Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened

GAO-13-353 Published: Apr 05, 2013. Publicly Released: Apr 05, 2013.

Highlights

What GAO Found

Since 2007, the Department of Homeland Security's (DHS) Infrastructure Security Compliance Division (ISCD) has assigned about 3,500 high-risk chemical facilities to risk-based tiers under its Chemical Facility Anti-Terrorism Standards (CFATS) program, but it has not fully assessed its approach for doing so. The approach ISCD used to assess risk and make decisions to place facilities in final tiers does not consider all of the elements of consequence, threat, and vulnerability associated with a terrorist attack involving certain chemicals. For example, the risk assessment approach is based primarily on consequences arising from human casualties, but does not consider economic consequences, as called for by the National Infrastructure Protection Plan (NIPP) and the CFATS regulation, nor does it consider vulnerability, consistent with the NIPP. ISCD has begun to take some actions to examine how its risk assessment approach can be enhanced, including commissioning a panel of experts to assess the current approach, identify strengths and weaknesses, and recommend improvements. ISCD will need to incorporate the various results of these efforts to help it ensure that the revised risk assessment approach includes all elements of risk. After ISCD has incorporated all elements of risk into its assessment approach, an independent peer review would provide better assurance that ISCD can appropriately identify and tier chemical facilities, better inform CFATS planning and resource decisions, and provide the greatest return on investment consistent with the NIPP.

DHS's ISCD has revised its process for reviewing facilities' site security plans--which are to be approved by ISCD before it performs compliance inspections--but it did not track data on the prior process to measure differences. The past process was considered by ISCD to be difficult to implement and caused bottlenecks in approving plans. ISCD views its revised process to be a significant improvement because, among other things, teams of experts review parts of the plans simultaneously rather than sequentially, as occurred in the past. Moving forward, ISCD intends to measure the time it takes to complete reviews, but will not be able to do so until the process matures. GAO estimated that it could take another 7 to 9 years before ISCD is able to complete reviews on the approximately 3,120 plans in its queue, which means that the CFATS regulatory regime, including compliance inspections, would likely be implemented in 8 to 10 years. ISCD officials said that they are exploring ways to expedite the process, such as reprioritizing resources and streamlining inspection requirements.

DHS's ISCD has also taken various actions to work with owners and operators, including increasing the number of visits to facilities to discuss enhancing security plans, but trade associations that responded to GAO's query had mixed views on the effectiveness of ISCD's outreach. ISCD solicits informal feedback from facility owners and operators on its efforts to communicate and work with them, but it does not have an approach for obtaining systematic feedback on its outreach activities. ISCD's ongoing efforts to develop a strategic communication plan may provide opportunities to explore how ISCD can obtain systematic feedback on these activities. A systematic approach for gathering feedback and measuring the results of its outreach efforts could help ISCD focus greater attention on targeting potential problems and areas needing improvement.

Why GAO Did This Study

Facilities that produce, store, or use hazardous chemicals could be of interest to terrorists intent on using toxic chemicals to inflict mass casualties in the United States. As required by statute, DHS issued regulations that establish standards for the security of high-risk chemical facilities. DHS established the CFATS program to assess the risk posed by these facilities and inspect them to ensure compliance with DHS standards. ISCD, which manages the program, places high-risk facilities in risk-based tiers and is to conduct inspections after it approves facility security plans. A November 2011 ISCD internal memorandum raised concerns about ISCD's ability to fulfill its mission.

GAO assessed the extent to which DHS has (1) assigned chemical facilities to tiers and assessed its approach for doing so, (2) revised its process to review facility security plans, and (3) communicated and worked with owners and operators to improve security. GAO reviewed DHS reports and plans on risk assessments, security plan reviews, and facility outreach and interviewed DHS officials. GAO also received input about ISCD outreach from 11 trade associations representing chemical facilities. The results of this input are not generalizable but provide insights.

Recommendations

GAO recommends that DHS enhance its risk assessment approach to incorporate all elements of risk, conduct a peer review after doing so, and explore opportunities to gather systematic feedback on facility outreach. DHS concurred with the recommendations.

