b"<html>\n<title> - CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS UPDATE</title>\n<body><pre>[House Hearing, 113 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n \nCHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS \n                                 UPDATE \n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n              SUBCOMMITTEE ON ENVIRONMENT AND THE ECONOMY\n\n                                 OF THE\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED THIRTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 14, 2013\n\n                               __________\n\n                           Serial No. 113-15\n\n\n      Printed for the use of the Committee on Energy and Commerce\n                        energycommerce.house.gov\n\n                               ----------\n                         U.S. GOVERNMENT PRINTING OFFICE \n\n80-377 PDF                       WASHINGTON : 2013 \n\n\n                    COMMITTEE ON ENERGY AND COMMERCE\n\n                          FRED UPTON, Michigan\n                                 Chairman\nRALPH M. HALL, Texas                 HENRY A. WAXMAN, California\nJOE BARTON, Texas                      Ranking Member\n  Chairman Emeritus                  JOHN D. DINGELL, Michigan\nED WHITFIELD, Kentucky                 Chairman Emeritus\nJOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts\nJOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey\nGREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois\nLEE TERRY, Nebraska                  ANNA G. ESHOO, California\nMIKE ROGERS, Michigan                ELIOT L. 
ENGEL, New York\nTIM MURPHY, Pennsylvania             GENE GREEN, Texas\nMICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado\nMARSHA BLACKBURN, Tennessee          LOIS CAPPS, California\n  Vice Chairman                      MICHAEL F. DOYLE, Pennsylvania\nPHIL GINGREY, Georgia                JANICE D. SCHAKOWSKY, Illinois\nSTEVE SCALISE, Louisiana             ANTHONY D. WEINER, New York\nROBERT E. LATTA, Ohio                JIM MATHESON, Utah\nCATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina\nGREGG HARPER, Mississippi            JOHN BARROW, Georgia\nLEONARD LANCE, New Jersey            DORIS O. MATSUI, California\nBILL CASSIDY, Louisiana              DONNA M. CHRISTENSEN, Virgin \nBRETT GUTHRIE, Kentucky                  Islands\nPETE OLSON, Texas                    KATHY CASTOR, Florida\nDAVID B. McKINLEY, West Virginia     JOHN P. SARBANES, Maryland\nCORY GARDNER, Colorado               JERRY McNERNEY, California\nMIKE POMPEO, Kansas                  BRUCE L. BRALEY, Iowa\nADAM KINZINGER, Illinois             PETER WELCH, Vermont\nH. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico\nGUS M. BILIRAKIS, Florida            PAUL TONKO, New York\nBILL JOHNSON, Missouri\nBILLY LONG, Missouri\nRENEE L. ELLMERS, North Carolina\n                Subcommittee on Environment and Economy\n\n                         JOHN SHIMKUS, Illinois\n                                 Chairman\nPHIL GINGREY, Georgia                PAUL TONKO, New York\n  Vice Chairman                        Ranking Member\nRALPH M. HALL, Texas                 FRANK PALLONE, Jr., New Jersey\nED WHITFIELD, Kentucky               GENE GREEN, Texas\nJOSEPH R. PITTS, Pennsylvania        DIANA DeGETTE, Colorado\nTIM MURPHY, Pennsylvania             LOIS CAPPS, California\nROBERT E. LATTA, Ohio                JERRY McNERNEY, California\nGREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan\nBILL CASSIDY, Louisiana              JANICE D. 
SCHAKOWSKY, Illinois\nDAVID B. McKINLEY, West Virginia     JOHN BARROW, Georgia\nGUS M. BILIRAKIS, Florida            DORIS O. MATSUI, California\nBILL JOHNSON, Missouri               HENRY A. WAXMAN, California, ex \nJOE BARTON, Texas                        officio\nFRED UPTON, Michigan, ex officio\n  \n\n\n                             C O N T E N T S\n\n                              ----------                              \nHon. John Shimkus, a Representative in Congress from the State of \n  Illinois, opening statement\n    Prepared statement\nHon. Paul Tonko, a Representative in Congress from the State of \n  New York, opening statement\nHon. Henry A. Waxman, a Representative in Congress from the State \n  of California, prepared statement\n\n                               Witnesses\n\nRand Beers, Under Secretary, National Protection and Programs \n  Directorate, U.S. Department of Homeland Security\n    Prepared statement\n    Answers to submitted questions\nDavid Wulf, Director, Infrastructure Security Compliance \n  Division, U.S. Department of Homeland Security\n    Prepared statement\n    Answers to submitted questions\nStephen L. Caldwell, Director, Homeland Security and Justice, \n  Government Accountability Office\n    Prepared statement\n    Answers to submitted questions\nWilliam E. 
Allmond, IV, Vice President, Society of Chemical \n  Manufacturers and Affiliates\n    Prepared statement\n    Answers to submitted questions\nTimothy J. Scott, Chief Security Officer and Corporate Director, \n  the Dow Chemical Company, on Behalf of the American Chemistry \n  Council\n    Prepared statement\n    Answers to submitted questions\nCharlie Drevna, President, American Fuel and Petrochemical \n  Manufacturers\n    Prepared statement\n    Answers to submitted questions\nRick Hind, Legislative Director, Greenpeace\n    Prepared statement\n    Answers to submitted questions\n\n                           Submitted Material\n\nLetter of March 12, 2013, from the National Association of \n  Chemical Distributors to Messrs. Shimkus and Tonko\n\n\nCHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS \n                                 UPDATE\n\n                              ----------                              \n\n\n                        THURSDAY, MARCH 14, 2013\n\n                  House of Representatives,\n           Subcommittee on Environment and Economy,\n                           Committee on Energy and Commerce\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:07 a.m., in \nroom 2322 of the Rayburn House Office Building, Hon. 
John \nShimkus (chairman of the subcommittee) presiding.\n    Members present: Representatives Shimkus, Pitts, Murphy, \nLatta, Harper, Cassidy, McKinley, Bilirakis, Johnson, Barton, \nTonko, Green, Schakowsky, McNerney, Barrow, and Waxman (ex \nofficio).\n    Staff present: Nick Abraham, Legislative Clerk; Charlotte \nBaker, Press Secretary; Matt Bravo, Professional Staff Member; \nJerry Couri, Senior Environmental Policy Advisor; David \nMcCarthy, Chief Counsel, Environment and the Economy; Chris \nSarley, Policy Coordinator, Environment and the Economy; Tom \nWilbur, Digital Media Advisor; Jacqueline Cohen, Democratic \nCounsel; Greg Dotson, Democratic Staff Director, Energy and \nEnvironment; and Caitlin Haberman, Democratic Policy Analyst.\n\n  OPENING STATEMENT OF HON. JOHN SHIMKUS, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF ILLINOIS\n\n    Mr. Shimkus. I would like to call the hearing to order.\n    We want to welcome our first panel, and I would like to \nrecognize myself for 5 minutes for an opening statement.\n    Good morning. The Subcommittee is now in order and I want \nto recognize myself for 5 minutes. Today marks the fourth \nhearing we have had on CFATS and the third consecutive one we \nhave had since I became the subcommittee chairman.\n    Sadly, it has been a very painful process to see how badly \nCFATS had fallen short of our expectations and to see the \nstruggle, both inside of DHS as well as externally, to get the \nprogram back on track. There are some positive reports about \nprogress from DHS, GAO, and the regulated stakeholders, but we \nhave uncovered more details showing that in key areas the \nsuggested progress is not what we had hoped. 
I think strides \nhave been made to remedy many of the managerial concerns of 1 \nyear ago, and some of our testimony will suggest communication \nlines have been opened in a way that could lead to longer-term \nachievements for the program.\n    By many accounts, Infrastructure Security Compliance \nDivision Director David Wulf deserves a great deal of credit. \nMr. Wulf, we appreciate your tireless, consistent, candid, and \nlong-standing commitment to improving CFATS when others could \nnot. I also think this process is merely meant to get us back \nto a semi-functional program, not a perfect or fully \nimplemented program.\n    Unfortunately, underlying programmatic issues we discussed \nin the last hearing--such as the fact that CFATS risk \nassessment falls far short of DHS' own National Infrastructure \nProtection Plan and the CFATS regulations, and the long time \nframe for evaluating Site Security Plans, despite the \nincomplete risk assessment--continue to threaten the \ncredibility of the program not only on the Hill, but with \nregulated stakeholders who are confused by many decisions made \nwithin the program.\n    As Chairman Upton has said before to DHS, we are all on the \nsame side. The enemy here is the terrorists who would seek to \nharm our Nation. We need to work together to determine the best \npath forward for CFATS and its reauthorization, but we can't do \nso if we aren't fully informed and in a way that verifies the \ndetails coming forward. That is why we are going to have some \ntough and balanced assessment of the program delivered by DHS, \nthe Government Accountability Office, and the CFATS stakeholder \ncommunity.\n    Our witnesses today may not tell us exactly what we want to \nhear, but they will tell us what we need to know. I want to \nthank all of these witnesses for appearing before our panel \nhere today. 
I believe we are at a critical juncture for the \nsuccess of the CFATS program in that the internal issues \ndistracting the program are not our focus, but rather getting \nthe program right, functioning effectively, efficiently, as \nCongress drafted the law. Their perspective will be crucial in \ngetting serious questions answered by the program and our \nability to work together.\n    [The prepared statement of Mr. Shimkus follows:]\n\n                Prepared statement of Hon. John Shimkus\n\n    Today marks the fourth hearing we have had on CFATS, and \nthe third consecutive one we have had since I became \nsubcommittee Chairman.\n    Sadly, it has been a very painful process to see how badly \nCFATS had fallen short of our expectations and to see the \nstruggle, both inside DHS as well as externally, to get the \nprogram back on track. There are some positive reports about \nprogress from DHS, GAO and the regulated stakeholders, but \nwe've uncovered more details showing that in key areas the \nsuggested progress is not what we had hoped.\n    I think strides have been made to remedy many of the \nmanagerial concerns of one year ago and some of our testimony \nwill suggest communication lines have been opened in a way that \ncould lead to longer term achievements for the program. By many \naccounts, Infrastructure Security Compliance Division (ISCD) \nDirector David Wulf deserves a good deal of credit. Mr. Wulf, \nwe appreciate your tireless, consistent, candid, and long-\nstanding commitment to improving CFATS when others could not.\n    I also think this progress is merely meant to get us back \nto a semi-functional program, not a perfect or fully \nimplemented program. 
Unfortunately, underlying programmatic \nissues we discussed in the last hearing--such as the fact that \nCFATS risk assessment falls far short of DHS's own National \nInfrastructure Protection Plan and the CFATS regulations, and \nthe long time frame for evaluating site security plans, despite \nthe incomplete risk assessment--continue to threaten the \ncredibility of the program not only on the Hill, but with \nregulated stakeholders who are confused by many decisions made \nwithin the program.\n    As Chairman Upton has said before to DHS, we are all on the \nsame side, the enemy here is the terrorists who would seek to \ndo harm to our nation. We need to work together to determine \nthe best path forward for CFATS and its reauthorization, but we \ncan't do so if we aren't fully informed and in a way that \nverifies the details coming forward. That's why we are going to \nhave some tough but balanced assessments of the program \ndelivered by DHS, the Government Accountability Office, and the \nCFATS stakeholder community.\n    Our witnesses today may not tell us exactly what we want to \nhear, but they will tell us what we need to know. I want to \nthank all of these witnesses for appearing before our panel \nhere today.\n    I believe we are at a critical juncture for the success of \nthe CFATS program, in that the internal issues distracting the \nprogram are not now our focus, but rather getting the program \nright, functioning effectively, efficiently, as Congress \ndrafted the law. Their perspective will be crucial to getting \nserious questions answered by the program and our ability to \nwork together.\n\n                                #  #  #\n\n    Mr. Shimkus. And with that I would like to yield 1 minute \nto the gentleman from Texas, Mr. Barton.\n    Mr. Barton. Thank you, Mr. Chairman, for holding this \nhearing today.\n    Two years in a row this subcommittee has convened a hearing \nto discuss the concerns with the CFATS program. 
