Lapsed US chemical security programme leaves facilities vulnerable

A US government programme that helps ensure the safety of about 3300 high-risk chemical facilities has expired, prompting warnings from security experts and industry that the lapse leaves sensitive facilities vulnerable to terrorist, cyber, and physical attacks.

The Chemical Facility Anti-Terrorism Standards (CFATS) programme was authorised 17 years ago, and was due to expire on 27 July. On 15 July, the House of Representatives approved legislation to reauthorise it for two years, but without Senate approval before the August break, the effort stalled and CFATS expired.

The programme, which is managed by the Cybersecurity and Infrastructure Security Agency (CISA), identifies and regulates high-risk chemical facilities to ensure security measures are in place to address the threat of certain dangerous chemicals being weaponised by terrorists. The programme covers 300 chemicals of concern, wherever they are produced or stored at quantities large enough to be a threat.

In a notice on its website, CISA announced that it can no longer enforce compliance with the CFATS regulations, which means the agency will not require facilities to report their chemicals of interest or submit any information in its Chemical Security Assessment Tool, perform inspections, or provide CFATS compliance assistance, among other activities.

Just one senator, Republican Rand Paul from Kentucky, blocked the Senate legislation after expressing concerns on 26 July that it creates regulatory burdens that favour big businesses able to afford compliance officers, and that the programme duplicates efforts at other agencies.

Security experts, including at US-based consulting firm TRC Companies, expect that the programme will be reauthorised in the autumn, but it remains unclear when exactly this will happen.

Finding faults

On 6 September, a coalition of nearly 20 organisations – including the American Chemistry Council, National Association of Chemical Distributors, and the Society of Chemical Manufacturers & Affiliates – wrote to senators arguing that the CFATS programme ‘promotes security by providing facility risk assessments, guidance to companies about their security plans and policies, and vetting personnel against the terrorist screening database.’ For example, 9000 new hires have not been screened for terrorist ties in the past month, they said.

Without a comprehensive audit programme like the one provided by CFATS, many activities not directly related to getting products out of the door can slip through the cracks, explains Patrick Coyle, who has more than two decades of experience in the chemical process industry and writes a chemical facilities security blog. He says this is why about 35% of the CISA’s compliance inspections find security deficiencies in established security programs. ‘Generally, facilities correct those problems when notified of them during an inspection, but they did miss the problems in the first place,’ Coyle tells Chemistry World.

He also points out that CISA is uniquely placed to determine the level of threat a facility faces, since it has access to information not available to the public. But without CFATS, the agency does not have the authority to collect the requisite information from facilities and conduct risk assessments with the full information available to the government.

In addition, Coyle is concerned that the ability to vet personnel has also been shut down with CFATS’ expiration. ‘Companies routinely do fiscal and criminal background checks on new employees to ensure that dangerous … individuals do not get jobs,’ he tells Chemistry World. ‘What companies cannot do, however, is to check prospective employees against the federal government’s terrorist screening database, to see if a potential employee has known associations with various terrorist-connected organisations or individuals.’

Such vetting is only available to chemical facilities through the CFATS programme. ‘CISA was processing about 300 names each day before the CFATS programme was shut down,’ Coyle adds. ‘Now no names are going into the system.’

On 14 September 2023 Patrick Coyle’s name was corrected