House committee leaders question CISA over chemical facility security, CFATS program

With the Chemical Facility Anti-Terrorism Standards (CFATS) program approaching its sunset date, House committee leaders reached out to Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly this week seeking information on its status and potential renewal.

Barring further action, the CFATS program will retire on July 27, 2023. However, this poses security concerns, as the program regulates facilities with chemicals at or above certain levels deemed to be high levels of security risk and mandates assessments of their vulnerabilities and implementation of counterterrorism measures therein. Undercutting the issue, though, is the sense from lawmakers that they need a better understanding of how, exactly, the program operates.

“On October 4, 2006, the legal authority first creating the Chemical Facility Anti-Terrorism Standards (CFATS) program first became effective,” the lawmakers wrote. “CFATS requires certain facilities, whose possession or planned possession of chemicals at or above certain levels determined to present ‘high levels of security risk,’ to assess their vulnerabilities and implement security measures to minimize terrorism risks posed by those vulnerabilities. These facilities can fall under numerous types of industries and sectors, including chemical manufacturing, storage and distribution, energy and utilities, agriculture and food, explosives, mining, electronics, plastics, colleges and universities, laboratories, paint and coatings, and healthcare and pharmaceuticals.”

The representatives, which included Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) and Committee Ranking Member Frank Pallone, Jr. (D-NJ), Environment, Manufacturing & Critical Materials Subcommittee Chair Bill Johnson (R-OH), Subcommittee Ranking Member Paul Tonko (D-NY), and U.S. Rep. August Pfluger (R-TX), asked Easterly pointed questions, seeking details on the steps CISA has taken to build transparency, change the way it protects chemical-terrorism vulnerability information and the veracity of reports that CISA could begin a rulemaking affecting CFAT details such as risk methodology, list of chemicals and cybersecurity.

Beyond these, the lawmakers also sought answers on CISA’s responses to reports from the Government Accountability Office (GAO) and its use of training standards, as well as the agency’s work to guarantee its regional offices implement CFATS in lock-step with its main office. Further, they pressed for plans from CISA to address drone activity around CFATS regulated facilities and insights into CISA’s proposal to restart the statutorily required regulation on sales of ammonium nitrate and the impact that these regulations will have on CFATS-regulated facilities.

In their conclusion, they sought answers no later than June 27, 2023.