[Rules and Regulations]
[Page 17687-17745]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr09ap07-17]
[[Page 17687]]
-----------------------------------------------------------------------
Part III
Department of Homeland Security
-----------------------------------------------------------------------
6 CFR Part 27
Chemical Facility Anti-Terrorism Standards; Final Rule
[[Page 17688]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
6 CFR Part 27
[DHS-2006-0073]
RIN 1601-AA41
Chemical Facility Anti-Terrorism Standards
AGENCY: Department Of Homeland Security.
ACTION: Interim final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS or Department) issues
this interim final rule (IFR) pursuant to Section 550 of the Homeland
Security Appropriations Act of 2007 (Section 550), which provided the
Department with authority to promulgate ``interim final regulations''
for the security of certain chemical facilities in the United States.
This rule establishes risk-based performance standards for the
security of our Nation's chemical facilities. It requires covered
chemical facilities to prepare Security Vulnerability Assessments
(SVAs), which identify facility security vulnerabilities, and to
develop and implement Site Security Plans (SSPs), which include
measures that satisfy the identified risk-based performance standards.
It also allows certain covered chemical facilities, in specified
circumstances, to submit Alternate Security Programs (ASPs) in lieu of
an SVA, SSP, or both.
The rule contains associated provisions addressing inspections and
audits, recordkeeping, and the protection of information that
constitutes Chemical-terrorism Vulnerability Information (CVI).
Finally, the rule provides the Department with authority to seek
compliance through the issuance of Orders, including Orders Assessing
Civil Penalty and Orders for the Cessation of Operations.
EFFECTIVE DATES: This regulation is effective June 8, 2007, except for
Appendix A to part 27. A subsequent final rule document will announce
the effective date of Appendix A to Part 27.
Comment related to the addition of Appendix A to part 27 only will
be accepted until May 9, 2007.
ADDRESSES: You may submit comments, identified by docket number 2006-
0073, by one of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: IP/CSCD/Dennis Deziel, Mail Stop 8100, Department of
Homeland Security, Washington, DC 20528-8100.
FOR FURTHER INFORMATION CONTACT: Dennis Deziel, Chemical Security
Regulatory Task Force, Department of Homeland Security, 703-235-5263.
SUPPLEMENTARY INFORMATION: This interim final rule is organized as
follows: Section I explains the public participation provisions and
provides a brief discussion of the statutory and regulatory authority
and history; Section II summarizes the changes from the Advance Notice
of Rulemaking and discusses the revised rule text; Section III
summarizes and responds to the comments the Department received in
response to the Advance Notice of Rulemaking; and Section IV contains
the regulatory analyses for this interim final rule.
Table of Contents
I. Introduction and Background
A. Public Participation
B. Statutory and Regulatory Authority and History
II. Interim Final Rule
A. Summary of Changes From Advance Notice of Rulemaking
B. Rule Provisions
III. Discussion of Comments
A. Applicability of the Rule
1. Definition of ``Chemical Facility or Facility''
2. Multiple Owners or Operators
3. Classifying Facilities Based on Hazard Class
4. Applicability to Specific Chemicals or Quantities of
Chemicals
5. Applicability to Types of Facilities
6. Statutory Exemptions
B. Determining Which Facilities Present a High-Level of Security
Risk
1. Use of the Top-Screen Approach
2. Assessment Methodologies
3. Risk-Based Tiers
C. Security Vulnerability Assessments and Site Security Plans
1. General Comments
2. Submitting a Site Security Plan
3. Content of Site Security Plans
4. Approval of Site Security Plans
5. Timing
6. Alternate Security Programs
D. Risk-Based Performance Standards
1. General Approach To Performance Standards
2. Comments about Specific Performance Standards
3. Variations in Performance Standards for Risk Tiers
4. Adoption of MTSA Provisions
E. Background Checks
F. Inspections and Audits
1. Inspections
2. Third-Party Auditors and Inspectors
G. Recordkeeping
H. Orders
I. Adjudications and Appeals
J. Information Protection: Chemical-terrorism Vulnerability
Information (CVI)
1. General
2. Disclosure of CVI
3. Scope of CVI
4. Relation of CVI to Other Categories of Protected Information
and FOIA
5. Sharing CVI with State and Local Officials, the Public, and
Congress
6. Litigation
7. Protection of CVI
K. Preemption
L. Implementation of the Rule
M. Other Issues
1. Whistleblower Protection
2. Inherently Safer Technology
3. Delegation of Responsibility
4. Interaction with Other Federal Rules and Programs
5. Third-Party Actions
6. Judicial Review
7. Guidance and Technical Assistance
8. Miscellaneous Comments
N. Regulatory Evaluation
IV. Regulatory Analyses
A. Executive Order 12866: Regulatory Planning and Review
B. Regulatory Flexibility Act
C. Executive Order 13132: Federalism
1. Background
2. Propriety of the Department's View on Preemption
3. No Field Preemption
4. Principles of Conflict Preemption
D. Unfunded Mandates Reform Act
E. Paperwork Reduction Act
F. NEPA
I. Introduction and Background
A. Public Participation
Interested persons are invited to participate in this rulemaking by
submitting written data, views, or arguments on Appendix A of this
interim final rule. Comments that will provide the most assistance to
DHS in finalizing the Appendix will reference specific chemicals and
Screening Threshold Quantities on the list, explain the reason for any
recommended change, and include data, information, or authority that
support such recommended change.
Instructions: All submissions received must include the agency name
and docket number for this rulemaking. All comments received will be
posted without change to http://www.regulations.gov, including any
personal information provided.
Comments that include trade secrets, confidential commercial or
financial information, Sensitive Security Information (SSI), or
Protected Critical Infrastructure Information (PCII) should not be
submitted to the public regulatory docket. Please submit such comments
separately from other comments on the rule. Comments containing trade
secrets, confidential commercial or financial information, Sensitive
Security Information (SSI), or Protected Critical Infrastructure
Information (PCII) should be appropriately marked as containing such
information and submitted by mail
[[Page 17689]]
to the individual(s) listed in the FOR FURTHER INFORMATION CONTACT
section.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov. Submitted comments
by mail may also be inspected. To inspect comments, please call Dennis
Deziel, 703-235-5263, to arrange for an appointment.
B. Statutory Regulatory Authority and History
On October 4, 2006, the President signed the Department of Homeland
Security Appropriations Act of 2007 (the Act), which provides the
Department of Homeland Security with the authority to regulate the
security of high-risk chemical facilities. See Pub. L. 109-295, sec.
550. Section 550 requires the Secretary of Homeland Security to
promulgate interim final regulations ``establishing risk-based
performance standards for security of chemical facilities'' by April 4,
2007. Id. Although interim final regulations are usually issued without
prior notice and comment (and the Act requires neither), the Department
issued an Advance Notice of Rulemaking (Advance Notice) seeking comment
on the significant issues and regulatory text. See generally 71 FR
78276 (Dec. 28, 2006).
As discussed more fully in the Advance Notice, before the enactment
of Section 550, the Federal government did not have authority to
regulate the security of most chemical facilities. The Department has,
however, worked closely with industry leaders in pursuit of voluntary
enhancement of security at these facilities and provided both technical
assistance and grant funding for security. In addition, through the
Coast Guard's Maritime Security regulations, the Department has
addressed security at certain maritime-related chemical facilities. See
33 CFR Part 105. Recently, the Departments of Homeland Security and
Transportation also proposed security regulations for the rail
transportation of hazardous chemicals. See 71 FR 76834, 71 FR 76851
(Dec. 21, 2006). Other Federal programs have addressed chemical
facility safety, but not security: the Environmental Protection Agency
(EPA) regulates chemical process safety through its Risk Management
Plan (RMP) program; the Department of Labor's Occupational Safety and
Health Administration (OSHA) regulates workplace safety and health at
chemical facilities; the Department of Commerce oversees compliance
with the Chemical Weapons Convention; and the Department of Justice's
Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) regulates,
through licenses and permits, the purchase, possession, storage, and
transportation of explosives.
With the authority under Section 550, the Department can now fill a
significant security gap in the country's anti-terrorism efforts.
Section 550 specifies that the regulations ``shall apply to chemical
facilities that, in the discretion of the Secretary, present high
levels of security risk.'' The statute requires that the regulations
establish risk-based performance standards; requires Security
Vulnerability Assessments and Site Security Plans; allows Alternative
Security Programs; mandates audits and inspections to determine
compliance with the regulations; provides for civil penalties for
violation of an order issued under the statute; and allows the
Secretary to order a facility to cease operations if the facility is
not in compliance with the requirements. The statute also gives the
Department the authority to protect from inappropriate public
disclosure any information developed pursuant to Section 550,
``including vulnerability assessments, site security plans, and other
security related information, records, and documents.''
As discussed in the Advance Notice, by directing the Secretary to
issue ``interim final regulations,'' Congress authorized the Secretary
to proceed without the traditional notice-and-comment required by the
Administrative Procedure Act. See 71 FR 78276, 78277. The Department,
however, saw great benefit in soliciting comments on as much of the
program as was practicable in the short timeframe permitted under the
statute. Accordingly, the Department voluntarily sought comment on a
range of regulatory and implementation issues and responds to the
comments below.
II. Interim Final Rule
A. Summary of Changes From Advance Notice of Rulemaking
In this interim final rule, the Department has not changed the
general, risk-based approach it proposed in the December 28, 2006,
Advance Notice. See 71 FR 78276. As discussed in detail below, the
Department plans to implement the regulation in phases, starting to
work aggressively with chemical facilities presenting the very highest
security risks first. The Department adopts a risk-based tiering
structure in its regulatory approach, so that the Department's scrutiny
of facilities under this regulation increases as the level of risk
increases. Even though this approach remains the same, the Department
provides further details below on a number of unresolved issues
presented in the Advance Notice. For example, the Department provides
further detail on the issues surrounding background checks for those
with access to high-risk facilities, and the Department describes its
approach on facilities possessing ammonium nitrate.
On several important issues, the Department has reconsidered and
modified the position it proposed in the Advance Notice. For example,
in response to comments, the Department has restructured its provisions
concerning objections, consultations, adjudications, and appeals. As
discussed below, the Department's aim is to provide flexibility and
assistance for facilities seeking to comply with the regulatory
standards. The Department has decided, however, to incorporate a role
for a neutral adjudicator where unresolved differences present
themselves and result in significant fines or other penalties. In
addition, the Department has modified a number of scheduling and timing
requirements in response to comments, and the Department further
explains its approach on preemption of state and local law after
considering the numerous comments on that subject. Although the
Department continues to view as important the opportunity for
facilities to submit Alternative Security Programs, the Department
modified the circumstances in which it will accept Alternative Security
Programs.
