[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]


   INDUSTRY VIEWS OF THE CHEMICAL FACILITY ANTI-TERRORISM STANDARDS 
                                PROGRAM

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                           CYBERSECURITY AND
                       INFRASTRUCTURE PROTECTION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED FIFTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           FEBRUARY 15, 2018

                               __________

                           Serial No. 115-49

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                                    

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                               
                   U.S. GOVERNMENT PUBLISHING OFFICE                    
30-483 PDF                  WASHINGTON : 2018                     
          
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, 
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). 
E-mail, gpo@custhelp.com                             
                               

                     COMMITTEE ON HOMELAND SECURITY

                   Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Peter T. King, New York              Sheila Jackson Lee, Texas
Mike Rogers, Alabama                 James R. Langevin, Rhode Island
Lou Barletta, Pennsylvania           Cedric L. Richmond, Louisiana
Scott Perry, Pennsylvania            William R. Keating, Massachusetts
John Katko, New York                 Donald M. Payne, Jr., New Jersey
Will Hurd, Texas                     Filemon Vela, Texas
Martha McSally, Arizona              Bonnie Watson Coleman, New Jersey
John Ratcliffe, Texas                Kathleen M. Rice, New York
Daniel M. Donovan, Jr., New York     J. Luis Correa, California
Mike Gallagher, Wisconsin            Val Butler Demings, Florida
Clay Higgins, Louisiana              Nanette Diaz Barragan, California
John H. Rutherford, Florida
Thomas A. Garrett, Jr., Virginia
Brian K. Fitzpatrick, Pennsylvania
Ron Estes, Kansas
Don Bacon, Nebraska
                   Brendan P. Shields, Staff Director
                    Steven S. Giaier, Chief Counsel
                    Michael S. Twinchek, Chief Clerk
                  Hope Goins, Minority Staff Director
                                 ------                                

      SUBCOMMITTEE ON CYBERSECURITY AND INFRASTRUCTURE PROTECTION

                    John Ratcliffe, Texas, Chairman
John Katko, New York                 Cedric L. Richmond, Louisiana
Daniel M. Donovan, Jr., New York     Sheila Jackson Lee, Texas
Mike Gallagher, Wisconsin            James R. Langevin, Rhode Island
Brian K. Fitzpatrick, Pennsylvania   Val Butler Demings, Florida
Don Bacon, Nebraska                  Bennie G. Thompson, Mississippi 
Michael T. McCaul, Texas (ex             (ex officio)
    officio)
             Kristen M. Duncan, Subcommittee Staff Director
                            
                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Oral Statement.................................................     1
  Prepared Statement.............................................     2
The Honorable Cedric L. Richmond, a Representative in Congress 
  From the State of Louisiana, and Ranking Member, Subcommittee 
  on Cybersecurity and Infrastructure Protection:
  Oral Statement.................................................     9
  Prepared Statement.............................................    10
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................    11

                               Witnesses

Mr. Chet Thompson, President, American Fuel and Petrochemical 
  Manufacturers:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Ms. Kirsten Meskill, Director, Corporate Security, BASF 
  Corporation, Testifying on Behalf of the American Chemistry 
  Council:
  Oral Statement.................................................    18
  Prepared Statement.............................................    19
Mr. Pete Mutschler, Environment, Health, and Safety Director, CHS 
  Inc.:
  Oral Statement.................................................    21
  Prepared Statement.............................................    22
Mr. Paul Orum, Chemical Safety Advocate, Coalition to Prevent 
  Chemical Disasters:
  Oral Statement.................................................    24
  Prepared Statement.............................................    25

                             For the Record

The Honorable John Ratcliffe, a Representative in Congress From 
  the State of Texas, and Chairman, Subcommittee on Cybersecurity 
  and Infrastructure Protection:
  Statement of the National Association of Chemical Distributors.     3
  Statement of the Institute of Makers of Explosives.............     4

                                Appendix

Questions From Honorable James R. Langevin for Chet Thompson.....    43
Questions From Honorable James R. Langevin for Kirsten Meskill...    43
Questions From Honorable James R. Langevin for Paul Orum.........    44

 
   INDUSTRY VIEWS OF THE CHEMICAL FACILITY ANTI-TERRORISM STANDARDS 
                                PROGRAM

                              ----------                              


                      Thursday, February 15, 2018

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Cybersecurity and 
                                 Infrastructure Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10:04 a.m., in 
room HVC-210, Capitol Visitor Center, Hon. John Ratcliffe 
(Chairman of the subcommittee) presiding.
    Present: Representatives Ratcliffe, Bacon, Fitzpatrick, 
Donovan, Richmond, and Demings.
    Mr. Ratcliffe. The Committee on Homeland Security, 
Subcommittee on Cybersecurity and Infrastructure and Protection 
will come to order. The Chair welcomes those joining us today 
in the audience. I want to remind everyone that is here as a 
guest of the committee that we do not allow anyone to disrupt 
the proceeding in any manner with signs or placards.
    The subcommittee is meeting today to receive testimony 
regarding the Chemical Facility Antiterrorism Standards 
program, more commonly referred to as CFATS. I will recognize 
myself for an opening statement.
    Before we begin, though, I would like to say I know that I 
speak for everyone on this subcommittee in extending our 
heartfelt condolences to the victims of yesterday's shooting in 
Florida. A school should never be a place where students or 
teachers fear for or lose their lives. As we learn more I 
certainly hope that no other family will be forced to endure 
this type of senseless tragedy.
    The Chemical Facility Anti-Terrorism Standards program 
began in 2007 in order to keep dangerous chemicals out of the 
hands of terrorists seeking to do our Nation harm. Since then, 
the program has grown and strengthened through the tireless 
work put in by the men and woman at DHS and through the 
relentless effort of industry to keep their facilities secure.
    The daily management and security of high-risk chemicals is 
not an issue that the Government can solve on its own. Working 
with industry stakeholders in this area is an integral part and 
aspect of our Nation's continuing counterterrorism efforts.
    By identifying high-risk facilities and ensuring that they 
have appropriate security measures in place, the risks 
associated with these chemicals can be heavily mitigated. 
Especially after recent tragedies, greater collaboration 
between the Government and facility owner-operators also can 
provide confidence and peace of mind to the American public.
    It is important to point out that CFATS is a broad program 
that covers facilities that use, manufacture, store, or handle 
specific quantities of chemicals that DHS has identified as 
being extremely dangerous.
    As shown by the various industries that our witnesses come 
from, facilities under this program touch all aspects of our 
economy, such as energy and health care, mining, agriculture, 
electronics, and plastics. The need for Congress and DHS to get 
this program right is both a National security and economic 
imperative.
    The CFATS program has used risk-based performance 
standards, such as perimeter security, access control, and 
cybersecurity, to examine and evaluate a facility's security 
posture.
    While it is up to individual owner-operators of a CFATS-
covered facility to choose what programs best ensure the 
security of stored chemicals, a high-risk facility ultimately 
must implement stringent standards as set forth in CFATS.
    As DHS previously stated before this subcommittee, ``the 
significant reduction in the number of chemical facilities that 
represent the highest risk is an important success in the CFATS 
program and is attributable both to the design of the program 
and the work of CFATS personnel and industry at thousands of 
chemical facilities.''
    Through engagement and collaboration with industry 
stakeholders over the past few years, this committee is hopeful 
that the CFATS program can continue to protect chemicals from 
those who mean to do us harm.
    I would like to thank our panel for taking time today to 
testify. Your thoughts and opinions are very important as we 
oversee the Department of Homeland Security in meeting its 
duties under the Chemical Facilities Anti-Terrorism Standards 
program.
    As stakeholders, you offer a unique and integral insight 
into the interworkings of this program, which is set to expire, 
by the way, at the end of this year. I look forward to a robust 
conversation with our distinguished panel today that will 
support our efforts in overseeing the CFATS program.
    [The statement of Chairman Ratcliffe follows:]
                  Statement of Chairman John Ratcliffe
                           February 15, 2018
    The Chemical Facility Anti-Terrorism Standards program, or CFATS 
program, began in 2007 in order to keep dangerous chemicals out of the 
hands of terrorists seeking to do our Nation harm. Since then, the 
program has grown and strengthened through the tireless work put in by 
the men and woman of DHS, and through the relentless effort of industry 
to keep their facilities secure. The daily management and security of 
high-risk chemicals is not an issue that Government can solve on its 
own. Working with industry stakeholders in this area is an integral 
aspect of our Nation's continuing counterterrorism efforts. By 
identifying high-risk facilities and ensuring that they have 
appropriate security measures in place, the risks associated with these 
chemicals can be heavily mitigated.
    Especially after recent tragedies, greater collaboration between 
the Government and facility owner-operators also can provide confidence 
and peace of mind to the public.
    It is important to point out that CFATS is a broad program that 
covers facilities that use, manufacture, store, or handle specific 
quantities of chemicals that DHS has identified as being extremely 
dangerous. As shown by the various industries that our witness come 
from, facilities under this program touch all aspects of our economy, 
such as energy, health care, mining, agriculture, electronics, and 
plastics. The need for Congress and DHS to get this program right is 
both a National security and economic imperative.
    The CFATS program has used Risk-Based Performance Standards, such 
as perimeter security, access control, and cybersecurity, to examine 
and evaluate a facility's security posture. While it is up to the 
individual owner-operators of a CFATS-covered facility to choose what 
programs best ensure the security of stored chemicals, a high-risk 
facility ultimately must implement stringent standards set forth in 
CFATS. As DHS previously stated before this subcommittee, the 
significant reduction in the number of chemical facilities that 
represent the highest risk is an important success of the CFATS program 
and is attributable both to the design of the program and to the work 
of CFATS personnel and industry at thousands of chemical facilities.
    Through engagement and collaboration with industry stakeholders 
over the past few years, this committee is hopeful that the CFATS 
program can continue to protect chemicals from those who mean to do us 
harm.
    I would to thank our panel for taking the time today to testify. 
Your thoughts and opinions are very important as we oversee the 
Department of Homeland Security in meeting its duties under the 
Chemical Facility Anti-Terrorism Standards program. As stakeholders, 
you offer a unique and integral insight into the interworkings of this 
program which is set to expire at the end of this year. I look forward 
to a robust conversation with our distinguished panel that will support 
our efforts in overseeing the CFATS program.

    Mr. Ratcliffe. Before I recognize the Ranking Member I ask 
unanimous consent to insert statements from the National 
Association of Chemical Distributors and the Institute of 
Makers of Explosives. Without objection, so ordered.
    [The information follows:]
     Statement of the National Association of Chemical Distributors
                           February 15, 2018
    The National Association of Chemical Distributors (NACD) is pleased 
to provide the following statement for inclusion in the record of the 
February 15, 2018, hearing, Industry Views of the Chemical Facility 
Anti-Terrorism Standards Program.
    NACD commends the subcommittee for holding this important hearing 
as a first step in reauthorizing the Chemical Facility Anti-Terrorism 
Standards (CFATS) program--NACD strongly urges you to introduce CFATS 
reauthorization legislation as soon as possible so it can proceed 
through Congress and be signed into law well before the program's 
January 2019 expiration date.
                               about nacd
    NACD is an international association of nearly 440 chemical 
distributors and their supply-chain partners. NACD members represent 
more than 85 percent of the chemical distribution capacity in the 
Nation and generate 93 percent of the industry's gross revenue. NACD 
members, operating in all 50 States through more than 2,800 facilities, 
are responsible for nearly 130,000 direct and indirect jobs in the 
United States. NACD members are predominantly small regional 
businesses, many of which are multi-generational, and family-owned.
    NACD members meet the highest standards in safety and performance 
through mandatory participation in NACD Responsible Distribution, the 
association's third-party-verified environmental, health, safety, and 
security program. Through Responsible Distribution, NACD members 
demonstrate their commitment to continuous performance improvement in 
every phase of chemical storage, handling, transportation, and disposal 
operations.
    While security has always been an inherent element of Responsible 
Distribution, following the terrorist attacks of September 11, 2001, 
distributors were the first sector of the chemical industry to mandate 
security measures for its members. NACD continues to assess Responsible 
Distribution's security measures against current threats. In 2013, NACD 
added a specific Security Code to Responsible Distribution that 
consolidated many prior requirements and enhanced others. These 
requirements apply to all NACD members, including those who do not have 
facilities subject to the CFATS regulations. Over the past 16 years, 
NACD members--both CFATS-regulated and non-CFATS-regulated companies--
have made substantial investments to make their facilities more secure.
            nacd supports long-term reauthorization of cfats
    The CFATS program has made the chemical industry and our Nation 
much more secure. Since its establishment in 2007, the industry has 
invested millions of dollars and instituted thousands of new security 
measures at our facilities.
    From the beginning, the Department of Homeland Security (DHS) has 
taken a collaborative, common-sense approach in implementing the CFATS 
regulations. Despite being dependent on temporary appropriations 
measures during the first 7 years of the program, the agency did a 
commendable job in writing the regulations and setting up the internal 
infrastructure to be able to implement and enforce the new standards.
    One reason for the success of the CFATS program is the fact that 
DHS has taken the time to truly learn about the diverse chemical 
industry and work with companies on security measures that meet the 
CFATS Risk-Based Performance Standards while providing flexibility to 
each unique chemical facility in doing so. DHS has excelled in outreach 
to the industry by publishing numerous fact sheets and ``lessons 
learned'' documents; interacting with facility owners and operators 
during the Chemical Sector Security Summits and other trade association 
meetings; and always making inspectors and headquarters personnel 
available to talk through issues and answer questions.
    In addition, DHS worked with NACD and the American Chemistry 
Council to develop a CFATS Alternative Security Program (ASP) Guidance 
Document and Template to enhance the process for submitting site 
security plans. The ASP provides DHS with greater clarity about 
regulated facilities' security measures and how they meet or exceed 
CFATS requirements, while simplifying the compliance process and giving 
facility owners and operators a comprehensive security document to 
follow.
    The ``Protecting and Securing Chemical Facilities from Terrorist 
Attacks Act'' of 2014 (Pub. L. No. 113-254), which for the first time 
provided CFATS a multi-year authorization, further enhanced security 
efforts by providing regulatory certainty to both industry and DHS. 
This stability allowed DHS to increase efficiencies in the program 
while streamlining the information submission process for regulated 
facilities.
    For example, in 2016, DHS rolled out an enhanced risk-tiering 
methodology to identify more accurately high-risk facilities and assign 
them to appropriate risk tiers. DHS notified all facilities with 
threshold quantities of CFATS chemicals of interest that they must 
submit new Top-Screen surveys to the agency. At the same time, the 
agency launched version 2.0 of the Chemical Security Assessment Tool 
(CSAT 2.0), the on-line portal facilities use to submit Top Screens, 
Security Vulnerability Assessments, and Site Security Plans/ASPs. CSAT 
2.0 is much more streamlined and user-friendly than the old version, 
which allows facilities to submit their information and DHS to analyze 
the material more easily. DHS has virtually completed this re-tiering 
process and is conducting authorization inspections and compliance 
inspections of facilities assigned to different tiers as well as newly-
regulated facilities.
    A long-term reauthorization of CFATS in the next few months would 
allow for the continuation of this positive momentum. NACD urges the 
subcommittee leadership to introduce CFATS reauthorization legislation 
as soon as possible so it can move through the process and be signed 
into law before there is a threat of a program lapse. Doing so will 
provide needed certainty and enhance the security of chemical 
facilities and our Nation.
    NACD looks forward to working with the subcommittee and Congress on 
CFATS reauthorization legislation in the coming weeks and months.
    Thank you for the opportunity to submit these comments.
                                 ______
                                 
