Fast Facts

Thousands of facilities use hazardous chemicals, and hundreds of them are subject to both Department of Homeland Security anti-terrorism standards and other federal chemical safety or security programs.

We reviewed 8 such programs and compared them to DHS's standards. We found some overlap, duplication, and fragmentation. For example, facilities may be developing duplicative information to comply with multiple programs. Even though some facilities may be subject to multiple programs, those not subject to DHS standards—such as water systems—may have gaps in oversight.

We recommended identifying potential security gaps and more.

Chemical Facility Storage Tanks

Highlights

What GAO Found

Eight federal programs addressing chemical safety or security from four departments or agencies that GAO reviewed contain requirements or guidance that generally align with at least half of the Department of Homeland Security's (DHS) 18 Chemical Facility Anti-Terrorism Standards (CFATS) program standards. At least 550 of 3,300 (16 percent) facilities subject to the CFATS program are also subject to other federal programs. Analyses of CFATS and these eight programs indicate that some overlap, duplication, and fragmentation exists, depending on the program or programs to which a facility is subject. For example,

  • six federal programs' requirements or guidance indicate some duplication with CFATS. CFATS program officials acknowledge similarities among these programs' requirements or guidance, some of which are duplicative, and said that the CFATS program allows facilities to meet CFATS program standards by providing information they prepared for other programs.
  • more than 1,600 public water systems or wastewater treatment facilities are excluded under the CFATS statute, leading to fragmentation. While such facilities are subject to other programs, those programs collectively do not contain requirements or guidance that align with four CFATS standards. According to DHS, public water systems and wastewater treatment facilities are frequently subject to safety regulations that may have some security value, but in most cases, these facilities are not required to implement security measures commensurate to their level of security risk, which may lead to potential security gaps.

The departments and agencies responsible for all nine of these chemical safety and security programs—four of which are managed by DHS, three by the Environmental Protection Agency (EPA), and one each managed by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and the Department of Transportation (DOT)—have previously worked together to enhance information collection and sharing in response to Executive Order 13650, issued in 2013. This Executive Order directed these programs to take actions related to improving federal agency coordination and information sharing.

However, these programs have not identified which facilities are subject to multiple programs, such that facilities may be unnecessarily developing duplicative information to comply with multiple programs. Although CFATS allows facilities to use information they prepared for other programs, CFATS program guidance does not specify what information facilities can reuse. Finally, DHS and EPA leaders acknowledged that there are differences between CFATS requirements and the security requirements for public water systems and wastewater treatment facilities, but they have not assessed the extent to which potential security gaps may exist. By leveraging collaboration established through the existing Executive Order working group, the CFATS program and chemical safety and security partners would be better positioned to minimize unnecessary duplication between CFATS and other programs and better ensure the security of facilities currently subject to fragmented requirements.

Why GAO Did This Study

Facilities with hazardous chemicals could be targeted by terrorists to inflict mass casualties or damage. Federal regulations applicable to chemical safety and security have evolved over time as authorizing statutes and regulations established programs for different purposes, such as safety versus security, and with different enforcement authorities. GAO has reported that such programs may be able to achieve greater efficiency where overlap exists by reducing duplication and better managing fragmentation.

GAO was asked to review issues related to the effects that overlap, duplication, and fragmentation among the multiple federal programs may have on the security of the chemical sector. This report addresses the extent to which (1) such issues may exist between CFATS and other federal programs, and (2) the CFATS program collaborates with other federal programs. GAO analyzed the most recent available data on facilities subject to nine programs from DHS, EPA, ATF, and DOT; reviewed and analyzed statutes, regulations, and program guidance; and interviewed agency officials.

