This is the accessible text file for GAO report number GAO-06-899T entitled 'Homeland Security: DHS Is Addressing Security at Chemical Facilities, but Additional Authority is Needed' which was released on June 21, 2006. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Committee on Environment and Public Works, U.S. Senate: United States Government Accountability Office: GAO: For Release on Delivery Expected at 9:30 a.m. EDT: Wednesday, June 21, 2006: Homeland Security: DHS Is Addressing Security at Chemical Facilities, but Additional Authority Is Needed: Statement for the Record by John B. Stephenson, Director Natural Resources and Environment: GAO-06-899T: GAO Highlights: Highlights of GAO-06-899T, testimony before the Senate Committee on Environment and Public Works. Why GAO Did This Study: Terrorist attacks on U.S. chemical facilities could damage public health and the economy. The Department of Homeland Security (DHS) coordinates federal efforts to protect these facilities from attacks. GAO was asked to provide a statement for the record based on its report Homeland Security: DHS Is Taking Steps to Enhance Security at Chemical Facilities, but Additional Authority Is Needed (GAO-06-150, January 27, 2006), GAO reviewed (1) DHS’s actions to develop a strategy to protect chemical plants, assist with the industry’s security efforts, and coordinate with other federal agencies, (2) industry security initiatives, (3) DHS’s authorities and the need for additional security legislation, and (4) stakeholders’ views on any requirements to use safer technologies. What GAO Found: DHS is developing a Chemical Sector-Specific Plan, which is intended to, among other things, describe DHS’s ongoing efforts and future plans to coordinate with federal, state, and local agencies and the private sector; identify chemical facilities to include in the sector, assess their vulnerabilities, and prioritize them; and develop programs to prevent, deter, mitigate, and recover from attacks on chemical facilities. DHS officials told GAO that they now expect to complete and release the plan in the fall of 2006. In addition, DHS has taken a number of actions to protect the chemical sector from terrorist attacks. DHS identified 3,400 facilities that, if attacked, could pose the greatest hazard to human life and health and has initiated programs to assist the industry and local communities in protecting chemical plants. DHS also coordinates with the Chemical Sector Coordinating Council, an industry-led group that acts as a liaison for the chemical sector, and with EPA and other federal agencies. The chemical industry is voluntarily addressing plant security, but faces challenges. Some industry associations require member companies to assess plants’ vulnerabilities, develop and implement mitigation plans, and have a third party verify that security measures were implemented. Other associations have developed guidelines and other tools to encourage their members to address security. Industry officials said that high costs and limited guidance on how much security is adequate create challenges in preparing facilities against terrorism. Because existing laws provide DHS with only limited authority to address security at chemical facilities, it has relied primarily on the industry’s voluntary security efforts. However, the extent to which companies are addressing security is unclear. DHS does not have the authority to require chemical facilities to assess their vulnerabilities and implement security measures. Therefore, DHS cannot ensure that facilities are taking these actions. DHS has stated that its existing authorities do not permit it to effectively regulate the chemical industry, and that the Congress should enact federal requirements for chemical facilities. Many stakeholders agreed—as GAO concluded in 2003 and again in January 2006—that additional legislation placing federal security requirements on chemical facilities is needed. Stakeholders had mixed views on whether any chemical security legislation should require plants to substitute safer chemicals and processes, which could lessen the potential consequences of an attack, but could be costly or infeasible for some plants. DHS has stated that safer practices may make facilities less attractive to terrorist attack, but may shift risks rather than eliminate them. Environmental groups told GAO that they favored including or considering inherently safer technologies in any federal requirements, but most industry officials GAO contacted opposed a requirement to use safer technologies because they may shift risks or be prohibitively expensive. What GAO Recommends: GAO’s report recommended that (1) the Congress consider giving DHS the authority to require the chemical industry to address plant security, (2) DHS complete its Chemical Sector-Specific Plan in a timely manner, and (3) DHS study, with the Environmental Protection Agency (EPA), the security benefits of using safer technologies. DHS agreed in substance with GAO’s first two recommendations but expressed concerns about studying safer technologies. GAO continues to see merit in such a study. EPA had no comments on the report. [Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-899T]. To view the full product, including the scope and methodology, click on the link above. For more information, contact John Stephenson at (202) 512-3841 or stephensonj@gao.gov. [End of Section] Mr. Chairman and Members of the Committee: We are pleased to have the opportunity to present the results of our recent work on chemical facility security.[Footnote 1] As we reported in January 2006, across the nation, approximately 15,000 facilities produce, use, or store more than specific maximum amounts of chemicals that the Environmental Protection Agency (EPA) has identified as posing the greatest risk to human health and the environment if accidentally released into the air. These facilities include chemical manufacturers, storage and distribution facilities, water and wastewater treatment facilities, and refineries, among others. Since September 11, 2001, government and other experts have recognized the potential threat that chemical facilities pose because many house toxic chemicals that could become airborne and drift to surrounding areas or be used to create a chemical weapon capable of causing harm. While these facilities potentially put large numbers of Americans at risk of injury or death in the event of a chemical release, the chemicals they produce, use, store, and distribute are critical to the nation's economy. The Homeland Security Act of 2002 established the Department of Homeland Security (DHS) and set forth its mission to, among other things, prevent terrorist attacks in the United States and reduce the vulnerability of the nation to terrorism.[Footnote 2] The President's February 2003 National Strategy for the Physical Protection of Critical Infrastructures and Key Assets sets forth the federal government's roles, objectives, and responsibilities in protecting the nation's critical infrastructure, including the chemical industry. In addition, a December 2003 presidential directive instructed DHS to produce a comprehensive integrated plan outlining national goals, objectives, milestones, and key initiatives for protecting critical infrastructure and key resources.