Chemical Facility Anti-Terrorism Standards
Interim Final Rule.
The Department of Homeland Security (DHS or Department) issues this interim final rule (IFR) pursuant to Section 550 of the Homeland Security Appropriations Act of 2007 (Section 550), which provided the Department with authority to promulgate “interim final regulations” for the security of certain chemical facilities in the United States.
This rule establishes risk-based performance standards for the security of our Nation's chemical facilities. It requires covered chemical facilities to prepare Security Vulnerability Assessments (SVAs), which identify facility security vulnerabilities, and to develop and implement Site Security Plans (SSPs), which include measures that satisfy the identified risk-based performance standards. It also allows certain covered chemical facilities, in specified circumstances, to submit Alternate Security Programs (ASPs) in lieu of an SVA, SSP, or both.
The rule contains associated provisions addressing inspections and audits, recordkeeping, and the protection of information that constitutes Chemical-terrorism Vulnerability Information (CVI). Finally, the rule provides the Department with authority to seek compliance through the issuance of Orders, including Orders Assessing Civil Penalty and Orders for the Cessation of Operations.
Table of Contents Back to Top
- EFFECTIVE DATES:
- FOR FURTHER INFORMATION CONTACT:
- SUPPLEMENTARY INFORMATION:
- Table of Contents
- I. Introduction and Background
- A. Public Participation
- B. Statutory Regulatory Authority and History
- II. Interim Final Rule
- A. Summary of Changes From Advance Notice of Rulemaking
- B. Rule Provisions
- Subpart A
- Section 27.100Purpose
- Section 27.105Definitions
- Section 27.120Designation of a coordinating official; Consultations and technical assistance
- Subpart B
- Section 27.200Information regarding security risk for a chemical facility
- Section 27.205Determination that a chemical facility “presents a high level of security risk.”
- Section 27.210Submissions Schedule
- Section 27.215Security Vulnerability Assessments and Section 27.225 Site Security Plans
- Section 27.220Tiering
- Section 27.230Risk-Based Performance Standards
- Section 27.235Alternative security program
- Section 27.240Review and Approval of Security Vulnerability Assessment and Section 27.245 Review and Approval of Site Security Plans
- Section 27.250Inspections and Audits
- Section 27.255Recordkeeping Requirements
- Subpart C
- Section 27.300Orders
- Section 27.305 through 27.340 Adjudications
- Section 27.345Appeals
- Subpart D
- Section 27.400Chemical-Terrorism Vulnerability Information
- Section 27.405Review and Preemption of State Laws and Regulations
- Proposed Appendix A: DHS Chemicals of Interest
- III. Discussion of Comments
- A. Applicability of the Rule
- 1. Definition of “Chemical Facility or Facility”
- 2. Multiple Owners and Operators
- 3. Classifying Facilities Based on Hazard Class
- 4. Applicability to Specific Chemicals or Quantities of Chemicals
- 5. Applicability to Types of Facilities
- 6. Statutory Exemptions
- B. Determining Which Facilities Present a High-Level of Security Risk
- 1. Use of the Top-Screen Approach
- 2. Assessment Methodologies
- 3. Risk-Based Tiers
- C. Security Vulnerability Assessments and Site Security Plans
- 1. General Comments
- 2. Submitting a Site Security Plan
- 3. Content of Site Security Plans
- 4. Approval of Site Security Plans
- 5. Timing
- 6. Alternate Security Programs
- D. Risk-Based Performance Standards
- 1. General Approach to Performance Standards
- 2. Comments About Specific Performance Standards
- 3. Variations in Performance Standards for Risk Tiers
- 4. Adoption of MTSA Provisions
- E. Background Checks
- F. Inspections and Audits
- 1. Inspections
- 2. Third-Party Auditors and Inspectors
- G. Recordkeeping
- H. Orders
- I. Adjudications and Appeals
- 1. General
- 2. Disclosure of CVI
- 3. Scope of CVI
- 4. Relation of CVI to Other Categories of Protected Information and FOIA
- 5. Sharing CVI With State and Local Officials, the Public, and Congress
- 6. Litigation
- 7. Protection of CVI
- K. Preemption
- L. Implementation of the Rule
- M. Other Issues
- 1. Whistleblower Protection
- 2. Inherently Safer Technology
- 3. Delegation of Responsibility
- 4. Interaction With Other Federal Rules and Programs
- 5. Third-Party Actions
- 6. Judicial Review
- 7. Guidance and Technical Assistance
- 8. Miscellaneous Comments
- N. Regulatory Evaluation
- IV. Regulatory Analyses
- A. Executive Order 12866: Regulatory Planning and Review
- Cost Assessment Summary
- Benefits Assessment
- Need for Increased Security at High-Risk Chemical Facilities
- Qualitative Benefits of the Risk-Based Performance Standards
- B. Regulatory Flexibility Act
- C. Executive Order 13132: Federalism
- 1. Background
- 2. Propriety of Department's Views on Preemption
- 3. No Field Preemption
- 4. Principles of Conflict Preemption
- D. Unfunded Mandates Reform Act
- E. Paperwork Reduction Act
- F. National Environmental Policy Act
- List of Subjects in 6 CFR Part 27
- The Interim Final Rule
- Title 6—Department of Homeland Security
- Chapter 1—Department of Homeland Security, Office of the Secretary
- PART 27—CHEMICAL FACILITY ANTI-TERRORISM STANDARDS
- Subpart A—General
- Subpart B—Chemical Facility Security Program
- Subpart C—Orders and Adjudications
- Subpart D—Other
- Appendix A to Part 27—DHS Chemicals of Interest
- Subpart A—General
- Subpart B—Chemical Facility Security Program
- Subpart C—Orders and Adjudications
- Subpart D—Other
Tables Back to Top
- Table 1.—Percentage of Small Entities by Revenue
- Table 2.—Summary of Burden Hours for Conducting User Registration (DHS Form 9002 (1/07)) and Top Screen (DHS Form 9007 (2/07))
- Appendix A to Part 27.—DHS Chemicals of Interest
EFFECTIVE DATES: Back to Top
This regulation is effective June 8, 2007, except for Appendix A to part 27. A subsequent final rule document will announce the effective date of Appendix A to Part 27.
Comment related to the addition of Appendix A to part 27 only will be accepted until May 9, 2007.
ADDRESSES: Back to Top
You may submit comments, identified by docket number 2006-0073, by one of the following methods:
- Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
- Mail: IP/CSCD/Dennis Deziel, Mail Stop 8100, Department of Homeland Security, Washington, DC 20528-8100.
FOR FURTHER INFORMATION CONTACT: Back to Top
Dennis Deziel, Chemical Security Regulatory Task Force, Department of Homeland Security, 703-235-5263.
SUPPLEMENTARY INFORMATION: Back to Top
This interim final rule is organized as follows: Section I explains the public participation provisions and provides a brief discussion of the statutory and regulatory authority and history; Section II summarizes the changes from the Advance Notice of Rulemaking and discusses the revised rule text; Section III summarizes and responds to the comments the Department received in response to the Advance Notice of Rulemaking; and Section IV contains the regulatory analyses for this interim final rule.
Table of Contents Back to Top
I. Introduction and Background
A. Public Participation
B. Statutory and Regulatory Authority and History
II. Interim Final Rule
A. Summary of Changes From Advance Notice of Rulemaking
B. Rule Provisions
III. Discussion of Comments
A. Applicability of the Rule
1. Definition of “Chemical Facility or Facility”
2. Multiple Owners or Operators
3. Classifying Facilities Based on Hazard Class
4. Applicability to Specific Chemicals or Quantities of Chemicals
5. Applicability to Types of Facilities
6. Statutory Exemptions
B. Determining Which Facilities Present a High-Level of Security Risk
1. Use of the Top-Screen Approach
2. Assessment Methodologies
3. Risk-Based Tiers
C. Security Vulnerability Assessments and Site Security Plans
1. General Comments
2. Submitting a Site Security Plan
3. Content of Site Security Plans
4. Approval of Site Security Plans
6. Alternate Security Programs
D. Risk-Based Performance Standards
1. General Approach To Performance Standards
2. Comments about Specific Performance Standards
3. Variations in Performance Standards for Risk Tiers
4. Adoption of MTSA Provisions
E. Background Checks
F. Inspections and Audits
2. Third-Party Auditors and Inspectors
I. Adjudications and Appeals
J. Information Protection: Chemical-terrorism Vulnerability Information (CVI)
2. Disclosure of CVI
3. Scope of CVI
4. Relation of CVI to Other Categories of Protected Information and FOIA
5. Sharing CVI with State and Local Officials, the Public, and Congress
7. Protection of CVI
L. Implementation of the Rule
M. Other Issues
1. Whistleblower Protection
2. Inherently Safer Technology
3. Delegation of Responsibility
4. Interaction with Other Federal Rules and Programs
5. Third-Party Actions
6. Judicial Review
7. Guidance and Technical Assistance
8. Miscellaneous Comments
N. Regulatory Evaluation
IV. Regulatory Analyses
A. Executive Order 12866: Regulatory Planning and Review
B. Regulatory Flexibility Act
C. Executive Order 13132: Federalism
2. Propriety of the Department's View on Preemption
3. No Field Preemption
4. Principles of Conflict Preemption
D. Unfunded Mandates Reform Act
E. Paperwork Reduction Act
I. Introduction and Background Back to Top
A. Public Participation
Interested persons are invited to participate in this rulemaking by submitting written data, views, or arguments on Appendix A of this interim final rule. Comments that will provide the most assistance to DHS in finalizing the Appendix will reference specific chemicals and Screening Threshold Quantities on the list, explain the reason for any recommended change, and include data, information, or authority that support such recommended change.
Instructions: All submissions received must include the agency name and docket number for this rulemaking. All comments received will be posted without change to http://www.regulations.gov, including any personal information provided.
Comments that include trade secrets, confidential commercial or financial information, Sensitive Security Information (SSI), or Protected Critical Infrastructure Information (PCII) should not be submitted to the public regulatory docket. Please submit such comments separately from other comments on the rule. Comments containing trade secrets, confidential commercial or financial information, Sensitive Security Information (SSI), or Protected Critical Infrastructure Information (PCII) should be appropriately marked as containing such information and submitted by mail to the individual(s) listed in the FOR FURTHER INFORMATION CONTACT section.
Docket: For access to the docket to read background documents or comments received, go to http://www.regulations.gov. Submitted comments by mail may also be inspected. To inspect comments, please call Dennis Deziel, 703-235-5263, to arrange for an appointment.
B. Statutory Regulatory Authority and History
On October 4, 2006, the President signed the Department of Homeland Security Appropriations Act of 2007 (the Act), which provides the Department of Homeland Security with the authority to regulate the security of high-risk chemical facilities. See Pub. L. 109-295, sec. 550. Section 550 requires the Secretary of Homeland Security to promulgate interim final regulations “establishing risk-based performance standards for security of chemical facilities” by April 4, 2007. Id. Although interim final regulations are usually issued without prior notice and comment (and the Act requires neither), the Department issued an Advance Notice of Rulemaking (Advance Notice) seeking comment on the significant issues and regulatory text. See generally 71 FR 78276 (Dec. 28, 2006).
As discussed more fully in the Advance Notice, before the enactment of Section 550, the Federal government did not have authority to regulate the security of most chemical facilities. The Department has, however, worked closely with industry leaders in pursuit of voluntary enhancement of security at these facilities and provided both technical assistance and grant funding for security. In addition, through the Coast Guard's Maritime Security regulations, the Department has addressed security at certain maritime-related chemical facilities. See 33 CFR Part 105. Recently, the Departments of Homeland Security and Transportation also proposed security regulations for the rail transportation of hazardous chemicals. See 71 FR 76834, 71 FR 76851 (Dec. 21, 2006). Other Federal programs have addressed chemical facility safety, but not security: the Environmental Protection Agency (EPA) regulates chemical process safety through its Risk Management Plan (RMP) program; the Department of Labor's Occupational Safety and Health Administration (OSHA) regulates workplace safety and health at chemical facilities; the Department of Commerce oversees compliance with the Chemical Weapons Convention; and the Department of Justice's Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) regulates, through licenses and permits, the purchase, possession, storage, and transportation of explosives.
