There are continued warnings that the US has been without a chemical security programme since late July, leaving more than 3000 high-risk chemical facilities in the country vulnerable to terrorist, cyber- and physical attacks.
The Chemical Facility Anti-Terrorism Standards (CFATS) programme, which was authorised 17 years ago and is managed by the Cybersecurity and Infrastructure Security Agency (CISA), is charged with regulating high-risk chemical facilities to ensure these sites are not weaponised by terrorists. It expired on 27 July and has yet to be reauthorised by Congress.
Now CISA’s director for chemical security, Kelly Murray, is urging Congress to take action and get the programme up and running again. Through CFATS, she says, her agency screened more than 40,000 chemical facilities, identified 3200 of those sites as high-risk, and worked with them to understand the risks posed by their chemical inventories and develop appropriate security plans.
Murray cautions that, without CFATS, CISA no longer has an up-to-date understanding of the location of the more than 300 chemicals of concern that the programme covers. She cites CISA estimates that over the past four months at least 200 new chemical facilities have already acquired chemicals that need to be secured. There is concern that other facilities could be stockpiling these chemicals, increasing the risk of a terrorist attack.
Under CFATS, chemical facilities could submit the names of personnel with or seeking access to dangerous chemicals, and then CISA would vet those names against the Federal Bureau of Investigation’s terrorism database. As of July 2023, CISA was vetting an average of 9000 people a month, Murray notes. Based on this, she says CISA estimates that in the past four months facilities have had to make decisions on granting access to about 36,000 employees without having them vetted.
Before CFATS lapsed in July it had identified, in total, more than 10 individuals with possible ties to terrorism, according to Murray. Based on this rate, she estimates that CISA would, in all probability, have identified another individual with known or suspected terrorist ties in the past four months seeking to work on a high-risk site.
‘We cannot sound the alarm loudly enough: every day this programme is offline is too long,’ Murray warns.