers. Sir, there are general rules of engagement that is not part of the DHS activity set. That belongs to the Department of Defense. But we and the Department of Defense and the Department of Justice have a very robust effort to work together on a regular basis at all of those things short of an actual attack. I mean, we are, as you well know, in a sort of cold state of a lot of reconnaissance, a lot of intellectual property theft that is going on now that the three departments are working mightily to try to deal with. But the offensive side is the domain of the Department of Defense. We are aware of what they do in a general sense but it is not part of our responsibility. Mr. McNerney. So I mean there must be some coordination then. I mean cyber attacks are happening on a continuing basis, some of them less of a threat and some of them more of a threat. And so what I would like to get is some comfort that there is going to be a consequence to conducting cyber attacks at any level on facilities in this country. Mr. Beers. Sir, I certainly can't comment on that in this unclassified setting. Mr. McNerney. OK. Mr. Chairman, I yield back. Mr. Shimkus. The gentleman yields back the time. The chair now recognizes the gentleman from West Virginia, Mr. McKinley, for 5 minutes. Mr. McKinley. Thank you, Mr. Chairman. This is an interesting subject. Mr. Shimkus. Mr. McKinley, can you turn your mike on, I think? Mr. McKinley. It is on. Mr. Shimkus. Oh, you do. Mr. McKinley. Yes, this is an interesting subject. 
As an engineer and as someone who has worked in some of these chemical plants, I am curious to learn more about what we have been doing and how long it has been going on. I am just curious, first, I guess is, do either of you feel are terrorism threats on the rise? Is it status? What is happening in this country? I am just curious. Mr. Beers. Yes, sir. That is a very good question. I think what we have seen since 9/11, a continued threat within the country that has been primarily executed by individuals who have been inspired by the rhetoric of the jihadists to conduct acts within the country. Fortunately, we have been able to thwart most of them. Some of them just simply failed because they weren't very well executed. The Bureau has a very extensive program trying to detect this. Could something happen from overseas again? Yes, that is always a possibility, but that is a major effort that we and the other departments are working on. Mr. McKinley. Well, again, are the attacks on the rise? Threats I should say. Are threats of attacks on the rise? Mr. Beers. Are threats of attacks on the rise? The threat and capability, because aspirational threats---- Mr. McKinley. It should be just a yes or no. Isn't it a yes or no? Mr. Beers [continuing]. Occur on a regular basis and you could look--and there is something every day. Threat and capability matched with one another---- Mr. McKinley. Are threats on the rise? Mr. Beers [continuing]. I think at this point are not on the rise. Mr. McKinley. OK. That is fine. Mr. Beers. Are not on the rise. Mr. McKinley. What is their objective? Is it just to have access? Are they trying to just blow up a facility? What is the threat that you are hearing? What are they trying to accomplish? Mr. Beers. So there is the local objective and there is the broader objective, and they think in both of these realms. 
The local objective is to have an event that is sufficiently newsworthy, sufficiently damaging, that it causes people to take notice of it and gives them credit for the ability to actually execute. The broader issue, though, is to destroy--and bin Laden and his successors have been very clear about this-- is to destroy the will of the West, and the will of the United States to oppose them and withdraw from the region. Mr. McKinley. So if I can continue with the question, can you give me an example of a chemical facility that has been attacked successfully in the West? Mr. Beers. No, sir. Unless you want to include the Amenas plant in Algeria, which is the one recent one---- Mr. McKinley. OK. That is fair. Mr. Beers [continuing]. That we had, but other than that, I can't tell you. Mr. McKinley. It is one thing if they want to disrupt it, would we not pose a threat also in where the products that we are producing in these chemical plants--does it extend your risk assessment and evaluation? Does that also go to the distribution centers and transportation or is it just at the plant? Mr. Beers. It is in all of those, sir, depending upon the holdings, where the holdings are---- Mr. McKinley. So you go the whole route. You are not just on risk assessment---- Mr. Beers. But again, if the holding isn't large enough to be tiered in by the consequence, then they are not regulated. But we do look at distribution centers as well. David, you want to---- Mr. Wulf. But CFATS focuses on facilities. So there are other agencies that deal with the transportation sectors. So the transportation of hazardous materials is covered by the Department of Transportation and the Transportation Security Administration. CFATS is focused on facilities but certainly including distribution centers. And among the chemicals of interest that we assess are those chemicals that could be successfully used by terrorists in an attack as well as chemicals that can be released. Mr. McKinley. 
In the time frame that I have left, are the four other European nations, do they have something comparable to what we are doing here? Mr. Wulf. I think in many ways we are on the cutting edge here. And I think CFATS is a sound program and really a model that, were it implemented elsewhere could be of value to securing chemical facilities and hardening them against potential terrorist attacks. Mr. Shimkus. Gentleman's---- Mr. McKinley. OK. Time has expired on that, but I just want to say, even though they have not had an attack in Europe and they don't have anything comparable to this, I am just curious. Mr. Wulf. I think Congress' assessment and our assessment as well is that high-risk chemical facilities pose a very attractive target to terrorists. Mr. McKinley. Thank you. Mr. Shimkus. The gentleman's time has expired. The chair will now recognize the gentleman from Ohio, Mr. Johnson, for 5 minutes. Mr. Johnson. Thank you, Mr. Chairman. Mr. Beers, the Department of Homeland Security has adjusted its chemicals-of-interest release model because of errors in the formula. Are you aware of any other issues that may affect this or any other models within the risk assessment approach? Mr. Beers. Sir, I am not, but let me turn to my expert here and ask him if there is anything you want to add to that. Mr. Wulf. No. Our documentation found some minor issues that we have briefed staff on and that we have addressed and that have not led to significant re-tierings or significant numbers of re-tierings of facilities. So we are looking forward to receiving the report from the Peer Review Panel and any recommendations for improvements they may have for the tiering engine. Mr. Johnson. Is this the expert panel review that you are talking about? Mr. Wulf. That is right. Mr. Johnson. OK. Before you became aware of problems with the chemicals-of-interest release model, had you conducted any evaluations, Mr. Beers, of the risk-tiering approach? Mr. Beers. 
Sir, before we became aware of that particular problem, I am not aware of any reviews that had taken place. Having said that, it was, as we look backward on when that matter was brought to my attention, that there were questions about it a year prior to that. And the review that happened at that time turned out not to be an accurate review. So in that sense, there were anomalies that were looked at; unfortunately, they failed to detect the problem that ultimately surfaced several years ago. Mr. Johnson. OK. All right. In regards to the expert panel review, it is our understanding that the current expert panel review will not include a formal validation or verification of the model. How does that impact the value of the review? Mr. Wulf. We have asked the panel to take a full look at the program, at the tiering methodology, and to give us an assessment as to whether it is, in fact, a sound methodology for assessing risk and also to provide us any recommendations for potential enhancements and improvements to the methodology. So I don't anticipate a formal stamp of approval, but I expect that they will let us know how they feel about what we are doing in the tiering arena. Mr. Johnson. But it is important though, right? I mean, it is important to get that information, to get that stamp of approval. Mr. Wulf. I think that is why we are doing this. Not to---- Mr. Johnson. But you said you are not expecting a stamp of approval. Mr. Wulf. Well, not---- Mr. Johnson. So there is---- Mr. Wulf [continuing]. An actual stamp, I guess. Mr. Johnson. Yes. Mr. Wulf. I am---- Mr. Johnson. We don't want them to just look at it; we want them to give us a validation and verification that the model is accurate according to what we know today. Correct? Mr. Wulf. Yes. We want them to look at the methodology and let us know their thoughts on whether it works and if there are ways in which it could work better. Mr. Johnson. OK. 
Given that you have not been able to review the Site Security Plans for the Tier 3 and 4 facilities, how would you characterize how they are currently being regulated? Mr. Wulf. Well, I would mention that we have begun review of the Tier 3 Site Security Plans and I have authorized some of those. But that is admittedly in the early stages. Mr. Johnson. Tier 3 and 4, or just 3? Mr. Wulf. Tier 3. Tier 3. Mr. Johnson. OK. So 4 is not being included? Mr. Wulf. Tier 4 reviews have not begun on the SSPs. But I would say that across the tiers to include Tiers 3 and 4 CFATS has had an impact. Those Tier 3 and Tier 4 facilities have gone through the top screen process, have developed security vulnerability assessments, have, in most cases, met directly with CFATS inspectors who have worked with them through compliance assistance visits and other outreach in the order of more than 3,000 such visits and encounters to work with them on the development of their Site Security Plans. So I think in all cases, even without authorization or approval of those facilities, their security has been enhanced by CFATS and the work of our inspectors. Mr. Johnson. OK. With that I yield back, Mr. Chairman. Mr. Shimkus. The gentleman's time has expired. The chair now recognizes the gentleman from Mississippi, Mr. Harper, for 5 minutes. Mr. Harper. Thank you, Mr. Chairman. Thank you, gentlemen for being here. I know this is always an exciting time, but we welcome you and appreciate the insight. We are obviously concerned about security for these facilities, how we accomplish that. And as we are looking at the number of facilities we have, has there ever been any thought on your side of maybe just limiting the scope of regulating facilities only to the Tier 1 and Tier 2 facilities? Has there been any thought on that? Mr. Wulf. I would say that, no, there hasn't. 
Inasmuch as all four tiers represent high-risk chemical facilities and a relatively small percentage of the total number of chemical facilities in the country, our assessment is that all four tiers are worth covering under CFATS. Mr. Harper. Do you agree with that? Mr. Beers. Sir, remembering that this is a consequence-focused---- Mr. Harper. Yes, sir. Mr. Beers [continuing]. Issue, the original decision on all four of the tiers were that the consequences, the potential loss of life in the vicinity of those facilities--this is the primary reason---- Mr. Harper. Yes, sir. Mr. Beers [continuing]. Was significant in terms of the communities that surrounded them. So it is, as you well know, impossible to put a cost on the loss of even one life. So that is why this is such an important decision and why we really haven't gone that step and said, no, that 3 and 4 are not high-risk. Mr. Harper. OK. Let me ask this: as you are establishing these, you do a preliminary tier risk rating and then you do further evaluation--the SVA--and you determine what the final rating is. Mr. Beers. Yes. Mr. Harper. And once that is established, what is the review process after that? Is there a time with that final tier risk rating that it might change in the future? How often are you going back to review those? Mr. Wulf. As facilities make changes to their chemical holdings or to their processes, they may submit a request for redetermination or may submit a revised top screen to ISCD and we will, you know, rerun that and assign as appropriate a---- Mr. Beers. So the nearly 3,000 changes that have been made---- Mr. Harper. Sure. Mr. Beers [continuing]. Including tiering out are a result of changes in holdings that have been able---- Mr. Harper. OK. Mr. Beers [continuing]. To be recognized in that fashion. Mr. Harper. So is that possible review or change of a tier risk, is that something that you have to wait on them to notify you or are you on a schedule? 
