CFATS is Dead
Whither Chemical Security
With the 118th Congress effectively dead (the House and Senate meet today in pro forma session, and then again on Friday to adjourn sine die), the time has come to officially declare the Chemical Facility Anti-Terrorism Standards (CFATS) program dead. While the program authority expired on July 27th, 2023 (see note 6 USC 621) the program has been kept on life support by CISA and Congress, hoping that it could be resurrected over the objections of Sen Paul (R,KY). On January 3rd, 2025, Paul becomes the Chair of the Senate Homeland Security and Governmental Affairs Committee, further increasing his power to block the program. CFATS will not be reauthorized.
Chemical Security Regulations Continue
The CFATS program was never the only chemical security program operated by the federal government. This was formally recognized in 6 USC 621(b)(4) under the definition of the term ‘excluded facility’. That paragraph listed the categories of chemical facilities which were already under federal security regulations:
MTSA covered facilities,
Public water systems,
Treatment works,
DOD/DOE facilities, and
NRC regulated facilities.
These facilities continue to be regulated, though the protection of chemicals under those regulations are less stringent and certainly not as comprehensive as the CFATS requirements.
Voluntary Chemical Security Program
In November of 2021, CISA established the ChemLock program, a voluntary chemical security program initially designed to provide chemical security assistance to chemical facilities manufacturing or maintaining inventories of DHS chemicals of interest, but not judged to be high-risk facilities covered by the CFATS program requirements. The way that CISA actually implemented the program, however, made it open to any facility that decided to avail itself of the assistance provided by the program. While that program has never been specifically authorized by Congress, the program continues to this day.
Congressional Republicans have never really been comfortable with regulatory programs in general, preferring to see voluntary public-private partnerships. These programs are generally less costly for the government to operate (fewer people to staff, and less red tape to deal with), and limit the costs of compliance to the private sector. That will not change in the 119th Congress.
Authorize ChemLock
Instead of trying to resurrect the CFATS program, chemical security supporters should instead try to expand the ChemLock program. First and foremost, the ChemLock program needs to be specifically authorized by Congress. One of the first things that the Trump Administration will attempt to do to reduce government spending will be to eliminate non-authorized programs. To avoid the death of this chemical security program, legislation needs to be introduced that establishes ChemLock as an official program under CISA’s Infrastructure Security Division.
Since ChemLock will need to continue to be a voluntary program (rather than a regulatory program) to obtain the support (or at least avoid the opposition) of members like Sen Paul, some method will have to included that provides an incentive for companies to actively participate in the program. While financial incentives would work best, they would run afoul of ‘reduce spending’ ethos of the 119th Congress. A ‘no cost to the government’ incentive would be to apply Safety Act (6 USC 441 et seq) protections to participating organizations.
Safety Act
“As part of the Homeland Security Act of 2002, Public Law 107-296, Congress enacted several liability protections for providers of anti-terrorism technologies. The SAFETY Act provides incentives for the development and deployment of anti-terrorism technologies [emphasis added] by creating a system of "risk management" and a system of "litigation management." The purpose of the Act is to ensure that the threat of liability does not deter potential manufacturers or Sellers of anti-terrorism technologies from developing and commercializing technologies that could save lives. The Act creates certain liability limitations for "claims arising out of, relating to, or resulting from an act of terrorism" where qualified anti-terrorism technologies have been deployed.”
The statute defines “qualified anti-terrorism technology” as:
“For purposes of this part, the term ‘‘qualified anti-terrorism technology’’ means any product, equipment, service (including support services), device, or technology (including information technology) designed, developed, modified, or procured for the specific purpose of preventing, detecting, identifying, or deterring acts of terrorism or limiting the harm such acts might otherwise cause, that is designated as such by the Secretary.”
The legislation authorizing the establishment of the ChemLock program could authorize DHS to declare that any facility that employs a minimum level of security measures defined under the program to have employed qualified anti-terrorism technology under the Safety Act and thus eligible for risk management and litigation management protections of the Act.
I will discuss what those minimum levels of security might include in subsequent posts about ChemLock authorization.
Information Sharing and Protection
Any authorization of the ChemLock program will have to address the protection and sharing requirements for security information provided to CISA by participating facilities. A reasonable approach can be found in the 6 USC 623 requirements from the CFATS program. That language did not specifically address Chemical Terrorism Vulnerability Information (CVI) requirements for facilities to protect their own information. Instead, it would broadly apply the exemptions from public disclosure by CISA found under 46 USC 70103(d) under the MTSA statute to information provided to, or developed by, the agency. It would still require CISA to share information about chemical facilities with fusion centers and first responders.
Moving Forward
CISA and the chemical industry need to start discussing the authorization of the ChemLock program with member of Congress. The quicker this legislation is introduced (and ultimately signed into law) the less likely it will be that this program will fall under the scrutiny of elements of the Trump Administration looking at cutting spending and reducing government.