51.5 F
Washington D.C.
Friday, March 1, 2024

CFATS Expiration: Leaving Open an Opportunity for Disaster

Last summer, Congress allowed the Chemical Facility Anti-Terrorism Standards (CFATS) program’s statutory authority to expire, leaving our nation without a regulatory chemical security program for the first time in 15 years. 

Through the CFATS program, the Cybersecurity and Infrastructure Security Agency (CISA) identified facilities with dangerous chemicals to reduce the risk that those chemicals could be weaponized by terrorists and other bad actors. The CFATS program was developed as a direct response to the terrorist attacks of 9/11, with the goal of preventing another attack of that scope. The 300+ chemicals monitored by the CFATS program—in the hands of those intent on harm—have the capability to release a deadly toxic plume or create a devastating explosion.

Through CFATS, CISA screened more than 40,000 chemical facilities, identified 3,200 of those sites as high-risk, and worked with those facilities to understand the risks posed by their chemical holdings and develop appropriate security plans. CISA was constantly monitoring the landscape of dangerous chemicals across the nation as individual facilities tiered in and out of the program based on increases or decreases in these chemical holdings. Without CFATS, our agency no longer has an accurate national profile of the locations of these dangerous chemicals. We estimate that over the past four months, a minimum of 180 new chemical facilities have already acquired dangerous chemicals that ought to be more carefully secured; other facilities could be stockpiling these chemicals in excess of their existing security precautions, increasing the risk of terrorist exploitation.

Under CFATS, chemical facilities were required to develop site-specific security plans to mitigate the risks associated with possession of dangerous chemicals. Without CFATS, we cannot inspect security at sites that we know are high-risk. We cannot assist these facilities with security planning efforts unless they approach the agency voluntarily for an assessment via the ChemLock program. We were conducting an average of 160 site inspections every month under CFATS; of those, more than a third identified security gaps, which were then added to site security plans for remediation. We can safely estimate that hundreds of security gaps have gone unidentified since July, meaning that chemical facilities are operating with no knowledge of these gaps or guidance on how to address them.

History has shown that hostile actors have attempted to use legitimate means to gain access to dangerous chemicals. To reduce this risk, CFATS mandated that anyone who might have direct access to a facility’s high-risk chemicals be vetted against the Terrorist Screening Database. CFATS allowed CISA to vet an average of 300 new names per day for persons with terrorist ties. Since the program lapse, we have been unable to vet individuals gaining this level of access to dangerous chemicals. This means that since the end of July, around 41,000 unvetted individuals now have access to dangerous chemicals and are in a position to use them in an attack on our communities.

Over the past 15 years, CFATS has improved security at high-risk chemical facilities by an average of nearly sixty percent. To meet CISA’s security standards, high-risk facilities have implemented tens of thousands of new security measures such as cameras, alarms, fences and locks, training programs, cybersecurity, and community outreach. These tens of thousands of security improvements no longer have to remain in place.

High-risk chemical facilities are not evenly distributed across the country. Nor are they distributed uniformly across a state, or even within a single county. And far from what you might expect, they are not always isolated to the outskirts of well-populated areas. Of the over 3,200 facilities that CISA had determined to be at high risk of chemical terrorism, twenty-eight percent of them are located in the largest urban areas in the country. Over 7,000 schools, colleges, or universities stand within one mile of a high-risk facility. The same is true for more than 300 hospitals. A terrorist incident at any one of these facilities could impact our most vulnerable citizens, along with their families, coworkers, and the surrounding community.

One of the CFATS program’s unsung virtues is the way that it reduces risk exposure for our nation’s most underserved communities—communities that may be situated near a facility with dangerous chemicals yet lack the economic or political resources to advocate for adequate security measures.  What the CFATS program has done is provide a measure of equality that comes from having a single national set of standards, rather than the patchwork of standards that existed on a state-by-state, or even county-by-county basis before the program was implemented. Now, those protections are gone, leaving each community to advocate for its own security with whatever economic resources and political levers are available.

We cannot afford to pay the price of inaction. The CFATS program is a rare example of a regime that is successful in implementing its regulations, directly strengthens our safety and security, and is supported by its regulated industry. When regulatory programs function properly, when they are non-controversial, it can be easy to underestimate the effects of their absence. We can’t afford to wait until an attack on a chemical facility shows us just how steep the price is of letting CFATS expire. 

We know the threat of chemical terrorism did not go away simply because the CFATS program expired. We know the best practices to protect dangerous chemicals against terrorist exploitation still work, and we continue to strive to share that knowledge with the chemical industry via the ChemLock program on a voluntary basis. We must face the fact that the absence of the CFATS program is a national security gap too great to ignore. As we call on the American people to examine the resiliency plans for the critical infrastructure that supports our everyday lives, we at CISA also call on Congress to reauthorize CFATS as a pillar of security and resilience for the nation’s chemical sector.

Kelly Murray
Kelly Murray
Kelly Murray is the Associate Director at Cybersecurity and Infrastructure Security Agency. Kelly brings a wealth of knowledge and experience in chemical security to her position of Associate Director for Chemical Security at DHS. Over the last 13 years, she has been integral not only to developing and implementing the CFATS program, but also to growing the extensive stakeholder relationships across CISA’s critical infrastructure partners. Prior to joining the Department of Homeland Security, Murray was a government consultant who worked with the Federal Emergency Management Agency on disaster recovery and reconstitution efforts after Hurricane Katrina. She also worked with the Department of Defense on exercises, mobility and logistics, and war plans. Kelly earned a bachelor’s degree from Indiana University in mathematics with minors in Information Technology, Economics, and Spanish, and recently graduated from the Federal Executive Institute.

Related Articles

- Advertisement -

Latest Articles