Since 2013, the Department of Homeland Security (DHS) has strengthened its processes for identifying high-risk chemical facilities and assigning them to tiers under its Chemical Facility Anti-Terrorism Standards (CFATS) program.
Among other things, DHS implemented a quality assurance review process to verify the accuracy of facility self-reported information used to identify high-risk facilities. DHS also revised its risk assessment methodology—used to assess whether chemical facilities are high-risk and, if so, assign them to a risk-based tier—by incorporating changes to address prior GAO recommendations and most of the findings of a DHS-commissioned peer review. For example, the updated methodology incorporates revisions to the threat, vulnerability, and consequence scoring methods to better cover the full range of security issues regulated by CFATS.
As of February 2018, a total of 29,195 facilities—including all 26,828 facilities previously assessed and 2,367 facilities new to the program—were assessed using DHS’s revised methodology. DHS designated 3,500 of these facilities as high-risk and subject to further requirements.
DHS has also made substantial progress conducting and completing compliance inspections and has begun to take action to measure facility security but does not evaluate vulnerability reduction resulting from the CFATS compliance inspection process. In 2013, GAO found that the backlog of chemical facility security plans awaiting review affected DHS’s ability to conduct compliance inspections, which are performed after security plans are approved. Since then DHS has made progress and increased the number of completed compliance inspections.
As of May 2018, DHS had conducted 3,553 compliance inspections. DHS has also begun to update its performance measure for the CFATS program to evaluate security measures implemented both when a facility submits its initial security plan and again when DHS approves its final security plan. However, GAO found that DHS’s new performance measure methodology does not measure reduction in vulnerability at a facility resulting from the implementation and verification of planned security measures during the compliance inspection process. Doing so would provide DHS an opportunity to begin assessing how vulnerability is reduced—and by extension, risk lowered—not only for individual high-risk facilities but for the CFATS program as a whole.
DHS shares some CFATS information, but first responders and emergency planners may not have all of the information they need to minimize the risk of injury or death when responding to incidents at high-risk facilities. Facilities are currently required to report some chemical inventory information, but GAO found that over 200 CFATS chemicals may not be covered by these requirements.
To improve access to information, DHS developed a secure interface called the Infrastructure Protection (IP) Gateway that provides access to CFATS facility-specific information that may be missing from required reporting. However, GAO found that the IP Gateway is not widely used at the local level. In addition, officials from 13 of the 15 Local Emergency Planning Committees—consisting of first responders and covering 373 CFATS high-risk facilities—told GAO they did not have access to CFATS data in the IP Gateway.
By encouraging wider use of the IP Gateway, DHS would have greater assurance that first responders have information about high-risk facilities and the specific chemicals they possess.