House Committee requests CISA for information on status and renewal of CFATS program

A bipartisan group of the U.S. House Energy and Commerce Committee members have written to the Cybersecurity and Infrastructure Security Agency (CISA) director regarding the status and renewal of the Chemical Facility Anti-Terrorism Standards (CFATS) program. The letter is being sent before the statutory authority for CFATS expires on July 27, and comes in anticipation of any congressional efforts to extend the program, to better understand the current operation of CFATS.

The energy committee members have requested the cybersecurity agency to ‘please provide us answers no later than June 27, 2023.’ The CFATS regulatory program focuses specifically on security at high-risk chemical facilities. Managed by CISA, the CFATS program identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists. 

House Energy and Commerce Committee Chair Cathy McMorris Rodgers, a Republican from Washington, Committee Ranking Member Frank Pallone, Jr., a Democrat from New Jersey, Environment, Manufacturing, & Critical Materials Subcommittee Chair Bill Johnson, a Republican from Ohio, Subcommittee Ranking Member Paul Tonko, a Democrat from New York, and Congressman August Pfluger, a Republican from Texas, wrote in their letter to Jen Easterly, CISA director that CFATS requires certain facilities, whose possession or planned possession of chemicals at or above certain levels determined to present ‘high levels of security risk,’ to assess their vulnerabilities and implement security measures to minimize terrorism risks posed by those vulnerabilities. 

The letter added that “these facilities can fall under numerous types of industries and sectors, including chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, colleges and universities, laboratories, paint and coatings, and healthcare and pharmaceuticals.”

The members outlined that three years ago, Congress was concerned about the transparency of the CFATS tier process. Addressing this the members have asked in their letter what steps the CISA has taken to improve transparency and understanding of the tier process among regulated stakeholders. They added that in case the CISA has taken steps to improve transparency, whether the CISA conducted outreach to stakeholders and others to determine if those steps improved understanding. 

The letter also revealed that Congress is also very concerned about protecting the sensitive vulnerability and site security plan information of high-risk chemical facilities from public disclosure. On this, the members asked what steps, if any, has CISA taken in the last three years to change the way it protects chemical-terrorism vulnerability information (CVI), whether CISA has plans to change the scope or treatment of CVI, and what actions, if any, is CISA taking to communicate with other federal entities on that entity’s treatment and use of CVI as part of their programs. 

There are reports that CISA may soon begin a rulemaking that impacts the CFATS program, including changing the risk methodology, the list of chemicals and their thresholds, the letter identified. It called upon the cybersecurity agency to confirm for each of the three specific areas, whether CISA will be proposing a new rule in this area, whether the new rule will propose to make changes in this area, the need identified, and the precise purpose for each of these proposed changes, and the timeline for action on these changes and whether they will be subject to the Administrative Procedures Act or some other legal set of guidelines. 

The Government Accountability Office (GAO) has in the past identified certain deficiencies in the implementation of the CFATS program. The members queried CISA whether the agency has remedied, to GAO’s satisfaction, all identified deficiencies. In cases of not remedied, the letter sought details of which ones are still outstanding. Additionally, whether CISA employs training standards for CFATS inspection and compliance officers, including the use of minimum qualification requirements for inspectors to demonstrate knowledge and understanding of CFATS facilities. 

CISA has several regional offices that carry out CFATS-related responsibilities. The committee members asked in their letter to committee members what action(s) CISA’s main office in Washington, D.C. take to ensure that the regional offices are uniformly implementing CFATS across the country. They also questioned if there is an accountability process to prevent one region from operating a very different program from another. 

On the issue of drone activity around CFATS-regulated facilities getting increased attention, the members asked what actions has CISA taken and what plans CISA has to address this matter. 

In her testimony last month, Easterly told the U.S. Homeland Security Committee that CISA’s Infrastructure Security Division (ISD) leads and coordinates national programs and policies on critical infrastructure security, including conducting vulnerability assessments, facilitating exercises, and providing training and technical assistance. 

Easterly added that “ISD leads programmatic efforts to secure our Nation’s chemical infrastructure through implementation of the Chemical Facility Anti-Terrorism Standards (CFATS) regulation, authority for which is expiring on July 27, 2023.”  

The CFATS regulatory program focuses on security at high-risk chemical facilities. Managed by the CISA, the CFATS program identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists. The CFATS regulation applies to facilities across many industries – chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, colleges and universities, laboratories, paint and coatings, healthcare and pharmaceuticals, among others.

Last August, the administration of U.S. President Joe Biden announced that it is set to address the cybersecurity issues faced by the chemical sector, consistent with the president’s Executive Order 14028 released in May 2021. The voluntary-first approach to cybersecurity will assist the chemical sector in a fourth 100-day sprint to gain insights into the cybersecurity posture of the nation’s critical infrastructure and improve its resilience. Operators in the chemical sector will follow their counterparts in the critical electric sector, gas pipelines, and water treatment plants in being asked to facilitate visibility into their systems.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.