           Statement of the Institute of Makers of Explosives
                           February 15, 2018
    Dear Chairman Ratcliffe and Ranking Member Richmond: The Institute 
of Makers of Explosives (IME) would like to provide the following 
information for your edification as you conduct the hearing Industry 
Views of the Chemical Facility Anti-Terrorism Standards (CFATS) 
Program. As an industry regulated by both the Department of Homeland 
Security (DHS/the Department) and the Department of Justice, Bureau of 
Alcohol, Tobacco, Firearms and Explosives (ATF), we believe we can 
provide a unique view for the subcommittee.
    Founded in 1913, IME is a nonprofit association that provides 
comprehensive recommendations concerning the safety and security of 
commercial explosive materials. IME represents U.S. manufacturers and 
distributors of commercial explosive materials as well as other 
companies that provide related services. IME provides technically 
accurate and reliable information and recommendations concerning 
commercial explosive materials through our Safety Library Publications 
and other guidelines. A significant number of IME best practices have 
been adopted into the regulations of Federal and State agencies.
    IME has supported the CFATS program, as a matter of policy, since 
Congress created the program in Section 550 of the 2007 Appropriation 
process. When it was time to reauthorize the program during the 113th 
Congress (H.R. 4007/Pub. L. No. 113-254), IME was there supporting it. 
IME has also worked closely with DHS personnel and, we believe, have 
developed a good working relationship based on professionalism, and a 
respect for each other's focus on security. IME is a member of the 
Chemical Sector Coordinating Council, participates in the annual 
Chemical Security Summits, and regularly invites DHS personnel to speak 
to our members at industry meetings.
    In regard to the CFATS program, overall, we can, in all good 
conscience, say that the CFATS program is in a much better place in 
2018, than it was 4 years ago. The Department has rolled out the 
Chemical Security Assessment Tool (CSAT) 2.0 and, according to our 
members' experience and feedback, has done a good job screening 
explosive manufacturing facilities. While there may be differences over 
whether or not a facility should be tiered, the process used is 
efficient and effective. If we were to give it a grade, it would be a 
firm ``B'' for solid accomplishment. Nevertheless, we have detailed 
four areas below where the agency can improve.
       duplicative regulation of explosives should be eliminated
    IME's highest concern is that DHS regulations on explosive 
materials duplicate security regulations under the jurisdiction of ATF. 
Duplicative regulatory requirements impose significant costs that are 
impacting jobs and industry investment without a commensurate increase 
in security of commercial explosives.
    When the Department promulgated the CFATS Chemicals of Interest 
(COI), Appendix A, they included explosive materials that have been 
regulated by ATF for safety and security purposes for nearly a half 
century under the Organized Crime Control Act of 1970 (OCCA), and later 
by the Safe Explosives Act of 2002 (SEA). In fact, explosives are the 
only materials on the COI for which security regulations already 
existed under the jurisdiction of another agency. Given that ATF 
regulatory requirements, along with our industry's best practices, have 
resulted in a sustained and exemplary security record for the 
commercial explosives industry, the costs incurred under the 
duplicative CFATS requirements far exceed any benefits.
    As mentioned above, per the OCCA, 18 U.S.C. Chapter 40, and the 
SEA, also known as Federal Explosives Law (FEL), ATF regulates 
explosives under 27 CFR Part 555 for safety and security. ATF's 
explosives mission involves preventing terrorists and other criminals 
from accessing explosives. ATF regulations (based on IME's American 
Table of Distances) are also designed to ensure that there would be no 
significant impact to the public from an unintended detonation at an 
explosives facility.
    There is no rationale for DHS to include explosives on the COI, as 
evidenced by the Government's own data on explosive incidents. The U.S. 
Bomb Data Center (USBDC), established by Congress in 1996 as a National 
collection center for information on arson and explosives-related 
incidents throughout the United States, incorporates information from 
various sources such as ATF; the Federal Bureau of Investigation; and 
the United States Fire Administration. The USB DC publishes annually 
the Explosives Incident Report (EIR) (Unclassified), providing 
analytical data regarding explosives-related incidents, bombings, 
recoveries, and thefts/losses reported through the Bomb Arson Tracking 
System (BATS).
    According to available EIRs, commercial explosives, as components 
of Improvised Explosive Devices in the United States, have remained at 
less than 2% for 20 years. Explosives thefts have been on a consistent 
downward trend. Over the past 20 years, thefts of explosives reported 
by licensees/permittees have plummeted 92%. The EIR data further 
underscores the excellent security record of the commercial explosives 
industry by reporting only 8 thefts of commercial explosives in 2015, 
and 61 from 2011-2015. Although the industry strives for zero thefts, 
the number is infinitesimal considering that 14,550,000 pounds of 
commercial explosives were consumed in the United States during the 
2011-2015 period.\1\ Clearly, the record shows that ATF regulations and 
industry best practices effectively ensure the security of commercial 
explosives and prevent diversion for criminal or other illicit use. The 
fact that a negligible amount of commercial explosives have been used 
for illicit purposes illustrates the effectiveness of regulations and 
industry best practices in place long before explosives were 
redundantly included under the CFATS regulations.
---------------------------------------------------------------------------
    \1\ USGS, Mineral Yearbook--Explosives. By Lori E. Apodaca (2015).
---------------------------------------------------------------------------
    While there is no empirical data showing a need for regulation, IME 
was able to gather data on how much CFATS-duplicative compliance costs 
the industry at ATF-regulated sites. Below are four case studies of 
estimated or expended resources that illustrate our concern:
IME Member Company--Case Study 1, CFATS Expenses $350,000-370,000 
        (est.)
   Area perimeter fencing
     $65,000 for fence and labor
     $60-80,000 to clear brush and trees for fence installation
     $30,000 for gate with remote entry access camera system
   $50,000 camera system per each magazine location on the site
   Employee development and implementation time
   Travel expenses for assessment and DHS inspection
IME Member Company--Case Study 2, CFATS Expenses $433,820 (actual)
   Signage--$6,800
   DHS-approved locks & construction to accept new locks--
        $29,600
   Travel for training and inspections--$1,800
   Gate replacement--$10,000
   Fence installation--$3,500
   Solar lighting--$4,600
   Video verified Intruder Detection System (IDS)--$223,650
   Video verified monitoring--$151,470
   Video verified maintenance (to date)--$2,400
    Yearly Recurrent Cost $70,400
   Video-verified monitoring and maintenance and lighting
IME Member Company--Case Study 3, CFATS Expenses $837,400 (actual)
   Fencing--$679,200
   New locks--$3,200
   Reinforce gates--$1,200
   Install IDS--$151,500
   Signage--$2,300
IME Member Company--Case Study 4, CFATS Expenses $500,000-$1 Million 
        (est.)
* Subject to DOD Contractual Requirements
   Underground power and communication conduit for security 
        systems required by DOD 4145.26-M.
     Alternate option, $300,000 per magazine site at 10 
            sites=$3 million.
CFATS Total estimates and actual expenses of $2.64 million (estimate).

    Considering all four sites were already regulated for security by 
the ATF, CFATS requirements provided minimal additional security 
benefits. The industry, with hundreds of sites Nation-wide, only has an 
estimated 2 dozen tiered facilities, with nearly half of those being 
tiered under the new CSAT 2.0 process. IME is still working to generate 
an accurate accounting of the costs that the duplicative regulations 
impose on the explosives industry. When that number is finalized we 
will share it with the subcommittee. Nevertheless, we are sure you 
would agree with us that one wasted dollar on duplicative regulations 
is too much, let alone $2.64 million.
    IME has repeatedly requested the Department relieve the industry 
from this duplicative and burdensome regulation. Most recently, IME met 
with Mr. Robert Kolasky, Deputy Under Secretary (acting), National 
Protection and Programs Directorate, in his position as regulatory 
reform officer (RRO) for the Department. The meeting was held on 
October 30, 2017 to discuss regulatory reform per Executive Order (EO) 
13771 on Reducing Regulation and Controlling Regulatory Costs and EO 
13777 on Enforcing the Regulatory Reform Agenda. IME briefed Mr. 
Kolasky on the situation and explained how removal of this duplicative 
regulation would allow DHS to focus valuable resources on other 
critical risks to our Nation. The Department did respond, informally, 
that they will not pursue rulemaking to remove what IME has identified 
as unnecessary regulation that imposes costs which exceed benefits; 
however they indicated they would not object to a legislative fix if 
IME chooses to pursue that route.



    For this reason, IME requests Congress amend 6 U.S.C. Chapter 1, 
Subchapter XVI, Chemical Facility Anti-Terrorism Standards, Section 
621(4) to include as an excluded facility ``(F) a business premises 
where explosive materials are manufactured, imported, stored or 
distributed subject to the regulation of the Department of Justice, 
Bureau of Alcohol, Tobacco, Firearms and Explosives, under 18 U.S.C. 
Chapter 40 and 27 CFR Part 555.''
    As an association that is globally recognized and respected for 
advancing the security and safety of commercial explosives, we are 
confident that removing these materials from the redundancy of the 
CFATS program would not negatively impact public safety and security. 
Regulations and practices that long predate the CFATS program have 
effectively ensured explosives security and safety for decades. 
Additionally, the amendment of CFATS regulations in deference to the 
explosives regulatory scheme mandated by ATF would alleviate burden on 
DHS and allow resources to be appropriately focused on legitimate 
security threats.
                chemicals of interest should be reviewed
    During promulgation of the CFATS regulations, DHS included in the 
list Chemicals of Interest (COI), Appendix A, a chemical that is not 
commercially manufactured and which listed is causing tiering errors 
and needless confusion and concern.

``Ammonium nitrate (AN), [with more than 0.2 percent combustible 
substances, including any organic substance calculated as carbon, to 
the exclusion of any other substance] with a Chemical Abstract Service 
(CAS) number of 6484-52-2.''

    First, to the best of IME's determination, this product is not and 
never has been commercially manufactured. Per our research, the product 
was inadvertently created during a site clean-up operation where the AN 
had become contaminated. However, in order to transport the material 
for disposal, a CAS number was required. The duplicative listing of the 
CAS number 6484-52-2 to also identify the solid form of AN used in the 
industry causes confusion often resulting in mistakes made in top 
screens and additional efforts expended to correct them. Each time this 
happens, it causes great confusion and concern as the ramifications of 
being tiered are discovered, and eventually additional effort is 
expended to figure out how to correct the mistake.
    Second, the solid form of AN is an oxidizer, whereas the mixture of 
contaminated AN listed on the COI is identified as an explosive 
material. This is a significant concern for the industry, given that AN 
is a commonly-used product and its generally insensitive 
characteristics make it safe to handle, transport, and distribute under 
normal circumstances. The misleading description of contaminated AN 
causes needless concern to those outside of the commercial explosives 
industry that AN itself poses a serious danger to communities where it 
is manufactured, stored, and used, when, in fact, it does not. IME did 
bring this problem to the attention of DHS personnel; however, they 
were not receptive to our request to remove the non-commercial product 
from the list. For this reason, IME recommends the subcommittee require 
DHS to open the COI list to notice and comment.
       personnel surety program should retain all vetting options
    As DHS rolls out its second phase of its Personnel Surety Program 
(PSP), from compliance by CFATS Tier 1 and 2 facilities to Tier 3 and 4 
facilities, the transition is expected to be smooth. DHS appears to 
have done an adequate job of preparing to add more than 3,000 
facilities into the PSP, and by phasing-in compliance over 3 years, the 
agency will prevent a tidal wave of compliance issues hitting the 
Department in a very short time frame.
    Nevertheless, IME is planning to submit comments to the Information 
Collection Request for the PSP (1670-0029) issued on December 26, 2017. 
IME has submitted multiple comments over the past 5 years explaining 
our concerns and opposition to certain elements of the program. While 
many of those concerns have been addressed, we urge the subcommittee to 
focus on the following:
    First, while the Personnel-Surety-focused language of the CFATS Act 
of 2014 (HR 4007) directed the Department to accept visual verification 
as a method to comply with Risk-Based Performance Standard (REPS) 
12(iv)--Personnel Surety, as an additional option to the other three 
options already proposed, DHS continues to be resistant to the option. 
As a matter of fact, in the Information Collection Request for the PSP 
(1670-0029), the Department wrote:

``Option 4. High-risk chemical facilities may visually verify certain 
credentials or documents that are issued by a Federal screening program 
that periodically vets enrolled individuals against the TSDB. The 
Department continues to believe that visual verification has 
significant security limitations and, accordingly, encourages high-risk 
chemical facilities choosing this option to identify in their SSPs the 
means by which they plan to address these limitations.''

    IME fought for this vetting option based on the fact that the 
safety and security of explosives is closely regulated by ATF under the 
FEL. The FEL requires persons who import, manufacture, store, or 
distribute explosives to obtain a license, and those who receive or use 
explosives and do not have a license, to obtain a permit. Among the 
many requirements that these business entities or persons must meet in 
order to obtain a license or a permit is to submit to ATF for a 
background check the names of all employees who are authorized to 
possess \2\ explosives or those empowered to make management decisions 
or set company policies. The FEL standards for the background checks 
conducted by ATF are the forerunner of the background check standards 
that were subsequently adopted by DHS for the plethora of programs it 
administers for transportation workers.\3\ These same standards are the 
basis for RBPS 12. All of these programs include a check for 
``terrorist ties'' by vetting against the terrorist screening database 
(TSDB) the names of individuals needing access privileges to security-
sensitive areas, assets, or activities.\4\ These programs are 
operational and have been used to successfully vet populations in need 
of comprehensive security assessments.
---------------------------------------------------------------------------
    \2\ ``Possession'' is interpreted as both actual and constructive.
    \3\ Hazardous Materials Endorsement (HME) threat assessment, 
Transportation Worker Identification Credential (TWIC), Free and Secure 
Trade credential, and Trusted Traveler programs.
    \4\ The TSDB is a consolidated database of terrorist watch list 
information administered by the Federal Bureau of Investigation (FBI) 
through the Terrorist Screening Center (TSC). The TSC was created by 
the September 16, 2003, Homeland Security Presidential Directive--6 
(HSPD-6), which directed the TSC to integrate all existing U.S. 
Government terrorist watch lists.
---------------------------------------------------------------------------
    IME had to work through the legislative process to ensure that our 
members would not be required to vet their employees through yet 
another Federal program to be able to do their jobs. We urge the 
subcommittee to remain vigilant that DHS does not add additional 
conditions or requirements to companies using this option, such that it 
becomes an unachievable option.
    Second, it is worth taking a step back to examine the 
appropriateness and need for the PSP. To begin with, it is important to 
understand how terrorist ties have been identified and addressed since 
the tragic events of 9/11. Since the TSDB was created and delegated to 
the FBI, the Transportation Security Administration (TSA) and the 
Customs and Border Protection (CBP) agency, among other DHS components, 
were authorized to link into this system. TSA obtains a ``mirror copy'' 
of the TSDB from the FBI to facilitate vetting under the programs 
administered by the agency.
    TSA's Office of Intelligence and Analysis (I&A) oversees all 
security threat assessments required by programs the agency 
administers, such as TWIC, HME, Secure Flight, etc. The Infrastructure 
Security Compliance Division (ISCD) asked I&A to conduct the TSDB check 
of individuals under the PSP. Since TSA, not ISCD, will be conducting 
these TSDB checks, it begs the question as to why ISCD did not pursue 
options to leverage the vetting programs that I&A already oversees, 
rather than setting up another stand-alone program, the PSP, which is 
nothing more than a portal to funnel information to I&A.
    In addition to monitoring DHS to ensure that option 4--visual 
inspections of credentials remains viable; the subcommittee should 
ensure the program is serving the public well. A well-run duplicative 
program is still a duplicative program. If another option that would be 
more cost-effective and achieve the same goal is in existence, the 
subcommittee should consider using it.
            field staff need additional training, oversight
    It is understandable that the CFATS program may experience staffing 
inconsistencies with field inspectors as it matures and transforms from 
mainly assessing site security plans to one conducting inspections. 
With a large and diverse field staff, it is to be expected there may be 
occasional confusion and misinterpretation of the regulations and 
policies, and questions regarding their proper implementation. 
Nevertheless, without careful vetting of employees and consistent 
oversight, field staff may become self-empowered to interpret and apply 
the rules as they see fit.
    Over the past year two instances have been brought to our attention 
where additional training and oversight were needed to correct 
conclusions reached by inspectors. In both these instances, the 
inspectors may have been aware of the DHS regulation, but they were not 
aware of the other regulations explosives operations must also comply 
with, and after the proper consultations were made, the Department's 
excessive demands were rescinded.
    Neither of these examples are meant to characterize the field staff 
in general, but simply to illustrate that the commercial explosives 
industry must follow duplicate sets of rules and regulations between 
the ATF and DHS, and because of the duplicity--problems will arise. We 
urge the Department and the subcommittee to maintain vigilance in 
oversight and training of field staff and communication of policy.
    We believe that by taking the actions outlined above the 
subcommittee can ensure the program will be well-functioning and help 
keep our Nation safe through the entirety of the next authorization 
time line.
    Thank you for your consideration of these views, if you have any 
questions please contact us and we will be happy to discuss it with 
you.

