Monday, November 30, 2009

DHS Holds Third SCC Meeting

Posted by Roberts Law Group, PLLC at 3:49 PM 0 comments
Department of Homeland Security (DHS) Secretary Janet Napolitano on Tuesday held the last of a series of three meetings with members of the private sector in an effort to improve security of the nation's critical infrastructure. Leaders from several Sector Coordinating Councils (SCCs) were present, including those from the Information Technology, Communications, Manufacturing, Agriculture and Food, Defense Industrial Base, Dams, and Commercial Facilities Sectors. Secretary Napolitano asked members of the private sector for feedback on ways to improve public-private sector collaboration for the shared responsibility of protecting critical infrastructure and key resources (CIKR).

Also on Tuesday, DHS announced that Secretary Napolitano will meet with leaders in New York later this week from the real estate, professional sports, financial, and media industries to discuss ways to jointly protect the nation's critical infrastructure.

Homeland Security Presidential Directive 7 (HSPD-7), released December 17, 2003, identified seventeen CIKR sectors: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems (including mass transit); and Water. An eighteenth CIKR, Critical Manufacturing, was formally established in 2008 by former DHS Secretary Michael Chertoff. The majority of the eighteen CIKRs are owned and operated by the private sector, creating a need for close collaboration between industry and DHS. SCCs from the CIKRs serve as coordinating entities.

Monday, November 23, 2009

DHS Announces 2010 Chemical Sector Security Summit

Posted by Roberts Law Group, PLLC at 11:59 PM 0 comments
The Department of Homeland Security (DHS) on Monday announced its 2010 Chemical Sector Security Summit, to take place July 7 and 8 in Baltimore, Maryland. The summit is co-sponsored by DHS's Office of Infrastructure Protection and the Chemical Sector Coordinating Council.

The annual Chemical Sector Security Summit is a chance for members of the security industry to network and share information with other professionals, as well as to ask questions specific to chemical security. In particular, DHS expects significant discussion surrounding the current version of the Chemical Facility Anti-Terrorism Standards (CFATS) as well as the future of chemical security, including the recent passage of H.R. 2868 by the House of Representatives. The Summit should be particularly important for those involved with corporate and facility security, health and safety, and the transportation of chemical products. Key topics of discussion will include:
  • Agency Update on Chemical Security Regulations;
  • Chemical Industry Resiliency;
  • Cybersecurity; and
  • Industry Practices
Click here to sign up for DHS email notifications regarding the Summit.

Thursday, November 19, 2009

TSA Proposes Aircraft Repair Station Security Rule

Posted by Roberts Law Group, PLLC at 2:47 PM 0 comments
The Transportation Security Administration (TSA) on Wednesday published a Notice of Proposed Rulemaking (NPRM) in the Federal Register that would effect security regulations for domestic and foreign aircraft repair stations, as required by the Vision 100-Century of Aviation Reauthorization Act. The NPRM, published at 74 Fed. Reg. 59874-90, would amend 49 CFR Part 1520 and add new Part 1554, to establish security requirements for aircraft repair stations certified by the Federal Aviation Administration (FAA).

The FAA currently implements extensive safety requirements for both domestic and foreign aircraft repair stations. However, TSA recognizes the distinction between safety and security, and stated in its NPRM on Wednesday that:
supplementing [FAA's] requirements with specific security measures for both foreign and domestic repair stations would further reduce the likelihood that terrorists would be able to gain access to aircraft under repair . . . the importance of requiring all aircraft repair stations to have measures in place to prevent persons from commandeering, tampering, or sabotaging aircraft has increased . . Enhancement of repair station security will mitigate the potential threat that an aircraft could be used as a weapon or that an aircraft could be destroyed.
Among other things, the proposed rule would:
  • Require repair stations to adopt and carry out a "standard security program" issued by TSA;
  • Require each security program to describe specific measures being implemented to 1) identify individuals with authorized access to the repair station, aircraft, and aircraft components; 2) control access to the repair station, aircraft, and aircraft components; 3) use escort measures for authorized visitors; 4) provide security awareness training to all employees; 5) verify employee background information; and 6) designate a security coordinator;
  • Require repair stations to allow TSA and DHS officials to enter, inspect, audit, and test property, facilities, and records relevant to repair stations; and
  • Amend 49 CFR Part 1520 to include repair station security programs as Sensitive Security Information (SSI).
The proposed rule would exempt repair stations operating on a Federal government facility, and would require different security measures for repair stations located on or adjacent to airports from those located at off-airport locations. In order to conduct a security assessment prior to implementing the standard security program, TSA would require each regulated repair station to provide assessment information, including location information and employee number and aircraft access information.