Finally, the Department will consider the issues surrounding the
use of fees in this regulatory program. The Department is contemplating
the assessment of different fees, including filing fees, fees for
inspections and audits, and fees for the screening of individuals
against the Terrorist Screening Database. The Department has not
provided for fees in this interim final rule, but may, in the future,
propose and seek comment on the issues surrounding fees for this
regulatory program.
B. Rule Provisions
This section summarizes the regulatory text changes that the
Department has made to this interim final rule. In addition to the
summary contained in this section, we have, in many cases, provided a
more extensive discussion of the change, and the reason for the change,
in the response to comments below. See Sec. III ``Discussion of
Comments.'' Finally, to the extent that the Department has made
technical corrections or corrected typographical errors, we do not
specifically discuss them.
[[Page 17690]]
Subpart A
Section 27.100 Purpose
The Department has added a Purpose section to the rule. It states
the Department's purpose and intent in issuing this rule and enforcing
this regulatory program.
Section 27.105 Definitions
For purposes of clarity, DHS has added several definitions,
including ``Chemical Security Assessment Tool,'' ``Chemical-terrorism
Vulnerability Information,'' ``Deputy Secretary,'' ``Director of the
Chemical Security Division'' and ``Screening Threshold Quantity.'' The
Department has also revised a few definitions, including ``Assistant
Secretary'' and ``Under Secretary.'' The Department revised ``Under
Secretary'' as a result of organizational changes in the Department
following the Post-Katrina Emergency Reform Act, which the President
signed on October 4, 2006. See Public Law 109-295, Title VI. In several
places, the Department indicated that the named official, or his
designee, has the specified responsibility under the regulation. The
Department also revised the definition of ``Alternate Security
Program,'' to provide consistency with changes the Department has since
made to Sec. 27.235, the Alternate Security Programs section. The
Department expanded upon the definition of ``tier,'' adding that, for
purposes of this part, there are four risk-based tiers.
Finally, the Department made clarifying changes to ``Chemical
Facility,'' ``Covered Chemical Facility,'' and ``Owner.'' With respect
to the definition of ``Chemical Facility,'' the Department removed the
circular nature of the definition in the Advance Notice (i.e., a
chemical facility shall mean any facility) (emphasis added) and now
provides that a chemical facility ``shall mean any establishment that
possesses or plans to possess * * *.''
Section 27.120 Designation of a coordinating official; Consultations
and technical assistance
The language in revised Sec. 27.120(a) makes clear that the
Assistant Secretary will designate a Coordinating Official responsible
for ensuring the uniform, impartial, and fair implementation of these
regulations. The language in revised Sec. 27.120(b) indicates that the
Coordinating Official and his staff shall provide guidance to
facilities, and while the Coordinating Official and his staff will be
available for consultation and to provide technical assistance, they
will be available only to the extent that resources permit.
In Sec. 27.120(c), the Department has provided specific details as
to how a facility requests the assistance of the Coordinating Official.
In the second sentence of Sec. 27.120(c), the Department provides that
requests for consultation or technical guidance do not serve to toll
any of the applicable timelines set forth in this part. Accordingly,
regardless of whether or when a facility submits a request for
consultation or technical guidance, the Department will require the
facility to comply with the regulatory requirements, such as completing
the Top-Screen, identifying vulnerabilities in the Security
Vulnerability Assessment, and developing and implementing a Site
Security Plan.
The Department has added a new provision in Sec. 27.120(d). This
provision provides that a covered facility may request a consultation
with the Coordinating Official if it modifies its facility, processes,
or the types or quantities of materials that it possesses, and believes
such changes may impact the covered facility's obligations under this
part. The Department added this provision in response to commenters
concerned about a facility's ability to ``exit'' the regulatory
program. The Department recognizes that facilities that reduce risk to
levels below those levels that the Department deems as that
characterized for Tier 4 facilities (i.e., the lowest risk facilities
of the ``high risk'' facilities) or that eliminate certain risks
altogether may no longer need to be covered by this regulation. This
provision allows the covered facility to request the initiation of the
screening process (which determines whether or not the facility is
high-risk and therefore whether the facility is or is not included in
this regulatory program) prior to the facility's next scheduled CSAT
Top-Screen submission pursuant to Sec. 27.210. Through this
consultation process, the facility may initiate discussions with the
Department and ultimately accelerate the process for determining
whether it can ``exit'' the regulatory program.
Subpart B
Section 27.200 Information regarding security risk for a chemical
facility
The Department has added several new provisions to this section.
The Department has revised paragraph (b), by incorporating language
from proposed Sec. 27.200(a) of the Advance Notice and by also adding
new provisions. The two sentences in paragraph (b)(1) come from the end
of proposed Sec. 27.200(a). Paragraph (b)(1) provides that the
Assistant Secretary may seek the information listed in paragraph (a) by
contacting chemical facilities individually or by publishing a notice
in the Federal Register. It also provides that the Assistant Secretary
may instruct facilities to complete and submit a Top-Screen through a
secure Department Web site or through any other means approved by the
Assistant Secretary.
Paragraph (b)(2) is a new provision. It provides that a facility
must complete and submit a Top-Screen in accordance with the schedule
provided in Sec. 27.210 if it possesses any of the chemicals listed in
Appendix A: ``DHS Chemicals of Interest'' at the corresponding
quantities. For a further discussion of Appendix A, see the discussion
of Appendix A further below in the Rule Provisions section. The purpose
of this provision is to give facilities direction as to whether or not
they must complete and submit a Top-Screen.
As noted in the discussion of Appendix A, the presence or amount of
a particular chemical is not an indicator of a facility's coverage
under this rule. The presence or amount of a chemical in the Appendix
is merely a baseline threshold requiring a facility to complete and
submit a Top-Screen. (Consistent with Sec. 27.200(b)(1), DHS will
retain the ability to notify facilities, through direct notification or
Federal Register notice, that they need to complete and submit a Top-
Screen.) The information that the Department will obtain through the
Top-Screen process is only one of several factors that the Department
will consider in determining whether a facility is ``high-risk'' and
thus covered by this rule.
Paragraph (b)(3) addresses the requirements for individuals who
submit information to the Department through the CSAT system, which
includes the Top-Screen process. Paragraph (b)(3) provides that, where
the Department requests that a facility complete and submit a Top-
Screen, the facility must designate a person to be responsible for the
submission of information through the CSAT system. (The CSAT system is
comprised of three sequential parts: the Top-Screen, the SVA, and the
SSP). The Department provides that any such submitter must be an
officer of the corporation or other person designated by an officer of
the corporation, and must be domiciled in the United States. The
Department had contemplated such requirements in Appendix A to the
Advance Notice and now finalizes them here.
Consistent with the explanation in Appendix A to the Advance
Notice, the
[[Page 17691]]
Department notes that a facility may choose to have another individual,
in addition to the above-discussed ``submitter,'' involved in the
submission of information through the Top-Screen. That other individual
is a ``provider.'' A provider would be a qualified individual who is
familiar with the facility in question and who completes the
information in the CSAT system. The provider, however, would not
formally submit information to the Department. The individual
responsible for sending information to the Department through the CSAT
system (whether Top-Screen, SVA, or SSP) is always the submitter. And
as indicated in paragraph (b)(3), the submitter is also responsible for
attesting to the accuracy of the submitted information.
Paragraphs (c)(1) and (2) address facilities that the Department
deems as ``presumptively high risk.'' Both paragraphs were in the
Advance Notice, though they were located in proposed Sec. Sec.
27.200(b) and (c).
Section 27.205 Determination that a chemical facility ``presents a high
level of security risk.''
The Advance Notice, at the end of Sec. 27.205(a), contained a
provision about Departmental notification to facilities of their
preliminary placement in a risk-based tier. The Department has moved
that language to Sec. 27.220 ``Tiering,'' so that it is located with
the related tiering provisions.
In addition, the Department has removed proposed Sec. 27.205(c),
along with Sec. Sec. 27.220(b), and 27.240(c), all of which had
contained a mechanism for objections. In the Advance Notice, the
Department had provided facilities with the opportunity to object to
the following three Departmental actions: determination that a facility
``presents a high level of risk,'' placement in a high-risk tier, and
disapproval of a facility's Site Security Plan. The intention behind
those provisions was to provide facilities with an informal opportunity
to consult with the Department. The Department believes that the rule
(including existing provisions from the Advance Notice as well as new
provisions in this interim final rule) provides facilities with several
opportunities for consultation when they disagree with an initial
decision on these matters. Specifically, revised Sec. 27.120(b)
provides that the Coordinating Official and his staff shall be
available to consult and to provide technical assistance to a facility
owner or operator, revised Sec. 27.120(c) provides the details for how
a facility should initiate consultations or assistance, and revised
Sec. 27.120(d) provides that a covered facility may request a
consultation if it modifies its facility, processes, or the types or
quantities of materials that it possesses and believes such changes may
impact the covered facility's obligations under this part. In addition,
Sec. Sec. 27.240(b) and 27.245(b) provide that a facility shall enter
further consultations following Departmental written notification that
a Security Vulnerability Assessment or Site Security Plan is
unsatisfactory. Given that the rule already provides consultation
opportunities, coupled with the fact that the Department has greatly
modified its adjudication and appeal provisions, the Department
believes it is unnecessary to retain these objections provisions and
has thus removed them from the interim final rule.
Section 27.210 Submissions Schedule
In Sec. 27.210, the Department clarifies the submission schedule
for the Top-Screen, Security Vulnerability Assessment, and Site
Security Plan. In Sec. 27.210(a) of the Advance Notice, the Department
included a sentence indicating that the presumptive time frames were 60
days for the Security Vulnerability Assessment and 120 days for the
Site Security Plan. In this interim final rule, the Department has
added presumptive timeframes for the submission of the Top-Screen and
revised the presumptive timeframes for SVAs and SSPs. See Sec.
27.210(a) and (b). The presumptive timeframes for initial submissions
are 60 calendar days for the Top-Screen, 90 calendar days for the SVA,
and 120 calendar days for the SSP. The presumptive timeframes for
resubmission vary depending on a facility's tier. As a general matter,
the Department will require facilities in Tiers 1 and 2 to update their
Top-Screen, SVA, and SSP every two years, and facilities in Tiers 3 and
4 to update their Top-Screen, SVA, and SSP every three years.
In addition, the Department added a new paragraph (c), which
addresses the Department's authority to modify schedules as necessary.
The Department removed Sec. 27.210(c) as it appeared in the Advance
Notice, because the provision was unnecessary in light of the new
provisions in Sec. 27.120(b) and (c), ``Designation of a coordinating
official; consultations and technical assistance.''