    Mr. Ratcliffe. With that, the Chair now recognizes my 
friend, the gentleman from Louisiana, Mr. Richmond, for his 
opening statement.
    Mr. Richmond. Thank you, Mr. Chairman. Good morning and I 
want to thank the Chairman for having this very important 
meeting with this subcommittee's oversight of the Chemical 
Facility Anti-terrorism Standards, CFATS program.
    Twelve years ago, the Bush administration issued a call to 
action to address credible terrorist threats to high-risk 
chemical facilities across the country. At the time, chemical 
facilities security was considered one of the most significant 
security gaps in the post-9/11 era.
    Secretary Chertoff asked Congress to pass a balanced, risk-
based security measure for the chemical industry. Within a 
year, Congress attached language to the CHS appropriations bill 
giving DHS temporary authority to implement a chemical security 
program.
    CFATS survived on annual authorizations through the 
appropriations process for 8 years. The lack of certainty and 
stability stunted the program's growth.
    Congress finally passed a 4-year authorization bill in 2014 
following the tragic explosion at the West Texas Chemical 
facility. Since then, the CFATS program has invested in better 
tools, better-trained personnel and a better strategic vision 
for the future. In short, the CFATS program has matured.
    Today the program has buy-in of industry and bipartisan 
support on the Hill. Although I think we can do more to advance 
the objectives of the program, it is clear that CFATS has made 
us safer.
    Authorization for CFATS expires in December of this year. 
If Congress does not act, CFATS will be relegated once again to 
annual authorizations through the appropriations process or 
worse.
    Last year, this subcommittee began its reauthorization 
efforts with a series of candid, closed-door roundtables. I am 
encouraged that today we will begin hearing these stakeholder 
perspectives on the record.
    As the subcommittee's reauthorization efforts continue, I 
hope we will have an opportunity to hear from the Department. 
In the mean time, I look forward to hearing from the witnesses 
here today on how we can translate the lessons learned from the 
first 12 years of the CFATS program into proposals to make it 
more efficient, more effective, and more impactful.
    Toward that end, there are three topics I would like to 
hear more about. First, as of today, high-risk targets with 
significant chemical holdings, like public water systems, are 
exempt from CFATS. Every head of DHS from Secretary Chertoff to 
Secretary Johnson have said those exemptions should be 
eliminated.
    I would be interested to learn if the witnesses here today 
agree with our former DHS Secretaries.
    Second, as I have mentioned, CFATS has matured into a more 
stable program than what it was just 4 years ago. I will be 
interested to know how the stakeholders here today would like 
to see the program evolve.
    Finally, I would like to know what the Federal Government 
can do to help chemical facilities adapt their security 
operations in response to evolving threats and technologies 
like drones.
    Like many of my colleagues on this panel, my district is 
home to a number of chemical facilities. They play a crucial 
role in the local economy but with that comes risk.
    The CFATS program helps address that risk and makes 
communities like mine safer without being overly burdensome.
    I look forward to continuing this subcommittee's 
reauthorization efforts, and I yield back the balance of my 
time.
    [The prepared statement of Ranking Member Richmond 
follows:]
             Statement of Ranking Member Cedric L. Richmond
                           February 15, 2018
    Good morning. I want to thank Chairman Ratcliffe for continuing 
this subcommittee's oversight of the Chemical Facility Anti-Terrorism 
Standards (CFATS) program.
    Twelve years ago, the Bush administration issued a call to action 
to address credible terrorist threats to high-risk chemical facilities 
across the country.
    At the time, chemical facility security was considered one of the 
most significant security gaps in the post-9/11 era, and Secretary 
Chertoff asked Congress ``to pass a balanced, risk-based security 
measure for the chemical industry.''
    Within the year, Congress attached language to the DHS 
appropriations bill, giving DHS temporary authority to implement a 
chemical security program.
    CFATS survived on annual authorizations through the appropriations 
process for 8 years--and the lack of certainty and stability stunted 
the program's growth.
    Congress finally passed a 4-year authorization bill in 2014 
following the tragic explosion at the West, Texas chemical facility.
    Since then, the CFATS program has invested in better tools, better-
trained personnel, and a better strategic vision for the future.
    In short, the CFATS program has matured.
    Today, the program has the buy-in of industry, and bipartisan 
support on the Hill.
    And although I think we can do more to advance the objectives of 
the program, it is clear that CFATS has made us safer.
    Authorization for CFATS expires in December of this year.
    If Congress does not act, CFATS will be relegated once again to 
annual authorizations through the appropriations process, or worse.
    Last year, this subcommittee began its reauthorization efforts with 
a series of candid, closed-door roundtables.
    And I am encouraged that today we will begin hearing these 
stakeholder perspectives on the record.
    As the subcommittee's reauthorization efforts continue, I hope we 
will have an opportunity to hear from the Department.
    In the mean time, I look forward to hearing from the witnesses here 
today on how we can translate the lessons learned from the first 12 
years of the CFATS program into proposals to make it more efficient, 
more effective, and more impactful.
    Toward that end, there are three topics I would like to hear more 
about.
    First, as of today, high-risk targets with significant chemical 
holdings--like public water systems--are exempt from CFATS.
    Every head of DHS from Secretary Chertoff to Secretary Johnson has 
said those exemptions should be eliminated.
    And I will be interested to learn if the witnesses here today agree 
with our former DHS Secretaries.
    Second, as I have mentioned, CFATS has matured into a more stable 
program than it was just 4 years ago.
    I will be interested to know how the stakeholders here today would 
like to see the program evolve.
    Finally, I would like to know what the Federal Government can do to 
help chemical facilities adapt their security operations in response to 
evolving threats and technologies, like drones.
    Like many of my colleagues on this panel, my district is home to a 
number of chemical facilities.
    They play a crucial role in the local economy, but with that, comes 
risk.
    The CFATS program helps address that risk, and makes communities 
like mine safer, without being overly burdensome.
    I look forward to continuing this subcommittee's reauthorization 
efforts, and I yield back the balance of my time.

    Mr. Ratcliffe. I thank the gentleman.
    Other Members of the committee may have opening statements. 
If they do, those may be submitted for the record as I 
mentioned.
    [The statement of Ranking Member Thompson follows:]
             Statement of Ranking Member Bennie G. Thompson
                           February 15, 2018
    Good afternoon. I want to thank Chairman Ratcliffe and Ranking 
Member Richmond for holding this hearing today to examine the Chemical 
Facility Anti-Terrorism Standards program, or ``CFATS.''
    Through this program, DHS works with operators of high-risk 
chemical facilities to ensure that security measures are in place to 
prevent a bad actor from using on-site chemicals in a terrorist attack.
    Make no mistake--the possibility that a terrorist could use a 
chemical plant as a weapon of mass destruction is not mere conjecture.
    It is a credible threat that has been echoed by security experts at 
the National Infrastructure Protection Center, the Homeland Security 
Council, and high-ranking officials throughout the U.S. Government, 
including former Homeland Security Secretary Michael Chertoff, 
President Barack Obama, and even the Chairman of this Committee.
    We have seen terrorist plots targeting chemical facilities 
including one of the 
9/11 hijackers who we later learned had been scouting U.S. chemical 
plants.
    Many of these at-risk facilities are not located in remote areas.
    In a 2014 study, the Environmental Justice and Health Alliance for 
Chemical Policy Reform found that more than 130 million Americans live, 
work, and go to school in the shadow of at-risk chemical facilities.
    The study also found that there is a concentration of such 
facilities in low-income communities and communities of color--with 
higher poverty rates and lower housing values.
    In the event of a terrorist attack on a chemical facility, these 
Americans would most directly be harmed.
    Indeed, in 2013, a fertilizer plant explosion in sparsely-populated 
West, Texas leveled nearby schools, houses, commercial buildings, and 
even retirement homes.
    A dozen first responders lost their lives, in part because they did 
not know the chemical composition of the fire.
    Despite the fact that this facility had reported its holdings to 
other Federal and State regulators, DHS was not aware that this at-risk 
facility even existed.
    We learned some hard lessons after West--and tragically, I fear we 
may not be done learning them.
    I worry that the Department is still not sharing CFATS information 
with State and local emergency responders, police departments, and 
firefighters.
    I also worry that the program may be too focused on large 
operations with security teams and regulatory affairs departments and 
may not be giving needed attention to small so-called ``outlier'' 
facilities, those facilities that fly under the Federal radar but could 
nonetheless are at risk.
    Many of these facilities operate in areas with volunteer 
firefighters without specialized training and resources.
    As the Congressman for a rural area and a former volunteer 
firefighter, I am deeply troubled by this.
    The authorization for the CFATS program expires in December of this 
year.
    Although we are late in beginning our reauthorization efforts, I 
believe we still have time to identify opportunities to incrementally 
improve the program.
    As authorizers, however, the most important thing we must do is 
actually get reauthorization across the finish line.
    We cannot afford to tie CFATS to temporary reauthorizations through 
the annual appropriations process again as we did in the first 7 years 
of the program.
    I look forward to hearing from the panel about their experience 
with CFATS, and I hope that I can impress upon my colleagues across the 
aisle the need to take swift action to move forward with 
reauthorization.
    With that, I yield back the balance of my time.

    Mr. Ratcliffe. We are fortunate to have a very 
distinguished panel of witnesses before us today on this 
important topic. Mr. Chet Thompson is the president of the 
American Fuel and Petrochemical Manufacturers. Mr. Thompson 
previously served as deputy general counsel at the 
Environmental Protection Agency, so I look forward to hearing 
how the CFATS program and EPA regulations interact with each 
other from you. Thanks for being here.
    Ms. Kirsten Meskill is the director of corporate security 
for the BASF Corporation, but is here testifying on behalf of 
the American Chemistry Council. Ms. Meskill comes to us from 
BASF, the largest chemical producer in the world, as she was 
names one of the most influential people in security in 2016 by 
Security Magazine. Welcome. We are glad to have you.
    Mr. Peter Mutschler is environment, health, and safety 
director of CHS, Inc. Mr. Mutschler also serves as the 
secretary of the board of directors for the ResponsibleAg 
program. Glad to have you here, Mr. Mutschler.
    Finally, Mr. Paul Orum is the chemical safety advocate for 
the Coalition to Prevent Chemical Disasters. Thank you for 
agreeing to be with us today, sir.
    I would now ask each of the witnesses to stand and raise 
your right hand so I can swear you in to testify.
    [Witnesses sworn.]
    Mr. Ratcliffe. Let the record reflect that the witnesses 
have answered in the affirmative. You all may be seated. Thank 
you. Witnesses' full written statements will appear in the 
record.
    The Chair now recognizes Mr. Thompson for his opening 
statement.

   STATEMENT OF CHET THOMPSON, PRESIDENT, AMERICAN FUEL AND 
                  PETROCHEMICAL MANUFACTURERS

    Mr. Thompson. Thank you, Chairman Ratcliffe, Ranking Member 
Richmond, and Members of the subcommittee. Again, it is a real 
honor and privilege to be here. As you mentioned, my name is 
Chet Thompson. I am the president of the American Fuel and 
Petrochemical Manufacturers.
    AFPM represents 97 percent of the Nation's refining and 
petrochemical manufacturing capacity in this county. That 
includes 118 refineries, 248 petrochemical facilities. We are 
located in 33 States across the country. We support more than 3 
million jobs and bring about $600 billion to the U.S. economy 
each year.
    Our members make the gasoline, the jet fuel, the 
petrochemicals that power our economy, power the world's 
economy and make modern life possible. America's refining and 
petrochemical companies play an important role in ensuring and 
maintaining the security of our energy and petrochemical 
infrastructure.
    As I sit here today I can tell you without hesitation that 
nothing is more important to our members than the safety and 
security of their work force, their employees, their 
contractors, and certainly their surrounding communities.
    This safety and their safety requires that we protect our 
facilities and critical infrastructure against potential 
security threats.
    Accomplishing this is the shared responsibility of the 
Government and our member companies. We have a great 
partnership with DHS at the moment and we believe they have 
done a great job implementing the CFATS program.
    For all these reasons, we fully support the reauthorization 
of the CFATS program and urge Congress not to let this 
important program lapse.
    Mr. Chairman, I would like to use my limited time today, I 
just want to highlight a few points of my written testimony. 
First, the overall structure of the CFATS program is sound and 
is not in need of a major statutory overhaul. Again, our 
members support the mission and the goal of CFATS and believe 
that the United States of America is far safer as a result of 
this program.
    We strongly endorse the program's performance-based 
approach that allows facilities to develop security plans that 
fit their specific risk profiles as opposed to a one-size-fits-
all approach that other agencies often adopt.
    Second, Congress' CFATS reauthorization in 2014 
dramatically improved the program. Some of the larger 
improvements included the revisions to DHS's risk assessment 
tools, their tiering methodology, the establishment of the 
Expedited Approval Program for Tier 3 and Tier 4 facilities, 
and certainly streamlining the personnel vetting for Tier 1 and 
2 facilities.
    Your 4-year reauthorization was also critically important. 
It provided us, industry, with the certainty needed to make the 
long-term investments that we have made, and it certainly 
provided DHS the support and resources they need to improve the 
program. We support another multi-year reauthorization to 
continue this positive momentum.
    So in addition to reauthorizing the program for another 
multi-year period, we offer the following recommendations as 
you move forward with your deliberations.
    First, we urge Congress to continue protecting the 
confidentiality of CFATS site security information. DHS and 
covered facilities should not be required to publicly disclose 
or provide site security information to persons who lack the 
requisite security clearances.
    CFATS at its core is a security program. Mandating the 
public disclosure of sensitive information, such as security 
system designs, control system schematics, worst-case scenario 
discharge data, COI records and other technical response 
information could threaten the safety of not only our 
facilities but the security of the Nation's critical energy 
infrastructure.
    Second, we also urge Congress to continue to subject CFATS 
program, particularly Appendix A, to the formal notice and 
comment rule-making process under the Administrative Procedures 
Act. Revisions to Appendix A would have broad implications for 
the chemical facilities, including whether they are subject to 
the program and how they get tiered.
    As such, proposed changes to Appendix A should be 
transparent and it should be open to public review and public 
comment.
    Finally, we caution against adding new and extraneous 
provisions that will slow or diminish the progress DHS has made 
in implementing the CFATS program. More specifically, Congress 
should not mandate or authorize DHS to require facilities to 
undergo inherently safer technology review as part of the 
security planning process and nor should it mandate additional 
stakeholder involvement in the security plan development 
process.
    So thank you again for the opportunity to be here. I look 
forward to working with this committee and with DHS in the 
months ahead.
    [The prepared statement of Mr. Thompson follows:]
                  Prepared Statement of Chet Thompson
                           February 15, 2018
    The American Fuel & Petrochemical Manufacturers (AFPM) appreciates 
the opportunity to provide testimony on the Chemical Facility Anti-
Terrorism Standards (CFATS) program. AFPM is proud to represent 97 
percent of the Nation's refining and petrochemical manufacturing 
capacity, including 118 refineries and 248 petrochemical manufacturing 
facilities in 33 States. Our members make the gasoline, diesel, jet 
fuel, and petrochemicals that make modern life possible. AFPM member 
companies meet the needs of our Nation and local communities, 
strengthening economic and National security, and supporting more than 
3 million U.S. jobs and adding $568 billion each year to the U.S. 
economy.
    America's refining and petrochemical companies play an important 
role in ensuring and maintaining the security of America's energy and 
petrochemical infrastructure. The safety and security of our member 
company employees, contractors, and surrounding communities are of the 
highest importance, and as a result our companies invest in some of the 
most advanced technologies, safety, and security practices in the 
world. The protection of critical infrastructure against potential 
threats is a shared responsibility between Government and stakeholders 
that our members take seriously.
    Despite well-documented early challenges with the CFATS program, 
the Department of Homeland Security (DHS) has made significant 
improvements to the program in the time since Congress reauthorized 
CFATS in 2014. In particular, the 2014 statute addressed major 
impediments to completing site security plans and streamlined the 
vetting process for facility access, updates that AFPM members 
supported. Most importantly, the 4-year reauthorization provided 
industry with the certainty needed to make long-term facility security 
investments and enabled DHS to efficiently run the CFATS program and 
appropriately re-tier sites.
    The strength of the CFATS program lies in its flexibility. No two 
facilities are alike, and so each of the approximately 4,000 facilities 
covered by the CFATS program will have different threat profiles and 
security needs. Additionally, the threat environment is always 
changing. As terrorists and other bad actors evolve their tactics, so 
must facilities adapt their security procedures. A command-and-control 
regulatory structure would not only add additional cost to complying 
with regulations, but will also likely lead to less security and 
increased risk.
    With performance-based standards comes an increased need for 
cooperation. To that end, AFPM appreciates the long-standing 
cooperative relationship--spanning multiple administrations--with DHS 
and commends the professionalism of the DHS program offices. AFPM and 
its members have participated in multiple advisory groups within DHS, 
such as the Chemical Sector Security Council, the Oil and Natural Gas 
Sector Security Council, and were members of the Risk-Tiering 
Methodology Working Group. These forums provide opportunities for 
shared learning and have proven extremely beneficial given the data-
driven nature of security risk assessment. For example, these forums 
helped DHS to develop robust, risk-based performance standards (RBPS) 
that avoid being too prescriptive for an industry as diverse in size 
and function as the chemical sector, but that also include strict 
enforcement penalties for noncompliance.
    The current CFATS authorization will expire in January 2019, 
providing both an impetus for action in 2018 and an opportunity to make 
modest improvements to the program. AFPM urges Congress to enact a 
multi-year reauthorization that retains the core elements of the 2014 
legislation.
          the 2014 cfats reauthorization improved the program
    The CFATS program was originally authorized in the 2007 
appropriations bill and gave DHS the imperative, but little statutory 
guidance, on how to establish the new security program. DHS eventually 
developed the top-screen program, tiering, and RBPS approach, but 
struggled to approve site security plans and ran into issues with both 
tiering and governance. The 2014 statutory changes helped DHS 
dramatically improve the program. Improvements included updates to risk 
assessments and the tiering methodology, the establishment of an 
Expedited Approval Program (EAP) for Tier 3 and 4 facilities, the 
reinforcement of coordination with State and local officials, and 
streamlining the vetting process through the Personnel Surety Program 
(PSP) for Tiers 1 and 2.
    The structure of the CFATS framework is sound. AFPM supports the 
performance-based approach that has been applied to CFATS 
implementation and regulation, and believes this approach has worked 
well for facilities from a compliance and efficiency standpoint. As a 
result, major changes are not necessary.
    The past 4 years have allowed covered facilities to develop an 
informed understanding of the implications of the 2014 statutory 
changes. This has provided AFPM members an opportunity to offer 
suggestions for assessing and reviewing the effectiveness of the 
changes made in the 2014 law.
Updated Risk Assessments and Tiering Methodology.
    The 2014 Act directed DHS to develop a security risk assessment 
approach and corresponding tiering methodology for covered chemical 
facilities that take into consideration relevant threat information, 
potential off-site consequences, and loss of human life. The re-tiering 
process began in early April 2017.
    Updates made by the 2014 Act to the Chemical Security Assessment 
Tool (CSAT), required by the Office of Infrastructure Protection's 
Infrastructure Security Compliance Division (ISCD) for Top-Screen 
completion, made the CSAT 2.0 process more user-friendly and less 
burdensome to facilities. The revised CSAT 2.0 process also does a more 
effective job of collecting relevant data while cutting out waste, 
making the process more efficient.
Streamlined Vetting Process Through the Personnel Surety Program (PSP).
    The 2014 statutory changes also streamlined the PSP vetting process 
for Tier 1 and 2 facilities. Under the current statute, the program 
vets an individual against the terrorist screening database, eliminates 
duplicative applications, and provides redress if an individual 
believes their information submitted for screening is inaccurate.
    While improvements to the vetting process for Tiers 1 and 2 were 
welcome, it should be noted that similar application to Tiers 3 and 4 
is not necessary for lower-risk facilities. DHS should pause before 
extending personnel surety to Tier 3 and 4 facilities until it has had 
time to evaluate the effectiveness of this requirement at Tier 1 and 2 
facilities. Such evaluation by DHS should be based on available DHS 
data, and undertaken in a manner that shows an overwhelming need for an 
increased regulatory burden that would achieve demonstrable security 
results.
    As such, AFPM urges lawmakers to clarify that Tier 3 and 4 
facilities are exempt, or alternatively would welcome a GAO study on 
the value of expanding PSP to Tiers 3 and 4.
Expedited Approval Program (EAP).
    The current statute also established an Expedited Approval Program 
(EAP) for chemical facilities that fall under Tiers 3 and 4. The EAP 
enables those facilities to move to an approved site security plan more 
quickly. AFPM supports the EAP program and recommends no further 
changes.
Coordination with State and Local Officials.
    Updates in the 2014 statute reinforced better coordination with 
State and local officials to improve emergency management operations.
    AFPM members also support the establishment of regional offices to 
improve further coordination between State and local officials. 
Establishing regional offices would mirror what other regulatory 
agencies have done and will provide DHS greater reach and understanding 
of regional sites. At the same time, AFPM cautions against overly 
prescriptive or duplicative programs. Policy makers must balance the 
need for sharing truly critical information with the risk associated 
with more individuals knowing potential sensitive security information. 
In addition, there are other statutes better suited for information 
coordination, including EPA's Risk Management Plan program, that deal 
with community ``right to know'' policies. CFATS should remain focused 
on preventing terrorist attacks.
           recommendations for the 2018 cfats reauthorization
    As policy development for a CFATS reauthorization bill gets under 
way, AFPM looks forward to continuing to work with lawmakers, 
stakeholders, and DHS. As Congress considers potential changes to the 
CFATS program, AFPM offers the following recommendations:
(1) Enact a multi-year, but not permanent, reauthorization.
    AFPM urges Congress to pass another multi-year reauthorization bill 
that would provide industry with the continued certainty it needs to 
make long-term facility security investments. A multi-year 
reauthorization would enable DHS to efficiently run the CFATS program. 
However, given historic challenges with the program's implementation, 
AFPM would recommend a sunset to allow Congress to address any needed 
changes at a future date.
(2) Protect the confidentiality of site security information.
    Reauthorization legislation should not permit the disclosure of 
site security information to the general public, or anyone who does not 
have a need to know or the required security clearances to obtain such 
information. Facilities must protect sensitive information from 
individuals that might pose a threat to the facility's employees or 
property. Sensitive information--such as security system designs, 
control system schematics, COI records, and tactical response 
information for emergency personnel--could threaten National security 
if it falls into the wrong hands.
(3) Promote transparency in any changes to Appendix A and Chemicals of 
        Interest (COI).
    A facility is considered a ``covered facility'' under CFATS if it 
is engaged in the manufacturing, storage, and distribution of COIs 
listed under Appendix A of CFATS. Currently, if DHS wants to modify 
Appendix A, it must undergo notice and comment rule making. AFPM 
encourages Congress to maintain this requirement.
    Changes to COI, threshold quantities, and concentrations in 
Appendix A are critical decisions with broad applicability governing 
whether facilities are subject to CFATS and, in part, how they are 
tiered. Therefore, allowing changes to be made to Appendix A without 
going through notice and comment would greatly undermine transparency 
in the designation process and deprive DHS of potentially important 
information in its decision making. Any changes should be clearly based 
on risk, scientific data, and take into consideration current industry 
mitigation practices. For these reasons Congress should ensure that 
proposed changes to Appendix A continue to be subject to the formal 
notice and comment rule-making process.
    Additionally, AFPM would support establishing an advisory council 
and subjecting chemicals in question under Appendix A to peer review. 
This would further enhance the transparency of the designation process 
and stakeholder engagement.
(4) Avoid major changes that will further hamper implementation of the 
        CFATS program and divert resources to duplicative or otherwise 
        wasteful policies.
    DHS has made significant progress in implementing the CFATS 
program, but work remains. AFPM cautions against adding new and 
extraneous provisions that will slow or diminish the progress to date, 
including expansion of stakeholders involved in SSP development, 
resubmission of top-screen information untethered from a material 
change to a facility's profile, requirements for further credentials, 
or other related changes.
    AFPM appreciates the opportunity to provide its views on CFATS, and 
looks forward to working with Congress and the administration to 
reauthorizing this important program.
 the 2014 cfats reauthorization improved the program and major changes 
                            are unnecessary.
    The statutory changes to CFATS passed by Congress in 2014 have 
helped DHS improve the program dramatically. These include updates to 
risk assessments and tiering methodology, the establishment of an 
Expedited Approval Program (EAP) for Tier 3 and 4 facilities, the 
reinforcement of coordination with State and local officials, and 
streamlining the vetting process through the Personnel Surety Program 
(PSP) for Tiers 1 and 2.
    The structure of the CFATS framework itself is sound. AFPM supports 
the performance-based approach that has been applied to CFATS 
implementation and regulation, and believes this approach has worked 
well for facilities from a compliance and efficiency standpoint. As a 
result, major changes to the program are not necessary.
       policy recommendations for the 2018 cfats reauthorization.
    The 2014 CFATS reauthorization bill addressed a number of issues, 
including major impediments to completing site security plans and a 
streamlining of the vetting process for facility access. Most 
importantly, the 4-year reauthorization provided industry with the 
certainty needed to make long-term facility security investments and 
enabled DHS to efficiently run the CFATS program.
    As policy development for a CFATS reauthorization bill gets under 
way, AFPM looks forward to continuing to work with lawmakers, 
stakeholders, and DHS. As Congress considers potential changes to the 
CFATS program, AFPM offers the following recommendations:
    (1) Enact a multi-year, but not permanent, reauthorization.--CFATS 
authorization expires in January 2019. Congress should pass another 
multi-year reauthorization bill, as this would provide industry with 
the continued certainty it needs to make long-term facility security 
investments. A multi-year reauthorization would also enable DHS to 
efficiently run the CFATS program. Additionally, AFPM would recommend a 
sunset to allow Congress to address any needed changes at a future 
date.
    (2) Protect the confidentiality of site security information.--
Reauthorization legislation should not permit the disclosure of site 
security information to the general public, or anyone who does not have 
a need to know or the required security clearances to obtain such 
information. Facilities must protect sensitive information from 
individuals that might pose a threat to the facility's employees or 
property. Sensitive information--such as security system designs, 
control system schematics, COI records, and tactical response 
information for emergency personnel--could threaten National security 
if it falls into the wrong hands.
    (3) Promote transparency in any changes to Appendix A and Chemicals 
of Interest (COI).--Currently, if DHS wants to modify Appendix A, it 
must undergo notice and comment rule making. AFPM encourages Congress 
to maintain this requirement.
    Allowing changes to be made to Appendix A without going through 
notice and comment would greatly undermine transparency in the 
designation process and deprive DHS of potentially important 
information in its decision making. Congress should ensure that 
proposed changes to Appendix A continue to be subject to the formal 
notice and comment rule-making process.
    Additionally, AFPM would support establishing an advisory council 
and subjecting chemicals in question under Appendix A to peer review. 
This would further enhance the transparency of the designation process 
and stakeholder engagement.
    (4) Avoid major changes that will further hamper implementation of 
the CFATS program and divert resources to duplicative or otherwise 
wasteful policies.--DHS has made significant progress in implementing 
the CFATS program, but the work is still on-going. AFPM cautions 
against adding new and extraneous provisions that will slow or diminish 
the progress to date, including expansion of stakeholders involved in 
SSP development, resubmission of top-screen information untethered from 
a material change to a facility's profile, requirements for further 
credentials, or other related changes.