Recommendations for Executive Action

Agency Affected | Recommendation | Status
Agency affected: Department of Homeland Security
Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for National Protection and Programs Directorate (NPPD), the Assistant Secretary for NIPP's Office of Infrastructure Protection (IP), and Director of ISCD to develop a plan, with timeframes and milestones, that incorporates the results of the various efforts to fully address each of the components of risk and take associated actions where appropriate to enhance ISCD's risk assessment approach consistent with the NIPP and the CFATS rule.
Status: Closed – Implemented
In April 2013, we reported on the Department of Homeland Security's (DHS's) management of its Chemical Facility Anti-Terrorism Standards (CFATS) program, managed by the Infrastructure Security Compliance Division (ISCD) (GAO-13-353). We found that the approach ISCD used to assess risk and make decisions to place facilities into risk-based tiers did not consider all of the elements of consequence, threat, and vulnerability associated with a terrorist attack involving certain chemicals. Our work showed that, among other things, DHS's CFATS risk assessment methodology was based primarily on consequences from human casualties, but did not consider economic consequences, as called for by the National Infrastructure Protection Plan (NIPP) and the CFATS regulation. Consequently, we recommended that ISCD review and improve its risk assessment approach to fully address each of the elements of threat, vulnerability, and consequence. From 2013 through 2016, ISCD conducted a multiyear effort to review and improve the CFATS program's risk assessment approach and tiering methodology with the primary goal of improving the identification and appropriate tiering of high-risk chemical facilities. As of August 2018, the result of these efforts is an updated, "second generation" risk assessment approach and tiering methodology that addresses our prior recommendations. Specifically, with regard to our recommendation that DHS enhance its risk assessment approach to incorporate all elements of risk, ISCD worked with Sandia National Laboratories to develop and evaluate a model to estimate the economic consequences of a chemical attack. In addition, among other enhancements, the updated risk assessment methodology incorporates revisions to the threat, vulnerability, and consequence scoring methods to better cover the full range of chemical security issues regulated by the CFATS program. These actions are consistent with our recommendation and, as a result, it is now closed as implemented.
Agency affected: Department of Homeland Security
Recommendation: To better assess risk associated with facilities that use, process, or store chemicals of interest consistent with the NIPP and the CFATS rule, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and Director of ISCD to conduct an independent peer review, after ISCD completes enhancements to its risk assessment approach, that fully validates and verifies ISCD's risk assessment approach consistent with the recommendations of the National Research Council of the National Academies.
Status: Closed – Implemented
In April 2013, we reported on the Department of Homeland Security's (DHS's) management of its Chemical Facility Anti-Terrorism Standards (CFATS) program, managed by the Infrastructure Security Compliance Division (ISCD) (GAO-13-353). We found that the approach ISCD used to assess risk and make decisions to place facilities into risk-based tiers did not consider all of the elements of consequence, threat, and vulnerability associated with a terrorist attack involving certain chemicals. Our work showed that, among other things, DHS's CFATS risk assessment methodology was based primarily on consequences from human casualties, but did not consider economic consequences, as called for by the National Infrastructure Protection Plan (NIPP) and the CFATS regulation. Consequently, we recommended that ISCD conduct an independent peer review after enhancements to the risk assessment approach were complete. From 2013 through 2016, ISCD conducted a multiyear effort to review and improve the CFATS program's risk assessment approach and tiering methodology with the primary goal of improving the identification and appropriate tiering of high-risk chemical facilities. Among these efforts was an ISCD-commissioned peer review of the CFATS tiering methodology conducted in 2013 by the Homeland Security Studies and Analysis Institute (HSSAI). HSSAI's final report summarized the findings of the peer review and included a list of 44 recommendations for ISCD to implement in its efforts to improve and revise the CFATS risk assessment and tiering methodology. ISCD undertook a risk assessment improvement project to implement most of the recommendations described in the 2013 HSSAI final report; these efforts included, for example, convening advisory board meetings with experts drawn from across industry, academia, and government to review and make additional recommendations on the proposed improvements to the CFATS risk assessment methodology and associated tools and processes. 
As of August 2018, the result of these efforts is an updated, "second generation" risk assessment approach and tiering methodology that addresses our prior recommendations. Specifically, with regard to our recommendation that DHS conduct a peer review after enhancing its risk assessment approach, in addition to the HSSAI review, DHS conducted peer reviews and technical reviews with government organizations and facility owners and operators, and worked with Sandia National Laboratories to verify and validate the CFATS program's revised risk assessment methodology, which was completed in January 2017. These actions are consistent with our recommendation and, as a result, it is now closed as implemented.
Agency affected: Department of Homeland Security
Recommendation: To enhance ISCD efforts to communicate and work with facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for IP, and the Director of ISCD to explore opportunities and take action to systematically solicit and document feedback on facility outreach consistent with ISCD efforts to develop a strategic communication plan.
Status: Closed – Implemented
The Infrastructure Security Compliance Division (ISCD) developed a questionnaire to solicit feedback on outreach with industry stakeholders in the Chemical Facility Anti-Terrorism Standards (CFATS) community. In September 2016, the Office of Management and Budget approved ISCD's request to implement the questionnaire during various outreach engagements with stakeholders, including meetings and conferences, contact with ISCD's Knowledge Center, and during compliance assistance visits by ISCD inspectors. ISCD started using the questionnaire during these engagements, consistent with ISCD's Outreach Implementation Plan, and began using the questionnaire in October 2016, during various CFATS outreach events. In early 2017, ISCD began to compile and analyze the data provided by stakeholders when using the questionnaire.

Topics

Peer review, Antiterrorism, Chemicals, Communication, Critical infrastructure, Critical infrastructure protection, Cyber security, Facility security, Homeland security, Inspection, Risk assessment, Risk management, Terrorism, Terrorists, Toxic substances