Do you go back and review those yourself even if you are not notified of any changes on their part? Mr. Wulf. To the extent that our inspectors are out working with these facilities through compliance assistance visits or other outreach---- Mr. Harper. OK. Mr. Wulf [continuing]. That is sort of the form that would take. So our involvement would happen in that way but there is not a formal process for going back and---- Mr. Harper. Not a calendar date say every 2 years, 3 years we are going to come back and review? OK. Now, it is my understanding that if you have two facilities that have the same chemical of interest, one that has very little physical security near a major city, and another stored with the same chemical in an extremely secure location near that same major city, they would be tiered identically? Is that accurate? If it is the same chemical of interest, regardless of the level of security near that major city, in two different facilities, would they be tiered the same? Mr. Wulf. I think that is accurate. Mr. Harper. OK. Mr. Wulf. The tiering is based on the potential consequence of that. Mr. Harper. All right. Is that a good way to manage and mitigate chemical facility terrorism risk? Mr. Wulf. Well, I think it is in that the facility, without the hardened security would, as a result of being tiered, have to look to implement security measures, develop a Site Security Plan that would bring it up to an acceptable level of security. Mr. Beers. The whole notion here is we want to level the playing field so---- Mr. Harper. Sure, but---- Mr. Beers [continuing]. A secure facility is great. An unsecured facility is something that we would want to change. We want to take the unsecured facility and raise it to roughly equivalent standards to the secure facility. Mr. Harper. But it appears to me that perhaps we are discouraging high-risk chemical facilities from increasing security at their facilities and making them stronger. 
And I don't know that that is having the desired effect that you are saying you want. Is it having that impact? And my time is up, so I guess I won't get a formal answer from you. And I yield back. Mr. Shimkus. The gentleman yields back his time. And I see no other members. But before I dismiss the panel, I just want to reference the law. Because, Mr. Beers, you keep saying a consequence, which is something that we need to be concerned about. But that is not what the law says. The law says a risk-based system. Mr. Beers. Yes, sir. Mr. Shimkus. Consequence is a part of that but it is not the whole calculation. I think you have caused more questions by this testimony today than answered questions. So I think we will have them back, Mr. Ranking Member, to keep ferreting this out because the law is pretty clear. And you can see there are still a lot of questions on how we are trying to define this. So we do thank you for coming. We do have the ability to offer written questions as the ranking member of the full committee asked. And with that, we would dismiss the first panel. Mr. Beers. Sir, may I respond to the question that you posed in writing? Mr. Shimkus. Correct. You may. I would be happy to---- Mr. Beers. I think if you are still not satisfied, then we have more work to do to---- Mr. Shimkus. I think you have a lot more work to do. So we will dismiss this panel and we will have the second panel. Staff, if I can get the back doors closed. Someone? Then we can move promptly. We would like to continue the hearing and welcome our second panel, a one-member panel, so we can put full attention to the testimony and answer questions. So we would like to welcome Mr. Stephen Caldwell, Director of Homeland Security and Justice from the Government Accountability Office. Sir, your full statement is in the record. You are recognized for 5 minutes. STATEMENT OF STEPHEN L. CALDWELL, DIRECTOR, HOMELAND SECURITY AND JUSTICE, GOVERNMENT ACCOUNTABILITY OFFICE Mr. Caldwell. 
Thank you very much, Chairman Shimkus and Ranking Member Tonko. I appreciate being here to talk about CFATS and the findings in our about-to-be released report on the program. As you know, our earlier report focused on an internal DHS memo documenting management problems with the CFATS program and agency efforts to come up with corrective actions. But our current report focuses on agency efforts to do three things related to its core mission. The first of those is assess risks at the facility, which we have talked about quite a bit; review the Site Security Plans; and work with industry to improve security. Let me start with the risk assessments. As noted, both the Department and GAO have established criteria for risk assessments and these were not followed closely in the CFATS program. Specifically, the three elements of risk--threat, vulnerability, and consequence--were not all used. As has been discussed, vulnerability has not been used even though DHS does collect extensive information on it. Some of the CFATS program criteria in its own 2007 rule, including the economic consequences, also have yet to be implemented. Regarding the Site Security Plans, we found that the Department had a cumbersome process in place for reviewing the security plans which led to a backlog of security plans awaiting approval. The Department has attempted to streamline the review process by doing concurrent reviews among its experts when it had formerly been doing sequential reviews. However, the impacts of the streamlining is not known because no metrics were kept on how long the old process was taking. But even with a more streamlined review process, as we have noted in our statement, we are estimating 7 to 9 years to improve those facilities that have been tiered. But our estimate does exclude some of the important parts of the regime as a whole, such as the compliance inspections. 
Regarding industry, the CFATS program has increased its outreach, and this was noted in the inquiries we made through industry associations representing chemical facilities. The industry also expressed concerns about the burden of submitting and updating information to DHS, as well as frustration in wanting more details on the how and why the facilities were tiered a certain way. Some of these issues, as has been noted, may be resolved in terms of the Department is considering what information on its tiering process it might provide to industry. Nevertheless, the CFATS program could benefit from systematically monitoring the effectiveness of its outreach activities. In closing, I would like to briefly look back at our previous report, which commented on the serious management problems within the CFATS program. Because of a lack of documentation in the earlier years, we were really unable to determine the root causes for a lot of those problems. And this condition was found in our current work. As an example, we found no documentation as to why the current incomplete approach to risk assessment was chosen. So to some extent, the current program is still recovering from some of those earlier management problems. But we have found the Department to be responsive to our recent recommendations and our current findings. We hope their positive attitude continues to result in improvements. And related to this, I would like to note that my written statement is titled ``Preliminary Observations.'' Because we are still awaiting Department comments on the recommendations in our current draft report, we will finalize that report once we receive those comments and we anticipate issuing that in early April. With that, I am happy to respond to any questions. [The prepared statement of Mr. Caldwell follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Shimkus. Thank you, Mr. Caldwell. I would like to recognize myself for 5 minutes for the first round of questions. 
You were in here for the last panel and probably listened to my last exchange based upon the language of the law. Could you understand my frustration with the question based upon what members had said before about the formula for risk and if there are two variables that are undefined, how do you identify risk? Mr. Caldwell. Yes. I guess I agree with your point. The law calls for an assessment of risk, not of consequence. I think the DHS response we have heard today kind of indicates that the exclusion of vulnerability was part of a well-laid-out and thoughtful methodology and analysis that they used from the start. We certainly found no evidence of this. I mean our early discussions with methodology with them last year indicated the fissures did not know why the current methodology was picked or why vulnerability was left out. And there certainly was no documentation on that. It was really only when we raised the issue of the lack of the consideration of vulnerability---- Mr. Shimkus. It was? Mr. Caldwell [continuing]. That the current narrative emerged that you heard today. So I think that really reinforces the need for an independent peer review, preferably earlier in the process than now because the problems they will have if they find major changes. And I have some other comments on peer review I can make as well. Mr. Shimkus. Did you get any comfort from the response that the formula is being reviewed by Sandia? And I think the frustration from my end was that we might take it; we might consider it. I mean, it was pretty vague as to whether all of this work that they would even consider is part of a fix to the formula. Mr. Caldwell. Yes. Let me make two comments on the peer review. I think based on our work today--and they have been sharing a lot of information with us--but we are still not sure how much of a free hand and leeway this new peer review is going to have, this expert panel. 
Will they have the leeway to really start from scratch and kind of come up with fundamental changes from the model if they think they are needed? And then, of course, we are also not really sure and the Department really hasn't committed to really how they would receive any major recommendations for changes because of impacts it could have on the peering process. So that is what I will call the peer review's need to do a review of the methodology. But what the peer review would also need to do to be comprehensive would be what is called the V and V, or a verification and validation. We know that there was some miscalculations found in the formula. This did lead to the re-tiering of several facilities. Also, in the course of our work, we found out there was an omission of certain locations such as Hawaii, Alaska, and Puerto Rico from the data in the model calculations. And they don't think this will lead to any changes in tiering, but, I mean, together they certainly don't give us a warm, fuzzy feeling that they have looked at the actual mechanics of the model to make sure that even if the methodology is correct that the model is working the way it was intended to. So it is also important that the peer review do a V and V, a verification and validation, to actually look at the model, play with the numbers, do calculations, ensure they are correct, and maybe do some sensitivity analysis as well. Mr. Shimkus. Well, and just kind of following up on this line of questions because it was asked by one of my colleagues on data, data collection, and what is it used for. Again, a pretty vague answer by our first panel as to what they really needed, what they had, and why they had it. You found that owners and operators were spending unnecessary resources complying with CFATS data collection requirements. Can you elaborate on your findings? Mr. Caldwell. Well, I will say two things. 
