Earlier this week, in my post “CFATS is Dead”, I suggested that Congress needs to authorize CISA’s ChemLock program to protect it from the budget cutters. The reason is that without the Chemical Facility Anti-Terrorism Standards (CFATS) program, there is no broad federal program to help the chemical industry protect itself from potential terrorist attacks. And news reports from the early morning of January 1st reinforce the idea that terrorists still have an interest in attacking the United States.
In that earlier piece, I go on to explain that, as an incentive for chemical facilities to participate in the voluntary ChemLock program, Congress should provide automatic Safety Act (6 USC 441 et seq) protections for participating facilities in the program authorization, noting:
“The legislation authorizing the establishment of the ChemLock program could authorize DHS to declare that any facility that employs a minimum level of security measures defined under the program to have employed qualified anti-terrorism technology under the Safety Act and thus eligible for risk management and litigation management protections of the Act.”
In this series of posts, I would like to look at what that term “employs a minimum level of security measures defined under the program” could look like. Let’s start by looking at the existing ChemLock program.
ChemLock
The existing ChemLock program was established in November 2021. It provides chemical facilities with a wide range of resources to help them identify and mitigate their chemical facility security risks. These include:
But, most importantly for this discussion, ChemLock provides On-Site Assessments and Assistance. CISA’s Infrastructure Security Division notes that:
“Using CISA’s extensive knowledge of chemical security best practices, CISA chemical security personnel under the ChemLock program can provide on-site assistance and assessments that help facilities identify the specific security risks their on-site chemicals present and offer scalable, tailored suggestions for security measures that will best enhance their security posture based on their unique circumstances and business model.”
Security Goals
CISA has established five security goals in ChemLock that it hopes to help chemical facilities address. It asks facilities to answer the following questions as they develop their facility security plans:
Can you DETECT an attack or suspicious activity?
Can you DELAY the adversary?
Are you able to RESPOND in a timely manner?
Are you protecting your CYBER assets?
Do you have the appropriate POLICIES, PLANS, and PROCEDURES to implement your plan?
Anyone familiar with the CFATS program will quickly realize that these goals are simply restatements of the Risk Based Performance Standards (RBPS) that guided the development of security plans under that program. As explained on the CFATS Risk-Based Performance Standards page:
“Security measures that differ from facility to facility mean that each facility's suite of security measures presents a new and unique problem for an adversary to solve. To assist chemical facilities in taking a holistic approach to their security posture and determine the appropriate security measures, a facility may think about RBPS through the use of five overarching security objectives: Detection, Delay, Response, Cyber, and Security Management. These guideposts are the overall security objectives [emphasis added] that the RBPS address. Each objective spans multiple RBPS and can be satisfied through one or more of those RBPS.”
Security Considerations
CISA has identified five other considerations that facilities under the ChemLock program need to address in developing their chemical facility security plan:
ChemLock Assistance
The whole point of the ChemLock program is that facilities no longer need to attempt to tackle facility security on their own. With fifteen years of experience with the CFATS program behind them, CISA’s team has looked at thousands of chemical facilities and worked side by side with those facilities as they developed world-class security plans to address the unique problems of chemical facility security. The ChemLock program provides that level of experience on a voluntary basis to chemical facilities across the country.
In addition to site visits and training, ChemLock provides a variety of chemical security information sources, including: