[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


SECURING OUR NATION'S CHEMICAL FACILITIES: BUILDING ON THE PROGRESS OF 
                           THE CFATS PROGRAM

=======================================================================

                                HEARING

                               BEFORE THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           FEBRUARY 27, 2019

                               __________

                            Serial No. 116-3

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                                     

        Available via the World Wide Web: http://www.govinfo.gov
        
        
                               __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
35-379 PDF                  WASHINGTON : 2019                     
          
--------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, po@custhelp.com.                 
        

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            Mike Rogers, Alabama
James R. Langevin, Rhode Island      Peter T. King, New York
Cedric L. Richmond, Louisiana        Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     John Katko, New York
Kathleen M. Rice, New York           John Ratcliffe, Texas
J. Luis Correa, California           Mark Walker, North Carolina
Xochitl Torres Small, New Mexico     Clay Higgins, Louisiana
Max Rose, New York                   Debbie Lesko, Arizona
Lauren Underwood, Illinois           Mark Green, Tennessee
Elissa Slotkin, Michigan             Van Taylor, Texas
Emanuel Cleaver, Missouri            John Joyce, Pennsylvania
Al Green, Texas                      Dan Crenshaw, Texas
Yvette D. Clarke, New York           Michael Guest, Mississippi
Dina Titus, Nevada
Bonnie Watson Coleman, New Jersey
Nanette Diaz Barragan, California
Val Butler Demings, Florida
                       Hope Goins, Staff Director
                 Chris Vieson, Minority Staff Director
                           
                           
                         C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Mike Rogers, a Representative in Congress From the 
  State of Alabama, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement.................................................     4
  Prepared Statement.............................................     6

                               Witnesses

Mr. David Wulf, Director, Infrastructure Security Compliance 
  Division, Cybersecurity and Infrastructure Security Agency, 
  U.S. Department of Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     9
Mr. Nathan Anderson, Acting Director, Homeland Security and 
  Justice, U.S. Government Accountability Office:
  Oral Statement.................................................    12
  Prepared Statement.............................................    14

                             For the Record

The Honorable Mike Rogers, a Representative in Congress From the 
  State of Alabama, and Ranking Member, Committee on Homeland 
  Security:
  Letter.........................................................     4

                                Appendix

Questions From Chairman Bennie G. Thompson for David Wulf........    51
Question From Honorable Xochitl Torres Small for David Wulf......    52
Questions From Honorable Cedric Richmond for David Wulf..........    52
Questions From Honorable Michael Guest for David Wulf............    53
Question From Honorable Michael Guest for Nathan Anderson........    54
Questions From Ranking Member Mike Rogers for Nathan Anderson....    54

 
SECURING OUR NATION'S CHEMICAL FACILITIES: BUILDING ON THE PROGRESS OF 
                           THE CFATS PROGRAM

                              ----------                              


                      Wednesday, February 27, 2019

                     U.S. House of Representatives,
                            Committee on Homeland Security,
                                                    Washington, DC.
    The committee met, pursuant to notice, at 10:08 a.m., in 
room 310, Cannon House Office Building, Hon. Bennie G. Thompson 
(Chairman of the committee) presiding.
    Present: Representatives Thompson, Langevin, Richmond, 
Correa, Torres Small, Rose, Underwood, Slotkin, Cleaver, Green, 
Clarke, Barragan, Demings, Rogers, McCaul, Walker, Higgins, 
Lesko, Taylor, Joyce, Crenshaw, and Guest.
    Chairman Thompson. The Committee on Homeland Security will 
come to order. At the request of the Ranking Member, we will 
begin the hearing. He will join us momentarily.
    The committee is meeting today to receive testimony on 
securing our Nation's chemical facilities, building on the 
progress of the CFATS program. Since 2007, the Department of 
Homeland Security has administered a regulatory program that 
covers security measures at high-risk chemical facilities to 
protect against the threat of terrorist attack.
    Through CFATS, DHS works with chemical facility owners and 
operators to make sure they have safeguards in place to prevent 
a bad actor from gaining access to dangerous chemicals stored 
on-site. In the past, this program has enjoyed broad bipartisan 
support on and off the Hill.
    Officials in the Bush administration, including former 
Homeland Security Secretary Michael Chertoff, were among the 
first to call for a Federal rule to secure chemical facilities. 
Officials from the Trump administration, among the most recent, 
last November, DHS Secretary Kirstjen Nielsen wrote to Congress 
urging us to reauthorize CFATS.
    We continue to face one of the most serious terrorist 
threat environments since 9/11. Foreign terrorist organizations 
are urging recruits to use simple weapons, including toxic 
chemicals, to target public spaces and events. Clearly, this 
threat has not abated.
    Yet the Department's authority to carry out CFATS came very 
close to lapsing last month which caused this committee to pass 
a short-term bill extending the program until 2020. For 8 
years, CFATS was tied to the annual appropriations cycle.
    Lacking the certainty of a multi-year authorization, DHS 
struggles to keep staff, develop long-term policies and work 
with a regulated community that did not know if the rules would 
apply the following year. In 2014, Congress worked on a 
bicameral, bipartisan basis to finally put an end to this 
pattern by passing a multi-year authorization.
    I had hoped to work collaboratively in the last Congress, 
as we did in 2014, to give CFATS a long-term reauthorization. 
Unfortunately, that did not come to pass, and we once again 
found ourselves with no alternative but to pass another short-
term extension. As Chairman, I do not intend to let that happen 
again.
    This committee is acting early this Congress to get a 
reauthorization bill across the finish line. However, I do not 
plan to let reauthorization become an excuse to water down 
regulatory requirements or diminish the overall security value 
of the program.
    CFATS is already designed to give flexibility and deference 
to facility owners and operators. The requirements are non-
prescriptive, meaning that regulated facilities can choose 
security measures that work for their unique environment so 
long as their site security plan generally adheres to a set of 
risk-based security principles. When DHS inspectors go out and 
find that a facility's security plan falls short, they work 
with that facility to address vulnerabilities.
    Thanks in part to the leadership of Director Wulf, who is 
testifying here today, the CFATS program is in place where 
Congress can build on a foundation that has already been laid. 
For example, there are currently half as many high-risk 
facilities in the United States as there were in 2007.
    I would like to understand how DHS is encouraging 
facilities to voluntarily reduce and remove chemical security 
risk and how we might put that data to good use.
    I also see reauthorization as an opportunity to figure out 
what is working and what is not. That may mean taking another 
look at how CFATS handles whistleblowers or deciding if an 
expedited approval program is a good use of DHS's limited 
resources.
    Finally, there are some areas where the program continues 
to fall short. Six years ago, there was a fertilizer plant 
explosion in West, Texas, that caused catastrophic damage and 
took the lives of first responders who had been called to the 
scene.
    On the screen above you is a picture of that scene where 
volunteer firemen went to that location not knowing what they 
were going to, and they lost their lives. So we need to close 
that loophole because as a volunteer fireman myself, those 
public-spirited first responders did not know what they were 
going to until it was too late.
    So if CFATS had been in place, those individuals probably, 
given the information available, would not have approached it 
in the same light. So whatever we need to do to make sure 
information is being shared, this is a challenge we will 
address.
    I look forward to hearing from the panel today about how we 
might improve CFATS and make sure we give DHS and the regulated 
community the civility and certainty of a long-term 
reauthorization program.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                           February 27, 2019
    Since 2007, the Department of Homeland Security has administered a 
regulatory program that covers security measures at ``high-risk'' 
chemical facilities to protect against the threat of terrorist attack. 
Through CFATS, DHS works with chemical facility owners and operators to 
make sure they have safeguards in place to prevent a bad actor from 
gaining access to dangerous chemicals stored on-site.
    In the past, this program has enjoyed broad, bipartisan support on 
and off the Hill. Officials in the Bush administration, including 
former Homeland Security Secretary Michael Chertoff, were among the 
first to call for a Federal rule to secure chemical facilities. And, 
officials from the Trump administration are among the most recent.
    Last November, DHS Secretary Kirstjen Nielsen wrote to Congress 
urging us to reauthorize CFATS: ``[W]e continue to face one of the most 
serious terrorist threat environments since 9/11. Foreign terrorist 
organizations are urging recruits to use simple weapons, including 
toxic chemicals, to target public spaces and events.''
    Clearly, this threat has not abated.
    Yet, the Department's authority to carry out CFATS came very close 
to lapsing last month--until this committee passed a short-term bill 
extending the program until April 2020.
    For 8 years, CFATS was tied to annual appropriations cycles. 
Lacking the certainty of a multi-year authorization, DHS struggled to 
keep staff, develop long-term policies, and work with a regulated 
community that did not know if the rules would apply the following 
year. In 2014, Congress worked on a bicameral, bipartisan basis to 
finally put an end to this pattern by passing a multi-year 
authorization.
    I had hoped to work collaboratively in the last Congress, as we did 
in 2014, to give CFATS a long-term reauthorization. Unfortunately, that 
did not come to pass, and we once again found ourselves with no 
alternative but passed another short-term extension.
    As Chairman, I do not intend to let that happen again. This 
committee is acting early this Congress to get a reauthorization bill 
across the finish line. However, I do not plan to let reauthorization 
become an excuse to water down regulatory requirements or diminish the 
overall security value of the program.
    CFATS is already designed to give flexibility and deference to 
facility owners and operators. The requirements are non-prescriptive, 
meaning that regulated facilities can choose security measures that 
work for their unique environment, so long as their site security plans 
generally adhere to a set of risk-based security principles. When DHS 
inspectors go out and find that a facility's security plan falls short, 
they work with that facility to address vulnerabilities.
    Thanks in part to the leadership of Director Wulf, who is 
testifying here today, the CFATS program is in a place where Congress 
can build on the foundation that has already been laid. For example, 
there are currently half as many ``high-risk'' facilities in the United 
States as there were in 2007.
    I would like to understand how DHS is encouraging facilities to 
voluntarily reduce or remove chemical security risks, and how we might 
put that data to good use. I also see reauthorization as an opportunity 
to figure out what's working, and what's not. That may mean taking 
another look at how CFATS handles whistleblowers or deciding if the 
expedited approval program is a good use of DHS's limited resources.
    Finally, there are some areas where the program continues to fall 
short.
    I was extremely troubled by a report GAO released last year showing 
that first responders and emergency planners are still not getting the 
information they need to respond to an incident at a CFATS facility. As 
a former volunteer fire fighter, I am deeply concerned that--6 years 
after the tragic fertilizer plant explosion in West, Texas--we still 
have not yet figured out how to put the right information in the hands 
of the brave men and women running into a building in an emergency 
while everyone else is running out. When first responders show up at an 
incident, they need to know what's on the other side of the door. 
Period.
    Whatever we need to do to make sure information is being shared--
this is a challenge we will address.
    I look forward to hearing from the panel today about how we might 
improve CFATS and make sure we give DHS--and the regulated community--
the stability and certainty of a long-term reauthorization for the 
program.

    Chairman Thompson. I now recognize the Ranking Member of 
the full committee, the gentleman from Alabama, Mr. Rogers, for 
an opening statement.
    Mr. Rogers. Thank you, Mr. Chairman. Sorry I am late. Thank 
you for holding this important hearing.
    Before I begin, I would like to express my extreme 
disappointment that the Majority staff denied the Minority's 
request for a witness at today's hearing. Under Rule 11 of the 
rules of the House, the Minority is afforded at least one 
witness at each committee hearing. If denied a witness, the 
Minority is entitled to separate hearing to take testimony from 
its witnesses.
    So pursuant to rule of the House, I am providing the 
Chairman with a letter signed by the Republican Members of the 
committee formally invoking our right to a separate hearing of 
the full committee to hear from Minority witnesses. I ask 
unanimous consent that a letter be made part of the record.
    Chairman Thompson. Without objection.
    [The information follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Rogers. The rules require the Chairman to schedule a 
hearing in a reasonable period of time. We request a hearing as 
soon as possible.
    CFATS is a critical program aimed at keeping dangerous 
chemicals out of the hands of terrorists. In the past, 
Republicans and Democrats have worked together to reauthorize 
CFATS and make improvements to the program. I hope the 
tradition of bipartisanship on this issue can continue, despite 
the actions taken by the Majority today.
    CFATS has been a successful program because it gives 
industry flexibility to secure their facilities with guidance 
from the Department of Homeland Security based on each 
facility's unique risks and attributes. Fortunately, we have a 
solid program that works well as a starting point. Only small 
tweaks are needed to make an already good program even better.
    I believe that with bipartisan, bicameral process we can 
quickly give stakeholders the certainty they need and move a 
long-term reauthorization of CFATS to the President's desk. I 
hope the Chairman will join me in providing stability and 
certainty regarding chemical security and avoid taking actions 
which would undermine enactment of a bipartisan long-term 
reauthorization.
    I look forward to working collaboratively with the 
Majority, the Senate, the stakeholders, and DHS to reauthorize 
CFATS program. I also look forward to today's witnesses.
    With that, I yield back, Mr. Chairman.
    [The statement of Ranking Member Rogers follows:]
                Statement of Ranking Member Mike Rogers
                           February 27, 2019
    CFATS is a critical program aimed at keeping dangerous chemicals 
out of the hands of terrorists. In the past, Republicans and Democrats 
have worked together to reauthorize CFATS and make improvements to the 
program.
    I hope the tradition of bipartisanship on this issue can continue, 
despite the actions taken by the Majority today. CFATS has been a 
successful program because it gives industry flexibility to secure 
their facilities, with guidance from the Department of Homeland 
Security, based on each facility's unique risk and attributes.
    Fortunately, we have a solid program that works well as a starting 
point. Only small tweaks are needed to make an already good program 
better. I believe that with a bipartisan, bicameral process we can 
quickly give stakeholders the certainty they need and move a long-term 
reauthorization of CFATS to the President's desk.
    I hope the Chairman will join me in providing stability and 
certainty regarding chemical security--and avoid taking actions, which 
would undermine enactment of a bipartisan, long-term reauthorization. I 
look forward to working collaboratively with the Majority, the Senate, 
stakeholders, and DHS to reauthorize the CFATS program.

    Chairman Thompson. Thank you very much. In response to the 
Ranking Member's request, we will do so in writing. But 
consistent with the rules that we adopted for this committee, 
similar to the rules we have had before, we offered a 
Government witness to this Government panel.
    From my understanding, that was not accepted, but you could 
have had a Government witness. It was--we will respond in 
writing, but the rules we apply are the same rules that this 
committee has always operated under. Other Members of the 
committee are reminded that under the committee rules, opening 
statements may be submitted for the record.
    I welcome our panel of witnesses. First, I would like to 
welcome David Wulf, the director of the Infrastructure Security 
Compliance Division at the DHS Cybersecurity and Infrastructure 
Security Agency, CISA.
    Mr. Wulf has been CFATS through some of its difficult 
challenges and helped it mature into an internationally-
renowned chemical security program. I am thankful for his 
leadership on CFATS and look forward to his testimony.
    Next, I would like to welcome Mr. Nathan Anderson from the 
Government Accountability Office Homeland Security and Justice 
Team. Mr. Anderson has contributed to GAO's substantial body of 
work on the CFATS program, including a report GAO issued last 
July, which I expect will play a major role in informing CFATS' 
reauthorization and provide important context to our 
conversation today.
    Without objection, the witnesses' full statement will be 
inserted in the record. I now ask each witness to summarize his 
or her statement for 5 minutes, beginning with Mr. Wulf.