Finally, the Department added a new paragraph (d), which addresses
material modifications. In Sec. Sec. 27.215(c)(3) and 27.225(b)(3) of
the Advance Notice, the Department provided that a covered facility had
to notify the Department of material modifications to the SVA or SSP
and that the Department would notify the facility within 60 days of
whether the Department disapproved the revised SVA or SSP. The
Department has re-located a new but similar requirement in Sec.
27.210(d). The regulation now provides that if a covered facility makes
material modifications to its operations or site, the covered facility
must complete and submit a revised Top-Screen to the Department within
60 days of completion of the material modification. In accordance with
the resubmission requirements in Sec. 27.210(b)(2) and (3), the
Department will notify the covered facility as to whether the covered
facility must submit a revised Security Vulnerability Assessment, Site
Security Plan, or both. As a result of this new paragraph (d), the
Department removed the provisions that appeared in Sec. Sec.
27.215(c)(3) and 27.225(b)(3) of the Advance Notice.
Section 27.215 Security Vulnerability Assessments and Section 27.225
Site Security Plans
The Department has revised several of the corresponding provisions
in both Sec. 27.215 and Sec. 27.225. First, the Department has
revised the corresponding provisions regarding methodologies.
Specifically, the Department has revised the language in Sec.
27.215(b) and added a new paragraph (b) in Sec. 27.225. In both
places, the Department explains that, except as provided in Sec.
27.235, a covered facility must submit either the SVA/SSP through the
CSAT process or any other methodology or process identified by the
Assistant Secretary.
By this change, the Department is making more explicit its
intention to use the CSAT process at this time. The CSAT process
includes completion of the Top-Screen process and, depending on the
results of the Top-Screen process, may also include the development of
a Security Vulnerability Assessment and the development of a Site
Security Plan. Thus, for facilities that are determined to be high-
risk, the CSAT process will consist of three sequential parts (i.e.,
the Top-Screen, SVA, and SSP). The Department also notes that
facilities will have to obtain access to the CSAT system by submitting
a user registration request. Section 27.200(b)(1) contains the
requirements for individuals (i.e., submitters) who will be submitting
information through the CSAT system and attesting to the accuracy of
that information.
Second, in paragraph (c) of both sections, the Department provides
that a covered facility must submit an SVA or SSP to the Department in
accordance
[[Page 17692]]
with the schedule provided in Sec. 27.210. This captures the
requirement that had been located in proposed Sec. 27.240(a)(1) of the
Advance Notice.
Third, in paragraph (d) of both sections, the Department revised
the update/revision provisions for submitting SVAs and SSPs. In the
Advance Notice, the Department indicated that covered facilities must
update or revise their SVAs or SSPs based on a schedule set by the
Assistant Secretary. Because the Department has established a
submission schedule in Sec. 27.210, the Department now includes cross-
references in Sec. 27.215(d)(1) and Sec. 27.225(d)(2) to that
schedule. As a related matter, in Sec. 27.215(d), the Department moved
the general submissions schedule requirement to Sec. 27.215(d)(1),
thereby re-locating the provision formerly in Sec. 27.215(d)(1) to
Sec. 27.215(d)(2).
Fourth, the Department has removed the language about material
modifications from proposed Sec. 27.215(c)(3) and Sec. 27.225(b)(3).
As discussed in the summary of Sec. 27.210, the Department added a
new, but similar, provision to Sec. 27.210(d). The new provision now
captures the concept contemplated in proposed Sec. 27.215(c)(3) and
Sec. 27.225(b)(3).
With respect to changes to Sec. 27.225 only, the Department has
added a provision that requires facilities to conduct annual audits of
their Site Security Plans. See Sec. 27.225(e). This provision had been
implied in the recordkeeping requirement in the Advance Notice (see
Sec. 27.255(a)(6)) and is now explicit. DHS made some additional
revisions to the corresponding recordkeeping provision, in which DHS
more clearly specifies the audit-related records that covered
facilities should maintain.
Finally, throughout this document, the Department now uses the term
``Security Vulnerability Assessment'' (or SVA) instead of the term
``Vulnerability Assessment'' or (VA), which the Department had used in
the Advance Notice. The Department intends no change in meaning with
this revision.
Section 27.220 Tiering
The Department has added several paragraphs to this section.
Section 27.220(a) addresses the Department's preliminary determination
as to a facility's risk-based tier. Paragraph (a) is based on language
that had been in the Advance Notice at the end of Sec. 27.205(a). The
Department has elaborated on the Preliminary Tiering provision.
Notably, the Department has indicated that it shall notify a facility
of the Department's preliminary tiering decision. This contrasts with
the Advance Notice, which had merely indicated that the Department may
notify a facility of the Department's preliminary tiering decision.
Section 27.220(b) is not a new subsection; rather, it contains the
language that was previously located in Sec. 27.220(a). Note that the
Department has removed paragraph (b) as proposed in the Advance Notice.
Paragraph (b) had contained an objections provision. For a discussion
of the Department's decision to remove the objections provisions from
this rule (in Sec. Sec. 27.205(c), 27.220(b), and 27.240(c)), see the
summary under Sec. 27.205(c).
Section 27.220(c) is a new subsection. The Department is
reiterating, in part, what it provides in the definitions section. The
Department will place facilities in one of four risk-based tiers. Tiers
will range from Tier 1, which contains the highest-risk covered
facilities, to Tier 4, which contains the lowest-risk covered
facilities. Finally, the Department separated the sentence located at
the end of proposed Sec. 27.220(a) into its own section, Sec.
27.220(d).
Section 27.230 Risk-Based Performance Standards
This section contains the risk-based performance standards that
covered facilities must satisfy. The Department has added a sentence to
Sec. 27.230(a), noting that the ``acceptable layering of measures used
to meet the standards will vary by risk-based tier.'' While all
facilities must satisfy the performance standards, the measures
sufficient to meet those standards will be more robust for those
facilities that present higher levels of risk. In other words, the
manner in which the standards are applied will require a higher level
of security (and so provide for greater reduction in risk) for those
facilities that present higher levels of risk. The Department will
provide details about the application of these standards in guidance.
In addition, for each of the performance standards, the Department
has added a short descriptor at the beginning of the subparagraph
(e.g., paragraph (a)(1) begins with ``Restricted Area Perimeter,''
paragraph (a)(2) begins with ``Securing Site Assets,'' and so forth).
The Department has also revised some of the language related to
specific performance standards. Section 27.230(a)(4) now provides that
facilities must select, develop, and implement measures designed to
``[d]eter, detect, and delay an attack, creating sufficient time
between detection of an attack and the point at which the attack
becomes successful.'' This revised language more adequately captures
the concept that the Department had intended in the language in
paragraph (a)(4) of the Advance Notice and is more complete. Section
27.230(a)(5) now requires facilities to secure and monitor the storage
of hazardous materials, in addition to the shipping and receipt of
hazardous materials. Section 27.230(a)(8) now contains a broader
description of critical process systems. In the Advance Notice, the
Department had used the acronym ``SCADA'' (Supervisory Control and Data
Acquisition) to refer to instrumented control systems in general. In
this interim final rule, the Department has provided more descriptive
terminology to refer to critical process systems. For a further
discussion of SCADA, see the Department responses to ``Comments on
Specific Performance Standards.'' Section 27.230(a)(12) contains an
expanded standard for background checks. For a further discussion of
background checks, see the Department response to comments about
``Background Checks.'' Section 27.230(a)(15) now provides that
facilities should report significant security incidents to local law
enforcement in addition to the Department. Finally, the Department has
removed the paragraph that was paragraph 27.230(a)(19) in the Advance
Notice, because that standard was already addressed in paragraph
(a)(14).
Section 27.235 Alternative security program
The Department has revised this section to provide more detail
about the process for Alternate Security Programs (ASPs). The basic
requirement remains the same, in that certain covered facilities may
submit ASPs, and the Assistant Secretary may approve those ASPs. See
Sec. 27.235(a). To accept an ASP, the Assistant Secretary must find
that the program ``provides an equivalent level of security to the
level of security established by this part.'' This language, which
clarifies the standard for accepting ASPs, comes from the preamble of
the Advance Notice and is consistent with the terms of Section 550. See
71 FR 78276, 78285.
In Sec. 27.235(a)(1)-(2), the Department specifies, by tier, which
facilities may submit ASPs in lieu of Security Vulnerability
Assessments (SVAs) and which facilities may submit ASPs in lieu of Site
Security Plans (SSPs). A Tier 4 facility may submit an ASP in lieu of a
Security Vulnerability Assessment, Site Security Plan, or both. Tier 1,
Tier 2, and Tier 3 facilities may submit an
[[Page 17693]]
ASP in lieu of a Site Security Plan. Tier 1, Tier 2, and Tier 3
facilities may not submit an ASP in lieu of a Security Vulnerability
Assessment. Accordingly, Tier 1, Tier 2, and Tier 3 facilities will
have to submit their SVA through the CSAT system.
With respect to Tier 4 facilities, the Department clarifies the
following point: Given that the Department notifies a facility of its
final placement in a risk-based tier following the Department's review
of a covered facility's SVA (see Sec. 27.220(b)), a facility will not
know its final tier placement at the time it might decide to submit an
ASP in lieu of a SVA. Because of that, the Department understands that
facilities will rely on the Department's preliminary tiering
determination made pursuant to Sec. 27.220(a).
There are various reasons underlying the Department's decision not
to accept ASPs as SVAs for Tier 1, Tier 2, and Tier 3 facilities. The
Department needs a consistent baseline against which to compare risks
and vulnerabilities across chemical facilities. (For a further
discussion of this issue, see the Department's response to comments in
Sec. III(B)(1)). As well, the Chemical Security Assessment Tool (CSAT)
system uses an integrated approach to chemical facility security, and
by considering SVAs that use the methodology in the CSAT system, the
Department can take full advantage of that integrated approach.
Furthermore, by using this electronic, integrated CSAT approach, the
Department can more efficiently review and assess a greater number
SVAs, and that is of importance considering the Department's phased
implementation scheme to address the highest risk facilities first.
The Department acknowledges that many facilities have expended
substantial resources and incurred significant expense to identify
vulnerabilities and to develop security plans. The Department commends
facilities for such efforts. The work performed on these efforts is
valuable, and DHS is committed to capitalizing on these investments.
