US Senate fails to reauthorize CFATS program, affecting chemical facility security measures

The U.S. Senate failed last week to pass legislation that reauthorizes the Chemical Facility Anti-Terrorism Security (CFATS) program, prior to its expiration date of July 27, 2023. Senator Rand Paul, a Republican from Kentucky, blocked the H.R. 4470 bill in the Senate that would re-authorize the U.S. program to address terrorism and site security, allowing it to expire at the end of Thursday.

The bill was to extend the authorization of the program of the Department of Homeland Security (DHS) until July 27, 2025. The failure of the Senate to reauthorize the CFATS program has significant implications for chemical facility security measures, potentially putting these facilities at risk.

Paul feared that the bill was being rushed through the Senate. He said there were no hearings about CFATS or whether it was effective. “We tend to re-authorise things without ever examining whether they work, what works and what doesn’t work.” He conditioned his support for the re-authorization bill on an amendment that would create what he called a duplicative scoring system for every future proposal brought before legislators. The system would determine how many programs in the bill are duplicated by ones that already exist in the government.

“I urge my colleagues to support my amendment, which would continue the programme, allow it to be re-authorised, but at the same time, begin having a duplication score on every new proposal,” Paul said in a speech.

Senate approval of the chemical site-security bill was the next step needed before it could be signed into law by the president.

Introduced by Congresswoman Laurel Lee, a Republican from Florida, the bill H.R. 4470, ‘Protecting and Securing Chemical Facilities from Terrorists Attacks Act of 2023,’ passed in the House of Representatives last week. 

“The CFATS program identifies and regulates high-risk chemical facilities across the U.S. to ensure they have security measures in place to reduce the risks associated with certain chemicals and terrorist threats posed by foreign actors,” Laurel Lee said in a statement. “My bill will ensure that the CFATS Program remains authorized so that Department of Homeland Security Officials can continue working with these facilities to keep our communities safe.”

“I am proud the House worked on a bipartisan basis today to keep chemical facilities protected from terrorists and safeguard the surrounding communities in the event of an emergency,” according to Mark Green, House Committee on Homeland Security Chairman. “As threats to the homeland grow more complex, DHS must continue utilizing CFATS to ensure the physical and cyber security of regulated facilities in strong partnership with the private sector.”

“I applaud the House for working in a bipartisan manner to reauthorize the CFATS Program, ensuring communities across the country can remain protected from terrorist attacks,” Lee continued. “Collaboration between industry leaders and the Department of Homeland Security has never been more important with cyberattacks becoming more common. I’d like to thank Chairman Green for his leadership and support during the process of moving this bill.”

CFATS has a 15-year regulatory history, and the program has continued to deliver real results. According to the DHS, the agency has seen facilities increase their security measures by almost 60 percent under CFATS. The CFATS regulatory program focuses specifically on security at high-risk chemical facilities. Managed by CISA, the CFATS program identifies and regulates high-risk facilities to ensure security measures are in place to reduce the risk that certain dangerous chemicals are weaponized by terrorists.

Last October, the U.S. administration expanded its industrial control systems (ICS) cybersecurity initiative to the chemical sector. The Chemical Action Plan will serve as a roadmap to guide the sector’s assessment of their current cybersecurity practices over the next 100 days, building on the lessons learned and best practices of the previously launched action plans for the electric, pipeline, and water sectors to meet the needs for this sector.

Reactions to the Congress’ failure to pass the legislation were quick to come in. 

Eric R. Byer, president and CEO of the National Association of Chemical Distributors (NACD), said in a statement that his agency has been ringing the alarm about the approaching deadline for months. “Now that the program has regrettably expired, our nation’s sensitive chemical facilities have the difficult challenge of navigating a wide range of national security risks— including physical, cyber, and emerging artificial intelligence risks—on their own. The industry will be left to manage these threats without the invaluable insight and partnership with the U.S Department of Homeland Security,” he added.

“Given the vital role of chemicals in our economy and their unique vulnerabilities, it’s imperative that we take the necessary steps to protect this critical infrastructure from a range of threats posed by the country’s adversaries,” according to Byer. “I am incredibly disappointed that the U.S. Senate failed to reauthorize the CFATS program ahead of its expiration last night, potentially leaving our nation’s security exposed.”

Byer added that the NACD will continue to work with Congressional leaders to underscore the importance of this critical program and call on Congress to immediately reinstate and extend CFATS to ensure the security of the American people. 

The American Chemistry Council (ACC) expressed deep concern and disappointment regarding the expiration of the CFATS program. It said in a statement that by allowing CFATS to expire our industry and the country lost a valuable tool in the ongoing fight against terrorism. “ACC and its members called on Congress to pass an extension for CFATS because the program provides a strong yet flexible national approach to chemical security. The Senate failed us by adjourning without acting to keep CFATS in place,” it added.

“The loss of CFATS creates immediate risks and problems by limiting the ability to vet personnel, increasing exposure to cyber threats, and opening the door to a patchwork of federal and state regulations,” according to the ACC. “Congress must get back to work immediately to reinstate CFATS to help keep our industry and America safe.”

Chemical security expert Patrick Coyle identified in his blog that the people most obviously affected by the program’s death are the folks in CISA that were responsible for managing the program and overseeing its implementation in the field. “The Office of Chemical Security will almost certainly carry on, but probably at a reduced level. They still have the ChemLock program to oversee and the Ammonium Nitrate Security Program still needs to be stood up. Even so, there are almost certainly positions within OCS that will not survive the end of the fiscal year.”

He added that another, less easily recognized group affected by the programmatic death of CFATS, is a small contingent of advisors, contractors and consultants that have been supporting industry’s implantation of the CFATS program at the facility level. “For smaller companies covered by CFATS, these hard working folks provide the expertise and vision that allowed many companies to successfully standup security programs and compliance efforts.”

Coyle added that the over 3200 facilities that saw their coverage under the CFATS program evaporate on Thursday are going to be impacted. “Their security issues remain, but the spending justification has disappeared. Each facility is going to have to evaluate what they can continue to afford in the way of security measures.”

Last month, a bipartisan group of the U.S. House Energy and Commerce Committee members wrote to the CISA director regarding the status and renewal of the CFATS program.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.