I think whether the industry feels that they misspent funds or wasted funds, I will leave maybe for the third panel. You can ask them that. But in terms of the question about whether all this vulnerability data was useful that the Department is capturing but is not using, I think the way they put it is that it is data that then the facilities have been able to use or could use. So again, that is a question for the facilities. I mean, you could ask the facilities and industry---- Mr. Shimkus. But the facilities are the ones who provide the data. So it is kind of like we got the data, we gave it to Homeland Security, and then Homeland Security says we got the data, here is your data because it is going to help you out, or the collection of that data will help you out. I mean, it is just---- Mr. Caldwell. Yes. Mr. Shimkus [continuing]. Counterintuitive. I am struggling with this. Mr. Caldwell. We found that the Department is not using the vulnerability data at all that it collected from facilities. One other thing on that point, when we talked to them about why they were not using the vulnerability data, they said, well, they were concerned because it was self-reported and thus might be either exaggerated or not exaggerated. But everything in this thing is self-reported until--I mean everything going into tiering about how much chemicals they have and where they have them and the method of storage--all of that is self-reported. So I am not sure that I agree with that distinction. Mr. Shimkus. You are not helping me very much but thank you. My frustration level continues to mount. So I would like to recognize the ranking member, Mr. Tonko, for 5 minutes. Mr. Tonko. Thank you, Mr. Chairman. I hope you can relax for a moment. I thank you, Mr. Caldwell, for appearing here today. GAO's analysis reveals significant concerns about this important national security program and the sufficiency of the Department of Homeland Security's Action Plan to address these concerns. 
We heard from the Department on the first panel that they are taking GAO's findings seriously and intend to follow GAO's recommendations to strengthen the risk assessment models used in their programs. It seems that some of these concerns are long-standing. For instance, stakeholders have long called for a greater transparency in the risk assessment process. I welcome the GAO's testimony today and have a few questions that, I think, would be helpful in providing the information we require. To the DHS methodology itself, does it appropriately, in your opinion, account for threat? Mr. Caldwell. Threat is a little tougher. And so I think in our own analysis we have been less critical of the Department on that. And the reason that threat is more difficult is because the threat comes from a potentially adaptive adversary that can see where vulnerabilities have been reduced or maybe where vulnerabilities still exist and change their targets. But even more so, when you are looking at these chemical facilities, the facilities themselves could be attacked or some of the chemicals at those facilities could be stolen or diverted and then moved and then used again in a population center or any other location. So I think it is very difficult, and also I think in terms of some of the questions about threat that were asked, there just really is not a lot of actionable, real intelligence that shows there is a threat against these facilities or specific facilities. Mr. Tonko. Thank you. And to that methodology again, does it account for the two minimum components of consequences, that being human consequences and economic consequences? Mr. Caldwell. It does not include economic consequences. As the Department has stated, they have now engaged Sandia National Labs to do that but it has been a while. I mean, the rule came out in 2007 that specifically said that they would include that at some point. 
And if you look at the National Infrastructure Protection Plan it does say at a minimum consequence needs to include both human casualties and fatalities, those things, as well as the economic consequences. Mr. Tonko. Thank you. And I would imagine that GAO has looked at risk assessments prepared by many different agencies over the years. How would you say the CFATS risk assessments compare to the work at those other agencies? Mr. Caldwell. Well, there are a couple of examples I can think of. At the Coast Guard, for example, we have done extensive work on their risk assessment model. It is called the Maritime Security Risk Assessment Model. And it does include all the components. And that is probably the most sophisticated model within DHS because it also takes into account the mitigation efforts that a facility is doing and how that impacts the risk. There have been other cases--I believe it is TSA--I will have to correct my statement if I find that it is a different agency--where we found that vulnerability was also being held constant and we have made those recommendations that they not do that and that that particular component agreed with that recommendation. Mr. Tonko. Thank you. During the first panel Director Wulf indicated that including vulnerability in risk assessments would lead to an ever-changing tier assignment for a given facility. Is this a valid enough reason for leaving the criteria out of the assessment? Mr. Caldwell. Well, I think if in the beginning that was thought through and done on purpose, I could have maybe given him a little more sympathy if he is trying to design something to do that. But as I said, that narrative was developed pretty recently as to why was left out. 
There is a problem now in that a lot of these facilities, thousands of these facilities--and if there are major changes in their model because of the peer review or things we have said or adding the economic consequences, this could reasonably change the tiering of those facilities. Mr. Tonko. And this committee is aware of two mis-tiering incidences at the Department where facilities were placed in the wrong tier because of errors made by the Department. That is a serious problem. But now we hear from GAO that none of the more than 3,500 tiering decisions that have been made are reliable. They are all based on a risk assessment methodology that is seriously lacking. Is that an accurate assessment? Mr. Caldwell. I wouldn't use the term that this is a fatal flaw or things like that. But certainly we are questioning why they haven't included vulnerability. I think that we have a concern. Now, we do believe the best way to address that would be to have a peer review come in externally, review it. As we have said before, and as you said before, the National Academies of Sciences came in and found very similar problems across the Department that we are talking about here within the CFATS program. Mr. Tonko. Well, I see that my time has expired so I will yield back, Mr. Chairman. Mr. Shimkus. Thank you. The chair now recognizes the gentleman from Pennsylvania, Mr. Pitts, for 5 minutes. Mr. Pitts. Thank you, Mr. Chairman. Mr. Caldwell, you noted in your statement that it could take 7 to 9 years before ISCD completes the review of the 3,120 security plans currently in the review queue and that the estimate does not include work by ISCD on other missioned activities. What are some examples of these ISCD activities? Mr. Caldwell. Well, that estimate does not include about 900 facilities that have yet to be assigned into a final tier. 
Also, the time required to review the plans to resolve issues related to personnel surety take some time because some of the plans have been provisionally or conditionally approved. So they have to go back and revisit that once the personnel surety rule is in place. And then there are the compliance inspections that they would do which are separate from the plan approval, but those are generally done a year after. So you are looking at another year out there for individual facilities before they have the compliance inspections. And really, it is only until you have the compliance inspection whether you know that the facility is actually implementing the things in its security plan. Mr. Pitts. So will implementing these mission activities further delay full CFATS program implementation? Mr. Caldwell. Well, certainly until all of the pieces are in place, it is not going to be there. And I think several figures have been thrown out; 8 to 10 years we said in our last hearing. I mean, now, we are looking at 7 to 9 just for the approval plan. So it is going to be some time before this regime is completely in place. It is in contrast to maybe some of the other programs that were put in place after 9/11. Mr. Pitts. Now, the regulated industry says that ISCD's efforts to communicate regarding CFATS-related issues are mixed in effectiveness. Does ISCD measure the effectiveness of its outreach efforts and could they? Mr. Caldwell. No, they don't. They measure some of the things like how many meetings they have and those kinds of things, but they haven't outreached really to find out whether these have been effective so we are considering---- Mr. Pitts. Should they or could they? Mr. Caldwell. Yes. And we are considering a recommendation with the Department. We are in discussions with a recommendation that we ask that they do so. Mr. Pitts. What should we take away from the input that you got from trade associations? Mr. Caldwell. Some of the things are working pretty well. 
The meetings with this Sector Coordinating Council seem to be effective according to industry. Also some of the visits to facilities, a little bit mixed there. I think the more recent things based on some of the testimony you will hear later today is that the officials doing those inspections from DHS do seem qualified and helpful, whereas I think some of the early responses that they were very reluctant to actually make useful concrete suggestions on how to improve security. Mr. Pitts. Now, you found that owners and operators were spending unnecessary resources complying with CFATS data collection requirements. Would you elaborate on that? Mr. Caldwell. I don't believe we ever said they were unnecessary. I just think they were worried about a substantial burden in terms of the cost it was taking to do these, particularly, if something changed and they did this. I think one of the things industry may tell you about in the next panel is the chemical industry can be a complicated business, so sometimes they change mixes of their chemicals in terms of some of their processes. And there has been a debate about whether then do they have to go back to DHS and resubmit everything because their mixture of chemicals is slightly different? It is a concern. Mr. Pitts. And what in your view is the difference between the current Site Security Plans and Alternative Security Plans? Mr. Caldwell. Well, I think the Alternative Security Plans look a little simpler. I think that they have some of the same information but perhaps in a more useful way because it is portrayed as a plan as opposed to a data dump of a lot of individual information that is in the DHS tool. Mr. Pitts. Thank you, Mr. Chairman. Mr. Shimkus. Thank you. The chair now recognizes the gentleman from California, Mr. McNerney, for 5 minutes. Mr. McNerney. Thank you, Mr. Chairman. Mr. Caldwell, we have been hearing this morning a lot about tiering formulas and about the risk assessment models. 
How familiar are you with the details of these models and formulas? Mr. Caldwell. We have not done the kind of verification and validation that a peer review of experts might do. So we have talked through what they use, we have discussed the factors, but I can't say we have tried to reproduce their models or do sensitivity analysis. Mr. McNerney. Are these by-and-large Excel spreadsheets or what do they look like? What form do they take or how do people have access to the models? Mr. Caldwell. It is an online tool so it is some kind of relational database. But beyond that, I can't tell you too much about the formulas or what the actual algorithms are. Mr. McNerney. And what sort of security do the models have in terms of making changes to parameters--not parameters but the way the models are executed? Is there a very secure methodology that is required for someone within DHS to change the model itself? Mr. Caldwell. We have not looked at the internal controls or the security settings on the model. Mr. McNerney. So as far as you know somebody in one of these departments can say, well, gee, I think this model is a little off; I am going to change it? I mean, there has to be some sort of control on these things. Mr. Caldwell. There should be, yes, sir. Mr. McNerney. Is that something you think you can find out or make an assessment? Mr. Caldwell. We can certainly ask the Department and answer that as a question for the record or if you could direct it to the Department, then that might expedite things or not. Mr. McNerney. All right. Thank you. I have a question. Were you assured by the under secretary's declaration that they have the best teams on cybersecurity and that they are on top of this issue and we don't have anything to worry about? Mr. Caldwell. That is not an aspect we looked at. So I have no comments on that. Mr. McNerney. So cybersecurity is not within your, sort of, realm? Mr. Caldwell. It is one of the many standards that they apply here. 