With the authority under Section 550, the Department can now fill a significant security gap in the country's anti-terrorism efforts. Section 550 specifies that the regulations “shall apply to chemical facilities that, in the discretion of the Secretary, present high levels of security risk.” The statute requires that the regulations establish risk-based performance standards; requires Security Vulnerability Assessments and Site Security Plans; allows Alternative Security Programs; mandates audits and inspections to determine compliance with the regulations; provides for civil penalties for violation of an order issued under the statute; and allows the Secretary to order a facility to cease operations if the facility is not in compliance with the requirements. The statute also gives the Department the authority to protect from inappropriate public disclosure any information developed pursuant to Section 550, “including vulnerability assessments, site security plans, and other security related information, records, and documents.”
As discussed in the Advance Notice, by directing the Secretary to issue “interim final regulations,” Congress authorized the Secretary to proceed without the traditional notice-and-comment required by the Administrative Procedure Act. See 71 FR 78276, 78277. The Department, however, saw great benefit in soliciting comments on as much of the program as was practicable in the short timeframe permitted under the statute. Accordingly, the Department voluntarily sought comment on a range of regulatory and implementation issues and responds to the comments below.
II. Interim Final Rule Back to Top
A. Summary of Changes From Advance Notice of Rulemaking
In this interim final rule, the Department has not changed the general, risk-based approach it proposed in the December 28, 2006, Advance Notice. See 71 FR 78276. As discussed in detail below, the Department plans to implement the regulation in phases, starting to work aggressively with chemical facilities presenting the very highest security risks first. The Department adopts a risk-based tiering structure in its regulatory approach, so that the Department's scrutiny of facilities under this regulation increases as the level of risk increases. Even though this approach remains the same, the Department provides further details below on a number of unresolved issues presented in the Advance Notice. For example, the Department provides further detail on the issues surrounding background checks for those with access to high-risk facilities, and the Department describes its approach on facilities possessing ammonium nitrate.
On several important issues, the Department has reconsidered and modified the position it proposed in the Advance Notice. For example, in response to comments, the Department has restructured its provisions concerning objections, consultations, adjudications, and appeals. As discussed below, the Department's aim is to provide flexibility and assistance for facilities seeking to comply with the regulatory standards. The Department has decided, however, to incorporate a role for a neutral adjudicator where unresolved differences present themselves and result in significant fines or other penalties. In addition, the Department has modified a number of scheduling and timing requirements in response to comments, and the Department further explains its approach on preemption of state and local law after considering the numerous comments on that subject. Although the Department continues to view as important the opportunity for facilities to submit Alternative Security Programs, the Department modified the circumstances in which it will accept Alternative Security Programs.
Finally, the Department will consider the issues surrounding the use of fees in this regulatory program. The Department is contemplating the assessment of different fees, including filing fees, fees for inspections and audits, and fees for the screening of individuals against the Terrorist Screening Database. The Department has not provided for fees in this interim final rule, but may, in the future, propose and seek comment on the issues surrounding fees for this regulatory program.
B. Rule Provisions
This section summarizes the regulatory text changes that the Department has made to this interim final rule. In addition to the summary contained in this section, we have, in many cases, provided a more extensive discussion of the change, and the reason for the change, in the response to comments below. See§ III “Discussion of Comments.” Finally, to the extent that the Department has made technical corrections or corrected typographical errors, we do not specifically discuss them.
The Department has added a Purpose section to the rule. It states the Department's purpose and intent in issuing this rule and enforcing this regulatory program.
For purposes of clarity, DHS has added several definitions, including “Chemical Security Assessment Tool,” “Chemical-terrorism Vulnerability Information,” “Deputy Secretary,” “Director of the Chemical Security Division” and “Screening Threshold Quantity.” The Department has also revised a few definitions, including “Assistant Secretary” and “Under Secretary.” The Department revised “Under Secretary” as a result of organizational changes in the Department following the Post-Katrina Emergency Reform Act, which the President signed on October 4, 2006. See Public Law 109-295, Title VI. In several places, the Department indicated that the named official, or his designee, has the specified responsibility under the regulation. The Department also revised the definition of “Alternate Security Program,” to provide consistency with changes the Department has since made to § 27.235, the Alternate Security Programs section. The Department expanded upon the definition of “tier,” adding that, for purposes of this part, there are four risk-based tiers.
Finally, the Department made clarifying changes to “Chemical Facility,” “Covered Chemical Facility,” and “Owner.” With respect to the definition of “Chemical Facility,” the Department removed the circular nature of the definition in the Advance Notice (i.e., a chemical facility shall mean any facility) (emphasis added) and now provides that a chemical facility “shall mean any establishment that possesses or plans to possess * * *.”
Section 27.120Designation of a coordinating official; Consultations and technical assistance
The language in revised § 27.120(a) makes clear that the Assistant Secretary will designate a Coordinating Official responsible for ensuring the uniform, impartial, and fair implementation of these regulations. The language in revised § 27.120(b) indicates that the Coordinating Official and his staff shall provide guidance to facilities, and while the Coordinating Official and his staff will be available for consultation and to provide technical assistance, they will be available only to the extent that resources permit.
In § 27.120(c), the Department has provided specific details as to how a facility requests the assistance of the Coordinating Official. In the second sentence of § 27.120(c), the Department provides that requests for consultation or technical guidance do not serve to toll any of the applicable timelines set forth in this part. Accordingly, regardless of whether or when a facility submits a request for consultation or technical guidance, the Department will require the facility to comply with the regulatory requirements, such as completing the Top-Screen, identifying vulnerabilities in the Security Vulnerability Assessment, and developing and implementing a Site Security Plan.
The Department has added a new provision in § 27.120(d). This provision provides that a covered facility may request a consultation with the Coordinating Official if it modifies its facility, processes, or the types or quantities of materials that it possesses, and believes such changes may impact the covered facility's obligations under this part. The Department added this provision in response to commenters concerned about a facility's ability to “exit” the regulatory program. The Department recognizes that facilities that reduce risk to levels below those levels that the Department deems as that characterized for Tier 4 facilities (i.e., the lowest risk facilities of the “high risk” facilities) or that eliminate certain risks altogether may no longer need to be covered by this regulation. This provision allows the covered facility to request the initiation of the screening process (which determines whether or not the facility is high-risk and therefore whether the facility is or is not included in this regulatory program) prior to the facility's next scheduled CSAT Top-Screen submission pursuant to § 27.210. Through this consultation process, the facility may initiate discussions with the Department and ultimately accelerate the process for determining whether it can “exit” the regulatory program.
Section 27.200Information regarding security risk for a chemical facility
The Department has added several new provisions to this section. The Department has revised paragraph (b), by incorporating language from proposed § 27.200(a) of the Advance Notice and by also adding new provisions. The two sentences in paragraph (b)(1) come from the end of proposed § 27.200(a). Paragraph (b)(1) provides that the Assistant Secretary may seek the information listed in paragraph (a) by contacting chemical facilities individually or by publishing a notice in the Federal Register. It also provides that the Assistant Secretary may instruct facilities to complete and submit a Top-Screen through a secure Department Web site or through any other means approved by the Assistant Secretary.
Paragraph (b)(2) is a new provision. It provides that a facility must complete and submit a Top-Screen in accordance with the schedule provided in § 27.210 if it possesses any of the chemicals listed in Appendix A: “DHS Chemicals of Interest” at the corresponding quantities. For a further discussion of Appendix A, see the discussion of Appendix A further below in the Rule Provisions section. The purpose of this provision is to give facilities direction as to whether or not they must complete and submit a Top-Screen.
As noted in the discussion of Appendix A, the presence or amount of a particular chemical is not an indicator of a facility's coverage under this rule. The presence or amount of a chemical in the Appendix is merely a baseline threshold requiring a facility to complete and submit a Top-Screen. (Consistent with § 27.200(b)(1), DHS will retain the ability to notify facilities, through direct notification or Federal Register notice, that they need to complete and submit a Top-Screen.) The information that the Department will obtain through the Top-Screen process is only one of several factors that the Department will consider in determining whether a facility is “high-risk” and thus covered by this rule.
Paragraph (b)(3) addresses the requirements for individuals who submit information to the Department through the CSAT system, which includes the Top-Screen process. Paragraph (b)(3) provides that, where the Department requests that a facility complete and submit a Top-Screen, the facility must designate a person to be responsible for the submission of information through the CSAT system. (The CSAT system is comprised of three sequential parts: the Top-Screen, the SVA, and the SSP). The Department provides that any such submitter must be an officer of the corporation or other person designated by an officer of the corporation, and must be domiciled in the United States. The Department had contemplated such requirements in Appendix A to the Advance Notice and now finalizes them here.
Consistent with the explanation in Appendix A to the Advance Notice, the Department notes that a facility may choose to have another individual, in addition to the above-discussed “submitter,” involved in the submission of information through the Top-Screen. That other individual is a “provider.” A provider would be a qualified individual who is familiar with the facility in question and who completes the information in the CSAT system. The provider, however, would not formally submit information to the Department. The individual responsible for sending information to the Department through the CSAT system (whether Top-Screen, SVA, or SSP) is always the submitter. And as indicated in paragraph (b)(3), the submitter is also responsible for attesting to the accuracy of the submitted information.
Paragraphs (c)(1) and (2) address facilities that the Department deems as “presumptively high risk.” Both paragraphs were in the Advance Notice, though they were located in proposed §§ 27.200(b) and (c).
Section 27.205Determination that a chemical facility “presents a high level of security risk.”
The Advance Notice, at the end of § 27.205(a), contained a provision about Departmental notification to facilities of their preliminary placement in a risk-based tier. The Department has moved that language to § 27.220 “Tiering,” so that it is located with the related tiering provisions.
In addition, the Department has removed proposed § 27.205(c), along with §§ 27.220(b), and 27.240(c), all of which had contained a mechanism for objections. In the Advance Notice, the Department had provided facilities with the opportunity to object to the following three Departmental actions: determination that a facility “presents a high level of risk,” placement in a high-risk tier, and disapproval of a facility's Site Security Plan. The intention behind those provisions was to provide facilities with an informal opportunity to consult with the Department. The Department believes that the rule (including existing provisions from the Advance Notice as well as new provisions in this interim final rule) provides facilities with several opportunities for consultation when they disagree with an initial decision on these matters. Specifically, revised § 27.120(b) provides that the Coordinating Official and his staff shall be available to consult and to provide technical assistance to a facility owner or operator, revised § 27.120(c) provides the details for how a facility should initiate consultations or assistance, and revised § 27.120(d) provides that a covered facility may request a consultation if it modifies its facility, processes, or the types or quantities of materials that it possesses and believes such changes may impact the covered facility's obligations under this part. In addition, §§ 27.240(b) and 27.245(b) provide that a facility shall enter further consultations following Departmental written notification that a Security Vulnerability Assessment or Site Security Plan is unsatisfactory. Given that the rule already provides consultation opportunities, coupled with the fact that the Department has greatly modified its adjudication and appeal provisions, the Department believes it is unnecessary to retain these objections provisions and has thus removed them from the interim final rule.
Section 27.210Submissions Schedule
In § 27.210, the Department clarifies the submission schedule for the Top-Screen, Security Vulnerability Assessment, and Site Security Plan. In § 27.210(a) of the Advance Notice, the Department included a sentence indicating that the presumptive time frames were 60 days for the Security Vulnerability Assessment and 120 days for the Site Security Plan. In this interim final rule, the Department has added presumptive timeframes for the submission of the Top-Screen and revised the presumptive timeframes for SVAs and SSPs. See§ 27.210(a) and (b). The presumptive timeframes for initial submissions are 60 calendar days for the Top-Screen, 90 calendar days for the SVA, and 120 calendar days for the SSP. The presumptive timeframes for resubmission vary depending on a facility's tier. As a general matter, the Department will require facilities in Tiers 1 and 2 to update their Top-Screen, SVA, and SSP every two years, and facilities in Tiers 3 and 4 to update their Top-Screen, SVA, and SSP every three years.
