Congress Finally Enacts Chemical Facility Security Legislation

by Beveridge & Diamond PC

In a rare bipartisan gesture, on December 11, 2014, the House of Representatives unanimously passed H.R. 4007, the “Protecting and Securing Chemicals Facilities from Terrorist Attacks Act of 2014” (“Act”), which the Senate had passed previously.[1]  President Obama signed the legislation into law on December 18.  The Act is the product of more than six years of Congressional wrangling over reauthorization and potential expansion of the existing Department of Homeland Security (DHS) Chemical Facility Anti-Terrorism Standards (CFATS) program.[2]  DHS can now focus on implementing the beleaguered program.

For the next four years, the Act provides a solid legislative basis for the CFATS program, which originated in a 2002 appropriations bill.  It builds on the existing program, 6 C.F.R. Part 27, by requiring employee input and adding time deadlines for DHS action to review and approve submissions under that program.  It also requires certifications by submitters.  It authorizes DHS to share information with state and local governments and first responders, while otherwise protecting submitted information from disclosure.  It adds whistleblower protections and preempts more stringent state and local requirements only where there is an actual conflict with the federal program.

But the Act is at least as notable for what it does not do as what it does do.  The scope is not expanded beyond the current scope to cover ports, public water systems, or water treatment works, as had been advocated for several years.  Moreover, the Act does not require existing covered chemical facilities to adopt inherently safer technology (IST) as contemplated in some prior legislative proposals.  This constitutes a major victory for industry trade groups and other opponents of an expansion of the existing CFATS program.  The American Chemistry Council commented,

We applaud Congress for coming together to pass a long-term solution for regulating security that will help create a stronger foundation for CFATS.  In addition to providing a more solid footing for the Department of Homeland Security to implement CFATS, the bill will help the Department improve its outreach to chemical facilities and the process for vetting personnel.[3]

What is Inherently Safer Technology?

IST has been at the heart of disputes over the CFATS program from its inception.  The term refers to technological and procedural steps designed to reduce the potential for a hazardous chemical release.  The National Research Council explained IST as follows:

The most desirable solution to preventing chemical releases is to reduce or eliminate the hazard where possible, not to control it.  This can be achieved by modifying processes where possible to minimize the amount of hazardous material used, lower the temperatures and pressures required, replace a hazardous substance with a less hazardous substitute, or minimize the complexity of a chemical process.[4]

The chemical industry has long supported IST as a design concept for construction of new or modified chemical plants.[5]  There has, however, been a longstanding conflict between industry and NGOs over whether government programs should mandate IST retrofits to existing facilities.  Some trade groups have argued that the industry’s existing incentives to produce safe, useful products and avoid liability for any resulting hazards naturally place the responsibility for risk management on those who have the most relevant technical expertise. 

On the other hand, some NGOs advocate for mandatory IST retrofitting, arguing that “The only certain way to protect our communities is to remove the possibility of a toxic gas release by converting facilities to safer, more secure alternative technologies.”[6]

Fights Over IST After September 11, 2001

Chemical facility security legislation was introduced shortly after the events of September 11, 2001.  Competing bills from the 107th, 108th, and 109th Congresses were characterized by disputes over which agency should run the program (some bills would have allocated authority to EPA, others to DHS), the scope and details of the program, and particularly whether the program would mandate the retrofitting of existing chemical products production facilities to incorporate IST.

The deadlock over IST persisted into the 109th Congress, and ultimately motivated legislators to opt for a provisional approach, inserting a short section into the annual DHS appropriations bill to convey regulatory authority to DHS on a temporary basis, expiring “three years after the date of enactment,” October 4, 2006.[7]  The result, Section 550 of the DHS Appropriations Act of 2007, was sparse on programmatic details, in effect giving DHS wide latitude to interpret its mandate and define the contours of the program.[8]

Initial Authorization for CFATS

Section 550 directed DHS to establish “risk-based performance standards” and require facilities first to conduct security vulnerability assessments and then to propose and implement site security plans.  While section 550 gave DHS authority to approve or reject a facility’s site security plan, the provision expressly prohibited DHS from requiring any particular security measure in a particular situation.  DHS has interpreted this to include a prohibition on adopting an IST requirement in its CFATS regulations.[9]  Section 550 gave DHS discretion to determine which facilities present sufficiently high security risks to be subject to its requirements, with no instructions to involve EPA in any decisions. 

