Homeland Security
DHS Is Taking Steps to Enhance Security at Chemical Facilities, but Additional Authority Is Needed Gao ID: GAO-06-150 January 27, 2006Terrorist attacks on U.S. chemical facilities could damage public health and the economy. While the Environmental Protection Agency (EPA) formerly led federal efforts to ensure chemical facility security, the Department of Homeland Security (DHS) is now the lead federal agency coordinating efforts to protect these facilities from terrorist attacks. GAO reviewed (1) DHS's actions to develop a strategy to protect the chemical industry, (2) DHS's actions to assist in the industry's security efforts and coordinate with EPA, (3) industry security initiatives and challenges, and (4) DHS's authorities and whether additional legislation is needed to ensure chemical plant security. GAO interviewed DHS, EPA, and industry officials, among others.
As part of a national framework for protecting the chemical sector, DHS is developing a Chemical Sector-Specific Plan. The plan is intended to, among other things, describe DHS's ongoing efforts and future plans to coordinate with federal, state, and local agencies and the private sector; identify chemical facilities to include in the sector, assess their vulnerabilities, and prioritize them; and develop programs to prevent, deter, mitigate, and recover from attacks on chemical facilities. DHS did not estimate when the plan will be completed. To date, DHS has taken a number of actions aimed at protecting the chemical sector from terrorist attacks. DHS has identified 3,400 facilities that, if attacked, could pose the greatest hazard to human life and health and has initiated programs to assist the industry and local communities in protecting chemical facilities. For example, the Buffer Zone Protection Program assists facility owners and local law enforcement with improving the security of areas surrounding plants. DHS also coordinates with the Chemical Sector Coordinating Council, an industry-led group that acts as a liaison for the chemical sector, and with EPA and other federal agencies. The chemical industry is voluntarily addressing plant security, but faces challenges in preparing against terrorism. Some industry associations require member companies to assess plants' vulnerabilities, develop and implement plans to mitigate vulnerabilities, and have a third party verify that security measures were implemented. Other associations have developed security guidelines and other tools to encourage their members to address security. While voluntary efforts are under way, industry officials said that they face challenges in preparing facilities against terrorism, including high costs and limited guidance on how much security is adequate. Because existing laws provide DHS with only limited authority to address security at chemical facilities, it has relied primarily on the industry's voluntary security efforts. However, the extent to which companies are addressing security is unclear. Unlike EPA, for example, which requires drinking water facilities to improve their security, DHS does not have the authority to require chemical facilities to assess their vulnerabilities and implement security measures. Therefore, DHS cannot ensure that facilities are taking these actions. DHS has stated that its existing authorities do not permit it to effectively regulate the chemical industry, and that the Congress should enact federal requirements for chemical facilities. Many stakeholders agreed--as GAO concluded in 2003--that additional legislation placing federal security requirements on chemical facilities is needed. However, stakeholders had mixed views on the contents of any legislation, such as requirements that plants substitute safer chemicals and processes that potentially could reduce the risks present at these facilities.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-06-150, Homeland Security: DHS Is Taking Steps to Enhance Security at Chemical Facilities, but Additional Authority Is Needed
This is the accessible text file for GAO report number GAO-06-150
entitled 'Homeland Security: DHS Is Taking Steps to Enhance Security at
Chemical Facilities, but Additional Authority Is Needed' which was
released on February 27, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
January 2006:
Homeland Security:
DHS Is Taking Steps to Enhance Security at Chemical Facilities, but
Additional Authority Is Needed:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-150]:
GAO Highlights:
Highlights of GAO-06-150, a report to congressional requesters:
Why GAO Did This Study:
Terrorist attacks on U.S. chemical facilities could damage public
health and the economy. While the Environmental Protection Agency (EPA)
formerly led federal efforts to ensure chemical facility security, the
Department of Homeland Security (DHS) is now the lead federal agency
coordinating efforts to protect these facilities from terrorist
attacks.
GAO reviewed (1) DHS‘s actions to develop a strategy to protect the
chemical industry, (2) DHS‘s actions to assist in the industry‘s
security efforts and coordinate with EPA, (3) industry security
initiatives and challenges, and (4) DHS‘s authorities and whether
additional legislation is needed to ensure chemical plant security. GAO
interviewed DHS, EPA, and industry officials, among others.
What GAO Found:
As part of a national framework for protecting the chemical sector, DHS
is developing a Chemical Sector-Specific Plan. The plan is intended to,
among other things, describe DHS‘s ongoing efforts and future plans to
coordinate with federal, state, and local agencies and the private
sector; identify chemical facilities to include in the sector, assess
their vulnerabilities, and prioritize them; and develop programs to
prevent, deter, mitigate, and recover from attacks on chemical
facilities. DHS did not estimate when the plan will be completed.
To date, DHS has taken a number of actions aimed at protecting the
chemical sector from terrorist attacks. DHS has identified 3,400
facilities that, if attacked, could pose the greatest hazard to human
life and health and has initiated programs to assist the industry and
local communities in protecting chemical facilities. For example, the
Buffer Zone Protection Program assists facility owners and local law
enforcement with improving the security of areas surrounding plants.
DHS also coordinates with the Chemical Sector Coordinating Council, an
industry-led group that acts as a liaison for the chemical sector, and
with EPA and other federal agencies.
The chemical industry is voluntarily addressing plant security, but
faces challenges in preparing against terrorism. Some industry
associations require member companies to assess plants‘
vulnerabilities, develop and implement plans to mitigate
vulnerabilities, and have a third party verify that security measures
were implemented. Other associations have developed security guidelines
and other tools to encourage their members to address security. While
voluntary efforts are under way, industry officials said that they face
challenges in preparing facilities against terrorism, including high
costs and limited guidance on how much security is adequate.
Because existing laws provide DHS with only limited authority to
address security at chemical facilities, it has relied primarily on the
industry‘s voluntary security efforts. However, the extent to which
companies are addressing security is unclear. Unlike EPA, for example,
which requires drinking water facilities to improve their security, DHS
does not have the authority to require chemical facilities to assess
their vulnerabilities and implement security measures. Therefore, DHS
cannot ensure that facilities are taking these actions. DHS has stated
that its existing authorities do not permit it to effectively regulate
the chemical industry, and that the Congress should enact federal
requirements for chemical facilities. Many stakeholders agreed”as GAO
concluded in 2003”that additional legislation placing federal security
requirements on chemical facilities is needed. However, stakeholders
had mixed views on the contents of any legislation, such as
requirements that plants substitute safer chemicals and processes that
potentially could reduce the risks present at these facilities.
What GAO Recommends:
GAO recommends that (1) the Congress consider giving DHS the authority
to require the chemical industry to address plant security, (2) DHS
complete the chemical sector-specific plan in a timely manner, and (3)
DHS work with EPA to study the security benefits to plants of using
safer technologies. After reviewing a draft of this report, DHS agreed
in substance with GAO‘s first two recommendations but expressed
concerns about studying safer technologies. GAO continues to see merit
in such a study. EPA had no comments on the draft report.
www.gao.gov/cgi-bin/getrpt?GAO-06-150.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact John Stephenson at (202)
512-3841 or stephensonj@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DHS Is Developing a Plan for Protecting the Chemical Sector:
DHS Has Taken Actions to Assess Facilities' Vulnerabilities and
Interact with the Industry and Other Federal Agencies:
The Chemical Industry Continues Voluntary Efforts to Address Security,
but Faces Challenges in Safeguarding Facilities:
DHS Needs Additional Authority to Ensure That Chemical Facilities Are
Addressing Security Issues:
Conclusions:
Matters for Congressional Consideration:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Summary of the Chemical Industry's Voluntary Security
Initiatives:
Appendix III: Comments from the Department of Homeland Security:
GAO Comments:
Appendix IV: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Number and Percentage of Processes That Involve More Than
Threshold Amounts of Hazardous Chemicals under the RMP, by Industry
Sector:
Table 2: Overview of Key Chemical Security Legislative Proposals in the
109th Congress:
Table 3: Examples of Federal Security Requirements for Other Critical
Infrastructure Sectors:
Abbreviations:
ACC: American Chemistry Council:
ASC: Adhesive and Sealant Council:
CGA: Compressed Gas Association:
CSISSFRRA: Chemical Safety Information, Site Security and Fuels
Regulatory Relief Act:
DHS: Department of Homeland Security:
EPA: Environmental Protection Agency:
FACA: Federal Advisory Committee Act:
FDA: Food and Drug Administration:
FOIA: Freedom of Information Act:
IAIP: Information Analysis and Infrastructure Protection:
IME: Institute of Makers of Explosives:
ISAC: Information Sharing and Analysis Center:
MTSA: Maritime Transportation Security Act:
NACD: National Association of Chemical Distributors:
NPCA: National Paint and Coatings Association:
NPRA: National Petrochemical and Refiners Association:
NIPP: National Infrastructure Protection Plan:
NISAC: National Infrastructure Simulation and Analysis Center:
OMB: Office of Management and Budget:
PCII: Protected Critical Infrastructure Information Program:
RAMCAP: Risk Analysis Management for Critical Asset Protection:
RMP: Risk Management Plan:
SOCMA: Synthetic Organic Chemical Manufacturers Association:
TFI: The Fertilizer Institute:
Letter January 27, 2006:
The Honorable Susan M. Collins:
Chairman, Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable James M. Inhofe:
Chairman, Committee on Environment and Public Works:
United States Senate:
The Honorable Christopher Shays:
Chairman, Subcommittee on National Security, Emerging Threats, and
International Relations:
Committee on Government Reform:
House of Representatives:
Across the nation, approximately 15,000 facilities produce, use, or
store more than threshold amounts of chemicals identified by the
Environmental Protection Agency (EPA) as posing the greatest risk to
human health and the environment if accidentally released into the air.
These facilities include chemical manufacturers, storage and
distribution facilities, fertilizer and pesticide facilities, pulp and
paper manufacturers, water and wastewater treatment facilities, and
refineries, among others. Since the events of September 11, 2001,
government and other experts have recognized the potential threat that
chemical facilities pose because many house toxic chemicals that could
become airborne and drift to surrounding areas or be used to create a
weapon capable of causing harm. In this regard, in 2003, the Department
of Justice (Justice) reported that industrial chemical plants remain
viable targets and warned that al Qaeda operatives may attempt to
launch conventional attacks against U.S. chemical facilities to cause
contamination, disruption, and terror. While these facilities
potentially put large numbers of Americans at risk of injury or death
in the event of a chemical release, the chemicals they produce, use,
store, and distribute are critical to the nation's economy.
The Homeland Security Act of 2002 established the Department of
Homeland Security (DHS) and set forth its mission to, among other
things, prevent terrorist attacks in the United States and reduce the
vulnerability of the nation to terrorism.[Footnote 1] The President's
February 2003 National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets sets forth the federal government's
roles, objectives, and responsibilities in protecting the nation's
critical infrastructure, including the chemical industry. In addition,
consistent with the Homeland Security Act, a December 2003 presidential
directive instructed DHS to produce a comprehensive integrated plan
outlining national goals, objectives, milestones, and key initiatives
for protecting critical infrastructure and key resources. The directive
also names DHS as the lead agency for the chemical sector, a change
from earlier national strategies that named EPA as the lead.[Footnote
2] Under an interim national plan released in February 2005, DHS is to
identify and prioritize critical chemical facilities, evaluate the
chemical sector's vulnerabilities and risks, develop and implement
protective programs for high-priority chemical facilities, identify
regulatory options for protective measures, and maintain a relationship
with all stakeholders.
The federal government's role in protecting chemical facilities from
terrorist attacks has been much debated since September 11, 2001.
Public debate has centered on whether the federal government should
impose security requirements on chemical facilities or continue to work
with the chemical industry to voluntarily address security concerns.
Legislative proposals that would grant DHS or EPA, or one of these
agencies in consultation with the other, the authority to require
chemical facilities to take security steps were introduced in every
Congress from 2001 to 2005.
In this context, you asked us to examine federal and industry efforts
to address security concerns at chemical facilities. Specifically, this
report discusses (1) DHS's actions to develop an overall strategy for
protecting the chemical industry; (2) DHS's efforts to identify high-
risk chemical facilities, assess their vulnerabilities, ensure that
facilities are addressing security, and coordinate with EPA in these
efforts; (3) chemical industry security initiatives and challenges; and
(4) DHS's existing authorities and whether additional legislative
authority is needed to ensure that chemical facilities take action to
address vulnerabilities. In conducting our work, we interviewed
officials from DHS's Information Analysis and Infrastructure Protection
Directorate (IAIP), and EPA's Office of Emergency Management. We also
reviewed pertinent federal legislation; EPA data; and DHS documents,
including the Interim National Infrastructure Protection Plan, an early
draft of the Chemical Sector-Specific Plan; and other available
reports. We interviewed representatives of all 16 associations
participating on the Chemical Sector Coordinating Council, a group of
chemical sector associations that facilitate the sharing of industry
views with DHS.[Footnote 3] To obtain a broad range of industry views,
we also spoke with at least one member company belonging to 13 of the
key chemical industry associations.[Footnote 4] These companies
included large chemical manufacturers; small-and medium-sized chemical
distributors; companies that manufacture, distribute, and sell
agricultural and specialty chemicals; and plastics manufacturers, among
others. We also interviewed other organizations with chemical industry
expertise, including the American Society of Mechanical Engineers, the
Center for Chemical Process Safety, Sandia National Laboratories, and
the Working Group on Community Right-to-Know, among others. We
conducted our work from December 2004 through December 2005 in
accordance with generally accepted government auditing standards. A
more detailed description of our objectives, scope, and methodology is
contained in appendix I.
Results in Brief:
As part of a national framework for reducing the overall vulnerability
of the chemical sector in partnership with the industry and state and
local authorities, DHS is developing a Chemical Sector-Specific Plan.
Our review of a July 2004 draft of this plan--the most recent version
available, according to DHS officials--and discussions with these
officials on the contents of the final plan indicate that the plan
will, among other things, describe:
* the chemical industry, including providing background information and
a detailed profile of the sector;
* the regulatory authority of key federal agencies relative to the
chemical industry;
* DHS's coordination with federal, state, and local agencies, such as
law enforcement and emergency management departments, and with the
private sector on efforts that include sharing intelligence and
security information;
* DHS's efforts to identify chemical facilities that should be included
in the sector, assess their vulnerabilities, and prioritize these
facilities on the basis of risk;
* DHS's development of protective programs in coordination with private
and government entities to prevent, deter, mitigate, and recover from
attacks on chemical facilities;
* how DHS will measure DHS and the industry's performance in addressing
security issues, and research and develop new protective security
measures; and:
* challenges in improving security, including collecting information
about facilities from a large number of owners, communicating with
chemical facility owners who do not belong to industry associations,
coordinating the roles of sector stakeholders, and working without
federal regulatory authority.
DHS did not estimate when the plan will be completed.
In developing its plan for the chemical industry, DHS initiated several
actions to identify the sector's critical assets, prioritize
facilities, develop and implement protective programs, exchange
information with the private sector, and coordinate efforts with EPA
and other federal agencies. DHS has determined the chemical sector's
critical assets and identified about 3,400 high-priority facilities. In
the future, however, the agency plans to use a new risk assessment
methodology to compare and prioritize all critical infrastructure
assets according to their level of threat, vulnerability to attack, and
the consequences of an attack on the facility. To conduct this
analysis, it will be necessary for chemical facility owners and
operators to voluntarily assess and provide DHS with information on
their vulnerabilities and potential consequences of an attack. DHS also
has implemented a number of programs to assist the private sector and
local communities in protecting chemical facilities. For example, DHS
has conducted vulnerability assessments at 38 chemical facilities and
shared suggestions for improvement with the facility owners and
operators. In addition, DHS has worked with facility owners and local
law enforcement to improve the security of areas surrounding a few high-
risk chemical facilities in order to make launching an attack more
difficult. DHS also shares threat information with the industry and
coordinates sector activities with the Chemical Sector Coordinating
Council, an industry-led working group that acts as a liaison for the
chemical sector. Finally, DHS coordinates its chemical security efforts
with EPA and other federal agencies through a government coordinating
council.
The chemical industry, led by its industry associations, has undertaken
voluntary efforts to address plant security, but faces challenges in
preparing facilities against terrorism. As we reported in March 2005,
some industry associations require member companies to assess their
facilities' vulnerabilities and make security enhancements.[Footnote 5]
Three industry associations--the American Chemistry Council, the
National Association of Chemical Distributors, and the Synthetic
Organic Chemical Manufacturers Association--require as a condition of
membership that companies conduct vulnerability assessments, develop
and implement plans to mitigate vulnerabilities, and have a third party
verify that the security enhancements were implemented. Other industry
associations have encouraged their members to address security by
developing security guidelines, best practices, and other tools. For
example, a number of associations, including CropLife America, the
Fertilizer Institute, and the National Petrochemical and Refiners
Association, have developed guidelines and vulnerability assessment
methodologies tailored specifically to their member companies' unique
security concerns. While efforts are under way to address security,
industry officials told us that they face a number of challenges in
preparing facilities against a terrorist attack. They reported that the
cost of security improvements can be a burden, particularly for smaller
companies that may lack the resources larger chemical companies have to
devote to security. Industry officials stated that federal assistance
via grants or tax incentives to offset security costs could help them
enhance security at facilities. Industry officials also cited the need
for guidance on what level of security is adequate, noting that
determining the appropriate level of security for different facilities
is difficult.
Existing laws provide DHS with only limited authority to address
security concerns at U.S. chemical facilities. Because chemical
facilities pose significant risks to millions of Americans, additional
legislation is needed to give DHS the authority to require security
improvements at these facilities. In this regard, DHS lacks the
specific authority to require chemical facilities to assess their
vulnerabilities and implement security measures. In addition, DHS
currently lacks the authority to enter most chemical facilities without
their permission for the purposes of assessing security or to enforce
the implementation of any needed security improvements. Because, in
contrast to some other critical infrastructure facilities--such as
nuclear and drinking water facilities--chemical plants generally are
not subject to federal security requirements, DHS has relied primarily
on the voluntary participation of the private sector to address
facility security. As a result, DHS cannot ensure that all high-risk
facilities are assessing their vulnerability to terrorist attacks and
taking corrective actions, where necessary. On this basis, we concluded
in 2003 that additional legislation is needed to place federal security
requirements on chemical facilities. Similarly, many of the
stakeholders we contacted--including representatives from industry,
research centers, and government--agreed on the need for additional
legislation that would establish federal security requirements. These
stakeholders had mixed views, however, on the specific contents of any
legislation, such as requirements that facilities substitute safer
chemicals and processes--referred to as "inherently safer
technologies"--that could lessen the potential consequences of an
attack by reducing the risks present at these facilities, but could be
costly or infeasible for some plants. Finally, DHS also has concluded
that its existing authorities do not permit it to effectively regulate
the industry, and that the Congress should enact federal requirements
for chemical facilities. Given that the nation's chemical facilities
pose significant risks and the extent of their security preparedness is
largely unknown, legislation giving DHS the authority to require the
chemical industry to address security at their plants could help to
better protect these facilities against a potential terrorist attack.
We are recommending that the Congress consider providing DHS with the
authority to require high-risk chemical facilities to assess their
vulnerability to terrorist attacks and, where necessary, require these
facilities to take corrective action. We are also recommending that DHS
complete the Chemical Sector-Specific Plan in a timely manner and work
with EPA to study the advantages and disadvantages of substituting
safer chemicals and processes at some chemical facilities. In
commenting on a draft of this report, DHS agreed that the Congress
should consider granting DHS the authority to require the chemical
industry to address plant security and that completing and implementing
the sector-specific plan is a priority. However, DHS disagreed with our
recommendation that the department work with EPA to study the security
benefits to chemical plants of using safer technologies. DHS believes
that the use of safer technologies would not generally result in more
secure chemical facilities and would tend to shift risks rather than
eliminate them. DHS also stated that it is unclear what role EPA would
play in a study of the benefits of using safer technologies or how
DHS's interaction with EPA might be perceived among DHS's private
sector partners.