    Mr. Ratcliffe. Thank you, Mr. Thompson.
    Ms. Meskill, you are recognized for 5 minutes for your 
opening statement.

  STATEMENT OF KIRSTEN MESKILL, DIRECTOR, CORPORATE SECURITY, 
    BASF CORPORATION, TESTIFYING ON BEHALF OF THE AMERICAN 
                       CHEMISTRY COUNCIL

    Ms. Meskill. Thank you, Mr. Chairman, and Members of the 
subcommittee for the opportunity to testify today. I am Kirsten 
Meskill. I am director of corporate security at BASF 
Corporation.
    BASF Corporation is headquartered in Florham Park, New 
Jersey. We have over 100 facilities throughout North America, 
and in 28 States, and more than 17,000 employees in North 
America.
    I am the immediate past chairman of the Chemical Sector 
Coordinating Council and the current chair of the security 
committee for the ACC, American Chemistry Council. I am here 
today on behalf of the ACC to voice general support for a long-
term reauthorization of the Chemical Facility Anti-Terrorism 
Standards, CFATS.
    ACC member companies manufacture products that are critical 
to the everyday health and well-being of the Nation and 
essential for developing a more sustainable and competitive 
economy. Because of our critical role in the Nation's economy 
and our responsibility to our employees and to the communities, 
security is a top priority for my company and for the ACC.
    In 2001, ACC created a stringent mandatory security program 
called the Responsible Care Security Code. Since its creation, 
ACC members have invested more than $17 billion under the 
security code to further enhance site security, transportation 
security and cybersecurity at our facilities. The security code 
has become a gold standard for the industry and serves as a 
model for regulatory programs.
    Today, chemical manufacturing is experiencing a renaissance 
thanks to the increase in domestic shale gas production. ACC 
has identified more than 300 new capital projects worth more 
than $185 billion, which will add thousands of jobs and 
generate billions of dollars of economic activity.
    Ensuring that clear and workable Federal programs, such as 
CFATS, remain in place is an important part of establishing a 
stable regulatory environment needed to foster these new 
investments.
    Over the past 4 years, the Department of Homeland Security 
has significantly improved its administration of the CFATS 
program, which has had a positive effect on enhancing security 
at chemical facilities. Several factors have led to the recent 
success of the CFATS program, including better site inspections 
and more streamlined authorization process.
    Most importantly, DHS leadership has demonstrated a 
commitment to working with members of the regulated community 
to improve the implementation of the program. While DHS has 
made considerable strides to improve the CFATS program, there 
are additional areas for improvement.
    First, improving transparency in DHS risk determination. 
This comes by being more transparent with facility operators 
about risk determinations and tiering levels and ways to 
potentially reduce the risk or even eliminate it.
    Since the operator is responsible and has authority and 
resources for making security risk management decisions for the 
facility, it is important that they have access to all the 
information about risk tiering.
    Second, reconsider the value of TSDB screening at low-risk 
facilities. Over the past year, DHS has been implementing risk-
based performance standards at 200 high-risk facilities at 
Tiers 1 and 2. This requires facility operators to collect 
sensitive personal information from thousands of employees and 
contractors for DHS to vet against the Terrorist Screening 
Database.
    DHS is now planning to extend that program to an additional 
37 low-risk facilities at Tiers 3 and 4. This will expand 
vetting to thousands of more employees and contractors. ACC and 
its members are concerned that such an expansion is unnecessary 
and will put personal information at risk. It is unclear what 
benefit is associated with the additional vetting given the 
cost.
    While we support vetting at high-risk Tier 1 and 2 
facilities, we hope DHS can reconsider this requirement at 
lower-tier levels 3 and 4.
    Finally third, establish a CFATS public-private 
partnership. DHS should leverage CFATS and industry stewardship 
programs such as ACC Responsible CARE program with the goal of 
further enhancing the safety and security of hazardous 
chemicals.
    By doing so, DHS would be able to recognize responsible 
operators that go beyond regulatory compliance and incentivize 
them to continue development of chemical security programs that 
enhance security beyond the universe of CFATS.
    I would like to close by saying that CFATS has helped make 
our industry and our communities more secure. It is a program 
that will grow stronger by adopting some additional 
improvements and by the continued engagement of this committee.
    Thank you for the opportunity to testify today, and I am 
looking forward to answering any questions you might have.
    [The prepared statement of Ms. Meskill follows:]
                 Prepared Statement of Kirsten Meskill
                           February 15, 2018
    Kirsten Meskill is the director of corporate security, for BASF 
Corporation. BASF Corporation is headquartered in Florham Park, New 
Jersey with over 100 production facilities in 28 States and more than 
17,000 employees in North America. The largest sites are located in 
Geismar, Louisiana and Freeport, Texas. Kirsten is the immediate past 
chairperson of the Chemical Sector Coordinating Council and the current 
chairperson of the security committee of the American Chemistry Council 
(ACC).
    ACC offers general support for long-term reauthorization of the 
Chemical Facility Anti-Terrorism Standards (CFATS). ACC member 
companies manufacture products that are critical to the everyday health 
and well-being of our Nation and essential to developing a more 
sustainable and more competitive economy. Because of our critical role 
in the Nation's economy and our responsibility to our employees and 
communities, security is a top priority for my company and for ACC 
member companies.
    In 2001, ACC created a stringent, mandatory security program called 
the Responsible Care Security Code. Since the program was created, ACC 
members have invested more than $17 billion under the Security Code to 
further enhance site security, transportation security, and 
cybersecurity at their facilities. The Security Code has become a gold 
standard for the industry and serves as a model for regulatory 
programs.
    The business of chemistry is a $768 billion enterprise that 
provides more 800,000 skilled, good-paying American jobs. I am happy to 
report that chemical manufacturing is experiencing a renaissance in the 
United States thanks to the increase in domestic shale gas production. 
In fact, ACC has identified more than 300 new capital investment 
projects that are worth more than $185 billion, which will add 
thousands of jobs and generate billions of dollars in economic 
activity. Ensuring that clear and workable Federal programs such as 
CFATS remain in place is an important part of establishing the stable 
regulatory environment needed to foster these new investments.
    Over the past 4 years, the Department of Homeland Security (DHS) 
has significantly improved its administration of the CFATS program, 
which has had a positive impact on enhancing security at chemical 
facilities. Several factors have led to the recent success of CFATS 
program, including better site inspections and a more streamlined 
authorization process. Most importantly, DHS leadership has 
demonstrated a commitment to working with members of the regulated 
community to improve the implementation of the CFATS program.
    While DHS has made considerable strides to improve the CFATS 
program, more work needs to be done.
    1. Improve transparency in DHS risk determinations.--DHS should be 
        more transparent with facility operators regarding what is 
        driving risk determinations for establishing how facilities 
        fall into a certain tier level and potentially what they may 
        consider to reduce that risk or even eliminate it all together. 
        More often than not, facility operators are left in the dark as 
        to why they are tiered at a specified level, when in fact it is 
        the operator who has the overall responsibility and authority 
        for making security risk management decisions for that 
        facility.
    2. Reconsider the value of TSDB Screening at low-risk facilities.--
        Over the past year, DHS has been implementing Risk-Based 
        Performance Standard 12(iv) at 200 High-Risk Facilities, Tiers 
        1 and 2. This process requires facility operators to collect 
        sensitive personal information from thousands of employees and 
        contractors and send that information to DHS for vetting 
        against the Terrorist Screening Database (TSDB). Now DHS is 
        planning to extend the program to an additional 3,700 low-risk 
        Tier 3 and 4 facilities involving tens of thousands of 
        employees' and contractors' personal information. ACC and its 
        members are concerned that such an expansion is unnecessary and 
        will put people's personal information at risk. It is not clear 
        that the benefit associated with the TSDB vetting is worth the 
        cost and risk. While we support TSDB vetting at high-risk Tier 
        1 and 2 facilities we want DHS to reconsider this requirement 
        for lower-risk Tier 3 and 4 facilities.
    3. Establish a CFATS Public/Private Partnership.--DHS should 
        leverage the benefits of CFATS and Industry Stewardship 
        Programs, such as the ACC Responsible Care program, with the 
        goal of further enhancing the safety and security of hazardous 
        chemicals. By doing so, DHS would be able to recognize 
        responsible operators for going beyond mere regulatory 
        compliance and incentivize the use of chemical security 
        programs that enhance security beyond the universe of CFATS-
        regulated facilities.
    CFATS has helped make our industry and communities more secure. 
It's a program that will grow stronger by adopting the improvements 
outlined in my testimony and by the continued engagement of this 
committee to make sure CFATS stays on track.
    ACC and its members encourage you to support this important program 
and make the improvements that are needed to take CFATS to the next 
level while providing DHS with the appropriate Congressional oversight 
and guidance.

    Mr. Ratcliffe. Thank you, Ms. Meskill.
    The Chair now recognizes Mr. Mutschler for 5 minutes for 
his opening statement. Yes, the mic, the button there.

  STATEMENT OF PETE MUTSCHLER, ENVIRONMENT, HEALTH AND SAFETY 
                       DIRECTOR, CHS INC.