We do have other experts in GAO on cybersecurity that if you want to ask us a question for the record, we might be able to take that and answer it for you, sir. Mr. McNerney. All right. Thank you. That is all I have, Mr. Chairman. Mr. Shimkus. The chair thanks the gentleman. The chair now recognizes, I believe, the gentleman from Ohio, Mr. Latta, for 5 minutes. Mr. Latta. Well, thank you very much, Mr. Chairman. And thank you very much for being here. And we have got a couple of hearings going on so I am sorry that we are kind of in and out today. But if I could start with this question: how important is it for the Infrastructure Security Compliance Division to have a complete validated and verified risk assessment approach? Mr. Caldwell. I mean I think our position is that the current approach is incomplete. So to the extent that they are using an incomplete model, they don't have an assurance that they are tiering these in the right fashion appropriate with the National Infrastructure Protection Plan's criteria, which is pretty much the Department's criteria in terms of how you do risk assessments. Mr. Latta. So how would you have to go about to get that complete? Mr. Wulf. You would have to include vulnerability in it and economic consequences are maybe the two minimum things that would need to be added into it. We have also asked that they update some of their threat data. Some of the threat data that they were using was a few years old, which they have agreed to do. Mr. Latta. OK. Thank you. Also, how important is it for the ISCD to eventually conduct an independent peer-review on CFATS risk assessment approach? Mr. Caldwell. We think it is very critical that there be an independent peer review. And I think you might have missed my answer talking to the chairman a few minutes ago, but there are really two factors. 
One is to make sure they have the methodology right, and secondly, to make sure the model, once you have the methodology right or at least with existing methodology, is the model actually functioning as intended? And as we have noted, there has been some miscalculations in the model that have been found which should, again, call for doing a verification and validation of the model itself. Mr. Latta. And just to follow up on that, how soon should that independent peer review occur? Mr. Caldwell. Well, I think it has already started. At least the panel that they have now, I think that there is a statement in Mr. Beers' written comments that if they need to do a second one, they are willing to do that as well. So the first one may be to find out where they are now, make some recommendations, and maybe would require a second peer review to actually go in and validate the model---- Mr. Latta. OK. Mr. Caldwell [continuing]. With any changes. Mr. Latta. OK. Mr. Chairman, I have no further questions. Thank you. Mr. Shimkus. And the chair thanks the gentleman. The chair now recognizes the gentleman from Florida, Mr. Bilirakis, for 5 minutes. Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it very much. I have one question. What is the difference between the current Site Security Plans and Alternative Security Plans? Mr. Caldwell. The Alternative Security Plans are written more like a plan. The Site Security Plans that DHS has I would describe as more of a data dump. It is a lot of different data that is in there. I mean, both can be useful, but I think industry feels--and you can ask the third panel--that the alternative site plan or the Alternative Security Plan is a little more user-friendly and still get you there in the end. Mr. Bilirakis. Thank you, Mr. Chairman. Mr. Shimkus. Seeing no other members present, we would like to thank you, Mr. Caldwell, for appearing before us. You have done great work on this report. It looks like we have got a lot more work to do. 
And with that, we will allow the second panel to be dismissed and ask the third panel to join us at the table. Thank you, sir. Mr. Caldwell. Thank you very much. Mr. Shimkus. We want to thank the third panel for joining us and sitting through most of the testimony. I am sure that is going to be helpful for the remaining members as we listened to your opening statements and direct questions. And we will do so now. The first person that I would like to recognize is--yes, I am going to recognize Mr. Allmond--that is OK, Jerry, I am great--Mr. Allmond, who is vice president of the Society of Chemical Manufacturers and Affiliates. Sir, you are recognized for 5 minutes. Your full statement is in the record. STATEMENTS OF BILL ALLMOND, VICE PRESIDENT, SOCIETY OF CHEMICAL MANUFACTURERS AND AFFILIATES; TIMOTHY J. SCOTT, CHIEF SECURITY OFFICER AND CORPORATE DIRECTOR, THE DOW CHEMICAL COMPANY, ON BEHALF OF THE AMERICAN CHEMISTRY COUNCIL; CHARLIE DREVNA, PRESIDENT, AMERICAN FUEL AND PETROCHEMICAL MANUFACTURERS; AND RICK HIND, LEGISLATIVE DIRECTOR, GREENPEACE STATEMENT OF BILL ALLMOND Mr. Allmond. Thank you. And good morning, Chairman Shimkus, Ranking Member Tonko, and members of the subcommittee. My name is Bill Allmond and I am the vice president of Government and Public Relations at the Society of Chemical Manufacturers and Affiliates. I am pleased to have the opportunity to provide you with an update on the Department of Homeland Security's implementation of CFATS from the perspective of specialty chemical manufacturers, many of which are small and medium-sized companies. Since the previous hearing last September, there are several areas we feel are worthy to highlight in terms of implementation progress. First, CFATS continues to reduce risk. Second, authorizing inspections are revealing some positives about DHS' implementation but also some challenges for small and medium-sized facilities. Lastly, a collaboration with the regulated community has improved. 
With respect to risk reduction, CFATS continues to drive facilities to reduce inherent hazards where, in their judgment, doing so is in fact safer, does not transfer risk to some other point in the supply chain, and makes economic sense. Today, nearly 3,000 facilities have changed processes or inventories in ways that have enabled them to screen out of the regulation. Furthermore, due to the outstanding cooperation of the chemical sector, there has been 100 percent compliance with requirements to date. DHS has not yet had to institute a single administrative penalty action to enforce compliance. As a result of CFATS, our Nation is more secure from terrorist chemical attacks than it was before the regulation's inception. Turning to DHS' inspection process, the few that so far have been conducted at SOCMA members reveal some positive aspects about how the Department is carrying out the regulation, as well as some challenges being presented among small and medium-sized facilities. Among the positives is the level of interaction of DHS inspectors with facilities scheduled for an inspection. Inspectors are providing sufficient details with facilities prior to their arrival, which aids the planning process to ensure resources and facility personnel are available. Similarly, facilities are finding DHS inspectors generally to be reasonable during the onsite inspection, which is perhaps due to the fact that some of them have chemical facility experience. Such operational familiarity is necessary when interpreting how risk-based performance standards apply to, and could be implemented at, such facilities. Importantly, inspections have so far appropriately verified a facility's approach to addressing risk-based performance standards. Inspectors appear not to be adhering rigidly to the RBPS guidance and instead to permitting company personnel to explain from the facility perspective, how they are appropriately implementing their Site Security Plan. 
The principal challenge that SOCMA's smaller facilities are finding with the inspection process, however, is the enormous amount of time and resources to meet DHS demands following an inspection. Of highest concern is an unwillingness by DHS to reasonably extend deadlines for facility response. In SOCMA's opinion, DHS should be more willing to extend the time of which a small and medium-sized facility has to respond to a post-inspection report. Facilities are learning that, even if they had an inspection that went well, they are having to rewrite much of their Site Security Plans. Under a 30-day deadline, which has been the usual case, facilities are having to pull two to three workers for 2 to 3 days each to ensure that they meet the deadline. To us, this is unreasonable. In small companies, there simply may not be more than a few people qualified to work on security measures and all those people have other obligations which frequently include compliance with other regulatory programs. It is still early in the inspections process, and these burdens are now coming to light. However, DHS still has time to make adjustments given a willingness to do so. And lastly, collaboration with facilities on implementation has improved. We are pleased that DHS has recently worked with industry to establish an alternative security program template with possibly more in the future. Additionally, DHS appears prepared this year to co-host another Chemical Sector Security Summit. For the past 6 years the Summit has been a collaborative effort by the Department and the chemical sector to provide an educational forum for CFATS stakeholders. An overwhelming majority of attendees each year are industry personnel who, when satisfaction surveys, consistently rate the Summit as having a high value to them. 
Many of the improvements over the past year have occurred under leadership of Deputy Under Secretary Suzanne Spaulding and Director David Wulf and their actions to help put CFATS back on track is worthy of recognition. I appreciate the opportunity to testify this morning and I look forward to your questions. [The prepared statement of Mr. Allmond follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Shimkus. Thank you very much. I would now like to recognize, as I move my papers all around--where is his name? Here it is--Mr. Timothy Scott, Chief Security Officer and Corporate Director of Dow Chemical Company, on behalf of The American Chemistry Council. Sir, you are recognized for 5 minutes. STATEMENT OF TIMOTHY J. SCOTT Mr. Scott. Thank you, Chairman Shimkus, Ranking Member Tonko, and members of the subcommittee. I am Tim Scott, Chief Security Officer of the Dow Chemical Company, speaking today on behalf of Dow and the American Chemistry Council. The chemical industry and Department of Homeland Security have a common goal: to improve the security profile of the chemical sector and reduce the risk of attack against industry or the use of chemicals as a weapon. Our positions are that security is a top priority of the chemical industry. Progress has been made in all areas of chemical security, but there is still, obviously, work to be done. ACC will continue to partner with DHS to achieve success and we need the certainty of a multiyear extension of DHS authority for a sustainable program. Progress has been made and we need to build on that progress as respectful partners with different skills and expertise but with a common goal. DHS has evaluated nearly 40,000 chemical facilities across United States initially identifying more than 7,000 as potentially high-risk. Since then, more than 3,000 facilities have lowered their chemical risk profile, clear evidence that we have made progress. 
Last year, ACC published an alternative security program guidance document available at no cost to the regulated community, the result of a year-long effort and full cooperation with DHS. This ASP approach offers an efficient alternative to DHS process and is an excellent example of how an effective public-private partnership can create smart regulatory solutions that benefit both partners, while ensuring the security and safety of our industry. While we have made progress, there are many more opportunities for efficient and effective compliance options that will accelerate CFATS implementation while maintaining the quality and integrity of the program. Existing industry security programs such as the Responsible Care Security Code should be recognized by DHS under their ASP authority as meeting the initial hurdles for authorization, thus streamlining and prioritizing reviews, especially at the lower tiered sites. We must develop a workable process regarding personnel surety. The goal of the PSP program is to ensure that personnel accessing sensitive sites of high-risk chemical facilities are trustworthy and do not pose a security risk. It is essential that these individuals are properly vetted against the terrorist screening database. We all agree on that. But is also essential that the site know these individuals are cleared before granting access to such sensitive areas. Under the current proposals, industry submits the individual's personal information and receives no verification of any kind. We are supposed to be satisfied that simply submitting the data is enough to grant site access. This is simply a poor security practice, especially when solutions already exist. It is good to hear that we may be making progress in this area with DHS. 
