This is the accessible text file for GAO report number GAO-14-608T 
entitled 'Critical Infrastructure Protection: Observations on DHS 
Efforts to Implement and Manage its Chemical Security Program' which 
was released on May 14, 2014. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Testimony: 

Before the Committee on Homeland Security and Governmental Affairs, 
U.S. Senate: 

For Release on Delivery: 
Expected at 10:00 a.m. EST: 
Wednesday, May 14, 2014: 

Critical Infrastructure Protection: 

Observations on DHS Efforts to Implement and Manage its Chemical 
Security Program: 

Statement of Stephen L. Caldwell: 
Director, Homeland Security and Justice: 

GAO-14-608T: 

GAO Highlights: 

Highlights of GAO-14-608T, a testimony before the Committee on 
Homeland Security and Governmental Affairs, U.S. Senate. 

Why GAO Did This Study: 

Facilities that produce, store, or use hazardous chemicals could be of 
interest to terrorists intent on using toxic chemicals to inflict mass 
casualties in the United States. As required by statute, DHS issued 
regulations establishing standards for the security of these 
facilities. DHS established the CFATS program to assess risk at 
facilities covered by the regulations and inspect them to ensure 
compliance. 

This statement provides observations on DHS efforts related to the 
CFATS program. It is based on the results of previous GAO reports 
issued in July 2012 and April 2013 and a testimony issued in February 
2014. In conducting the earlier work, GAO reviewed DHS reports and 
plans on the program and interviewed DHS officials. 

What GAO Found: 

In managing its Chemical Facility Anti-Terrorism Standards (CFATS) 
program, the Department of Homeland Security (DHS) has a number of 
efforts underway to identify facilities that are covered by the 
program, assess risk and prioritize facilities, review and approve 
facility security plans, and inspect facilities to ensure compliance 
with security regulations. 

* Identifying facilities. DHS has begun to work with other agencies to 
identify facilities that should have reported their chemical holdings 
to CFATS, but may not have done so. DHS initially identified about 
40,000 facilities by publishing a CFATS rule requiring that facilities 
with certain types and quantities of chemicals report certain 
information to DHS. However, a chemical explosion in West, Texas last 
year demonstrated the risk posed by chemicals covered by CFATS. 
Subsequent to this incident, the President issued Executive Order 
13650 which was intended to improve chemical facility safety and 
security in coordination with owners and operators. Under the 
executive order, a federal working group is sharing information to 
identify additional facilities that are to be regulated under CFATS, 
among other things. 

* Assessing risk and prioritizing facilities. DHS has begun to enhance 
its ability to assess risks and prioritize facilities. DHS assessed 
the risks of facilities that reported their chemical holdings in order 
to determine which ones would be required to participate in the 
program and subsequently develop site security plans. GAO's April 2013 
report found weaknesses in multiple aspects of the risk assessment and 
prioritization approach and made recommendations to review and improve 
this process. In February 2014, DHS officials told us they had begun 
to take action to revise the process for assessing risk and 
prioritizing facilities. 

* Reviewing security plans. DHS has also begun to take action to speed 
up its reviews of facility security plans. Per the CFATS regulation, 
DHS is to review security plans and visit the facilities to make sure 
their security measures meet the risk-based performance standards. GAO'
s April 2013 report found a 7- to 9-year backlog for these reviews and 
visits, and DHS has begun to take action to expedite these activities. 
As a separate matter, one of the performance standards—personnel 
surety, under which facilities are to perform background checks and 
ensure appropriate credentials for personnel and visitors as 
appropriate—is being developed. Of the facility plans DHS had reviewed 
as of February 2014, it conditionally approved these plans pending 
final development of the personal surety performance standard. 
According to DHS officials, it is unclear when the standard will be 
finalized. 

* Inspecting to verify compliance. In February 2014, DHS reported it 
had begun to perform inspections at facilities to ensure compliance 
with their site security plans. According to DHS, these inspections 
are to occur about 1 year after facility site security plan approval. 
Given the backlog in plan approvals, this process has started recently 
and GAO has not yet reviewed this aspect of the program. 