Background:
Experts agree that chemical facilities present an attractive target for
terrorists intent on causing massive damage. Terrorist attacks
involving the theft or release of certain chemicals could significantly
impact the health and safety of millions of Americans; disrupt local or
regional economies; or impact other critical infrastructures that rely
on chemicals, such as drinking water and wastewater treatment systems.
The disaster in Bhopal, India, in 1984, when methyl isocyanate--a
highly toxic chemical--leaked from a tank, reportedly killing about
3,800 people and injuring anywhere from 150,000 to 600,000 others,
illustrates the potential threat to public health from a chemical
release. As we reported in 2003, Justice has been warning of the
terrorist threat to chemical facilities for a number of years and has
concluded that the risk of an attempt in the foreseeable future to
cause an industrial chemical release is both real and
credible.[Footnote 6] On the basis of analysis of trends in
international and domestic terrorism and the burgeoning interest in
weapons of mass destruction among criminals and terrorists, Justice
warned of potential targeting of chemical facilities by terrorists even
before the events of September 11, 2001. In fact, according to Justice,
domestic terrorists plotted to use a destructive device against a U.S.
facility that housed millions of gallons of propane in the late 1990s.
According to news reports, terrorists also have targeted chemical
facilities in Europe. Furthermore, on May 15, 2005, bombs were
detonated in Spain by suspected Basque separatists at two chemical
plants, a paint factory, and a metal works facility, leading to minor
injuries from toxic fume inhalation.
No one has yet comprehensively assessed security at the nation's
chemical facilities. In April 2005 testimony before the Senate
Committee on Homeland Security and Governmental Affairs on chemical
facility security, experts from the Council on Foreign Relations and
the Brookings Institute underscored the threat that U.S. chemical
facilities pose and expressed concern about the adequacy of security at
these facilities. While federal and state governments and the chemical
industry have taken steps to address security at chemical facilities,
recent studies and media exposés have raised doubts about security at
some plants. According to media accounts, every year from 2001 to 2005,
reporters and environmental activists gained access to chemical tanks
and computer centers that control manufacturing processes at a number
of facilities, including American Chemistry Council (ACC) member
company facilities. In addition, a 2004 survey of employees at 189
chemical facilities conducted for the Paper, Allied-Industrial,
Chemical, and Energy Workers International Union found that employees
had doubts about the effectiveness of facilities' efforts to prevent a
terrorist attack. Less than half of the respondents (44 percent)
indicated that their companies' preventative actions, including
security efforts, were effective in reducing facility vulnerabilities
to terrorist attack. The U.S. Chemical Safety and Hazard Investigation
Board also testified in April 2005 that gaps in safety and emergency
response preparedness at chemical facilities leave Americans
vulnerable. Furthermore, some environmental and advocacy groups believe
reducing safety risks should be an integral part of facilities' efforts
to reduce the potential consequences of a terrorist attack. These
groups advocate reducing the inherent risks that toxic chemicals
present by substituting safer chemicals or switching to inherently
safer technologies.
Universe of Chemical Facilities:
EPA regulates about 15,000 facilities under the Clean Air Act because
they produce, use, or store more than certain threshold amounts of
specific chemicals that would pose the greatest risk to human health
and the environment if they were accidentally released into the air.
These facilities must take a number of steps, including preparing a
risk management plan (RMP), to prevent and prepare for an accidental
release and, therefore, are referred to as RMP facilities. These
facilities fall within a variety of industries and produce, use, or
store a host of products, including (1) basic chemicals used to
manufacture other products, such as fertilizers, plastics, and
synthetic fibers; (2) specialty chemicals used for a specific purpose,
such as a functional ingredient or a processing aid in the manufacture
of a range of products, including adhesives and solvents, coatings,
industrial gases and cleaners, and water management chemicals; (3) life
science chemicals consisting of pharmaceuticals and pesticides; and (4)
consumer products, such as hair and skin products and cosmetics. Some
of these facilities are part of critical infrastructure sectors other
than the chemical sector. For example, about 2,000 of these facilities
are community water systems that are part of the water infrastructure
sector. In addition, other facilities that house hazardous chemicals
that are listed under the RMP regulations are not subject to RMP
requirements because the quantities stored or used are below threshold
amounts. However, these facilities could also potentially be at risk of
terrorist attacks. Table 1 outlines the number and percentage of
processes in different industry sectors that involve more than
threshold amounts of hazardous chemicals.
Table 1: Number and Percentage of Processes That Involve More Than
Threshold Amounts of Hazardous Chemicals under the RMP, by Industry
Sector:
Industry sector: Agriculture and farming, farm supply, fertilizer
production, and pesticides;
Number of processes: 5,767;
Percentage of processes: 29%.
Industry sector: Water supply and wastewater treatment;
Number of processes: 3,456;
Percentage of processes: 17%.
Industry sector: Chemical manufacturing;
Number of processes: 3,758;
Percentage of processes: 19%.
Industry sector: Energy production, transmission, transport, and sale;
Number of processes: 3,045;
Percentage of processes: 15%.
Industry sector: Food and beverage manufacturing and storage (including
refrigerated warehousing);
Number of processes: 2,531;
Percentage of processes: 13%.
Industry sector: Chemical warehousing (not including refrigerated
warehousing);
Number of processes: 238;
Percentage of processes: 1%.
Industry sector: Other[A];
Number of processes: 1,033;
Percentage of processes: 5%.
Industry sector: Total[B];
Number of processes: 19,828;
Percentage of processes: 100%[C].
Source: EPA.
[A] "Other" represents a large variety of industry sectors, including
pulp mills, iron and steel mills, cement manufacturing, and computer
manufacturing.
[B] The total number of covered processes is not equal to the 15,000
RMP facilities because some RMP facilities have more than one covered
process (i.e., multiple processes containing more than a threshold
amount of a covered hazardous chemical).
[C] Percentages do not total 100 percent due to rounding.
[End of table]
The Federal Government's Roles and Responsibilities in Protecting the
Chemical Sector:
The Homeland Security Act established DHS and set forth its mission to,
among other things, prevent terrorist attacks within the United States,
reduce the nation's vulnerability to terrorism, and minimize the damage
from and assist in the recovery from terrorist attacks that occur
within the United States. The act also established DHS's IAIP and made
it responsible for critical infrastructure protection and information
analysis functions.[Footnote 7] As part of its statutory
responsibilities, IAIP must develop a comprehensive national plan for
securing the key resources and critical infrastructure of the United
States. IAIP's other responsibilities include identifying threats,
conducting comprehensive assessments of the vulnerabilities of key
resources, conducting risk assessments to determine the risks posed by
certain types of terrorist attacks, identifying priorities for
protective measures, and recommending measures to protect critical
infrastructure and key resources. The Secretary of the Department of
Homeland Security has given IAIP responsibility for creating and
managing private sector advisory councils composed of representatives
of industries and associations designated by the Secretary to advise
the Secretary on various matters, including private sector products,
applications, and solutions, as they relate to homeland security
challenges.[Footnote 8]
This act and the December 2003 presidential directive established the
framework under which IAIP carries out its responsibilities for
coordinating the overall national critical infrastructure protection
effort. The directive designates a lead federal agency for each
critical infrastructure sector, such as agriculture, banking and
finance, and chemical. DHS is now the lead, or sector-specific agency,
for the chemical infrastructure, which is a change from national
strategies issued in July 2002 and February 2003 that named EPA as the
lead agency. IAIP is responsible for infrastructure protection
activities for the chemical sector, including developing a plan for
protecting the chemical sector by July 2004. Other IAIP chemical sector
responsibilities include:
* collaborating with relevant federal agencies, state and local
governments, and the private sector;
* conducting or facilitating vulnerability assessments of the chemical
sector;
* encouraging risk management strategies to protect against and
mitigate the effects of attacks against chemical sector assets; and:
* collaborating with the appropriate private sector entities and
continuing to encourage the development of information-sharing and
analysis mechanisms and to support sector coordinating mechanisms.
In February 2005, DHS released an Interim National Infrastructure
Protection Plan that also outlines the responsibilities of sector-
specific agencies. As the lead agency for the chemical sector, the
national plan calls for DHS to identify and prioritize critical
chemical facilities, evaluate the chemical sector's vulnerabilities and
risks, develop and implement protective programs for high-priority
chemical facilities, identify regulatory options for protective
measures, and maintain a relationship with all stakeholders.
Currently, federal requirements address security at some U.S. chemical
facilities. A small number of chemical facilities must comply with the
Maritime Transportation Security Act of 2002 (MTSA). MTSA and its
implementing regulations require maritime facility owners and operators
to conduct assessments of certain at-risk facilities to identify
vulnerabilities, develop security plans to mitigate these
vulnerabilities, and implement the measures discussed in the security
plans. MTSA and implementing regulations also require that the United
States Coast Guard conduct inspections at these facilities and prohibit
operation of facilities that do not have required security plans
approved by the Secretary or that are not operating in compliance with
these plans. According to July 27, 2005, testimony before the Senate
Homeland Security and Governmental Affairs Committee, the Coast Guard
has reviewed and approved facility security plans for 300 chemical
facilities.
Some states and localities have also created security requirements at
chemical facilities. For example, Maryland's Hazardous Material
Security Act requires RMP facilities in the state to perform
vulnerability assessments, develop and implement security measures, and
report to the state Department of the Environment. Under New York's
Anti-Terrorism Preparedness Act of 2004, the state Office of Homeland
Security, subject to available appropriations, must require certain
chemical facilities to conduct vulnerability assessments. Under the
Domestic Security Preparedness Task Force established by New Jersey
law, New Jersey Department of Environmental Protection officials work
with the state's chemical facilities to adopt security best practices.
In addition, Baltimore, Maryland, requires chemical manufacturers to
follow a set of safety and security regulations devised by its fire and
police commissioners; noncompliance can result in penalties, such as
the withholding or suspension of facility operating permits.
Separate from its responsibilities for enhancing the protection of the
chemical sector from terrorist attacks, the federal government imposes
safety and emergency response requirements on chemical facilities that
may incidentally reduce the likelihood and consequences of terrorist
attacks. For example, the Emergency Planning and Community Right to
Know Act requires owners and operators of facilities that maintain
specified quantities of certain extremely hazardous chemicals to
annually submit information on their chemical inventory to state and
local emergency response officials. This information is used to help
prepare community response plans in the event of a chemical incident.
Furthermore, under the Clean Air Act, EPA requires owners and operators
of RMP facilities to prepare and implement a plan to detect and prevent
or minimize accidental releases. In addition to evaluating "worst-case"
accidental release scenarios, facility owners and operators must
implement a program to prevent accidental releases that includes safety
precautions and maintenance, and monitoring and training measures, and
they must have an emergency response plan. The Department of Labor's
Occupational Safety and Health Administration's process safety
management standard also requires facilities to assess and address the
hazards of their chemical processes. All of these requirements could
potentially mitigate a terrorist attack by (1) providing an incentive
to facilities to reduce or eliminate chemicals below regulated
threshold levels, (2) requiring facilities to implement measures to
improve the safety of areas that are vulnerable to a chemical release,
and (3) facilitating emergency response planning that increases
preparedness for a chemical release--whether intentional or
unintentional.
Legislative Proposals:
Since 2001, the Congress has considered a number of legislative
proposals that would give the federal government a greater role in
ensuring the protection of the nation's chemical facilities. These
legislative proposals would have granted DHS or EPA, or one of these
agencies in consultation with the other, the authority to require
chemical facilities to conduct vulnerability assessments and implement
security measures to address their vulnerabilities. In the 109th
Congress, three bills have been introduced but have not yet been acted
upon: H.R. 1562, H.R. 2237, and S. 2145. Table 2 provides an overview
of the major provisions of these legislative proposals.
Table 2: Overview of Key Chemical Security Legislative Proposals in the
109th Congress:
Major provisions: General requirements;
H.R. 1562: High-priority facilities would be required to submit
vulnerability assessments and security plans to DHS; other chemical
sources would be required to self-certify completion of assessments and
plans and provide DHS copies upon request;
H.R. 2237: High-priority facilities would be required to submit
vulnerability assessments and to certify that they have prepared
prevention, preparedness, and response plans to EPA;
S. 2145: Designated chemical sources would be required to submit
vulnerability assessments, security plans, and emergency response plans
to DHS. The assessment and security plan would be required to address
security performance standards established by DHS for each risk-based
tier. Chemical sources would be required to self-certify completion of
assessments and plans.
Major provisions: Role of DHS and EPA;
H.R. 1562: DHS, in consultation with EPA, would identify high-priority
categories of facilities; DHS would receive and review assessments and
plans;
H.R. 2237: EPA, in consultation with DHS and state and local agencies,
would identify high-priority categories of facilities; EPA would
receive assessments and certifications;
S. 2145: DHS would designate facilities as chemical sources and assign
each chemical source to a risk-based tier. DHS would receive and review
assessments, plans, and certifications. EPA would have no role.
Major provisions: Compliance enforcement;
H.R. 1562: DHS would, when and where it deems appropriate, conduct or
require the conduct of vulnerability assessments and other activities
to ensure and evaluate compliance; DHS could disapprove a vulnerability
assessment or site security plan; following written notification and
consultation with the owner or operator, DHS could issue a compliance
order;
H.R. 2237: Not later than 3 years after the deadline for submission of
vulnerability assessments and response plans, EPA, in consultation with
DHS, would review and certify compliance of each assessment and plan;
following consultation with DHS, and 30 days after providing
notification to the facility and providing advice and technical
assistance to bring the assessment or plan into compliance and address
threats, EPA could issue a compliance order;
S. 2145: DHS would review and approve or disapprove all vulnerability
assessments, security plans, and emergency response plans for
facilities in higher risk tiers within 1 year, and within 5 years for
all other facilities. DHS would be required to disapprove of any
vulnerability assessment, site security plan, or emergency response
plan not in compliance with the vulnerability assessment, site security
plan, and emergency response plan requirements. For higher risk
facilities, if DHS disapproves the assessment or plans, the Secretary
could issue an order to a chemical source to cease operation. For other
facilities, the Secretary could issue an order to a chemical source to
cease operation, but only after a process of written notification,
consultation, and time for compliance.
Major provisions: Penalties for noncompliance;
H.R. 1562: Would provide for court awarded civil penalties up to
$50,000 per day for failure to comply with an order, site security
plan, or other recognized procedures, protocols, or standards, and
administrative penalties up to $250,000 for failure to comply with an
order;
H.R. 2237: Would provide for court awarded civil penalties up to
$25,000 per day, criminal penalties, and administrative penalties (if
the total civil penalties do not exceed $125,000) for failure to comply
with an order;
S. 2145: Would provide for court awarded civil penalties up to $50,000
per day, and administrative penalties of not more than $25,000 per day
(not to exceed $1 million per year) for failure to comply with a DHS
order or directive issued under the act. Also calls for criminal
penalties of up to $50,000 in fines per day, imprisonment for not more
than 2 years, or both for knowingly violating an order or failing to
comply with a site security plan.
Major provisions: Inherently safer technologies requirements;
H.R. 1562: None;
H.R. 2237: Response plans would be required to include a description of
safer design and maintenance options considered and reasons those
options were not implemented; EPA would be required to establish a
clearinghouse for information on inherently safer technologies and
would be authorized to provide grants to assist chemical facilities
demonstrating financial hardship in implementing inherently safer
technologies;
S. 2145: None.
Major provisions: Information protections;
H.R. 1562: Would exempt information obtained from disclosure under the
Freedom of Information Act (FOIA) or otherwise, or from disclosure
under state or local laws; information would also not be subject to
discovery or admitted into evidence in any federal or state civil
judicial or administrative procedure other than in civil compliance
action brought by DHS. Calls for DHS, in consultation with others, to
establish confidentiality protocols;
H.R. 2237: Would exempt information obtained from disclosure under
FOIA; calls for EPA, in consultation with DHS, to establish information
protection protocols;
S. 2145: Would exempt information obtained from disclosure under FOIA,
or from disclosure under state or local laws. Certifications submitted
by the chemical sources, orders for failure to comply, and certificates
of compliance and other orders would generally be made available to the
public. Calls for DHS, in consultation with the Director of the Office
of Management and Budget and appropriate federal law enforcement
officials, to create confidentiality protocols for the maintenance and
use of records; would establish penalties for the unlawful disclosure
of protected information.
Major provisions: Equivalence of industry codes;
H.R. 1562: Upon petition, DHS would be required to endorse other
industry, state, or federal protocols or standards that the Secretary
of DHS determines to be substantially equivalent;
H.R. 2237: None;
S. 2145: Would allow the Secretary to determine that vulnerability
assessments, security plans, and emergency response plans prepared
under alternative security programs meet the act's requirements and to
permit submissions or modifications to the assessments or plans.
Major provisions: Other;
H.R. 1562: Would grant DHS right of entry; would exempt facilities that
are subject to MTSA (port facilities) or the Bioterrorism Act
(community water systems). Except with respect to protection of
information, would not affect requirements imposed under state law;
H.R. 2237: Would grant EPA right of entry; would authorize EPA to
provide grants for training of first responders and employees at
chemical facilities; would not affect requirements imposed under state
law;
S. 2145: Would grant DHS right of entry; would exempt facilities that
are subject to MTSA from certain area security requirements but these
facilities would otherwise comply with the act's requirements. Would
preserve the right of states to adopt chemical security requirements
that are more stringent than the federal standard, as long as the state
standard does not conflict with the federal standard.
Source: GAO analysis of proposed legislation.
[End of table]
Also in the 109th Congress, the conference committee for H.R. 2360,
making appropriations for DHS for fiscal year 2006, directed DHS to:
* submit a report to the Senate and House Committees on Appropriations
by February 10, 2006, describing (1) the resources needed to implement
mandatory security requirements for the chemical sector and to create a
system for auditing and ensuring compliance with the security standards
and (2) the security requirements and any reasons why the requirements
should differ from those already in place for chemical facilities that
operate in a port zone;
* complete vulnerability assessments of the highest risk U.S. chemical
facilities by December 2006, giving preference to facilities that, if
attacked, pose the greatest threat to human life and the economy; and:
* complete a national security strategy for the chemical sector by
February 10, 2006.[Footnote 9]
DHS Is Developing a Plan for Protecting the Chemical Sector:
As part of an overall National Infrastructure Protection Plan (NIPP),
DHS is developing a plan for protecting the chemical sector that will
establish a framework for reducing the overall vulnerability of the
sector in partnership with the industry and state and local
authorities. The NIPP will outline how DHS and relevant stakeholders
will develop and implement the national effort to protect
infrastructures across all sectors. In February 2005, DHS released an
interim NIPP that provides a strategy for critical infrastructure
protection and a means for discussion with critical stakeholders. The
NIPP states that each sector-specific agency is responsible for
developing, implementing, and maintaining a sector-specific plan for
their sector. Each plan is supposed to outline strategies for (1)
collaborating with all relevant federal departments and agencies, state
and local governments, and the private sector; (2) identifying assets;
(3) conducting or facilitating vulnerability assessments; and (4)
encouraging risk management strategies to protect against and mitigate
the effects of an attack. The Chemical Sector-Specific Plan will be an
appendix to the NIPP. While DHS did not provide an estimated completion
date for either the Chemical Sector-Specific Plan or the NIPP, DHS
stated that the plan and the plans for the other critical
infrastructure and key resource sectors will be completed within 6
months of approval of the NIPP.
As the agency with lead responsibility for the chemical sector, DHS is
responsible for developing the chemical sector-specific plan. DHS
completed a draft of the plan in July 2004. Since that time, DHS has
worked to revise the plan to accommodate changes to DHS's risk
management strategy, comments from stakeholders' review of the NIPP,
and consultation with chemical sector stakeholders. While DHS officials
told us that the structure of the final plan will differ from the July
2004 version, they said that the basic principles and content described
in that draft will still be included in the final plan.
