[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]

H.R. 4007, THE CHEMICAL FACILITY ANTI-TERRORISM STANDARDS AUTHORIZATION AND ACCOUNTABILITY ACT OF 2014

=======================================================================

HEARING

before the

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

of the

COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES

ONE HUNDRED THIRTEENTH CONGRESS

SECOND SESSION

__________

FEBRUARY 27, 2014

__________

Serial No. 113-54

__________

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

__________

U.S. GOVERNMENT PRINTING OFFICE
88-171 PDF WASHINGTON : 2014

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman

Lamar Smith, Texas                       Bennie G. Thompson, Mississippi
Peter T. King, New York                  Loretta Sanchez, California
Mike Rogers, Alabama                     Sheila Jackson Lee, Texas
Paul C. Broun, Georgia                   Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Chair  Brian Higgins, New York
Patrick Meehan, Pennsylvania             Cedric L. Richmond, Louisiana
Jeff Duncan, South Carolina              William R. Keating, Massachusetts
Tom Marino, Pennsylvania                 Ron Barber, Arizona
Jason Chaffetz, Utah                     Donald M. Payne, Jr., New Jersey
Steven M. Palazzo, Mississippi           Beto O'Rourke, Texas
Lou Barletta, Pennsylvania               Tulsi Gabbard, Hawaii
Richard Hudson, North Carolina           Filemon Vela, Texas
Steve Daines, Montana                    Steven A. Horsford, Nevada
Susan W. Brooks, Indiana                 Eric Swalwell, California
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Vacancy

Vacancy, Staff Director
Michael Geffroy, Deputy Staff Director/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

Patrick Meehan, Pennsylvania, Chairman

Mike Rogers, Alabama                     Yvette D. Clarke, New York
Tom Marino, Pennsylvania                 William R. Keating, Massachusetts
Jason Chaffetz, Utah                     Filemon Vela, Texas
Steve Daines, Montana                    Steven A. Horsford, Nevada
Scott Perry, Pennsylvania, Vice Chair    Bennie G. Thompson, Mississippi (ex officio)
Michael T. McCaul, Texas (ex officio)

Alex Manning, Subcommittee Staff Director
Dennis Terry, Subcommittee Clerk

C O N T E N T S

----------

STATEMENTS

The Honorable Patrick Meehan, a Representative in Congress From the State of Pennsylvania, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies

The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
  Oral Statement
  Prepared Statement

The Honorable Michael T. McCaul, a Representative in Congress From the State of Texas, and Chairman, Committee on Homeland Security

The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
  Oral Statement
  Prepared Statement

The Honorable Gene Green, a Representative in Congress From the State of Texas:
  Oral Statement
  Prepared Statement

WITNESSES

Panel I

Ms. Caitlin Durkovich, Assistant Secretary, Infrastructure Protection, U.S. Department of Homeland Security, Accompanied by David Wulf, Deputy Director, Infrastructure Security Compliance Division:
  Oral Statement
  Joint Prepared Statement

Mr. Stephen L. Caldwell, Director, Homeland Security and Justice, U.S. Government Accountability Office:
  Oral Statement
  Prepared Statement

Ms. Marcia Moxey Hodges, Chief Inspector, Office of Inspector General, U.S. Department of Homeland Security:
  Oral Statement
  Prepared Statement

Panel II

Mr. Clyde D. Miller, Director for Corporate Security, BASF North America, Incoming Vice Chair, American Chemistry Council Security Committee:
  Oral Statement
  Prepared Statement

Ms. Kate Hampford Donahue, President, Hampford Research, Inc., and Member, Board of Governors, Society of Chemical Manufacturers and Affiliates (SOCMA):
  Oral Statement
  Prepared Statement

Ms. Anna Fendley, Legislative Representative, United Steelworkers:
  Oral Statement
  Prepared Statement

For the Record

The Honorable Patrick Meehan, a Representative in Congress From the State of Pennsylvania, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
  Letter
  Memorandum From the Office of Enforcement and Compliance Assurance, United States Environmental Protection Agency, Washington, DC

H.R. 4007, THE CHEMICAL FACILITY ANTI-TERRORISM STANDARDS AUTHORIZATION AND ACCOUNTABILITY ACT OF 2014

----------

Thursday, February 27, 2014

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies,
Washington, DC.

The subcommittee met, pursuant to call, at 10:09 a.m., in Room 311, Cannon House Office Building, Hon. Patrick Meehan [Chairman of the subcommittee] presiding.

Present: Representatives Meehan, McCaul, Perry, Clarke, Thompson, Vela, and Horsford.

Also present: Representative Green.

Mr. Meehan. The Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order.

The subcommittee is meeting today to examine H.R. 4007, which is the Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act of 2014. I now recognize myself for an opening statement.

Chemical facilities continually rank among the most attractive targets for terrorists because an attack on a chemical plant would likely result in large-scale damage and potentially terrible loss of life. What happened at West, Texas, last spring gave us a chilling look at the devastation that occurs when a chemical facility detonates.

To protect against potential catastrophe, Congress in 2007 authorized the Department of Homeland Security to develop a set of vulnerability assessment standards for chemical plants and to implement a corresponding set of regulations to ensure that physical security of those at the highest risk. That authorization was in effect for 3 years. Seven years later, the resulting program, which we call CFATS, has yet to be reauthorized.
Instead, the program simply receives appropriations year after year without any hard guidance from this authorizing committee.

While we have held many hearings to assess the CFATS program's effectiveness and progress, the Department is still behind in establishing several of the program's most basic operational elements, and we all appreciate that this is simply not acceptable. It is the responsibility of this committee to set official guidelines and standards of this very important program. Oversight alone is simply not sufficient. We must give CFATS the formal and proper direction it needs. Therefore, we must resume our jurisdiction of the program.

H.R. 4007, the Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act of 2014, is the product of the Homeland Security Committee's consultation with dozens of stakeholders, including the facilities regulated under this act, community representatives, the Energy and Commerce Committee, the Senate Homeland Committee, and the Government Affairs Committee in the Senate, as well as the Government Accountability Office, the Department of Homeland Security itself.

In fact, just yesterday, the Secretary of the Department of Homeland Security, Jeh Johnson, said about this bill that, ``I have looked at it, I have read it, I support it, and our critical infrastructure folks support it.'' Therefore, we have reached the rare occurrence in Congress, constructive legislation supported by the White House, multiple House committees, the Senate, industry, and both Republicans and Democrats.

As author of this bill, I take very seriously the problems that have plagued this program in the past; the now-infamous 2011 leaked memo written by the former ISCD Director Penny Anderson and then ISCD Deputy Director David Wulf was highly critical of the division and brought to light a disturbing litany of management flaws and achievement gaps within the ISCD.
In response, this committee asked both the GAO and the inspector general to conduct a thorough review of the ISCD operations. The findings weren't surprising. Both auditors essentially said that the program's success had been slowed by inadequate tools, poorly-executed processes, and harmful mismanagement.

In the 3 years since the Anderson-Wulf memo was leaked, ISCD has made substantial progress. The division has further accelerated the review process for security plans at facilities assigned a final tier under CFATS. It has significantly reduced the overall backlog of facilities. It has made notable progress in addressing the recommendations made by GAO in its 2013 report. It has implemented the Infrastructure Security Compliance Division Action Plan.

In addition, ISCD has put in place a new management team, headed by Suzanne Spaulding, the acting under secretary for NPPD, and David Wulf, who is here with us today, now the ISCD director. With a new management team at the helm, and tangible progress continuing to be demonstrated, now is the time to help CFATS begin its new chapter and take these next critically important steps.

While progress has been made, it is now time for Congress to step in to mandate accountability for the Department and provide certainty to the regulated community. H.R. 4007 authorizes CFATS for the short term in order to provide the stability and certainty both the Department and industry have been calling for, while at the same time using the authorization as a vehicle to mandate certain fundamental program improvements.

Specifically, the bill improves the efficiency of a site security plan approval process. It amends certain parts of the original CFATS regulations to facilitate DHS industry coordination and simplify the compliance process.
It ensures that DHS is communicating with State and local officials, as well as other Federal agencies and industry associations, to identify facilities of interest and implementing a sensible and effective methodology in assessing risk and ensures DHS accountability by requiring the Secretary to certify the Department's progress and by authorizing GAO to conduct an on-going assessment and report to Congress with its findings every 6 months.

Last summer, the President issued Executive Order 13650, which improving Chemical Facility Safety and Security was the title of that Executive Order. While I applaud the President for his efforts, the security of our chemical facilities is too important to be guided by studies and directives alone. It is the duty of Congress and this committee to act.

This bill works as a complementary piece of legislation to the President's Chemical Facility Safety and Security Working Group. The bill mirrors and reinforces many of the EO's initiatives. To suggest that this panel must choose between the Executive Order and authorizing CFATS in the short term is to create a false choice.

Secretary Johnson confirmed this sentiment yesterday, saying, ``If we have got a good bill and there is an opportunity to pass it in this Congress, it supports my goals and objectives, and it enhances homeland security, I am going to support the measure. I think we in the Congressional, Executive branches owe it to the American people to get something done.'' Those were his words.

Before I conclude, there is one final factor that must be considered today. The Government shutdown in late 2013 led to the first-ever expiration of the CFATS program. While this expiration thankfully turned out to be only temporary, the event nonetheless served as a wake-up call to the fragility of our Nation's chemical security and safety. With every appropriations cycle comes renewed anxiety that CFATS will cease to exist.
Year after year, the authorizing committees have the opportunity to provide stability and certainty with regard to chemical security. Year after year, they have failed to take legislative action.

As Henry Waxman, who was the Energy and Commerce Ranking Member, said, ``Whatever the flaws in the CFATS program, the answer is not to let the program sunset. This state of affairs leave dangerous chemical facilities unregulated and vulnerable to attack.'' I agree with that statement.

The purpose of today's legislative hearing is to allow the subcommittee to hear from industry stakeholders, Government auditors, and those DHS officials directly responsible for implementing CFATS as to the value of H.R. 4007. I firmly believe this bill is a much-needed step in the right direction. If this bill takes--it takes a fresh approach to addressing some of the CFATS program's most basic issues. The bill represents a new partnership among industry, the Department, and Congress for the advancement of America's chemical security.

The Chairman now recognizes the Ranking Member of the subcommittee, the gentlelady from New York, Ms. Clarke, for any statements she may have.

Ms. Clarke. I thank you, Mr. Chairman. I would like to, before beginning my statement, acknowledge and recognize Congressman Gene Green and ask unanimous consent that he be allowed to sit in on this hearing.

Mr. Meehan. I thank the gentleman for attending. Without objection, so ordered.

Ms. Clarke. Thank you, Mr. Chairman. Thank you for holding this legislative hearing to examine your bill, H.R. 4007. This legislation before us today would repeal and replace the existing statute that authorizes the Department of Homeland Security, DHS, to regulate chemical facilities for security purposes.

This subcommittee has a great stake and long history in attempting to help the CFATS program succeed, and I have watched with interest the development of this legislative language.
However, I do have some concerns about the approach the bill takes.

First, the bill stands alone. It would not amend the Homeland Security Act of 2002. This would not affect the implementation of the bill, if it is passed and enacted into law, but some might argue that such a bill does not provide a firm statutory footing for the CFATS program or resolve issues of Congressional jurisdiction.

The bill does contain much of the language in the existing statutory authority and includes some new requirements for the Secretary to follow. Like in the existing statutory authority, the bill authorizes the use of a current regulatory rule that requires such facilities to submit security vulnerability assessments and to develop and implement site security plans and facilities that have approved site security plans as of the date of enactment will not have to resubmit those plans for approval just because the bill was enacted.

The bill expressly authorizes DHS to accept the submission alternative security programs, or ASPs, with respect to site security plans. The practice of using ASPs is already in use at the Department, and I am in favor of the ASPs. I think it is an innovative approach for companies to address their security needs.

Let me turn to the issue of standards versus regulations. The existing statutory authority expressly directs the Secretary to inform interim final regulations. H.R. 4007 does not, but instead directs the creation of a program establishing certain standards.

The bill mandates the Secretary to establish risk-based performance standards designed to protect chemical facilities that the Secretary determines represent a high level of security risk. This is an important feature, because unlike the existing statutory authority, this bill would require the performance standards to provide protection from acts of terrorism, while the existing statutory authority requires the risk-based performance standards be for security.
This may help with some of our jurisdiction issues, but in my mind, the establishment of standards as opposed to a current regulatory scheme poses questions as to how the Department would interpret such language, if it becomes law.

For example, I think it is possible that some stakeholders, including some of our witnesses today, may assume that since such standards would be binding on the public, that this language provides an implied authority to issue regulations under provisions of the Administrative Procedure Act to implement these standards.

On the other hand, in a close reading of the bill, one might also assert that the removal of the requirement to issue regulations reflects the Majority's Congressional intent to move the CFATS program away from a regulatory framework to a public-private partnership or some other unspecified structure. I am hoping to get some clarification or opinion from the Department on how they view these issues, especially in light of their surprisingly full-throated support of this language.

Another issue I would like to bring up is the use of contractors in CFATS. One of the features of H.R. 4007 is that it specifically authorizes the Secretary to designate inspectors that are not DHS employees. The language says that the audit and inspection processes may be carried out by a non-Department or non-Governmental entity as approved by the Secretary.

I understand that the bill is attempting to aid the Department in accelerating the site security authorization approval and compliance process, but I have serious reservations about the use of contractors in the inspector cadre, where this work is generally recognized as an inherently Governmental responsibility, especially when it involves terroristic threats and risks to the Nation.

Finally, Mr. Chairman, I am anxious to work with you on the pressing issue of personnel surety, and I know your bill includes some helping language, but enactment into law for H.R. 4007 may be a while off.
More recently, DHS has issued a 30-day information collection request offering its latest personnel surety proposal. The proposal, as I understand, would accept credentials that are vetted recurrently against the terrorist screening database and has their validity verified on a continuing basis by electronic or other means. However, DHS has previously communicated with stakeholders that it would not grant reciprocity to personnel surety programs that vet individuals against the terrorism screening database on a schedule not equivalent to recurrent vetting. This poses substantial problems in a very complex arena.

Many have expressed concerns about duplication of efforts and the burden of multiple background checks, and others have rightfully asked about what protections might be offered for workers who would be required to secure multiple credentials to continue working and what financial and operation problems would be put on facilities who are already complying with credentialing regulations.

We must find a way to meet the needs of addressing these risks posed by access to chemical facilities through a common-sense approach that will likely involve multiple program efforts to harmonize Government credentialing among the agencies and programs.

We all know the CFATS program has been striving to improve its performance, and we commend the hard work and leadership shown at ISCD, and we will hear today from two agencies that have looked closely at the program to help us determine what we might codify to help the program achieve its potential.

Thank you, Mr. Chairman. I look forward to working with you to make the CFATS program one we can be proud of. I yield back.

[The statement of Ranking Member Clarke follows:]

Statement of Ranking Member Yvette D. Clarke

February 27, 2014

Thank you for holding this legislative hearing to examine your bill, H.R. 4007.
The legislation before us today would repeal and replace the existing statute that authorizes the Department of Homeland Security (DHS) to regulate chemical facilities for security purposes.

This subcommittee has a great stake, and long history, in attempting to help the CFATS program succeed, and I have watched with interest the development of this legislative language.

However, I do have some concerns about the approach the bill takes.

First, the bill stands alone, and would not amend the Homeland Security Act of 2002. This would not affect the implementation of the bill, if it is passed and enacted into law, but some might argue that such a bill does not provide a firm statutory footing for the CFATS program or resolve issues of Congressional jurisdiction.

The bill does contain much of the language in the existing statutory authority and includes some new requirements for the Secretary to follow.

Like in the existing statutory authority, the bill authorizes the use of the current regulatory rule that requires such facilities to submit security vulnerability assessments and to develop and implement site security plans, and facilities that have approved site security plans as of the date of enactment will not have to resubmit those plans for approval just because the bill was enacted.

And the bill expressly authorizes DHS to accept the submission alternative security programs, or ASPs, with respect to site security plans. The practice of using ASPs is already in use at the Department, and I'm in favor of the ASPs, I think it is an innovative approach for companies to address their security needs.

Let me turn to the issue of standards versus regulations. The existing statutory authority expressly directs the Secretary to issue interim final regulations. H.R. 4007 does not, but instead directs the creation of a program establishing certain standards.
The bill mandates the Secretary to establish risk-based performance standards designed to protect chemical facilities that the Secretary determines represent a high level of security risk.

This is an important feature, because unlike the existing statutory authority, this bill would require the performance standards to provide protection from ``acts of terrorism''; while the existing statutory authority requires the risk-based performance standards be for ``security.''

This may help with some of our jurisdictional issues, but in my mind, the establishment of ``standards'' as opposed to the current regulatory scheme, poses questions as to how the Department would interpret such language, if it becomes law.

For example, I think it is possible that some stakeholders, including some of our witnesses today, may assume that since such standards would be binding on the public, that this language provides an implied authority to issue regulations under provisions of the Administrative Procedure Act to implement these standards.

On the other hand, in a close reading of the bill, one might also assert that the removal of the requirement to issue regulations reflects the majority's Congressional intent to move the CFATS program away from a regulatory framework to a public/private partnership, or some other unspecified structure.

I am hoping to get some clarification, or opinion from the Department, on how they view these issues, especially in light of their surprisingly full-throated support of this language.

Another issue I'd like to bring up is the use of contractors in CFATS. One of the features of H.R. 4007 is that it specifically authorizes the Secretary to designate inspectors that are not DHS employees. The language says that the audit and inspection processes ``may be carried out by a non-Department or non-Governmental entity, as approved by the Secretary''.
I understand that the bill is attempting to aid the Department in accelerating the site security authorization, approval, and compliance process, but I have serious reservations about the use of contractors in the inspector cadre, where this work is generally recognized as an inherently Governmental responsibility, especially when it involves terroristic threats and risks to the Nation.

Finally, Mr. Chairman, I am anxious to work with you on the pressing issue of Personnel Surety, and I know your bill includes some helping language. But enactment into law for H.R. 4007 may be a while off.

More recently, DHS has issued a 30-day information collection request offering its latest personnel surety proposal. The proposal, as I understand, would accept credentials that are vetted recurrently against the terrorist-screening database and has their validity verified on a continuing basis by electronic or other means.

However, DHS has previously communicated with stakeholders that it would not grant reciprocity to personnel surety programs that vet individuals against the terrorism-screening database on a schedule not equivalent to recurrent vetting. This poses substantial problems in a very complex arena.

Many have expressed concerns about duplication of efforts and the burden for multiple background checks, and others have rightfully asked about what protections might be offered for workers who would be required to secure multiple credentials to continue working, and what financial and operation problems would be put on facilities who are already complying with credentialing regulations.

We must find a way to meet the needs of addressing the risks posed by access to chemical facilities through a common-sense approach that will likely involve multiple program efforts to harmonize Government credentialing among the agencies and programs.
We all know that the CFATS program has been striving to improve its performance, and we commend the hard work and leadership shown at ISCD, and we will hear today from two agencies that have looked closely at the program to help us determine what we might codify to help the program achieve its potential.

Thank you Mr. Chairman, I look forward to working with you to make the CFATS program one we can be proud of.

Mr. Meehan. I thank the Ranking Member. The Chairman now recognizes the Chairman of the full committee, the gentleman from Texas, Mr. McCaul, for any statement he may have.

Mr. McCaul. Thank you, Mr. Chairman. I want to thank you for holding this hearing, for introducing this important legislation that I strongly support, and I want to thank Mr. Green, Gene Green, my friend from Texas, for his support of this legislation. Energy and Commerce Committee has been very accommodating with this committee in terms of jurisdiction. We have worked out our differences to be able to move forward to this point.

As Congressman Green and I can appreciate even more so, as the events of West, Texas, I think demonstrate, the explosion that occurred there, and the loss of life demonstrate the need for this legislation now. This is a product of, Mr. Chairman, your hard work, Joan O'Hara on the staff, over the last 6 months meeting with the stakeholders, Government Accountability Office, Senate authorizing committees, and most importantly, our Department of Homeland Security officials.

In my meetings with DHS, they are strongly supportive of this legislation. They understand the need to authorize. This committee needs to operate and authorize. This has never been authorized, which creates confusion not only in the Government, but in the private sector. This has only been done by the appropriators. It is time for this committee to stand up and do its job and its responsibility and authorize, and that is what I strongly support here today.
I was very pleased yesterday to hear the Secretary of Homeland Security--he gave me private assurances that he supports this legislation, but to hear him testify before this committee that he is fully supportive I think sends a strong message to this committee that we need to get our work done on this committee and pass this out of committee.

We have enjoyed, I believe, on this committee a strong bipartisan support on legislation, whether there is a border security which passed unanimously out of this committee, whether it was a cybersecurity bill that after negotiations with the Minority passed unanimously out of this committee. I am very proud of that record, very proud of that record.

I would ask that the Ranking Member of this committee and the full committee go forward with that same spirit of trying to get something done, and particularly on an issue of this importance, and continue our governance in a bipartisan issue, because when it comes to matters of security, I don't believe that partisan politics have any place in it.

I will just end with the Secretary's quote, when he said yesterday, ``We owe it to the American people to get something done.'' I couldn't agree with the Secretary more, and I thank him for his testimony yesterday, and I look forward to working with the Minority to get something done in this area.

With that, Mr. Chairman, I yield back.

Mr. Meehan. I thank the Chairman for his comments and for his presence here. I also am very grateful for the presence of the Ranking Member on the committee, the gentleman from Mississippi. Mr. Thompson, you are recognized for any statements you may have.

Mr. Thompson. Thank you very much, Mr. Chairman. I, too, am happy that we are moving forward with a discussion of much-needed legislation. However, there are still some differences of interpretation about this legislation, and I think we will see that over the course of this hearing.
However, I do want to thank you for holding this hearing to examine your bill, H.R. 4007. As an original author of chemical security legislation, I am supportive of DHS's efforts to raise the level of security at our Nation's chemical facilities. If you would have told me back in 2006, 8 years later, that CFATS would still be operating without a free-standing authorization in the Homeland Security Act, I would have been shocked.

Jurisdictional wrangling has been a problem. The closest that Congress has come to approving an authorization bill was back in 2010 when I teamed up with then-Energy and Commerce Chairman Waxman. Since that time, the program has faced its share of internal and external challenges.

Today, the program appears to be in a better place. That said, there could be some major changes in the program once the President's interagency Chemical Facility Safety and Security Working Group completes its work to enhance chemical sector safety and security.

The legislation before us today has some good features. Certainly, the mention of personnel surety is a positive. However, it has some glaring weaknesses. The bill is a stand-alone and would not amend the Homeland Security Act. This approach potentially denies CFATS a firm statutory footing and adds to jurisdictional conflict.

