Recommendation: The Director of DHS's Cybersecurity and Infrastructure Agency should assess EPA data when planning outreach to public water system and wastewater treatment works facilities (Recommendation 1).

Agency: Department of Homeland Security
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Assistant Director of the Infrastructure Security Division should implement a documented process for reviewing and, if deemed necessary, revising its guidance for implementing cybersecurity measures at regularly defined intervals. (Recommendation 1)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA's Infrastructure Security Division (ISD) will work to develop a documented process for reviewing CFATS cybersecurity guidance at regularly defined intervals. DHS stated in its comments that once the process is documented and implemented, ISD will revise or supplement existing guidance, as appropriate. We will continue to monitor DHS's actions to address the recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should incorporate measures to assess the contribution that its cybersecurity training is making to program goals, such as inspector- or program-specific performance improvement goals. (Recommendation 2)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation stated that CISA agrees that it is important to ensure training supports program goals, whether relating to inspector-specific or program-specific performance maintenance or improvement goals. Regarding inspector performance maintenance or improvement, DHS stated that, among other things, management will ensure that each inspector's individual performance plan fully captures their expected performance goals in the area of cybersecurity. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should track delivery and performance data for its cybersecurity training, such as the completion of courses, webinars, and refresher trainings. (Recommendation 3)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA agrees that process improvements to better document and evaluate the effectiveness of the training provided to CFATS staff are worthwhile. DHS stated in its comments that CISA will establish policies and procedures intended to ensure that all cybersecurity training provided to chemical security personnel is accounted for in a centralized mechanism. We will continue to monitor DHS's actions taken to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should develop a plan to evaluate the effectiveness of its cybersecurity training, such as collecting and analyzing course evaluation forms. (Recommendation 4)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that evaluating the effectiveness of training is beneficial and CISA will work to ensure that all cybersecurity courses provided to CISA chemical security staff are evaluated for effectiveness. DHS also stated that, among other things, CISA will require course evaluation forms from each attendee of any cybersecurity training provided by CISA to its chemical facility staff. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should develop a workforce plan that addresses the program's cybersecurity-related needs, which should include an analysis of any gaps in the program's capacity and capability to perform its cybersecurity-related functions, and human capital strategies to address them. (Recommendation 5)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA will develop a concept of operations, which will include goals and requirements for a workforce review and planning effort to ensure the organization addresses the new program's capacity and capability to perform its regulatory, voluntary, and programmatic goals, to include its cybersecurity related functions. We will continue to monitor DHS's actions to address this recommendation.

Recommendation: The Assistant Director of the Infrastructure Security Division should maintain reliable, readily available information about the cyber integration levels of covered chemical facilities and inspector cybersecurity expertise. This could include updating the program's inspection database system to better track facilities' cyber integration levels. (Recommendation 6)

Agency: Department of Homeland Security: Cybersecurity and Infrastructure Security Agency
Status: Open

Comments: DHS concurred with this recommendation and stated that CISA retains information on cyber integration levels for regulated facilities but that it is not in a readily accessible format. DHS stated in its comments that ISD will execute a contract for new information technology development support for the CSAT system which, once executed, will work with the new support contractor to build a tool to automate the locating and reporting of a facility's cyber integration level data in a more accessible format. We will continue to monitor the status of DHS's actions to address this recommendation.

Recommendation: To strengthen federal oversight of facilities with ammonium nitrate, the Secretary of Labor and the Administrator of EPA should direct OSHA and EPA, respectively, to consider revising their related regulations to cover ammonium nitrate and jointly develop a plan to require high risk facilities with ammonium nitrate to assess the risks and implement safeguards to prevent accidents involving this chemical.

Agency: Department of Labor
Status: Open

Comments: On December 9, 2013, OSHA issued a Request for Information seeking, among other things, comments on potential revisions to its Process Safety Management standard and its Explosives and Blasting Agents Standard. The Request for Information specifically invited comments on safe work practices for storing, handling, and managing ammonium nitrate and on regulatory requirements to improve its approach to preventing the hazards associated with ammonium nitrate. As of July 2017, OSHA reports it has completed a Small Business Regulatory Flexibility Review Act panel to gather feedback from small businesses on updating its Process Safety Management (PSM) regulation. During the panel, the agency discussed the option of adding ammonium nitrate to the list of chemicals covered by PSM and collected comments. As of June 2018, the PSM rulemaking is on the regulatory agenda under Long Term Action. According to OSHA officials, the agency will continue to collect comments on the option of adding ammonium nitrate to the list of highly hazardous chemicals covered by the PSM regulations as dictated by the rulemaking process. We will close this recommendation when OSHA decides what action to take as a result of the rulemaking process.

Recommendation: To strengthen federal oversight of facilities with ammonium nitrate, the Secretary of Labor and the Administrator of EPA should direct OSHA and EPA, respectively, to consider revising their related regulations to cover ammonium nitrate and jointly develop a plan to require high risk facilities with ammonium nitrate to assess the risks and implement safeguards to prevent accidents involving this chemical.

Agency: Environmental Protection Agency
Status: Open

Comments: In January 2017, EPA issued a final rule to modify its Risk Management Program (RMP) regulations. The agency decided not to propose any revisions to the list of regulated substances and therefore, did not address ammonium nitrate in the revised regulations.

Recommendation: The Secretary of Labor should direct the Assistant Secretary for Occupational Safety and Health to consider updating regulations for the storage of ammonium nitrate taking into consideration, as appropriate, other related standards and current practices.

Agency: Department of Labor
Status: Open

Comments: OSHA previously (December 3, 2014) issued guidance to Regional Administrators to assist OSHA officials in enforcing the ammonium nitrate storage requirements in the Explosives and Blasting Agents Standard. In addition, on December 9, 2013, OSHA issued a Request for Information (RFI) seeking, among other things, comments on potential revisions to the Explosives and Blasting Agents Standard, which includes ammonium nitrate storage requirements. According to OSHA officials, the agency discussed the option of adding ammonium nitrate to the list of chemicals covered by the Process Safety Management (PSM) regulations and collected comments. As of June 2018, the PSM rulemaking is on the regulatory agenda under Long-Term Action. We will close this recommendation when the agency decides what action to take as a result of the rulemaking process.