In a rare bipartisan gesture, on December 11, 2014, the House of Representatives unanimously passed H.R. 4007, the “Protecting and Securing Chemicals Facilities from Terrorist Attacks Act of 2014” (“Act”), which the Senate had passed previously. President Obama signed the legislation into law on December 18. The Act is the product of more than six years of Congressional wrangling over reauthorization and potential expansion of the existing Department of Homeland Security (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program. DHS can now focus on implementing the beleaguered program.
For the next four years, the Act provides a solid legislative basis for the CFATS program, which originated in a 2002 appropriations bill. It builds on the existing program, 6 C.F.R. Part 27, by requiring employee input and adding time deadlines for DHS action to review and approve submissions under that program. It also requires certifications by submitters. It authorizes DHS to share information with state and local governments and first responders, while otherwise protecting submitted information from disclosure. It adds whistleblower protections and preempts more stringent state and local requirements only where there is an actual conflict with the federal program.
But the Act is at least as notable for what it does not do as what it does do. The scope is not expanded beyond the current scope to cover ports, public water systems, or water treatment works, as had been advocated for several years. Moreover, the Act does not require existing covered chemical facilities to adopt inherently safer technology (IST) as contemplated in some prior legislative proposals. This constitutes a major victory for industry trade groups and other opponents of an expansion of the existing CFATS program. The American Chemistry Council commented,
We applaud Congress for coming together to pass a long-term solution for regulating security that will help create a stronger foundation for CFATS. In addition to providing a more solid footing for the Department of Homeland Security to implement CFATS, the bill will help the Department improve its outreach to chemical facilities and the process for vetting personnel.
What is Inherently Safer Technology?
IST has been at the heart of disputes over the CFATS program from its inception. The term refers to technological and procedural steps designed to reduce the potential for a hazardous chemical release. The National Research Council explained IST as follows:
The most desirable solution to preventing chemical releases is to reduce or eliminate the hazard where possible, not to control it. This can be achieved by modifying processes where possible to minimize the amount of hazardous material used, lower the temperatures and pressures required, replace a hazardous substance with a less hazardous substitute, or minimize the complexity of a chemical process.
The chemical industry has long supported IST as a design concept for construction of new or modified chemical plants. There has, however, been a longstanding conflict between industry and NGOs over whether government programs should mandate IST retrofits to existing facilities. Some trade groups have argued that the industry’s existing incentives to produce safe, useful products and avoid liability for any resulting hazards naturally place the responsibility for risk management on those who have the most relevant technical expertise.
On the other hand, some NGOs advocate for mandatory IST retrofitting, arguing that “The only certain way to protect our communities is to remove the possibility of a toxic gas release by converting facilities to safer, more secure alternative technologies.”
Fights Over IST After September 11, 2001
Chemical facility security legislation was introduced shortly after the events of September 11, 2001. Competing bills from the 107th, 108th, and 109th Congresses were characterized by disputes over which agency should run the program (some bills would have allocated authority to EPA, others to DHS), the scope and details of the program, and particularly whether the program would mandate the retrofitting of existing chemical products production facilities to incorporate IST.
The deadlock over IST persisted into the 109th Congress, and ultimately motivated legislators to opt for a provisional approach, inserting a short section into the annual DHS appropriations bill to convey regulatory authority to DHS on a temporary basis, expiring “three years after the date of enactment,” October 4, 2006. The result, Section 550 of the DHS Appropriations Act of 2007, was sparse on programmatic details, in effect giving DHS wide latitude to interpret its mandate and define the contours of the program.
Initial Authorization for CFATS
Section 550 directed DHS to establish “risk-based performance standards” and require facilities first to conduct security vulnerability assessments and then to propose and implement site security plans. While section 550 gave DHS authority to approve or reject a facility’s site security plan, the provision expressly prohibited DHS from requiring any particular security measure in a particular situation. DHS has interpreted this to include a prohibition on adopting an IST requirement in its CFATS regulations. Section 550 gave DHS discretion to determine which facilities present sufficiently high security risks to be subject to its requirements, with no instructions to involve EPA in any decisions.
Implementation of the Existing CFATS Program
DHS quickly promulgated regulations established the resulting CFATS program in 2007. The application of CFATS requirements begins with the determination that a facility uses or plans to use any of a long list of “chemicals of interest” at or above particular screening threshold quantities. Any facility that meets the screening threshold quantity of a given chemical of interest is required to submit a “Top Screen” report, a preliminary risk assessment that DHS uses to decide which facilities present a sufficient security risk to be subject to the security vulnerability assessment and site security plan requirements. For facilities that are required to submit and implement a site security plan, the plan must be designed to repel potential attacks by securing the facility’s perimeter, restricting access, and monitoring. The current CFATS regulations do not require consideration of IST.
