On April 9, 2007, the Department of Homeland Security (DHS) published its Interim Final Rule on Chemical Facility Anti-Terrorism Standards (IFR or the Rule) . This is a significant new security regulation. Because this Rule may become the standard for future security regulation in other industries and critical infrastructures, corporate leaders – regardless of their core business – should monitor its implementation closely. It is conceivable that Congress will begin regulating other high consequence and high vulnerability industries (e.g., rail) in the near future. Learning lessons from the chemical industry’s experience with security regulation may save companies time and money if and when regulation expands to other industries.
Other than Appendix A (discussed below) this Rule becomes effective on June 8, 2007. The IFR makes revisions and other policy changes to the proposed rule contained in the Advance Notice of Rulemaking (ANRM or Proposed Rule) published at the end of 2006. The most significant change to the Proposed Rule is the inclusion of a proposed appendix entitled “DHS Chemicals of Interest” (Appendix A). Appendix A addresses a perceived weakness in the ANRM because the Proposed Rule did not specifically identify the chemical substances that DHS considered potentially dangerous. DHS invites comments on Appendix A until May 9, 2007.
While Section 550 of the recently passed Department of Homeland Security Appropriations Act of 2007 provides the statutory authority for this Rule, members of the 11110th Congress have already proposed amending last year’s chemical security legislation. With this significant congressional interest, it will be important to monitor legislative developments that may impact the Rule as currently drafted. Additionally, Section 550 has a three-year sunset provision and will need to be reauthorized either by this Congress or the 111th Congress.
The Rule establishes risk-based performance standards for the security of high-risk chemical facilities. Chemical facilities that meet the threshold requirements of Appendix A, or are otherwise identified by DHS as potentially high-risk, must complete a questionnaire. The questionnaire elicits information to help DHS determine whether a chemical facility needs to meet the additional requirements of the Rule. If DHS determines that a facility is high-risk, it will be regulated.
As such, it will be referred to as a “Covered Facility,” which the Rule defines as “a chemical facility determined by the Assistant Secretary to present high levels of security risk, or a facility that the Assistant Secretary has determined is presumptively high risk….”
Depending upon the perceived risk, Covered Facilities will be placed in one of four risk tiers with commensurate security obligations. DHS will provide the specific tier requirements to Covered Facilities through forthcoming guidance documents. Covered Facilities will be required to prepare Security Vulnerability Assessments (SVA) and Site Security Plans (SSPs) that must be approved by DHS. In short, the SVA identifies facility security vulnerabilities. The SSP includes measures that satisfy the identified risk-based performance standards. In certain circumstances, Covered Facilities are permitted to submit Alternate Security Programs (ASPs), rather than an SVA or SSP or both. The Rule also contains provisions concerning inspections, audits, recordkeeping and the protection of sensitive information. It also provides DHS with the authority to enforce the Rule’s requirements, including assessment of fines and, in extreme cases, the issuance of an order for the cessation of operations. The Rule has a section addressing the issue of review and preemption of state and local law. Finally, the Rule prohibits third party actions; only the Secretary of DHS may seek remedies under the Rule.
The IFR describes a regulatory agenda divided among several steps.
# Chemical Facility. DHS defines chemical facility as “any establishment that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criterion identified by the Department.”
# Exemptions. Pursuant to Section 550, Congress statutorily exempts five types of facilities from this regulatory regime:
- facilities regulated by the Maritime Transportation Security Act of 2002;
- Public Water Systems, under section 1401 of the Safe Drinking Water Act;
- Treatment Works, under section 212 of the Federal Water Pollution Control Act;
- any Department of Defense or Department of Energy owned or operated facility; and
- any facility regulated by the Nuclear Regulatory Commission.
# Implementation. DHS will implement the regulatory program in phases. A Coordinating Official will be appointed “who will be responsible for ensuring that these regulations are implemented in a uniform, impartial, and fair manner.” The Coordinating Official and the Coordinating Official’s staff will provide guidance to facilities regarding compliance; resources permitting, the Coordinating Official will also provide consultation and technical assistance to Covered Facilities.
