[Senate Report 113-263] [From the U.S. Government Publishing Office] 113th Congress } { Report 2nd Session } SENATE { 113-263 _______________________________________________________________________ Calendar No. 578 CHEMICAL FACILITIES ANTI-TERRORISM STANDARDS PROGRAM AUTHORIZATION AND ACCOUNTABILITY ACT OF 2014 __________ R E P O R T of the COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS UNITED STATES SENATE to accompany H.R. 4007 TO RECODIFY AND REAUTHORIZE THE CHEMICAL FACILITY ANTI-TERRORISM STANDARDS PROGRAM [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] September 18, 2014.--Ordered to be printed COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS THOMAS R. CARPER, Delaware, Chairman CARL LEVIN, Michigan TOM COBURN, Oklahoma MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin CLAIRE McCASKILL, Missouri ROB PORTMAN, Ohio JON TESTER, Montana RAND PAUL, Kentucky MARK BEGICH, Alaska MICHAEL B. ENZI, Wyoming TAMMY BALDWIN, Wisconsin KELLY AYOTTE, New Hampshire HEIDI HEITKAMP, North Dakota Gabrielle A. Batkin, Staff Director John P. Kilvington, Deputy Staff Director Mary Beth Schultz, Chief Counsel John G. Collins, Senior Professional Staff Member Jason M. Yanussi, Senior Professional Staff Member Abigail A. Shenkle, Legislative Aide Keith B. Ashdown, Minority Staff Director Christopher J. Barkley, Minority Deputy Staff Director Andrew C. Dockham, Minority Chief Counsel William H.W. McKenna, Minority Investigative Counsel Laura W. Kilbride, Chief Clerk Calendar No. 578 113th Congress } { Report 2d Session } SENATE { 113-263 ======================================================================= CHEMICAL FACILITIES ANTI-TERRORISM STANDARDS PROGRAM AUTHORIZATION AND ACCOUNTABILITY ACT OF 2014 _______ September 18, 2014.--Ordered to be printed _______ Mr. Carper, from the Committee on Homeland Security and Governmental Affairs, submitted the following R E P O R T [To accompany H.R. 4007] The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (H.R. 4007) to recodify and reauthorize the Chemical Facility Anti-Terrorism Standards Program, having considered the same, reports favorably thereon with an amendment in the nature of a substitute and recommends that the bill, as amended, do pass. CONTENTS Page I. Purpose and Summary..............................................1 II. Background and Need for the Legislation..........................2 III. Legislative History.............................................14 IV. Section-by-Section Analysis of the Bill, as Reported............15 V. Evaluation of Regulatory Impact.................................20 VI. Congressional Budget Office Estimate............................20 VII. Changes in Existing Law Made by the Bill, as Reported...........22 I. Purpose and Summary H.R. 4007, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, as amended by the Committee's substitute amendment reauthorizes the Chemical Facility Anti-Terrorism Standards program (CFATS) of the Department of Homeland Security. The CFATS program is designed to help ensure that high-risk chemical facilities are secure from terrorist attack or sabotage. Facilities that make or use certain chemicals have been identified as a significant security concern and one that continues to warrant a dedicated security program at the federal level. The Committee substitute reauthorizes the CFATS program for four years, while at the same time mandating specific changes in response to concerns raised about that program by both stakeholders and overseers. Specifically, the bill directs DHS to identify high-risk facilities through the use of specific risk criteria and requires DHS to use risk-based performance standards for high- risk facilities to meet. The facilities, for their part, submit security plans laying out how they plan to meet the performance standards, and DHS reviews and approves the plans and then follows up with in-person inspections of the facilities to ensure compliance. II. Background and Need for Legislation Chemicals are a ubiquitous part of modern life, forming indispensable parts of a vast number of products from the mundane to the complex. Thousands of facilities across the country produce and store chemicals, some of which could pose a significant threat to human health or safety if released or misused. Certain chemicals, if released into the water or air, pose a direct threat to the health or life of those in nearby communities. Other chemicals can explode if abused or mishandled posing a significant threat to the surrounding communities or, if the chemicals are stolen and smuggled, to other communities as well. Chemical facilities--places that produce, store or use significant quantities of certain chemicals--therefore offer attractive targets for terrorists because of the large scale damage and loss of life that can occur through a direct attack on a facility or the misappropriation of the chemicals they produce or store. While many of these chemicals are already regulated under various environmental or worker safety statutes, those regulations typically focus on the possibility of an accidental release or misuse rather than a deliberate effort to exploit the chemicals to inflict harm. To protect against this security risk, in the fall of 2006, Congress authorized the Department of Homeland Security (DHS) to determine which chemical facilities present a high level of security risk, establish risk-based performance standards for securing those high-risk facilities, and enforce regulations designed to ensure facilities posing the highest risk are meeting those standards.\1\ In response, DHS established the Chemical Facility Anti-Terrorism Standards (CFATS) program. The statute establishing the CFATS program included a three-year sunset for DHS's authority, creating initial authority for the program but ensuring that the effectiveness of the approach outlined in the bill could be evaluated, and other measures considered, relatively soon after the program's inception.\2\ Since then, Congress has passed several short-term extensions, only once making a change to the CFATS program despite Congress' desire to monitor implementation of the program closely.\3\ With the Department's current authority set to expire on October 4, 2014, the Committee voted to extend the chemical security program with a longer-term authorization while also addressing identified weaknesses in the program. --------------------------------------------------------------------------- \1\See P.L. 109-295, Department of Homeland Security Appropriations Act of 2007, Sec. 550. \2\See 152 Cong. Rec. S10351 (September 28, 2006) (Statement of Senator Collins), at http://www.gpo.gov/fdsys/pkg/CREC-2006-09-28/pdf/ CREC-2006-09-28.pdf. \3\Sec. 534(h) of P.L. 110-161, the Department of Homeland Security Appropriations Act of 2008, which allowed states and political subdivisions thereof to adopt laws regulating chemical facilities, as long as they were at least as stringent as CFATS. Since this change amended the authorizing language for the program, it was carried forward in subsequent short-term extensions of the program. --------------------------------------------------------------------------- The original 2006 authorization--which has been extended repeatedly on various appropriations bills or spending resolutions--directed DHS to develop a security program for high-risk chemical facilities that would rely on performance standards rather than specific, prescriptive measures. It also exempted certain facilities already subject to other regulatory regimes aimed at ensuring the security of their facilities, such as facilities owned or operated by the Departments of Defense or Energy, facilities already regulated under the Maritime Transportation Security Act of 2002 or by the Nuclear Regulatory Commission, and water and wastewater treatment facilities. DHS developed the core features of the CFATS program in interim regulations issued in spring 2007. To determine which facilities face regulation under the program, DHS developed a list of 322 ``chemicals of interest.'' All non-exempt facilities possessing any of the 322 ``chemicals of interest'' beyond specified threshold amounts must fill out a questionnaire known as a ``Top-Screen.'' DHS uses the completed Top-Screens to determine whether a facility poses a high security risk such that it should be covered by the risk-based performance standards. If DHS finds the facility to be ``high- risk,'' the facility is covered by CFATS and must submit and comply with a security plan that meets the risk-based performance standards; those not determined to be high-risk face no further regulatory obligations under CFATS. DHS then assigns high-risk facilities to one of four risk-based tiers, with progressively stricter requirements for those in the highest risk tiers. Tier 1 facilities are the highest risk facilities; Tier 4 includes the lowest group of high-risk facilities. As of August 1, 2014, more than 48,000 facilities with chemicals of interest had submitted Top-Screens to DHS. From those submissions, DHS categorized approximately 3,986 facilities as high-risk, triggering some level of regulation under CFATS.\4\ As of April 2014,\5\ 121 facilities had been preliminarily assigned\6\ to Tier 1; 382 had been assigned to Tier 2; 1,088 had been assigned to Tier 3; and 2,542 had been assigned to Tier 4.\7\ --------------------------------------------------------------------------- \4\See Department of Homeland Security, CFATS Update August 2014 at http://www.dhs.gov/sites/default/files/publications/ CFATS%20FS_August2014.pdf. \5\The number of chemical facilities covered under the program is variously quoted in this report as between 3,986 and 4,100. This fluctuation is due to the fact that chemical facilities can reduce or remove their holdings of chemicals in order to tier out of the program, so the number of covered facilities is dynamic based on facilities' decision to ``tier out'' of the program. See ``Charting a Path Forward for the Chemical Facilities Anti-Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 3 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). \6\These figures refer to preliminary tier assignments from the Department based on facility submission of a Top-Screen. Final tier assignment occurs after facilities submit Security Vulnerability Assessments; the Department then reviews these assessments to identify which facilities should be assigned to a high-risk tier under CFATS. \7\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 3 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). --------------------------------------------------------------------------- Facilities deemed high-risk by the Department generally must develop an effective security plan, submit the plan to DHS for review, and implement their security plan. The security standards required under the CFATS program are performance based, rather than prescriptive. This means that the Department does not prescribe specific measures that must be taken by all facilities; instead, the manner in which a facility chooses to address its security vulnerabilities, although subject to approval by the Secretary, is developed by the facility owner.\8\ --------------------------------------------------------------------------- \8\``A performance standard specifies the outcome required, but leaves the specific measures to achieve that outcome up to the discretion of the regulated entity. In contrast to a design standard or a technology-based standard that specifies exactly how to achieve compliance, a performance standard sets a goal and lets each regulated entity decide how to meet it.'' See Department of Homeland Security, Risk-Based Performance Standards Guidelines, Chemical Facility Anti- Terrorism Standards, May 2009 at http://www.dhs.gov/xlibrary/assets/ chemsec_cfats_riskbased_performance_standards.pdf, quoting Cary Coglianese et al., Performance-Based Regulation: Prospects and Limitations in Health, Safety, and Environmental Protection, 55 Admin. L. Rev. 705, 706-07 (2003). --------------------------------------------------------------------------- For example, facilities need to secure some chemicals from theft or diversion. They can do this through various inventory controls or physical measures (for example walls or locked doors). It is worth noting that facilities that receive an initial high-risk determination can resubmit their information and ``tier out''--remove themselves from further regulation--if they adjust their operations in a way that removes them from the high-risk category. According to DHS officials, to date over 3,000 facilities possessing chemicals of interest have ``voluntarily removed, reduced, or modified their holdings of chemicals of interest.''\9\ --------------------------------------------------------------------------- \9\See Department of Homeland Security, CFATS Update August 2014 at http://www.dhs.gov/sites/default/files/publications/ CFATS%20FS_August2014.pdf. --------------------------------------------------------------------------- Under current procedures, following assignment of a final risk tier by the Department, but prior to approving a facility, DHS conducts an authorization inspection of the facility. An authorization inspection consists of an initial, physical review of the facility to determine if the Top-Screen, security vulnerability assessment, and facility security plan accurately represent and address the risks for the facility. Because the program requires performance-based standards to mitigate risk, facilities and the Department frequently discuss planned or alternative mitigation measures before a plan is approved. While this helps ensure facilities use both effective and cost- effective measures, it can and frequently has delayed progress within the program. Once the Department approves the covered facility's security plan, the facility may begin implementing the plan. The Department maintains the authority to conduct subsequent compliance inspections to ensure facilities continue to meet the requirements of the security plan and the program. The implementation of the CFATS program has improved security of chemical facilities and the safety and security of communities located near the chemical facilities by throwing a spotlight on security, though the Committee acknowledges management challenges in the program have limited its effectiveness. Under the program, chemical facilities have systematically assessed security risks and invested in measures to mitigate those risks. This has led many companies to take measures to reduce risk in order to ``tier out'' of the program. Again, since the program's inception, 3,000 facilities have reduced risk at their facilities enough to ``tier out'' of the program, either by reducing, eliminating, or modifying their stores of chemicals.\10\ The fact that 3,000 facilities have tiered out is significant given that only 4,000 facilities are assigned to a risk tier under the program.