In addition, the Department added a new paragraph (c), which addresses the Department's authority to modify schedules as necessary. The Department removed § 27.210(c) as it appeared in the Advance Notice, because the provision was unnecessary in light of the new provisions in § 27.120(b) and (c), “Designation of a coordinating official; consultations and technical assistance.”
Finally, the Department added a new paragraph (d), which addresses material modifications. In §§ 27.215(c)(3) and 27.225(b)(3) of the Advance Notice, the Department provided that a covered facility had to notify the Department of material modifications to the SVA or SSP and that the Department would notify the facility within 60 days of whether the Department disapproved the revised SVA or SSP. The Department has re-located a new but similar requirement in § 27.210(d). The regulation now provides that if a covered facility makes material modifications to its operations or site, the covered facility must complete and submit a revised Top-Screen to the Department within 60 days of completion of the material modification. In accordance with the resubmission requirements in § 27.210(b)(2) and (3), the Department will notify the covered facility as to whether the covered facility must submit a revised Security Vulnerability Assessment, Site Security Plan, or both. As a result of this new paragraph (d), the Department removed the provisions that appeared in §§ 27.215(c)(3) and 27.225(b)(3) of the Advance Notice.
Section 27.215Security Vulnerability Assessments and Section 27.225 Site Security Plans
The Department has revised several of the corresponding provisions in both § 27.215 and § 27.225. First, the Department has revised the corresponding provisions regarding methodologies. Specifically, the Department has revised the language in § 27.215(b) and added a new paragraph (b) in § 27.225. In both places, the Department explains that, except as provided in § 27.235, a covered facility must submit either the SVA/SSP through the CSAT process or any other methodology or process identified by the Assistant Secretary.
By this change, the Department is making more explicit its intention to use the CSAT process at this time. The CSAT process includes completion of the Top-Screen process and, depending on the results of the Top-Screen process, may also include the development of a Security Vulnerability Assessment and the development of a Site Security Plan. Thus, for facilities that are determined to be high-risk, the CSAT process will consist of three sequential parts (i.e., the Top-Screen, SVA, and SSP). The Department also notes that facilities will have to obtain access to the CSAT system by submitting a user registration request. Section 27.200(b)(1) contains the requirements for individuals (i.e., submitters) who will be submitting information through the CSAT system and attesting to the accuracy of that information.
Second, in paragraph (c) of both sections, the Department provides that a covered facility must submit an SVA or SSP to the Department in accordance with the schedule provided in § 27.210. This captures the requirement that had been located in proposed § 27.240(a)(1) of the Advance Notice.
Third, in paragraph (d) of both sections, the Department revised the update/revision provisions for submitting SVAs and SSPs. In the Advance Notice, the Department indicated that covered facilities must update or revise their SVAs or SSPs based on a schedule set by the Assistant Secretary. Because the Department has established a submission schedule in § 27.210, the Department now includes cross-references in § 27.215(d)(1) and § 27.225(d)(2) to that schedule. As a related matter, in § 27.215(d), the Department moved the general submissions schedule requirement to § 27.215(d)(1), thereby re-locating the provision formerly in § 27.215(d)(1) to § 27.215(d)(2).
Fourth, the Department has removed the language about material modifications from proposed § 27.215(c)(3) and § 27.225(b)(3). As discussed in the summary of § 27.210, the Department added a new, but similar, provision to § 27.210(d). The new provision now captures the concept contemplated in proposed § 27.215(c)(3) and § 27.225(b)(3).
With respect to changes to § 27.225 only, the Department has added a provision that requires facilities to conduct annual audits of their Site Security Plans. See§ 27.225(e). This provision had been implied in the recordkeeping requirement in the Advance Notice (see§ 27.255(a)(6)) and is now explicit. DHS made some additional revisions to the corresponding recordkeeping provision, in which DHS more clearly specifies the audit-related records that covered facilities should maintain.
Finally, throughout this document, the Department now uses the term “Security Vulnerability Assessment” (or SVA) instead of the term “Vulnerability Assessment” or (VA), which the Department had used in the Advance Notice. The Department intends no change in meaning with this revision.
The Department has added several paragraphs to this section. Section 27.220(a) addresses the Department's preliminary determination as to a facility's risk-based tier. Paragraph (a) is based on language that had been in the Advance Notice at the end of § 27.205(a). The Department has elaborated on the Preliminary Tiering provision. Notably, the Department has indicated that it shall notify a facility of the Department's preliminary tiering decision. This contrasts with the Advance Notice, which had merely indicated that the Department may notify a facility of the Department's preliminary tiering decision.
Section 27.220(b) is not a new subsection; rather, it contains the language that was previously located in § 27.220(a). Note that the Department has removed paragraph (b) as proposed in the Advance Notice. Paragraph (b) had contained an objections provision. For a discussion of the Department's decision to remove the objections provisions from this rule (in §§ 27.205(c), 27.220(b), and 27.240(c)), see the summary under § 27.205(c).
Section 27.220(c) is a new subsection. The Department is reiterating, in part, what it provides in the definitions section. The Department will place facilities in one of four risk-based tiers. Tiers will range from Tier 1, which contains the highest-risk covered facilities, to Tier 4, which contains the lowest-risk covered facilities. Finally, the Department separated the sentence located at the end of proposed § 27.220(a) into its own section, § 27.220(d).
Section 27.230Risk-Based Performance Standards
This section contains the risk-based performance standards that covered facilities must satisfy. The Department has added a sentence to § 27.230(a), noting that the “acceptable layering of measures used to meet the standards will vary by risk-based tier.” While all facilities must satisfy the performance standards, the measures sufficient to meet those standards will be more robust for those facilities that present higher levels of risk. In other words, the manner in which the standards are applied will require a higher level of security (and so provide for greater reduction in risk) for those facilities that present higher levels of risk. The Department will provide details about the application of these standards in guidance.
In addition, for each of the performance standards, the Department has added a short descriptor at the beginning of the subparagraph (e.g., paragraph (a)(1) begins with “Restricted Area Perimeter,” paragraph (a)(2) begins with “Securing Site Assets,” and so forth).
The Department has also revised some of the language related to specific performance standards. Section 27.230(a)(4) now provides that facilities must select, develop, and implement measures designed to “[d]eter, detect, and delay an attack, creating sufficient time between detection of an attack and the point at which the attack becomes successful.” This revised language more adequately captures the concept that the Department had intended in the language in paragraph (a)(4) of the Advance Notice and is more complete. Section 27.230(a)(5) now requires facilities to secure and monitor the storage of hazardous materials, in addition to the shipping and receipt of hazardous materials. Section 27.230(a)(8) now contains a broader description of critical process systems. In the Advance Notice, the Department had used the acronym “SCADA” (Supervisory Control and Data Acquisition) to refer to instrumented control systems in general. In this interim final rule, the Department has provided more descriptive terminology to refer to critical process systems. For a further discussion of SCADA, see the Department responses to “Comments on Specific Performance Standards.” Section 27.230(a)(12) contains an expanded standard for background checks. For a further discussion of background checks, see the Department response to comments about “Background Checks.” Section 27.230(a)(15) now provides that facilities should report significant security incidents to local law enforcement in addition to the Department. Finally, the Department has removed the paragraph that was paragraph 27.230(a)(19) in the Advance Notice, because that standard was already addressed in paragraph (a)(14).
Section 27.235Alternative security program
The Department has revised this section to provide more detail about the process for Alternate Security Programs (ASPs). The basic requirement remains the same, in that certain covered facilities may submit ASPs, and the Assistant Secretary may approve those ASPs. See§ 27.235(a). To accept an ASP, the Assistant Secretary must find that the program “provides an equivalent level of security to the level of security established by this part.” This language, which clarifies the standard for accepting ASPs, comes from the preamble of the Advance Notice and is consistent with the terms of Section 550. See 71 FR 78276, 78285.
In § 27.235(a)(1)-(2), the Department specifies, by tier, which facilities may submit ASPs in lieu of Security Vulnerability Assessments (SVAs) and which facilities may submit ASPs in lieu of Site Security Plans (SSPs). A Tier 4 facility may submit an ASP in lieu of a Security Vulnerability Assessment, Site Security Plan, or both. Tier 1, Tier 2, and Tier 3 facilities may submit an ASP in lieu of a Site Security Plan. Tier 1, Tier 2, and Tier 3 facilities may not submit an ASP in lieu of a Security Vulnerability Assessment. Accordingly, Tier 1, Tier 2, and Tier 3 facilities will have to submit their SVA through the CSAT system.
With respect to Tier 4 facilities, the Department clarifies the following point: Given that the Department notifies a facility of its final placement in a risk-based tier following the Department's review of a covered facility's SVA (see§ 27.220(b)), a facility will not know its final tier placement at the time it might decide to submit an ASP in lieu of a SVA. Because of that, the Department understands that facilities will rely on the Department's preliminary tiering determination made pursuant to § 27.220(a).
There are various reasons underlying the Department's decision not to accept ASPs as SVAs for Tier 1, Tier 2, and Tier 3 facilities. The Department needs a consistent baseline against which to compare risks and vulnerabilities across chemical facilities. (For a further discussion of this issue, see the Department's response to comments in § III(B)(1)). As well, the Chemical Security Assessment Tool (CSAT) system uses an integrated approach to chemical facility security, and by considering SVAs that use the methodology in the CSAT system, the Department can take full advantage of that integrated approach. Furthermore, by using this electronic, integrated CSAT approach, the Department can more efficiently review and assess a greater number SVAs, and that is of importance considering the Department's phased implementation scheme to address the highest risk facilities first.
The Department acknowledges that many facilities have expended substantial resources and incurred significant expense to identify vulnerabilities and to develop security plans. The Department commends facilities for such efforts. The work performed on these efforts is valuable, and DHS is committed to capitalizing on these investments. The information developed in these efforts will be relevant to facilities as they complete the CSAT SVA. Facilities will be able to use the information from existing vulnerability assessments, and in many cases, the practical impact of requiring Tiers 1, 2, and 3 facilities use the CSAT SVA system will be one of formatting, i.e., facilities will have to enter their information from their existing vulnerability assessments into the format established by the CSAT system. While some additional analytical effort will be required, even where the facility has produced a strong SVA, the effort will be considerably less than that at facilities that are starting without a pre-existing SVA.
In addition, § 27.235(b) provides that the notice requirements for submitting ASPs correspond with the notice requirements (including the approval and disapproval process) for SVAs and SSPs. In other words, if a facility is submitting an ASP in lieu of an SVA, the process in § 27.240 applies, and if a facility is submitting an ASP in lieu of an SSP, the process in § 27.245 applies.
Section 27.240Review and Approval of Security Vulnerability Assessment and Section 27.245 Review and Approval of Site Security Plans
In this interim final rule, the Department has separated the review and approval of SVAs and SSPs into two separate sections. In the Advance Notice, both sets of requirements were located in § 27.240. In this interim final rule, the provisions related to Security Vulnerability Assessments are located in § 27.240, and the provisions related to Site Security Plans are located in § 27.245.
In addition, the Department made some changes to the corresponding provisions in the two separate sections. In both sections, the Department has removed the language (from proposed § 27.240(a)(1)) about time periods for submitting SVAs and SSPs. The Department has already addressed this issue in §§ 27.215(c)-(d) and §§ 27.225(c)-(d) (by providing that a facility must provide, update, and revise its SVA and SSP consistent with the schedule in § 27.210), so it was unnecessary to also include this language here. Also, in both sections, the Department has added new language about the disapproval of SVAs or SSPs. The Department added a new sentence, which provides that “[i]f the resubmitted [SVA or SSP] does not satisfy the requirements of [§ 27.215 or § 27.225], the Department will provide the facility with written notification (including a clear explanation of deficiencies in the [SVA or SSP]) of the Department's disapproval of the [SVA or SSP].”See§ 27.240(b) and § 27.245(b).