[Footnote 3] The directive also named DHS as the lead agency for the chemical sector. [Footnote 4] Under an interim national plan released in February 2005, DHS is to identify and prioritize critical chemical facilities, evaluate the chemical sector's vulnerabilities and risks, develop and implement protective programs for high-priority chemical facilities, identify regulatory options for protective measures, and maintain a relationship with all stakeholders. The federal government's role in protecting chemical facilities from terrorist attacks has been much debated since September 11, 2001. Public debate has centered on whether the federal government should impose security requirements on chemical facilities or continue to work with the chemical industry to voluntarily address security concerns. Legislative proposals that would grant DHS or EPA, or one of these agencies in consultation with the other, the authority to require chemical facilities to take security steps were introduced in every Congress from 2001 to 2005. Provisions in legislative proposals that would require chemical facilities to implement or consider the substitution of safer chemicals and processes--referred to as "inherently safer technologies"--have also sparked debate. Appendix I provides an overview of key chemical security legislative proposals in the 109th Congress, two of which contain provisions relating to the use of inherently safer technologies. My statement today is based on our January 2006 report, and will focus on (1) DHS' actions to develop a plan for protecting the chemical sector, assess facilities' vulnerabilities, and interact with the industry and other federal agencies; (2) chemical industry security initiatives and challenges; (3) DHS' existing authorities and whether additional legislative authority is needed; and (4) stakeholders' views on the inclusion of an inherently safer technologies requirement in any legislation. In conducting our work, we interviewed officials from DHS and EPA and reviewed pertinent federal legislation, EPA data, DHS documents, and other available reports. We also interviewed representatives of all 16 associations participating on the Chemical Sector Coordinating Council, a group of chemical sector associations that facilitate the sharing of industry views with DHS, and spoke with at least one member company belonging to 13 of the key chemical industry associations.[Footnote 5] We also interviewed other organizations with chemical industry expertise, including the American Society of Mechanical Engineers, the Center for Chemical Process Safety, Sandia National Laboratories, and the Working Group on Community Right-to-Know, among others. We conducted our work according to generally accepted government auditing standards. Summary: In summary, we found the following: * As of January 2006, when we issued our report, DHS was developing a Chemical Sector-Specific Plan as part of a national framework to reduce the overall vulnerability of the chemical sector. According to DHS, the plan will describe, among other things, the chemical industry; DHS' coordination with federal, state, and local agencies and with the private sector; DHS' efforts to identify and prioritize chemical facilities on the basis of risk; and DHS' development of protective programs to prevent, deter, mitigate, and recover from attacks on chemical facilities. In developing this plan, DHS initiated actions to identify the sector's critical assets, prioritize facilities, develop and implement programs, exchange information with the private sector, and coordinate efforts with EPA and other federal agencies. For example, DHS identified about 3,400 high-priority facilities and plans to use a new risk assessment methodology to compare and prioritize all critical infrastructure assets according to their level of threat, vulnerability to attack, and the consequences of an attack. DHS officials told us that they expect to complete and release the sector- specific plan in the fall of 2006. * The chemical industry, led by its industry associations, has undertaken voluntary efforts to address plant security, but faces challenges in preparing facilities against terrorism. Some industry associations require their member companies to assess facilities' vulnerabilities and make security enhancements. For example, the American Chemistry Council, a chemical industry association, requires as a condition of membership that companies conduct vulnerability assessments, develop and implement plans to mitigate vulnerabilities, and have a third party verify that the security enhancements were implemented. The Council reports that its members have spent an estimated $2 billion on security improvements since September 11, 2001. Other industry associations have developed security guidelines, best practices, and other tools and a number of associations have developed security guidelines and vulnerability assessment methodologies tailored specifically to their member companies' unique security concerns. However, industry officials told us that they face a number of challenges in preparing facilities against a terrorist attack. They reported that the cost of security improvements can be a burden, particularly for smaller companies, and that determining the appropriate level of security for different facilities is difficult without guidance on what level of security is adequate. * Existing laws provide DHS with only limited authority to address security concerns at U.S. chemical facilities. To require security improvements at these facilities, which pose significant risks to millions of Americans, DHS needs additional legislative authority. DHS lacks the authority to require chemical facilities to assess their vulnerabilities and implement security measures and cannot enter most chemical facilities without their permission to assess security or to enforce the implementation of any needed security improvements. In contrast to some other critical infrastructure facilities--such as nuclear and drinking water facilities--chemical plants generally are not subject to federal security requirements. Consequently, DHS has relied primarily on the private sector's voluntary participation to address facility security. As a result, DHS cannot ensure that all high- risk facilities are assessing their vulnerability to terrorist attacks and taking corrective actions, where necessary. On this basis, we concluded in 2003 and again in January 2006 that additional legislation is needed to place federal security requirements on chemical facilities.[Footnote 6] In addition, DHS has concluded that its existing authorities do not permit it to effectively regulate the industry, and that the Congress should enact federal requirements for chemical facilities. Given that the nation's chemical facilities pose significant risks and the extent of their security preparedness is largely unknown, legislation giving DHS the authority to require the chemical industry to address security at their plants is long overdue. * While many of the stakeholders we contacted--including representatives from industry, research centers, and government-- agreed on the need for additional legislation establishing federal security requirements, they had divergent views on whether facilities should be required to use safer chemicals and processes--referred to as "inherently safer technologies." Inherently safer technologies could lessen the potential consequences of an attack by reducing the risks present at these facilities, but could be costly or infeasible for some plants. The Department of Justice and DHS have recognized that safer practices, such as reducing the quantity of hazardous material on site may make facilities less attractive to terrorist attack or could prevent or delay a terrorist attack. However, DHS officials told us that the use of inherently safer technologies tends to shift risks rather than eliminate them, often with unintended consequences. Representatives from environmental groups, as well as process safety experts, told us that the inherently safer technologies should be included or considered in any federal chemical security requirements. In contrast, the majority of the industry officials we contacted opposed a requirement to use inherently safer technologies because their use may shift risks or be prohibitively expensive. To ensure that chemical facilities take action to review and address security vulnerabilities, we recommended in January 2006 that: * the Congress consider providing DHS with the authority to require high-risk chemical facilities to assess their vulnerability to terrorist attacks and, where necessary, require these facilities to take corrective action, and: * DHS complete the Chemical Sector-Specific Plan in a timely manner and work with EPA to study the advantages and disadvantages of substituting safer chemicals and processes at some chemical facilities. In comments responding to a draft of our January 2006 report, DHS agreed that the Congress should consider granting DHS the authority to require the chemical industry to address plant security and that completing and implementing the sector-specific plan is a priority. Legislation is before the Congress that, if enacted, would direct DHS to require high-risk chemical facilities to assess their vulnerability to terrorist attacks and take corrective action, where necessary. Furthermore, DHS officials expect to complete and release the sector- specific plan in the fall of 2006. However, DHS disagreed with our recommendation that the department work with EPA to study the security benefits of using safer technologies. As noted, DHS believes that the use of safer technologies would not generally result in more secure chemical facilities and would shift risks rather than eliminate them. DHS also stated that it is unclear what role EPA would play in a study of the benefits of using safer technologies or how DHS's interaction with EPA might be perceived among DHS's private sector partners. We continue to believe, however, that the use of safer technologies may have the potential to reduce security risks for at least some chemical facilities by making them less attractive to a terrorist attack and reducing the severity of the potential consequences of an attack and that studying the costs and security benefits of using safer technologies would be a worthwhile effort. While DHS should have the lead role in conducting such a study, EPA can provide valuable support. EPA has extensive expertise on toxic chemical data sources, U.S. hazardous materials facilities, and process safety issues, among other things, that the agency has developed through its oversight of a number of chemical safety programs. In particular, EPA maintains data on high- risk facilities' inventories of toxic and flammable chemicals and facility worst-case release scenarios, which could be useful to DHS in studying inherently safer technologies. Furthermore, we do not believe that a DHS-EPA partnership to study safer chemicals and technologies would necessarily bring the department into conflict with the industry, if the appropriate informational safeguards and assurances are built into the process. Through additional study, these two agencies can help to determine the appropriate role of inherently safer technologies in government and industry efforts to bolster chemical facility security and could identify alternative ways to reduce security, environmental, and health risks that could be shared with private industry. Background: Experts agree that chemical facilities are among the most attractive targets for terrorists intent on causing massive damage. Despite the risk these facilities pose, no one has yet comprehensively assessed security at the nation's chemical facilities. EPA regulates about 15,000 facilities under the 1990 amendments to the Clean Air Act because they produce, use, or store more than certain threshold amounts of specific chemicals that would pose the greatest risk to human health and the environment if they were accidentally released into the air. These facilities must take a number of steps, including preparing a risk management plan (RMP), to prevent and prepare for an accidental release and, therefore, are referred to as RMP facilities. These facilities fall within a variety of industries and produce, use, or store a variety of products, including basic chemicals; specialty chemicals, such as solvents; life science chemicals, such as pharmaceuticals and pesticides; and consumer products, such as cosmetics. Some of these facilities are part of critical infrastructure sectors other than the chemical sector. For example, about 2,000 of these facilities are community water systems that are part of the water infrastructure sector. In addition, other facilities that house hazardous chemicals that are listed under the RMP regulations are not subject to RMP requirements because the quantities stored or used are below threshold amounts. Through the RMP program, EPA has gained extensive expertise with chemical facilities and processes that could be useful in helping DHS assess security issues. Federal requirements currently address security at some U.S. chemical facilities. For example, a small number of chemical facilities must comply with the Maritime Transportation Security Act of 2002 and its implementing regulations, which require maritime facility owners and operators to conduct assessments, develop security plans, and implement security measures. In addition, certain community water systems--while not specifically considered chemical facilities but which use and store large volumes of chemicals--are required by the Public Health Security and Bioterrorism Preparedness and Response Act of 2002 to conduct and submit a vulnerability assessment to EPA and prepare an emergency response plan that incorporates the results of the assessment. According to EPA, 1,928 drinking water facilities that are also subject to EPA's RMP program must comply with this act. Some states and localities have also created security requirements at chemical facilities. In addition, the federal government imposes safety and emergency response requirements on chemical facilities that may incidentally reduce the likelihood and consequences of terrorist attacks. For example, Section 112(r) of the Clean Air Act includes a general duty clause directing owners and operators of facilities to identify hazards, design and maintain a safe facility to prevent releases, and minimize the consequences of any accidental releases that occur. [Footnote 7] Under Section 112(r), RMP facilities must also implement a program to prevent accidental releases that includes safety precautions and maintenance, and monitoring and training measures, and they must have an emergency response plan. The Department of Labor's Occupational Safety and Health Administration's process safety management standard also requires facilities to conduct analyses of their chemical processes which must address hazards of the process, engineering and administrative controls applicable to the hazards, facilities siting, and evaluation of the possible health and safety effects of failures of controls on employees. DHS Has Taken Actions to Develop a Plan for Protecting the Chemical Sector, Assess Facilities' Vulnerabilities, and Interact with the Industry and Other Federal Agencies: DHS is developing a plan