By leveraging existing PSP programs and allowing for corporate and third-party submissions for vetting against a terrorist screening database, a significant reporting burden will be minimized and the integrity of the program will be much improved. Another opportunity for efficiency that can easily be implemented is in what we call corporate audits. These audits cover areas of the risk-based performance standards in which many companies' sites operate under a single corporate process, such as cybersecurity or security escalation processes. Current inspections often have inspectors getting the same corporate answers site-by-site instead of addressing the issue once at the corporate level. This can unnecessarily extend the length of a site inspection. We also heard that DHS is working on this. ACC believes that DHS should be more transparent about all factors related to a covered facility's risk assessment. Trust is at the core of an effective security partnership and ACC strongly recommends that DHS improve the transparency of its risk determinations with the site security managers. A lack of transparency has been the source for many of the inefficiencies and missteps during the CFATS implementation. The CFATS concept is fundamentally sound, risk-based, focused on the right priorities allowing regulated sites to choose and apply customized security solutions for DHS review and evaluation for compliance with the DHS-established risk-based performance standards. And that is the goal, to meet the standards. And industry will. DHS has demonstrated renewed commitment and effort to our partnership due in part by oversight of this committee. ACC urges Congress to provide DHS extended statutory authority for the CFATS program to provide the regulatory certainty and stability needed for industry to make prudent security investment and capital planning decisions. Industry and DHS have made progress in improving the security of the chemical sector. 
There have been missteps, but we should acknowledge the progress and the challenge and commit to making CFATS work. Thank you. [The prepared statement of Mr. Scott follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Shimkus. Thank you. Next, I would like to recognize Mr. Charlie Drevna, President, American Fuel and Petrochemical Manufacturers. Sir, you are recognized for 5 minutes. STATEMENT OF CHARLIE DREVNA Mr. Drevna. Chairman Shimkus, Ranking Member Tonko, and members of the subcommittee, thank you for giving me the opportunity to testify today on today's hearing on the progress report of the CFATS program. I am Charlie Drevna and I serve as president of AFPM. We are a 111-year-old trade association representing high-tech American manufacturers that use oil and natural gas liquids as raw materials to make virtually the entire supply of U.S. gasoline, diesel, jet fuel, other fuels such as home heating oil, as well as the petrochemicals used as building blocks for thousands of products vital in everyone's daily lives. America's refining and petrochemical companies play a pivotal role in ensuring and maintaining the security of America's energy and petrochemical infrastructure. Nothing is more important to AFPM member companies than the safety and security of our employees, facilities, and communities. Our members have worked extensively with the Department of Homeland Security and we have invested hundreds of millions of dollars. And we don't mind investing the money as long as we know it is going for the right reasons, and again, toward strengthening facility security. Our industry also recognizes that protection of critical infrastructure against potential threats or terrorist attacks should be a shared responsibility between government and stakeholders. 
AFPM appreciates that DHS conducted an internal review to identify administrative and implementation problems that require immediate action and that the Agency developed an Action Plan for improving CFATS implementation. But it is important, however, to recognize that the structure of the CFATS framework itself is sound, even though the leaked report from GAO revealed the implementation of CFATS program was somewhat flawed. Additionally, America's critical infrastructure facilities are secure and there have been no attacks on chemical facilities since development of the CFATS program. Nonetheless, it is clear that DHS needs to better manage its resources and set priorities to make progress in areas that need immediate action, including faster approval of Site Security Plans and finalizing a workable Personnel Surety Program, a PSP. Such measures would work to strengthen the program and our national security. AFPM believes that DHS has made progress over the past year to address the problems identified in the DHS-leaked report and Action Plan. However, DHS should continue to make improvements by addressing issues including personnel surety with the help of the industry in order to enhance the overall effectiveness of CFATS implementation in the short-term. AFPM is pleased that DHS withdrew the personnel surety proposal from the Office of Management and Budget last July and then held a series of meetings with industry to take another look at this issue. Congress intended, and I heard today a repeat of that intent, that the risk-based performance standard on personnel surety which governs access to high-risk facilities, allow facilities the flexibility to determine the most efficient manner to meet that standard. Instead, DHS initially proposed and arguably prescribed PSP program that failed to recognize the Transportation Worker Identification Credential, or TWIC card, and other established federal vetting programs. 
Such a program would have been burdensome to both DHS and industry, and would be a wasteful and ineffective use of agency and industry resources. Instead of proposing a duplicative, burdensome PSP, DHS should remain focused on fixing the current problems and not expand beyond the scopes of the core CFATS program. The PSP program must be fixed soon and we hope that DHS will honor the TWIC and other federal credentials at CFATS sites. Facilities should have the option to use federally secure vetting programs such as TWIC to satisfy CFATS without submitting additional personnel information. AFPM supports a PSP program that requires only a one-time submission of personnel identifying information to DHS, recognition of TWIC and other federal credentials, and the use of third-party submitters for corporate submissions. This would lessen the burden on both DHS and industry, and would potentially account for half of the population affected by the Personnel Surety Programs, specifically, contractors coming to CFATS sites who would already have those cards. Stakeholder input is necessary. To assist DHS in addressing CFATS implementation challenges, continued stakeholder input is necessary. We are encouraged that we are seeing DHS do this more and more. In summary, AFPM believes that DHS has made progress over the year addressing the problems identified in the internal report. We also acknowledge that there has been far greater outreach and more detailed discussions with DHS, and we hope that those continue in the future. Thank you and I look forward to any questions you may have regarding my testimony. [The prepared statement of Mr. Drevna follows:] [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Mr. Shimkus. Thank you. And now the chair recognizes Mr. Rick Hind, Legislative Director for Greenpeace. Sir, you are recognized for 5 minutes. STATEMENT OF RICK HIND Mr. Hind. Thank you, Mr. Chairman. My name is Rick Hind. I am the legislative director of Greenpeace, as you mentioned. 
I appreciate the opportunity to talk to you today both to this committee and with this panel here. We work with over 100 other organizations, mainly unions, environmental justice organizations, other environmental groups, security experts, 9/11 families, and others who, for 10 years, have pushed for disaster prevention. The legislation that passed the House in 2009--November, actually, 2009--had that component in it but it also addressed a lot of the problems that you have been hearing about today. It provided for regular scheduling of the DHS issuing vulnerability and security plans as well as keeping regular reports back to Congress. I think you probably would have been hearing about any of these problems in 2011 at the latest if that legislation had been enacted in 2010. That legislation also would have seamlessly replaced the 2006 authorization that you have referred to earlier, which was never really thought to be adequate. Everybody knew that and that is why it had a 3-year expiration date on it. And today, we are extending it now 6 years, 1 or so years at a time, and therefore, I think you have appropriately given the due that DHS staff deserved. Their dedication and stick-to-itiveness in a program that is really inadequate, from the legislative foundation through to the continuity of its funding by Congress. However, the kind of big elephants in the room that we see unaddressed are the fact that the statute actually prohibits the government from requiring disaster prevention in the statute barring any particular security measure for approval of security plans. In addition, the statute actually exempts thousands of facilities. So what we are talking about here when you think of the classic Bhopal disaster of poison gas drifting out of a plant endangering people--and in this country we have hundreds of plants that can do that. 
In looking at the tiering of DHS, if you separate that by risk issue, or I should say security issue, the release issue security facilities in Tiers 1 and 2 totals 35. That is totaling, in all 4 tiers, 370 facilities. That data is 2011 so it may be slightly less now. The point is that less than 10 percent of the facilities that you think of as the 3,900 CFATS facilities may be chemical disasters in the sense we all think of it as. And that is because they are being regulated by other programs like the MTSA, which look at more the water access of the facility. Major facilities in the country, like this Keeney plant, probably the highest-risk facility in the United States, is regulated by MTSA. That facility puts 12 million people at risk. They, for 2 years on their Web site, say they are converting. We hope they are. Clorox converted all of their facilities in 3 years eliminating these risks to 13 million people. And we say risk, we mean a consequence; we mean the poison gas like chlorine that can drift 14 to 20 miles from a facility and put everyone downwind in danger of pulmonary edema, which would mean your lungs would literally melt. You would drown in your lung fluid. Those who would survive could have long-lasting, lifelong health problems. So when we hear about the rush to approve security plans now, and we're not comforted by the 7- to 9-year schedule GAO brings out, we are also not comforted by the fact that it is not a complete deck that we are dealing with here. So approval of a plan doesn't necessarily make it secure and it certainly doesn't make it no longer vulnerable. The CEO of DuPont admitted that if an airplane or a small helicopter coming into a plant couldn't be stopped by fence-line security, which is the entire basis of this kind of security. Similar communities living near these plants are not comforted by these Alternative Security Plans developed by industry lobbies. 
They have heard too often when they have sheltered in place, or see explosions and flares and fires--we're averaging about 45 a year, by the way, at refineries--that everything is OK. There are no dangerous levels of chemicals released. So when you look at our testimony, look at the people who we have quoted in there, but also look at the Center for American Progress reports we cited, which identified hundreds of facilities that have converted and eliminated these risks to millions of people. We think any plant that can convert should be required to convert and, in fact, the CEP studies found that 87 percent of those converted that were surveyed did so for $1 million or less; 1/3 expected to save money. So this is good business. It also means eliminating liability and regulatory obligations. And I have much more to say but I will wait for your questions. Thank you again for allowing us to appear today.