Last year, we \nbecame aware of an internal DHS memorandum which detailed an \narray of management flaws and achievement gaps with that \nprogram. One of the witnesses today was a co-author. When news \nof these problems surfaced, several Members of Congress, \nincluding myself, asked the GAO to determine what actions DHS \nwas taking to address the problems. We learned in the GAO \nreport that resulted of a 94-item Action Plan that DHS \ndeveloped to address those various issues. I understand today \nthat the most egregious examples of waste of taxpayer dollars \nhave been addressed but there is still work to do. We are at a \ncritical juncture.\n    DHS has been reviewing information since 2007 by operators \nof over 40,000 facilities. By January of this year, they had \nidentified about 4,400 as high-risk facilities. Of those, about \n90 percent were tier-based on the risk that they presented--\nmeaning that they would have to submit Site Security Plans for \nDHS review. We now know that there have been significant errors \nin the risk assessment methodology. We also know that only a \nfew dozen of the 3,100 high-risk security plans have been \nreviewed and approved. There is much work to be done. I hope \nthis hearing will facilitate some of that work.\n    Thank you for the hearing and thank you for the time and I \nyield back.\n    Mr. Shimkus. The gentleman yields back his time.\n    The chair now recognizes the ranking member of the \nsubcommittee, Mr. Tonko, for 5 minutes.\n\n   OPENING STATEMENT OF HON. PAUL TONKO, A REPRESENTATIVE IN \n              CONGRESS FROM THE STATE OF NEW YORK\n\n    Mr. Tonko. Thank you. Thank you, Mr. Chairman. 
And good \nmorning and thank you to our chair for convening this hearing \nand certainly to our witnesses for participating today and \nproviding your insight and offering very important information.\n    Ensuring the safety of our citizens and avoiding serious \ndisruption of our economy requires us to remain vigilant and to \nanticipate potential targets and actions of violent individuals \nand groups. The goal of the Chemical Facility Anti-Terrorism \nStandards, the CFATS program, is to ensure that chemical \nfacilities have robust plans to prevent terrorists from \nsabotaging them and to minimize the impacts should that \nprevention fail.\n    Two years ago, an internal memorandum revealed serious \nproblems with the CFATS program. While some progress has been \nmade to address some of the shortcomings, there is still much \nmore work to be done. That work surely falls to the Department \nof Homeland Security, clearly having more work to do, but also \nit falls to Congress. Congress created the Department of \nHomeland Security in 2002 and charged DHS with coordinating \nfederal policy to protect this Nation's critical \ninfrastructure. This is a complex task involving not only the \nFederal Government but a partnership with state and local \ngovernments, as well as the private sector.\n    Congress defined this complex and essential task of \nprotecting chemical facilities with a paragraph in an \nappropriations bill. The deficiencies in this program are \npartly a reflection of our failure to come together and provide \nclear guidance to the administration.\n    The industry has been active in this area. They have taken \nmany steps through initiatives such as the Responsible Care \nProgram to develop and disseminate best practices to member \ncompanies of industry organizations. These programs are, \nhowever, voluntary. Private industry does not have the tools of \nsurveillance and intelligence as that which the Federal \nGovernment has. 
In order to be most effective, we must have \npartnerships working together and the program must have the \npublic's confidence that their communities are indeed safe. The \npublic and the industry will benefit from a federal program \nthat is developed with their input and in which standards, \npractices, and policies are defined clearly by the Department \nof Homeland Security.\n    The CFATS program is not the only federal program \nregulating chemical facilities. Other federal departments and \nagencies have programs with longer histories and well-\nestablished protocols. There should be a consultation amongst \nfederal agencies to apply best practices, identify gaps in \nresponsibility, and to avoid conflicting regulations and \npolicies.\n    I hope this will not be the last hearing on this issue. \nThis committee should develop legislation that provides clear \ndirection to DHS, certainty to the regulated industry, and \nconfidence to the public that the CFATS program is providing \nthe protection we require and deserve. A paragraph in an \nappropriations bill that must be renewed annually simply does \nnot meet those needs.\n    I would like to thank all of our witnesses for appearing \nbefore us today. I look forward to your testimony and to \nhearing your views on how we can improve this most essential \nprogram.\n    With that, I thank you. Mr. Chairman, I yield back.\n    Mr. Shimkus. I want to thank my colleague. And I can \nguarantee it will not be the last hearing on this issue, and we \nwould like to authorize a program.\n    So with that, I would like to turn to my colleagues on my \nside and ask if anyone would like to submit an opening \nstatement.\n    Seeing none, I turn to your side. No one? Thank you very \nmuch.\n    Now, I would like to recognize Mr. Rand Beers, the Under \nSecretary for the National Protection and Programs Directorate \nof the United States Department of Homeland Security.\n    Sir, your full statement is in the record. 
You are \nrecognized for 5 minutes.\n\n    STATEMENT OF HON. RAND BEERS, UNDER SECRETARY, NATIONAL \n    PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF \n  HOMELAND SECURITY; AND DAVID WULF, DIRECTOR, INFRASTRUCTURE \n   SECURITY COMPLIANCE DIVISION, U.S. DEPARTMENT OF HOMELAND \n                            SECURITY\n\n                  STATEMENT OF HON. RAND BEERS\n\n    Mr. Beers. Thank you, Chairman Shimkus and Ranking Member \nTonko and other members of the committee. I appreciate the \nopportunity to be before you today to talk about the \nDepartment's regulation of high-risk chemical facilities.\n    Let me start by emphasizing that the CFATS program has \nalready made the Nation more secure. The program has identified \nhigh-risk chemical facilities across the country. It has \nprovided them with the tools to identify their vulnerabilities, \nand it has helped them to develop plans to reduce the risks \nassociated with these chemicals.\n    Since its inception, CFATS has helped 3,000 chemical \nfacilities eliminate, reduce, or otherwise modify their \nholdings so that they no longer possess potentially dangerous \nchemicals and are no longer considered high-risk. The \nsignificant reduction in the number of chemical facilities that \nrepresent the highest risk is an important success of the CFATS \nprogram and is attributable both to the design of the program \nas enacted by Congress and to the work of the CFATS personnel \nand industry at the thousands of chemical facilities that we \nwork with on a regular basis.\n    Over the past year, NPPD has worked diligently to turn a \ncorner and has addressed many of the challenges identified by \nthe program's leadership. The CFATS program has made \nsignificant progress advancing programmatically while \nsimultaneously addressing the internal operational concerns. 
\nEqually important, the Department remains committed to working \nwith stakeholders and with the Congress on a path forward to \nensure that the CFATS program continues to build upon the \nsuccesses to date.\n    Over the last 6 months ISCD has made considerable progress \nin conducting authorization inspections and approving Site \nSecurity Plans. When I was here in September, we had authorized \n73 Site Security Plans. Today, we have authorized 261. That is \na 400 percent increase. In September we had conducted 19 \nauthorization inspections; today, we have conducted 141. That \nis a 700 percent increase. In September we had approved only \ntwo Site Security Plans; now, we have approved 52, including 3 \nAlternative Security Programs.\n    While these are significant achievements in the last 6 \nmonths, we recognize that we need to do much more and we need \nto increase the pace at which we are doing it. And we are \nlooking at potential approaches for increasing the pace of \nsecurity plan reviews and inspections for the lower Tier 3 and \nTier 4 facilities without sacrificing quality and consistency.\n    NPPD will work with the regulated community to gather \nfeedback and thoughts on how best to increase the pace of the \nlower tiers. For example, we have been looking with industry on \nthe development of templates, or corporate alternative Security \nPrograms, and we believe that the use of ASPs will \nsignificantly increase the pace and improve our security plans. \nWe have also discussed ASPs with the Coast Guard and will apply \nthe lessons that they have learned regarding their use of ASPs \nto take your point, Ranking Member Tonko, about talking to our \npartners who also have regulatory programs.\n    Regarding our private sector partners, the Department has \nreceived primarily positive feedback on outreach and \ncommunications efforts from the regulated community. And we \nwill continue to address specific areas of interest to the \nCFATS community. 
For instance, recognizing that regulated \nfacilities best understand their risk drivers and in support of \nincreased transparency, the Department is analyzing what \naspects of the classified risk tiering methodology it can and \nshould share with members of the regulated community. In fact, \nthat particular question has been presented to the risk \nmethodology external Peer Review Panel for analysis. And I \nmight add that this is a peer review that includes private \nsector participation. And the Department is looking forward \nvery much to the panel's recommendations with respect to this.\n    The Department has also actively engaged stakeholders \nregarding personnel surety. During the last 6 months, we have \nbeen listening to stakeholder feedback on personnel surety and \nwe have revised our program based on this feedback. We now \nbelieve we have a proposal which provides the regulated \ncommunity with flexibility for carrying out the outstanding \nrequirement for personnel surety and reflects input from \nfacilities of all sizes. This proposal balances the need to \nconduct thorough vetting of personnel for national security \npurposes with a desire to minimize the burden on facilities. \nOur engagement with the private sector will be reflected in two \ndepartment Notices that have gone from the Department to the \nFederal Register and will be published in the coming days.\n    I close with a note regarding the Department's current \nstatutory authority to implement CFATS. As you are aware, the \nCFATS authorization currently extends through March 27 of this \nyear. The Department supports a permanent authorization for the \nCFATS program and we are committed to working with the Congress \nand other security partners to establish a permanent authority \nfor the CFATS program in federal law. 
Overall, I am here before \nyou today convinced that we have positioned the program firmly \non the right track and I would be happy to respond to any \nquestions that you may have.\n    Thank you.\n    [The prepared statement of Mr. Beers and Mr. Wulf follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Shimkus. Thank you.\n    Also joining at the first panel is Mr. David Wulf, who is \nthe director of the Infrastructure Security and Compliance \nDivision. Obviously, you didn't submit an opening statement, \nnor do you have one, but if you want to have anything just for \nthe record, I would like to recognize you for a few minutes.\n\n                     STATEMENT OF MR. WULF\n\n    Mr. Wulf. That would be great. Thank you so much, Chairman \nShimkus. I would like to thank you, Ranking Member Tonko, and \nthe other members of the subcommittee for the opportunity to \ntestify here today.\n    ISCD has made great progress in addressing the challenges \ndescribed in the internal memo and associated Action Plan that \nwe presented to Under Secretary Beers in the fall of 2011. With \nstrong support from leadership in the National Protection and \nPrograms Directorate and the Office of Infrastructure \nProtection and through much hard work on the part of the \ntalented men and women of ISCD, we have completed 88 of the 95 \nitems outlined in our Action Plan. We have developed improved \npolicies, procedures, and training to ensure that inspections \nare conducted in a consistent and thorough fashion. 
We have \nimplemented an effective streamlined SSP review process, a \nprocess that has greatly enhanced our ability to authorize, and \nas appropriate, grant final approval for Site Security Plans.\n    We have also done much to stabilize our organization and \nour leadership cadre by hiring permanent supervisors, including \na permanent deputy director, and we continue to foster \ntransparency and open communication throughout our \norganization.\n    I would like to recognize our workforce, which truly has a \npassion for the mission of chemical facility security. And I \nwould like to recognize also the American Federation of \nGovernment Employees which represents our bargaining unit \nemployees in the field, and has done much to expedite its \nreview of key policies and procedures over the past several \nmonths.\n    In September I reported that we had turned an important \ncorner in the implementation of CFATS. I am pleased to be able \nto report today that not only has that corner been turned, but \nwe are moving confidently down the road to realizing the full \npotential of the program. ISCD and the CFATS program are moving \nforward in a way that will foster continued advances in the \nsecurity of America's highest-risk chemical facilities. We have \nachieved a marked increase in the pace of SSP authorizations, \nfacility inspections, and approved Site Security Plans.\n    As the Under Secretary noted, we have authorized more than \n260 SSPs and granted final approval for 52 of those. We \nanticipate completing approvals of Site Security Plans for \nfacilities in the highest-risk tier, Tier 1, by September of \nthis year and completing final approvals of Tier 2 SSPs by May \nof 2014. 
Reviews and authorizations of Tier 3 SSPs are now \nunderway as well.\n    However, recognizing that we must find ways to become ever \nmore efficient and effective in our inspection and SSP review \nprocesses, we will be looking closely at, and soliciting \nstakeholder input on, options to streamline the review and \napproval cycle for facilities in Tiers 3 and 4. I do anticipate \nthat ASP templates will be an important tool to enhance the \nefficiency of our reviews. The American Chemistry Council \nrecently worked with us to develop an ASP template and we \ncontinue to work with industry associations such as SOCMA, \nAFPM, and the National Association of Chemical Distributors, \nwho are all considering the adoption of ASP templates for their \nmember companies.\n    So even as we continue to seek ways to improve, it does \nbear noting that ISCD's chemical security inspectors are today \nproviding compliance assistance to facilities and conducting \ninspections at an unprecedented rate. And I am pleased to \nreport that I have received much favorable feedback from our \nindustry stakeholders about their experience with these \ninspections. As you know, and this is something for which I am \nprofoundly grateful, our stakeholders are not shy when it comes \nto expressing their candid thoughts and concerns about the \nprogram. So I am confident that when I am hearing positive \nthings from industry about their facilities inspections-related \nexperiences, we are on the right track.\n    I would like to share one quote from Cathi Cross, Director \nof Security for Phillips 66 regarding a recent inspection in \nOklahoma. Ms. Cross conveyed to me that her facility's \nexperience with the DHS inspectors ``was a very positive \none...that the members of the ISCD inspection team were \nknowledgeable, courteous, and quite helpful in their \ncollaborative approach as they evaluated the facility, its SSP \ndraft, and planned measures.'' Continuing, Ms. 