On the basis of our review of the draft plan and discussions with DHS
officials, the final plan will:
* present background information on the sector, including a description
of (1) the types of assets that are considered part of the chemical
sector; (2) the regulatory authority of key federal agencies relative
to the chemical industry and the key stakeholders in the sector; (3)
the roles and responsibilities of each stakeholder; and (4) DHS's
coordination with federal, state, and local agencies, such as law
enforcement and emergency management departments, and with the private
sector on efforts that include sharing intelligence and security
information;
* describe the process DHS will use to develop a comprehensive
inventory of assets in the chemical sector, including plans for working
with the private sector to develop this inventory, since the critical
infrastructure in the chemical sector is predominantly privately owned
and operated;
* describe DHS's efforts to identify and assess the vulnerabilities of
chemical facilities and how DHS plans to prioritize these efforts on
the basis of the vulnerability assessments;
* outline the protective programs that will be created to prevent,
deter, mitigate, and recover from attacks on chemical facilities, and
describe how DHS will work with private sector and government entities
to implement these programs;
* explain the performance metrics DHS will use to measure the
effectiveness of DHS and industry security efforts and ensure that DHS
meets its overall critical infrastructure goals, including (1)
identifying and assessing the vulnerability of the nation's critical
infrastructure and key resources; (2) ensuring the protection of the
nation's critical infrastructure and key resources from terrorist
attack; (3) establishing a collaborative environment across all levels
of government and with the private sector to better protect the
nation's critical infrastructure and key resources; and (4)
coordinating and integrating, as appropriate, with other federal
emergency management and preparedness activities, including the
National Response Plan;[Footnote 10]
* document DHS's plans to work with stakeholders to review current
federal research and development initiatives for prioritization and to
identify gaps between the chemical sector's requirements and current
projects in order to identify research and development needs; and:
* outline challenges the department faces in coordinating the efforts
of the chemical sector, such as collecting information about facilities
from a large number of owners; communicating with chemical facility
owners who do not belong to industry associations; coordinating the
roles of sector stakeholders; and working without federal regulatory
authority.
Furthermore, in September 2005, the conference committee, in the
conference report for the Department of Homeland Security
Appropriations Act, 2006, directed DHS to complete a national security
strategy for the chemical sector by February 10, 2006.[Footnote 11]
According to DHS, the department is preparing a high-level strategic
document--the National Strategy for Securing the Chemical Sector--that
is separate but complementary to the Chemical Sector-Specific Plan.
Our March 2003 report on chemical security recommended that DHS develop
a comprehensive national chemical security strategy that is both
practical and cost-effective.[Footnote 12] We recommended that the
strategy identify high-risk facilities, collect information on industry
security preparedness, specify the roles and responsibilities of each
federal agency partnering with the chemical industry, and develop
appropriate information-sharing mechanisms. If the final Chemical
Sector-Specific Plan includes the elements DHS has described, it should
meet the criteria set out in this recommendation.
DHS Has Taken Actions to Assess Facilities' Vulnerabilities and
Interact with the Industry and Other Federal Agencies:
DHS has taken initial action to identify the chemical sector's critical
assets, prioritize facilities, develop and implement protective
programs, exchange information with the private sector, and coordinate
efforts with EPA and other federal agencies. In this regard, DHS has
identified about 3,400 chemical facilities as posing the greatest
hazard to human life and health, and it is developing a new risk
assessment methodology to compare and prioritize all critical
infrastructure assets according to their level of threat, their
vulnerability to attack, and the consequences of an attack on the
facility. Furthermore, DHS has implemented a number of programs to
assist the private sector and local communities in protecting chemical
facilities, conducted site vulnerability assessments at 38 facilities,
and installed cameras at some high-consequence facilities. DHS is also
distributing threat information to the industry and coordinating sector
activities with the Chemical Sector Coordinating Council, an industry-
led working group that acts as a liaison for the chemical sector.
Finally, DHS is coordinating with EPA and other federal agencies
through a government coordinating council.
DHS Is Conducting Efforts to Identify and Prioritize Facilities:
As the chemical sector-specific agency, one of DHS's key
responsibilities under the interim NIPP is to identify the assets of
the chemical sector and prioritize them according to risk. DHS's
ongoing efforts in this regard, once completed, should produce a
methodology for identifying critical assets in the chemical sector and
comparing assets across sectors.
DHS Is Identifying High-Priority Sites:
DHS has identified approximately 3,400 chemical facilities that it
believes pose the greatest hazard to human life and health in the event
of a terrorist attack. To develop an inventory of the chemical sector's
critical assets, DHS first had to define what the sector includes.
According to DHS officials, in general, they consider the chemical
sector to include facilities that manufacture, distribute, and store
chemicals, but not retail facilities. The chemical sector also includes
facilities that overlap with other critical infrastructure sectors. For
example, refineries, while considered part of the energy sector, use
large amounts of chemicals and are often colocated with chemical
manufacturing facilities. In addition, water purification and
sanitation facilities are part of the water sector, but they store
large amounts of chemicals on-site. Similarly, agricultural facilities
house toxic chemicals, such as fertilizers and pesticides.
While the chemical sector includes a large number of facilities, DHS is
focusing its efforts for the sector by identifying high-priority
facilities. As a starting point, DHS has adapted EPA's RMP database of
facilities with more than threshold amounts of certain chemicals to
develop an interim inventory of chemical facilities of concern in the
event of a terrorist attack. DHS officials told us that, to prioritize
facilities, they reduced the list of RMP facilities in the database by
eliminating entries that were redundant and 3,000 facilities that were
no longer in business or were no longer RMP facilities (e.g., they had
reduced the volume of chemicals on-site below the RMP
threshold).[Footnote 13] Furthermore, DHS determined that 8,000 of the
remaining sites were the responsibility of another critical
infrastructure sector. For example, DHS removed water treatment and
distribution facilities because they fall under the water critical
infrastructure sector, which is the responsibility of EPA. In addition,
DHS removed agricultural facilities, such as fertilizer and pesticide
distributors. DHS's analysis resulted in approximately 4,000
facilities. According to DHS officials, DHS then conducted a
consequence analysis of these remaining facilities to identify those
that, if attacked, would endanger the largest number of lives.
According to DHS, the analysis included the following:
* Reviewing the amount and toxicity of RMP materials stored at sites.
For example, DHS eliminated some facilities with flammable chemicals
because they would not create catastrophic effects when released. DHS
focused on toxic chemicals that pose inhalation hazards and very high-
order flammables and explosives.
* Reviewing the population density in the vicinity of facilities with
large amounts of toxic chemicals. DHS modeled potential toxic plumes
from facilities and revised the population estimates of the RMP worst-
case scenarios to develop what they believe is a more realistic
estimate of the population that a terrorist attack would harm.[Footnote
14]
* Evaluating possible impacts of an intentional attack, instead of
using the accidental release model used in the RMP program. For
example, DHS evaluated the daytime versus the nighttime population
surrounding facilities and the possible impact resulting from the
release of the entire volume of chemicals at a facility during an
attack. By contrast, the RMP analysis considers the impacts of the
release of the chemical volume in the single largest container.
* Consulting with industry experts to identify facilities that, if
attacked, could cause serious economic harm or the shortage of critical
materials.
On the basis of this analysis, DHS identified approximately 3,400
chemical facilities where a worst-case scenario release potentially
could affect over 1,000 people. According to DHS, 272 of these
facilities could potentially affect more than 50,000 people. These 272
facilities include chemical manufacturing plants as well as some
refineries located with petrochemical facilities, wastewater treatment
facilities, and other types of chemical facilities. In commenting on
our report, DHS noted that it did not intend wastewater treatment
facilities to be incorporated in the list of top facilities.
DHS Is Piloting a Risk Analysis Tool to Prioritize Facilities:
DHS is developing a new process known as Risk Analysis Management for
Critical Asset Protection (RAMCAP) that will allow the department to
apply a risk management approach to prioritize assets in all critical
infrastructure sectors. According to DHS, RAMCAP will provide a common
methodology, terminology, and framework for homeland security risk
analysis and decision making that is intended to allow consistent risk
management across all sectors. According to DHS, RAMCAP will improve
DHS's ability to collect information on critical infrastructure assets,
compare risks across assets, and increase owners' and operators'
awareness of the vulnerabilities and consequences at their sites.
DHS contracted with the American Society of Mechanical Engineers to
assist it in creating the RAMCAP methodology. In 2004, the society
presented the methodology to academic and industry officials and
incorporated their comments. The feedback from many industry officials
conveyed that the methodology was complex, and that industry officials
completing the methodology would need assessment tools with terminology
specific to their sector. As a result, the society hired subcontractors
with industry expertise to develop sector-specific vulnerability
assessment methodologies for five sectors: (1) chemical, (2) nuclear
power, (3) nuclear fuel storage, (4) petroleum refining, and (5)
liquefied natural gas storage/terminals. According to a society
official, the subcontractor developing the chemical sector methodology
studied and incorporated elements from existing methodologies, such as
those developed by Sandia National Laboratories and the American
Institute for Chemical Engineers' Center for Chemical Process Safety.
The RAMCAP chemical sector methodology differs from these methodologies
in that it uses terminology and processes that will be consistent with
other sector methodologies and will allow comparisons to be made from
the results of facility assessments across sectors. To assist in the
development of the chemical sector tools, the subcontractor created a
committee composed of representatives from chemical companies, such as
Dow, DuPont, and Air Products; trade associations; national
laboratories; and other entities with expertise, such as the Center for
Chemical Process Safety.
In the first step in the RAMCAP process, chemical facility
owners/operators will voluntarily complete a screening tool (top
screen) through a secure Web site. The top screen helps identify the
consequences of an attack at a facility, including the human, economic,
and psychological impacts. It would also identify such things as
whether a facility produces a product that is essential to the military
or pharmaceutical industry, or that is critical to the delivery of
water or energy. On the basis of the results of the screening tool, DHS
will identify facilities of highest concern and ask them to voluntarily
complete a security vulnerability assessment, the second step in the
RAMCAP process. Facility owners/operators will be able to use the
results of previous vulnerability assessments they may have conducted
to assist them in completing the RAMCAP process. The security
vulnerability assessment will include the following steps:
* assessment of facility characteristics, such as potential target
areas and facility attractiveness to attack;
* threat characterization of specific scenarios of concern--these
"benchmark threats" of concern to the government will allow cross-
sector comparison;
* consequence analysis of the impacts that could be produced by an
attack; and:
* vulnerability assessment of a facility's existing security measures
in place, including mitigation, detection, and response capability.
According to DHS officials, DHS will work with industry associations to
distribute the RAMCAP screening tool to the highest consequence
chemical facilities. DHS officials expect that between 5 and 10 percent
of those chemical facility owners/operators will be asked to complete
the self-vulnerability assessment.
DHS has tested both the screening tool and the vulnerability
assessment, and several private sector companies have also volunteered
to pilot test the vulnerability assessment. In 2005, New York's Office
of Homeland Security, working with DHS, requested all chemical
facilities in the state to complete the RAMCAP screening tool.
According to industry officials, however, the companies that pretested
the vulnerability assessment found the exercise valuable but difficult
to complete. They said that DHS officials assisted their companies in
completing the assessment and expressed concern that some
owners/operators may have difficulty completing the assessment without
DHS's help. Some chemical company officials who had not participated in
the pilot told us that they would be reluctant to complete the RAMCAP
assessment, citing concerns about the work involved, the need for DHS
to collect the information, and the ability of DHS to safeguard
information on the facilities' security vulnerabilities. In addition,
DHS recognizes that it will have difficulty in collecting information
about chemical facilities and verifying these data due to the large
number of facilities in the sector. While DHS plans to work with
industry associations to encourage owners/operators to share
information, private sector participation will be voluntary, and some
companies do not belong to industry associations and, therefore, may
not be easily contacted. According to DHS's draft Chemical Sector-
Specific Plan, DHS does not have the resources to verify asset data for
all chemical facilities and will have to rely in large part on the
accuracy of information submitted by the owners/operators and federal,
state, and local agencies. However, DHS plans to verify submitted
information relating to high-consequence facilities.
DHS Has a Number of Programs to Assist the Private Sector in Reducing
Vulnerabilities:
DHS has implemented a number of programs designed to assist the
department in assessing chemical industry vulnerabilities, develop best
practices, and assist the private sector and law enforcement in
improving the security of high-risk chemical facilities. These programs
will help DHS gather needed information on facilities and the level of
security preparedness of the industry.
Buffer Zone Protection Program: Through this program, DHS works with
local law enforcement officials and facility owners to improve the
security of the area surrounding the facility or "outside of the
fence." Improving the security of this buffer zone makes it more
difficult for a terrorist to conduct surveillance or launch an attack.
In general, a DHS team will visit a chemical plant and consider the
facility's vulnerabilities and the community's capability to prevent
and respond to an attack. Then, DHS brings together the appropriate
local emergency response officials and provides training on how to
assess buffer zone security and identify specific measures to reduce or
eliminate vulnerabilities. Local officials conduct an assessment and
summarize their work and the protective measures needed in a Buffer
Zone Protection Plan. DHS reviews the plan and provides funding
assistance to the community for some of the protective measures.
According to DHS officials, the process helps facilitate relationships
between owners/operators and the various response and law enforcement
entities in the community. Several company officials we contacted who
had participated in buffer zone assessments agreed with DHS's
assessment of the process. For example, one company told us that the
process helped them develop a relationship with the local police, who
are not always involved in emergency response planning at facilities.
After the buffer zone assessment, the local police now patrols the
company's fence on every shift.
Prior to March 2005, the Buffer Zone Protection Program was a loan
program. DHS purchased equipment directly for loan to the states for a
1-year period prior to formal transfer of ownership. DHS received
buffer zone plans for 10 chemical facilities and loaned over $260,000
in equipment to these jurisdictions. DHS also has conducted 63
technical assistance visits to assist chemical facility
owners/operators and local law enforcement in assessing their buffer
zone security.
In March 2005, DHS announced a targeted grant program for states to
purchase equipment that will enhance security measures around
facilities.[Footnote 15] DHS identified 259 chemical manufacturing
plants and storage and stockpile supply areas that are eligible under
program guidelines for $12.95 million from the Buffer Zone Protection
Plan grant program. According to DHS officials, these are sites with
50,000 people living in close enough proximity that, if attacked, some
portion of this population would be at risk of death or serious
injury.[Footnote 16] States may apply for these grants on the behalf of
local jurisdictions that plan to implement protective
measures.[Footnote 17] The local jurisdictions must conduct a buffer
zone assessment and prepare a plan requesting funds for equipment on an
approved list. Before the state can allocate funds, the guidelines
state that DHS must approve the buffer zone plan and spending plan.
States have until April 30, 2006, to apply for these funds.
Site assistance visits: To assess and identify vulnerabilities at
chemical facilities, DHS deploys teams of experts from both government
and industry to facilities to conduct a site assistance visit. The
teams conducting the visits have subject matter expertise in various
areas, including physical security measures, system interdependencies,
and terrorist attack planning. The teams have a field template to guide
their efforts, and a typical visit lasts 1 to 2 days. Officials at
participating facilities receive assistance in addressing security
issues at their sites and obtain current threat information. At the
conclusion of the visit, DHS suggests mitigation measures for the
company to consider. As a result of these visits, DHS learns valuable
information about chemical facility vulnerabilities and obtains
information to assist in developing reports and identifying training
for industry.
As of June 15, 2005, DHS had conducted 38 site assistance visits at
chemical facilities. These visits included trips to water/wastewater
treatment facilities that store and use chemicals, major refineries,
and chemical manufacturing facilities. DHS selected facilities to visit
on the basis of a variety of factors, including whether the facility
(1) would have significant economic or public health effects if
attacked, (2) is near a special event of national significance, or (3)
is in the vicinity where another site assistance visit is planned and
whether the visit was requested by the owner/operator. DHS plans to
conduct additional site assistance visits to chemical facilities in
fiscal year 2006 on the basis of need.
Maritime Transportation Security Act: The Coast Guard, now under DHS,
is responsible for the MTSA program at facilities located along
waterways, including 238 chemical sites. Program regulations
established a process and deadlines for maritime facilities to follow
in assessing their security risks and preparing related plans to
include actions to mitigate any identified vulnerabilities. The Coast
Guard has approved plans for all of these facilities and completed on-
site compliance inspections. The Coast Guard has stated that it will
continue to visit annually these and all facilities subject to MTSA to
ensure compliance. The Coast Guard has awarded Port Security Grants to
a number of chemical facilities to provide assistance for physical
security enhancements.[Footnote 18]
Other protective measure programs: DHS will place 68 protective
security advisors in metropolitan areas across the country. The
advisors have experience related to vulnerability reduction and
physical security and many have law enforcement or military
backgrounds. The advisors serve as a liaison between federal efforts
and those by the state, local, and private sector. The advisors have
responsibility for assisting in identifying high-priority facilities,
providing the local community with information on threats and best
practices, and coordinating training and facility visits.
In addition, DHS has installed cameras for security monitoring at 10
high-consequence chemical facilities. These are facilities that could
have a significant effect on public health or the national or regional
economy if attacked. The cameras provide local law enforcement
authorities with the ability to conduct remote surveillance of the
areas surrounding the facility during elevated threat levels. State
homeland security offices and DHS also have access and may monitor the
facilities. Prior to the installation of cameras, Buffer Zone
Protection Plans were completed at the sites that determined the need
for additional surveillance. According to DHS officials, they are
considering equipping additional sites with Webcams.
DHS also is planning a series of Comprehensive Reviews in areas with a
large number of chemical facilities, focusing on facilities' security
as well as emergency response capabilities in the local area. A team of
federal officials from multiple agencies will plan and conduct the work
in coordination with state and local officials.[Footnote 19] The goal
of these reviews is to assess the current security and response
capabilities of individual facilities, local law enforcement, and
emergency response organizations. The results of the review should help
reduce disconnects between emergency response, law enforcement, and
facilities and identify training, processes, and resources needed for
the community. For these reviews, DHS will rely heavily on cooperation
with facility owners/operators. DHS plans to conduct one visit to a
cluster of facilities and then determine if it needs to improve the
processes. DHS hopes to complete six visits to clusters of facilities
during 2006.
DHS Shares Information with the Industry by Various Means:
DHS is responsible for collaborating with the private sector in
protecting critical infrastructure.[Footnote 20] DHS's two main
vehicles for coordinating and sharing information on threats,
vulnerabilities, and best practices are the chemical sector Information
Sharing and Analysis Center (ISAC) and an industry-led Chemical Sector
Coordinating Council. DHS also is creating a new secure computer system
to share information, provide best practice reports, and conduct
training and drills.
In 2002, the federal government and ACC created the chemical sector
ISAC to collect and share threat information for the chemical
industry.[Footnote 21] Through ISAC, DHS provides the private sector
with threat information by means of daily electronic mail and a secure
Web site. While ISAC was initially designed to allow companies to
report unexplained or suspicious incidents involving chemical
facilities, the system can no longer provide this function because of
technical constraints. To operate the center, ACC uses its existing 24-
hour communication network for sharing information about chemical
emergencies. Any company engaged in the production, storage,
transportation, sale, or delivery of chemicals may participate in
ISAC's activities. ISAC has almost 600 participants representing more
than 430 chemical companies that receive daily intelligence reports as
well as episodic alerts and warnings. Some industry officials have
complained about the lack of specific threat information they receive
from DHS, and, in recent testimony, ACC called for more frequent and
more detailed threat briefings that are specific to the chemical
sector.
