IN12235 — The CFATS Sunset and Its Implications for Chemical Security

The Chemical Facility Anti-Terrorism Standards (CFATS) program, which regulated covered chemical facilities for security, sunset as of July 28, 2023, after Congress allowed its statutory program authorization to expire. The House passed a bill (H.R. 4470) on a 409-1 vote to extend the authorization for two years. A companion Senate bill (S. 2499) did not advance past introduction, and a motion to consider the House-passed bill was blocked in the Senate on July 26, shortly before the Senate adjourned for fall recess. The Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS) agency that administered CFATS, subsequently issued a statement that it had suspended all program activities related to enforcement and compliance assistance. Additionally, requirements for facilities to maintain existing site security plans or programs and to report possession of certain “chemicals of interest” were suspended. CISA encouraged previously covered chemical facilities to maintain existing security measures, and noted the availability of its resources for adoption of voluntary best practices under the ChemLock initiative, which provides a toolkit of on-site assessments and assistance, exercise packages, on-demand training, and online informational guidance. Absent congressional action to reauthorize CFATS, continuing DHS infrastructure security and resilience activities in the Chemical Sector would rely mainly on voluntary public-private partnerships, as is the case in most other critical infrastructure sectors. Entities formerly covered by CFATS regulations may choose to engage in critical infrastructure security and resilience partnerships, while also maintaining or improving certain security practices and risk mitigation investments. However, they are no longer required to do so. This Insight describes potential changes to chemical security in the wake of CFATS expiration and provides analysis of potential longer-term implications for the Chemical Sector’s security posture if CFATS is not reauthorized. It may inform congressional action, whether Congress decides to reinstate CFATS (with or without modifications) or allows the lapse in regulatory authorization to continue indefinitely. Continuity and Changes to Chemical Security Activities The CFATS program mandated a “top-screen” process for covered facilities possessing potentially dangerous chemicals (above certain threshold limits) at risk for misuse by terrorists. High risk facilities were required to formulate and implement CISA-approved security plans to meet 18 risk-based performance standards (RBPS), subject to approval and verification. RBPS covered a variety of security issues, including, among others: perimeter security, vetting and screening of onsite personnel, incident response, record keeping, incident reporting, and security training. CISA did not prescribe specific security measures, but did provide guidance and consultation to facility owner-operators to aid in compliance. Certain security measures might continue after the CFATS sunset on a voluntary basis, but likely with changes. For example, RBPS 1 (Restrict Area Perimeter) includes installation of barriers, lighting, and monitoring and detection equipment at covered facilities. Formerly covered entities may choose to keep these assets—either partially or entirely—in place. However, operation and maintenance of perimeter security assets requires trained personnel to monitor systems and react to contingencies. Owner-operators could choose to discontinue these activities if they deem them unnecessary or cost-prohibitive, and if no other relevant federal regulatory requirements apply. Owner-operators may also continue personnel screening and identification as they see fit, but they will not have the ability to submit requests to DHS for personnel vetting using the Terrorism Screening Database (TSDB), a unified federal watchlist developed after the September 11, 2001, terrorist attacks. CISA has closed the online portal used for enrollment in the program. Background documentation such as credit checks, which do not require TSDB access, remain available to facility owner-operators. Security personnel may also inspect credentials already issued to vetted individuals under the auspices of CFATS and certain other federal security programs, but CISA cannot validate existing credentials or approve new ones. Potential Longer-Term Implications of CFATS Sunset The 18 RBPS have complex interdependencies, potentially complicating any efforts to fully separate voluntary security activities from the regulatory authorities that enable them. For example, TSDB vetting under CFATS regulatory authority enabled many other security activities related to access control, such as cybersecurity. Likewise, CISA used mandated incident reports to inform regulatory oversight and develop up-to-date voluntary security guidance for the Chemical Sector. CISA maintains a program for voluntary submission of critical infrastructure information, but it is not specific to chemical sector security requirements. In general, regulation and voluntary public-private partnerships often develop concurrently, and coexist within the broader federal critical infrastructure enterprise. Regulatory relationships may encourage private-sector engagement with federal agencies on voluntary initiatives, particularly if these facilitate cost-effective compliance. For example, the offshore exploration and extraction industry segment of the Oil and Gas Subsector—regulated under authorities in the Maritime Transportation Security Act of 2002 (P.L. 107-295)—has more voluntary public-private engagement on risk assessment, information sharing, and standards development than some other, less-regulated oil and gas industry segments. Some observers voiced concern that the CFATS sunset may erode chemical security expertise in CISA and the private sector. Some CISA chemical security positions may be eliminated or reallocated, absent reauthorization. In the private sector, compliance-relevant expertise may atrophy. Some Members expressed concerns about program effectiveness, compliance costs, and overlap with other federal regulations. In a July 26 floor speech, Senator Rand Paul said that CFATS “places a burden on business, impeding their potential growth and creating unsurmountable barriers to entry for those who find the regulatory compliance too cumbersome and expensive to even attempt to break into the sector.” He added that the Government Accountability Office (GAO) “found much of this program to be duplicative of other Agencies.” The January 2021 GAO report reviewed eight federal chemical security programs and compared them with CFATS standards. It found that six programs had some duplicative requirements that certain facilities might be subject to. It also found that statutory exclusions of certain facilities from CFATS regulations produced some potential regulatory gaps.

Curated by CRS — every bill listed in this report's relatedMaterials. Edge type cited_in_report, gold confidence.

• HR 4470 — Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023 · 118th Cong
• S 2499 — Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2023 · 118th Cong