Cross noted that \n``the inspectors provided thoughtful comments and were \nreceptive to alternate proposals for meeting security \nobjectives.''\n    So ISCD continues to fully engage with our industry \nstakeholders, and I very much appreciate industry's continued \nsupport for the program. And our stakeholder engagement \ncontinues to take many forms. At the facility level, in \naddition to inspections, we continue to conduct compliance \nassistance visits and other outreach to work with the \nfacilities as they develop their Site Security Plans. We also \nengage with stakeholders on important programmatic issues. We \ncontinue to work on the development of ASP templates, and we \nare in the process of gathering industry feedback as we move \nforward to improve our suite of online tools.\n    Also, as the Under Secretary noted, we recently concluded a \nproductive and extensive series of discussions on the important \nissue of personnel surety. Ensuring that those who seek \nunescorted access to high-risk chemical facilities are vetted \nfor terrorist ties is a critical piece of the CFATS effort and \none that we must move forward to implement in the near term.\n    I am also appreciative of the work done by GAO and the \nperspectives GAO has offered us on the CFATS risk-tiering \nmethodology and on the management and tracking of our \nstakeholder outreach activities. 
With regard to our risk-\ntiering efforts, while I am confident that our current \nmethodology, with its focus on the consequences of a potential \nterrorist attack, is appropriate for a regulatory compliance \nprogram such as CFATS, considering ways in which our tiering \nefforts may be enhanced is something to which we are very much \nopen at ISCD.\n    I am very much eagerly anticipating the results of our \nexternal peer review in this regard on risk-tiering and any \nrecommendations that may be forthcoming from the Peer Review \nPanel.\n    As for our external outreach, ensuring that we \nappropriately track and manage our outreach activities is an \nimportant priority for ISCD and one that we will pursue.\n    Thank you again for the opportunity to provide an update on \nthe forward progress the CFATS program continues to make. It is \nan honor and a privilege to serve with the dedicated \nprofessionals at ISCD. I firmly believe we have made much \nprogress in coming together as a regulatory compliance \norganization, and along with the rest of the ISCD team, I am \nexcited and optimistic about the future of the CFATS program.\n    Thank you again for the opportunity and I welcome any \nquestions that you may have. I apologize for the extra 30 \nseconds.\n    Mr. Shimkus. Oh, you are fine. Thank you, Mr. Wulf.\n    And before I recognize myself for the first round of \nquestions, I think just a comment for staff--especially, I \nthink we have some guests in the room--is that maybe we need to \nput up a placard that defines these acronyms, because if you \nare visiting this room and you have no idea what these acronyms \nare, you are like probably listening to Chinese. So stuff like \nCFATS--Chemical Facility Anti-Terrorism Standards. We will talk \nabout NIPP, which is the National Infrastructure Protection \nPlan. We will talk about ASP, Alternate Security Plan. 
So we \nknow there are a lot of you that are well knowledgeable out \nthere, but we probably could do better by having a display of \nsome of these acronyms out there. So I am from the military a \nlong time ago so we were acronym-focused also.\n    So I will recognize myself for the first 5 minutes of \nquestions and my questions will be directed to Mr. Beers.\n    Mr. Beers, GAO says CFATS does not consider or analyze \nvulnerability threat or economic consequence during the tiering \nprocess. We knew about the vulnerability gap but not the \nothers. But in GAO's testimony--Government Accounting Office--\nwhen would the regulated community, the Hill, and others have \nlearned of this?\n    Mr. Beers. Sir, I do not know when the vulnerability issue \nsurfaced specifically, but I do know that it surfaced within at \nleast the last year as far as I am aware. With respect to the \neconomic consequences issue, as I was not present when the \nprogram was originally briefed to this committee and other \ncommittees, I am simply unaware of when or whether that might \nhave been brought to the Committee's attention.\n    Mr. Shimkus. Yes. So the follow-up is, had not Chairman \nUpton, Joe Barton, Henry Waxman not asked for this GAO report, \nwe on the Hill and stakeholders may not have learned of the \nvulnerability gap. Is that safe to say?\n    Mr. Beers. Sir, that is certainly a conclusion that can be \ndrawn from that. But one thing that I would add to that, which \nDavid and I have both spoken of, is that one of the things that \nwe have asked of the peer review committee after our own \ninternal review is that this methodology be looked at \nindependently. Obviously, we are going to take note of the \nGAO's comments on this and it is certainly our intention to \nhave full disclosure with you all, and if some of the material \nis classified, we will do that in a classified setting.\n    Mr. Shimkus. Thank you. 
According to the National \nInfrastructure Protection Plan, risk is a function of three \ncomponents: consequence, threat, and vulnerability--we did this \nin the last hearing--and a risk assessment approach must assess \neach one. Have you analyzed the effect of not considering \nvulnerability for all the regulated facilities?\n    Mr. Beers. Sir, we have. The rationale behind that is that \nwhile we have----\n    Mr. Shimkus. Did your mike go off or it is not pulled close \nenough?\n    Mr. Beers. Let me start over again. We looked at \nconsequences and threats and gave them a definition in the \ntiering methodology, but because vulnerability was what the \nwhole program was about reducing and because we did not have \nthe kind of data that we needed in order to be able to assign \nvulnerability factors with specific and differentiated levels, \nwe chose to hold that constant, tier on the basis of threat and \nconsequence, and ask the facilities then to come back to us \nwith an indication of what their vulnerabilities were and to \nwork with them on Site Security Plans to deal with those \nvulnerabilities.\n    The consequence of this is that the tiering works to set \nthem aside by threat and vulnerability and the whole endgame is \nabout reducing vulnerability or risk. So we chose to hold that \nconstant in the tiering; we chose to deal with that through the \nSite Security Plan process.\n    Mr. Shimkus. And I guess then our follow-up would be we \nthink you have evaluated part of the threat, not the entire \nthreat, and there is no economic process that has been defined \nso far which is a part of that whole calculation. But you did \nidentify in your comment about up-to-date data. So what is the \neffect of not using up-to-date threat data in the risk-tiering \napproach?\n    Mr. Beers. Sir, as we go through this process, if there is \nadditional threat data or altered threat data, our intention is \nto include that. 
That is certainly something that we are \ntalking with the Peer Review Committee about and my guess is we \nwill get some different information.\n    David, do you want to add to that?\n    Mr. Wulf. Yes, I would. Yes, the tiering methodology, as it \ncurrently exists, is certainly very much consequence-based. I \nthink that consequence is tied very much directly to threat as \nwe use the threat in the tiering engine. Targets that have high \nvalue from a terrorist perspective in terms of the consequence \nwill also typically have a pretty high score on the threat \nside. We are certainly very much open to ways in which we can \nenhance the tiering methodology and that is the very reason we \nare having this external peer review.\n    But I think focusing principally on consequence in a \nregulatory compliance framework is an appropriate way to tier \nfacilities. If we focused heavily on vulnerability in the \nactual tiering, we would have potential situations in which a \nfacility would tier highly because of a heightened \nvulnerability that it identified. As a result of tiering \nhighly, it would put into place hopefully significant and \nsuccessful security measures to address the vulnerability. The \nvulnerability would then be diminished and theoretically that \nfacility would tier out, not have those requirements any \nlonger, conceivably have its vulnerability go up again, tier \nback in, and we would have sort of a roller coaster effect.\n    So I think the way in which we and the CFATS program have \nwoven the vulnerability factor into the remainder of the \nprogram in the facilities, assessment of vulnerabilities, in \nthe development of their security vulnerability assessments, \nand in their development of Site Security Plans makes sense. \nThat is not to say there isn't room for improvement and I \ncertainly anticipate we will get some solid recommendations in \nthose regards from the Peer Review Panel.\n    Mr. Shimkus. Thank you. 
My time has expired. The chair now \nrecognizes Mr. Tonko for 5 minutes.\n    Mr. Tonko. Thank you, Mr. Chair.\n    It appears that the Department of Homeland Security has \ngood progress to report implementing their Action Plan to \nstrengthen the CFATS program, but I am concerned that \nfundamental problems may still exist. I would like to focus on \none of those concerns and that has just been the focus of the \nchair's address and that being the tiering of facilities.\n    CFATS is a risk-based program meaning that facilities \nplaced in a high-risk tier have to meet higher standards, I am \ntold, for security. Lower-tiered facilities then meet lower \nstandards. An error in tiering could mean that a high-risk \nfacility is not adequately secured or that the owners and \noperators of a low-risk facility have to invest in unnecessary \nsecurity measures. The tiering process must be, therefore, as \naccurate as possible.\n    The Department published a National Infrastructure \nProtection Plan in 2006 and I believe revised it in 2009. This \nplan discusses how risk analysis for terrorism threats should \nbe conducted. Under Secretary Beers, should the CFATS program \nbe consistent with that plan, the developed plan of 2006, and \nimproved in '09?\n    Mr. Beers. Sir, the National Infrastructure and Protection \nPlan is a global statement of risk. All of the programs in the \nDepartment of Homeland Security should be in rough alignment \nwith that. But we also have to recognize that different sectors \nand different companies may have some specifics that cause some \nalteration or some specific requirement relevant to them and \nperhaps only to them. But as a general measure, yes, that is \ncorrect, sir.\n    Mr. Tonko. So as a general measure, we say yes. And \naccording to the National Infrastructure Protection Plan, risk \nassessments must account for threat, vulnerability, and \nconsequences. But that is not what CFATS, as a program, \ncurrently does. 
GAO is critical of the fact that apparently DHS \ncompletely ignores the potential economic consequences of a \nterrorist attack when conducting a risk assessment. And GAO is \nnot the first to say this. In 2010, the National Academies \npublished a report, requested by Congress, on department-wide \nefforts to analyze risk. And the Academies approved of the \nframework in the National Infrastructure Protection Plan but \nfound that ``many of the Department's risk-analysis models and \nprocesses are weak and are not on a trajectory to improve.'' \nAccording to Academies, the methods were not ``documented, \nreproducible, transparent, or defensible.''\n    These are very serious criticisms and to address these \nissues the National Academies made a number of specific \nrecommendations. So my question to you, Under Secretary, is \nthat did the Department ever provide a formal response to the \nNational Academies' report?\n    Mr. Beers. Sir, there was a response by the Department to \nthat. I can get you a copy of that. I don't have it on hand at \nthis particular point in time. But we were certainly aware of \nthe Academies' report and we did respond to it.\n    Mr. Tonko. Under Secretary Beers, can you please explain \nthe process you are currently engaged in to improve the risk \nassessment done in the CFATS program and whether it will \nrespond to the recommendations made by GAO and the National \nAcademies?\n    Mr. Beers. Sir, let me respond on two levels here, first, \nto go back to the original premise, which is the threat, \nconsequences, and vulnerability address how one should be \ndealing with risk and simply say we believe in the CFATS \nprogram that we do address all three of those aspects even \nthough the tiering methodology, which is not the entire dealing \nwith risk, only focuses on consequences and threat and holds \nvulnerability constant. 
But as I said in my earlier response to \nthe chairman's question, we believe that the vulnerability part \nof that equation is dealt with in the development of the Site \nSecurity Plans.\n    With respect to the larger question, I think that what we \nare trying to do here is work through a regulatory program \nwhich is different--the NIPP was really written in association \nwith voluntary programs, which meant that while we could lay \nout best practices or standards or thoughts on how to deal with \nthis, it was really entirely up to the companies in order to do \nthat. And in the regulatory program, we have the ability to \nstate whether or not their response is in fact adequate to the \nregulatory requirement that we have. And that makes it somewhat \ndifferent from the framework in which the NIPP was written.\n    But let me also turn to David Wulf to add anything that \nhe may wish to add.\n    Mr. Wulf. I would just add a couple of things. We committed \nto do three things when we encountered some issues with the \ntiering methodology. One was to do an internal documentation of \nour processes and our methodology, do sort of an internal \ndepartment look at the CFATS methodology and to do what is \nongoing right now, the external peer review. As we conducted \nour documentation, we have tried to be transparent about what \nwe found. We have talked through issues with staff up here, \nwith our industry stakeholders, and have tried to keep everyone \nabreast of the progress we are making on the economic \ncriticality piece of this, of the consequence assessment in the \ntiering methodology.\n    In that regard, I would note for the Committee that we are \nactively engaged in trying to address the economic consequence \npart of the equation. We are working with Sandia National Labs \non that effort. I received a briefing I want to say a couple of \nmonths ago. 
Our expectation is that Sandia's work--and it is \ndifficult stuff assessing economic consequences of potential \nterrorist attack--will be complete in early 2014. We anticipate \ntalking through the Sandia findings with our stakeholders. We \nare not going to proceed in a vacuum as we look to incorporate \neconomic consequence into the model, but I do believe, as I \nthink you do as well, that it is an important piece to the \npuzzle. So we are going to continue to seek to improve the \nmethodology.\n    The thing we struggle with is trying to be a continually \nimproving program, at the same time trying to afford a degree \nof certainty to our industry stakeholders for whom it would be \ndifficult to have an ever-changing target in terms of the \ntiering. So we have to balance all of that, but we are taking a \nhard look at it all.\n    Mr. Tonko. Thank you.\n    Mr. Shimkus. The gentleman's time has expired.\n    Again the NIPP is the National Infrastructure Protection \nPlan again for our guests who are now leaving.\n    So the chair now recognizes the gentleman from \nPennsylvania, Mr. Pitts, for 5 minutes.\n    Mr. Pitts. Thank you, Mr. Chairman. Under Secretary Beers, \naccording to the NIPP, risk management should help focus \nplanning and allocate resources. How can you prioritize \nresources and manage risk if you don't differentiate between \nthreat or vulnerability?\n    Mr. Beers. Sir, we definitely do differentiate between \nthreat and vulnerability. What we have tried to do here is \nensure that the compliance part of the effort which is to buy \ndown risk, it was measured against the threat-and-consequence \ntiering of the tiering methodology. So the whole program is \ndesigned to reduce the vulnerability to the American people, to \nthe communities that surround those facilities. 
And every \neffort is made through the risk-based performance standards to \nhelp those facilities produce Site Security Plans that in fact \nprotect the communities in which they live far more than when \nthere was no regulation on those facilities. Which is not to \nsay that they weren't trying in their own way to do that, but \nwhat we have tried to do is to provide a general way in which \nthey can approach that to help them or to give them thoughts \nabout other ways that they might think about buying down that \nrisk by reducing the vulnerabilities through their Site \nSecurity Plans.\n    David, would you add anything?\n    Mr. Wulf. No. I think that pretty well covers it. The \nvulnerability is, as I have expressed, woven through the fabric \nof the program in the security vulnerability assessments that \nfacilities conduct, and in their development of Site Security \nPlans.\n    Mr. Pitts. Given incomplete aspects of your risk assessment \nmodel, are you confident that the CFATS risk-tiering approach \nadequately tiers facilities?\n    Mr. Beers. Based on the way that we have put forward the \nmethodology, we are confident that the general model is \ncorrect, as has been indicated here. We are going to look at \neconomic consequences to see whether or not--and if so, how--\nthat ought to be injected into the methodology. And we are \nreviewing the threat information as well. So this, as David \njust said, is not a static program and we are looking for \nassistance and help from the peer review effort to see how we \nmight do a better job. But as David also said, we want to do \nthis in a fashion in which we are not constantly changing and \nmoving everything because industry also needs a degree of \nstability as they consider how to improve their own site \nsecurity.\n    Mr. Pitts. Now why do you collect data, information that \nyou do not use? 
Regulated facilities are required to provide \nsubstantial information to facilitate the tiering process but \nISCD only uses a small amount of this data.\n    Mr. Wulf. My assessment is that all of the data that we \ntake in is valuable to the program, and it is useful as we \nevaluate, not only the tiering as we assign risk tiers but as \nwe look at evaluation of Site Security Plans. So the questions \nand the information that is provided in response to those \nquestions I think goes a long way toward prompting facilities \nto give thought to their vulnerabilities and to incorporate \nappropriate responses to those vulnerabilities and to implement \nsecurity measures appropriate to respond to those \nvulnerabilities as they develop their Site Security Plans.\n    Mr. Pitts. My time has expired. Thank you.\n    Mr. Shimkus. The gentleman's time has expired. I would hope \nthat he will pay close attention to the GAO report because they \nsay, obviously, there is a lot of data that is not used and \nthat is the reason why that question is asked.\n    Five minutes to Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman.\n    Welcome to our panel. Under Secretary Beers, in your \ntestimony for today's hearing you state that DHS will be \npublishing a revised Personnel Surety Program rule next week. \nRegarding the PSP, are you able to commit today that the new \nrule will allow similar credential programs like the TWIC \nprogram for land-based--so we would have one ID for employees \nwhether they work for a company's land-based site or the water-\nbased site?\n    Mr. Beers. Sir, you are correct. We have provided our \nPersonnel Surety Program notice to the Federal Register and the \nDepartment has provided a TWIC Reader Rule Requirement Program \nto the Federal Register also this week. Those will be \npublished, I am told, next week. It takes that long to actually \nput it out. 
It will include the ability to use a TWIC card as a \npersonnel identification and personnel surety credential within \nthe program for those who qualify for the program. The larger \nTWIC reader rule will allow companies, facilities to know what \nkind of a validation system they have in order for those TWIC \ncards to be validated as individuals pass into those \nfacilities. That was, as you will recall, an original \nrequirement of the whole TWIC program, which has been operating \nunfortunately without that reader rule requirement up to this \npoint in time.\n    Mr. Green. Well, and we have talked about this for a couple \nof years now and I appreciate the agencies doing that because a \nlot of plants have waterside and land-based--and employees move \nback and forth and most of the time the employees have to buy \nthose cards themselves and it just seems like it did not make \nany sense to make an employee, you know, have to buy two cards \nthat really should be issued by the Federal Government. You \nonly need one.\n    Mr. Beers. I couldn't agree with you more, sir.\n    Mr. Green. And can you share the efforts the Department \nmade to incorporate both employee and union interest, because I \nknow of some in my area--we have steelworkers that represent my \nrefiners and chemical plants, a number of them. Were they \ninvolved in this decision or received input?\n    Mr. Wulf. The earlier information collection request that \nwas withdrawn during the summer was open for comment across the \nboard. We did not work specifically or discuss any of this \nspecifically with labor unions.\n    Mr. Green. OK. Well, I know one of their concerns is that \ntheir members would have to have these two cards. And when does \nyour agency anticipate to complete the site security program \nreview for all facilities and including Tier 3 and 4?\n    Mr. Wulf. As I mentioned, we are looking to be through with \nTiers 1 and 2 by the first part of 2014. 
With regard to Tiers 3 \nand 4, we are looking at ways that we can increase the pace of \nthe review. I know the GAO, looking at sort of the current \npace, has projected it could take between 6 to 9 years. That is \na pace that is, in our view, not an acceptable one. I think \nthat we are going to continue to see the pace quicken. I don't \nwant to provide a certain date because I am sure I will be \nslightly off.\n    But I think as we move forward with the heightened pace of \ninspections as we learn more about how to achieve efficiencies \nin the SSP reviews and the inspection process, we will get \nbetter at doing them and be able to inspect, review, and \napprove larger numbers of SSPs. I think the alternative \nsecurity programs will provide a means to heighten the pace as \nwell. So as those templates come into greater use, and \nparticularly as they are used by multiple facilities within the \nsame company, I think we will see the pace quicken \nsignificantly. We will also continue to look at the resources \nwe have to do those inspections. We are bringing on board \nanother 18 inspectors which will increase our capacity. We will \ncontinue to look at whether there might be a possibility of \ngetting some additional folks on board as well.\n    Mr. Green. Mr. Chairman, I know my time is--but there has \nbeen a substantial public sector investment and private sector \ninvestment and we would hope to see some of that, that they \nwould have their security plans at least on what they have \ninvested literally hundreds of millions of dollars on, both, \nlike I said, public money and private money.\n    Thank you, Mr. Chairman.\n    Mr. Shimkus. The gentleman's time has expired. Before I \nmove to Mr. Cassidy, just for clarification, Mr. Wulf, and for \nthe transcriber, when you said the 6 to 9 years did you say is \nnot an acceptable or did you say not unacceptable?\n    Mr. Wulf. I said it is not acceptable.\n    Mr. Shimkus. OK.\n    Mr. Wulf. 
It is not an acceptable----\n    Mr. Shimkus. Great. Thank you. It caught my attention there \nfor a second.\n    So now the chair recognizes the gentleman from Louisiana, \nMr. Cassidy, for 5 minutes.\n    Mr. Cassidy. Hey, gentlemen. Thank you for being here. I \nunderstand that you all have done a heck of a lot of work to \naddress some of the issues and as I have obviously been a sharp \ncritic, so first, I thank you for your hard work that you have \ndone.\n    With that said, you might guess I have got a couple other \nconcerns. The fact that you can----\n    Mr. Wulf. I said I suspected you might.\n    Mr. Cassidy. The fact that you can buy down risk or buy \ndown vulnerability by decreasing threat suggests that risk is \nsome constant. You have some number for risk, however you \ncalculate that number, that you would like to address. It is \nalso my understanding, I think you said earlier, the review \npanel will come up with a new model in which they will assess \nboth the economic consequences and life consequences and all \nthese other factors in a more sophisticated fashion than \ncurrently you are doing. Are they going to have access to your \ndata--this category of data, this continuum of data that you \nhave--in order to see the robustness of their model?\n    Mr. Wulf. Yes, sir. The Peer Review Panel has access to \neverything that we have, classified and otherwise.\n    Mr. Cassidy. Now, is it possible that that will show that \nwhat you are currently doing is--I suppose that means if they \nare coming up with a new model, it will show either that you \nare doing a good job or that you are not doing a good job. \nCorrect?\n    Mr. Wulf. Well, I don't know that it is fair to say that \nthe panel's charter is to come up with a new model. The charter \nis to take a fresh look at what we are doing.\n    Mr. Cassidy. But if you don't currently have--I don't mean \nto interrupt, I am sorry. It is limited time. 
If you don't have \neconomic consequences in there, and I understand at some point, \nreading the testimony or GAO report, that population density \nwasn't factored in some places. It certainly seems that you \nneed a new model. Does that make sense? I mean if we are going \nto include economic consequences, and what you are doing now \ndoes not do so, then clearly you need a new model.\n    Mr. Wulf. As we look to incorporate economic consequences--\nand I should mention that at Sandia National Labs that is doing \nthe work for us on economic consequences--but certainly \nsomething the Peer Review Panel can, and I suspect will, look \nat as well. As we move to incorporate that into the model \ncertainly we would have to revise the model.\n    Mr. Cassidy. So you do anticipate giving them access to \nyour compendium of information for them to check to see the \nrobustness of the model?\n    Mr. Wulf. Absolutely.\n    Mr. Cassidy. And will you share that with the Committee?\n    Mr. Wulf. We can certainly look at that----\n    Mr. Cassidy. I mean, like, why wouldn't you?\n    Mr. Wulf. I don't see why not.\n    Mr. Cassidy. Yes. Now, if you decide upon this model as \nbeing that model which you should use, would you share it with \nthe industry?\n    Mr. Wulf. The underlying information?\n    Mr. Cassidy. No, not the underlying information, the model \nitself. Because if, Mr. Beers, you say that they can buy down \nvulnerability by whatever--addressing in a greater way threat--\nI imagine you have some retrogression analysis and that you can \nplug these things in. Really, right now, it appears that there \nis a certain degree of subjectivity.\n    Mr. Wulf. Well, looking----\n    Mr. Beers. Sir, we are committed. And that is one of the \nquestions that we have asked the peer review to look at is, \nwhat should we share from the tiering methodology with them? \nNow, we have some parts of it which are currently classified. 
\nWe are also looking at the possibility of declassifying some of \nthat information as well. Because we firmly believe as the \nprogram has matured that the transparency of the tiering model \nis important. That will help them think about their own Site \nSecurity Plans in a better way than to simply use the risk-\nbased performance standards by themselves. The objective here \nis to reduce risk. The objective here is to reduce \nvulnerability and we believe as we have considered this, that \nthat kind of transparency is necessary.\n    If there remain classified parts of the program, we will \nlook at whether or not we can at least have some industry \nrepresentatives, as we do generally with the National \nInfrastructure Protection Plan, cleared to receive classified \ninformation even if we can't make it broadly available.\n    Mr. Cassidy. So I am asking now, not to challenge but \nrather for information, if you have a formula by which someone \ncan decide what their relative risk is, you plug in these \nvariables and you come up with risk, it seems to me that--I don't \nknow whether that would be classified. Listen, a 15-foot fence \nwill get you here and a 30-foot fence will get you there and \nvideo cameras will get you here and armored cars will get you \nthere. So knowing that some of the information is classified, \nare the variables that you plug in classified?\n    Mr. Beers. David?\n    Mr. Wulf. Some of the factors that go into the calculation \nof the risk score are classified. But I would just echo the \nUnder Secretary's comments that fostering greater transparency \nfor our stakeholders in tiering is one of our goals and \ncertainly one that we are going to pursue.\n    Mr. Cassidy. Last question--and you may have mentioned this \nearlier--when do you expect the panel to come back with their \nreport and then ideally to run some of those compendium of \ninformation to check out what you have been currently doing and \net cetera?\n    Mr. Wulf. 
We are anticipating a report from the Peer Review \nPanel this summer.\n    Mr. Cassidy. OK. Thank you. I yield back.\n    Mr. Shimkus. The gentleman yields back his time. The chair \nnow recognizes the ranking member of the full committee, Mr. \nWaxman, for 5 minutes.\n    Mr. Waxman. Thank you, Mr. Chairman. Today's hearing \nunderscores the need for reform of this program, and in my \nview, this committee should develop comprehensive \nreauthorization legislation.\n    Today, GAO will testify that it will take 8 to 10 years \nbefore the Department can review and approve the Site Security \nPlans it has already received. Additionally, the Department \nmust revise its risk analysis model, which could mean that the \ncurrent tiering of facilities will have to be revised, \nrequiring many facilities to begin the process over again.\n    In the 111th Congress, the Committee produced a \ncomprehensive Chemical and Water Facility Security Bill to \nfinally set this program on the path to sustainable success. \nMr. Beers, you testified in support of that bill as did \nrepresentatives of the labor community, the environmental \ncommunity, water utilities, and the chemical industry. At that \ntime you said, ``given the complexity of chemical facility \nregulation, the Department is committed to fully exploring all \nissues before the program is made permanent.'' I agree with \nthat statement and I would like to explore some of those issues \nwith you today.\n    Mr. Beers, does the administration still support closing \nsecurity gaps for wastewater and drinking water facilities?\n    Mr. Beers. Yes, sir.\n    Mr. Waxman. Does the administration still support \nmaintaining EPA as the lead agency for drinking water and \nwastewater facilities with the Department supporting EPA's \nefforts?\n    Mr. Beers. That is our position.\n    Mr. Waxman. 
Does the administration still believe that all \nhigh-risk chemical facilities should assess inherently safer \ntechnology and that the appropriate regulatory entity should \nhave the authority to require the highest-risk facilities to \nimplement those inherently safer technologies if feasible?\n    Mr. Beers. The statement at that time still remains the \nadministration's position, sir.\n    Mr. Waxman. Since we worked on that bill 3 years ago, \nadditional challenges have come to light. Specifically, the \ninternal review and memorandum prepared in November 2011 found \nserious problems. The Department produced an Action Plan to \naddress these problems. That Action Plan included the formation \nof a task force to develop recommendations for legislative and \nregulatory changes to the CFATS program. My understanding is \nthat the Department reports that it has completed development \nof those recommendations. Mr. Beers, when can we expect to see \nthose recommendations?\n    Mr. Beers. Sir, I will have to get back to you on that. I \ndon't have a specific answer on that question.\n    Mr. Waxman. OK. Well, I look forward to you getting back \nand to have the record held open so that we can get that \nresponse.\n    Mr. Shimkus. Without objection. So ordered.\n    Mr. Waxman. As the Committee further considers the CFATS \nprogram, having your legislative recommendations for reforming \nthe program would obviously be very helpful.\n    Thank you, Mr. Chairman. I yield back my time.\n    Mr. Shimkus. The gentleman yields back his time. The chair \nnow recognizes the other gentleman from Pennsylvania, Mr. \nMurphy, for 5 minutes.\n    Mr. Murphy. Thank you, Mr. Chairman. And thank you, to the \npanel.\n    According to the CFATS rule, a high-risk chemical facility \nis one that, in the discretion of the Under Secretary, presents \na high risk of significant consequences for human life and \nhealth and now security and critical assets. 
Let me ask you a \nfew comments on this. If, as a result of your work with Sandia \nNational Laboratories economic consequences are incorporated \ninto the CFATS risk-tiering approach, how will this impact the \ncurrent list of related facilities and do you expect more \nfacilities to be covered?\n    Mr. Wulf. I think it is hard to say right now. Depending on \nwhat we get back and our analysis of Sandia's work, it could \nimpact the number of facilities that are covered in a few \ndifferent ways. Depending on the weighting that is given to the \neconomic consequence piece of the equation and really the \ngeneral fabric of the assessment on economic consequences. So I \ndon't think I am in a position today to forecast that.\n    Mr. Murphy. Can you give any estimates at all how much you \nthink it is going to cost to incorporate the results of the \nSandia National Laboratories work into the current CFATS risk \nassessment approach?\n    Mr. Wulf. I don't at this time, not without the assessment \nfrom Sandia.\n    Mr. Murphy. Well, given also it is going to take approximately \n7 to 9 years for ISCD to review plans submitted by regular \nfacilities, how practical is it for you to expand the program \nto include additional facilities?\n    Mr. Wulf. We are going to, first, as I said, the 6 to 9 \nyears is not an acceptable pace and we are going to do \neverything in our power to pick up that pace. I think though \nthat it is important that we foster enhanced security for all \nchemical facilities that are high risk in nature. So, to the \nextent the universe of high-risk facilities is framed and \nincludes in the calculation of that universe or in the \nformation of that universe the economic consequences and the \nuniverse grows, we will look at ways to make that work.\n    As I said, we are bringing on additional inspectors; we are \nimproving our processes and procedures. We are going to get \nbetter and better at this. 
So, if that challenge presents \nitself, we will meet the challenge.\n    Mr. Murphy. I know we have talked about these things in \nother hearings that the chairman has conducted here, and you \nare expecting about 30 to 40 site plan approvals per month. \nThat is your anticipated goal for the future?\n    Mr. Wulf. That is our current pace.\n    Mr. Murphy. The current pace. Well, how many did you approve \nin January of 2013?\n    Mr. Wulf. I would have to get that to you specifically.\n    Mr. Murphy. February? Just last month, any idea?\n    Mr. Wulf. I would imagine between 20 and 30 in February.\n    Mr. Murphy. So you said you expect----\n    Mr. Wulf. Yes.\n    Mr. Murphy. You are currently at 30 to 40 but you are half \nthat in February. I am just trying to----\n    Mr. Wulf. Yes. I expect it is going to continue to ramp up \nbecause what we are doing more of in January and February was \nauthorizing plans. And as we authorize the plans, we schedule \nthe inspections. That is what leads to the approvals. So the \napproval pace will pick up. We anticipate by the end of \nSeptember being up to upwards of 350 approvals. So that will be \nall of Tier 1 and probably about halfway through the Tier 2 \nfacilities. So, actually, in 6 months, 6 1/2 months from now, \nwe will likely be doing about 50 approvals a month for the next \nforeseeable future.\n    Mr. Murphy. You have a mechanism for continuous improvement \nas you go through these to speed them up, for example, getting \nfeedback as you go through these approval processes--feedback \nfrom people you have worked on with those saying what we could \nhave done to make this better, faster, more thorough?\n    Mr. Wulf. Yes, we sure do. We are constantly evaluating our \nprocesses and looking at ways we can do things better.\n    Mr. Murphy. Is that an internal process? Do you also get \nexternal feedback on that?\n    Mr. Wulf. 
Well, it is an internal certainly within the \ndivision and the relevant branches within the division. But \nalso we are talking consistently with our stakeholders, and I \nwas able to share one comment we received back during my \nopening statement. But we are always talking to our \nstakeholders about improving. And one of the things we have \ndone to pick up the pace and to increase the pace of SSP \nauthorizations and approvals specifically has been to include \nour field inspectors, who are most familiar with the facilities \nin the authorization and approval loop early in the processes. \nAs issues are identified, those SSPs are kicked out to the \nfield and squared away and kicked back into the authorization \nand approval loop more quickly.\n    Mr. Murphy. In my remaining time I just want to ask real \nquick. We understand there are some documentation issues \nregarding the CFATS risk-tiering approach. Can you give me a \nlittle information of what those documentation issues are? Is \nthat something slowing you down, too, or what are those \ndocumentation issues?\n    Mr. Wulf. No, I don't think so. The documentation I \nreferenced earlier was our effort over the past year to \nthoroughly document the tiering methodology.\n    Mr. Murphy. Is that also improving over time? Thoroughly \ndocumenting so you are----\n    Mr. Wulf. Yes.\n    Mr. Murphy. Well, I am out of time here I know but I will \nfollow up on the other questions. Thank you.\n    Mr. Wulf. OK.\n    Mr. Shimkus. The gentleman's time has expired.\n    The chair now recognizes the gentleman from California, Mr. \nMcNerney, for 5 minutes.\n    Mr. McNerney. Thank you, Mr. Chairman.\n    Mr. Wulf, is the ISCD responsible for addressing cyber \nthreats to chemical plants?\n    Mr. Wulf. Yes, sir. Yes, sir. One of our Risk-Based \nPerformance Standards, RBPS 8, relates to cyber.\n    Mr. McNerney. 
So are there specific cyber threats for \npotential catastrophic results to human beings that you know \nof?\n    Mr. Wulf. I think potentially there could be, which is why \nCFATS addresses cyber. It focuses within the CFATS framework on \nindustrial control systems, on systems that can impact the \nrelease of chemicals, and on systems that can impact the \nsecurity of a facility.\n    Mr. McNerney. So how effective then is the DHS in \naddressing these potential cyber threats?\n    Mr. Beers. Sir, we have the best team in the country to \ndeal with industrial control systems as announced by Security \nmagazine. The ICS or Industrial Control Systems team that we \nhave in our cyber office is absolutely the best in the country. \nThey provide regular assessments on requests from people. We \nare expanding that program. It will also be part of the work \nthat we are doing with respect to the Executive Order on \ncybersecurity and the Presidential Policy Directive that came \nout, both for those in February, a major area of concern and a \nmajor area of involvement. We are basically teaching the rest \nof the government how to deal with this issue.\n    Mr. McNerney. Good. Good. In my mind there are two aspects \nof cyber defense: protection and retaliation. Maybe that is not \nthe way that you look at it, but a kinetic attack will almost \ncertainly involve a strong response from this government. But \non the other hand, a cyber attack may not elicit a response. So \nthe question I have is, are there rules of engagement for cyber \nattacks on chemical facilities in this country?\n    Mr. Beers. Sir, there are general rules of engagement that \nis not part of the DHS activity set. That belongs to the \nDepartment of Defense. But we and the Department of Defense and \nthe Department of Justice have a very robust effort to work \ntogether on a regular basis at all of those things short of an \nactual attack. 
I mean, we are, as you well know, in a sort of \ncold state of a lot of reconnaissance, a lot of intellectual \nproperty theft that is going on now that the three departments \nare working mightily to try to deal with. But the offensive \nside is the domain of the Department of Defense. We are aware \nof what they do in a general sense but it is not part of our \nresponsibility.\n    Mr. McNerney. So I mean there must be some coordination \nthen. I mean cyber attacks are happening on a continuing basis, \nsome of them less of a threat and some of them more of a \nthreat. And so what I would like to get is some comfort that \nthere is going to be a consequence to conducting cyber attacks \nat any level on facilities in this country.\n    Mr. Beers. Sir, I certainly can't comment on that in this \nunclassified setting.\n    Mr. McNerney. OK. Mr. Chairman, I yield back.\n    Mr. Shimkus. The gentleman yields back the time.\n    The chair now recognizes the gentleman from West Virginia, \nMr. McKinley, for 5 minutes.\n    Mr. McKinley. Thank you, Mr. Chairman. This is an \ninteresting subject.\n    Mr. Shimkus. Mr. McKinley, can you turn your mike on, I \nthink?\n    Mr. McKinley. It is on.\n    Mr. Shimkus. Oh, you do.\n    Mr. McKinley. Yes, this is an interesting subject. As an \nengineer and as someone who has worked in some of these \nchemical plants, I am curious to learn more about what we have \nbeen doing and how long it has been going on. I am just \ncurious, first, I guess is, do either of you feel are terrorism \nthreats on the rise? Is it status? What is happening in this \ncountry? I am just curious.\n    Mr. Beers. Yes, sir. That is a very good question. I think \nwhat we have seen since 9/11, a continued threat within the \ncountry that has been primarily executed by individuals who \nhave been inspired by the rhetoric of the jihadists to conduct \nacts within the country. Fortunately, we have been able to \nthwart most of them. 