DHS also is developing the Homeland Security Information Network-
Chemical, a secure network for sharing information among DHS, state and
local governments, law enforcement, and private sector critical
infrastructure, including the chemical industry. Through the network,
the chemical industry will receive immediate reports of threats to the
sector directly from the Homeland Security Operations Center and DHS
chemical sector specialists. The system also will allow
owners/operators to report information to the government and each
other. The network will allow for collaboration and coordination among
chemical sector stakeholders, a shared document repository for best
practices and planning activities, and forums for discussion. The
chemical sector is one of the first sectors to pilot test the new
system--approximately 25 industry officials have access to it. DHS
plans to eventually enroll in the system all chemical company employees
with a need for access to sensitive security information. According to
ACC, legal concerns, such as who will operate the system and how DHS
will protect the information provided by industry from release under
the Freedom of Information Act, have delayed the use of the system. DHS
is working with the industry on drafting agreements on the use of the
network and information protection.
The Chemical Sector Coordinating Council was formed voluntarily by
trade associations within the chemical sector in June 2004, and it
currently comprises representatives from 16 key industry stakeholder
associations. The council is a single point of contact to facilitate
organizing and coordinating sector policy developments, infrastructure
protection planning, and plan implementation activities. In addition to
serving as a routine information-sharing mechanism, the council has
helped DHS develop an emergency response exercise and industry guidance
and is working closely with DHS to develop, refine, and disseminate the
RAMCAP methodology. Furthermore, DHS provided the council with a draft
of its Chemical Sector-Specific Plan for comments in September 2005.
According to DHS, the council represents the majority of chemical
facility owners/operators through its broad membership. The council
defines the chemical sector as "entities engaged in the production of
chemicals, as well as those engaged in the storage, transportation,
delivery, and use of chemicals not adequately addressed by other
critical infrastructure sectors." The council does not include water
treatment facilities or chemical transportation modes (rail, truck, and
barge) since both have separate sector coordination mechanisms.
DuPont's Director of Global Operations Security currently serves as the
chair of the council to provide a specific, frontline perspective and
guidance. The industry associations participating on the council
include the following:
* The Adhesive and Sealant Council:
* American Chemistry Council:
* American Forest & Paper Association:
* Chemical Producers and Distributors Association:
* Chlorine Chemistry Council:
* The Chlorine Institute:
* Compressed Gas Association:
* CropLife America:
* The Fertilizer Institute:
* Institute of Makers of Explosives:
* International Institute of Ammonia Refrigeration:
* National Association of Chemical Distributors:
* National Paint and Coatings Association:
* National Petrochemical and Refiners Association:
* The Society of the Plastics Industry, Inc.
* Synthetic Organic Chemical Manufacturers Association:
According to ACC, the interchange between DHS and the council has been
hampered by DHS's slow progress in determining whether the Federal
Advisory Committee Act (FACA) applies to the council.[Footnote 22]
Among other things, under FACA, federal advisory committee meetings
must generally be open to the public, and agencies are required to
prepare meeting minutes and make them available to interested
parties.[Footnote 23] The Homeland Security Act allows the Secretary of
DHS to establish and use the services of advisory committees and to
exempt such committees from FACA.[Footnote 24] In June 2005, the
Homeland Security Advisory Council recommended that the Secretary
exempt both Sector Coordinating Councils and ISACs from FACA because of
the critical value of this information-sharing relationship.[Footnote
25]
To share industry best practices, DHS has prepared three guidance
documents that highlight common issues across the chemical sector and
identify measures for protecting chemical facilities. These reports are
(1) the Common Characteristics and Vulnerabilities report, (2) the
Potential Indicators of Terrorist Activity report, and (3) the
Protective Measures report. DHS has provided copies of these reports to
state Homeland Security Offices and the Chemical Sector Coordinating
Council for distribution to owners/operators of chemical facilities and
the law enforcement community.
DHS also hosts training and tabletop exercises for facility
owners/operators; state, local, and tribal governments; and local law
enforcement agencies. DHS has developed a number of courses on such
topics as surveillance detection, terrorism awareness, and buffer zone
protection. DHS has hosted tabletop exercises at six high-risk chemical
facilities and invited industry officials to participate in TopOff3,
the third in a series of congressionally mandated emergency response
exercises. These extensively planned exercises simulate a terrorist
attack and test federal, state, local, and private sector responses.
Industry officials we spoke with said both government and private
sector participants learned valuable lessons from the exercises.
Both DHS and the Homeland Security Advisory Council recognize the
challenges in sharing information with the industry. According to
department officials, DHS has difficulty reaching all members of the
chemical sector. To address this issue, DHS plans to utilize ISAC as
well as the Chemical Sector Council, other federal agencies, and state
and local authorities to assist in identifying and communicating with
chemical facilities. The Homeland Security Advisory Council recently
recommended ways to improve information sharing between DHS and the
industry.
DHS Coordinates with EPA and Other Federal Agencies:
Homeland Security Presidential Directive Number 7 directs DHS to work
closely with other federal departments and agencies, state and local
governments, and the private sector to identify and prioritize the
nation's critical infrastructure and key resources and to protect them
from terrorist attacks. DHS coordinates its chemical security efforts
with EPA and other federal agencies through a government coordinating
council. As outlined in DHS's Interim National Infrastructure
Protection Plan, government coordinating councils are intended to
include representatives from DHS and the appropriate federal agencies
to work with the Sector Coordinating Council in supporting the nation's
homeland security mission. According to DHS's 2004 draft Chemical
Sector-Specific Plan, DHS views government coordinating councils as the
future of sector coordination and communications activities.
Participants in the chemical sector government coordinating council
include officials from the Department of Commerce's Bureau of Industry
and Security; Justice's Bureau of Alcohol, Tobacco, Firearms, and
Explosives and the Federal Bureau of Investigation; the Department of
Transportation's Federal Railroad Administration, Federal Motor Carrier
Safety Administration, and Pipeline and Hazardous Materials Safety
Administration; and EPA's Office of Emergency Management and Water
Security Division. DHS also recently invited officials from the
Department of Energy, the Department of Labor's Occupational Safety and
Health Administration, and the Department of Defense to participate on
the council. As of October 2005, the council had met four times to
discuss issues related to chemical sector security. DHS officials told
us that recent meetings included discussions of such topics as
comparing the work of different government agencies on modeling
chlorine incidents.
In addition to interactions through the coordinating council, EPA has
provided DHS with a copy of the RMP database and participates on a
RAMCAP committee to develop chemical sector tools. According to EPA
officials, however, EPA has not played a major role in analyzing these
or other data on chemical risks to identify or prioritize chemical
facilities. EPA officials believe that the agency could further assist
DHS by providing analytical support in identifying high-risk facilities
that should be targeted in DHS's chemical sector efforts. These
officials also believe that the agency has expertise in a number of
other areas that has not been tapped and could support DHS's
activities. In addition to EPA's expertise on RMP data and its
familiarity with RMP facilities, EPA maintains information on hazardous
chemicals and related facilities. For example, EPA collects some
information under the Toxic Substances Control Act on industrial
chemicals that may pose environmental or human health hazards and
collects information about oil and pesticides facilities under other
authorities. Furthermore, as the lead federal agency for hazardous
materials emergency response, EPA has infrastructure in place around
the country with designated on-site coordinators for hazardous
materials incidents. These officials, as well as field inspectors who
visit chemical facilities under a variety of environmental programs,
are familiar with chemical facilities across the country and have
general knowledge of process safety issues and expertise on hazardous
material releases. EPA officials also told us that EPA staff have
garnered extensive knowledge about the chemical sector through informal
information sharing about facility practices. For example, EPA
officials explained that before the RMP program, EPA collected and
shared general information about facility safety problems as well as
strategies facilities have used to address these problems. Finally, as
the lead agency for the water sector, EPA has developed knowledge on
security issues related to drinking water facilities. In this regard,
under the Public Health Security and Bioterrorism Preparedness and
Response Act of 2002, EPA is responsible for receiving vulnerability
assessments from community water systems serving more than 3,300
people.
DHS officials believe that their coordination with EPA has been
sufficient; they told us that they do not see a need for additional
coordination with EPA on data analysis or other efforts because EPA has
no expertise relating to chemical industry security matters, as does
DHS. Furthermore, the DHS officials stated that EPA is a safety agency
and can add little to modeling or analysis of RMP data from a security
perspective. DHS officials also told us that the department has not
involved EPA in site assistance or Buffer Zone Protection Plan visits
at chemical facilities because the owners/operators would strongly
oppose EPA's involvement, given its role in regulating other aspects of
the chemical industry. These officials explained that, while EPA will
be involved in the planning and preparation aspects of DHS's chemical
sector Comprehensive Reviews--which will bring together groups of
government officials to visit clusters of chemical facilities in
specific geographic areas--EPA will not participate in the site visits
for the same reason.
The Chemical Industry Continues Voluntary Efforts to Address Security,
but Faces Challenges in Safeguarding Facilities:
The chemical industry, led by its industry associations, has undertaken
voluntary efforts to address plant security, but faces challenges in
preparing facilities against terrorism. Some industry associations
require member companies to assess their facilities' vulnerabilities
and make security enhancements. For example, ACC requires, as a
condition of membership, that companies conduct vulnerability
assessments, develop and implement plans to mitigate vulnerabilities,
and have a third party verify that the security enhancements identified
in the plans were implemented. Other industry associations have
encouraged their members to address security by developing security
guidelines, best practices, and other tools. Although the chemical
industry has taken these actions, industry officials told us that they
face a number of challenges in preparing facilities against a terrorist
attack. For example, they reported that the cost of security
improvements can be a burden, particularly for smaller companies that
may lack the resources larger chemical companies have to devote to
security.
Some Industry Associations Require Members to Assess Vulnerabilities
and Enhance Security:
With few federal security requirements, industry associations have been
active in promoting security among member companies. As we reported in
March 2005, some industry associations require member companies to
assess their facilities' vulnerabilities and make security
enhancements, requiring as a condition of membership that they conduct
security activities and verify that these actions have been
taken.[Footnote 26] Appendix II includes a description of security
efforts that individual industry associations are undertaking.
ACC, representing 135 chemical manufacturing companies with
approximately 2,000 facilities, has led the industry's efforts to
improve security at their facilities. In 1988, ACC initiated its
Responsible Care® Management System, which is a comprehensive
management system for its members to follow to continuously improve
safety performance; increase communication; and protect employees,
communities, and the environment. In June 2002, as part of its
Responsible Care® Management System, ACC adopted a security code
requiring its members to adhere to a set of security management
principles. For physical site security, member companies are to perform
vulnerability assessments using an approved methodology. Companies also
must develop plans to mitigate vulnerabilities, take actions to
implement the plans, and have an independent party verify that the
facilities implemented the identified physical security enhancements.
Third-party reviewers can include insurance representatives, local
emergency responders, or local law enforcement officials. These
reviewers do not verify that a vulnerability assessment was conducted
appropriately or that actions taken by a facility adequately address
security risks. However, the Responsible Care® Management System
requires member companies to periodically conduct independent third-
party audits that include an assessment of their security programs and
processes and their implementation of corrective actions. According to
ACC, all members have completed their physical security vulnerability
assessments and almost all have had their physical security
enhancements verified.
The Responsible Care® Security Code also established requirements for
cyber assets, such as computer systems that control chemical facility
operations, and the distribution chain, which covers the complete
"value chain" for chemicals, from suppliers to customers, including
transportation. ACC member companies must perform vulnerability
assessments of cyber assets and the distribution chain and implement
plans to mitigate any vulnerabilities. Examples of security
improvements in distribution include measures such as additional
screening of transportation providers.
ACC asked each member company to provide a signed statement from a
company executive that the company had management systems in place for
the entire security code by June 30, 2005. According to ACC, as of
October 1, 2005, 95 percent of its member companies affirmed that they
had implemented a security management system for physical security,
cyber security, and the distribution chain. The Coast Guard recognized
the Responsible Care® Security Code as an alternative security program
for purposes of fulfilling security requirements under MTSA.
The Synthetic Organic Chemical Manufacturers Association (SOCMA), which
includes 160 specialty chemical manufacturers that operate about 300
small-to medium-sized facilities in the United States, also adopted the
Responsible Care® Security Code in December 2002.[Footnote 27] SOCMA
developed its own vulnerability assessment methodology that is designed
to address the unique needs of its members, which are primarily small
businesses. According to SOCMA officials, all of its member companies
have reported completing vulnerability assessments, and 98 percent of
these companies reported that they had implemented security
enhancements and obtained third-party verification, as of September
2005. However, beginning in October 2005, SOCMA no longer required its
members to adhere to the Responsible Care® Management System because it
has developed its own environmental, health, safety, and security
performance program. SOCMA's new program, called ChemStewardsSM, still
requires members to conduct vulnerability assessments for physical
security and implement appropriate countermeasures. In addition,
facilities that are subject to RMP must have third parties verify
implementation of security measures.
Furthermore, the National Association of Chemical Distributors (NACD)-
-which represents 253 companies with approximately 1,380 facilities in
the United States and Canada that package, distribute, and blend
chemicals, typically in warehouse facilities--has developed an
environment, health, safety, and security management protocol called
the Responsible Distribution Process. Created in 1991, adherence to the
Responsible Distribution Process is a condition of NACD membership.
Since January 1998, NACD members have been required to undergo and
successfully complete on-site third-party verification of the company's
implementation of all required membership practices once every 3 years.
NACD contracted with an internal auditing company to be the third-party
reviewer for its members. The first 3-year cycle of Responsible
Distribution Process verification ended in December 2001. In April
2002, NACD added security measures to the process that require its
members to develop security programs, scrutinize security measures
taken by for-hire motor carriers, check that customers are purchasing
chemicals for the appropriate use (as prescribed by government
regulations), and verify implementation of security measures by an
independent firm designated by NACD. The second 3-year cycle for
process verification began in January 2003 and will end in December
2005. NACD has terminated the membership of 20 companies that failed to
comply with Responsible Distribution Process requirements and to
complete and pass third-party verification. Beginning in January 2006,
NACD's Responsible Distribution Process includes a requirement that
members conduct security vulnerability assessments. Members will be
expected to have completed their assessment by June 2006. NACD also
developed its own vulnerability assessment methodology specific to its
members.
Other Industry Associations Have Developed Security Guidelines, Best
Practices, and Other Tools:
Other industry associations have encouraged their members to address
security by a variety of means, rather than only by establishing
security requirements that include steps to verify compliance. Most of
the associations we spoke with have taken steps to educate their
members about security by developing security guidelines and best
practices. For example, the Compressed Gas Association, representing
138 companies that manufacture or distribute gases and related
products, developed guidance for its members on site security,
transportation security, and security steps to check that customers are
purchasing gas products for the appropriate uses. The Institute of
Makers of Explosives, representing 40 companies of which 30 are
explosives manufacturers and distributors, also provided recommended
guidelines for security to its members. The guidelines recommend
security practices specific to the manufacture, transportation,
storage, and use of explosives products and also recommend that
facilities conduct vulnerability assessments and develop security
plans.[Footnote 28] In addition, the International Institute of Ammonia
Refrigeration, representing facilities such as food storage warehouses,
developed site security guidelines tailored to ammonia refrigeration
facilities and provides information about security resources to
members. All 16 associations we met with told us they keep members
apprised of security issues and discuss security at meetings, training
courses, and conferences.
In addition to these efforts, several industry associations have
developed vulnerability assessment methodologies to assist their member
companies in evaluating security needs. For example, the National
Petrochemical and Refiners Association, in partnership with the
American Petroleum Institute, developed a vulnerability assessment
methodology tailored to refineries and petrochemical facilities. The
methodology was developed in cooperation with the Department of Energy
and DHS and has been approved by the Center for Chemical Process
Safety. In addition, an agribusiness working group comprising members
of the Agricultural Retailers Association, CropLife America, and the
Fertilizer Institute, developed a Web-based security vulnerability
assessment tool for agricultural facilities that has also been approved
by the Center for Chemical Process Safety. According to the Fertilizer
Institute, approximately 2,000 retail agricultural facilities have used
the tool to date.[Footnote 29] Furthermore, the Chlorine Institute,
which represents approximately 220 companies involved in the
production, distribution, and use of chlorine, developed a seven-step
process that smaller chlorine manufacturing and distribution companies
can use to assess their vulnerabilities. The process takes companies
through a series of steps that score facilities in different areas to
identify vulnerabilities. Security experts have reviewed and approved
the institute's process.
Some associations also recommend or require that member companies
follow security programs, but they do not require steps to verify
compliance. The National Paint and Coatings Association, which
represents over 300 paint and coatings manufacturing and supply
companies, worked with its members to develop a safety and
environmental management system called Coatings Care. This system
includes security steps such as analyzing threats, vulnerabilities, and
consequences and implementing security measures. Member companies have
1 year from the time they join the association to agree to follow
Coatings Care principles. However, the association does not require
third-party verification of security steps. Similarly, the Chlorine
Institute requires executives at all member companies to sign an
agreement stating that they will meet nine safety and security
requirements, including complying with the Responsible Care® Management
System, NACD's Responsible Distribution Process, or another industry
security program. While companies that do not sign the agreement are
not eligible for Chlorine Institute membership, the institute does not
require that companies take steps to verify compliance with security
programs. In addition, the Fertilizer Institute, which represents
approximately 190 companies that make, sell, or transport fertilizer
products, recommends but does not require that members follow a
Security Code of Management Practices that involves screening
facilities into priority tiers on the basis of potential security
hazards and conducting a vulnerability assessment, following a timeline
that is based on their tier level.
Despite industry associations' efforts to encourage or require members
to voluntarily address security, the extent of participation in the
industry's voluntary initiatives is unclear. DHS has not estimated the
extent of participation in voluntary initiatives across the chemical
sector. Furthermore, not all chemical companies belong to the
associations that represent their industry sectors. DHS does not have
data on the number of RMP facilities that belong to these associations.
The Chemical Industry Faces Challenges in Securing Facilities against
Terrorism:
Chemical industry officials told us they face a number of challenges in
preparing facilities against a terrorist attack. Most of the chemical
associations we contacted stated that the cost of security improvements
is a challenge for some chemical companies. Industry officials we spoke
with said that some companies have already made significant investments
to improve security. For example, ACC reports that its members have
spent an estimated $2 billion on security improvements since September
11, 2001. However, industry associations told us that while some
companies have implemented security enhancements, others may not be
implementing security measures because of cost concerns.
Representatives of the American Forest & Paper Association and the
National Paint and Coatings Association told us that small companies,
in particular, may struggle with the cost of security improvements or
the cost of complying with any potential government security programs
because they may lack the resources larger companies have to devote to
security.
Many industry officials suggested that federal assistance via grants or
tax incentives to offset security costs could help companies enhance
facility security. According to these officials, financial incentives
to companies to support both vulnerability assessments and security
improvements would be helpful. Representatives from two industry
associations stated that financial assistance from the government to
support the cost of compliance with voluntary programs such as the
Responsible Care® Management System would be helpful, noting that
complying with voluntary programs is very costly. Other industry
officials suggested that DHS direct funding to high-risk facilities it
views as vulnerable. A number of officials also told us that financial
incentives for security improvements will make chemical security
legislation, if enacted, more palatable to industry. In this regard,
H.R. 713, introduced in the 109th Congress, would create a tax credit
for 50 percent of the cost incurred by eligible agricultural businesses
for protecting hazardous chemicals or pesticides from unauthorized
access.
Industry stakeholders also cited the need for guidance on what level of
security is adequate. While DHS has issued guidance to state Homeland
Security Offices and the Chemical Sector Coordinating Council on
vulnerabilities and protective measures that are common to most
chemical facilities, several stakeholders expressed a desire for
guidance on specific security improvements. For example,
representatives of the National Petrochemical and Refiners Association
stated that one reason the association holds workshops and best
practices sessions is to meet the challenge of determining the types of
security measures that constitute a reasonable amount of security.
