Skip to main content

Critical Infrastructure Protection: DHS Action Needed to Verify Some Chemical Facility Information and Manage Compliance Process

GAO-15-614 Published: Jul 22, 2015. Publicly Released: Jul 22, 2015.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Since 2007, the Office of Infrastructure Protection's Infrastructure Security Compliance Division (ISCD), within the Department of Homeland Security (DHS), has identified and collected data from approximately 37,000 chemical facilities under its Chemical Facility Anti-Terrorism Standards (CFATS) program and categorized approximately 2,900 as high-risk based on the collected data. However, ISCD used unverified and self-reported data to categorize the risk level for facilities evaluated for a toxic release threat. A toxic release threat exists where chemicals, if released, could harm surrounding populations. One key input for determining a facility's toxic release threat is the Distance of Concern (distance) that facilities report—an area in which exposure to a toxic chemical cloud could cause serious injury or fatalities from short-term exposure. ISCD requires facilities to calculate the distance using a web-based tool and following DHS guidance. ISCD does not verify facility-reported data for facilities it does not categorize as high-risk for a toxic release threat. However, following DHS guidance and using a generalizable sample of facility-reported data in a DHS database, GAO estimated that more than 2,700 facilities (44 percent) of an estimated 6,400 facilities with a toxic release threat misreported the distance. By verifying that the data ISCD used in its risk assessment are accurate, ISCD could better ensure it has identified the nation's high-risk chemical facilities.

ISCD has made substantial progress approving site security plans but does not have documented processes and procedures for managing facilities that are noncompliant with their approved site security plans. Site security plans outline, among other things, the planned measures that facilities agree to implement to address security vulnerabilities. As of April 2015, GAO estimates that it could take between 9 and 12 months for ISCD to review and approve security plans for approximately 900 remaining facilities—a substantial improvement over the previous estimate of 7 to 9 years GAO reported in April 2013. ISCD officials attributed the increased approval rate to efficiencies in ISCD's security plan review process, updated guidance, and a new case management system. Further, ISCD began conducting compliance inspections in September 2013, but does not have documented processes and procedures for managing the compliance of facilities that have not implemented planned measures outlined in their site security plans. According to the nature of violations thus far, ISCD has addressed noncompliance on a case-by-case basis. Almost half (34 of 69) of facilities ISCD inspected as of February 2015 had not implemented one or more planned measures by deadlines specified in their approved site security plans and therefore were not fully compliant with their plans. GAO found variations in how ISCD addressed these 34 facilities, such as how much additional time the facilities had to come into compliance and whether or not a follow-on inspection was scheduled. Such variations may or may not be appropriate given ISCD's case-by-case approach, but having documented processes and procedures would ensure that ISCD has guidelines by which to manage noncompliant facilities and ensure they close security gaps in a timely manner. Additionally, given that ISCD will need to inspect about 2,900 facilities in the future, having documented processes and procedures could provide ISCD more reasonable assurance that facilities implement planned measures and address security gaps.

Why GAO Did This Study

Thousands of facilities have hazardous chemicals that could be targeted or used to inflict mass casualties or harm surrounding populations in the United States. DHS established the CFATS program to, among other things, identify and assess the security risk posed by chemical facilities. Within DHS, ISCD oversees this program.

GAO was asked to assess the CFATS program. This report addresses, among other things, the extent to which DHS has (1) categorized facilities as subject to the CFATS regulation, and (2) approved site security plans and conducted compliance inspections. GAO reviewed laws, regulations, and program documents; randomly selected data submitted to ISCD by facilities from 2007 to 2015, tested the data's reliability; and generated estimates for the entire population of facilities, and interviewed officials responsible for overseeing, identifying, categorizing, and inspecting chemical facilities from DHS headquarters and in California, Maryland, Oregon, and Texas (selected based on geographic location and other factors).

Recommendations

GAO recommends, among other things, that DHS (1) verify the Distance of Concern reported by facilities is accurate and (2) document processes and procedures for managing compliance with site security plans. DHS concurred with GAO's recommendations and outlined steps to address them.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Homeland Security To ensure the accuracy of the data submitted by chemical facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD to provide milestone dates and a timeline for implementation of the new Top-Screen and ensure that changes to this Top-Screen mitigate errors in the Distance of Concern submitted by facilities.
Closed – Implemented
We found that ISCD used self-reported and unverified data to determine the risk categorization for facilities with a toxic release threat. DHS requires that facilities self-report the Distance of Concern, an area in which exposure to a toxic chemical cloud could cause serious injury or fatalities from short-term exposure. Facilities report the Distance of Concern as part of the Top-Screen, which is the initial screening tool whereby chemical facilities report to ISCD information on the chemicals in their possession. Following DHS guidance and using a generalizable sample of facility-reported data in a DHS database, we estimated that more than 2,700 facilities (44 percent) of an estimated 6,400 facilities with a toxic release threat misreported the Distance of Concern. ISCD officials stated that the next iteration of the Top-Screen will not require facilities to calculate and provide a Distance of Concern, but officials did not have a timeline for implementing the new Top-Screen. We recommended that DHS provide milestone dates and a timeline for implementation of a new Top-Screen and ensure that changes to this Top-Screen mitigate errors in the Distance of Concern submitted by facilities. In January 2016, ISCD developed milestone dates for implementing an updated Top-Screen. ISCD stated that the new Top-Screen will no longer require facilities to calculate the Distance of Concern, but rather will collect data from facilities to enable DHS to calculate it to assess risk. These actions are consistent with our recommendation.
Department of Homeland Security To ensure the accuracy of the data submitted by chemical facilities, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD, in the interim, to identify potentially miscategorized facilities with the potential to cause the greatest harm and verify the Distance of Concern these facilities report is accurate.
Closed – Implemented
We found that the Department of Homeland Security's (DHS) Infrastructure Security Compliance Division (ISCD) may have miscategorized high-risk facilities with a toxic release threat based on an erroneous Distance of Concern, an area in which exposure to a toxic chemical cloud could cause serious injury or fatalities from short-term exposure. On the basis of our generalizable sample of facility-reported data in a DHS database and ISCD's input regarding the extent of facilities that could have been miscategorized, we estimated that ISCD could have miscategorized 85 high-risk facilities, but potentially up to 543 high-risk facilities that had previously submitted Top-Screens. We recommended that DHS identify potentially miscategorized facilities with the potential to cause the greatest harm and verify the Distance of Concern these facilities report is accurate. In response, in November 2016, ISCD officials stated that they completed an assessment of all Top-Screens that reported threshold quantities of toxic release chemicals of interest and identified 158 facilities with the potential to cause the greatest harm. As of May 2017, according to ISCD officials, 156 of the 158 facilities had submitted updated Top-Screens and 145 of 156 Top-Screens had undergone a quality assurance review process. Officials stated that the quality assurance review process entailed a review by a subject matter expert to check for items such as the temperature and/or pressure for the release-toxic chemicals reported by the facilities and ISCD officials are to contact facilities when these items are questionable. ISCD officials also noted that DHS's revised Top-Screen application, launched on October 1, 2016, eliminates the need for facilities to calculate the Distance of Concern. Instead, DHS's tiering methodology will use an updated plume model, which incorporates the plume distance and overlays it over the potential impacted population based on specific properties of the chemical, facility, and surrounding geographic area being assessed. As a result of these actions, ISCD has taken steps to better ensure it has identified the nation's high-risk chemical facilities.
Department of Homeland Security In addition, to better manage compliance among high-risk chemical facilities and demonstrate program results, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD to develop documented processes and procedures to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans.
Closed – Implemented
We found that the CFATS program did not have documented processes and procedures to track facilities that were noncompliant with their approved site security plans and to ensure facilities implement planned measures to become compliant. CFATS program standard operating procedures for inspections of covered facilities provided that inspectors were to report to CFATS program officials, among other things, any recommended enforcement actions resulting from a compliance inspection. The CFATS regulation also provides that if a facility is in violation of any part of the regulation, appropriate action may be taken, including the issuance of an order, compelling a facility to take actions necessary to become compliant. However, we found that the CFATS program did not have documented processes and procedures for how officials and inspectors are to track noncompliant facilities and ensure that they take actions towards compliance. Therefore, we recommended that the CFATS program develop documented processes and procedures to track noncompliant facilities and ensure they implement planned measures as outlined in their approved site security plans. In response, CFATS program officials took several actions to implement our recommendation. First, in May 2017 the officials updated the CFATS Enforcement Standard Operating Procedure to outline the roles, responsibilities and processes for identifying, initiating and resolving all enforcement procedures. Second, in October 2018 the officials updated the CFATS Inspections Standard Operating Procedure to document the verification procedures for planned measure completion and the timelines associated, including details on when extensions should be granted and when enforcement should be recommended. CFATS program officials also stated that planned measures were auto-populated into compliance inspection report templates with a required data item indicating when completed and DHS began tracking this metric to show timeliness. These actions are consistent with our recommendation.
Department of Homeland Security In addition, to better manage compliance among high-risk chemical facilities and demonstrate program results, the Secretary of Homeland Security should direct the Under Secretary for NPPD, the Assistant Secretary for the Office of Infrastructure Protection, and the Director of ISCD to improve the measurement and reporting of the CFATS program performance by developing a performance measure that includes only planned measures that have been implemented and verified.
Closed – Implemented
We found that DHS's performance measure for the Chemical Facility Anti-Terrorism Standards (CFATS) program, which was intended to reflect the overall impact of the CFATS regulation on facility security, did not solely capture security measures that were implemented by facilities and verified by ISCD. Instead, the performance measure reflected both existing security measures and planned security measures that facilities intended to implement within the fiscal year. We recommended that the Director of ISCD improve the measurement and reporting of the CFATS program performance by developing a performance measure that includes only planned measures that have been implemented and verified. In December 2015, ISCD finalized its fiscal year 2016 annual operating plan that included verification requirements for the performance measure. Specifically, the new requirement requires that ISCD officials verify that planned measures have been implemented in accordance with the approved site security plan (or alternative security program) by compliance inspection other means before inclusion in the performance measure calculation. ISCD's actions to improve the performance measure verification are consistent with our recommendation.

Full Report

Office of Public Affairs

Topics

Critical infrastructure protectionData collectionDocumentationFacility managementFacility securityRisk managementToxic substancesPolicies and proceduresChemical facilitiesCompliance oversight