\11\ Other chemical facilities have begun to install security measures as part of or in anticipation of security reviews by DHS under the program. The CFATS requirements work to level the playing field to allow companies to invest in security measures without facing a competitive disadvantage. Just as importantly, through the program the government has received information to allow it to for the first time develop a roadmap of the facilities in communities nationwide that pose security risks and warrant attention. DHS officials have testified that ``interagency partners have benefited from this information as it has enhanced law enforcement cooperation with high-risk chemical facilities.''\12\ --------------------------------------------------------------------------- \10\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 2 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). \11\See Department of Homeland Security, CFATS Update August 2014 at http://www.dhs.gov/sites/default/files/publications/ CFATS%20FS_August2014.pdf. \12\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 1 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). --------------------------------------------------------------------------- Yet the program has not been without its shortcomings. It has suffered for lack of a long-term authorization that would allow administrators to engage in meaningful and efficient programmatic planning, and require industry to invest in security measures. Just as importantly, internal and external reviews have revealed problems with the design, implementation, and administration of the CFATS program.\13\ These include human capital issues,\14\ a considerable backlog of facility security plan reviews and compliance inspections,\15\ and a flawed risk assessment methodology.\16\ In 2011, an internal management memorandum detailed significant mismanagement in the program, including buying unneeded equipment and vehicles and hiring ill-qualified workers. The memo also raised serious questions about whether facilities were being tiered correctly.\17\ An April 2013 GAO report looked at DHS's implementation of the program from roughly 2011 to 2013.\18\ The report raised several concerns with the program, most importantly that there was a need for DHS to improve its process of assessing the risk posed by a facility by including economic consequence among the risk factors, and that DHS was behind in reviewing site security plans and inspecting facilities to verify compliance. Following an explosion at a facility in West, Texas in 2013 that never complied with its obligation to submit a Top-Screen despite having two chemicals of interest on site over the regulatory thresholds, GAO also recommended that DHS focus on finding and subjecting to regulation other facilities that had thus far ignored the mandate to report their existence to DHS.\19\ --------------------------------------------------------------------------- \13\E.g., Sen. Tom Coburn, Ranking Member, Homeland Security & Government Affairs Committee, Chemical Insecurity: An Assessment of Efforts to Secure the Nation's Chemical Facilities from Terrorist Threats (2014), at http://www.coburn.senate.gov/public/index.cfm/2014/ 7/federal-chemical-security-program-in-shambles-new-report-says. \14\See Government Accountability Office (GAO), DHS is Taking Action to Better Manage Its Chemical Security Program, but It Is Too Early to Assess Results, (GAO-12-515T), July 26, 2012, at 9. \15\See Department of Homeland Security Office of the Inspector General (DHS OIG), Effectiveness of the Infrastructure Security Compliance Division's Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program, (Report Number OIG-13-55), March 2013 at 17, 19-20, and 22; and Government Accountability Office (GAO), Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13-353), April 2013 at 18. \16\Id at 9-15. \17\Memorandum from Penny Anderson, Director, Infrastructure Security Compliance Division, Office of lnfrastructure Protection and David WuIf, Deputy Director to NPPD Undersecretary, Rand Beers: ``Challenges Facing ISCD, and the Path Forward.'' November 10, 2011. \18\See Government Accountability Office (GAO), Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13- 353), April 2013 at 4. \19\Id. --------------------------------------------------------------------------- Since the 2011 memo, DHS's Infrastructure Security Compliance Division (ISCD), which manages the CFATS program, has taken steps to address some of these concerns. Among other things, DHS officials improved policies and training to ensure that inspections are conducted in a consistent and thorough fashion; implemented an improved, streamlined Site Security Plan (SSP) review process, which has enhanced ISCD's ability to authorize and, as appropriate, approve security plans; and conducted an extensive three-part review of CFATS's risk assessment methodology, including a peer review, which is now being partially implemented. This legislation is designed to address the challenges that have been identified, codify the improvements DHS has already begun making, and authorize additional steps DHS should take to make the program more effective. HIGHLIGHTS OF H.R. 4007, AS AMENDED BY THE COMMITTEE H.R. 4007, as amended by the Committee's substitute amendment, reauthorizes the Department's CFATS program for a period of four years, providing much-needed programmatic stability and certainty for both the Department and regulated facilities. It achieves this by codifying reforms, strengthening management practices and whistleblower protections, simplifying facility reporting and information sharing practices, and authorizing a new expedited approval program for lower high-risk facilities to help reduce the backlog of unapproved facility security plans. Specifically, the substitute amendment to H.R. 4007\20\ would: --------------------------------------------------------------------------- \20\The legislation referred to in the body of this section is the Carper-Coburn substitute amendment to H.R. 4007 as reported by the Committee. The main differences between H.R. 4007 as reported by this Committee and the legislation by the same name passed in the House include strengthened whistleblower protections, the establishment of an expedited approval program, changes to the Personnel Surety Program, and a four-year authorization. For a full description of the underlying bill, see H.R., Rep. No. 113-491, Pt. 1 (2014). --------------------------------------------------------------------------- 1. Authorize the program for a period of four years (the House-reported version of H.R. 4007 authorized the program for three years). 2. Permit the submission of simplified facility security plans through an alternative security program to facilitate compliance for small businesses and reduce the backlog of plan approvals at the Department. 3. Create an expedited approval program to enable facilities in the third and fourth risk tiers to implement security plans more quickly, without compromising the Department's ability to ensure they meet the program's security standards. 4. Streamline the requirement for facilities to seek background checks on those with access to the facilities by allowing facilities to meet the requirement in more than just one way. 5. Direct the Secretary to develop an implementation plan for outreach to chemical facilities with regulated amounts of chemicals of interest that have not submitted the required Top- Screen, in order to reduce the number of facilities not compliant with CFATS. 6. Appropriately strengthen whistleblower protections by requiring the Secretary to establish a reporting process and prohibiting retaliation against whistleblowers. 7. Ensure that sensitive security information provided by chemical facilities is protected and shared with first responders in a secure and responsible manner. 8. Ensure DHS is regularly reviewing and updating its risk assessment model. 9. Require DHS to provide Congress key metrics for better oversight of program performance. Four-year authorization The Committee substitute to H.R. 4007 will provide stability and predictability for both DHS and regulated facilities by providing a longer-term authorization than the CFATS program has had before now. Up until now, Congress has authorized the program via language in Appropriations bills, limping from year to year and sometimes month to month.\21\ The four-year authorization will provide industry stakeholders with the certainty they need to invest in CFATS compliance measures.\22\ At the Committee hearing in May, a witness representing Dow Chemical noted that: \21\See Pub. L. 109-295, title V, Sec. 550, Oct. 4, 2006, 120 Stat. 1388, as amended by Pub. L. 110-161, div. E, title V, Sec. 534, Dec. 26, 2007, 121 Stat. 2075; Pub. L. 111-83, title V, Sec. 550, Oct. 28, 2009, 123 Stat. 2177; Pub. L. 112-10, div. B, title VI, Sec. 1650, Apr. 15, 2011, 125 Stat. 146; Pub. L. 112-74, div. D, title V, Sec. 540, Dec. 23, 2011, 125 Stat. 976; Pub. L. 113-6, div. D, title V, Sec. 537, Mar. 26, 2013, 127 Stat. 373; and Pub. L. 113-76, div. F, title V, Sec. 536, Jan. 17, 2014, 128 Stat. 275. \22\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 1 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). Three years is the minimum to really match up with the capital planning process for industry. If you tell me today I have got to go do something, I will get the money next year and probably finish the project the year after that . . . Three is good, four is better.\23\ --------------------------------------------------------------------------- \23\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) (Testimony of Timothy J. Scott on behalf of Dow Chemical Company and the American Chemistry Council). Likewise, representatives from the Department of Homeland Security have noted that long-term Congressional authorization is needed in order to cement the Department's enforcement authorities and eliminate confusion regarding authority for the program. For example, during the government shutdown in October 2013, Infrastructure Security Compliance Division staff were furloughed and the CFATS program effectively ceased to exist because the Department's authority to manage the program also expired.\24\ DHS officials have noted the importance of a long- term authorization in order to convey clearly the intent of Congress, and the Department, to maintain a robust chemical facility security program--an intent that the series of short- term extensions simply could not convey.\25\ The Committee believes that a four-year authorization allows the greatest programmatic stability, affording the Department the ability to hire qualified personnel, while requiring chemical facilities to invest in required security measures. --------------------------------------------------------------------------- \24\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) (Testimony of David Wulf, Director, National Protection and Programs Directorate, Department of Homeland Security). \25\Id. --------------------------------------------------------------------------- Director David Wulf, of the Infrastructure Security Compliance Division of the Department, testified that a longer- term or permanent authorization would enable the Department to recruit and retain talent, while continuing efforts to improve the CFATS program.\26\ --------------------------------------------------------------------------- \26\Id. --------------------------------------------------------------------------- Finally, a long-term Congressional authorization, coupled with the additional reporting requirements in this Act, would allow needed Congressional oversight of the program. Alternative security programs and creation of an expedited approval program The legislation also creates two new, alternative options for review that will help the Department address the backlog of unapproved site security plans. The CFATS program has received over 48,000 Top-Screens and has made progress in program goals, including assigning tiers to covered chemical facilities and assisting covered facilities in compliance and improving security. Some 3,000 facilities have also reduced their holdings of chemicals of interest such that they are no longer covered by CFATS.\27\ Nevertheless, the program still faces a significant backlog of site security plan authorizations and compliance inspections. In its April 2013 report on CFATS, the Government Accountability Office estimated that it could take seven to nine years for the program to eliminate the backlog of reviewing facilities' site security plans and conducting compliance inspections.\28\ At a May 2014 hearing, DHS officials testified that they had devoted more resources and attention to the issues creating the backlog, had already begun speeding up reviews, and believed they could get through the backlog in half the time GAO initially assessed.\29\ However, even accounting for that progress, sixty-one percent of the approximately 4,100 facilities covered under the CFATS program at that time\30\ were awaiting authorization of the site security plans they submitted to DHS; ninety-nine percent had yet to undergo a compliance inspection.\31\ --------------------------------------------------------------------------- \27\See Department of Homeland Security, CFATS Update August 2014 at http://www.dhs.gov/sites/default/files/publications/ CFATS%20FS_August2014.pdf. \28\See Government Accountability Office (GAO), Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13- 353), April 2013 at 18. \29\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) (Testimony of David Wulf, Director, National Protection and Programs Directorate, Department of Homeland Security). \30\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 3 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). \31\Ibid. --------------------------------------------------------------------------- While the Committee believes that the Department has made considerable progress recently in speeding up its review of site security plans and conducting compliance inspections, it believes it crucial to expedite these reviews further so that needed security measures are put in place as soon as possible.