TSA solicits comments to the NPRM, which must be submitted by January 19, 2010. Comments should be identified by Docket No. TSA-2004-17131, and may be submitted electronically using the Federal eRulemaking portal.

Wednesday, November 18, 2009

Cybersecurity Act Passes House Committee

Posted by Roberts Law Group, PLLC at 8:32 PM 0 comments
Members of Congress introduced legislation earlier this month that would address the increasing need for revamped cybersecurity measures in both the public sector and among industry. H.R. 4061, the Cybersecurity Enhancement Act of 2009, is actually a consolidated version of two separate Committee discussion drafts: the Cybersecurity Research and Development Amendments Act of 2009 and the Cybersecurity Coordination and Awareness Act of 2009. It was referred to the House Committee on Science and Technology on November 7 and passed the committee by a voice vote on Wednesday. The bill would extend and amend the Cyber Security Research and Development Act passed in 2002 to streamline federal investments in cybersecurity research and development. H.R. 4061 would also improve cybersecurity and technical standards in the workforce and encourage cybersecurity partnerships between the public and private sectors.

Cybersecurity has become a major topic of concern among legislators and executive agencies in recent months. On Tuesday, the Senate Committee on the Judiciary's Subcommittee on Terrorism and Homeland Security held a two-panel hearing called “Cybersecurity: Preventing Terrorist Attacks and Protecting Privacy in Cyberspace" to discuss the growing risk of cyber attacks. The first panel included representatives from the Department of Homeland Security (DHS), Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), and the Department of Defense (DOD). The second panel included Senior Counsel of the Center for Democracy and Technology and the President of the Internet Security Alliance. During the hearing, Deputy Assistant Director of the FBI's Cyber Division, Steven Chabinsky, testified that:
the FBI is aware of and investigating individuals who are affiliated with or sympathetic to al-Qaeda who have recognized and discussed the vulnerabilities of the U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities . . . [I]t is worth remaining mindful that terrorists do not require long term, persistent network access to accomplish some or all of their goals. Rather, a compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks.
Philip Reitinger, Deputy Under Secretary of DHS's National Protection and Programs Directorate, agreed, adding that gaps exist in current cybersecurity laws such that new and growing threats are not being addressed.

Members of the panels disagreed, however, on how to best address cybersecurity in new legislation. Larry Clinton of the Internet Security Alliance spoke out against federally-regulated cybersecurity measures at private businesses and in favor of market-based initiatives, stating that "[f]ederally-imposed mandates on the broad private sector will not work and will be seriously counterproductive to both our economic security and our national security." However, Larry Wortzel, Vice Chairman of the U.S.-China Economic and Security Review Commission, testified in favor of some federal mandates of private cybersecurity measures, supporting the position that the National Security Agency (NSA) - as opposed to some other federal agency - should be in charge of regulating cybersecurity, with assistance from DHS.

The Government Accountability Office (GAO) also submitted testimony to the subcommittee, pinpointing weaknesses in federal information system security controls at federal agencies and reiterating previously-made suggestions for cybersecurity improvements.

Tuesday, November 17, 2009

DHS Holds SCC Meeting, Launches New Critical Infrastructure Website

Posted by Roberts Law Group, PLLC at 11:19 PM 0 comments
Department of Homeland Security (DHS) Secretary Janet Napolitano on Tuesday held the first of a series of three meetings with members of the private sector in an effort to improve security of the nation's critical infrastructure. Leaders from several Sector Coordinating Councils (SCCs) were present, including those from the Energy, Nuclear, Water, and Chemical Sectors.

Also Tuesday, DHS launched a new website designed to increase public awareness of critical infrastructure security. Among other things, the new website provides publicly-accessible information regarding the need to safeguard the nation's critical infrastructure and key resources (CIKR), including potential vulnerabilities at chemical facilities and information about the National Response Framework.

