On December 28, 2006, the Department of Homeland Security (DHS) published an Advance Notice of Rulemaking seeking comments on the proposed text for Interim Final Regulations as well as related policy considerations for chemical facility security. Parties wishing to comment must do so by February 7, 2007.

This proposal is the latest initiative to reduce the threat of terrorism throughout the chemical supply and transportation infrastructure. In separate December 21 , 2006, Notices of Proposed Rulemakings, the Transportation Security Administration, a component of DHS, and the Pipeline and Hazardous Materials Safety Administration, a component of the Department of Transportation, published complementary security proposals for hazardous materials, including certain classes of chemicals.  The proposed regulations to increase chemical facility security should be considered in conjunction with the December 21 notices.

Executive Summary

The proposed Interim Final Regulations describe a regulatory agenda divided among several steps:

  • Initially, DHS would require chemical facilities that may present “high levels of security risk” to complete a risk assessment, coined “Top-screen.” The questions presented by the Top-screen will solicit broad information related to security and emergency preparedness issues, such as the “nature of the business and activities conducted at the facility; the names, nature, conditions of storage, quantities, volumes, proprieties, major customers, major uses, and other pertinent information about specific chemicals or chemicals meeting a specific criteria.”
  • DHS intends to notify chemical facilities that must complete the Top-screen through individual notifications or publication in the Federal Register. Chemical facilities would submit Top-screen results to DHS via a secure Web portal. Chemical facilities that are required to complete the Top- screen – but fail to do so in a timely manner – may be classified as presumptively “high risk.”
  • If, after reviewing the Top-screen results, DHS determines that a particular chemical facility does not present a high level of security risk, then DHS would notify the chemical facility of this finding. The chemical facility would have no further regulatory obligation under this program.
  • To the contrary, if after reviewing the Top-screen results, DHS determines that a chemical facility does present a high level of security risk, then DHS would notify the chemical facility of this finding and require these “covered facilities” to take additional steps. The covered facility must complete and submit (1 ) a vulnerability assessment and (2) a Site Security Plan within 60 days and 20 days, respectively. 
  • By considering diverse factors, a vulnerability assessment evaluates risk. DHS proposes to require vulnerability assessments that include asset characterization, threat assessment, vulnerability analysis, risk assessment, and countermeasure analysis. DHS has emphasized the Risk Analysis and Management for Critical Asset Protection (RAMCAP) vulnerability assessment methodology to complete the vulnerability assessment, though alternative vulnerability assessment methodologies (e.g., Alternative Security Programs as discussed below) may satisfy the requirement. 
  • Upon review, DHS will place each covered facility in a risk tier. The risk tier will include covered facilities with similar risk profiles. DHS anticipates having as many as four tiers, with Tier 1 representing the highest-risk facilities. DHS will make tiering decisions using the vulnerability assessment and “a number of [other] factors, including information from the Top-screen, intelligence information, and information from other appropriate sources.” 
  • The Site Security Plan is a security and emergency preparedness roadmap. Specifically, the Site Security Plan must remediate deficiencies identified by the vulnerability assessment and satisfy the applicable risk-based performance standard, which DHS will develop for each tier. Because a performance standard, by definition, seeks a specific result but does not direct the manner to achieve it, precise security measures are not mandated. For example, DHS can mandate that all Tier facilities achieve a required level of protection (i.e., meet the risk-based performance standard). DHS cannot mandate that all Tier 1 facilities install specific vehicle barricades or perimeter intrusion detection systems to do so. Accordingly, DHS cannot disapprove a Site Security Plan based on the presence or absence of a specific security measure. DHS can only disapprove a Site Security Plan if the plan, as a whole, fails to satisfy the applicable risk-based performance standard.
  • Because threats, vulnerabilities and consequences change, covered facilities have an affirmative obligation to amend and resubmit vulnerability assessments and Site Security Plans as situations warrant or as required by DHS.
  • Following initial approval of a Site Security Plan, DHS proposes to ensure compliance through audits and inspections. DHS auditors will inspect high-risk tier facilities but may use third-party auditors to inspect those with lower-risk-tier classifications.

History of the Chemical Security Proposed Regulation

While many chemical companies have increased security voluntarily since September 11 , 2001 , DHS believes that the danger of terrorism for the chemical sector collectively remains high. The efforts of individual companies and industry associations to reduce the vulnerability of attack cannot compensate for those companies that have done little to raise their security profile. Congress determined that only a legislative solution could address security deficiencies and provide uniform standards. Legislative proposals, most notably S. 214 5 and H.R. 5695, and a series of hearings received considerable attention in 2005 and 2006.

However, DHS’ authority to regulate chemical security originates in the Department of Homeland Security Appropriations Act of 2007. 8 Section 550 of the act requires DHS to implement chemical security regulations no later than April 4 , 2007. The December 28, 2006, publication of an Advance Notice of Rulemaking represents DHS’ first step towards fulfillment of its statutory mandate.

Anaysis of Specific Issiues Raised by the Proposed Regulation

Key Terms

Congress granted DHS significant authority to define the regulatory parameters for chemical facility security. Because applicability hinges upon a handful of terms, defining statutory language is especially important.

For example, only chemical facilities that “present high levels of security risk” are subject to regulation. Thus, the meaning DHS attaches to the phrase is determinative. DHS proposes to define “present high level of security risk” to mean “a chemical facility that, in the discretion of the Secretary of Homeland Security, presents a high risk of significant adverse consequences for human life or health, national security and/or critical economic assets if subjected to terrorist attack, compromise, infiltration, or exploitation.”