  STATEMENT OF DAVID WULF, DIRECTOR, INFRASTRUCTURE SECURITY 
COMPLIANCE DIVISION, CYBERSECURITY AND INFRASTRUCTURE SECURITY 
          AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Wulf. Thank you so much, Mr. Chairman, Ranking Member 
Rogers, and other Members of the committee. I really do 
appreciate the opportunity to be here today to provide an 
update on the progress of the Chemical Facility Anti-Terrorism 
Standards program, or CFATS, the progress that the CFATS 
program continues to make in fostering security at high-risk 
chemical facilities across the Nation.
    When I last testified before this committee in 2014, the 
CFATS program was in a very different place, having faced some 
significant challenges in its early years. But we had 
implemented a comprehensive corrective action plan and had made 
some measurable forward progress. At that time, I emphasized 
the importance of long-term authorization for this critical 
National security program.
    I am very grateful for the leadership you and the committee 
demonstrated in securing the 4-year CFATS authorization that 
was signed into law in December 2014. I am grateful, of course, 
as well for your role in attaining the 15-month extension of 
that authorization through April 2020 that was enacted last 
month.
    I am very appreciative that this committee is holding 
today's hearing and is again taking a lead role to ensure 
continuing long-term authorization of CFATS. I look forward to 
working with you to continue to enhance and to evolve our 
program.
    Now, as I am sure you will hear me say once or twice today, 
the stability that has come along with long-term authorization 
has driven unprecedented progress as our team has worked with 
CFATS-covered facilities to make America's high-risk chemical 
infrastructure a truly hard target with literally tens of 
thousands of security measures having been put in place at 
high-risk chemical facilities across the Nation.
    These facilities have achieved, on average, a 55 percent 
increase in their security posture as a direct result of CFATS. 
The stability afforded by long-term authorization has 
facilitated our planning and execution of important 
programmatic improvements, a few of which I will detail in a 
moment, while it has also afforded regulated industry 
stakeholders with the certainty they deserved as they planned 
for and made significant investments in CFATS-related security 
measures.
    Now, I know that as the reauthorization process proceeds, 
you will have the opportunity to hear directly from industry 
and other stakeholders about their experience with CFATS.
    The gains I have just noted would not have been possible 
without the commitment and hard work of companies and our 
various other stakeholders across the Nation who have put into 
place CFATS-focused security measures and, in many cases, have 
provided important feedback and ideas that have helped us to 
improve our processes and our effectiveness as we have evolved 
and enhanced the program over the past 4 years.
    So I see many of those stakeholders in the room, and I 
appreciate their presence here today. I would also like to 
acknowledge Nathan Anderson and the important role the GAO has 
played in reviewing our operations and making many helpful 
recommendations over the past several years.
    Of course, I want to acknowledge our hard-working CFATS 
team, some 250 folks here in Washington and across the Nation 
who have built a truly world-class program and who are laser-
focused on securing America's highest-risk chemical 
infrastructure.
    So about those programmatic improvements I mentioned, what 
have we been doing to make CFATS even stronger as we have 
enjoyed the stability of long-term authorization over the past 
4 years? Well, we have improved processes. We have eliminated 
bottlenecks.
    We have seen unprecedented progress in the pace of 
inspections and in the review and approval of facility site 
security plans, eliminating a backlog of security plan reviews 
6 years ahead of earlier GAO projections.
    We have developed and launched an improved risk assessment 
methodology that effectively accounts for all relevant elements 
of risk. We have reassessed the level of risk associated with 
nearly 30,000 facilities across the country.
    We have implemented the CFATS personnel surety program, 
affording the highest-tiered CFATS-covered facilities the 
ability to ensure that individuals with access to critical 
assets have been vetted for terrorist ties.
    We have dramatically reduced burden across our stakeholder 
community, having built and launched a streamlined, more user-
friendly suite of on-line tools through which facilities submit 
risk assessment surveys, also known as Top Screens, and develop 
their site security plans.
    While the stability afforded by long-term authorization has 
yielded all of this progress over the past 4 years, we are 
certainly not done yet. Continued long-term authorization will 
be absolutely critical to ensuring that we are able to focus on 
driving even more effective and even more efficient approaches 
to fostering chemical security across the Nation.
    Now, as we are all too aware, the threat of chemical 
terrorism remains a real and a very relevant one. Around the 
globe, our adversaries continue to seek, to acquire, and to use 
in attacks chemicals of the sort that trigger coverage under 
CFATS. The threat stream continues to reflect that chemical 
facilities themselves remain an attractive target for our 
adversaries.
    I can tell you with certainty that the work we are doing in 
concert with our committed stakeholders across the wide variety 
of industries and facilities that compose the CFATS-covered 
universe is making a real difference in protecting the Nation.
    Having had the opportunity to work closely with my 
counterparts in other nations and to co-chair the G7 Global 
Partnership's Chemical Security Working Group, I can tell you 
as well that what we are doing here in the United States 
through CFATS, the culture of chemical security you have helped 
us to build with your support for long-term CFATS 
authorization, is absolutely the envy of the world.
    With its targeted focused on the highest-risk facilities, 
with its 18 comprehensive risk-based performance standards 
addressing physical, cyber, and insider threats, and with its 
non-prescriptive flexible approach to regulation, CFATS is 
well-suited to enhancing security across the very diverse 
universe of high-risk chemical facilities.
    So before I wrap up, I would like to again thank the 
committee and your top-notch staff for your leadership on CFATS 
and on chemical security writ large.
    We are fond of saying that chemical security is a shared 
commitment, and not unlike the role that industry and other 
stakeholders who have embraced and helped us to build this 
program in so many ways, and the role of our committed and very 
talented team at DHS, the role of Congress and the role of this 
committee in shaping and authorizing CFATS for the long-term 
has been hugely important.
    I am looking forward to working further with you, as we 
drive toward reauthorization this year.
    So thanks again. Thank you so much. I look forward to your 
questions, and to the dialog here today.
    [The prepared statement of Mr. Wulf follows:]
                    Prepared Statement of David Wulf
                           February 27, 2019
                              introduction
    Chairman Thompson, Ranking Member Rogers, and Members of the 
committee, I appreciate the opportunity to appear before you today to 
discuss the development and maturation of the Department of Homeland 
Security's (DHS) regulation of high-risk chemical facilities under the 
Chemical Facility Anti-Terrorism Standards (CFATS) Program.
    I also want to thank you for your efforts in extending the 
program's authorization for an additional 15 months so that we may 
continue to work together toward the long-term reauthorization of this 
critical National security program. Since the program's inception, 
CFATS has fundamentally improved chemical security in the United 
States. Our threat landscape is constantly evolving and the threat of 
chemical terrorism remains a very real and very relevant one. For this 
reason, fostering the security of high-risk chemical facilities 
continues to be of the utmost importance. Given the wide diversity of 
facilities that store chemicals, CFATS--and its flexible, targeted 
approach, is an essential tool in this effort.
                         cfats program overview
    The CFATS Program is a vital part of our Nation's counterterrorism 
efforts, addressing physical, cyber, and insider threats to our 
Nation's highest-risk chemical facilities. Since the CFATS Program's 
creation, we have engaged with industry to identify and regulate high-
risk chemical facilities to ensure they have security measures in place 
to reduce the risks associated with the possession of chemicals of 
interest and to keep dangerous chemicals out of the hands of those who 
wish to do us harm.
    The cornerstone of the CFATS Program is the development, 
submission, and implementation of Site Security Plans (SSPs), or 
Alternative Security Programs in lieu of SSPs, documenting the security 
measures that high-risk chemical facilities utilize to satisfy the 
applicable Risk-Based Performance Standards (RBPS) under CFATS. Due to 
the diversity of facilities that hold chemicals of interest, it is 
important to note these plans are not ``one-size-fits-all,'' but are 
in-depth, highly customized, and account for each facility's unique 
circumstances.
    In order to determine whether a facility is covered under CFATS, 
DHS utilizes a risk-assessment methodology that takes into account 
threat, vulnerability, and the consequences of a potential attack. To 
begin the process, a facility in possession of threshold quantities of 
CFATS chemicals of interest submits a Top Screen to the Department's 
Infrastructure Security Compliance Division. Since we began collecting 
this information in 2007, more than 40,000 unique facilities have 
reported chemical holdings. Based on the information received in the 
Top Screens, DHS determines which facilities are at high-risk of 
terrorist attack or exploitation and assigns each of these to a tier.
    Facilities determined to be high-risk must submit a Security 
Vulnerability Assessment (SVA) and a SSP, or a SVA and an Alternative 
Security Program (ASP), to DHS for approval. Tier 3 and 4 facilities 
also have the option of submitting an Expedited Approval Program (EAP) 
SSP in lieu of an SSP or ASP. The plan must include security measures 
meeting the RBPS established in the CFATS regulation. For facilities 
other than those submitting an EAP SSP, the Department performs an 
authorization inspection at the facility prior to approving a security 
plan to ensure that the measures contained in the security plan are 
appropriate given the facility's specific security issues and unique 
characteristics. Once a facility's plan is approved, DHS conducts 
regular compliance inspections to verify that the facility is 
implementing the agreed-upon security measures.
       cfats act of 2014 afforded crucial stability and certainty
    In December 2014, Congress passed the Protecting and Securing 
Chemical Facilities from Terrorist Attacks Act of 2014 (CFATS Act of 
2014). This statute, which enjoyed strong bipartisan and stakeholder 
support, brought stability for both the Department and the regulated 
community and provided stakeholders with confidence in the program's 
future. Enacting a multi-year CFATS authorization as Congress did in 
2014 marked an important turning point for the program. Among other 
things, it:
   Provided industry stakeholders with the certainty they 
        needed to plan for and invest in CFATS-related security 
        measures to harden their critical sites against possible 
        terrorist attack or exploitation;
   Afforded the stability needed to enable the Department to 
        make programmatic improvements as well as strategic, long-term 
        planning decisions regarding staffing, program development, and 
        process efficiencies; and,
   Sent a clear message to potentially covered ``outlier'' 
        facilities that the CFATS Program is here to stay.
    With long-term authorization, chemical facilities have become 
further incentivized to engage with the Department with regard to 
facility security. Returning to the instability of short-term renewal 
of CFATS Program either through regular order or the appropriations 
process would represent a significant step backwards for the Nation's 
chemical security efforts, inhibit programmatic progress and long-term 
planning, and undermine stakeholder confidence in the longevity of the 
program. In short, the absence of long-term CFATS authorization puts 
America's chemical security--and the security of our communities--at 
risk.
              accomplishments since the cfats act of 2014
    Due in large part to the stability afforded by passage of the CFATS 
Act of 2014, I am pleased to report today that much has been 
accomplished and that our program continues to make significant forward 
progress. Through the collective efforts of our dedicated workforce, 
industry, and other stakeholders, and through the support and 
leadership of Congress, the CFATS program has matured significantly in 
this time and is poised to continue this progress in the coming years.
    Clear examples of the gains made by the CFATS Program since the 
passage of the CFATS Act of 2014 include:
   A dramatic improvement in the pace of inspections, reviews, 
        and approvals resulting in the elimination of a backlog once 
        projected to take 7 to 9 years to clear, nearly 6 years ahead 
        of schedule;
   Development and deployment of an enhanced risk-tiering 
        methodology that affords a more accurate reflection of a 
        facility's risk--a methodology that is grounded in science and 
        has been vetted by external experts from across Government, 
        industry, and academia;
   Streamlining of the SSP-development process and the 
        stakeholder ``user experience,'' reducing the burden on 
        facility operators without sacrificing security through the 
        launch of the CSAT 2.0 suite of on-line tools; and,
   The closing of a critical gap in the security of our 
        Nation's highest-risk facilities through the implementation of 
        the CFATS Personnel Surety Program (screening for terrorist 
        ties).
                           extensive outreach
    DHS continues to prioritize outreach designed to ``get the word 
out'' about the program, share information with partners, make 
available compliance assistance materials, provide education and 
training, and to otherwise foster chemical security. This outreach, 
which has been central to the success of CFATS, has involved extensive 
engagement with a diverse group of representatives across the chemical 
security community, including industry stakeholders; law enforcement 
and emergency responders; Federal and State partner agencies; labor 
organizations, Federal partners, industry associations, labor and 
interest groups, and international partners among many others.
    DHS conducts outreach to members of the chemical industry, other 
industries whose members routinely use threshold levels of CFATS 
chemicals of interest, and stakeholders with an interest in chemical 
facility security. The Department has also prioritized coordinating 
with Federal and State, local, Tribal, and territorial (SLTT) 
regulatory agencies to provide resource materials and to obtain data to 
assist with identifying Chemical Facilities of Interest. In fiscal year 
2018, as a result of the data set comparisons, we identified 
approximately 697 potential chemical facilities of interest. From the 
program's inception, DHS has made more than 3,500 presentations to its 
regulated community and attended more than 16,600 meetings with our 
Federal, SLTT, and industry stakeholders.
    The Department has developed strong relationships with national 
organizations to leverage their networks and outreach activities and, 
in fiscal year 2018, DHS conducted Nation-wide outreach to more than 
350 State and local offices and more than 850 Local Emergency Planning 
Committees/Tribal Emergency Planning Committees across the Nation.
    Also, outreach to first responders is incorporated into the 
development of SSPs through Risk-Based Performance Standard 9 (RBPS 
9)--Response. This standard requires covered facilities to have a 
documented, comprehensive crisis management plan that details how the 
facility will respond to security incidents and requires the facility 
to run exercises and drills--and make contact with local first-
responders. DHS verifies this outreach during on-site compliance 
inspections. In many instances, the Department has facilitated contact 
between the first responders and the facilities.
    During the summer of 2018, as part of the Department's on-going 
efforts to maximize outreach to critical stakeholder communities and as 
a supplement to 11 previous annual Chemical Security Summits, the 
Cybersecurity and Infrastructure Security Agency's (CISA) Office of 
Infrastructure Security held a series of DHSChemSecurityTalks in which 
we reached more than 300 facility owners and operators, Government 
partners, and industry stakeholders. This inaugural series of three 1-
day events, held in Oakland, California, Chicago, Illinois, and 
Philadelphia, Pennsylvania, was designed to take the chemical 
infrastructure security discussion and CISA's largest regulatory 
program, CFATS, beyond the National Capital Region and into the very 
communities that CFATS protects.
    The Department also continues to play a leadership role in 
encouraging a global culture of chemical security. In support of this, 
I am privileged to co-chair the Chemical Security Working Group of the 
G7 Global Partnership Against the Spread of Weapons and Materials of 
Mass Destruction, leading the U.S. engagement with the G7 on chemical 
security and helping to ensure cooperation among the international 
community on chemical security efforts. Additionally, in 2018, the 
Department, along with the Federal Bureau of Investigation and 
INTERPOL, co-hosted the inaugural Global Congress on Chemical Security 
and Emerging Threats in Lyon, France. The Global Congress convenes a 
community intent on countering chemical and explosive terrorism by non-
State actors and their access to chemical agents. The Congress explored 
specialized case studies highlighting emerging trends, identified 
lessons learned and best practices relating to chemical incident 
attribution and response and discussed evolving technologies and 
tactics. CFATS is recognized globally as a model chemical-security 
framework world-wide and the Department regularly responds to requests 
to work with other governments as they strive to build cultures of 
chemical security on a par with the security-culture CFATS has fostered 
in the United States.
                        personnel surety program
    Vetting those who have access to chemicals of interest and other 
sensitive parts of high-risk chemical facilities is a key aspect of 
facility security. Under RBPS 12, Personnel Surety, facilities must: 
(1) Implement measures to verify and validate identity, (2) check 
criminal history, (3) validate legal authorization to work in the 
United States, and (4) identify people with terrorist ties. While all 
Tier 1 through 4 facilities have been implementing the first three 
elements of RPBS 12, in December 2015 the Department began working with 
Tier 1 and Tier 2 facilities to implement the fourth element. This 
effort was begun in December 2015, after the Office of Management and 
Budget (OMB) approved the Department's Information Collection Request 
for the CFATS Personnel Surety Program (RPBS 12[iv]) in accordance with 
the requirements of the Paperwork Reduction Act (PRA).
    The CFATS Personnel Surety Program closed a critical gap by 
enabling facilities in these two tiers to submit names to DHS for 
vetting individuals' potential terrorist ties. Going forward, the 
Department is planning to expand its implementation to tiers 3 and 4, 
to enable all high-risk chemical facilities to ensure that those with 
access to critical assets have been vetted for terrorist ties. The 
Department is in the process of requesting OMB's approval, through the 
PRA process, to collect information on individuals who have or who are 
seeking access to high-risk chemical facilities for all four Tiers.
                               conclusion
    Through CFATS and the hard work of our industry stakeholders who 
continue to put in place security measures to harden America's highest-
risk chemical facilities, we have collectively accomplished much since 
2014. This progress would not have been possible without the stability 
and certainty afforded by enactment of the Protecting and Securing 
Chemical Facilities from Terrorist Attacks Act of 2014.
    Long-term reauthorization will allow the Department and the 
chemical security community to continue to work together to secure the 
Nation's chemicals and keep them out of the hands of our adversaries. 
The Department will be able to continue to focus on pursuing more 
efficient ways to implement the program, to include the enhancement of 
existing materials and tools, while industry will have the confidence 
to continue to make important investments in security.
    Chemical security is very much a pressing need, and, in view of the 
continuing high level of chemical-terrorism threats, must remain a 
continuing high priority for the Nation. The CFATS program has 
positioned the United States as a world-leader in building the culture 
of security necessary to secure our Nation's highest-risk chemical 
facilities. I look forward to working with this committee to chart a 
path toward long-term--or permanent--reauthorization of this critical 
National security program, and I thank you in advance for your 
continuing leadership on this issue. I look forward to your questions.

    Chairman Thompson. Thank you, Mr. Wulf. We feel your 
passion.
    We now recognize Mr. Anderson to summarize his statement 
for 5 minutes.