for protecting the chemical sector that will establish a framework for reducing the overall vulnerability of the sector in partnership with the industry and state and local authorities. At the time of our review, DHS did not provide a specific date for completion of the Chemical Sector-Specific Plan. DHS completed a draft of the plan in July 2004 and has been working to revise it to accommodate changes to DHS's risk management strategy and comments from stakeholders. DHS officials told us that the final plan--which they now expect to complete and release in the fall of 2006--will reflect the basic principles and content described in the draft plan. On the basis of our review of the draft plan and discussions with DHS officials, the final plan will, among other things, (1) present background information on the sector; (2) describe the process DHS will use to develop an inventory of chemical sector assets; (3) describe DHS's efforts to identify and assess chemical facilities' vulnerabilities and plans to prioritize these efforts on the basis of the vulnerability assessments; (4) outline the protective programs that will be created to prevent, deter, mitigate, and recover from attacks on chemical facilities, and describe how DHS will work with private sector and government entities to implement these programs; (5) explain the performance metrics DHS will use to measure the effectiveness of DHS and industry security efforts; and (6) outline the department's challenges in coordinating the efforts of the chemical sector.[Footnote 8] DHS has also initiated actions to identify the chemical sector's critical assets, prioritize facilities, develop and implement protective programs, exchange information with the private sector, and coordinate efforts with EPA and other federal agencies. DHS is focusing its efforts for the chemical sector by identifying high-priority facilities. As a starting point, DHS has adapted EPA's RMP database of facilities with more than threshold amounts of certain chemicals to develop an interim inventory of 3,400 chemical facilities that pose the greatest hazard to human life and health in the event of a terrorist attack. These are facilities where a worst-case scenario release potentially could affect over 1,000 people. According to DHS, 272 of these facilities could potentially affect more than 50,000 people. DHS is also developing a new risk assessment methodology to compare and prioritize all critical infrastructure assets according to their level of threat, their vulnerability to attack, and the consequences of an attack on the facility. According to DHS, Risk Analysis Management for Critical Asset Protection (RAMCAP) will provide a common methodology, terminology, and framework for homeland security risk analysis and decision making that is intended to allow consistent risk management across all sectors. The RAMCAP process entails chemical facility owners/operators voluntarily completing a screening tool to identify the consequences of an attack. On the basis of the results of the screening tool, DHS will identify facilities of highest concern and ask them to voluntarily complete a security vulnerability assessment. Finally, DHS has implemented a number of programs to assist the private sector and local communities in reducing vulnerabilities. For example, DHS works with local law enforcement officials and facility owners through the Buffer Zone Protection Program to improve the security of the area surrounding a facility. To assess and identify vulnerabilities at chemical facilities, DHS deploys teams of experts from both government and industry to conduct a site assistance visit. DHS had conducted 38 site assistance visits at chemical facilities as of June 15, 2005, and planned to conduct additional visits in fiscal year 2006 on the basis of need. DHS has also installed cameras at some high- consequence facilities, providing local law enforcement authorities with the ability to conduct remote surveillance and allowing state homeland security offices and DHS to monitor the facilities. In addition, DHS distributes threat information to the industry through various means and coordinates sector activities with the Chemical Sector Coordinating Council, an industry-led working group formed voluntarily by trade associations that acts as a liaison for the chemical sector. DHS also coordinates with EPA and other federal agencies through a government coordinating council. EPA officials believe that the agency could further assist DHS by providing analytical support in identifying high-risk facilities that should be targeted in DHS' chemical sector efforts, among other activities. The Chemical Industry Continues Voluntary Efforts to Address Security, but Faces Challenges in Safeguarding Facilities: With few federal security requirements, industry associations have been active in promoting security among member companies. Some industry associations, including the American Chemistry Council (ACC), the Synthetic Organic Chemical Manufacturers Association, and the National Association of Chemical Distributors, require member companies to assess their facilities' vulnerabilities and make security enhancements, requiring as a condition of membership that they conduct security activities and verify that these actions have been taken. ACC, representing 135 chemical manufacturing companies with approximately 2,000 facilities, has led the industry's efforts to improve security at their facilities. ACC requires its members to adhere to a set of security management principles that include performing physical security vulnerability assessments using an approved methodology, developing plans to mitigate vulnerabilities, taking actions to implement the plans, and having an independent party such as insurance representatives or local law enforcement officials verify that the facilities implemented the identified physical security enhancements. These reviewers do not verify that a vulnerability assessment was conducted appropriately or that actions taken by a facility adequately address security risks. However, ACC requires member companies to periodically conduct independent third-party audits that include an assessment of their security programs and processes and their implementation of corrective actions. In addition, ACC members must take steps to secure cyber assets, such as computer systems that control chemical facility operations, and the distribution chain from suppliers to customers, including transportation. Other industry associations have encouraged their members to address security by a variety of means. Most of the 16 associations we spoke to have developed security guidelines and best practices. For example, the International Institute of Ammonia Refrigeration, representing facilities such as food storage warehouses, developed site security guidelines tailored to ammonia refrigeration facilities and provides information about security resources to members. Several industry associations have also developed vulnerability assessment methodologies to assist their member companies in evaluating security needs. For example, the National Petrochemical and Refiners Association, in partnership with the American Petroleum Institute, developed a vulnerability assessment methodology tailored to refiners and petrochemical facilities. Despite industry associations' efforts to encourage or require members to voluntarily address security, the extent of participation in the industry's voluntary initiatives is unclear. Chemical industry officials told us they face a number of challenges