This definition offers little insight. Recognizing the need for clarity, DHS will look to current lists of regulated high-risk chemicals – such chemicals covered by the Environmental Protection Agency’s Risk Management Program; the Convention on the Development, Production, Stockpiling and Use of Chemical Weapons and Their Destruction; and the Department of Transportation’s Hazardous Materials Regulations – for insight and precedent.

DHS’ definition of “chemical facility” is equally significant. DHS proposes to adopt a broad definition of chemical facility to include “any facility that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criterion identified by the Department.”

Alternative Security Plans

As noted, many covered facilities have enhanced security voluntarily since 9/11 . Robust security vulnerability assessments, site security plans and other emergency initiatives have resulted in a level of preparedness that likely meets or exceeds forthcoming regulatory mandates. Additionally, industry associations have undertaken significant efforts to develop security benchmarks unique to the chemical sector to help member companies increase security and work with DHS and other government departments.

Recognizing the progress that has already been made, DHS may accept Alternative Security Programs as a substitute for some of the mandates proposed by this regulatory scheme.

An approved Alternative Security Plan, which would include a vulnerability assessment and a Site Security Plan, must satisfy the applicable risk-based performance standard.


DHS proposes to require covered chemical facilities to maintain records related to security and emergency preparedness activities for at least three years. Recordkeeping requirements pertain to activities including, but not limited to: training; drills and exercises; incidents and breaches of security; maintenance, calibration, and testing of security equipment; and security threats.

Regulatory Vviolations and Appeals

Though there is no private right of action, DHS proposes to penalize covered facilities that are noncompliant.

Penalties begin with a DHS-issued Order of Compliance. The Order of Compliance will establish a specific date for compliance and will require, among other things, “a representative of the chemical facility [to] submit a written response to the Department explaining how the facility has remedied any instances of noncompliance.”

Importantly, DHS believes that its statutory authority to order compliance includes the Top-screen. In this regard, DHS can force a facility to undergo a Top-screen, even if the outcome of the Top-screen results in the exclusion of the facility from further security regulation.

If the Order of Compliance is not satisfied by the date specified, then DHS may impose a civil penalty not to exceed $25,000 for each day of noncompliance. Continued noncompliance may result in a DHS-ordered cessation of operations.

As noted above – and consistent with procedural due process – DHS proposes an objection and appeal process. Covered facilities have the right to object to a:

  • DHS determination that the covered facility presents a high level of security risk;
  • DHS determination regarding a covered facility’s risk tier classification; and
  • DHS disapproval of a covered facility’s Site Security Plan.

The covered facility must object to the Assistant Secretary for Infrastructure Protection within 20 days of notification of objectionable information.

Covered facilities have the right to appeal:

  • final disapproval of a Site Security Plan directly to the Under Secretary;
  • Orders for Compliance directly to the Under Secretary;
  • Orders Assessing a Civil Penalty directly to the Under Secretary; and
  • Orders to Cease Operations directly to the Deputy Secretary.

The covered facility must appeal within 30 days of DHS’ issuance of a final disapproval or order and may request a meeting with DHS adjudicating official(s). The Under Secretary and the General Counsel serve as adjudicating officials for most appeals. The Deputy Secretary, however, serves as the adjudicating official for Orders to Cease Operations.

The proposed regulations permit the adjudicating official(s) to “affirm the order, revoke the order, or suspend the order for a specified period of time, after which the terms of the Order go into effect.” An adjudicating official’s decision constitutes final agency action, which is necessary before seeking relief in U.S. district court.

Chemical-terrorism Vvulnerability Iinformation

Chemical facility security information – such as vulnerability assessments, Site Security Plans, Alternative Security Programs, and inspections and audits – is sensitive. It may be characterized not only as national security information but also as proprietary and confidential business information. Current law protects both from unauthorized disclosure.

DHS is proposing to protect covered facility security information from unauthorized release. Through the proposed “Chemical-terrorism Vulnerability Information” (CVI) designation, DHS will protect the confidential nature of covered facility security information. Only individuals with a need to know will have access to or otherwise obtain CVI. DHS may enforce CVI restrictions through administrative processes (e.g., secure storage, marking and destruction) and personnel processes (e.g., limiting CVI to individuals with satisfactory background checks). DHS has also proposed specific procedures to protect CVI in judicial and administrative proceedings.

Nonetheless, several questions remain unresolved: the precise nature of the relationship between CVI and Protected Critical Infrastructure Information (PCII) looms large. Section 214 of the Homeland Security Act of 2002 statutorily exempts private sector information voluntarily provided to DHS for the purposes of critical infrastructure protection. DHS administratively finalized the PCII program with a Final Rule on September 1 , 2006.


Pursuant to Section 550, Congress statutorily exempts five types of facilities from this regulatory regime:

  • facilities regulated by the Maritime Transportation Security Act of 2002;
  • Public Water Systems, under section 14 01 of the Safe Drinking Water Act;
  • Treatment Works, under section 21 2 of the Federal Water Pollution Control Act;
  • any Department of Defense or Department of Energy owned or operated facility; and
  • any facility regulated by the Nuclear Regulatory Commission.


While Section 550 of the Homeland Security Appropriations Act does not contain an express preemption provision, well established principles of federalism preempt state or local law that conflicts with or frustrates the purpose of DHS’ proposed regulatory scheme. DHS proposes to permit covered facilities or any state to “petition the Department by submitting a copy of a State law, regulation, or administrative action, or decision or order….” for a DHS-authored preemption opinion.

Three Year Sunset

DHS’ power to regulate chemical facilities is not absolute: assuming no further congressional action, Section 550(b) of the Homeland Security Appropriations Act limits DHS’ authority to a three year period. This is significant, as the composition of the 110th Congress – and the upcoming 2008 election cycle – could alter DHS’ proposed regulatory agenda and limit DHS’ broad discretion to define implementing regulations.