    STATEMENT OF NATHAN ANDERSON, ACTING DIRECTOR, HOMELAND 
  SECURITY AND JUSTICE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Anderson. Chairman Thompson, Ranking Member Rogers, and 
Members of the committee, good morning. My testimony today is 
primarily based on work we have conducted over the past few 
years.
    Compared to where CFATS' program was shortly after its 
inception, DHS has made substantial progress in a number of 
areas. There is room for improvement, particularly in reaching 
out to first responders.
    I will speak first to the Department's efforts to identify 
high-risk chemical facilities. Just identifying the universe of 
facilities that should even be regulated under CFATS, has been 
and may always be a huge challenge.
    There is no one complete data source of facilities that 
have chemicals. In 2014, we found that DHS used self-reported 
and unverified data to determine the risk of facilities holding 
toxic chemicals that could threaten surrounding communities if 
released. We recommended that DHS should better verify the 
accuracy of facility-reported data.
    DHS implemented this recommendation by revising its 
methodology so it now calculates the risk of toxic release, 
rather than relying on facilities to do so.
    We have also reviewed the Department's access to assess 
regulated facilities' risks. We did those to place chemical 
facilities into the appropriate risk tier.
    Several years ago, we found that the Department's risk 
assessment approach did not consider all of the elements of 
risk associated with a terrorist attack involving certain 
chemicals. They treated every facility as equally vulnerable to 
a terrorist attack, regardless of location or on-site security.
    We recommended that DHS enhance its risk-assessment 
approach to incorporate all elements of risk and conduct a peer 
review after doing so.
    DHS agreed with both recommendations and has implemented 
actions to address both of them. For example, DHS worked with 
Sandia National Lab to develop a model to more comprehensively 
estimate the consequences of a chemical attack.
    Our assessment of the Department's efforts to review and 
approve chemical facilities' security plans also identified 
challenges that DHS has taken steps to address. DHS is to 
review security plans and visit facilities to ensure their 
security measures meet DHS standards.
    In April 2013, we reported a 7- to 9-year backlog for those 
reviews and visits. At that time, DHS officials told us they 
were exploring ways to reprioritize resources and streamline 
inspection requirements. Recently, DHS reported to Congress 
that it had eliminated its backlog by realigning resources 
toward security plan reviews.
    A key quality assurance function involves actions to ensure 
compliance. In 2015, we reported that DHS had conducted 
compliance inspections of 83 of the roughly 1,700 facilities 
with approved security plans at that time.
    We found that nearly half of the inspected facilities were 
not fully compliant with their approved security plans, and 
that DHS did not have documented procedures for managing 
facilities' compliance.
    We recommended that DHS document procedures from managing 
compliance. As a result, DHS revised CFATS procedures, which we 
are currently reviewing to determine if they sufficiently 
document the processes being used to track uncompliant 
facilities and ensure facilities implement plan measures as 
outlined in their security plans.
    On a positive note, DHS recently told us that they have 
conducted more than 2,000 compliance inspections.
    Let me now turn to our most recent work, which addresses 
DHS's efforts to conduct outreach with stakeholders and first 
responders.
    In late 2018, we reported that DHS assured that some CFATS 
information that first responders and emergency planners may 
not have all the information they need to minimize the risk of 
injury or death when responding to incidents at high-risk 
facilities.
    We recommended that DHS should, among other things, take 
actions to improve information sharing with first responders 
and emergency planners. DHS concurred with this recommendation 
and reported in September 2018 that they are taking actions to 
implement it.
    In closing, our work has found that DHS has made progress 
in efforts to implement and manage its CFATS program. As CFATS 
continues to evolve, it will be important to focus on how DHS 
should measure the security impact of the program, what DHS is 
doing with all of the information it collects, and how such 
information is being communicated to the industry, first 
partners, and others.
    It will also be important to focus on how the program 
evolves to face new challenges, such as cybersecurity.
    Mr. Chairman, Ranking Member Rogers, Members of the 
committee, this concludes my statement. I will be happy to take 
any questions you may have.
    [The prepared statement of Mr. Anderson follows:]
                 Prepared Statement of Nathan Anderson
                           February 27, 2019
 critical infrastructure protection.--progress and challenges in dhs's 
          management of its chemical facility security program
    Chairman Thompson, Ranking Member Rogers, and Members of the 
committee: Thank you for the opportunity to discuss our past work on 
the Department of Homeland Security's (DHS) efforts to manage its 
Chemical Facility Anti-Terrorism Standards (CFATS) program. Thousands 
of facilities that produce, use, or store hazardous chemicals could be 
of particular interest to terrorists who might seek to use toxic 
chemicals to inflict mass casualties in the United States. These 
chemicals could be released from a facility to cause harm to 
surrounding populations; they could be stolen and used as chemical 
weapons or as their precursors (the ingredients for making chemical 
weapons); or they could be stolen and used to build an improvised 
explosive device. Past incidents remind us of the danger that these 
chemicals pose, including the 2013 ammonium nitrate explosion at a 
fertilizer storage and distribution facility in West, Texas, which 
killed at least 14 people and damaged or destroyed at least 200 homes, 
and the 1995 domestic terrorist attack on the Federal building in 
Oklahoma City, Oklahoma, where 168 people were killed using ammonium 
nitrate fertilizer mixed with fuel oil.
    The Department of Homeland Security Appropriations Act, 2007, 
required DHS to issue regulations to establish risk-based performance 
standards (performance standards) for securing high-risk chemical 
facilities.\1\ DHS subsequently established the CFATS program in 2007 
to, among other things, identify high-risk chemical facilities and 
assess the risk posed by them; place facilities considered to be high-
risk into 1 of 4 risk-based tiers (with tier 1 being the highest risk 
tier and 4 being the lowest); assess facility security; approve 
security plans prepared by facilities; and inspect facilities to ensure 
compliance with regulatory requirements.\2\ DHS's CFATS rule 
established 18 performance standards that identify the areas for which 
a facility's security posture are to be examined, such as perimeter 
security, access control, and cybersecurity.\3\ To meet these 
standards, facilities are free to choose whatever security programs or 
processes they deem appropriate so long as DHS determines that the 
facilities achieve the requisite level of performance in each of the 
applicable areas. The Protecting and Securing Chemical Facilities from 
Terrorist Attacks Act of 2014 (CFATS Act of 2014), enacted in December 
2014, in effect, reauthorized the CFATS program for an additional 4 
years, while also imposing additional implementation requirements on 
DHS for the program.\4\ In January 2019, the Chemical Facility Anti-
Terrorism Standards Program Extension Act, was enacted and extended the 
authorization by 15 months.\5\
---------------------------------------------------------------------------
    \1\ Pub. L. No. 109-295,  550, 120 Stat. 1335, 1388-89 (2006).
    \2\ See 72 Fed. Reg. 17,688 (Apr. 9, 2007) (codified as amended at 
6 C.F.R. pt. 27).
    \3\ DHS has enumerated 18 risk-based performance standards that 
chemical facilities must meet to comply with CFATS. See 6 C.F.R.  
27.230.
    \4\ See Pub. L. No. 113-254, 128 Stat. 2898 (2014); 6 U.S.C.  
621-629. The act amended the Homeland Security Act of 2002, Pub. L. No. 
107-296, 116 Stat. 2135 (2002), as amended, by adding Title XXI--
Chemical Facility Anti-Terrorism Standards--and expressly repealing the 
program's authority under the fiscal year 2007 DHS appropriations act.
    \5\ See Pub. L. No. 116-2, 113 Stat. 5 (2019).
---------------------------------------------------------------------------
    DHS's Cybersecurity and Infrastructure Security Agency's 
Infrastructure Security Compliance Division (ISCD) manages the CFATS 
program. According to DHS, the Department received approximately $911 
million for the CFATS program for the period beginning fiscal year 2007 
through fiscal year 2018.
    My testimony today summarizes our past work examining DHS's 
management of the CFATS program, and provides updates on actions DHS 
has taken to address our prior recommendations. This testimony is based 
on our reports issued from July 2012 through August 2018.\6\ For these 
reports, we reviewed applicable laws and regulations, DHS policies and 
procedures, DHS data on tiered facilities, information on the approach 
DHS used to determine a facility's risk, and process for reviewing 
security plans. We also interviewed DHS officials about how facilities 
are placed in risk-based tiers, how DHS assesses risk, and how it 
reviews and approves facility security plans. Additional details on the 
scope and methodology are available in our published reports. In 
addition, this statement contains updates as of September 2018 from DHS 
on actions it has taken to address the recommendations made in our 
prior reports.
---------------------------------------------------------------------------
    \6\ GAO, Critical Infrastructure Protection: DHS Is Taking Action 
to Better Manage Its Chemical Security Program, but It Is Too Early to 
Assess Results, GAO-12-515T (Washington, DC: July 26, 2012); Critical 
Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk 
and Gather Feedback on Facility Outreach Can Be Strengthened, GAO-13-
353 (Washington, DC: Apr. 5, 2013); Critical Infrastructure Protection: 
DHS Efforts to Identify, Prioritize, Assess, and Inspect Chemical 
Facilities, GAO-14-365T (Washington, DC: Feb. 27, 2014); Critical 
Infrastructure Protection: Observations on DHS Efforts to Implement and 
Manage Its Chemical Security Program, GAO-14-608T (Washington, DC: May 
14, 2014); Chemical Safety: Actions Needed to Improve Federal Oversight 
of Facilities with Ammonium Nitrate, GAO-14-274 (Washington, DC: May 
19, 2014); Critical Infrastructure Protection: DHS Action Needed to 
Verify Some Chemical Facility Information and Manage Compliance 
Process, GAO-15-614 (Washington, DC, July 22, 2015); Critical 
Infrastructure Protection: Improvements Needed for DHS's Chemical 
Facility Whistleblower Report Process, GAO-16-572, (Washington, DC: Jul 
12, 2016); Critical Infrastructure Protection: DHS Has Implemented Its 
Chemical Security Expedited Approval Program and Participation Has Been 
Limited, GAO-17-502 (Washington, DC: June 29, 2017); Critical 
Infrastructure Protection: Progress and Challenges in DHS's Management 
of Its Chemical Facility Security Program, GAO-18-613T (Washington, DC: 
June 14, 2018); and Critical Infrastructure Protection: DHS Should Take 
Actions to Measure Reduction in Chemical Facility Vulnerability and 
Share Information with First Responders, GAO-18-538 (Washington, DC: 
Aug. 8, 2018).
---------------------------------------------------------------------------
    The work upon which this statement is based was conducted in 
accordance with generally accepted Government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives.
dhs has made progress addressing past challenges, but some actions are 
                            still under way
    Our past work has identified progress and challenges in a number of 
areas related to DHS's management of the CFATS program, including: (1) 
The process for identifying high-risk chemical facilities; (2) how it 
assesses risk and prioritizes facilities; (3) reviewing and approving 
facility site security plans; (4) inspecting facilities and ensuring 
compliance; and (5) efforts to conduct outreach with stakeholders and 
first responders.
Identifying High-Risk Chemical Facilities
    In May 2014, we found that more than 1,300 facilities had reported 
having ammonium nitrate to DHS. However, based on our review of State 
data and records, there were more facilities with ammonium nitrate 
holdings than those that had reported to DHS under the CFATS 
program.\7\ Thus, we concluded that some facilities weren't required to 
report to DHS and some that were required may have failed to do so.\8\ 
We recommended that DHS work with other agencies, including the 
Environmental Protection Agency (EPA), to develop and implement methods 
of improving data sharing among agencies and with States as members of 
a Chemical Facility Safety and Security Working Group.\9\ DHS agreed 
with our recommendation and has since addressed it. Specifically, DHS 
compared DHS data with data from other Federal agencies, such as EPA, 
as well as member states from the Chemical Facility Safety and Security 
Working Group to identify potentially noncompliant facilities. As a 
result of this effort, in July 2015, DHS officials reported that they 
had identified about 1,000 additional facilities that should have 
reported information to comply with CFATS and subsequently contacted 
these facilities to ensure compliance. DHS officials told us that they 
continue to engage with States to identify potentially non-compliant 
facilities. For example, as of June 2018, DHS officials stated that 
they have received 43 lists of potentially noncompliant facilities from 
34 State governments, which are in various stages of review by DHS. DHS 
officials also told us that they hired an individual to serve as the 
lead staff member responsible for overseeing this effort.
---------------------------------------------------------------------------
    \7\ GAO-14-274. We reviewed Emergency Planning and Community Right-
to-Know Act of 1986 data from Texas and Alabama, which have different 
reporting criteria than CFATS. Under section 312 of the act and 
Environmental Protection Agency's regulations, facilities with 10,000 
pounds or more of ammonium nitrate generally must submit an annual 
chemical inventory report to their designated State and local 
authorities. 42 U.S.C.  11022, 40 C.F.R.  370.10(a)(2)(i).
    \8\ Consistent with law and regulation, certain facilities--
including, in general, facilities regulated under the Maritime 
Transportation Security Act of 2002 (Public Law 107-295, 116 Stat. 
2064), public water systems or wastewater treatment facilities, 
facilities owned and operated by the Department of Defense or the 
Department of Energy, and facilities subject to regulation by the 
Nuclear Regulatory Commission or in accordance with the Atomic Energy 
Act of 1954--are not subject to regulation under CFATS and are referred 
to as excluded facilities. See 6 U.S.C.  621(4); 6 C.F.R.  27.110(b). 
In addition, pursuant to its authority under 6 C.F.R.  27.210(c), DHS 
has extended the deadline for submitting CFATS reports until further 
notice for certain agricultural production facilities, such as farms, 
ranches, turfgrass growers, golf courses, nurseries, and public and 
private parks. See Notice to Agricultural Facilities About Requirement 
To Complete DHS's Chemical Security Assessment Tool, 73 Fed. Reg. 1640 
(Jan. 9, 2008).
    \9\ Executive Order 13650--Improving Chemical Facility Safety and 
Security established a Chemical Facility Safety and Security Working 
Group, composed of representatives from DHS; EPA; and the Departments 
of Justice, Agriculture, Labor, and Transportation, and directed the 
working group to identify ways to improve coordination with State and 
local partners; enhance Federal agency coordination and information 
sharing; modernize policies, regulations, and standards; and work with 
stakeholders to identify best practices. See Exec. Order No. 13,650 
(Aug. 1, 2013), 78 Fed. Reg. 48,029 (Aug. 7, 2013).
---------------------------------------------------------------------------
    DHS has also taken action to strengthen the accuracy of data it 
uses to identify high-risk facilities. In July 2015, we found that DHS 
used self-reported and unverified data to determine the risk 
categorization for facilities that held toxic chemicals that could 
threaten surrounding communities if released.\10\ At the time, DHS 
required that facilities self-report the Distance of Concern--an area 
in which exposure to a toxic chemical cloud could cause serious injury 
or fatalities from short-term exposure--as part of its Top Screen.\11\ 
We estimated that more than 2,700 facilities with a toxic release 
threat had misreported the Distance of Concern and therefore 
recommended that DHS: (1) Develop a plan to implement a new Top Screen 
to address errors in the Distance of Concern submitted by facilities, 
and (2) identify potentially miscategorized facilities that could cause 
the greatest harm and verify that the Distance of Concern of these 
facilities report is accurate.\12\ DHS has fully addressed both of 
these recommendations. Specifically, in response to the first 
recommendation, DHS implemented an updated Top Screen survey in October 
2016 and now collects data from facilities and conducts more accurate 
modeling to determine the actual area of impact (formerly called the 
Distance of Concern), rather than relying on the facilities' 
calculation. In response to the second recommendation, DHS officials 
reported in November 2016 that they reassessed all facility Top Screens 
that reported threshold quantities of chemicals posing a toxic release 
threat, and identified 158 facilities with the potential to cause the 
greatest harm. In April 2018, DHS officials reported that all of these 
facilities have since been reassessed using updated Top Screen 
information and, where appropriate, assigned a risk tier.
---------------------------------------------------------------------------
    \10\ GAO-15-614.
    \11\ Any chemical facility that possesses any of the 322 chemicals 
in the quantities that meet or exceed the threshold quantity or 
concentration outlined in Appendix A to the DHS CFATS rule is required 
to complete the Chemical Security Assessment Tool (CSAT) Top Screen--
which is the initial screening tool or document whereby the facility is 
to provide DHS various data, including the name and location of the 
facility and the chemicals and their quantities at the site. See 6 
C.F.R.  27.200(b); see also 72 Fed. Reg. 65,396 (Nov. 20, 2007) 
(codified at 6 C.F.R. pt. 27, App. A).
    \12\ We recalculated the Distance of Concern for a generalizable 
sample of facilities--a simple random sample of 475 facilities from the 
population of 36,811 facilities that submitted Top Screens since the 
inception of the CFATS program in 2007 through January 2, 2015--and 
compared these results to what facilities reported in their Top Screen 
submission. Based upon this sample, we estimated that 4,173 facilities 
with a toxic release chemical misreported the Distance of Concern, with 
an associated 95 percent confidence interval of 2,798 to 5,822 
facilities.
---------------------------------------------------------------------------
Assessing Risk and Prioritizing Facilities
    DHS has also taken actions to better assess regulated facilities' 
risks in order to place the facilities into the appropriate risk tier. 
In April 2013, we reported that DHS's risk assessment approach did not 
consider all of the elements of threat, vulnerability, and consequence 
associated with a terrorist attack involving certain chemicals. Our 
work showed that DHS's CFATS risk assessment methodology was based 
primarily on consequences from human casualties, but did not consider 
economic consequences, as called for by the National Infrastructure 
Protection Plan (NIPP) and the CFATS regulation. We also found that: 
(1) DHS's approach was not consistent with the NIPP because it treated 
every facility as equally vulnerable to a terrorist attack regardless 
of location or on-site security, and (2) DHS was not using threat data 
for 90 percent of the tiered facilities--those tiered for the risk of 
theft or diversion--and using 5-year-old threat data for the remaining 
10 percent of those facilities that were tiered for the risks of toxic 
chemical release or sabotage. We recommended that DHS enhance its risk 
assessment approach to incorporate all elements of risk and conduct an 
independent peer review after doing so. DHS agreed with our 
recommendations and has implemented actions to address both of them.
    Specifically, with regard to our recommendation that DHS enhance 
its risk assessment approach to incorporate all elements of risk, DHS 
worked with Sandia National Laboratories to develop a model to estimate 
the economic consequences of a chemical attack. In addition, DHS worked 
with Oak Ridge National Laboratory to devise a new tiering methodology, 
called the Second Generation Risk Engine. In so doing, DHS revised the 
CFATS threat, vulnerability, and consequence scoring methods to better 
cover the range of CFATS security issues. Additionally, with regard to 
our recommendation that DHS conduct a peer review after enhancing its 
risk assessment approach, DHS conducted peer reviews and technical 
reviews with Government organizations and facility owners and 
operators, and worked with Sandia National Laboratories to verify and 
validate the CFATS program's revised risk assessment methodology.
    To further enhance its risk assessment approach, in the fall of 
2016, DHS also revised its Chemical Security Assessment Tool (CSAT), 
which supports DHS efforts to gather information from facilities to 
assess their risk. According to DHS officials, the new tool--called 
CSAT 2.0--is intended to eliminate duplication and confusion associated 
with DHS's original CSAT. DHS officials told us that they have improved 
the tool by revising some questions in the original CSAT to make them 
easier to understand; eliminating some questions; and pre-populating 
data from one part of the tool to another so that users do not have to 
retype the same information multiple times. DHS officials also told us 
that the facilities that have used the CSAT 2.0 have provided favorable 
feedback that the new tool is more efficient and less burdensome than 
the original CSAT. Finally, DHS officials told us that, as of June 
2018, DHS completed all notifications and processed tiering results for 
all but 226 facilities. DHS officials did not provide an estimated 
target completion date for these pending risk assessments, noting that 
completing the assessments is highly dependent on the facilities 
providing the necessary Top Screen information.
Reviewing and Approving Facility Site Security Plans
    DHS has also made progress reviewing and approving facility site 
security plans by reducing the time it takes to review these plans and 
eliminating the backlog of plans awaiting review. In April 2013, we 
reported that DHS revised its procedures for reviewing facilities' 
security plans to address DHS managers' concerns that the original 
process was slow, overly complicated, and caused bottlenecks in 
approving plans.\13\ We estimated that it could take DHS another 7 to 9 
years to review the approximately 3,120 plans in its queue at that 
time. We also estimated that, given the additional time needed to do 
compliance inspections, the CFATS program would likely be implemented 
in 8 to 10 years. We did not make any recommendations for DHS to 
improve its procedures for reviewing facilities' security plans because 
DHS officials reported that they were exploring ways to expedite the 
process, such as reprioritizing resources and streamlining inspection 
requirements. In July 2015, we reported that DHS had made substantial 
progress in addressing the backlog--estimating that it could take 
between 9 and 12 months for DHS to review and approve security plans 
for the approximately 900 remaining facilities.\14\ DHS officials 
attributed the increased approval rate to efficiencies in DHS's review 
process, updated guidance, and a new case management system. 
Subsequently, DHS reported in its December 2016 semi-annual report to 
Congress that it had eliminated its approval backlog.\15\
---------------------------------------------------------------------------
    \13\ GAO-13-353.
    \14\ GAO-15-614.
    \15\ Department of Homeland Security, National Protection and 
Programs Directorate, Implementation Status of the Chemical Facility 
Anti-Terrorism Standards: Second Semiannual, Fiscal Year 2016 Report to 
Congress (Washington, DC: December 9, 2016).
---------------------------------------------------------------------------
    Finally, we found in our 2017 review that DHS took action to 
implement an Expedited Approval Program (EAP).\16\ The CFATS Act of 
2014 required that DHS create the EAP as another option that tier 3 and 
tier 4 chemical facilities may use to develop and submit security plans 
to DHS.\17\ Under the program, these tier 3 and 4 facilities may 
develop a security plan based on specific standards published by DHS 
(as opposed to the more flexible performance standards using the 
standard, non-expedited process). DHS issued guidance intended to help 
facilities prepare and submit their EAP security plans to DHS, which 
includes an example that identifies prescriptive security measures that 
facilities are to have in place. According to committee report 
language, the EAP was expected to reduce the regulatory burden on 
smaller chemical companies, which may lack the compliance 
infrastructure and the resources of large chemical facilities, and help 
DHS to process security plans more quickly.\18\ If a tier 3 or 4 
facility chooses to use the expedited option, DHS is to review the plan 
to determine if it is facially deficient, pursuant to the reporting 
requirements of the CFATS Act of 2014.\19\ If DHS approves the EAP site 
security plan, it is to subsequently conduct a compliance inspection.
---------------------------------------------------------------------------
    \16\ GAO-17-502.
    \17\ See 6 U.S.C.  622(c)(4). Under the CFATS rule, once a 
facility is assigned a final tier, it is to submit a site security plan 
or participate in an alternative security program in lieu of a site 
security plan. An alternative security program is a third-party or 
industry organization program, a local authority, State, or Federal 
Government program, or any element or aspect thereof that DHS 
determines meets the requirements of the regulation and provides an 
equivalent level of security to that established by the regulation. See 
6 C.F.R.  27.105. Chemical facilities assessed by DHS and considered 
to be high-risk are placed into one of four risk-based tiers (with tier 
1 being the highest-risk tier and 4 being the lowest).
    \18\ S. Rep. No. 113-263, at 9-10 (Sept. 18, 2014).
    \19\ A facially-deficient site security plan is defined as a 
security plan that does not support a certification that the security 
measures in the plan address the security vulnerability assessment and 
risk-based performance standards, based on a review of the facility's 
site security plan, the facility's Top Screen, the facility's security 
vulnerability assessment, or any other information that the facility 
submits to ISCD or ISCD obtains from a public source or other source. 6 
U.S.C.  621(7). Specifically, ISCD determines that an EAP site 
security plan is deficient if it: Does not include existing or planned 
measures which satisfy applicable Risk-Based Performance Standard; 
materially deviates from at least one EAP security measure without 
adequately explaining that the facility has a comparable security 
measure; and/or contains a misrepresentation, omission, or inaccurate 
description of at least one EAP security measure. A facility is to 
implement any planned security measures within 12 months of the EAP 
site security plan's approval because ISCD has determined that it is 
unlikely that all required security measures will be in place when a 
facility submits its plan to ISCD.
---------------------------------------------------------------------------
    In 2017, we found that DHS had implemented the EAP and had reported 
to Congress on the program, as required by the CFATS Act of 2014.\20\ 
In addition, as of June 2018, according to DHS officials, only 18 of 
the 3,152 facilities eligible to use the EAP had opted to use it. DHS 
officials attributed the low participation to several possible factors 
including:
---------------------------------------------------------------------------
    \20\ GAO-17-502.
---------------------------------------------------------------------------
   DHS had implemented the expedited program after most 
        eligible facilities already submitted standard (non-expedited) 
        security plans to DHS;
   facilities may consider the expedited program's security 
        measures to be too strict and prescriptive, not providing 
        facilities the flexibility of the standard process; and
   the lack of an authorization inspection may discourage some 
        facilities from using the expedited program because this 
        inspection provides useful information about a facility's 
        security.\21\
---------------------------------------------------------------------------
    \21\ An authorization inspection consists of an initial, physical 
review of the facility to determine if the Top Screen, security 
vulnerability assessment, and site security plan accurately represent 
and address the risks for the facility.
---------------------------------------------------------------------------
    We also found in 2017 that recent changes made to the CFATS program 
could affect the future use of the expedited program.\22\ As discussed 
previously, DHS has revised its methodology for determining the level 
of each facility's security risk, which could affect a facility's 
eligibility to participate in the EAP.
---------------------------------------------------------------------------
    \22\ GAO-17-502.
---------------------------------------------------------------------------
Inspecting Facilities and Ensuring Compliance
    In our July 2015 report, we found that DHS began conducting 
compliance inspections in September 2013, and by April 2015, had 
conducted inspections of 83 of the inspected 1,727 facilities that had 
approved security plans.\23\ Our analysis showed that nearly half of 
the facilities were not fully compliant with their approved site 
security plans and that DHS had not used its authority to issue 
penalties because DHS officials found it more productive to work with 
facilities to bring them into compliance. We also found that DHS did 
not have documented processes and procedures for managing the 
compliance of facilities that had not implemented planned measures by 
the deadlines outlined in their plans. We recommended that DHS document 
processes and procedures for managing compliance to provide more 
reasonable assurance that facilities implement planned measures and 
address security gaps. DHS agreed and has since taken steps toward 
implementing this recommendation. Specifically, DHS revised CFATS 
Standard Operating Procedures that, as of February 2019, we are 
reviewing to determine if they sufficiently document the processes and 
procedures currently being used to track noncompliant facilities and 
ensure facilities implement planned measures as outlined in their 
approved site security plans.
---------------------------------------------------------------------------
    \23\ GAO-15-614.
---------------------------------------------------------------------------
    In August 2018, we reported that our analysis of DHS data since our 
2015 report showed that DHS has made substantial progress in conducting 
and completing compliance inspections.\24\ Specifically, our analysis 
showed that DHS increased the number of compliance inspections 
completed per year since DHS began conducting compliance inspections in 
2013 and that, for the 2,466 high-risk facilities with an approved site 
security plan as of May 2018, DHS had conducted 3,553 compliance 
inspections.\25\ Of these, DHS issued corrective actions to 2 
facilities that were not in compliance with their approved site 
security plan.\26\
---------------------------------------------------------------------------
    \24\ GAO-18-538.
    \25\ In accordance with the CFATS regulations, as a general matter, 
DHS intends to require facilities in Tiers 1 and 2 to update their Top 
Screen every 2 years, and for Tiers 3 and 4 every 3 years. DHS conducts 
compliance inspections on a regular and recurring basis. DHS officials 
stated that compliance inspections are prioritized based on several 
factors including tier and the number of planned security enhancements 
required at facilities.
    \26\ In addition to these two corrective actions, we reported in 
August 2018 that, since fiscal year 2015, DHS has issued 5 additional 
orders to 4 high-risk facilities with final penalties totaling 
$38,691.88. Of these 5 orders, 3 included the failure of a facility to 
submit an approvable security plan and 2 included the failure of a 
facility to submit a Top Screen.
---------------------------------------------------------------------------
    In our August 2018 report, we also found that DHS developed a new 
methodology and performance measure for the CFATS program in order to 
evaluate security changes made by high-risk chemical facilities, but 
that the methodology does not measure the program's impact on reducing 
a facility's vulnerability to an attack. We found that DHS could take 
steps to evaluate vulnerability reduction resulting from the CFATS 
compliance inspection process. We recommended that DHS incorporate 
vulnerability into the new methodology to help measure the reduction in 
the vulnerability of high-risk facilities to a terrorist attack, and 
use that data in assessing the CFATS program's performance in lowering 
risk and enhancing National security. DHS agreed and is taking steps to 
implement this recommendation. Specifically, in September 2018, DHS 
reported making progress toward the implementation of 2 new performance 
metrics by the end of the first quarter of fiscal year 2019. DHS 
officials stated that these metrics should, among other things, 
evaluate the progress of individual facilities in enhancing their 
security while part of the CFATS program and be used to demonstrate an 
increase in the security posture across the population of CFATS 
facilities.
Conducting Stakeholder and First Responder Outreach
    In April 2013, we reported that DHS took various actions to work 
with facility owners and operators, including increasing the number of 
visits to facilities to discuss enhancing security plans, but that some 
trade associations had mixed views on the effectiveness of DHS's 
outreach.\27\ We found that DHS solicited informal feedback from 
facility owners and operators in its efforts to communicate and work 
with them, but did not have an approach for obtaining systematic 
feedback on its outreach activities. We recommended that DHS take 
action to solicit and document feedback on facility outreach consistent 
with DHS efforts to develop a strategic communication plan. DHS agreed 
and has implemented this recommendation by developing a questionnaire 
to solicit feedback on outreach with industry stakeholders and began 
using the questionnaire in October 2016.
---------------------------------------------------------------------------
    \27\ GAO-13-353.
---------------------------------------------------------------------------
    In August 2018, we reported that DHS shares some CFATS information 
with first responders and emergency planners, but these stakeholders 
may not have all of the information they need to minimize the risk of 
injury or death when responding to incidents at high-risk 
facilities.\28\ While certain facilities are required under the 
Emergency Planning and Community Right-to-Know Act of 1986 to report 
some chemical inventory information, which local officials told us they 
rely on to prepare for and respond to incidents at chemical facilities, 
we found over 200 chemicals covered by CFATS that may not be covered by 
these reporting requirements.\29\ We also reported that DHS developed a 
secure interface called the Infrastructure Protection (IP) Gateway that 
provides access to CFATS facility-specific information that may be 
missing from required reporting. However, we found that the IP Gateway 
is not widely used at the local level and officials from 13 of 15 
selected Local Emergency Planning Committees we contacted--consisting 
of first responders and covering 373 CFATS high-risk facilities--said 
they did not have access to CFATS data in the IP Gateway. We 
recommended that DHS should take actions to encourage access to and 
wider use of the IP Gateway and explore other opportunities to improve 
information sharing with first responders and emergency planners. DHS 
concurred with this recommendation and reported in September 2018 that 
they are taking actions to implement it. Specifically, DHS has revised 
3 fact sheets and an outreach presentation to include information on 
the IP Gateway and how to request access to it. In addition, DHS plans 
to ensure contact is made with first responders representing the top 25 
percent of CFATS high-risk chemical facilities by no later than March 
2019 so that they are properly prepared to respond to incidents at 
these facilities.
---------------------------------------------------------------------------
    \28\ GAO-18-538.
    \29\ Under Section 312 of the Emergency Planning and Community 
Right-to-Know Act of 1986 (EPCRA), facilities are required to submit an 
emergency and hazardous chemical inventory form--referred to as a Tier 
2 form. See 42 U.S.C.  11022. The purpose of this form is to provide 
State and local officials and the public with specific information on 
potential hazards. This includes the locations and amount of hazardous 
chemicals present at a facility during the previous calendar year.
---------------------------------------------------------------------------
    Chairman Thompson, Ranking Member Rogers, and Members of the 
committee, this completes my prepared statement. I would be pleased to 
respond to any questions that you may have at this time.