What GAO Recommends: 

In a July 2012 report, GAO recommended that DHS measure its 
performance implementing actions to improve its management of CFATS. 
In an April 2013 report, GAO recommended that DHS enhance its risk 
assessment approach to incorporate all elements of risk, conduct a 
peer review, and gather feedback on its outreach to facilities. DHS 
concurred and has taken actions or has actions underway to address 
them. 

View [hyperlink, http://www.gao.gov/products/GAO-14-608T]. For more 
information, contact Stephen Caldwell at (202) 512-9610 or 
caldwells@gao.gov. 

[End of section] 

Chairman Carper, Ranking Member Coburn, and Members of the Committee: 

I am pleased to be here today to discuss our work on the Department of 
Homeland Security's (DHS) efforts in implementing and managing the 
Chemical Facility Anti-Terrorism Standards (CFATS) program. Facilities 
that produce, store, or use hazardous chemicals could be of interest 
to terrorists intent on using toxic chemicals to cause harm to 
surrounding populations during terrorist attacks, and these chemicals 
could be stolen and used as chemical weapons, such as improvised 
explosive devices, or as the ingredients for making chemical weapons. 
The danger posed by these chemicals became evident last year when 
ammonium nitrate--one of the chemicals covered by the CFATS program--
detonated during a fire at a fertilizer storage and distribution 
facility in West, Texas. An investigation by the U.S. Chemical Safety 
Board (CSB) showed that the explosion killed at least 14 people and 
injured more than 200 others and severely damaged or destroyed nearly 
200 homes, 3 nearby schools, a nursing home, and an apartment complex. 
[Footnote 1] According to CSB, the fire at the facility detonated 
about 30 tons of ammonium nitrate. This event serves as a tragic 
reminder of the extent to which chemicals covered by the CFATS program 
can pose a risk to surrounding populations. 

The DHS appropriations act for fiscal year 2007[Footnote 2] required 
DHS to issue regulations to establish risk-based performance standards 
for securing high-risk chemical facilities.[Footnote 3] In 2007, DHS 
established the CFATS program to assess the risk posed by chemical 
facilities, place facilities considered to be high-risk in one of four 
risk-based tiers, require high-risk facilities to develop security 
plans, review these plans, and inspect the facilities to ensure 
compliance with regulatory requirements. DHS's National Protection and 
Programs Directorate (NPPD) is responsible for the CFATS program. 
Within NPPD, the Infrastructure Security Compliance Division (ISCD), a 
division of the Office of Infrastructure Protection (IP), manages the 
program. 

On February 6, 2014 congressman Meehan and other members of the House 
of Representatives' Committee on Homeland Security, along with one 
member of the House of Representatives' Committee on Energy and 
Commerce, introduced H.R. 4007, the Chemical Facility Anti-Terrorism 
Standards Authorization and Accountability Act of 2014.[Footnote 4] 
Among other things, H.R. 4007 contained provisions regarding multiple 
aspects of the CFATS program, including risk assessment, security plan 
reviews, and facility inspections. On April 30, 2014, the bill, as 
amended, was reported out by the House Committee on Homeland Security. 
Related to H.R. 4007, on February 27, 2014, we testified on DHS 
efforts to implement and manage the CFATS program at a legislative 
hearing before the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Security Technologies, House Committee on Homeland 
Security.[Footnote 5] 

The purpose of this statement is to provide our observations on the 
status of DHS's efforts related to the implementation and management 
of the CFATS program. Specifically my testimony today summarizes our 
past work on the CFATS program and provides our observations on the 
status of DHS's efforts in four key areas--identifying facilities to 
be covered by CFATS, assessing risk and prioritizing covered 
facilities, reviewing facility security plans, and inspecting 
facilities to verify compliance with CFATS regulations. My statement 
is based on reports and a testimony we issued from July 2012 through 
February 2014 on various aspects of the CFATS program.[Footnote 6] To 
conduct our prior work, we reviewed applicable laws and regulations, 
as well as NPPD, IP, and ISCD policies and procedures for 
administering the CFATS program and conducting its mission. We 
interviewed senior ISCD officials along with NPPD and IP officials to 
obtain their views on the program and how ISCD assesses risk. We also 
reviewed ISCD documents and data on tiered facilities and the approach 
used to determine a facility's risk and assessed ISCD's process for 
reviewing security plans. Further details on the scope and methodology 
for the previously issued reports and testimony statement are 
available within each of the published products. 

