You are here
(Editor’s Note: 3E is expanding news coverage to provide customers with insights into topics that enable a safer, more sustainable world by protecting people, safeguarding products, and helping businesses grow. Deep Dive articles, produced by reporters, feature interviews with subject matter experts and influencers as well as exclusive analysis provided by 3E researchers and consultants.)
As global geopolitical tensions escalate and risks posed by cyberattacks and other threats to the global supply chain increase, leaders of chemical industry associations are pushing to revive a 15-year-old regulatory framework designed to prevent the weaponization of hazardous chemicals.
The Chemical Facility Anti-Terrorism Standards (CFATS) program, which regulated covered chemical facilities for security, was sunset on 28 July 2023 after Congress allowed its statutory program authorization to expire. The program was the nation's first to focus on security at high-risk chemical facilities and has mostly enjoyed bipartisan support in Congress, as well as among industry groups that typically advocate for a more hands-off regulatory approach.
“When industry and the federal government get together and essentially agree on a common thread, which is the CFATS program, it’s almost historic,” said Alliance for Chemical Distribution (ACD) President Eric Byer during a 16 January 2024 media briefing. “You don’t see small businesses, or any businesses, sitting there saying, ‘we want to be regulated.’ Yet here we are, having successfully seen the program reauthorized four times over the last [16] years to say, ‘Look, this is a program that is a real benefit not only to our member companies but also to the customers and end-users in conjunction with the inspectors and CFATS personnel under [the U.S. Department of Homeland Security (DHS)].’ That can’t be understated.”
Building the Foundation
CFATS was launched as a result of the Homeland Security Act of 2002, which led to the creation of the Department of Homeland Security as a cabinet-level department the following year. The terrorist attacks of 11 September 2001 led to increased scrutiny over the potential weaponization of chemicals, and the CFATS interim final rule was published 9 April 2007.
The CFATS Act of 2014 (H.R. 4007) directed the DHS Secretary to establish an outreach implementation plan in coordination with relevant federal and state agencies, business associations, and public and private labor organizations. This included establishing risk-based performance standards, security vulnerability assessments, site security plans, and audits and inspections.
The CFATS program has received bipartisan support in the past. The American Chemistry Council (ACC) and its members are long-time supporters of CFATS because they view it as critical to the security of their industry and the nation.
“[CFATS] is not overly prescriptive,” ACC spokesperson Scott Jensen said. “It sets up the performance standards and allows you to figure out how you’re going to achieve the goals that have been set out by CFATS. That flexibility is one of its strengths.”
With the CFATS authorization expired for almost half a year, a renewed reauthorization push has made its way to Congress. The House passed a bill (H.R. 4470) sponsored by Rep. Laurel Lee (R-Fla.) on 25 July 2023 on a 409-1 vote that would extend the authorization for two years. However, a companion Senate bill (S. 2499) did not advance past introduction.
U.S. Senators Gary Peters (D-MI), Chairman of the Homeland Security and Governmental Affairs Committee (HSGAC), and other key members such as Shelley Moore Capito (R-WV), Tom Carper (D-DE), and James Lankford (R-OK) have all voiced their support for restoring the program.
However, the Senate left for its August recess without first taking up House legislation to reauthorize the CFATS. A roadblock for its reinstatement is Sen. Rand Paul (R-Ky.), the ranking member of the committee, who has been a consistent “no” vote on several cybersecurity proposals, arguing in the Senate chamber in July 2023 that CFATS placed an undue burden on smaller companies. He also said the program was inefficient and redundant, citing a 2021 audit from the U.S. Government Accountability Office (GAO).
Byer said Paul’s opposition to CFATS is harmful and that many of ACD’s members are smaller companies that support reauthorizing the chemical screening program.
“In fact, 98% of our members are quintessential SBA-definition small businesses,” Byer said. “One of the huge values of this program has always been the fact that there was always a touch point within the CFATS staff to have our members reach out to them if they have concerns about security, about working with the terrorist screening database, all of those invaluable components of the CFATS program that expired back in July and that they really have not had access to.”
Adapting to a New Regulatory Environment
Caitlin Durkovich, senior director for resilience and response at the National Security Council, said reauthorizing CFATS was one of the White House’s “highest legislative priorities.”
Kelly Murray, the associate director for chemical security at the Cybersecurity and Infrastructure Security Agency (CISA) who helped develop and implement the CFATS program, said the six-month lapse presents several challenges that have put the agency closer to a year behind its targets, having missed more than 900 inspections, leaving 300 facilities without adequate screening measures.
“Our nation was more secure when CFATS was in place,” Murray said.
CFATS resulted in a 60% increase in security at chemical facilities, according to a DHS study Murray cited.
Without the CFATS program, experts say, there will be several gaps in enforcement, including things like inadequate security controls, an inability to detect intruders, insufficient access controls, inadequate security training, and insufficient cybersecurity patching and vulnerability scanning. The loss of CFATS creates immediate risks and problems by limiting the ability to vet personnel, increasing exposure to cyber threats, and opening the door to a patchwork of incompatible federal and state regulations.
ACC’s Chris Jahn said that industry partners can no longer vet against the FBI’s watchlist during the lapse.
While CISA cannot enforce CFATS, there are appropriations in place that have allowed CFATS employees to work on other chemical security projects within CISA, Murray added. She also noted that she was concerned about employee turnover and staffing if CFATS were to be reimplemented.
Despite the fact that companies no longer are required to comply with CFATS due to the lapse in authorization, Murray said some companies continue to demonstrate their interest in remaining in compliance with the best practices established by the CFATS program by finding creative solutions such as switching from a bleach alternative solution to a purer form of chlorine, for example.
Both Murray and Byer underscored the support from local law enforcement and first responders for CFATS and its emergency preparedness and safety initiatives.
“It is critical we get this program back online,” Byer said. “The first responders want this program. [Law enforcement and fire departments] participating in the CFATS program, along with our members and DHS, is a huge service. They all get on the same page in understanding the layout of warehouses, where chemicals are, and making sure that things like breakaway doors are in place versus not. All of these things are so critical to the nature of what we do within CFATS.”
About the author: Stefan Modrich is a Washington, D.C.- based reporter for 3E. He covers the latest developments in environmental health and safety policy and regulation. Modrich previously wrote for S&P Global Market Intelligence, The Arizona Republic and Chicago Tribune. He is an alumnus of Arizona State University and the University of Zagreb.
Top