DHS’s implementation of CFATS regulations has been troubled. In early 2010, DHS officials acknowledged that the programs risk assessment model contained a computational error that caused DHS to overestimate the risk of a terrorist attack for about 250 facilities. Later in 2010, a critical internal report revealed that DHS had wasted taxpayer dollars on unnecessary equipment, hired unqualified employees, relied too heavily on contractors, lacked effective or professional leadership, and had yet to approve a single security plan. In late 2012, DHS discovered yet another computation error that affected the risk assessment for about 150 chemical facilities. In March 2013, DHS’s Inspector General released another report, noting a continuing backlog in program approval, lack of employee training, and faulty management, among other deficiencies. Most recently, in July 2014, Senator Tom Coburn (R-OK) released a scathing report arguing that CFATS did not reduce the risk of terrorism, but rather merely shifted the risks to other parts of the chemical sector; that CFATS regulates the wrong facilities; that the Program’s risk assessments are non-transparent and riddled with errors; and that the Program has consistently failed to timely validate security plans or inspect facilities.
Legislative Efforts Leading Up to the Recent Legislation
Since its original enactment as part of an appropriations bill in 2007, there has been much legislative wrangling over the contours of the Program. As during the lead-up to the adoption of section 550, this debate has been characterized by disputes over the scope of the CFATS program, and particularly the mandatory adoption of IST in existing covered chemical facilities. The authorization for CFATS has been extended by appropriations rider every year during this Congressional debate over more permanent legislation.
This perennial debate over IST began to draw to a close when Representative Patrick Meehan (R-PA) introduced H.R. 4007 in February 2014. The bill passed the House by a bipartisan voice-vote in July of 2014. Chairperson Senator Carper of the Senate Committee on Homeland Security and Governmental Affairs amended the bill by complete substitution, and the Senate version passed the Senate on December 10, 2014. The House again voted by voice-vote to approve the Senate version on December 11, and on December 18 President Obama signed the bill into law.
The “Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014”
Under the Act, authority to implement the CFATS program remains with the DHS, and funding for the Program is extended for four years. According to the Congressional Budget Office, implementation of the CFATS program is estimated to cost $349 million over fiscal years 2015 to 2019.
Many features of the Act are very similar or identical to the existing CFATS program as set forth in the DHS CFATS regulations. Specifically, under the Act, DHS is required to (1) identify “covered chemical facilities”; (2) establish tiered, risk-based performance standards intended to protect covered facilities from acts of terrorism and other security risks; and (3) to require such covered facilities to submit security vulnerability assessments and develop and implement site security plans. As under the current regulations, DHS is also authorized to approve an alternative security program established by a private-sector entity or a federal, state, or local authority, provided the alternative plan meets the requirement of the Act.
The Act goes beyond existing DHS regulations in several respects:
It requires DHS to issue guidance for expedited approval of covered facilities in risk-tiers 3 and 4;
It requires DHS to consult with other federal and state agencies, business associations, and labor organizations, to identify “chemical facilities of interest”;
It provides requirements for oversight and training of contractors acting as auditors and inspectors under the Program;
It establishes a “Personnel Surety Program” pursuant to which the owner or operator of a covered chemical facility may satisfy employee screening obligations without submitting information about a given employee more than one time;
It allows the owner or operator of a covered chemical facility to satisfy employee screening obligations by relying on any federal screening program that periodically vets individuals against the terrorist screening database;
It expressly provides that information submitted to DHS pursuant to the Act shall be protected from public disclosure;
It requires DHS to establish a reporting procedure for whistleblowers;
It defines “small covered chemical facility” to mean a covered facility with fewer than 100 employees that is owned and operated by a small business concern, as defined in 15 U.S.C. § 632, and authorizes DHS to provide assistance to such facilities through guidance, tools, methodologies, or software, to assist in the development of required physical security, cybersecurity, recordkeeping and reporting procedures; 
It requires the Secretary of DHS to submit a report to Congress no later than 18 months after the effective date, in which the Secretary certifies that DHS has made significant progress in the implementation of the Act.
The existing CFATS regulations will remain in effect until amended or repealed by DHS, though the Act requires DHS to repeal any regulation that is duplicative of or in conflict with the provision of the Act.
Notably, the Act does not include several features that had been proposed by NGOs and certain Democratic legislators. Most prominently, the Act does not include any requirement that covered chemical facilities adopt IST. Nor does the Act expand the scope of the Program to other types of facilities, such as ports or power plants, as some competing legislative proposals would have done.
The Act’s preemption provision provides that the Act does not preempt state or local requirements related to chemical facility security that are more stringent than the CFATS program unless there is an actual conflict with the federal requirements.
What’s Next for DHS?
Now that DHS has a statutory basis for its CFATS program, DHS will be focusing on improving that program, as well as addressing particular obligations introduced in the Act.
In light of criticism about its performance, DHS has been working to improve its implementation of CFATS, in part by reducing the backlog of security plan approvals.
In addition, DHS is reviewing comments that it received on ways to improve the CFATS program following publication of an advance notice of proposed rulemaking in August 2014. That notice came at the direction of an Executive Order directing DHS, as well as EPA and OSHA, to strengthen their program to protect chemical facility safety and security.