Some of them just simply failed because \nthey weren't very well executed. The Bureau has a very \nextensive program trying to detect this. Could something happen \nfrom overseas again? Yes, that is always a possibility, but \nthat is a major effort that we and the other departments are \nworking on.\n    Mr. McKinley. Well, again, are the attacks on the rise? \nThreats I should say. Are threats of attacks on the rise?\n    Mr. Beers. Are threats of attacks on the rise? The threat \nand capability, because aspirational threats----\n    Mr. McKinley. It should be just a yes or no. Isn't it a yes \nor no?\n    Mr. Beers [continuing]. Occur on a regular basis and you \ncould look--and there is something every day. Threat and \ncapability matched with one another----\n    Mr. McKinley. Are threats on the rise?\n    Mr. Beers [continuing]. I think at this point are not on \nthe rise.\n    Mr. McKinley. OK. That is fine.\n    Mr. Beers. Are not on the rise.\n    Mr. McKinley. What is their objective? Is it just to have \naccess? Are they trying to just blow up a facility? What is the \nthreat that you are hearing? What are they trying to \naccomplish?\n    Mr. Beers. So there is the local objective and there is the \nbroader objective, and they think in both of these realms. The \nlocal objective is to have an event that is sufficiently \nnewsworthy, sufficiently damaging, that it causes people to \ntake notice of it and gives them credit for the ability to \nactually execute. The broader issue, though, is to destroy--and \nbin Laden and his successors have been very clear about this--\nis to destroy the will of the West, and the will of the United \nStates to oppose them and withdraw from the region.\n    Mr. McKinley. So if I can continue with the question, can \nyou give me an example of a chemical facility that has been \nattacked successfully in the West?\n    Mr. Beers. No, sir. 
Unless you want to include the Amenas \nplant in Algeria, which is the one recent one----\n    Mr. McKinley. OK. That is fair.\n    Mr. Beers [continuing]. That we had, but other than that, I \ncan't tell you.\n    Mr. McKinley. It is one thing if they want to disrupt it, \nwould we not pose a threat also in where the products that we \nare producing in these chemical plants--does it extend your \nrisk assessment and evaluation? Does that also go to the \ndistribution centers and transportation or is it just at the \nplant?\n    Mr. Beers. It is in all of those, sir, depending upon the \nholdings, where the holdings are----\n    Mr. McKinley. So you go the whole route. You are not just \non risk assessment----\n    Mr. Beers. But again, if the holding isn't large enough to \nbe tiered in by the consequence, then they are not regulated. \nBut we do look at distribution centers as well. David, you want \nto----\n    Mr. Wulf. But CFATS focuses on facilities. So there are \nother agencies that deal with the transportation sectors. So \nthe transportation of hazardous materials is covered by the \nDepartment of Transportation and the Transportation Security \nAdministration. CFATS is focused on facilities but certainly \nincluding distribution centers. And among the chemicals of \ninterest that we assess are those chemicals that could be \nsuccessfully used by terrorists in an attack as well as \nchemicals that can be released.\n    Mr. McKinley. In the time frame that I have left, are the \nfour other European nations, do they have something comparable \nto what we are doing here?\n    Mr. Wulf. I think in many ways we are on the cutting edge \nhere. And I think CFATS is a sound program and really a model \nthat, were it implemented elsewhere could be of value to \nsecuring chemical facilities and hardening them against \npotential terrorist attacks.\n    Mr. Shimkus. Gentleman's----\n    Mr. McKinley. OK. 
Time has expired on that, but I just want \nto say, even though they have not had an attack in Europe and \nthey don't have anything comparable to this, I am just curious.\n    Mr. Wulf. I think Congress' assessment and our assessment \nas well is that high-risk chemical facilities pose a very \nattractive target to terrorists.\n    Mr. McKinley. Thank you.\n    Mr. Shimkus. The gentleman's time has expired.\n    The chair will now recognize the gentleman from Ohio, Mr. \nJohnson, for 5 minutes.\n    Mr. Johnson. Thank you, Mr. Chairman.\n    Mr. Beers, the Department of Homeland Security has adjusted \nits chemicals-of-interest release model because of errors in \nthe formula. Are you aware of any other issues that may affect \nthis or any other models within the risk assessment approach?\n    Mr. Beers. Sir, I am not, but let me turn to my expert here \nand ask him if there is anything you want to add to that.\n    Mr. Wulf. No. Our documentation found some minor issues \nthat we have briefed staff on and that we have addressed and \nthat have not led to significant re-tierings or significant \nnumbers of re-tierings of facilities. So we are looking forward \nto receiving the report from the Peer Review Panel and any \nrecommendations for improvements they may have for the tiering \nengine.\n    Mr. Johnson. Is this the expert panel review that you are \ntalking about?\n    Mr. Wulf. That is right.\n    Mr. Johnson. OK. Before you became aware of problems with \nthe chemicals-of-interest release model, had you conducted any \nevaluations, Mr. Beers, of the risk-tiering approach?\n    Mr. Beers. Sir, before we became aware of that particular \nproblem, I am not aware of any reviews that had taken place. \nHaving said that, it was, as we look backward on when that \nmatter was brought to my attention, that there were questions \nabout it a year prior to that. And the review that happened at \nthat time turned out not to be an accurate review. 
So in that \nsense, there were anomalies that were looked at; unfortunately, \nthey failed to detect the problem that ultimately surfaced \nseveral years ago.\n    Mr. Johnson. OK. All right. In regards to the expert panel \nreview, it is our understanding that the current expert panel \nreview will not include a formal validation or verification of \nthe model. How does that impact the value of the review?\n    Mr. Wulf. We have asked the panel to take a full look at \nthe program, at the tiering methodology, and to give us an \nassessment as to whether it is, in fact, a sound methodology \nfor assessing risk and also to provide us any recommendations \nfor potential enhancements and improvements to the methodology. \nSo I don't anticipate a formal stamp of approval, but I expect \nthat they will let us know how they feel about what we are \ndoing in the tiering arena.\n    Mr. Johnson. But it is important though, right? I mean, it \nis important to get that information, to get that stamp of \napproval.\n    Mr. Wulf. I think that is why we are doing this. Not to----\n    Mr. Johnson. But you said you are not expecting a stamp of \napproval.\n    Mr. Wulf. Well, not----\n    Mr. Johnson. So there is----\n    Mr. Wulf [continuing]. An actual stamp, I guess.\n    Mr. Johnson. Yes.\n    Mr. Wulf. I am----\n    Mr. Johnson. We don't want them to just look at it; we want \nthem to give us a validation and verification that the model is \naccurate according to what we know today. Correct?\n    Mr. Wulf. Yes. We want them to look at the methodology and \nlet us know their thoughts on whether it works and if there are \nways in which it could work better.\n    Mr. Johnson. OK. Given that you have not been able to \nreview the Site Security Plans for the Tier 3 and 4 facilities, \nhow would you characterize how they are currently being \nregulated?\n    Mr. Wulf. 
Well, I would mention that we have begun review \nof the Tier 3 Site Security Plans and I have authorized some of \nthose. But that is admittedly in the early stages.\n    Mr. Johnson. Tier 3 and 4, or just 3?\n    Mr. Wulf. Tier 3. Tier 3.\n    Mr. Johnson. OK. So 4 is not being included?\n    Mr. Wulf. Tier 4 reviews have not begun on the SSPs. But I \nwould say that across the tiers to include Tiers 3 and 4 CFATS \nhas had an impact. Those Tier 3 and Tier 4 facilities have gone \nthrough the top screen process, have developed security \nvulnerability assessments, have, in most cases, met directly \nwith CFATS inspectors who have worked with them through \ncompliance assistance visits and other outreach in the order of \nmore than 3,000 such visits and encounters to work with them on \nthe development of their Site Security Plans. So I think in all \ncases, even without authorization or approval of those \nfacilities, their security has been enhanced by CFATS and the \nwork of our inspectors.\n    Mr. Johnson. OK. With that I yield back, Mr. Chairman.\n    Mr. Shimkus. The gentleman's time has expired.\n    The chair now recognizes the gentleman from Mississippi, \nMr. Harper, for 5 minutes.\n    Mr. Harper. Thank you, Mr. Chairman.\n    Thank you, gentlemen for being here. I know this is always \nan exciting time, but we welcome you and appreciate the \ninsight. We are obviously concerned about security for these \nfacilities, how we accomplish that. And as we are looking at \nthe number of facilities we have, has there ever been any \nthought on your side of maybe just limiting the scope of \nregulating facilities only to the Tier 1 and Tier 2 facilities? \nHas there been any thought on that?\n    Mr. Wulf. I would say that, no, there hasn't. 
Inasmuch as \nall four tiers represent high-risk chemical facilities and a \nrelatively small percentage of the total number of chemical \nfacilities in the country, our assessment is that all four \ntiers are worth covering under CFATS.\n    Mr. Harper. Do you agree with that?\n    Mr. Beers. Sir, remembering that this is a consequence-\nfocused----\n    Mr. Harper. Yes, sir.\n    Mr. Beers [continuing]. Issue, the original decision on all \nfour of the tiers were that the consequences, the potential \nloss of life in the vicinity of those facilities--this is the \nprimary reason----\n    Mr. Harper. Yes, sir.\n    Mr. Beers [continuing]. Was significant in terms of the \ncommunities that surrounded them. So it is, as you well know, \nimpossible to put a cost on the loss of even one life. So that \nis why this is such an important decision and why we really \nhaven't gone that step and said, no, that 3 and 4 are not high-\nrisk.\n    Mr. Harper. OK. Let me ask this: as you are establishing \nthese, you do a preliminary tier risk rating and then you do \nfurther evaluation--the SVA--and you determine what the final \nrating is.\n    Mr. Beers. Yes.\n    Mr. Harper. And once that is established, what is the \nreview process after that? Is there a time with that final tier \nrisk rating that it might change in the future? How often are \nyou going back to review those?\n    Mr. Wulf. As facilities make changes to their chemical \nholdings or to their processes, they may submit a request for \nredetermination or may submit a revised top screen to ISCD and \nwe will, you know, rerun that and assign as appropriate a----\n    Mr. Beers. So the nearly 3,000 changes that have been \nmade----\n    Mr. Harper. Sure.\n    Mr. Beers [continuing]. Including tiering out are a result \nof changes in holdings that have been able----\n    Mr. Harper. OK.\n    Mr. Beers [continuing]. To be recognized in that fashion.\n    Mr. Harper. 
So is that possible review or change of a tier \nrisk, is that something that you have to wait on them to notify \nyou or are you on a schedule? Do you go back and review those \nyourself even if you are not notified of any changes on their \npart?\n    Mr. Wulf. To the extent that our inspectors are out working \nwith these facilities through compliance assistance visits or \nother outreach----\n    Mr. Harper. OK.\n    Mr. Wulf [continuing]. That is sort of the form that would \ntake. So our involvement would happen in that way but there is \nnot a formal process for going back and----\n    Mr. Harper. Not a calendar date say every 2 years, 3 years \nwe are going to come back and review? OK. Now, it is my \nunderstanding that if you have two facilities that have the \nsame chemical of interest, one that has very little physical \nsecurity near a major city, and another stored with the same \nchemical in an extremely secure location near that same major \ncity, they would be tiered identically? Is that accurate? If it \nis the same chemical of interest, regardless of the level of \nsecurity near that major city, in two different facilities, \nwould they be tiered the same?\n    Mr. Wulf. I think that is accurate.\n    Mr. Harper. OK.\n    Mr. Wulf. The tiering is based on the potential consequence \nof that.\n    Mr. Harper. All right. Is that a good way to manage and \nmitigate chemical facility terrorism risk?\n    Mr. Wulf. Well, I think it is in that the facility, without \nthe hardened security would, as a result of being tiered, have \nto look to implement security measures, develop a Site Security \nPlan that would bring it up to an acceptable level of security.\n    Mr. Beers. The whole notion here is we want to level the \nplaying field so----\n    Mr. Harper. Sure, but----\n    Mr. Beers [continuing]. A secure facility is great. An \nunsecured facility is something that we would want to change. 