Finally, the Department has added a provision in § 27.245(a)(1)(iii), indicating that the Department issues a Letter of Approval if it approves a facility's Site Security Plan in accordance with § 27.250. While this provision appears elsewhere in the rule (see§ 27.245(b)), the Department thought it was appropriate to include it here as well.
The Department has removed 27.240(c) as proposed in the Advance Notice. Paragraph (c) had contained an objections provision. For a discussion of the Department's decision to remove the objections provisions from this rule (in §§ 27.205(c), 27.220(b), and 27.240(c)), see the summary under § 27.205(c).
Section 27.250Inspections and Audits
The Department has added additional provisions to the inspection and audit section. In § 27.250(c), the Department discusses the time and manner requirements for inspections. While the Department will generally provide facilities with 24-hour advance notice of inspections, the Department recognizes two exceptions where an unannounced inspection might occur. The Department included the first exception in the Advance Notice, and the Department has added the second exception in this interim final rule. For a further discussion, see the Discussion of Comments in § III(F) on “Inspections and Audits.”
In § 27.250(d), the Department addresses various details related to the inspectors who will conduct inspections and audits. This is a new paragraph that was not in the Advance Notice. Although Congress has not provided the Department with administrative subpoena authority, this paragraph explains that inspectors will have credentials and may administer oaths and receive affirmations upon consent. It also provides details about the means by which inspectors may gather information and the access that inspectors will have to records. The Department has also added a paragraph (e), which addresses confidentiality. Finally, the guidance paragraph, which had been located in paragraph (d) has been moved to paragraph (f).
Section 27.255Recordkeeping Requirements
The Department revised various provisions related to recordkeeping. With respect to § 27.255(a)(1), the Department added a few additional record requirements regarding training. In addition to keeping records of the date and location of each training session, time of day and duration of each session, the name and qualifications of the instructor, and a clear, legible list of the attendees including attendees' signatures, the facility must also keep at least one other unique identifier for each attendee receiving training and the results of any evaluation or training. The Department also added a requirement to § 27.255(b), requiring facilities to keep submitted Top-Screens in addition to submitted SVAs and SSPs. In addition, as discussed above in the summary for § 27.225(e), the Department revised the recordkeeping provision related to internal audits. See§ 27.255(a)(6).
The Department also added a new paragraph (c), allowing the Department to request that covered facilities make available records kept pursuant to other Federal programs or regulations. The Department would make such requests for records to the extent that any such records were necessary for security purposes. As a result of adding new paragraph (c), the Department had to re-designate proposed paragraph (c) as paragraph (d).
The Department has substantially revised Subpart C, which contains the provisions for Orders, Adjudications, and Appeals.
The Department has restructured the Orders provisions. Whereas the Advance Notice contained four separate sections (see§§ 27.300, 27.305, 27.310, and 27.315), the Department has now consolidated all of the Order provisions into one section, § 27.300. The main substance of the Orders provisions, however, remains the same. Pursuant to § 27.300(a), the Assistant Secretary can issue an Order for any instance of noncompliance. For example, the Assistant Secretary may issue an Order for a facility's refusal to complete a Top-Screen, failure to allow an inspection, or failure to update a Site Security Plan.
Beyond a basic Order, the Assistant Secretary may issue an Order Assessing Civil Penalty, an Order to Cease Operations, or both, where it determines that a facility is in violation of any Order issued pursuant to paragraph (a). See§ 27.300(b). Orders Assessing Civil Penalty are for a continual noncompliance, a repeated pattern of noncompliance or egregious instances of noncompliance. Orders to Cease Operations are the most serious Orders that the Assistant Secretary might choose to issue under this regulatory scheme. The Assistant Secretary will use such a measure cautiously and judiciously and will balance the immediate security needs with the possible impact (e.g., economic impact or national security effect) of such an Order on the chemical industry and the Nation as a whole. As the Department wrote in the Advance Notice, “This authority would be utilized when no other options will achieve the required result.”See 71 FR 78276, 78287.
Paragraphs (c) through (f) of § 27.300 address the process and procedures for Orders. Section 27.300(c) lists the information, at a minimum, that the Assistant Secretary must include in an Order and also notes that the Assistant Secretary may establish further procedures for the issuance of Orders. Section 27.300(d) notes that a facility must comply with the terms of the Order by the date specified in the Order. Section 27.300(e) indicates that a facility has the right to seek an adjudication to review the decision of the Assistant Secretary to issue an Order, and § 27.300(f) addresses final agency action.
With respect to the staying of Orders, the Department addresses this issue in the new adjudications sections. Specifically, § 27.310(b)(4) provides that an Order is stayed from the timely filing of a Notice of Application for Review until the Presiding Officer issues an Initial Decision, unless the Secretary lifts the stay due to exigent circumstances pursuant to § 27.310(d). The new adjudications section is discussed in more depth below.
Section 27.305 through 27.340 Adjudications
Most significantly with respect to adjudications, the Department has provided facilities with the opportunity to seek review of specified decisions before a neutral adjudications officer. A facility or other person may seek review of the following Department (i.e., Assistant Secretary) determinations: (1) A finding, pursuant to § 27.230(a)(12)(iv) that an individual is a potential security threat; (2) The disapproval of a Site Security Plan pursuant to § 27.245(b); or (3) The issuance of an Order pursuant to § 27.300(a) or (b). See§ 27.310(a).
The procedures for Applications are found in § 27.310(b). To institute Adjudication Proceedings, the facility or other person (“Applicant”) must file a Notice of Application for Review within seven calendar days of notification of the Assistant Secretary's determination. See§ 27.310(b)(1)-(2). Then, in an Application for Review, the Applicant must explain his or her position (i.e., explain why the Assistant Secretary's determination should be set aside). The Applicant has 14 calendar days from the date of notification of the Assistant Secretary's determination to file and serve an Application for Review. See§ 27.310(b)(5). The Assistant Secretary, through the Office of the General Counsel, shall file and serve a Response within 14 calendar days of the filing and service of the Application for Review. See§ 27.310(c). Finally, the Secretary may make certain procedural modifications in exigent circumstances. See§ 27.310(d).
A Presiding Officer is the neutral adjudications officer who handles these proceedings. The Secretary shall appoint a Presiding Officer, consistent with the requirements in § 27.315. A Presiding Officer shall immediately consider whether a summary adjudication of an Application for Review is appropriate, and if the Presiding Officer finds that there is no genuine issue of material fact and that one party or the other is entitled to decision as a matter of law, then the record shall be closed and the Presiding Officer shall issue an Initial Decision on the Application for Review. See§ 27.330(b). Such summary decisions are governed by the procedures in § 27.330.
Where there is no summary decision, the Presiding Officer may conduct a hearing using the procedures specified in § 27.335. The Presiding Officer shall close and certify the record upon the completion of one of the following: a summary judgment proceeding, a hearing, the submission of post-hearing briefs, or the conclusion of oral arguments. See§ 27.340(a). Based on the certified record, the Presiding Officer shall issue an Initial Decision, and the decision shall be subject to appeal pursuant to § 27.345.
In addition to the sections mentioned above, there are a few other sections that address provisions related to adjudications. Section 27.320 specifies the prohibition on ex parte communications during Proceedings. And § 27.325 provides that the Assistant Secretary bears the initial burden of proving the facts necessary to support the challenged administrative action at every proceeding instituted under this subpart.
Finally, as related to the Appeals section below, a Presiding Officer's Initial Decision is stayed from the timely filing of a Notice of Appeal until the Under Secretary issues a Final Decision, unless the Under Secretary lifts the stay due to exigent circumstances. See§ 27.345(b)(4).
The interim final rule contains a revised appeals section. There are several differences. First, a facility or other person may appeal the Initial Decision of the Presiding Officer made pursuant to § 27.340(b). This differs from the Advance Notice, in which a facility could appeal a Departmental final determination regarding disapproval of a Site Security Plan and the Departmental issuance of an Order. See§ 27.320 in the Advance Notice. Second, the Advance Notice provided that the Under Secretary would make decisions for most categories of appeals, and the Deputy Secretary would make decisions for one category of appeal. This interim final rule provides that all appeals go to the Under Secretary or his designee acting as a neutral appeals officer. Third, as is discussed in more depth below, the procedures for an appeal have changed.
The Assistant Secretary, a facility, or other person (“Appellant”) may institute an Appeal by filing a Notice of Appeal within seven calendar days of notification of the Presiding Officer's Initial Decision. See§ 27.345(b)(1)-(3). The Appellant shall then file and serve a Brief within 28 calendar days of the notification of the Presiding Officer's Initial Decision. See§ 27.345(b)(5). The Appellee shall file and serve its Opposition Brief within 28 days of the filing of Appellant's Brief. See§ 27.345(b)(6). The Under Secretary shall issue a Final Decision and serve it on the parties. A Final Decision by the Under Secretary constitutes final agency action. See§ 27.345(f).
In addition to the provisions mentioned above, the Department notes the following: Pursuant to § 27.345(b), the Under Secretary may provide for an expedited appeal; pursuant to § 27.345(c), ex parte communications are prohibited; and pursuant to § 27.345(c), a facility or other person may elect to have the Under Secretary participate in any mediation or other resolution process by expressly waiving, in writing, any argument that such participation has compromised the Appeals process. In addition, pursuant to § 27.345(g), the Secretary may establish procedures for the conduct of appeals.
Section 27.400Chemical-Terrorism Vulnerability Information
The Department has made numerous clarifying changes to the chemical-terrorism vulnerability information (CVI) section. Some of these changes corrected typographical errors, while several others clarified existing provisions. With respect to a minor change, note that, in § 27.400 of the Advance Notice, the Department referred to CVI as “Chemical-terrorism Security and Vulnerability Information” and in this interim final rule, the Department now refers to CVI as “Chemical-terrorism Vulnerability Information.” The Department intends no change in meaning with this revision.
The Department has highlighted below the more substantive changes to § 27.400. With respect to paragraph (c), the Department has removed paragraph (c)(2), because that concept is already covered in paragraph (e)(1)(v). In paragraph (d)(1), the Department provides that covered persons must protect all CVI in their possession or control, including electronic data. In paragraph (e)(1), the Department added language providing that a person who might have a “need to know” includes “state or local officials, law enforcement officials, and first responders.” In paragraph (e)(1)(ii), the Department clarified that a person in training will only have access to CVI that he needs as part of his training, and in paragraph (e)(1)(iv), the Department clarified that a the person in a fiduciary relationship with a covered person who is representing or providing advice to that covered person will also have a need to know CVI. In paragraph (e)(2)(iii), the Department provides that it may require non-Federal persons seeking access to CVI to complete a non-disclosure agreement before such access is granted. In paragraph (f)(3), the Department shortened the distribution limitation statement and added a new sentence at the end, which provides: “[i]n any administrative or judicial proceedings, this information shall be treated as classified information in accordance with 6 CFR §§ 27.400(h) and (i).” And in paragraphs (h)(1), (i)(1), and (i)(2), the Department made it clear that these sections apply to the disclosure of CVI in the context of administrative or judicial enforcement proceedings of section 550 only, not any other kind of enforcement proceeding. Similarly, in paragraph (i)(7)(iii), the Department made it clear that this section applies only to judicial enforcement proceedings and not any other judicial proceeding.
Section 27.405Review and Preemption of State Laws and Regulations
The Department has made several changes to § 27.405, including various regulatory text changes. Among those changes, the Department has added paragraph (a)(1). The Department wishes to avoid any unintended consequences in the program's interaction with other Federal requirements. For this reason, § 27.405(a)(1) provides that “[n]othing in this regulation is intended to displace other federal requirements administered by the Environmental Protection Agency, U.S. Department of Justice, U.S. Department of Labor, U.S. Department of Transportation, or other federal agencies.” For a further discussion of these changes and preemption in general, see the section below entitled “Executive Order: 13132: Federalism.”
Proposed Appendix A: DHS Chemicals of Interest
In the Advance Notice, the Department sought comment on appropriate sources of information or methodologies for evaluating and categorizing chemical facilities.”See 71 FR 78276, 78282. The Department responds to those comments below in the “Discussion of Comments.” In this interim final rule, the Department has decided to evaluate chemical facility risks by, in part, classifying facilities by particular chemicals. In proposed Appendix A, the Department has included a list of “DHS Chemicals of Interest” along with Screening Threshold Quantities, or STQs, for each chemical. The Department has established STQs to trigger preliminary screening requirements. The STQ is not the threshold quantity for establishing whether a given facility is a high-risk facility, but only sets a threshold to require a facility to complete and submit a CSAT Top-Screen. As noted in the “Public Participation” section above, the Department is accepting public comment on proposed Appendix A for 30 days. Following the close of the comment period, the Department will review the comments and publish a final Appendix A. The requirements related to Appendix A, which are found in §§ 27.200(b)(2) and 27.210, will become operative on the date that the Department publishes a final Appendix A.
Pursuant to § 27.200(b)(2), if a facility possesses any chemicals identified in Appendix A at the corresponding quantities, the facility must complete and submit a Top-Screen. Consistent with the submission requirements in § 27.210(a)(1), the facility must complete the Top-Screen within 60 calendar days of the effective date of a final Appendix A or within 60 calendar days of coming into possession of any such chemical at the corresponding quantity. (As indicated in the regulatory text, this submission requirement is not operative until the Department publishes a final Appendix A.) Note that this provision does not affect the Department's ability to contact facilities independently of this list. Pursuant to § 27.200(b)(1), DHS may notify facilities, on an individual basis or through an additional Federal Register notice, that they need to complete and submit the Top-Screen. The Department notes that, where a facility has a question as to whether it should complete a Top-Screen, the facility can contact the Department and seek a consultation pursuant to § 27.120.
The Department reiterates that the presence or amount of a particular chemical listed in Appendix A is not the sole factor in determining whether a facility presents a high-level of security risk and is not an indicator of a facility's coverage under this rule. The DHS Chemicals of Interest list merely directs certain facilities to complete and submit the Top-Screen. This list serves as a tool to aid the Department in gathering information needed to administer the program under Section 550. In order for the Department to assess compliance by particular chemical facilities with the regulation (see Section 550(e)), the Department must first obtain information to determine whether the particular chemical facilities qualify for coverage under Section 550. The list set out in Appendix A serves as a procedural tool designed to aid the Department in determining which facilities must comply with the substantive standards. Only after the Department gathers additional information through the Top-Screen process will the Department make a determination as to whether a facility presents a high risk and therefore must comply with the regulatory requirements to ensure adequate security. Under Section 550, the Department has the authority to use its best judgment and all available information in determining whether a facility presents a high level of security risk.
In developing the “DHS Chemicals of Interest” list, the Department has looked to existing sources of information and has then drawn on many of those sources of information, including some of the sources that commenters suggested. Those sources include the following: (1) The chemicals contained on the EPA's RMP list. Pursuant to the Clean Air Act (42 U.S.C. 7401, et seq.), which provides that the EPA shall promulgate a list of substances that “in the case of accidental release, are known to cause or may reasonably be anticipated to cause death, injury, or serious adverse effects to human health or the environment (see 42 U.S.C. 7412(r)(3)), the EPA promulgated two lists. Table 1 is titled “List of Regulated Toxic Substances and Threshold Quantities for Accidental Release Prevention,” and Table 3 is titled “List of Regulated Flammable Substances and Threshold Quantities for Accidental Release Prevention” (see 40 CFR 68.130); (2) The chemicals from the Chemical Weapons Convention (CWC). Section 6701, et seq. of Title 22 of the United States Code implements the Convention on the Prohibition of the Development, Production, Stockpiling and Use of Chemical Weapons and on Their Destruction. The CWC covers three lists, or “schedules” of chemicals. Schedule 1 chemicals are provided in Supplement No. 1 to 15 CFR part 712, Schedule 2 chemicals are provided in Supplement No. 2 to 15 CFR part 713, and Schedule 3 chemicals are provided in Supplement No. 3 to 15 CFR part 714; and (3) Hazardous materials, including gases poisonous by inhalation (PIH) and explosive materials, which the Department of Transportation regulates. See 49 CFR 173.115(c), 49 CFR 173.50(b), and 49 CFR 172.101. The Department has also considered other categories of chemicals, such as chemicals that can be used as precursors for Improvised Explosive Devices (IEDs) and certain water-reactive materials that produce toxic gases.
The Department makes a few points with respect to the list in Appendix A. First, DHS is not using any existing list (e.g., the EPA RMP list) as its sole source, and DHS is not classifying all facilities on a list in one particular way (i.e., classifying all RMP facilities as high-risk). By using multiple sources at this initial phase, DHS believes it is obtaining a more complete picture of the universe of facilities that may qualify as high-risk. Second, in identifying the types and STQs of chemicals for Appendix A, the Department has sought to be sufficiently inclusive of chemicals and quantities that might present a high level of risk under the statute without being overly inclusive and therefore capturing facilities which are unlikely to present a high level of risk.
In addition to drawing on information from existing sources, the Department has identified chemicals by considering three security issues. These three security issues, which are explained below, address multiple risk areas.
1. Release—DHS believes that certain quantities of toxic, flammable, or explosive chemicals or materials, if released from a facility, have the potential for significant adverse consequences for human life or health.
2. Theft or Diversion—DHS believes that certain chemicals or materials, if stolen or diverted, have the potential to be used as weapons or easily converted into weapons using simple chemistry, equipment or techniques in order to create significant adverse consequences for human life or health.
3. Sabotage or Contamination—DHS believes that certain chemicals or materials, if mixed with readily-available materials, have the potential to create significant adverse consequences for human life or health.
In proposed Appendix A, the Department lists the DHS Chemicals of Interest and identifies a Standard Threshold Quantity (STQ) for each chemical. To clearly identify each chemical, the Department includes the Chemical Abstract Service (CAS) number for each chemical. These chemicals listed in proposed Appendix A fall into the three categories identified above: chemicals with a release hazard, chemicals with a theft or diversion hazard, and chemicals with a sabotage or contamination hazard.
The Department acknowledges that there are two additional security issues that it is considering at this time, although it is not including any such chemicals that would trigger a Top-Screen submission. They include the following two issues:
1. Critical Relationship to Government Mission—DHS believes that the loss of certain chemicals, materials, or facilities could create significant adverse consequences for national security or the ability of the government to deliver essential services.
2. Critical Relationship to National Economy—DHS believes that the loss of certain chemicals, materials or facilities could create significant adverse consequences for the national or regional economy.
The Department is continuing to assess currently-available information about these chemicals critical to government mission and the national economy. The Department will use the information it collects through the Top-Screen process, as well as currently-available information, as a means of identifying facilities responsible for economically critical and mission-critical chemicals.
III. Discussion of Comments Back to Top
In the Advance Notice, DHS sought comment on proposed text for the interim final rule as well as on various implementation and policy issues concerning the chemical security program. DHS received a total of 106 public comments totaling more than 1,300 pages, including comments from thirty-two trade associations, thirty companies, thirteen private citizens, ten state agencies and associations, seven advocacy and safety groups, eight U.S. Representatives, five U.S. Senators, four unions, one Local Emergency Planning Committee, one professional association, one international standards committee, and the U.S. Small Business Administration.
Commenters generally applauded this effort from the Department and commended the general approach that the Department is taking. However, commenters also raised some specific concerns. In the sections below, DHS provides a topical summary of the comments and responses to those comments.
A. Applicability of the Rule
1. Definition of “Chemical Facility or Facility”
The Advance Notice defined “Chemical Facility or facility” to mean “any facility that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other risk-related criterion identified by the Department. * * *”See proposed § 27.100.
Comment: While a few industry and State agency commenters supported this definition, commenters generally thought that the proposed definition was broad. In particular, several industry commenters, an industry association, a labor union, and a State agency thought the proposed definition was overly broad and consequently did not inform facilities about whether they would be regulated. They noted that the definition did not name the regulated chemical substances or the threshold quantities. One commenter argued that DHS's failure to release to the public its proposed list of “potentially dangerous chemicals” and threshold amounts for those chemicals denies the public the opportunity to comment on key provisions of the rule that depend on whether the facility possess specified quantities of chemicals determined by DHS to be potentially dangerous. The commenter explained that it is difficult to comment on that aspect of the rule without knowing what the chemicals and thresholds are. An industry group cautioned that threshold quantities should be set high enough that retail establishments are not covered merely because they stock commercially acceptable quantities of commonly used chemicals. A few industry commenters and a member of Congress added that the definition of chemical facility should include the concepts of national security and economic criticality.
Several industry commenters supported the use of EPA's Risk Management Plan (RMP) program to help identify the initial group of regulated facilities. Commenters supported use of the RMP list of toxic substances as a basis for selecting chemical facilities. Likewise, one association felt that DHS should link its definition of chemical facility to those facilities covered by EPA's RMP, because it is a clear and defined list. The industry commenters noted, however, that not all RMP facilities should be considered high-risk. One commenter pointed out that RMP does not take into account facilities that may cause substantial impacts from multiple tanks. A few commenters also recommended that DHS should consider facilities in EPA's Toxic Release Inventory program or facilities that handle DOT hazardous materials.
One commenter emphasized that the rule could focus on toxic gases at RMP threshold quantities, but warned that the RMP program has a different purpose. The commenter indicated that worst-case scenarios under RMP may be based on unrealistic assumptions. Another commenter indicated that DHS should consider certain substances from the Chemical Weapons Convention list when assessing overall risk. Finally, some industry commenters objected to the phrase “possesses or plans to possess,” because the term implies legal title or ownership rather than simple presence at the facility.
Response: Aside from the minor modification noted above, DHS is retaining the definition of chemical facility that it proposed in the Advance Notice. And while DHS is not defining “chemical facility” by listing specific chemicals, DHS is making available, with the issuance of this rule, a list of those chemicals and Screening Threshold Quantities (STQs) that it proposes to use to determine whether to further assess whether a chemical facility presents a high risk. Specifically, if a facility possesses any of the chemicals, at the corresponding quantities, in Appendix A (when finalized), the facility must complete and submit a Top-Screen within 60 calendar days. See§ 27.200(b)(2) and § 27.210(a). The Department will continue to contact facilities individually and through additional Federal Register notices, as necessary. See§ 27.200(b)(1). To the extent the Department notifies facilities through an additional Federal Register notice, the Department will engage in outreach activities with the chemical sector.
Finally, in response to specific comments above, the Department makes two additional points. The Department has retained the phrase “possesses or plans to possess.” DHS believes that phrase adequately captures the Department's intent. The plain meaning of those terms is not limited to ownership. Also, with respect to the commenter who cautioned that any types of threshold quantities should be high enough so that DHS does not cover all retail establishments that stock commercially acceptable quantities of commonly used chemicals, DHS notes that it is aware of that issue. While DHS believes these STQs are set at levels that normally will not cover such retail establishments, DHS believes that, if a retail establishment does exceed any of these STQs, the retail establishment will have to complete the Top-Screen.
2. Multiple Owners and Operators
The second half of the definition of “Chemical Facility or facility” provides that the terms “shall also refer to the owner or operator of the chemical facility. Where multiple owners and/or operators function within a common infrastructure or within a single fenced area, the Assistant Secretary may determine that such owners and operators constitute multiple chemical facilities depending on the circumstances.”See§ 27.105.
Comment: Comments were varied on the issue of multiple owners and operators. One industry commenter suggested that DHS should combine adjacent facilities under common ownership into a single facility, and other industry commenters thought that DHS should define certain adjacent facilities as less than the entire property. One industry commenter thought that DHS should allow facilities with multiple owners or operators to agree among themselves how to meet the requirements of this rule. A trade association noted that some large chemical facilities have third-party warehouses and leasing agreements and that the owners of the chemical facility should be responsible for security.
Response: DHS believes that it will generally be fairly straightforward for facilities to define their boundaries and identify the party (at their facility) that is responsible for compliance with the regulation. However, DHS acknowledges that, in some circumstances, the issue might be more complex. The Department will address these situations on a case-by-case basis. Both owners and operators of facilities, however, bear responsibility under the regulations for implementing measures that meet the regulatory standards.