in preparing facilities against a terrorist attack. Most of the chemical associations we contacted stated that the cost of security improvements is a challenge for some chemical companies. For example, ACC reports that its members have spent an estimated $2 billion on security improvements since September 11, 2001. Representatives of the American Forest & Paper Association and the National Paint and Coatings Association told us that small companies, in particular, may struggle with the cost of security improvements or the cost of complying with any potential government security programs because they may lack the resources larger companies have to devote to security. Industry stakeholders also cited the need for guidance on what level of security is adequate. While DHS has issued guidance to state Homeland Security Offices and the Chemical Sector Coordinating Council on vulnerabilities and protective measures that are common to most chemical facilities, several stakeholders expressed a desire for guidance on specific security improvements. For example, representatives of the National Petrochemical and Refiners Association stated that one reason the association holds workshops and best practices sessions is to meet the challenge of determining the types of security measures that constitute a reasonable amount of security. In addition, industry officials told us that the lack of threat information makes it difficult for companies to know how to protect facilities. A few industry officials also mentioned limited guidance on conducting vulnerability assessments and difficulty in conducting employee background checks as challenges. One industry association stated that it would like its members to receive guidance from DHS on how to conduct vulnerability assessments. Another association expressed frustration because none of the current vulnerability assessment tools address issues specific to their member facilities, which package and distribute chemicals, and it would like DHS to help develop or approve a methodology for this type of facility. Finally, a number of stakeholders we contacted told us that emergency response preparedness is a challenge for chemical companies. An official with an industry- affiliated research center asserted that emergency responders and communities in the United States are prepared to respond to a toxic release. However, other stakeholders we spoke with stated that many facilities have conducted security vulnerability assessments but may not have done enough emergency response planning and outreach to the responders and communities that would be involved in a release. A 2004 survey by a chemical workers union of workers at 189 RMP facilities found that only 38 percent of respondents indicated that their companies' actions in preparing to respond to a terrorist attack were effective, and 28 percent reported that no employees at their facilities had received training about responding to a terrorist attack since September 11, 2001.[Footnote 9] While environmental laws require emergency response planning for accidental chemical releases, several stakeholders told us facilities need to consider very different scenarios with consequences on different orders of magnitude when planning the emergency response for a terrorist incident. DHS Needs Additional Authority to Ensure That Chemical Facilities Are Addressing Security Issues: Existing laws give DHS limited authority to address chemical sector security, but DHS currently lacks specific authority to require all high-risk facilities to assess their vulnerabilities and take corrective actions, where needed. A number of existing laws outline DHS's responsibilities for coordinating with the private sector and obtaining information on and protecting critical infrastructure, but these laws provide DHS with only limited authority to address security concerns at U.S. chemical facilities. For example, under the Homeland Security Act, the Secretary of DHS is responsible for coordinating homeland security issues with the private sector to ensure adequate planning, equipment, training, and exercise activities.[Footnote 10] Furthermore, the Act gives DHS's Under Secretary for Information Analysis and Infrastructure Protection (IAIP) responsibilities related to protecting critical infrastructure, including: * accessing, receiving, analyzing, and integrating information from federal, state, and local governments and private sector entities to identify, detect, and assess the nature and scope of terrorist threats to the United States; * carrying out comprehensive assessments of the vulnerabilities of the nation's key resources and critical infrastructure; * developing a comprehensive national plan for securing the nation's key resources and critical infrastructure; and: * recommending the necessary measures to protect these key resources and critical infrastructure. DHS does not currently have the authority to require all chemical facilities to conduct vulnerability assessments or to enter chemical facilities without their permission to assess security or to require and enforce security improvements.[Footnote 11] There is also no legislation requiring chemical facilities to provide information about their security and vulnerabilities. Furthermore, except with respect to certain chemical facilities covered under federal security requirements for other critical infrastructures, existing laws do not give DHS the right to enter a chemical facility to assess its vulnerability to a terrorist attack or the authority to require and enforce the implementation of any needed security improvements at these facilities. The Homeland Security Act, with some limited exceptions, does not provide any new regulatory authority to DHS and only transferred the existing regulatory authority of any agency, program, or function transferred to DHS, thereby limiting actions DHS might otherwise be able to take under the Homeland Security Act.[Footnote 12] Therefore, DHS has relied solely on the voluntary participation of the private sector to address facility security. As a result, DHS cannot ensure that all high-risk facilities are assessing their vulnerability to terrorist attacks and taking corrective action, where necessary. DHS has concluded that its existing patchwork of authorities does not permit it to regulate the chemical industry effectively, and that the Congress should enact federal requirements for chemical facilities. Echoing public statements by the Secretary of Homeland Security and the Administrator of EPA in 2002 that voluntary efforts alone are not sufficient to assure the public of the industry's preparedness, in June 2005, both DHS and EPA called for legislation to give the federal government greater authority over chemical facility security.[Footnote 13] Similarly, we concluded in 2003, and continue to believe, that additional federal legislation is needed because of the significant risks posed by thousands of chemical facilities across the country to millions of Americans and because the extent of security preparedness at these facilities is unknown.