# Initial Screening. DHS would require non-exempted chemical facilities that may present “high levels of security risk” to complete a risk assessment, coined “Top-screen,” which is one part of an overall process of collecting data referred to as the Chemical Security Assessment Tool (CSAT).
# Selection for Top-screen. The presence or amount of chemicals listed in Appendix A will serve as a baseline threshold to require a facility to complete the Top-screen. However, DHS has been careful to say that the “presence or amount of a particular chemical listed in Appendix A is not the sole factor in determining whether a facility presents a high-level of security risk and is not an indicator of a facility’s coverage under this rule.” DHS may also notify facilities – either directly or through a Federal Register notice – that they need to complete and submit a CSAT Top-screen. Facilities that meet the threshold baseline will have 60 calendar days from the effective date of publication of the final Appendix A to complete Top-screen.
# Top-screen Questions. The questions presented by Top-screen will solicit broad information related to security and emergency preparedness issues, and may include questions such as the “nature of the business and activities conducted at the facility; the names, nature, conditions of storage, quantities, volumes, properties, customers, major uses and other pertinent information about specific chemicals or chemicals meeting a specific criteria; information concerning facilities’ security, safety and emergency response practices, operations and procedures; information regarding incidents, history, funding and other matters bearing on the effectiveness of the security and response programs, and other information as necessary.”
# Submission of Top-screen. Chemical facilities would submit Top-screen results via a secure Web portal or through other means approved by DHS.
# Presumption of High-Risk. Chemical facilities that are required or ordered to provide information or complete the Top-screen – but fail to do so in a timely manner – may be classified as presumptively “high risk” and be subject to civil penalties and ordered to cease operations.
# Non-High-Risk Facilities. If, after reviewing the Top-screen results, DHS determines that a particular chemical facility does not present a high level of security risk, then DHS would notify the chemical facility of this finding. The chemical facility would have no further regulatory obligation under this Rule.
# Covered Facilities. Top-screen is only one of several factors that DHS will consider when determining whether a facility is “high-risk” and thus covered by the Rule. If after considering those factors, DHS determines that a chemical facility does present a high level of security risk, then DHS would notify the chemical facility of this finding and may also notify the facility of its preliminary placement in a risk-based tier (highest Tier 1 to lowest Tier 4).
These Covered Facilities would be required to take additional steps pursuant to the CSAT. The Covered Facility must complete and submit an SVA and an SSP within 90 days and 120 days, respectively, of written notification from DHS or Federal Register notice.
According to DHS’ Web site “Covered facilities contacted by the department will have 120 days from the publication of the regulation in the Federal Register to provide information for the risk assessment process. Other requirements follow that time period. Additional facilities will follow a similar timeframe after future Federal Register publications.”
# Resubmissions. Tier 1 and Tier 2 Covered Facilities must resubmit a new Top-screen every two years. Tier 3 and Tier 4 Covered Facilities must resubmit a new Top-screen every three years. Upon resubmission of Top-screen, Covered Facilities are also required to resubmit SVAs and SSPs within 90 and 120 days, respectively. Facilities may also have to make a resubmission if there has been a “material modification.”
# Security Vulnerability Assessment. An SVA evaluates risk by considering diverse factors. An SVA includes features such as asset characterization, threat assessment, security vulnerability analysis, risk assessment and countermeasure analysis. In the proposed rule, DHS had emphasized the Risk Analysis and Management for Critical Asset Protection (RAMCAP) vulnerability assessment methodology to complete the vulnerability assessment, though alternative vulnerability assessment methodologies (e.g., Alternative Security Programs as discussed below) may satisfy the requirement.25 Under the Rule, DHS has decided to employ a modified version of RAMCAP (i.e., CSAT) and, with limited, exception has made CSAT the preferred methodology.