The bill maintains exemptions that were put in place in haste in 2006 of categories of facilities even as we await the recommendations from the President's Chemical Facility Safety and Security Working Group. One of my biggest issues with the bill is that it is written so broadly as to raise questions on whether it is a stay-the-course bill or, by making little or no references to the existing CFATS program, requires something different.
I must say that the introduction of this bill was somewhat surprising, since after the West, Texas, tragedy, last year, Chairman McCaul wrote, along with Energy and Commerce Chairman Upton, and Appropriations Subcommittee Chairman Carter, that the basic programmatic building blocks of CFATS are missing and they are convinced the program should not continue in its present condition. Since Chairman McCaul's July 2013 letter, the CFATS office has made some modest improvement, particularly with respect to identifying and reaching out to facilities that should be evaluated for risk. Still, fundamental questions about the program's implementation persist. Answers to those questions and recommendations for reform will likely be down the road. I wrote the President last year about my concerns regarding the tragedy that occurred in West, Texas, and how we might examine the processes here at DHS and other agencies to protect citizens from similar catastrophic events, including changes in the CFATS program. Soon thereafter, the President issued an Executive Order that created an interagency working group to undertake an across-the-board examination of the programs that regulate chemical security and safety in the Federal Government. The interagency working group includes the Department of Homeland Security, the Department of Agriculture, Department of Justice, Department of Labor, Department of Transportation, and the Environmental Protection Agency. The Chemical Facility Safety and Security Working Group is expected to report to the President in May. In fairness, the Federal Government shutdown, which resulted in lapses in funding and authority, was not helpful. For that matter, neither is the current sequester, but we are here to talk about making the CFATS program work for the American people and making our Nation more secure. As a committee, we have an obligation to advance legislation that gives effect to our oversight finding. 
From risk modeling to administrative processes, it is an excessive and wrongheaded approach to personal security. DHS needs guidance. Frankly, I see nothing in the scant 11 pages of H.R. 4007 to deliver the massive reforms that will be required to make CFATS and other chemical security programs more efficient and productive programs. With that, Mr. Chairman, I yield back.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
As an original author of chemical security legislation, I am supportive of DHS' efforts to raise the level of security at our Nation's chemical facilities. If you would have told me back in 2006 that 8 years later that CFATS would still be operating without a free-standing authorization in the Homeland Security Act, I would have been shocked. Jurisdictional wrangling has been a problem. The closest that Congress has come to approving an authorization bill was back in 2010, when I teamed up with then-Energy and Commerce Chairman Waxman. Since that time, the program has faced its share of internal and external challenges. Today, the program appears to be in a better place. That said, there could be some major changes to the program, once the President's inter-agency Chemical Facility Safety and Security Working Group completes its work, to enhance chemical sector safety and security. The legislation before us today has some good features; certainly, the mention of personnel surety is a positive; however, it has some glaring weaknesses. The bill is a stand-alone and would not amend the Homeland Security Act. This approach potentially denies CFATS a firm, statutory footing and adds to jurisdictional conflict. The bill maintains exemptions that were put in place, in haste, in 2006, of categories of facilities, even as we await the recommendations from the President's Chemical Facility Safety and Security Working Group.
One of my biggest issues with the bill is that it is written so broadly as to raise questions on whether it is a ``stay the course'' bill or, by making little or no references to the existing CFATS program, requires something different. I must say that the introduction of this bill was somewhat surprising since, after the West, Texas, tragedy last year Chairman McCaul wrote, along with Energy and Commerce Chairman Upton, and Appropriations Subcommittee Chairman Carter, that ``The basic programmatic building blocks of CFATS are missing'' and they ``are convinced the program should not continue in its present condition.'' Since Chairman McCaul's July 2013 letter, the CFATS office has made some modest improvement, particularly with respect to identifying and reaching out to facilities that should be evaluated for risk. Still, fundamental questions about the program's implementation persist. Answers to those questions and recommendations for reform will likely be down the road. I wrote the President last year about my concerns regarding the tragedy that occurred in West, Texas, and how we might examine the processes here at DHS and other agencies to protect citizens from similar catastrophic events, including changes in the CFATS program. Soon thereafter, the President issued an Executive Order that created an inter-agency working group to undertake an across-the-board examination of the programs that regulate chemical security and safety in the Federal Government. The interagency working group includes the Department of Homeland Security, the Department of Agriculture, the Department of Justice, the Department of Labor, the Department of Transportation, and the Environmental Protection Agency. The Chemical Facility Safety and Security Working Group is expected to report to the President in May. In fairness, the Federal Government shutdown, which resulted in lapses in funding and authority, was not helpful. 
For that matter, neither is the current sequester, but we are here to talk about making the CFATS program work for the American people and making our Nation more secure. As a committee, we have an obligation to advance legislation that gives effect to our oversight findings. From risk modeling to administrative processes and its excessive and wrong-headed approach to personnel surety, DHS needs guidance. Frankly, I see nothing in the scant 11 pages of H.R. 4007 to deliver the massive reforms that will be required to make CFATS, and other chemical security programs more efficient and productive programs.
Mr. Meehan. I thank the Ranking Member on the committee for his comments. Other Members of the committee are reminded that opening statements may be submitted for the record. Now, before I recognize our distinguished panel before us of witnesses today, we are privileged to have a guest at the hearing, and I want to use the prerogative of the Chairman to take a moment to recognize the gentleman from Texas, Mr. Green, for any comments or questions he might have. I appreciate that some duties that he has with regard to other committees are going to prevent him from attending the full hearing. So, Mr. Green, the Chairman recognizes you.
Mr. Green. Thank you, Mr. Chairman, and I thank Ranking Member Clarke for allowing unanimous consent for me to testify, and Members of the subcommittee, for the opportunity to speak with you this morning regarding this important legislation. I serve on the Energy and Commerce Committee and also on the Environmental and Economy Subcommittee has jurisdiction over CFATS and have worked on the issue literally since its inception. Chemical facility security is extremely important to the protection of the public health and safety throughout the United States, and particularly in my district in Texas, the Texas 29th.
I represent most of the Houston ship channel area, which is the heart of the petrochemical complex that stretches along the Texas Gulf Coast into Louisiana and produces many products essential to modern life, and it is also the largest petrochemical complex in the country. I cannot stress how important the success of CFATS program is to my constituents who are employees and live in these communities that surround these facilities. They deserve the best security standards possible to prevent the act of terrorism on U.S. soil. The Energy and Commerce Committee, which I sit on, has been very active for the past two congresses on CFATS. The Energy and Commerce Committee, like your committee, has held numerous hearings with DHS, GAO, and stakeholders on the problem from the program's shortcomings. In 2009 and again in 2011, Energy and Commerce cleared CFATS authorization bills. Neither were perfect bills, just like this one is not, but both provided important guidelines DHS needs to proceed in fixing the problems in CFATS. Both efforts--one led by Democrats, and the other by Republicans--failed to become law, and as a result, we are left with the status quo, which continues to endanger the security of our Nation's chemical facilities and surrounding communities, and ultimately resulted in DHS temporarily losing its authority to continue running CFATS during the Government shutdown last October. H.R. 4007, the Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act, gives this Congress a realistic pathway toward authorization. This bill doesn't solve every problem that exists in CFATS, and it isn't meant to do so. What this bill will do is provide the Department, industry, workers, and our communities the stability and certainty they need going forward that CFATS is here to stay. 
It will authorize CFATS for the first time for 2 years and give Congress the opportunity to oversee the Department's implementation of the program and provide Congress the time to come to consensus on how best to fix the lingering issues. The bill would also provide guidance on some of the most urgent fixes needed in CFATS, including improve the efficiency of the site security plans, allow facilities to use existing Federal terrorist screening programs, like TWIC, to satisfy personnel surety requirements, and limit information collected from individuals to only what is necessary to ensure site security. I am aware of the concerns of my colleagues that Congress should not act on chemical security until the completion of the administration's Chemical Facility Safety and Security Working Group. The intention of this bill is not to interfere with the President's Executive Order. The bill is intended narrowly in scope in order to avoid these conflicts. As Members of Congress, we shouldn't wait for any administration, Democrat or Republican, in order to act and author the laws that we know are necessary to protect the American people from terrorist threats. I would like to remind my colleagues of the words yesterday, and this will be the third time you get to hear DHS Secretary Jeh Johnson: ``We have got a good bill, and if there is an opportunity to pass it in this Congress that supports my goals and objectives and enhances homeland security, I am going to support that measure.'' I think we in the Congressional and Executive branches owe it to the American people to get something done. I ask my colleagues on both sides of the aisle to not let the perfect be the enemy of the good and to support this important legislation. Again, thank you again for the opportunity to speak this morning, and I will yield back my time, but also recognize my good friend from South Texas, Congressman Vela, who--I am glad he is on Homeland Security. He represents also the Port of Brownsville. 
[The statement of Hon. Green follows:]
Statement of Honorable Gene Green
February 27, 2014
Good morning. I would like to thank Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee for the opportunity to speak with you all this morning regarding this important legislation. Chemical facility security is extremely important to the protection of public health and safety throughout the United States and particularly for my district, the Texas 29th. I represent the Houston Ship Channel area which is the heart of a petro-chemical complex that stretches along the Texas Gulf Coast and produces many products essential to modern life and it is also the largest petrochemical complex in the country. I cannot stress how important the success of the CFATS program is to my constituents who are the employees and live in the communities that surround these facilities. They deserve the best security standards possible to prevent act of terrorism on U.S. soil. The Energy and Commerce Committee, which I sit on, has been very active for the past two Congresses on CFATS. Energy and Commerce, like your committee, has held numerous hearings with DHS, GAO, and stakeholders on the program's shortcomings. In 2009, and again in 2011, Energy and Commerce cleared CFATS authorization bills. Neither were perfect bills, but both provided important guidelines on how DHS needs to proceed in fixing the problems in CFATS. Both efforts, one led by Democrats, the other by Republicans, failed to become law, and as a result we are left with the status quo, which continues to endanger the security of our Nation's chemical facilities and surrounding communities and ultimately resulted in DHS temporarily losing its authority to continue running CFATS during the Government shutdown last October. H.R. 4007, the Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act gives this Congress a realistic pathway towards authorization.
This bill does not solve every problem that exists in CFATS. It isn't meant to do so. What this bill will do is provide the Department, industry, workers, and our communities, the stability and certainty they need going forward that CFATS is here to stay. It will authorize CFATS, for the first time, for 2 years and give Congress the opportunity to oversee the Department's implementation of the program and provide Congress the time to come to a consensus on how best to fix the lingering issues. The bill will also provide guidance on some of the most urgent fixes needed to CFATS, including:
Improve the efficiency of the site security plans;
Allow facilities to use existing Federal terrorist screening programs, like TWIC, to satisfy personnel surety requirements, and;
Limit information collected from individuals to only what's necessary to ensure site security.
I am aware of the concerns of some of my colleagues that Congress should not act on chemical security until the completion of the administration's Chemical Facility Safety and Security Working Group. The intention of this bill is not to interfere with the President's EO. The bill is intentionally narrow in scope in order to avoid these conflicts. As Members of Congress, we shouldn't have to wait for any administration, Democrat or Republican, in order to act and author the laws we know are necessary to protect the American people from terrorist threats. I would also like to remind my colleagues of the words said in this very room yesterday by DHS Secretary Jeh Johnson: ``We've got a good bill, and if there is an opportunity to pass it in this Congress that supports my goals and objectives, enhances homeland security, I'm going to support that measure. I think we in the Congressional and Executive Branches owe it to the American people to get something done.'' I ask my colleagues on both sides of the aisle to not let the perfect be the enemy of the good and to support this important legislation.
Thank you again for the opportunity to speak with all of you this morning and I yield the balance of my time.
Mr. Meehan. Well, I thank the gentleman from Texas, and I appreciate his taking the time out of his schedule to join us today. So at this point in time, let me turn to the testimony of our witnesses. We will have two panels of witnesses, the first constructed of members of the Department of Homeland Security and the agencies we have asked to participate in oversight of this program. So I will begin my identification of each of those witnesses. The first is Ms. Caitlin Durkovich, is the assistant secretary for infrastructure protection at the Department of Homeland Security. In this role, she leads the Department's efforts to strengthen public-private partnerships and coordinate programs to protect the Nation's critical infrastructure, assess and mitigate risk, build resilience, and strengthen incident response and recovery. Previously, Ms. Durkovich served as the National Program and Protection Directorate's chief of staff, overseeing day-to-day management of the director and the development of internal policy and strategic planning. Ms. Durkovich is accompanied this morning by Mr. David Wulf, the director of the Infrastructure Security Compliance Division in DHS's National Program and Protection Directorate. Mr. Wulf will not be offering an opening statement, but he is here to answer questions, and I do--Mr. Wulf has been previously identified in my testimony--but in his role, has spent a significant period of time both looking at the challenges of--been helping to direct the improvements in the response for DHS. We will also be joined on this panel by Mr. Stephen Caldwell. He is the director in the Government Accountability Office's homeland security and justice team. Most recently, Mr. Caldwell's focus has been related to protecting critical infrastructure and promoting resiliency.
He recently raised concerns about the risk assessment process used by ISCD in assessing terrorist risk to the 3,500 chemical facilities under the CFATS program. Last on this panel, we will be joined by Ms. Marcia Hodges. She is the chief inspector of the office of inspection of the Department of Homeland Security's Office of Inspector General. Ms. Hodges directly directs highly complex analytical reviews of DHS operations and programs to determine their efficiency and effectiveness. Prior to her service at DHS, Ms. Hodges worked for the inspector general of the Federal Emergency Management Agency from 1999 to 2003. In that position, Ms. Hodges led a multi-discipline team in New York City to assist and facilitate FEMA's response to the terrorist attacks of September 11, 2001. I thank you all for being here. Full written statements for each of the witnesses have been submitted to the Chairman and will appear in the record. So I ask you to do your best to keep your testimony to our 5 minutes, and I will recognize our first witness, Ms. Durkovich.
STATEMENTS OF CAITLIN DURKOVICH, ASSISTANT SECRETARY, INFRASTRUCTURE PROTECTION, U.S. DEPARTMENT OF HOMELAND SECURITY, ACCOMPANIED BY DAVID WULF, DEPUTY DIRECTOR, INFRASTRUCTURE SECURITY COMPLIANCE DIVISION
Ms. Durkovich. Thank you very much, Chairman Meehan, Ranking Member Clarke. I do also want to thank Chairman McCaul, committee Ranking Member Thompson, Congressman Green, and Congressman Vela for their presence here earlier this morning and also other distinguished Members of the subcommittee. I very much appreciate the opportunity to appear before you today to discuss the progress made by CFATS and the need to authorize the program. The CFATS program has made the Nation more secure. Over the past 2 years, as you have noted, it has made significant progress.
We are pleased the subcommittee has acknowledged this progress by introducing a bill that would provide longer-term authorization and the authority to carry out the program in a manner that will foster the security of America's highest-risk chemical infrastructure. As you are aware, the Department's current authority is set to expire in October 2014. DHS is eager to work with this subcommittee, our other authorization committees, and our stakeholders to achieve passage of legislation that provides long-term authorization and appropriately matures the CFATS program. As I said, the CFATS program has made the Nation more secure, and we are seeing the impact of the program at facilities throughout the country. For example, one facility had numerous positive aspects to their security program but failed to address security for small containers, which could be easily concealed in a purse or bag. After inspection, the facility understood this vulnerability and developed measures to prohibit bags within the restricted areas and to inspect hand-carrier items when exiting the restricted area. Another recent example is a tier four facility in Missouri that exercised its commitment to CFATS security measures and contacted their chemical security inspector when they discovered they had only received one of two pallets of a chemical of interest. Our chemical inspectors worked with UPS, local law enforcement, FBI weapons of mass destruction until the pallet was successfully located and delivered to the facility. These improvements are attributable to the hard work of the staff of the Infrastructure Security Compliance Division, which implements the CFATS program. I have confidence in the ability of Director Dave Wulf, who is here with me today, and the dedicated staff of ISCD located across the country to continue the success we have made to date. The progress made in the last 2 years has helped to put CFATS on a path to success, but there still is work to be done. 
We continue to engage with stakeholders and focus on three core areas of progress, reducing the backlog of security plan approvals, improving the risk assessment process, and ensuring that all potentially high-risk facilities are identified and meet their CFATS obligations. Over the past year, we have authorized, inspected, and approved hundreds of security plans. Since Director Wulf appeared before you last August, we have made great strides in increasing our pace of approvals, despite the 2 1/2-week Government shutdown. The number of authorizations has nearly doubled to over 1,100 authorizations. The pace of inspections has increased dramatically, and we have now completed more than 800 inspections in total, including over 100 in January. We have tripled the number of approved site security plans, with over 500 approved, and we are on pace to hit 1,000 this summer. Finally, in September, we began conducting compliance inspections at facilities with approved security plans. Our progress demonstrates our commitment to ensuring this program succeeds. Now we ask Congress to demonstrate your commitment to this program in providing long-term authorization. The Federal funding hiatus last October illustrates the complication faced by a program authorized through appropriation bills. In addition to stopping all inspections, the authorization of the CFATS program expired on October 5, 2013. The gap in program authorization caused concern among our regulated facilities, with many questioning if the regulations were still in effect. This uncertainty illustrated the need for longer-term authorization outside of the appropriations process. The Department strongly believes that an authorization period longer than the 2 years currently stipulated in the bill would benefit Congressional oversight, ensuring maturation of the program, and the review and approval of security plans.
Perhaps most importantly, long-term authorization will provide industry with the stability needed to plan and invest in measures to harden their sites against terrorist attack or exploitation. Companies have communicated to us that their capital planning and budgeting process for security improvements often runs on a 3-to-5-year cycle, and they deserve to know that the program will not be allowed to lapse as they invest in many CFATS-related improvements. Uncertainty about the future of CFATS has provided incentive for potentially regulated facilities to ignore their obligations and hope that the program will be allowed to sunset. An authorization period of 5 years or longer would enable you to send a message to facilities that may be seeking to avoid compliance. As we approach the anniversary of the explosion in West, Texas, the Department remains committed to ensuring that facilities are both aware of the requirements to report under CFATS and complete their obligations. The committee's efforts to codify the Department's authority to seek noncompliant facilities will greater support our actions to bring these facilities into compliance. We have worked closely with our interagency partners to implement Executive Order 13650 on improving chemical facility safety and security, but we feel strongly that multi-year authorization is vital now and will harmonize with the outcomes of the Executive Order. With the progress made over the last 2 years, the CFATS program is ready for stabilization through long-term authorization. Finally, I want to thank the next panel, Clyde Miller, who is representing the American Chemistry Council, and Kate Donahue, who is representing the Society of Chemical Manufacturers and its affiliates. Both individuals and organizations have been important supporters as we have worked to implement the program. 
It is with their input and feedback that we have made progress in areas like developing templates for alternative security programs, expanding outreach to potentially noncompliant facilities, and improving our tiering methodology. With continued support from industry and action by Congress to authorize the program, our mission to protect Americans will be strengthened. Thank you. I look forward to your questions.
[The joint prepared statement of Ms. Durkovich and Mr. Wulf follows:]
Joint Prepared Statement of Caitlin Durkovich and David Wulf
February 27, 2014
Thank you, Chairman Meehan, Ranking Member Clarke, and distinguished Members of the subcommittee. I appreciate the opportunity to appear before you today to discuss the Department of Homeland Security's (DHS) regulation of high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS) and the need for action to authorize the program. Over the past year, the CFATS program has made significant progress, advancing programmatically while simultaneously addressing internal management concerns. We are pleased the subcommittee has acknowledged this progress by introducing a bill that would provide longer-term authorization and the authority to carry out the program in a manner that will foster the security of America's highest-risk chemical infrastructure. As you are aware, the Department's current authority under Section 550 of the Fiscal Year 2007 Department of Homeland Security Appropriations Act, as amended, is set to expire in October 2014. DHS is eager to work with this subcommittee, our other authorization committees, and our stakeholders both in Government and the private sector to achieve passage of legislation that provides long-term authorization and appropriately matures the CFATS program.
In support of this collaboration, our testimony focuses on the progress made over the last 2 years, our efforts to continue strengthening the program, and the need for permanent authorization in order to fully stabilize the program.
CFATS Has Made the Nation More Secure
The CFATS program is an important part of our Nation's counterterrorism efforts as we work with our industry stakeholders to keep dangerous chemicals out of the hands of those who wish to do us harm. Since the CFATS program was created, we have engaged with industry to identify and regulate high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with the possession of chemicals of interest. CFATS has also played a significant role in reducing the number of high-risk chemical facilities that are susceptible to attack or exploitation. To date, more than 3,000 facilities have eliminated, reduced, or modified their holdings of chemicals of interest. The significant reduction in the number of chemical facilities that represent the highest risk is an important success of the CFATS program and is attributable both to the design of the program as enacted by Congress and to the work of CFATS personnel and industry at thousands of chemical facilities. The progress made in the CFATS program over the last 2 years has helped to put the program on a path to success; however, there is still work to be done. The Department continues to engage with stakeholders and focus on three core areas: Reducing the backlog of site security plan approvals, improving the risk assessment process, and ensuring that all potentially high-risk facilities are identified and are meeting their regulatory obligations as required by CFATS. Along with long-term authorization, our continued focus on these areas will ensure our stakeholders have the stability they need to comply with their regulatory obligations.
We welcome the opportunity to work with you and our stakeholders on these important issues to further improve this vital National security program.
CFATS Implementation Progress
The cornerstone of the CFATS program is the development, submission, and implementation of Site Security Plans (SSPs), or Alternative Security Programs (ASPs) in lieu of SSPs, which document the security measures that high-risk chemical facilities utilize to satisfy the applicable Risk-Based Performance Standards (RBPS) under CFATS. It is important to note that these plans are not ``one-size-fits-all,'' but are in-depth, highly customized, and account for each facility's unique circumstances. In order to determine whether a facility is regulated under CFATS, the facility submits a Top-Screen to the Department's Infrastructure Security Compliance Division (ISCD). Since we began collecting this information in 2007, ISCD has data from more than 46,000 Top-Screens submitted by chemical facilities, providing important information about their chemical holdings. Based on the information received in the Top-Screens, ISCD makes an initial determination that certain facilities are considered high-risk and assigns each of these to a preliminary tier.\1\ These facilities then compile and submit Security Vulnerability Assessments (SVAs), which are used by ISCD to identify which facilities present a terrorism risk that is sufficiently high to warrant the assignment of a final high-risk tier under CFATS. As of February 20, 2013, CFATS covers over 4,200 high-risk facilities Nation-wide; of these, over 3,300 have received final high-risk determinations and are required to develop SSPs (or ASPs) for ISCD review. The remaining facilities are awaiting final tier determinations based on their SVA submissions. The tiered population is dynamic and subject to change, depending on the chemical holdings and other conditions at facilities.
---------------------------------------------------------------------------
\1\ The Department has developed a risk-based tiering structure and assigns facilities to one of four risk-based tiers ranging from high (Tier 1) to low (Tier 4) risk. Assignment of tiers is based on an assessment of the potential consequences of a successful attack on assets associated with chemicals of interest.
---------------------------------------------------------------------------

------------------------------------------------------------------------------------------------
         Total No.                 Authorized   Authorization   Approved     Compliance
Tier*    of           Received     SSPs and     Inspection      SSPs and     Inspections
         Facilities   Final Tier   ASPs         Conducted       ASPs         Conducted
------------------------------------------------------------------------------------------------
1        120          111          106          103             99           11
2        392          343          253          234             195          1
3        1,119        957          541          416             241          0
4        2,571        1,914        149          28              5            0
------------------------------------------------------------------------------------------------
Total    4,202        3,325        1,049        781             540          12
------------------------------------------------------------------------------------------------
* As of February 20, 2013.
** Totals do not include facilities that are no longer regulated, but have received letters of authorization, authorization inspections, and/or approved SSPs/ASPs.

Over the past year, the CFATS program has authorized, inspected, and approved hundreds of security plans. The program has also improved the pace of inspections and SSP approvals, developing new processes and distributing guidance materials. The majority of Tier 1 and Tier 2 facilities (the highest of the high-risk), as well as many Tier 3 facilities, now have an approved security plan. In September, ISCD marked yet another milestone when we began conducting compliance inspections for facilities with approved SSPs.
During compliance inspections, the Department verifies that the facility is implementing the measures contained in its approved SSP. Initially, these inspections will be conducted approximately 1 year after a facility's SSP is approved, but the Department is developing a process whereby the timing for compliance inspections will be based on a variety of factors, such as the facility's risk tier, the facility and/or parent company's past CFATS compliance history, and the number of planned measures contained in the approved SSP. The improvements that have been made have accelerated the pace of approvals and we are continuing to explore areas to enhance the program. We recognize the projected time frame for all approvals must be reduced and we are exploring a variety of ways to increase the pace at which approvals are granted while maintaining the quality and thoroughness of the security plan approval process and the level of security required at chemical facilities. These include encouraging increased use of ASPs and supporting stakeholders' development of new ASP templates, focusing inspections on key RBPS at lower-tier facilities, exploring ways to streamline the security plan review and inspection process for facilities owned by corporations with multiple CFATS-regulated facilities, and identifying efficiencies in the inspection and compliance assistance visit scheduling process to reduce travel time per inspector activity. The Department is engaging with CFATS stakeholders on efforts to expedite security plan reviews and is committed to identifying and implementing appropriate enhancements to streamline the CFATS process. ASPs are an important option for facilities that desire flexibility in their site security plan, and we appreciate the subcommittee's effort to ensure this option remains available for the CFATS program moving forward. 
cfats risk assessment

As a part of our commitment to continue moving the CFATS program forward, NPPD has conducted a thorough review of our risk assessment process. In support of this review, NPPD implemented a phased approach, which included documenting all processes and procedures relating to the risk assessment methodology; conducting an internal NPPD review of the risk assessment process; and initiating an external peer review of the risk assessment methodology. All three of these phases are now complete, with the Department receiving the CFATS Tiering Methodology Peer Review Final Report from the expert peer review panel in October 2013. Although many of the peer review panel's recommendations pertain to areas the Department had previously identified for improvement, we felt it was essential to engage external stakeholders through an external peer review. As a result of continued stakeholder engagement, the Report provides valuable perspectives that will inform our efforts to enhance the CFATS risk-tiering methodology.

We have analyzed the peer review recommendations and developed an implementation plan to enable us to address the recommendations in a timely and thoughtful manner. We also recognize that it is essential to continue to engage our stakeholders in implementing changes to the risk assessment process. As recommended by the Peer Review Final Report, the Department intends to adopt appropriate changes to the tiering methodology in an integrated fashion, addressing as many issues concurrently as feasible. The implementation plan also addresses modifications to the tiering methodology stemming from efforts beyond the peer review, such as the economic and mission criticality studies being conducted on behalf of the Department by Sandia National Laboratories.
Additionally, consistent with both recommendations within the Peer Review Final Report and our response to the Government Accountability Office's report on the CFATS tiering methodology, ISCD intends to have a third party verify and validate the revised tiering methodology. As we move forward with implementing recommendations to the tiering methodology, we are committed to ensuring these improvements are balanced with our stakeholders' need for continued stability in tiering.

chemical facility safety and security improvement: a shared responsibility

Since the inception of the CFATS program, the Department has worked to ensure that potentially regulated facilities are aware of their reporting obligation under the CFATS regulations and that they comply with these existing regulations. Following the explosion in West, Texas, this past April, ISCD has taken a number of steps to reinvigorate this effort, including supporting the implementation of Executive Order 13650, Improving Chemical Facility Safety and Security.