Another association stated that standardized security criteria would be
useful in helping companies determine adequate levels of security. In
addition, a number of associations told us that companies are operating
on tight profit margins and want to feel certain that the benefits of
security improvements justify the cost. According to these
associations, while companies are addressing security since the events
of September 11, 2001, they have to make cost-effective decisions about
allocating their resources. Because it is unlikely that sufficient
resources will be available for companies to address all risks,
adopting a risk management framework can aid facilities in prioritizing
risks and the actions taken to reduce those risks, taking cost into
consideration.[Footnote 30]
In addition, industry officials told us that the lack of threat
information makes it difficult for companies to know how to protect
facilities. Two associations told us that ISAC has not been very useful
to members because the information shared is not new or is very broad.
Some officials have attended classified briefings with DHS but reported
that very little specific information was provided. Other industry
association officials told us that DHS has withheld some threat
information because it was classified. Providing both classified and
declassified or sanitized information to associations would allow them
to understand specific threats and pass on unclassified information to
members. An official with an agricultural chemical company told us that
many companies do not have access to threat information applicable to
rural areas that may have different threats than companies located in
urban areas. While companies would like to receive very specific threat
information, some officials acknowledged that such information may not
exist. Officials with one association hoped that DHS's Homeland
Security Information Network will improve the quality of the threat
information that DHS shares with industry.
A few industry officials also mentioned limited guidance on conducting
vulnerability assessments and difficulty in conducting employee
background checks as challenges. One industry association stated that
it would like its members to receive guidance from DHS on how to
conduct vulnerability assessments. Another association expressed
frustration because none of the current vulnerability assessment tools
address issues specific to its members' facilities, which package and
distribute chemicals, and it would like DHS to help develop or approve
a methodology for this type of facility. Furthermore, representatives
of forest and paper products companies reported that the
inaccessibility of government records has made conducting background
checks on employees difficult. Officials told us that in addition to
regular facility employees, the number of contractors continuously
moving through facilities could pose security risks without the
appropriate background checks. Access to employment and criminal
records would allow facility officials to conduct a more thorough check
on employees, thereby reducing the risk of hiring someone who could
threaten a facility.
Finally, a number of stakeholders we contacted told us that emergency
response preparedness is a challenge for chemical companies. An
official with an industry-affiliated research center asserted that
emergency responders and communities in the United States are prepared
to respond to a toxic release. However, other stakeholders we spoke
with stated that many facilities have conducted security vulnerability
assessments but may not have done enough emergency response planning
and outreach to the responders and communities that would be involved
in a release. A 2004 survey by a chemical workers union of workers at
189 RMP facilities found that only 38 percent of respondents indicated
that their companies' actions in preparing to respond to a terrorist
attack were effective, and 28 percent reported that no employees at
their facilities had received training about responding to a terrorist
attack since September 11, 2001.[Footnote 31] While environmental laws
require emergency response planning for accidental chemical releases,
several stakeholders told us facilities need to consider very different
scenarios with consequences on different orders of magnitude when
planning the emergency response for a terrorist incident. An expert
with Texas A&M University's National Emergency Response and Rescue
Training Center echoed this view, noting that chemical facility
employees are well-trained for an accidental release but may not be
trained in the emergency response for a terrorist release. According to
this expert, both facility employees and local emergency responders
need to prepare for terrorist-caused chemical releases that are less
predictable and harder to prepare for than accidental releases.
Facilities should be aware of the types of aid located within a 50-mile
radius of the facility, such as welders, neutralizing chemicals, and
back-up protection equipment, according to this expert. While some
companies have formed mutual-aid groups in a given geographic area, the
expert cautioned that these groups may not prove effective if
facilities lock down and focus on protecting themselves when terrorists
attack.
DHS Needs Additional Authority to Ensure That Chemical Facilities Are
Addressing Security Issues:
Existing laws provide DHS with only limited authority to address
security concerns at U.S. chemical facilities, and additional
legislation is needed to place federal security requirements on these
facilities. DHS lacks the authority to require all high-risk chemical
facilities to assess their vulnerabilities and implement security
measures and, consequently, has relied largely on the industry's
voluntary participation to address facility security. As a result, DHS
cannot ensure that facilities are assessing their vulnerability to
terrorist attacks and taking corrective actions, where necessary. DHS
has acknowledged that its existing authorities do not permit it to
effectively regulate the industry, and that the Congress should enact
federal security requirements for chemical facilities. Furthermore, we
concluded in 2003, and continue to believe, that additional legislation
is needed. Although many stakeholders agreed on the need for federal
requirements, they had mixed views on the content and structure of such
requirements. They also identified a number of challenges the federal
government will face in implementing chemical security requirements.
Existing Laws Give DHS Limited Authority to Address Chemical Sector
Security, but Specific Authority Is Needed to Require All High-Risk
Facilities to Act:
A number of existing laws outline DHS's responsibilities for
coordinating with the private sector and obtaining information on and
protecting critical infrastructure. While the chemical industry is
included in the nation's critical infrastructure, these laws provide
DHS with only limited authority to address security concerns at U.S.
chemical facilities.
The Homeland Security Act assigns DHS responsibility for coordinating
and collaborating with the private sector on certain homeland security
issues. Under the Homeland Security Act, the Secretary of DHS is
responsible for coordinating homeland security issues with the private
sector to ensure adequate planning, equipment, training, and exercise
activities. The Homeland Security Act also makes the Special Assistant
to the Secretary (Private Sector) responsible for (1) promoting and
developing public-private partnerships for collaboration and mutual
support to address homeland security challenges, (2) assisting in
promoting and developing private sector best practices to secure
critical infrastructure, and (3) coordinating industry efforts to
identify private sector resources and capabilities that could
effectively supplement government efforts to prevent or respond to a
terrorist attack.[Footnote 32]
Existing laws also assign DHS responsibilities specifically related to
the protection of critical infrastructure, including chemical
facilities. The Patriot Act called for the establishment of the
National Infrastructure Simulation and Analysis Center (NISAC)--a
partnership between Los Alamos and Sandia National Laboratories--under
DHS to help protect critical infrastructure by supporting
counterterrorism, threat assessment, and risk mitigation
activities.[Footnote 33] NISAC is to provide support--such as modeling,
simulation, and analysis of critical infrastructure systems--to
facilitate modifying these systems to mitigate threats to them and to
critical infrastructure in general. In addition, the Homeland Security
Act gives DHS's Under Secretary for Information Analysis and
Infrastructure Protection (IAIP) responsibilities related to protecting
critical infrastructure, including:
* accessing, receiving, analyzing, and integrating information from
federal, state, and local governments and private sector entities to
identify, detect, and assess the nature and scope of terrorist threats
to the United States, and to understand these threats in light of
actual and potential vulnerabilities;
* carrying out comprehensive assessments of the vulnerabilities of the
nation's key resources and critical infrastructure, including assessing
the risks posed by particular types of terrorist attacks within the
United States, the probability of success of such attacks, and the
feasibility and potential efficacy of various countermeasures to such
attacks;
* developing a comprehensive national plan for securing the nation's
key resources and critical infrastructure; and:
* recommending the necessary measures to protect these key resources
and critical infrastructure.
While DHS's existing legal authorities provide it with access to some
information about critical infrastructure threats and vulnerabilities,
DHS does not have the authority to require all chemical facilities to
conduct vulnerability assessments.[Footnote 34] The Homeland Security
Act provides DHS with access to all information that may be collected,
prepared, or possessed by any federal agency concerning infrastructure
or other vulnerabilities of the United States to terrorism. Under the
Homeland Security Act, DHS may request information from the private
sector through cooperative agreements. In addition, the Chemical Safety
Information, Site Security and Fuels Regulatory Relief Act (CSISSFRRA)
required the Attorney General to review and report on the vulnerability
of certain chemical facilities to criminal and terrorist activity and
current industry practices regarding site security.[Footnote 35] In
2003, $3 million was transferred from Justice's general administration
appropriation to DHS as part of the Consolidated Appropriations
Resolution, 2003, and the conferees stated that they expected DHS to
use the transferred funds to conduct the vulnerability assessments
under CSISSFRRA.[Footnote 36] However, CSISSFRRA does not give DHS the
authority to require facilities to conduct vulnerability assessments.
Similarly, the October 2004 conference report on DHS's fiscal year 2005
appropriations act directed IAIP--within DHS--to analyze whether DHS
should require private sector entities to provide IAIP with existing
information about their security measures and vulnerabilities in order
to improve its ability to evaluate critical infrastructure protection
nationwide. The conference report stated that the analysis should
include all critical infrastructure, including chemical plants, and
evaluate the benefits of securing the information and the costs to both
the private sector and IAIP for implementing this requirement.[Footnote
37] However, neither the appropriations act nor any other legislation
would require chemical facilities to provide information about their
security and vulnerabilities.
Furthermore, DHS currently lacks the authority to enter all chemical
facilities without their permission to assess security or to require
and enforce security improvements. In this regard, except with respect
to certain chemical facilities covered under federal security
requirements for other critical infrastructures, existing laws do not
give DHS the right to enter a chemical facility to assess its
vulnerability to a terrorist attack or the authority to require and
enforce the implementation of any needed security improvements at these
facilities. The Homeland Security Act, with some limited exceptions,
does not provide any new regulatory authority to DHS and only
transferred the existing regulatory authority of any agency, program,
or function transferred to DHS, thereby limiting actions DHS might
otherwise be able to take under the Homeland Security Act.[Footnote 38]
Therefore, DHS has relied solely on the voluntary participation of the
private sector to address facility security. As a result, DHS cannot
ensure that all high-risk facilities are assessing their vulnerability
to terrorist attacks and taking corrective action, where necessary.
In contrast, some other critical infrastructure sectors are subject to
federal security requirements. For example, all commercial nuclear
power plants licensed by the Nuclear Regulatory Commission are required
to take security steps, including placing physical barriers outside of
the operating reactor area, limiting access to vital areas, and
maintaining a trained security force. In addition, community water
systems that serve more than 3,300 people are required to conduct and
submit a vulnerability assessment to EPA and prepare an emergency
response plan that incorporates the results of the assessment. Table 3
provides examples of federal security requirements that are in place
for these and some other critical infrastructure sectors.
Table 3: Examples of Federal Security Requirements for Other Critical
Infrastructure Sectors:
Sector: Aviation;
Public law or other requirement: Aviation and Transportation Security
Act of 2002;
Major provisions: This act created the Transportation Security
Administration, now within DHS, to assume responsibility for aviation
security, including the screening of passengers and their baggage.
Sector: Drinking water;
Public law or other requirement: Public Health Security and
Bioterrorism Preparedness and Response Act of 2002;
Major provisions: Community water systems serving more than 3,300
people are required to assess the system's vulnerability to terrorist
attacks, prepare an emergency response plan that incorporates the
results of this assessment, certify to EPA that the assessment and
response plan have been completed, and provide a copy of the assessment
to EPA. According to EPA, 1,928 drinking water facilities that are also
subject to EPA's RMP program must comply with this act.
Sector: Food;
Public law or other requirement: Public Health Security and
Bioterrorism Preparedness and Response Act of 2002;
Major provisions: This act requires all domestic and foreign facilities
that manufacture, process, pack, or hold food for human or animal
consumption in the United States to register with the Food and Drug
Administration (FDA) by December 12, 2003. Restaurants, certain retail
stores, nonprofit feeding establishments, fishing vessels, and farms
are exempt from these registration requirements. FDA is also to give
high priority in increasing the number of inspections of food offered
for import at ports of entry into the United States, with the greatest
priority given to inspections to detect the intentional adulteration of
food.
Sector: Nuclear;
Public law or other requirement: Nuclear Regulatory Commission
advisories and orders;
Major provisions: Commercial nuclear plants licensed by the Nuclear
Regulatory Commission are required to take security steps such as
placing physical barriers outside reactor areas, limiting access to
vital areas, maintaining a trained security force, and conducting
simulated terrorist attack exercises.
Sector: Ports;
Public law or other requirement: Maritime Transportation Security Act
of 2002;
Major provisions: Maritime facility owners and operators must conduct
vulnerability assessments, develop security plans, and implement the
measures discussed in security plans. The Coast Guard conducts
inspections at these facilities, and MTSA prohibits operation of
facilities that do not have the required security plans or that are not
operating in compliance with these plans. The Coast Guard has reviewed
and approved facility security plans for 238 chemical facilities.
Source: GAO.
[End of table]
DHS Has Concluded That It Needs Additional Authority to Address
Chemical Facility Security:
DHS has concluded that its existing patchwork of authorities does not
permit it to regulate the chemical industry effectively, and that the
Congress should enact federal requirements for chemical facilities.
While DHS reports that most chemical companies have been eager to
voluntarily cooperate with agency efforts to address security issues at
their facilities, DHS determined that voluntary efforts alone will not
sufficiently address security for the entire sector. Echoing public
statements by the Secretary of DHS and the Administrator of EPA in 2002
that voluntary efforts alone are not sufficient to assure the public of
the industry's preparedness, in June 2005, both DHS and EPA called for
legislation to give the federal government greater authority over
chemical facility security.[Footnote 39] Similarly, we concluded in
2003, and continue to believe, that additional federal legislation is
needed because of the significant risks posed by thousands of chemical
facilities across the country to millions of Americans and because the
extent of security preparedness at these facilities is
unknown.[Footnote 40]
In testimony before the Congress in June 2005, the Acting
Undersecretary for IAIP stated that any proposed regulatory structure
(1) must recognize that not all facilities within the chemical sector
present the same level of risk, and that the most scrutiny should be
focused on those facilities that, if attacked, could endanger the
greatest number of lives, have the greatest impact on the economy, or
present other significant risks; (2) should be based on reasonable,
clear, equitable, and measurable performance standards; and (3) should
recognize the progress that responsible companies have made to date. He
also stated that the performance standards should be enforceable and
based on the types and severity of potential risks posed by terrorists,
and that facilities should have the flexibility to select among
appropriate site-specific security measures that will effectively
address those risks. In addition, he said that DHS would need the
ability to audit vulnerability assessment activities and a mechanism to
ensure compliance with requirements.
Beyond these general principles, DHS officials were reluctant to share
with us their views on the specific content and structure of chemical
security legislation. These officials explained that DHS provides its
views on proposed legislation to the Office of Management and Budget
(OMB) as part of the executive branch coordination process, and that
OMB--after considering the points of view of all departments, agencies,
and independent operating entities--establishes the unified executive
branch position on proposed legislation. Because the administration's
unified position had not yet been determined at the time of our
discussion, DHS officials believed that it was inappropriate to discuss
their views on the specific provisions of any legislation.
Stakeholders' Views on Chemical Security Legislation Are Mixed:
While many stakeholders--including representatives from industry,
research centers, and government--agreed on the need for additional
legislation that would place federal security requirements on chemical
facilities, they had mixed views on the content and structure of such
requirements. Representatives of three research organizations and three
environmental groups told us that DHS needs more authority to
adequately ensure that chemical facilities are taking action, based on
the potential harm that an attack on chemical facilities may cause. One
expert stated that chemical facility security is a public safety issue
that warrants federal oversight, while others said the number of
facilities with potential off-site consequences in proximity to
population centers justifies federal involvement in security.
Furthermore, testifying in support of legislation before the Congress
in July 2005, a representative of a chemical workers union underscored
that workers and communities should not be placed at risk because some
companies choose not to prioritize security and that, in the same vein,
responsible companies should not be placed at an economic disadvantage
because they allocate resources to security. Half of the industry
associations we contacted also favor additional legislative authority.
ACC has publicly stated that they support chemical security legislation
for a number of reasons, including the belief that all of the nation's
chemical facilities should be required to take the security steps that
its members are taking under the Responsible Care® Management System.
One association supported federal legislation because its members are
encountering various state efforts to oversee facility security.
Concerned that member companies will be subject to different security
requirements in different states, officials with three associations
would rather the federal government take the lead on chemical facility
security.
Other stakeholders preferred that DHS continue to work with the
industry to voluntarily address security or were undecided about the
need for federal requirements. Two industry associations stated that
the partnership DHS has forged with the chemical industry has proven
effective in working to address security concerns. In July 2005
testimony before the Congress, the National Petrochemical and Refiners
Association expressed concern that legislation giving DHS authority
over chemical facility security will negatively impact the cooperative
relationship the industry and DHS have established, noting that the
level of information sharing could be diminished if DHS becomes an
industry regulator. Similarly, two research centers affiliated with the
industry did not advocate chemical security legislation. One expressed
concern that the goodwill that the industry has shown to DHS will wane
if DHS becomes a regulatory agency, while another noted that the threat
of new security regulations provides an adequate incentive for
facilities to take security steps. Notwithstanding ACC's position, most
of the individual chemical companies we contacted also believed that
legislation is not needed, or they were undecided about whether DHS
needed additional authority. Company officials generally told us that
industry self-regulation is preferable to federal oversight of facility
security. One company official also told us that states are better
suited to regulating facility security because they have greater
knowledge about facilities in their state.
Stakeholders expressed a range of views about which facilities should
be covered if legislation is enacted; about whether legislation should
address inherently safer technologies; about EPA's role, if any; and
about voluntary industry programs. Stakeholders favoring legislation
generally agreed that legislation should target high-risk facilities,
rather than applying the same requirements to all facilities regardless
of the different risks they pose. These stakeholders told us that
chemical facilities should be prioritized on the basis of their
potential impacts if attacked, with the highest-risk facilities subject
to stricter requirements than lower-risk facilities that do not warrant
the same degree of federal oversight. For example, in testimony before
the Senate Committee on Homeland Security and Governmental Affairs in
July 2005, ACC explained that any regulatory system must reflect the
different risks posed by different facilities and require security
measures commensurate with those risks. At the same hearing, a
representative of SOCMA, which represents specialty chemical
manufacturers, recommended that legislation require facilities to
perform a risk screen on the basis of the potential consequences of an
attack and the attractiveness as a target. Facilities screened as high
risk would then perform a detailed vulnerability analysis.
Representatives from two research centers and two companies believed
that RMP facilities provide a good starting point for the universe of
facilities that legislation should cover because these facilities
exceed a risk threshold on the basis of the type and amount of
chemicals they house. One company suggested that chemical security
legislation should require an analysis of RMP facilities that ranks
facilities on the basis of risk.
Stakeholders expressed strongly divergent views on whether legislation
should require the substitution of safer chemicals and processes,
referred to as "inherently safer technologies." Implementing inherently
safer technologies could potentially lessen the consequences of an
attack by reducing the chemical risks present at facilities. Justice,
in introducing a methodology to assess chemical facilities'
vulnerabilities, recognized that reducing the quantity of hazardous
material may make facilities less attractive to terrorist attack and
reduce the severity of an attack. Furthermore, DHS's July 2004 draft
Chemical Sector-Specific Plan states that inherently safer chemistry
and engineering practices can prevent or delay a terrorist incident,
noting that it is important to make sure that facility owners/operators
consider alternate ways to reduce risk, such as inherently safer
design, implementing just-in-time manufacturing, or replacing high-
risk chemicals with safer alternatives. However, DHS told us that the
use of inherently safer technologies tends to shift risks rather than
eliminate risks, often with unintended consequences. Some previous
chemical security legislative proposals have included a requirement
that facility security plans include safer design and maintenance
actions, or that facility security plans include "consideration" of
alternative approaches regarding safer design. Representatives from
three environmental groups told us that facilities have defined
security too narrowly as guns, gates, and guards, without focusing on
reducing facility risks through safer technologies. Noting that no
existing laws require facilities to analyze inherently safer options,
these representatives believe legislation should require such an
analysis and give DHS or EPA the authority to require the
implementation of technologies if high-risk facilities are not doing
so. Process safety experts at one research organization recognized that
reducing facility hazards and the potential consequences of chemical
releases makes facilities less vulnerable to attack. However, these
experts also explained that inherently safer technologies can be
prohibitively expensive and can shift risks onto other facilities or
the transportation sector. For example, reducing the amount of
chemicals stored at a facility may increase reliance on rail or truck
shipments of chemicals. These experts support legislative provisions
requiring analysis or consideration of technology options but do not
support giving the federal government the authority to require specific
technology changes because of the complexity of these decisions.