[The prepared statement of Mr. Hind follows:]

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

Mr. Shimkus. Thank you, Mr. Hind. Now, I would like to recognize myself for the first 5 minutes of questions. I want to start off whatever script I was given to ask Mr. Scott a question. Were you in the room when Representative McKinley was asking about the risk assessment issue? And, of course, DHS responded that, well, we don't know of any identifiable risks. And I am paraphrasing here--then the question went to about European security and DHS responded, well, we think we are the gold standard. Since you operate around the globe, do individual European countries or the EU at large have a CFATS-type program?

Mr. Scott. No, but they are discussing a similar program. The difference you have there, you are working between various countries. But they do have regulations in place like the Seveso regulations that impact offsite types of emergencies. The EU is having a conversation about are there any general rules and regulations that we can put in place? They have been talking.
They have talked with DHS in the past. We are working with----

Mr. Shimkus. Maybe they should talk with our GAO, our Government Accounting Office, then DHS.

Mr. Scott. Yes. Well, DHS is a standard; I wouldn't say it is a gold standard. But the folks overseas are looking at similar directions to go, both in transportation and site security. But we also have a lot of work that we have done over there through the Responsible Care Code. It is a global code. So that has been implemented. And a lot of the same safety and security cultures that are in place in the U.S. are in place throughout Europe.

Mr. Shimkus. I appreciate that. Now, for Mr. Allmond and Mr. Scott and Mr. Drevna, GAO reports--and you all have heard these conversations earlier today--that DHS largely disregards vulnerability, economic criticality, and threat assessments as part of the risk calculations making CFATS a modified consequence prevention-only program. Are you concerned your members might be overregulated or under-tiered? Mr. Allmond?

Mr. Allmond. Well, certainly these revelations are concerning. And it is going to take me some time to get back to my members to find out from their perspective how they would like to proceed. I think completely stopping the CFATS program from going forward probably would be overboard. Perhaps some components could go forward. But certainly----

Mr. Shimkus. OK. But you were here during the testimony. Do you think that some of your folks are overregulated or under-tiered? It is pretty easy----

Mr. Allmond. Well, at this point it seems like that may be the case.

Mr. Shimkus. Thank you. Mr. Scott?

Mr. Scott. I would say yes. Looking at the variability in the sites that we have that are covered, there is a lot of question on how we got where we got.

Mr. Shimkus. Mr. Drevna?

Mr. Drevna. I concur.

Mr. Shimkus. You have heard from panels one and two that DHS has collected a lot of information that it will not use in risk assessment. Are you comfortable with that? Mr.
Allmond?

Mr. Allmond. No, we are not.

Mr. Shimkus. And why?

Mr. Allmond. DHS should use the information that is given to them. As has been testified before, there has been an enormous amount of resources given to--from our side--given to the Department that we are compelled to do and there is an understanding that the Department is going to use that information.

Mr. Shimkus. Mr. Scott?

Mr. Scott. I agree. The inefficiency in the process caused a lot of unnecessary work, a lot of information that they have never used, and we don't know where the information went. It seems like they felt like they had the answer before we started the process.

Mr. Shimkus. Mr. Drevna?

