Compliance scorecard

April 28, 2010
CFATS continued

In November, the U.S. House of Representatives passed H.R.2868, the Chemical and Water Security Act of 2009. As of this writing, the Act is in committee in the Senate and may or may not come out. A bipartisan group of senators has already announced separate legislation, which has been referred to as the "Continuing Chemical Facilities Antiterrorism Security (CFATS) Act" (S.2996), that it says addresses some of the "problems" inherent in the House version. It is currently unclear how or whether the two bills will be reconciled, but chemical, water and wastewater facilities, as well as other facilities subject to CFATS, should pay attention.

Both of these bills would basically extend the Department of Homeland Security's Chemical Facility Anti-Terrorism Standards (CFATS) program. Through CFATS, DHS screens facilities to identify those that deal with "chemicals of interest," ranks them into one of four tiers according to the level of risk they present, and then requires them to complete risk assessments that must be approved by DHS. They must then develop security plans that specifically address the vulnerabilities they have identified; these plans must in turn be approved and must then be implemented on an approved schedule. DHS is responsible for inspection and monitoring. So far, both bills seem to agree that this process needs to continue; however, they agree on little else.

H.R. 2868, according to co-sponsor Rep. Ed Markey (D-Mass.), seeks to close "several glaring security loopholes" in the 2006 legislation that created CFATS, including the exemption of water facilities, and the fact that it prevented DHS from requiring specific security measures at specific facilities.

This House bill places water and wastewater facilities under CFATS-like requirements (including the risk-based tiering system, mandatory assessments and site security plans, and risk-based performance standards), with the authority for enforcement falling on the Environmental Protection Agency. Because water facilities handle many chemicals of interest, such as chlorine, and tampering could endanger whole communities at a time, the bill's authors felt they should be regulated with the same rigor as the chemicals industry.

H.R. 2868 will apply to public water systems serving a population greater than 3,300 and wastewater treatment facilities that treat at least 2.5 million gallons per day. Those thresholds are relatively low, and according to John Piper, risk and security consultant and subject matter expert faculty for the Security Executive Council, the passage of such requirements would leave many in the water and wastewater industry in shock. "Many facilities in these sectors have no security at all. Under this law, if it passes, they are going to have to protect their sites, based on their tier designations, at the same level that the bigger chemical facilities must do," he says.
"They will be expected to have access control, alarm systems and even cyber security. Your unwitting local municipality will see this jump into their inbox like a B-52. It would be a huge and expensive undertaking."

It is actually another part of the House bill that has raised the ire of some in the Senate: it opens up the door for DHS to require Tier 1 and Tier 2 facilities to implement specific "methods to reduce the consequences of a terrorist attack" that DHS deems necessary based on the facilities' assessments. Senator Susan Collins (R-ME) sponsored S.2996 in part to quash this possibility. Sen. Collins claimed that allowing the government to mandate what she calls "Inherently Safer Technology (IST)" could actually increase the security threat. In statements on the Senate floor, she said, "The decision to implement IST should be that of the owner or operator - not a Washington bureaucrat."

All organizations that deal with chemicals of interest in any quantity should keep an eye on this legislative battle and make their voices heard.
Marleah Blades is senior editor for the Security Executive Council, a problem-solving research and services organization that involves a wide range of risk management decision makers. Its community includes forward-thinking practitioners, agencies, universities, NGOs, innovative solution providers, media companies and industry groups. Backed by a Faculty of more than 100 successful current and former security executives, the Council creates groundbreaking Collective Knowledge(tm) research, which is used as an essential foundation for its deliverables. For more information about the Council, visit www.securityexecutivecouncil.com/?sourceCode=std.