    Chairman Thompson. I thank all the witnesses for their 
testimony. I remind each Member that he or she will have 5 
minutes to question the panel.
    Now, I will recognize myself for questions. You saw the 
picture on the screen earlier about the 12 first responders in 
West, Texas who, unfortunately, lost their life because they 
were basically responding to an incident that we could possibly 
cover on the CFATS.
    Now, the law requires DHS to share such information as is 
necessary. So, Mr. Anderson, you indicated in your testimony 
that GAO surveyed first responders and emergency planners last 
year about whether such critical information is getting shared. 
Tell us what you found in that survey?
    Mr. Anderson. Of course. As part of our work, we looked at 
13 or interviewed 13 to 15 local emergency planning committees. 
These committees cover about 373 high-risk facilities. Thirteen 
of those 15 local emergency planning committees did not have 
access to the information in CFATS that could potentially be 
useful to first responders and emergency planners.
    Chairman Thompson. So the majority of the information that 
was available, just was not being shared?
    Mr. Anderson. I think it is a situation of access. DHS has 
stood up something called the IP Gateway, which is a forum and 
a vehicle for communicating that kind of information to first 
responders. I think this is a situation where the first 
responders either did not have access or were not familiar with 
how to use the IP Gateway system.
    Chairman Thompson. So Mr. Wulf, can you provide the 
committee with what do you see as a way forward in this 
respect?
    Mr. Wulf. Absolutely, Mr. Chairman. I appreciate the 
opportunity.
    So obviously the sharing of information with first 
responders is of the utmost importance and is something that we 
highly prioritize as a result. Those who may be called upon to 
respond to incidents at facilities, high-risk facilities, or 
other facilities, holding chemicals, need information about 
those facilities.
    They need information about the chemical holdings so they 
know what they are walking into when they attempt to save lives 
and property.
    So we have redoubled our efforts over the past couple of 
years, to reach to local emergency planning committees.
    In fact, in 2018, we visited more than 800 of those local 
emergency planning committees, and we are right now in the 
midst of a push to reach emergency planning committees 
associated with the highest population, CFATS-covered 
facilities in the various counties, the top 25 percent of those 
counties across the country.
    I think another important thing to remember is that CFATS 
and our chemical security inspectors across the country promote 
sharing of information with first responders and do that in a 
way that connects them directly with facilities.
    So one of the CFATS risk-based performance standards, RBPS 
9, is focused on response, and it requires that every high-risk 
facility reach out to make contact with their local first 
responders. In many cases our inspectors, our CFATS team, 
facilitates that contact and that communication.
    So I think that is another important way in which we are 
continuing to get the word out. We are pushing, as well, 
information about that IP Gateway and signing more and more 
folks up every day----
    Chairman Thompson. So----
    Mr. Wulf. To gain access to the portal.
    Chairman Thompson. Before I lose my time, you know, that 
was this requirement that at least 25 percent that you 
referenced in your comments would be done by the end of March. 
Where are you percentage-wise with hitting that target?
    Mr. Wulf. We are on track to have that done by the end of 
March.
    Chairman Thompson. After that, what is the next target?
    Mr. Wulf. We will continue, you know, circling back. We 
have met with literally thousands of local emergency planning 
committees.
    We are committed to continuing to ride that circuit and to 
ensure that relevant folks, those who have a need-to-know 
information about chemical facilities and chemical holdings, 
because they may be called to run into those facilities, have 
the information----
    Chairman Thompson. Well, the reason I said that, as I look 
at the membership of the committee present, a lot of us 
represent volunteer fire departments in our respective 
districts.
    So I think it is really incumbent upon us to push this 
information out to those departments so that those first 
responders who are unpaid, doing their civic duty, would not be 
put at risk simply because the information that is available is 
not being shared.
    Can you give the committee some kind of a guestimate as to 
when the process can be completed?
    Mr. Wulf. Well, you know, I would say that it is going to 
be an on-going kind of continuing effort. I don't think we will 
ever stop the outreach.
    But we will get through those 25 percent highest-density 
counties in the next month. I would suspect that, you know, 
toward the end of this calendar year we will have gotten to 
most of the other LEPCs across the country, as well. In many 
cases, those will be repeat visits.
    Chairman Thompson. Thank you.
    I will now recognize the Ranking Member of the full 
committee is the gentleman from Alabama, Mr. Rogers, for 
questions.
    Mr. Rogers. Thank you, Mr. Chairman. I gather from your 
opening statements that CFATS is working well. Is that a fair--
now you suggested some improvements, but generally, it is 
working well?
    Mr. Anderson. The program has progressed over the years and 
has implemented the majority of GAO's recommendations so on 
that score, yes.
    Mr. Rogers. You mentioned some recommendations, but I 
didn't hear anything major that you thought needed to be 
improved. Is that accurate?
    Mr. Anderson. We don't have any open recommendations that 
would be easily directed to, you know, like the safety of a 
facility itself.
    Our recommendations that are open and not implemented do 
deal with whether or not first responders have all the 
information they need. So on that score, I would consider that 
a major recommendation, ensuring that the people who respond to 
these events have the right kind of information.
    The other recommendation that we have that is currently 
open is on whether or not the program itself can speak to just 
how much risk is reduced.
    As the program evolves, we would like to see them get to 
the point where they can say, for X number of dollars invested, 
here is how much risk has been reduced through this process, 
through CFATS.
    Mr. Rogers. OK.
    Mr. Wulf, how would you distinguish CFATS from other 
security regulatory programs, like EPA, OSHA, ATF?
    Mr. Wulf. Yes, so I appreciate the question. CFATS is a 
very comprehensive, very security-focused regulatory program. 
So programs administered by EPA and OSHA focus primarily on 
safety. Our program, the CFATS program, is a security-focused 
anti-terrorism program.
    At its core our 18 risk-based performance standards 
addressing physical security measures to deter, detect, delay 
terrorist attacks, cybersecurity, insider threat, and the 
various security-focused threat streams.
    So I think it is a program that is flexible in its 
approach, which I think is well-suited to the wide diversity of 
facilities that compose the CFATS-regulated universe. It is a 
program that is very well-suited to its task.
    Mr. Rogers. Great. Mr. Wulf, do you feel that any CFATS 
facilities are subject to duplicate security regulations from 
the jurisdiction of other Federal agencies?
    Mr. Wulf. So that is a a good question. I would say that 
given the comprehensive nature of the CFATS program, although 
there are certainly facilities that are touched by a variety of 
different programs, CFATS is in all cases bringing something 
additional to the table.
    Where facilities are, perhaps, doing things under a 
different program, if they are putting in place measures, say, 
to satisfy ATF requirements, but those measures also work to 
satisfy our DHS CFATS requirements, we absolutely encourage 
facilities to take credit for and apply those measures within 
CFATS. They are not required to duplicate work for CFATS.
    Mr. Rogers. Great, thank you. That is all I have.
    I yield back.
    Chairman Thompson. Thank you very much.
    The Chair now recognizes other Members for questions they 
may wish to ask the witnesses. In accordance with our committee 
rules, I will recognize Members who were present at the start 
of the hearing, based on seniority on the committee, 
alternating between Majority and Minority. Those Members coming 
in later will be recognized in the order of their arrival.
    The Chair now recognizes for 5 minutes the gentleman from 
Rhode Island, Mr. Langevin.
    Mr. Langevin. Thank you, Mr. Chairman. I want to thank you 
for holding this important hearing.
    I want to thank our witnesses for your testimony this 
morning.
    I am glad we touched on the issue of cybersecurity in the 
facility issues and inspections that are done.
    So I want to start with Mr. Wulf, if I could? DHS does 
provide that cyber is one of the l8 performance standards 
facilities must address.
    So I want to start out with the question of what 
cybersecurity guidance does the CFATS program actually provide 
to facilities? What cybersecurity requirements does CFATS make 
of facilities?
    Mr. Wulf. I appreciate that question. CFATS has been in 
many ways, I think, ahead of the curve with cybersecurity. So 
cybersecurity has been an important part of the program since 
its inception.
    I would say broadly speaking our focus is on working with 
facilities to ensure that they have policies and procedures in 
place essentially to deter, to detect, and/or to delay cyber 
intrusions.
    So, you know, we work with them. We have our inspectors 
trained. Many of our inspectors have been provided advanced 
cybersecurity training.
    We have cybersecurity experts in our headquarters who work 
with facilities as they develop their site security plans, as 
they think through ways in which they can appropriately 
restrict access to critical cyber systems, ways in which they 
can restrict privileges, ensure that they have appropriate 
patches in place, that they are, you know, that they are in the 
best position possible to protect themselves against malware, 
against ransomware, against the, you know, the panoply of cyber 
threats that are out there.
    Mr. Langevin. So what are the specific requirements, the 
cyber requirements that you put on these facilities? How do you 
audit those requirements to determine compliance?
    Mr. Wulf. Yes, so we will conduct inspections of facilities 
across all of their risk-based performance standards and that 
includes cyber.
    So, you know, even before a facility site security plan is 
improved, our inspectors will be out helping facilities to 
develop the policies and procedures they will put in place from 
a cybersecurity perspective. When their plans have been 
approved, we will be back on a regular cycle of compliance 
inspections.
    So as I mentioned earlier, CFATS is a non-prescriptive, 
flexible program. So we don't have hard and fast requirements. 
We have standards that facilities need to meet.
    So, you know, we will work with facilities to assess what 
works for a particular facility given its particular operations 
and the level of integration of its cyber systems with its 
chemical processes and industrial control systems, et cetera.
    Mr. Langevin. So am I to understand that they are setting 
their own standards?
    Mr. Wulf. They are not setting their own standards. They 
have some flexibility in the types of policies and procedures 
they can apply to meet the spirit of the cybersecurity standard 
under CFATS.
    But no two chemical facilities are alike. So some 
facilities have cyber systems that are very highly integrated 
with their industrial control systems, with their chemical 
processes. Some have no integrations whatsoever. So there may 
be a difference from facility to facility, as to what we are 
going to ask them to have in place to get to a place where we 
can approve their site security plan.
    Mr. Langevin. OK. I have other questions for you, but I am 
going to go to Mr. Anderson, if I could?
    Mr. Anderson, staying on the topic of cybersecurity, what 
does GAO evaluate the maturity of the CFATS cybersecurity 
reviews to be? Do you have suggestions on how those elements of 
SSPs can be improved?
    Mr. Anderson. Thank you. We haven't done a deep dive audit 
into the cyber realm. But we have touched on it in our recent 
work. I think our conclusion is that this may be an area, cyber 
specifically, where there may be a capability gap.
    As you may know, GAO produces a high-risk list every 2 
years highlighting certain programs that are vulnerable and at 
high risk for fraud, waste, abuse, and mismanagement.
    The cyber area within DHS is one of those where recently we 
did raise the question about whether or not they have the right 
human capital resources to address the cyber threat.
    Mr. Langevin. Thank you.
    Mr. Chairman, we may want to ask for a specific GAO report 
on this particular topic with respect to cyber to make sure 
that there is no gap, if we could--something you would 
consider?
    Chairman Thompson. Absolutely. I will work with Tim Richman 
on making sure we get that request.
    Mr. Langevin. Thank you.
    Chairman Thompson. Thank you.
    The Chair now recognizes the gentleman from North Carolina, 
Mr. Walker.
    Mr. Walker. Thank you, Mr. Chairman.
    Thank you to our panel today.
    Mr. Wulf, as the director of the infrastructure security 
compliance division, my question for you is does every employee 
at each location have access to all areas of the facility? Or 
do certain chemical facilities have Classified areas? Could you 
address that for me?
    Mr. Wulf. Sure, I appreciate the question. The short answer 
is, it varies from facility to facility based upon, you know, 
the facility management, the facility security officers' 
assessment as to what makes sense given that facility's 
particular operation.
    So you may find a facility with restricted access to 
certain critical assets. You may have a facility on which all 
employees have access to all parts of the facility.
    Mr. Walker. Are there any of those scenarios that concern 
you? Or are you familiar with enough to know, as you said, the 
varying scenarios? Can you deep dive a little bit more for me?
    Mr. Wulf. Yes. So, you know, as we work with facilities on 
an individual basis, which we do as each one develops its 
comprehensive site security plan, you know, we assess whether 
it makes sense to have a more restricted area where high-risk 
chemicals of interest are stored.
    Whether it makes sense for a particular facility to more 
fully restrict access to some of its employees or perhaps to 
contractors who are, you know, coming in and out of the 
facility.
    Mr. Walker. Yes. Do you have any concerns of any of the 
areas that you have overlooked or reviewed?
    Mr. Wulf. I would say that we have, you know, identified 
areas of concern as we have worked with facilities to develop 
their site security plans. We have been able to address those 
in the course of that SSP development process.
    So I would not approve a plan about which I had concerns.
    Mr. Walker. So let me make sure. Is that process in 
development or are you saying that it is past tense, that those 
have been resolved in those concerns?
    Mr. Wulf. Those have been resolved and the site security 
plans have been approved.
    Mr. Walker. Some proposed reforms have included requiring 
all employees at a facility to be notified of the security 
requirements under CFATS. Do you agree, Mr. Wulf, that having 
front office staff, like an accountant or receptionist, know 
the CFATS plan would add additional security to a chemical 
facility? Do you agree with that?
    Mr. Wulf. So the law requires facilities, to the extent 
practical, to involve employees who have relevant security 
expertise in the development of their site security plans. That 
is, I would say, not likely to include administrative staff.
    Mr. Walker. So going back to my previous question, that 
wouldn't be a concern for you? That in this case the accountant 
or the receptionist know the CFATS plan? You don't think that 
would help as far as adding additional security to a chemical 
facility?
    Mr. Wulf. I don't imagine that would be particularly 
helpful.
    Mr. Walker. OK. Could you describe the additional security 
risks that may arise from a proposal like this? Can you go in a 
little bit more detail? What--would be the issue here?
    Mr. Wulf. Yes. So I think the core of the issue on the 
sharing of information in the employee context or otherwise is, 
you know, the importance of ensuring that those folks who have 
a need-to-know information, that includes certainly the first 
responders we discussed earlier, or sort-of a key facility 
security-focused personnel have the information that they need 
to develop plans and to execute security plans.
    There are processes in place within CFATS, within our risk-
based performance standards, that ensure that other employees 
at facilities, even those who, you know, might not be privy to 
all the details of a security plan or of chemical holdings on 
the facility are, you know, are brought into training, are 
brought into exercises and drills on incident response so they 
have what they need in the event of an incident.
    But I don't believe that all employees need access to the 
security features of a plan.
    Mr. Walker. Thank you, Mr. Wulf.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you very much.
    The Chair now recognizes the gentlelady from New Mexico, 
Ms. Torres Small.
    Ms. Torres Small. Thank you, Chairman Thompson.
    Mr. Wulf, you spoke about--and I was glad to see that you 
mentioned DHS outreach to the chemical security community in 
your prepared statement and also to see that you had talked 
with over 800 local emergency planning communities, based on 
your questions with Chairman Thompson.
    I would like you to speak specifically to outreach to rural 
communities. If there are any--I represent the bottom, more 
than one-half, of New Mexico. So we have a fair number of large 
rural communities there.
    So I would like you to speak slightly to if there is any 
additional outreach you do in these communities where volunteer 
firefighting departments are in a deeper need.
    Mr. Wulf. Absolutely. I appreciate that, and we certainly 
want to and do get out, you know, to both urban, suburban, and 
rural communities. We want to ensure that all who have a need-
to-know information about high-risk chemical facilities, about 
the chemical holdings have access to that information.
    So absolutely, we make an extra effort to get out to rural 
communities. We have about 150 inspectors across the country. 
We have actually put in place across the country some new 
regional offices at which we have put in place regional 
outreach coordinators, training, and exercise coordinators.
    We have additional firepower at the kind-of agency level as 
well now to help with that outreach. So very much committed to 
continuing on that path.
    Ms. Torres Small. Do you have any specific resources 
tailored toward these rural communities?
    Mr. Wulf. I think they are, essentially, the same resources 
that we provide to all first responders, so access to the IP 
Gateway tool. You know, we facilitate connections between those 
first responders and facilities in their areas of 
responsibility and ensure that that happens for each and every 
facility, rural or otherwise.
    Ms. Torres Small. In the questions that Chairman Thompson 
asked, I am glad to hear that DHS is on track for the March 
2019 deadline for doing the outreach to the high-risk chemical 
facilities. Does that information sharing include the specific 
chemical holdings stored on the sites that the first responders 
would be responding to?
    Mr. Wulf. Yes, it does. So first responders who have a 
facility in their sort-of area of jurisdiction can have access. 
We want them to have access to that information.
    Ms. Torres Small. Right. I want to switch gears just a 
little bit in terms of it appears that DHS relies heavily on 
the CFATS facilities to reach out to local emergency 
responders. Then you have inspectors who come in and confirm 
that that has occurred. Is that accurate?
    Mr. Wulf. In some cases, that is accurate. We will confirm 
in every case. In some cases we will actually proactively 
facilitate the introduction and make sure that that happens and 
in many cases participate in those meetings.
    Ms. Torres Small. If it turns out that there hasn't been 
outreach by the facility, would that result in disproving of a 
facility's site security plan?
    Mr. Wulf. It absolutely would. We would not approve a plan 
where that outreach connection has not been made.
    Ms. Torres Small. Great. We also discussed a little bit the 
outreach that is done to employees of facility plans, so the 
training and exercise and drills that are done, but also 
limiting access on a need-to-know basis.
    I would like to know a little bit about the input 
requirement, that there is a requirement to get input from at 