3. Classifying Facilities Based on Hazard Class
Comment: In the preamble to the Advance Notice, DHS requested comment on whether it should use an approach based on hazard class, rather than use an approach where classifications are based on particular chemicals. Responses were mixed.
Several commenters favored the hazard class approach, noting that facilities are familiar with the DOT hazard classes, that the hazard classes may be harmonized with international requirements, and that the number of chemicals (in a non-hazard class approach) might otherwise be very large. Some of the commenters who favored the hazard class approach also noted some caveats to its use. Industry commenters and a State agency warned that the hazard class approach could result in the inclusion of chemicals that do not pose a security risk. Conversely, others noted that the hazard classes may not include chemicals of concern from a terrorism perspective. Commenters noted that other agencies may regulate the hazard classes under other programs. Also, one State agency association pointed out that a combination of chemicals might be more dangerous than any one chemical. One firm suggested that the DHS approach should include both the hazard class approach and the classification of chemicals approach.
A few industry commenters indicated that basing the applicability of the rule on hazard classes would be inappropriate and that they favored a list of security-sensitive chemicals with threshold quantities. One trade association supported the use of lists of particular chemicals, explaining that they thought it would lead to more accurate assessments of likelihood and consequence and therefore risk. They also argued that DHS publish the list in the final rule.
Response: As explained above, DHS is publishing a list of “Chemicals of Interest” in Appendix A to this interim final rule. The list contains specific chemicals and STQs. That list is a baseline screening threshold against which facilities will know whether they need to complete and submit a Top-Screen. While DHS's primary approach will be through the classification of chemicals, DHS will not preclude the use of the hazard classes for certain purposes in the performance standard guidelines.
4. Applicability to Specific Chemicals or Quantities of Chemicals
Comment: Several commenters discussed specific chemicals and whether or not the regulation should cover facilities that possess those chemicals. Several commenters thought that DHS should not cover anhydrous ammonia or ammonium nitrate, both of which are discussed in more depth below. A local government agency urged DHS to cover facilities that store propane, while other commenters indicated that DHS should not cover flammable fuels such as propane. A few commenters noted that some facilities may have only small amounts of chemicals or may handle them only intermittently. A trade association suggested that DHS should allow such facilities to adjust their level of security to the level of risk. Another commenter urged DHS to consider the nature of batch production facilities, which make a continually changing mix of products using a continually changing, and often unpredictable, mix of ingredients.
With respect to anhydrous ammonia, commenters noted that the chemical is in the EPA RMP list but indicated that it should not be a chemical that DHS regulates. They explained that ammonia refrigeration is used for dairy and food processing facilities and that those facilities do not pose a significant risk to human health, national security, or the economy, because an attack on such a facility would not result in a catastrophic release of ammonia. In addition, the commenters stated that the food industry (which uses anhydrous ammonia for refrigeration) should not have to spend its resources enhancing security for refrigeration systems.
With respect to ammonium nitrate (AN), some industry commenters noted that AN is an important part of the economy in both the explosives and the fertilizer industries. They noted that the threat posed by AN is not that of a direct attack but of theft or diversion for later criminal misuse. While they said that DHS should focus not only on the possibility of a direct attack at facilities with “weaponizable” chemicals, but on facilities with risks of theft or diversion, they suggested that DHS place those facilities (i.e., those with risk of theft or diversion) in lower-risk tiers.
One commenter recommended requirements for chain-of-custody control and suggested that the ATF could assist in enforcement at AN sites with commercial explosives; other commenters favored regulation by DHS, not ATF. Another commenter believed that DHS should work with the U.S. Department of Agriculture and producer groups in deciding whether to regulate an agriculture operator or supplier. An industry commenter noted that the mere presence of AN at a site should not trigger application of DHS's screening process. Two members of Congress argued that the rule should apply to AN manufacturing facilities, but they agreed with DHS and other commenters that DHS should subject AN facilities to regulatory requirements based on the nature of the facility and risk assessment results. The commenters thought that by including AN facilities in the regulatory program, DHS would make it more difficult for terrorists to acquire this product.
Response: The Department's regulatory scheme will cover chemical facilities that present a high risk because they possess or plan to possess chemicals that terrorists may use or target in the furtherance of acts of terrorism. Facilities that possess chemicals that are hazardous and can be used as weapons, such as anhydrous ammonia or ammonium nitrate, will be regulated if they present a high risk. However, a facility that possesses a chemical substance that does not cause it to present a high risk (taking into account all relevant factors), or possesses an otherwise hazardous chemical in an amount that is below what would cause the facility to present a high risk (again, taking into consideration all relevant factors), will not be regulated.
Accordingly, with this interim final rule, DHS plans to regulate high-risk facilities with ammonium nitrate and anhydrous ammonia using the same risk-based approach under which it plans to regulate all other high-risk facilities. If DHS later decides that any individual chemicals warrant specialized attention in regulatory provisions, DHS will address such chemicals through future rulemakings.
5. Applicability to Types of Facilities
Comment: A few commenters suggested that the rule should not apply to railroad facilities, because such facilities are covered by current and proposed requirements from the Department of Transportation's (DOT) Federal Railroad Administration and Pipeline and Hazardous Materials Safety Administration and DHS's Transportation Security Administration (TSA). Those commenters asserted that railroads should be treated separately from fixed facilities and that the proposed requirements are inappropriate for railroad facilities. One commenter requested exemptions for motor vehicles and rail cars that are “in transit.” Another commenter asked DHS to take a system-wide approach and recognize the interdependence of chemical facility and rail security.
Response: Regulating chemicals in the railroad system is a complex issue, and DHS continues to evaluate it. TSA is the lead component within DHS for the security of transportation facilities and has initiated some recent efforts to address rail security, including Voluntary Agreements with the rail industry and a Notice of Proposed Rulemaking on Rail Transportation Security. See 71 FR 76852 (December 21, 2006). With respect to chemical security, certain aspects of Section 550 and TSA's authorities are concurrent and overlapping. DHS is working, and will continue to work, with its components, including TSA, to determine whether DHS will include railroad facilities in its chemical security program. DHS presently does not plan to screen railroad facilities for inclusion in the Section 550 regulatory program, and therefore DHS will not request that railroads complete the Top-Screen risk assessment methodology. DHS may in the future, however, re-evaluate the coverage of railroads, and would issue a rulemaking to consider the matter.
Comment: Commenters asked about the applicability of the rule to natural gas pipelines and facilities, with some noting that DHS should not regulate pipelines because DOT/PHMSA and DHS/TSA already regulate safety and security of pipelines. Other commenters asked about DHS's plans to address other large facilities, such as mines. One engineer pointed out that mining facilities can be very large and can cover thousands or tens of thousands acres but that the security-sensitive portions of those mines may be very small (e.g., a single tank).
Response: Whether a facility is covered under this regulation is driven by a number of factors, including the specific types and quantities of chemicals at a given facility. Whether the Department will apply the requirements of this regulation to a facility depends, in part, on the chemicals present at that facility. In the case of natural gas pipelines, DHS has no intention at this time of requiring long-haul pipelines to complete the Top-Screen (or prepare Security Vulnerability Assessments and develop Site Security Plans). But chemical facilities otherwise covered by this regulation and with pipelines within their boundaries must treat those pipelines like any other asset, i.e., include measures in their Site Security Plan addressing the security of those pipelines.
Related to this, DHS makes a clarifying point about facility assets in general. DHS expects that facilities will address all facility assets in their Security Vulnerability Assessments and Site Security Plans, as any given facility asset has the potential to have an effect on the consequence and/or vulnerabilities of the facility. Facility assets include any items or structures (such as buildings, vehicles, laboratories, or test facilities) located on an area owned, operated, or used by the facility. Such assets may exist inside or outside of perimeter structures.
Similarly, the extent of coverage of mines in this regulation will depend in part on the type and amount of chemicals present at any given mine facility. The Department expects that mines will comply with the requirements of § 27.200(b) and complete and submit the Top-Screen as required in that section. With respect to large mines that may only possess a concentrated amount of a given chemical in one discrete location, if the given chemical (and quantity) is one that the Department believes presents a security risk, the Department will expect that the facility will go through the screening process. While the facility may have to develop a Site Security Plan, the SSP would be tailored to the specific circumstances at the mine. The SSP for a large mine with a concentrated amount of one chemical in one location would surely look dramatically different than that of mine company with different circumstances (e.g., a large mine with larger quantities of different types of chemicals spread throughout the mine or a smaller mine with moderate quantities of very hazardous chemicals in several different locations).
6. Statutory Exemptions
Comment: Some commenters asked why § 27.105(b) excluded certain facilities from the rule, and another commenter suggested that the exempted facilities should be reviewed to determine if they would be considered high-risk but for the exemption.
Other commenters suggested additional exemptions. One commenter suggested that the rule should not apply to most facilities that manufacture, sell, or reclaim lead-acid batteries, and another commenter believed DHS should exclude pesticide facilities. Yet another commenter thought that most facilities storing petroleum products, some of which are exempted under proposed § 27.105(b), are not high-risk facilities.
Response: In the authorizing legislation for this regulation, Congress exempted various facilities from this rule. See Section 550(a). DHS has included those exemptions in § 27.110(b) of the rule. The statute provides for the following exemptions: facilities regulated pursuant to the Maritime Transportation Security Act of 2002, Public Law 107-295, as amended; public water systems (as defined by Section 1401 of the Safe Drinking Water Act); water treatment works facilities (as defined by Section 212 of the Federal Water Pollution Control Act); any facilities owned or operated by the Departments of Defense and Energy; and any facilities subject to regulation by the Nuclear Regulatory Commission. The Department has considered the exemptions requested by commenters, and, at this time, the Department does not intend to provide any additional regulatory text exemptions.
Comment: Some industry commenters supported the exemptions in § 27.110, such as the exemption for facilities regulated under the Maritime Transportation Security Act (MTSA). In addition, one association wanted to exclude from the Top-Screen requirements any facilities covered under MTSA. Other commenters asked for clarifying information about the exemptions.
Response: In the Advance Notice, the Department discussed the applicability of this rule to maritime facilities. See 71 FR 78276, 78290. In this interim final rule, the Department clarifies that it will apply the statutory exemption only to facilities regulated under 33 CFR part 105, Maritime Facility Security regulations. Part 105 of Title 33 of the Code of Federal Regulations is the only regulation that imposes the security plan requirements of 46 U.S.C. 70103 on maritime facilities.
Comment: A State agency believed that the Nuclear Regulatory Commission (NRC) exemption should apply only to facilities holding an NRC power reactor license and disagreed with the exemptions for public water systems and treatment works.
Response: The Department agrees with the commenter and will apply the statutory exemption to facilities where NRC already imposes significant security requirements and regulates the safety and security of most of the facility, not just a few radioactive sources. For example, a power reactor holding a license under 10 CFR part 50, a special nuclear material fuel cycle holding a license under 10 CFR part 70, and facilities licensed under 10 CFR parts 30 and 40 that have received security orders requiring increased protection, will all be exempt from 6 CFR part 27. A facility that only possesses small radioactive sources for chemical process control equipment, gauges, and dials, will not be exempt.
B. Determining Which Facilities Present a High-Level of Security Risk
1. Use of the Top-Screen Approach
Comment: In general, many industry associations and chemical companies supported the use of a tiered approach that narrows DHS's focus to high-risk facilities. Several commenters pointed out as a problem the fact that they had been unable to review the details of the approach and associated criteria; several commenters suggested that knowledgeable parties should have an opportunity to review the details. Many of the commenters wanted to make sure that the final group of high-risk facilities was determined based on risk (not just on potential consequence or limited pieces of threat data) and that the number of facilities in this group was small.