[Footnote 14] In testimony before the Congress in June 2005, the Acting Undersecretary for IAIP stated that any proposed regulatory structure (1) must recognize that not all facilities within the chemical sector present the same level of risk, and that the most scrutiny should be focused on those facilities that, if attacked, could endanger the greatest number of lives, have the greatest impact on the economy, or present other significant risks; (2) should be based on reasonable, clear, equitable, and measurable performance standards; and (3) should recognize the progress that responsible companies have made to date. He also stated that the performance standards should be enforceable and based on the types and severity of potential risks posed by terrorists, and that facilities should have the flexibility to select among appropriate site-specific security measures that will effectively address those risks. In addition, he said that DHS would need the ability to audit vulnerability assessment activities and a mechanism to ensure compliance with requirements. Stakeholders' Views on Safer Technologies Requirement in Chemical Security Legislation Are Mixed: While many stakeholders--including representatives from industry, research centers, and government--agreed on the need for additional legislation that would place federal security requirements on chemical facilities, they expressed divergent views on whether such legislation should require the use of inherently safer technologies. Implementing inherently safer technologies could potentially lessen the consequences of an attack by reducing the chemical risks present at facilities. The Department of Justice, in introducing a methodology to assess chemical facilities' vulnerabilities, recognized that reducing the quantity of hazardous material may make facilities less attractive to terrorist attack and reduce the severity of an attack. Furthermore, DHS's July 2004 draft Chemical Sector-Specific Plan states that inherently safer chemistry and engineering practices can prevent or delay a terrorist incident, noting that it is important to make sure that facility owners/operators consider alternate ways to reduce risk, such as using inherently safer design, implementing just-in-time manufacturing, or replacing high-risk chemicals with safer alternatives. However, DHS told us that the use of inherently safer technologies tends to shift risks rather than eliminate risks, often with unintended consequences. Some previous chemical security legislative proposals have included a requirement that facility security plans include safer design and maintenance actions, or that facility security plans include "consideration" of alternative approaches regarding safer design. Representatives from three environmental groups told us that facilities have defined security too narrowly, without focusing on reducing facility risks through safer technologies. Noting that no existing laws require facilities to analyze inherently safer options, these representatives believe legislation should require such an analysis and give DHS or EPA the authority to require the implementation of technologies if high-risk facilities are not doing so. Process safety experts at one research organization recognized that reducing facility hazards and the potential consequences of chemical releases makes facilities less vulnerable to attack. However, these experts also explained that inherently safer technologies can be prohibitively expensive and can shift risks onto other facilities or the transportation sector. For example, reducing the amount of chemicals stored at a facility may increase reliance on rail or truck shipments of chemicals. However, the substitution of chemicals such as liquid bleach for chlorine gas at drinking water facilities reduces overall risks. These experts support legislative provisions requiring analysis or consideration of technology options but do not support giving the federal government the authority to require specific technology changes because of the complexity of these decisions. Representatives of two research centers affiliated with the industry told us that while facilities should look at inherently safer technologies when assessing their vulnerability to terrorist attack, safer technologies are not a substitute for security. Industry associations and company officials were strongly opposed to any requirements to use inherently safer technologies. The majority of the industry officials we contacted opposed an inherently safer technologies requirement, with many stating that inherently safer technologies involve a safety issue that is unrelated to facility security. Industry officials voiced concerns about the federal government's second-guessing complex safety decisions made by facility process safety engineers. Representatives from four associations and two companies told us that, in many cases, it is not feasible to substitute safer chemicals or change to safer processes. Certain hazardous chemicals may be essential to necessary chemical processes, while changing chemical processes may require new chemicals that carry different risks. In July 2005 testimony before the Congress, a Synthetic Organic Chemical Manufacturers Association representative explained that while inherently safer technologies are intended to reduce the overall risks at a facility, they could do so only if a chemical hazard was not displaced to another time or location or did not magnify another hazard. Furthermore, process safety experts and representatives from associations and companies report that some safer alternatives are extremely expensive. For example, reducing facility chemical inventories by moving to on-site manufacturing when chemicals are needed can cost millions of dollars, according to a stakeholder. One company also voiced opposition even to a legislative requirement that facilities "consider" safer options. The official explained that the company opposed such a provision--even if legislation does not explicitly give the government the authority to require implementation of safer technologies--because it might leave companies liable for an accident that might have been prevented by a technology option that was considered but not implemented. Conclusions: Despite voluntary efforts by industry associations and a number of DHS programs to assist companies in protecting their chemical facilities, the extent of security preparedness at U.S. chemical facilities remains largely unknown. DHS does not currently have the authority to require the chemical industry to take actions to improve their security. On this basis, DHS has concluded--as we did in 2003 and again in January 2006--that its existing authorities do not allow it to effectively regulate chemical sector security. Since 2002, both DHS and EPA have called for legislation creating security requirements at chemical facilities, and legislation has been introduced without success in every Congress since September 11, 2001. By granting DHS the authority to require high-risk chemical facilities to take security actions, policy makers can better ensure the preparedness of the chemical sector. Furthermore, implementing inherently safer technologies potentially could lessen the consequences of a terrorist attack by reducing the chemical risks present at facilities, thereby making facilities less attractive targets. However, substituting safer technologies can be prohibitively expensive and can shift risks onto other facilities or the transportation sector. Also, in many cases, it may not be feasible to substitute safer chemicals or change to safer processes. Therefore, given the possible security and safety benefits as well as the potential costs to some companies of substituting safer technologies, a collaborative study employing DHS's security expertise and EPA's chemical expertise could help policy makers determine the appropriate role of safer technologies in facility security efforts. Contacts and Acknowledgments: For further information about this statement, please contact John