\32\ These facilities and the threats they face can be complex and securing them in a manner that meets the mandated performance standards can be time and capital intensive. Companies do not want to move ahead with changes until they are certain they know what is required. Thus the backlog in reviewing applications inhibits facilities from implementing the investments they want to make to improve security at their sites, which makes the communities that surround them less secure. --------------------------------------------------------------------------- \32\See Department of Homeland Security, CFATS Fact Sheet, September 2014, http://www.dhs.gov/sites/default/files/publications/ CFATS-FS-September-2014-508.pdf. --------------------------------------------------------------------------- In response to this problem, the Committee substitute to H.R. 4007 authorizes two new, optional tracks for covered facilities to use in submitting security plans. The first, the alternative security program, allows facilities to implement security plans developed by industry associations and approved by DHS. The legislation creating the original authority for CFATS allowed the Department to approve Alternative Security Plans (ASPs) that had been ``established by private sector entities.'' But in 2007 the Department issued an Interim Final Rule that required that ASPs be approved individually. This change subverted Congressional intent and largely eliminated any efficiency the program would have created. The Committee substitute to H.R. 4007 would restore the program to its original intent, following the model set by the U.S. Coast Guard's Maritime Transportation Security Act (MTSA) program. That program allows approval of ASPs for types of vessels or facilities carrying certain dangerous chemicals. Second, it also creates a voluntary expedited approval program to facilitate compliance for lower-risk companies. Under that program, which the Committee developed in consultation with the Department and key stakeholders, DHS would have the authority to set prescriptive, rather than performance-based, standards for site security for facilities assigned to tiers three and four. Facilities electing to participate in the program would forego the need for an authorization inspection, but could still be subject to compliance inspections. The Committee believes that the expedited approval program will lessen the potentially disproportionate regulatory burden that current CFATS regulations impose on smaller chemical companies, which may lack the compliance infrastructure and resources of large chemical facilities. It does this by requiring that the Department establish clear, prescriptive guidelines these facilities certify they will meet and to which they will continue to adhere. This obviates the need for an extensive submission and review process of a facility security plan, frees DHS resources to focus on the highest risk facilities, and allows facilities to implement security measures more quickly. The program still maintains strong Departmental oversight to ensure facilities are indeed secure. Under the expedited approval program, the Department may reject site security plans that are ``facially deficient'' or obviously insufficient under the guidelines established by the program. Under the program, the Department also retains the right to conduct compliance inspections in order to determine whether facilities have implemented the security measures outlined in their plans. The voluntary expedited approval program created under the bill would require additional work by the Department at the outset, while it develops prescriptive security measures and security plan templates. However, it should result in a notable reduction in the administrative burden on both facilities and the Department, and help reduce the backlog of site security plan reviews of lower-risk facilities. Personnel Surety Program Consistent with the House bill, the Committee substitute to H.R. 4007 establishes a functional and efficient Personnel Surety Program (PSP). As part of regulations promulgated under the CFATS program\33\ the Department established eighteen ``risk-based performance standards'' (RBPSs) that covered chemical facilities are required to address. There has long been disagreement between regulated industry stakeholders and the Department as to how facilities can satisfy RBPS-12, which requires covered chemical facilities to take steps to determine whether persons with access to their facility may have terrorist ties.\34\ --------------------------------------------------------------------------- \33\6 C.F.R. Part 27. \34\RBPS-12 provision (iv). --------------------------------------------------------------------------- Specifically at issue has been the RBPS-12 provision (iv), which requires facilities to establish ``measures designed to identify persons with terrorist ties.'' DHS has issued an interim rule that would establish a Personnel Surety Program (PSP) that would require facilities (or other entities acting on a facility's behalf) to submit information on individuals with access to a covered chemical facility through a DHS created and managed web portal at least 48 hours prior to such a person's initial access to the facility.\35\ The Department stated that this would allow facilities to submit information regarding covered individuals for DHS to check whether those individuals are on the FBI Terrorist Screening Database (TSDB).\36\ The concern raised by regulated entities with regards to the Department's proposal centers on the fact that a number of other security screening programs of the Federal Government, including the Transportation Security Administration's Transportation Worker Identification Credential (TWIC),\37\ already check individuals against the TSDB. However, the Department stated in its proposal that it would not accept the TWIC or other, similar credentials in lieu of a submission through the DHS PSP website as described above, unless the credential could be electronically verified. Since many individuals who access chemical facilities are already required to maintain a TWIC or other credential, regulated stakeholders argue that DHS's requirement is unnecessary and duplicative. For its part, the Department argues that repeat vetting directly before accessing a facility is necessary to truly determine if the individual may pose a threat. --------------------------------------------------------------------------- \35\79 F.R. 6417. \36\While the legislation still includes requirements for vetting personnel at covered chemical facilities against the terrorist screening database, the Committee has included a clear definition for the terrorist screening database to help address any concerns or confusion that the term could be interpreted to include new, additional, or different databases. The legislation clarifies that the term terrorist screening database refers to the current database maintained by the Terrorist Screening Center. \37\Department of Homeland Security. Transportation Security Administration, Transportation Worker Identification Credential. August 2014 at http://www.tsa.gov/stakeholders/ transportation-worker-identification-credential-twic%C2%AE. --------------------------------------------------------------------------- The standards chemical facilities are required to meet under CFATS are by definition performance based, and not meant to be prescriptive.\38\ Industry partners argue that DHS's proposed PSP rule is far more prescriptive than what is necessary to meet the requirements of RBPS-12. Finally, the Committee believes the Department should avoid costly duplication of programs. --------------------------------------------------------------------------- \38\79 F.R. 6417. --------------------------------------------------------------------------- To that end, the Committee believes that DHS should leverage existing infrastructure within DHS and industry to verify and validate identity, check criminal history, verify and validate legal authorization to work, and identify individuals with terrorist ties by utilizing a Federal vetting program. Additionally, given the intent of the CFATS program to be a flexible program based on performance, the Committee wants to ensure that facilities have a full cadre of tools at their disposal to meet the Risk-Based Performance Standards. The legislation also clarifies Congressional intent related to the CFATS program by stating that a facility may satisfy its obligation under RBPS-12(iv) by relying upon presentation and visual validation of any credential issued by a Federal screening program that periodically vets individuals against the TSDB. The intent of this provision is to ensure that the Department cannot compel a covered chemical facility that has already vetted an individual against an alternate Federal screening program to then also submit information about that individual directly to the Department, unless that person has been identified positively against the Terrorist Screening Database. Finally, the Personnel Surety Program outlined in this legislation requires DHS to provide feedback to a participating owner or operator of a covered chemical facility about an individual based on vetting the individual against the TSDB, to the extent that such feedback is necessary for the facility's compliance with CFATS regulations. Under DHS's proposal, DHS may refuse to tell facility owners and operators when an individual with access has come up as a TSDB match. DHS argues that it wants to avoid interfering with ongoing law enforcement or intelligence operations that might involve the individual in question. But, as regulated industry partners point out, the security of a facility is jeopardized when an owner or operator unknowingly allows access to a suspected terrorist, creating security and liability, concerns. H.R. 4007 attempts to strike a balance between these two concerns by limiting notification to a facility regarding an individual matching the TSDB only if that individual presents a threat to the facility's physical security in such a way as to undermine the facility's efforts to comply with the CFATS regulations. Outreach to covered chemical facilities This legislation improves DHS's ability to address the issue of ``outlier facilities'' and to identify the universe of chemical facilities which should be subject to requirements under CFATS. Outlier facilities are facilities that do not let DHS know of their existence much less take steps to comply with the CFATS program despite the fact that they possess enough chemicals of interest to trigger regulation under the program. Perhaps the most notable example of such a facility was the West Fertilizer Company located in West, Texas. That company's facility caught fire and then exploded on April 17, 2013, killing fifteen people, injuring hundreds more, and causing an estimated $100 million in damage. Initial reports indicated a large amount of anhydrous ammonia as the source of the explosions; later, authorities determined that the explosions were caused by ammonium nitrate that was stored at the facility.\39\ Both anhydrous ammonia and ammonium nitrate are designated by DHS as ``chemicals of interest,'' and possession of either above certain threshold amounts is subject to regulation under the CFATS program.\40\ Through an investigation following the disaster at West Fertilizer, the Department determined that the facility had not complied with the requirement of the CFATS program to submit a Top-Screen to DHS.\41\ As a result, until the explosion occurred program officials were unaware the facility existed. The EPA's Risk Management Program (RMP), however, did have a record of this facility. --------------------------------------------------------------------------- \39\See U.S. Chemical Safety Board (CSB), Preliminary Findings of the U.S. Chemical Safety Board from its Investigation of the West Fertilizer Explosion and Fire, April 22, 2014 at http://www.csb.gov/ assets/1/19/West_Preliminary_Findings.pdf. \40\6 CFR Part 27. \41\Letter from Suzanne Spaulding, Acting Under Secretary, National Protection and Programs Directorate, Department of Homeland Security, Hon. Thomas R. Carper, Chairman, Senate Committee on Homeland Security and Governmental Affairs, dated July 31, 2013. --------------------------------------------------------------------------- Prior to the West Fertilizer Company disaster, DHS was taking some actions to identify outlier facilities. DHS relied on information sharing among state homeland security agencies, components within the Department, and stakeholders, the maintenance of a toll-free CFATS Tip Line, and a limited, regional pilot program allowing CFATS inspectors to review a database maintained by the Environmental Protection Agency. However, as the Department acknowledged, these efforts yielded relatively few identifications of outlier facilities.\42\ In August 2013, after the West disaster, the President issued an executive order addressing this issue, calling for a working group to improve federal, state, and local coordination to identify facilities subject to CFATS requirements.\43\ And at a Committee hearing in May, Department officials emphasized the critical need for continued and improved outreach in order to identify chemical facilities potentially subject to CFATS requirements.\44\ --------------------------------------------------------------------------- \42\Id. \43\EO 13650. \44\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. 5 (May 14, 2014) (Written testimony of Suzanne Spaulding, Under Secretary, and Director David Wulf, National Protection and Programs Directorate, Department of Homeland Security). --------------------------------------------------------------------------- The Committee substitute to H.R. 4007 establishes and defines the term ``chemical facilities of interest'' to mean facilities that hold, or that the Secretary has a reasonable basis to believe hold, chemicals of interest in excess of the threshold quantities set under the existing CFATS standards. It requires the Secretary to consult with other government agencies, including state and local governments, business associations, and labor organizations to identify such facilities, to report to Congress regarding the steps the Department has taken to identify chemical facilities of interest and its progress toward achieving that goal, and to submit an action plan for better identifying and enforcing compliance among chemical facilities of interest to Congress.\45\ --------------------------------------------------------------------------- \45\The Committee substitute would allow the Secretary 18 months to produce such a plan, rather than the 90 days specified in the House bill. --------------------------------------------------------------------------- Whistleblower protections The Committee substitute to H.R. 4007 requires the Department to establish procedures to allow workers or contractors to report to the Secretary regarding potential problems or vulnerabilities at a covered chemical facility. Further, it protects those individuals who report problems from termination or other forms of retaliation, though it provides no protections for individuals who are found to have lied or misled authorities. The Committee believes that workers can play an important role in chemical security. Few individuals know and understand the particular vulnerabilities of a facility more than those who work there every day. As Anna Fendley from the United Steelworkers testified at the Committee's hearing in May 2014, ``[Workers] would be hurt first and worst in an attack on a facility, and therefore have the largest stake in ensuring safety.''