least one employee, where applicable, or a labor union 
representative informing the facility plan. Do inspectors 
confirm that that input requirement has been complied with?
    Mr. Wulf. Inspectors will raise that issue during an 
inspection and will hear from facilities to what extent they 
have involved employees and/or as kind-of relevant resident 
bargaining unit members in the process. So yes, those 
discussions happen during inspections.
    Ms. Torres Small. Are inspectors required to speak with 
those employees or union representatives?
    Mr. Wulf. It is not a requirement.
    Ms. Torres Small. If it is determined, even if they are not 
speaking with the employees or labor unions, that there was not 
an employee or labor union representative consulted, does that 
result in disproving of the security plan?
    Mr. Wulf. It does not. It does not. So, you know, we sort-
of leave to the discretion of those who are responsible for 
security of the facility the extent to which it actually is 
practical to involve, you know, however many employees in the 
process.
    Ms. Torres Small. Even though the CFATS Act requires that 
input?
    Mr. Wulf. Well, the CFATS Act talks about involvement to 
the extent practical.
    Ms. Torres Small. Thank you.
    Chairman Thompson. Thank you. Thank you very much.
    The Chair now recognizes gentlelady from Arizona, Mrs. 
Lesko.
    Mrs. Lesko. Thank you, Mr. Chairman. My question is for Mr. 
Wulf. The question is, you know, some would say that Department 
of Homeland Security should mandate that CFATS facilities, 
regulated facilities, should adopt inherently safer 
technologies to improve security.
    I have been told that these facilities are opposed to that. 
So I guess I am asking if you think that is necessary and at 
what rate are the facilities already developing these safer 
technologies without Federal mandates?
    Mr. Wulf. Yes, that is a good question. I appreciate it. I 
would say that organically CFATS has promoted the consideration 
and implementation of facilities of inherently safer 
technologies and processes.
    So, you know, over the course of the program's history more 
than 3,000 facilities have either reduced their holdings of 
high-risk chemicals of interest or eliminated them completely, 
substituting other less risky chemicals or have changed their 
processes and have actually come out of the program, been 
determined no longer to be high-risk.
    You know, to my mind that is a success. That is a win for 
the program without really the need for an inherently safer 
technology mandate.
    Mrs. Lesko. I have another question for either one of you 
and that is how do you work? I heard earlier how you work with 
local responders and a gateway program that they look at. I 
don't know if that is on-line or what it was.
    But how do you work with the States and local agencies? How 
do you communicate with them or does every State have an agency 
that deals directly with you? How does this work?
    Mr. Wulf. Yes, it varies by State, so, you know, some 
States have multiple agencies that touch facilities holding 
chemicals. Some States have one. In some States it is the State 
fire marshal, in some States it is the fire marshal plus the 
State Department of Environmental Quality, the State Railroad 
Commission or otherwise.
    So on a State-by-State basis, we engage with the relevant 
agencies both State and local levels. We prioritize the sharing 
of information about the list of facilities we have under our 
purview, both those that we have tiered as high-risk and those 
that we have determined to be not high-risk.
    We kind-of share lists with those State agencies. We 
crosswalk those lists and we strive to identify what we call 
potential chemical facilities of interest, essentially 
potential outlier facilities with an eye toward bringing into 
the program to ensure that we are getting the relevant reports 
to run through our risk assessment methodology from facilities 
that have threshold quantities of chemicals of interest.
    So that is an area in which we have really stepped up our 
efforts in recent years. We have put into place a leader within 
our organization whose full-time responsibility is to 
coordinate the outreach that we do for the purpose of bringing 
into the fold those potential outlier facilities.
    Mrs. Lesko. One last question, Mr. Chairman.
    Yesterday, I think it was yesterday, we had testimony from 
some cybersecurity folks from the Federal Government and one of 
the things that was identified as a problem is in cybersecurity 
there are these different silos. They are always working on 
cybersecurity in just that one area and don't really share 
information.
    Do you see that as a problem in this sector as well? 
Because what they were trying to say is usually attackers, 
hackers or foreign governments will not only attack one area, 
but they will try and attack all of the areas.
    Mr. Wulf. Yes, and I think that is absolutely a concern and 
it is something that the design of CFATS guards very much 
against. So we have 18 risk-based performance standards that 
facilities work with us to, you know, as they work with us they 
put into place security measures focused not only on physical 
security, but also on cybersecurity, on insider threat, on the, 
you know, the wide variety of kind of threat vectors that 
exist.
    So, you know, we believe that a high-risk chemical facility 
that has an improved site security plan and is implementing 
that site security plan has hardened itself very effectively 
against multi-faceted attacks.
    Mrs. Lesko. Thank you, Mr. Chair. I yield back my time.
    Chairman Thompson. Thank you very much.
    The Chair now recognizes the gentlelady from Michigan, Ms. 
Slotkin.
    Ms. Slotkin. Good evening--or good morning--Lord, not good 
evening. Thanks for being here. I really appreciate you guys 
doing this. I am from Michigan and we have a large of number of 
these facilities, including two in my district. Then just 
outside my district in Detroit, we had a big chemical fire in 
years that passed. So this one is really of interest to my 
community.
    I guess my first question, Mr. Wulf, is just on 
accountability. So how would a Member of Congress know after 
March whether the facilities in his or her district have 
communicated effectively with local law enforcement, that there 
is a shared understanding of kind-of the risks? Like, how would 
I know that after March?
    Mr. Wulf. Are you talking about the communication with the 
first responders?
    Ms. Slotkin. Yes, just making sure--yes, because I think we 
had this Detroit fire years ago, years ago. But my 
understanding is we did not have full awareness by the first 
responders. We didn't lose anyone, but it certainly was a 
potential risk. So how would I feel comfort that my local 
responders have been informed with what they need?
    Mr. Wulf. Yes. So I think I can tell you with confidence 
that all facilities within the CFATS program, all facilities 
covered by CFATS, will have made connections with their 
relevant local first responders. It is a requirement of the 
program.
    It is the focus of one of our risk-based performance 
standards, number 9 of 18. It is something that we verify and 
facilitate. So you can rest assured that that is happening 
across the 3,300 highest-risk chemical facilities and their 
relevant first responders across the country.
    Ms. Slotkin. Then are you the senior accountable official 
if for some reason that didn't happen, right? Of course, I want 
that all to happen and I want them to check the box, but if for 
some reason that hasn't happened as it should, are you the 
senior accountable official for making sure?
    Mr. Wulf. Yes. Yes.
    Ms. Slotkin. OK.
    Mr. Wulf. Call me.
    Ms. Slotkin. OK, great. Then on cyber, similarly, so again, 
a Congresswoman was mentioning this. So if we started to see 
trends in, you know, these hacktivists or these cyber threats 
against chemical facilities, would you know about it?
    If we started to see a systematic attempt either in one 
State or in a series of States to go after these facilities, is 
there a reporting mechanism? Are people telling you about the 
threats that they see? Are you capturing the trends?
    Mr. Wulf. Yes, so we have within our broader organization a 
cybersecurity division and National cybersecurity and 
communications integration center that is focused on threats 
Nationally. That is crunching all of the intelligence, the 
threat streams, and that is communicating with us.
    So we are in the mix to get that information and we are 
certainly on a daily basis focused on kind-of the continuing 
cyber and other threat streams that concern our facilities.
    Ms. Slotkin. Then I am a former CIA officer and so I get a 
lot of--I guess they would call them complaints from people 
back home, generally about the lack of information sharing 
between sort-of folks in Washington seeing maybe some of the 
Top Secret- or Secret-level information on threats related to 
cyber and then what actually distills down. It is a consummate, 
you know, complaint that I hear.
    So what is your responsibility to go the other direction 
and inform facilities if you are seeing things that raise your 
eyebrows? What is your mandate to do that?
    Mr. Wulf. Yes, and it something that we take very seriously 
and, you know, as the situation might warrant we have 
mechanisms in place to reach to facilities and talk to them 
about ways in which they can harden, you know, potentially even 
further against specific threats.
    In fact, CFATS program accounts for that, part of a couple 
of our risk-based performance standards are focused on specific 
threats and elevated threats. We require facilities to put into 
their site security plans measures that they would increase in 
the event we reach out to them and tell them that there is a 
specific or a more generalized elevated threat that they need 
to concern themselves with.
    Ms. Slotkin. Last, so again are you the senior accountable 
official if for some reason there was a threat against a 
specific facility or a bunch of facilities in one State and 
that information didn't get to the facility so they could 
protect themselves that is under your mandate?
    Mr. Wulf. For CFATS facilities----
    Ms. Slotkin. Yes.
    Mr. Wulf. Absolutely.
    Ms. Slotkin. OK, great.
    Thank you, Mr. Chairman.
    Chairman Thompson. Thank you very much. But you raised two 
good questions.
    One is, Mr. Wulf, can you provide the committee with how 
many actions you have brought on facilities inspected that have 
been found in noncompliance?
    Mr. Wulf. Sure. I guess it is kind-of a two-part answer 
because of the way the CFATS program and our enforcement 
processes work. Of course, you know, we strive to work with 
facilities to bring them into a compliance, and by and large, 
facilities have done a good job and are in compliance with 
their plans.
    In upwards of 80 cases we have had to resort to our 
enforcement authorities and to issue an administrative order 
that per the law gives facilities a certain amount of time to 
get their act together and alleviate whatever the issue might 
be.
    We have gotten to the point with 5 facilities where we have 
had to issue a civil monetary penalty and that has proven in 
those cases to be the additional impetus facilities needed to 
come into compliance.
    Chairman Thompson. So everybody is in compliance?
    Mr. Wulf. Everybody is currently in compliance. You know, 
it is a dynamic population, right? So facilities are in 
different stages of perhaps working on their site security 
plans, getting them to approval, but facilities against which 
we have enforced and issued civil penalties have come into 
compliance.
    Chairman Thompson. The last question is those 2 facilities 
in Ms. Slotkin's district, is there a directory that she can go 
to or is there is a way that she can get with you and you can 
say these 2 facilities are compliant?
    Mr. Wulf. Yes, absolutely. If they are CFATS facilities we 
are glad to sit down and talk through, you know, what exists 
in----
    Chairman Thompson. Was really what she was trying to get 
to.
    Mr. Wulf. Pardon me?
    Chairman Thompson. That was what she was trying to get to.
    Mr. Wulf. Yes, we are glad to get you that information and 
talk through it with----
    Chairman Thompson. Thank you.
    The Chair now recognizes the gentleman from Texas, Mr. 
Crenshaw.
    Mr. Crenshaw. Thank you, Mr. Chairman. Thank you both for 
being here and giving your testimony. I think we have made some 
important strides in streamlining this program. It is an 
important program for my constituents in Houston.
    We have a lot of these facilities, of course, and look 
forward to giving it a long-term extension to this program so 
that we can have some certainty for the industry and for the 
American people.
    Director Wulf, I want to quickly--I know you answered 
something inherently about safer technologies a minute ago. I 
just want to get a sense from you, if we were to mandate 
inherently safer technologies, how feasible would that really 
be for you to regulate----
    Mr. Wulf. I think that would be a pretty tough--to crack 
from a pure regulatory standpoint.
    Mr. Crenshaw. OK. You can expand on that a little bit if 
you would like.
    Mr. Wulf. Yes. No, so I, you know, I think CFATS by its 
nature promotes the consideration of inherently safer 
technologies and the implementation of inherently safer 
technologies----
    Mr. Crenshaw. It is incentives based on the tiering 
system----
    Mr. Wulf. Right, exactly.
    Mr. Crenshaw. To sort-of have safer technologies.
    Mr. Wulf. So facilities make risk-based decisions to change 
their processes, to change their chemical holdings, maybe to 
substitute safer chemicals. But I would say, you know, we at 
DHS are focused on security. I think it would be difficult for 
us to regulate it in the area of what is safer or not.
    Mr. Crenshaw. Right.
    For Director Anderson, has the GAO assessed how much new 
standards on inherently separate technologies would cost?
    Mr. Anderson. We have not looked at that question 
specifically. You know, just to expand upon what Director Wulf 
was saying, the waterfront of types of facilities is highly 
variable. You have huge, like, petrochemical facilities and 
then very, very small mom-and-shop places that are in rural 
areas. So mandating a specific technology solution may 
encounter challenges.
    I think one of the things we have routinely heard in our 
conversations with industry is about the flexibility of the 
program and the implementation of the 18 risk-based performance 
standards. That is what I can speak to. To answer your question 
directly, we have not looked at the technology.
    Mr. Crenshaw. Right.
    Director Wulf, back to you. Should the risk-based 
performance standards be modified or reflect evolving threats 
from drones or other unmanned aerial vehicles?
    Mr. Wulf. Yes, so the drones question is an important one, 
for sure and it is a continually evolving sort-of threat 
vector. I think as they stand the risk-based performance 
standards account for, and we certainly engage with facilities, 
on the reporting of significant incidents.
    We do take in a, you know, decent number of reports 
associated with overflight or flights nearby high-risk chemical 
facilities of unmanned aircraft systems.
    So I think we have the tools in place from an incidents 
reporting standpoint. Our counterparts at the Federal Aviation 
Administration I know are working toward a broader framework, 
and we are working with them----
    Mr. Crenshaw. Right.
    Mr. Wulf. On that for critical infrastructure.
    Mr. Crenshaw. Because it is prohibited under Federal law to 
interfere with the operation of a drone right now. So is that 
part of the conversation? I mean to allow essentially 
facilities to defend themselves.
    Mr. Wulf. Yes.
    Mr. Crenshaw. Is that conversation on-going?
    Mr. Wulf. I think that is probably part of the broader 
conversation for sure. You know, it is an issue that we at the 
Department are looking at, not just from a chemical facility 
angle, but across all critical infrastructure sectors.
    Mr. Crenshaw. OK. Again, I want to encourage all to focus 
on these new problems with drones as they become more 
prevalent.
    Last question I have for--either one of you can, I think, 
take this. Is there any discussion about the level of scrutiny 
placed on the tier 4 operators and whether that is necessary? 
Whether that really needs to be as stringent as it is, given 
that the low level of danger from tier 4 chemical facilities.
    Is that in discussion at all? What kind of feedback are you 
getting from the industry on this?
    Mr. Wulf. So I think there is pretty broad consensus that 
tier, you know, Tier 4 facilities, Tier 3 facilities as well, 
which make up the majority of our covered chemical facilities 
are high-risk facilities. They are still among the less than 10 
percent of facilities that we have determined to be at high 
risk of terrorist attack or exploitation.
    We do have the tiering system in place, so we do apply 
kind-of different standards to the lower-tiered but still high-
risk facilities. It seems to be an approach and a framework 
that continues to work well.
    Mr. Crenshaw. OK. Thank you very much.
    Mr. Wulf. Absolutely. Thank you.
    Chairman Thompson. Thank you.
    The Chair now recognizes the gentlelady from Orlando, 
Florida, Mrs. Demings.
    Mrs. Demings. Thank you so much, Mr. Chairman.
    Thank you to both of our witnesses for joining us today.
    Mr. Wulf, my questions are for you. When DHS is considering 
whether a facility is high-risk, do you include in that 
methodology, or whatever process you use, would you factor in 
if the facility would be located to an elementary school for 
example or a nursing home or a hospital?
    Mr. Wulf. Yes, so we factor in--that is a good question. We 
tier for a couple of major different threat streams, one of 
which focused on theft and diversion of chemicals, the other 
which is focused on facilities where there could be a release 
into a surrounding community. In those cases of release, we 
absolutely factor in the surrounding population.
    One of the things we were able to make some significant 
headway on, as we kind-of basked in the stability that was 
afforded by long-term authorization, was a complete retooling 
of our risk assessment methodology. So we are now more 
accurately able to model those surrounding populations and tier 
more accurately.
    Mrs. Demings. Also, studies show that chemical facilities 
tend to be concentrated in low-income and minority communities. 
In determining facility risk, does DHS consider whether a 
facility is in close proximity to other chemical facilities 
that could exacerbate the impact of an attack on an already 
vulnerable population?
    Mr. Wulf. We certainly consider what is in the surrounding 
area by way of population as we do our tiering.
    Mrs. Demings. So when you consider the proximity to those 
populations, those low-income, already very vulnerable areas, 
what do you factor into it? What is it exactly that you are 
considering or looking at?
    Mr. Wulf. Well, we are considering where the population is 
located in proximity to a facility and we are kind-of modeling, 
you know, were there to be an incident that caused a release of 
chemicals, you know, what part of that population would be 
impacted and, you know and what number of fatalities could 
potentially occur as we are thinking about the tiering.
    Mrs. Demings. OK, so when you say where the population is 
located, what exactly does that mean? Could you help me with 
that?
    Mr. Wulf. It means, like, how many people are located 
either, you know, during the day or at night in their homes, in 
their businesses, the schools, and how close they are to the 
facility.
    Then we look at what type of chemical we are talking about, 
what quantities of chemicals we are talking about, what the 
prospect is for release of those chemicals, what quantity could 
be released.
    Then, you know, there is sort-of a plume modeling effort 
designed to get us to a place where we can model what the 
consequences would be of a release of chemicals caused by 
terrorists.
    Mrs. Demings. OK. Finally, what are you doing to make sure 
security measures aren't interfering with precautions taken in 
anticipation of extreme weather or natural disasters?
    As the Chairman indicated, I come from Florida, so I wonder 
what are you doing to make sure there are no conflicts there as 
you are implementing your security measures? Or at least that 
you are working together to make sure there are no conflicts?
    Mr. Wulf. Yes, we, you know, we strive to, and we do, in 
fact, work in close cooperation with agencies that are focused 
on safety, that are focused on response to natural disasters.
    So that includes as we continue to implement the provisions 
of an Executive Order from 2014 that followed the West Texas 
incident, to work closely to coordinate with EPA, with OSHA, 
with ATF and to, you know, harmonize to the extent absolutely 
possible our respective programs. So and to communicate as 
frequently and effectively as we possibly can.
    Mrs. Demings. OK, thank you very much.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you.
