Six month gap in vetting people with access to high-risk chemicals means potential threats may have been missed

Six months since a key US chemical plant security monitoring programme expired, and with little prospect so far of government action to renew it, industry leaders are redoubling calls for reauthorisation.

The Chemical Facility Anti-Terrorism Standards (CFATS) programme, managed by the US Cybersecurity and Infrastructure Security Agency (CISA), regulates high-risk chemical facilities to ensure these sites are not exploited by terrorists. The programme helps chemical facilities strengthen their physical and cybersecurity, but it expired in July 2023 and Congress has yet to extend or reauthorise it.

More than one-third of inspections actually identify a security gap, and often more than one

Kelly Murray, CISA

Since the expiry, ‘CISA has not received updated information on dangerous chemicals from more than 240 facilities,’ stated Kelly Murray, CISA’s associate director for chemical security, at a recent media briefing convened chemical trade organisations, congressional, and government agency representatives to discuss the topic.

‘It affects our ability to work with federal, state and local partners in providing that information during incidents and events to keep our communities reprepared and safe,’ Murray continued, adding that the CISA will soon miss its 900th inspection under CFATS since the programme expired. ‘More than one-third of inspections actually identify a security gap, and often more than one,’ she stated. ‘That means if we have missed more than 900 inspections there are likely more than 300 facilities with security gaps – and we expect that that number is actually significantly higher.’

A barbed wire fence in front of a chemical plant

Source: © Aziz Shamuratov/Getty Images

Through CFATS, the names of people who have access to chemical facilities, or are seeking to access to dangerous chemicals within these plants, are vetted against those listed in the US Federal Bureau of Investigation’s Terrorist Screening Database. But CISA now estimates that 54,000 personnel who have recently gained, or are seeking access, to restricted areas or critical access at chemical facilities have not been checked.

This is a unique situation where regulators and industry are aligned

Chris Jahn, American Chemistry Council

Over the lifespan of CFATS, the CISA had identified more than 10 individuals with possible ties to terrorism, and given that rate of vetting Murray said CISA likely would have identified at least one individual as a known or suspected terrorist in the last six months. Murray also pointed to good data showing that CFATS made a difference in getting chemical facilities better prepared to handle security incidents, with plants introducing multiple security measures as part of the approval process.

‘Every day that this lapse continues, the risk of a chemical attack increases,’ warned Caitlin Durkovich, resilience and response deputy homeland security advisor to President Joe Biden, who used to oversee the CFATS programme at the Department of Homeland Security (DHS) during Barack Obama’s administration.

There is concern that in the absence of congressional action states will step in to regulate these chemical facilities. For example, a legislator in Nebraska recently introduced a bill to consider creating a CFATS-like regulation for the state.

‘A patchwork of rules and regulations from different agencies and states would place an enormous burden on companies and potentially create confusion and conflicting requirements,’ explained Nick Adams, a legislative director for Laurel Lee, a Republican Congresswoman from Florida who introduced legislation in July to extend CFATS’ authority. That measure was blocked in the Senate, and hence the programme expired.

Chris Jahn, president of the American Chemistry Council, agrees. ‘I spend a good portion of my day job pushing back against federal regulatory overreach. This is a unique situation where regulators and industry are aligned,’ he said. ‘Our companies should not be forced to go it alone; we need a partner that can provide threat information and security expertise – the kind of knowledge that only DHS can provide through CFATS.’