ChemLock and Tiering
This is part of a series of blog posts looking at the potential for the authorization of CISA’s existing ChemLock program and using it as a voluntary replacement for the now defunct Chemical Facility Anti-Terrorism Standards (CFATS) program. Other posts in this series include:
NOTE: Previous articles in this series have been removed from the CFSN Detailed Analysis paywall.
Risk Assessment
One of the things that made the CFATS program so successful over the years was the realization that there were different levels of risk associated with different chemical facilities and that meant that different levels of security were needed to mitigate that threat. DHS developed, and CISA upgraded, a sophisticated tool to complete the risk assessment process that was based upon data provided by each chemical facility called the Top Screen tool. Facility security managers completed a secure, online questionnaire about their facility and CISA used that information to determine if facilities were at a high enough risk to be covered under the CFATS program and if they were to assign the facility to one of four Tiers. That Tier level served as the basis for the much of what the facility was subsequently required to do under the program.
A similar risk assessment process will be required for the ChemLock program if it is going to be used as a basis for providing facilities with Safety Act (6 USC 441 et seq) protections as an incentive to actively participate in the ChemLock program. Obviously, some changes need to be made, but the existing (and currently mothballed) Top Screen process would serve as an excellent basis for such assessments.
Tiering Levels
The existing four Tiers served the CFATS program well, but the whole point with the introduction of the ChemLock program was to provide facilities that were not covered under the CFATS program with the assistance and security expertise of the chemical security inspectors. We would not want to drive those facilities out of the program, so the tiering under the ChemLock program would probably need to add a Tier 5 for those facilities that would not fall under the four existing Tier levels.
For security reasons, DHS has never been willing to share the details of their risk assessment process, but it would seem to be obvious that one of the discriminators that would have been used in the CFATS risk assessment process would have been the types of chemicals used at the facility. Looking at two broad categories of chemicals, release threat and theft/diversion threat, we can easily see that level of security needed at these two types of facilities would be significantly different. Facilities with primarily release threat (fires, explosions and toxic chemicals) are going to have to be prepared to deal with entirely different types of attacks than facilities with just theft/diversion types of chemicals (explosive precursor and chemical weapon precursor chemicals). The first will need to primarily protect against physical attacks against bulk storage, while the former would need to focus on protecting portable containers from theft or deliveries to unauthorized personnel.
While these differences are already baked into the current risk assessment process, it would probably be a good idea to modify the tiering levels into a better description of the potential threat by assigning a lettered qualifier to the Tier level. For example, for facilities with only release threat chemicals on site, a suffix of ‘R’ could be appended to the Tier level. Similarly, a ‘T’ (for theft) could be used for facilities with just theft/diversion threat chemicals on site. Facilities with both would be assigned a ‘B’ (for blended) suffix. This would allow for a better understanding of the security requirements that would be required for a facility to be provided with Safety Act protections.
The CFATS program originally intended to add nationally critical chemicals to list of potential threats to be considered for inclusion in the program. Early Top Screen questionnaires attempted to address this with questions about facility production as a percentage of national production. This was quickly seen to be less than helpful since there was little attempt to identify nationally critical chemical to which this data could be reasonably applied. With the national effects of the Colonial Pipeline ransomware attack in mind, this concept should be re-examined when developing the ChemLock risk assessment process. Since this program is voluntary, it would be easier for companies to self-identify those economically or national security critical chemicals.
One thing is certain, these critical chemicals will not likely fall directly into the CFATS threat assessment, or even the security guidelines developed for the CFATS program. While I will discuss those guidelines in a subsequent post, for the purposes of this discussion, these facilities holding chemicals with threats that do not fit into the standard threat model used under the CFATS program would be given a suffix of ‘C’ for critical chemicals.
Chemicals of Interest
A key component of the Top Screen process was the list of chemicals of specific interest to DHS for the program. DHS developed a list of a little over 300 chemicals that it was concerned with for the CFATS program. These DHS Chemicals of Interest (COI) formed the regulatory basis for facilities to be required to complete the Top Screen process. Those COI were listed in Appendix A of 6 CFR Part 27 (the CFATS regulations). Any facility holding any of the chemicals in inventory at or above limits determined by their threat categories was required to submit a Top Screen so that CISA could determine whether or not the facility was covered by the program and to which Tier level it would be assigned.
That list of chemicals is still of value, but since the ChemLock program is voluntary, the use of that list as a screening tool for which facilities would be required to submit a ChemLock Top Screen would no longer be possible. That list remains valuable as part of the screening tool as do the chemical threat categories assigned to those chemicals.
There have been suggestions over the years of chemicals that should be added to, or removed from, the COI list. As part of the standup of the ChemLock screening process it would be valuable to revisit the chemicals included in this list. It would not be necessary, however, to step on too many toes by adding chemicals as companies would be encouraged to self-identify new chemicals of interest at their facilities as part of the new threat assessment process.
Moving Forward
Congress would not need to directly address changes to the Top Screen process nor the Chemicals of Interest list in their rulemaking authorizing the ChemLock process and tying it into the Safety Act process. It could simply authorize CISA to update the existing Top Screen process and adapt it to a voluntary ChemLock reporting process. It would, however, need to require CISA to adopt a screening process that would allow for the establishment of risk-based security measures needed to qualify facilities for Safety Act protections.