Critical Infrastructure Protection:
DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened
GAO-13-353: Published: Apr 5, 2013. Publicly Released: Apr 5, 2013.
What GAO Found
Since 2007, the Department of Homeland Security's (DHS) Infrastructure Security Compliance Division (ISCD) has assigned about 3,500 high-risk chemical facilities to risk-based tiers under its Chemical Facility Anti-Terrorism Standards (CFATS) program, but it has not fully assessed its approach for doing so. The approach ISCD used to assess risk and make decisions to place facilities in final tiers does not consider all of the elements of consequence, threat, and vulnerability associated with a terrorist attack involving certain chemicals. For example, the risk assessment approach is based primarily on consequences arising from human casualties, but does not consider economic consequences, as called for by the National Infrastructure Protection Plan (NIPP) and the CFATS regulation, nor does it consider vulnerability, consistent with the NIPP. ISCD has begun to take some actions to examine how its risk assessment approach can be enhanced, including commissioning a panel of experts to assess the current approach, identify strengths and weaknesses, and recommend improvements. ISCD will need to incorporate the various results of these efforts to help them ensure that the revised risk assessment approach includes all elements of risk. After ISCD has incorporated all elements of risk into its assessment approach, an independent peer review would provide better assurance that ISCD can appropriately identify and tier chemical facilities, better inform CFATS planning and resource decisions, and provide the greatest return on investment consistent with the NIPP.
DHS's ISCD has revised its process for reviewing facilities' site security plans--which are to be approved by ISCD before it performs compliance inspections--but it did not track data on the prior process to measure differences. The past process was considered by ISCD to be difficult to implement and caused bottlenecks in approving plans. ISCD views its revised process to be a significant improvement because, among other things, teams of experts review parts of the plans simultaneously rather than sequentially, as occurred in the past. Moving forward ISCD intends to measure the time it takes to complete reviews, but will not be able to do so until the process matures. GAO estimated that it could take another 7 to 9 years before ISCD is able to complete reviews on the approximately 3,120 plans in its queue which means that the CFATS regulatory regime, including compliance inspections, would likely be implemented in 8 to 10 years. ISCD officials said that they are exploring ways to expedite the process such as reprioritizing resources and streamlining inspection requirements.
DHS's ISCD has also taken various actions to work with owners and operators, including increasing the number of visits to facilities to discuss enhancing security plans, but trade associations that responded to GAO's query had mixed views on the effectiveness of ISCD's outreach. ISCD solicits informal feedback from facility owners and operators on its efforts to communicate and work with them, but it does not have an approach for obtaining systematic feedback on its outreach activities. ISCD's ongoing efforts to develop a strategic communication plan may provide opportunities to explore how ISCD can obtain systematic feedback on these activities. A systematic approach for gathering feedback and measuring the results of its outreach efforts could help ISCD focus greater attention on targeting potential problems and areas needing improvement.
Why GAO Did This Study
Facilities that produce, store, or use hazardous chemicals could be of interest to terrorists intent on using toxic chemicals to inflict mass casualties in the United States. As required by statute, DHS issued regulations that establish standards for the security of high-risk chemical facilities. DHS established the CFATS program to assess the risk posed by these facilities and inspect them to ensure compliance with DHS standards. ISCD, which manages the program, places high risk facilities in risk-based tiers and is to conduct inspections after it approves facility security plans. A November 2011 ISCD internal memorandum raised concerns about ISCD's ability to fulfill its mission.
GAO assessed the extent to which DHS has (1) assigned chemical facilities to tiers and assessed its approach for doing so, (2) revised its process to review facility security plans, and (3) communicated and worked with owners and operators to improve security. GAO reviewed DHS reports and plans on risk assessments, security plan reviews, and facility outreach and interviewed DHS officials. GAO also received input from 11 trade associations representing chemical facilities, about ISCD outreach. The results of this input are not generalizable but provide insights.
What GAO Recommends
GAO recommends that DHS enhance its risk assessment approach to incorporate all elements of risk, conduct a peer review after doing so, and explore opportunities to gather systematic feedback on facility outreach. DHS concurred with the recommendations.
For more information, contact Steve Caldwell at (202) 512-9610 or email@example.com.
Recommendations for Executive Action
Comments: According to Infrastructure Security Compliance Division (ISCD) officials, they completed development of an updated tiering methodology, which incorporates improvements based on recommendations from both the external peer review of the tiering methodology and a Sandia National Laboratory (Sandia) report on economic consequences, which was submitted to the Department in the first quarter of fiscal year (FY) 2015. Additionally, according to the officials, DHS continued hosting meetings of an external experts panel consisting of representatives from other Federal agencies and the chemical and oil and natural gas industries, who have met repeatedly to review and provide input on the proposed improvements to the Chemical Facility Anti-Terrorism Standards (CFATS) tiering methodology. As noted in the tiering methodology improvement plan previously provided by the Department to GAO, the ISCD is having external entities validate and verify the updated methodology before deployment. To that end, the Homeland Security Studies and Analysis Institute (HSSAI) has reviewed and provided findings and recommendations on all parts of the updated tiering engine. Additionally, Sandia has been conducting component testing of the tiering engine as it is being updated and, beginning in January 2016, Sandia will conduct end-to-end testing of the engine. Concurrent with these efforts, ISCD has been updating the Chemical Security Assessment Tool (CSAT) applications which currently support the collection of the data used by the CFATS tiering methodology (i.e., Top-Screen, Security Vulnerability Assessment). According to the officials, deployment of these new applications cannot occur until the DHS's Information Collection Request (ICR) is approved by the White House's Office of Management and Budget (OMB), which the Department anticipates submitting to OMB in the third quarter of fiscal year 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate (NPPD), the Assistant Secretary for NIPP's Office of Infrastructure Protection (IP), and Director of ISCD to develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD's risk assessment approach consistent with the NIPP and the CFATS rule.
Agency Affected: Department of Homeland Security
Comments: According to Infrastructure Security Compliance Division (ISCD) officials, the updated CFATS risk-based tiering methodology has been developed and portions of it are undergoing independent review from both HSSAI and Sandia. An independent verification and validation of the updated tiering methodology is scheduled to be conducted by Sandia beginning in January 2016. We will update the status of this recommendation after additional information is received from DHS. Status as of January 20, 2016.
Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and Director of ISCD to conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach, that fully validates and verifies ISCD's risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: The Infrastructure Security Compliance Division (ISCD) developed a questionnaire to solicit feedback on outreach with industry stakeholders in the Chemical Facility Anti-terrorism Standards (CFATS) community. In September 2016, the Office of Management and Budget approved ISCD's request to implement the questionnaire during various outreach engagements with stakeholders, including meetings and conferences, contact with ISCD's Knowledge Center, and during compliance assistance visits by ISCD inspectors. ISCD started using the questionnaire during these engagements, consistent with ISCD's Outreach Implementation Plan and began using the questionnaire in October 2016, during various CFATS outreach events. In early 2017, ISCD began to compile and analyze the data provided by stakeholders when using the questionnaire.
Recommendation: To enhance ISCD efforts to communicate and work with facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and the Director of ISCD to explore opportunities and take action to systematically solicit and document feedback on facility outreach consistent with ISCD efforts to develop a strategic communication plan.
Agency Affected: Department of Homeland Security