Mr. Drevna. Yes. And I would like to add to that, Chairman Shimkus, that in chemical facilities you are changing processes constantly. So we are submitting information, it goes somewhere, lots of information, up to 900 questions on some things. It goes somewhere. Whether it is used or not, probably not all of it. Again, if it is vital, perfect. If it is not, let us work with you to get it done. But then you change your process again, you may have to go through the whole thing again because these things are not static kinds of plants. We are always changing volumes and chemicals.

Mr. Shimkus. Mr. Scott?

Mr. Scott. I would like to add to that. That is one of the big issues that we have is we typically have larger plants, a lot of processes in those plants and we are required to submit any time we change anything in the process, make another submission. That puts you back to square one in the whole process.

Mr. Shimkus. And just because my time is getting short, and Mr. McNerney is not here, but he talked a lot about cyber stuff. So you have got all this data going somewhere. If it is not being used, why it is being held and what is the risk of that being pulled out to make your facilities less secure. Is that a risk? Mr. Scott?

Mr. Scott.
Well, it is a risk whenever you release the information that you hope it is going to be secure. But in the earlier panel, we also heard that, well, maybe we can declassify that so everybody can talk about it. And I am concerned about the level of declassification. If it is just open to the public, that is a real security concern.

Mr. Shimkus. Anyone else while my time is expired? Mr. Drevna?

Mr. Drevna. I would like to add to that. You are probably one hit of forward or reply all from exactly what Mr. Scott was just talking about.

Mr. Allmond. Absolutely.

Mr. Shimkus. Mr. Allmond. OK. Thank you. The chair now recognizes ranking member, Mr. Tonko, for 5 minutes.

Mr. Tonko. Thank you, Mr. Chairman. And to the gentleman on the panel, thank you for your time and your input today. To the industry witnesses, did you participate in GAO's survey?

Mr. Allmond. Oh, SOCMA did, yes.

Mr. Scott. ACC did, yes.

Mr. Drevna. Yes, sir.

Mr. Tonko. So you all did. GAO found that transparency in the tiering process should be improved. Can each of you state whether you agree with this GAO conclusion?

Mr. Allmond. I will say absolutely. As Mr. Scott was saying, a lot of times these facilities give information without getting a really detailed understanding about why they got the tier level they did.

Mr. Scott. All of the information was submitted. I absolutely think it should be more transparent with the people that we were supposed to be working as partners.

Mr. Drevna. I agree, Mr. Tonko. But I will say that the process has somewhat improved. We have got a long way to go, but we weren't where we were before this report came out.

Mr. Tonko. Mr. Drevna, you talked about the PSP process----

Mr. Drevna. Yes, sir.

Mr. Tonko [continuing]. And utilizing it more readily.

Mr. Drevna. Yes, sir.

Mr. Tonko. Can you just develop that a bit for me?

Mr. Drevna.
Well, at refineries and petrochemical facilities, you have constantly--you have your own employees--but you have constant contractors coming in and out, turnarounds, changeovers, et cetera, and they are authorized, the contractors, under TWIC, Transportation Worker Identification Credential. And what the DHS will tell us is that, well, we are coming up with a remedy for that but those rules aren't going to be ready for who knows how many more years. Meanwhile, we have to, perhaps, have other identification notices or identification cards for the various employees and contractors. It is sort of like if I can make some sort of an analogy, sort of like me or you going through an airport and you have to have your passport to go through the first gate, and your driver's license you through the second, and maybe your voter ID card to go through the third or whatever. But it doesn't make any sense. So you talk to us in industry and we usually object to the one-size-fits-all approach and maybe that is not applicable. But we need something that is not duplicative, time-consuming, and sometimes conflicting.

Mr. Tonko. Thank you. Thank you, Mr. Drevna. Mr. Hind, you made mention, or I think to use your words, we are not dealing with a complete deck. Can you elaborate on that? What else should be done to make certain that we are providing for the public safety elements out there or in keeping with the mission of the legislation?

Mr. Hind. Well, if you look at the EPA's database through its risk management program, which is really kind of an imperfect larger universe of the facilities we are worried about, those that have off-site consequences, the total number of facilities in that program is 12,440 according to CRS' latest update in November. Of those, 2,500 plants each put 10,000 people or more at risk. Of the 2,500, some of them could put over a million at risk. In fact, 473 put 100,000 at risk.
And so my question to the panel here is, which of your member companies are actually part of MTSA and exempt from CFATS or part of a DOE program or even Defense Department? And I think that the numbers would be rather revealing in terms of which they are. We have heard that Dow's largest plant in the country at Freeport, Texas, is that MTSA facility. So that means there are huge holes, or as Congressman Waxman called them, gaps in the security and in terms of the continuity of security by the government accountability over the industry.

Mr. Tonko. Thank you. And from the public interest perspective, what are the problems with incorrect tiering of facilities?

Mr. Hind. You mean in terms of the way that the risk assessment has been conducted and so forth? Well, in our view, we are a little bit nervous to hear about economic considerations being added and also vulnerability. I think that all of these facilities are vulnerable. If somebody takes a small plane or hijacked it, all of the guards and cameras and gates are not going to be enough to stop a small plane, as the CEO of DuPont admitted years ago. So I think that, as the former EPA administrator Ruckelshaus has warned, risk assessment is like a captured spy. If you torture it enough, you can get it to say anything. And I fear that we are going down a slippery slope here, and what needs to be done is adding alternative assessment to the process. Each company should be going out and saying to the DHS, we have looked at all the alternatives and there is nothing feasible for facility, or we are like Clorox and we can convert. And then you have zero risk.

Mr. Tonko. Thank you. I think some of you might have a comment to that, too, or----

Mr. Scott. Yes, I just----

Mr. Shimkus. Without objection, we will continue for a minute to get a response. Mr. Scott?

Mr. Scott. OK. Yes, I would just like to reply on the MTSA question. There are several sites that are covered by MTSA, but rightly so.
They have waterside security included on their security. But the Texas operation site is the one that Mr. Hind mentioned, which is our largest site. It is the largest chemical site in the United States. It is covered by MTSA so it does have different requirements. It also has exactly the same security upgrades already in place that are required of a Tier 1 CFATS site. So if you come down to Freeport operations or Texas operations, you will see we would be in full compliance with CFATS right now as a Tier 1 site. All of our MTSA sites are upgraded security-wise exactly the same as our CFATS sites. And all of our sites globally are tiered the same way and have security upgrades in place the same way. So I think that addresses the issue that we can have integration of the two systems very well.

Mr. Shimkus. Thank you very much. The chair now recognizes the gentleman from Pennsylvania, Mr. Pitts, for 5 minutes.

Mr. Pitts. Mr. Drevna, did you want to add to that?

Mr. Drevna. Well, if you don't mind, Mr. Chairman, thank you. I agree with everything that Mr. Scott had said exponentially. But since the question was asked from the panel to the panel, in short of installing Patriot missile batteries at all facilities, I don't see how we are going to stop anything from coming in from outside the gate like an airplane or helicopter.

Mr. Pitts. Mr. Allmond, you testified that DHS should be more willing to extend the amount of time a small or medium-sized facility has to respond to a post-inspection report. How much time is reasonable so that the small and medium-sized facility still feels the urge to promptly respond while also giving them the chance to provide a quality response?

Mr. Allmond. Yes. Thank you for that question. I think a minimum of 90 days will be sufficient.

Mr. Pitts. Do you believe DHS still has time to make program adjustments and will consider your perspective, and if so, what gives you that confidence?

Mr. Allmond. I do.
In fact, I have already broached this concern with the Department and they have been receptive to hearing our proposal.

Mr. Pitts. Thank you. Mr. Drevna, your testimony discusses the importance your members place on getting a workable Personnel Surety Program. Is DHS addressing your particular concerns?

Mr. Drevna. Well, we have been working with them, and as I said previously, ever since the report came out and we have sat down--and I have to admit, there has been more transparency and they are willing to work with us. But we have got to establish the fact that we--you know, as I said before, the TWIC reader card implementation is years away. But we are in the process of doing all this now. So there has to be some meeting of the minds here that says, OK, let's get this done in a timely fashion so we can move on.

Mr. Pitts. Has AFPM tried to get an Alternative Security Plan approved by DHS for its members? What has been your experience with DHS in trying to advance----

Mr. Drevna. Well, we support the alternative plans. We haven't particularly as an association done it, but our members have. And that is one of the things we keep, the tiering process, the kind of data that is needed. It is a little bit confusing between what is needed for the full assessment, what is needed to get you into a quicker AV alternative plan. So we are working with them. We support it and again, we are seeing the light at the end of this tunnel but we still have a ways to go.

Mr. Pitts. Assuming DHS, with the help from a Peer Review Panel, comes up with a better risk assessment model, when should it be applied to CFATS activities? Does it affect the speed with which your members would have their Site Security Plans reviewed and approved?

Mr. Drevna. Is that for me, sir?

Mr. Pitts. Yes.