Homeland Security Presidential Directive 7 (HSPD-7), released December 17, 2003, identified seventeen CIKR sectors: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems (including mass transit); and Water. An eighteenth CIKR, Critical Manufacturing, was formally established in 2008 by former DHS Secretary Michael Chertoff. The majority of the eighteen CIKRs are owned and operated by the private sector, creating a need for close collaboration between industry and DHS. SCCs from the CIKRs serve as coordinating entities.

Thursday, November 12, 2009

CFATS Facility Material Modifications

Posted by Roberts Law Group, PLLC at 11:23 AM 0 comments
In the Chemical Facility Anti-Terrorism Standards (CFATS) Final Rule, published at 6 CFR Part 27, the Department of Homeland Security (DHS) requires covered facilities to submit a revised Top-Screen within sixty days of any "material modification [made] to its operations or site." DHS will then "notify the covered facility as to whether the covered facility must submit a revised Security Vulnerability Assessment, Site Security Plan, or both." 6 C.F.R. §27.210(d). DHS does not, however, provide a definition of "material modification." In the preamble to CFATS, DHS addressed one commenter's request for such a definition, replying with an explanation that:

Material modifications can include a whole host of changes, and for that reason, the Department cannot provide an exhaustive list of material modifications. In general, though, DHS expects that material modifications would likely include changes at a facility to chemical holdings (including the presence of a new chemical, increased amount of an existing chemical, or the modified use of a given chemical) or to site physical configuration, which may (1) substantially increase the level of consequence should a terrorist attack or incident occur; (2) substantially increase a facility’s vulnerabilities from those identified in the facility’s Security Vulnerability Assessment; (3) substantially effect [sic] the information already provided in the facility’s Top-Screen submission; or (4) substantially effect [sic] the measures contained in the facility’s Site Security Plan.

That being said, the term "material modification" is not as straightforward as it might seem.

Material Modifications Triggering Resubmission
Some changes at the facility are tied directly to the CFATS Appendix A Final Rule, which lists the Chemicals of Interest (COI) and their Screening Threshold Quantities (STQs) that trigger initial Top-Screen submission. These modifications would, undoubtedly, be considered "material," since they are tied directly to the initial CFATS trigger (i.e. the Top-Screen). For example, a facility that acquires a new COI at or above the requisite STQ has a "material modification" that triggers re-submission of its Top-Screen. Alternatively, a facility that reduces a COI below its STQ or eliminates a COI entirely has made a "material modification" that could act in its favor, and should re-submit its Top-Screen.

Potentially Material Modifications
Other potential modifications made at the facility, however, are less clear as to their materiality. In essence - what does "material" mean?

For example, a facility that stores 5,000,000 pounds of Methane, which is listed as a Release-Flammable COI, in below-ground tanks, responds to demand spikes by adding 250,000 additional pounds of Methane, for a total increase of 5%. Methane is the only COI stored by the facility. Is this a "material modification" as envisioned by DHS and CFATS? On the one hand, the facility is increasing the amount of Methane being stored, which reflects, as explained in the CFATS Preamble, an "increased amount of an existing chemical." On the other hand, the increase does not change the facility's initial storage of Methane at an amount significantly above the Appendix A STQ, which would arguably not substantially affect the facility's original Top-Screen and/or security vulnerability.

Another example of a facility modification that may or may not be considered "material" for purposes of 6 C.F.R. §27.210(d) is the replacement of one National Fire Protection Association (NFPA) 4 material with another NFPA 4 material, where all other factors (such as storage location, volume, facility security measures, etc.) remain the same.

Facility Compliance
In light of the gray areas surrounding "material modifications" and resubmission of Top-Screens, many companies may face facility-specific questions regarding modifications and whether they merit a new Top-Screen submission. To be on the safe side, facilities should err on the side of resubmission when in doubt. However, they should do so knowing that resubmission opens the door for resubmission of a new Security Vulnerability Assessment (SVA) and, possibly, resubmission and alteration of an already-approved Site Security Plan (SSP).

Wednesday, November 11, 2009

MTSA Provisions in H.R. 2868

Posted by Roberts Law Group, PLLC at 9:57 AM 2 comments
When the House of Representatives passed H.R. 2868 last week, one of the objectives was to correct the perceived deficiencies in the current Chemical Facility Anti-Terrorism Standards (CFATS), published at 6 CFR Part 27. One specific shortcoming addressed in H.R. 2868 was the removal of the CFATS exemption for facilities covered under the Maritime Transportation Security Act (MTSA). H.R. 2868, as passed in the House, would specifically cover chemical facilities required to submit an MTSA facility security plan, pursuant to Section 70103(c) of Title 46 of the U.S. Code.