Representatives of two research centers affiliated with the industry
told us that while facilities should look at inherently safer
technologies when assessing their vulnerability to terrorist attack,
safer technologies are not a substitute for security.
Industry associations and company officials voiced strong opposition to
any inherently safer technologies requirements. The majority of the
industry officials we contacted opposed an inherently safer
technologies requirement, with many stating that inherently safer
technologies involve a safety issue that is unrelated to facility
security. Industry officials voiced concerns about the federal
government's second-guessing complex safety decisions made by facility
process safety engineers. Representatives from four associations and
two companies told us that, in many cases, it is not feasible to
substitute safer chemicals or change to safer processes. Certain
hazardous chemicals may be essential to necessary chemical processes,
while changing chemical processes may require new chemicals that carry
different risks. In July 2005 testimony before the Congress, a SOCMA
representative explained that while inherently safer technologies are
intended to reduce the overall risks at a facility, this could be
achieved only if a chemical hazard was not displaced to another time or
location or did not magnify another hazard. Furthermore, process safety
experts and representatives from associations and companies report that
some safer alternatives are extremely expensive. For example, reducing
facility chemical inventories by moving to on-site manufacturing when
chemicals are needed can cost millions of dollars, according to a
stakeholder. One company also voiced opposition even to a legislative
requirement that facilities "consider" safer options. The official
explained that the company opposed such a provision--even if
legislation does not explicitly give the government the authority to
require implementation of safer technologies--because it might leave
companies liable for an accident that might have been prevented by a
technology option that was considered but not implemented.
Stakeholder views also varied on whether EPA should play a role in
developing or enforcing security requirements. Many of the stakeholders
we contacted acknowledged that EPA has considerable expertise on
chemical facilities, although some noted that DHS lacks expertise
specific to the risks related to the chemicals and processes used at
facilities. Some of the experts we spoke with stated that EPA should be
involved in enforcing any security requirements because of the agency's
expertise and because it has an established field presence. Process
safety experts also suggested that DHS should work with EPA in
identifying the chemicals of concern that would determine which
facilities are subject to chemical security requirements. In contrast,
all of the industry stakeholders we spoke with about this issue
believed that EPA should not have a prominent role, if any, in chemical
security legislation because of EPA's regulatory function and because
it lacks security expertise. One association said it would be extremely
difficult for its members to work with EPA on security issues because
the agency's focus on enforcement of environmental regulations would
undermine security discussions. Another association was concerned that
EPA would approach facility security as an opportunity for further
environmental regulation.
Finally, a number of stakeholders believed that any legislation should
include provisions recognizing compliance with industry initiatives,
such as ACC's Responsible Care® Security Code, equivalent to federal
security requirements. Representatives from ACC, SOCMA, the National
Association of Chemical Distributors, and other associations
underscored that legislation, if enacted, should recognize voluntary
industry security programs so facilities that have acted to address
security do not have to duplicate efforts they have made to date. In
testimony before the Senate Homeland Security and Governmental Affairs
Committee in July 2005, an ACC official emphasized the need for
legislation to give credit for the substantial voluntary expenditures
ACC members have made implementing the Responsible Care® Security Code.
Representatives of three environmental groups were not opposed to a
provision making compliance with the industry's currently voluntary
security programs equivalent to federal requirements, but they
emphasized that these facilities should be required to submit
documentation of security steps for review by the federal government.
The Coast Guard, in implementing MTSA, approved ACC's Responsible Care®
Security Code and others as accepted alternative security programs for
the purposes of fulfilling security requirements under MTSA.[Footnote
41] A number of the industry officials we interviewed praised MTSA as a
model for chemical security legislation because it allows participation
in industry security programs to meet security requirements, and
because MTSA's requirements are performance-based rather than
prescribing specific actions that all facilities must take. Some
industry officials have suggested that legislation should also exempt
MTSA-covered chemical facilities from security requirements.
Stakeholders Identified Challenges DHS Will Face in Implementing
Chemical Security Requirements:
Stakeholders identified a number of challenges DHS will face in
implementing chemical security requirements. First, some stakeholders
told us that identifying the appropriate universe of facilities to be
covered by requirements will be difficult, given the diversity of
facilities that handle hazardous materials. While the RMP program
identifies facilities with amounts of chemicals deemed hazardous to
human health, stakeholders told us non-RMP facilities may also need to
be considered. For example, process safety experts mentioned that some
chemicals not on the RMP list may need to be considered when
identifying facilities, such as reactive chemicals that are currently
not included under RMP. New Jersey officials noted that the state's
chemical security efforts use criteria to identify facilities that
exceed RMP criteria, including facilities with RMP chemicals below RMP
threshold quantities and non-RMP chemicals that the state deemed
hazardous. Representatives from two agricultural chemical companies
stated that DHS will have a hard time identifying agricultural
facilities that house chemicals of concern, since these facilities
range from large plants to small rural facilities. Other stakeholders
stated that some RMP facilities should be excluded from security
requirements. Representatives of the ammonia refrigeration and forest
products industries stated that many of these facilities are not high
risk in terms of the possible terrorist threat they pose, even though
they are subject to RMP. Officials with two industry associations said
that RMP data are not the best indicator of terrorism risks, and that
DHS will need to look beyond RMP data to understand the complexities of
the chemical sector and identify those facilities with the greatest off-
site consequences under terrorist scenarios.
Second, because some states have established their own chemical
security requirements, some stakeholders also were concerned about
potentially overlapping state and federal requirements. Representatives
from two industry associations stressed that the federal government
needs to assert its leadership over the chemical sector because states
are stepping in where they see a void. At least two states have passed
chemical security legislation. Maryland's Hazardous Material Security
Act requires RMP facilities in the state to perform vulnerability
assessments, develop and implement security measures, and report to the
state Department of the Environment. Under New York's Anti-Terrorism
Preparedness Act of 2004, the state Office of Homeland Security,
subject to available appropriations, must require certain chemical
facilities to conduct vulnerability assessments. Stakeholders report
that other states have created chemical security offices or are
developing chemical security initiatives. Officials with one industry
association told us that state homeland security agencies are getting
involved in chemical facility security, even though they may lack the
resources to fully understand the issues these facilities face.
Furthermore, officials with three associations told us that many
companies have operations in multiple states and that cooperating with
numerous potentially conflicting state efforts would be a burden.
Industry officials also said that federal legislation would need to
clearly preempt state requirements in order for companies to avoid
being subjected to both federal and state laws. State officials from
New Jersey and Texas also voiced concern about duplicating efforts with
the federal government. State officials from New Jersey, which has used
existing state environmental authorities and a state homeland security
task force to work with chemical facilities on security issues,
suggested that federal legislation would provide industry with a
reasonable and predictable set of standards, rather than a patchwork of
state requirements. New Jersey officials also told us that although
states have done their best to address security concerns, many states,
including New Jersey, lack specific enforcement authority that could be
provided for in federal legislation.
Third, some stakeholders told us that enforcing chemical security
requirements, if enacted, will be a challenge for DHS. While
legislation may include enforcement provisions, stakeholders believe
DHS may face challenges in implementing any such provisions. Several
stakeholders questioned whether DHS has the expertise and resources to
enforce security requirements at chemical facilities. New Jersey state
officials believe that because DHS lacks experience in dealing with
chemical facilities, it should delegate implementation and enforcement
authority to states, allowing states to review facility activities and
report back to DHS. Unlike the Coast Guard, which conducts facility
inspections under MTSA, DHS currently does not have significant staff
resources located throughout the country.[Footnote 42] Some
stakeholders suggested that DHS will need staff in the field or will
need contract support to enforce requirements. Representatives from two
industry associations suggested that allocating federal resources to
support chemical facility security preparedness will be a challenge.
Finally, some stakeholders were concerned about the federal
government's ability to protect information on facility vulnerabilities
and security. Most of the industry associations and company officials
we spoke with raised concerns about this issue, noting that information
about facility vulnerabilities and security measures could provide a
roadmap for terrorists. While the industry wants to cooperate with DHS
on its chemical security efforts, businesses are concerned that
sensitive information could be released. This concern arises from the
conflict between the public's "right-to-know" such information and
security concerns about releasing facility data. As an example, while
federal regulations authorized the posting of some RMP data on the
Internet and in government reading rooms, some industry officials
opposed making this information available. Following the events of
September 11, 2001, various media reports published RMP data on some
facilities. Industry officials are willing to share information with
DHS about the vulnerability assessment process and procedures, but they
would prefer that vulnerability and security information remain at the
facility, where government officials can view such information if
needed. Reporting concerns about DHS's Protected Critical
Infrastructure Information (PCII) Program, officials with four
associations said companies need additional information about DHS's
information protection procedures. Officials with one association added
that companies may not be comfortable with the PCII program until it is
tested in court. Officials with three industry associations also told
us that sharing information at the state level is a concern. In this
regard, New Jersey officials noted that they have faced a challenge in
allaying industry fears about sharing security information. These
officials told us that while some states do not have the ability to
protect critical infrastructure information, New Jersey state law
exempts private sector information provided for domestic security
purposes from open records requirements. In contrast to these views,
representatives of three environmental groups believe that some
information about high-risk facilities should be publicly available.
Specifically, these representatives stated that communities need to
understand the risks posed by facilities in the area, and should have
access to information on the potential impacts of high-risk facilities'
worst-case terrorist scenarios. These representatives told us that
details about specific facility vulnerabilities need not be released,
but that the public should have access to information about facilities
that present the greatest concern.
Conclusions:
Across the nation, thousands of facilities produce, use, or store
hazardous chemicals in quantities that could potentially put large
numbers of Americans at risk. DHS, Justice, and other experts have
warned that these facilities present an attractive target for
terrorists. A terrorist attack could threaten human health and safety,
cause economic disruptions, and impact other critical infrastructures
that rely on chemicals. However, the extent of security preparedness at
these facilities remains largely unknown. Chemical industry
associations have undertaken numerous initiatives to raise awareness
about security and to encourage--and in some cases require--member
companies to assess their vulnerabilities and act to address them.
While these efforts are laudable, participation in these initiatives is
voluntary and the extent to which individual companies across the
industry are addressing security issues is unclear. Furthermore,
voluntary efforts cannot ensure widespread participation and, unless
chemical facilities' vulnerabilities are identified and addressed on a
widespread basis across the sector, the security of the chemical
industry as a critical national infrastructure remains at risk. As the
lead federal agency for the chemical sector, DHS has developed a number
of programs to assist companies in protecting their chemical
facilities. However, unlike other federal agencies--such as EPA and the
Nuclear Regulatory Commission, which require drinking water and nuclear
facilities, respectively, to take actions to improve their security--
DHS does not currently have the authority to require the chemical
industry to take such actions. On this basis, DHS has concluded--as we
did in 2003--that its existing patchwork of authorities does not allow
it to effectively regulate chemical sector security. Since 2002, both
DHS and EPA have called for legislation creating security requirements
at chemical facilities, and legislation has been introduced in every
Congress since the events of September 11, 2001. Our work demonstrates
the need to enhance DHS's ability to collect information about industry
preparedness and to ensure that facilities evaluate and mitigate their
vulnerability to terrorist attack. By granting DHS the authority to
require high-risk chemical facilities to take security actions, policy
makers can better ensure the preparedness of the chemical sector.
Among its activities to enhance chemical sector security, DHS has
developed methods for identifying high-priority facilities, assessing
facility vulnerabilities, and suggesting improvements to address these
vulnerabilities. In this process, DHS should take full advantage of
EPA's expertise on toxic chemical data sources, U.S. hazardous
materials facilities, and process safety issues, among other things,
that the agency has developed through its oversight of a number of
chemical safety programs. For example, EPA maintains data on RMP
facilities' inventories of toxic and flammable chemicals and facility
worst-case release scenarios and enforces compliance with a variety of
environmental programs through inspections of facilities located
throughout the country. By tapping EPA's expertise on chemical
facilities and general facility safety issues, DHS can enhance its
efforts to identify high-priority facilities and assess facility
vulnerabilities as well as better target government resources to those
facilities posing the greatest risk.
Implementing inherently safer technologies potentially could lessen the
consequences of a terrorist attack by reducing the chemical risks
present at facilities, thereby making facilities less attractive
targets. However, substituting safer technologies can be prohibitively
expensive for some companies and can shift risks onto other facilities
or the transportation sector. Also, in many cases, it may not be
feasible to substitute safer chemicals or change to safer processes.
Therefore, given the possible security and safety benefits as well as
the potential costs to some companies of substituting safer
technologies, a collaborative study employing DHS's security expertise
and EPA's chemical expertise could help policy makers determine the
appropriate role of safer technologies in facility security efforts.
Matters for Congressional Consideration:
To enhance DHS's ability to collect comprehensive information on
industry preparedness and better ensure the security of the chemical
sector, we recommend that the Congress consider the following two
actions:
* granting DHS the authority to require high-risk chemical facilities
to assess their vulnerability to terrorist attacks and, where
necessary, to take corrective action and:
* providing DHS with the enforcement capability to ensure that
facilities are following these practices.
Recommendations for Executive Action:
Because completion of the Chemical Sector-Specific Plan is critical to
DHS's efforts to enhance chemical facility security, we recommend that
the Secretary of the Department of Homeland Security direct DHS to take
the following two actions:
* ensure that the Chemical Sector-Specific Plan is completed in a
timely manner and:
* recognizing EPA's expertise in managing chemical risks, jointly study
with EPA whether chemical facilities' efforts to reduce vulnerabilities
would benefit from the use of technologies that substitute safer
chemicals and processes, referred to as "inherently safer
technologies."
Agency Comments and Our Evaluation:
We provided a draft of this report to DHS and EPA for their review and
comment. EPA provided no comments on the draft report. DHS agreed in
substance with two of the report's recommendations, but disagreed with
the third. DHS agreed that the Congress should consider granting DHS
the authority to require the chemical industry to address plant
security. DHS also agreed that completing and implementing the sector-
specific plan is a priority and stated that it is making progress
toward developing this plan. However, DHS disagreed with our
recommendation that the department work with EPA to study the security
benefits to chemical plants of using safer technologies. In this
regard, DHS believes that the use of safer technologies would not
generally result in more secure chemical facilities and would tend to
shift risks rather than eliminate them. DHS stated that it is unclear
what role EPA would play in a study of the benefits of using safer
technologies or how DHS's interaction with EPA might be perceived among
DHS's private sector partners.
We continue to believe, however, that the use of safer technologies may
have the potential to reduce security risks for at least some chemical
facilities by making them less attractive to a terrorist attack and
reducing the severity of the potential consequences of an attack. While
we recognize in our report that inherently safer technologies can shift
risks onto other facilities or the transportation sector, there may
also be instances where implementing safer technologies could reduce
the likelihood and severity of a terrorist attack. In fact, DHS's July
2004 draft of the Chemical Sector-Specific Plan states that inherently
safer chemistry and engineering practices can prevent or delay a
terrorist incident. The draft also notes that it is important to make
sure that facility owners/operators consider alternate ways to reduce
risk, such as inherently safer design, implementing just-in-time
manufacturing, or replacing high-risk chemicals with safer
alternatives. Therefore, we continue to believe that studying the costs
and security benefits of using safer technologies would be a worthwhile
effort. While DHS, as the federal agency primarily responsible for
chemical facility security, should have the lead role in conducting
such a study, EPA--charged with ensuring environmental and human health
and safety and having the key expertise needed to analyze the potential
environmental and health effects of a variety of alternative
technologies--can provide valuable support. We acknowledge DHS's
concern that its working relationship with the chemical industry might
be constrained by too close association with EPA, which regulates the
industry. However, we do not believe that a DHS-EPA partnership to
study the potential security benefits of using safer chemicals and
technologies would necessarily bring the department into conflict with
the industry, if the appropriate informational safeguards and
assurances are built into the process. Through additional study, DHS--
in conjunction with EPA--can help to determine the appropriate role of
inherently safer technologies in government and industry efforts to
bolster chemical facility security. Through such an effort, DHS and EPA
could also identify alternative ways to reduce both security and
environmental and health risks and share these practices with private
industry.
DHS also provided a number of technical comments and clarifications,
which we have incorporated into the report as appropriate. Appendix III
contains the full text of DHS's comments in a letter dated December 8,
2005.
As arranged with your offices, unless you publicly announce its
contents earlier, we plan no further distribution of this report until
30 days after the date of this report. At that time, we will send
copies to other interested congressional committees and to the
Secretary of the Department of Homeland Security and the Administrator
of the Environmental Protection Agency. We will also make copies
available to others upon request. In addition, the report will be
available at no charge on the GAO Web site at [Hyperlink,
http://www.gao.gov].
If you or your staff have any questions on this report, please contact
me at (202) 512-3841 or at [Hyperlink, stephensonj@gao.gov]. Contact
points for our Offices of Congressional Relations and Public Affairs
may be found on the last page of this report. Other GAO staff who
contributed to this report are listed in appendix IV.
Signed by:
John B. Stephenson:
Director, Natural Resources and Environment:
[End of section]
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Our objectives were to describe (1) the Department of Homeland
Security's (DHS) actions to develop an overall strategy for protecting
the chemical industry; (2) DHS's efforts to identify high-risk chemical
facilities, assess their vulnerabilities, ensure that facilities are
addressing security, and coordinate with the Environmental Protection
Agency (EPA) in these efforts; (3) chemical industry security
initiatives and challenges; and (4) DHS's existing authorities, and
whether additional legislative authority is needed to ensure that
chemical facilities take action to address vulnerabilities. To discuss
DHS's actions to develop an overall strategy for protecting the
chemical industry, we reviewed DHS's February 2005 Interim National
Infrastructure Protection Plan, its April 2004 guidance to sector-
specific agencies on drafting sector plans, and a July 2004 draft of
its Chemical Sector-Specific Plan.
To discuss the actions DHS has taken to identify high-risk chemical
facilities, assess their vulnerabilities, ensure that facilities are
addressing security, and coordinate with EPA, we interviewed officials
from DHS's Information Analysis and Infrastructure Protection
Directorate and EPA's Office of Emergency Management and gathered and
reviewed available documents and reports from both agencies.
Specifically, in addition to the documents previously mentioned, we
reviewed DHS reports on chemical facilities' and chemical storage
facilities' characteristics and their common vulnerabilities and
potential indicators of terrorist activity, one-page summaries of DHS
programs provided by department officials, and other available reports
and information on DHS efforts. We also attended two industry-sponsored
conferences, which included detailed presentations from DHS officials
on the department's chemical security efforts. In addition, we
interviewed contractors for DHS's Risk Analysis Management for Critical
Asset Protection (RAMCAP) initiative; representatives from the American
Society of Mechanical Engineers; and the subcontractor developing
chemical sector RAMCAP tools, the AcuTech Consulting Group. In
addition, we reviewed EPA Risk Management Plan (RMP) data and obtained
EPA officials' views on DHS's analysis of these data to identify high-
risk chemical facilities. We also discussed current interagency
coordination and opportunities for additional coordination between DHS
and EPA with officials from both agencies.
To discuss chemical industry voluntary initiatives and challenges, we
met with representatives of all 16 associations participating on the
Chemical Sector Coordinating Council.[Footnote 43] Using structured
interview questions, we gathered representatives' views on threats,
DHS's chemical security efforts, and industry security initiatives. We
also reviewed documents from industry associations, such as
vulnerability assessment tools, descriptions of voluntary security
programs, security guidelines, and best practices. We used this
information to assess the various initiatives undertaken by
associations and their members. To obtain a broad range of industry
views, we also talked to representatives of 20 chemical companies
belonging to 13 of the 16 associations on the Chemical Sector
Coordinating Council. Officials of some of these companies were present
at our meetings with associations, while others were contacted by
industry associations and agreed to speak with us separately. Three
associations--the Adhesive and Sealant Council, the International
Institute of Ammonia Refrigeration, and the National Paint and Coatings
Association--were not able to identify a member company willing to
speak with us. We also gathered information from both industry
associations and chemical company officials about challenges companies
face in improving security. To avoid unintentionally disclosing any
security-related information, we are not disclosing the names or other
identifying information relating to the individual chemical companies
we contacted. The comments from industry officials discussed in this
report are illustrative, are not statistically representative of the
chemical sector, and should not be considered to represent the views of
the chemical sector as a whole.