Associations differed in their views on how inclusive the Top-Screen process should be—one association wanted DHS to screen out certain low-risk facilities in the first few questions while other associations and a chemical company wanted DHS to make sure that as many facilities as possible submitted Top-Screen data, including some facilities that might not traditionally be considered chemical facilities. Several associations urged DHS not to presumptively classify facilities as high-risk without perfect information; they felt that doing so would go beyond the authority that Congress granted DHS and would not match the intended focus on high-risk facilities. A local agency took the opposite view on that question.
Several commenters provided input on the data that facilities will need to enter into the Top-Screen. One association suggested that DHS allow facilities to enter chemical volumes in ranges and asked that DHS provide guidance on handling mixtures and blends. That association also questioned how facilities should address chemicals that are stored offsite. Another association encouraged DHS to include reactive chemicals and propane in the Top-Screen. One advocacy group encouraged DHS to incorporate chemical transportation in the rule and the Top-Screen.
Commenters also provided input on how DHS should process the information that it receives through the Top-Screen. One industry association suggested that facilities should be allowed to explain “yes” responses before DHS drives the facility to a full Security Vulnerability Assessment. The association suggested that facilities should not be the ones to estimate consequences, particularly injuries, and that DHS should refine the definition of injuries. The association stated that DHS should have different requirements for facilities that only periodically have certain materials onsite. One association cautioned about using RMP data and advocated for DHS to use conversion factors to make estimates of casualties.
Several commenters were concerned about the questions in the Top-Screen that related to economic impacts. Several associations indicated that DHS should use a sufficiently high threshold for economic impacts that captures the full extent of economic impacts. They noted that a facility should consider all impacts, not just the impacts to one facility. One association commented that most facilities will not be able to provide answers to the questions in the Top-Screen that ask about a facility's market share for given chemicals. That association suggested that DHS re-phrase those questions to support yes/no answers or to allow facilities to use broad ranges.
Several associations commented that the submitting company, not DHS, should determine the most appropriate person to submit data. A number of parties commented on DHS's subsequent use of the data that is collected through the Top-Screen. One association commented that any information must have demonstrated utility before it is shared with anyone.
As for timing, commenters, including State agencies, requested that DHS provide facilities with the specific timing requirements for completing the Top-Screen. One industry association recommended that DHS use phased-in timing for having facilities complete the Top-Screen. A number of commenters from State agencies and industry associations suggested the need for DHS to provide active, written notification that a facility is not high risk—and for telling facilities that they need to comply with the regulation. One association suggested that DHS provide this notification immediately upon the facility's submission of data.
Finally, a number of company and industry association commenters wanted to make sure that facilities have the opportunity to conduct independent evaluations (or meet with DHS) to verify or deny DHS's initial classification of a facility's risk.
Response: In this regulatory program, DHS will employ a modified version of the Risk Analysis and Management for Critical Asset Protection (RAMCAP) risk assessment methodology known as the Chemical Security Assessment Tool, or CSAT. The RAMCAP Sector Specific Guidance was developed under contract to DHS by the ASME Innovative Technologies Institute (ASME-ITI) and leveraged the knowledge and insight of leading experts from across the industry and Federal Government. The DHS Risk Assessment Methodology is composed of two separate parts. The first part is a screening tool known as the Top-Screen, which is used to perform a preliminary “consequence” analysis. The second part provides the tools to conduct a thorough facility Security Vulnerability Assessment.
DHS is using a standard vulnerability tool, the CSAT system, because it is not practical for DHS to accept a broad spectrum of methodologies. Even where certain “equivalencies” exist between methodologies, the equivalencies can only be extracted and employed in a comparative risk analysis at very great cost and over a very long period of time. In order to effectively manage risk at the national level, the Department must be able to develop and understand the relative risk of different facilities. A comparative risk capability is essential to regulation and can be achieved only through the collection of comparative data. Thus, a standard vulnerability tool is necessary.
The Department has vetted the CSAT system with the engineering profession, the National Laboratories, and academia. The Top-Screen component, as well as the individual algorithms employed in the Top-Screen, have been subject to extensive peer review and have been found acceptable. While the Top-Screen is consequence-specific, DHS uses the Top-Screen only to determine a preliminary tier ranking. DHS bases a facility's final tier ranking upon the complete Security Vulnerability Assessment, as well as the application of threat information—and thus it is risk-based.
Insofar as the range of facilities possessing dangerous or potentially dangerous chemicals is large, there is no good alternative to a fairly broad range of facilities being included in the screening process. DHS anticipates that the vast majority of screened facilities will be found not to have a level of potential consequences that would result in a “high risk” designation. However, the facilities that do achieve that level of consequence are expected to come from a fairly broad swath of the Nation's economy. DHS has no intention of classifying facilities as presumptively high risk until and unless DHS is unable to acquire sufficient data.
The Top-Screen will enable DHS to determine a preliminary tier based on consequence. That ranking will determine the need for (and timeline for) a Security Vulnerability Assessment, and where the Top-Screen indicates the need for a follow-on Security Vulnerability Assessment, DHS will expect that the owner-operator will comply. The Department will require facilities to submit the Top-Screen within the timeframes now specified in § 27.210. The Department notes that the Top-Screen is designed to preclude a large number of “false negatives.”
DHS is establishing the entire CSAT system as an on-line suite of tools, which will allow notification of results to the owner or operator. As provided in § 27.205, the Department “shall notify the facility in writing [of a determination that the facility presents a high level of security risk].” While the online feature of the CSAT system will allow rapid results, it will not allow the Department to respond instantaneously, as some commenters requested. Finally, the Top-Screen tool does require the owner-operator to provide certain data similar to an RMP analysis; however, casualty estimates and consequence ranking are performed by DHS using well-vetted formulae.
Regarding economic criticality, DHS recognizes the complexity of estimating potential economic or mission impact stemming from the loss of certain manufacturing (or other) capacity. Accordingly, DHS will focus early efforts on developing a sufficiently clear picture of the chemical industry as a system in order to allow a reasonable analysis of economic and mission criticality, which will be enhanced as the Department moves forward.
2. Assessment Methodologies
Comment: Many commenters provided input on methodologies that DHS should use for determining which facilities present a high level of risk, and several commenters had suggestions as to how DHS should determine which facilities are high-risk. One association asserted that DHS needed to clearly define the “risk of interest” before DHS could determine which methodology to use. One (non-chemical) company suggested that DHS use other Federal programs such as the EPA's Toxics Release Inventory or the Superfund Amendments and Reauthorization Act (SARA) Tier II annual reports to determine high risk facilities. Commenters addressed the suitability of both asset- and scenario-based approaches, with the majority favoring an asset-based approach. Commenters suggested that DHS consider specific methodologies developed by associations, national laboratories, or State and Federal agencies. One association suggested that DHS use other methodologies while RAMCAP continues to develop and mature. State agency commenters warned that the question of which facilities pose a high risk is a community-specific issue.
Many comments were very specific as to how DHS should proceed, and what tools DHS should employ. For example, an engineering firm focused on the need for process-based assessments. A chemical company noted the need for any approved methodology to also consider the criticality of surrounding and supporting infrastructure in a reasonable manner—that is, one that is within the expertise of the facility personnel.
Many commenters also focused on various aspects related to RAMCAP. One commenter asserted that RAMCAP might not adequately identify high-risk facilities. Another commenter asked who owns RAMCAP. Several commenters noted that the RAMCAP approach was not designed to address control system cyber security. Another commenter felt that DHS provided inadequate detail on the RAMCAP methodology and noted that DHS should define the method before DHS solicits comment. Several commenters also pointed out that RAMCAP's lack of details on vulnerability team composition and experience could be a limitation. Some of RAMCAP's developers took issue with deviations from the original RAMCAP design. Another commenter pointed out the need for DHS to include proper references to the RAMCAP and its genesis.
Also related to RAMCAP, some commenters expressed concern with the details in Appendix B, “Background: Risk Analysis and Management Critical Asset Protection (RAMCAP) Vulnerability Assessment Methodology.” In particular, some expressed concern about expectations that the noted threat scenarios would be analyzed as design basis threats. The commenters noted that many of the scenarios require military support to defeat, and that appears to be beyond the capability of a chemical facility to address. Associations noted that scenarios can be useful in a comparative top-screen, but that they should not guide all facility-specific assessments. One company opined that the threats needed to be more realistic before they were used in any assessments.
Finally, one chemical company commented that DHS needs to list in the rule the specific threats that facilities need to address in their SSP. Also, the company indicated that DHS, not individual companies, should determine deaths and injuries.
Response: In the Advance Notice, DHS sought to provide an overview of RAMCAP and the DHS Methodology Assessment in the preamble (see, e.g., pp. 78277-78288) and in Appendix B. As there seemed to be confusion about the nature and purpose of RAMCAP and the DHS Assessment Methodology (or CSAT) and its purpose, DHS provides further explanation here.
The CSAT vulnerability assessment tool, part of the CSAT system owned by DHS, is an asset-based vulnerability assessment tool very similar to the Chemical Sector RAMCAP module. The CSAT system employs a set of defined attack vectors, used to both “produce” consequences (for the measurement of criticality) and to measure vulnerability. These are not “Design Basis” threats and in no way reflect the type of actual threats against which owner-operators will be expected to “defend.” They are measurement devices, supporting the DHS need to conduct comparative risk analysis. The CSAT tool does include basic assessments of certain types of cyber systems, and certain features thereof. However, the CSAT tool is not intended to be a full-scope, detailed analysis of all possible areas of vulnerability. It is a measurement tool that will allow general categorization of a facility as vulnerable or not, critical or not, and thus, at risk or not. DHS will undertake detailed evaluations of specific security issues as part of the ongoing relationship between the facility owner-operator and DHS. The assessment tool that DHS uses to conduct comparative risk assessments must be uniform and consistent in order for DHS to use it, and so a “menu” of different methodologies is simply not practical.
Finally, DHS notes that there were several comments from companies, encouraging the Department to adopt or require their own methodology or technique. DHS is unaware of the extent of peer review or scientific evaluation of these other methodologies or techniques. In addition, DHS does not believe it is appropriate to identify a single commercial product or endorse particular commercial products for purposes of complying with this rule.
3. Risk-Based Tiers
In the Advance Notice, the Department asked for comment on the notion of risk-based tiering of high-risk facilities. Specifically, the Department asked how many risk-based tiers should the Department create, what the criteria should be for differentiating among tiers, what the types of risk should be most critical in the tiering, how should performance standards differ among risk-based tiers, what additional levels of regulatory scrutiny should DHS apply to each tier. 71 FR 78276, 78283.
Comment: Most commenters supported the establishment of risk tiers and agreed that three or four tiers would be sufficient. Several comments, including industry commenters, State agencies, and a member of Congress believed that DHS should base tiering on the attractiveness of the facility as a target or the consequences of a terrorist attack, such as adverse impacts on public health and welfare, the potential for mass casualties, and disruption of essential services. The commenter indicated that the creation of tiers would allow facilities to maintain security measures commensurate with risk.
A few commenters suggested that DHS did not provide enough information in the Advance Notice on the number of tiers or on how a tier classification would affect a facility's security requirements. Two industry commenters were concerned that DHS might apply the rule requirements to facilities other than those that pose the highest security risk. Two other commenters believed that the tiering approach is not appropriate for cyber security of control systems. One commenter argued that tiers should include consideration of the transportation of chemicals outside the facility property. Another commenter recommended that DHS should modify the tiers after it receives data from regulated facilities. Another commenter thought that DHS should define “present high levels of security risk” and “high risk” at the end of the RAMCAP process and not at the discretion of the Secretary.
Commenters suggested that tiers should be objective and transparent and should provide flexibility. One industry commenter pointed out that tiering allows DHS to focus on the most important facilities first and believed that DHS should establish a de minimis tier that sets thresholds below which a facility does not have to complete the Top-Screen tool. Two commenters noted that tiering provides an incentive for facilities to eliminate risk.
Some industry commenters and State and local agencies suggested that facilities in higher risk tiers should have more contact with DHS, and that lower-risk facilities should have fewer security layers implemented over a longer period of time, greater discretion, or fewer inspections. One commenter, however, believed there should be no difference in regulatory scrutiny or performance standards between tiers.