    The Chair now recognizes the gentleman from Texas, Mr. 
Taylor.
    Mr. Taylor. Thank you, Mr. Chairman.
    Just a question, Mr. Wulf, for you. So I understand that 
there are some facilities that are exempted by statute and some 
that are included. Do you have any thoughts for us on, you know 
these facilities I am worried about that are exempted and I am 
concerned that these facilities that I am doing, I don't really 
see why I am doing that.
    So I mean, we write the laws with the best of intent, but 
not necessarily the implementation is the best. So you are 
implementing so what do you see in terms of what should be in 
the mix and what isn't in the mix?
    Mr. Wulf. Yes.
    Mr. Taylor. Can you speak to that?
    Mr. Wulf. So there are a number of exemptions, of 
exclusions, from the authorities. So, you know, broadly those 
exclusions apply to facilities that are covered by other 
security-focused programs, so nuclear facilities covered by the 
Nuclear Regulatory Commission, facilities owned by the 
Department of Defense and a handful of others. It also includes 
an exemption for water and wastewater facilities.
    I think that, you know, a dozen years into implementation 
of the program, a pretty opportune time to kind-of take a look 
at where we are with the exclusions and maybe to study what 
might make sense going forward with respect to facilities that 
are excluded from the program. We are open as well to talking 
about, you know, about what facilities are included.
    You know, as I mentioned earlier, I think the comprehensive 
nature of CFATS makes it very much value-added across the 
entire universe of 3,300-plus facilities that are currently 
covered as high-risk. I think it is an important program. So I 
would say there are not facilities that which I am saying, why 
are we doing this?
    Mr. Taylor. OK.
    Mr. Wulf. We are adding value across the board.
    Mr. Taylor. Then sort-of building on that conflicts 
discussion, are you finding yourselves duplicating effort with 
other agencies and where they are, you know, where the person 
on the ground is saying, wow, you are telling me to do it this 
way but I have got this other agency telling me to do it 
another way.
    I mean, are you finding conflict or maybe even at the 
statutory level where one law says this and another law says 
that? Are you seeing conflict there that needs to be clarified?
    Mr. Wulf. I don't think we are seeing conflict. I think we 
are seeing rare instances in what is needed to require, what is 
needed to meet our standards, meet the intent and spirit of the 
18 CFATS risk-based performance standards is above and beyond 
what might be required by other programs.
    So I don't view that as a conflict. I view that as a 
facility that has been assessed to be at high risk of terrorist 
attack or exploitation having to have in place security 
measures beyond those that might be required or that might be 
needed by other programs at facilities that aren't high-risk 
CFATS facilities.
    Mr. Taylor. So are you saying that you don't see conflict? 
I mean, you are not running into other agencies in doing what 
you are doing?
    Mr. Wulf. Well, I mean we are certainly covering facilities 
that are covered by other agencies and their programs. No 
question about that. I would say almost every facility we 
regulate is visited as well by, you know, EPA and/or OSHA, in 
some cases by Bureau of Alcohol, Tobacco, Firearms, and 
Explosives, and by State regulators.
    But I think CFATS is unique and it is an extraordinarily 
comprehensive program that is targeted at the highest-risk 
facilities, facilities that are at the highest risk of 
terrorist attack or exploitation.
    So there is some overlap, absolutely, in the universes of 
facilities that we cover as compared to other facilities. You 
know, that is among the reasons we prioritize working closely 
both at the National and regional levels with other regulatory 
agencies.
    Mr. Taylor. Mr. Chairman, actually, one final question.
    How are you handling changes? I mean when a facility wants 
to change something, add a new cracker or whatever it may be, 
is what you are doing getting in the way of that or is 
securities just for the whole structure, doesn't matter if they 
are subtracting or adding people, services, plant on the 
ground?
    Mr. Wulf. Yes, unless they are changing their holdings of 
high-risk chemicals of interest, it should not have an impact. 
We are always, always willing and able to work with facilities 
as they are thinking about design changes, changes to their 
processes to talk them through what impact it might have and 
options they might have, if there is going to be a potential 
impact under CFATS.
    Mr. Taylor. Thank you.
    Mr. Chairman, I yield back.
    Chairman Thompson. Thank you.
    The Chair now recognizes the gentlelady from California, 
Ms. Barragan.
    Ms. Barragan. Thank you, Mr. Chairman. I want to start by 
thanking you for making this a priority and for pushing this 
and having this hearing. When I saw the photo before we 
started, of the explosion in West, Texas, it reminded me very 
much of a facility that is of great concern in my Congressional 
district.
    Now, I represent the Port of Los Angeles, and it is a huge 
economic engine. It touches every Congressional district. 
Should there be an incident there, certainly an explosion like 
that, it would be devastating to the economy and really to the 
surrounding areas.
    Mr. Wulf, I know you and I had a chance briefly to speak 
before the hearing started. I wanted to make sure to get over 
here to follow up. I want to talk a little bit about this 
facility that is of great concern in my district. As you are 
aware of it, it is, I call them the LPG storage tanks, they 
store large amounts of butane and some propane.
    Now, these are tanks that are right next to a park where 
children play, within a very close radius of schools where 
children go to school and not very far at all from residential 
neighborhoods and the Port of Los Angeles.
    I understand that you have been out to the facility, is 
that correct, Mr. Wulf?
    Mr. Wulf. If we are talking about the same facility, then 
yes I have.
    Ms. Barragan. Yes, and is this facility part of the CFATS 
program?
    Mr. Wulf. The facility I visited is part of the program.
    Ms. Barragan. Yes. Do you know if anyone at DHS has 
assessed the devastating impacts that would occur should there 
be a leak or an explosion to that facility?
    Mr. Wulf. So, you know, so that is exactly what CFATS is 
focused on. So, you know, in determining the high-risk status 
of that facility we absolutely would have modeled the potential 
effects of a release caused by a terrorist act on the 
surrounding population, absolutely.
    Ms. Barragan. So one of the questions I often get from 
constituents, will ask questions like how high-risk is it? Is 
that information public that you might be able to share with us 
on what the possible result would be if there was an explosion 
there and the risk level?
    Mr. Wulf. Well, portions of our risk-tiering methodology 
are Classified----
    Ms. Barragan. Yes.
    Mr. Wulf. It is certainly a discussion we could have.
    Ms. Barragan. OK. You know, one group, a consulting group 
that has done a study on it, concludes that the devastation 
from a blast could stretch as far as 6.8 miles from the 
facility, and that is within the realm of not just residential 
homes, but the Port of Los Angeles.
    Again, when I see the photo of what happened in Texas, I 
noticed there wasn't too many residential around there. I 
didn't even see anything around that area. So it is critically 
important for me that we reauthorize the program, but that we 
are also making sure that there is on-going inspections.
    Because I think I read in our report that there had been 
lapses in safety regulations and things like that. Now, my 
understanding is because of CFATS' early instability DHS did 
not begin carrying out compliance inspections for several years 
with the bulk of inspections conducted after 2015.
    However, since that time, compliance inspections have 
spiked to over 3,500, and now the question is whether 
inspectors are being pressured to rush through inspections to 
get numbers up.
    Mr. Wulf, how much time do inspectors have to carry out 
inspections and how can we be sure these inspections are not 
merely a paperwork exercise or rubber stamp?
    Mr. Wulf. Yes, I appreciate that question and inspectors 
are absolutely not pressured to move through inspections 
quickly. We do have time frames in place for the submission of 
reports. I want to say generally about 2 weeks to get a report 
done, but if an inspector for whatever reason needs additional 
time, needs to spend an extra day at a facility, or make a 
return visit to a facility, absolutely is something that we 
make sure can happen under our program.
    You know, I would say as well with regard to the facility 
and potential impacts, I am glad to have additional discussions 
about that specific facility but that, you know, those are 
exactly the sorts of impacts that CFATS is designed to address.
    It is exactly the reason that high-risk facilities are in 
the CFATS program and have to put into place security measures 
focused on 18 comprehensive risk-based performance standards 
and submit to inspections. So absolutely glad to have that----
    Ms. Barragan. Well, thank you, and I will certainly follow 
up with you to have that conversation.
    I yield back.
    Chairman Thompson. Thank you.
    The Chair now recognizes the gentleman from Louisiana, Mr. 
Higgins.
    Mr. Higgins. Thank you, Mr. Chairman.
    Mr. Wulf, Mr. Anderson, thank you both for appearing today.
    I represent south Louisiana. The chemical industry is vital 
to Louisiana's economy. In Louisiana it is a $50.5 billion 
industry. It provides over 25,000 direct jobs and an additional 
83,000 supporting jobs.
    In my district alone, this industry generates nearly $60 
million in Federal tax revenue and employs nearly 7,000 direct 
employees. These are families that I work for.
    State-wide, Louisiana ships 7.9 billion in chemical-related 
products to customers world-wide. Needless to say, ensuring 
these facilities are secure is vital to my State and district 
and by extension the entire country.
    Mr. Wulf, based on your testimony, the CFATS program is 
effective and its success has positioned the United States as a 
world leader in chemical facility security. As with any 
Government program I understand there is always room for 
improvement.
    I am certainly willing to work with my colleagues and I 
thank the Chairman for his leadership and the Ranking Member as 
well. I am willing to work with my colleagues in this body to 
address how we can improve CFATS and provide a long-term 
authorization for this important program. A long-term 
authorization is a significant quest in my mind.
    Mr. Wulf, given the success of the program in its current 
state, do you believe it would be in the best interests of our 
National security to approve a clean, long-term, re-
authorization of CFATS and then address any needed changes as 
issues arise in a bipartisan manner through this body and 
committee?
    Mr. Wulf. I would say that absolutely a long-term 
authorization for CFATS is key to our ability to continue to 
focus on chemical security and it was the foundation for the 
improvements that we were able to make over the last 4 years.
    I think the foundation of the program is a very strong one. 
The program is effective and successful.
    Mr. Higgins. Thank you, sir. Reflective of your answer 
regarding protecting the people's treasure, which we are 
responsible for in this body, do you believe that the increased 
certainty of a long-term or permanent re-authorization would 
allow Government and industry to work more uniformly to develop 
better practices, improve inefficiency of the program and thus 
maintaining the peoples' investment?
    Mr. Wulf. No question about it. So chemical industry 
companies across the country have made significant investments, 
have made capital investments in CFATS-focused security 
measures. They continue to deserve to know that the program is 
here for the long haul.
    Mr. Higgins. Mr. Anderson, do you concur with that 
assessment, sir?
    Mr. Anderson. GAO doesn't take a position on that but we 
would note that----
    Mr. Higgins. You work very closely with CFATS though do you 
not, sir?
    Mr. Anderson. I am sorry, what was that?
    Mr. Higgins. You work very closely with CFATS and you 
recognize that long-term stability encourages efficiency in any 
program, do you not?
    Mr. Anderson. Long-term stability absolutely increases 
certainty in budgets and periodic reauthorization also provides 
a good catalyst for oversight, which is the role we fill.
    Mr. Higgins. Thank you, sir. But oversight is an on-going 
endeavor, is it not? Legislation can be changed as needed to a 
long-term program, a long-term authorization.
    Mr. Anderson. True.
    Mr. Higgins. Yes, sir.
    Mr. Wulf, last question. With political infighting in 
Congress over minor changes, again--and we had a bipartisan 
manner, we are willing to work together--but would political 
infighting in Congress over minor changes to the currently 
effective CFATS program while it remains in limbo under short-
term authorization, be a disservice to our Nation's mission to 
prevent terror attacks?
    Mr. Wulf. We are absolutely better-positioned to secure 
America's highest-risk chemical infrastructure with a long-term 
authorization. No question about it.
    Mr. Higgins. I thank you for your answer.
    Mr. Chairman, I apologize that I have not been able to 
attend the entire hearing. You know that happens sometimes, but 
I respect you, sir, and the Ranking Member, and I yield the 
balance of my time.
    Chairman Thompson. Thank you very much.
    The Chair now recognizes the gentleman from New York, Mr. 
Rose.
    Mr. Rose. Chair, it is Staten Island. Thank you, Chair.
    Chairman Thompson. At some point I will get it right.
    [Laughter.]
    Mr. Rose. Mr. Wulf, thank you again for being here. Thank 
you for your service to this country. Let us talk about fusion 
centers. What has been the role of fusion centers throughout 
the coordination process? Has this been an institutionalized 
role? Have they been your direct point of contact?
    I understand you could reply to that question by saying, 
they have been great and that is it, but I actually want to 
know what their role has been as mandated by the Department and 
if there has been a variable role across States?
    How we can use this as a point of improving the role of 
fusion centers as the lead in terms of coordinating issues such 
as this between the Federal Government, States, localities, and 
the private sector?
    Mr. Wulf. I appreciate that question, and I do think there 
is probably more that we can do on a National basis. So fusion 
centers have been an important focal point for us in 
coordinating, in connecting the CFATS program with State and 
local law enforcement and first responders. So it is a node.
    In some cases we have had chemical security inspectors sit 
at fusion centers. Certainly on the other side of our house, 
the voluntary side of their house, our protective security 
advisors are very much looped in, tied to the fusion centers 
across the country.
    But I think it is important for us to continue to think 
about ways we can even further harness across the country----
    Mr. Rose. So I take it then this has been ad hoc though?
    Mr. Wulf. It has sort-of varied across the various 
jurisdictions, absolutely.
    Mr. Rose. So what has been the best example of a fusion 
center taking the lead? You don't have to name the State but I 
just want to know what the model looked like when that fusion 
center took the lead here.
    Mr. Wulf. Yes, so I think the model looks like, you know, a 
chemical security inspector or a local supervisory inspector or 
chief of regulatory compliance being well-connected with a 
fusion center and being plugged in by virtue of that fusion 
center connection with law enforcement and first responders 
across a given, you know, either metropolitan area or a State 
and pushing tools like the infrastructure protection gateway 
through which first responders and law enforcement can have 
access to CFATS information about the high-risk facilities in 
their jurisdictions.
    So that is what I think the optimal model is.
    Mr. Rose. So that is the optimal best model. What has been 
the worst case you have seen?
    Mr. Wulf. I don't know if I have a--I guess worst case are, 
you know, any situations in which, you know, those 
relationships haven't been built. I am not going to say that 
has happened but it is a discussion of certain----
    Mr. Rose. Theoretically.
    Mr. Wulf. Latitude we continue having. Yes.
    Mr. Rose. OK, so moving on, in terms of the voluntary 
participation of the private sector, it seems as if this is 
actually a great case in which we have been very successful in 
that regard.
    What type of lessons learned can we draw out of this to 
transfer to issues of cybersecurity, general counterterrorism, 
where we have to involve the private sector but we are often 
struggling to get them to come forward? What type of lessons 
learned can we glean from this?
    Mr. Wulf. Right. So I mean, in this case, we do have a 
regulatory framework so there, you know, there is an obligation 
for facilities that, and companies that operate facilities, 
that have threshold quantities of chemicals of interest in our 
regulation to report information to us. If they are assessed as 
high-risk to be part of the program to develop site security 
plans and be subjected to inspections.
    But I would say that on a purely voluntary basis the 
chemical industry writ large, and that cuts across a variety of 
critical infrastructure sectors, has been fully committed and 
bought in to this program and has helped us to drive forward 
key improvements to the program.
    So one of the ways that happens is through something we 
call the Critical Infrastructure Partnership Advisory Council 
framework. So we bring together sector councils of, you know, 
chemical industry or as the case may be, oil and natural gas 
industry folks, to talk about ways in which we can continue to 
enhance our respective critical infrastructure protection and/
or chemical security efforts.
    I do think that is a good model and it is one that the 
Department is also using on the cybersecurity front and across 
others.
    Mr. Rose. Right. I take it that the best model in this case 
was that this was mandatory with private-sector involvement. 
That was the pathway to success then.
    Mr. Wulf. The regulatory framework I think has helped for 
sure.
    Mr. Rose. Thank you.
    I yield my time.
    Chairman Thompson. Thank you, gentleman from Staten Island.
    Now recognize the gentleman from Texas, Mr. McCaul.
    Mr. McCaul. Thank you, Mr. Chairman. It is great to be back 
in the old committee room. It looks kind-of nice.
    Just let me say at the outset, you and I, Mr. Chairman, I 
think enjoyed a very bipartisan relationship. We got along most 
of the time and that is how I think this committee should 
operate.
    It came to my attention that the Minority, and in this case 
our side of the aisle, was not entitled to call a witness at 
this hearing. I believe that both the House and committee rules 
do provide for the Minority to be able to call a witness at the 
hearing, and I hope that we can adhere to that in the future 
moving forward.
    Having said that, I commend both of you, you and the 
Ranking Member, for this hearing. I tried to get this thing, 
long-term extension, and we had resistance in the Senate. The 
best we could get was a 15-month extension.
    When I talk to chemical facilities in the private sector, 
they need that kind of certainty. They don't really want to be 
regulated but if they are, and they prefer CFATS over other 
regulatory entities and they prefer DHS, how important, I 
guess, from--well, Mr. Wulf, I mean, I know how important it 
is.
    I applaud, again, the Chairman and Ranking Member for 
trying to get a long-term extension. I hope Senator Johnson and 
his committee will take this up as a long-term extension rather 
than a short-term because the private sector needs that kind of 
certainty, in my judgment. Can you explain to me how important 
that is?
    Mr. Wulf. Yes, I think the importance cannot be overstated. 
I know we have personally visited CFATS-covered facilities that 
have put in place security measures and they need the certainty 
that comes along with knowing that the program is not going to 
go away.
    That if they are going to make capital investments in 
addressing the 18 CFATS risk-based performance standards, 
putting in place security measures that sometimes require on 
industry budget cycles 2-, 3-, 4-year capital planning, they 
need to know that the program will be around in 3, 4, 5 years.
    So long-term authorization is hugely important, not only 
for industry but for our ability in the Government to plan for 
and execute the program.
    Mr. McCaul. That is a great point. Not only from the 
private sector, any businessman is going to need more long-term 
certainty for sure, but the Government to be able to implement 
this effectively. I think the GAO probably points that out as 
an issue. Is that right, sir? Is that----
    Mr. Anderson. While we at GAO don't take a formal position 
on reauthorization, we do note the benefits that can accrue and 
to add to the list that you both have talked about, it helps 
the DHS to retain top talent when there is a longer-term 
reauthorization period and that kind of certainty.
    At the same time I would simply note, though, that in the 
past, reauthorization has been an excellent catalyst for 
program improvement. So that is something that should be noted.
    Mr. McCaul. Thank you. Now, the report itself, though, I 
found some parts troubling and that was identifying high-risk 
facilities, not fully utilizing threat information and ensuring 
compliance.
    Director Wulf, what have you done to address those 
concerns? Can you also touch on your outreach efforts to the 
private sector in the chemical facilities?
    Mr. Wulf. Yes, absolutely. So I think the, you know, I 
think you are referring to our risk-tiering methodology and the 
extent to which in the past we focused largely on the 
consequences of a potential terrorist attack, less so on 
vulnerability and threat.
    Actually one of the things that the long-term 
authorization, the 4-year authorization we attained in 2014 
enabled us to do was to completely retool that risk-tiering 
methodology so that we are now as fully as possible accounting 
for all relevant elements of risk to include not only 
consequences and vulnerability but threat as well. So, you 
know, that was a huge outgrowth of long-term authorization.
    Outreach, we continue very much to prioritize outreach, to 
continue to prioritize working with the various industries that 
are part of the CFATS-covered universe of chemical facilities. 
You know, one of the things we prioritize, you know, within 
that area is getting the word out about the program.
    So we work through National industry associations. We work 
through local chambers of commerce to ensure that we are 
communicating as widely, as broadly as possible the basics of 
the CFATS program so the facilities that are using chemicals, 
that are storing chemicals have the awareness they need to be 
able to meet their obligations to report to us information 
about their holdings----
    Mr. McCaul. If I could just conclude, you know well GAO 
plays an important role. We make these kind of requests, not to 
be adversarial and for, like, gotcha moments, but rather 
working together to improve Government operations. I am glad so 
see that you are adhering to these recommendations to improve 
your operations.
    With that, I will yield back.
    Mr. Wulf. It has been very helpful.
    Chairman Thompson. Thank you very much.
    In order to make sure the record is complete, let me assure 
the former Chairman that the rules we are operating under are 
the same set of rules. Both of these are Government witnesses. 
We offered the Minority a Government witness. They chose not to 
provide a Government witness, so that is really the only reason 
you don't have a witness.
    We now recognize the gentlelady from north Chicago, Ms. 
Underwood.
    Ms. Underwood. Thank you, Mr. Chairman, and thank you for 
organizing this hearing on DHS's Chemical Facility 
Antiterrorism Standards program and for your leadership in 
extending this important program.
    Securing our chemical facilities is vital to our National 
security and to ensure that our communities remain safe. I 
consider it really important to have a robust security plan in 
place for high-risk facilities and am pleased that DHS can 
effectively reduce the risk for potential targeting by bad 
actors.
    So my questions are for Mr. Wulf. Sir, as we look to 
reauthorize the program there is interest in DHS developing 
voluntary best practices informed by lessons learned for 
facilities who may want to lower their risk and possibly their 
regulatory burden. Is that something that you think that 
facilities would find useful?
    Mr. Wulf. I think it is. As I mentioned earlier in these 
proceedings, over the course of the program's existence more 
than 3,000 facilities have either reduced their holdings of 
high-risk chemicals, have eliminated them, have substituted 
safer chemicals or changed their processes such that they are 
no longer considered high risk and are not covered by the 
program's requirements.
    So, you know, we have gathered information as these 
facilities have come out of the program. We have kind-of 
categorized the what, you know, the reduction, the elimination, 
the change in process, the change in sort-of delivery or other 
procedures.
    But, you know, we would certainly be open to discussing 
additional authority to enable us to further mine the how and 
to, you know, put us in a position to share that information on 
a voluntary basis with other facilities.
    Now, keeping in mind that CFATS is focused, you know, I 
think appropriately as a risk-based program, it is targeted at 
America's highest-risk facilities, so those facilities at the 
highest risk of terrorist attack or exploitation. That is less 
than 10 percent of the facilities that submit Top Screens for 
risk assessment by us.
    So the additional 30,000 facilities that aren't covered by 
CFATS could certainly benefit from the lessons that have been 
derived from the practices that have been used at facilities 
that have lowered their risk.
    Ms. Underwood. Thank you. So DHS has said that CFATS has 
encouraged many facilities, as you said, to voluntarily 
eliminate, reduce, or modify their holdings of certain 
chemicals of interest in order to reduce the number of high-
risk facilities throughout the country.
    So does DHS, in fact, capture the data on how facilities 
are reducing the risk? If so, how can DHS use that data to help 
other facilities?
    Mr. Wulf. Yes, I think, you know, we have captured what 
facilities have done, you know, whether they have reduced, 
whether they have eliminated, whether they have changed a 
process, but I think there is more that we can do to kind-of 
mine those practices, mine those approaches----
    Ms. Underwood. Yes.
    Mr. Wulf [continuing]. And share them more broadly.
    Ms. Underwood. OK, thank you. Now, we have seen a rise in 
cyber attacks against U.S. critical infrastructure often 
carried out by foreign governments, criminal organizations, or 
terrorist groups and obviously the chemical sector is among the 
most frequent targets, so what type of cybersecurity measures 
are CFATS facilities required to adopt?
    Mr. Wulf. So that is a good question and cybersecurity is 
an important part of the CFATS program and, you know, our 
inspectors and other personnel are trained specifically in 
carrying out the cyber piece of the CFATS inspections.
    They work with facilities as they develop their site 
security plans and as they put in place policies and procedures 
that are designed to protect their cyber systems, to, you know, 
to detect cyber attacks and to address cyber attacks as they 
might occur.
    So, you know, CFATS is a non-prescriptive program. We 
can't----
    Ms. Underwood. Right.
    Mr. Wulf [continuing]. Require any specific measures, but 
we can require a cybersecurity posture that is appropriate to 
the facility's level of cyber integration. You know, facilities 
vary in the level to which cyber systems impact their chemical 
processes, their industrial control systems, or for that matter 
their physical security systems.
    So, you know, different measures might be appropriate 
depending upon that level of integration of the cyber system. 
So, you know, we work with facilities on an individual basis as 
they tailor cybersecurity postures that are appropriate to 
their operations.
    Ms. Underwood. So how much cybersecurity training do the 
inspectors then receive, the CFATS inspectors?
    Mr. Wulf. So all inspectors receive a kind-of base level of 
training on cybersecurity and for that matter on the other 
risk-based performance standards.
    We have a more advanced cybersecurity training that we have 
run probably about half of our inspectors through. So that is 
an additional week or 2 of advanced cyber training and they are 
then capable of working with the facilities with somewhat more 
integration of their cyber systems with chemical processes.
    For those facilities that have the highest level of 
integration we have folks who focus on nothing but 
cybersecurity at our headquarters. So cyber experts----
    Ms. Underwood. OK.
    Mr. Wulf. Who actually have eyes on every facility's site 
security plan and who are available to work with inspectors as 
they work with facilities that have that sort-of highest degree 
of cyber complexity.
    Ms. Underwood. Well, thank you, Mr. Wulf and Mr. Anderson 
for being here today.
    Thank you, Mr. Chairman. I yield back.
    Chairman Thompson. Thank you, Madam Vice Chair, a good 
question.
    Now, I recognize the gentleman from Houston, Mr. Green.
    Mr. Green. Thank you, Mr. Chairman.
    I thank the witnesses for appearing as well.
    Mr. Chairman, I want to extend a special expression of 
appreciation and gratitude to you because the intelligence that 
has been accorded me indicates that this is the first time 
since the 113th Congress that we have had a full committee 
hearing on this CFATS program and that the program would have 
expired had you not intervened and enacted a stop-gap measure.
    So I appreciate greatly what you have done because this 
program is something that is near and dear to a good many 
Texans because of what happened in the town of West in Texas. 
We had a number of persons who were first responders, and I am 
sure the story has been told, but some things bear repeating.
    First responders didn't know what they were rushing into. 
It is a wonderful thing to accord first responders the proper 
equipment. The equipment is necessary, but they also have to 
have intelligence and they rushed in.
    They were on the site without intelligence. Fifteen persons 
lost their lives, so this is important to a good many of us and 
especially to some of us who are from Texas.
    I would like to start with the CFATS Act of 2014 which 
requires DHS to create an experimental new program. DHS has 
performed diligently and the program has been implemented and 
seems that as of June 2018 only 18 facilities have taken 
advantage of this program.
    My query is does it make good sense to keep a program that 
appeals to 18 facilities? I am sure that there are some other 
projects that merit our attention. There are some other goals 
that we should review in the area of cybersecurity first 
responder outreach. DHS probably has a lot of energy that it 
has put into this that may have been used otherwise.
    So quickly if you would, please, give me some sense of why 
a program that has accommodated 18 facilities at some great 
expense should be maintained?
    Mr. Wulf. Yes, I think it is--I appreciate the remarks, and 
it is a fair question. You are referring to the expedited 
approval program that enables on, I guess, an expedited basis 
the certification of facility security plans where those 
facilities adhere to a prescriptive list of security measures.
    You know, I think it is fair to say, as you noted, that a 
very small number of facilities have taken advantage and 
availed themselves of the program.
    Mr. Green. If I may? Just so that we may understand that is 
the size of the language. When you said small how many could 
have taken advantage of it and juxtapose that to the number 
that have?
    Mr. Wulf. Yes. So it applies to, you know, Tier 3 and 4 
facilities so that would be 90 percent of our regulated 
universe could have taken advantage, so upwards of 2,500 
facilities could have.
    Mr. Green. Of the 2,500, 18 or thereabout?
    Mr. Wulf. Eighteen have.
    Mr. Green. Yes, OK. Continue please.
    Mr. Wulf. I think some of that owes itself to the fact that 
most facilities were well through the process of developing 
their site security plans through the normal process at the 
time the expedited approval program was rolled out, though we 
certainly, you know, did our best to publicize its 
availability.
    The fact that most facilities appreciate the contact that 
they are able to have with inspectors throughout the the normal 
process of developing their site security plan. That tends to 
improve those plans.
    So, you know, although we have had a few additional 
facilities since the re-tiering of facilities occurred within 
the last couple of years that have availed themselves of the 
program, the overall number is very small. The fact of the 
matter is that our on-line system through which facilities 
develop their SSPs is now significantly more streamlined, 
significantly more user-friendly. So it is certainly----
    Mr. Green. Permit me to----
    Mr. Wulf. Less----
    Mr. Green [continuing]. Ask. It is I----
    Mr. Wulf [continuing]. To use this other program.
    Mr. Green. I don't mean to be rude----
    Mr. Wulf. No worries.
    Mr. Green [continuing]. And unrefined, but I have to ask 
because I have another question. Is it time to review this 
program so that we can ascertain whether or not it is something 
that we should continue with?
    Mr. Wulf. I would say yes, it is certainly time to take a 
hard look at it.
    Mr. Green. OK. I am going to leave it at that because I 
have another question. This relates to hexavalent chloride or 
chromium, excuse me, also known as chromium-6, which is quite 
prevalent around the country and is also a carcinogen.
    We have had a scare in my home town of Houston, Texas and 
we have gotten news reporters who have been looking into 
chromium-6. EPA has not provided us with the proper guidelines 
that we have been waiting on for some time. That doesn't mean 
that we won't get them.
    But OSHA not only regulates workplaces that use it, but 
also has referred to it as the most toxic form of chromium. My 
question is, is this something that you should give us some 
additional attention to?
    Mr. Wulf. It is something that we will certainly look at. 
Off-hand, I am not certain that it is one of the 322 chemicals 
of interest that trigger coverage under CFATS, but I will 
absolutely take a look.
    Mr. Green. I would greatly appreciate it.
    Mr. Chairman, I greatly appreciate the times you have 
extended, and I will yield back.
    Chairman Thompson. Thank you very much. If you will provide 
Mr. Green, Mr. Wulf, with whatever information you have on 
that? I am certain, based on Mr. Wulf's comment he will give 
you whatever information in return.
    Mr. Wulf. Absolutely.
    Mr. Green. Thank you, Mr. Chairman. I shall do so.
    Chairman Thompson. The Chair now recognizes the gentleman 
from Kansas City, Mr. Cleaver.
    Mr. Cleaver. Thank you, Mr. Chairman. Thank you for calling 
this hearing because this is something that I am very much 
concerned about and at our hearing yesterday I raised similar 
issues.
    Because the EPA no longer updates its list of the locations 
of these facilities, chemical facilities, it is difficult for 
me to just pinpoint exactly where they are. Now, they have a 
map and you can look at the map and kind-of get an idea.
    I am from Missouri and so I am concerned about what the map 
suggests, which is the rural parts of Missouri. If you put a 
comma there for a moment, one of the things that I am concerned 
about and it has been driving me crazy since the days that I 
was mayor of Kansas City, and it is that for the most part the 
Federal Government ignores the middle of the country as it 
relates to the possibility of terrorist attacks.
    So we lean toward the East Coast, the West Coast, the North 
Coast and I remind people that it was shortly after Easter 
1996, I think it was, when the Murrah Federal Building in 
Oklahoma City, not too far from Kansas City, was the first 
major terrorist attack.
    I can't remember now. It was just under 200 people killed, 
about half of them little children at a preschool inside the 
Federal building. I have a little 3-year-old grandson who is at 
a Federal daycare center right now.
    We just can't seem to get the kind of attention to deal 
with these issues. Now that there is no update we don't know. I 
will also remind everyone, remind you and maybe everyone on the 
committee, that it was ammonium nitrate used by McVey, Timothy 
McVey.
    Ammonium nitrate is fertilizer. I represent a rural area. 
Everybody uses fertilizer to survive. We have 85,000 jobs in 
Missouri related to agriculture. We export about $14 billion a 
year that support those jobs and many of those are in my 
district, the soybeans and corn. I can't tell you how--and so 
you know there are facilities all over.
    A terrorist with a IQ above room temperature can figure out 
the most vulnerable places in our country and the places that 
create the least amount of risk to them. It is, frankly, a part 
of the district I represent.
    I am open for you to tell me how we can correct this by 
next Thursday?
    [Laughter.]
    Mr. Cleaver. Or Wednesday or whatever.
    Mr. Wulf. I appreciate all that. I will take the first 
crack. Absolutely agree that, you know, the terrorist threat is 
not a, you know, bi-coastal threat. It is an all-of-America 
threat.
    You know, for our part, you know, we work closely with 
fertilizer retailers with fertilizer manufacturers, many of 
whom are part of the CFATS program and have put into place 
comprehensive security measures designed to address the CFATS 
risk-based performance standards.
    Our broader organization has placed a regional office in 
Kansas City to focus on some of the Midwestern States. There is 
one in Chicago as well. So, you know, very focused on working 
with retailers of fertilizer, with manufacturers of fertilizer, 
as with all other companies and entities that hold high-risk 
chemicals and that are covered under CFATS.
    Mr. Cleaver. Are the facilities open in Kansas City?
    Mr. Wulf. Pardon me? There is a regional office in Kansas 
City, so our chief of regulatory compliance sits in Kansas 
City.
    Mr. Cleaver. Yes. How many people? I am just curious. 
Because I wasn't even aware.
    Mr. Wulf. There are probably 20 folks across the 
infrastructure protection enterprise in that regional office 
and there are protective security advisors and our chemical 
security inspectors in every State in the region.
    Mr. Cleaver. I will get in touch with them quickly.
    Mr. Wulf. Yes.
    Mr. Cleaver. Thank you, Mr. Chairman. I appreciate it very 
much. This is a major issue in my community, so thank you very 
much for this hearing.
    Chairman Thompson. Absolutely.
    A couple of takeaways, Mr. Wulf, I think based on what I 
heard, I think it would help us if you could provide us with a 
master list of the facilities that have been regulated. I think 
that would help a lot.
    Mr. Wulf. Yes.
    Chairman Thompson. But I heard questions from several 
Members and we can just kind-of share that information.
    So the other has to do with the data of the inspections 
that you make. Do you collect that data?
    Mr. Wulf. Oh, absolutely. Our inspectors produce a report 
of each and every inspection and that runs through our 
compliance branch here in----
    Chairman Thompson. So who do you share that data with? Just 
internally?
    Mr. Wulf. It is for our internal use for making decisions 
about approving site security plans and for, you know, as 
necessary engaging in enforcement activities. But some of that 
data is the type of data, you know, some of the data on the 
chemical holdings and specifics of the facility is the sort of 
information that we share with first responders, law 
enforcement, and others in the local community who have a need 
to know that information.
    Chairman Thompson. OK.
    Mr. Anderson, have you all looked at any of that data 
collection and sharing?
    Mr. Anderson. Well, we have certainly looked at both 
aspects, the data collection piece and the recommendation that 
we made in that report has been implemented by DHS. So from, 
you know, from our view in terms of the data on assessing risk, 
for example, DHS has implemented our recommendations.
    The information sharing point though, that is still open 
and I think that that is, you know, a valid point of emphasis 
from our standpoint. The information sharing with first 
responders so that there is full visibility over what those 
threats may be if there is an incident.
    Chairman Thompson. Well, and I think that is what Mr. 
Cleaver and Ms. Slotkin and Underwood, Rose, a number of 
Members are interested in, whether or not what we collect 
through our CFATS process is actually pushed out to especially 
first responders.
    Mr. Anderson. Absolutely.
    Chairman Thompson. Or communities that are at risk just 
given the location of many of those facilities.
    So I want to thank the witnesses for their testimony and 
the Members for their questions. The Members of the committee 
may have additional questions for the witnesses and we ask that 
you respond expeditiously in writing to those questions.
    Pursuant to the Committee Rule VII(D), the hearing record 
will be held open for 10 days. Hearing no further business, the 
committee stands adjourned.
    [Whereupon, at 12:07 p.m., the committee was adjourned.]