Mr. Drevna. I believe it would. I mean, we have three member companies on that tiering panel. And we are confident that we are getting joint cooperation.
Anytime you get three companies on the panel, a government panel, we are happy with that. But the proof is going to be at the end of the day with what is accepted and what isn't.

Mr. Pitts. All right. Mr. Scott, your testimony raised concerns about transparency by DHS officials because they did a poor job of communicating threat information to CFATS-regulated facilities. Do you think DHS can formulate credible threat information and assessments?

Mr. Scott. I think they can give us the information that they have available to us. There is a NIAC study out that is on communications amongst the intelligence communities in the D.C. area and DHS did not come out very highly on that panel.

Mr. Pitts. Does it surprise you that GAO found that DHS really doesn't assess threat for 90 percent of terror threats at facilities with chemicals?

Mr. Scott. Threat typically is not discussed, and when you have a meeting with DHS, typically, it starts with there are no credible threats to the chemical industry at this time. We go on the premise that because we are part of the critical infrastructure, we are a potential threat or there is always a potential threat. That is the discussions we have always had.

Mr. Pitts. What recommendations do you have for DHS to improve its threat characterizations and communications?

Mr. Scott. You have to identify the baseline on the threats that you are going to address, and then you have to have plans in place to escalate your security programs accordingly as the risk increases.

Mr. Pitts. Do you agree with GAO that DHS assessment tools, particularly threat consequence and vulnerability ones, should be verified and valid before being deployed?

Mr. Scott. Yes, I do. Validity is important, yes.

Mr. Pitts. My time has expired. Thank you.

Mr. Shimkus. The gentleman's time has expired. The chair now recognizes the gentleman from Texas, Mr. Green, for 5 minutes.

Mr. Green. Thank you, Mr. Chairman.
And obviously, our threat assessments are a work in progress because I remember in late 2001 there was in one of the caves in Afghanistan there was information on an attack on a refinery in Pasadena, California. It didn't take too long to know there are no refineries in Pasadena, California. But I represent Pasadena, Texas, and we have no shortage of refineries. And that was right after 9/11. Obviously, it was infancy. And today, though, there is a lot--and I know at least in the industries that I work with in my area in East Harris County, the coordination between the federal agencies and our local police agencies is amazing. Now, I don't know what DHS does with the local law enforcement, the FBI, the Customs and Border Protection, the Coast Guard. In fact, I was at the Coast Guard facility in our district that now is co-located at a Coast Guard facility with the Harris County Sheriff's office boats, along with the Houston Police Department boats at the same location in our district in Galena Park, Texas. So, I mean, it is a work in progress. Were you all here for the first panel? Do you feel confident that we are going to end up not having to jump through second hoops on your non-MTSA facilities and that the TWIC card is going to be able to be used? If you have a site that Dow does, for example, in Freeport, that the TWIC card works and you have a land-based site, the TWIC card will also, ultimately when they get through, will also be able to be used for an ID at that land-based facility for Dow?

Mr. Scott. That is the direction that they are moving in. So yes, a TWIC card would be acceptable and usable at any of those sites. Yes.

Mr. Green. Well, Mr. Chairman, we need to just monitor that because I know we in the Subcommittee had that discussion for a number of years, and frankly, we probably wouldn't have gotten where we are without a great GAO study to show that the problem is within DHS. For Mr. Drevna and Mr.
Scott, over the past year, have you seen changes in outreach and cooperation from DHS and the industry, particularly as they relate to chemical and fuel and petrochemical manufacturers in the last year?

Mr. Drevna. Yes. In the last year they have significantly improved the communications from DHS to their people in the field and from the people in the field to the sites. Yes.

Mr. Green. Well, and I understand in your testimony you are concerned that the transparency on the decision-making ought to be much better and our committee ought to be encouraging that. Now, I do have some concern about the information provided on your plant facilities, because again, the experience we have over the last 12 years is that if a lot of your information is given to DHS, it is public record. There are folks in part of the world who can, with the punch of a button, look up plant design and plant vulnerability. That should not be public record. And I am concerned about that. We want transparency in the approval process but as much as I want as much public information for my constituents that live around and work on those plants, I also know I don't want to give a guide to somebody who wants to fly that Piper Cub over it. Is that some of your concern?

Mr. Drevna. Absolutely. Like I said before, Congressman Green, we submit information and we submit it in good faith and----

Mr. Green. Well, you are required to.

Mr. Drevna. But like I say, it is either one reply all or one forward button away from getting into the wrong hands.

Mr. Green. Well, I think in follow-up hearings we might have DHS come talk about what they do with information that is provided so it is protected. But I have to admit, Charlie, it is interesting, the ultimate 2nd Amendment is somebody having a Stinger missile to protect their plant or their house from a Piper Cub flying over it. I don't think we are going to get to that point. But I see planes fly over my plants literally every day when I am at home.
And there is a special protection, though, you have to have special access to be able to fly over those facilities and no system is foolproof. But also, I don't know if I really want us to have to train our plant personnel to have a Stinger missile on their shoulder.

Mr. Drevna. I would concur, Congressman Green.

Mr. Green. But Mr. Chairman, I appreciate the hearing. It seems like we made progress, but obviously DHS needs to come a little more with plants who, as I have said before, have made a million dollars in federal tax dollars, millions of dollars of investments and partnerships with our local communities that we still don't know what hoops and what will be approved, whether it be Tier 1, 2, 3, or 4. And I would like to have some certainty there, and I know Greenpeace would like that too, and so would my constituents. Thank you.

Mr. Shimkus. The gentleman yields back his time. We want to thank the third panel for being here and ask unanimous consent for 5 days for subcommittee members to submit opening statements for the record. Without objection, so ordered. We would also ask unanimous consent for 10 days to submit written questions for submittal to witnesses for an inclusion in the records. That also pertains to you all. And inclusion of a letter, I ask unanimous consent for the inclusion of a letter from the National Association of Chemical Distributors to myself and Mr. Tonko--your staff has approved--dated March 12, 2013, on the CFATS program. Without objection, so ordered.

[The information appears at the conclusion of the hearing.]

Mr. Shimkus. And the hearing is now adjourned.

[Whereupon, at 12:43 p.m., the subcommittee was adjourned.]

[Material submitted for inclusion in the record follows:]

Prepared statement of Hon. Henry A. Waxman

I thank the Chairman for calling this hearing on this very important program.
The Chemical Facilities Anti-Terrorism Standards Program, or CFATS, is a critical national security program designed to protect communities from potential terrorist attacks on industrial facilities with significant stores of dangerous chemicals. Since 2001, federal officials, the Government Accountability Office (GAO), and outside experts have warned that the nation's drinking water utilities and chemical facilities remain vulnerable to terrorist attack. Unfortunately, the CFATS program is a grave disappointment. At the end of 2011, we learned the program was in disarray. No facilities had approved site security plans. Homeland Security officials felt their enforcement authority was insufficient and ineffective. There were no procedures in place to document important programmatic decisions. No one on staff was even qualified to conduct a compliance inspection. There has been some progress. We will hear from the Department today about their efforts to strengthen the CFATS program and the advances the Department has made since undertaking a serious internal examination of the program in 2011. But today we will also hear from the Government Accountability Office, which has undertaken the first rigorous external accounting of the program. GAO has found that fundamental problems still plague the program. More work is needed before Congress and the American public can have confidence in the risk assessments that determine the potential dangers facilities pose. Perhaps we shouldn't be surprised. CFATS was created in the sloppiest legislative fashion possible. It was established in 2006 by a provision tucked into an appropriations bill without the benefit of hearings or markups by the Committee. The problems with the program are not all Congress' fault. Both the current and previous administrations have failed to implement the program effectively. The Department issued an interim final rule within six months of the law's passage. 
This rule determined what chemicals might be targets, how risk would be assessed, and what security standards would be applied. Given the quick action and limited statutory guidance, the rule was flawed. But now--six years later--it still hasn't been updated and improved. In the 111th Congress, we worked on a bipartisan basis with industry, labor, and other affected stakeholders to methodically resolve each of the issues surrounding the CFATS program. The result was H.R. 2868, the Chemical and Water Security Act of 2009, which passed the House by a vote of 230-193. That legislation would have addressed many of the challenges the program now faces, increased transparency and accountability, clarified the process for approving or disapproving site security plans, and set enforceable deadlines. It also would have strengthened security at covered facilities by requiring assessment, and in particular circumstances, adoption of safer chemicals, processes, or technologies to reduce the consequences of a terrorist attack. Unfortunately, that bill did not become law, and that opportunity to set this program on a more successful path was missed. In the years since, this Committee has failed to develop comprehensive legislation to reform the CFATS program. It has also failed to offer any legislation to close security gaps or address security at water facilities. This Committee needs to do more. Comprehensive legislation is long overdue. I look forward to the testimony of the witnesses today, and I invite all of them and other stakeholders to engage with this Committee and help us seek solutions to a troubled, yet critically important anti-terrorism program. ---------- [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]