This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:
NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.
The CFATS program collected a great deal of sensitive information from facilities, both covered facilities and facilities submitting Top Screen information to see if they were to become covered facilities. The information provided to CISA would be of potential interest to any terrorist organization planning on attacking the facilities. To prevent that sort of information sharing, it was protected by the Chemical-Terrorism Vulnerability Information (CVI) program.
While the CFATS program was in effect, the CVI program was authorized by 6 USC 623. The regulations concerning the program can be found at 6 CFR 27.400. CISA’s predecessor published a revised guidance manual for the program in September of 2008. When CISA stood up the ChemLock program, they made no attempt to apply CVI protections to information provided under the new program, maintaining that, since the two programs were separate and distinct, there was no statutory authorization for applying the CVI protections to the ChemLock program.
CUI Information
When the National Archives and Records Administration (NARA) stood up their Controlled Unclassified Information (CUI) {frequently referred to as Sensitive But Unclassified (SBU) information} protection regulations (32 CFR Part 2002 Controlled Unclassified Information) they included the CVI program in their list of CUI Categories under the CUI Registry.
There is one important difference between the CVI program and other CUI programs: the CVI program specifically applies its information protection requirements to regulated entities. Other CUI programs apply the information protection requirements to government agencies and contractors supporting those agencies. The main reason is that facilities receive sensitive information about their security programs from CISA. Still, reports that facilities developed from their own information sources and submitted to CISA were also treated as CVI and had to be protected, while the source information was not required to be protected.
Since most of the CVI processed by CFATS covered facilities is processed electronically, the majority of the security processes protecting the CVI materials are also electronic. The requirements for protecting cyber systems utilized in storing, processing, and transmitting CUI materials are outlined in NIST SP 800-171 Revision 2.
What Information Should Be Covered
Under the CFATS program, the regulation {6 CFR 27.400(b)} was fairly specific about what types of information were required to be considered CVI. Unless the authorization for the ChemLock program gets as detailed as the Protecting and Securing Chemical Facilities From Terrorist Attacks Act of 2014 (PL113-254), the legislation could simply specify that all communications from facilities voluntarily requesting assistance from the ChemLock program, documents and information developed by CISA and its contractors as a result of those communications, and information developed by CISA’s chemical security inspectors pursuant to visits to the facility should be protected in accordance with the standards set for the CVI program.
Additionally, the ChemLock program should assume that local first responders, law enforcement personnel, and Congressional staff have prima facie ‘need to know’ status for CVI information, while they retain responsibility for protecting that same information from public disclosure.
More than a Program
The CVI program for the CFATS program was more than just a set of standards for protecting information. It was, at its core, a software and hardware system for the receipt, storage, and processing of information for and about the chemical facilities covered by the CFATS program. It was part and parcel of the secure Chemical Security Assessment Tool (CSAT) online process by which facilities submitted and received information to and from the CFATS program.
In the 15+ years that the program was in operation, there was only one known attack on that system, and that occurred in January of last year. To date, no one has been able to identify any CVI protected information that would have been exposed in that attempted intrusion. CISA is going to have to stand up a similar system to protect any information handled by the ChemLock program. Currently, no such system is in place.
Moving Forward
Any attempt to authorize the ChemLock program is going to have to specifically deal with the protection of controlled unclassified information submitted to and developed by that program. Adaptation of the Chemical-Terrorism Vulnerability Information (CVI) program from the CFATS program would be the most obvious way of dealing with that necessity.