Implementation of the Existing CFATS Program

DHS quickly promulgated regulations established the resulting CFATS program in 2007.[10]  The application of CFATS requirements begins with the determination that a facility uses or plans to use any of a long list of “chemicals of interest” at or above particular screening threshold quantities.[11]  Any facility that meets the screening threshold quantity of a given chemical of interest is required to submit a “Top Screen” report, a preliminary risk assessment that DHS uses to decide which facilities present a sufficient security risk to be subject to the security vulnerability assessment and site security plan requirements.[12]  For facilities that are required to submit and implement a site security plan, the plan must be designed to repel potential attacks by securing the facility’s perimeter, restricting access, and monitoring.[13]  The current CFATS regulations do not require consideration of IST.

DHS’s implementation of CFATS regulations has been troubled.  In early 2010, DHS officials acknowledged that the programs risk assessment model contained a computational error that caused DHS to overestimate the risk of a terrorist attack for about 250 facilities.[14]  Later in 2010, a critical internal report revealed that DHS had wasted taxpayer dollars on unnecessary equipment, hired unqualified employees, relied too heavily on contractors, lacked effective or professional leadership, and had yet to approve a single security plan.[15]  In late 2012, DHS discovered yet another computation error that affected the risk assessment for about 150 chemical facilities.[16]  In March 2013, DHS’s Inspector General released another report, noting a continuing backlog in program approval, lack of employee training, and faulty management, among other deficiencies.[17]  Most recently, in July 2014, Senator Tom Coburn (R-OK) released a scathing report arguing that CFATS did not reduce the risk of terrorism, but rather merely shifted the risks to other parts of the chemical sector; that CFATS regulates the wrong facilities; that the Program’s risk assessments are non-transparent and riddled with errors; and that the Program has consistently failed to timely validate security plans or inspect facilities.[18]

Legislative Efforts Leading Up to the Recent Legislation

Since its original enactment as part of an appropriations bill in 2007, there has been much legislative wrangling over the contours of the Program.[19]  As during the lead-up to the adoption of section 550, this debate has been characterized by disputes over the scope of the CFATS program, and particularly the mandatory adoption of IST in existing covered chemical facilities.  The authorization for CFATS has been extended by appropriations rider every year during this Congressional debate over more permanent legislation.

This perennial debate over IST began to draw to a close when Representative Patrick Meehan (R-PA) introduced H.R. 4007 in February 2014.  The bill passed the House by a bipartisan voice-vote in July of 2014.  Chairperson Senator Carper of the Senate Committee on Homeland Security and Governmental Affairs amended the bill by complete substitution, and the Senate version passed the Senate on December 10, 2014.  The House again voted by voice-vote to approve the Senate version on December 11, and on December 18 President Obama signed the bill into law. 

The “Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014”

Under the Act, authority to implement the CFATS program remains with the DHS, and funding for the Program is extended for four years.  According to the Congressional Budget Office, implementation of the CFATS program is estimated to cost $349 million over fiscal years 2015 to 2019. 

Many features of the Act are very similar or identical to the existing CFATS program as set forth in the DHS CFATS regulations.  Specifically, under the Act, DHS is required to (1) identify “covered chemical facilities”; (2) establish tiered, risk-based performance standards intended to protect covered facilities from acts of terrorism and other security risks; and (3) to require such covered facilities to submit security vulnerability assessments and develop and implement site security plans.  As under the current regulations, DHS is also authorized to approve an alternative security program established by a private-sector entity or a federal, state, or local authority, provided the alternative plan meets the requirement of the Act. 

The Act goes beyond existing DHS regulations in several respects:

  • It requires DHS to issue guidance for expedited approval of covered facilities in risk-tiers 3 and 4;[20]
  • It requires DHS to consult with other federal and state agencies, business associations, and labor organizations, to identify “chemical facilities of interest”;[21]
  • It provides requirements for oversight and training of contractors acting as auditors and inspectors under the Program;[22]
  • It establishes a “Personnel Surety Program” pursuant to which the owner or operator of a covered chemical facility may satisfy employee screening obligations without submitting information about a given employee more than one time;[23]
  • It allows the owner or operator of a covered chemical facility to satisfy employee screening obligations by relying on any federal screening program that periodically vets individuals against the terrorist screening database;[24]
  • It expressly provides that information submitted to DHS pursuant to the Act shall be protected from public disclosure;[25]
  • It requires DHS to establish a reporting procedure for whistleblowers;[26]
  • It defines “small covered chemical facility” to mean a covered facility with fewer than 100 employees that is owned and operated by a small business concern, as defined in 15 U.S.C. § 632, and authorizes DHS to provide assistance to such facilities through guidance, tools, methodologies, or software, to assist in the development of required physical security, cybersecurity, recordkeeping and reporting procedures; [27]
  • It requires the Secretary of DHS to submit a report to Congress no later than 18 months after the effective date, in which the Secretary certifies that DHS has made significant progress in the implementation of the Act.[28]

The existing CFATS regulations will remain in effect until amended or repealed by DHS, though the Act requires DHS to repeal any regulation that is duplicative of or in conflict with the provision of the Act.[29]

Notably, the Act does not include several features that had been proposed by NGOs and certain Democratic legislators.  Most prominently, the Act does not include any requirement that covered chemical facilities adopt IST.  Nor does the Act expand the scope of the Program to other types of facilities, such as ports or power plants, as some competing legislative proposals would have done.  

The Act’s preemption provision provides that the Act does not preempt state or local requirements related to chemical facility security that are more stringent than the CFATS program unless there is an actual conflict with the federal requirements.[30]

What’s Next for DHS?

Now that DHS has a statutory basis for its CFATS program, DHS will be focusing on improving that program, as well as addressing particular obligations introduced in the Act.

In light of criticism about its performance, DHS has been working to improve its implementation of CFATS, in part by reducing the backlog of security plan approvals.[31]

In addition, DHS is reviewing comments that it received on ways to improve the CFATS program following publication of an advance notice of proposed rulemaking in August 2014.[32]  That notice came at the direction of an Executive Order directing DHS, as well as EPA and OSHA, to strengthen their program to protect chemical facility safety and security.[33]

[1] The Act as passed by the Senate is available here.

[2] For our reports on previous legislation, see “Chemical Plant Security Legislation: Where We’ve Been, Where We Are, Where We’re Going” (Apr. 29, 2009); “Chemical Plant Security Legislation - On the Move” (July 2, 2009); “Congress Poised to Defer Permanent Chemical Plant Security Legislation Until 2010” (July 10, 2009); “House of Representatives Passes Chemical Plant and Water Utility Security Legislation” (Nov. 17, 2009); “Chemical Plant Security Legislation Advances with Companion Bill on Drinking Water Utilities” (Oct. 26, 2009); “Debate over Chemical Plant Security Moves to the Senate” (Apr. 21, 2010); “Chemical Plant and Water Facility Security Legislation in the Senate” (Aug. 18, 2010); “Chemical Plant Security Returns to the Congressional Agenda” (June 10, 2011).

[3] See ACC press release here.

[4] National Research Council, Terrorism and the Chemical Infrastructure: Protecting People and Reducing Vulnerabilities (2006), at 7. 

[5] For a brief history of IST, see Center for Chemical Process Safety (CCPS), Inherently Safer Chemical Process:  A Life Cycle Approach (2d ed. 2008), § 1.4. See also testimony by Dennis C. Hendershot and Scott Berger, CCPS, before the Senate Environment and Public Works Committee, 109th Cong. (June 21, 2006), available here.