# Tiers. Upon review of information it receives, including Top-screen submissions, DHS will make a preliminary decision regarding placement of each Covered Facility in a risk tier. The risk tier will include Covered Facilities with similar risk profiles. DHS has identified four tiers, with Tier 1 representing the highest-risk facilities. DHS will confirm or alter its preliminary tier decision after reviewing a Covered Facility’s SVA. The assigned tier will determine which risk-based performance standards apply.
# Site Security Plan. The SSP is a security and emergency preparedness roadmap. Specifically, the SSP must remediate deficiencies identified by the vulnerability assessment and satisfy the applicable risk-based performance standard. Because a performance standard, by definition, seeks a specific result or outcome but does not direct the manner or means to achieve it, precise security measures are not mandated. For example, DHS can mandate that all Tier 1 facilities achieve a required level of protection (i.e., meet the risk-based performance standard). DHS cannot mandate that all Tier 1 facilities install specific vehicle barricades or perimeter intrusion detection systems to do so. Accordingly, DHS cannot disapprove a SSP based on the presence or absence of a specific security measure. DHS can only disapprove a SSP if the plan, as a whole, fails to satisfy the applicable risk- based performance standard.
# Alternative Security Program. Many Covered Facilities have enhanced their security voluntarily since 9/11. Robust security vulnerability assessments, site security plans and other preexisting emergency initiatives have resulted in a level of preparedness that, in some cases, meets or exceeds the requirements of the Rule. Additionally, industry associations have undertaken significant efforts to develop security benchmarks unique to the chemical sector (e.g., Responsible Care®) to help member companies increase security and work with DHS and other government departments. Recognizing the progress that has already been made, DHS may accept an ASP as a substitute for some of the mandates proposed by this regulatory scheme. An approved ASP must provide an equivalent level of security as would the requirements of the Rule. Depending upon a Covered Facilities’ tier, the Rule permits submission of an ASP for DHS approval in lieu of an SVA or SSP or both. DHS will not accept an ASP in lieu of an SVA for Tiers 1-3 (higher risk facilities), but may accept an ASP as substitute for an SSP for Tiers 1-3. Tier 4 – the lowest risk facilities - may submit an ASP rather than an SVA, SSP or both. DHS explains its rationale for these distinctions in the Rule.
# Approvals. DHS must review and approve all SVAs, SSPs and ASPs. If any submission is deemed inadequate, DHS will notify the Covered Facility of the deficiencies and provide a deadline for resubmission.
# Material Modifications to Operations or Site. Because threats, vulnerabilities and consequences change, Covered Facilities have an affirmative obligation to amend and resubmit SVAs and SSPs, as situations warrant or as required by DHS. A facility will have 60 days from the date of the “material modification” to make its resubmission.
# Audits and Inspections. Following initial approval of a Site Security Plan, DHS proposes to ensure compliance through audits and inspections. These audits and inspections will be conducted at a “reasonable time” and in a “reasonable manner” and typically with 24-hour notice. However, in exigent circumstances, DHS may conduct unannounced inspections. DHS will be issuing more guidance regarding inspections. DHS will use its own auditors and inspectors to inspect high-risk tier facilities, but will be issuing a future rulemaking about how it plans to use third-party auditors.
# Recordkeeping. Covered Facilities are required to maintain records related to security and emergency preparedness for three years (e.g., training, drills and exercises, incidents and breaches of security, maintenance records regarding security equipment, audits, letters of authorization and approval).
# Orders and Adjudications. If facilities are found in violation of the Rule, DHS may assess fines (up to $25,000 per day) or require the cessation of operations. A Covered Facility has a right to seek administrative review of such determinations. The Assistant Secretary who took the administrative action under adjudication will bear the initial burden of proving the facts supporting the administrative action in dispute.
