CISA, DHS urge Congress to reauthorize CFATS program, highlighting chemical sector risks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) called for congressional action to reauthorize the regulatory program that specifically focuses on security at high-risk chemical facilities. The agency added that it is offering facilities resources and tools to help these chemical facilities enhance their security, but this voluntary program is no substitute for the Chemical Facility Anti-Terrorism Security (CFATS) program. The move comes following failure by the U.S. Senate last month to pass legislation that reauthorizes the CFATS program, before its expiration date of July 27, 2023.  

In an Opinion piece published Monday in the Washington Post, Jen Easterly, CISA director, outlined that with the absence of the CFATS authority, “we cannot ensure that chemical facilities are mitigating the terrorist exploitation of chemical holdings. We are unable to vet the average 300 new names per day to determine whether the individuals seeking access to dangerous chemicals have ties to terrorism. We can’t process new submissions from facilities to determine whether they fall under the CFATS thresholds for dangerous chemicals, meaning the locations and quantities of dangerous chemicals are unknown to CISA and local first responders — which leaves sites vulnerable to terrorist threats.”

She added that communities across the nation are at greater risk until Congress reauthorizes this bipartisan and critical program. “We must ensure that chemicals do not become weaponized by those who wish to do Americans harm.”

Using the CFATS standards, CISA keeps dangerous chemicals out of the hands of terrorists and other malicious actors by identifying facilities that possess certain high-risk chemicals and ensuring they have critical security measures in place, Easterly detailed. “This is an essential element of homeland security: An attack on one of these U.S. chemical facilities could be as lethal as a nuclear blast.”

Easterly spoke Tuesday at the ongoing 2023 Chemical Security Summit, where she drew attention to “that authority has been absolutely critical to keeping our communities safe from the threat of chemical terrorism, from ensuring that the more than 3200 high-risk chemical facilities across every state are protected from both cyber threats and physical threats. And so it’s not, it’s not just about putting safeguards in place to digital systems and to physical security of structures.”

“It really is fundamentally about protecting our communities and given how important chemicals are in our everyday lives. It’s really about ensuring that the economic foundation of our society can continue to thrive, but to do so in a safe and secure way,” according to Easterly. “So I was really disheartened when the CFATS authority, despite very strong and full-throated support from the chemical industry, the association groups and, you know, frankly, very strong bipartisan support from both the House and the Senate. I was really disheartened that the authority was allowed to expire about a month ago. And we know how important this authority is.” 

Also speaking at the Chemical Security Summit, Alejandro Mayorkas, Homeland Security Secretary pointed to the countless lives that have undoubtedly been saved by the collaboration of Congress and CFATS, and what they have long-established, among and enabled CISA, DHS, private industry, and law enforcement. “It is a worthy and important legacy and a critical plank of our national security apparatus. Both have now been jeopardized because some have declined for the first time to reauthorize CFATS authorities.” 

Mayorkas added that already CISA has been effectively barred from determining who is accessing 3242 high-risk chemical facilities or monitoring whether or not facilities are stockpiling dangerous chemicals. “Already, we have been barred from enforcing penalties on facilities that violate safety standards. Even though the chemical industry at large supports CFATS reauthorization and is pushing Congress for its reauthorization. Already, a few chemical facilities have decided not to move ahead with security investments and enhancements because of the expiration of the regulation. More have expressed concern about an interest in doing so should reauthorization languish in the Senate much longer. “

He also pointed to the risk that terrorists could access and weaponize the dangerous chemicals produced in these facilities increasing day by day. 

“I wanted to join you today and speak at this summit to make this point and make it very clear – the safety and security of 3242 high-risk chemical facilities across all 50 states. The safety and security of our communities and the safety and security of the American people are not political bargaining chips,” Mayorkas highlighted. “They are not a frivolous use of government resources. Our national security has not been and cannot become a partisan endeavor. 

The chemical threat environment is rapidly evolving, evolving as the discussions featured throughout this summit are a testament to, Mayorkas said. “CFATS is the foundation of all those chemical security efforts publicly and privately now and in the future.” 

Mayorkas said that the Senate must reauthorize CFATS as soon as it is back in session. Time is not our ally when it comes to confronting terrorists, chemical weapons, or chemical threats. “CFATS reauthorization passed the House of Representatives by a vote of 409 to 1. Reauthorization is popular. It is bipartisan, it is common sense and it is critical,” he added.

Commenting on the developments, Brian Harrell, former Assistant Director for Infrastructure Security at CISA, which oversaw the Office of Chemical Security, told Industrial Cyber that while CFATS is a great program that demonstrates chemical security risk-reduction, it also needs to be updated. 

“Very few updates have materialized from its original authorization in 2007. Every time we reauthorize, there’s an acknowledgment that we need to modernize the standards, but then DHS never does,” Harrell said. “The cyber performance standards are lackluster, and it still does not take into account emerging risks like insider threat or overhead concerns from drones, despite staff stretching loose interpretations of compliance. I appreciate that CFATS works with industry to mitigate security risks, but in order to justify its monumental historical price tag, it needs to mature with the times.” 

Harrell added that the status quo is a death sentence for security regulations where tactics and threat actors are constantly changing. “Interestingly, the chemical sector loves this regulation because the standards never mature, nearly no fines are levied, and the “costs” to comply never go up.  I do appreciate that most chemical facilities fall outside of CFATS regulation, so the voluntary program that we conceptualized back in 2019, is a huge feather in the cap.”

The Summit will also feature important chemical security information for industry organizations, facility owners and operators, government officials, first responders, and law enforcement. Sessions will include updates on CISA’s ChemLock programs; emerging threats to the chemical industry, demonstrations from federal partners; approaches to supply chain disruptions, case studies of real-world scenarios, cascading effects of cyberattacks, and international chemical security initiatives

Earlier this month, CISA updated the landing page of the CFATS program, after the Senate failed to pass legislation that reauthorizes the program, before its expiration date. The failure of the Senate to reauthorize the CFATS program has significant implications for chemical facility security measures, potentially putting these facilities at risk.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.