To discuss DHS's existing authorities and whether additional
legislative authority is needed to ensure that chemical facilities take
action to address vulnerabilities, we analyzed DHS's current
authorities and gathered a range of views on the need for additional
authority. Specifically, we analyzed DHS's current authorities under
the Homeland Security Act of 2002, the Patriot Act, and other laws. DHS
officials would not comment directly to us on the department's need for
additional authority because the executive branch has not yet
established a unified position on this issue. However, we were able to
obtain DHS's views on legislation by reviewing DHS statements and
comments at hearings on chemical facility security in July 2005. We
also gathered views on the need for legislation and the content and
structure of legislation during interviews with EPA, industry
associations, chemical companies, state homeland security officials in
New Jersey and Texas, and other organizations with chemical industry
expertise. These organizations included the American Institute of
Chemical Engineers' Center for Chemical Process Safety; Sandia National
Laboratories; the U.S. Chemical Safety and Hazard Investigation Board;
the American Society of Mechanical Engineers; the University of
Pennsylvania Wharton School's Risk Management and Decision Processes
Center; Texas A&M University's Mary K. O'Connor Process Safety Center
and National Emergency Response and Rescue Training Center; OMB Watch;
the Working Group on Community Right-to-Know; U.S. Public Interest
Research Group; and the Paper, Allied-Industrial, Chemical, and Energy
Workers International Union. We also asked representatives of these
organizations and industry officials about challenges the federal
government faces in securing the nation's chemical facilities from a
terrorist attack. In addition, we reviewed the testimony of industry
officials and other experts on legislation at hearings before the
Senate Homeland Security and Governmental Affairs Committee and the
House Homeland Security Committee, Subcommittee on Economic Security,
Infrastructure Protection and Cybersecurity, in April, June, and July
2005.
We limited our review of security issues to stationary chemical
facilities and did not address security concerns surrounding the
transportation of hazardous chemicals. We conducted our work from
December 2004 through December 2005 in accordance with generally
accepted government auditing standards.
[End of section]
Appendix II: Summary of the Chemical Industry's Voluntary Security
Initiatives:
Sixteen chemical industry associations participate in the Chemical
Sector Coordinating Council and have initiated a variety of security
efforts. These efforts range from developing security guidance and best
practices to establishing security requirements that member facilities
must follow to remain eligible for association membership.
The following is a brief description of these 16 associations and a
summary of security efforts under way at the facilities owned and/or
operated by their member companies.
American Chemistry Council:
The American Chemistry Council (ACC) has 135 members that represent the
leading companies in the U.S. chemical manufacturing sector. According
to ACC, its members are responsible for nearly 90 percent of basic
industrial chemical production. ACC's member companies operate about
2,000 facilities, approximately 1,000 of which are RMP facilities.
Approximately 270 of ACC's member facilities are also subject to the
Maritime Transportation Security Act of 2002 (MTSA).
ACC adopted a Responsible Care® Security Code that outlines 13
management practices that company security management systems must
include. These practices require companies to perform security
vulnerability assessments of their facilities, develop and implement
plans to mitigate the vulnerabilities, and obtain third-party
verification that the planned physical security enhancements were
completed. ACC members assigned its facilities into "tiers" on the
basis of the potential impact a chemical release at a facility would
have on surrounding communities, and these facilities must follow
milestone dates for completing security requirements that are based on
tier level. ACC reported that as of May 2004, all of its 2,000
facilities have completed security vulnerability assessments at their
sites using the Sandia National Laboratories vulnerability assessment
methodology, the Center for Chemical Process Safety methodology, or an
equivalent methodology approved by the center.
The Responsible Care® Security Code also requires that companies apply
security management practices to facility cyber assets and the chemical
industry distribution chain, which covers the complete "value chain"
for chemicals, from suppliers to customers, including transportation.
Member companies must perform vulnerability assessments of their cyber
assets and distribution value chain and implement plans to mitigate
these vulnerabilities. ACC asked that a company executive from each
member provide a signed statement declaring that the company had
management systems in place for the entire security code by June 30,
2005. As of October 3, 2005, 95 percent of member companies have signed
this statement. ACC officials told us that a number of companies have
left ACC over the last few years because of the cost of complying with
Responsible Care® requirements. Recognizing the degree of rigor
associated with the Responsible Care® Security Code, the United States
Coast Guard recognized the code as an alternative security program for
purposes of fulfilling facility security requirements under MTSA.
American Forest & Paper Association:
The American Forest & Paper Association has 116 members, including
companies that manufacture pulp, paper, paperboard, wood, or related
products in the United States. According to the association, its member
companies operate over 1,000 facilities, of which 80 to 90 are RMP
facilities. The association has established no specific security
requirements for its members, but has provided them with guidance on
facility site security principles and distributed pamphlets on common
steps for protecting forest products industry infrastructure.
Chemical Producers and Distributors Association:
The Chemical Producers and Distributors Association represents 86
member companies engaged in (1) the manufacture, formulation,
distribution, and sale of crop protection chemicals, fertilizers, feed,
fiber crops, and ingredients used in food; (2) the care and maintenance
of lawns, gardens, and turf; and (3) various forestry and vegetation
management markets. The association has established no specific
security requirements for its members, but shares information about
security issues with members at meetings and conferences.
Chlorine Chemistry Council:
The Chlorine Chemistry Council is a business council of ACC
representing the manufacturers and users of chlorine and chlorine-
related products. The council has seven voting members, who must be
members of ACC and comply with ACC's Responsible Care® security
requirements. Most facilities of voting member companies are also RMP
facilities. The council also has nonvoting members who are not ACC
members. Some of these members voluntarily follow the general approach
of Responsible Care®.
Compressed Gas Association:
The Compressed Gas Association (CGA) has 138 member companies that
represent manufacturers, distributors, suppliers, and transporters of
gases and cryogenic liquids (i.e., liquefied gases kept in a liquid
state at extremely low temperatures). The association's members have
gases, such as oxygen, nitrogen, argon, and helium, that are used in
most industries, including food and metal processing, semiconductor
manufacturing, healthcare, and chemical production. According to CGA,
member companies include approximately 15 to 20 industrial gas
manufacturing companies. CGA does not collect information on the number
of facilities member companies have that must meet RMP requirements.
Some member companies that make gas products used in foods must comply
with aspects of the Public Health Security and Bioterrorism
Preparedness and Response Act of 2002 to protect the nation's food,
according to CGA.
CGA has established no specific security requirements for members, but
has developed and distributed guidance to the compressed gas industry
on assessing security risks and identifying and implementing preventive
security measures. Guidelines address site security, transportation
security, and steps facilities should take to "qualify" customers,
(i.e., ensure that they are purchasing products for the appropriate
uses). CGA relied heavily on site security guidelines developed by ACC,
the Chlorine Institute, and the Synthetic Organic Chemical
Manufacturers Association in 2001 and on information from the Center
for Chemical Process Safety in developing these guidelines.
CropLife America:
CropLife America represents the developers, manufacturers, formulators,
and distributors of chemicals for agriculture and pest management in
the United States. CropLife America member companies produce, sell, and
distribute virtually all of the crop protection and biotechnology
products used by American farmers. CropLife America's membership
includes 18 pesticides manufacturing companies with about 30 facilities
and 5 integrated distribution companies with 1,100 of the nation's
5,500 bulk pesticide retail agricultural facilities, which typically
store both fertilizer chemicals and pesticides. All of the
manufacturing facilities are subject to RMP. Most of the retail
facilities also are subject to RMP because they house ammonia. CropLife
America also has about 10 member facilities that formulate pesticides.
CropLife America also participates in the Food and Agriculture Sector
Coordinating Council.
Six of CropLife America's basic research and manufacturing members are
ACC members and their facilities adhere to the Responsible Care®
Security Code. In addition, working with the Agricultural Retailers
Association, CropLife America created a not-for-profit organization
called the American Agronomic Stewardship Alliance to develop a
stewardship inspection and accreditation program for its agricultural
retail and distribution facilities that includes some security steps.
The alliance requires facilities to develop security plans and undergo
inspection by third-party vendors that includes checking to see that
security plans were prepared. However, the inspectors do not look at
whether the security plan has been implemented. As of April 2005, third
parties had completed about 2,000 inspections and 98 percent of
inspected facilities had a security plan on file. CropLife America also
published security guidelines shortly after the events of September 11,
2001, and has distributed these guidelines extensively.
Institute of Makers of Explosives:
The 40 member companies of the Institute of Makers of Explosives (IME)
include explosives manufacturers and distributors, and companies that
are contracted by mining companies to conduct explosions. According to
IME, about 30 of IME's member companies manufacture or distribute
explosives at about 300 facilities. Six of these companies operate 23
RMP facilities.
IME member companies are subject to a number of safety and security
requirements regulated by the Department of Justice's Bureau of
Alcohol, Tobacco, Firearms, and Explosives. IME has no specific
security requirements for its members, but has provided recommended
security guidelines to its members that include conducting a
vulnerability assessment but does not audit members for compliance. IME
also has work under way on a risk assessment modeling tool for accident
risk planning that will include a terrorist threat scenario. The model
is based on Department of Energy work and is intended for manufacturers
and drill blast companies.
International Institute of Ammonia Refrigeration:
The International Institute of Ammonia Refrigeration is an
international association serving companies that use ammonia
refrigeration technology, including end users such as food
refrigeration companies, contractors, engineers, equipment
manufacturers, and others in the industry. While the institute was
unable to provide the number of RMP facilities in its membership, about
2,000 RMP facilities use ammonia refrigeration. According to the
institute, these ammonia refrigeration facilities include approximately
600 refrigerated warehouses and storage facilities, such as regional
food distribution centers, and about 400 facilities that house meat
from slaughterhouses. Almost all of the food facilities belonging to
the institute are covered by the Bioterrorism Act. The institute also
participates in DHS's Agriculture Sector Coordinating Council. The
institute has established no specific security requirements for its
members, but shares information about security issues with its members
at annual meetings.
National Association of Chemical Distributors:
Member companies of the National Association of Chemical Distributors
(NACD) package, distribute, and blend chemicals. Its members typically
work with chemicals that do not react in unstable ways and store large
quantities of chemicals in warehouses. NACD represents 253 chemical
distribution companies that own, lease, or manage approximately 1,380
facilities in the United States and Canada. NACD estimates that at
least 350 member facilities are RMP facilities.
In 1991, NACD developed an environment, health, safety, and security
management protocol called the Responsible Distribution Process.
Adherence to this process is a condition of NACD membership. Since
January 1999, NACD members have been required to have their successful
implementation of all required membership practices verified by third
parties once every 3 years. NACD contracted with an internal auditing
company to be the third-party reviewer for its members. The first 3-
year cycle of Responsible Distribution Process verification ended in
December 2001. In April 2002, NACD added security measures to the
process, which require its members to develop security programs,
scrutinize security measures taken by for-hire motor carriers, ensure
that customers are purchasing chemicals for the appropriate use (as
prescribed by government regulations), and verify implementation of
security measures by an independent firm designated by NACD. The second
3-year cycle for process verification began in January 2003 and ended
in December 2005. Beginning in January 2006, NACD's Responsible
Distribution Process includes a requirement that members conduct
security vulnerability assessments. NACD developed its own
vulnerability assessment methodology, and members will be expected to
have completed their assessment by June 2006. NACD has terminated the
membership of 20 companies that failed to comply with the Responsible
Distribution Process requirements and to complete and pass the
verification step.
National Paint and Coatings Association:
The National Paint and Coatings Association (NPCA) represents
manufacturers and suppliers of paints and coatings, including lacquers,
stains, varnishes, and concrete. NPCA has over 350 associate and full-
member companies, representing an estimated 700 paint manufacturing
facilities that range from mom-and-pop stores to chain stores.
Approximately 50 of these facilities are RMP facilities. NPCA worked
with its members to develop Coatings Care, a safety and environmental
management system that includes security steps such as analyzing
threats, vulnerabilities, and consequences and the implementation of
security measures. Coatings Care also includes a vulnerability
assessment methodology developed by a member company specifically for
paint and coatings facilities that companies may elect to use, as well
as examples of security checklists and best practices. Member companies
have 1 year from the time they become NPCA members to agree to follow
the Coatings Care principles. However, NPCA does not require that
members take steps to verify their compliance with Coatings Care
security requirements.
National Petrochemical and Refiners Association:
The National Petrochemical and Refiners Association (NPRA) has about
450 member companies that include refiners and petrochemical
manufacturers, suppliers, and vendors. Almost all U.S. refiners are
NPRA members, which represent about 98 percent of the total refining
capacity in the United States. Petrochemical manufacturing facilities
use processes similar to those used in refineries and are often
colocated at refineries. According to NPRA, a majority of the almost
150 refineries and 200 petrochemical manufacturing facilities in the
United States are subject to MTSA. Because refineries are currently
considered to be part of the energy critical infrastructure sector,
NPRA also participates in the Oil and Natural Gas Sector Homeland
Security Coordinating Council, which meets regularly with a sector
government coordinating council that includes DHS and the Department of
Energy. NPRA has established no specific security requirements for its
members, but it holds security conferences and workshops for its
members that address security issues. In addition, NPRA and the
American Petroleum Institute developed a vulnerability assessment
methodology for petrochemical manufacturing and refining facilities
that was issued in 2003 and updated in 2004. The Center for Chemical
Process Safety has approved the methodology. DHS formally acknowledged
that the methodology can be used to satisfy MTSA requirements.
Synthetic Organic Chemical Manufacturers Association:
The Synthetic Organic Chemical Manufacturers Association (SOCMA)
includes 160 member companies that operate about 300 small-to medium-
sized specialty chemical manufacturing facilities in the United States,
or "batch" facilities, that produce a diverse number of chemicals.
Specialty chemicals are formulated to meet the detailed specifications
of various end users, and usually have unique purposes, such as making
nylon fibers stronger or serving as the active ingredient in medicine.
In December 2002, SOCMA adopted ACC's Responsible Care® Security Code.
SOCMA also developed a vulnerability assessment methodology reflecting
the variable risks at smaller facilities. According to SOCMA officials,
as of September 2005, all of its member companies had reported
completing vulnerability assessments and 98 percent of these companies
reported that they had implemented security enhancements and obtained
third-party verification. However, beginning in October 2005, SOCMA no
longer required its members to adhere to Responsible Care® because it
has developed its own environmental, health, safety, and security
performance program. SOCMA's new program, called ChemStewardsSM, will
still require members to conduct vulnerability assessments and
implement enhancements for physical security but will not include
specific security requirements for cyber assets and facilities'
distribution chain, which covers the complete value chain for
chemicals, from suppliers to customers, including transportation.
According to SOCMA, they have taken this step because cybersecurity
issues are far less significant for small companies, most of whom do
not use process control systems that can be disrupted via cyber attack.
Members will have to obtain third-party verification of security
improvements if a facility is an RMP facility.
The Adhesive and Sealant Council:
The Adhesive and Sealant Council (ASC) represents adhesive and sealant
manufacturers and supplier companies. The council has about 126 member
companies with approximately 250 facilities. According to ASC, most of
these facilities are RMP facilities. About 75 or 80 member companies
are raw materials suppliers, some of which also belong to ACC and,
therefore, comply with Responsible Care®. About 55 member companies are
adhesives or sealant manufacturers, some of which also belong to NPCA.
ASC has no specific security requirements for members.
The Chlorine Institute:
The Chlorine Institute represents approximately 220 member companies
that produce, distribute, and use chlorine, sodium, and potassium
hydroxides and sodium hypochlorite, and that distribute and use
hydrogen chloride. The institute's North American producer members
account for 98 percent of the total chlorine production capacity of the
United States and Canada; its packager member companies represent 100
percent of the total U.S. market. Most of the facilities of the
institute's member companies are RMP facilities. A few of the
institute's members are large water treatment facilities that are
covered by the Bioterrorism Act, and many of their members also have
facilities covered by MTSA, according to the institute.
The Chlorine Institute encourages, but does not require, its members to
conduct vulnerability assessments and develop security plans. Member
companies that are also ACC members conduct vulnerability assessments
and develop security plans in accordance with the Responsible Care®
Security Code. The institute has developed a seven-step process that
smaller chlorine manufacturing and distribution companies can use to
assess their vulnerabilities. In addition, the institute requires
executives of all member companies to sign an agreement stating that
they will meet nine safety and security requirements, including
complying with Responsible Care® or another industry security program.
Companies whose executives do not sign the agreement are not eligible
for institute membership. The institute does not require that companies
take steps to verify that vulnerability assessments and security plans
are completed and security measures are implemented.
The Fertilizer Institute:
The Fertilizer Institute (TFI) represents companies that make, sell,
and transport fertilizer products. Its approximately 190 member
companies operate retail spaces, warehouses, terminal, and production
facilities. Approximately 20 companies in the United States manufacture
fertilizer. TFI has established no specific security requirements for
its members. In 2002, however, TFI developed a Security Code of
Management Practices that it recommends, but does not require, that
members follow. The security code involves screening facilities into
priority tiers that are based on potential security hazards and,
following a timeline on the basis of tier level, conducting a
vulnerability assessment using a methodology developed by the Center
for Chemical Process Safety, SOCMA, or other equivalent methods. Also
in 2002, a working group comprising members of TFI, CropLife America,
and the Agriculture Retailers Association, developed a Web-based
vulnerability assessment tool for agribusiness retail facilities. The
Center for Chemical Process Safety approved the tool as meeting its
criteria for security vulnerability assessments. According to TFI,
approximately 2,000 of its member retail facilities have used the tool
to date.
The Society of the Plastics Industry, Inc.
The Society of the Plastics Industry, Inc., represents the entire
plastics industry, including processors, machinery and equipment
manufacturers, and raw materials suppliers. The society has about 1,100
member companies--about half of these companies supply machinery
(auxiliary components, dryers, and heavy equipment, among others);
about 250 to 300 companies process and recycle plastics; less than 100
companies make resins; and the remaining companies make molds. The bulk
of the society's member companies do not handle large quantities of
hazardous chemicals. The society has established no specific security
requirements for its members. Some of the society's members are also
members of ACC or the Synthetic Organic Chemical Manufacturers
Association and, therefore, comply with these associations' security
programs.
[End of section]
Appendix III: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
December 8, 2005:
Mr. John Stephenson:
Director:
Natural Resources and Environment:
U.S. Government Accountability Office:
Washington, D. C. 20548:
Dear Mr. Stephenson:
RE: Draft Report GAO-05-150 DHS is Taking Steps to Enhance Security at
Chemical Facilities, but Additional Authority is Needed (GAO Job Code
360538):
Thank you for the opportunity to review the draft report. In addition
to responses to the two recommendations contained in the report, we are
providing general comments that are more than technical in nature and
are responsive to content in the text of the report.
Recommendation: The Congress considers giving the Department of
Homeland Security (DHS) authority to require the chemical industry to
address plant security.
Response: Concur in Part. DHS agrees the Congress should consider
giving DHS authority to require the chemical industry to address plant
security in the interest of enhancing security at these facilities.
Recommendation: DHS complete the chemical sector-specific plan in a
timely manner and work with the Environmental Protection Agency (EPA)
to study the security benefits to chemical plants of using safer
technologies.