Under Executive Order 13650, Federal agencies are exploring options for improving chemical facility safety and security to reduce the likelihood of incidents occurring in the future. The working group is developing recommendations to see if there is a need to improve information collection, more effectively share information between agencies, improve operational and Federal coordination efforts, and the working group is analyzing the effectiveness of existing regulations and policies governing chemicals and chemical facilities. These coordinated efforts will help ensure that the Federal Government most effectively uses the collective resources available for managing chemical risk.

Promoting Compliance

The activities taking place in support of Executive Order 13650 complement many of the individual efforts being undertaken within the Department, and other Federal departments and agencies, following the tragic events in West, Texas.
Since the April explosion, DHS has engaged with numerous members of industry and all have agreed that we must work together to prevent future incidents. Industry has offered to share information about the CFATS regulatory requirements with other members of industry and do their part to promote safety and security at chemical facilities. The Department appreciates this support and looks forward to working with industry and our Government partners to carry out these activities.

In pursuit of this shared responsibility, the Department has undertaken significant outreach efforts throughout the years, to inform potentially high-risk chemical facilities of their obligations under CFATS. These outreach efforts have been a major contributor to the submission of over 46,000 Top-Screens from potentially high-risk chemical facilities to date.

As the tragic incident in West, Texas, demonstrated, however, not all facilities with threshold quantities of CFATS chemicals of interest have met their obligation to submit Top-Screens. DHS is committed to pursuing all reasonable measures to identify potential high-risk chemical facilities that are not among those that have already complied with initial Top-Screen submission requirements, and we will continue to work to get those facilities into compliance. When appropriate, the Department can utilize available enforcement mechanisms to bring non-compliant facilities into compliance. Both increased outreach and, where appropriate, the use of compliance enforcement mechanisms are part of the Department's overall strategy to reduce the likelihood of potentially high-risk chemical facilities intentionally or unintentionally evading identification under the CFATS program.

State and Local Partnerships

The Department's strategy for identifying potentially non-compliant facilities also includes enhanced coordination with Federal, State, and local partners.
One such activity has been reinvigorating efforts with the EPA and other Federal partners with regulatory authority over the chemical industry to compare lists of regulated facilities to identify facilities which may have complied with another regulatory program and are potentially regulated under CFATS but have yet to comply with CFATS. Initial results from these efforts have been promising, with the Department seeing a substantial increase in the monthly rate of new Top-Screen submissions having begun in August 2013.

The Department is also undertaking similar efforts with States and localities. Since April, ISCD has reached out to officials in all 50 States, including State Homeland Security Advisors (HSAs) and the Governors Homeland Security Advisory Council, about CFATS requirements. These efforts are in addition to continuing to provide State HSAs and their designees with access to information on CFATS-regulated facilities in their jurisdictions via CFATS Share, a web-based information-sharing portal that provides on an as-needed basis to certain Federal, State, and local agencies access to key information on CFATS facility information.

Outreach to Non-Compliant Facilities

The Department is expanding outreach efforts to identify potentially non-compliant facilities and has developed an Outreach and Engagement Strategy as well as an Outreach and Engagement Implementation Plan to raise awareness of CFATS, the measures of success, roles and responsibilities, and resource implications. DHS will continue to operate its CFATS Tip Line and will follow up on any information of potentially non-compliant facilities.

All of the aforementioned efforts are being undertaken in addition to the larger-scale efforts being coordinated under E.O. 13650. Of particular relevance is the effort being led by DHS under Section 5 of the EO, which addresses Enhanced Information Collection and Sharing.
This section requires the development of recommendations on possible changes to improve and streamline information collection from regulated industries and recommendations to enhance data sharing between agencies, States, localities, and Tribal entities to better identify facilities which may not have provided all required information or may be non-compliant with requirements.

We feel strongly that our private-sector stakeholders are key to our efforts to enhance data sharing, increase cross-training, and identify areas for possible regulatory changes as well as identifying possible gaps in existing statutory authorities. Enhancing security and building resilience across the chemical sector is not something a single company, industry or even Government can do by itself. This has to be a collaborative effort. It also has to be a comprehensive effort, because of the sheer complexity of affected facilities, the linkages to other sectors, and the potential cascading effects and consequences of a significant attack or disruption.

industry engagement

Industry engagement has always been an important aspect of CFATS, but will be more important than ever as we move forward with program improvements. Chemical Security Inspectors play an important role, serving as our boots on the ground and the face of CFATS in the field. Inspectors provide assistance and outreach directly to facilities and play an important role in helping to identify appropriate security measures during the authorization inspection process. For example, one facility had numerous positive aspects to their security program, but failed to address any security measures for small containers, which could easily be concealed within a handbag or backpack. After the inspection, the facility understood the potential vulnerability and developed planned measures to prohibit bags within the restricted area and to inspect hand-carried items when exiting the restricted area.
Another example is a different regulated facility that had effective security for the chemicals of interest located within the building, but failed to address the chemicals of interest located in the open storage yard. As a result of the inspection, the facility identified a new restricted area to store the chemicals of interest within the main building and added procedures to ensure that upon receipt, the appropriate facility personnel immediately moved the chemicals of interest into the new restricted area.

In addition to conducting inspections and providing compliance assistance to facilities, NPPD's chemical inspectors actively work with local stakeholders and Governmental agencies across the country.

the need for program authorization

DHS recognizes the significant work that the committee and others have undertaken to reauthorize the CFATS program. The progress we have made over the last 2 years demonstrates the Department's commitment to ensuring this program is a success; now we ask Congress to demonstrate your commitment to this program in providing a long-term authorization.

The Federal funding hiatus last October illustrates the complications in the current authorization structure. The funding hiatus directly impacted the CFATS program because the program is authorized through appropriations bills. The shutdown resulted in all ISCD staff being furloughed, which resulted in cancellation of numerous inspections and immobilized security plan approvals. In addition to the shutdown of programmatic activities, the authorization of the CFATS program expired on October 5, 2013. The gap in program authorization caused concern among regulated facilities, with many facilities questioning whether the regulations were still in effect. This confusion and uncertainty demonstrated the need for long-term authorization outside of the appropriations process.
Moreover, it is unclear if the Department would have had the authority to act had there been an exigent need during the shutdown to take enforcement action under CFATS in furtherance of National security interests. The Department strongly believes that an authorization period longer than the 2 years currently stipulated in the bill would be beneficial to your oversight activities by ensuring the full maturation of the program and the review and approval of all backlogged Site Security Plans. Perhaps most importantly, long-term authorization will provide industry stakeholders with the stability needed to plan for and invest in CFATS-related security measures to harden their critical sites against terrorist attack or exploitation. Companies have regularly communicated to us that their capital-planning/budgeting processes for security improvements frequently run on a 3-to-5-year cycle and they deserve to know that the program will not be allowed to lapse as they invest in major CFATS-related security improvements. Uncertainty about the future of CFATS also has provided an incentive for potentially-regulated facilities storing large quantities of dangerous chemicals to ignore their obligations under CFATS in hopes that the program will be allowed to sunset. An authorization period of 5 years or longer would enable Congress to send an important message to such facilities that may willfully be seeking to avoid compliance. As we approach the 1-year anniversary of the explosion at the West Fertilizer plant in Texas, the Department remains committed to ensuring that facilities across the Nation are both aware of the requirements to report under CFATS and complete their obligations. The committee's efforts to codify the Department's authority to seek out non-compliant facilities will greatly support our on-going actions to bring these facilities into compliance. 
The Department has worked closely with our interagency partners to implement Executive Order 13650, but we feel strongly that multi-year CFATS authorization is vital now and will harmonize with the outcomes of the Executive Order.

With the progress made over the last 2 years, the CFATS program is ready for program stabilization through permanent or long-term authorization. The Department has taken important steps to build a strong CFATS program and has a seasoned leadership team committed to the success of the program. With support from industry and action by Congress to authorize the program, the CFATS program's mission to protect Americans will be strengthened.

conclusion

The Department has made significant improvements to the CFATS program and is moving forward strategically to address the challenges that remain. With your support, we can ensure our Nation is more secure by continuing implementation of the CFATS program, and we are committed to working with you to pass legislation to establish permanent or long-term authorization for the program. As we implement CFATS, we will continue to work with stakeholders to keep our Nation secure by preventing terrorists from exploiting chemicals or chemical facilities. We firmly believe that CFATS is making the Nation more secure by reducing the risks associated with our Nation's chemical infrastructure and we are--along with our stakeholders and partners--committed to its continued success.

Mr. Meehan. Thank you, Ms. Durkovich. The Chairman now recognizes the gentleman from the Government Accountability Office, Mr. Caldwell.

STATEMENT OF STEPHEN L. CALDWELL, DIRECTOR, HOMELAND SECURITY AND JUSTICE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Caldwell. Chairman Meehan, Ranking Member Clarke, thank you very much for, again, asking GAO to discuss our CFATS work, particularly at your hearing on your bill, H.R. 4007.
My written statement is based on work we have done over the last couple of years, as well as some more recent updates in talking to the CFATS staff. We will provide basically a status report on four areas that are key to the program. First is identifying chemical facilities. Next is assessing the risks and prioritizing those facilities to decide which ones are high risk and at what tier. The next one is reviewing facility site security plans and improving those. Then, finally, inspecting the facilities for compliance at the end of the process. Based on reports we have done, the recent updates and some of the statements by the Department today, there are certainly some indications of process across all four of these areas.

Regarding the identification of the facilities, your last hearing raised the issue of outliers, facilities that should have applied, but have not. As you know, on that very same day, the President issued the Executive Order 13650, to address that issue. DHS as a whole has reported on some of the progress by the 13650 working group. GAO does have a review in process to look at the implementation of that, focused not only on DHS, but also at OSHA, EPA, and some of the other facilities.

Regarding the assessment of risks and the prioritization of facilities, DHS is working to implement our recommendations related to the risk assessment methodology. As part of response to our recommendation, they ask for a peer review from the Homeland Security and Studies Analysis Institute. Their study had results very similar to ours, and as mentioned, DHS has an action plan to address that.

Regarding the review of site security plans, as noted before, we have talked about a long backlog of that, and the Department is taking steps to do that. When we restart our work on this, that is one of the things we will focus on, and if appropriate, we will certainly revise our estimate from about a year ago that it will take 7 to 9 years to resolve that backlog.
Of course, the outstanding issue for all the facilities, those that have had plans approved or not, relates to the personnel surety program performance standard 12. Until that is resolved, you know, none of the facilities actually have a final approval of their site security plan.

Then regarding the inspections for compliance, as just reported, the Department is just starting that process. We have not really looked at it, but this is one of the key areas that we will focus on as we go forward with our new review.

Closing, I would like to note the GAO still needs to verify a lot of the progress that has been reported by the Department. We will do that through in-depth audits, as we always do. We are coordinating with the I.G., as we do as well, to make sure that we have maximum coverage over the program without duplicating work. We plan to go forward with these reviews in response to outstanding requests we already have from the appropriators and the authorization committees and whether or not this bill goes forward in terms of that particular clause.

So with that, I will be happy to answer any questions. Thank you.

[The prepared statement of Mr. Caldwell follows:]

Prepared Statement of Stephen L. Caldwell

February 27, 2014

gao highlights

Highlights of GAO-14-365T, a testimony before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives.

Why GAO Did This Study

Facilities that produce, store, or use hazardous chemicals could be of interest to terrorists intent on using toxic chemicals to inflict mass casualties in the United States. As required by statute, DHS issued regulations establishing standards for the security of these facilities. DHS established the CFATS program to assess risk at facilities covered by the regulations and inspect them to ensure compliance. In February 2014, legislation was introduced related to several aspects of the program.
This statement provides observations on DHS efforts related to the CFATS program. It is based on the results of previous GAO reports in July 2012 and April 2013, with selected updates conducted in February 2014. In conducting the earlier work, GAO reviewed DHS reports and plans on the program and interviewed DHS officials. In addition, GAO interviewed DHS officials to update information.

What GAO Recommends

In a July 2012 report, GAO recommended that DHS measure its performance implementing actions to improve its management of CFATS. In an April 2013 report, GAO recommended that DHS enhance its risk assessment approach to incorporate all elements of risk, conduct a peer review, and gather feedback on its outreach to facilities. DHS concurred with these recommendations and has taken actions or has actions underway to address them.

GAO provided a draft of the updated information to DHS for review, and DHS confirmed its accuracy.

critical infrastructure protection.--observations on dhs efforts to identify, prioritize, assess, and inspect chemical facilities

What GAO Found

In managing its Chemical Facility Anti-Terrorism Standards (CFATS) program, the Department of Homeland Security (DHS) has a number of efforts underway to identify facilities that are covered by the program, assess risk and prioritize facilities, review and approve facility security plans, and inspect facilities to ensure compliance with security regulations.

Identifying facilities.--DHS has begun to work with other agencies to identify facilities that should have reported their chemical holdings to CFATS, but may not have done so. DHS initially identified about 40,000 facilities by publishing a CFATS rule requiring that facilities with certain types of chemicals report the types and quantities of these chemicals. However, a chemical explosion in West, Texas, last year demonstrated the risk posed by chemicals covered by CFATS.
Subsequent to this incident, the President issued Executive Order 13650 which was intended to improve chemical facility safety and security in coordination with owners and operators. Under the Executive Order, a Federal working group is sharing information to identify additional facilities that are to be regulated under CFATS, among other things.

Assessing risk and prioritizing facilities.--DHS has begun to enhance its ability to assess risks and prioritize facilities. DHS assessed the risks of facilities that reported their chemical holdings in order to determine which ones would be required to participate in the program and subsequently develop site security plans. GAO's April 2013 report found weaknesses in multiple aspects of the risk assessment and prioritization approach and made recommendations to review and improve this process. In February 2014, DHS officials told us they had begun to take action to revise the process for assessing risk and prioritizing facilities.

Reviewing security plans.--DHS has also begun to take action to speed up its reviews of facility security plans. Per the CFATS regulation, DHS was to review security plans and visit the facilities to make sure their security measures met the risk-based performance standards. GAO's April 2013 report found a 7- to 9-year backlog for these reviews and visits, and DHS has begun to take action to expedite these activities. As a separate matter, one of the performance standards--personnel surety, under which facilities are to perform background checks and ensure appropriate credentials for personnel and visitors as appropriate--is being developed. As of February 2014, DHS has reviewed and conditionally approved facility plans pending final development of the personal surety performance standard.

Inspecting to verify compliance.--In February 2014, DHS reported it had begun to perform inspections at facilities to ensure compliance with their site security plans.
According to DHS, these inspections are to occur about 1 year after facility site security plan approval. Given the backlog in plan approvals, this process has started recently and GAO has not yet reviewed this aspect of the program.

Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee: I am pleased to be here today to discuss our work on the Department of Homeland Security's (DHS) efforts in implementing and managing the Chemical Facility Anti-Terrorism Standards (CFATS) program. Facilities that produce, store, or use hazardous chemicals could be of interest to terrorists intent on using toxic chemicals to cause harm to surrounding populations during terrorist attacks, and these chemicals could be stolen and used as chemical weapons, such as improvised explosive devices, or as the ingredients for making chemical weapons. The danger posed by these chemicals became evident last year when ammonium nitrate--one of the chemicals covered by the CFATS program--detonated during a fire at a fertilizer storage and distribution facility in West, Texas. An investigation by the U.S. Chemical Safety Board (CSB) showed that the explosion killed at least 14 people and injured more than 200 others and severely damaged or destroyed nearly 200 homes, 3 nearby schools, a nursing home, and an apartment complex.\1\ According to CSB, the fire at the facility detonated about 30 tons of ammonium nitrate. This event serves as a tragic reminder of the extent to which chemicals covered by the CFATS program can pose a risk to surrounding populations.
---------------------------------------------------------------------------
\1\ Rafael Moure-Eraso, Chairperson, U.S. Chemical Safety Board, testimony before the Senate Committee on Environment and Public Works, 113th Congress 1st Sess., June 27, 2013. The CSB is an independent Federal agency charged with investigating industrial chemical accidents.
The CSB board members are appointed by the President and confirmed by the Senate. According to the CSB website, CSB does not issue fines or citations, but makes recommendations to plants, regulatory agencies, industry organizations, and labor groups.
---------------------------------------------------------------------------
The DHS appropriations act for fiscal year 2007\2\ required DHS to issue regulations to establish risk-based performance standards for securing facilities that possess, store, manufacture, or use chemicals that could be of interest to terrorists, among other things.\3\ In 2007, DHS established the CFATS program to assess the risk posed by chemical facilities, place facilities considered to be high-risk in one of four risk-based tiers, require high-risk facilities to develop security plans, review these plans, and inspect the facilities to ensure compliance with regulatory requirements. DHS's National Protection and Programs Directorate (NPPD) is responsible for the CFATS program. Within NPPD, the Infrastructure Security Compliance Division (ISCD), a division of the Office of Infrastructure Protection (IP), manages the program.
---------------------------------------------------------------------------
\2\ Pub. L. No. 109-295, 550, 120 Stat. 1355, 1388 (2006).
\3\ The CFATS regulation establishes 18 risk-based performance standards that identify the areas for which a facility's security are to be examined, such as perimeter security, access control, and cybersecurity. To meet these standards, facilities are free to choose whatever security programs or processes they deem appropriate so long as DHS determines that the facilities achieve the requisite level of performance in each applicable standard.
---------------------------------------------------------------------------
On February 6, 2014, Congressman Meehan and other Members of the House of Representatives' Committee on Homeland Security, along with one Member of the House of Representatives' Committee on Energy and Commerce, introduced H.R. 4007, the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014.\4\ This bill would authorize the CFATS program for 2 years and would take effect 30 days after enactment. This bill includes provisions regarding multiple aspects of the CFATS program, including risk assessment, security plan reviews, and facility inspections. Among other things, H.R. 4007 would:
---------------------------------------------------------------------------
\4\ H.R. 4007, 113th Cong. (2014).
---------------------------------------------------------------------------
Require DHS to consult with the heads of other Federal agencies, States and political subdivisions, and business associations to identify chemical facilities of interest;

Direct DHS to develop a risk assessment approach that includes all elements of risk, including threat data based on available intelligence, the vulnerability of the facility to terrorist attack, and consequence measurements including potential economic consequences;

Reaffirm the risk-based performance standard approach to facility security plans and the use of Alternative Security Programs;\5\
---------------------------------------------------------------------------
\5\ Under current regulations, an Alternative Security Program (ASP) is a third-party, facility, or industry organization's security program that has been determined to meet the requirements of, and provides for an equivalent level of security to that established by the CFATS regulation. CFATS allows regulated chemical facilities to submit an ASP in lieu of a site security plan. 6 C.F.R. 27.235.
---------------------------------------------------------------------------
Allow chemical facilities to utilize any Federal screening program that periodically vets individuals against the terrorist screening database to satisfy the requirements of a personnel surety performance standard;\6\
---------------------------------------------------------------------------
\6\ Personnel surety is one of the CFATS performance standards under which facilities are to perform background checks and ensure appropriate credentials for personnel and visitors as appropriate.
---------------------------------------------------------------------------
Authorize the use of non-Department or non-Government entities, with the Secretary's approval, for audits and inspections; and

Require us to submit a semiannual report to Congress containing our assessment of the implementation of the bill.

My testimony today summarizes our past work on the CFATS program and provides our observations on the status of DHS's efforts in four key areas--identifying facilities to be covered by CFATS, assessing risk and prioritizing covered facilities, reviewing facility security plans, and inspecting facilities to verify compliance with CFATS regulations. My statement is based on reports and testimonies we issued from July 2012 through August 2013 on various aspects of the CFATS program in addition to work we conducted in February 2014 to update the status of DHS actions related to these four areas.\7\ To conduct our prior work, we reviewed applicable laws and regulations, as well as NPPD, IP, and ISCD policies and procedures for administering the CFATS program and conducting its mission. We interviewed senior ISCD officials along with NPPD and IP officials to obtain their views on the program and how ISCD assesses risk. We also reviewed ISCD documents and data on tiered facilities and the approach used to determine a facility's risk and assessed ISCD's process for reviewing security plans.
Further details on the scope and methodology for the previously-issued reports are available within each of the published products. To update our work, we met with senior ISCD officials and discussed status updates on the four areas (identifying facilities, assessing risk and prioritizing facilities, reviewing security plans, and inspecting facilities). Where possible, we also reviewed available documentation pertinent to each of the key areas. We provided a copy of new information in this statement to DHS for review. DHS confirmed the accuracy of this information.
---------------------------------------------------------------------------
\7\ GAO, Critical Infrastructure Protection: DHS Needs to Improve Its Risk Assessments and Outreach for Chemical Facilities, GAO-13-801T (Washington, DC: Aug. 1, 2013); Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, GAO-13-353 (Washington, DC: Apr. 5, 2013); Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its Chemical Security Program, But It Is Too Early to Assess Results, GAO-12-515T (Washington, DC: July 26, 2012).
---------------------------------------------------------------------------

We conducted the work on which this statement is based in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.
Observations on DHS Efforts to Identify Facilities, Assess Risk, Review Security Plans, and Verify Compliance

Identifying Facilities Covered by CFATS

DHS has begun to take action to work with other agencies to identify facilities that are required to report their chemical holdings to DHS but may not have done so. The first step of the CFATS process is focused on identifying facilities that might be required to participate in the program. The CFATS rule was published in April 2007,\8\ and appendix A to the rule, published in November 2007, listed 322 chemicals of interest and the screening threshold quantities for each.\9\ As a result of the CFATS rule, about 40,000 chemical facilities reported their chemical holdings and their quantities to DHS's ISCD.
---------------------------------------------------------------------------
\8\ 72 Fed. Reg. 17,688 (Apr. 9, 2007) (codified at 6 C.F.R. pt. 27).
\9\ 72 Fed. Reg. 65,396 (Nov. 20, 2007). According to DHS, CFATS covers facilities that manufacture chemicals as well as facilities that store or use certain chemicals as part of their daily operations. This can include food-manufacturing facilities that use chemicals of interest in the manufacturing process, universities that use chemicals to do experiments, or warehouses that store ammonium nitrate, among others.
---------------------------------------------------------------------------

In August 2013, we testified about the ammonium nitrate explosion at the chemical facility in West, Texas, in the context of our past CFATS work. Among other things, the hearing focused on whether the West, Texas, facility should have reported its holdings to ISCD given the amount of ammonium nitrate at the facility. During this hearing, the Director of the CFATS program remarked that throughout the existence of CFATS, DHS had undertaken and continued to support outreach and industry engagement to ensure that facilities comply with their reporting requirements.
However, the Director stated that the CFATS regulated community is large and always changing and DHS relies on facilities to meet their reporting obligations under CFATS. At the same hearing, a representative of the American Chemistry Council testified that the West, Texas, facility could be considered an ``outlier'' chemical facility, that is, a facility that stores or distributes chemical-related products, but is not part of the established chemical industry. Preliminary findings of the CSB investigation of the West, Texas, incident showed that although certain Federal agencies that regulate chemical facilities may have interacted with the facility, the ammonium nitrate at the West, Texas, facility was not covered by these programs. For example, according to the findings, the Environmental Protection Agency's (EPA) Risk Management Program, which deals with the accidental release of hazardous substances, covers the accidental release of ammonia, but not ammonium nitrate.\10\ As a result, the facility's consequence analysis considered only the possibility of an ammonia leak and not an explosion of ammonium nitrate. --------------------------------------------------------------------------- \10\ See 40 C.F.R. 68.130. 
--------------------------------------------------------------------------- On August 1, 2013, the same day as the hearing, the President issued Executive Order 13650--Improving Chemical Facility Safety and Security, which was intended to improve chemical facility safety and security in coordination with owners and operators.\11\ The Executive Order established a Chemical Facility Safety and Security Working Group, composed of representatives from DHS; EPA; and the Departments of Justice, Agriculture, Labor, and Transportation, and directed the working group to identify ways to improve coordination with State and local partners; enhance Federal agency coordination and information sharing; modernize policies, regulations, and standards; and work with stakeholders to identify best practices. In February 2014, DHS officials told us that the working group has taken actions in the areas described in the Executive Order. For example, according to DHS officials, the working group has held listening sessions and webinars to increase stakeholder input, explored ways to share CFATS data with State and local partners to increase coordination, and launched a pilot program in New York and New Jersey aimed at increasing Federal coordination and information sharing. DHS officials also said that the working group is exploring ways to better share information so that Federal and State agencies can identify non-compliant chemical facilities and identify options to improve chemical facility risk management. This would include considering options to improve the safe and secure storage, handling, and sale of ammonium nitrate. --------------------------------------------------------------------------- \11\ Exec. Order No. 13,650, 78 Fed. Reg. 48,029 (Aug. 1, 2013). 
---------------------------------------------------------------------------