\46\ The Committee believes that protecting whistleblowers could potentially help DHS identify chemical facilities that are covered by CFATS but are not complying with its requirements. Furthermore, the Committee believes it is important to protect whistleblowers from retaliation. --------------------------------------------------------------------------- \46\``Charting a Path Forward for the Chemical Facilities Anti- Terrorism Standards Program,'' hearing before the Senate Committee on Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) (Testimony of Anna Fendley on behalf of the United Steelworkers). --------------------------------------------------------------------------- Information sharing with first responders The Committee substitute to H.R. 4007 would allow the Secretary to disseminate information collected from covered chemical facilities, including security vulnerability assessments, site security plans, and other information, to first responders through any medium or system the Secretary determines appropriate.\47\ The Committee's change reflects its intent that this potentially sensitive information be shared in a secure and effective manner only with those individuals who possess a need to know, and our belief that mandating that information be shared via HSIN and HSDN could include too broad an audience. The Committee believes the Secretary, examining the sensitivity of the information and the relative needs of recipients, is in the best position to make a determination. Based on similar reasoning, the legislation exempts information gathered from chemical facilities under the authority granted in the bill from requests under the Freedom of Information Act. The Committee intends this blanket exemption to preclude the possibility that members of the public without a need to know, including potentially bad actors, seeking to access this information might receive it from the Federal Government through a FOIA request.\48\ --------------------------------------------------------------------------- \47\In contrast, H.R. 4007 as passed by the House would require the Secretary to use the Homeland Security Information Network (HSIN) or the Homeland Secure Data Network (HSDN) to distribute such information. Though the HSDN reaches a more limited audience and is used only to share classified information, HSIN is a public-facing web portal that allows for the sharing of sensitive but not classified information to federal, state, local, tribal, territorial, international, and private sector partners. \48\The Committee does not intend this provision to affect one way or the other the ability of anyone to access any information about a chemical facility, either from the company itself, or from the government, as provided for under any other law or program. --------------------------------------------------------------------------- Improved risk assessment methodology Finally, this legislation ensures that the Department fixes its historically flawed risk assessment and tiering methodology by requiring DHS to consider all areas of risk in developing risk assessments in order to more accurately reflect the core criteria of risk: threat, consequence (including both economic consequences and fatalities), and vulnerability. The Committee wants to ensure that all aspects of risk are being considered when determining whether a facility presents a high enough risk to be regulated under the CFATS program and into what tier a facility may be placed. It further instructs the Secretary to maintain a record of any changes to a facility's tiering status and why the change was made. In its April 2013 report, GAO recommended that DHS should enhance its risk assessment approach to incorporate all elements of risk, and conduct an independent peer review to ensure the approach is effective.\49\ That peer review, conducted by the Homeland Security Studies and Analysis Institute, was published in September, 2013 and laid out a number of recommendations for improvement.\50\ This legislation would require the Department to develop a risk assessment approach and tiering methodology based on that review and require the Secretary to report to Congress on the Infrastructure Security Compliance Division's progress in doing so within 18 months of the bill's enactment. --------------------------------------------------------------------------- \49\See Government Accountability Office (GAO), Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13- 353), April 2013 at 9-15. \50\See Homeland Security Studies and Analysis Institute's Tiering Methodology Peer Review, Publication Number: RP12-22-02. --------------------------------------------------------------------------- III. Legislative History H.R. 4007, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, was introduced by Representative Meehan on February 6, 2014. The House passed the bill on July 8, 2014, on a motion to suspend the rules and pass the bill, as amended, by voice vote. The bill was received in the Senate on July 9, 2014, and referred to the Homeland Security and Governmental Affairs Committee. Prior to the bill's referral, the Committee held a hearing on May 14, 2014, titled ``Charting a Path Forward for the Chemical Facilities Anti-Terrorism Standards Program.'' The purpose of the hearing was to examine the current state of the CFATS program and the need to reauthorize the program. Witnesses included two senior DHS officials responsible for managing the program, representatives from the Government Accountability Office and Congressional Research Service, an industry representative, and a labor representative. The Committee considered H.R. 4007 at a business meeting on July 30, 2014. Senators Carper and Coburn offered a substitute amendment that made a number of changes to the bill as passed by the House. The substitute added provisions permitting the submission of simplified security plans through the alternative security program; establishing an expedited approval program to allow lower high-risk facilities to more quickly implement security plans; requiring DHS to review and update its risk assessment model and report key metrics to Congress so that Congress can better perform oversight of the CFATS program; requiring sensitive security information to be protected and shared with first responders; and requiring the Secretary to: collect and report on program best practices in order to assist smaller facilities in complying with the program, develop an implementation plan for outreach to chemical facilities of interest; establish a program-specific reporting process for whistleblowers, and work with industry and labor organizations to improve information sharing. The committee adopted the Carper-Coburn substitute, as modified, and ordered the bill, as amended, reported favorably, both by voice vote. Senators present for both votes were Senators Carper, Levin, Landrieu, McCaskill, Begich, Baldwin, Coburn, Johnson, and Ayotte. Senator Baldwin requested to be recorded as voting ``no'' on the bill. IV. Section-by-Section Analysis of the Bill, as Reported Section 1--Short title This section establishes the title of the legislation as the ``The Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014.''\51\ --------------------------------------------------------------------------- \51\Note that the House version was titled, ``The Chemical Facility Anti-Terrorism Standards Program Authorization and Accountability Act of 2014.'' --------------------------------------------------------------------------- Section 2--Chemical Facility Anti-Terrorism Standards Program This section amends the Homeland Security Act of 2002 (6 U.S.C. 101 et seq.), adding at the end a new title, Title XXI-- Chemical Facility Anti-Terrorism Standards. New section 2101 of the Homeland Security Act of 2002--Definitions This section defines key terms used in the bill, including ``CFATS regulation,'' and specifies which types of facilities are considered to be ``covered chemical facilities,'' which facilities are exempted, and which types of facilities are considered to be ``chemical facilities of interest.'' This section defines ``chemical facility of interest'' as a facility that the Secretary has reason to believe holds threshold quantities of chemicals of interest. It defines ``covered chemical facility'' as a facility that the Secretary identifies as a chemical facility of interest, which is a high-risk facility, as determined by the Department's risk assessment methodology. It defines ``excluded facility'' to mean a facility regulated under the U.S. Coast Guard's Maritime Transportation Security Act (MTSA) protocol or the Safe Drinking Water Act, a wastewater treatment works regulated under the Federal Water Pollution Control Act, a facility owned or operated by the Department of Defense or the Department of Energy, or a facility regulated by the Nuclear Regulatory Commission or by a state that has entered into an agreement with the Nuclear Regulatory Commission. It defines ``expedited approval facility'' as a covered chemical facility for which the owner or operator elects to submit a site security plan for expedited approval under a new program authorized in the legislation. It defines a ``facially deficient'' security plan as a security plan that does not support a certification that the security measures in the plan address the security vulnerability assessment and risk-based performance standards. New section 2102 of the Homeland Security Act of 2002--Chemical Facility Anti-Terrorism Standards Program Subsection (a) requires DHS to establish risk-based performance standards to ensure the security of chemical facilities. It charges the Secretary of Homeland Security (``the Secretary'') with identifying chemical facilities of interest and covered chemical facilities. It authorizes the Secretary to require chemical facilities of interest to submit a Top-Screen. The subsection authorizes the Secretary to require covered facilities to submit to the Department of Homeland Security (``DHS'') security vulnerability assessments, and to develop, submit, and implement site security plans. (This language largely mirrors the original CFATS authorizing statute, PL 109-295, the Department of Homeland Security Appropriations Act of 2007, Sec. 550, hereinafter referred to as ``Sec. 550''). Subsection (b), Security Measures, describes the requirements of a site security plan, stating they should include security measures that, in combination, appropriately address the security vulnerability assessment and the risk- based performance standards for securing the facility. Subsection (c), Approval or Disapproval of Site Security Plans, outlines the process for DHS's review of site security plans and improves the efficiency of the site security plan approval process by allowing facilities to use an alternative security program. This subsection charges the Secretary with evaluating and approving site security plans described under subsection (a), and specifies that the Secretary may not require the presence or absence of particular measures. This subsection further authorizes the Secretary to approve alternative security programs created by outside entities, such as the American Chemistry Council, if those programs satisfy all the requirements of the Risk-Based Performance Standards. If the requirements of the alternative security program do not fully meet the requirements of the subsection, the Secretary may recommend additional security measures to allow the program to be approved. Further, the subsection allows the Secretary to accept an already-approved alternative security program without reevaluating the program. This subsection further obligates the Secretary to employ the risk assessment procedures established under this title, and establishes a ``grandfather clause'' providing that, if the legislation is enacted, a site security plan already approved by the Secretary prior to the date of enactment of this Act need not be reevaluated solely because of enactment of this Act. This subsection also creates a new expedited approval program through which tier 3 and 4 facilities may develop and submit a site security plan for expedited approval. It requires that the Secretary first issue prescriptive guidance for such facilities to meet the risk-based performance standards, and outlines how facilities may certify that deviations from the guidance meet or exceed the prescriptive standards. The subsection requires the Secretary to consult with labor organizations and Sector Coordinating Councils to develop this guidance. The subsection establishes deadlines for facilities to submit and certify plans for expedited approval and for the Department to review certified plans, provides authority for the Secretary to enforce compliance under this program, and provides a process by which facilities can amend site security plans. It allows the Secretary to suspend and ultimately revoke a facility's ability to participate in the voluntary expedited approval program if it submits a facially deficient site security plan, and to recommend additional security measures if it suspends a facility's certification. The subsection also allows DHS to develop prescriptive security plan templates that meet the risk-based performance standards and tier 3 and 4 facilities can submit as their site security plans. Finally, the subsection requires that the Secretary fully evaluate the expedited approval program within 18 months of enactment of the Act. Subsection (d), Compliance, requires the Secretary to conduct audits or inspections of covered chemical facilities, and would allow nongovernmental personnel to conduct audits or inspections on behalf of the Department in order to address the existing backlog. This section also requires the Secretary to establish a Personnel Surety Program that ensures individuals with access to covered chemical facilities are vetted against the Terrorist Screening Database, the central terrorist watchlist consolidated by the FBI's Terrorist Screening Center. This subsection defines ``nondepartmental'' to refer to personnel and entities that are neither employed by nor are components or other authorities of DHS, and ``nongovernmental'' to refer to personnel or entities that are neither employed by nor are agencies, departments, or other authorities of the Federal Government. This subsection would allow the Secretary to make use of nondepartmental and nongovernmental facility inspectors in addition to DHS Inspectors, and requires the Secretary to set high standards and professional qualifications for both governmental and nongovernmental personnel. This will help to expedite the rate of inspections and address the backlog of authorization inspections DHS now faces. This subsection also makes clear that any duties carried out by a nongovernmental entity should not be inherently governmental functions, and that only the Secretary or the Secretary's designee retains the authority to approve a site security plan. This subsection clarifies that a facility may utilize any Federal screening program that periodically vets individuals against the Terrorist Screening Database in order to comply with the requirement to vet personnel against the terrorist watchlist. This subsection also prohibits DHS from collecting information from covered chemical facilities about an individual unless that individual has been identified as presenting a terrorist threat, or is being vetted under the CFATS program's Personnel Surety Program (PSP). Finally, this subsection