 The Act as passed by the Senate is available here.
 For our reports on previous legislation, see “Chemical Plant Security Legislation: Where We’ve Been, Where We Are, Where We’re Going” (Apr. 29, 2009); “Chemical Plant Security Legislation - On the Move” (July 2, 2009); “Congress Poised to Defer Permanent Chemical Plant Security Legislation Until 2010” (July 10, 2009); “House of Representatives Passes Chemical Plant and Water Utility Security Legislation” (Nov. 17, 2009); “Chemical Plant Security Legislation Advances with Companion Bill on Drinking Water Utilities” (Oct. 26, 2009); “Debate over Chemical Plant Security Moves to the Senate” (Apr. 21, 2010); “Chemical Plant and Water Facility Security Legislation in the Senate” (Aug. 18, 2010); “Chemical Plant Security Returns to the Congressional Agenda” (June 10, 2011).
 See ACC press release here.
 National Research Council, Terrorism and the Chemical Infrastructure: Protecting People and Reducing Vulnerabilities (2006), at 7.
 For a brief history of IST, see Center for Chemical Process Safety (CCPS), Inherently Safer Chemical Process: A Life Cycle Approach (2d ed. 2008), § 1.4. See also testimony by Dennis C. Hendershot and Scott Berger, CCPS, before the Senate Environment and Public Works Committee, 109th Cong. (June 21, 2006), available here.
 Paul Orum & Reece Rushing, Center for American Progress, “Chemical Security 101: What You Don’t Have Can’t Leak, or Be Blown Up by Terrorists” (Nov. 2008).
 Department of Homeland Security Appropriations Act, 2007, § 550, Pub. L. No. 109-295, 6 U.S.C. § 121 note.
 72 Fed. Reg. 17688, 17719 (Apr. 9, 2007) (“Section 550 prohibits the Department from disapproving a site security plan ‘based on the presence or absence of a particular security measure,’ including inherently safer technologies. See Section 550(a). Even so, covered chemical facilities are certainly free to consider IST options, and their use may reduce risk and regulatory burdens.”).
 72 Fed. Reg. 17688 (Apr. 9, 2007), amended at 72 Fed. Reg. 65396 (Nov. 20, 2007), clarified at 73 Fed. Reg. 15051 (Mar. 21, 2008) (codified as 6 C.F.R. Part 27).
 6 C.F.R. § 27.105.
 Id. § 27.200.
 Id. § 27.230.
 Government Accountability Office, “Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened,” GAO-13-353, at 10 (2013).
 Memorandum from Penny J. Anderson, Director, DHS Infrastructure Security and Compliance Division, and David M. Wulf, Deputy Director, DHS Infrastructure Security and Compliance Division to Rand Beers, Undersecretary, DHS National Protection & Programs Directorate, and Todd Keil, Assistant Secretary, DHS Office of Infrastructure Protection, “Challenges Facing ISCD, and the Path Forward” (Nov. 10, 2011), cited in Committee on Homeland Security and Governmental Affairs, “Chemical Facilities Anti-Terrorism Standards Program Authorization and Accountability Act of 2014,” S. Rep. 113-263, at 5.
 See supra footnote 5 at 10.
 Office of the Inspector General, DHS, “Effectiveness of the Infrastructure Security Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program,” OIG-13-55 (Mar. 25, 2013).
 See “An Assessment of Efforts to Secure the Nation’s Chemical Facilities From Terrorist Threats” (July 2014).
 For a detailed account of various legislative proposals throughout 2009-2010, see http://www.bdlaw.com/news-625.html and http://www.bdlaw.com/news-945.html.
 Act § 2, adding § 2102(c)(3)(B) to the Homeland Security Act of 2002, 6 U.S.C § 101 et seq.
 Act, § 2, adding § 2102(e)(1).
 Act, § 2, adding § 2102(d).
 Act, § 2, adding § 2102(d)(2)(A).
 Act, § 2, adding § 2102(d)(2)(B)(i)(I).
 Act, § 2, adding §2013.
 Act, § 2, adding § 2105.
 Act, § 2, adding § 2108.
 Act, § 3.
 Act, § 2, adding § 2107.
 Act, § 2, adding § 2016(b).
 See Congressional Research Service, “Implementation of Chemical Facility Anti-Terrorism Standards" (CFATS); Issues for Congress (Oct. 14, 2014), at 2, (“As of October 2014, DHS had authorized 2,216 site security plans; conducted 1,592 authorization inspections; and approved 1,192 site security plans. Between October 2013 and October 2014, DHS authorized an average of 122 and approved an average of 70 site security plans per month. The DHS has generally increased its average authorization and approval rate over time; between April 2014 and October 2014, DHS authorized an average of 147 and approved an average of 91 site security plans per month. Between September 2014 and October 2014, DHS authorized 177 and approved 132 site security plans.”).
 79 Fed. Reg. 48693 (Aug. 18, 2014).
 Executive Order 13650, 78 Fed. Reg. 48029 (Aug. 1, 2013).