Assessing Risk and Prioritizing Facilities

DHS has also begun to take actions to enhance its ability to assess risk and prioritize facilities covered by the program. For the second step of the CFATS process, facilities that possess any of the 322 chemicals of interest at levels at or above the screening threshold quantity must first submit data to ISCD via an on-line tool called a Top-Screen.\12\ ISCD uses the data submitted in facilities' Top-Screens to make an assessment as to whether facilities are covered under the program. If DHS determines that they are covered by CFATS, facilities are to then submit data via another on-line tool, called a security vulnerability assessment, so that ISCD can further assess their risk and prioritize the covered facilities.\13\ ISCD uses a risk assessment approach to develop risk scores to assign chemical facilities to one of four final tiers. Facilities placed in one of these tiers (tier 1, 2, 3, or 4) are considered to be high-risk, with tier 1 facilities considered to be the highest risk.\14\ The risk score is intended to be derived from estimates of consequence (the adverse effects of a successful attack), threat (the likelihood of an attack), and vulnerability (the likelihood of a successful attack, given an attempt). ISCD's risk assessment approach is composed of three models, each based on a particular security issue: (1) Release, (2) theft or diversion, and (3) sabotage, depending on the type of risk associated with the 322 chemicals. Once ISCD estimates a risk score based on these models, it assigns the facility to a final tier.
---------------------------------------------------------------------------
\12\ 6 C.F.R. 27.200(b)(2).
\13\ 6 C.F.R. 27.215, .220.
\14\ 6 C.F.R. 27.220.
--------------------------------------------------------------------------- Our prior work showed that the CFATS program was using an incomplete risk assessment approach to assign chemical facilities to a final tier. Specifically, in April 2013, we reported that the approach ISCD used to assess risk and make decisions to place facilities in final tiers did not consider all of the elements of consequence, threat, and vulnerability associated with a terrorist attack involving certain chemicals. For example, the risk assessment approach was based primarily on consequences arising from human casualties, but did not consider economic criticality consequences, as called for by the 2009 National Infrastructure Protection Plan (NIPP)\15\ and the CFATS regulation.\16\ In April 2013, we reported that ISCD officials told us that, at the inception of the CFATS program, they did not have the capability to collect or process all of the economic data needed to calculate the associated risks and they were not positioned to gather all of the data needed. They said that they collected basic economic data as part of the initial screening process; however, they would need to modify the current tool to collect more sufficient data. We also found that the risk assessment approach did not consider threat for approximately 90 percent of tiered facilities. Moreover, for the facilities that were tiered using threat considerations, ISCD was using 5-year-old data. We also found that ISCD's risk assessment approach was not consistent with the NIPP because it did not consider vulnerability when developing risk scores. When assessing facility risk, ISCD's risk assessment approach treated every facility as equally vulnerable to a terrorist attack regardless of location and on-site security. As a result, in April 2013 we recommended that ISCD enhance its risk assessment approach to incorporate all elements of risk and conduct a peer review after doing so. 
--------------------------------------------------------------------------- \15\ DHS, National Infrastructure Protection Plan (Washington, DC: June 2006). The NIPP sets forth the risk management framework for the protection and resilience of the Nation's critical infrastructure. DHS updated the NIPP in January 2009 to include resiliency. See DHS, National Infrastructure Protection Plan, Partnering to Enhance Protection and Resiliency (Washington, DC: January 2009). Broadly defined, risk management is a process that helps policymakers assess risk, strategically allocate finite resources, and take actions under conditions of uncertainty. DHS further updated the NIPP, which is now called the National Plan, in December 2013. See DHS, NIPP 2013, Partnering for Critical Infrastructure Security and Resilience (Washington, DC: December 2013). \16\ The CFATS regulation states that chemical facilities covered by the rule are those that present a high risk of significant adverse consequences for human life or health, or critical economic assets, among other things, if subjected to terrorist attack, compromise, infiltration, or exploitation. 6 C.F.R. 27.105, .205. --------------------------------------------------------------------------- ISCD agreed with our recommendations, and in February 2014, ISCD officials told us that they were taking steps to address them and recommendations of a recently-released Homeland Security Studies and Analysis Institute (HSSAI) report that examined the CFATS risk assessment model.\17\ As with the findings in our report, HSSAI found, among other things, that the CFATS risk assessment model inconsistently considers risks across different scenarios and that the model does not adequately treat facility vulnerability. 
Overall, HSSAI recommended that ISCD revise the current risk-tiering model and create a standing advisory committee--with membership drawn from Government, expert communities, and stakeholder groups--to advise DHS on significant changes to the methodology. --------------------------------------------------------------------------- \17\ Homeland Security Studies and Analysis Institute, CFATS Tiering Methodology Peer Review (For Official Use Only) (Falls Church, Virginia: October 2013). The Homeland Security Studies and Analysis Institute, operated by Analytic Services Inc. on behalf of DHS, is a Federally-funded research and development center providing independent analyses of homeland security issues. --------------------------------------------------------------------------- In February 2014, senior ISCD officials told us that they have developed an implementation plan that outlines how they plan to modify the risk assessment approach to better include all elements of risk while incorporating our findings and recommendations and those of HSSAI. Moreover, these officials stated that they have completed significant work with Sandia National Laboratory with the goal of including economic consequences into their risk tiering approach. They said that the final results of this effort to include economic consequences will be available in the summer of 2014. With regard to threat and vulnerability, ISCD officials said that they have been working with multiple DHS components and agencies, including the Transportation Security Administration and the Coast Guard, to see how they consider threat and vulnerability in their risk assessment models. ISCD officials said that they anticipate that the changes to the risk tiering approach should be completed within the next 12 to 18 months. We plan to verify this information as part of our recommendation follow-up process. 
Reviewing of Facilities' Security Plans DHS has begun to take action to lessen the time it takes to review site security plans which could help DHS reduce the backlog of plans awaiting review. For the third step of the CFATS process, ISCD is to review facility security plans and their procedures for securing these facilities. Under the CFATS rule, once a facility is assigned a final tier, it is to submit a site security plan or participate in an alternative security program in lieu of a site security plan. The security plan is to describe security measures to be taken and how such measures are to address applicable risk-based performance standards.\18\ After ISCD receives the site security plan, the plan is reviewed using teams of ISCD employees (i.e., physical, cyber, chemical, and policy specialists), contractors, and ISCD inspectors. If ISCD finds that the requirements are satisfied, ISCD issues a letter of authorization to the facility. After ISCD issues a letter of authorization to the facility, ISCD is to then inspect the facility to determine if the security measures implemented at the site comply with the facility's authorized plan. If ISCD determines that the site security plan is in compliance with the CFATS regulation, ISCD approves the site security plan, and issues a letter of approval to the facility, and the facility is to implement the approved site security plan. --------------------------------------------------------------------------- \18\ 6 C.F.R. 27.225. --------------------------------------------------------------------------- In April 2013, we reported that it could take another 7 to 9 years before ISCD would be able to complete reviews of the approximately 3,120 plans in its queue at that time. As a result, we estimated that the CFATS regulatory regime, including compliance inspections (discussed in the next section), would likely not be implemented for 8 to 10 years. 
We also noted in April 2013 that ISCD had revised its process for reviewing facilities' site security plans. ISCD officials stated that they viewed ISCD's revised process to be an improvement because, among other things, teams of experts reviewed parts of the plans simultaneously rather than sequentially, as had occurred in the past. In April 2013, ISCD officials said that they were exploring ways to expedite the process, such as streamlining inspection requirements. In February 2014, ISCD officials told us that they are taking a number of actions intended to lessen the time it takes to complete reviews of remaining plans including the following:

Providing updated internal guidance to inspectors and ISCD reviewers;

Updating the internal case management system;

Providing updated external guidance to facilities to help them better prepare their site security plans;

Conducting inspections using one or two inspectors at a time over the course of 1 day, rather than multiple inspectors over the course of several days;

Conducting pre-inspection calls to the facility to help resolve technical issues before-hand;

Creating and leveraging the use of corporate inspection documents (i.e., documents for companies that have over 7 regulated facilities in the CFATS program);\19\
---------------------------------------------------------------------------
\19\ According to ISCD officials, these documents would be designed to provide examples of standard operating procedures regarding employee vetting, chemical handling, or security practices that are standard across corporations and that could be placed in a facility's file and expedite the inspection process.
---------------------------------------------------------------------------

Supporting the use of alternative security programs to help clear the backlog of security plans because, according to DHS officials, alternative security plans are easier for some facilities to prepare and use; and,

Taking steps to streamline and revise some of the on-line data collection tools such as the site security plan to make the process faster.

It is too soon to tell whether DHS's actions will significantly reduce the amount of time needed to resolve the backlog of site security plans because these actions have not yet been fully implemented.

In April 2013, we also reported that DHS had not finalized the personnel surety aspect of the CFATS program. The CFATS rule includes a risk-based performance standard for personnel surety, which is intended to provide assurance that facility employees and other individuals with access to the facility are properly vetted and cleared for access to the facility. In implementing this provision, we reported that DHS intended to: (1) Require facilities to perform background checks on and ensure appropriate credentials for facility personnel and, as appropriate, visitors with unescorted access to restricted areas or critical assets, and (2) check for terrorist ties by comparing certain employee information with its terrorist screening database. However, as of February 2014, DHS had not finalized its information collection request that defines how the personal surety aspect of the performance standards will be implemented. Thus, DHS is currently approving facility security plans conditionally whereby plans are not to be finally approved until the personnel surety aspect of the program is finalized. According to ISCD officials, once the personal surety performance standard is finalized, they plan to reexamine each conditionally approved plan.
They would then make final approval as long as ISCD had assurance that the facility was in compliance with the personnel surety performance standard. As an interim step, in February 2014, DHS published a notice about its Information Collection Request (ICR) for personnel surety to gather information and comments prior to submitting the ICR to the Office of Management and Budget (OMB) for review and clearance.\20\ According to ISCD officials, it is unclear when the personnel surety aspect of the CFATS program will be finalized. --------------------------------------------------------------------------- \20\ 79 Fed. Reg. 6418 (Feb. 3, 2014). DHS previously published a notice about the personnel surety ICR on March 22, 2013. 78 Fed. Reg. 17,680 (March 22, 2013). --------------------------------------------------------------------------- During a March 2013 hearing on the CFATS program, industry officials discussed using DHS's Transportation Worker Identification Credential (TWIC) as one approach for implementing the personal surety program. The TWIC, which is also discussed in DHS's ICR, is a biometric credential \21\ issued by DHS for maritime workers who require unescorted access to secure areas of facilities and vessels regulated under the Maritime Transportation Security Act of 2002 (MTSA).\22\ In discussing TWIC in the context of CFATS during the August 2013 hearing, officials representing some segments of the chemical industry stated that they believe that using TWIC would lessen the reporting burden and stop facilities from having to submit additional personnel information to DHS while maintaining the integrity of the program. 
In May 2011, and May 2013, we reported that the TWIC program has some shortfalls--including challenges in development, testing, and implementation--that may limit its usefulness with regard to the CFATS program.\23\ We recommended that DHS take steps to resolve these issues, including completing a security assessment that includes addressing internal controls weaknesses, among other things. The explanatory statement accompanying the Consolidated Appropriations Act, 2014, directed DHS to complete the recommended security assessment.\24\ However, as of February 2014, DHS had not yet done the assessment, and although DHS had taken some steps to conduct an internal control review, it had not corrected all the control deficiencies identified in our report.
---------------------------------------------------------------------------
\21\ A biometric access control system consists of technology that determines an individual's identity by detecting and matching unique physical or behavioral characteristics, such as fingerprint or voice patterns, as a means of verifying personal identity.
\22\ Pub. L. No. 107-295, 116 Stat. 2064. The TWIC program is intended to provide a tamper-resistant biometric credential to maritime workers who require unescorted access to secure areas of facilities and vessels regulated under the MTSA. TWIC is to enhance the ability of MTSA-regulated facility and vessel owners and operators to control access to their facilities and verify workers' identities. Under current statute and regulation, maritime workers requiring unescorted access to secure areas of MTSA-regulated facilities or vessels are required to obtain a TWIC, and facility and vessel operators are required by regulation to visually inspect each worker's TWIC before granting unescorted access. 46 U.S.C. 70105(a); 33 C.F.R. 101.514, 104.265(c), 105.255(c). Prior to being granted a TWIC, maritime workers are required to undergo a background check, known as a security threat assessment. See 49 C.F.R. 1572.21.
\23\ GAO, Transportation Worker Identification Credential: Card Reader Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed, GAO-13-198 (Washington, DC: May 8, 2013); Transportation Worker Identification Credential: Internal Control Weaknesses Need to Be Corrected to Help Achieve Security Objectives, GAO-11-657 (Washington, DC: May 10, 2011).
\24\ Explanatory statement accompanying the Consolidated Appropriations Act, 2014, Pub. L. No. 113-76, 128 Stat. 5 (2014).
---------------------------------------------------------------------------

Inspecting to Verify Compliance with Facility Plans

DHS reports that it has begun to perform compliance inspections at regulated facilities. The fourth step in the CFATS process is compliance inspections by which ISCD determines if facilities are employing the measures described in their site security plans. During the August 1, 2013, hearing on the West, Texas, explosion, the Director of the CFATS program stated that ISCD planned to begin conducting compliance inspections in September 2013 for facilities with approved site security plans. The Director further noted that the inspections would generally be conducted approximately 1 year after plan approval. According to ISCD, as of February 24, 2014, ISCD had conducted 12 compliance inspections. ISCD officials stated that they have considered using third-party non-Governmental inspectors to conduct inspections but thus far do not have any plans to do so.

In closing, we anticipate providing oversight over the issues outlined above and look forward to helping this and other committees of Congress continue to oversee the CFATS program and DHS's progress in implementing this program. Currently, the explanatory statement accompanying the Consolidated and Further Continuing Appropriations Act, 2013, requires GAO to continue its on-going effort to examine the extent to which DHS has made progress and encountered challenges in developing CFATS.
Additionally, once the CFATS program begins performing and completing a sufficient number of compliance inspections, we are mandated to review those inspections along with various aspects of them.\25\ Moreover, Ranking Member Thompson of the Committee on Homeland Security has requested that we examine among other things, DHS efforts to assess information on facilities that submit data, but that DHS ultimately decides are not to be covered by the program.
---------------------------------------------------------------------------
\25\ Explanatory statement accompanying the Consolidated and Further Continuing Appropriations Act, 2013, Pub. L. No. 113-6, 127 Stat. 198 (2013).
---------------------------------------------------------------------------

Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee, this completes my prepared statement. I would be happy to respond to any questions you may have at this time.

Mr. Meehan. I thank you, Mr. Caldwell, and I thank you and your colleagues in the GAO for the extensive work that you do. You perform a great service to those of us in Congress in helping us to get to, you know, an objective assessment of where things are and many challenging areas. Thank you for your continuing service.

Last, I would like to recognize the gentlelady from the inspector general's office, Ms. Hodges.

STATEMENT OF MARCIA MOXEY HODGES, CHIEF INSPECTOR, OFFICE OF INSPECTOR GENERAL, U.S. DEPARTMENT OF HOMELAND SECURITY

Ms. Hodges. Good morning, Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee. In response to the leaked memorandum in December 2011, we were requested by the former subcommittee Chairman, Chairman Lungren, to look at the issues that were identified in that leaked memorandum. In April 2012, we were also asked by Member Waxman of the House Committee on Energy and Commerce to look at the issues that were identified in that leaked memorandum.
In March 2013, we issued our report, ``The Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program.'' We had three objectives: Whether management controls were in place and operational to ensure the CFATS program was not mismanaged; whether leadership misrepresented program progress; and whether nonconforming opinions of personnel had been suppressed or met with retaliation. The scope of that review covered the CFATS implementation all the way through October 2012. We determined that ISCD needs to improve program-related tools and processes, reduce its reliance on contractors, eliminate program waste and duplication, follow proper hiring practices, and provide sufficient training to all CFATS personnel.

When Congress granted DHS the authority to regulate high-risk chemical facilities, it required an interim final rule to be issued within 6 months. While DHS met that deadline, there appeared to be confusion within ISCD about the 6-month requirement. Some employees interpreted that statute as a mandate to stand up and implement the CFATS program within 6 months. Misinterpretations of Congressional intent may have put unnecessary pressure on ISCD to develop and implement the program, resulting in poor management oversight and internal control, personnel issues, and missed milestones.

In our report, we made 24 recommendations to correct these deficiencies. When the inspector general issues a report, we go through a resolution process on open recommendations, and this procedure requires us to perform an analysis of any and all documentation and corrective action that has been presented by the Department to determine whether this information meets the intent of a recommendation. This process is repeated in 90-day intervals until all report recommendations are closed. Currently, this report has 12 open recommendations, and 12 are closed.
Since we issued the report back in March of last year, ISCD has provided our office with correction plan updates regarding the progress it has made to address those recommendations. Of the nine administrative recommendations closed, these include selecting permanent ISCD leadership and communicating organizational--and the structure of the staff, reducing reliance on contractors, ensuring that proper human resources, policies, and procedures are followed, reiterating the process of reporting misconduct allegations, implementing a plan to ensure long-term CFATS authorization, and establishing internal controls for appropriated funds. We also closed three programmatic recommendations that concern revising the review process to reduce the site security plan backlog, implementing a process to improve the timeliness of facilities' submission determinations, and metrics that measure CFATS's value accurately and demonstrate the extent to which risk has been reduced at regulated facilities. To close these, NPPD provided our office with evidence showing a reduction in the site security plan backlog for all tiers, improved response time to facility submissions, performance metrics were placed into its annual operating plan, as well as the Government Performance and Results Act measures. Despite this progress, program challenges remain. Before CFATS can attain intended program results, ISCD needs to address the opening remaining 12 recommendations. These recommendations include improving program tools and processes, engaging regulated industry and Government partners, finalizing program requirements, providing training and guidance, and eliminating inappropriate administratively uncontrollable overtime pay. This concludes my remarks. Thank you for the opportunity to testify. I welcome any questions that the Chairman or the subcommittee Members may have. [The prepared statement of Ms. 
Hodges follows:]

Prepared Statement of Marcia Moxey Hodges

February 27, 2014

Good morning, Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee. Thank you for the opportunity to testify on The Chemical Facility Anti-Terrorism Standards Authorization and Accountability Act of 2014.

In December 2011, a limited distribution internal memorandum, prepared by Infrastructure Security Compliance Division (ISCD) management, was leaked to news media. The document disclosed allegations of employee misconduct and inadequate performance, as well as misuse of funds and ineffective hiring within the Department of Homeland Security's (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) Program. In February 2012, former Chairman Lungren, of the House Committee on Homeland Security, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, requested that we review these issues. In April 2012, Ranking Member Waxman, of the House Committee on Energy and Commerce, also requested that we review the challenges facing this program.

In March 2013, we issued a report, Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program, OIG-13-55. We reviewed whether: (1) Management controls are in place and operational to ensure that the CFATS Program is not mismanaged; (2) National Protection and Programs Directorate (NPPD) and ISCD leadership misrepresented program progress; and (3) nonconforming opinions of program personnel have been suppressed or met with retaliation. ISCD addressed some issues contained in the December 2011 memorandum; however, challenges remain. For example, we determined ISCD needs to improve program-related tools and processes, reduce its reliance on contractors, eliminate program waste and duplication, follow proper hiring practices, and provide sufficient training to personnel at all CFATS Program levels.
When Congress granted DHS the authority to regulate high-risk chemical facilities, it required that an interim final rule be issued within 6 months. While DHS met this deadline when it published the CFATS Interim Final Rule in April 2007, there appeared to be confusion throughout ISCD about the 6-month requirement.\1\ Some ISCD employees interpreted the statute as a mandate to stand up and implement the CFATS Program within 6 months. Misinterpretations of Congressional intent may have put unnecessary pressure on ISCD to develop and implement the CFATS Program, resulting in poor management oversight and internal controls, personnel issues, and missed milestones.

\1\ Chemical Facility Anti-Terrorism Standards; Interim Final Rule, 72 FR 17688, April 9, 2007.

In our March 2013 report, we made 24 recommendations to correct program deficiencies and attain intended program results and outcomes. After a report is issued, OIG standard operating procedures require that we perform analyses of all documentation submitted by the Department to determine whether proposed corrective actions meet the intent of a recommendation. Corrective action plans are due 90 days after a report is issued. Recommendation status is defined as ``unresolved or resolved'' and ``open or closed.'' An unresolved recommendation means the corrective action plan does not meet the intent of the recommendation. A recommendation that is resolved and open means the corrective action plan meets the recommendation's intent, but additional measures and milestones are necessary before the recommendation can be closed. A recommendation that is resolved and closed means the corrective action plan meets the recommendation's intent, corrective action has occurred, and no additional reporting is necessary. 
However, based on the recommendation, final implementation of the corrective action may not be required to close a recommendation. This process is repeated every 90 days until all report recommendations are closed. Currently, 12 report recommendations are resolved and open, and 12 recommendations are closed. Since we issued the report, ISCD has provided our office with two corrective action plan updates regarding its progress toward addressing the report recommendations. The nine administrative recommendations closed include: Selecting permanent ISCD leadership; reducing reliance on contract personnel; developing policy for appointing acting management; ensuring that all employees serving in an acting supervisory capacity have a supervisory position description; ensuring that all employees receive performance reviews; disseminating ISCD organizational and reporting structure to staff; reiterating to all employees the process for reporting misconduct allegations; implementing a plan to ensure the long-term authorization of the CFATS Program; and establishing internal controls for the accountability of appropriated funds. We have also closed three programmatic recommendations pertaining to: Revising the long-term review process to reduce the Site Security Plan backlog; implementing a process to improve the timeliness of facility submission determinations; and program metrics that measure CFATS Program value accurately and demonstrate the extent to which risk has been reduced at regulated facilities. To close these programmatic recommendations, NPPD provided our office with evidence showing a reduction in the Site Security Plan backlog for all tiers, improved ISCD response times to facility submissions, and performance metrics incorporated into ISCD's Annual Operating Plan and Government Performance and Results Act measure. Despite this progress, programmatic challenges remain. 
Before CFATS can attain intended program results, ISCD must address the remaining 12 resolved and open recommendations. The ten resolved and open programmatic recommendations, which are 1, 2, 4, 6, 7, 8, 9, 12, 13, and 24, include: Improving CFATS Program tools and processes; engaging regulated industry and Government partners; and finalizing program requirements. The two resolved and open administrative recommendations, which are 15 and 19, include: Providing training and guidance; and eliminating inappropriate Administratively Uncontrollable Overtime pay. Most industry officials believe the CFATS regulation is sound and the performance-based philosophy is appropriate. However, ISCD needs to modify its Chemical Security Assessment Tool (CSAT) to make it more efficient, effective, and easier to use. For example, the Site Security Plan is a list of yes or no questions; it is not a security plan and is of limited use to facilities. We recommended that ISCD modify the CSAT to capture facility data efficiently and ensure the tools provide meaningful end products for industry users and ISCD. In its November 2013 corrective action plan update, NPPD provided some of the key milestones and target dates for modifying the CSAT. We will close this recommendation once we receive documentation confirming NPPD has completed deploying the modified CSAT. As ISCD addresses its Site Security Plan backlog, those facilities with approved plans will need inspection. However, when we issued our report in March 2013 ISCD had yet to define, develop, and implement processes and procedures for Compliance Inspections, or train CFATS personnel to conduct Compliance Inspections. 
In response to our recommendation, ISCD developed a Standard Operating Procedure for inspections of CFATS Covered Facilities, which defines the different types of inspections, enumerates roles and responsibilities related to inspections, and details processes and procedures for pre-inspection, inspection, and post-inspection activities. ISCD has completed its Compliance Inspection guidance and training materials, but this recommendation will remain open until ISCD has trained all Chemical Security Inspectors. Chemical facilities must resubmit a Top-Screen when there are changes to the use and quantities of certain chemicals of interest, referred to in the CFATS regulation as material modifications and changes in ownership.\2\ The regulation also requires resubmission of Top-Screens, Security Vulnerability Assessments, and Site Security Plans at 2 or 3 year intervals, depending on a facility's tier level. In addition, a facility may seek a redetermination of its tier level by filing a request with DHS' Assistant Secretary for Infrastructure Protection. We recommended that ISCD develop a strategy and implement a plan to address facility resubmissions and requests for redetermination as prescribed in the CFATS regulation. In its November 2013 update, NPPD officials provided some of the key milestones for finalizing the procedures and policies associated with receiving, reviewing, and responding to facility resubmissions and requests for redetermination. The recommendation will remain open pending our receipt of the approved final procedures for receiving, reviewing, and responding to facility resubmissions and requests for redetermination.

\2\ Ibid.

The CFATS tiering engines were created quickly, leaving limited time for quality assurance and internal control. 
Since December 2009, multiple errors in the data and formulas used to tier chemical facilities have been identified. Because concerns remained that the tiering methodology was still flawed, we recommended that ISCD develop a methodology and reporting process to identify and address errors and anomalies that arise in the CFATS tiering methodology and risk engine. In its November 2013 corrective action plan update, ISCD officials said they are undertaking a three-phased approach to review the tiering process and indicated that ISCD would be developing a formalized process for documenting, reporting, and resolving potential anomalies within the risk engine. This recommendation will remain open pending our receipt of the finalized process. As the three-phased approach includes an external peer review, we also recommended that ISCD provide us with the review results and ISCD's action plan to implement peer review recommendations. ISCD has received the final peer review report, and is developing an action plan with time frames to address the recommendations. This recommendation will remain open pending our receipt of the integrated plan with time frames and milestones for addressing the peer review recommendations. Industry representatives favorably view some DHS' Infrastructure Protection voluntary programs, and recommend these programs be used to assist the CFATS Program. For example, the Protective Security Advisor Program has a field cadre that specializes in public and private outreach, and activities to reduce security risks of critical infrastructure and key resources across all sectors. In addition, many industry members use the Voluntary Chemical Assessment Tool, which allows owners/operators to identify current facility risk levels using an all-hazards approach, and it also facilitates a cost-benefit analysis. 
However, since CFATS Program development, management separated the Infrastructure Protection voluntary and regulatory programs, impeding ISCD's ability to identify and apply best practices across programs. We recommended ISCD document engagement with Infrastructure Protection and DHS regulatory and voluntary programs to identify and implement existing tools and processes that can be leveraged to make Top-Screen, Security Vulnerability Assessments, and the Site Security Plan tools more efficient, effective, and easier to use for the CFATS Program. In its November 2013 update, NPPD provided examples of collaboration since the inception of ISCD. The examples NPPD provided demonstrate collaboration; however, these examples pertain to the initial CFATS tools and processes development, not current efforts to modify existing program areas. This recommendation will remain open pending the receipt of documentation demonstrating continued engagement between Infrastructure Protection and DHS regulatory and voluntary programs has resulted in tangible improvements to the Top-Screen, Security Vulnerability Assessments, and the Site Security Plan tools. The regulated chemical industry has embraced the Risk-Based Performance Standards approach and the flexibility it allows. However, challenges remain with CSAT tools, and limited feedback is provided to facilities following submissions of Security Vulnerability Assessments and Site Security Plans. While the industry has applauded ISCD leadership for identifying programmatic issues, additional efforts are necessary. Industry officials support the CFATS Program, but without a clear path forward, they are concerned about industry resources and funds spent to meet program requirements. As a result, we recommended that ISCD improve the clarity of guidance provided to the CFATS-regulated industry so that industry can benefit from regular and timely comments on facility submissions. 
In its November 2013 corrective action plan update, NPPD officials reiterated that as part of its efforts to improve the CSAT, ISCD intends to update guidance materials for the Top-Screen, Security Vulnerability Assessment, and Site Security Plan. ISCD is also in the process of developing updated guidance related to its Chemical-terrorism Vulnerability Information program, and intends to release guidance specific to the CFATS Personnel Surety Program when the CFATS Personnel Surety Program is launched. The recommendation will remain open pending our receipt of guidance materials for the Top-Screen, Security Vulnerability Assessment, Site Security Plan, Chemical-terrorism Vulnerability Information program, and the CFATS Personnel Surety Program. Risk-Based Performance Standards-12, Personnel Surety, requires regulated facilities to perform background checks and ensure credentials for facility personnel, and for unescorted visitors with access to restricted areas or critical assets. This includes measures designed to: (1) Verify and validate identity; (2) check criminal history; (3) verify and validate legal authorization to work; and (4) identify people with terrorist ties. Since April 2010, NPPD has paid DHS' Transportation Security Administration (TSA) more than $7.7 million to conduct vetting against the terrorist watch list, although no names have been vetted to date. Providing names to TSA for vetting is contingent on the Office of Management and Budget's (OMB) approval of the program's Information Collection Request. As a result, we recommended that ISCD limit funding for Personnel Surety Program vetting until the Information Collection Request has been approved. Since our review, NPPD will only allocate funding to TSA when deemed appropriate given all relevant factors. NPPD has also submitted the Information Collection Request necessary to move the Personnel Surety Program forward. 
We acknowledge that Information Collection Request approval rests with OMB, and this recommendation will remain open until documentation is received that the Information Collection Request has been approved by OMB and names have been sent to TSA for vetting. In December 2007, Congress directed NPPD to provide a plan to regulate the sale and transfer of ammonium nitrate by an ammonium nitrate facility to prevent the misappropriation or use of the chemical in an act of terrorism. However, as of March 2013, the Ammonium Nitrate Program was only in the rulemaking process. As a result, we recommended that ISCD develop an action plan and guidance for implementing the Ammonium Nitrate Program, which incorporates lessons learned from CFATS Program challenges. In its November 2013 corrective action plan update, NPPD officials said they have been working to develop a final rule, an action plan, and guidance for implementing the final rule. The recommendation will remain open pending our receipt of quarterly status updates of the Ammonium Nitrate Security Program Action Plan until all items on the plan have been implemented. In addition, ISCD is moving forward with a dual-functioning inspector cadre and will be hiring inspectors for the Ammonium Nitrate Program and cross-training them on the CFATS Program. We recommended that ISCD develop and implement a curriculum and time line for training inspectors to perform both Ammonium Nitrate and CFATS Program duties and responsibilities. NPPD provided a copy of the ISCD New Chemical Security Inspector Training Work Plan and copies of training materials for courses identified in the Work Plan. However, this material does not include necessary training for the proposed dual-functioning Ammonium Nitrate Security Program inspector cadre. Therefore, the recommendation will remain open pending our receipt of training curriculum and implementation data for dual-functioning inspectors. 
When establishing the CFATS Program, ISCD leadership envisioned an academy to train Chemical Security Inspectors to enforce the CFATS regulation. However, ISCD began training personnel before issuing the CFATS Interim Final Rule, developing a program vision, or defining inspector roles and responsibilities. In addition, by focusing training efforts on Chemical Security Inspectors, ISCD has provided limited guidance to headquarters staff on responsibilities and career development. Most headquarters staff do not have formalized training, and frequently have to learn critical position duties and functions on the job with little guidance. We recommended that ISCD develop and implement a learning curriculum that: (1) Describes position roles and responsibilities clearly; (2) provides comprehensive training plans to prepare employees to perform assigned duties; and (3) communicates measures to assess performance. In its November 2013 corrective action plan update, NPPD officials said that ISCD has completed a Strategic Human Capital and Training Plan, delivered Performance Management Training to all personnel, and is developing an ISCD Employee Handbook. The recommendation will remain open pending our receipt of documentation that the ISCD Employee Handbook has been developed and disseminated to all ISCD employees. Since its inception in 2007, ISCD has struggled with applying sound Government practices to human capital issues, pay administration, and resource allocation. ISCD personnel received inappropriate Administratively Uncontrollable Overtime, which is a form of premium pay used to compensate employees who occupy positions that require substantial amounts of irregular and unscheduled overtime work. We were unable to determine a definitive rationale for why inspectors were receiving Administratively Uncontrollable Overtime and recommended that ISCD eliminate its authorization and payment for all ISCD personnel. 
In its November 2013 update, NPPD officials said that instead of eliminating Administratively Uncontrollable Overtime, ISCD leadership has determined that the more appropriate path is to continue to permit CFATS Chemical Security Inspectors to claim Administratively Uncontrollable Overtime in a manner that is consistent with rules and regulations, and that is supported by greater oversight, increased training, documented policies and procedures, and greater management controls. We consider NPPD's actions partially responsive to our recommendation. Administratively Uncontrollable Overtime is a form of premium pay used to compensate employees who occupy positions that require substantial amounts of irregular, unscheduled overtime work that cannot be controlled administratively and cannot be scheduled in advance of the work week. According to the Interim Final Rule, the Department will conduct audits and inspections at reasonable times and in a reasonable manner, providing covered facility owners and operators with advance notice before inspections, with limited exceptions. Therefore, inspectors schedule their work in advance, eliminating the need for Administratively Uncontrollable Overtime. The recommendation will remain open pending our receipt and analysis of documentation that demonstrate Administratively Uncontrollable Overtime payments to inspectors are supported and justified by current and long-term activities across multiple fiscal years. Chairman Meehan, this concludes my prepared remarks. I welcome any questions that you or the Members of the committee may have.

Mr. Meehan. I thank each of the panelists for their testimony. Thank you, Ms. Hodges. I now recognize myself for 5 minutes of questions. Ms. Durkovich, let me begin with you, because you have been, along with Director Wulf, sort of the closest to this process, as we have moved along. 
This has certainly been tenuous, from the legacy, some of which has been inherited, and we are dealing with a regulated community that has made significant investment over time. We are also dealing with outliers that are out there, watching this process, and using their assessments of it to determine how they may or may not act in accordance with the requirements of our program. So will you please discuss for me your assessment of what it means to have certainty in a program of this sort?

Ms. Durkovich. Thank you very much, Chairman, and that is a great question. As the Secretary said yesterday, DHS supports a bill that provides long-term authorization. We firmly believe that H.R. 4007 is an important starting point. We look forward to working with you to continue to refine the bill, and as you know, we hope to actually get longer-term authorization, anywhere from 3 to 5 years, because it is important both for our regulated community, industry that in addition to having invested the time that they have over the last 7 years to submit Top-Screens, to do security vulnerability assessments, to work with us on authorization of those SSPs, to begin implementing the recommended path forward, and as we come back and begin compliance inspection, the investments and time and resources--and certainly as they look to the capital planning process--to begin to implement some of these recommended measures, the certainty is important for them, so as they make these investments, they know that the program is going to be around. As for outliers, for those facilities that have chosen for whatever reason not to comply with their requirement to submit Top-Screens if they may have one of the 324 possible chemicals of interest, this will prevent them from waiting the program out. It is certainly, I think, fair to say that there are some facilities out there that may be waiting to see whether the program is around next year. 
If we are able to guarantee longer-term authorization, I think that that position of waiting us out will likely dissipate. I do agree with you, sir, that I think that it is--we owe it to the American people, but we also owe it to our stakeholders and we owe it to the men and women of ISCD to give this program long-term or permanent authorization. Thank you.

Mr. Meehan. We are talking long-term. We are talking not just the--where we go into the future, but where we have been. We have had a complex process. There has been pain associated with taking, first, the identification, but simply the winnowing down and to a point in which we have been able to significantly identify--albeit we have outliers--but significantly identify numbers of people we have had significant collaboration and cooperation from industry themselves that are looking for more in the way of an ability to contribute to moving forward. Now, we are also appreciative that there are a lot of questions that are being asked in the aftermath of West, Texas, and the reality that there are, you know, outliers who are out there, but there are also efforts to include a great number of more agencies and others to be involved in this process. My first question for you is: Do you see anything mutually exclusive? The importance of us taking this objective, which we had, which was to identify where we needed to secure dangerous chemicals from access to those who would want to use them to commit acts of terrorism, and that was our focus, and we have made significant progress towards that. Would it create ambiguity for us now to include a number of other considerations that would not just be dealing with security, but perhaps questions of safety in the program that we have? Are we in any way precluded down the road from seriously considering those issues of safety and allowing an Executive Order to contribute? But do we have to wait in order to authorize--do we have to wait before we authorize this program?

Ms. 
Durkovich. I want to thank you again for that important question. To answer your question directly, I do not think that they are mutually exclusive. What our priority is, is to ensure that we do have long-term and permanent authorization, and I think that is one of the most important things that we can see happen in this particular session of Congress. As you know, we are very willing to work with you and our colleagues in the Minority to get a bill that has bipartisan support, but, really, again, at the end of the day, what we need is stability and long-term authorization. I think that as we continue to look at some of the findings that are coming out of the work that is going on between us, between EPA, between OSHA and other members of the interagency, that will present other opportunities for us to look at legislation that is needed to address some of the issues around operational coordination, around information sharing, around ensuring that we have compatible sets of data. Legislation is certainly one way that we can address some of these issues. We can work under existing regulation and under existing authority. We can continue just to work better together, which we have already done with the EPA, in looking at both of our data sets and trying to cross-walk those data sets to see where we may have outliers and to send out notices to those facilities, letting them know that they may potentially be regulated both by our program and by EPA. We have had a lot of success on that front. I think that we have already demonstrated that we can work together. But the most important thing at the end of the day, again, is that we provide long-term stability of the program. It has been successful, sir. We started with 40,000 facilities that submitted Top-Screens. Through our process, we have whittled that down to nearly 4,000 that are regulated. Most of them have SSPs in place. 
We are working through the process of authorizing and improving them and going back and doing inspections. I think, at the end of the day, the most important thing is long-term authorization.

Mr. Meehan. I thank you. My time is expired, but I will before--Mr. Wulf, you have been intimately involved in this process, as well, as we have gone, and I asked that question, but you have been here from the beginning of the challenging moment of trying to really get our arms around this and improve the process. Do you have any observations on the question that I asked?

Mr. Wulf. With regard to whether the Executive Order is mutually exclusive to the legislation, I would completely agree with the assistant secretary. You know, there is a lot of good work being done on the Executive Order. Assistant Secretary Durkovich is one of three tri-chairs of that effort. But I think the absolute priority for us is achieving long-term authorization of this program. It is something that will provide much-needed certainty for industry as they consider long-term investments and important security matters, important security measures. From a management standpoint, it will provide my leadership team with the stability that is needed to plan and execute what are some really game-changing initiatives to take CFATS even beyond the next level. So we are doing a lot of things to continue to increase the pace of SSP reviews, authorization inspections, and approvals. We are getting into the regular cycle of compliance inspection activity. You know, the ability to have a long-term authorization would be tremendous from the standpoint of our being able to focus on that critical mission and to be able to recruit and retain top talent in the division.

Mr. Meehan. Thank you, Mr. Wulf. The Chairman now recognizes the Ranking Member for her questions.

Ms. Clarke. I thank you, Mr. Chairman. My first question is to you, Ms. Durkovich. I want to echo and sort of drill down a little on something Mr. 
Thompson asked earlier in his statement about H.R. 4007. It provides no explicit authorization of a specific level of appropriation. So would you want a CFATS authorizing bill to identify funding for the program's operations? If not, would it create the possibility that funding for CFATS be taken from other programs within DHS's budget? I might question whether the absence of an authorization of appropriations indicates some Congressional intent for DHS to provide funding for this program from within its current budget.

Ms. Durkovich. Thank you, Ranking Member Clarke, and thank you for that important question. Ensuring that we have adequate funding for the program has been and remains a priority. We certainly appreciate your support in the past and would like to work with you to see funding authorized for CFATS in legislation to ensure that we retain the appropriate levels in the future, both as we continue to move the program forward and work to implement many of the initiatives under the Executive Order.

Ms. Clarke. So just for clarification, through the appropriations process, not from some other means within DHS itself?

Ms. Durkovich. Well, again, we would like to work with you to authorize funding through the appropriations process, yes, ma'am.

Ms. Clarke. Got it. Got it, got it. If passed and signed by the President, the bill would take effect 30 days after enactment. On that day, the existing statutory authority for CFATS would be repealed by striking Section 550 from Public Law 109-295. Thus, the bill creates a free-standing program, apart from the original authorizing DHS legislation. Additionally, CFATS would terminate or sunset 2 years after the date it would take effect. Two questions: Would you want CFATS authorizing legislation that codified the program in Homeland Security Act of 2002, rather than leave the program stand-alone? 
What would be the Department's plan for chemical security in general if Congress failed to act if and when CFATS is sunsetted?

Ms. Durkovich. Thank you very much for that question. It certainly does seem appropriate to me that placing a statute for the program in the Homeland Security Act is a reasonable thing. But, again, our goal, because of the sunsetting of the program, is to make sure that we have multi-year or permanent authorization, and that is our priority for this session. We know that we will be able to work with Chairman Meehan and with you, ma'am, I think to get us to a successful outcome so we don't have to think about the latter part of your question.

Ms. Clarke. Looking at a stand-alone, but you would like to see it comprehensive?

Ms. Durkovich. If a stand-alone gets us to multi-year or permanent authorization, that is our priority. As you know----

Ms. Clarke. I hear a major emphasis in all of this discussion around multi-year, which this bill does not contain. So it seems to me that that is a major priority for the Department. Is that correct?

Ms. Durkovich. Yes. We have been clear that, again, while we are very supportive of the bill, at the end of the day, we would like to see a longer authorization period, either 5 years or permanent authorization. Yes, ma'am.

Ms. Clarke. Okay. Like you, I am supportive of authorizing CFATS program in DHS and taking the program off the appropriations cycle. That said, I would like to talk through the expectations the Department has for such legislation, and I just want to get a yes-or-no to each of these questions. Would you want it to authorize funding for the program's operations?

Ms. Durkovich. If that is something that----

Ms. Clarke. Yes or no. Yes----

Ms. Durkovich [continuing]. Could be contained in the bill----

Ms. Clarke. Yes or no?

Ms. Durkovich [continuing]. Yes.

Ms. Clarke. Yes. 
Would you want it to reflect the forthcoming findings and recommendations from the President's Chemical Safety and Security Working Group that DHS is leading?

Ms. Durkovich. I do not think that it needs to do that, no.

Ms. Clarke. No? Would you want it to codify the program in the Homeland Security Act?

Ms. Durkovich. That would be a desirable----

Ms. Clarke. Yes?

Ms. Durkovich. Yes, ma'am.

Ms. Clarke. Would you want it to remove the exemptions on water facilities and other possible terrorist targets that were hastily agreed to in 2006?

Ms. Durkovich. Again, that is something we would like to work with you on, but at the end of the day, what is most important----

Ms. Clarke. Yes, no?

Ms. Durkovich [continuing]. Is that we get--that is a laudable goal, yes, ma'am.

Ms. Clarke. Yes. You did say yes?

Ms. Durkovich. Yes.

Ms. Clarke. That is what I thought. Okay, very well. I wanted--Mr. Chairman, my time is----

Mr. Meehan. You may pursue your questions.

Ms. Clarke. Thank you. Thank you, Mr. Chairman. Ms. Hodges, H.R. 4007 would allow the Secretary to expand the CFATS inspector force to include contractors, which begs the question as to whether the inspection of chemical facilities for possible terroristic vulnerabilities is an inherently Governmental responsibility or should be outsourced to contractors. In 2007, during comment on the CFATS final rule, several stakeholders expressed concerns regarding DHS's use of third-party inspectors. How would you describe these concerns, including the maintenance of confidentiality of facility business information, potential variation in training and inspection, standards between Federal and third-party inspectors, and DHS establishment of qualifications, certification, indemnification of third-party inspectors?

Ms. Hodges. Contractors are used in various components of the Department. I think the most important element is the decisions being done are applied by Government employees. 
Contractors do serve a very valuable purpose when you have limited resources, but ultimately, they may not and should not be ever doing anything that would be of a decision-making inherently Governmental function. Ms. Clarke. So you are saying that if there is a supervisory--personnel from a Governmental standpoint, basically, overlooking what these contractors would be doing, you would feel more comfortable with that, but should contractors be in a position to make decisions themselves, that would present some discomfort? Ms. Hodges. That would get into the area of an inherently Governmental function, yes. Ms. Clarke. Can you tell me in your opinion if it is appropriate for DHS to use third-party auditors and, if so, for which tiers of facilities and what the standards and requirements would be for those third-party auditors? Who would pay for the third-party auditors? Ms. Hodges. Right, well, I think that goes back to the initial underlying issue here about authorization. Trying to make an estimate on resources needed or our contract staff to augment the Federal staff is a little bit difficult now, not knowing what the on-going appropriation would be for this particular program. Ms. Clarke. Very well. Mr. Chairman, I yield back. Mr. Meehan. I thank the gentlelady. The Chairman now recognizes the gentleman from Pennsylvania, Mr. Perry. Mr. Perry. Thank you, Mr. Chairman. Greetings to the panel. Thank you for your testimony. My questions will be directed to the assistant secretary. Madam Secretary, some in Congress and elsewhere have said that the CFATS program is not operating efficiently or making adequate progress and is in need of a complete overhaul. Unfortunately, the individuals that have that opinion are waiting for a unilateral overhaul that allows the administration to dictate chemical security policy without reasonable input from industry. 
I just listened to some of the testimony regarding the backlog and approvals and the recommendations, et cetera, and I think it lends itself at least a portion to the credibility of that opinion. So my questions are as follows: Can you explain to the committee how a completed overhaul is not the right approach and why waiting for it would make the situation more burdensome for the Department and hinder continued progress? Finally, do you feel that it is crucial that the industry has substantial input into any regulations imposed upon them? If you would comment on those two, I would appreciate it. Ms. Durkovich. Thank you very much, sir, for that question. It is an important question, because I firmly believe we do not need a major overhaul of the program. As I noted in my opening statement, the program has made this country more secure, and we have demonstrated tremendous progress, not only over the course of the last 7 years, but certainly over the course of the last 2 years. We started with over 40,000 facilities that submitted Top-Screens. Through our process, we now have over 4,000 that are regulated in our various stages of having both approved SSPs, but now beginning compliance inspections. At every turn, Director Wulf is looking at ways to improve the efficiency and the effectiveness of the program. We do that in very close collaboration with our stakeholders, who have provided important input to us on the Alternative Security Program, on our tiering methodology, on how to reach outliers, and to overhaul the program, again, at a point where we have demonstrated success, where we have over 500 SSPs that are approved, where we have facilities that are making investments and making decisions based on those SSPs again would, I think, be unfair both to the industry itself, but also to the men and women of ISCD. I would like to yield the last 2 1/2 minutes of my time to allow Director Wulf perhaps to speak to a few minutes to that, as well. Mr. Wulf. 
I would be glad to. Thank you so much. You know, I would add that the core of the CFATS program, 18 risk-based performance standards, a non-prescriptive program that allows for security measures to be tailored to the individual needs of our 4,000 regulated facilities, is strong and is well-suited to the mission at hand. So I would absolutely agree that a major overhaul of the program is not needed. The program is moving absolutely in the right direction. That is not to say that the regulation is perfect or that we won't move forward to try to make some tweaks and to further improve the process. Down the road, I would anticipate an advanced notice of proposed rulemaking, through which we will solicit from our stakeholders across the board their thoughts on what can be done to improve the program. But I would absolutely, you know, want to be clear that the core of this program is very strong and well-suited to the mission. Appreciate the question. Mr. Perry. So the only place that stakeholders will have a voice is in the rulemaking or the reform maybe of--or, you know, the modification of rules moving forward at this point? Is that their place? Mr. Wulf. No, we have a continuing dialogue with our stakeholders through sector coordinating councils, the chemical sector, the oil and natural gas sector, our other stakeholders. We are working on a continuing basis to conduct outreach, working with the industry associations, including ACC and SOCMA, from which you will hear later on during this hearing, working together on initiatives to drive the program forward, to get the word out, to reach out to facilities that may be in the outlier population, to work on efforts such as Alternative Security Program templates that can further streamline industry members' ability to develop security plans and our ability to review, authorize, and approve those plans. Mr. Perry. Thank you, Mr. Chairman. I yield back. Mr. Meehan. I thank the gentleman. 
The Chairman now recognizes the gentleman from Nevada, Mr. Horsford. Mr. Horsford. Thank you, Mr. Chairman. Ms. Hodges, I want to thank you for coming to testify today, and I know that our invitation to you was recent and that your report, however, is almost a year old, so I realize that the effort that you and your staff had put into the update and the review of this report. In your 2013 report, you issued 24 recommendations. Since that time, we understand that 12 recommendations were closed. What does this change in status tell us about the effectiveness of the CFATS program to prevent a terrorist incident involving a chemical plant? Ms. Hodges. Yes, thank you for that question. The change in the recommendation status indicates that ISCD is addressing the report recommendations to build a basic administrative foundation, as well as the core infrastructure to support the program. While the majority of the closed recommendations involved administrative issues that were presented, the majority of the unresolved issues have to do with programmatic areas, on-going programmatic areas that need to be addressed. The program is maturing, but it is not fully operational. Even when CFATS becomes fully operational, it can't prevent an incident, but what it can do is better prepare industry and their facilities to mitigate risk to the incident. Mr. Horsford. Okay. So when you assessed DHS's effort to implement the CFATS program from inception to the end of fiscal year 2012, at the time, among other items, you found that DHS's officials' use of, ``confusing terminology'' led to misunderstandings of CFATS's program progress. Likewise, we on the committee have repeatedly expressed concern in the way that NPPD tracks its progress, as it makes it difficult to get to an accurate picture of the program. Since the release of your program--of your report, excuse me, you have made a chance to review the Department's materials. Is that correct? Ms. Hodges. That is correct. Mr. Horsford. 
What would you say about the quality of information that is furnished today by the program and the terminology utilized to communicate it? Ms. Hodges. I think there has been great strides with their annual operating plan. That plan has realistic and thoughtful measures. It also has milestones, time frames, and that is a really big--from our frame of reference, our fieldwork ended back in October 2012. The report was issued in March 2013. From where the program was to where they are now, with just the foundational documents of having a way forward, that has been a big, impressive effort on the part of NPPD and ISCD. Mr. Horsford. Do you feel that it is presented in a way that is useful for this oversight committee to reach conclusions about the efficacy of the program? Ms. Hodges. With the time and the distance from our field work, we wanted to get the measures in place. We haven't been back with the component or with ISCD to look at whether they have had results, you know, from those measures. So I would not be able to articulate or weigh in if that progress would be helpful to the subcommittee and the committee. Mr. Horsford. Well, I would see, to the extent we can--I mean, my experience here is rather recent, but what I find, Mr. Chairman, and to the Ranking Member, is that a lot of times, you know, we have these reports and their recommendations and conclusions to the agencies, but a lot of time there is not the follow-up or the follow-through to help us provide the proper guidance and oversight. So that is something that I would be interested in as a Member of the subcommittee. Maybe someone from the agency can respond. I yield back. Mr. Wulf. Yes, I would be glad to, and I appreciate the opportunity. 
Even at the time that the inspector general issued its report, many of the recommendations that it made and issues it had identified had been previously identified through the challenges memo that we prepared in the fall of 2011, and those issues had largely been resolved through the implementation of the action plan we had put together. So we have done a lot of good work putting into place important management controls, business practices, streamlining processes with respect to the review authorization, inspection of facilities, and approval of site security plans. You know, acknowledging that the I.G. engagement with our division is somewhat dated, you know, I would--I am not sure I would accept the premise that our program is not fully operational. Every day across America, our inspectors are working closely with facilities and working through security measures that are fostering security and improving security at America's highest-risk chemical infrastructure. So the program is absolutely on the move. Since I last testified before this committee in August, we have more than tripled our output of approved site security plans, more than doubled to more than 1,100 our output of authorized plans. This program is absolutely fully operational, and the pace will only continue to increase, and we are certainly committed to continuing to work to improve the program going forward. Mr. Meehan. I thank the gentleman. Mr. Wulf, let me just ask a quick question as a follow-up on that. There were 24 recommendations made by the OIG. Twelve of those recommendations have been fully closed. Is that not correct? Mr. Wulf. That is correct. The remaining 12 are noted as resolved, but open. Mr. Meehan. 
There are three levels of scrutiny on this, so if you had been entirely lacking on those remaining 12, some of which, as I have reviewed the report, indicate that there are various technical reasons why they may not be, but the bottom line is, by having said that they were not yet closed, but you are in that middle level of scrutiny, which you have made the significant progress, you are pretty close to getting to answering the questions of the OIG. Is that not accurate? Mr. Wulf. I think that is absolutely correct, sir. Mr. Meehan. Do you disagree, Ms. Hodges, or agree? Ms. Hodges. I believe that, yes, 12 of the 24 recommendations are closed. The remaining open recommendations, some of them will be more longer-term. When a recommendation is indicated as resolved, that means that the inspector general's office and the Department have agreed in principle on the way forward the action plan, the milestones, the goals. Depending on how far we are in achieving those milestones and goals and deliverables, we would resolve and close that particular recommendation. However, some recommendations require a longer period of time to be resolved and then closed. Mr. Meehan. Thank you. The Chairman recognizes the Ranking Member, Mr. Thompson, for questions he may have. Mr. Thompson. Thank you very much, Mr. Chairman. Ms. Durkovich, a lot has been talked about, about West, Texas. Can you tell this committee, since the explosion, that those facilities like the one in West, Texas, are now being inspected on a regular basis? Ms. Durkovich. Thank you for that question. Since West, Texas, nearly a year ago, both the Department, but the interagency, has undertaken an extraordinary effort to identify outliers like West, Texas. We have worked very closely with our colleagues at EPA to cross-walk our lists of regulated facilities. 
We are working very closely with State homeland security advisers, with State chemists, with State departments of agriculture to identify facilities that may not be aware of our regulations and/or who may not have decided to comply with them. We have a number of facilities since our efforts with the EPA and to get the word out who have since submitted Top-Screens. We are in the process of assessing and evaluating those Top-Screens to determine which one of those will be given a preliminary tier. But the way that our process works, sir, is that we are not yet at a point where we are doing inspections, but we have certainly undertaken, again, an extraordinary effort to identify those outliers and to ensure that they have begun the process under CFATS, which begins with a Top-Screen. Mr. Thompson. Thank you. So for the sake of the committee, can you give us an estimate of how many of those outliers that might be out here? Ms. Durkovich. I will tell you that as part of our work, we sent out--I think it was 3,000 letters to potentially--or to facilities that could be potentially regulated under CFATS. Those facilities, again, have gone through--or are in process of submitting Top-Screens. I am going to defer to Mr. Wulf, but I think the number--I will actually let you answer that. Mr. Wulf. Absolutely. We have taken in approximately 800 additional Top-Screen submissions from facilities since we started this process, facilities that have threshold holdings of high-risk chemicals of interest, beginning the process, then as appropriate to go through the security vulnerability assessment and sign as appropriate a final tier. We found through this that very few of these facilities are looking as though they are going to tier into the program. So I am pretty confident that we have a good handle on the known universe of high-risk chemical facilities as currently defined in the United States. 
Over the course of the program's history, we have taken in upwards of 46,000 Top-Screens. Mr. Thompson. Right. But what I am trying to get to is--we were told that the West, Texas, facility was one of those outliers, that there was no review. I am trying to see--you said 3,000. Is that the universe to your knowledge? Ms. Durkovich. No, go ahead. Mr. Wulf. That is the number of facilities that we identified through a cross-walk with EPA and subsequently sent letters. West, Texas, the West Fertilizer Company did not meet its obligation to submit a Top-Screen. That doesn't mean that, had it submitted a Top-Screen--and it has subsequently submitted a Top-Screen--it would end up as a regulated facility under CFATS, that it would be determined to be one of the highest risk of a terrorist attack exploitation. Mr. Thompson. So at what point would these 3,000 people you sent letters to, what is the Department's time table for bringing that review to completion? Mr. Wulf. It is moving forward right now. I would anticipate that the facilities that, you know, have moved through and received a preliminary tier, and I believe that is only about 40 facilities right now, would be receiving their final tier as appropriate, developing their site security plan in concert with our physical security specialists and chemical security inspectors, and moving through the process of authorization, inspection, and approval. Mr. Thompson. Well, I guess what I am trying, Mr. Chairman, to get to is, if it is 3,000 or the 3,000--is it X number that--what is the time table for the agency? You talked about it may not be involved for the tiering, but we need assurance that these outliers, whether they voluntarily come in or you identify them through some other process, that they don't endanger the lives and communities just because we didn't know they existed. Mr. Wulf. Absolutely. Mr. Thompson. 
I am trying to get us to some point of how we are going to bring everybody into a system, regardless of where they are. Ms. Durkovich. So, sir, I think that this is a continuous process, frankly. The work that we have done with the EPA to cross-walk our list is just one step in the process. But, frankly, we will always work very closely not only with the major trade associations, again, with State homeland security advisers, with State agricultural departments, with State chemists. We are working very closely now with smaller State associations. Some of these outliers don't always belong to the large National associations. We are looking at how through our voluntary program, through our protective security adviser program, we can utilize those individuals who are--so it is going to be an on-going process, sir. Mr. Thompson. Well, and I understand that. But, you know, the West, Texas, facility was not a new facility. It had been there a long time. It had gone through some modifications. So a lot of this information and these companies are already there. So I am trying to figure out, how did they fall through the system to start with? Ms. Durkovich. So they--sir, they were in the system. They were not necessarily in our system. We have gone through a very important process, which is cross-walking our database with the EPA's database. That is what resulted in the 3,000 letters that we ended up sending out. Part of what we are doing is part of the Executive Order---- Mr. Thompson. Yes. Ms. Durkovich. Okay. Mr. Thompson. Well, I understand. But if you know there are 3,000, so you assume these companies will just fill out the form and send it back. If you know that 3,000 are there, you do not plan to do a physical inspection of the 3,000, just if they send it back, fine, if they don't---- Ms. Durkovich. That is how our process works, yes, sir. 
They submit a Top-Screen, and then based on that Top-Screen and the corresponding site--the security vulnerability assessment, we then---- Mr. Thompson. So if they don't submit it, what happens? Ms. Durkovich. Then we can issue an administrative order. Again, we are going through the process of ensuring that all of the people who have received letters, where appropriate, are submitting their Top-Screens. Because of some of the way the taxonomy of the data is structured, a facility that is in an EPA database may be identified differently than it is in our database, because we look at that long, and they look at addresses, and so we have to work through some of that, but there is a process to ensure that those need to submit Top-Screens do. Mr. Thompson. Mr. Chairman, I hope you can understand the need to put some of this under one roof, because there is just too much--too many moving parts, and there doesn't appear to be one person really in charge. I understand the need to talk, but somebody should have the ultimate responsibility. I think the public would like to see some entity, DHS or something, in charge, and we can talk to other people. But if I might ask, Mr. Chairman, that Mr. Wulf or Ms. Durkovich provide the committee with the current status of those 3,000 facilities that they have identified that are outside the system, what kind of time table they are operating from to bring them under some kind of review, so we can assure the public that a West, Texas-type event, if it happens, we at least know the facility is there and that there is some regulation being applied to it. Ms. Durkovich. We would be happy to do that, sir. Thank you. Mr. Thompson. Thank you. Mr. Meehan. I thank the Ranking Member. Let me take a moment just to follow up on a couple of questions with regard to that particular issue. We are talking about outliers that may or may not be purposefully deciding that they don't want to participate, for whatever reason. 
Is it more likely that they will be inclined to participate if, in fact, we have an authorized program than whether or not we have an ambiguous program about whether it is moving forward or not, in your professional opinion? Ms. Durkovich. In my professional opinion, it is more likely that they will participate, if there is a fully authorized program, yes, sir. Mr. Meehan. Now, you are also cooperating with other members of the industry who are significantly interested in working with you, and it is often likely that chemical companies who are in possession very infrequently operate entirely in isolation. By that I mean they are either selling their product to another user or they are purposing component chemicals from a user. So the privity of relationships with people in the industry is well established. So the capacity to identify through other members who outliers may be is significantly enhanced when we, in fact, have a program which is predictable, dependable, and people know that they have made a commitment. Is your professional opinion we do better working through industry to identify outliers if we had an authorized program? Ms. Durkovich. That is my--yes, that is my professional opinion. I am happy to let Mr. Wulf just talk a little bit about how we are already doing that, but yes. Mr. Wulf. Yes, no, I am glad to, and that is absolutely the case. We work very well with industry through the National associations, through these State-level associations, and through the companies that are part of those associations, and otherwise, to identify segments of industry that we may need to communicate with, working with them to get the word out, you know, working together on efforts such as the chemical security summit to bring in members of industry and educate them on the requirements of the CFATS program and on the availability of voluntary programs, as well. So, yes, absolutely would agree with that. Mr. Meehan. Okay. Well, I thank you. 
I am aware we have another panel to get to, but I want to ask just a few follow-up questions and, of course, turn it over to my colleagues to see if they have concluding questions for this particular panel. But let me just ask Ms. Hodges, as a matter of record, if you do know, and I know there have been some questions about contract employees. I am referring to the EPA. Are you aware that it is their practice to use contract employees for inspections and evaluations under such things as the Clean Water Act, the Resource Conservation and Recovery Act, the Toxic Substances Control Act, the Oil Pollution Act, the Safe Drinking Water Act? Are you aware as to the utilization of contract employees for those kinds of important programs? Ms. Hodges. For the EPA? Mr. Meehan. Yes, ma'am. Ms. Hodges. No, I am personally not. Mr. Meehan. Okay. Okay, well, I will ask that a letter of record be submitted, the letter from David Kling, director of the Federal Facilities Enforcement Office of the EPA, dated November 1. I thank you. Without objection, so ordered. [The information follows:] Memorandum From the Office of Enforcement and Compliance Assurance, United States Environmental Protection Agency, Washington, DC Nov. 1, 2005 memorandum SUBJECT: Use of Contract Inspectors for EPA's Federal Facility Compliance Inspections/Evaluations FROM: David J. 
Kling, Director, Federal Facilities Enforcement Office (2261A) TO: Regional Federal Facilities Program Managers, Regional Federal Facilities Senior Managers Since some EPA Regional enforcement and compliance personnel have recently raised questions regarding the use of contract inspectors in compliance inspections/evaluations of Federal facilities, we are writing to confirm that properly trained and authorized contract inspectors are appropriate for Federal facility compliance inspections/evaluations under the Clean Water Act (CWA), the Resource Conservation and Recovery Act (RCRA), the Toxic Substances Control Act (TSCA), the Oil Pollution Act (OPA) and the Safe Drinking Water Act (SDWA). The Federal courts are split as to whether contract inspectors are authorized to conduct inspections under the Clean Air Act (CAA), and the Federal Insecticide, Fungicide and Rodenticide Act's (FIFRA's) language limits those who are authorized to conduct inspections. Under the CAA, the Courts of Appeals for the Sixth, Ninth, and Tenth Circuits have considered the issue of contract inspectors, but have reached different conclusions that depend, in part, on the specific area being inspected. Without a definitive answer from the Supreme Court, we advise that Regions should not use contract inspectors for CAA inspections. In the rare circumstance where contract inspectors may be needed to conduct a CAA evaluation/inspection, written approval for the use of such inspectors must first be granted by the Federal Facilities Enforcement Office (FFEO). Further, FIFRA's language limits those authorized to conduct inspections to ``any officer or employee of the Environmental Protection Agency or of any State or political subdivision.'' FIFRA 9, 7 U.S.C. 136g. Accordingly, we do not advise using contract inspectors for FIFRA compliance inspections/evaluations. Regional enforcement personnel should reacquaint themselves with the requirements for authorizing contractors to conduct inspections. 
These requirements include: The inspection contract must contain language per EPA Order 3500.1 requiring the contract inspector to meet the training requirements of the Order, including completion of the Basic Inspector Course, health and safety training, and medium-specific training requirements--prior to leading an inspection. Contractors who merely assist, rather than lead, inspections are not required to comply with all of the requirements of EPA Order 3500.1, although meeting the requirements is still recommended. Even if not leading inspections, contract inspectors are obliged to have health and safety training, as specified in EPA Order 1440.3. The inspections must be carried out in accordance with approved Quality Assurance/Quality Control plans (that are part of the Regions' Quality Assurance Management Plan) and use established procedures, such as those set forth in EPA's Inspection Manuals. Depending on the nature of the inspections to be conducted, a background investigation may be required for contract inspectors. Any background investigation requirements should be included in the contract. Background investigations are especially important in the Federal facilities context--particularly at high-risk facilities (e.g., certain military bases, nuclear weapons plants, and Classified facilities). A contract inspector may not request or review Confidential Business Information (CBI) unless she or he has been cleared for CBI by EPA under the particular statute for which the authorization is given. EPA does not issue the same Federal credential which EPA employees carry to contractors. A few programs issue a statute specific credential authorizing the contractor to carry out inspections under a specific statute. It clearly identifies the bearer as a contractor. In most cases, EPA provides contractors with a letter of authorization. The letter identifies the bearer as a contractor. 
Please note that OECA and OARM are developing an EPA order that addresses the issuance of credentials to Federal employees, State/Tribal government employees, Senior Environmental Employees (SEEs), and contractors. Thank you for your interest in this matter and your support for using contract inspectors in appropriate circumstances. If you have any questions regarding this memorandum, please contact Gracie Garcia in OECA's Federal Facilities Enforcement Office or Phyllis Flaherty in OECA'S Office of Compliance. cc (electronic only): Michael S. Alushin, OECA/OC, Kenneth A. Gigliello, OECA/OC, Phyllis E. Flaherty, OECA/OC, Sandra L. Connors, OECA/FFEO, Bernadette Rappold, OECA/FFEO, Gregory Snyder, OECA/FFEO, Gracie Garcia, OECA/FFEO, FFEO Liaisons, Regional Enforcement Division Directors, Regional Media Division Directors, Regional Enforcement Coordinators. Mr. Meehan. Let me just close my comments--my questions. Mr. Caldwell, you have done a great deal of oversight in this program. I know you are responsible for sort-of looking at the activities in response to the directions that have been given us, but we are not operating in isolation here. You have also been very closely associated with the things that are being done to move forward. From your position, you have seen this bill. Do you see any advantages in it or any of the provisions there that you think are helpful? Mr. Caldwell [continuing]. Sorry, GAO doesn't have an official position on the bill itself, but I can talk about a couple of things there. Many of them have been said. I mean, I think the multi-year authorization, whether it is 2, 3, 4, whatever many years, certainly adds stability to both DHS and to industry. I think it also provides some normalcy in terms of being an authorized program, whether or not the appropriations have been approved or not. As we know from recent years, that has not always been a pretty thing. 
The bill codifies some of the activities that are already being done in the program, but that also offers some stability to industry, because if it is purely something within the regulations, the Department in theory could change those quite different--you know, could change those quite dramatically. Then industry and others, as well as the Department, would have to react to that. Finally, I think if you look at some of the areas that were emphasized in the bill, they certainly are areas where GAO, as well as I.G., has pointed out a need for corrective actions and emphasis. Mr. Meehan. Let me just close by an observation, as well. You have watched. We have been through a long history, and one of the great frustrations here has been in the past there have been requests for responsiveness from DHS with regard to a number of matters with Congressional oversight, and your own investigations have demonstrated that part of these issues from time to time have been related to not just program management and other kinds of tools, et cetera, but the overall responsiveness, as you have begun, do you believe that you are seeing an improvement and important activity along the lines of the requests and demands that you have met? Mr. Caldwell. Yes, sir. So our first review of CFATS came at what might be the low point of the program, when the internal memo came out. I think relatively early, when we started our work, the top management at NPPD talked to us, pledged their commitment to change, as well as the commitment from our auditor standpoint, of giving us access to their people and documents, which they did. I think since that time, we have had very good cooperation in terms of when we have actually had an on-going review, getting documents, getting access to their people, and reviewing it. I would say, we have seen progress since that time, again, taking the longer sweep here, in terms of the management problems that they have identified. 
They sit down to track them and look at their progress against them. In terms of the outlier issue, they are certainly working to match data with the other agencies, be it EPA or other ones. Whether that will lead to some of the--I am not sure you could prevent all the West, Texases, through that process because of the tiering process, but at least it is progress in the sense of trying to identify them. They are speeding up, say, the plan reviews through the concurrent review process. They are doing something that used to be very sequential and very long to do. I guess maybe the biggest thing to GAO--and I would ask Ms. Hodges to comment, if she wants to, as well, is I think they are certainly interested in any suggestions and recommendations that we have, and there is an effort certainly to implement those, sir. Mr. Meehan. Ms. Hodges, do you have a comment? Ms. Hodges. I do believe that the component has been responsive to our follow-up for recommendations and documentation, yes. Mr. Meehan. Thank you. I turn it to the Ranking Member. Do you have any closing questions for the panel? Ms. Clarke. I do, Mr. Chairman, but just to put in perspective the agencies and the letter that you have submitted for the record, those agencies don't have the mandate of preventing terrorism. I think that that is the distinction that we are talking about with these contractors that we really need to make sure we hold fast to. Ms. Durkovich, ISCD has on a number of occasions testified that the agency is willing to accept any vetting program for the Department as an alternative to the PSP under CFATS. However, I understand that ISCD does not intend to accept these alternative vetting programs without preconditions. Most recently, Congress addressed this issue in the fiscal year 2014 omnibus appropriations bill, but I would like to get the Department's most recent views on the PSP issues. Ms. Durkovich. Thank you very much. I appreciate the opportunity to address this great question. 
The personnel surety program under CFATS presents a standard that I think that any prudent company isn't already doing or shouldn't be doing. It requires that those companies verify the identity of new personnel, that they conduct a criminal or a background check, and that they verify that they are legal to work. For those personnel with access to restricted areas or critical assets, as you have mentioned, since this program does have a terror--a mandate for terrorism, we are requiring a check against the TSDB, the Terrorist Screening Database. We have outlined a number of different options that will allow facilities to do that, and the information collection request that is out right now is part of the basic tenets of our program. We allow flexibility and options for companies. We can't mandate requirements or prescribe requirements. As part of personnel surety and the check against this Terrorist Screening Database, we are allowing for other credentials to be used. However, what we want to ensure is that we have the ability to verify the validity of those credentials and to ensure in the intervening period since they have been issued that that individual has not committed a crime or has for some reason not ended up on the Terrorist Screening Database. That is the intent of the program, is, again, to verify that the individual who will have access to those restricted areas and to those critical assets is not on the TSDB. So, yes, we are giving companies the option to leverage existing credential programs, but, again, we want to verify the validity of those credentials to ensure that, again, in the intervening time since they have been issued, for some reason, that individual has not committed a crime or has not ended up on the screening--Terrorist Screening Database. Ms. Clarke. What is the process for verification? Is there---- Ms. Durkovich. There are a number of different ways. 
Specific to the credential, through our CFATS tool, they can enter their name, their date of birth, and the credential number, and that will do a quick verification---- Ms. Clarke. So is it sort of a self-verifying---- Ms. Durkovich. No, no, no. No. Either the facility or a third party does the verification, but it is--again, either through the database or they can do a swipe with a TWIC reader card, for example. Ms. Clarke. Very well. Mr. Chairman, I yield back. Thank you. Mr. Meehan. I thank the Ranking Member. I thank each of the witnesses, not just for your testimony today, but for the long work each of you in your various capacities have given to the oversight and continuing progress of this program. I thank you. The Members may have additional questions, and if they are submitted to you at some point in time, I would ask that you respond in writing. Thank you. The panel is dismissed. The clerk will prepare the witness table for the second panel. I want to welcome our panel. Before I recognize the panel, I am going to ask unanimous consent that a letter in support of H.R. 4007 that has been signed by 24 industry associations be entered into the record. Without objection, that will be so ordered. [The information follows:] Letter Submitted by Hon. Patrick Meehan February 7, 2014. The Honorable Michael McCaul (R-TX), Chairman, U.S. House of Representatives, Committee on Homeland Security, H2-176 Ford House Office Building, Washington, DC 20515. The Honorable Bennie Thompson (D-MS), Ranking Member, U.S. House of Representatives, Committee on Homeland Security, H2-176 Ford House Office Building, Washington, DC 20515. The Honorable Patrick Meehan (R-PA), Chairman, U.S. House of Representatives, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, H2-117 Ford House Office Building, Washington, DC 20515. The Honorable Yvette Clarke (D-NY), Ranking Member, U.S. 
House of Representatives, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, H2-117 Ford House Office Building, Washington, DC 20515. Dear Chairman McCaul, Ranking Member Thompson, Chairman Meehan, and Ranking Member Clarke: We, the undersigned organizations would like to express our support for H.R. 4007, the CFATS Authorization and Accountability Act of 2014, a streamlined bill that provides a 2-year authorization of the Chemical Facility Anti-Terrorism Standards (CFATS) program and guidance to the Department of Homeland Security (DHS) on key issues of chemical facility security. The bill addresses several important policy goals. First, it provides a multi-year authorization to allow DHS to confidently implement CFATS and industry to make important investments with the certainty that goes along with knowing the program will be authorized. The current practice of year-to-year extensions, or worse, short-term continuing resolutions through the appropriations process is a destabilizing force in the implementation and investment process. Secondly, the legislation also addresses some of the major impediments to completing site security plans and full implementation of the program. It addresses certain concerns surrounding the personnel surety requirements needed for access; gives covered facilities the ability to meet site security plans through alternate security plans approved by DHS and an option to use third parties as inspectors; improves Congressional oversight regarding the tiering methodology; and ensures better coordination with State and local officials. We recognize the complexities in implementing a program like CFATS and are fully aware of some of the flaws in management exposed over the past few years. 
This multi-year authorization will give DHS the time and stability it needs to improve its implementation, but at the same time, will ensure that Congress has the ability to monitor the program and make any necessary changes to it before the next authorization. The organizations and companies listed below represent thousands of American businesses that employ millions of American workers. We are manufacturers, producers, processors, distributors, transporters, and retailers in agriculture, chemistry, energy, forest products, food processing, medicine, and other businesses that form our Nation's infrastructure. We support H.R. 4007, and urge you to quickly consider and pass this important legislation. Thank you for your timely consideration. Sincerely, Agricultural Retailers Association, American Chemistry Council, American Coatings Association, American Forest & Paper Association, American Fuel and Petrochemical Manufacturers, American Petroleum Institute, American Trucking Associations, Association of Oil Pipe Lines, Edison Electric Institute, Global Cold Chain Alliance, Institute of Makers of Explosives, International Association of Refrigerated Warehouses, International Dairy Foods Association, International Liquid Terminals Association, International Warehouse Logistics Association, National Agricultural Aviation Association, National Association of Chemical Distributors, National Association of Manufacturers, National Mining Association, National Pest Management Association, Petroleum Marketers Association of America, Society of Chemical Manufacturers & Affiliates, The Fertilizer Institute, U.S. Chamber of Commerce. Mr. Meehan. I want to thank our second panel for your presence here today and for your willingness to help us draw light on this very, very important issue. In order of appearance, Mr. Clyde Miller is the director of corporate security at BASF Corporation. In this capacity, Mr. 
Miller is responsible for critical security initiatives both at the corporate level and at BASF production sites across North America, which include the execution of a crisis management and response plan, CFATS compliance, and company-wide security initiatives. In addition, Mr. Miller has served as the chair of the Chemical Sector Coordinating Council, chair of the Partnership for Critical Infrastructure Protection, and is currently the incoming vice chair of the American Chemistry Council's Security Committee. Ms. Kate Hampford Donahue is the president of Hampford Research, a specialty chemical manufacturer serving Fortune 500 companies in the electronics, dental, personal care, printing, and adhesive markets. In addition, Ms. Donahue's company is a member of the board of governors of the Society of Chemical Manufacturers and Affiliates. This association supports the industry with programs that maximize commercial and networking opportunities to increase public confidence and to influence the passage of rational laws and regulations. We are joined by Ms. Anna Fendley, who represents the Health, Safety, and Environmental Department of the United Steelworkers of America. USW is North America's largest industrial union, representing 850,000 workers across a diverse range of industries, including the majority of unionized workers in the chemical industry and workplace that use and store large quantities of industrial chemicals. I may add for the record, I am quite pleased to have good relationships with the many fine workers in the refineries in the southeastern Pennsylvania portion that I am able to represent, and I thank you for being here today. In fact, I thank each of you. Your full written statements will be entered into the record. You may give your verbal testimony, and I am going to ask that you do your best to try to keep it within the 5-minute time limit. So right now, the Chairman recognizes Mr. Miller for his testimony. STATEMENT OF CLYDE D. 
MILLER, DIRECTOR FOR CORPORATE SECURITY, BASF NORTH AMERICA, INCOMING VICE CHAIR, AMERICAN CHEMISTRY COUNCIL SECURITY COMMITTEE Mr. Miller. Thank you, Chairman Meehan, and good morning, Ranking Member Clarke and Members of the committee. I am the director of corporate security for BASF Corporation, and I think it speaks to the importance of this legislation that we had both Chairman McCaul and Ranking Member Thompson from the full committee in the hearing this morning to speak to this legislation. I am here today on behalf of BASF and the American Chemistry Council. As you have pointed out, I am responsible for all the security functions at our chemical facilities at BASF in North America, as well as the implementation of the Chemical Facility Anti-Terrorism Standards, or CFATS. For BASF and the chemical industry as a whole, security is an important aspect of our operations, and there is no greater priority than the safety and security of our employees and the communities that surround our sites. I appreciate the opportunity to appear this morning to provide feedback on the legislation being considered. To that end, in addition to my written comments, I would like to emphasize the following points. First of all, we support moving the CFATS regulation from an appropriations process to an authorization process. This bill for the most part codifies what is in the original 2006 spending bill, which established the Nation's first comprehensive chemical facility security regulation. Like the original bill, it is short and to the point and validates the original premise of risk-based performance model focusing on security. The bill does not try to reinvent the wheel or add complexity to the program, which seemed to doom previous attempts at long-term authorizations. Instead, this bill has some narrow fixes in a few areas, such as offering options to comply with the personnel surety performance standard. 
It also reiterates a part of the original regulation, requiring DHS to use threat, vulnerability, and consequence for assessing risk, which they had not been doing. I look at CFATS as an essay test rather than a multiple-choice or fill-in-the-blank exam. Due to the CFATS security regulation being a collection of performance standards, a facility can implement a solution that draws from all available options to meet those standards tailored to address the unique needs of that site. To effectively comply with CFATS, an essay of measures has to be implemented. This can be perimeter-related, as well as other security measures, combined with operating measures such as process cameras and alarms. The totality or the essay becomes the regulation with which the facility complies. A long-term authorized regulation provides industry with the confidence to make long-term capital investments and having the certainty, and having that certainty, by the way, helps DHS and recruiting and retaining top talent to effectively oversee the regulation. Second, we support the implementation of the overarching findings and recommendations of the peer review panel in the manner mentioned in the bill. The peer review panel was established last year by DHS to study the methodology they use to tier facilities covered under CFATS. This effort resulted in a report setting out key findings and overarching recommendations to improve the consistency and transparency of the process. As a member of that panel, it is gratifying to see that the bill requires DHS to report on the progress and implementation of those recommendations. Third, Director Wulf and his team have done a tremendous job of turning CFATS around and moving toward an effective chemical facility security program. Since Mr. Wulf and his management team arrived, significant progress has been made in carrying out CFATS.
For example, to streamline the process, they embraced the American Chemistry Council's alternate security plan template and are actually working with other stakeholders to develop similar plans. They significantly increased the number of approved site security plans and the pace of inspections without impacting the effectiveness of the program. BASF sites have gone through these authorization inspections, and I can assure you that the heightened pace has not reduced their effectiveness or compromised CFATS. Mr. Wulf and his team have also undertaken efforts to better identify facilities that should have submitted Top-Screens, but failed to do so, by coordinating with other agencies to identify those outliers. Finally, the passage of this bill by no means conflicts with the Executive Order 13650. If anything, it will add to enhancing and strengthening security throughout the sector, one of the goals of the EO. DHS is undertaking many of the activities being considered under the Executive Order. Passage of this bill would only complement those efforts and give CFATS the permanency it needs so that it does not risk lapsing as occurred during the Government shutdown last year. To summarize, CFATS has had a positive impact on enhancing security at U.S. chemical sites, and we support making it permanent. It is a robust program requiring companies to continually monitor their operations to ensure compliance. In some cases, facilities have evaluated their processes and security programs and have taken measures to reduce their risk and actually dropped out of CFATS. Before CFATS, BASF already had a fairly comprehensive and effective security program. However, for our facilities under the CFATS regulation, we have increased capital spending and operating cost to ensure that we meet or exceed the performance standards set out in the regulation. 
A long-term authorization with Congressional oversight will provide the regulatory certainty and operational stability to give the industry confidence that our long-term capital commitments to this program are appropriate. To try to reinvent CFATS by passing more comprehensive legislation, I am afraid, will have a significantly negative impact. We pledge our continued support as this legislation moves forward and to continuing to work in partnership with you and your staff. Thank you again for the opportunity to testify in support of this bill and to highlight improvements by DHS. I will be glad to answer any questions you may have. [The prepared statement of Mr. Miller follows:] Prepared Statement of Clyde D. Miller February 27, 2014 Good morning, Chairman Meehan, Ranking Member Clarke, and Members of the committee. My name is Clyde Miller, and I am the director of corporate security for BASF Corporation. I am here today on behalf of BASF and the American Chemistry Council. At BASF, I am responsible for all of the security functions at our chemical facilities in North America and for the implementation of the Chemical Facility Anti-Terrorism Standards, or CFATS, at our facilities in the United States. I have been directly involved in that effort since CFATS' inception. Last year, I was asked to serve on the Department of Homeland Security (DHS)-commissioned Peer Review Panel analyzing the CFATS risk assessment methodology that was conducted by the Homeland Security Studies and Analysis Institute. For BASF and the chemical industry as a whole, security is an important aspect of our operations and there is no greater priority than the safety and security of our employees and the communities that surround our sites. I appreciate the opportunity to appear here this morning to provide feedback on the Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014. 
To that end, I would like to emphasize the following points in my remarks: ONE.--We support moving the CFATS regulation from an appropriations process to an authorization process. TWO.--We support the implementation of the overarching findings and recommendations of the Peer Review Panel, in the manner mentioned in this bill. THREE.--Dave Wulf and his team have done a tremendous job of turning the CFATS program around and moving toward an effective chemical facility security program. FOUR.--The passage of this bill by no means conflicts with Executive Order 13650. If anything, it will add to enhancing and strengthening security throughout the sector--one of the goals of the EO. Now, I would like to elaborate on these points. I. We support moving the CFATS program from an appropriations process to an authorization process. This bill, for the most part, codifies what is in the original 2006 spending bill, which established the Nation's first comprehensive chemical facility security regulation. Like the original bill, it is short and to the point and validates the original premise of establishing a risk-based performance model for enhancing chemical facility security across the Nation. I look at CFATS as an essay test rather than a multiple choice or fill-in-the-blank exam. Due to the CFATS security regulation being a collection of performance standards, a facility can implement a solution that draws from all available options to meet those standards. And since not all facilities are the same, plans can also be tailored to address the unique needs of individual sites. To effectively comply with CFATS, an ``essay'' of measures has to be implemented. This can be perimeter-related measures as well as other security measures, combined with operating measures such as process cameras and alarms. The totality, or ``essay,'' becomes the regulation with which the facility complies and is given a pass or no-pass grade when undergoing a compliance inspection by DHS. 
A long-term authorized regulation provides industry with the confidence to make long-term capital investments. Further, having that certainty helps DHS in recruiting and retaining top talent to effectively oversee the regulation. The bill does not try to reinvent the wheel or add complexity to the program, which seemed to doom previous attempts at long-term authorizations. Instead, this bill has some narrow fixes in a few areas that need to be addressed, such as a simplified Alternative Security Program, similar to that used by the U.S. Coast Guard under the Maritime Transportation Security Act, implementation of third-party inspectors and some simplified solutions to the personnel surety program. Concerning the Personnel Surety Program, the bill requires DHS to accept other well-established Federal credentials that currently continually vet their holders against the Terrorist Screening Database with no further obligation required of the facility. This bill reiterates a part of the original regulation, using threat, vulnerability, and consequence for assessing risk, which DHS had not been doing, as we discovered during the previously-mentioned peer review process. The Peer Review Panel recommended DHS evaluate all three elements to fully assess risk, which is also required by the National Infrastructure Protection Program of 2009 and 2013. Finally, the bill sets up an oversight process to ensure the program continues to make improvements and establishes accountability by setting a time line for the Secretary of DHS to report to Congress on its progress with implementation of recommendations made by the Peer Review Panel. II. We support the implementation of the overarching findings and recommendations of the Peer Review Panel, in the manner mentioned in this bill. A peer review panel was established last year by the Homeland Security Studies and Analysis Institute to study the methodology used by DHS to tier facilities covered under CFATS. 
This panel was made up of subject-matter experts covering 15 areas of expertise, including industrial security, risk analysis, toxicology, process safety, infrastructure security, and other pertinent areas. This effort resulted in a report setting out key findings and over-arching recommendations. As a member of that panel, it is gratifying to see that the effort is mentioned in this bill and requires DHS to report on the progress in implementation of those recommendations. III. Since Dave Wulf and his team have arrived at DHS; they have done a tremendous job of turning around the program and moving CFATS toward an effective chemical facility security program. First, recognizing that the Chemical Security Assessment Tool (CSAT) process could be streamlined, they embraced the American Chemistry Council's Alternative Security Plan (ASP) template, which provides an alternate path for developing and submitting site security plans. Second, they significantly increased the number of approved site security plans, having recently passed the 500th approved security plan. Third, they have greatly increased the pace of inspections, up to 100 inspections per month. They have completed nearly all of the Tier 1 and 2 high-risk facilities and have started reaching into the Tier 3 and Tier 4 sites. BASF has had sites that have gone through these authorization inspections and I can assure you that the heightened pace has not reduced their effectiveness or compromised the program. Fourth, they recognized that implementing a new regulatory program required significant outreach to the regulated community. As a result, they have enhanced their outreach efforts, engaging with industry via sector councils and other means. They've increased the number of Compliance Assistance Visits and inspectors regularly participate in introductory meetings with owners and operators of CFATS-regulated or potentially-regulated facilities. 
Finally, DHS has undertaken efforts to better identify ``outlier'' facilities that should have submitted Top-Screens but have failed to do so by coordinating with other agencies such as EPA, the U.S. Coast Guard, and State and local authorities. IV. The passage of this bill by no means conflicts with Executive Order 13650. If anything, it will add to enhancing and strengthening security throughout the sector--one of the goals of the EO. As just mentioned, DHS is undertaking many of the activities being considered under the Executive Order. Passage of this bill will allow DHS to increase these activities that go to the heart of their mission--ensuring chemical facility security throughout the sector. It is precisely these efforts, without any changes to the program that might hamper efficiency or speed, that the EO--and Congress--should be encouraging and supporting. Passing this bill will give the program the permanency it needs so that it does not risk lapsing as occurred during the Government shutdown last year.