We conducted the work on which this statement is based in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings 
and conclusions based on our audit objectives. We believe the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Observations on DHS Efforts to Identify Facilities, Assess Risk, 
Review Security Plans, and Verify Compliance: 

Identifying Facilities Covered by CFATS: 

DHS has begun to take action to work with other agencies to identify 
facilities that are required to report their chemical holdings to DHS 
but may not have done so. 

The first step of the CFATS process is focused on identifying 
facilities that might be required to participate in the program. The 
CFATS rule was published in April 2007,[Footnote 7] and appendix A to 
the rule, published in November 2007, listed 322 chemicals of interest 
and the screening threshold quantities for each.[Footnote 8] As a 
result of the CFATS rule, about 40,000 chemical facilities reported 
their chemical holdings and their quantities to DHS's ISCD. 

In August 2013, we testified about the ammonium nitrate explosion at 
the chemical facility in West, Texas, in the context of our past CFATS 
work. Among other things, the hearing focused on whether the West, 
Texas, facility should have reported its holdings to ISCD given the 
amount of ammonium nitrate at the facility. During this hearing, the 
Director of the CFATS program remarked that throughout the existence 
of CFATS, DHS had undertaken and continued to support outreach and 
industry engagement to ensure that facilities comply with their 
reporting requirements. However, the Director stated that the CFATS 
regulated community is large and always changing and DHS relies on 
facilities to meet their reporting obligations under CFATS. At the 
same hearing, a representative of the American Chemistry Council 
testified that the West, Texas, facility could be considered an 
"outlier" chemical facility, that is, a facility that stores or 
distributes chemical-related products, but is not part of the 
established chemical industry. Preliminary findings of the CSB 
investigation of the West, Texas, incident showed that although 
certain federal agencies that regulate chemical facilities may have 
interacted with the facility, the ammonium nitrate at the West, Texas, 
facility was not covered by these programs. For example, according to 
the findings, the Environmental Protection Agency's (EPA) Risk 
Management Program, which deals with the accidental release of 
hazardous substances, covers the accidental release of ammonia, but 
not ammonium nitrate.[Footnote 9] As a result, the facility's 
consequence analysis considered only the possibility of an ammonia 
leak and not an explosion of ammonium nitrate. 

On August 1, 2013, the same day as the hearing, the President issued 
Executive Order 13650-Improving Chemical Facility Safety and Security, 
which was intended to improve chemical facility safety and security in 
coordination with owners and operators.[Footnote 10] The executive 
order established a Chemical Facility Safety and Security Working 
Group, composed of representatives from DHS; EPA; and the Departments 
of Justice, Agriculture, Labor, and Transportation, and directed the 
working group to identify ways to improve coordination with state and 
local partners; enhance federal agency coordination and information 
sharing; modernize policies, regulations and standards; and work with 
stakeholders to identify best practices. In February 2014, DHS 
officials told us that the working group has taken actions in the 
areas described in the executive order. For example, according to DHS 
officials, the working group has held listening sessions and webinars 
to increase stakeholder input, explored ways to share CFATS data with 
state and local partners to increase coordination, and launched a 
pilot program in New York and New Jersey aimed at increasing federal 
coordination and information sharing. DHS officials also said that the 
working group is exploring ways to better share information so that 
federal and state agencies can identify non-compliant chemical 
facilities and identify options to improve chemical facility risk 
management. This would include considering options to improve the safe 
and secure storage, handling, and sale of ammonium nitrate. 

