Chemical Facilities Anti-Terrorism Standards Program – Does it Help?
Does CFATS improve the security of U.S. chemical facilities? The answer is certainly “yes.” Is it an efficient way to achieve such improvement? The answer to that question is explored by Firestorm Principal Guy Higgins.
Suzanne E. Spaulding, Under Secretary of Homeland Security for National Protection and Programs, recently testified before the Senate Committee on Homeland Security and Government Affairs concerning the Chemical Facilities Anti-Terrorism Standards (CFATS)
The hearing was held to establish a legislative record of the intent of Congress as Congress considers re-authorizing the CFATS program within the Department of Homeland Security. As such, the written testimony was a description of the accomplishments of the program since its original authorization in 2007.
The CFATS program has created a structure for identifying potentially dangerous chemicals, the quantities of those chemicals that are significant enough to require special security measures, the companies that use or store those chemicals, a tiering structure for categorizing the level of danger posed by a company’s use of those chemicals and a process for requiring, reviewing, and approving each company’s security plans (including regular inspections).
Certainly, maintaining the security of facilities that use and/or store potentially dangerous chemicals is important, and the CFATS program provides a framework within which companies can develop and implement security procedures that will contribute to the security of their facilities.
It is important, however, to recognize that there are costs associated with CFATS, but it is not apparent that DHS has taken that into consideration. For example, any amount of fluorine subjects a company to regulation while an ounce less than a ton of TNT does not. When a company or organization considers developing and implementing security programs or contingency plans, that company must consider the cost/benefit ratio and make decisions accordingly. As it stands, CFATS seems to be making those decisions for the industry without considering those cost/benefit ratios.
A very quick comparison of the CFATS approach to developing and implementing security programs vs. a commercial approach is captured in the following table:
|CFATS Approach||Commercial Approach|
|Level of risk||Yes||Yes|
|Synergy with other government regulations||No||Yes|
|Cost of implementation||No||Yes|
The Federal Government is an enormous organization with millions of employees and a vast set of responsibilities, duties and obligations. The people executing those responsibilities, duties and obligations, both career civil servants and political appointees, are dedicated, capable professionals. However, it is important to recognize the organizational and behavioral dynamics that come into play in a massive organization with limited to no responsibility for the costs it imposes on others. The following is at least a partial list of issues that will tend to compromise the effectiveness of the CFATS program:
- The CFATS program addresses dangerous chemicals, some of which are also regulated by the Environmental Protection Agency and which also fall within the purview of the Department of Commerce. While the CFATS program recognizes these overlaps and unofficially coordinates with the EPA and Commerce, there is no formal effort to deconflict regulatory requirements or create a consolidated approach to be used by all federal regulatory agencies. This imposes additional costs on each company and will create compliance with the letter, but not the spirit, of the regulations.
- There is no apparent, explicit requirement for the CFATS program to justify security requirements in view of the costs imposed. Since no security plan will ever be perfect, there is significant risk of creeping requirements where each year, additional, minor changes will be added to the requirements, often unofficially, that tend to increase the cost of the security – again with no explicit requirement to justify the change in view of the cost incurred balanced against the benefit achieved.
- Any effort that mandates compliance with some set of regulations or standards risks creating a situation in which compliance is all that matters; however, compliance does not necessarily equal security of the facility. If compliance dominates security activity, the risk of “just going through the motions” becomes very real. When this happens, the plan/program is emphasized only when the inspectors are scheduled to arrive or when the plan is to be reviewed. Such has consistently been the case with inspections in the military, with ISO certification reviews and with certification to other standards. Mandated compliance achieves certain levels of capability, but always less than programs that create the internalization of the need and response within the organization. A bureaucracy cannot mandate internalization, and human behavior in a bureaucracy normally tends to use “the stick” rather than “the carrot.” Such appears to be the case with the CFATS program.
- Standardized security templates (provided within the CFATS program) tend to result in largely standardized security plans since achieving compliance (mandated compliance results in a goal of compliance – not security) is easier, for both the company and the reviewer/approval authority, if the plan mimics the template. Standard plans tend to have standard flaws – something that terrorists can, potentially take advantage of.
It is far easier and more straightforward for a government regulator to impose requirements than it is for that same regulator to create an environment within which the regulated entity is incentivized to achieve the goals of the regulation. Compliance with regulations is also much easier to measure and report than is the evaluation of custom-developed plans and procedures.
Does CFATS improve the security of U.S. chemical facilities? The answer is certainly “yes.” Is it an efficient way to achieve such improvement? The answer to that question is far more complex and is probably, at best, “not yet.”
Firestorm Related Articles