Response: The Department agrees with many of the commenters that the risk-based tiering structure will allow DHS to focus its efforts on the highest risk facilities first. To that end, the Department intends to retain the model proposed in the Advance Notice. See, e.g., 71 FR 78276, 78283. In sum, the Department's framework for risk-based tiering will consist of four risk-based tiers of high-risk facilities, ranging from high (Tier 1) to low (Tier 4). The Department will use a variety of factors in determining which tier facilities will be placed, including information about the public health and safety risk, economic impact, and mission critical aspects of the given chemicals and Threshold Quantities (TQ) of the chemicals. The Department considers the methods for determining these tiers to be sensitive anti-terrorism information that may be protected from further disclosure. The types and intensity of security measures (necessary to satisfy the risk-based performance standards in the facility's Site Security Plan) will depend on the facility's tier. The Department will mandate the most rigorous levels of protection and regulatory scrutiny for facilities that present the greatest degree of risk. Finally, pursuant to Section 550(a), it is in the discretion of the Secretary to apply regulatory requirements to those facilities that present high levels of security risk; accordingly, the Department believes it is most appropriate for the Secretary to determine which facilities present high-risk (and not, for example, rely solely on output from the CSAT process).
The Department incorporates the concept of “target attractiveness” into its risk equation. Insofar as it is a fairly subjective element, and that it requires considerable analysis to develop, DHS will not incorporate it into the initial tier assignment process. However, insofar as “target attractiveness” is included in the more detailed Security Vulnerability Assessment component of the regulatory process, and insofar as the final determination of tier placement will be based upon the complete analysis of risk, “target attractiveness” will, in fact, be an important element in tier assignment and subsequent risk management efforts.
C. Security Vulnerability Assessments and Site Security Plans
1. General Comments
Comment: One association requested that DHS encourage, but not require, facilities that are not high-risk to conduct vulnerability assessments as a best practice.
Response: The Department has always encouraged the chemical sector to analyze security vulnerabilities and will continue to do so through voluntary sector efforts even if the site has not been designated as high risk under this rule.
Comment: One commenter requested that DHS define “material modifications,” as used in §§ 27.215(c)(3) and 27.225(b)(3), or at least provide examples of circumstances or events that rise to the level of “material modifications.”
Response: Material modifications can include a whole host of changes, and for that reason, the Department cannot provide an exhaustive list of material modifications. In general, though, DHS expects that material modifications would likely include changes at a facility to chemical holdings (including the presence of a new chemical, increased amount of an existing chemical, or the modified use of a given chemical) or to site physical configuration, which may (1) substantially increase the level of consequence should a terrorist attack or incident occur; (2) substantially increase a facility's vulnerabilities from those identified in the facility's Security Vulnerability Assessment; (3) substantially effect the information already provided in the facility's Top-Screen submission; or (4) substantially effect the measures contained in the facility's Site Security Plan.
2. Submitting a Site Security Plan
Comment: Several industry commenters recommended changes to the proposed process for notifying facilities to submit SSPs and the timing for submitting the SSPs. A number of commenters believed that the most appropriate person to submit an SSP is a corporate representative with first-hand knowledge of security matters at the facility, rather than an officer of the corporation, as proposed. The comments recommended allowing a corporate security contact, a security manager, or a consultant with delegated authority to submit information on behalf of the corporation. The commenters indicated that, in most instances, members of senior management teams do not have day-to-day detailed knowledge on security issues and, thus, cannot meet the proposed qualifications. One of the commenters added that the proposed regulations appear to limit an organization's flexibility to assign internal responsibilities for various aspects of the regulations. Another commenter suggested that, in addition to notifying a covered facility, the Department should notify the facility's corporate ownership (and/or parent corporation) allowing a multi-facility corporation to prepare and submit a response in an efficient and timely manner.
Response: The goal of this rule is to increase flexibility while embracing security for covered facilities, not to unnecessarily decrease flexibility. The rule obligates the chemical facility to submit the Site Security Plan; however, as used herein, the term chemical facility or facility shall also refer to the owner or operator of the chemical facility. While the owner or operator of a chemical facility may designate someone to submit the Site Security Plan, the owner or operator is responsible for satisfying all the requirements under this part. Note that the Department has added requirements for submitters in the rule (see§ 27.200(b)(3)) and that the Department discusses those new requirements in the Rule Provisions discussion of § 27.200. See§ II(B). Finally, it is presumed that the covered facility is the most appropriate party to notify its parent corporation or other related corporate entities as necessary.
3. Content of Site Security Plans
Comment: One commenter stated that, until some of the initial regulatory elements regarding definition of risk and the establishment of tiers is in place, it would be premature for DHS to publish details on Site Security Plans. Another commenter stated that, based on the consequence assessment, every site should be required to have specific security elements in place that prudently deter, detect, delay, and respond based on their assigned tier level. The commenter also stated that, without some degree of access control and physical security specificity based on tier levels, there will be considerable confusion as to the exact considerations needed to meet Department requirements. Another commenter encouraged DHS to abide by the congressional mandate of Public Law 104-113, as described in OMB Circular A119, and ensure that voluntary consensus codes and standards are used when they are applicable under the rule.
Response: The Department has developed a means of assessing risk and a tiering process as described in §§ 27.205 and 27.220. These methods anticipate, on a risk basis, a certain level of vulnerability for a given tier level. A facility's SSP will describe the appropriate levels of security measures that a facility must implement to address the vulnerabilities identified in their SVA and the risk-based performance standards for their tier. The Department has included risk-based performance standards in this interim final rule and will publish further guidance on the risk-based performance standards. The risk-based standards address, among other things, vulnerabilities under the security concepts of detection, deterrence, delay, and response. Finally, the Department notes that covered facilities may use and cite voluntary consensus codes and standards in their SVAs and SSPs to the extent they are appropriate.
4. Approval of Site Security Plans
Comment: In general, commenters supported the proposed submission and approval processes for SSPs. While one commenter endorsed proposed § 27.240(a)(3) stating that the Department will not disapprove an SSP based on the presence or absence of a particular security measure, another commenter believed that the Department should have the authority to disapprove an SSP if a facility has refused to include a widely-practiced and cost-efficient procedure that can severely reduce the risk posed by a chemical facility. Two commenters requested that the Department inform local law enforcement and first responders when the Department is reviewing an SSP in their community and then inform them whether that plan was accepted or rejected. The commenters stated that the health and safety of responders may well depend upon whether the chemical facility has an adequate SSP.
Response: The Department may not disapprove a Site Security Plan submitted under this Part based on the presence or absence of a particular security measure, as provided in Section 550 of the Homeland Security Appropriations Act of 2007. The Department may disapprove a Site Security Plan that fails to satisfy the risk-based performance standards established in § 27.230.
The Department intends to work closely with local law enforcement and first responders to provide adequate homeland security information to them under this rule.
Comment: One commenter recommended that the Department first complete the SSP review and approval process for Tier 1 facilities, then, after soliciting feedback from the Tier 1 facilities on the process, then proceed in a step-wise fashion to subsequent tiers.
Response: The Department will implement the rule in a phased approach but will not necessarily complete all Tier 1 sites prior to undertaking plan review and approvals with lower-tier chemical facilities as the need arises. This is necessary to make sufficient progress with higher-tier chemical facilities and not only the highest tier.
Comment: One concern raised by an industry association related to DHS's resources for reviewing Security Vulnerability Assessments and providing responses in 20 days. Changes to control systems were suggested for reviews and updates within 7 days or sooner. One commenter agreed with updating SSPs annually, but not Security Vulnerability Assessments. Several commenters suggested the following for updates: every 2-5 years for Tier 1 facilities, 3-5 years for Tier 2, and 3-7 years for Tier 3 and beyond.
Numerous reviewers recommended that the reviews be limited to approximately every three years. Two companies and one industry association wanted reviews to follow major changes and not follow a set schedule. Many reviewers wanted periodic replaced with a suggested frequency.
Several commenters stated that the requirement to submit SVAs within 60 calendar days, and SSPs within 120 calendar days, starting on the date that the facility is notified that it is considered high-risk, is too short, and therefore inadequate. One commenter noted that managing change in a safe fashion requires significant thought and careful planning to ensure that the change itself does not create another hazard to the community, the environment, or employees. The commenter also noted that developing and implementing an SSP that properly mitigates risk requires the security manager to make appropriate revisions to existing facility procedures and to train employees and other affected parties on these new procedures. Another commenter expressed concern that there is no specific date or time by which DHS must notify high-risk chemical facilities of their status. Likewise, there is no firm time by which the Secretary will send out a notice approving or disapproving an SSP.
With regard to the time needed to review an SSP, one commenter stated that DHS should issue a decision approving or disapproving them within 30 days of receipt of a completed plan. This timeframe would bring at least most priority facilities into compliance within seven months of the effective date. The commenter also stated that, given the urgency, any “objections” or “appeals” should be processed after the seven-month schedule is completed. Because of concern that DHS staffing levels might delay the processing of SSPs, another commenter requested a provision be included in the interim final rule indicating that facilities are deemed in compliance after 30 days of submission of SVAs and SSPs until such time that the Department reviews and responds to the submission.
A few commenters recommended that the deadline for Tier 1 facilities to submit SSPs be extended from 120 days to 180 days. The commenters believe that this extension would assure facilities adequate time to assemble the best teams, prepare thorough SVAs, deal with budget planning for potentially large capital expenditures, and ensure the on-site work is properly conducted. Another commenter agreed that the proposed submission schedule for submitting SSPs was unrealistic in light of the tasks involved. The commenter also thought that, if DHS found fault with a provision of the SVA, it would be unreasonable to begin development of an SSP based upon a potentially flawed assessment. Consequently, the commenter argued that the submission time of 120 days should be started only after the Department's approval of the SVA is formally received. Yet another commenter believed that submission of SSPs should be timed according to the tier assigned to the facility and that the time clock should begin when the facility receives word back from the Department on its preliminary tier assignment.
Response: The Department has established a schedule for activities under this part that considers the need to generally address the risks associated with higher tier facilities before that of lower tiers, but staggers the submittals and review and inspection activities. The Department has developed the Chemical Security Assessment Tool (CSAT) to assist chemical facilities with all of the program requirements (registration, screening, SVA, and SSP). In addition, because information from the CSAT applications will be in electronic form, DHS will be able to expedite its review of the information that chemical facilities submit. These deadlines are both prudent and achievable. DHS expects that it will complete its review of the Top-Screen, SVA, and SSP within 60 days of the facility's submission of the Top-Screen, SVA, or SSP.
6. Alternate Security Programs
Comment: The use of alternate security programs was supported by several chemical companies and associations as well as companies and associations in related industries. A chemical company agreed with the concept of initially allowing multiple methodologies and then switching to a common methodology for at least the Tier 1 facilities; they encouraged DHS to still allow alternate approaches for other tiers. This viewpoint was echoed by at least one association. Several companies wanted to ensure that existing plans could be used and one association noted that more methodologies than just those approved by the Center for Chemical Process Safety (CCPS) would be appropriate. Commenters also noted that CCPS should not be the sole arbiter unless DHS periodically reviews its resources and expertise.
A number of industry associations offered their own approaches and a food industry association commented on the need to keep their current programs in place and to not unduly focus on ammonia refrigeration risks. MTSA-, Sandia-, and NFPA-approved programs were among those mentioned by the commenters, as were those allowed under other regulations. Some commenters found the specific process for approval of alternative programs to be lacking in detail. One association requested that submitters just send in a form saying they have an alternate security plan, and not require any other document be submitted for approval.
An advocacy group commented that alternate approaches needed to be equivalent to the DHS approach, not just sufficiently similar, and that DHS should approve equivalent State and local programs. Another advocacy group suggested that DHS should only determine equivalency based on reviews of individual SSPs, not in any blanket or broad way. A third advocacy group supported a single, consistent approach set out by DHS with private sector programs being modified to conform to the DHS approach. One commenter noted that the specification of RAMCAP may have created an unfair playing field for other firms wanting to visit the source company for RAMCAP.
Response: The Ass