Conclusion

CFATS has had a positive impact on enhancing security at U.S. chemical sites, and we support making this a permanent program for the approximately 4,500 sites that are regulated under CFATS. It is a robust program, for example at BASF we already had a fairly comprehensive and effective security program. However, for facilities under the CFATS regulation, we have seen increased capital spending and operating costs to ensure we meet or exceed the performance standards set out in the regulation. In complying with CFATS facilities have evaluated their processes and security programs and in some cases taken measures to reduce their risk and dropped out of the program. The previously-mentioned Peer Review made recommendations to make some process changes to make the program more transparent and consistent. To try to reinvent CFATS by passing more comprehensive legislation, I'm afraid, would have a significantly negative impact on the program.
Congressional oversight via authorization would help DHS continue to address some of the challenges they have faced implementing the program, even as the agency has made progress with a new management team. The industry has seen considerable increased activity from DHS, including improved quality of inspections and faster authorizations. Most importantly, DHS leadership has demonstrated a commitment to working with stakeholders to improve the implementation of the CFATS program. A long-term authorization will provide the regulatory certainty and operational stability to give the industry confidence that our long-term capital commitments to this program are appropriate, and provide a stronger foundation for the overall success of the program. We support and share in your efforts to provide a long-term authorization for CFATS. We pledge our continued support as this legislation moves forward, and look forward to continuing to work in partnership with you and your staff as this process moves forward. Thank you again for the opportunity to testify in support of this bill. I'll be glad to answer any questions you may have. Mr. Meehan. Thank you, Mr. Miller. The Chairman now recognizes Ms. Hampford Donahue. STATEMENT OF KATE HAMPFORD DONAHUE, PRESIDENT, HAMPFORD RESEARCH, INC., AND MEMBER, BOARD OF GOVERNORS, SOCIETY OF CHEMICAL MANUFACTURERS AND AFFILIATES (SOCMA) Ms. Hampford Donahue. Good afternoon, Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee. My name is Kate Hampford Donahue, and I am president of Hampford Research, a specialty chemical manufacturer located in Stratford, Connecticut. We are a second-generation family-owned business with 30 employees. We supply complex compounds to Fortune 500 companies serving the electronics, personal care, printing and lithography, and industrial adhesives industries. 
Some of our customers are chemical giants, and some are high-tech firms that develop and use engineered materials, but who lack the ability or desire to manufacture those materials themselves. Hampford Research is a member of the Society of Chemical Manufacturers and Affiliates, or SOCMA, where I also serve on the board of governors. SOCMA has been and continues to be the leading trade association representing the batch, custom, and specialty chemical industry. I am proud today to provide testimony on behalf of SOCMA in support of H.R. 4007, the CFATS Authorization and Accountability Act of 2014. SOCMA strongly supports the CFATS program and is wholly supportive of H.R. 4007. The program requires chemical facilities Nation-wide, including mine, to develop security enhancements. It protects facilities against attack without impairing the industry's ability to remain innovative. Hampford Research takes the security of our facilities and our products very seriously, as it does the safety of our employees and our communities. We have literally bought into this program. We received notice last year that our final CFATS authorization inspection was scheduled for October 1. We prepared as thoroughly as possible for the audit, but then our inspection was delayed due to the Government shutdown. To make matters worse, during the shutdown, we learned that the legislative authorization for the CFATS program had expired. These are the kinds of disruptions and regulatory uncertainty that Congress should do its best to avoid. Even under ideal circumstances, it costs companies, especially small businesses, time and money to plan for, pay for, prepare for, and clear days off calendars for multiple employees to comply with the full scope of the program. Responsible companies like Hampford want the CFATS program, but we want a stable and predictable one. 
In our re-scheduled final authorization inspection, we had two inspectors who were knowledgeable, professional, courteous, and practical. They engaged us in a real dialogue during the inspection and continued that dialogue after they left. Their focus was on creating layers of deterrent. They offered lots of suggestions on options we might consider, but were clear that we were the experts on our facility and only we could create a plan that would work for us. They were very responsive to follow-up questions from us, as well. In addition, the entire process, from the time when we were inspected on October 23 until we got final approval for our plan just February 14 last week was extremely timely and efficient. The CFATS program went through a difficult period, but we believe that our positive experience is an example of the broader success story that the CFATS program has become. For its part, DHS is making good progress in implementing the reforms identified by Deputy Director David Wulf. SOCMA applauds the work of Mr. Wulf and his team. We also thank him for his quick response in developing a resource at SOCMA's request called ``What to Expect from the Inspectors,'' that will explain what companies should anticipate for final authorization. This is a great example of chemical companies wanting to do the right thing and DHS working well with them for compliance. We are meeting mutual goals. CFATS is reducing risk in a market-based way. Over 3,000 facilities have changed processes or inventories in ways to screen out of the program. CFATS is driving facilities to reduce inherent hazards, relying not on regulatory mandates, but on the company's expert judgment to do so where it makes sense, where it can be done without reducing product quality or transferring risk to some other point in the supply chain. 
The CFATS program is working, but would help my company and others like it if Congress could ensure CFATS's continued stability through a longer-term authorization like H.R. 4007. This bill codifies what was in the original 2006 spending bill and removes the program from annual funding fire drills. This bill also makes a few fixes in areas where legislative change could improve the program, including allowing facilities the flexibility in satisfying their obligation to help screen employees and visitors for terrorist ties if the facilities rely on Federal credentials that are vetted against the Terrorist Screening Database. H.R. 4007 is a simple bill and a strong solution to help DHS and facilities like mine concentrate on implementing the CFATS regulations without worrying about the future of the program. It would help me and my 30 employees of Hampford Research significantly. The chemical sector is united in support of this bill. Per his testimony before the full committee in this room yesterday, Secretary Jeh Johnson supports it, as well. Thank you very much for this opportunity to testify, and I look forward to your questions. [The prepared statement of Ms. Hampford Donahue follows:] Prepared Statement of Kate Hampford Donahue February 27, 2014 Good morning Chairman Meehan, Ranking Member Clarke, and Members of the subcommittee. My name is Kate Hampford Donahue and I am the president of Hampford Research, Inc., a specialty chemical manufacturer headquartered in Stratford, Connecticut. We are a second-generation, family-owned business with 30 employees. We supply high-purity, complex compounds to Fortune 500 companies serving the electronics, dental, personal care, printing & lithography, and industrial adhesives industries. Some of our customers are chemical giants, and some are high-tech firms that develop and use engineered materials but lack the ability or desire to manufacture those materials themselves. 
Hampford Research is a member of the Society of Chemical Manufacturers and Affiliates, or SOCMA, where I also serve on the board of governors. For 90 years, SOCMA has been and continues to be the leading trade association representing the batch, custom, and specialty chemical industry. SOCMA's 220-plus member companies employ more than 100,000 workers across the country and produce some 50,000 products--valued at $60 billion annually--that help make our standard of living possible. Over 80% of SOCMA's members are small businesses and many are covered by the CFATS program. I am proud today to provide testimony on behalf of SOCMA in support of H.R. 4007, The CFATS Authorization and Accountability Act of 2014. SOCMA strongly supports the CFATS program and is wholly supportive of H.R. 4007. The program requires chemical facilities Nation-wide, including mine, to develop security enhancements. Its performance-based approach protects facilities against attack without impairing the industry's ability to remain innovative and to maintain some of the Nation's highest-paying manufacturing jobs. Like most other specialty chemical manufacturers covered by CFATS in our industry, Hampford Research takes the security of our facilities and our products very seriously, as it does the safety of our employees and communities. We have quite literally ``bought in'' to the program. We received notice last year that our final CFATS authorization inspection was scheduled for October. We prepared as thoroughly as possible for compliance--but then our inspection was delayed, due to the Government shutdown in October. To make matters worse, during the shutdown, we learned that on October 4, the legislative authorization for the CFATS program had expired, albeit briefly. These are the kinds of disruptions and regulatory uncertainty that Congress should do its best to avoid. 
Even under ideal circumstances, it costs companies, especially small businesses, time and money to plan for, pay for, prepare for, and clear days off of calendars of multiple employees to comply with a program like CFATS. Responsible companies like Hampford want the CFATS program--but we want a stable and predictable program. In our rescheduled final authorization inspection, we had two inspectors who were knowledgeable, professional, courteous, and practical. They engaged us in a real dialogue during the inspection--and continued that dialogue after they left. Their focus was on creating layers of deterrent. They offered lots of suggestions on options we might consider but were clear that we were the experts on our facility and only we could create a plan that would work for us. They were very responsive to follow up questions from us. In addition, the entire process (from when we were inspected on October 23-24 until we got approval for our plan on February 14) was very timely and efficient. The CFATS program went through a difficult period, but we believe that our positive experience is an example of the broader success story that the CFATS program has become. As a result of the chemical sector's strong cooperation with DHS, there has been 100% compliance by industry with the requirements to submit Top-Screens, Security Vulnerability Assessments and Site Security Plans. For its part, DHS is making good progress in implementing the reforms identified by Deputy Director David Wulf. SOCMA applauds the work of Mr. Wulf and his team. We also thank him for his quick response in developing a resource called ``What to Expect from the Inspectors'' that will explain what companies should anticipate for final authorizations. The Chemical Sector Coordinating Council suggested this idea to Mr. Wulf last year and he enthusiastically endorsed it. While it will come too late for Hampford Research, we expect that the tool will be very helpful to other facilities like ours. 
This is a great example of chemical companies wanting to do the right thing, and DHS working well with them for compliance. We are meeting mutual goals. CFATS is reducing risks in a market-based way. Over 3,000 facilities have changed processes or inventories in ways that have enabled them to screen out of the program. CFATS is thus driving facilities to reduce inherent hazards, relying not on regulatory mandates but on the company's expert judgment to do so where it makes sense--where it can be done without reducing product quality or transferring risk to some other point in the supply chain. The CFATS program is working, but it would help my company and others like it if Congress would ensure CFATS's continued stability through a longer-term authorization like H.R. 4007 would provide. This bill simply codifies what was in the original 2006 spending bill that established the program, and removes the program from the annual funding fire drills. The bill also makes a few simple fixes in areas where legislative change can improve the program: First, it clarifies that DHS can approve generic alternative security programs that facilities can opt into, rather than having to approve ASPs facility-by-facility. This approach has worked well for the maritime security program and should be extended to CFATS. Second, it clearly authorizes DHS to rely on third parties to conduct authorization inspections. DHS has stepped up the pace of inspections, but at the current rate it will still take years and years to get through all the tier 3 and 4 facilities. Leveraging third parties could be the key to dramatically shortening that time table. Third, the bill confirms that facilities can satisfy their obligation to help screen employees and visitors for terrorist ties if the facilities rely on Federal credentials that are vetted against the terrorist screening database--without having to supply any other information to DHS. H.R. 
4007 is a simple bill and strong solution that will allow DHS and facilities like mine to concentrate on implementing the CFATS regulations without worrying about the future of the program. It would help me, and the 30 employees of Hampford Research, significantly. The chemical sector is united in support of this bill. Thank you for the opportunity to testify, and I look forward to your questions. Mr. Meehan. Thank you, Ms. Hampford Donahue. The Chairman now recognizes Ms. Fendley for her testimony. STATEMENT OF ANNA FENDLEY, LEGISLATIVE REPRESENTATIVE, UNITED STEELWORKERS Ms. Fendley. Thank you, Chairman Meehan and Ranking Member Clarke, and Members of the subcommittee, for the opportunity to testify today. I am here on behalf of the United Steelworkers. We represent 850,000 workers in many sectors, including the majority of organized workers in the chemical industry. The massive explosion nearly a year ago in West, Texas, brought acute National attention to the vulnerabilities in our communities and the potential for the same or much worse is present at other facilities across the country. CFATS was intended to be an interim measure when DHS was given statutory authority during the 109th Congress. Subsequent appropriations have not addressed recognized problems with the implementation and scope of the CFATS program, and H.R. 4007 also neglects to address many of the inherent weaknesses of CFATS, five of which I will cite today. First, H.R. 4007 does not extend CFATS coverage to chemicals shipped or stored outside of a facility's fence line in nearby rail yards or elsewhere that may have little or no security measures. Our members cite rail cars full of hazardous chemicals parked outside fence lines near homes and other businesses. Employers may engage in this form of risk-shifting to be taken off the list of high-risk facilities, or it could be unintentional. 
DHS claims that ``more than 3,000 facilities removed, reduced, or modified holdings of chemicals of interest,'' but maintains no information as to how these reductions in holdings were achieved. Second, H.R. 4007 does not change the prohibition within CFATS of any particular security measure by DHS, including a fence in a particular area, a specific control on a unit, or any other measure that is well-documented through past practice to prevent catastrophic incidents. Third, H.R. 4007 does not develop or promote the most effective means of reducing a catastrophic chemical incident, which is the use of safer chemical processes. Some companies have made these changes. According to DHS, nearly 1,300 facilities have completely removed their chemicals of interest, and approximately 600 decreased quantities of chemicals of interest to below the threshold. But many companies will never even look into innovating with safer processes without a legal requirement to do so. A provision addressing this would be a particularly effective addition to H.R. 4007. Fourth, the personnel surety program under CFATS has the potential for unintended consequences. H.R. 4007 does not prevent the collection of unnecessary personal employee data by employers or third parties that may be inaccurate. There is not an adequate appeals process for workers who are wrongly discriminated against during the PSP process. DHS statements that employers are expected to follow all laws are inadequate to protect workers in this regard. Many have expressed concern about the duplication of efforts and the burden for multiple background checks under the PSP. The Transportation Worker Identification Credential, TWIC, is an option, but it is not without concerns. Fifth, CFATS and H.R. 4007 lack the requirement for a meaningful role for workers in chemical security. Workers who operate and maintain chemical facilities know the most about what needs to be done to reduce vulnerabilities. 
CFATS should require meaningful involvement of plant employees in developing security plans and participating in the agency's inspections at a facility. Additionally, whistleblower protections should be added for workers or others who report vulnerabilities to the Secretary of Homeland Security. As the first panel cited, there have been a number of challenges with implementing the CFATS program. The OIG and GAO reports are important documents for serious consideration. Another current activity to consider is the report that DHS must provide to the House and Senate Appropriations Committees by April. After the explosion in West, Texas, President Obama signed Executive Order 13650 on Improving Chemical Facility Safety and Security. The EO's working group has been gathering stakeholder input and is currently requesting public comments on policy regulation and standards modernization, including issues specific to CFATS. A status report is due to the President in May. These documents will be very valuable to consider. Any legislation authorizing the CFATS program must be responsive to the identified shortcomings and challenges of CFATS, the oversight recommendations, and other activities at the Federal level. Congress should not merely require more metrics from an inadequate program when there is consensus about problems. Legislative action based on the recommendations from OIG, GAO, the EO working group, and other stakeholders is necessary to address the gaps in CFATS that leave millions of American workers and communities at risk. Thank you again for the opportunity to be here today. [The prepared statement of Ms. Fendley follows:] Prepared Statement of Anna Fendley February 27, 2014 Chairman Meehan, Ranking Member Clarke, and Members of the committee, thank you for the opportunity to testify today. My name is Anna Fendley. 
I am here on behalf of the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial, and Service Workers International Union--USW for short. We represent 850,000 workers in the sectors I just mentioned and many others, including the majority of unionized workers in the chemical industry and hundreds of thousands of men and women whose workplaces use and store large quantities of industrial chemicals. A massive explosion nearly a year ago at the West Fertilizer Company's storage and distribution facility in West, TX killed 15 people and injured hundreds more. The blast also destroyed a nursing home, an apartment complex, schools, and private homes. This incident has brought acute National attention to the vulnerabilities in our communities. As devastating as the West explosion was, the potential for much worse is present at other facilities across the country. Our members are well aware of the hazards and the potential for wide-spread damage to critical infrastructure and the communities where they work and live. Small accidental releases occur more often than the public realizes, and it is only a matter of time before the next large explosion or release. In one example, our members at a chemical plant on the West Coast cite a normal procedure that turned abnormal last year and caused a release of sulfuric acid that sent workers at the warehouse next door to the hospital. Luckily this release was stopped relatively quickly. However, that may not be the case in every situation. CFATS was intended to be an interim measure when the 109th Congress passed legislation providing the Department of Homeland Security (DHS) with statutory authority to regulate chemical facilities for security purposes. Since that time subsequent Congresses have continued to extend the authority to DHS for the CFATS program through appropriations. 
These appropriations have not addressed recognized problems within the implementation and scope of the CFATS program and have instead allowed an inadequate and ineffective status quo. H.R. 4007 also neglects to address many of the inherent weaknesses of CFATS, five of which I will cite today. First, H.R. 4007 does not extend CFATS coverage to chemicals shipped or stored outside of a facility's fence line in nearby rail yards or elsewhere that may have little or no security measures. Currently CFATS does not prevent this risk shifting from one location to another. I have seen pictures and gotten accounts from our members of rail cars full of hazardous chemicals parked for days outside the fence line within yards of a busy road near homes and other businesses. Employers may engage in this form of risk shifting to be taken off the list of high-risk facilities, or risk shifting could be an established practice occurring for years because workers and management do not recognize the hazard and the potential for a criminal act. Under CFATS there is no way of knowing if and how these risks are being shifted, which leaves communities in danger. DHS claims that ``more than 3,000 facilities removed, reduced, or modified holdings of chemicals of interest'' but maintains no information as to how these reductions in holdings were achieved.\1\ The program does not know or track whether the risk was shifted to just over the fence-line.
---------------------------------------------------------------------------
\1\ http://www.dhs.gov/sites/default/files/publications/CFATS%20Update_February2014.pdf.
---------------------------------------------------------------------------
Second, HR 4007 does not change the prohibition within CFATS of any ``particular security measure'' by DHS including a fence in a particular area, a specific control on a unit, or any other measure that is well-documented through past practice to prevent catastrophic incidents. 
This capacity-building measure would require covered facilities to conduct a structured review of options that avoid catastrophic chemical hazards in well-documented assessments and plans that are reported to DHS. My colleagues and I work with employers every day. Many take safety measures that go above and beyond, but there are always some that will only do the minimum required by law and, as we all know, some who refuse to even do the minimum required. Third, H.R. 4007 does not develop or promote the most effective means of reducing a catastrophic chemical incident, which is the use of safer chemical processes. DHS,\2\ EPA,\3\ and the U.S. Chemical Safety Board \4\ have all highlighted the effectiveness of assessing and, where feasible, implementing safer alternatives at high-risk facilities. Some companies have shifted to safer processes or reduced their inventory of hazardous chemicals so they are no longer listed as high-risk. In fact, according to a report from DHS to the Coalition to Prevent Chemical Disasters, since the inception of the CFATS program nearly 1,300 facilities have completely removed their Chemicals of Interest and approximately 600 no longer possess a Chemical of Interest at the threshold that requires submission of a Top-Screen to DHS. But many companies will never even look into innovating with safer chemical processes without a legal requirement to do so. Past legislation in the House has included the requirement that covered facilities ``assess alternatives, in particular `the technical feasibility, costs, avoided costs (including liabilities), personnel implications, savings, and applicability of implementing each method to reduce the consequences of a terrorist attack'.''\5\ This provision would be a particularly effective addition to H.R. 4007. 
---------------------------------------------------------------------------
\2\ http://www.dhs.gov/news/2011/03/30/written-testimony-nppd-house-committee-energy-and-commerce-hearingtitled-hr-908.
\3\ http://www.epa.gov/ocir/hearings/testimony/111_2009_2010/2010_0728_ccd.pdf.
\4\ http://www.nytimes.com/2014/01/29/opinion/the-next-accident-awaits.html?smid=pl-share&_r=0.
\5\ HR 2868--111th Congress. http://beta.congress.gov/bill/111th-congress/house-bill/2868.
---------------------------------------------------------------------------
Fourth, the Personnel Surety Program (PSP) under CFATS has the potential for unintended consequences. Within the current context of the CFATS program, individual chemical facilities are responsible for clearing workers under their PSP. H.R. 4007 does not prevent the collection of unnecessary personal employee data by employers or third parties that may be full of inaccuracies due to errors in reporting. CFATS does not include an adequate appeals process for workers who are wrongly discriminated against during the PSP process. In a February 3, 2014 Federal Register notice, DHS stated that employment decisions based on background checks are outside of the scope of CFATS and that DHS expects employers to comply with applicable Federal, State, and local law regarding employment and privacy.\6\ On the whole this is inadequate. Workers need an appeals process and whistleblower protections under the CFATS.
---------------------------------------------------------------------------
\6\ http://www.gpo.gov/fdsys/pkg/FR-2014-02-03/pdf/2014-02082.pdf (page 6436).
---------------------------------------------------------------------------
Many have expressed concerns about duplication of efforts and the burden for multiple background checks. The Transportation Worker Identification Credential (TWIC) is an option, but it is not without concerns. 
What protections would be in place for workers who would suddenly be required to secure TWICs to continue working? What financial and operational burdens would the installation of biometric readers put on facilities? Relying on the TWIC program in this way could be problematic, particularly since the Coast Guard has not issued a final rule for TWIC readers, it will not be fully deployed in ports across the country, and there are examples of some problems with the appeals process. And fifth, CFATS lacks the requirement for a meaningful role for workers in chemical security, and H.R. 4007 does not provide it. Workers who operate and maintain chemical facilities know the most about what needs to be done to reduce vulnerability and protect against a terrorist attack. They would be hurt first and worst in an attack on a facility, and therefore have the largest stake in ensuring safety. CFATS should require meaningful involvement of plant employees in developing security plans. DHS should also be required to include an employee representative when the agency does inspections at a facility. The Occupational Safety and Health Administration \7\ and the Environmental Protection Agency \8\ both have policies that could be used as a model for DHS to include workers in inspections. Additionally, whistleblower protections should be added for workers or others who report problems, deficiencies, and vulnerabilities to the Secretary of Homeland Security.
---------------------------------------------------------------------------
\7\ https://www.osha.gov/Firm_osha_data/100006.html.
\8\ http://www.epa.gov/compliance/resources/policies/monitoring/caa/caa112r-rmpguide.pdf.
---------------------------------------------------------------------------
As the first panel cited, there have been a number of challenges with implementing the CFATS program. 
In a March 2013 report, the Office of Inspector General (OIG) found that the program continued to face challenges in the areas of submission tools and processes, representation and oversight, human capital, and fiscal stewardship.\9\ OIG made 24 recommendations to improve implementation of the CFATS program, and those recommendations should be considered. Additionally the recommendations in the April 2013 Government Accountability Office (GAO) report titled ``Critical Infrastructure Protection: DHS Efforts To Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened'' should be considered as the committee considers risk assessment under the CFATS program.\10\
---------------------------------------------------------------------------
\9\ http://www.oig.dhs.gov/assets/Mgmt/2013/OIG_13-55_Mar13.pdf.
\10\ http://www.gao.gov/products/GAO-13-353.
---------------------------------------------------------------------------
Another current activity to consider is that the Joint Explanatory Statement for the Consolidated Appropriations Act, 2014 included a requirement that DHS provide a report to the House and Senate Appropriations Committees, the House Committee on Energy and Commerce, and this committee, the House Committee on Homeland Security by April 2014.\11\ This report will outline how DHS is using existing resources and infrastructure to avoid duplication within the program and how DHS is working to ensure that a facility meets the personnel surety standard. The information included in this report will be valuable to incorporate into any legislation concerning the CFATS program.
---------------------------------------------------------------------------
\11\ http://docs.house.gov/billsthisweek/20140113/113-HR3547-JSOM-D-F.pdf.
---------------------------------------------------------------------------
After the explosion in West, TX, President Obama signed Executive Order (EO) 13650 on Improving Chemical Facility Safety and Security.\12\ The EO set up a working group to improve operational coordination with State and local partners; enhance Federal agency coordination and information sharing; modernize policies, regulations, and standards; and work with stakeholders to identify best practices. The working group is co-chaired by the Department of Homeland Security, the Environmental Protection Agency, and the Department of Labor. It has been meeting regularly and has held listening sessions at locations across the country to gather stakeholder input about how the agencies can more effectively reduce the risks to workers and communities. Additionally, there is also a document out for public comment until March 31, 2014 requesting public input on policy, regulation, and standards modernization. As a part of that public comment, DHS is asking for input from stakeholders about the following issues specific to CFATS:
---------------------------------------------------------------------------
\12\ http://www.whitehouse.gov/the-press-office/2013/08/01/executive-order-improving-chemical-facility-safety-and-security.
---------------------------------------------------------------------------
    Options to improve the secure storage, handling, and sale of ammonium nitrate;
    Potential updates to the CFATS chemicals of interest list and the screening threshold quantities of certain substances contained on that list;
    Options for improving the coverage of reactive substances and reactivity hazards;
    Options for addressing security of chemicals at agricultural production facilities;
    Opportunities to leverage industry best practices in chemical facility security;
    Methods for identifying economically and mission-critical chemical facilities;
    Opportunities to harmonize facility security standards across different programs; and
    Approaches to identifying potential high-risk chemical facilities that have not yet complied with their initial CFATS obligations.\13\
---------------------------------------------------------------------------
\13\ https://www.osha.gov/chemicalexecutiveorder/Section_6ai_Options_List.html.
---------------------------------------------------------------------------
A status report from the working group to the President is due on May 1, 2014 along with a comprehensive and integrated standard operating procedure that unifies the Federal approach for identifying and responding to risks. These documents will be very valuable to consider as a part of CFATS reform. Any legislation authorizing the program must be responsive to the identified shortcomings and challenges of CFATS, the oversight recommendations, and other activities at the Federal level regarding the CFATS program. Congress should not merely require more metrics from an inadequate program when there is consensus about problems in the program. Legislative action based on the recommendations from OIG, GAO, the EO working group, and other stakeholders is necessary to address the gaps in CFATS that leave millions of American workers and communities at risk. Thank you again for the opportunity to testify today. Mr. 
Meehan. I thank you, Ms. Fendley. I thank each of the panelists. Let me begin with you, Mr. Miller, representing larger industry in this. There has been major investment that has been made by the industry in response to the call and a sense of responsibility to try to meet the challenge of securing our chemicals against the threat of potential use for terrorist activity. That investment has been made under the basis that there be some kind of certainty with regard to the program. What does it mean to business to have a question of certainty? How is it that people make calculations about the kinds of investments and planning that they are going to do in larger organizations where oftentimes you can have numerous facilities and literally millions of dollars at stake, so to speak, in the decisions that you make? Mr. Miller. Thank you, Mr. Chairman, for that question. It does certainly play into the considerations of capital planning. The reality of it is, money spent for security measures may be money that was taken away from some other process that we wanted to make an improvement on. But knowing that the money that we are spending is not necessarily going to be--I don't want to say wasted, but certainly the money that is spent trying to comply with the program should be spent for a good cause. Knowing that this program is going to be around and it is going to be something that we will be complying with for a number of years would be helpful. Mr. Meehan. So the absence of some kind of certainty with regard to it may in these times of difficult decision making at a corporate level lead people to say, well, if we don't know, resources could be shifted until there is certainty into another area, leaving some measure of potential vulnerability as we move forward? Mr. Miller. Well, I think that we as an industry try to be responsible in that area and we want to make sure that we are doing what we should be doing in the security arena. 
However, having that uncertainty can cause, I think, some companies to proverbially kick the can down the road and wait to see what is going to happen as to whether this regulation is going to continue or not. Mr. Meehan. Thank you. Ms. Donahue, you represent many of the smaller participants in the business. We recognize that there are numerous components, and that may be the very place where, you know, we have got smaller companies, smaller abilities to be responsive to mandates and other kinds of things, and yet a similar interest in trying to be responsive to our goal of protecting the homeland. What does it mean to--you used the word flexibility. What about this legislation enables you to have some measure of flexibility while still fulfilling the obligations that you think the law creates? Ms. Hampford Donahue. Well, in general, I mean, in the course of our plan being approved, it was a real dialogue with the inspectors. They were in our facility. They could see some of the space limitations we were dealing with and other issues. We talked about how we created more layers of security. They had some ideas for us that hadn't occurred to us before, and we had some, actually, some insights that they added to their list, so it was a very collaborative process that ended up with a plan that we could execute within our means--again, goes back to this capital planning--I would echo it is probably even more important for a small facility to be able to plan capital spending, because we have fewer dollars to spend, and chemical manufacturing is an extremely capital-intensive business, extremely. So the more we can plan for what is going to be required to meet the commitments for CFATS, the better it is for us. 
I mean, if we are talking about putting some new camera system in, I need to know that that is going to be an investment that will be able to keep for years to come and that, in 2 years, I won't have some new set of standards that I have to meet, that now the candid cameras aren't a good investment. So flexibility to look at the standards and create solutions that are executable in my facility is important, but also this ability to plan long-term. Mr. Meehan. That flexibility, as well, is--there is an engagement that is taking place, in the sense of you are collaboratively looking at the kinds of things that may be being requested of you, but there is also a dialogue about things, where and how you store your chemicals and otherwise. Would it be conceivable you would be asked questions about whether you have materials outside of the boundaries of your particular plant? Ms. Hampford Donahue. Absolutely. Mr. Meehan. Would there then be an opportunity for DHS to engage with you about ways to assure that they are at least either in transit or you could shift things if necessarily to assure that they are otherwise secure? Ms. Hampford Donahue. Absolutely. Mr. Meehan. So this is the part of the flexibility and the ability to move forward is the on-going dialogue that takes place, so when issues are raised with respect to security of these, there is a capacity with the way things are being constructed in this bill to be responsive and to take appropriate steps to assure that they are taken. Ms. Hampford Donahue. Based on what we have seen so far, yes. Mr. Meehan. Okay. Ms. Hampford Donahue. I mean, we have an open dialogue with the inspectors that were there, that as we implement our plan, should, you know, you hit a speed bump that you weren't anticipating, you know, we will be absolutely picking up the phone to talk to them about how we best resolve, you know, any forthcoming issues. So the dialogue that was created during the audit was the cornerstone of this for us. 
Mr. Meehan. Thank you. My time is expired, and I turn to the Ranking Member for questions she may have. Ms. Clarke. Thank you, Mr. Chairman. Let me thank Mr. Miller, Ms. Hampford Donahue, and Ms. Fendley for your expert testimony here today. My question is to you, Ms. Fendley: In your testimony, you mentioned that chemical security measures rarely address capacity-building measures that would require covered facilities to conduct a structured review of options that would help avoid catastrophic chemical hazards and that are reported to DHS. I know that you and your organization work with employers every day to improve the safety and security of workers. We also know that many companies take their corporate responsibility to work with the citizens who live nearby seriously and take safety measures that go above and beyond. But there are always bad actors who do the minimum required by law or less. Can you give us some examples of how we can help the CFATS program and coverage avoidance of catastrophic chemical hazard? Ms. Fendley. Sure. Thank you for that question. The most effective means, we believe, to avoid these catastrophic incidents is to promote and develop the use of safer chemical processes. As I included in my testimony, there are many facilities that have done that, but that dramatically mitigates the risk, should an act of terror take place. There has been legislation in past congresses that addresses that and included some requirements that facilities at a minimum assess the financial and technological feasibility to implement those kinds of processes. I think the second thing I would add is that the CFATS program does a very good job of hearing from industry as a stakeholder, but workers and communities also ought to be at the table as stakeholders in this process. 
Workers specifically at facility sites would be incredibly useful in creating site security plans and participating in inspections, because they are the people who are really on the process every day and they understand the true vulnerabilities.
Ms. Clarke. Ms. Hampford Donahue, you are a smaller company, and you mentioned that part of what has sort-of enabled you to wrap your arms around this process is the consultative process with inspection. Part of the challenge that we are facing right now is the outlying organization; based on the West Virginia--excuse me, the West, Texas, model, it seemed to be a small company, as well. Through your trade association, have you been able to sort-of get to those far-flung organizations to have them become a part of your association? What are the challenges that we face as a Nation in sort of locating those outliers? Because it seems to me that that process of collaboration and inspection helps those companies that may be isolated to come into compliance and have a certain level of comfort in that interaction.
Ms. Hampford Donahue. I am not sure that I can speak specifically to the issue of outliers. I can speak to the kind of dialogue that we have within the SOCMA membership. I can tell you that when we received the call that we were going to be inspected, that was the first call I made was to SOCMA, to reach out to the staff there and to my fellow board of governors, members, to find out who else had been inspected. So it is, you know, an active engagement that we have talking about, you know, all sorts of issues, but--CFATS being one of them. Beyond--I mean, talk about outliers. I don't know of any. I mean, everybody that is in SOCMA that I know of is compliant with whatever Government regulations they need to be.
Ms. Clarke.
I guess my question to you was, have you seen in your experience, I guess, the willingness or an ability to identify a company that may be out there that sees your organization as a place where they can find a home and then ultimately become far more engaged in a trade association, thereby getting the access to the information they would need to be in compliance with CFATS? I mean, I am sure there are companies that are coming on-line every day, but there may be older ones out there that, you know, get access to the web and see your organization. Have you seen that as an avenue?
Ms. Hampford Donahue. Well, SOCMA has--you know, got a very strong outreach effort to its members. Certainly, legislative and regulatory issues are a cornerstone of that. If you go to any SOCMA meeting, board meeting or, you know, other seminar or session that they have, there is always a regulatory or legislative component to what we are talking about. So I think for us, certainly, that is one of the benefits of SOCMA membership, is that that is the way that I make sure that my company is always compliant with what is going on or what we need to be, so I would assume that is why other organizations would join, as well.
Ms. Clarke. Very well. Thank you very much, Mr. Chairman. I yield back.
Mr. Meehan. I thank the Ranking Member. I just have one sort-of follow-up question that I would like to ask for some insight on. I know we have mentioned a couple of times the personnel surety performance, and I am aware that there is continuing difficulty with some of this. Mr. Miller, our committee appreciates that DHS has taken some steps. Some have called them a little overly burdensome or invasive at times. We also want to make sure that progress in this regard that has been made isn't retarded in a way that it becomes difficult to do the thing we want to do, which is to attest to the ability of somebody who is in a facility to appropriately be there.
With these twin concerns of mine, how would you think you would like to see the personnel surety requirement developed?
Mr. Miller. Thank you, Mr. Chairman. The personnel surety performance standard is a tough one, because there is a certain element of that performance standard having to do with vetting--or vetting people against the Terrorist Screening Database, that there is only one way that can be accomplished, and that can only be accomplished by submitting data in some manner to the Federal Government for them to bounce it off of that database. So that makes it a little bit of a challenge to say that we should have various options to be able to comply, when you have that restriction. So I think that is the reason for the consideration of having--recognizing multiple credentials that are already out there that do that thing to comply with this performance standard. Another option, though, too, is--and certainly it is something that we look at our facilities--is the true issue here is allowing people having access to the chemicals of interest. Where we have the ability to isolate those materials so that we can reduce the number of people that have access to that, and we take advantage of that, that way, that reduces the total population that we have to submit to DHS. The simplification and the reduction of the number of people that have access to those types of materials is what we are driving for there. If I might add one more thing, in some of the other questioning--and I apologize for being so bold--but there has been a lot of discussion about the facilities and the population of facilities that almost sounds like this is a static program, but it is not. All of my facilities at any given time may decide to change a process. They may decide to expand their processes.
We have to have a process in place where we are continually monitoring what our facilities are doing, so that if they suddenly trigger the need for a Top-Screen, we know about it and we can have that facility to do that. Same way with our warehouses and so forth, in kind-of going to Ranking Member Clarke's question. We make sure that our suppliers and that our warehouses and so forth recognize they may have to comply with CFATS, because the last thing we need is to have a warehouse or a supplier get shut down by DHS and we can't get that--can't have that working material there. So that is one of the ways that outreach can be done. This is a dynamic regulation, in that it is always changing as far as the population of facilities that are out there.
Mr. Meehan. Well, I thank you for that observation about not only the dynamism, but we used the word flexibility before as with anything, and one of the real objectives of this legislation was to make it structured enough that we could be able to accomplish the very real objectives that we share, but also not to make it so prescriptive or to be introducing so many new variables into these that we start to get in the way of the very specific objective that we have now, recognizing that that concept of flexibility always opens the door to, if there is another kind of need, it can be included, but if we don't have a baseline that allows us to get started, we are going to continue to wallow in the mud and find ourselves potentially down here 2 or 3 years later looking at the next West, Texas, and saying, why didn't we do something to make the difference? I want to thank you for your testimony. I want to thank you for your work in this very, very important area. We appreciate the value of the information you have been able to bring to us in deliberations about this important bill. So I thank the witnesses.
The Members of the committee may have some additional questions for you, and if they do, I ask that you respond in writing. So, thank you. Pursuant to committee rule 7(e), the record of this hearing will be held open for 7 days. Without objection, the subcommittee stands adjourned.
[Whereupon, at 12:32 p.m., the subcommittee was adjourned.]