# Chemical-terrorism Vulnerability Information. Chemical facility security information – such as SVAs, SSPs, Alternative Security Programs and inspections and audits – is sensitive. It may be characterized not only as national security information but also as proprietary and confidential business information. Current law protects both from unauthorized disclosure. Because of the security concerns regarding the types of information developed, maintained and submitted in compliance with this new Rule, DHS has developed a new form of protected information. Only individuals with a need to know will have access to or otherwise obtain Chemical-terrorism Vulnerability Information (CVI). CVI is intended to protect the most sensitive information exchanged between DHS and Covered Facilities, including documentation regarding: (1) SVAs; (2) SSPs; (3) DHS’ review or approval of SVAs or SSPs; (4) Alternate Security Programs; (5) Inspections or Audits; (6) Recordkeeping Requirements; (7) sensitive portions of orders, notices or letters; (8) Top-screen or other similar documents related to tier determination; and (9) other sensitive information. CVI has specific access, marking, handling and destruction requirements; CVI disclosure is further limited in administrative and judicial proceedings.
# Preemption. While Section 550 of the Homeland Security Appropriations Act does not contain an express preemption provision, well established principles of federalism preempt state or local laws that conflict with or frustrate the purpose of DHS’ proposed regulatory scheme. DHS proposes to permit any Covered Facility or any state to “petition the Department by submitting a copy of a State law, regulation, or administrative action, or decision or order…” for a DHS-authored preemption opinion
# Third Party Actions. Only the Secretary has a right of action under this Rule. There is no private right of action.
Congressional Role in Chemical Security Regulatiation and Proposed changes to section 550
The 109th Congress, with the support of Secretary Chertoff, determined that only a legislative solution could address security deficiencies and provide uniform standards in the chemical industry. Despite stand-alone legislative proposals in 2005 and 2006 (most notably S. 214145 and H.R. 5695), DHS’ authority to regulate chemical security originates in the Department of Homeland Security Appropriations Act of 2007. Section 550 of the act required DHS to implement chemical security regulations no later than April 4, 2007. The publication of the Rule on April 9, 2007, represents DHS’ effort to meet its statutory mandate. However, some members of Congress are already considering making changes to Section 550. DHS has raised concerns about the proposed changes.
On March 27, 2007, Secretary Chertoff wrote Senator Byrd about the war supplemental bills pending in both houses that contain language affecting Section 550: Section 1502 of the Senate war supplemental, S. 965 (Section 1502) and Section 1501 of the House war supplemental, H.R.1591 (Section 1501).
The letter raises several key concerns:
# strong opposition to Section 1502 and Section 1501 because both seek “to modify the concept of conflict preemption founded on the Supremacy Clause of the U.S. Constitution”
# Section 1501 weakens DHS’ ability to protect sensitive vulnerability information
# Section 1501 “leaves the door open for third-party lawsuits”
President Bush has threatened to veto the war supplemental in its present form. Yet, it is anticipated that changes to Section 550 will continue to be discussed and will likely be included again in future war supplemental bills or other legislation.
Also, it should be noted that DHS’ power to regulate chemical facilities is not absolute: assuming no further congressional action, Section 550(b) limits DHS’ authority to a three-year period. This is significant, as the composition of the 110th Congress – and the upcoming 2008 election cycle – could alter DHS’ regulatory agenda and limit DHS’ broad discretion to define implementing regulations.
The Interim Final Rule on Chemical Facility Anti-Terrorism Standards is a major homeland security development. For the first time, it imposes comprehensive federal security regulations for high risk chemical facilities. Rather than being prescriptive (i.e., requiring that facilities take specific security measures), the Rule establishes risk-based performance standards.
# It requires chemical facilities that meet certain threshold requirements to submit answers to a questionnaire that helps DHS assess and categorize the risk level for each facility;
# If designated a Covered Facility, the Rule requires the preparation of an SVA, which identifies facility security vulnerabilities;
# Covered Facilities must also implement an SSP, which includes measures that satisfy the identified risk-based performance standards; and
# The Rule does allow certain Covered Facilities, in specific circumstances, to submit ASPs in lieu of an SVA, SSP or both.
Companies should keep a careful eye on this new Rule and the resulting regulatory regime, as it may serve as the template for regulating security in other industries and critical infrastructure.