B. Stephenson at (202) 512-3841. Karen Keegan, Omari Norman, Joanna Owusu, Vincent P. Price, and Leigh White made key contributions to this statement. [End of section] Appendix I: Overview of Key Chemical Security Legislative Proposals in the 109th Congress: Since 2001, the Congress has considered a number of legislative proposals that would give the federal government a greater role in ensuring the protection of the nation's chemical facilities. These legislative proposals would have granted DHS or EPA, or one of these agencies in consultation with the other, the authority to require chemical facilities to conduct vulnerability assessments and implement security measures to address their vulnerabilities. In the 109th Congress, five bills have been introduced but have not yet been acted upon: H.R. 1562, H.R. 2237, S. 2145, H.R. 4999, and S. 2486. Table 1: Major provisions: General requirements; H.R. 1562: High-priority facilities would be required to submit vulnerability assessments and security plans to DHS; other chemical sources would be required to self-certify completion of assessments and plans and provide DHS copies upon request; H.R. 2237: High-priority facilities would be required to submit vulnerability assessments and to certify that they have prepared prevention, preparedness, and response plans to EPA; S. 2145 / H.R. 4999: Designated chemical sources would be required to submit vulnerability assessments, security plans, and emergency response plans to DHS. The assessment and security plan would be required to address security performance standards established by DHS for each risk-based tier. Chemical sources would be required to self- certify completion of assessments and plans. Major provisions: Role of DHS and EPA; H.R. 1562: DHS, in consultation with EPA, would identify high-priority categories of facilities; DHS would receive and review assessments and plans; H.R. 2237: EPA, in consultation with DHS and state and local agencies, would identify high-priority categories of facilities; EPA would receive assessments and certifications; S. 2145 / H.R. 4999: DHS would designate facilities as chemical sources and assign each chemical source to a risk-based tier. DHS would receive and review assessments, plans and certifications. EPA would have no role. Major provisions: Compliance enforcement; H.R. 1562: DHS would, when and where it deems appropriate, conduct or require the conduct of vulnerability assessments and other activities to ensure and evaluate compliance; DHS could disapprove a vulnerability assessment or site security plan; following written notification and consultation with the owner or operator, DHS could issue a compliance order; H.R. 2237: Not later than 3 years after the deadline for submission of vulnerability assessments and response plans, EPA, in consultation with DHS, would review and certify compliance of each assessment and plan; following consultation with DHS, and 30 days after providing notification to the facility and providing advice and technical assistance to bring the assessment or plan into compliance and address threats, EPA could issue a compliance order; S. 2145 / H.R. 4999: DHS would review and approve or disapprove all vulnerability assessments, security plans, and emergency response plans for facilities in higher risk tiers within one year, and within five years for all other facilities. DHS would be required to disapprove of any vulnerability assessment, site security plan, or emergency response plan not in compliance with the vulnerability assessment, site security plan, and emergency response plan requirements. For higher risk facilities, if DHS disapproves the assessment or plans, the Secretary could issue an order to a chemical source to cease operation. For other facilities, the Secretary could issue an order to a chemical source to cease operation, but only after a process of written notification, consultation and time for compliance. Major provisions: Penalties for noncompliance; H.R. 1562: Would provide for court awarded civil penalties up to $50,000 per day for failure to comply with an order, site security plan, or other recognized procedures, protocols, or standards, and administrative penalties up to $250,000 for failure to comply with an order; H.R. 2237: Would provide for court awarded civil penalties up to $25,000 per day, criminal penalties, and administrative penalties (if the total civil penalties do not exceed $125,000) for failure to comply with an order; S. 2145 / H.R. 4999: Would provide for court awarded civil penalties up to $50,000 per day, and administrative penalties of not more than $25,000 per day (not to exceed $1 million per year) for failure to comply with a DHS order or directive issued under the act. Also calls for criminal penalties of up to $50,000 in fines per day, imprisonment for not more than two years, or both for knowingly violating an order or failing to comply with a site security plan. Major provisions: Inherently safer technologies requirements; H.R. 1562: None; H.R. 2237: Response plans would be required to include a description of safer design and maintenance options considered and reasons those options were not implemented; EPA would be required to establish a clearinghouse for information on inherently safer technologies and would be authorized to provide grants to assist chemical facilities demonstrating financial hardship in implementing inherently safer technologies; S. 2145 / H.R. 4999: None. Major provisions: Information protections; H.R. 1562: Would exempt information obtained from disclosure under the Freedom of Information Act (FOIA) or otherwise, or from disclosure under state or local laws; information would also not be subject to discovery or admitted into evidence in any federal or state civil judicial or administrative procedure other than in civil compliance action brought by DHS. Calls for DHS, in consultation with others, to establish confidentiality protocols; H.R. 2237: Would exempt information obtained from disclosure under FOIA; calls for EPA, in consultation with DHS, to establish information protection protocols; S. 2145 / H.R. 4999: Would exempt information obtained from disclosure under FOIA, or from disclosure under state or local laws. Certifications submitted by the chemical sources, orders for failure to comply, and certificates of compliance and other orders would generally be made available to the public. Calls for DHS, in consultation with the Director of the Office of Management and Budget and appropriate federal law enforcement officials, to create confidentiality protocols for the maintenance and use of records; would establish penalties for the unlawful disclosure of protected information. Major provisions: Equivalence of industry codes; H.R. 1562: Upon petition, DHS would be required to endorse other industry, state, or federal protocols or standards that the Secretary of DHS determines to be substantially equivalent; H.R. 2237: None; S. 2145 / H.R. 4999: Would allow the Secretary to determine that vulnerability assessments, security plans, and emergency response plans prepared under alternative security programs meet the act's requirements and to permit submissions or modifications to the assessments or plans. Major provisions: Other; H.R. 1562: Would grant DHS right of entry; would exempt facilities that are subject to MTSA (port facilities) or the Bioterrorism Act (community water systems). Except with respect to protection of information, would not affect requirements imposed under state law; H.R. 2237: Would grant EPA right of entry; would