Assessing Risk and Prioritizing Facilities: 

DHS has also begun to take actions to enhance its ability to assess 
risk and prioritize facilities covered by the program. 

For the second step of the CFATS process, facilities that possess any 
of the 322 chemicals of interest at levels at or above the screening 
threshold quantity must first submit data to ISCD via an online tool 
called a Top-Screen.[Footnote 11] ISCD uses the data submitted in 
facilities' Top Screens to make an assessment as to whether facilities 
are covered under the program. If DHS determines that they are covered 
by CFATS, facilities are to then submit data via another online tool, 
called a security vulnerability assessment, so that ISCD can further 
assess their risk and prioritize the covered facilities.[Footnote 12] 
ISCD uses a risk assessment approach to develop risk scores to assign 
chemical facilities to one of four final tiers. Facilities placed in 
one of these tiers (tier 1, 2, 3, or 4) are considered to be high 
risk, with tier 1 facilities considered to be the highest risk. 
[Footnote 13] The risk score is intended to be derived from estimates 
of consequence (the adverse effects of a successful attack), threat 
(the likelihood of an attack), and vulnerability (the likelihood of a 
successful attack, given an attempt). ISCD's risk assessment approach 
is composed of three models, each based on a particular security 
issue: (1) release, (2) theft or diversion, and (3) sabotage, 
depending on the type of risk associated with the 322 chemicals. Once 
ISCD estimates a risk score based on these models, it assigns the 
facility to a final tier. 

Our prior work showed that the CFATS program was using an incomplete 
risk assessment approach to assign chemical facilities to a final 
tier. Specifically, in April 2013, we reported that the approach ISCD 
used to assess risk and make decisions to place facilities in final 
tiers did not consider all of the elements of consequence, threat, and 
vulnerability associated with a terrorist attack involving certain 
chemicals. For example, the risk assessment approach was based 
primarily on consequences arising from human casualties, but did not 
consider economic criticality consequences, as called for by the 2009 
National Infrastructure Protection Plan (NIPP)[Footnote 14] and the 
CFATS regulation.[Footnote 15] In April 2013, we reported that ISCD 
officials told us that, at the inception of the CFATS program, they 
did not have the capability to collect or process all of the economic 
data needed to calculate the associated risks and they were not 
positioned to gather all of the data needed. They said that they 
collected basic economic data as part of the initial screening 
process; however, they would need to modify the current tool to 
collect more sufficient data. We also found that the risk assessment 
approach did not consider threat for approximately 90 percent of 
tiered facilities. Moreover, for the facilities that were tiered using 
threat considerations, ISCD was using 5-year-old data. We also found 
that ISCD's risk assessment approach was not consistent with the NIPP 
because it did not consider vulnerability when developing risk scores. 
When assessing facility risk, ISCD's risk assessment approach treated 
every facility as equally vulnerable to a terrorist attack regardless 
of location and on-site security. As a result, in April 2013 we 
recommended that ISCD enhance its risk assessment approach to 
incorporate all elements of risk and conduct a peer review after doing 
so. 

ISCD agreed with our recommendations, and in February 2014, ISCD 
officials told us that they were taking steps to address them and 
recommendations of a recently released Homeland Security Studies and 
Analysis Institute (HSSAI) report that examined the CFATS risk 
assessment model.[Footnote 16] As with the findings in our report, 
HSSAI found, among other things, that the CFATS risk assessment model 
inconsistently considers risks across different scenarios and that the 
model does not adequately treat facility vulnerability. Overall, HSSAI 
recommended that ISCD revise the current risk-tiering model and create 
a standing advisory committee--with membership drawn from government, 
expert communities, and stakeholder groups--to advise DHS on 
significant changes to the methodology. 