\nWe want to take the unsecured facility and raise it to roughly \nequivalent standards to the secure facility.\n    Mr. Harper. But it appears to me that perhaps we are \ndiscouraging high-risk chemical facilities from increasing \nsecurity at their facilities and making them stronger. And I \ndon't know that that is having the desired effect that you are \nsaying you want. Is it having that impact? And my time is up, \nso I guess I won't get a formal answer from you.\n    And I yield back.\n    Mr. Shimkus. The gentleman yields back his time.\n    And I see no other members. But before I dismiss the panel, \nI just want to reference the law. Because, Mr. Beers, you keep \nsaying a consequence, which is something that we need to be \nconcerned about. But that is not what the law says. The law \nsays a risk-based system.\n    Mr. Beers. Yes, sir.\n    Mr. Shimkus. Consequence is a part of that but it is not \nthe whole calculation. I think you have caused more questions \nby this testimony today than answered questions.\n    So I think we will have them back, Mr. Ranking Member, to \nkeep ferreting this out because the law is pretty clear. And \nyou can see there are still a lot of questions on how we are \ntrying to define this.\n    So we do thank you for coming. We do have the ability to \noffer written questions as the ranking member of the full \ncommittee asked. And with that, we would dismiss the first \npanel.\n    Mr. Beers. Sir, may I respond to the question that you \nposed in writing?\n    Mr. Shimkus. Correct. You may. I would be happy to----\n    Mr. Beers. I think if you are still not satisfied, then we \nhave more work to do to----\n    Mr. Shimkus. I think you have a lot more work to do.\n    So we will dismiss this panel and we will have the second \npanel.\n    Staff, if I can get the back doors closed. Someone? 
Then we \ncan move promptly.\n    We would like to continue the hearing and welcome our \nsecond panel, a one-member panel, so we can put full attention \nto the testimony and answer questions. So we would like to \nwelcome Mr. Stephen Caldwell, Director of Homeland Security and \nJustice from the Government Accountability Office.\n    Sir, your full statement is in the record. You are \nrecognized for 5 minutes.\n\n STATEMENT OF STEPHEN L. CALDWELL, DIRECTOR, HOMELAND SECURITY \n         AND JUSTICE, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Caldwell. Thank you very much, Chairman Shimkus and \nRanking Member Tonko. I appreciate being here to talk about \nCFATS and the findings in our about-to-be released report on \nthe program.\n    As you know, our earlier report focused on an internal DHS \nmemo documenting management problems with the CFATS program and \nagency efforts to come up with corrective actions. But our \ncurrent report focuses on agency efforts to do three things \nrelated to its core mission. The first of those is assess risks \nat the facility, which we have talked about quite a bit; review \nthe Site Security Plans; and work with industry to improve \nsecurity.\n    Let me start with the risk assessments. As noted, both the \nDepartment and GAO have established criteria for risk \nassessments and these were not followed closely in the CFATS \nprogram. Specifically, the three elements of risk--threat, \nvulnerability, and consequence--were not all used. As has been \ndiscussed, vulnerability has not been used even though DHS does \ncollect extensive information on it. Some of the CFATS program \ncriteria in its own 2007 rule, including the economic \nconsequences, also have yet to be implemented.\n    Regarding the Site Security Plans, we found that the \nDepartment had a cumbersome process in place for reviewing the \nsecurity plans which led to a backlog of security plans \nawaiting approval. 
The Department has attempted to streamline \nthe review process by doing concurrent reviews among its \nexperts when it had formerly been doing sequential reviews. \nHowever, the impact of the streamlining is not known because \nno metrics were kept on how long the old process was taking.\n    But even with a more streamlined review process, as we have \nnoted in our statement, we are estimating 7 to 9 years to \nimprove those facilities that have been tiered. But our \nestimate does exclude some of the important parts of the regime \nas a whole, such as the compliance inspections.\n    Regarding industry, the CFATS program has increased its \noutreach, and this was noted in the inquiries we made through \nindustry associations representing chemical facilities. The \nindustry also expressed concerns about the burden of submitting \nand updating information to DHS, as well as frustration in \nwanting more details on the how and why the facilities were \ntiered a certain way. Some of these issues, as has been noted, \nmay be resolved in terms of the Department is considering what \ninformation on its tiering process it might provide to \nindustry. Nevertheless, the CFATS program could benefit from \nsystematically monitoring the effectiveness of its outreach \nactivities.\n    In closing, I would like to briefly look back at our \nprevious report, which commented on the serious management \nproblems within the CFATS program. Because of a lack of \ndocumentation in the earlier years, we were really unable to \ndetermine the root causes for a lot of those problems. And this \ncondition was found in our current work. As an example, we \nfound no documentation as to why the current incomplete \napproach to risk assessment was chosen. So to some extent, the \ncurrent program is still recovering from some of those earlier \nmanagement problems.\n    But we have found the Department to be responsive to our \nrecent recommendations and our current findings. 
We hope their \npositive attitude continues to result in improvements.\n    And related to this, I would like to note that my written \nstatement is titled ``Preliminary Observations.'' Because we \nare still awaiting Department comments on the recommendations \nin our current draft report, we will finalize that report once \nwe receive those comments and we anticipate issuing that in \nearly April.\n    With that, I am happy to respond to any questions.\n    [The prepared statement of Mr. Caldwell follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Shimkus. Thank you, Mr. Caldwell.\n    I would like to recognize myself for 5 minutes for the \nfirst round of questions.\n    You were in here for the last panel and probably listened \nto my last exchange based upon the language of the law. Could \nyou understand my frustration with the question based upon what \nmembers had said before about the formula for risk and if there \nare two variables that are undefined, how do you identify risk?\n    Mr. Caldwell. Yes. I guess I agree with your point. The law \ncalls for an assessment of risk, not of consequence. I think \nthe DHS response we have heard today kind of indicates that the \nexclusion of vulnerability was part of a well-laid-out and \nthoughtful methodology and analysis that they used from the \nstart. We certainly found no evidence of this. I mean our early \ndiscussions with methodology with them last year indicated the \nfissures did not know why the current methodology was picked or \nwhy vulnerability was left out. And there certainly was no \ndocumentation on that. It was really only when we raised the \nissue of the lack of the consideration of vulnerability----\n    Mr. Shimkus. It was?\n    Mr. Caldwell [continuing]. That the current narrative \nemerged that you heard today. 
So I think that really reinforces \nthe need for an independent peer review, preferably earlier in \nthe process than now because the problems they will have if \nthey find major changes. And I have some other comments on peer \nreview I can make as well.\n    Mr. Shimkus. Did you get any comfort from the response that \nthe formula is being reviewed by Sandia? And I think the \nfrustration from my end was that we might take it; we might \nconsider it. I mean, it was pretty vague as to whether all of \nthis work that they would even consider is part of a fix to the \nformula.\n    Mr. Caldwell. Yes. Let me make two comments on the peer \nreview. I think based on our work today--and they have been \nsharing a lot of information with us--but we are still not sure \nhow much of a free hand and leeway this new peer review is \ngoing to have, this expert panel. Will they have the leeway to \nreally start from scratch and kind of come up with fundamental \nchanges from the model if they think they are needed?\n    And then, of course, we are also not really sure and the \nDepartment really hasn't committed to really how they would \nreceive any major recommendations for changes because of \nimpacts it could have on the peering process. So that is what I \nwill call the peer review's need to do a review of the \nmethodology.\n    But what the peer review would also need to do to be \ncomprehensive would be what is called the V and V, or a \nverification and validation. We know that there were some \nmiscalculations found in the formula. This did lead to the re-\ntiering of several facilities. Also, in the course of our work, \nwe found out there was an omission of certain locations such as \nHawaii, Alaska, and Puerto Rico from the data in the model \ncalculations. 
And they don't think this will lead to any \nchanges in tiering, but, I mean, together they certainly don't \ngive us a warm, fuzzy feeling that they have looked at the \nactual mechanics of the model to make sure that even if the \nmethodology is correct that the model is working the way it was \nintended to. So it is also important that the peer review do a \nV and V, a verification and validation, to actually look at the \nmodel, play with the numbers, do calculations, ensure they are \ncorrect, and maybe do some sensitivity analysis as well.\n    Mr. Shimkus. Well, and just kind of following up on this \nline of questions because it was asked by one of my colleagues \non data, data collection, and what is it used for. Again, a \npretty vague answer by our first panel as to what they really \nneeded, what they had, and why they had it. You found that \nowners and operators were spending unnecessary resources \ncomplying with CFATS data collection requirements. Can you \nelaborate on your findings?\n    Mr. Caldwell. Well, I will say two things. I think whether \nthe industry feels that they misspent funds or wasted funds, I \nwill leave maybe for the third panel. You can ask them that. \nBut in terms of the question about whether all this \nvulnerability data was useful that the Department is capturing \nbut is not using, I think the way they put it is that it is \ndata that then the facilities have been able to use or could \nuse. So again, that is a question for the facilities. I mean, \nyou could ask the facilities and industry----\n    Mr. Shimkus. But the facilities are the ones who provide \nthe data. So it is kind of like we got the data, we gave it to \nHomeland Security, and then Homeland Security says we got the \ndata, here is your data because it is going to help you out, or \nthe collection of that data will help you out. I mean, it is \njust----\n    Mr. Caldwell. Yes.\n    Mr. Shimkus [continuing]. Counterintuitive. 
I am struggling \nwith this.\n    Mr. Caldwell. We found that the Department is not using the \nvulnerability data at all that it collected from facilities.\n    One other thing on that point, when we talked to them about \nwhy they were not using the vulnerability data, they said, \nwell, they were concerned because it was self-reported and thus \nmight be either exaggerated or not exaggerated. But everything \nin this thing is self-reported until--I mean everything going \ninto tiering about how much chemicals they have and where they \nhave them and the method of storage--all of that is self-\nreported. So I am not sure that I agree with that distinction.\n    Mr. Shimkus. You are not helping me very much but thank \nyou. My frustration level continues to mount.\n    So I would like to recognize the ranking member, Mr. Tonko, \nfor 5 minutes.\n    Mr. Tonko. Thank you, Mr. Chairman. I hope you can relax \nfor a moment.\n    I thank you, Mr. Caldwell, for appearing here today.\n    GAO's analysis reveals significant concerns about this \nimportant national security program and the sufficiency of the \nDepartment of Homeland Security's Action Plan to address these \nconcerns. We heard from the Department on the first panel that \nthey are taking GAO's findings seriously and intend to follow \nGAO's recommendations to strengthen the risk assessment models \nused in their programs.\n    It seems that some of these concerns are long-standing. For \ninstance, stakeholders have long called for a greater \ntransparency in the risk assessment process. I welcome the \nGAO's testimony today and have a few questions that, I think, \nwould be helpful in providing the information we require. To \nthe DHS methodology itself, does it appropriately, in your \nopinion, account for threat?\n    Mr. Caldwell. Threat is a little tougher. And so I think in \nour own analysis we have been less critical of the Department \non that. 
And the reason that threat is more difficult is \nbecause the threat comes from a potentially adaptive adversary \nthat can see where vulnerabilities have been reduced or maybe \nwhere vulnerabilities still exist and change their targets. But \neven more so, when you are looking at these chemical \nfacilities, the facilities themselves could be attacked or some \nof the chemicals at those facilities could be stolen or \ndiverted and then moved and then used again in a population \ncenter or any other location. So I think it is very difficult, \nand also I think in terms of some of the questions about threat \nthere were asked, there just really is not a lot of actionable, \nreal intelligence that shows there is a threat against these \nfacilities or specific facilities.\n    Mr. Tonko. Thank you. And to that methodology again, does \nit account for the two minimum components of consequences, that \nbeing human consequences and economic consequences?\n    Mr. Caldwell. It does not include economic consequences. As \nthe Department has stated, they have now engaged Sandia \nNational Labs to do that but it has been a while. I mean, the \nrule came out in 2007 that specifically said that they would \ninclude that at some point. And if you look at the National \nInfrastructure Protection Plan it does say at a minimum \nconsequence needs to include both human casualties and \nfatalities, those things, as well as the economic consequences.\n    Mr. Tonko. Thank you. And I would imagine that GAO has \nlooked at risk assessments prepared by many different agencies \nover the years. How would you say the CFATS risk assessments \ncompare to the work at those other agencies?\n    Mr. Caldwell. Well, there are a couple of examples I can \nthink of. At the Coast Guard, for example, we have done \nextensive work on their risk assessment model. It is called the \nMaritime Security Risk Assessment Model. And it does include \nall the components. 
