The U.S. Department of Homeland Security’s (DHS) decade-old program for protecting chemical facilities against potential terrorist attacks is working well and should be reauthorized for multiple years with some targeted improvements, industry officials say.
The Chemical Facility Anti-Terrorism Standards (CFATS) program “has helped make our industry and communities more secure,” Kirsten Meskill, director of corporate security for BASF, told the House of Representatives Homeland Security Subcommittee on Cybersecurity & Infrastructure Protection on Feb. 15.
The panel held the hearing to gather industry input on CFATS as lawmakers prepare to extend and possibly revise the counterterrorism initiative that began in 2007. The program, which Congress overhauled in 2014, is set to expire at the end of the year.
CFATS applies to facilities that make, use, or store threshold quantities of any one of more than 300 hazardous chemicals. Facilities that qualify must assess their risks, develop site-security plans for DHS approval, and then put the security measures in place. About 3,500 facilities are currently regulated under the program.
“The 2014 CFATS reauthorization made critical improvements to the program that DHS has done an excellent job in implementing,” said Chet Thompson, president of the American Fuel & Petrochemical Manufacturers, an industry trade group. Improvements included the establishment of an expedited system for approving site-security plans at lower-risk facilities and streamlining the vetting process for personnel, he said.
As Congress considers potential changes to the CFATS program, BASF’s Meskill said DHS should be more transparent with facility operators about how risk determinations are made.
DHS divides facilities into four tiers of decreasing risk based on the potential consequences that could result from a terrorist attack. Facilities placed in the higher-risk tiers must implement more stringent security measures than those in the lower tiers.
“More often than not, facility operators are left in the dark as to why they are tiered at a specified level, when in fact it is the operator who has the overall responsibility and authority for making security-risk-management decisions for that facility,” Meskill said.