In February 2014, senior ISCD officials told us that they have 
developed an implementation plan that outlines how they plan to modify 
the risk assessment approach to better include all elements of risk 
while incorporating our findings and recommendations and those of 
HSSAI. Moreover, these officials stated that they have completed 
significant work with Sandia National Laboratory with the goal of 
including economic consequences into their risk tiering approach. They 
said that the final results of this effort to include economic 
consequences will be available in the summer of 2014. With regard to 
threat and vulnerability, ISCD officials said that they have been 
working with multiple DHS components and agencies, including the 
Transportation Security Administration and the Coast Guard, to see how 
they consider threat and vulnerability in their risk assessment 
models. ISCD officials said that they anticipate that the changes to 
the risk tiering approach should be completed within the next 12 to 18 
months. We plan to verify this information as part of our 
recommendation follow-up process. 

Reviewing of Facilities' Security Plans: 

DHS has begun to take action to lessen the time it takes to review 
site security plans which could help DHS reduce the backlog of plans 
awaiting review. 

For the third step of the CFATS process, ISCD is to review facility 
security plans and their procedures for securing these facilities. 
Under the CFATS rule, once a facility is assigned a final tier, it is 
to submit a site security plan or participate in an alternative 
security program in lieu of a site security plan.[Footnote 17] The 
security plan is to describe security measures to be taken and how 
such measures are to address applicable risk-based performance 
standards.[Footnote 18] After ISCD receives the site security plan, 
the plan is reviewed using teams of ISCD employees (i.e., physical, 
cyber, chemical, and policy specialists), contractors, and ISCD 
inspectors. If ISCD finds that the requirements are satisfied, ISCD 
issues a letter of authorization to the facility. After ISCD issues a 
letter of authorization to the facility, ISCD is to then inspect the 
facility to determine if the security measures implemented at the site 
comply with the facility's authorized plan. If ISCD determines that 
the site security plan is in compliance with the CFATS regulation, 
ISCD approves the site security plan, and issues a letter of approval 
to the facility, and the facility is to implement the approved site 
security plan. 

In April 2013, we reported that it could take another 7 to 9 years 
before ISCD would be able to complete reviews of the approximately 
3,120 plans in its queue at that time. As a result, we estimated that 
the CFATS regulatory regime, including compliance inspections 
(discussed in the next section), would likely not be implemented for 8 
to 10 years. We also noted in April 2013 that ISCD had revised its 
process for reviewing facilities' site security plans. ISCD officials 
stated that they viewed ISCD's revised process to be an improvement 
because, among other things, teams of experts reviewed parts of the 
plans simultaneously rather than sequentially, as had occurred in the 
past. In April 2013, ISCD officials said that they were exploring ways 
to expedite the process, such as streamlining inspection requirements. 

In February 2014, ISCD officials told us that they are taking a number 
of actions intended to lessen the time it takes to complete reviews of 
remaining plans including the following: 

* providing updated internal guidance to inspectors and ISCD reviewers; 

* updating the internal case management system; 

* providing updated external guidance to facilities to help them 
better prepare their site security plans; 

* conducting inspections using one or two inspectors at a time over 
the course of 1 day, rather than multiple inspectors over the course 
of several days; 

* conducting pre-inspection calls to the facility to help resolve 
technical issues beforehand; 

* creating and leveraging the use of corporate inspection documents 
(i.e., documents for companies that have over seven regulated 
facilities in the CFATS program);[Footnote 19] 

* supporting the use of alternative security programs to help clear 
the backlog of security plans because, according to DHS officials, 
alternative security plans are easier for some facilities to prepare 
and use; and: 

* taking steps to streamline and revise some of the on-line data 
collection tools such as the site security plan to make the process 
faster. 

It is too soon to tell whether DHS's actions will significantly reduce 
the amount of time needed to resolve the backlog of site security 
plans because these actions have not yet been fully implemented. 

In April 2013, we also reported that DHS had not finalized the 
personnel surety aspect of the CFATS program. The CFATS rule includes 
a risk-based performance standard for personnel surety, which is 
intended to provide assurance that facility employees and other 
individuals with access to the facility are properly vetted and 
cleared for access to the facility.[Footnote 20] In implementing this 
provision, we reported that DHS intended to (1) require facilities to 
perform background checks on and ensure appropriate credentials for 
facility personnel and, as appropriate, visitors with unescorted 
access to restricted areas or critical assets, and (2) check for 
terrorist ties by comparing certain employee information with the 
federal government's consolidated terrorist watch list. However, as of 
February 2014, DHS had not finalized its information collection 
request that defines how the personnel surety aspect of the 
performance standards will be implemented. Thus, DHS is currently 
approving facility security plans conditionally whereby plans are not 
to be finally approved until the personnel surety aspect of the 
program is finalized. According to ISCD officials, once the personnel 
surety performance standard is finalized, they plan to reexamine each 
conditionally approved plan. They would then make final approval as 
long as ISCD had assurance that the facility was in compliance with 
the personnel surety performance standard. As an interim step, in 
February 2014, DHS published a notice about its Information Collection 
Request (ICR) for personnel surety to gather information and comments 
prior to submitting the ICR to the Office of Management and Budget 
(OMB) for review and clearance.[Footnote 21] According to ISCD 
officials, it is unclear when the personnel surety aspect of the CFATS 
program will be finalized. 

During a March 2013 hearing on the CFATS program, industry officials 
discussed using DHS's Transportation Worker Identification Credential 
(TWIC) as one approach for implementing the personnel surety program. 
The TWIC, which is also discussed in DHS's ICR, is a biometric 
credential[Footnote 22] issued by DHS for maritime workers who require 
unescorted access to secure areas of facilities and vessels regulated 
under the Maritime Transportation Security Act of 2002 (MTSA). 
[Footnote 23] In discussing TWIC in the context of CFATS during the 
August 2013 hearing, officials representing some segments of the 
chemical industry stated that they believe that using TWIC would 
lessen the reporting burden and prevent facilities from having to 
submit additional personnel information to DHS while maintaining the 
integrity of the program. In May 2011, and May 2013, we reported that 
the TWIC program has some shortfalls--including challenges in 
development, testing, and implementation--that may limit its 
usefulness with regard to the CFATS program.[Footnote 24] We 
recommended that DHS take steps to resolve these issues, including 
completing a security assessment that includes addressing internal 
controls weaknesses, among other things. The explanatory statement 
accompanying the Consolidated Appropriations Act, 2014, directed DHS 
to complete the recommended security assessment.[Footnote 25] However, 
as of February 2014, DHS had not yet done the assessment, and although 
DHS had taken some steps to conduct an internal control review, it had 
not corrected all the control deficiencies identified in our report. 

Inspecting to Verify Compliance with Facility Plans: 

DHS reports that it has begun to perform compliance inspections at 
regulated facilities. The fourth step in the CFATS process is 
compliance inspections by which ISCD determines if facilities are 
employing the measures described in their site security plans. During 
the August 1, 2013, hearing on the West, Texas, explosion, the 
Director of the CFATS program stated that ISCD planned to begin 
conducting compliance inspections in September 2013 for facilities 
with approved site security plans. The Director further noted that the 
inspections would generally be conducted approximately 1 year after 
plan approval. According to ISCD, as of February 24, 2014, ISCD had 
conducted 12 compliance inspections. ISCD officials stated that they 
have considered using third-party non-governmental inspectors to 
conduct inspections but thus far do not have any plans to do so. 

In closing, we anticipate providing oversight over the issues outlined 
above and look forward to helping this and other committees of 
Congress continue to oversee the CFATS program and DHS's progress in 
implementing this program. Currently, the explanatory statement 
accompanying the Consolidated and Further Continuing Appropriations 
Act, 2013, directs GAO to continue its ongoing effort to examine the 
extent to which DHS has made progress and encountered challenges in 
developing CFATS. Additionally, once the CFATS program begins 
performing and completing a sufficient number of compliance 
inspections, we are mandated review those inspections along with 
various aspects of them.[Footnote 26] 

Chairman Carper, Ranking Member Coburn, and members of the Committee, 
this completes my prepared statement. I would be happy to respond to 
any questions you may have at this time. 

GAO Contact and Staff Acknowledgments: 

For information about this statement please contact Stephen L. 
Caldwell, at (202) 512-9610 or caldwellS@gao.gov. Contact points for 
our Offices of Congressional Relations and Public Affairs may be found 
on the last page of this statement. Other individuals making key 
contributions to this and our prior work included John F. Mortin, 
Assistant Director; Jose Cardenas, Analyst-in-Charge; Chuck Bausell; 
Michele Fejfar; Jeff Jensen; Tracey King; Marvin McGill; Jessica Orr; 
Hugh Paquette, and Ellen Wolfe. 

[End of section] 

Footnotes: 

[1] Rafael Moure-Eraso, Chairperson, U.S. Chemical Safety Board, 
testimony before the Senate Committee on Environment and Public Works, 
113th Congress 1st Sess., June 27, 2013. The CSB is an independent 
federal agency charged with investigating industrial chemical 
accidents. The CSB board members are appointed by the President and 
confirmed by the Senate. According to the CSB website, CSB does not 
issue fines or citations, but makes recommendations to plants, 
regulatory agencies, industry organizations, and labor groups. 

[2] Pub. L. No. 109-295, § 550, 120 Stat. 1355, 1388 (2006). 

[3] The CFATS regulation establishes 18 risk-based performance 
standards that identify the areas for which a facility's security are 
to be examined, such as perimeter security, access control, and cyber 
security. To meet these standards, facilities are free to choose 
whatever security programs or processes they deem appropriate so long 
as DHS determines that the facilities achieve the requisite level of 
performance in each applicable standard. 

[4] H.R. 4007, 113th Cong. (2014). 

[5] GAO, Critical Infrastructure Protection: Observations on DHS 
Efforts to Identify, Prioritize, Assess, and Inspect Chemical 
Facilities, [hyperlink, http://www.gao.gov/products/GAO-14-365T] 
(Washington, D.C.: February 27, 2014). 

[6] [hyperlink, http://www.gao.gov/products/GAO-14-365T], Critical 
Infrastructure Protection: DHS Needs to Improve Its Risk Assessments 
and Outreach for Chemical Facilities, [hyperlink, 
http://www.gao.gov/products/GAO-13-801T] (Washington, D.C.: Aug. 1, 
2013); Critical Infrastructure Protection: DHS Efforts to Assess 
Chemical Security Risk and Gather Feedback on Facility Outreach Can Be 
Strengthened, [hyperlink, http://www.gao.gov/products/GAO-13-353] 
(Washington, D.C.: Apr. 5, 2013); Critical Infrastructure Protection: 
DHS Is Taking Action to Better Manage Its Chemical Security Program, 
but It Is Too Early to Assess Results, [hyperlink, 
http://www.gao.gov/products/GAO-12-515T] (Washington, D.C.: July 26, 
2012). 

[7] 72 Fed. Reg. 17,688 (Apr. 9, 2007) (codified at 6 C.F.R. pt. 27). 

[8] 72 Fed. Reg. 65,396 (Nov. 20, 2007). According to DHS, CFATS 
covers facilities that manufacture chemicals as well as facilities 
that store or use certain chemicals as part of their daily operations. 
This can include food-manufacturing facilities that use chemicals of 
interest in the manufacturing process, universities that use chemicals 
to do experiments, or warehouses that store ammonium nitrate, among 
others. 

[9] See 40 C.F.R. § 68.130. 

[10] Exec. Order No. 13,650, 78 Fed. Reg. 48,029 (Aug. 1, 2013). 

[11] 6 C.F.R. § 27.200(b)(2). 

[12] 6 C.F.R. §§ 27.215, .220. 

[13] 6 C.F.R. § 27.220 

[14] DHS, National Infrastructure Protection Plan (Washington, D.C.: 
June 2006). The NIPP sets forth the risk management framework for the 
protection and resilience of the nation's critical infrastructure. DHS 
updated the NIPP in January 2009 to include resiliency. See DHS, 
National Infrastructure Protection Plan, Partnering to Enhance 
Protection and Resiliency (Washington, D.C.: January 2009). Broadly 
defined, risk management is a process that helps policymakers assess 
risk, strategically allocate finite resources, and take actions under 
conditions of uncertainty. DHS further updated the NIPP, which is now 
called the National Plan, in December 2013. See DHS, NIPP 2013, 
Partnering for Critical Infrastructure Security and Resilience 
(Washington, D.C.: December 2013). 

[15] The CFATS regulation states that chemical facilities covered by 
the rule are those that present a high risk of significant adverse 
consequences for human life or health or critical economic assets, 
among other things, if subjected to terrorist attack, compromise, 
infiltration, or exploitation. 6 C.F.R. §§ 27.105, .205. 

[16] Homeland Security Studies and Analysis Institute, CFATS Tiering 
Methodology Peer Review (For Official Use Only) (Falls Church, 
Virginia: October 2013). The Homeland Security Studies and Analysis 
Institute, operated by Analytic Services Inc. on behalf of DHS, is a 
federally funded research and development center providing independent 
analyses of homeland security issues. 

[17] An alternative security program is a third-party or industry 
organization program, a local authority, state, or federal government 
program, or any element or aspect thereof, that DHS determines meets 
the requirements of the regulation and provides an equivalent level of 
security to that established by the regulation. 6 C.F.R. § 27.105. 

[18] 6 C.F.R. § 27.225. 

[19] According to ISCD officials, these documents would be designed to 
provide examples of standard operating procedures regarding employee 
vetting, chemical handling, or security practices that are standard 
across corporations and that could be placed in a facility's file and 
expedite the inspection process. 

[20] 6 C.F.R. § 27.230(a)(12). 

[21] 79 Fed. Reg. 6418 (Feb. 3, 2014). DHS previously published a 
notice about the personnel surety ICR on March 22, 2013. 78 Fed. Reg. 
17,680 (March 22, 2013). 

[22] A biometric access control system consists of technology that 
determines an individual's identity by detecting and matching unique 
physical or behavioral characteristics, such as fingerprint or voice 
patterns, as a means of verifying personal identity. 

[23] See Pub. L. No. 107-295,116 Stat. 2064. The TWIC program is 
intended to provide a tamper-resistant biometric credential to 
maritime workers who require unescorted access to secure areas of 
facilities and vessels regulated under the MTSA. TWIC is to enhance 
the ability of MTSA-regulated facility and vessel owners and operators 
to control access to their facilities and verify workers' identities. 
Under current statute and regulation, maritime workers requiring 
unescorted access to secure areas of MTSA-regulated facilities or 
vessels are required to obtain a TWIC, and facility and vessel 
operators are required by regulation to visually inspect each worker's 
TWIC before granting unescorted access. 46 U.S.C. § 70105(a); 33 
C.F.R. §§ 101.514, 104.265(c), 105.255(c). Prior to being granted a 
TWIC, maritime workers are required to undergo a background check, 
known as a security threat assessment. See 49 C.F.R § 1572.21. 

[24] GAO, Transportation Worker Identification Credential: Card Reader 
Pilot Results Are Unreliable; Security Benefits Need to Be Reassessed, 
[hyperlink, http://www.gao.gov/products/GAO-13-198] (Washington, D.C.: 
May 8, 2013); Transportation Worker Identification Credential: 
Internal Control Weaknesses Need to Be Corrected to Help Achieve 
Security Objectives, [hyperlink, 
http://www.gao.gov/products/GAO-11-657] (Washington, D.C.: May 10, 
2011). 

[25] Explanatory statement accompanying the Consolidated 
Appropriations Act, 2014, Pub. L. No. 113-76, 128 Stat. 5 (2014). 

[26] Explanatory statement accompanying the Consolidated and Further 
Continuing Appropriations Act, 2013, Pub. L. No. 113-6, 127 Stat. 198 
(2013). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO's commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e-mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select 
"E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO's actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO's 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on facebook, flickr, twitter, and YouTube.
Subscribe to our RSS Feeds or E mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov]. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Katherine Siggerud, Managing Director, siggerudk@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548. 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548. 

[End of document]