Congress was concerned that, while MTSA does require general security measures for all covered maritime facilities, the specific security risks associated with high-risk chemical facilities are not adequately addressed in MTSA. Congress did recognize that significant security actions have been taken by such MTSA-regulated facilities; thus, special provisions were included in H.R. 2868 to address the coordination of CFATS and MTSA.

Regulation of Maritime Facilities

Section 2103(f)(1) of Title 1 of H.R. 2868 would give the DHS Secretary authorization to add coverage of maritime chemical facilities to the current CFATS regulations. The Secretary would be required to revise CFATS to provide for:

  • Requiring MTSA chemical facilities to submit information to the Secretary to allow for determination of whether the facility is a covered, high-risk chemical facility and determination of the appropriate tier ranking for such covered facilities (§2103(f)(1)(A));

  • Requiring covered facilities to update vulnerability assessments and facility security plans approved under MTSA regulations to “to ensure an equivalent level of security for substances of concern” (§2103(f)(1)(B));

  • Providing that the fulfillment of the personnel surety requirements set forth in the MTSA regulations will satisfy the §2115 requirements of HR 2868 for MTSA covered facilities (§2103(f)(1)(C)); and

  • Requiring covered facilities regulated under MTSA to “apply the information sharing and protection requirements in section 2110” (§2103(f)(1)(D)).

Coordination of Regulations

The House recognized that having two different security regulations affecting the same facility could cause some requirement conflicts and overlap. In order to avoid duplication and conflicts in security regulations, H.R. 2868 would require DHS's Office of Infrastructure Protection (the agency responsible for CFATS regulations) and the Coast Guard to “enter into a formal agreement detailing their respective roles and responsibilities” in the enforcement of the two regulations. See H.R. 2868 §2103(f)(1)(F)(i).

H.R. 2868 specifically requires that this agreement would specify which agency would be responsible for CFATS enforcement at MTSA-covered facilities. See H.R. 2868 §2103(f)(1)(F)(ii). This would include ensuring that vulnerability assessments and facility security plans are in compliance with CFATS standards as well as enforcing the information sharing and protection requirements of H.R. 2868 §2110.

Senate Action Required

H.R. 2868 has come farther than any other legislation in establishing comprehensive chemical security requirements, but it is not yet law. The Senate has yet to conduct any chemical facility security hearings in the current session; nor are there any companion bills that have been making their way through the legislative process. H.R. 2868 has been assigned to the Senate Committee on Homeland Security and Governmental Affairs for action.

There has not yet been any indication of how the Senate will deal with H.R. 2868's MTSA requirements. MTSA-covered facilities should continue to monitor the progress of this H.R. 2868 as it makes its way through the Senate.

Tuesday, November 10, 2009

Senate Homeland Security Committee Considers New TSA Administrator

Posted by Roberts Law Group, PLLC at 2:45 PM 0 comments
The Senate Committee on Homeland Security and Governmental Affairs on Tuesday considered the nomination of Erroll Southers as the next Administrator of the Transportation Security Administration (TSA). Southers, who currently serves as Assistant Chief of Homeland Security and Intelligence at Los Angeles World Airports, would replace current Acting Administrator Gale Rossides. On Tuesday, Senator Joe Lieberman (ID-Conn.) recognized the improvements TSA has made since the September 11 attacks to strengthen security at airports, but commented on the need for TSA to "make more progress on increasing the security of other forms of transportation, particularly for mass transit and railways." Lieberman praised the nomination of Southers, noting his nearly three decades of experience working in public safety, homeland security, and intelligence.

The Committee on Tuesday also considered the nomination of Daniel Gordon as Administrator of the Office of Federal Procurement Policy (OFPP) at the Office of Management and Budget (OMB).

Homeland Security Advisory Council Announces December Teleconference

Posted by Roberts Law Group, PLLC at 10:51 AM 0 comments
The Department of Homeland Security (DHS) announced Tuesday in the Federal Register that its Homeland Security Advisory Council (HSAC) will hold a teleconference meeting on December 4, 2009, in order to review findings and recommendations made by its Sustainability and Efficiency Task Force. All members of the public are welcome to join by dialing into the teleconference, which will take place from 3PM to 4PM EST. Any written comments submitted by the public before the meeting must be received by November 30, 2009.

The HSAC advises DHS Secretary Janet Napolitano on homeland security matters. Members of HSAC include state and local government leaders, first responder communities, and individuals from the private sector and from academia. Secretary Napolitano created the Sustainability and Efficiency Task Force in June, in order to incorporate renewable resources and increased efficiency into DHS operations.

Sunday, November 8, 2009

H.R. 2868 Passes in the House

Posted by Roberts Law Group, PLLC at 1:40 PM 0 comments
Late Friday afternoon, the House of Representatives passed H.R. 2868, The Chemical and Water Security Act, in a vote divided along party lines. The version of the bill that made its way to the House floor included provisions for chemical facility security, drinking water facility security, and security at waste water treatment works. The bill provides for comprehensive chemical security provisions at all three types of facilities while also addressing the unique security requirements for the water facilities.

Chemical and Water Security Act

Two different version of H.R. 2868 had been reported by both the House Homeland Security and House Energy and Commerce committees. In the Rules Committee report, those two versions were reconciled in a new version of the bill offered by Chairmen Thompson, Waxman and Oberstar, along with a key sub-committee chair from each of their respective committees. Additionally, the provisions of H.R. 3258 were rolled into Title II of H.R. 2868 and H.R. 2883 provisions were added as Title III.

The Department of Homeland Security (DHS) continues to have primary enforcement authority for chemical facility security, which now includes chemical facilities covered under the Maritime Transportation Security Act (MTSA), while the Environmental Protection Agency (EPA) is given authority for regulating security at drinking water treatment facilities and waste water treatment works. The EPA is required to work with DHS in developing the chemical security portions of the water security regulations. This allows for similar chemical security regulations at all high-risk facilities.

The reconciled version of Title I was based on both reported versions of H.R. 2868. The bulk of the language came from the version reported by the Homeland Security Committee with refining language taken from the Energy and Commerce Committee version. The Energy and Commerce version did provide the basis for the Title I sections dealing with methods to reduce the consequences of a terrorist attack (H.R. 2868 §2111), background checks on covered individuals (H.R. 2868 §2115), and citizen involvement (H.R. §§2116, 2117), again with modifying language from the Homeland Security Committee version.

Floor Amendments

H.R. 2868 was considered on the House floor for over a two-day period. On Thursday, there were ninety minutes of general bill debate. On Friday, ten amendments were offered, debated, and voted upon. The Rules Committee allowed five amendments from both sides of the aisle. As expected, all five amendments offered by the Democrats passed, four of which passed on voice votes with no organized opposition.

Only one of the five amendments offered by Republican representatives passed. That amendment dealt with the employee training grants in §2103(g)(4), which requires that grants be awarded on a competitive basis and prohibits congressional earmarks in the grant process. The four amendments that failed were essentially repeats of amendments that had been submitted in markups in both the Homeland Security and the Energy and Commerce committees. One amendment attempted to replace Title I with a straight extension of the Chemical Facility Anti-Terrorism Standards (CFATS) for an additional two years (beyond the current one-year extension found in the Department of Homeland Security Appropriations Act of 2010). Other amendments would have struck provisions for inherently safer technology (IST) and citizen enforcement and would have strengthened the bill's Federal preemption provisions.

The amendments introduced by the Democrats were led by Chairman Thompson’s amendment to make H.R. 2868 editorial corrections, which was the only one that had to undergo a roll call vote. One of the voice-vote approved amendments required the appointment of a DHS official to liaise with the State and local officials impacted by chemical facility emergency response requirements. Another amendment required that DHS report to Congress on the affects of the IST provisions on agriculture facilities. The other two amendments requires DHS to consider the special circumstances faced by small businesses and academic labs when developing the supporting regulations.

Moving to the Senate

The Chemical and Water Facility Act now moves to the Senate for action. Both the Chair and Ranking Member of the Senate Committee on Homeland Security & Governmental Affairs have expressed interest in seeing the passage of comprehensive chemical facility security legislation during this session. At the least, there will certainly continue to be extensive debate on the IST and citizen enforcement provisions of H.R. 2868.