Fast Facts

Terrorists and others may pose a cyber-threat to high-risk chemical facilities. Control systems, for example, could be manipulated to release hazardous chemicals. The Department of Homeland Security started a program more than a decade ago to help address these security risks.

We reviewed the program. DHS guidance designed to help about 3,300 facilities comply with cybersecurity and other standards has not been updated in over 10 years. Also, its cybersecurity training program for its inspectors does not follow some key training practices.

We made 6 recommendations, including that DHS review and update guidance and improve training.

[Figure: A chemical facility]

Highlights

What GAO Found

The Chemical Facility Anti-Terrorism Standards (CFATS) program within the Department of Homeland Security (DHS) evaluates high-risk chemical facilities’ cybersecurity efforts via inspections that include reviewing policies and procedures, interviewing relevant officials, and verifying facilities’ implementation of agreed-upon security measures. GAO found that the CFATS program has guidance designed to help the estimated 3,300 CFATS-covered facilities comply with cybersecurity and other standards, but the guidance has not been updated in more than 10 years, in contrast with internal control standards, which recommend periodic review. CFATS officials stated that the program does not have a process to routinely review its cybersecurity guidance to ensure that it is up to date with current threats and technological advances. Without such a process, facilities could be more vulnerable to cyber-related threats.

[Figure: Potential Cyber-Related Threats to Chemical Facilities]

The CFATS program developed and provided cybersecurity training for its inspectors, but GAO found that the CFATS program does not fully address 3 of 4 key training practices, or address cybersecurity needs in its workforce planning process, as recommended by DHS guidance. Specifically:

  • The CFATS program does not: (1) systematically collect or track data related to inspectors’ cybersecurity training or knowledge, skills, and abilities; (2) develop measures to assess how training is contributing to cybersecurity-related program results; or (3) have a process to evaluate the effectiveness of its cybersecurity training in improving inspector skillsets.
  • The program also has yet to incorporate identified cybersecurity knowledge, skills, and abilities for inspectors in its current workforce planning processes or track data related to covered facilities’ reliance on information systems when assessing its workforce needs.

Fully addressing key training practices will help ensure that CFATS inspectors have the knowledge, skills, and abilities for cybersecurity inspections, and identifying cybersecurity needs in workforce planning will help the program ensure that it has the appropriate number of staff to carry out the program’s cybersecurity-related efforts.

Why GAO Did This Study

Thousands of high-risk chemical facilities may be subject to the risk posed by cyber threat adversaries—terrorists, criminals, or nations. These adversaries could potentially manipulate facilities’ information and control systems to release or steal hazardous chemicals and inflict mass casualties on surrounding populations (see figure). In accordance with the DHS Appropriations Act, 2007, DHS established the CFATS program to, among other things, identify and assess the security risk posed to chemical facilities.

GAO was asked to examine the cybersecurity efforts of the CFATS program, including the extent to which the program (1) assesses the cybersecurity efforts of covered facilities, and (2) determines the specialty training and level of staff needed to assess cybersecurity at covered facilities.

GAO conducted site visits to observe the cybersecurity portion of CFATS inspections based on scheduled inspections, reviewed inspection documents, and interviewed CFATS inspectors. GAO also analyzed inspection guidance and training against key practices and assessed workforce planning documents and processes.

Recommendations

GAO is making six recommendations to DHS: to routinely review and, as needed, update guidance; to fully incorporate key training practices; and to identify workforce cybersecurity needs. DHS concurred with the recommendations.

Recommendations for Executive Action

Agency Affected: Cybersecurity and Infrastructure Security Agency (all six recommendations)

Recommendation 1: The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals.
Status: Open
Comments: DHS concurred with this recommendation and stated in its comments that CISA's Infrastructure Security Division (ISD) will work to develop a documented process for reviewing CFATS cybersecurity guidance at regularly defined intervals. DHS stated that once the process is documented and implemented, ISD will revise or supplement existing guidance, as appropriate. In November 2020, DHS reported that ISD was in the process of developing a policy directive that will include a process for reviewing existing CFATS-related cybersecurity guidance based on the latest cybersecurity information made available by CISA, NIST, and other federal agencies. DHS anticipates this document will be completed by December 31, 2020. Further, ISD initiated a new project to update the CFATS Risk Based Performance Standards (RBPS) guidance on cybersecurity. DHS stated that this project is also expected to be completed by December 31, 2020. We will continue to monitor the status of the policy directive, the additional actions taken in response to this recommendation, and the extent to which they implement a process for reviewing and revising CFATS cybersecurity guidance.