[6] Paul Orum & Reece Rushing, Center for American Progress, “Chemical Security 101:  What You Don’t Have Can’t Leak, or Be Blown Up by Terrorists” (Nov. 2008).

[7] Department of Homeland Security Appropriations Act, 2007, § 550, Pub. L. No. 109-295, 6 U.S.C. § 121 note.

[8] Id.

[9] 72 Fed. Reg. 17688, 17719 (Apr. 9, 2007) (“Section 550 prohibits the Department from disapproving a site security plan ‘based on the presence or absence of a particular security measure,’ including inherently safer technologies.  See Section 550(a).  Even so, covered chemical facilities are certainly free to consider IST options, and their use may reduce risk and regulatory burdens.”).

[10] 72 Fed. Reg. 17688 (Apr. 9, 2007), amended at 72 Fed. Reg. 65396 (Nov. 20, 2007), clarified at 73 Fed. Reg. 15051 (Mar. 21, 2008) (codified as 6 C.F.R. Part 27). 

[11] 6 C.F.R. § 27.105.

[12] Id. § 27.200.

[13] Id. § 27.230. 

[14] Government Accountability Office, “Critical Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk and Gather Feedback on Facility Outreach Can Be Strengthened,” GAO-13-353, at 10 (2013).

[15] Memorandum from Penny J. Anderson, Director, DHS Infrastructure Security and Compliance Division, and David M. Wulf, Deputy Director, DHS Infrastructure Security and Compliance Division to Rand Beers, Undersecretary, DHS National Protection & Programs Directorate, and Todd Keil, Assistant Secretary, DHS Office of Infrastructure Protection, “Challenges Facing ISCD, and the Path Forward” (Nov. 10, 2011), cited in Committee on Homeland Security and Governmental Affairs, “Chemical Facilities Anti-Terrorism Standards Program Authorization and Accountability Act of 2014,” S. Rep. 113-263, at 5.

[16] See supra footnote 5 at 10. 

[17] Office of the Inspector General, DHS, “Effectiveness of the Infrastructure Security Compliance Division’s Management Practices to Implement the Chemical Facility Anti-Terrorism Standards Program,” OIG-13-55 (Mar. 25, 2013).

[18] SeeAn Assessment of Efforts to Secure the Nation’s Chemical Facilities From Terrorist Threats” (July 2014). 

[19] For a detailed account of various legislative proposals throughout 2009-2010, see and

[20] Act § 2, adding § 2102(c)(3)(B) to the Homeland Security Act of 2002, 6 U.S.C § 101 et seq.

[21] Act, § 2, adding § 2102(e)(1).

[22] Act, § 2, adding § 2102(d).

[23] Act, § 2, adding § 2102(d)(2)(A).

[24] Act, § 2, adding § 2102(d)(2)(B)(i)(I).

[25] Act, § 2, adding §2013.

[26] Act, § 2, adding § 2105.

[27] Act, § 2, adding § 2108. 

[28] Act, § 3. 

[29] Act, § 2, adding  § 2107.  

[30] Act, § 2, adding § 2016(b).

[31] See Congressional Research Service, “Implementation of Chemical Facility Anti-Terrorism Standards" (CFATS); Issues for Congress (Oct. 14, 2014), at 2,  (“As of October 2014, DHS had authorized 2,216 site security plans; conducted 1,592 authorization inspections; and approved 1,192 site security plans. Between October 2013 and October 2014, DHS authorized an average of 122 and approved an average of 70 site security plans per month. The DHS has generally increased its average authorization and approval rate over time; between April 2014 and October 2014, DHS authorized an average of 147 and approved an average of 91 site security plans per month. Between September 2014 and October 2014, DHS authorized 177 and approved 132 site security plans.”).

[32] 79 Fed. Reg. 48693 (Aug. 18, 2014).

[33] Executive Order 13650, 78 Fed. Reg. 48029 (Aug. 1, 2013).


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Beveridge & Diamond PC | Attorney Advertising

Written by:

Beveridge & Diamond PC

Beveridge & Diamond PC on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.