    Mr. Mutschler. Sorry. Yes, good morning, Chairman Ratcliffe 
and Ranking Member Richmond, Members of the subcommittee, thank 
you for the opportunity to be here today. My name is Pete 
Mutschler, and in addition to my position as the director of 
environment and safety for CHS and my position on the Board of 
Directors for ResponsibleAg, I am also here representing The 
Fertilizer Institute and the Agricultural Retailers 
Association.
    CHS is a leading global agribusiness owned by farmers, 
ranchers, and cooperatives across the United States. CHS 
supplies the farmers with what they need to produce and market 
their products. We are committed to helping our farmer-owners 
succeed.
    CHS is a member of The Fertilizer Institute, which is the 
national trade association representing the fertilizer 
industry. TFI represents companies engaged in all aspects of 
the fertilizer supply chain. Commercial fertilizers account for 
50 percent of the current crop yields that we see today.
    CHS is also a member of the Agricultural Retailers 
Association and ARA represents the interests of agriculture 
retailers. Products and services agricultural retailers provide 
are critical to the success of our Nation's farmers.
    We are grateful for your efforts to ensure the passage of 
H.R. 4007, which provided the Department of Homeland Security 
and the industry with much-needed certainty for the CFATS 
program. With the current reauthorization expiring in December 
2018, we express our support for a multi-year reauthorization 
that continues to provide the industry with certainty needed to 
make long-term investments and enables the Department to 
efficiently run the program.
    We also believe that there is a need for reauthorization in 
the future to allow Congressional oversight in review of the 
program.
    Approximately one-third of the 6,500 agriculture facilities 
are regulated under the CFATS program in this country. TFI 
estimates that the agriculture sector accounts for about half 
of all CFATS-registered facilities.
    CHS has 390 of these facilities registered under CFATS, so 
we have a great deal of experience with this program.
    We are pleased with the Department's efforts to improve the 
program and to enhance stakeholder engagement. We did need to 
expend additional resources to comply with the program, but we 
have seen a real return on that investment.
    Today, DHS and the industry are focused on the common goal 
of ensuring that the products we handle are used appropriately 
and safely. Working with DHS and the CFATS program, CHS now has 
a better idea of the security risk at our facilities.
    Our security risks are prioritized now so we can focus our 
efforts on the highest-risk facilities first. Moreover, CFATS 
has allowed us to build stronger relationships with our 
neighbors and communities, which is incredibly important to the 
cooperative system.
    It is important that any reauthorization does not permit 
the disclosure of sensitive site security information to anyone 
that does not have a critical need to know.
    In addition, we are strong supporters of a robust public 
engagement and believe that any changes to the CFATS program, 
including Appendix A, should be done through a formal notice 
and comment rulemaking process.
    I am also here to represent a relatively new program to our 
industry, ResponsibleAg. ResponsibleAg is a voluntary industry 
stewardship program that launched in 2015 to help 
agribusinesses comply with Federal environment, safety, and 
security rules, including the CFATS program.
    At the core of the program is a compliance assessment 
process and a robust suite of resources designed to assist 
retailers in their compliance efforts. ResponsibleAg is 
designed to help protect employees, first responders, and the 
public.
    Currently, CHS has 200 facilities that participate in the 
program and over 100 ResponsibleAg-certified facilities. 
Overall in the industry, 2,600 agriculture retail facilities 
have signed up to be a part of ResponsibleAg. Nineteen hundred 
of them have been assessed and nearly 1,000 have been 
certified.
    Over one-third of the agriculture retail facilities in the 
country are ResponsibleAg participants. We continue to 
encourage more facilities to participate in the program, but we 
are very pleased with the progress we have made to date.
    As a part of the reauthorization of the CFATS program, I 
respectfully ask the Members of this subcommittee to consider 
how ResponsibleAg and other stewardship programs can complement 
and enhance the limited resources of the CFATS program. For now 
I simply ask that you be willing to work with us to potentially 
find a way to recognize these stewardship programs in the 
reauthorization.
    Finally, as Members of this committee work to 
reauthorization the CFATS program, I want to stress that any 
lapse in the program would be a serious concern to us. It would 
be highly disruptive to both the industry and the regulated 
community.
    Thank you very much for the opportunity to share the views 
of CHS, TFI, and ARA.
    [The prepared statement of Mr. Mutschler follows:]
                  Prepared Statement of Pete Mutschler
                           February 15, 2018
    Good morning, Chairman McCaul, Subcommittee Chairman Ratcliffe, 
Ranking Member Thompson, Subcommittee Ranking Member Richmond, and 
Members of the subcommittee. Thank you for the opportunity to be here 
today.
    My name is Pete Mutschler. I am a director of environment, health, 
and safety for CHS Inc. and the secretary of the Board of Directors for 
ResponsibleAg. I am also here on behalf of The Fertilizer Institute 
(TFI) and Agricultural Retailers Association (ARA). CHS Inc. is a 
member of both associations.
    CHS Inc. is a leading global agribusiness owned by farmers, 
ranchers, and cooperatives across the United States. Diversified in 
energy, grains, and foods, CHS is committed to helping its customers, 
farmer-owners, and other stakeholders grow their businesses through its 
domestic and global operations. CHS supplies energy, crop nutrients, 
grain marketing services, animal feed, food and food ingredients, along 
with business solutions including insurance, financial, and risk 
management services. The company operates petroleum refineries/
pipelines and manufactures, markets, and distributes Cenex brand 
refined fuels, lubricants, propane, and renewable energy products.
    As I mentioned earlier, CHS is a member of The Fertilizer Institute 
(TFI), which is the national trade association representing the 
fertilizer industry. TFI represents companies that are engaged in all 
aspects of the fertilizer supply chain. Approximately 50 percent of 
crop yields are attributable to the use of commercial fertilizers.
    CHS is also a member of the Agricultural Retailers Association 
(ARA). ARA represents the interests of agricultural retailers, who 
provide farmers with crop nutrients, crop protection, seeds, and other 
products and services to support our Nation's farmers.
    We are grateful for your efforts to ensure passage of H.R. 4007 
which provided the Department of Homeland Security (DHS) and industry 
with much-needed certainty for the CFATS program. With the current 
authorization expiring in December 2018, we express our support for a 
multi-year reauthorization that continues to provide industry with the 
certainty needed to make long-term facility investments and enables the 
Department to efficiently run the program. We believe periodic 
reauthorization is important to allow continued Congressional oversight 
and review of the program.
    It is estimated that there are approximately 6,500 agricultural 
retail facilities in the United States. Approximately one-third of 
these facilities are regulated under the CFATS program because they 
store or handle fertilizer products included in Appendix A: Chemicals 
of Interest (COI). TFI estimates that the agricultural retail sector 
accounts for about half (50 percent) of all CFATS-regulated facilities. 
CHS has approximately 390 facilities registered with CFATS, so we have 
a great deal of experience with the program.
    While the initial roll-out of the CFATS program was challenging, we 
are pleased with the Department's efforts to improve the program and 
enhance stakeholder engagement. We did need to expend capital resources 
to comply with the program, but we have seen benefits from our 
participation. Today, we are focused on the common goal of both DHS and 
industry, namely to ensure that the products we handle, and that are 
critical to America's farmers, are used appropriately. In considering 
the benefits of our participation, CHS now has a better idea of the 
security risks at our facilities. Our risks are prioritized which 
allows us to focus our efforts on the most high-risk facilities and 
commit the appropriate level of human and financial resources on our 
low-risk locations. Moreover, CFATS allows us to build stronger 
relationships with our neighbors and communities, a hallmark of the 
cooperative system.
    We believe it is important that any reauthorization not permit the 
disclosure of sensitive site security information to the general 
public, or to anyone who does not have a need to know, or the required 
security clearance to obtain, such information. The program must ensure 
that this highly-sensitive information is protected from individuals 
that might pose a threat to the facility's employees or property.
    In addition, we are strong supporters of robust public engagement 
and believe any changes to the CFATS program, including Appendix A, 
should be done through a formal notice and comment rule making.
    As I mentioned previously, I also serve on the board of directors 
for ResponsibleAg. ResponsibleAg is a voluntary, industry stewardship 
program that launched in 2015 with the goal of assisting agribusinesses 
to comply with Federal environmental, health, safety, and security 
rules focused on the safe handling and storage of fertilizer products, 
including the CFATS program. At the core of the program is a Federal 
regulatory compliance assessment addressing current Federal 
regulations. These assessments identify any issues of concern, 
recommendations for corrective action if needed, and provide a robust 
suite of resources to assist in compliance. ResponsibleAg is designed 
to protect employees, first responders, and the general public through 
an organized program of periodic and thorough assessments.
    CHS is very supportive of ResponsibleAg. Currently, we have 200 
facilities that participate in the program and over 100 ResponsibleAg-
certified facilities. Overall, almost 2,600 agricultural facilities 
have signed up with ResponsibleAg, 1,900 facilities have been assessed, 
and nearly 1,000 facilities have been certified. Over one-third of 
agricultural retail facilities are ResponsibleAg participants. While we 
continue to encourage more facilities to participate, we are very 
pleased with the progress to date.
    As part of the reauthorization of the CFATS program, I respectfully 
ask that Members of this subcommittee consider how ResponsibleAg and 
other third-party audited stewardship programs can complement and 
enhance the limited resources of the CFATS program. For now, I simply 
ask that you be willing to work with us to potentially find a way to 
recognize these stewardship programs in a reauthorization.
    Finally, as Members of this committee work to reauthorize the CFATS 
program, I want to stress that any lapse in the program would be a 
serious concern. It would be highly disruptive to both the regulated 
community and the Department's efforts to address any potential risks 
to National security.
    Thank you again for the opportunity to share the views of CHS, TFI, 
and ARA. Protecting the public, our employees, and our communities is 
paramount to us all, and we look forward to working with the committee 
on this shared goal and a successful reauthorization of the CFATS 
program.

    Mr. Ratcliffe. Thank you, Mr. Mutschler.
    The Chair now recognizes Mr. Orum for 5 minutes.

STATEMENT OF PAUL ORUM, CHEMICAL SAFETY ADVOCATE, COALITION TO 
                   PREVENT CHEMICAL DISASTERS

    Mr. Orum. Good morning. My name is Paul Orum and I thank 
you for this opportunity to address the effectiveness of the 
Chemical Facility Anti-Terrorism Standards program. The dangers 
of chemicals and terrorists are well-known. The question today 
is whether CFATS solutions are sufficiently protective and 
efficient and resourceful.
    Congress should reauthorize CFATS for a limited term. But 
Congress should also recognize the significant risks of simple 
reauthorization. While CFATS has improved fence line security 
to some degree, strategies to protect rather than reduce 
chemical targets are inevitably fallible.
    Better strategies are available.
    The program should generate solutions, not just control 
problems. It should use all available options: Improve public 
confidence by respecting community concerns, better optimize 
solutions, and more effectively use available resources, such 
as employee expertise.
    Even small changes could make the current program much more 
effective. Here are 5 general areas and 10 practical 
recommendations to build on the current program.
    First, use all available options, not just management and 
control strategies. Current CFATS standards focus on risk-based 
management and control while neglecting prevention. As a 
result, the chemical industry spends billions protecting 
chemical targets. This is not only a high-risk strategy in 
terms of terrorism, but also wasteful in an economic sense. 
Modernizing facilities in ways that remove chemical targets can 
reduce the need for such expenditures.
    CFATS can better align production and security by first 
seeking to avoid the need for security measures and then 
addressing residual vulnerabilities. Specifically, DHS should 
compare target reduction practices that companies are already 
using, help other facilities evaluate these practices and 
involve qualified private-sector solutions developers in the 
process.
    Second, continue to exercise oversight, especially though 
of the ability of CFATS to realistically ensure protection. 
U.S. Government Accountability Office has produced useful 
reports about the program. However, GAO reports to date have 
evaluated CFATS program implementation rather than the adequacy 
of the standards to realistically ensure protection.
    Congress should ask GAO to investigate whether CFATS 
standards actually protect life, property, and security against 
known and evolving threats.
    Third, use all available resources, especially make better 
use of employee input. Facility employees are often the most 
vulnerable in a chemical release, but also the most 
knowledgeable about problems and remedies. There are existing 
employee input requirements in CFATS but more systematic and 
substantial employee input will improve security planning.
    Fourth, to improve public confidence, respect community 
concerns. The lack of public information under CFATS admittedly 
makes it difficult for DHS to address public concerns. While 
site security plans are understandably protected information, 
chemical hazards are often at the same time well-known.
    Secrecy is at once not a real option and not responsive to 
communities. When evident problems are not addressed, public 
confidence wanes. The program should respect the public's 
fundamental interests in disaster preparedness and knowledge of 
solutions that can reduce well-known hazards.
    Fifth, support other programs that improve chemical 
security. EPA's Risk Management Planning requirements are also 
important to chemical security because the RMP program engages 
civil society in prevention and preparedness in ways that CFATS 
does not. We are very concerned with the administration's 20-
month delay of modest but important amendments to the RMP 
program.
    We are concerned that the delay endangers police, fire, and 
other emergency responders, impedes local disaster planning, 
and delays preparations for safer technology assessments that 
could help reduce terrorist targets.
    Congress should also be aware of the need for credible 
independent evaluation of new developments in Federally-funded 
toxic gas science and should assert its interest in assuring 
the integrity of Federal research.
    I would be pleased to answer any questions or otherwise 
follow up about how these recommendations might be achieved.
    [The prepared statement of Mr. Orum follows:]
                    Prepared Statement of Paul Orum
                           February 15, 2018
    Good morning, my name is Paul Orum. Thank you for this opportunity 
to address the effectiveness of the Chemical Facility Anti-Terrorism 
Standards (CFATS) program of the Department of Homeland Security (DHS).
    The dangers of chemicals and terrorists are well known. The 
question today is whether CFATS' solutions are sufficiently protective, 
efficient, and resourceful.
    Congress should reauthorize CFATS, for a limited term. But Congress 
should also recognize the significant risks of simple reauthorization. 
While CFATS has improved fence line security to some degree, strategies 
that protect rather than reduce chemical targets are inevitably 
fallible. (See Chemical Security Breaches in the News in Attachment A.) 
Better strategies are available.
    The program should generate solutions, not just control problems; 
use all available options; improve public confidence by respecting 
community concerns; better optimize solutions; and more effectively use 
available resources such as employee expertise.
    Even small changes could make the current program much more 
effective. Here are 5 general areas and 10 practical recommendations to 
build on the current program.
Use all available options--not just management and control strategies.
    Current CFATS standards focus on risk-based management and control 
strategies, while neglecting prevention. As a result, the chemical 
industry spends billions protecting chemical targets.\1\ This is not 
only a high-risk strategy in terms of terrorism, but also wasteful in 
an economic sense. Modernizing facilities in ways that remove chemical 
targets can reduce the need for such expenditures. CFATS can better 
align production and security by first avoiding the need for security 
measures and then addressing residual vulnerabilities. Specifically, 
DHS should compare target reduction practices that companies already 
use, help facilities evaluate these practices, and involve qualified 
private-sector solutions developers.
---------------------------------------------------------------------------
    \1\ Since 2001, member companies of the American Chemistry Council 
industry trade association have spent more than $17 billion on chemical 
security, www.americanchemistry.com/policy/security, accessed February 
12, 2018.
---------------------------------------------------------------------------
    CFATS' 18 performance standards are important but incomplete. The 
standards encourage chemical facilities to overly commit resources to 
conventional security measures. These sunk costs can then become a 
barrier to target reduction strategies that could more effectively 
protect people, property, and security. In this way, CFATS tends to 
perpetuate terror targets that could be removed by a more complete 
strategy. No amount of fence line security will assure protection, 
address supply chain risk, or modernize facilities. Conventional 
security will also inevitably attenuate over time.
    There has been some reduction in the need for chemical security 
measures, but the exact extent is hard to determine. Several thousand 
facilities have tiered out of high-risk status by removing or modifying 
chemical holdings.\2\ But what are the lessons learned about target 
reduction opportunities from practices at these facilities?
---------------------------------------------------------------------------
    \2\ Between 2007 and 2017 DHS redeterminations cut the number of 
high-risk facilities by about half from more than 7,000 to about 3,500. 
Figures have fluctuated as DHS re-determined the status of some 
facilities.
---------------------------------------------------------------------------
    Independent surveys show hundreds of facilities across some 20 
industry sectors reducing chemical targets, including bleach producers, 
water utilities, power plants, oil refineries, aluminum smelters, and 
many manufacturers, among other industries.\3\ (See sector list in 
Attachment B.)
---------------------------------------------------------------------------
    \3\ Survey reports by Paul Orum include: Preventing Toxic 
Terrorism, Center for American Progress, 2006; Toxic Trains and the 
Terrorist Threat, Center for American Progress, 2007; Chemical Security 
101, Center for American Progress, 2008; Safer Chemicals Create a More 
Secure America, Center for American Progress, 2010; Who's in Danger? 
Race, Poverty, and Chemical Disasters, Environmental Justice and Health 
Alliance for Chemical Policy Reform, 2014.
---------------------------------------------------------------------------
    Successful companies commonly adopt an alternate chemical or 
process, use a chemical in a less dangerous or less concentrated form, 
or generate a chemical only as needed without storage. Other options 
may co-locate chemical suppliers with users, improve inventory control, 
or consolidate and minimize bulk storage. These changes remove 
unnecessary dangers and avoid some costs of regulatory compliance, 
liability insurance, personal protective equipment, community 
notification, emergency planning, and site security. When fully 
considered, these measures often save money, and can help get companies 
off the treadmill of expensive partial solutions.
    Congress should direct DHS to:

1. Identify, compile, and compare target reduction practices that are 
already in use in industry (including non-covered and previously 
covered facilities). In this context, the Department is not approving 
or disapproving particular technologies, but rather comparing similar 
facilities and industry sectors and identifying relevant target 
reduction practices. This process will generate opportunity awareness 
and capacity within the Department.
2. Assist chemical facilities in evaluating how target reduction 
options can reduce the need for security measures and reduce the 
potential consequences of a terrorist attack. Security vulnerability 
assessments and site security plans should incorporate the review of 
target reduction options. To the extent that the target reduction 
measures reduce the need for required security measures (under CFATS 
2102(b)(1)), covered facilities should be permitted to use the target 
reduction measure to meet and avoid required risk-based performance 
standards (under CFATS 2102(a)(2)(C)).
3. Establish methods and procedures to facilitate technical assistance 
and the transfer and diffusion of target reduction technologies between 
qualified private-sector entities, covered chemical facilities, and the 
Department. Provide for deliberate information sharing with qualified 
private-sector entities engaged in the design, development, and supply 
of target reduction technologies. This change will help rectify the 
lack of attention to prevention strategies and lack of involvement of 
solutions developers in existing information-sharing provisions (of 
CFATS Section 2103). CFATS information sharing otherwise focuses on 
emergency response.
4. Produce an annual aggregated lessons learned analysis of trends in 
successful target reduction practices and emerging target reduction 
opportunities.
5. Improve interagency coordination by sharing information on risk 
reduction achieved through demonstrated and emerging target reduction 
practices with the Director of National Intelligence as well as 
Federal, State, and local government agencies that have 
responsibilities for security, safety, or natural disaster preparedness 
at chemical facilities.
Exercise oversight--especially of the ability of CFATS standards to 
        realistically ensure protection.
    The Government Accountability Office (GAO) has produced useful 
reports about CFATS. However, GAO reports to date have evaluated CFATS 
program implementation rather than the adequacy of the standards to 
realistically ensure protection. Congress should ask GAO to investigate 
whether CFATS standards actually protect life, property, and security 
against known and evolving threats. GAO should also evaluate how DHS 
manages information about practices at facilities that tier down or out 
of the program.
    Congress should request that GAO:

6. Review the sufficiency of security risk determinations and 
countermeasures under CFATS and the need for revised or additional 
strategies to address evolving security risks (e.g., drones and cyber 
threats).
7. Assess whether local emergency response resources are sufficient to 
credibly respond to a worst-case chemical facility terrorist incident.
8. Evaluate how the Department documents, maintains, and utilizes 
information on instances of changes to facility tier assignments under 
CFATS 2102(e)(3) and how management, utility, and use of the 
information can be improved. Successful practices of facilities that 
tier down or out of the program can inform the Department only if this 
information is organized and usefully retrievable.
    Use available resources--especially make better use of employee 
input.
    Facility employees are often the most vulnerable in a chemical 
release, but also the most knowledgeable about problems and remedies. 
There are existing employee input requirements in CFATS (2102(b)(2) and 
2102(d)(2)(C)(ii)). More systematic and substantial employee input will 
improve security planning.
    Congress and DHS should:

9. Require facility owners to develop and maintain written employee 
input plans to:
   Consult with employees and their representatives in the 
        development of security vulnerability assessments and site 
        security plans, to include employees with technical expertise 
        in design engineering and process operations, whenever 
        available;
   Document and maintain records of the employees involved, the 
        team's recommendations, and the owner or operator's resolution 
        of those recommendations;
   Designate responsible parties and time lines for corrective 
        actions;
   Provide for employee input during audits and inspections; 
        and
   Certify that input is received from employees and their 
        representatives to the greatest extent practicable.
To improve public confidence, respect community concerns.
    The lack of public information under CFATS makes it difficult for 
DHS to address public concerns. While site security plans are 
understandably protected information, chemical hazards are often at the 
same time well-known. Secrecy is at once not a real option and not 
responsive to communities. When evident problems are not addressed, 
public confidence wanes. The program should respect the public's 
fundamental interests in disaster preparedness and knowledge of 
solutions that can reduce well-known hazards.
    Some examples: Prior to the deadly fire and explosion, West 
Fertilizer in West, Texas was well-known in the community yet 
reportedly had no fence, frequent theft of chemicals, and a practice of 
self-service by farmers after hours. The graffiti that is common on 
rail cars attests to their public visibility and accessibility.\4\ The 
chemical release from Arkema in Crosby, Texas after Hurricane Harvey 
was widely publicized, as is the norm for chemical emergencies. 
Residents near the PBF refinery (formerly ExxonMobil) in Torrance, 
Calif., are conducting high-visibility organizing for alternatives to 
hydrofluoric acid that will not endanger the community. (Notably, 
Chevron's Salt Lake City refinery is converting from hydrofluoric acid 
to liquid ionic catalysts, a promising technology that eliminates a 
major potential of an offsite toxic gas release.) Lack of public 
confidence--in CFATS, industry, and Government in general--is one 
reason communities are very interested in fail-safe target reduction 
solutions that are effective even if control strategies fail.
---------------------------------------------------------------------------
    \4\ CFATS does not regulate chemicals in transportation, but 
assessments and plans should address interrelated supply chain risks.
---------------------------------------------------------------------------
    Congress and DHS should:

10. Delimit protected information to the extent that the information is 
already publicly available, readily discoverable, or otherwise lawfully 
disclosed.\5\
---------------------------------------------------------------------------
    \5\ Similar factors have successfully delimited chemical trade 
secret claims for many years under section 322(b) of the Emergency 
Planning and Community Right to Know Act of 1986.
---------------------------------------------------------------------------
    Support other programs that improve chemical security.
    Risk Management Planning (RMP).--EPA's RMP requirements are also 
important to chemical security. Because the RMP program engages civil 
society in prevention and preparedness in ways that CFATS does not, 
risk management planning is also important to chemical security. We are 
very concerned with the administration's 20-month delay of the modest 
but important amendments to the RMP program.\6\ EPA produced the 
amendments after years of public comment and consultation between the 
agency, DHS, OSHA, ATF, and other agencies. We are concerned that the 
delay endangers police, fire, and other emergency responders; impedes 
local disaster planning; and delays preparations for safer technology 
assessments that could help reduce terrorist targets.\7\
---------------------------------------------------------------------------
    \6\ Chemical Disaster Rule, 82 FR 4594, January 13, 2017.
    \7\ The Chemical Disaster Rule requires certain oil refineries, 
paper mills, and chemical plants to conduct safer technology 
alternatives assessments. Information on chemical hazards and 
alternatives in these sectors is found in the report, Who's In Danger? 
(cited above), pp. 33-36.
---------------------------------------------------------------------------
    Over a 10-year period some 2,291 serious chemical facility 
incidents killed 59 people, injured or forced a total of 17,000 people 
to seek medical treatment, forced approximately half a million to 
shelter or evacuate, and caused $2.7 billion in property damages.\8\ 
EPA data show that serious releases occur as often as 2 or 3 times per 
week Nation-wide. Millions of Americans live in danger of a chemical 
release, including 1 in 3 school children.\9\ African American, Latino, 
and low-income populations are disproportionately affected--especially 
in fence-line communities.\10\ A terrorist attack on industrial 
chemicals would likely first impact the same populations.
---------------------------------------------------------------------------
    \8\ EPA Regulatory Impact Analysis exh. 6-5 at 87 (Dec. 2016), 
http://www.regulations.gov/document?D=EPA-HQ-OEM-2015-0725-0734.
    \9\ Kids In Danger Zones, Center for Effective Government, 2014.
    \10\ Who's in Danger? Race, Poverty, and Chemical Disasters, 
Environmental Justice and Health Alliance for Chemical Policy Reform, 
2014.
---------------------------------------------------------------------------
    Toxic gas science.--Congress should also be aware of the need for 
credible, independent evaluation of new developments in Federally-
funded toxic gas release and dispersion science. Concerned 
organizations have warned that industry and Government reevaluation 
efforts could result in changes to the National guidance documents used 
for emergency response planning in a manner that intentionally reduces 
perception of risk and industry costs.\11\ The Chlorine Institute 
issued, and then withdrew, guidance that dramatically-reduced 
dispersion scenario distances for chlorine gas.\12\ Several companies 
relied on the document to starkly reduce estimated RMP vulnerability 
zone distances. Such changes could put at risk emergency responders, 
facility employees, and the public. The National Transportation Safety 
Board and the Chemical Safety and Hazard Investigation Board both have 
clear independent authority to investigate systemic issues affecting 
the chemical industry but neither organization has apparently taken up 
this issue to date. The relevant Congressional committees should assert 
their interest in assuring the integrity of Federal research.
---------------------------------------------------------------------------
    \11\ Washington Fire Chiefs letter to Senator Maria Cantwell, 
August 2, 2017; Columbia Riverkeeper letter to Members of Congress, 
August 28, 2017.
    \12\ Chlorine Institute Pamphlet 74, Edition 6, Guidance on 
Estimating the Area Affected by a Chlorine Release, June 2015.
---------------------------------------------------------------------------
    I would be pleased to answer any questions or otherwise follow up 
on how these recommendations might be achieved.
      Attachment A.--Chemical Plant Security Breaches in the News
    Security agencies and others have repeatedly warned that a 
terrorist attack could release industrial chemicals and harm thousands 
of people around some chemical facilities. In response, Congress 
created security requirements called Chemical Facility Anti-Terrorism 
Standards (CFATS). But year after year, news reports show instances--
more than 100 and counting--of security measures failing to impede 
uninvited news reporters, thieves, or hackers. The ease with which 
reporters and others observe lax security underscores the need for a 
more effective and comprehensive CFATS program that reduces unnecessary 
targets of opportunity whenever feasible. In fact, at least hundreds of 
chemical facilities have successfully switched to safer and more secure 
chemicals and processes that effectively remove ready targets for 
terrorists.
             the real story: security breaches in the news
    ``I parked across the street and walked along the railroad tracks 
[and] spent a half-hour working my way around [a Los Angeles chlorine 
facility], trying doorknobs, squeezing into openings in the fence and 
snapping photos of security weaknesses. An unarmed guard, a contractor, 
was posted at the main entrance, but in the back, out of view of the 
security cameras, only a padlock and chain secured a gate that led 
straight to [chlorine rail] tankers . . . No one stopped or questioned 
me.''--Washington Post, Outlook, Matthew Quirk, April 9, 2017.
    ``The increased number of intrusions into energy computer controls 
last year brings the number of such incidents in the industry to more 
than 400 since 2011, Homeland Security data show. Security specialists 
say that's likely a conservative number because energy companies aren't 
required to report cyber attacks to the U.S. Government.''--
Fuelfix.com, March 22, 2017.
    ``Federal law enforcement investigators are searching in at least 
three States for more than 500 pounds of explosives stolen from a CSX 
train . . . ''--CBS News, April 22, 2016.
    ``A Chinese steel manufacturer faces renewed U.S. criminal charges 
over allegations that it arranged to improperly obtain confidential 
trade secrets from DuPont and got access to hacked information from the 
U.S. company's computers.''--Reuters, January 7, 2016.
    ``A Lockport man was charged Friday with a trespassing violation 
after he allegedly flew a drone near the VanDeMark Chemical Co. plant, 
which produces highly toxic phosgene gas.''--Buffalo News, December 5, 
2015.
    ``The Roberts County Sheriff's Department needs the public's help 
after a reported theft involving two 150-pound Chlorine gas tanks that 
will be harmful, possibly fatal, if exposed. [T]he tanks were reported 
stolen from the rural water pump station.''--KSFY.ABC, Sioux Falls, SD, 
September 11, 2015.
    ``The Calcasieu Parish Sheriff's Office and the Joint Terrorism 
Task Force are investigating a drone flying over an industrial facility 
in Calcasieu Parish. According to the sheriff's office, agencies 
received two separate complaints, one on March 3 at 2 p.m. and the 
other one on Monday morning . . . ''--KATC-TV3, Southwest Louisiana, 
March 18, 2015.
    ``A San Francisco Federal court has sentenced U.S. businessman 
Walter Liew to 15 years in prison for stealing trade secrets from 
chemical giant DuPont and then selling them to a State-owned Chinese 
company.''--Fortune, July 10, 2014.
    ``More than half of all facilities licensed last year by Texas to 
carry ammonium nitrate lacked either secure fencing or locked storage 
areas for the potentially explosive chemical compound . . . [One 
security incident] involved an employee of a fertilizer facility who 
stole 4 tons of ammonium nitrate fertilizer.''--Dallas News, November 
3, 2013.
    ``The Texas fertilizer plant that exploded 2 weeks ago, killing 14 
people and injuring about 200, was a repeat target of theft by 
intruders who tampered with tanks and caused the release of toxic 
chemicals . . . Police responded to at least 11 reports of burglaries 
and five separate ammonia leaks at West Fertilizer Co. over the past 12 
years . . . ''--Milwaukee Journal Sentinel, May 4, 2013.
    ``In rural areas across the United States, the thriving meth trade 
has turned storage facilities like West Fertilizer Co and even 
unattended tanks in farm fields into frequent targets of theft, 
according to several government and fertilizer industry reports issued 
over the past 13 years . . . Chemical safety experts said the recurrent 
security breaches at West Fertilizer are troubling because they suggest 
vulnerability to theft, leaks, fires or explosions.''--Reuters, May 3, 
2013.
    ``A break-in at a small north Georgia water treatment plant is 
raising alarms among security experts. Authorities said sometime last 
weekend, someone broke in and altered the chemical settings in the 
filtration system . . . [T]here are no roaming security guards or 
cameras at the plant, just a rusty barbed wire fence, a sign and a 
small lock.''--Atlanta Journal-Constitution, April 30, 2013.
    ``Two south Georgia chemical companies are still figuring out 
exactly what thieves stole from them. Investigators aren't saying much 
about what the crooks may have been after, but tens of thousands of 
dollars worth of chemicals are gone . . . ''--WMC Action News 5/WALB 
News 10, Southern Georgia, 2013.
    ``There is an interesting chemical theft story over on 
www.lohud.com about the bulk gasoline theft from three retail stores in 
New York. It seems that someone drove a tank truck into three separate 
closed-for-the-night gasoline stations and pumped gasoline out of the 
in-ground tanks into the tanker.''--Chemical Facility Security News 
blog, March 16, 2012.
    ``At least 48 chemical and defense companies were victims of a 
coordinated cyber attack that has been traced to a man in China, 
according to a new report from security firm Symantec Corp. Computers 
belonging to these companies were infected with malicious software 
known as `PoisonIvy,' which was used to steal information such as 
design documents, formulas and details on manufacturing processes . . . 
the victims include 29 chemicals companies . . . ''--Reuters, December 
31, 2011.
    ``A 20-year old Mound man and former Gustavus Adolphus College 
student faces a felony charge for allegations he stole chemicals from a 
classroom with the intent of making an explosive device.''--St Peter 
Herald, Faribault, MN, April 22, 2010.
    ``A few yards off a south county road, with only a chain link fence 
to protect it, sits an ammonia tank big enough to kill thousands.''--
KMOV News 4, St. Louis, MO, January 31, 2008.
    ``A private security company's unarmed guards have been yanked out 
of the city's two water filtration plants amid concerns about 
safeguarding Chicago's drinking water. Water Management employees found 
gaping holes in the company's performance, City Hall sources said. 
`They were sleeping. They weren't where they were supposed to be.' ''--
Chicago Sun Times, October 22, 2007.
    ``One water facility visited this past week had a large hole in its 
protective chain-link fencing, allowing anyone to easily access a 
storage shed where canisters of chlorine gas are stored. The fence had 
been down for more than a month, after a truck from a nearby shipping 
company accidentally rammed it.''--Whittier Daily News, Whittier, CA, 
May 29, 2007.
    ``Frankly, I could toss a rock to these tankers [at Nashville metro 
wastewater plant] so there's no security here--nothing that's going to 
stop a terrorist attack. Last fall, just in the shadow of the State 
Capitol, we spotted this chlorine tanker sitting unattended for 
hours.''--News Channel 5, Nashville, TN, April 10, 2007.
    ``We park [at DuPont's Edge Moor plant] across the street from what 
appear to be eight chlorine tank cars near two storage tanks the size 
of grain elevators. There's a large gap in the fence where railroad 
tracks exit the plant . . . [Once inside] the only barrier between me 
and the chance to unleash possible toxic catastrophe is a striped pole 
bearing a sign that reads Men at Work.''--Washington Monthly, March 
2007.
    ``Five years after terrorists murdered 2,996 people in the Sept. 11 
attacks, the Trib embarked on a probe to see how well railroads and 
their customers secure lethal hazardous materials . . . [T]he Trib 
penetrated 48 plants and the freight lines that service them to reach 
potentially catastrophic chemicals in populated parts of Seattle, 
Tacoma, Atlanta, Pittsburgh, Las Vegas, San Francisco's Bay Area and 
the New Jersey suburbs, as well as two port facilities in Oregon and 
Washington.''--Pittsburgh Tribune, January 14, 2007.
    ``[In New Jersey], surrounded by a tall chain-link fence on a dead-
end street, stands a chemical plant that . . . could pose a potentially 
lethal threat to the 12 million people who live within a 14-mile 
radius. A Discover reporter managed to find the inconspicuous plant, 
take a few photographs, and spend some moments pondering how fragile 
the building was and the havoc that could be caused with a single well-
aimed truck bomb.''--Discover Magazine, July 2006.
    ``Train cars on the fringe of downtown Fresno are right out in the 
open--no fence, no rail police, no security guards. We hung around for 
more than half an hour and no one questioned our being there.''--CBS 
Channel 47, Fresno, CA, April 28, 2006.
    ``Gates to the depot are unlocked and unguarded, allowing unimpeded 
access to tracks where cars loaded with deadly chlorine, ammonia or 
oleum gases are stored . . . Security is so lax that a reporter and 
photographer recently spent 10 minutes driving along a rail bed beside 
cars holding toxic chemicals without being challenged, or even 
approached, by railroad employees.''--New York Times, March 27, 2006.
    ``We began to investigate just how close we could get to one of 
these [rail] tankers. It took us about 1 hour to find out . . . Train 
yards in South Florida are wide open. We walked around this tanker 
holding facility under the cover of darkness for 6 hours.''--CBS 4, 
South Florida, November 14, 2005.
    ``On a recent visit to Chalmette Refining [Louisiana], a Times 
editorial writer had no trouble standing in the nearby park for 15 
minutes with a large knapsack . . . At two plants in Dallas that use 
large amounts of chlorine, the same writer parked a car on the 
periphery and milled about for more than a half-hour without being 
stopped. The fencing was minimal--far less than at a nearby automobile 
factory.''--New York Times, May 22, 2005.
    ``At the Olga Plant in eastern Lee County during a random visit, we 
found the front gate wide open with no workers in sight. `There has 
never been a time at the Olga water plant where I felt secure,' said 
[a] utility worker.''--NBC2, Lee County, FL, May 16, 2005.
    ``[The chemical plant in northern New Jersey] remained loosely 
guarded and accessible. Dozens of trucks and cars drove by within 100 
feet of the tanks. A reporter and photographer drove back and forth for 
5 minutes, snapping photos with a camera the size of a large sidearm, 
then left without being approached.''--New York Times, May 9, 2005.
    ``The chemicals in these facilities have the potential to affect 
hundreds of thousands of valley residents, but in many cases the only 
security being used is a chain link fence . . . Crime reports . . . 
show that the company [Hill Brothers Chemical] called police 35 times 
between 2002 and 2004; 13 of those calls were burglary reports.''--CBS 
5 News, Phoenix, AZ, February 17, 2005.
    ``[F]our tanker cars stood in a row in an unfenced CSX 
Transportation rail yard . . . There were no visible barriers . . . 
except about 100 yards of open space and tracks. There was ample cover 
for someone to hide or stash a weapon. No security personnel stopped to 
question why the visitors were lingering there and why one of them was 
taking pictures. There was no visible security--not even a `no 
trespassing' sign.''--Baltimore Sun, January 16, 2005.
    ``6NEWS investigators walked the fence line at Jones Chemicals . . 
. At a gate there was a gap big enough for a person to crawl under . . 
. At the Transflo terminal . . . we found the front gate wide open.''--
NBC News 6, Charlotte, NC, March 3, 2004.
    ``A tour of Houston-area industrial facilities by a Chronicle 
reporter and photographer, accompanied by a security consultant, found 
obvious, easily corrected and therefore inexcusable security lapses . . 
. Ramshackle gates and unmended fences, the Chronicle's consultant 
said, could not stop cattle, much less a bomb-laden vehicle.''--Houston 
Chronicle Editorial, December 31, 2003.
    ``We found gates unlocked or wide open, dilapidated fences and 
unprotected tanks filled with deadly chemicals in dozens of plants in 
metropolitan areas that could put more than one million people at risk 
in the event of a terrorist attack . . . There was one plant in Chicago 
that I simply sat on top of the tank and waved `Hello, I'm on your 
tank.' ''--CBS `60 Minutes' citing Carl Prine, Pittsburgh Tribune, 
November 16, 2003.
    ``At three [Portland area facilities], a reporter parked his car 
outside of perimeter fencing but within 30 yards of the most dangerous 
chemical tanks or rail tank cars and remained there--in his car or 
outside his car taking pictures of the tanks--for as long as 90 minutes 
without being challenged.''--Portland Oregon Tribune, October 3, 2003.
    ``A reporter and photographer were able to walk within a stone's 
throw of several railroad cars used to store chemicals [at JCI Jones 
Chemicals]. The pair took notes and photographs in plain sight for more 
than 15 minutes--noting the lack of a perimeter fence and several wide-
open warehouse doors . . . ''--Times Herald-Record (Warwick, NY), 
August 3, 2003.
    ``Someone who apparently planned to use anhydrous ammonia to make 
crystal methamphetamine had tampered with a 2,000-gallon tank at 
Channel Chemical plant. About 600 gallons was missing. Last May, an 
ammonia leak caused by a thief who stole the chemical from a food 
processing plant at Arlington, Washington, forced the evacuation of 
about 1,500 people.''--Associated Press, Gulfport, MS, February 23, 
2003.
    ``We decided to put security to the test. We drove our news car 
right into a site that stores tons of chlorine. We had easy access to 
all areas for about 5 minutes before an employee stopped us.''--KVBC 
Channel 3, Las Vegas, November 19, 2002.
    ``[Channel 7 found] wide open gates and doors, automatic fencing 
that doesn't close properly, few or no security guards . . . fences 
that have missing barbed wire, or sizable gaps, or have been trampled 
to the ground, unchallenged access to chemical storage areas.''--ABC 
Channel 7, Chicago, IL, November 6, 2002.
    ``Officials at four chemical plants have confirmed that they have 
no night security guards . . . Within the last year, workers once saw 
two strangers running through the Noveon plant . . . ''--The Louisville 
Courier-Journal, October 14, 2002.
    The International Security Management Association, an industry 
organization, advertised in Roll Call against mandatory National 
chemical security standards and argued instead for voluntary measures. 
One ISMA officer is from Sony Electronics--a company with security so 
lax at its Pittsburgh facility that a news reporter stood next to a 90-
ton rail car of chlorine without rousing any response from company 
security.--Roll Call, Sept. 19, 2002; personal communication with 
Pittsburgh Tribune reporter Carl Prine.
    ``The [Pittsburgh Tribune's] latest foray into 30 chemical 
factories, shippers and warehouses in [Baltimore, Houston, and Chicago] 
buttresses a recent investigation into western Pennsylvania's unguarded 
toxic facilities.''--Pittsburgh Tribune-Review, May 5, 2002.
    ``The security was so lax at 30 sites [in western Pennsylvania] 
that in broad daylight a reporter--wearing a press pass and carrying a 
camera--could walk or drive right up to tanks, pipes and control rooms 
considered key targets for terrorists.''--Pittsburgh Tribune-Review, 
April 7, 2002.
    ``On Jan. 31, [a shotgun wielding] robber had trespassed on 
property owned by Citgo Petroleum Corp., one of several refining 
companies that claimed to have boosted security in the wake of the 
Sept. 11 terrorist attacks.''--San Antonio Express-News, February 16, 
2002.
    ``A CBS investigation found mammoth holes in security. Just last 
week we gained access to several chemical companies including BP 
Chemical and Kinder Morgan.''--CBS 2, New York City, November 6, 2001.
    ``This month infiltrators in frogmen suites [gained access to] a 
Sterling Chemicals, Inc., plant in Texas City. The frogmen were cops 
testing security at the plant. Sterling's recent security upgrades--
prison-like watchtowers, security cameras, concrete barricades at all 
entrances and additional guards--had not kept them out.''--Newsweek, 
November 5, 2001.
    ``At Cleveland Hopkins there are also security gaps around the 
perimeter of the airport . . . Just off the highway, a jet fuel storage 
tank is completely accessible to any passing motorist.''--0990.3 WCPN 
FM, Cleveland, OH, October 23, 2001.
    Compiled by Paul Orum, Revised May 15, 2017.
Attachment B.--Chemical Security; Sample Changes at Chemical Facilities
    Many leading companies are already reducing chemical targets of 
opportunity. Surveys identify existing alternatives used across some 20 
industries:
   Bleach manufacturers eliminate bulk chlorine gas by 
        generating chlorine as needed ``just in time'' on-site, 
        eliminating transportation and storage vulnerabilities.
   Petroleum refineries avoid dangerous hydrofluoric acid 
        alkylation by using less hazardous sulfuric acid; others are 
        moving to liquid ionic or solid acid catalysts.
   Water utilities eliminate bulk chlorine gas by using liquid 
        chlorine bleach, ozone without storage, and ultraviolet light 
        as appropriate.
   Paper mills eliminate bulk chlorine gas by using hydrogen 
        peroxide, ozone, or chlorine dioxide without bulk storage.
   Pool service companies eliminate chlorine gas by using 
        chlorine tabs or liquid bleach.
   Manufacturers of polyurethane foams eliminate bulk ethylene 
        oxide by substituting vegetable-based polyols.
   Soap and detergent manufacturers eliminate bulk oleum and 
        sulfur trioxide by using sulfur burning equipment on-site.
   Manufacturers of ferric chloride eliminate bulk chlorine gas 
        by processing scrap steel with less concentrated liquid 
        hydrochloric acid (<37 percent) and oxygen.
   Titanium dioxide producers eliminate bulk chlorine gas by 
        generating chlorine on-site as needed without storage, or by 
        using the sulfate process.
   Secondary aluminum smelters eliminate bulk chlorine gas by 
        removing impurities with nitrogen gas injected with magnesium 
        salts.
   Manufacturers of semiconductors, silicon wafers, and metal 
        products eliminate concentrated hydrofluoric acid by using less 
        concentrated forms (<50 percent).
   Power plants eliminate bulk anhydrous ammonia gas by using 
        cleaner combustion or by using aqueous ammonia or urea in 
        pollution control equipment; they also remove chlorine gas by 
        using liquid bleach to treat cooling water.
   Refrigerated warehouses reduce anhydrous ammonia gas through 
        low charge ammonia refrigeration systems.
   Wholesale chemical distributors eliminate most bulk chlorine 
        gas and sulfur dioxide gas by distributing alternatives such as 
        liquid bleach and sodium bisulfite.
   Pulp mills, food processors, wastewater plants, and 
        hazardous waste recovery operations eliminate bulk sulfur 
        dioxide gas by, as appropriate, generating sulfur compounds on-
        site or purchasing sodium bisulfite, metabisulfite, 
        hydrosulfite, or other alternatives.
   Diverse manufacturers eliminate bulk chlorine gas by 
        generating chlorine on-site as needed without storage, such as 
        for fuel additives, water treatment chemicals, and aramid 
        polymers used to make bulletproof vests.