Response: Non-concur. DHS does not concur with the recommendation as
stated. The Office of Infrastructure Protection (IP) agrees that
completing and implementing the sector-specific plan is a priority and
is making significant progress toward developing a final plan. However,
IP recommends GAO strike the mention of DHS working with EPA to study
safer technologies. DHS believes that safer technologies would not
generally result in more secure chemical facilities. The use of
inherently safer technologies tends to shift risks rather than
eliminate risks, often with unintended consequences. It is also unclear
what EPA's role would be in this context, or how DHS interaction with
EPA in this regard might be perceived among our private sector
partners.
General Item 1:
Page: 3, 15:
Issue summary: DHS is developing a national strategy for protecting the
chemical sector, which department officials expect to complete in 2006.
This strategy-to be included in a Chemical Sector-Specific Plan-is
intended to outline a framework for reducing the overall vulnerability
of the chemical sector in partnership with industry, state and local
authorities, according to DHS officials.. As a part of the National
Infrastructure Protection Plan (NIPP), DHS is developing a national
strategy for protecting the chemical sector that will establish a
framework for reducing the overall vulnerability of the sector in
partnership with the industry and state and local authorities.:
DHS/IP Statement The National Strategy being developed for the Chemical
Sector is separate but complimentary to the Chemical Sector Specific
Plan. The National Strategy for Securing the Chemical Sector, which was
requested by Congress in the committee report for the FY06 Homeland
Security appropriations bill, is a high-level strategic document being
prepared solely by DHS. The Chemical Sector Specific Plan (SSP), which
will be an appendix to the National Infrastructure Protection Plan
(NIPP), is a strategic & operational document being prepared by DHS in
conjunction with other Federal agencies, State and local governments,
and the private sector. The Chemical SSP, like SSPs for all 17 critical
infrastructure and key resource sectors, cannot be completed until the
NIPP Base Plan is completed, and is scheduled to be completed within
six months of the signing out of the NIPP Base Plan.
General Item: 2:
Page: 4:
Issue: "Conducting this analysis will require that chemical facility
owners and operators voluntary assess their own risks and provide DHS
with this information."
DHS/IP Statement: DHS would like owners and operators to assess and
provide information on their vulnerabilities and potential consequences
of an attack. An accurate assessment of risk requires specific threat
information, which may not be available in all cases.
General Item 3:
Page: 19, FN 12:
Issue: EPA has expressed concern about DHS' analysis of the Risk
Management Plan (RMP) database. According to EPA officials, the results
of DHS analysis appear to indicate that the data may have been
manipulated incorrectly. For example, EPA does not agree that the
database contains 3,000 facilities that are no longer in business or no
longer RMP facilities. EPA officials offered to assist DHS with
implementation of the RMP database.
DHS/IP Statement: Please note in the GAO Report that DHS is open to
working with EPA to clarify the Department's methodology for
interpreting the RMP database as it relates to risk.
General Item 4:
Page: 21:
Issue: According to DHS, 272 of these facilities could potentially
affect more than 50,000 people. These 272 facilities include chemical
manufacturing plants as well as refineries, wastewater treatment
facilities, and other types of chemical facilities.
DHS/IP Statement: This states that the 272 facilities include
refineries and wastewater treatment facilities. However, in regard to
refineries, the list mainly includes petro-chemical companies. In
addition, it should be noted that wastewater treatment facilities were
not intended to be incorporated in the list of top facilities.
General Item: 5:
Page: 22:
Issue: According to DHS officials, DHS plans to ask 20,000 chemical
facility owners/operators to complete the Risk Analysis Management for
Critical Asset Protection (RAMCAP) top screen. DHS will work with
industry associations to distribute the RAMCAP screening tool to
chemical facilities. DHS officials said that they expect that less than
1,000 chemical facility owners/operators will be asked to complete the
vulnerability assessment.
DHS/IP Statement: This states that DHS plans to ask 20K facilities to
do the Top Screen and 1K to do the Site Vulnerability Assessment (SVA).
DHS recommends that GAO strike the mention of 20,000 facilities as this
number is subject to change.
IP Proposed Replacement Language: According to DHS officials, DHS will
work with industry associations to distribute the RAMCAP screening tool
to the highest consequence chemical facilities DHS officials expect
that between 5-10 percent of those chemical facility owners/operators
will be asked to complete the self vulnerability assessment.
General Item: 6:
Page: 23:
Issue: According to industry officials, however, the companies who pre-
tested the security vulnerability assessment found the exercise
valuable and difficult to complete.
DHS/IP Statement: The GAO Report says companies pre-tested the SVA, but
they actually tested the Top Screen, not the SVA.
General Item: 7:
Page: 27:
Issue: DHS is also planning a series of Comprehensive Reviews in areas
with large number of chemical facilities, focusing on facilities'
security as well as emergency response capabilities in the local area.
A team of federal officials from multiple agencies along with state and
local officials will plan and conduct the work.. DHS hopes to complete
5 visits to clusters of facilities during 2006.
DHS/IP Statement: DHS expects to visit 6 Comprehensive Review (CR)
clusters in 2006, not 2005. Also, the description says that state and
local officials will plan and conduct the work. Actually, the planning
and conduct of the actual work is all going to be done by the various
federal agencies involved in the CR effort in coordination with State
and local officials:
IP Suggested Language: The Comprehensive Review is a DHS-led
cooperative government and private sector analysis of Critical
Infrastructure/Key Resource (CI/KR) that will enhance public safety by
helping the nation prevent and prepare for a potential terrorist
attack, identify and reduce the possible consequences of such an
attack, and enhance the integrated prevention and response capabilities
of the ownerloperator, local law enforcement, and emergency response
organizations. The results will be used to enhance the nation's
security posture by implementing short-term protective measures and
making longer-term risk-based investments in training, processes,
procedures, and resources for the community. The Comprehensive Review
process also provides an opportunity for all affected stakeholders to
identify and implement best practices for readiness and preparedness
for any catastrophic event affecting critical infrastructure.
General Item 8:
Page: 48:
Issue: Set of principles proposed for chemical security legislation:
* Require a common set of standards and practices to level the playing
field across the chemical sector;
* Implement core security measures consistently and fairly, based on
risk;
* Give DHS the authority to decide which facilities will be subjected
to any new rules, based on the risk of a terrorist attack;
* Give DHS the flexibility to address security issues for individuals
facilities on a case-specific basis;
Provide DHS the authority, with sufficient flexibility, to address
specific threats to high-risk facilities, or under extraordinary
circumstances;
* Recognize and build upon public-and private-sector work and
investment to date, and avoid penalizing companies already operating
under existing Federal security authorities (for example MTSA), where
appropriate;
* Do not halt or deter ongoing capital investment by companies that are
taking responsible security measures currently;
* Balance the need for appropriate security measures with the ability
to effectively and efficiently maintain business operations;
* Institute market-based incentives to the highest degree possible to
secure the chemical sector;
* Include an objective verification and validation process for ensuring
that adequate security measures implanted, and allow the Security of
DHS to issue civil penalties for non-compliance; and:
* Protect confidential, proprietary, and business sensitive
information:
DHS/IP Statement: This list differs from the current list of principles
for proposed chemical legislation. The following text represents the
current list of principles, which were outlined during testimony that
DHS believes should be incorporated into any potential legislation:
"First, we must recognize that not alt facilities present the same
level of risk, and that the most scrutiny should be focused on those
that, if attacked, could endanger the greatest number of lives, have
the greatest economic impact or present other very significant risks
Second, facility security should be based on reasonable, clear, and
equitable performance standards. The Department should develop
enforceable performance standards based on the types and severity of
potential risks posed by terrorists, and facilities should have the
flexibility to select among appropriate site-specific security measures
that will effectively address those risks. Third, we should recognize
the progress many responsible companies have made to date."
General Item 9:
Page: 52:
Issue: Furthermore, DHS' July 2004 draft Chemical Sector-Specific Plan
states that inherently safer chemistry and engineering practices can
prevent or delay a terrorist incident, noting that it is important to
make sure that facility owners/operators consider alternative ways to
reduce risk such as inherently safer design, implementing just-in-time
manufacturing, or replacing high-risk chemicals with safer
alternatives.
DHS/IP Statement: Inherently Safer Technology (IST) does not "prevent
or deny" incidents. The use of inherently safer technologies tends to
shift risks rather than eliminate risks, often with unintended
consequences. It is also unclear what EPA's role would be in this
context.
We thank you again for the opportunity to review the report and provide
comments.
Sincerely,
Signed by:
Steven J. Pecinovsky:
Director:
Departmental GAO/OIG Liaison Office:
The following are GAO's comments on the Department of Homeland
Security's letter dated December 8, 2005.
GAO Comments:
1. We revised the report to include a description of the National
Strategy for Securing the Chemical Sector.
2. We revised the report to include the language suggested by DHS.
3. We revised the report to include DHS's statement that it is open to
working with EPA on interpreting the RMP database. In addition, we
encourage DHS to share its analysis of the database with EPA to ensure
that all high-risk facilities are identified.
4. We revised the report to state that the 272 facilities that could
potentially affect more than 50,000 people included some refineries
located with petrochemical companies. We also added DHS's comment that
it did not intend to incorporate wastewater treatment facilities into
the list of top facilities.
5. We revised the report to indicate that DHS is uncertain how many
facilities it will ask to complete the RAMCAP top screen.
6. Contrary to DHS's statement, industry officials told us that the
companies that pretested the security vulnerability assessments--not
the top screen, as DHS indicates--found the exercise valuable, but
difficult to complete. As of early November 2005, four chemical
companies had tested the security vulnerability assessment at one of
its facilities.
7. We revised the report to state that DHS expects to conduct six
Comprehensive Reviews, and that they will coordinate these reviews with
state and local officials.
8. As DHS suggested, we deleted the list of principles for proposed
chemical security legislation that DHS officials provided us in October
2005 and substituted the language suggested by DHS, which was, in part,
already included in the draft report.
9. As we state in our response to DHS's views on our recommendation, we
continue to believe that the use of safer technologies may potentially
reduce both security and environmental and health risks at some
chemical facilities. We retained the draft report's existing discussion
of the issue, including DHS's and the industry's views, but added DHS's
specific statement from its comment letter that "the use of inherently
safer technologies tends to shift risks rather than eliminate risks,
often with unintended consequences." We also included information from
DHS's draft Chemical Sector-Specific Plan, which states that inherently
safer chemistry and engineering practices can prevent or delay a
terrorist incident, and that it is important to make sure that facility
owners/operators consider alternate ways to reduce risk, such as
inherently safer design, implementing just-in-time manufacturing, or
replacing high-risk chemicals with safer alternatives.
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
John B. Stephenson (202) 512-3841:
Staff Acknowledgments:
In addition, Vincent P. Price, Assistant Director; Leigh White; Joanna
Owusu; and Jill Edelson made key contributions to this report.
Important contributions were also made by John W. Delicath and Amy
Webbink.
(360538):
FOOTNOTES
[1] Pub. L. No. 107-296, 116 Stat. 2145 (2002).
[2] Homeland Security Presidential Directive Number 7 (Washington,
D.C.: Dec. 17, 2003).
[3] As of November 2005, Chemical Sector Coordinating Council members
included the Adhesive and Sealant Council; the American Chemistry
Council; the American Forest & Paper Association; the Chemical
Producers and Distributors Association; the Chlorine Chemistry Council;
the Chlorine Institute; the Compressed Gas Association; CropLife
America; the Fertilizer Institute; the Institute of Makers of
Explosives; the International Institute of Ammonia Refrigeration; the
National Association of Chemical Distributors; the National Paint and
Coatings Association; the National Petrochemical and Refiners
Association; the Society of the Plastics Industry, Inc; and the
Synthetic Organic Chemical Manufacturers Association.
[4] Three associations--the Adhesive and Sealant Council, the
International Institute of Ammonia Refrigeration, and the National
Paint and Coatings Association--were not able to identify a member
company willing to speak with us.
[5] GAO, Protection of Chemical and Water Infrastructure: Federal
Requirements, Actions of Selected Facilities, and Remaining Challenges,
GAO-05-327 (Washington, D.C.: Mar. 28, 2005).
[6] GAO, Homeland Security: Voluntary Initiatives Are Under Way at
Chemical Facilities, but the Extent of Security Preparedness Is
Unknown, GAO-03-439 (Washington, D.C.: Mar. 14, 2003).
[7] In November 2005, DHS reorganized the department. DHS divided the
responsibilities of IAIP between DHS's Preparedness Directorate and a
new Office of Intelligence and Analysis.
[8] The Homeland Security Act called upon the Secretary of DHS to
appoint a special assistant to be responsible for these functions. See
6 U.S.C. § 112(f)(4).
[9] H.R. Conf. Rep. No. 109-24 (2005).
[10] DHS plans to use a metrics-based system of performance evaluation
that will conform to the Government Performance and Results Act of
1993. DHS will have core metrics, which will be common across all
sectors, and specific metrics for the chemical sector.
[11] H.R. Conf. Rep. No. 109-241 (2005).
[12] GAO-03-439.
[13] EPA has expressed concern about DHS's analysis of the RMP
database. According to EPA officials, the results of DHS's analysis
appear to indicate that the data may have been manipulated incorrectly.
For example, EPA does not agree that the database contains 3,000
facilities that are no longer in business or no longer RMP facilities.
EPA officials offered to assist DHS with interpretation of the RMP
database. In commenting on our report, DHS stated that the department
is open to working with EPA to clarify DHS's methodology for
interpreting the RMP database as it relates to risk.
[14] According to EPA officials, RMP worst-case scenario population
estimates are not intended to represent the number of people that could
be harmed by a toxic worst-case accident. EPA regulations require
facilities to estimate the distance that a toxic gas cloud would travel
before its concentration is diluted below a specified level and to
report the entire population within that distance of the facility. EPA
officials stated that in an actual release event, even one where worst-
case conditions existed, the toxic chemical plume would generally
impact a fraction of the reported population, since a toxic plume would
only cover areas downwind of the facility. However, since it is
impossible to predict the exact wind conditions that will be present
during an accidental release, EPA regulations require facilities to
report the entire population within a full 360-degree circle
surrounding the facility, even though this population number will
almost always significantly overestimate the number of people that
could be harmed by the scenario. EPA officials refer to the population
within the 360-degree circle around the facility as the "vulnerable
zone" population. DHS determined that the maximum width of a toxic
chemical plume is 60 degrees, not the full 360-degree circle
surrounding a facility. Thus, DHS adjusted the RMP worst-case scenarios
estimates to develop what they believe is a more realistic estimate of
the potential impact of a worst-case, terrorist-caused chemical
release.
[15] The Department of Homeland Security Appropriations Act, 2005, made
appropriations for DHS grant programs. DHS allocated $92 million for
buffer zone protection grants for all sectors, including the chemical
sector.
[16] According to DHS's Buffer Zone Grant Guidance, these are sites
that, if attacked, could cause death or serious injury to 50,000 or
more people.
[17] The governor of each state has designated a state administrative
agency that is responsible for preparing and submitting all grant
application materials on behalf of the state. The administrative agency
is the grantee--that is, it administers the funds for the state and
allocates funds to responsible jurisdictions.
[18] The Coast Guard provided 287 grants, including some to chemical
facilities, totaling over $100 million.
[19] DHS stakeholders include the Office of Infrastructure Protection,
Office for Domestic Preparedness, Federal Emergency Management Agency,
United States Coast Guard, and Transportation Security Administration.
Other federal stakeholders include the Environmental Protection Agency
and the Federal Bureau of Investigation.
[20] The Homeland Security Act and Homeland Security Presidential
Directive 7 require DHS to collaborate with the private sector.
[21] The Federal Bureau of Investigation's National Infrastructure
Protection Center created ISAC with ACC. The Homeland Security Act
transferred these functions to DHS, which now supports ISAC.
[22] Pub. L. No. 92-463, 86 Stat. 770 (1972) (classified at 5 U.S.C.
app. 2).
[23] The President or head of an agency may determine that a meeting be
closed if, for example, the meeting will include discussions of
classified information, reviews of proprietary data submitted in
support of federal grant applications, or deliberations involving
considerations of personal privacy.
[24] If the Secretary exempts a committee from FACA, the Secretary must
publish a notice in the Federal Register announcing the establishment
of an advisory committee and identifying its purpose and membership.
See 6 U.S.C. § 451.
[25] The Homeland Security Advisory Council provides advice and
recommendations to the Secretary on matters related to homeland
security. The council is comprised of leaders from state and local
governments, first responder communities, the private sector, and
academia.
[26] GAO-05-327.
[27] Specialty chemicals are formulated to meet the detailed
specifications of various end users and usually have unique purposes,
such as making nylon fibers stronger or serving as the active
ingredient in medicine.
[28] Explosives companies are regulated by Justice's Bureau of Alcohol,
Tobacco, Firearms, and Explosives.
[29] The security vulnerability assessment is owned and operated by the
Agricultural Retailers Association.
[30] A risk management framework represents a series of analytical and
managerial steps, basically sequential, that can be used to assess
risk, assess alternatives for reducing risks, choose among those
alternatives, implement the alternatives, monitor their implementation,
and continually use new information to adjust and revise the
assessments and actions, as needed.
[31] Paper, Allied-Industrial, Chemical, and Energy Workers
International Union, PACE International Union Survey: Workplace
Incident Prevention and Response Since 9/11 (October 2004).
[32] All standards activities are to be conducted in conformance with
section 12(d) of the National Technology Transfer Act of 1995, which
states that federal agencies generally must use technical standards--
performance-based or design-specific technical specifications and
related management systems practices--developed or adopted by voluntary
consensus standards bodies as a means to carry out policy objectives or
activities, consulting and participating with such bodies in the
development of technical standards when such participation is in the
public interest and compatible with the agency's authorities and budget
resources. See 6 U.S.C. §112(g) and 15 U.S.C. § 272 note.
[33] Pub. L. No. 107-56, § 1016, 115 Stat. 400 (2001) (codified at 42
U.S.C. § 5195c(d)).
[34] Under MTSA, DHS's Coast Guard requires maritime facility
owners/operators to conduct assessments of vulnerabilities, develop
security plans, and implement security measures. The Coast Guard also
has the authority to enter facilities. However, the Coast Guard reports
that these requirements currently apply to only 300 chemical
facilities.
[35] Pub. L. No. 106-40, § 3(a) (1999). Justice partially fulfilled
this requirement by submitting an interim report on the vulnerability
of chemical facilities in May 2002. Neither Justice nor DHS has
submitted a final report to the Congress, which was due on August 5,
2002.
[36] H.R. Conf. Rep. No. 108-10 (2003).
[37] H.R. Conf. Rep. No. 108-774, at 75 (2004).
[38] The Secretary may issue regulations for antiterrorism technology
and may issue necessary regulations with respect to research;
development; demonstration; testing; and evaluation activities of the
department, including the conducting, reviewing, and funding of such
activities.
[39] Testimony before the House Homeland Security Subcommittee on
Economic Security, Infrastructure Protection and Cybersecurity and the
Senate Committee on Homeland Security and Governmental Affairs on June
15, 2005.
[40] GAO-03-439.
[41] These facilities are subject to Coast Guard inspections.
[42] DHS has begun to establish a field presence through the hiring and
placement of 63 protective security advisors in metropolitan areas
across the country.
[43] As of November 2005, Chemical Sector Coordinating Council members
included the Adhesive and Sealant Council; the American Chemistry
Council; the American Forest and Paper Association; the Chemical
Producers and Distributors Association; the Chlorine Chemistry Council;
the Chlorine Institute; the Compressed Gas Association; CropLife
America; the Fertilizer Institute; the Institute of Makers of
Explosives; the International Institute of Ammonia Refrigeration; the
National Association of Chemical Distributors; the National Paint and
Coatings Association; the National Petrochemical and Refiners
Association; the Society of the Plastics Industry, Inc; and the
Synthetic Organic Chemical Manufacturers Association.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