instructs DHS to share any information with a facility that the facility needs to comply with this section. The Committee added this requirement to address concerns raised by industry groups that the Department was not required to share with a chemical facility information that an individual identified through the Terrorist Screening Database as potentially having terrorist ties had accessed the chemical facility. Under the requirement, the Committee intends for the Department to determine what information a facility needs in order to comply. Subsection (e) outlines the responsibilities of the Secretary. It ensures that DHS is communicating with state and local officials as well as other Federal agencies and industry associations to identify chemical facilities of interest, and that DHS implements a comprehensive risk assessment and maintains records documenting the basis for any facility that experiences a change in risk tiering. This subsection instructs DHS to communicate with state and local officials, as well as other Federal agencies and industry associations, to identify chemical facilities of interest, which will help to ensure that outlier facilities are known to the Department. This subsection further ensures that DHS is taking into account all relevant risk information when developing its risk assessment standards and corresponding tiering methodology. It also requires that the Secretary document the basis for each change in a covered chemical facility's tier. It also requires the Secretary to provide a biannual report to Congress detailing specific metrics on the program's performance in order to aid Congressional evaluation and oversight of the program. New section 2103 of the Homeland Security Act of 2002--Protection and sharing of information This section ensures that sensitive security information is protected, and shared with first responders in a secure, responsible manner in order to prevent loss of life and property. It ensures that sensitive information regarding a facility, where disclosure could present a potential risk, developed under this Act shall not be made available for public disclosure. However such information may be shared with state and local government officials for purposes of carrying out this Act. This section further ensures that first responders are properly prepared and provided situational awareness when responding to incidents at CFATS facilities without compromising the security of the information. This section allows the Secretary to disseminate information through any medium or system deemed appropriate by the Secretary. It is the Committee's intent that proprietary and chemical vulnerability information shared pursuant to this section continues to be protected against disclosure to unauthorized individuals and the public. New section 2104 of the Homeland Security Act of 2002--Civil enforcement This section specifies penalties for noncompliance and sets the parameters of civil liability. Subsection (a), Notice of Noncompliance, provides that if a facility is found to be non-compliant the Secretary must first present the facility with written notice of non-compliance before the Department may issue fines or penalties. It further specifies that in the event of continued non-compliance the Secretary may assess a civil penalty, order a facility to cease operations, or both. Subsection (b), Civil Penalties, provides that civil penalties may be assessed against a person who violates an order under this Act. It further provides that any owner of a chemical facility of interest who fails to comply with or knowingly submits false information under the Act shall be liable for a civil penalty. Subsection (c), Emergency Orders, authorizes the Secretary to direct a facility to implement emergency security measures, or cease some or all operations if the Secretary determines that there is a reasonable likelihood that a violation of the CFATS regulations could result in death, serious illness, severe personal injury, or substantial endangerment to the public. Subsection (d), Right of Action, clarifies that only the Secretary (or his or her designee) may bring an action against the owner or operator of a covered chemical facility to enforce any of the Act's provision. New section 2105 of the Homeland Security Act of 2002--Whistleblower protections This section clarifies whistleblower protections available to chemical facility employees and contractors, and requires these protections be publicly disclosed and advertised. It requires the Secretary to establish a reporting procedure for whistleblowers to report problems, deficiencies, or vulnerabilities related to chemical security at a covered chemical facility to DHS, and to protect the confidentiality of an individual making a report. It further requires the Secretary affirmatively acknowledge receipt of whistleblower reports, if possible, and take appropriate steps to address any problems the Department is able to substantiate. This section also prohibits retaliatory actions against whistleblowers by owners or operators of a chemical facility. The section also clarifies that no employee is entitled to the protection of this section if the employee makes false, fictitious, or fraudulent statements or representations, and that disclosures protected by other federal or state laws remain in place. New section 2106 of the Homeland Security Act of 2002--Relationship to other laws This section states that nothing in this Act supersedes Federal law governing the manufacture, sale or handling of chemical substances or mixtures. It also clarifies that States and political subdivisions may adopt more stringent requirements with respect to chemical facility security, unless there is an actual conflict between this section and the law of that State or subdivision. New section 2107 of the Homeland Security Act of 2002--CFATS regulations This section specifies that the Department can continue to follow previously-issued regulations, and does not need to undertake a new rulemaking. This section also stipulates that the Secretary shall rely on the authority provided in Title XXI of the Homeland Security Act of 2002 in determining chemicals of interest and relevant security risks, and determining compliance with Title XXI. New section 2108 of the Homeland Security Act of 2002--Small covered chemical facilities This section defines a ``small covered chemical facility'' as a facility with 100 employees or fewer. The House bill, in contrast, defines such a facility as one having 350 or fewer employees. The Committee believes that its definition more accurately reflects the size of chemical facilities likely to require the Departmental compliance assistance mandated under the legislation. The section also allows the Secretary to provide assistance and guidance to small covered chemical facilities in the development of their physical security, cybersecurity, recordkeeping, and reporting procedures. It directs the Secretary to report to the authorizing committees on best practices that may assist small chemical facilities in meeting their physical security requirements under this title. New section 2109 of the Homeland Security Act of 2002--Outreach to chemical facilities of interest This section directs the Secretary to develop an implementation plan for outreach to chemical facilities of interest in order to minimize the number of outliers. Section 3--Assessment; reports This section requires the Secretary to commission a third- party study of vulnerability of covered chemical facilities to acts of terrorism, and requires that the Secretary report to Congress on a number of specific aspects of the CFATS program within 18 months of enactment of this Act. It also provides for GAO reports assessing the implementation of this Act, including a review of the expedited approval program not later than three years after enactment of this Act. Section 4--Effective date; Conforming repeal This section states that the Act shall take effect 30 days after the date of enactment. The section also repeals the previous authorization language, saying that it is superseded by this Act. Section 5--Termination This section would sunset the program four years after enactment. V. Evaluation of Regulatory Impact Pursuant to the requirement of paragraph 11(b)(1) of rule XXVI of the Standing Rules of the Senate the Committee has considered the regulatory impact of this bill. The bill as amended would extend an existing regulatory program with a number of changes. As indicated in the Congressional Budget Office cost estimate for this bill (included below), the bill as amended should not result in significant additional costs beyond the current costs of complying with the CFATS program. VI. Congressional Budget Office Cost Estimate September 10, 2014. Hon. Tom Carper, Chairman, Committee on Homeland Security and Governmental Affairs, U.S. Senate, Washington, DC. Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for H.R. 4007, the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is Jason Wheelock. Sincerely, Douglas W. Elmendorf. Enclosure. H.R. 4007--Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 H.R. 4007 would extend the Department of Homeland Security's (DHS's) authority to regulate security at certain chemical facilities in the United States. Under the Chemical Facility Anti-Terrorism Standards (CFATS) program, DHS collects and reviews information from chemical facilities in the United States to determine which facilities present security risks. Facilities determined to present a high level of security risk are then required to develop a Site Security Plan (SSP). DHS in turn conducts inspections to validate the adequacy of a facility's SSP and their compliance with it. The program is set to end on October 4, 2014. H.R. 4007 would authorize CFATS for an additional four years and would create an expedited review procedure for facilities in the lower risk tiers of the CFATS program. Based on amounts requested for the CFATS in fiscal year 2015 as well as information from DHS, CBO estimates that continued implementation of CFATS would require appropriations of $87 million in 2015 and slightly higher amounts in fiscal years 2016 through 2018 after accounting for the effects of inflation. Assuming appropriation of the estimated amounts, CBO estimates that implementing H.R. 4007 would result in outlays of $349 million over the 2015-2019 period. ---------------------------------------------------------------------------------------------------------------- By fiscal year, in millions of dollars-- ------------------------------------------------------------ 2015 2016 2017 2018 2019 2015-2019 ---------------------------------------------------------------------------------------------------------------- CHANGES IN SPENDING SUBJECT TO APPROPRIATION Estimated Authorization Level...................... 87 89 92 95 0 363 Estimated Outlays.................................. 45 78 100 103 23 349 ---------------------------------------------------------------------------------------------------------------- Enacting H.R. 4007 could result in the collection of additional civil penalties, which are recorded as revenues and deposited in the Treasury; therefore, pay-as-you-go procedures apply. However, CBO estimates that such collections would be insignificant. Enacting the bill would not affect direct spending. H.R. 4007 would extend intergovernmental and private-sector mandates, as defined in the Unfunded Mandates Reform Act (UMRA), on owners and operators of public and private facilities where certain chemicals are present. Current law requires owners and operators to assess the vulnerability of their facilities to a terrorist incident and to prepare and implement facility security plans. This bill would extend, for four years, the authority of DHS to regulate those facilities through minimum standards designed to protect facilities from acts of terrorism and other security risks. The requirement to meet those standards would be a mandate on public and private entities. The bill would impose an additional mandate on public and private employers by prohibiting them from discharging or discriminating against employees who report security problems at a covered chemical facility. Information from DHS indicates that owners and operators of chemical facilities already meet the existing security standards and that they would only need to make small changes to administrative procedures to comply with the new whistleblower protections for their employees. Therefore, CBO estimates that the aggregate additional costs of complying with the mandates would be small and would fall below the annual thresholds established in UMRA for intergovernmental and private-sector mandates ($76 million and $152 million, respectively, in 2014, adjusted annually for inflation). On May 30, 2014, CBO transmitted a cost estimate for H.R. 4007 as ordered reported by the House Committee on Homeland Security on April 30, 2014. The difference in CBO's estimates reflects differences in the two versions of the bill. The version reported by the House Committee on Homeland Security would permanently authorize CFATS and would authorize the appropriation of $87 million for each of fiscal years 2015 through 2017. The Senate version of H.R. 4007 would extend CFATS for four years and would not specify an authorization level for any fiscal year. Based on those differences, CBO estimates that implementing this version of the bill would cost approximately $80 million less than the House version over the 2015-2019 period, assuming the appropriation of the estimated amounts. The CBO staff contacts for this estimate are Jason Wheelock (for federal costs), Melissa Merrell (for the intergovernmental impact), and Paige Piper/Bach (for the private-sector impact). The estimate was approved by Theresa Gullo, Deputy Assistant Director for Budget Analysis. VII. Changes in Existing Statute Made by the Bill, as Reported In compliance with paragraph 12 of rule XXVI of the Standing Rules of the Senate, changes in existing law made by H.R. 4007 as reported are shown as follows (existing law proposed to be omitted is enclosed in brackets, new matter is printed in italic, and existing law in which no change is proposed is shown in roman): DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS ACT OF 2007 * * * * * * * [Sec. 550. (a) No later than six months after the date of enactment of this Act, the Secretary of Homeland Security shall issue interim final regulations establishing risk-based performance standards for security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities: Provided, That such regulations shall apply to chemical facilities that, in the discretion of the Secretary, present high levels of security risk: Provided further, That such regulations shall permit each such facility, in developing and implementing site security plans, to select layered security measures that, in combination, appropriately address the vulnerability assessment and the risk-based performance standards for security for the facility: Provided further, That