    Mr. Ratcliffe. Thank you, Mr. Orum.
    I now recognize myself for 5 minutes for questions. I want 
to ask a question about the Expedited Approval Program, but 
before I do, very quickly if I can get each of you to answer 
this as briefly as possible.
    We have heard a lot about facilities that are either newly-
tiered or that have changed tiers. So I want, as quickly as 
possible again, whether you feel the CFATS program right now is 
correctly considering variables like consequences and threats 
and vulnerabilities when we are assessing the risk? I guess, 
more specifically, has this re-tiering initiative methodology 
from your perspective been successful?
    I will just go across the board. Mr. Thompson.
    Mr. Thompson. Thank you for the question. Certainly our 
members believe that since the reauthorization in 2014 that the 
re-tiering process has been improved and folks believe that 
that risk are better being assessed. A number of our facilities 
have been re-tiered, so we are pleased with the direction.
    Mr. Ratcliffe. Great.
    Ms. Meskill.
    Ms. Meskill. I agree with that. Many of ACC's members are 
also pleased. We have seen a general over-the-industry 
reduction in the number of higher-risk facilities.
    However, going back to the point that I made in my opening 
statement, there is really a lack of transparency so as 
industry we don't quite know how these risk tierings were 
applied to the general sites and so it is difficult for me to 
comment on whether or not it has addressed the real hazards and 
risks out there without really having full transparency to how 
these conclusions were made.
    Mr. Ratcliffe. Thank you.
    Mr. Mutschler.
    Mr. Mutschler. Our experience on the re-tiering has been 
very positive actually and the engagement between our 
facilities and DHS has been positive. I will agree we don't 
always understand why, but they have been very willing to open 
up a dialog and answer our questions as to why we are moving 
around to the point that they can. So it has been very positive 
for us.
    Mr. Ratcliffe. OK.
    Mr. Orum.
    Mr. Orum. There is not much public information as others 
have pointed out, for evaluating this. For that reason I have 
suggested that GAO should be reviewing sufficiency of the 
tiering and of the overall protectiveness of the program.
    Mr. Ratcliffe. OK. So you mentioned GAO. The GAO also 
reported in 2017 that very few facilities have participated in 
DHS's Expedited Approval Program, which, as you all know, is 
intended to reduce the burden and expedite the processing of 
security plans for Tier 3 and Tier 4 facilities.
    So I really want to find out why you think that that 
participation in the Expedited Approval Program has been so 
limited? If you have thoughts on the implementation by DHS 
about what we can do to enhance participation, I would like to 
hear that.
    Again, I will just go across the board.
    Mr. Thompson. Well, quickly, I will say that we certainly 
believe through this re-tiering process, and as more of our 
facilities get re-tiered and moved potentially to that 3 and 4 
category, you are going to see a greater use of the Expedited 
Approval Process.
    Mr. Ratcliffe. OK.
    Ms. Meskill. I agree with that as well. As new sites and 
companies, particularly small and medium, come into the CFATS 
regulatory area, I think we will see more expedited approval 
process for those companies like mine and for other member 
companies of ACC that have been with CFATS from the very 
beginning, to go back into the expedited approval process is 
really backtracking and so it doesn't make a lot of sense for 
us.
    Mr. Ratcliffe. Thank you.
    Mr. Mutschler. From the agricultural retailers' position, 
the expedited approval process has actually worked very well 
for us and I can see that continuing on. We have actually had 
no problem once we have gone into the tier side of the program.
    Mr. Orum. I have no strong bias about the Expedited 
Approval Process other than that it should be as substantial as 
the rest of the process. Our overall concern is just the 
sufficiency of what facilities look at when they do their 
evaluations and their Site Security Plans, rather than that 
process.
    Mr. Ratcliffe. OK. My time is about to expire.
    Mr. Mutschler. I want to give you a quick opportunity. You 
mentioned that ResponsibleAg program as being a voluntary 
stewardship program that has been successful in your industry.
    I am wondering, are the requirements under that program, do 
you think they are more stringent on security issues than the 
CFATS program is? Why would facilities opt to participate in 
that ResponsibleAg program if they are regulated by CFATS?
    Mr. Mutschler. I don't think it is more or less. I think 
the regulations are there and compliance is pretty standard 
across the board. Why would they choose to participate in that? 
It is because, you know, with under CFATS or any regulatory 
program our operations only get evaluated every so often. The 
resources just are not there to get onto every site.
    We can use ResponsibleAg to cover, you know, like I said, 
1,900 of them have been assessed and that just assures them 
that they are complying with the regulations and gives the 
communities a comfort level that we are doing the right thing.
    Mr. Ratcliffe. Terrific, thank you. My time is expired.
    The Chair now recognizes the Ranking Member, Mr. Richmond.
    Mr. Richmond. Let me kind-of pick up where the Chairman 
left off. Since CFATS was established, I guess over a decade 
ago, we had about 70,000 facilities covered. Now it is down to 
3,500 today in terms of high-risk. That has been reduction 
largely in response to facilities voluntary reducing or 
removing dangerous chemicals and thereby hopefully eliminating 
a potential terrorist target.
    Are there ways that you think we can leverage that data or 
looking at those 3,500 facilities that have reduced their risk? 
Maybe trying to figure out if there are any metrics or 
similarities across the line without compromising security or 
the proprietary interests of those companies?
    We will start with you, Mr. Thompson.
    Mr. Thompson. Well, I certainly would support, you know, 
more information and my members will welcome the information 
that other facilities have used in order to exit the program. 
We see no downside to that whatsoever.
    Mr. Richmond. Well, the question is: Do you think you could 
do it without giving up any proprietary information of those 
companies?
    Mr. Thompson. Well, again, it depends. Without knowing 
precisely the information we are talking about I couldn't 
answer that of course. Certainly there would have to be a 
balance between not releasing proprietary information or, you 
know, security-related information.
    But to the extent that DHS could synthesize this into 
something that could be released publicly I think that would 
help. But competing against this train is this notion of 
driving at this, you know, as I said in my testimony, I don't 
believe they should force inherently safer technology reviews.
    You know, that is not appropriately a part of this program. 
But certainly other aspects of what facilities have done we 
would welcome it.
    Mr. Richmond. Mr. Orum.
    Mr. Orum. Yes, there are ways to make better use of that 
information without just compromising proprietary information. 
First, I think DHS should be producing lessons learned 
analyses, which can be done simply by aggregating and 
anonymizing information rather than including facility-specific 
information about those lessons learned.
    Second, remember that trade secret factors have been used 
for many years to successfully deal in public information. 
Where information is already available or readily discoverable 
it basically is not secret, can't be kept secret. For example, 
under the Emergency Planning and Community Right To Know Act, 
those criteria have been used very successfully.
    Third, I think that the need-to-know information sharing 
under Section 2103 of CFATS should be specifically broadened 
such that private-sector developers of target reduction 
technologies can have an access to that information for 
purposes of technology transfer and diffusion and technical 
assistance.
    Otherwise, that section is all focused on emergency 
response. That is part of the failure, I think, of imagination 
of the program as a whole, that it is not focused more on the 
prevention side.
    Mr. Richmond. Speaking of prevention, what should we be 
doing to address the statutory exemptions for certain types of 
high-risk facilities like water treatment systems and nuclear 
power plants?
    Mr. Orum. Drinking water and wastewater facilities just 
should definitely be included in the program. Half of large 
drinking water facilities already don't use bulk chlorine gas 
and there is a trend in that direction.
    The others two-thirds of wastewater facilities do not use 
bulk chlorine gas. The bleach manufacturers that serve them are 
an increasing number, although still relatively small, no 
longer bringing in rail cars and 90 tons of chlorine gas.
    That whole system and the supply chain of transportation 
that serves it could very effectively be brought under the 
program. It is just a matter of Congress doing it.
    Mr. Richmond. I see my time is running out, and I just hope 
at some point we have a conversation about whether you all 
think we have adequately--or, the conversation about drones and 
these facilities.
    My district is the largest petrochemical footprint in the 
country, and I worry about drones and security in the 
neighborhood security every day. So I hope that comes up in 
questions or later testimony.
    With that, I yield back.
    Mr. Ratcliffe. Thank the gentleman.
    The Chair now recognizes the gentleman from New York, Mr. 
Donovan, for 5 minutes.
    Mr. Donovan. Thank you, Mr. Chairman, and just my friend 
from Louisiana just hit on something I was gonna speak on, too. 
Since the reauthorization in 2014, our enemies' methods of 
threatening our systems have changed, drones being one of them.
    Are there any things that this committee could do to help 
in your efforts to protect the facilities that we are talking 
about here with these new rising threats, whether it be in the 
field of physical security or cybersecurity?
    I would ask the entire panel. I would be very interested in 
hearing your expertise.
    Mr. Thompson. Well, let me certainly echo what the Ranking 
Member and what you just said about drones. Drones is certainly 
a high threat and concern of our industry as well. We have been 
working closely with the FAA on drone issues.
    We encourage DHS to work with FAA on drone issues, you 
know, to coordinate between the two agencies, you know, who 
should lead and how to protect the airspace above our 
facilities. It is a very important issue.
    We also believe that DHS should implement a voluntary 
program for our facilities to report potential drone attacks so 
there can be more of a collection of data to help us going 
forward.
    Ms. Meskill. I agree. We are all very worried about drones, 
particularly the weaponization and arming of drones. Those 
drones entering airspace over our chemical facilities.
    Currently in many States, some States have passed 
regulation putting that area restricted so that drones cannot 
cross it, but that is not uniform across all our States. So we 
are looking for that.
    Drone technology is great. It is advancing quickly and it 
is really completing our security and safety programs. It is 
fantastic. The ability to use drones to do inspections of 
smokestacks and other structures without putting other 
scaffolding in place is really great.
    As we watch security advancement we can even implement 
drone technology to do perimeter checks and things like that. 
So it is really great, but we are paralyzed because we are very 
concerned about weaponized drones coming over our facilities. 
We don't have a way to defend ourselves against that right now.
    Mr. Donovan. Thanks.
    Mr. Mutschler. Again, from the agricultural side of the 
industry, you know, we agree with everything I have heard here, 
but I really believe highly in the public-private partnerships 
to address any new risk that is coming our way. I think DHS has 
done a very good job working with us, and particularly looking 
at the risk to the agricultural sector.
    We are remote facilities. We are scattered all over the 
countryside, and we have some unusual risk. They have been very 
open to work with us on assessing those risks, and I think what 
the committee can do is encourage these public-private 
relationships using some of the stewardship programs to look at 
best management practices in addition to just regulatory 
requirements.
    Mr. Orum. Here again I think you have a prime issue to put 
to the Government Accountability Office for an in-depth study 
on whether current existing CFATS standards are, in fact, 
sufficient to address evolving risks of concern.
    Mr. Donovan. Quickly, could each of you just speak 15, 20 
seconds on cybersecurity and what you feel could be an 
assistance to you in protecting your facilities from a cyber 
attack?
    Ms. Meskill. Sure. Access to intelligence, so it is a 
continuing theme that we have heard over and over again. We 
need information. Clearly we need declassified or Classified 
information. We need to share that information. We need to 
understand where those risks are, where they are evolving, 
where they are happening in the industry so that we can then 
design our security programs to address those risks.
    Mr. Thompson. I certainly wasn't avoiding the question. I 
was trying to be a gentleman.
    [Laughter.]
    Mr. Thompson. But like I say, there is a certain way this 
ranks high with the drone issue, cybersecurity as well. AFP and 
our members have been actively involved with this. Certainly 
there is a risk-based performance, I believe No. 8, that deals 
with this issue. So our security plans address cyber.
    We have also been working closely with NIST and their 
framework for this issue and so we are actively involved and 
certainly the Government in sharing information, finding ways 
voluntarily to share amongst ourselves would be the way the 
Government could help.
    Mr. Mutschler. Again, I get back to that public-private 
partnership deal and on cybersecurity we are currently at the 
table with DHS talking about precision agriculture and what is 
the vulnerabilities of those systems. I think those dialogs are 
incredibly healthy for us as the industry to protect the 
systems. It is doing a good job on opening the eyes of the 
regulatories to us as to what is actually out there right now, 
so----
    Mr. Donovan. I thank you all and I also invite each of you 
to share with us anything that comes up after this hearing on 
how we could help you protect those facilities. Thank you for 
your testimony.
    Mr. Chairman, I yield back the time that I don't have 
remaining.
    Mr. Ratcliffe. I thank the gentleman.
    The Chair now recognizes the gentlelady from Florida, Chief 
Demings.
    Mrs. Demings. Thank you so much, Mr. Chairman and thank you 
to our witnesses for joining us here today.
    The CFATS Act of 2014 includes protection for workers, 
including a requirement that facilities to the extent practical 
consult with at least one knowledgeable employee or labor union 
representative in security planning and vulnerability 
assessments.
    Mr. Orum, can you elaborate on the benefit of having 
employees on the ground contribute to security plans and 
service force multipliers for monitoring compliance?
    Mr. Orum. Yes, employees tend to get hurt first and worst 
by chemical releases. They also observe problems every day and 
are knowledgeable about remedies. Basically the more involved 
employees are the more fixes to the problems.
    There are a number of things that CFATS could do more 
substantially, including employees routinely in inspections, 
for example. Making sure that companies certify that they have 
consulted with employees, requiring an input plan in which 
employee recommendations are documented as well as the 
responses to those recommendations.
    DHS could also do a sort-of ``See Something, Say 
Something'' educational campaign for employees. It is possible 
also that transferring the whistleblower protection provisions 
to OSHA, which administers such programs for a couple dozen 
agencies, could help make them more effective.
    Mrs. Demings. You know, as a former police chief, I 
frequently ask the men and the women on the ground who were 
doing the job for their opinions on how we could do it better 
and how we could keep them safer. For the other panelists, what 
are the circumstances that would make it impractical for a 
facility to ask an employee for help with a security or site 
security plan?
    We will start with you, Mr. Thompson.
    Mr. Thompson. Well, it is not as much whether it is 
impractical. I think what we are always striving to do is find 
the appropriate balance. We are dealing with highly-sensitive 
security information and so we need to balance that and the 
need to limit that information from getting out more publicly 
where it could pose greater risks with, you know, balance that 
with certainly the expertise that some of our work force could 
bring to bear.
    So our facilities, you know, are always looking for that 
balance. If there are folks within the work force that can add 
to the development of vulnerability assessments or security 
plans, certainly we bring that expertise to bear. But again, it 
is a balance and there is not a one-size-fits-all answer here.
    This isn't about what Mr. Orum said about identifying 
problems and releases. This is about security. So we need to 
take a different account.
    Mrs. Demings. Isn't identifying problems a part of a 
security plan?
    Mr. Thompson. Absolutely, but some of the releases that 
were being referenced there are other programs like EPA's Risk 
Management Planning program and EPGA. There are lots of other 
programs.
    I think it is important for us when we talk about this to 
remember we are talking about CFATS and security and the 
highly-sensitive information that we are dealing with. Again, 
that is what makes us want to--this isn't an issue of just 
stiff-arming our employees. This, again, is the issue of 
finding the appropriate balance to deal with highly-sensitive 
information.
    Ms. Meskill. So I agree with everything Mr. Thompson said, 
but in addition, across the industry, plans are developed at a 
site level. It is that site director who is ultimately 
accountable and responsible for safety and security at his 
facility. So there is immediately on-site employee engagement 
and involvement in development of those plans.
    Of course you need some technical skill as well. At my 
company, and I know at other member companies at ACC, you have 
individuals like me and teams like me that advise and give that 
technical skill.
    But ultimately it is the people on the ground that are 
coming up with those plans because, like Mr. Orum said, they 
are the first ones who know the risks. They are really in the 
best position to develop those plans.
    Mrs. Demings. Yes.
    Mr. Mutschler. I kind-of agree with everything I have 
heard. One thing is, you know, I truly believe that there is 
not an adequate safety and security plan that doesn't include 
the input from all employees at certain phases of the project. 
We have had tremendous luck with DHS on this issue, and 
particularly with our outreach program for non-regulated 
facilities.
    They will sit down with all our employees and we will go 
through a vulnerability assessment and the only thing that 
where it starts crossing the line is when you have this road 
map that shows you exactly how to damage the facility.
    That is the area that we need to protect. But we take input 
on all levels of our safety programs and security from not only 
the employees but the communities we work with. You know, we 
have law enforcement involved in that same process. They need 
to be.
    Mrs. Demings. Excellent. Thank you very much and I am out 
of time.
    I will yield back.
    Mr. Ratcliffe. Thank the gentlelady.
    The Chair now recognizes the gentleman from Nebraska, Mr. 
Bacon.
    Mr. Bacon. Thank you all for being here and this is a new 
subject matter for me, so I am trying to learn as fast as I 
can. Could you give me an example, any of you, of a Tier 1 
facility versus a Tier 2? What kinds of things are we looking 
at that are different? I don't know if I understand it?
    Mr. Mutschler. I will start with that. It is not completely 
known by the regulated party, but, you know, the amount of work 
that they do analyzing the vulnerabilities and what possibly 
could be in there as multiple factors. Not only what is stored 
on the site, where it is located, what is the general make-up 
of the geography, and the population in the area.
    I have always been surprised to see which ones are tiered 
at which levels, so----
    Mr. Bacon. That is interesting that it is hard for you to 
ascertain in you are having to live it.
    Any other thoughts on that question?
    Ms. Meskill. No, I agree with that. You know, and I made 
reference to this earlier, during the reauthorization process 
there were sites that fell out of tiering, which did surprise 
us. So oftentimes it is a bit of a surprise to us, industry.
    Because we don't have sufficient transparency or knowledge 
as to what exactly is being looked at.
    Mr. Bacon. Mr. Thompson, you talk about flexibility and how 
important it is. Can you describe what does that really mean 
and why is that so important to you for CFATS?
    Mr. Thompson. Well, again, it is important as I said in my 
testimony about, you know, this being performance standards and 
not one-size-fits-all. Every facility is different, every work 
force is different.
    I don't disagree with any, you know, what the panel has 
said. I think we were consistent about getting input from our 
work force. What we, you know, are opposed to are mandates that 
tell us exactly how to go about it.
    So, you know, that is the main point here. We need the 
flexibility to develop the best plan that we can to provide the 
maximum security. In some situations that will involve lots of 
work force involvement and in other situations maybe less so.
    So we just need the flexibility to develop the best plan we 
can working with DHS.
    Mr. Bacon. Ms. Meskill, on the DHS CFATS officials are they 
helpful to you? I mean, are they good advisors? Are they a 
little bit ambiguous or----
    Ms. Meskill. No.
    Mr. Bacon [continuing]. Help you get to the solution?
    Ms. Meskill. No, they have been extremely helpful, and we 
do work extremely closely with them, both at the chem sector 
level but also at the ACC level and then at the site level. 
They have been very gracious in responding to questions, very 
responsive and overall, yes.
    I think they try very hard to understand and relate to the 
challenges that industry has and complications that those 
challenges present sometimes to make us comply with the 
regulation.
    Mr. Bacon. To the remaining three, have you found them 
helpful as well?
    Mr. Mutschler. I would like to lead off with that one. I 
have found them extremely helpful.
    Mr. Bacon. Good.
    Mr. Mutschler. In our industry we have a lot of people that 
are not security experts. They are selling fertilizer. They are 
giving farmers advice. They are trying to, you know, market 
grain and that is their main job.
    Every time we have interacted with the DHS personnel they 
have been very professional, very informative. They have really 
helped ease the anxiety of our locations. In my overall opinion 
it has been a tremendous success because of the people that are 
involved.
    Mr. Bacon. Thank you. That is good to hear. Anybody else.
    Mr. Thompson. Well, I certainly won't miss the opportunity 
to echo our thanks to DHS. They do a terrific job. This is a 
hard program. They have done, you know, we can't say enough.
    Mr. Orum. I would add that average community member has 
never met a DHS CFATS employee, I presume. My impression is 
though, however, and I keep harping on this, there is a kind-of 
a mindset failure that is too much focused on conventional 
security and not enough on the reduction of risk profiles as a 
potential security measure. More should be done to use that 
aspect.
    Mr. Bacon. OK, thank you very much. I would just wish all 
of our agencies had that kind of feedback for helping out their 
customers.
    I yield back.
    Mr. Ratcliffe. Thank the gentleman.
    I thank all the witnesses for your testimony today, and I 
thank the Members for all their questions.
    I can relate to you all that the combination of the 
National shooting tragedy and a change in the House calendar 
prevented some Members of the subcommittee from attending our 
hearing today. Some of those Members will likely have 
additional questions for you as witnesses and we will ask you 
to respond to those in writing.
    Pursuant to committee rule VII(D), the hearing record will 
remain open for a period of 10 days. Without objection, the 
subcommittee stands adjourned.
    [Whereupon, at 11:01 a.m., the subcommittee was adjourned.]



