Monday, November 30, 2009
DHS Holds Third SCC Meeting
Also on Tuesday, DHS announced that Secretary Napolitano will meet with leaders in New York later this week from the real estate, professional sports, financial, and media industries to discuss ways to jointly protect the nation's critical infrastructure.
Homeland Security Presidential Directive 7 (HSPD-7), released December 17, 2003, identified seventeen CIKR sectors: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems (including mass transit); and Water. An eighteenth CIKR, Critical Manufacturing, was formally established in 2008 by former DHS Secretary Michael Chertoff. The majority of the eighteen CIKRs are owned and operated by the private sector, creating a need for close collaboration between industry and DHS. SCCs from the CIKRs serve as coordinating entities.
Monday, November 23, 2009
DHS Announces 2010 Chemical Sector Security Summit
The annual Chemical Sector Security Summit is a chance for members of the security industry to network and share information with other professionals, as well as to ask questions specific to chemical security. In particular, DHS expects significant discussion surrounding the current version of the Chemical Facility Anti-Terrorism Standards (CFATS) as well as the future of chemical security, including the recent passage of H.R. 2868 by the House of Representatives. The Summit should be particularly important for those involved with corporate and facility security, health and safety, and the transportation of chemical products. Key topics of discussion will include:
- Agency Update on Chemical Security Regulations;
- Chemical Industry Resiliency;
- Cybersecurity; and
- Industry Practices
Thursday, November 19, 2009
TSA Proposes Aircraft Repair Station Security Rule
The FAA currently implements extensive safety requirements for both domestic and foreign aircraft repair stations. However, TSA recognizes the distinction between safety and security, and stated in its NPRM on Wednesday that:
supplementing [FAA's] requirements with specific security measures for both foreign and domestic repair stations would further reduce the likelihood that terrorists would be able to gain access to aircraft under repair . . . the importance of requiring all aircraft repair stations to have measures in place to prevent persons from commandeering, tampering, or sabotaging aircraft has increased . . Enhancement of repair station security will mitigate the potential threat that an aircraft could be used as a weapon or that an aircraft could be destroyed.Among other things, the proposed rule would:
- Require repair stations to adopt and carry out a "standard security program" issued by TSA;
- Require each security program to describe specific measures being implemented to 1) identify individuals with authorized access to the repair station, aircraft, and aircraft components; 2) control access to the repair station, aircraft, and aircraft components; 3) use escort measures for authorized visitors; 4) provide security awareness training to all employees; 5) verify employee background information; and 6) designate a security coordinator;
- Require repair stations to allow TSA and DHS officials to enter, inspect, audit, and test property, facilities, and records relevant to repair stations; and
- Amend 49 CFR Part 1520 to include repair station security programs as Sensitive Security Information (SSI).
TSA solicits comments to the NPRM, which must be submitted by January 19, 2010. Comments should be identified by Docket No. TSA-2004-17131, and may be submitted electronically using the Federal eRulemaking portal.
Wednesday, November 18, 2009
Cybersecurity Act Passes House Committee
Cybersecurity has become a major topic of concern among legislators and executive agencies in recent months. On Tuesday, the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security held a two-panel hearing called “Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace" to discuss the growing risk of cyber attacks. The first panel included representatives from the Department of Homeland Security (DHS), Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Department of Defense (DOD). The second panel included Senior Counsel of the Center for Democracy and Technology and the President of the Internet Security Alliance. During the hearing, Deputy Assistant Director of the FBI's Cyber Division, Steven Chabinsky, testified that:
the FBI is aware of and investigating individuals who are affiliated with or sympathetic to al-Qaeda who have recognized and discussed the vulnerabilities of the U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities . . . [I]t is worth remaining mindful that terrorists do not require long term, persistent network access to accomplish some or all of their goals. Rather, a compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks.Philip Reitinger, Deputy Under Secretary of DHS's National Protection and Programs Directorate, agreed, adding that gaps exist in current cybersecurity laws such that new and growing threats are not being addressed.
Members of the panels disagreed, however, on how to best address cybersecurity in new legislation. Larry Clinton of the Internet Security Alliance spoke out against federally-regulated cybersecurity measures at private businesses and in favor of market-based initiatives, stating that "[f]ederally-imposed mandates on the broad private sector will not work and will be seriously counterproductive to both our economic security and our national security." However, Larry Wortzel, Vice Chairman of the U.S.-China Economic and Security Review Commission, testified in favor of some federal mandates of private cybersecurity measures, supporting the position that the National Security Agency (NSA) - as opposed to some other federal agency - should be in charge of regulating cybersecurity, with assistance from DHS.
The Government Accountability Office (GAO) also submitted testimony to the subcommittee, pinpointing weaknesses in federal information system security controls at federal agencies and reiterating previously-made suggestions for cybersecurity improvements.
Tuesday, November 17, 2009
DHS Holds SCC Meeting, Launches New Critical Infrastructure Website
Also Tuesday, DHS launched a new website designed to increase public awareness of critical infrastructure security. Among other things, the new website provides publicly-accessible information regarding the need to safeguard the nation's critical infrastructure and key resources (CIKR), including potential vulnerabilities at chemical facilities and information about the National Response Framework.