the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established by this section: Provided further, That the Secretary may approve alternative security programs established by private sector entities, Federal, State, or local authorities, or other applicable laws if the Secretary determines that the requirements of such programs meet the requirements of this section and the interim regulations: Provided further, That the Secretary shall review and approve each vulnerability assessment and site security plan required under this section: Provided further, That the Secretary shall not apply regulations issued pursuant to this section to facilities regulated pursuant to the Maritime Transportation Security Act of 2002, Public Law 107-295, as amended; Public Water Systems, as defined by section 1401 of the Safe Drinking Water Act, Public Law 93-523, as amended; Treatment Works as defined in section 212 of the Federal Water Pollution Control Act, Public Law 92-500, as amended; any facility owned or operated by the Department of Defense or the Department of Energy, or any facility subject to regulation by the Nuclear Regulatory Commission.] [(b) Interim regulations issued under this section shall apply until the effective date of interim or final regulations promulgated under other laws that establish requirements and standards referred to in subsection (a) and expressly supersede this section: Provided, That the authority provided by this section shall terminate three years after the date of enactment of this Act.] [(c) Notwithstanding any other provision of law and subsection (b), information developed under this section, including vulnerability assessments, site security plans, and other security related information, records, and documents shall be given protections from public disclosure consistent with similar information developed by chemical facilities subject to regulation under section 70103 of title 46, United States Code: Provided, That this subsection does not prohibit the sharing of such information, as the Secretary deems appropriate, with State and local government officials possessing the necessary security clearances, including law enforcement officials and first responders, for the purpose of carrying out this section, provided that such information may not be disclosed pursuant to any State or local law: Provided further, That in any proceeding to enforce this section, vulnerability assessments, site security plans, and other information submitted to or obtained by the Secretary under this section, and related vulnerability or security information, shall be treated as if the information were classified material.] [(d) Any person who violates an order issued under this section shall be liable for a civil penalty under section 70119(a) of title 46, United States Code: Provided, That nothing in this section confers upon any person except the Secretary a right of action against an owner or operator of a chemical facility to enforce any provision of this section. (e) The Secretary of Homeland Security shall audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section.] [(f) Nothing in this section shall be construed to supersede, amend, alter, or affect any Federal law that regulates the manufacture, distribution in commerce, use, sale, other treatment, or disposal of chemical substances or mixtures.] [(g) If the Secretary determines that a chemical facility is not in compliance with this section, the Secretary shall provide the owner or operator with written notification (including a clear explanation of deficiencies in the vulnerability assessment and site security plan) and opportunity for consultation, and issue an order to comply by such date as the Secretary determines to be appropriate under the circumstances: Provided, That if the owner or operator continues to be in noncompliance, the Secretary may issue an order for the facility to cease operation, until the owner or operator complies with the order.] [(h) This section shall not preclude or deny any right of any State or political subdivision thereof to adopt or enforce any regulation, requirement, or standard of performance with respect to chemical facility security that is more stringent than a regulation, requirement, or standard of performance issued under this section, or otherwise impair any right or jurisdiction of any State with respect to chemical facilities within that State, unless there is an actual conflict between this section and the law of that State.] * * * * * * * SECTION 1. SHORT TITLE; TABLE OF CONTENTS. (a) * * * (b) Table of Contents.--The table of contents for this Act is as follows: * * * * * * * TITLE XXI--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS Sec. 2101. Definitions. Sec. 2102. Chemical Facility Anti-Terrorism Standards Program. Sec. 2103. Protection and sharing of information. Sec. 2104. Civil enforcement. Sec. 2105. Whistleblower protections. Sec. 2106. Relationship to other laws. Sec. 2107. CFATS regulations. Sec. 2108. Small covered chemical facilities. Sec. 2109. Outreach to chemical facilities of interest. * * * * * * * TITLE XXI--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS SEC. 2101. DEFINITIONS. In this title-- (1) the term ``CFATS regulation'' means-- (A) an existing CFATs regulation; and (B) any regulation or amendment to an existing CFATS regulation issued pursuant to the authority under section 2107; (2) the term ``chemical facility of interest'' means a facility that-- (A) holds, or that the Secretary has a reasonable basis to believe holds, a chemical of interest, as designated under Appendix A to part 27 of title 6, Code of Federal Regulations, or any successor thereto, at a threshold quantity set pursuant to relevant risk-related security principles; and (B) is not an excluded facility; (3) the term ``covered chemical facility'' means a facility that-- (A) the Secretary-- (i) identifies as a chemical facility of interest; and (ii) based upon review of the facility's Top-Screen, determines meets the risk criteria developed under section 2102(e)(2)(B); and (B) is not an excluded facility; (4) the term ``excluded facility'' means-- (A) a facility regulated under the Maritime Transportation Security Act of 2002 (Public Law 107-295; 116 Stat. 2064); (B) a public water system, as that term is defined in section 1401 of the Safe Drinking Water Act (42 U.S.C. 300f); (C) a Treatment Works, as that term is defined in section 212 of the Federal Water Pollution Control Act (33 U.S.C. 1292); (D) a facility owned or operated by the Department of Defense or the Department of Energy; or (E) a facility subject to regulation by the Nuclear Regulatory Commission, or by a State that has entered into an agreement with the Nuclear Regulatory Commission under section 274 b. of the Atomic Energy Act of 1954 (42 U.S.C. 2021(b)) to protect against unauthorized access of any material, activity, or structure licensed by the Nuclear Regulatory Commission; (5) the term ``existing CFATS regulation'' means-- (A) a regulation promulgated under section 550 of the Department of Homeland Security Appropriations Act, 2007 (Public Law 109-295; 6 U.S.C. 121 note) that is in effect on the day before the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014; and (B) a Federal Register notice or other published guidance relating to section 550 of the Department of Homeland Security Appropriations Act, 2007 that is in effect on the day before the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014; (6) the term ``expedited approval facility'' means a covered chemical facility for which the owner or operator elects to submit a site security plan in accordance with section 2102(c)(4); (7) the term ``facially deficient'', relating to a site security plan, means a site security plan that does not support a certification that the security measures in the plan address the security vulnerability assessment and the risk-based performance standards for security for the facility, based on a review of-- (A) the facility's site security plan; (B) the facility's Top-Screen; (C) the facility's security vulnerability assessment; or (D) any other information that-- (i) the facility submits to the Department; or (ii) the Department obtains from a public source or other source; (8) the term ``guidance for expedited approval facilities'' means the guidance issued under section 2102(c)(4)(B)(i); (9) the term ``risk assessment'' means the Secretary's application of relevant risk criteria identified in section 2102(e)(2)(B); (10) the term ``terrorist screening database'' means the terrorist screening database maintained by the Federal Government Terrorist Screening Center or its successor; (11) the term ``tier'' has the meaning given the term in section 27.105 of title 6, Code of Federal Regulations, or any successor thereto; (12) the terms ``tiering'' and ``tiering methodology'' mean the procedure by which the Secretary assigns a tier to each covered chemical facility based on the risk assessment for that covered chemical facility; (13) the term ``Top-Screen'' has the meaning given the term in section 27.105 of title 6, Code of Federal Regulations, or any successor thereto; and (14) the term ``vulnerability assessment'' means the identification of weaknesses in the security of a chemical facility of interest. SEC. 2102. CHEMICAL FACILITY ANTI-TERRORISM STANDARDS PROGRAM. (a) Program Established.-- (1) In general.--There is in the Department a Chemical Facility Anti-Terrorism Standards Program. (2) Requirements.--In carrying out the Chemical Facility Anti-Terrorism Standards Program, the Secretary shall-- (A) identify-- (i) chemical facilities of interest; and (ii) covered chemical facilities; (B) require each chemical facility of interest to submit a Top-Screen and any other information the Secretary determines necessary to enable the Department to assess the security risks associated with the facility; (C) establish risk-based performance standards designed to address high levels of security risk at covered chemical facilities; and (D) require each covered chemical facility to-- (i) submit a security vulnerability assessment; and (ii) develop, submit, and implement a site security plan. (b) Security Measures.--A facility, in developing a site security plan as required under subsection (a), shall include security measures that, in combination, appropriately address the security vulnerability assessment and the risk-based performance standards for security for the facility. (c) Approval or Disapproval of Site Security Plans.-- (1) In general.-- (A) Review.--Except as provided in paragraph (4), the Secretary shall review and approve or disapprove each site security plan submitted pursuant to subsection (a). (B) Bases for disapproval.--The Secretary-- (i) may not disapprove a site security plan based on the presence or absence of a particular security measure; and (ii) shall disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established pursuant to subsection (a)(2)(C). (2) Alternative security programs.-- (A) Authority to approve.-- (i) In general.--The Secretary may approve an alternative security program established by a private sector entity or a Federal, State, or local authority or under other applicable laws, if the Secretary determines that the requirements of the program meet the requirements under this section. (ii) Additional security measures.-- If the requirements of an alternative security program do not meet the requirements under this section, the Secretary may recommend additional security measures to the program that will enable the Secretary to approve the program. (B) Satisfaction of site security plan requirement.--A covered chemical facility may satisfy the site security plan requirement under subsection (a) by adopting an alternative security program that the Secretary has-- (i) reviewed and approved under subparagraph (A); and (ii) determined to be appropriate for the operations and security concerns of the covered chemical facility. (3) Site security plan assessments.-- (A) Risk assessment policies and procedures.--In approving or disapproving a site security plan under this subsection, the Secretary shall employ the risk assessment policies and procedures developed under this title. (B) Previously approved plans.--In the case of a covered chemical facility for which the Secretary approved a site security plan before the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary may not require the facility to resubmit the site security plan solely by reason of the enactment of this title. (4) Expedited approval program.-- (A) In general.--A covered chemical facility assigned to tier 3 or 4 may meet the requirement to develop and submit a site security plan under subsection (a)(2)(D) by developing and submitting to the Secretary-- (i) a site security plan and the certification described in subparagraph (C); or (ii) a site security plan in conformance with a template authorized under subparagraph (H). (B) Guidance for expedited approval facilities.-- (i) In general.--Not later than 180 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall issue guidance for expedited approval facilities that identifies specific security measures that are sufficient to meet the risk-based performance standards. (ii) Material deviation from guidance.--If a security measure in the site security plan of an expedited approval facility materially deviates from a security measure in the guidance for expedited approval facilities, the site security plan shall include an explanation of how such security measure meets the risk-based performance standards. (iii) Process.--In developing and issuing, or amending, the guidance for expedited approval facilities under this subparagraph and in collecting information from expedited approval facilities, the Secretary-- (I) shall consult with-- (aa) Sector Coordinating Councils established under sections 201 and 871(a); and (bb) appropriate labor organizations; and (II) shall not be subject to section 553 of title 5, United States Code, the National Environmental Policy Act of 1969 (42 U.S.C. 4321 et seq.), subchapter I of chapter 35 of title 44, United States Code, or section 2107(b) of this title. (C) Certification.--The owner or operator of an expedited approval facility shall submit to the Secretary a certification, signed under penalty of perjury, that-- (i) the owner or operator is familiar with the requirements of this title and part 27 of title 6, Code of Federal Regulations, or any successor thereto, and the site security plan being submitted; (ii) the site security plan includes the security measures required by subsection (b); (iii)(I) the security measures in the site security plan do not materially deviate from the guidance for expedited approval facilities except where indicated in the site security plan; (II) any deviations from the guidance for expedited approval facilities in the site security plan meet the risk- based performance standards for the tier to which the facility is assigned; and (III) the owner or operator has provided an explanation of how the site security plan meets the risk-based performance standards for any material deviation; (iv) the owner or operator has visited, examined, documented, and verified that the expedited approval facility meets the criteria set forth in the site security plan; (v) the expedited approval facility has implemented all of the required performance measures outlined in the site security plan or set out planned measures that will be implemented within a reasonable time period stated in the site security plan; (vi) each individual responsible for implementing the site security plan is fully aware of the requirements relevant to the individual's responsibility contained in the site security plan and is competent to carry out those requirements; and (vii) the owner or operator has committed, or, in the case of planned measures will commit, the necessary resources to fully implement the site security plan. (D) Deadline.