authorize EPA to provide grants for training of first responders and employees at chemical facilities; would not affect requirements imposed under state law; S. 2145 / H.R. 4999: Would grant DHS right of entry; would exempt facilities that are subject to MTSA from certain area security requirements but these facilities would otherwise comply with the act's requirements. Would preserve the right of States to adopt chemical security requirements that are more stringent than the Federal standard, as long as the State standard does not conflict with the Federal standard. Source: GAO analysis of proposed legislation. [End of table] S. 2486, introduced on March 30, 2006, would impose a general duty on chemical facility owners and operators, in the same manner as the duty under the Clean Air Act's Section 112(r), to identify hazards that may result from a criminal release, ensure the design, operation, and maintenance of safe facilities by taking such actions as are necessary to prevent criminal releases, and eliminate or significantly reduce the consequences of any criminal release that does occur. S. 2486 also directs DHS to work with EPA, as well as state and local agencies, to identify not fewer than 3,000 high priority chemical facilities. These facilities would be required to take adequate actions (including the design, operation, and maintenance of safe facilities), to detect, prevent, or eliminate or significantly reduce the consequences of criminal releases and to submit a report to DHS that includes a vulnerability assessment; a hazards assessment; a prevention, preparedness, and response plan; statements as to how the response plan meets regulatory requirements and general duty requirements; and a discussion of the consideration of the elements of design, operation, and maintenance of safe facilities. "Design, operation, and maintenance of safe facilities" is defined as practices of preventing or reducing the possibility of a release through use of inherently safer technologies, among other things. DHS would certify compliance and DHS and EPA would establish a program to conduct inspections of facilities. The bill also provides for civil penalties, administrative penalties, and criminal penalties (including imprisonment for up to 2 years for first violations and up to 4 years for subsequent violations), for owners or operators of high priority facilities who fail to comply with an order. Also in the 109th Congress, the conference committee for H.R. 2360, making appropriations for DHS for fiscal year 2006, directed DHS to: * submit a report to the Senate and House Committees on Appropriations by February 10, 2006, describing (1) the resources needed to implement mandatory security requirements for the chemical sector and to create a system for auditing and ensuring compliance with the security standards and (2) the security requirements and any reasons why the requirements should differ from those already in place for chemical facilities that operate in a port zone; * complete vulnerability assessments of the highest risk U.S. chemical facilities by December 2006, giving preference to facilities that, if attacked, pose the greatest threat to human life and the economy; and: * complete a national security strategy for the chemical sector by February 10, 2006.[Footnote 15] FOOTNOTES [1] GAO, Homeland Security: DHS Is Taking Steps to Enhance Security at Chemical Facilities, but Additional Authority Is Needed, GAO-06-150 (Washington, D.C.: January 27, 2006). [2] Pub. L. No. 107-296, § 101(b), 116 Stat. 2135, 2142 (2002). [3] Homeland Security Presidential Directive Number 7, section 27 (Washington, D.C.: Dec. 17, 2003). [4] Homeland Security Presidential Directive Number 7, section 15 (Washington, D.C.: Dec. 17, 2003). [5] As of November 2005, Chemical Sector Coordinating Council members included the Adhesive and Sealant Council; the American Chemistry Council; the American Forest & Paper Association; the Chemical Producers and Distributors Association; the Chlorine Chemistry Council; the Chlorine Institute; the Compressed Gas Association; CropLife America; the Fertilizer Institute; the Institute of Makers of Explosives; the International Institute of Ammonia Refrigeration; the National Association of Chemical Distributors; the National Paint and Coatings Association; the National Petrochemical and Refiners Association; the Society of the Plastics Industry, Inc; and the Synthetic Organic Chemical Manufacturers Association. Three associations--the Adhesive and Sealant Council, the International Institute of Ammonia Refrigeration, and the National Paint and Coatings Association--were not able to identify a member company willing to speak with us. [6] GAO, Homeland Security: Voluntary Initiatives Are Under Way at Chemical Facilities, but the Extent of Security Preparedness Is Unknown, GAO-03-439 (Washington, D.C.: Mar. 14, 2003). [7] See 42 U.S.C. § 7412 (r)(1). [8] Our March 2003 report on chemical security recommended that DHS develop a comprehensive national chemical security strategy that is both practical and cost-effective. We recommended that the strategy identify high-risk facilities, collect information on industry security preparedness, specify the roles and responsibilities of each federal agency partnering with the chemical industry, and develop appropriate information-sharing mechanisms. If the final Chemical Sector-Specific Plan includes the elements DHS has described, it should meet the criteria set out in this recommendation. [9] Paper, Allied-Industrial, Chemical, and Energy Workers International Union, PACE International Union Survey: Workplace Incident Prevention and Response Since 9/11 (October 2004). [10] All standards activities are to be conducted in conformance with section 12(d) of the National Technology Transfer Act of 1995, which states that federal agencies generally must use technical standards-- performance-based or design-specific technical specifications and related management systems practices--developed or adopted by voluntary consensus standards bodies as a means to carry out policy objectives or activities, consulting and participating with such bodies in the development of technical standards when such participation is in the public interest and compatible with the agency's authorities and budget resources. See 6 U.S.C. §112(g) and 15 U.S.C. § 272 note. [11] Under the Maritime Transportation Security Act, DHS's Coast Guard requires maritime facility owners/operators to conduct assessments of vulnerabilities, develop security plans, and implement security measures. The Coast Guard also has the authority to enter facilities. However, the Coast Guard reports that these requirements currently apply to only 300 chemical facilities. [12] The Secretary may issue regulations for antiterrorism technology and may issue necessary regulations with respect to research; development; demonstration; testing; and evaluation activities of the department, including the conducting, reviewing, and funding of such activities. [13] Testimony before the House Committee on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity and the Senate Committee on Homeland Security and Governmental Affairs on June 15, 2005. [14] GAO-03-439. [15] H.R. Conf. Rep. No. 109-24 (2005). GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to www.gao.gov and select "Subscribe to Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S. Government Accountability Office, 441 G Street NW, Room 7125 Washington, D.C. 20548: Public Affairs: Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: