The U.S. Government Accountability Office (GAO) has just issued a report on Critical Infrastructure Protection with a finding that Department of Homeland Security (DHS) action is needed to verify chemical facility information and to better manage its compliance process. Report to Congress, GAO-15-614 (July 2015).

Risk Level for Facilities

The Report states that since 2007, DHS has identified and collected information from approximately 37,000 chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) program, and categorized approximately 2,900 of those as high-risk based on the collected data. The Report indicates, though, that DHS had used unverified and self-reported data to categorize the risk level for facilities evaluated for a toxic release threat. DHS defined a toxic release as one where if released, the chemicals could harm the surrounding populations.

One key input for determining a facility’s toxic release threat is the “Distance of Concern” that facilities report. That distance would be the area in which exposure to a toxic chemical cloud could cause serious injury or fatalities from short-term exposure. DHS required facilities to calculate the distance using a web-based tool and by following DHS guidance.

Following the DHS guidance and using a generalizable sample of facility-reported data in the DHS database, the GAO “estimated that more than 2,700 facilities (44 percent) of an estimated 6,400 facilities with a toxic release threat misreported the distance.” GAO suggests that by verifying that the data DHS used in its risk assessment, it could better ensure it has identified the high-risk chemical facilities.

Chemical Facilities Compliance Implementation

While DHS began conducting compliance inspections in September 2013, according to the GAO, it did not have a documented processes and procedure for managing the compliance of facilities that had not implemented planned measures outlined in their site security plans. As a result, GAO found that almost half (34 of 69) of facilities inspected as of February 2015 “had not implemented one or more planned measures by deadlines specified in their approved site security plans and therefore were not fully compliant with their plans.”

Additionally, GAO found variations in how DHS addressed 34 facilities, such as how much additional time the facilities had to come into compliance and whether or not a follow-on inspection was scheduled. While the variations may have corresponded with the DHS’s case-by-case approach, GAO suggested that having documented processes and procedures would ensure that DHS could manage noncompliant facilities and close security gaps in a timely manner. Also, because DHS still needed to inspect about 2,900 facilities, having documented processes and procedures could provide DHS with a “more reasonable assurance that facilities implement planned measures and address security gaps.”