Critical Infrastructure Protection:

DHS Should Take Actions to Measure Reduction in Chemical Facility Vulnerability and Share Information with First Responders

GAO-18-538: Published: Aug 8, 2018. Publicly Released: Aug 8, 2018.

Additional Materials:

Contact:

Chris Currie
(404) 679-1875
CurrieC@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Facilities that handle hazardous chemicals could be targets for terrorists—e.g., these chemicals could be stolen and used to build explosive devices. The Department of Homeland Security inspects such facilities to ensure they comply with security standards. DHS also shares information about these facilities with local officials so that first responders are prepared for potential security incidents.

However, we found that first responders may not have all the information they need to safely respond to incidents at these facilities. We recommended, among other things, that DHS provide first responders with better access to this information.

Chemical facility storage tanks

Photo of chemical facility storage tanks

Photo of chemical facility storage tanks

Additional Materials:

Contact:

Chris Currie
(404) 679-1875
CurrieC@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Since 2013, the Department of Homeland Security (DHS) has strengthened its processes for identifying high-risk chemical facilities and assigning them to tiers under its Chemical Facility Anti-Terrorism Standards (CFATS) program. Among other things, DHS implemented a quality assurance review process to verify the accuracy of facility self-reported information used to identify high-risk facilities. DHS also revised its risk assessment methodology—used to assess whether chemical facilities are high-risk and, if so, assign them to a risk-based tier—by incorporating changes to address prior GAO recommendations and most of the findings of a DHS-commissioned peer review. For example, the updated methodology incorporates revisions to the threat, vulnerability, and consequence scoring methods to better cover the full range of security issues regulated by CFATS. As of February 2018, a total of 29,195 facilities—including all 26,828 facilities previously assessed and 2,367 facilities new to the program—were assessed using DHS's revised methodology. DHS designated 3,500 of these facilities as high-risk and subject to further requirements.

DHS has also made substantial progress conducting and completing compliance inspections and has begun to take action to measure facility security but does not evaluate vulnerability reduction resulting from the CFATS compliance inspection process. In 2013, GAO found that the backlog of chemical facility security plans awaiting review affected DHS's ability to conduct compliance inspections, which are performed after security plans are approved. Since then DHS has made progress and increased the number of completed compliance inspections. As of May 2018, DHS had conducted 3,553 compliance inspections. DHS has also begun to update its performance measure for the CFATS program to evaluate security measures implemented both when a facility submits its initial security plan and again when DHS approves its final security plan. However, GAO found that DHS's new performance measure methodology does not measure reduction in vulnerability at a facility resulting from the implementation and verification of planned security measures during the compliance inspection process. Doing so would provide DHS an opportunity to begin assessing how vulnerability is reduced—and by extension, risk lowered—not only for individual high-risk facilities but for the CFATS program as a whole.

DHS shares some CFATS information, but first responders and emergency planners may not have all of the information they need to minimize the risk of injury or death when responding to incidents at high-risk facilities. Facilities are currently required to report some chemical inventory information, but GAO found that over 200 CFATS chemicals may not be covered by these requirements. To improve access to information, DHS developed a secure interface called the Infrastructure Protection (IP) Gateway that provides access to CFATS facility-specific information that may be missing from required reporting. However, GAO found that the IP Gateway is not widely used at the local level. In addition, officials from 13 of the 15 Local Emergency Planning Committees—consisting of first responders and covering 373 CFATS high-risk facilities—told GAO they did not have access to CFATS data in the IP Gateway. By encouraging wider use of the IP Gateway, DHS would have greater assurance that first responders have information about high-risk facilities and the specific chemicals they possess.

Why GAO Did This Study

Facilities that produce, use, or store hazardous chemicals could be targeted or used by terrorists to inflict mass casualties, damage, and fear. DHS established the CFATS program to assess the risk posed by these facilities and inspect them to ensure compliance with DHS standards. DHS places high-risk facilities in risk-based tiers and is to conduct inspections after it approves their security plans. Under the CFATS Act of 2014, authorization for the CFATS program expires in January 2019.

GAO assessed the extent to which DHS has (1) enhanced the process for identifying high-risk facilities and assigning them to tiers, (2) conducted facility inspections and measured facility security, and (3) ensured that information is shared with emergency responders to prepare them for incidents at high-risk facilities. GAO reviewed DHS reports and data on compliance inspections and interviewed DHS officials. GAO also obtained non-generalizable information from 11 trade associations representing chemical facilities regarding DHS outreach and from 15 emergency planning committees about their awareness of CFATS and the chemicals it covers.

What GAO Recommends

GAO recommends that DHS take actions to (1) measure reduction in vulnerability of high-risk facilities and use that data to assess program performance; and (2) encourage access to and wider use of the IP Gateway among first responders and emergency planners. DHS concurred with both recommendations and outlined efforts underway or planned.

For more information, contact Chris Currie at (404) 679-1875 or CurrieC@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Director of DHS's National Protection and Programs Directorate's Infrastructure Security Compliance Division (ISCD) should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. (Recommendation 1)

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: DHS concurred with this recommendation and said it would take steps to implement it. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

    Recommendation: The Assistant Secretary for Infrastructure Protection, in coordination with the Director of ISCD, should take actions to encourage access to and wider use of the IP Gateway and explore other opportunities to improve information-sharing with first responders and emergency planners. (Recommendation 2)

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Oct 11, 2018

Sep 21, 2018

Sep 19, 2018

Sep 6, 2018

Sep 4, 2018

Aug 16, 2018

Aug 14, 2018

Aug 8, 2018

Aug 6, 2018

Looking for more? Browse all our products here