Thousands of facilities across the United States contain hazardous chemicals that could be used by terrorists to inflict mass casualties or harm surrounding populations. In accordance with the Department of Homeland Security (DHS) Appropriations Act, 2007, DHS established the Chemical Facility Anti-Terrorism Standards (CFATS) program to, among other things, identify and assess the security risk posed by chemical facilities. DHS inspects high-risk facilities after it approves facility security plans to ensure that the facilities are implementing required security measures and procedures.
The Government Accountability Office issued a statement on February 27 on the progress and challenges related to DHS’s CFATS program management. This statement is based on prior products GAO issued from July 2012 through August 2018, along with updates as of September 2018 on actions DHS has taken to address GAO’s prior recommendations.
In the statement, GAO says DHS has made progress addressing challenges that GAO’s previously identified to managing the Chemical Facility Anti-Terrorism Standards (CFATS) program.
Identifying high-risk chemical facilities. In July 2015, GAO reported that DHS used self-reported and unverified data to determine the risk of facilities holding toxic chemicals that could threaten surrounding communities if released. GAO recommended that DHS should better verify the accuracy of facility-reported data. DHS implemented this recommendation by revising its methodology so it now calculates the risk of toxic release, rather than relying on facilities to do so.
Assessing risk and prioritizing facilities. In April 2013, GAO reported weaknesses in multiple aspects of DHS’s risk assessment and prioritization approach. To improve this process, GAO recommended that DHS enhance its risk assessment approach to incorporate all elements of risk and conduct a peer review after doing so. DHS implemented both recommendations by revising the CFATS risk assessment methodology to include threat, vulnerability, and consequence to better cover the range of security issues, and conducting peer reviews and technical reviews to verify and validate the CFATS program’s new risk assessment approach.
Reviewing and approving facility site security plans. DHS is to review facility security plans to ensure their security measures meet DHS standards. In April 2013, GAO reported a 7- to 9-year backlog for these reviews. In July 2015, GAO reported that DHS had made substantial progress in addressing the backlog—estimating that it could take between 9 and 12 months for DHS to review and approve security plans for the approximately 900 remaining facilities. DHS has since taken additional action to expedite these activities and has eliminated this backlog.
Inspecting facilities and ensuring compliance. In July 2015, GAO found that nearly half of the facilities DHS had inspected were not fully compliant with their approved security plans and that DHS did not have documented procedures for managing facilities’ compliance. GAO recommended that DHS document procedures for managing compliance. DHS revised CFATS procedures that, as of February 2019, GAO is reviewing to determine if they sufficiently address the recommendation.
Conducting stakeholder and first responder outreach. In August 2018, GAO reported that DHS shares some CFATS information with first responders and emergency planners but these stakeholders may not have all of the information they need to minimize the risk of injury or death when responding to incidents at high-risk facilities. GAO recommended that DHS should, among other things, take actions to explore opportunities to improve information-sharing with first responders and emergency planners. DHS concurred with this recommendation and reported that it is conducting additional outreach and taking other actions to implement it.