CISA again prioritizes resilience in times of uncertainty for national chemical security following CFATS lapse

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) highlighted the need to bring resilience within the chemical security sector following Congress’ failure to reauthorize the Chemical Facility Anti-Terrorism Security (CFATS) program in July. The move has led to the U.S. without a regulatory chemical security program for the first time in 15 years.

“CISA continues to urge Congress to reauthorize the CFATS program,” Kelly Murray, CISA associate director for chemical security, wrote in a Monday CISA blog post. “CFATS provides essential resilience for the chemical industry by enabling chemical facility owners and operators to understand the risks associated with their chemical security holdings, develop site security plans and programs, conduct site inspections, coordinate with local law enforcement and first responders, and continue to reevaluate each facility’s security posture based on changes in its chemical holdings and threat nexus.” 

Murray added that CISA follows its advice: “We believe in putting the right security plans and countermeasures in place before an incident occurs to reduce the risk of incidents occurring and improving resilience during and after incidents to reduce the impact on our communities and our nation.”

Four months after the expiration of the CFATS program, Murray called upon the chemical security sector to improve their security and resilience principles through CISA’s Shields Ready campaign, which includes four key pillars – Identifying Critical Assets, Assessing Risk, Security Planning, and Continual Improvement. 

As part of identifying critical assets, through CFATS, CISA screened over 40,000 chemical facilities, identified 3,200 of those sites as high-risk, and worked with those facilities to understand the risks posed by their chemical holdings and develop appropriate security plans. CISA was constantly monitoring the landscape of dangerous chemicals across the nation as individual facilities tiered in and out of the program based on increases or decreases in these chemical holdings. 

“Without CFATS, our agency no longer has an accurate national profile of the locations of these dangerous chemicals,” Murray pointed out. “We estimate that over the past four months, a minimum of 200 new chemical facilities have already acquired dangerous chemicals that ought to be more carefully secured; other facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation.”

As of July 2023, CISA was conducting terrorist vetting on an average of 9,000 names per month, Murray disclosed. “Based on this rate of vetting, CISA estimates that in the past four months, facilities have had to make decisions on granting access to about 36,000 employees without their being vetted beforehand by CISA for terrorist ties.” 

“Prior to the lapse in authority, CFATS identified more than 10 individuals with possible ties to terrorism over the lifetime of the Personnel Surety Program,” Murray revealed. “Given that rate of vetting, CISA likely would have identified an individual with or seeking access to dangerous chemicals as a known or suspected terrorist at some point over the past four months. We cannot sound the alarm loudly enough: every day this program is offline is too long.”

Under CFATS, chemical facilities were required to develop site-specific security plans to mitigate the risks associated with possession of dangerous chemicals. 

“Without CFATS, we cannot inspect high-risk sites or assist these facilities with security planning efforts unless they approach the agency voluntarily for an assessment via the ChemLock program,” Murray outlined. “We were conducting an average of 160 site inspections every month under CFATS; of those, more than a third identified security gaps, which were then added to site security plans for remediation. We can safely estimate that hundreds of security gaps have gone unidentified since July, meaning that chemical facilities are operating with no knowledge of these gaps or guidance on how to address them.”

CISA Chemical Security and the high-risk facilities previously regulated by CFATS worked together to ensure continuous improvement and adapt to the changing threat environment. “Through regular and recurring CFATS compliance inspections, we were able to provide lessons learned and best practices to address emerging threats and challenges and, based on the performance-based nature of the regulation, require facilities to amend security plans to account for these risks. This, in conjunction with updated guidance and resources, helped to ensure continuous growth in the chemical security community,” according to Murray. 

“For facilities, the steady continuity of the CFATS program meant that they could project their security budgets years in advance; this is why CISA has traditionally supported long-term program reauthorization,” Murray detailed. “Reliable and reasonable regulation bolsters resilience by allowing industry to make wise choices and build security into their budgets. Suddenly allowing the program to expire with no alternative in place has already led to confusion and concern across the chemical industry, reducing the chemical sector’s resilience in the face of an ever-changing threat landscape,” she added.

Looking ahead, Murray said that while the CFATS program has lapsed, “we continue to offer expertise to chemical facilities on a voluntary basis through the ChemLock program, which is available to any facility with dangerous chemicals regardless of whether they were previously tiered under CFATS. Inspectors nationwide continue to offer on-site assessments and assistance, which chemical facilities may request via the ChemLock Services Request Form on the ChemLock homepage.” 

She clarified that “while the voluntary ChemLock program complements the CFATS program, it is in no way a replacement for CFATS.”   

“We know the threat of chemical terrorism did not go away simply because the CFATS program expired. We know the best practices to protect dangerous chemicals against terrorist exploitation still work, and we continue to strive to share that knowledge with the chemical industry via the ChemLock program on a voluntary basis,” according to Murray. “But as we ask the nation to reflect on its security posture and Resolve to #BeResilient, we must face the fact that the absence of the CFATS program is a national security gap too great to ignore.” 

“As we call on the American people to examine the resiliency plans for the critical infrastructure that supports our everyday lives, we at CISA also call on Congress to reauthorize CFATS as a pillar of security and resilience for the nation’s chemical sector. This is a resolution we cannot afford to break,” Murray added.

Ahead of the nation’s commemoration of November as ‘Critical Infrastructure Security and Resilience Month,’ U.S. President Joe Biden rolled out a proclamation urging the nation to strengthen the country’s critical infrastructure and stay alert to threats that jeopardize collective security and economic well-being. He said that these disruptions, whether a natural disaster, a pandemic, or a cyberattack, exploit vulnerabilities in supply chains and make it more difficult to access critical products when people need them.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.