The information developed in these efforts will be relevant to
facilities as they complete the CSAT SVA. Facilities will be able to
use the information from existing vulnerability assessments, and in
many cases, the practical impact of requiring Tiers 1, 2, and 3
facilities use the CSAT SVA system will be one of formatting, i.e.,
facilities will have to enter their information from their existing
vulnerability assessments into the format established by the CSAT
system. While some additional analytical effort will be required, even
where the facility has produced a strong SVA, the effort will be
considerably less than that at facilities that are starting without a
pre-existing SVA.
In addition, Sec. 27.235(b) provides that the notice requirements
for submitting ASPs correspond with the notice requirements (including
the approval and disapproval process) for SVAs and SSPs. In other
words, if a facility is submitting an ASP in lieu of an SVA, the
process in Sec. 27.240 applies, and if a facility is submitting an ASP
in lieu of an SSP, the process in Sec. 27.245 applies.
Section 27.240 Review and Approval of Security Vulnerability Assessment
and Section 27.245 Review and Approval of Site Security Plans
In this interim final rule, the Department has separated the review
and approval of SVAs and SSPs into two separate sections. In the
Advance Notice, both sets of requirements were located in Sec. 27.240.
In this interim final rule, the provisions related to Security
Vulnerability Assessments are located in Sec. 27.240, and the
provisions related to Site Security Plans are located in Sec. 27.245.
In addition, the Department made some changes to the corresponding
provisions in the two separate sections. In both sections, the
Department has removed the language (from proposed Sec. 27.240(a)(1))
about time periods for submitting SVAs and SSPs. The Department has
already addressed this issue in Sec. Sec. 27.215(c)-(d) and Sec. Sec.
27.225(c)-(d) (by providing that a facility must provide, update, and
revise its SVA and SSP consistent with the schedule in Sec. 27.210),
so it was unnecessary to also include this language here. Also, in both
sections, the Department has added new language about the disapproval
of SVAs or SSPs. The Department added a new sentence, which provides
that ``[i]f the resubmitted [SVA or SSP] does not satisfy the
requirements of [Sec. 27.215 or Sec. 27.225], the Department will
provide the facility with written notification (including a clear
explanation of deficiencies in the [SVA or SSP]) of the Department's
disapproval of the [SVA or SSP].'' See Sec. 27.240(b) and Sec.
27.245(b).
Finally, the Department has added a provision in Sec.
27.245(a)(1)(iii), indicating that the Department issues a Letter of
Approval if it approves a facility's Site Security Plan in accordance
with Sec. 27.250. While this provision appears elsewhere in the rule
(see Sec. 27.245(b)), the Department thought it was appropriate to
include it here as well.
The Department has removed 27.240(c) as proposed in the Advance
Notice. Paragraph (c) had contained an objections provision. For a
discussion of the Department's decision to remove the objections
provisions from this rule (in Sec. Sec. 27.205(c), 27.220(b), and
27.240(c)), see the summary under Sec. 27.205(c).
Section 27.250 Inspections and Audits
The Department has added additional provisions to the inspection
and audit section. In Sec. 27.250(c), the Department discusses the
time and manner requirements for inspections. While the Department will
generally provide facilities with 24-hour advance notice of
inspections, the Department recognizes two exceptions where an
unannounced inspection might occur. The Department included the first
exception in the Advance Notice, and the Department has added the
second exception in this interim final rule. For a further discussion,
see the Discussion of Comments in Sec. III(F) on ``Inspections and
Audits.''
In Sec. 27.250(d), the Department addresses various details
related to the inspectors who will conduct inspections and audits. This
is a new paragraph that was not in the Advance Notice. Although
Congress has not provided the Department with administrative subpoena
authority, this paragraph explains that inspectors will have
credentials and may administer oaths and receive affirmations upon
consent. It also provides details about the means by which inspectors
may gather information and the access that inspectors will have to
records. The Department has also added a paragraph (e), which addresses
confidentiality. Finally, the guidance paragraph, which had been
located in paragraph (d) has been moved to paragraph (f).
Section 27.255 Recordkeeping Requirements
The Department revised various provisions related to recordkeeping.
With respect to Sec. 27.255(a)(1), the Department added a few
additional record requirements regarding training. In addition to
keeping records of the date and location of each training session, time
of day and duration of each session, the name and qualifications of the
instructor, and a clear, legible list of the attendees including
attendees' signatures, the facility must also keep at least one other
unique identifier for each attendee receiving training and the results
of any evaluation or training. The Department also added a requirement
to Sec. 27.255(b), requiring facilities to keep submitted Top-Screens
in addition to submitted
[[Page 17694]]
SVAs and SSPs. In addition, as discussed above in the summary for Sec.
27.225(e), the Department revised the recordkeeping provision related
to internal audits. See Sec. 27.255(a)(6).
The Department also added a new paragraph (c), allowing the
Department to request that covered facilities make available records
kept pursuant to other Federal programs or regulations. The Department
would make such requests for records to the extent that any such
records were necessary for security purposes. As a result of adding new
paragraph (c), the Department had to re-designate proposed paragraph
(c) as paragraph (d).
Subpart C
The Department has substantially revised Subpart C, which contains
the provisions for Orders, Adjudications, and Appeals.
Section 27.300 Orders
The Department has restructured the Orders provisions. Whereas the
Advance Notice contained four separate sections (see Sec. Sec. 27.300,
27.305, 27.310, and 27.315), the Department has now consolidated all of
the Order provisions into one section, Sec. 27.300. The main substance
of the Orders provisions, however, remains the same. Pursuant to Sec.
27.300(a), the Assistant Secretary can issue an Order for any instance
of noncompliance. For example, the Assistant Secretary may issue an
Order for a facility's refusal to complete a Top-Screen, failure to
allow an inspection, or failure to update a Site Security Plan.
Beyond a basic Order, the Assistant Secretary may issue an Order
Assessing Civil Penalty, an Order to Cease Operations, or both, where
it determines that a facility is in violation of any Order issued
pursuant to paragraph (a). See Sec. 27.300(b). Orders Assessing Civil
Penalty are for a continual noncompliance, a repeated pattern of
noncompliance or egregious instances of noncompliance. Orders to Cease
Operations are the most serious Orders that the Assistant Secretary
might choose to issue under this regulatory scheme. The Assistant
Secretary will use such a measure cautiously and judiciously and will
balance the immediate security needs with the possible impact (e.g.,
economic impact or national security effect) of such an Order on the
chemical industry and the Nation as a whole. As the Department wrote in
the Advance Notice, ``This authority would be utilized when no other
options will achieve the required result.'' See 71 FR 78276, 78287.
Paragraphs (c) through (f) of Sec. 27.300 address the process and
procedures for Orders. Section 27.300(c) lists the information, at a
minimum, that the Assistant Secretary must include in an Order and also
notes that the Assistant Secretary may establish further procedures for
the issuance of Orders. Section 27.300(d) notes that a facility must
comply with the terms of the Order by the date specified in the Order.
Section 27.300(e) indicates that a facility has the right to seek an
adjudication to review the decision of the Assistant Secretary to issue
an Order, and Sec. 27.300(f) addresses final agency action.
With respect to the staying of Orders, the Department addresses
this issue in the new adjudications sections. Specifically, Sec.
27.310(b)(4) provides that an Order is stayed from the timely filing of
a Notice of Application for Review until the Presiding Officer issues
an Initial Decision, unless the Secretary lifts the stay due to exigent
circumstances pursuant to Sec. 27.310(d). The new adjudications
section is discussed in more depth below.
Section 27.305 through 27.340 Adjudications
Most significantly with respect to adjudications, the Department
has provided facilities with the opportunity to seek review of
specified decisions before a neutral adjudications officer. A facility
or other person may seek review of the following Department (i.e.,
Assistant Secretary) determinations: (1) A finding, pursuant to Sec.
27.230(a)(12)(iv) that an individual is a potential security threat;
(2) The disapproval of a Site Security Plan pursuant to Sec.
27.245(b); or (3) The issuance of an Order pursuant to Sec. 27.300(a)
or (b). See Sec. 27.310(a).
The procedures for Applications are found in Sec. 27.310(b). To
institute Adjudication Proceedings, the facility or other person
(``Applicant'') must file a Notice of Application for Review within
seven calendar days of notification of the Assistant Secretary's
determination. See Sec. 27.310(b)(1)-(2). Then, in an Application for
Review, the Applicant must explain his or her position (i.e., explain
why the Assistant Secretary's determination should be set aside). The
Applicant has 14 calendar days from the date of notification of the
Assistant Secretary's determination to file and serve an Application
for Review. See Sec. 27.310(b)(5). The Assistant Secretary, through
the Office of the General Counsel, shall file and serve a Response
within 14 calendar days of the filing and service of the Application
for Review. See Sec. 27.310(c). Finally, the Secretary may make
certain procedural modifications in exigent circumstances. See Sec.
27.310(d).
A Presiding Officer is the neutral adjudications officer who
handles these proceedings. The Secretary shall appoint a Presiding
Officer, consistent with the requirements in Sec. 27.315. A Presiding
Officer shall immediately consider whether a summary adjudication of an
Application for Review is appropriate, and if the Presiding Officer
finds that there is no genuine issue of material fact and that one
party or the other is entitled to decision as a matter of law, then the
record shall be closed and the Presiding Officer shall issue an Initial
Decision on the Application for Review. See Sec. 27.330(b). Such
summary decisions are governed by the procedures in Sec. 27.330.
Where there is no summary decision, the Presiding Officer may
conduct a hearing using the procedures specified in Sec. 27.335. The
Presiding Officer shall close and certify the record upon the
completion of one of the following: a summary judgment proceeding, a
hearing, the submission of post-hearing briefs, or the conclusion of
oral arguments. See Sec. 27.340(a). Based on the certified record, the
Presiding Officer shall issue an Initial Decision, and the decision
shall be subject to appeal pursuant to Sec. 27.345.
In addition to the sections mentioned above, there are a few other
sections that address provisions related to adjudications. Section
27.320 specifies the prohibition on ex parte communications during
Proceedings. And Sec. 27.325 provides that the Assistant Secretary
bears the initial burden of proving the facts necessary to support the
challenged administrative action at every proceeding instituted under
this subpart.
Finally, as related to the Appeals section below, a Presiding
Officer's Initial Decision is stayed from the timely filing of a Notice
of Appeal until the Under Secretary issues a Final Decision, unless the
Under Secretary lifts the stay due to exigent circumstances. See Sec.
27.345(b)(4).
Section 27.345 Appeals
The interim final rule contains a revised appeals section. There
are several differences. First, a facility or other person may appeal
the Initial Decision of the Presiding Officer made pursuant to Sec.
27.340(b). This differs from the Advance Notice, in which a facility
could appeal a Departmental final determination regarding disapproval
of a Site Security Plan and the Departmental issuance of an Order. See
Sec. 27.320 in the Advance Notice.
