Resilience in a Time of Uncertainty: National Chemical Security During the CFATS Lapse
November is a big month for Cybersecurity and Infrastructure Security Agency (CISA) Chemical Security every year. It marks the anniversaries of CISA’s two cornerstone chemical security programs, as well as the anniversary of CISA as an organization, and it is also the nation’s Critical Infrastructure Security and Resilience Month. Under normal circumstances, the CISA Chemical Security team is hard at work every November celebrating the annual accomplishments of our teammates, developing strategic plans for the coming year, and setting new programmatic milestones to keep the American people safe and secure from the threat of chemical terrorism.
But 2023 is not a normal November for CISA Chemical Security. This summer, Congress allowed the Chemical Facility Anti-Terrorism Standards (CFATS) program’s statutory authority to expire, leaving our nation without a regulatory chemical security program for the first time in 15 years. Rather than celebrating the program’s 16th anniversary Nov. 20, we are facing a more somber milestone: today marks four months since the expiration of the CFATS program.
As we call on all Americans to Resolve to be Resilient, we are also testing our own resilience within the CISA Chemical Security family. CISA continues to urge Congress to reauthorize the CFATS program. CFATS provides essential resilience for the chemical industry by enabling chemical facility owners and operators to understand the risks associated with their chemical security holdings, develop site security plans and programs, conduct site inspections, coordinate with local law enforcement and first responders, and continue to reevaluate each facility’s security posture based on changes in its chemical holdings and threat nexus. We at CISA follow our own advice: we believe in putting the right security plans and countermeasures in place before an incident occurs to reduce the risk of incidents occurring and improving resilience during and after incidents to reduce the impact on our communities and our nation. You can learn more about these security and resilience principles through CISA’s Shields Ready campaign, which includes four key pillars:
Identifying Critical Assets
Through CFATS, CISA screened more than 40,000 chemical facilities, identified 3,200 of those sites as high-risk, and worked with those facilities to understand the risks posed by their chemical holdings and develop appropriate security plans. CISA was constantly monitoring the landscape of dangerous chemicals across the nation as individual facilities tiered in and out of the program based on increases or decreases in these chemical holdings. Without CFATS, our agency no longer has an accurate national profile of the locations of these dangerous chemicals. We estimate that over the past four months, a minimum of 200 new chemical facilities have already acquired dangerous chemicals that ought to be more carefully secured; other facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation.
The ability to screen personnel is an essential component of security when a chemical facility is deciding whether to grant an employee unescorted access to dangerous chemicals or critical assets. Under CFATS’s Personnel Surety Program, chemical facilities could submit names of personnel with or seeking access to dangerous chemicals and critical assets; CISA would then vet those names against the Terrorist Screening Database. As of July 2023, CISA was conducting terrorist vetting on an average of 9,000 names per month. Based on this rate of vetting, CISA estimates that in the past four months, facilities have had to make decisions on granting access to about 36,000 employees without their being vetted beforehand by CISA for terrorist ties. Prior to the lapse in authority, CFATS identified more than 10 individuals with possible ties to terrorism over the lifetime of the Personnel Surety Program. Given that rate of vetting, CISA likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months. We cannot sound the alarm loudly enough: every day this program is offline is too long.
Under CFATS, chemical facilities were required to develop site-specific security plans to mitigate the risks associated with possession of dangerous chemicals. Without CFATS, we cannot inspect high-risk sites or assist these facilities with security planning efforts unless they approach the agency voluntarily for an assessment via the ChemLock program. We were conducting an average of 160 site inspections every month under CFATS; of those, more than a third identified security gaps, which were then added to site security plans for remediation. We can safely estimate that hundreds of security gaps have gone unidentified since July, meaning that chemical facilities are operating with no knowledge of these gaps or guidance on how to address them.
CISA Chemical Security and the high-risk facilities previously regulated by CFATS worked together to ensure continuous improvement and adapt to the changing threat environment. Through regular and recurring CFATS compliance inspections, we were able to provide lessons learned and best practices to address emerging threats and challenges and, based on the performance-based nature of the regulation, require facilities to amend security plans to account for these risks. This, in conjunction with updated guidance and resources, helped to ensure continuous growth in the chemical security community. Prior to the lapse in authority, this process was going to be further enhanced by a proposed rulemaking effort to enhance the physical and cybersecurity standards required of CFATS.
For facilities, the steady continuity of the CFATS program meant that they could project their security budgets years in advance; this is why CISA has traditionally supported long-term program reauthorization. Reliable and reasonable regulation bolsters resilience by allowing industry to make wise choices and build security into their budgets. Suddenly allowing the program to expire with no alternative in place has already led to confusion and concern across the chemical industry, reducing the chemical sector’s resilience in the face of an ever-changing threat landscape.
For CISA Chemical Security, resilience means showing up to work, day after day, determined to keep dangerous chemicals out of the hands of terrorists by fighting for the reauthorization of CFATS and doing everything that we can on a voluntary basis in the meantime. Our staff have been unwavering in their dedication to the chemical security mission. While the CFATS program is lapsed, we continue to offer expertise to chemical facilities on a voluntary basis through the ChemLock program, which is available to any facility with dangerous chemicals regardless of whether they were previously tiered under CFATS. Inspectors nationwide continue to offer on-site assessments and assistance, which chemical facilities may request via the ChemLock Services Request Form on the ChemLock homepage. Let me be clear, however: while the voluntary ChemLock program complements the CFATS program, it is in no way a replacement for CFATS.
We know the threat of chemical terrorism did not go away simply because the CFATS program expired. We know the best practices to protect dangerous chemicals against terrorist exploitation still work, and we continue to strive to share that knowledge with the chemical industry via the ChemLock program on a voluntary basis. But as we ask the nation to reflect on its security posture and Resolve to #BeResilient, we must face the fact that the absence of the CFATS program is a national security gap too great to ignore. As we call on the American people to examine the resiliency plans for the critical infrastructure that supports our everyday lives, we at CISA also call on Congress to reauthorize CFATS as a pillar of security and resilience for the nation’s chemical sector. This is a resolution we cannot afford to break.
To stay up to date about CISA’s chemical security programs, be sure to follow CISA on Twitter and LinkedIn, and follow the hashtags #CFATS and #ReauthorizeCFATS for the latest news about CFATS reauthorization.