Fall 2022 Unified Agenda – DHS

Yesterday the Biden Administration published their Fall 2022 Unified Agenda (I know, it is no longer 2022 and it is no longer fall, but regulators have their own calendar). The Unified Agenda lays out the major regulatory measures that the Administration is considering taking action on over the next year. The listing of a rulemaking or the estimated action dates associated with a rulemaking are aspirational at best and no guarantee of agency action.

DHS Rulemakings

The DHS portion of the UA lists 87 rulemakings, eight of which will be covered here in this blog if/when any actions are taken on them. The table below shows those eight rulemakings.

There are two rulemakings that were added since the 2022 Spring Agenda was published. Those rulemakings are:

• Cybersecurity in the Marine Transportation System, and

• Enhancing Surface Cyber Risk Management

One rulemaking made it back from the Long-Term Agenda (see discussion below):

• Chemical Facility Anti-Terrorism Standards (CFATS)

New Rulemakings – Cybersecurity

The new Coast Guard rulemaking on “Cybersecurity in the Marine Transportation System” is designed to update current regulations under 33 USC Part 101 et seq, the Maritime Transportation Security Act (MTSA) regulations. The CG hopes to publish a notice of proposed rulemaking in June of this year.

The new TSA rulemaking on “Enhancing Surface Cyber Risk Management” is designed to permanently codify the cybersecurity requirements of the series of security directives that TSA has issued to the pipeline and railroad sectors. The TSA published an advanced notice of proposed rulemaking (ANPRM) for this rulemaking in November.

New Rulemaking – CFATS

The CISA rulemaking on “Chemical Facility Anti-Terrorism Standards (CFATS)” has been on and off the Unified Agenda since before 2014. CISA (and its predecessor) have published two ANPRMs and a retrospective analysis of the program in support of this rulemaking. CISA is hoping to have an NPRM published in May.

An interesting addition has been made to the rulemaking listings in the new Unified Agenda, each listing now includes a ‘Statement of Need’. The statement for this rulemaking states:

“The Chemical Facility Anti-Terrorism Standards (CFATS) program regulates facilities possessing large quantities of dangerous chemicals. The particular chemicals listed and threshold quantities were established in 2007, and were based on EPA’s threshold quantities for Hazardous Substances published under its Release Management Program. In the 15 years since implementation of the program, CISA has gained extensive experience in analyzing chemical holdings and determining which facilities should be classified as high-risk and subject to further regulation. Given its experience, CISA has determined that it should adjust its list of regulated chemicals, threshold quantities, and counting methods to better reflect the security issues implicated by these chemicals. Additionally, CISA believes that the CFATS security performance guidelines, first issued in 2009, should be updated to better reflect lessons learned over the past decade, including substantially updating the guidelines for cybersecurity performance metrics.”

Long Term Agenda

There is a separate section of the Unified Agenda for rulemaking actions that are on the minds of agencies, but for which there is no current intention by those agencies to take action, the Long-Term Actions list. Rulemakings move back and forth between the Long-Term Actions list and the main Unified Agenda listing, sometimes without rhyme or reason. There are currently two rulemakings on the DHS list that would be covered here if the agencies were to act on those rulemakings.

Both of these rulemakings were on the previous Long-Term Actions list.