Recommendations

GAO is making seven recommendations, including that DHS, EPA, ATF, and DOT identify facilities subject to multiple programs; DHS clarify guidance; and DHS and EPA assess security gaps. Agencies generally agreed with six; EPA did not agree with the recommendation on gaps. GAO continues to believe it is valid, as discussed in the report.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: 1. The Secretary of DHS should direct its chemical safety and security programs to collaborate with partners and establish an iterative and ongoing process to identify the extent to which CFATS-regulated facilities are also covered by other programs with requirements or guidance that generally align with some CFATS standards. (Recommendation 1)
Status: Open
DHS concurred with this recommendation, and described planned steps it would take to implement it, such as collaborating with fellow federal agencies to identify facilities covered by multiple programs. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Agency Affected: Environmental Protection Agency
Recommendation: 2. The Administrator of the EPA should direct its chemical safety and security programs to collaborate with partners and establish an iterative and ongoing process to identify the extent to which the facilities that it regulates are also covered by the CFATS program. (Recommendation 2)
Status: Open
EPA concurred with this recommendation, and described planned steps to address the recommendation, including information sharing of facility data and EPA enforcement actions. When we confirm what actions EPA has taken in response to this recommendation, we will provide updated information.

Agency Affected: Bureau of Alcohol, Tobacco, Firearms and Explosives
Recommendation: 3. The Director of ATF should direct its explosive materials programs to collaborate with chemical safety and security program partners and establish an iterative and ongoing process to identify the extent to which the facilities that it regulates are also covered by the CFATS program. (Recommendation 3)
Status: Open
ATF informed us via email that they had no comments on the draft report and neither agreed nor disagreed with this recommendation. We will continue to monitor ATF's activities to assess whether this recommendation is implemented. When we confirm what actions ATF has taken in response to this recommendation, we will provide updated information.

Agency Affected: Department of Transportation
Recommendation: 4. The Secretary of Transportation should direct its hazardous materials transportation program to collaborate with chemical safety and security partners and establish an iterative and ongoing process to identify the extent to which the facilities that it regulates are also covered by the CFATS program. (Recommendation 4)
Status: Open
DOT concurred with this recommendation, and stated that it will provide a detailed response to the recommendation within 180 days of the issuance of our report. When we confirm what actions DOT has taken in response to this recommendation, we will provide updated information.

Agency Affected: Cybersecurity and Infrastructure Security Agency
Recommendation: 5. The Director of DHS's Cybersecurity and Infrastructure Security Agency should update CFATS program guidance or fact sheets to include a list of commonly accepted actions facilities may have taken and information they may have prepared pursuant to other federal programs, and disseminate this information. (Recommendation 5)
Status: Open
DHS concurred with this recommendation, and described planned steps it would take to implement it, such as updating its guidance. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Agency Affected: Cybersecurity and Infrastructure Security Agency
Recommendation: 6. DHS's Cybersecurity and Infrastructure Security Agency should collaborate with the EPA to assess the extent to which potential security gaps exist at water and wastewater facilities and, if gaps exist, develop a legislative proposal for how best to address them and submit it to the Secretary of Homeland Security and Administrator of EPA, and Congress, as appropriate. (Recommendation 6)
Status: Open
DHS concurred with this recommendation, and described planned steps it would take to implement it, including working with EPA to identify and explore possible approaches for assessing potential security gaps that exist at water and wastewater facilities broadly. According to DHS's comment letter, DHS and the EPA will determine if any additional action is warranted. If it is determined that a significant security gap exists, DHS stated in its letter that it and EPA will identify and evaluate potential options for addressing that gap, and acknowledged that one option is working with Congress to legislatively address the gap, either through the removal of the existing water and wastewater facility exemption from CFATS or by providing either DHS or EPA with new authority to regulate security at these facilities. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.

Agency Affected: Environmental Protection Agency
Recommendation: 7. The EPA should collaborate with the DHS's Cybersecurity and Infrastructure Security Agency to assess the extent to which potential security gaps exist at water and wastewater facilities and, if gaps exist, develop a legislative proposal for how best to address them and submit it to the Secretary of Homeland Security and Administrator of EPA, and Congress, as appropriate. (Recommendation 7)
Status: Open
The EPA did not concur with this recommendation. We continue to believe that our recommendation is valid. As noted in our report, EPA and DHS senior officials have stated that there is a gap in the chemical security regulatory framework due to the exemption of drinking water and wastewater treatment facilities from CFATS. If DHS and EPA identify security gaps at water and wastewater facilities, developing a legislative proposal to address them may be appropriate. However, if DHS and EPA determine that they can adequately address identified security gaps under current authorities, taking action under such authorities would also satisfy our recommendation. We will continue to monitor EPA efforts to address it.