                            A P P E N D I X

                              ----------                              

       Questions From Chairman Bennie G. Thompson for David Wulf
    Question 1a. Since 2007, DHS reports that ``CFATS has encouraged 
many facilities to voluntarily eliminate, reduce, or modify their 
holdings of certain chemicals of interest in order to reduce the number 
of high-risk facilities'' throughout the country.\1\ The total number 
of high-risk facilities in the United States has dropped from 7,000 in 
2008 to only about 3,300 today.
---------------------------------------------------------------------------
    \1\ CFATS Fact Sheet, https://www.dhs.gov/sites/default/files/
publications/cfats-fact-sheet-07-16-508.pdf.
---------------------------------------------------------------------------
    How does DHS verify the accuracy of the information facilities are 
submitting to show a reduction in risk?
    Answer. Response was not received at the time of publication.
    Question 1b. Can you explain some of the primary ways a facility 
might reduce their risk level--for instance by storing chemicals in 
lower quantities, using more secure containers, or building security 
into new constructions?
    Answer. Response was not received at the time of publication.
    Question 1c. Does DHS have a system in place to collect and analyze 
this data to help DHS understand how facilities are reducing risk?
    Answer. Response was not received at the time of publication.
    Question 2a. In your testimony, you agreed that there is an 
opportunity for DHS to use this data to develop voluntary best 
practices that could help other facility owners and operators find ways 
to reduce risk, while also maintaining the program's non-prescriptive, 
risk-based approach.
    Are there additional authorities DHS would need in order to 
aggregate, anonymize, and analyze data on facilities that successfully 
reduce risk?
    Answer. Response was not received at the time of publication.
    Question 2b. Are there additional authorities DHS would need in 
order to use this data to develop best practices for reducing chemical 
security risks?
    Answer. Response was not received at the time of publication.
    Question 2c. Are there additional authorities DHS would need in 
order to share such best practices with other chemical facility owners 
and operators, or with the public?
    Answer. Response was not received at the time of publication.
    Question 3a. The Protecting and Securing Chemical Facilities from 
Terrorist Attacks Act of 2014 (CFATS Act of 2014) requires DHS to share 
``such information as is necessary to help ensure that first responders 
are properly prepared and provided with the situational awareness 
needed to respond to security incidents'' at high-risk chemical 
facilities.\2\ In 2018, GAO surveyed first responders and local 
emergency planners and found that many of them either were not aware of 
CFATS facilities in their district, did not have access to the specific 
chemical holdings at those facilities, and sometimes had not even heard 
of the CFATS program.\3\ Specifically, GAO interviewed 15 local 
emergency planning committees (LEPCs), representing 373 high-risk 
facilities, and found that 13 of the LEPCs interviewed did not have 
access to sufficient CFATS information.
---------------------------------------------------------------------------
    \2\ Pub. L. 113-254.
    \3\ GAO-18-538.
---------------------------------------------------------------------------
    You testified that you can say ``with confidence'' that all 3,300 
CFATS facilities ``have made connections with their relevant local 
first responders,'' and that inspectors verify these connections in 
each and every case. How do you reconcile this with GAO's recent 
reporting?
    Answer. Response was not received at the time of publication.
    Question 3b. Has DHS made contact with all 13 of the LEPCs GAO 
interviewed and found did not have access to information on CFATS 
facilities? Have those LEPCs been given an IP Gateway account?
    Answer. Response was not received at the time of publication.
    Question 3c. What training does DHS provide new IP Gateway account 
holders on how to utilize the portal effectively?
    Answer. Response was not received at the time of publication.
    Question 3d. Has DHS successfully completed its goal of conducting 
outreach to LEPCs in the top 25 percent of districts with the highest 
number of CFATS facilities? What is the next milestone?
    Answer. Response was not received at the time of publication.
    Question 3e. Does DHS prioritize outreach to LEPCs in districts 
with one or more Tier 1 facilities, or is it based on the number of 
CFATS facilities, regardless of Tier?
    Answer. Response was not received at the time of publication.
    Question 3f. In your testimony, you agreed that first responders 
``need information about the chemical holdings so they know what they 
are walking into when they attempt to save lives and property.'' Are 
there any circumstances where a facility would be justified in 
withholding such information on the grounds that it is protected 
chemical terrorism vulnerability information (CVI)?
    Answer. Response was not received at the time of publication.
    Question 3g. Are you aware of instances where a facility has 
withheld information on chemical holdings, or other information 
important for first responders to properly respond to an emergency or 
security incident, on the grounds it is protected under another Federal 
or State regulation?
    Answer. Response was not received at the time of publication.
    Question 3h. Is DHS currently working with Federal and State 
regulators, and chemical facilities, to harmonize information 
protection regimes and make sure first responders and LEPCs are given 
appropriate access to information?
    Answer. Response was not received at the time of publication.
    Question 3i. Going forward, does DHS plan to be more proactive in 
making sure first responders and LEPCs have IP Gateway access? Will the 
IP Gateway feature more specific information, and do so more broadly, 
on the basis of GAO's 2018 report?
    Answer. Response was not received at the time of publication.
    Question 4. On December 6, 2016, I wrote to the Secretary of DHS 
requesting an IP Gateway account. On January 11, 2017, then-Under 
Secretary of the National Protection and Programs Directorate Suzanne 
Spaulding responded that ``a representative of the Department's Office 
of Legislative Affairs will contact your staff to coordinate the 
provision of access to the IP Gateway.'' Despite multiple follow-up 
requests, I have yet to receive an IP Gateway account. Please provide 
the aforementioned IP Gateway account, as well as:
    (a) a master list of CFATS regulated facilities, per your testimony 
before the committee on Feb. 27, 2019;
    (b) a master list of facilities that were at one point covered by 
CFATS, but have since been determined to no longer present a high level 
of risk, and thus were released from the program; and
    (c) the standard operating procedures currently used by CFATS 
inspectors.
    Answer. Response was not received at the time of publication.
      Question From Honorable Xochitl Torres Small for David Wulf
    Question. Mr. Wulf, during the hearing you stated that DHS makes 
``an extra effort'' to reach out to rural communities to ensure they 
have access to information on high-risk chemical facilities. Can you 
please elaborate on what these ``extra efforts'' entail and how they 
differ from DHS outreach efforts to non-rural communities?
    Answer. Response was not received at the time of publication.
        Questions From Honorable Cedric Richmond for David Wulf
    Question 1a. The CFATS Act of 2014 requires facilities to seek 
input from at least one knowledgeable employee, and where applicable, 
labor union representatives, in the development of site security plans.
    At this time, do CFATS inspectors confirm, as part of each 
inspection, that a facility has complied with this requirement?
    Answer. Response was not received at the time of publication.
    Question 1b. Are inspectors required to speak with the employees or 
union representatives consulted, or check any records at the facility?
    Answer. Response was not received at the time of publication.
    Question 1c. Would failing to consult with an employee or union 
representative be grounds for disapproving a site security plan?
    Answer. Response was not received at the time of publication.
    Question 1d. In your testimony, you mentioned that DHS gives 
facilities discretion on whether to consult with employees because the 
law provides for consultation only ``to the greatest extent 
practicable.'' What authorities would DHS need to verify that this 
consultation is truly happening to the greatest extent practicable?
    Answer. Response was not received at the time of publication.
    Question 2a. In 2018, GAO found that DHS was missing an opportunity 
to show its value as a National security program by tracking and 
measuring facility security pre-CFATS, compared to security post-
implementation of a CFATS site security plan.
    How is DHS planning to measure the extent to which facilities 
reduced vulnerabilities as a result of the CFATS program?
    Answer. Response was not received at the time of publication.
    Question 2b. Are there other Federal programs that have adopted 
similar mechanisms to track vulnerability reduction that the Department 
can use as a model?
    Answer. Response was not received at the time of publication.
    Question 2c. How might this recommendation help DHS understand the 
ways in which CFATS facilities are eliminating or reducing on-site 
vulnerabilities?
    Answer. Response was not received at the time of publication.
    Question 3a. We have seen a rapid rise in the frequency and 
sophistication of cyber attacks against U.S. critical infrastructure, 
often carried out by well-resourced, determined foreign governments, 
criminal organizations, or terrorist groups. The U.S. chemical sector 
is among the most frequent targets.
    What cybersecurity measures are CFATS facilities required to adopt? 
Are facility site security plans ever disapproved due to cybersecurity 
deficiencies?
    Answer. Response was not received at the time of publication.
    Question 3b. How much cybersecurity training do CFATS inspectors 
receive?
    Answer. Response was not received at the time of publication.
    Question 4. The CFATS program is carried out by a division of the 
Cybersecurity and Infrastructure Security Agency (CISA), which is DHS's 
main cybersecurity arm. Does CFATS leverage the cyber resources and 
expertise of the NCCIC, the US-CERT, the ICS-CERT? Are there 
opportunities to do so?
    Answer. Response was not received at the time of publication.
    Question 5a. In the past, there have been questions about the CFATS 
risk-tiering methodology, and whether the program is capturing the 
Nation's highest-risk facilities.
    When DHS is considering whether a facility is high-risk, does it 
consider characteristics about the neighboring infrastructure? For 
instance, would it matter if the facility was located next door to an 
elementary school, nursing home, hospital, or sensitive Government 
building (e.g., a military base)?
    Answer. Response was not received at the time of publication.
    Question 5b. Does the methodology consider the potential health 
consequences that could result from exploitation of chemicals of 
interest, or strictly potential loss of life?
    Answer. Response was not received at the time of publication.
    Question 5c. Studies show chemical facilities tend to be 
concentrated in low-income and minority communities. In determining 
risk, does DHS consider whether a facility is in close proximity to 
other chemical facilities that could exacerbate the impacts of an 
attack?
    Answer. Response was not received at the time of publication.
    Question 6. Because of CFATS early instability, DHS did not begin 
carrying out compliance inspections for several years, with the bulk of 
inspections conducted after 2015. However, since that time compliance 
inspections have spiked to over 3,500, and now the question is whether 
inspectors are being pressured to rush through inspections to get 
numbers up. How much time do inspectors have to carry out inspections?
    Answer. Response was not received at the time of publication.
    Question 7. What should lawmakers be doing to address the statutory 
exemptions for certain types of potentially high-risk facilities like 
water treatment systems and nuclear power plants? Is there an 
opportunity to study security gaps?
    Answer. Response was not received at the time of publication.
         Questions From Honorable Michael Guest for David Wulf
    Question 1. Of the 40,000 unique facilities that have reported 
chemical holdings since 2007, how many of them ultimately were secured 
through CFATS?
   How many of them are still secured through the CFATS 
        program?
   What are some of the reasons a facility may no longer be in 
        the CFATS program?
    Answer. Response was not received at the time of publication.
    Question 2. Why has participation in the Expedited Approval Program 
been so low?
   What improvements can be made to encourage more 
        participation?
    Answer. Response was not received at the time of publication.
    Question 3. How does DHS work with facilities to improve 
compliance?
    Answer. Response was not received at the time of publication.
       Question From Honorable Michael Guest for Nathan Anderson
    Question. How does the CFATS program account for vulnerability in 
its performance measures, and what is the program's methodology to 
improve security?
    Answer. In August 2018, we reported that DHS began development of a 
new methodology and performance measure for the CFATS program in 2016 
called the guidepost-based site security plan scoring methodology.\1\ 
DHS officials stated they planned to use the methodology to evaluate 
the security measures a facility implemented from initial state--when a 
facility submits its initial site security plan--to the facility's 
approved security plan. DHS officials stated the purpose of the 
methodology is to measure the increase in security attributed to the 
CFATS program and stated that the methodology is not intended to 
measure risk reduction.
---------------------------------------------------------------------------
    \1\ GAO, Critical Infrastructure Protection: DHS Should Take 
Actions to Measure Reduction in Chemical Facility Vulnerability and 
Share Information with First Responders, GAO-18-538 (Washington, DC: 
Aug. 8, 2018).
---------------------------------------------------------------------------
    We found that DHS's new methodology and performance measure for the 
CFATS program does not measure the program's impact on reducing a 
facility's vulnerability to an attack and that DHS could take steps to 
evaluate vulnerability reduction resulting from the CFATS compliance 
inspection process. We recommended that DHS incorporate vulnerability 
into the new methodology to help measure the reduction in the 
vulnerability of high-risk facilities to a terrorist attack, and use 
that data in assessing the CFATS program's performance in lowering risk 
and enhancing National security. DHS agreed and is taking steps to 
implement this recommendation. Specifically, in September 2018, DHS 
reported making progress towards the implementation of two new 
performance metrics by the end of the first quarter of fiscal year 
2019. DHS officials stated that these metrics should, among other 
things, evaluate the progress of individual facilities in enhancing 
their security and be used to demonstrate an increase in the security 
posture across the population of CFATS facilities. We are currently in 
the process of obtaining an update from DHS on the status of efforts to 
implement this recommendation.
     Questions From Ranking Member Mike Rogers for Nathan Anderson
    Question 1. In regards to access to information for first 
responders: What is the difference between ``did not use'' and ``did 
not have access to'' Chemical Vulnerability Information through the 
portal?
    Answer. In August 2018, we reported that while the Infrastructure 
Protection (IP) Gateway is a mechanism for sharing names and quantities 
of chemicals at CFATS high-risk facilities with first responders and 
emergency planners, we found it is not widely used by officials at the 
local level.\2\ For example, according to DHS, there were 14 accounts 
categorized at the local level whose access to the IP Gateway layer 
includes the names and quantities of chemicals at CFATS facilities. A 
local account indicates the individual with access is a county- or 
city-level employee or contractor.\3\ Additionally, while not 
generalizable to all Local Emergency Planning Committees (LEPCs), 
officials representing 7 of the 15 LEPCs we interviewed were not aware 
of the IP Gateway and officials representing 13 of the 15 LEPCs stated 
that they do not have access to CFATS information within the IP 
Gateway. Of the 13 officials that reported they did not have access, 11 
said that it would be helpful or critical to have access for several 
reasons. Specifically, officials representing these LEPCs stated that 
this information would assist them to better prepare and respond to 
incidents and help emergency planners prioritize the most critical 
sites among the thousands of facilities that they oversee. We 
recommended that DHS should take actions to encourage access to and 
wider use of the IP Gateway and explore other opportunities to improve 
information sharing with first responders and emergency planners. DHS 
concurred with this recommendation and reported in September 2018 that 
they are taking actions to implement it.
---------------------------------------------------------------------------
    \2\ GAO-18-538.
    \3\ Account requests for access to the IP Gateway are made via a 
web-based registration form that asks the individual requesting access 
to identify the type of employee they are. Options include: Federal, 
State, Local (City/County), and Tribal/Territory.
---------------------------------------------------------------------------
    Question 2. Of the first responders surveyed, how many of them 
failed to obtain statutorily-required training to review Chemical 
Vulnerability Information?
    Answer. We reported in August 2018 that CFATS data available in the 
IP Gateway includes, among other things, facility name, location, risk 
tier, and chemicals on-site and is accessible to authorized Federal and 
other State, local, Tribal, and territorial officials and responders 
with an established need to know, which is determined by DHS.\4\ We did 
not audit DHS officials nor the officials representing the 15 LEPCs we 
interviewed to determine if any of them failed to obtain statutorily-
required training to review Chemical Vulnerability Information.
---------------------------------------------------------------------------
    \4\ GAO-18-538.
---------------------------------------------------------------------------
    Question 3. Besides the Emergency Planning and Community Right to 
Know Act, first responders have access to chemical hazard information 
under the Clean Air Act's Risk Management Plan, the Toxic Release 
Inventory, Toxic Substances Control Act, and other Federal statutes. 
Did GAO ask the first responders if they used these authorities to 
obtain information necessary to respond to facilities?
    Answer. In August 2018, we reported that in our interviews with 15 
LEPCs--whose jurisdictions included 373 high-risk chemical facilities 
regulated by the CFATS program--we found that officials rely on 
information reported on chemical inventory forms required by the 
Emergency Planning and Community Right-to-Know Act of 1986 in order to 
prepare for and respond to incidents at CFATS facilities.\5\ While we 
interviewed officials to determine what Federal Government and other 
resources and information they have access to or may receive in order 
to prepare for or respond to an incident at chemical facilities in 
their area, we did not ask about each individual authority outlined 
above. Additionally, we did not review the extent to which the CFATS 
chemicals of interest are covered by the disclosure requirements 
outlined in the above-listed authorities.
---------------------------------------------------------------------------
    \5\ We interviewed officials representing 15 LEPCs out of more than 
3,000 known LEPCs. We selected LEPCs from different States to include 
counties with some of the highest number of facilities in each State. 
The number of high-risk CFATS facilities located in each LEPC ranges 
from a low of 11 to a high of 88 across our sample.
---------------------------------------------------------------------------

                                 [all]