Homeland Security Presidential Directive 7 (HSPD-7), released December 17, 2003, identified seventeen CIKR sectors: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems (including mass transit); and Water. An eighteenth CIKR, Critical Manufacturing, was formally established in 2008 by former DHS Secretary Michael Chertoff. The majority of the eighteen CIKRs are owned and operated by the private sector, creating a need for close collaboration between industry and DHS. SCCs from the CIKRs serve as coordinating entities.
Thursday, November 12, 2009
CFATS Facility Material Modifications
That being said, the term "material modification" is not as straightforward as it might seem.Material modifications can include a whole host of changes, and for that reason, the Department cannot provide an exhaustive list of material modifications. In general, though, DHS expects that material modifications would likely include changes at a facility to chemical holdings (including the presence of a new chemical, increased amount of an existing chemical, or the modified use of a given chemical) or to site physical configuration, which may (1) substantially increase the level of consequence should a terrorist attack or incident occur; (2) substantially increase a facility’s vulnerabilities from those identified in the facility’s Security Vulnerability Assessment; (3) substantially effect [sic] the information already provided in the facility’s Top-Screen submission; or (4) substantially effect [sic] the measures contained in the facility’s Site Security Plan.
Material Modifications Triggering Resubmission
Some changes at the facility are tied directly to the CFATS Appendix A Final Rule, which lists the Chemicals of Interest (COI) and their Screening Threshold Quantities (STQs) that trigger initial Top-Screen submission. These modifications would, undoubtedly, be considered "material," since they are tied directly to the initial CFATS trigger (i.e. the Top-Screen). For example, a facility that acquires a new COI at or above the requisite STQ has a "material modification" that triggers re-submission of its Top-Screen. Alternatively, a facility that reduces a COI below its STQ or eliminates a COI entirely has made a "material modification" that could act in its favor, and should re-submit its Top-Screen.
Potentially Material Modifications
Other potential modifications made at the facility, however, are less clear as to their materiality. In essence - what does "material" mean?
For example, a facility that stores 5,000,000 pounds of Methane, which is listed as a Release-Flammable COI, in below-ground tanks, responds to demand spikes by adding 250,000 additional pounds of Methane, for a total increase of 5%. Methane is the only COI stored by the facility. Is this a "material modification" as envisioned by DHS and CFATS? On the one hand, the facility is increasing the amount of Methane being stored, which reflects, as explained in the CFATS Preamble, an "increased amount of an existing chemical." On the other hand, the increase does not change the facility's initial storage of Methane at an amount significantly above the Appendix A STQ, which would arguably not substantially affect the facility's original Top-Screen and/or security vulnerability.
Another example of a facility modification that may or may not be considered "material" for purposes of 6 C.F.R. §27.210(d) is the replacement of one National Fire Protection Association (NFPA) 4 material with another NFPA 4 material, where all other factors (such as storage location, volume, facility security measures, etc.) remain the same.
Facility Compliance
In light of the gray areas surrounding "material modifications" and resubmission of Top-Screens, many companies may face facility-specific questions regarding modifications and whether they merit a new Top-Screen submission. To be on the safe side, facilities should err on the side of resubmission when in doubt. However, they should do so knowing that resubmission opens the door for resubmission of a new Security Vulnerability Assessment (SVA) and, possibly, resubmission and alteration of an already-approved Site Security Plan (SSP).
Wednesday, November 11, 2009
MTSA Provisions in H.R. 2868
Congress was concerned that, while MTSA does require general security measures for all covered maritime facilities, the specific security risks associated with high-risk chemical facilities are not adequately addressed in MTSA. Congress did recognize that significant security actions have been taken by such MTSA-regulated facilities; thus, special provisions were included in H.R. 2868 to address the coordination of CFATS and MTSA.
Regulation of Maritime Facilities
Section 2103(f)(1) of Title 1 of H.R. 2868 would give the DHS Secretary authorization to add coverage of maritime chemical facilities to the current CFATS regulations. The Secretary would be required to revise CFATS to provide for:
- Requiring MTSA chemical facilities to submit information to the Secretary to allow for determination of whether the facility is a covered, high-risk chemical facility and determination of the appropriate tier ranking for such covered facilities (§2103(f)(1)(A));
- Requiring covered facilities to update vulnerability assessments and facility security plans approved under MTSA regulations to “to ensure an equivalent level of security for substances of concern” (§2103(f)(1)(B));
- Providing that the fulfillment of the personnel surety requirements set forth in the MTSA regulations will satisfy the §2115 requirements of HR 2868 for MTSA covered facilities (§2103(f)(1)(C)); and
- Requiring covered facilities regulated under MTSA to “apply the information sharing and protection requirements in section 2110” (§2103(f)(1)(D)).