[[Page 17695]]
Second, the Advance Notice provided that the Under Secretary would make
decisions for most categories of appeals, and the Deputy Secretary
would make decisions for one category of appeal. This interim final
rule provides that all appeals go to the Under Secretary or his
designee acting as a neutral appeals officer. Third, as is discussed in
more depth below, the procedures for an appeal have changed.
The Assistant Secretary, a facility, or other person
(``Appellant'') may institute an Appeal by filing a Notice of Appeal
within seven calendar days of notification of the Presiding Officer's
Initial Decision. See Sec. 27.345(b)(1)-(3). The Appellant shall then
file and serve a Brief within 28 calendar days of the notification of
the Presiding Officer's Initial Decision. See Sec. 27.345(b)(5). The
Appellee shall file and serve its Opposition Brief within 28 days of
the filing of Appellant's Brief. See Sec. 27.345(b)(6). The Under
Secretary shall issue a Final Decision and serve it on the parties. A
Final Decision by the Under Secretary constitutes final agency action.
See Sec. 27.345(f).
In addition to the provisions mentioned above, the Department notes
the following: Pursuant to Sec. 27.345(b), the Under Secretary may
provide for an expedited appeal; pursuant to Sec. 27.345(c), ex parte
communications are prohibited; and pursuant to Sec. 27.345(c), a
facility or other person may elect to have the Under Secretary
participate in any mediation or other resolution process by expressly
waiving, in writing, any argument that such participation has
compromised the Appeals process. In addition, pursuant to Sec.
27.345(g), the Secretary may establish procedures for the conduct of
appeals.
Subpart D
Section 27.400 Chemical-Terrorism Vulnerability Information
The Department has made numerous clarifying changes to the
chemical-terrorism vulnerability information (CVI) section. Some of
these changes corrected typographical errors, while several others
clarified existing provisions. With respect to a minor change, note
that, in Sec. 27.400 of the Advance Notice, the Department referred to
CVI as ``Chemical-terrorism Security and Vulnerability Information''
and in this interim final rule, the Department now refers to CVI as
``Chemical-terrorism Vulnerability Information.'' The Department
intends no change in meaning with this revision.
The Department has highlighted below the more substantive changes
to Sec. 27.400. With respect to paragraph (c), the Department has
removed paragraph (c)(2), because that concept is already covered in
paragraph (e)(1)(v). In paragraph (d)(1), the Department provides that
covered persons must protect all CVI in their possession or control,
including electronic data. In paragraph (e)(1), the Department added
language providing that a person who might have a ``need to know''
includes ``state or local officials, law enforcement officials, and
first responders.'' In paragraph (e)(1)(ii), the Department clarified
that a person in training will only have access to CVI that he needs as
part of his training, and in paragraph (e)(1)(iv), the Department
clarified that a the person in a fiduciary relationship with a covered
person who is representing or providing advice to that covered person
will also have a need to know CVI. In paragraph (e)(2)(iii), the
Department provides that it may require non-Federal persons seeking
access to CVI to complete a non-disclosure agreement before such access
is granted. In paragraph (f)(3), the Department shortened the
distribution limitation statement and added a new sentence at the end,
which provides: ``[i]n any administrative or judicial proceedings, this
information shall be treated as classified information in accordance
with 6 CFR Sec. Sec. 27.400(h) and (i).'' And in paragraphs (h)(1),
(i)(1), and (i)(2), the Department made it clear that these sections
apply to the disclosure of CVI in the context of administrative or
judicial enforcement proceedings of section 550 only, not any other
kind of enforcement proceeding. Similarly, in paragraph (i)(7)(iii),
the Department made it clear that this section applies only to judicial
enforcement proceedings and not any other judicial proceeding.
Section 27.405 Review and Preemption of State Laws and Regulations
The Department has made several changes to Sec. 27.405, including
various regulatory text changes. Among those changes, the Department
has added paragraph (a)(1). The Department wishes to avoid any
unintended consequences in the program's interaction with other Federal
requirements. For this reason, Sec. 27.405(a)(1) provides that
``[n]othing in this regulation is intended to displace other federal
requirements administered by the Environmental Protection Agency, U.S.
Department of Justice, U.S. Department of Labor, U.S. Department of
Transportation, or other federal agencies.'' For a further discussion
of these changes and preemption in general, see the section below
entitled ``Executive Order: 13132: Federalism.''
Proposed Appendix A: DHS Chemicals of Interest
In the Advance Notice, the Department sought comment on appropriate
sources of information or methodologies for evaluating and categorizing
chemical facilities.'' See 71 FR 78276, 78282. The Department responds
to those comments below in the ``Discussion of Comments.'' In this
interim final rule, the Department has decided to evaluate chemical
facility risks by, in part, classifying facilities by particular
chemicals. In proposed Appendix A, the Department has included a list
of ``DHS Chemicals of Interest'' along with Screening Threshold
Quantities, or STQs, for each chemical. The Department has established
STQs to trigger preliminary screening requirements. The STQ is not the
threshold quantity for establishing whether a given facility is a high-
risk facility, but only sets a threshold to require a facility to
complete and submit a CSAT Top-Screen. As noted in the ``Public
Participation'' section above, the Department is accepting public
comment on proposed Appendix A for 30 days. Following the close of the
comment period, the Department will review the comments and publish a
final Appendix A. The requirements related to Appendix A, which are
found in Sec. Sec. 27.200(b)(2) and 27.210, will become operative on
the date that the Department publishes a final Appendix A.
Pursuant to Sec. 27.200(b)(2), if a facility possesses any
chemicals identified in Appendix A at the corresponding quantities, the
facility must complete and submit a Top-Screen. Consistent with the
submission requirements in Sec. 27.210(a)(1), the facility must
complete the Top-Screen within 60 calendar days of the effective date
of a final Appendix A or within 60 calendar days of coming into
possession of any such chemical at the corresponding quantity. (As
indicated in the regulatory text, this submission requirement is not
operative until the Department publishes a final Appendix A.) Note that
this provision does not affect the Department's ability to contact
facilities independently of this list. Pursuant to Sec. 27.200(b)(1),
DHS may notify facilities, on an individual basis or through an
additional Federal Register notice, that they need to complete and
submit the Top-Screen. The Department notes that, where a facility has
a question as to whether it should complete a Top-Screen, the facility
can contact the
[[Page 17696]]
Department and seek a consultation pursuant to Sec. 27.120.
The Department reiterates that the presence or amount of a
particular chemical listed in Appendix A is not the sole factor in
determining whether a facility presents a high-level of security risk
and is not an indicator of a facility's coverage under this rule. The
DHS Chemicals of Interest list merely directs certain facilities to
complete and submit the Top-Screen. This list serves as a tool to aid
the Department in gathering information needed to administer the
program under Section 550. In order for the Department to assess
compliance by particular chemical facilities with the regulation (see
Section 550(e)), the Department must first obtain information to
determine whether the particular chemical facilities qualify for
coverage under Section 550. The list set out in Appendix A serves as a
procedural tool designed to aid the Department in determining which
facilities must comply with the substantive standards. Only after the
Department gathers additional information through the Top-Screen
process will the Department make a determination as to whether a
facility presents a high risk and therefore must comply with the
regulatory requirements to ensure adequate security. Under Section 550,
the Department has the authority to use its best judgment and all
available information in determining whether a facility presents a high
level of security risk.
In developing the ``DHS Chemicals of Interest'' list, the
Department has looked to existing sources of information and has then
drawn on many of those sources of information, including some of the
sources that commenters suggested. Those sources include the following:
(1) The chemicals contained on the EPA's RMP list. Pursuant to the
Clean Air Act (42 U.S.C. 7401, et seq.), which provides that the EPA
shall promulgate a list of substances that ``in the case of accidental
release, are known to cause or may reasonably be anticipated to cause
death, injury, or serious adverse effects to human health or the
environment (see 42 U.S.C. 7412(r)(3)), the EPA promulgated two lists.
Table 1 is titled ``List of Regulated Toxic Substances and Threshold
Quantities for Accidental Release Prevention,'' and Table 3 is titled
``List of Regulated Flammable Substances and Threshold Quantities for
Accidental Release Prevention'' (see 40 CFR 68.130); (2) The chemicals
from the Chemical Weapons Convention (CWC). Section 6701, et seq. of
Title 22 of the United States Code implements the Convention on the
Prohibition of the Development, Production, Stockpiling and Use of
Chemical Weapons and on Their Destruction. The CWC covers three lists,
or ``schedules'' of chemicals. Schedule 1 chemicals are provided in
Supplement No. 1 to 15 CFR part 712, Schedule 2 chemicals are provided
in Supplement No. 2 to 15 CFR part 713, and Schedule 3 chemicals are
provided in Supplement No. 3 to 15 CFR part 714; and (3) Hazardous
materials, including gases poisonous by inhalation (PIH) and explosive
materials, which the Department of Transportation regulates. See 49 CFR
173.115(c), 49 CFR 173.50(b), and 49 CFR 172.101. The Department has
also considered other categories of chemicals, such as chemicals that
can be used as precursors for Improvised Explosive Devices (IEDs) and
certain water-reactive materials that produce toxic gases.
The Department makes a few points with respect to the list in
Appendix A. First, DHS is not using any existing list (e.g., the EPA
RMP list) as its sole source, and DHS is not classifying all facilities
on a list in one particular way (i.e., classifying all RMP facilities
as high-risk). By using multiple sources at this initial phase, DHS
believes it is obtaining a more complete picture of the universe of
facilities that may qualify as high-risk. Second, in identifying the
types and STQs of chemicals for Appendix A, the Department has sought
to be sufficiently inclusive of chemicals and quantities that might
present a high level of risk under the statute without being overly
inclusive and therefore capturing facilities which are unlikely to
present a high level of risk.
In addition to drawing on information from existing sources, the
Department has identified chemicals by considering three security
issues. These three security issues, which are explained below, address
multiple risk areas.
1. Release--DHS believes that certain quantities of toxic,
flammable, or explosive chemicals or materials, if released from a
facility, have the potential for significant adverse consequences for
human life or health.
2. Theft or Diversion--DHS believes that certain chemicals or
materials, if stolen or diverted, have the potential to be used as
weapons or easily converted into weapons using simple chemistry,
equipment or techniques in order to create significant adverse
consequences for human life or health.
3. Sabotage or Contamination--DHS believes that certain chemicals
or materials, if mixed with readily-available materials, have the
potential to create significant adverse consequences for human life or
health.