-- (i) In general.--Not later than 120 days after the date described in clause (ii), the owner or operator of an expedited approval facility shall submit to the Secretary the site security plan and the certification described in subparagraph (C). (ii) Date.--The date described in this clause is-- (I) for an expedited approval facility that was assigned to tier 3 or 4 under existing CFATS regulations before the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the date that is 210 days after the date of enactment of that Act; and (II) for any expedited approval facility not described in subclause (I), the later of-- (aa) the date on which the expedited approval facility is assigned to tier 3 or 4 under subsection (e)(2)(A); or (bb) the date that is 210 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014. (iii) Notice.--An owner or operator of an expedited approval facility shall notify the Secretary of the intent of the owner or operator to certify the site security plan for the expedited approval facility not later than 30 days before the date on which the owner or operator submits the site security plan and certification described in subparagraph (C). (E) Compliance.-- (i) In general.--For an expedited approval facility submitting a site security plan and certification in accordance with subparagraphs (A), (B), (C), and (D)-- (I) the expedited approval facility shall comply with all of the requirements of its site security plan; and (II) the Secretary-- (aa) except as provided in subparagraph (G), may not disapprove the site security plan; and (bb) may audit and inspect the expedited approval facility under subsection (d) to verify compliance with its site security plan. (ii) Noncompliance.--If the Secretary determines an expedited approval facility is not in compliance with the requirements of the site security plan or is otherwise in violation of this title, the Secretary may enforce compliance in accordance with section 2104. (F) Amendments to site security plan.-- (i) Requirement.-- (I) In general.--If the owner or operator of an expedited approval facility amends a site security plan submitted under subparagraph (A), the owner or operator shall submit the amended site security plan and a certification relating to the amended site security plan that contains the information described in subparagraph (C). (II) Technical amendments.-- For purposes of this clause, an amendment to a site security plan includes any technical amendment to the site security plan. (ii) Amendment required.--The owner or operator of an expedited approval facility shall amend the site security plan if-- (I) there is a change in the design, construction, operation, or maintenance of the expedited approval facility that affects the site security plan; (II) the Secretary requires additional security measures or suspends a certification and recommends additional security measures under subparagraph (G); or (III) the owner or operator receives notice from the Secretary of a change in tiering under subsection (e)(3). (iii) Deadline.--An amended site security plan and certification shall be submitted under clause (i)-- (I) in the case of a change in design, construction, operation, or maintenance of the expedited approval facility that affects the security plan, not later than 120 days after the date on which the change in design, construction, operation, or maintenance occurred; (II) in the case of the Secretary requiring additional security measures or suspending a certification and recommending additional security measures under subparagraph (G), not later than 120 days after the date on which the owner or operator receives notice of the requirement for additional security measures or suspension of the certification and recommendation of additional security measures; and (III) in the case of a change in tiering, not later than 120 days after the date on which the owner or operator receives notice under subsection (e)(3). (G) Facially deficient site security plans.-- (i) Prohibition.--Notwithstanding subparagraph (A) or (E), the Secretary may suspend the authority of a covered chemical facility to certify a site security plan if the Secretary-- (I) determines the certified site security plan or an amended site security plan is facially deficient; and (II) not later than 100 days after the date on which the Secretary receives the site security plan and certification, provides the covered chemical facility with written notification that the site security plan is facially deficient, including a clear explanation of each deficiency in the site security plan. (ii) Additional security measures.-- (I) In general.--If, during or after a compliance inspection of an expedited approval facility, the Secretary determines that planned or implemented security measures in the site security plan of the facility are insufficient to meet the risk- based performance standards based on misrepresentation, omission, or an inadequate description of the site, the Secretary may-- (aa) require additional security measures; or (bb) suspend the certification of the facility. (II) Recommendation of additional security measures.-- If the Secretary suspends the certification of an expedited approval facility under subclause (I), the Secretary shall-- (aa) recommend specific additional security measures that, if made part of the site security plan by the facility, would enable the Secretary to approve the site security plan; and (bb) provide the facility an opportunity to submit a new or modified site security plan and certification under subparagraph (A). (III) Submission; review.--If an expedited approval facility determines to submit a new or modified site security plan and certification as authorized under subclause (II)(bb)-- (aa) not later than 90 days after the date on which the facility receives recommendations under subclause (II)(aa), the facility shall submit the new or modified plan and certification; and (bb) not later than 45 days after the date on which the Secretary receives the new or modified plan under item (aa), the Secretary shall review the plan and determine whether the plan is facially deficient. (IV) Determination not to include additional security measures.-- (aa) Revocation of certification.--If an expedited approval facility does not agree to include in its site security plan specific additional security measures recommended by the Secretary under subclause (II)(aa), or does not submit a new or modified site security plan in accordance with subclause (III), the Secretary may revoke the certification of the facility by issuing an order under section 2104(a)(1)(B). (bb) Effect of revocation.--If the Secretary revokes the certification of an expedited approval facility under item (aa) by issuing an order under section 2104(a)(1)(B)-- (AA) the order shall require the owner or operator of the facility to submit a site security plan or alternative security program for review by the Secretary review under subsection (c)(1); and (BB) the facility shall no longer be eligible to certify a site security plan under this paragraph. (V) Facial deficiency.--If the Secretary determines that a new or modified site security plan submitted by an expedited approval facility under subclause (III) is facially deficient-- (aa) not later than 120 days after the date of the determination, the owner or operator of the facility shall submit a site security plan or alternative security program for review by the Secretary under subsection (c)(1); and (bb) the facility shall no longer be eligible to certify a site security plan under this paragraph. (H) Templates.-- (i) In general.--The Secretary may develop prescriptive site security plan templates with specific security measures to meet the risk-based performance standards under subsection (a)(2)(C) for adoption and certification by a covered chemical facility assigned to tier 3 or 4 in lieu of developing and certifying its own plan. (ii) Process.--In developing and issuing, or amending, the site security plan templates under this subparagraph, issuing guidance for implementation of the templates, and in collecting information from expedited approval facilities, the Secretary-- (I) shall consult with-- (aa) Sector Coordinating Councils established under sections 201 and 871(a); and (bb) appropriate labor organizations; and (II) shall not be subject to section 553 of title 5, United States Code, the National Environmental Policy Act of 1969 (42 U.S.C. 4321 et seq.), subchapter I of chapter 35 of title 44, United States Code, or section 2107(b) of this title. (iii) Rule of construction.--Nothing in this subparagraph shall be construed to prevent a covered chemical facility from developing and certifying its own security plan in accordance with subparagraph (A). (I) Evaluation.-- (i) In general.--Not later than 18 months after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall take any appropriate action necessary for a full evaluation of the expedited approval program authorized under this paragraph, including conducting an appropriate number of inspections, as authorized under subsection (d), of expedited approval facilities. (ii) Report.--Not later than 18 months after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report that contains-- (I) any costs and efficiencies associated with the expedited approval program authorized under this paragraph; (II) the impact of the expedited approval program on the backlog for site security plan approval and authorization inspections; (III) an assessment of the ability of expedited approval facilities to submit facially sufficient site security plans; (IV) an assessment of any impact of the expedited approval program on the security of chemical facilities; and (V) a recommendation by the Secretary on the frequency of compliance inspections that may be required for expedited approval facilities. (d) Compliance.-- (1) Audits and inspections.-- (A) Definitions.--In this paragraph-- (i) the term ``nondepartmental''-- (I) with respect to personnel, means personnel that is not employed by the Department; and (II) with respect to an entity, means an entity that is not a component or other authority of the Department; and (ii) the term ``nongovernmental''-- (I) with respect to personnel, means personnel that is not employed by the Federal Government; and (II) with respect to an entity, means an entity that is not an agency, department, or other authority of the Federal Government. (B) Authority to conduct audits and inspections.--The Secretary shall conduct audits or inspections under this title using-- (i) employees of the Department; or (ii) nondepartmental or nongovernmental personnel approved by the Secretary. (C) Support personnel.--The Secretary may use nongovernmental personnel to provide administrative and logistical services in support of audits and inspections under this title. (D) Reporting structure.-- (i) Nondepartmental and nongovernmental audits and inspections.--Any audit or inspection conducted by an individual employed by a nondepartmental or nongovernmental entity shall be assigned in coordination with a regional supervisor with responsibility for supervising inspectors within the Infrastructure Security Compliance Division of the Department for the region in which the audit or inspection is to be conducted. (ii) Requirement to report.--While an individual employed by a nondepartmental or nongovernmental entity is in the field conducting an audit or inspection under this subsection, the individual shall report to the regional supervisor with responsibility for supervising inspectors within the Infrastructure Security Compliance Division of the Department for the region in which the individual is operating. (iii) Approval.--The authority to approve a site security plan under subsection (c) or determine if a covered chemical facility is in compliance with an approved site security plan shall be exercised solely by the Secretary or a designee of the Secretary within the Department. (E) Standards for auditors and inspectors.-- The Secretary shall prescribe standards for the training and retraining of each individual used by the Department as an auditor or inspector, including each individual employed by the Department and all nondepartmental or nongovernmental personnel, including-- (i) minimum training requirements for new auditors and inspectors; (ii) retraining requirements; (iii) minimum education and experience levels; (iv) the submission of information as required by the Secretary to enable determination of whether the auditor or inspector has a conflict of interest; (v) the proper certification or certifications necessary to handle chemical-terrorism vulnerability information (as defined in section 27.105 of title 6, Code of Federal Regulations, or any successor thereto); (vi) the reporting of any issue of non-compliance with this section to the Secretary within 24 hours; and (vii) any additional qualifications for fitness of duty as the Secretary may require. (F) Conditions for nongovernmental auditors and inspectors.--If the Secretary arranges for an audit or inspection under subparagraph (B) to be carried out by a nongovernmental entity, the Secretary shall-- (i) prescribe standards for the qualification of the individuals who carry out such audits and inspections that are commensurate with the standards for similar Government auditors or inspectors; and (ii) ensure that any duties carried out by a nongovernmental entity are not inherently governmental functions. (2) Personnel surety.-- (A) Personnel surety program.--For purposes of this title, the Secretary shall establish and carry out a Personnel Surety Program that-- (i) does not require an owner or operator of a covered chemical facility that voluntarily participates in the program to submit information about an individual more than one time; (ii) provides a participating owner or operator of a covered chemical facility with relevant information about an individual based on vetting the individual against the terrorist screening database, to the extent that such feedback is necessary for the facility to be in compliance with regulations promulgated under this title; and (iii) provides redress to an individual-- (I) whose information was vetted against the terrorist screening database under the program; and (II) who believes that the personally identifiable information submitted to the Department for such vetting by a covered chemical facility, or its designated representative, was inaccurate. (B) Personnel surety program implementation.