Recommendation 2: The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals.
Status: Open
Comments: DHS concurred with this recommendation and stated that CISA agrees that it is important to ensure training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. Regarding inspector performance maintenance or improvement, DHS stated that, among other things, management will ensure that each inspector's individual performance plan fully captures their expected performance goals in the area of cybersecurity. In November 2020, the CISA Infrastructure Security Division (ISD) reported that ISD completed more than a dozen compliance inspection audits that reviewed inspector performance and identified programmatic improvements, including review of the cybersecurity inspection protocol. CISA officials also stated that ISD began developing its fiscal year (FY) 2021 Annual Operating Plan (AOP), which is expected to include cybersecurity performance goals and measurements. Finally, according to CISA officials, ISD is planning to review FY2021 individual performance plans and intends to include a cybersecurity-related performance goal or objective in each plan. Both the FY2021 AOP and the individual performance plans are to be completed by December 31, 2020. We will continue to monitor the status of the AOP and individual performance plan reviews and the extent to which they assess the contribution that cybersecurity training is making to CFATS programmatic goals.

Recommendation 3: The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings.
Status: Open
Comments: DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. DHS stated in its comments that CISA will establish policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is accounted for in a centralized mechanism. In November 2020, CISA reported that its Infrastructure Security Division (ISD) completed three virtual basic cybersecurity courses attended by 117 chemical security inspectors and supervisors in April, May, and July 2020. These courses included a final test and course evaluation. According to CISA officials, CISA is using these materials to develop a long-term cybersecurity training strategy, to include updated onboarding training, intermediate and advanced training, and both regular and recurring refresher training. ISD is also finalizing the development of an intermediate course to be delivered in the fall of calendar year 2020, according to CISA officials. Additionally, according to CISA officials, ISD is establishing policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is tracked centrally by December 31, 2020. We will continue to monitor the status of actions taken to address this recommendation and the extent to which they result in ISD's ability to track delivery and performance data for cybersecurity training.

Recommendation 4: The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms.
Status: Open
Comments: DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and that CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. DHS also stated that, among other things, CISA will require course evaluation forms from each attendee of any cybersecurity training provided by CISA to its chemical facility staff. In November 2020, CISA reported that ISD is developing a plan to evaluate the effectiveness and coverage of its cybersecurity training. Consequently, the agency will consider the evaluations completed at the end of recent courses and other training opportunities to be part of an effectiveness review specific to cybersecurity training. According to CISA officials, the results of the effectiveness review will feed into the development of a Chemical Security Standard Operating Procedure and Policy for the Field Training Program, which, once final, will describe processes for managing the training and retraining of chemical security inspectors, including minimum initial training and retraining requirements for cybersecurity. These efforts are expected to be completed by December 31, 2020. We will continue to monitor the status of actions taken to address this recommendation and the extent to which they result in a plan to evaluate the effectiveness of cybersecurity training.

Recommendation 5: The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them.
Status: Open
Comments: DHS concurred with this recommendation and stated that CISA will develop a concept of operations, which will include goals and requirements for a workforce review. In November 2020, DHS reported that CISA's Infrastructure Security Division (ISD) prepared a CISA Personnel Certification Program Concept of Operations and Work Plan (Work Plan) in January 2020, which supported the development of a CISA Role-Based Competency Model and Qualification Training System. Specifically, according to DHS, the Work Plan establishes a standard method for qualifying each CISA staff member to perform the functions required for their assigned role, including any cybersecurity qualification requirements. DHS also reported that CISA's ISD will continue developing a concept of operations, which will include goals and requirements for a workforce review by December 31, 2020. We will continue to monitor CISA's efforts to address this recommendation and the extent to which the actions result in a workforce plan that addresses CFATS' cybersecurity-related needs.

Recommendation 6: The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels.
Status: Open
Comments: DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities but that it is not in a readily accessible format. DHS stated in its comments that ISD will execute a contract for new information technology development support for the CSAT system and, once the contract is executed, will work with the new support contractor to build a tool to automate the locating and reporting of a facility's cyber integration level data in a more accessible format. In November 2020, DHS reported that CISA awarded a contract for new information technology development support for the CSAT system, which the agency says, once initiated, will provide for greater ability to modify the existing CSAT system. According to DHS, the contract's primary purpose is to create means for making it easier to track a facility's cyber integration level. This project is estimated to be completed by October 31, 2021. With regard to making information on inspector cybersecurity expertise more readily available, DHS reported that the CISA Training Lead/Chief Learning Officer will maintain cybersecurity training information in a centralized repository of training and certification information for chemical security staff. These efforts are expected to be completed by October 31, 2021. We will continue to monitor these actions taken in response to our recommendation and the extent to which they result in reliable, readily available information about covered facilities' cyber integration levels and inspector cybersecurity expertise.
