CFATS Restoration Legislation
Tomorrow it will be three months since the Chemical Facility Anti-Terrorism Standards (CFATS) program was officially closed by CISA after congress failed to renew the program authorization. Since July 28th, the 3,242 facilities (as of the last official accounting [removed from paywall]) covered by the program have continued to operate without facility security oversight by the federal government. Some facilities have continued to operate their security program as if no oversight was necessary, but others have reduced their security costs by eliminating procedures and processes that were no longer justifiable on a cost basis without the necessity of complying with the CFATS regulatory requirements. As industry and CISA have clamored for a restoration of the program authorization, there has been little discussion about what that restoration process would look like.
From a legislative perspective, the restoration could be a relatively easy matter of the Senate taking up HR 4470 [removed from paywall] and passing that bill. That would change the program sunset date to July 27th, 2025, and the program would be up and running again. Except…. CISA would have to figure out how to deal with determining which facilities were still in compliance with their negotiated site security plans, what changes to site security plans that have been made were acceptable, and establishing a re-compliance process for facilities with unacceptable changes to their site security plans. It could easily be argued that those CFATS processes would need to be established by a change in regulations which could take years to establish under the normal regulatory processes. We could easily reach a point where the effective date of the revised regulations would occur after the revised sunset date.
Since Congress was responsible (due to its failure to act in a timely manner in changing the sunset date for the program) for the closing of the CFATS program, they ought to do the heavy lifting of restoring the program. This could be done by including in the restoration legislation directions for CISA to follow in restarting the program. CISA would then be authorized to implement those clearly stated requirement in a direct final rule, which could be accomplished within weeks instead of years if CISA had to craft the rules from scratch.
Here is what such legislation could (should) look like:
Section 1. Short Title.
This Act may be cited as the “Chemical Facility Anti-Terrorism Standards (CFATS) Program Restoration Act”.
Section 2. Restoration of the CFATS Program Authorization.
(a) Section 5 of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014 (Public Law 113–254; 6 U.S.C. 621 note) is amended by striking ‘‘July 27, 2023’’ and inserting ‘‘September 30, 2027’’.
(b) Except as provided in Sec 3 below, site security plans approved by Cybersecurity and Infrastructure Security Agency (CISA) as of July 27th, 2023, continue to be approved in force.
(c) Site security plans authorized by CISA as of July 27th, 2023, continue to be authorized in force.
(d) Facilities that were notified by CISA prior to July 27th, 2023, that they were covered facilities based on the Top Screen previously submitted but had not yet had their site security plan authorized will continue through the authorization process in effect as of that date.
(e) CISA will resume their established risk assessment process on all Top Screens submitted prior to July 28th, 2023, but not yet completed.
(f) CISA will resume accepting new Top Screens within 30 days of the enactment of this Act.
Section 3. Reinstating Site Security Plans
(a) Within 60 days of the enactment of this Act, covered facilities in the CFATS program with approved site security plans (SSP) will certify, in a manner designated by CISA, the status of their site security plan implementation. That certification will inform CISA that:
(1) The approved SSP remains in effect with no modifications,
(2) Modifications have been made to the SSP, but the facility intends to restore security measures to the approved state, or
(3) Modifications have been made to the SSP for which the facility is requesting approval.
(b) Where a facility makes a certification as in (1) above, CISA will schedule a compliance inspection for the facility as if there were no suspension of the program.
(c) Where a facility makes a certification as in (2) above, CISA will schedule a compliance inspection for the facility on a date between 90 and 180 days after the date of the certification.
(d) Where a facility makes a certification as in (3) above, CISA will schedule a compliance assistance inspection for the facility on a date between 30 and 120 days after the date of the certification.
Section 4. Enforcement Activities
(a) Enforcement deadlines set before July 27th, 2023, that would expire between that date and a date that is 15 days after the enactment of this Act, will be reset by CISA as if no time passed between July 27th and the date of enactment. CISA will approve one 30-day extension of such revised deadlines upon request from facility management.
(b) For all new enforcement actions on non-compliance with requirements of the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, the time will not toll for dates between July 27th, 2023, and the date that is 30 days after the date of enactment of this Act.
Section 5. Regulations – Within 30 days of the enactment of this Act, CISA will publish a direct final rule implementing the requirements of Sections 2 and 3.