In proposed Appendix A, the Department lists the DHS Chemicals of
Interest and identifies a Standard Threshold Quantity (STQ) for each
chemical. To clearly identify each chemical, the Department includes
the Chemical Abstract Service (CAS) number for each chemical. These
chemicals listed in proposed Appendix A fall into the three categories
identified above: chemicals with a release hazard, chemicals with a
theft or diversion hazard, and chemicals with a sabotage or
contamination hazard.
The Department acknowledges that there are two additional security
issues that it is considering at this time, although it is not
including any such chemicals that would trigger a Top-Screen
submission. They include the following two issues:
1. Critical Relationship to Government Mission--DHS believes that
the loss of certain chemicals, materials, or facilities could create
significant adverse consequences for national security or the ability
of the government to deliver essential services.
2. Critical Relationship to National Economy--DHS believes that the
loss of certain chemicals, materials or facilities could create
significant adverse consequences for the national or regional economy.
The Department is continuing to assess currently-available
information about these chemicals critical to government mission and
the national economy. The Department will use the information it
collects through the Top-Screen process, as well as currently-available
information, as a means of identifying facilities responsible for
economically critical and mission-critical chemicals.
III. Discussion of Comments
In the Advance Notice, DHS sought comment on proposed text for the
interim final rule as well as on various implementation and policy
issues concerning the chemical security program. DHS received a total
of 106 public comments totaling more than 1,300 pages, including
comments from thirty-two trade associations, thirty companies, thirteen
private citizens, ten state agencies and associations, seven advocacy
and safety groups, eight U.S. Representatives, five U.S. Senators, four
unions, one Local Emergency Planning Committee, one professional
association, one international standards committee, and the U.S. Small
Business Administration.
Commenters generally applauded this effort from the Department and
commended the general approach that the Department is taking. However,
[[Page 17697]]
commenters also raised some specific concerns. In the sections below,
DHS provides a topical summary of the comments and responses to those
comments.
A. Applicability of the Rule
1. Definition of ``Chemical Facility or Facility''
The Advance Notice defined ``Chemical Facility or facility'' to
mean ``any facility that possesses or plans to possess, at any relevant
point in time, a quantity of a chemical substance determined by the
Secretary to be potentially dangerous or that meets other risk-related
criterion identified by the Department. * * *'' See proposed Sec.
27.100.
Comment: While a few industry and State agency commenters supported
this definition, commenters generally thought that the proposed
definition was broad. In particular, several industry commenters, an
industry association, a labor union, and a State agency thought the
proposed definition was overly broad and consequently did not inform
facilities about whether they would be regulated. They noted that the
definition did not name the regulated chemical substances or the
threshold quantities. One commenter argued that DHS's failure to
release to the public its proposed list of ``potentially dangerous
chemicals'' and threshold amounts for those chemicals denies the public
the opportunity to comment on key provisions of the rule that depend on
whether the facility possess specified quantities of chemicals
determined by DHS to be potentially dangerous. The commenter explained
that it is difficult to comment on that aspect of the rule without
knowing what the chemicals and thresholds are. An industry group
cautioned that threshold quantities should be set high enough that
retail establishments are not covered merely because they stock
commercially acceptable quantities of commonly used chemicals. A few
industry commenters and a member of Congress added that the definition
of chemical facility should include the concepts of national security
and economic criticality.
Several industry commenters supported the use of EPA's Risk
Management Plan (RMP) program to help identify the initial group of
regulated facilities. Commenters supported use of the RMP list of toxic
substances as a basis for selecting chemical facilities. Likewise, one
association felt that DHS should link its definition of chemical
facility to those facilities covered by EPA's RMP, because it is a
clear and defined list. The industry commenters noted, however, that
not all RMP facilities should be considered high-risk. One commenter
pointed out that RMP does not take into account facilities that may
cause substantial impacts from multiple tanks. A few commenters also
recommended that DHS should consider facilities in EPA's Toxic Release
Inventory program or facilities that handle DOT hazardous materials.
One commenter emphasized that the rule could focus on toxic gases
at RMP threshold quantities, but warned that the RMP program has a
different purpose. The commenter indicated that worst-case scenarios
under RMP may be based on unrealistic assumptions. Another commenter
indicated that DHS should consider certain substances from the Chemical
Weapons Convention list when assessing overall risk. Finally, some
industry commenters objected to the phrase ``possesses or plans to
possess,'' because the term implies legal title or ownership rather
than simple presence at the facility.
Response: Aside from the minor modification noted above, DHS is
retaining the definition of chemical facility that it proposed in the
Advance Notice. And while DHS is not defining ``chemical facility'' by
listing specific chemicals, DHS is making available, with the issuance
of this rule, a list of those chemicals and Screening Threshold
Quantities (STQs) that it proposes to use to determine whether to
further assess whether a chemical facility presents a high risk.
Specifically, if a facility possesses any of the chemicals, at the
corresponding quantities, in Appendix A (when finalized), the facility
must complete and submit a Top-Screen within 60 calendar days. See
Sec. 27.200(b)(2) and Sec. 27.210(a). The Department will continue to
contact facilities individually and through additional Federal Register
notices, as necessary. See Sec. 27.200(b)(1). To the extent the
Department notifies facilities through an additional Federal Register
notice, the Department will engage in outreach activities with the
chemical sector.
Finally, in response to specific comments above, the Department
makes two additional points. The Department has retained the phrase
``possesses or plans to possess.'' DHS believes that phrase adequately
captures the Department's intent. The plain meaning of those terms is
not limited to ownership. Also, with respect to the commenter who
cautioned that any types of threshold quantities should be high enough
so that DHS does not cover all retail establishments that stock
commercially acceptable quantities of commonly used chemicals, DHS
notes that it is aware of that issue. While DHS believes these STQs are
set at levels that normally will not cover such retail establishments,
DHS believes that, if a retail establishment does exceed any of these
STQs, the retail establishment will have to complete the Top-Screen.
2. Multiple Owners and Operators
The second half of the definition of ``Chemical Facility or
facility'' provides that the terms ``shall also refer to the owner or
operator of the chemical facility. Where multiple owners and/or
operators function within a common infrastructure or within a single
fenced area, the Assistant Secretary may determine that such owners and
operators constitute multiple chemical facilities depending on the
circumstances.'' See Sec. 27.105.
Comment: Comments were varied on the issue of multiple owners and
operators. One industry commenter suggested that DHS should combine
adjacent facilities under common ownership into a single facility, and
other industry commenters thought that DHS should define certain
adjacent facilities as less than the entire property. One industry
commenter thought that DHS should allow facilities with multiple owners
or operators to agree among themselves how to meet the requirements of
this rule. A trade association noted that some large chemical
facilities have third-party warehouses and leasing agreements and that
the owners of the chemical facility should be responsible for security.
Response: DHS believes that it will generally be fairly
straightforward for facilities to define their boundaries and identify
the party (at their facility) that is responsible for compliance with
the regulation. However, DHS acknowledges that, in some circumstances,
the issue might be more complex. The Department will address these
situations on a case-by-case basis. Both owners and operators of
facilities, however, bear responsibility under the regulations for
implementing measures that meet the regulatory standards.
3. Classifying Facilities Based on Hazard Class
Comment: In the preamble to the Advance Notice, DHS requested
comment on whether it should use an approach based on hazard class,
rather than use an approach where classifications are based on
particular chemicals. Responses were mixed.
Several commenters favored the hazard class approach, noting that
facilities are familiar with the DOT hazard classes, that the hazard
classes
[[Page 17698]]
may be harmonized with international requirements, and that the number
of chemicals (in a non-hazard class approach) might otherwise be very
large. Some of the commenters who favored the hazard class approach
also noted some caveats to its use. Industry commenters and a State
agency warned that the hazard class approach could result in the
inclusion of chemicals that do not pose a security risk. Conversely,
others noted that the hazard classes may not include chemicals of
concern from a terrorism perspective. Commenters noted that other
agencies may regulate the hazard classes under other programs. Also,
one State agency association pointed out that a combination of
chemicals might be more dangerous than any one chemical. One firm
suggested that the DHS approach should include both the hazard class
approach and the classification of chemicals approach.
A few industry commenters indicated that basing the applicability
of the rule on hazard classes would be inappropriate and that they
favored a list of security-sensitive chemicals with threshold
quantities. One trade association supported the use of lists of
particular chemicals, explaining that they thought it would lead to
more accurate assessments of likelihood and consequence and therefore
risk. They also argued that DHS publish the list in the final rule.
Response: As explained above, DHS is publishing a list of
``Chemicals of Interest'' in Appendix A to this interim final rule. The
list contains specific chemicals and STQs. That list is a baseline
screening threshold against which facilities will know whether they
need to complete and submit a Top-Screen. While DHS's primary approach
will be through the classification of chemicals, DHS will not preclude
the use of the hazard classes for certain purposes in the performance
standard guidelines.
4. Applicability to Specific Chemicals or Quantities of Chemicals
Comment: Several commenters discussed specific chemicals and
whether or not the regulation should cover facilities that possess
those chemicals. Several commenters thought that DHS should not cover
anhydrous ammonia or ammonium nitrate, both of which are discussed in
more depth below. A local government agency urged DHS to cover
facilities that store propane, while other commenters indicated that
DHS should not cover flammable fuels such as propane. A few commenters
noted that some facilities may have only small amounts of chemicals or
may handle them only intermittently. A trade association suggested that
DHS should allow such facilities to adjust their level of security to
the level of risk. Another commenter urged DHS to consider the nature
of batch production facilities, which make a continually changing mix
of products using a continually changing, and often unpredictable, mix
of ingredients.
With respect to anhydrous ammonia, commenters noted that the
chemical is in the EPA RMP list but indicated that it should not be a
chemical that DHS regulates. They explained that ammonia refrigeration
is used for dairy and food processing facilities and that those
facilities do not pose a significant risk to human health, national
security, or the economy, because an attack on such a facility would
not result in a catastrophic release of ammonia. In addition, the
commenters stated that the food industry (which uses anhydrous ammonia
for refrigeration) should not have to spend its resources enhancing
security for refrigeration systems.
With respect to ammonium nitrate (AN), some industry commenters
noted that AN is an important part of the economy in both the
explosives and the fertilizer industries. They noted that the threat
posed by AN is not that of a direct attack but of theft or diversion
for later criminal misuse. While they said that DHS should focus not
only on the possibility of a direct attack at facilities with
``weaponizable'' chemicals, but on facilities with risks of theft or
diversion, they suggested that DHS place those facilities (i.e., those
with risk of theft or diversion) in lower-risk tiers.
One commenter recommended requirements for chain-of-custody control
and suggested that the ATF could assist in enforcement at AN sites with
commercial explosives; other commenters favored regulation by DHS, not
ATF. Another commenter believed that DHS should work with the U.S.
Department of Agriculture and producer groups in deciding whether to
regulate an agriculture operator or supplier. An industry commenter
noted that the mere presence of AN at a site should not trigger
application of DHS's screening process. Two members of Congress argued
that the rule should apply to AN manufacturing facilities, but they
agreed with DHS and other commenters that DHS should subject AN
facilities to regulatory requirements based on the nature of the
facility and risk assessment results. The commenters thought that by
including AN facilities in the regulatory program, DHS would make it
more difficult for terrorists to acquire this product.
Response: The Department's regulatory scheme will cover chemical
facilities that present a high risk because they possess or plan to
possess chemicals that terrorists may use or target in the furtherance
of acts of terrorism. Facilities that possess chemicals that are
hazardous and can be used as weapons, such as anhydrous ammonia or
ammonium nitrate, will be regulated if they present a high risk.
However, a facility that possesses a chemical substance that does not
cause it to present a high risk (taking into account all relevant
factors), or possesses an otherwise hazardous chemical in an amount
that is below what would cause the facility to present a high risk
(again, taking into consideration all relevant factors), will not be
regulated.
Accordingly, with this interim final rule, DHS plans to regulate
high-risk facilities with ammonium nitrate and anhydrous ammonia using
the same risk-based approach under which it plans to regulate all other
high-risk facilities. If DHS later decides that any individual
chemicals warrant specialized attention in regulatory provisions, DHS
will address such chemicals through future rulemakings.
5. Applicability to Types of Facilities
Comment: A few commenters suggested that the rule should not apply
to railroad facilities, because such facilities are covered by current
and proposed requirements from the Department of Transportation's (DOT)
Federal Railroad Administration and Pipeline and Hazardous Materials
Safety Administration and DHS's Transportation Security Administration
(TSA). Those commenters asserted that railroads should be treated
separately from fixed facilities and that the proposed requirements are
inappropriate for railroad facilities. One commenter requested
exemptions for motor vehicles and rail cars that are ``in transit.''
Another commenter asked DHS to take a system-wide approach and
recognize the interdependence of chemical facility and rail security.
Response: Regulating chemicals in the railroad system is a complex
issue, and DHS continues to evaluate it. TSA is the lead component
within DHS for the security of transportation facilities and has
initiated some recent efforts to address rail security, including
Voluntary Agreements with the rail industry and a Notice of Proposed
Rulemaking on Rail Transportation Security. See 71 FR 76852 (December
21, 2006). With respect to chemical security, certain aspects of
Section 550 and TSA's authorities are concurrent
[[Page 17699]]
and overlapping. DHS is working, and will continue to work, with its
components, including TSA, to determine whether DHS will include
railroad facilities in its chemical security program. DHS presently
does not plan to screen railroad facilities for inclusion in the
Section 550 regulatory program, and therefore DHS will not request that
railroads complete the Top-Screen risk assessment methodology. DHS may
in the future, however, re-evaluate the coverage of railroads, and
would issue a rulemaking to consider the matter.
Comment: Commenters asked about the applicability of the rule to
natural gas pipelines and facilities, with some noting that DHS should
not regulate pipelines because DOT/PHMSA and DHS/TSA already regulate
safety and security of pipelines. Other commenters asked about DHS's
plans to address other large facilities, such as mines. One engineer
pointed out that mining facilities can be very large and can cover
thousands or tens of thousands acres but that the security-sensitive
portions of those mines may be very small (e.g., a single tank).
Response: Whether a facility is covered under this regulation is
driven by a number of factors, including the specific types and
quantities of chemicals at a given facility. Whether the Department
will apply the requirements of this regulation to a facility depends,
in part, on the chemicals present at that facility. In the case of
natural gas pipelines, DHS has no intention at this time of requiring
long-haul pipelines to complete the Top-Screen (or prepare Security
Vulnerability Assessments and develop Site Security Plans). But
chemical facilities otherwise covered by this regulation and with
pipelines within their boundaries must treat those pipelines like any
other asset, i.e., include measures in their Site Security Plan
addressing the security of those pipelines.
Related to this, DHS makes a clarifying point about facility assets
in general. DHS expects that facilities will address all facility
assets in their Security Vulnerability Assessments and Site Security
Plans, as any given facility asset has the potential to have an effect
on the consequence and/or vulnerabilities of the facility. Facility
assets include any items or structures (such as buildings, vehicles,
laboratories, or test facilities) located on an area owned, operated,
or used by the facility. Such assets may exist inside or outside of
perimeter structures.
Similarly, the extent of coverage of mines in this regulation will
depend in part on the type and amount of chemicals present at any given
mine facility. The Department expects that mines will comply with the
requirements of Sec. 27.200(b) and complete and submit the Top-Screen
as required in that section. With respect to large mines that may only
possess a concentrated amount of a given chemical in one discrete
location, if the given chemical (and quantity) is one that the
Department believes presents a security risk, the Department will
expect that the facility will go through the screening process. While
the facility may have to develop a Site Security Plan, the SSP would be
tailored to the specific circumstances at the mine. The SSP for a large
mine with a concentrated amount of one chemical in one location would
surely look dramatically different than that of mine company with
different circumstances (e.g., a large mine with larger quantities of
different types of chemicals spread throughout the mine or a smaller
mine with moderate quantities of very hazardous chemicals in several
different locations).
6. Statutory Exemptions
Comment: Some commenters asked why Sec. 27.105(b) excluded certain
facilities from the rule, and another commenter suggested that the
exempted facilities should be reviewed to determine if they would be
considered high-risk but for the exemption.
Other commenters suggested additional exemptions. One commenter
suggested that the rule should not apply to most facilities that
manufacture, sell, or reclaim lead-acid batteries, and another
commenter believed DHS should exclude pesticide facilities. Yet another
commenter thought that most facilities storing petroleum products, some
of which are exempted under proposed Sec. 27.105(b), are not high-risk
facilities.
Response: In the authorizing legislation for this regulation,
Congress exempted various facilities from this rule. See Section
550(a). DHS has included those exemptions in Sec. 27.110(b) of the
rule. The statute provides for the following exemptions: facilities
regulated pursuant to the Maritime Transportation Security Act of 2002,
Public Law 107-295, as amended; public water systems (as defined by
Section 1401 of the Safe Drinking Water Act); water treatment works
facilities (as defined by Section 212 of the Federal Water Pollution
Control Act); any facilities owned or operated by the Departments of
Defense and Energy; and any facilities subject to regulation by the
Nuclear Regulatory Commission. The Department has considered the
exemptions requested by commenters, and, at this time, the Department
does not intend to provide any additional regulatory text exemptions.
Comment: Some industry commenters supported the exemptions in Sec.
27.110, such as the exemption for facilities regulated under the
Maritime Transportation Security Act (MTSA). In addition, one
association wanted to exclude from the Top-Screen requirements any
facilities covered under MTSA. Other commenters asked for clarifying
information about the exemptions.
Response: In the Advance Notice, the Department discussed the
applicability of this rule to maritime facilities. See 71 FR 78276,
78290. In this interim final rule, the Department clarifies that it
will apply the statutory exemption only to facilities regulated under
33 CFR part 105, Maritime Facility Security regulations. Part 105 of
Title 33 of the Code of Federal Regulations is the only regulation that
imposes the security plan requirements of 46 U.S.C. 70103 on maritime
facilities.
Comment: A State agency believed that the Nuclear Regulatory
Commission (NRC) exemption should apply only to facilities holding an
NRC power reactor license and disagreed with the exemptions for public
water systems and treatment works.
Response: The Department agrees with the commenter and will apply
the statutory exemption to facilities where NRC already imposes
significant security requirements and regulates the safety and security
of most of the facility, not just a few radioactive sources. For
example, a power reactor holding a license under 10 CFR part 50, a
special nuclear material fuel cycle holding a license under 10 CFR part
70, and facilities licensed under 10 CFR parts 30 and 40 that have
received security orders requiring increased protection, will all be
exempt from 6 CFR part 27. A facility that only possesses small
radioactive sources for chemical process control equipment, gauges, and
dials, will not be exempt.
B. Determining Which Facilities Present a High-Level of Security Risk
1. Use of the Top-Screen Approach
Comment: In general, many industry associations and chemical
companies supported the use of a tiered approach that narrows DHS's
focus to high-risk facilities. Several commenters pointed out as a
problem the fact that they had been unable to review the details of the
approach and associated criteria; several commenters suggested that
knowledgeable parties should have an
[[Page 17700]]
opportunity to review the details. Many of the commenters wanted to
make sure that the final group of high-risk facilities was determined
based on risk (not just on potential consequence or limited pieces of
threat data) and that the number of facilities in this group was small.
Associations differed in their views on how inclusive the Top-
Screen process should be--one association wanted DHS to screen out
certain low-risk facilities in the first few questions while other
associations and a chemical company wanted DHS to make sure that as
many facilities as possible submitted Top-Screen data, including some
facilities that might not traditionally be considered chemical
facilities. Several associations urged DHS not to presumptively
classify facilities as high-risk without perfect information; they felt
that doing so would go beyond the authority that Congress granted DHS
and would not match the intended focus on high-risk facilities. A local
agency took the opposite view on that question.
Several commenters provided input on the data that facilities will
need to enter into the Top-Screen. One association suggested that DHS
allow facilities to enter chemical volumes in ranges and asked that DHS
provide guidance on handling mixtures and blends. That association also
questioned how facilities should address chemicals that are stored
offsite. Another association encouraged DHS to include reactive
chemicals and propane in the Top-Screen. One advocacy group encouraged
DHS to incorporate chemical transportation in the rule and the Top-
Screen.
Commenters also provided input on how DHS should process the
information that it receives through the Top-Screen. One industry
association suggested that facilities should be allowed to explain
``yes'' responses before DHS drives the facility to a full Security
Vulnerability Assessment. The association suggested that facilities
should not be the ones to estimate consequences, particularly injuries,
and that DHS should refine the definition of injuries. The association
stated that DHS should have different requirements for facilities that
only periodically have certain materials onsite. One association
cautioned about using RMP data and advocated for DHS to use conversion
factors to make estimates of casualties.
Several commenters were concerned about the questions in the Top-
Screen that related to economic impacts. Several associations indicated
that DHS should use a sufficiently high threshold for economic impacts
that captures the full extent of economic impacts. They noted that a
facility should consider all impacts, not just the impacts to one
facility. One association commented that most facilities will not be
able to provide answers to the questions in the Top-Screen that ask
about a facility's market share for given chemicals. That association
suggested that DHS re-phrase those questions to support yes/no answers
or to allow facilities to use broad ranges.
Several associations commented that the submitting company, not
DHS, should determine the most appropriate person to submit data. A
number of parties commented on DHS's subsequent use of the data that is
collected through the Top-Screen. One association commented that any
information must have demonstrated utility before it is shared with
anyone.
As for timing, commenters, including State agencies, requested that
DHS provide facilities with the specific timing requirements for
completing the Top-Screen. One industry association recommended that
DHS use phased-in timing for having facilities complete the Top-Screen.
A number of commenters from State agencies and industry associations
suggested the need for DHS to provide active, written notification that
a facility is not high risk--and for telling facilities that they need
to comply with the regulation. One association suggested that DHS
provide this notification immediately upon the facility's submission of
data.
Finally, a number of company and industry association commenters
wanted to make sure that facilities have the opportunity to conduct
independent evaluations (or meet with DHS) to verify or deny DHS's
initial classification of a facility's risk.
Response: In this regulatory program, DHS will employ a modified
version of the Risk Analysis and Management for Critical Asset
Protection (RAMCAP) risk assessment methodology known as the Chemical
Security Assessment Tool, or CSAT. The RAMCAP Sector Specific Guidance
was developed under contract to DHS by the ASME Innovative Technologies
Institute (ASME-ITI) and leveraged the knowledge and insight of leading
experts from across the industry and Federal Government. The DHS Risk
Assessment Methodology is composed of two separate parts. The first
part is a screening tool known as the Top-Screen, which is used to
perform a preliminary ``consequence'' analysis. The second part
provides the tools to conduct a thorough facility Security
Vulnerability Assessment.
DHS is using a standard vulnerability tool, the CSAT system,
because it is not practical for DHS to accept a broad spectrum of
methodologies. Even where certain ``equivalencies'' exist between
methodologies, the equivalencies can only be extracted and employed in
a comparative risk analysis at very great cost and over a very long
period of time. In order to effectively manage risk at the national
level, the Department must be able to develop and understand the
relative risk of different facilities. A comparative risk capability is
essential to regulation and can be achieved only through the collection
of comparative data. Thus, a standard vulnerability tool is necessary.
The Department has vetted the CSAT system with the engineering
profession, the National Laboratories, and academia. The Top-Screen
component, as well as the individual algorithms employed in the Top-
Screen, have been subject to extensive peer review and have been found
acceptable. While the Top-Screen is consequence-specific, DHS uses the
Top-Screen only to determine a preliminary tier ranking. DHS bases a
facility's final tier ranking upon the complete Security Vulnerability
Assessment, as well as the application of threat information--and thus
it is risk-based.
Insofar as the range of facilities possessing dangerous or
potentially dangerous chemicals is large, there is no good alternative
to a fairly broad range of facilities being included in the screening
process. DHS anticipates that the vast majority of screened facilities
will be found not to have a level of potential consequences that would
result in a ``high risk'' designation. However, the facilities that do
achieve that level of consequence are expected to come from a fairly
broad swath of the Nation's economy. DHS has no intention of
classifying facilities as presumptively high risk until and unless DHS
is unable to acquire sufficient data.
The Top-Screen will enable DHS to determine a preliminary tier
based on consequence. That ranking will determine the need for (and
timeline for) a Security Vulnerability Assessment, and where the Top-
Screen indicates the need for a follow-on Security Vulnerability
Assessment, DHS will expect that the owner-operator will comply. The
Department will require facilities to submit the Top-Screen within the
timeframes now specified in Sec. 27.210. The Department notes that the
Top-Screen is designed to preclude a large number of ``false
negatives.''
DHS is establishing the entire CSAT system as an on-line suite of
tools, which will allow notification of results to the owner or
operator. As provided in Sec. 27.205, the Department ``shall notify
[[Page 17701]]
the facility in writing [of a determination that the facility presents
a high level of security risk].'' While the online feature of the CSAT
system will allow rapid results, it will not allow the Department to
respond instantaneously, as some commenters requested. Finally, the
Top-Screen tool does require the owner-operator to provide certain data
similar to an RMP analysis; however, casualty estimates and consequence
ranking are performed by DHS using well-vetted formulae.
Regarding economic criticality, DHS recognizes the complexity of
estimating potential economic or mission impact stemming from the loss
of certain manufacturing (or other) capacity. Accordingly, DHS will
focus early efforts on developing a sufficiently clear picture of the
chemical industry as a system in order to allow a reasonable analysis
of economic and mission criticality, which will be enhanced as the
Department moves forward.
2. Assessment Methodologies
Comment: Many commenters provided input on methodologies that DHS
should use for determining which facilities present a high level of
risk, and several commenters had suggestions as to how DHS should
determine which facilities are high-risk. One association asserted that
DHS needed to clearly define the ``risk of interest'' before DHS could
determine which methodology to use. One (non-chemical) company
suggested that DHS use other Federal programs such as the EPA's Toxics
Release Inventory or the Superfund Amendments and Reauthorization Act
(SARA) Tier II annual reports to determine high risk facilities.
Commenters addressed the suitability of both asset- and scenario-based
approaches, with the majority favoring an asset-based approach.
Commenters suggested that DHS consider specific methodologies developed
by associations, national laboratories, or State and Federal agencies.
One association suggested that DHS use other methodologies while RAMCAP
continues to develop and mature. State agency commenters warned that
the question of which facilities pose a high risk is a community-
specific issue.
Many comments were very specific as to how DHS should proceed, and
what tools DHS should employ. For example, an engineering firm focused
on the need for process-based assessments. A chemical company noted the
need for any approved methodology to also consider the criticality of
surrounding and supporting infrastructure in a reasonable manner--that
is, one that is within the expertise of the facility personnel.
Many commenters also focused on various aspects related to RAMCAP.
One commenter asserted that RAMCAP might not adequately identify high-
risk facilities. Another commenter asked who owns RAMCAP. Several
commenters noted that the RAMCAP approach was not designed to address
control system cyber security. Another commenter felt that DHS provided
inadequate detail on the RAMCAP methodology and noted that DHS should
define the method before DHS solicits comment. Several commenters also
pointed out that RAMCAP's lack of details on vulnerability team
composition and experience could be a limitation. Some of RAMCAP's
developers took issue with deviations from the original RAMCAP design.
Another commenter pointed out the need for DHS to include proper
references to the RAMCAP and its genesis.
Also related to RAMCAP, some commenters expressed concern with the
details in Appendix B, ``Background: Risk Analysis and Management
Critical Asset Protection (RAMCAP) Vulnerability Assessment
Methodology.'' In particular, some expressed concern about expectations
that the noted threat scenarios would be analyzed as design basis
threats. The commenters noted that many of the scenarios require
military support to defeat, and that appears to be beyond the
capability of a chemical facility to address. Associations noted that
scenarios can be useful in a comparative top-screen, but that they
should not guide all facility-specific assessments. One company opined
that the threats needed to be more realistic before they were used in
any assessments.
Finally, one chemical company commented that DHS needs to list in
the rule the specific threats that facilities need to address in their
SSP. Also, the company indicated that DHS, not individual companies,
should determine deaths and injuries.
Response: In the Advance Notice, DHS sought to provide an overview
of RAMCAP and the DHS Methodology Assessment in the preamble (see,
e.g., pp. 78277-78288) and in Appendix B. As there seemed to be
confusion about the nature and purpose of RAMCAP and the DHS Assessment
Methodology (or CSAT) and its purpose, DHS provides further explanation
here.
The CSAT vulnerability assessment tool, part of the CSAT system
owned by DHS, is an asset-based vulnerability assessment tool very
similar to the Chemical Sector RAMCAP module. The CSAT system employs a
set of defined attack vectors, used to both ``produce'' consequences
(for the measurement of criticality) and to measure vulnerability.
These are not ``Design Basis'' threats and in no way reflect the type
of actual threats against which owner-operators will be expected to
``defend.'' They are measurement devices, supporting the DHS need to
conduct comparative risk analysis. The CSAT tool does include basic
assessments of certain types of cyber systems, and certain features
thereof. However, the CSAT tool is not intended to be a full-scope,
detailed analysis of all possible areas of vulnerability. It is a
measurement tool that will allow general categorization of a facility
as vulnerable or not, critical or not, and thus, at risk or not. DHS
will undertake detailed evaluations of specific security issues as part
of the ongoing relationship between the facility owner-operator and
DHS. The assessment tool that DHS uses to conduct comparative risk
assessments must be uniform and consistent in order for DHS to use it,
and so a ``menu'' of different methodologies is simply not practical.
Finally, DHS notes that there were several comments from companies,
encouraging the Department to adopt or require their own methodology or
technique. DHS is unaware of the extent of peer review or scientific
evaluation of these other methodologies or techniques. In addition, DHS
does not believe it is appropriate to identify a single commercial
product or endorse particular commercial products for purposes of
complying with this rule.
3. Risk-Based Tiers
In the Advance Notice, the Department asked for comment on the
notion of risk-based tiering of high-risk facilities. Specifically, the
Department asked how many risk-based tiers should the Department
create, what the criteria should be for differentiating among tiers,
what the types of risk should be most critical in the tiering, how
should performance standards differ among risk-based tiers, what
additional levels of regulatory scrutiny should DHS apply to each tier.
71 FR 78276, 78283.
Comment: Most commenters supported the establishment of risk tiers
and agreed that three or four tiers would be sufficient. Several
comments, including industry commenters, State agencies, and a member
of Congress believed that DHS should base tiering on the attractiveness
of the facility as a target or the consequences of a terrorist attack,
such as adverse impacts on public health and welfare, the potential for
mass casualties, and disruption of
[[Page 17702]]
essential services. The commenter indicated that the creation of tiers
would allow facilities to maintain security measures commensurate with
risk.
A few commenters suggested that DHS did not provide enough
information in the Advance Notice on the number of tiers or on how a
tier classification would affect a facility's security requirements.
Two industry commenters were concerned that DHS might apply the rule
requirements to facilities other than those that pose the highest
security risk. Two other commenters believed that the tiering approach
is not appropriate for cyber security of control systems. One commenter
argued that tiers should include consideration of the transportation of
chemicals outside the facility property. Another commenter recommended
that DHS should modify the tiers after it receives data from regulated
facilities. Another commenter thought that DHS should define ``present
high levels of security risk'' and ``high risk'' at the end of the
RAMCAP process and not at the discretion of the Secretary.
Commenters suggested that tiers should be objective and transparent
and should provide flexibility. One industry commenter pointed out that
tiering allows DHS to focus on the most important facilities first and
believed that DHS should establish a de minimis tier that sets
thresholds below which a facility does not have to complete