Coordination of Regulations
The House recognized that having two different security regulations affecting the same facility could cause some requirement conflicts and overlap. In order to avoid duplication and conflicts in security regulations, H.R. 2868 would require DHS's Office of Infrastructure Protection (the agency responsible for CFATS regulations) and the Coast Guard to “enter into a formal agreement detailing their respective roles and responsibilities” in the enforcement of the two regulations. See H.R. 2868 §2103(f)(1)(F)(i).
H.R. 2868 specifically requires that this agreement would specify which agency would be responsible for CFATS enforcement at MTSA-covered facilities. See H.R. 2868 §2103(f)(1)(F)(ii). This would include ensuring that vulnerability assessments and facility security plans are in compliance with CFATS standards as well as enforcing the information sharing and protection requirements of H.R. 2868 §2110.
Senate Action Required
H.R. 2868 has come farther than any other legislation in establishing comprehensive chemical security requirements, but it is not yet law. The Senate has yet to conduct any chemical facility security hearings in the current session; nor are there any companion bills that have been making their way through the legislative process. H.R. 2868 has been assigned to the Senate Committee on Homeland Security and Governmental Affairs for action.
There has not yet been any indication of how the Senate will deal with H.R. 2868's MTSA requirements. MTSA-covered facilities should continue to monitor the progress of this H.R. 2868 as it makes its way through the Senate.
Tuesday, November 10, 2009
Senate Homeland Security Committee Considers New TSA Administrator
The Committee on Tuesday also considered the nomination of Daniel Gordon as Administrator of the Office of Federal Procurement Policy (OFPP) at the Office of Management and Budget (OMB).
Homeland Security Advisory Council Announces December Teleconference
The HSAC advises DHS Secretary Janet Napolitano on homeland security matters. Members of HSAC include state and local government leaders, first responder communities, and individuals from the private sector and from academia. Secretary Napolitano created the Sustainability and Efficiency Task Force in June, in order to incorporate renewable resources and increased efficiency into DHS operations.
Sunday, November 8, 2009
H.R. 2868 Passes in the House
Chemical and Water Security Act
Two different version of H.R. 2868 had been reported by both the House Homeland Security and House Energy and Commerce committees. In the Rules Committee report, those two versions were reconciled in a new version of the bill offered by Chairmen Thompson, Waxman and Oberstar, along with a key sub-committee chair from each of their respective committees. Additionally, the provisions of H.R. 3258 were rolled into Title II of H.R. 2868 and H.R. 2883 provisions were added as Title III.
The Department of Homeland Security (DHS) continues to have primary enforcement authority for chemical facility security, which now includes chemical facilities covered under the Maritime Transportation Security Act (MTSA), while the Environmental Protection Agency (EPA) is given authority for regulating security at drinking water treatment facilities and waste water treatment works. The EPA is required to work with DHS in developing the chemical security portions of the water security regulations. This allows for similar chemical security regulations at all high-risk facilities.
The reconciled version of Title I was based on both reported versions of H.R. 2868. The bulk of the language came from the version reported by the Homeland Security Committee with refining language taken from the Energy and Commerce Committee version. The Energy and Commerce version did provide the basis for the Title I sections dealing with methods to reduce the consequences of a terrorist attack (H.R. 2868 §2111), background checks on covered individuals (H.R. 2868 §2115), and citizen involvement (H.R. §§2116, 2117), again with modifying language from the Homeland Security Committee version.
Floor Amendments
H.R. 2868 was considered on the House floor for over a two-day period. On Thursday, there were ninety minutes of general bill debate. On Friday, ten amendments were offered, debated, and voted upon. The Rules Committee allowed five amendments from both sides of the aisle. As expected, all five amendments offered by the Democrats passed, four of which passed on voice votes with no organized opposition.
Only one of the five amendments offered by Republican representatives passed. That amendment dealt with the employee training grants in §2103(g)(4), which requires that grants be awarded on a competitive basis and prohibits congressional earmarks in the grant process. The four amendments that failed were essentially repeats of amendments that had been submitted in markups in both the Homeland Security and the Energy and Commerce committees. One amendment attempted to replace Title I with a straight extension of the Chemical Facility Anti-Terrorism Standards (CFATS) for an additional two years (beyond the current one-year extension found in the Department of Homeland Security Appropriations Act of 2010). Other amendments would have struck provisions for inherently safer technology (IST) and citizen enforcement and would have strengthened the bill's Federal preemption provisions.
The amendments introduced by the Democrats were led by Chairman Thompson’s amendment to make H.R. 2868 editorial corrections, which was the only one that had to undergo a roll call vote. One of the voice-vote approved amendments required the appointment of a DHS official to liaise with the State and local officials impacted by chemical facility emergency response requirements. Another amendment required that DHS report to Congress on the affects of the IST provisions on agriculture facilities. The other two amendments requires DHS to consider the special circumstances faced by small businesses and academic labs when developing the supporting regulations.
Moving to the Senate
The Chemical and Water Facility Act now moves to the Senate for action. Both the Chair and Ranking Member of the Senate Committee on Homeland Security & Governmental Affairs have expressed interest in seeing the passage of comprehensive chemical facility security legislation during this session. At the least, there will certainly continue to be extensive debate on the IST and citizen enforcement provisions of H.R. 2868.