This is part of a series of blog posts looking at the potential for authorizing CISA’s existing ChemLock program and using it as a voluntary replacement for the now-defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:
Making ChemLock Safety Act Compliant – ChemLock Program Background,
Reader Comment – TSDB Screening for ChemLock,
ChemLock and Risk Based Performance Standards,
ChemLock and Chemical-Terrorism Vulnerability Information.
NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.
The CFATS program handled a lot of sensitive information that was categorized as Chemical-Terrorism Vulnerability Information (CVI). In order to limit the exposure of that information, DHS established the Chemical Security Assessment Tool (CSAT) as a secure, on-line portal for facilities to share sensitive information with the regulators, and as a secure method for facilities to receive CVI from DHS. If the ChemLock program is going to be upgraded to serve as a voluntary replacement for the CFATS program, a similar secure information sharing system will have to be employed to protect the information sharing required to implement that expanded program.
CSAT Background
The CSAT tool was stood up in stages, with new tools added as the program expanded. Before anyone had a chance to access the CSAT tool, they had to complete training in how to identify and protect CVI, so the on-line CVI training was essentially the first of the CSAT tools to be stood up. The next tool that an organization would use in CSAT was the Facility Registration Tool (see my discussion about the tool). Once the designated representatives of a chemical facility were registered, they were provided appropriate access (read-only, submit/edit information, etc.) to each of the following tools as the facility progressed through the CFATS program:
Top Screen,
Security Vulnerability Assessment,
Site Security Plan, and
Personnel Surety
Since CFATS was a regulatory program, potentially covered facilities were required to register with CFATS and complete a Top Screen. A potentially covered facility was any facility that had minimum quantities of one or more DHS Chemicals of Interest (COI) on site. DHS used the information submitted in the Top Screen to determine whether or not the facility was at high risk of terrorist attack. High-risk facilities were notified (via CSAT) that they were a covered facility and would have to begin the process that would lead them through the development, implementation, and maintenance of a site security plan negotiated with DHS. Covered facilities were required to periodically re-submit a Top Screen; new Top Screens were also required any time there was a significant change in the type or quantity of COI on site.
Top Screen and ChemLock
Since ChemLock is not and would not be (under the proposal being discussed in this series of blog posts) a regulatory program, the Top Screen tool would not be needed to identify whether or not a facility was a covered facility. Facilities would self-identify if they wanted to be a ‘covered facility’. A tool like the Top Screen would be required, however, to rank the risk of facilities that were interested in participating in the ChemLock Safety Act certification process. Facilities could use the updated ChemLock program as a security resource (much the way they currently do) without requesting that certification. Those facilities could voluntarily use the updated Top Screen for an independent evaluation of their security risk.
CISA’s Infrastructure Security Division could still use the Top Screen information to provide a broad assessment of industry chemical security efforts. I would expect that any ChemLock authorization effort would include periodic congressional reporting requirements about the status of the program and chemical security issues in general.
Chemical Fusion Center
While the CSAT tool was a secure two-way information sharing tool, it was never utilized to its full advantage as a way for CISA to share intelligence information with the chemical industry. Part of the reason for that was that there were too many restrictions on what facilities could be covered by the CFATS program. By statute {6 USC 621(3)}, the following types of facilities were exempted from the CFATS program:
A facility regulated under the Maritime Transportation Security Act of 2002 (Public Law 107–295; 116 Stat. 2064),
A public water system, as that term is defined in section 300f of title 42,
A Treatment Works, as that term is defined in section 1292 of title 33,
A facility owned or operated by the Department of Defense or the Department of Energy, or
A facility subject to regulation by the Nuclear Regulatory Commission.
Since ChemLock is voluntary (and would continue to be under this proposal), there would be no need to stop those CFATS-excluded facilities from participating in the ChemLock program. With a secure information sharing network open to a very wide swath of the chemical industry, it would be easy to transform the ChemLock program into what would effectively be a Chemical Fusion Center, where chemical facilities could report chemical security incidents.
Facilities would not have to avail themselves of the proposed Safety Act certification process to participate in the ChemLock information sharing process, but all facilities participating in the ChemLock Safety Act process would be enrolled in the ChemLock fusion center information sharing process. Part of the required site security plan each facility would develop would be its internal process for identifying and reporting suspicious situations and security incidents, as well as the internal mechanisms by which it would receive and process chemical security information from ChemLock.
Secure Information Sharing Tool
An authorized ChemLock program could use the security information sharing tool developed for the CFATS program as the backbone for the upgraded voluntary ChemLock program and provide a means for facilities and CISA to share chemical security intelligence information. While the Safety Act certification process would be a primary incentive for facilities to formally involve themselves in the ChemLock program, a secure source of chemical security information would also provide an incentive for facilities to join ChemLock, expanding the reach of the voluntary program.