Chemical Security Legislation: First Steps Towards CFATS Reauthorization
Last week, the Senate took the first step towards reauthorizing the Chemical Facility Anti-Terrorism Standards (CFATS) program, which is set to expire on January 19, 2019. The big question on everyone’s mind is what’s in it? How will it impact the current program and will there be enough time to reauthorized the program before it expires?
To start, Sen. Johnson (R-Wis.), chairman of the Senate Homeland Security and Governmental Affairs Committee introduced (S.3405) the “Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2018”. “This bill reauthorizes the CFATS program, which regulates ‘high-risk’ chemical facilities to reduce the risk of terrorist attacks” said Johnson.
The legislation contains many impactful changes to the current program, including:
The elimination of the cyber provision (RBPS-8)
The CFATS Recognition Program (Think OSHA’s VPP Program but for Security)
Personnel Surety Program limitation to Tier 3s and 4s
The Expedited Approval Program (that is used by less than 7 facilities)
Changes to Appendix A (or lack thereof)
Limitation of the frequency of inspections (and unintended consequences)
Small covered facilities – (reduction in cyber coverage)
Adaptation to regulated explosive materials (examining the duplicity)
Performance reporting / 3rd party studies (the catch 22)
DHS/CFATS assistance for small businesses
Measured outreach: Ensuring Quality over Quantity
Gasoline terminal issues
GAO report issues
I will be analyzing a couple of these above provisions, but this will take some time to dig into the details.
PJ Coyle recommended that cyber should be not be removed from the CFATS program in his blog post “Sen Johnson Proposes Gutting Cybersecurity Provisions of CFATS Program” Personally, I see no reason to remove the cyber component from the program, especially given Sen. Johnson’s CFATS/cyber stance during the 2014 reauthorization. Additionally, given the growing threat of cyber there’s no voluntary assistance for smaller businesses contained in the bill that would replace the removal. The non-prescriptive nature of Risk Based performance 8: Cyber might not be wildly beneficial to larger companies with robust cyber capabilities, but it does guide smaller owners and operators towards overall cyber risk management.
Further, there was no push towards the “framework” in the legislation. Currently there is broad consensus in the chemical sector that the joint industry-National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the Framework) is a sound baseline for businesses’ cyber practices. However, the legislation was silent to that regard.
At the very least, Public-private response coordination could be tightening. I would emphasize the delineation of roles and responsibilities. The U.S. Chamber wrote a good article describing the details on this topic. These types of initiatives could be codified in CFATS, without hesitation.
In sum, voluntary efforts do have their advantages to prescriptive cyber regulations and legislation, but here the “Risk Base Performance Measure 8: Cyber” is purposefully broad and intended to guide the industry. There are other programs that fill the gaps in terms of cyber, but there no reason for elimination. If rising tides lift all ships, then we should reconsider keeping this cyber in future reauthorizations.