                            A P P E N D I X

                              ----------                              

      Questions From Honorable James R. Langevin for Chet Thompson
    Question 1a. One of the risk-based performance standards imposed by 
CFATS is cybersecurity. In your experience, is DHS providing your 
member with the information and support that they need in order to 
secure their systems against evolving cyber threats?
    Answer. Response was not received at the time of publication.
    Question 1b. How do your members account for cybersecurity in their 
security plans?
    Answer. Response was not received at the time of publication.
    Question 1c. How has the CFATS program improved cybersecurity for 
chemical facilities?
    Answer. Response was not received at the time of publication.
    Question 2a. DHS published its standards guidance for CFATS in 
2009. While updated guidance has been provided for some of those 
standards in the past 9 years, one more recent threat that seems to 
remain unaddressed by the area perimeter standard is the threat posed 
by unmanned aerial systems, or drones. In the wrong hands, drones can 
be used to surveil perimeter security systems to discover weaknesses, 
or--in the worst case--to carry explosives over barriers designed to 
stop ground vehicles. What are your respective groups doing to educate 
your members about drone threats to their facilities and about the 
countermeasures they can employ?
    Answer. Response was not received at the time of publication.
    Question 2b. Have facility operators found that the law allows them 
to effectively defend their facilities against unauthorized drone 
activity?
    Answer. Response was not received at the time of publication.
    Question 2c. What more do you feel DHS can do to help chemical 
facilities successfully manage the risks posed by drones?
    Answer. Response was not received at the time of publication.
     Questions From Honorable James R. Langevin for Kirsten Meskill
    Question 1a. One of the risk-based performance standards imposed by 
CFATS is cybersecurity. In your experience, is DHS providing your 
members with the information and support that they need in order to 
secure their systems against evolving cyber threats?
    Answer. Response was not received at the time of publication.
    Question 1b. How do your members account for cybersecurity in their 
security plans?
    Answer. Response was not received at the time of publication.
    Question 1c. How has the CFATS program improved cybersecurity for 
chemical facilities?
    Answer. Response was not received at the time of publication.
    Question 2a. DHS published its standards guidance for CFATS in 
2009. While updated guidance has been provided for some of those 
standards in the past 9 years, one more recent threat that seems to 
remain unaddressed by the area perimeter standard is the threat posed 
by unmanned aerial systems, or drones. In the wrong hands, drones can 
be used to surveil perimeter security systems to discover weaknesses, 
or--in the worst case--to carry explosives over barriers designed to 
stop ground vehicles. What are your respective groups doing to educate 
your members about drone threats to their facilities and about the 
countermeasures they can employ?
    Answer. Response was not received at the time of publication.
    Question 2b. Have facility operators found that the law allows them 
to effectively defend their facilities against unauthorized drone 
activity?
    Answer. Response was not received at the time of publication.
    Question 2c. What more do you feel DHS can do to help chemical 
facilities successfully manage the risks posed by drones?
    Answer. Response was not received at the time of publication.
        Questions From Honorable James R. Langevin for Paul Orum
    Question 1a. In your testimony, you suggest not enough has been 
done to investigate the efficacy of the performance requirements DHS 
has established in the CFATS program. How might the CFATS performance 
standards fall short in addressing evolving cybersecurity threats?
    Answer. Response was not received at the time of publication.
    Question 1b. How might the CFATS performance standards fall short 
in addressing the threats posed by drones?
    Answer. Response was not received at the time of publication.

                                 [all]