--To the extent that a risk- based performance standard established under subsection (a) requires identifying individuals with ties to terrorism-- (i) a covered chemical facility may satisfy its obligation under the standard by using any Federal screening program that periodically vets individuals against the terrorist screening database, or any successor program, including the Personnel Surety Program established under subparagraph (A); and (ii) the Secretary may not require a covered chemical facility to submit any information about an individual unless the individual-- (I) is to be vetted under the Personnel Surety Program; or (II) has been identified as presenting a terrorism security risk. (3) Availability of information.--The Secretary shall share with the owner or operator of a covered chemical facility any information that the owner or operator needs to comply with this section. (e) Responsibilities of the Secretary.-- (1) Identification of chemical facilities of interest.--In carrying out this title, the Secretary shall consult with the heads of other Federal agencies, States and political subdivisions thereof, relevant business associations, and public and private labor organizations to identify all chemical facilities of interest. (2) Risk assessment.-- (A) In general.--For purposes of this title, the Secretary shall develop a security risk assessment approach and corresponding tiering methodology for covered chemical facilities that incorporates the relevant elements of risk, including threat, vulnerability, and consequence. (B) Criteria for determining security risk.-- The criteria for determining the security risk of terrorism associated with a covered chemical facility shall take into account-- (i) relevant threat information; (ii) potential economic consequences and the potential loss of human life in the event of the facility being subject to a terrorist attack, compromise, infiltration, or exploitation; and (iii) vulnerability of the facility to a terrorist attack, compromise, infiltration, or exploitation. (3) Changes in tiering.-- (A) Maintenance of records.--The Secretary shall document the basis for each instance in which-- (i) tiering for a covered chemical facility is changed; or (ii) a covered chemical facility is determined to no longer be subject to the requirements under this title. (B) Required information.--The records maintained under subparagraph (A) shall include information on whether and how the Secretary confirmed the information that was the basis for the change or determination described in subparagraph (A). (4) Semiannual performance reporting.--Not later than 6 months after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, and not less frequently than once every 6 months thereafter, the Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report that describes, for the period covered by the report-- (A) the number of covered chemical facilities in the United States; (B) the average number of days spent reviewing site security or an alternative security program for a covered chemical facility prior to approval; (C) the number of covered chemical facilities inspected; (D) the average number of covered chemical facilities inspected per inspector; and (E) any other information that the Secretary determines will be helpful to Congress in evaluating the performance of the Chemical Facility Anti-Terrorism Standards Program. SEC. 2103. PROTECTION AND SHARING OF INFORMATION. (a) In General.--Notwithstanding any other provision of law, information developed under this title, including vulnerability assessments, site security plans, and other security related information, records, and documents shall be given protections from public disclosure consistent with the protection of similar information under section 70103(d) of title 46, United States Code. (b) Sharing of Information With States and Local Governments.--Nothing in this section shall be construed to prohibit the sharing of information developed under this title, as the Secretary determines appropriate, with State and local government officials possessing a need to know and the necessary security clearances, including law enforcement officials and first responders, for the purpose of carrying out this title. (c) Sharing of Information With First Responders.-- (1) Requirement.--The Secretary shall provide to State, local, and regional fusion centers (as that term is defined in section 210A(j)(1)) and State and local government officials, as the Secretary determines appropriate, such information as is necessary to help ensure that first responders are properly prepared and provided with the situational awareness needed to respond to security incidents at covered chemical facilities. (2) Dissemination.--The Secretary shall disseminate information under paragraph (1) through a medium or system determined by the Secretary to be appropriate to ensure the secure and expeditious dissemination of such information to necessary selected individuals. (d) Enforcement Proceedings.--In any proceeding to enforce this section, vulnerability assessments, site security plans, and other information submitted to or obtained by the Secretary under this title, and related vulnerability or security information, shall be treated as if the information were classified information. (e) Availability of Information.--Notwithstanding any other provision of law (including section 552(b)(3) of title 5, United States Code), section 552 of title 5, United States Code (commonly known as the Freedom of Information Act') shall not apply to information protected from public disclosure pursuant to subsection (a) of this section. SEC. 2104. CIVIL ENFORCEMENT. (a) Notice of Noncompliance.-- (1) Notice.--If the Secretary determines that a covered chemical facility is not in compliance with this title, the Secretary shall-- (A) provide the owner or operator of the facility with-- (i) not later than 14 days after date on which the Secretary makes the determination, a written notification of noncompliance that includes a clear explanation of any deficiency in the security vulnerability assessment or site security plan; and (ii) an opportunity for consultation with the Secretary or the Secretary's designee; and (B) issue to the owner or operator of the facility an order to comply with this title by a date specified by the Secretary in the order, which date shall be not later than 180 days after the date on which the Secretary issues the order. (2) Continued noncompliance.--If an owner or operator continues to be in noncompliance with this title after the date specified in an order issued under paragraph (1)(B), the Secretary may enter an order in accordance with this section assessing a civil penalty, an order to cease operations, or both. (b) Civil Penalties.-- (1) Violations of orders.--Any person who violates an order issued under this title shall be liable for a civil penalty under section 70119(a) of title 46, United States Code. (2) Non-reporting chemical facilities of interest.-- Any owner of a chemical facility of interest who fails to comply with, or knowingly submits false information under, this title or the CFATS regulations shall be liable for a civil penalty under section 70119(a) of title 46, United States Code. (c) Emergency Orders.-- (1) In general.--Notwithstanding subsection (a) or any site security plan or alternative security program approved under this title, if the Secretary determines that there is a reasonable likelihood that a violation of this title or the CFATS regulations by a chemical facility could result in death, serious illness, severe personal injury, or substantial endangerment to the public, the Secretary may direct the facility, effective immediately or as soon as practicable, to-- (A) cease some or all operations; or (B) implement appropriate emergency security measures. (2) Limitation on delegation.--The Secretary may not delegate the authority under paragraph (1) to any official other than the Under Secretary for the National Protection and Programs Directorate. (d) Right of Action.--Nothing in this title confers upon any person except the Secretary or his or her designee a right of action against an owner or operator of a covered chemical facility to enforce any provision of this title. SEC. 2105. WHISTLEBLOWER PROTECTIONS. (a) Procedure for Reporting Problems.-- (1) Establishment of a reporting procedure.--Not later than 180 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall establish, and provide information to the public regarding, a procedure under which any employee or contractor of a chemical facility may submit a report to the Secretary regarding problems, deficiencies, or vulnerabilities at a covered chemical facility that are associated with the risk of a chemical facility terrorist incident. (2) Confidentiality.--The Secretary shall keep confidential the identity of an individual who submits a report under paragraph (1) and any such report shall be treated as a record containing protected information to the extent that the report does not consist of publicly available information. (3) Acknowledgment of receipt.--If a report submitted under paragraph (1) identifies the individual making the report, the Secretary shall promptly respond to the individual directly and shall promptly acknowledge receipt of the report. (4) Steps to address problems.--The Secretary shall-- (A) review and consider the information provided in any report submitted under paragraph (1); and (B) take appropriate steps under this title if necessary to address any substantiated problems, deficiencies, or vulnerabilities associated with the risk of a chemical facility terrorist incident identified in the report. (5) Retaliation prohibited.-- (A) In general.--An owner or operator of a covered chemical facility or agent thereof may not discharge an employee or otherwise discriminate against an employee with respect to the compensation provided to, or terms, conditions, or privileges of the employment of, the employee because the employee (or an individual acting pursuant to a request of the employee) submitted a report under paragraph (1). (B) Exception.--An employee shall not be entitled to the protections under this section if the employee-- (i) knowingly and willfully makes any false, fictitious, or fraudulent statement or representation; or (ii) uses any false writing or document knowing the writing or document contains any false, fictitious, or fraudulent statement or entry. (b) Protected Disclosures.--Nothing in this title shall be construed to limit the right of an individual to make any disclosure-- (1) protected or authorized under section 2302(b)(8) or 7211 of title 5, United States Code; (2) protected under any other Federal or State law that shields the disclosing individual against retaliation or discrimination for having made the disclosure in the public interest; or (3) to the Special Counsel of an agency, the inspector general of an agency, or any other employee designated by the head of an agency to receive disclosures similar to the disclosures described in paragraphs (1) and (2). (c) Publication of Rights.--The Secretary, in partnership with industry associations and labor organizations, shall make publicly available both physically and online the rights that an individual who discloses information, including security- sensitive information, regarding problems, deficiencies, or vulnerabilities at a covered chemical facility would have under Federal whistleblower protection laws or this title. (d) Protected Information.--All information contained in a report made under this subsection (a) shall be protected in accordance with section 2103. SEC. 2106. RELATIONSHIP TO OTHER LAWS. (a) Other Federal Laws.--Nothing in this title shall be construed to supersede, amend, alter, or affect any Federal law that regulates the manufacture, distribution in commerce, use, sale, other treatment, or disposal of chemical substances or mixtures. (b) States and Political Subdivisions.--This title shall not preclude or deny any right of any State or political subdivision thereof to adopt or enforce any regulation, requirement, or standard of performance with respect to chemical facility security that is more stringent than a regulation, requirement, or standard of performance issued under this section, or otherwise impair any right or jurisdiction of any State with respect to chemical facilities within that State, unless there is an actual conflict between this section and the law of that State. SEC. 2107. CFATS REGULATIONS. (a) General Authority.--The Secretary may, in accordance with chapter 5 of title 5, United States Code, promulgate regulations or amend existing CFATS regulations to implement the provisions under this title. (b) Existing CFATS Regulations.-- (1) In general.--Notwithstanding section 4(b) of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, each existing CFATS regulation shall remain in effect unless the Secretary amends, consolidates, or repeals the regulation. (2) Repeal.--Not later than 30 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall repeal any existing CFATS regulation that the Secretary determines is duplicative of, or conflicts with, this title. (c) Authority.--The Secretary shall exclusively rely upon authority provided under this title in-- (1) determining compliance with this title; (2) identifying chemicals of interest; and (3) determining security risk associated with a chemical facility. SEC. 2108. SMALL COVERED CHEMICAL FACILITIES. (a) Definition.--In this section, the term ``small covered chemical facility'' means a covered chemical facility that-- (1) has fewer than 100 employees employed at the covered chemical facility; and (2) is owned and operated by a small business concern (as defined in section 3 of the Small Business Act (15 U.S.C. 632)). (b) Assistance to Facilities.--The Secretary may provide guidance and, as appropriate, tools, methodologies, or computer software, to assist small covered chemical facilities in developing the physical security, cybersecurity, recordkeeping, and reporting procedures required under this title. (c) Report.--The Secretary shall submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives a report on best practices that may assist small covered chemical facilities in development of physical security best practices. SEC. 2109. OUTREACH TO CHEMICAL FACILITIES OF INTEREST. Not later than 90 days after the date of enactment of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the Secretary shall establish an outreach implementation plan, in coordination with the heads of other appropriate Federal and State agencies, relevant business associations, and public and private labor organizations, to-- (1) identify chemical facilities of interest; and (2) make available compliance assistance materials and information on education and training.