And that is probably the most sophisticated \nmodel within DHS because it also takes into account the \nmitigation efforts that a facility is doing and how that \nimpacts the risk.\n    There have been other cases--I believe it is TSA--I will \nhave to correct my statement if I find that it is a different \nagency--where we found that vulnerability was also being held \nconstant and we have made those recommendations that they not \ndo that and that that particular component agreed with that \nrecommendation.\n    Mr. Tonko. Thank you. During the first panel Director Wulf \nindicated that including vulnerability in risk assessments \nwould lead to an ever-changing tier assignment for a given \nfacility. Is this a valid enough reason for leaving the \ncriteria out of the assessment?\n    Mr. Caldwell. Well, I think if in the beginning that was \nthought through and done on purpose, I could have maybe given \nhim a little more sympathy if he is trying to design something \nto do that. But as I said, that narrative was developed pretty \nrecently as to why it was left out. There is a problem now in that \na lot of these facilities, thousands of these facilities--and \nif there are major changes in their model because of the peer \nreview or things we have said or adding the economic \nconsequences, this could reasonably change the tiering of those \nfacilities.\n    Mr. Tonko. And this committee is aware of two mis-tiering \nincidences at the Department where facilities were placed in \nthe wrong tier because of errors made by the Department. That \nis a serious problem. But now we hear from GAO that none of the \nmore than 3,500 tiering decisions that have been made are \nreliable. They are all based on a risk assessment methodology \nthat is seriously lacking. Is that an accurate assessment?\n    Mr. Caldwell. I wouldn't use the term that this is a fatal \nflaw or things like that. But certainly we are questioning why \nthey haven't included vulnerability. 
I think that we have a \nconcern. Now, we do believe the best way to address that would \nbe to have a peer review come in externally, review it. As we \nhave said before, and as you said before, the National \nAcademies of Sciences came in and found very similar problems \nacross the Department that we are talking about here within the \nCFATS program.\n    Mr. Tonko. Well, I see that my time has expired so I will \nyield back, Mr. Chairman.\n    Mr. Shimkus. Thank you.\n    The chair now recognizes the gentleman from Pennsylvania, \nMr. Pitts, for 5 minutes.\n    Mr. Pitts. Thank you, Mr. Chairman.\n    Mr. Caldwell, you noted in your statement that it could \ntake 7 to 9 years before ISCD completes the review of the 3,120 \nsecurity plans currently in the review queue and that the \nestimate does not include work by ISCD on other missioned \nactivities. What are some examples of these ISCD activities?\n    Mr. Caldwell. Well, that estimate does not include about \n900 facilities that have yet to be assigned into a final tier. \nAlso, the time required to review the plans to resolve issues \nrelated to personnel surety take some time because some of the \nplans have been provisionally or conditionally approved. So \nthey have to go back and revisit that once the personnel surety \nrule is in place. And then there are the compliance inspections \nthat they would do which are separate from the plan approval, \nbut those are generally done a year after. So you are looking \nat another year out there for individual facilities before they \nhave the compliance inspections. And really, it is only until \nyou have the compliance inspection whether you know that the \nfacility is actually implementing the things in its security \nplan.\n    Mr. Pitts. So will implementing these mission activities \nfurther delay full CFATS program implementation?\n    Mr. Caldwell. Well, certainly until all of the pieces are \nin place, it is not going to be there. 
And I think several \nfigures have been thrown out; 8 to 10 years we said in our last \nhearing. I mean, now, we are looking at 7 to 9 just for the \napproval plan. So it is going to be some time before this \nregime is completely in place. It is in contrast to maybe some \nof the other programs that were put in place after 9/11.\n    Mr. Pitts. Now, the regulated industry says that ISCD's \nefforts to communicate regarding CFATS-related issues are mixed \nin effectiveness. Does ISCD measure the effectiveness of its \noutreach efforts and could they?\n    Mr. Caldwell. No, they don't. They measure some of the \nthings like how many meetings they have and those kinds of \nthings, but they haven't outreached really to find out whether \nthese have been effective so we are considering----\n    Mr. Pitts. Should they or could they?\n    Mr. Caldwell. Yes. And we are considering a recommendation \nwith the Department. We are in discussions with a \nrecommendation that we ask that they do so.\n    Mr. Pitts. What should we take away from the input that you \ngot from trade associations?\n    Mr. Caldwell. Some of the things are working pretty well. \nThe meetings with this Sector Coordinating Council seem to be \neffective according to industry. Also some of the visits to \nfacilities, a little bit mixed there. I think the more recent \nthings based on some of the testimony you will hear later today \nis that the officials doing those inspections from DHS do seem \nqualified and helpful, whereas I think some of the early \nresponses that they were very reluctant to actually make useful \nconcrete suggestions on how to improve security.\n    Mr. Pitts. Now, you found that owners and operators were \nspending unnecessary resources complying with CFATS data \ncollection requirements. Would you elaborate on that?\n    Mr. Caldwell. I don't believe we ever said they were \nunnecessary. 
I just think they were worried about a substantial \nburden in terms of the cost it was taking to do these, \nparticularly, if something changed and they did this. I think \none of the things industry may tell you about in the next panel \nis the chemical industry can be a complicated business, so \nsometimes they change mixes of their chemicals in terms of some \nof their processes. And there has been a debate about whether \nthen do they have to go back to DHS and resubmit everything \nbecause their mixture of chemicals is slightly different? It is \na concern.\n    Mr. Pitts. And what in your view is the difference between \nthe current Site Security Plans and Alternative Security Plans?\n    Mr. Caldwell. Well, I think the Alternative Security Plans \nlook a little simpler. I think that they have some of the same \ninformation but perhaps in a more useful way because it is \nportrayed as a plan as opposed to a data dump of a lot of \nindividual information that is in the DHS tool.\n    Mr. Pitts. Thank you, Mr. Chairman.\n    Mr. Shimkus. Thank you.\n    The chair now recognizes the gentleman from California, Mr. \nMcNerney, for 5 minutes.\n    Mr. McNerney. Thank you, Mr. Chairman.\n    Mr. Caldwell, we have been hearing this morning a lot about \ntiering formulas and about the risk assessment models. How \nfamiliar are you with the details of these models and formulas?\n    Mr. Caldwell. We have not done the kind of verification and \nvalidation that a peer review of experts might do. So we have \ntalked through what they use, we have discussed the factors, \nbut I can't say we have tried to reproduce their models or do \nsensitivity analysis.\n    Mr. McNerney. Are these by-and-large Excel spreadsheets or \nwhat do they look like? What form do they take or how do people \nhave access to the models?\n    Mr. Caldwell. It is an online tool so it is some kind of \nrelational database. 
But beyond that, I can't tell you too much \nabout the formulas or what the actual algorithms are.\n    Mr. McNerney. And what sort of security do the models have \nin terms of making changes to parameters--not parameters but \nthe way the models are executed? Is there a very secure \nmethodology that is required for someone within DHS to change \nthe model itself?\n    Mr. Caldwell. We have not looked at the internal controls \nor the security settings on the model.\n    Mr. McNerney. So as far as you know somebody in one of \nthese departments can say, well, gee, I think this model is a \nlittle off; I am going to change it? I mean, there has to be \nsome sort of control on these things.\n    Mr. Caldwell. There should be, yes, sir.\n    Mr. McNerney. Is that something you think you can find out \nor make an assessment?\n    Mr. Caldwell. We can certainly ask the Department and \nanswer that as a question for the record or if you could direct \nit to the Department, then that might expedite things or not.\n    Mr. McNerney. All right. Thank you. I have a question. Were \nyou assured by the under secretary's declaration that they have \nthe best teams on cybersecurity and that they are on top of \nthis issue and we don't have anything to worry about?\n    Mr. Caldwell. That is not an aspect we looked at. So I have \nno comments on that.\n    Mr. McNerney. So cybersecurity is not within your, sort of, \nrealm?\n    Mr. Caldwell. It is one of the many standards that they \napply here. We do have other experts in GAO on cybersecurity \nthat if you want to ask us a question for the record, we might \nbe able to take that and answer it for you, sir.\n    Mr. McNerney. All right. Thank you.\n    That is all I have, Mr. Chairman.\n    Mr. Shimkus. The chair thanks the gentleman.\n    The chair now recognizes, I believe, the gentleman from \nOhio, Mr. Latta, for 5 minutes.\n    Mr. Latta. Well, thank you very much, Mr. Chairman. And \nthank you very much for being here. 
And we have got a couple of \nhearings going on so I am sorry that we are kind of in and out \ntoday.\n    But if I could start with this question: how important is \nit for the Infrastructure Security Compliance Division to have \na complete validated and verified risk assessment approach?\n    Mr. Caldwell. I mean I think our position is that the \ncurrent approach is incomplete. So to the extent that they are \nusing an incomplete model, they don't have an assurance that \nthey are tiering these in the right fashion appropriate with \nthe National Infrastructure Protection Plan's criteria, which \nis pretty much the Department's criteria in terms of how you \ndo risk assessments.\n    Mr. Latta. So how would you have to go about to get that \ncomplete?\n    Mr. Wulf. You would have to include vulnerability in it and \neconomic consequences are maybe the two minimum things that \nwould need to be added into it. We have also asked that they \nupdate some of their threat data. Some of the threat data that \nthey were using was a few years old, which they have agreed to \ndo.\n    Mr. Latta. OK. Thank you. Also, how important is it for the \nISCD to eventually conduct an independent peer-review on CFATS \nrisk assessment approach?\n    Mr. Caldwell. We think it is very critical that there be an \nindependent peer review. And I think you might have missed my \nanswer talking to the chairman a few minutes ago, but there are \nreally two factors. One is to make sure they have the \nmethodology right, and secondly, to make sure the model, once \nyou have the methodology right or at least with existing \nmethodology, is the model actually functioning as intended? And \nas we have noted, there has been some miscalculations in the \nmodel that have been found which should, again, call for doing \na verification and validation of the model itself.\n    Mr. Latta. And just to follow up on that, how soon should \nthat independent peer review occur?\n    Mr. Caldwell. 
Well, I think it has already started. At \nleast the panel that they have now, I think that there is a \nstatement in Mr. Beers' written comments that if they need to \ndo a second one, they are willing to do that as well. So the \nfirst one may be to find out where they are now, make some \nrecommendations, and maybe would require a second peer review \nto actually go in and validate the model----\n    Mr. Latta. OK.\n    Mr. Caldwell [continuing]. With any changes.\n    Mr. Latta. OK. Mr. Chairman, I have no further questions. \nThank you.\n    Mr. Shimkus. And the chair thanks the gentleman.\n    The chair now recognizes the gentleman from Florida, Mr. \nBilirakis, for 5 minutes.\n    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it \nvery much. I have one question. What is the difference between \nthe current Site Security Plans and Alternative Security Plans?\n    Mr. Caldwell. The Alternative Security Plans are written \nmore like a plan. The Site Security Plans that DHS has I would \ndescribe as more of a data dump. It is a lot of different data \nthat is in there. I mean, both can be useful, but I think \nindustry feels--and you can ask the third panel--that the \nalternative site plan or the Alternative Security Plan is a \nlittle more user-friendly and still get you there in the end.\n    Mr. Bilirakis. Thank you, Mr. Chairman.\n    Mr. Shimkus. Seeing no other members present, we would like \nto thank you, Mr. Caldwell, for appearing before us. You have \ndone great work on this report. It looks like we have got a lot \nmore work to do.\n    And with that, we will allow the second panel to be \ndismissed and ask the third panel to join us at the table. \nThank you, sir.\n    Mr. Caldwell. Thank you very much.\n    Mr. Shimkus. We want to thank the third panel for joining \nus and sitting through most of the testimony. I am sure that is \ngoing to be helpful for the remaining members as we listened to \nyour opening statements and direct questions. 
And we will do so \nnow.\n    The first person that I would like to recognize is--yes, I \nam going to recognize Mr. Allmond--that is OK, Jerry, I am \ngreat--Mr. Allmond, who is vice president of the Society of \nChemical Manufacturers and Affiliates. Sir, you are recognized \nfor 5 minutes. Your full statement is in the record.\n\nSTATEMENTS OF BILL ALLMOND, VICE PRESIDENT, SOCIETY OF CHEMICAL \nMANUFACTURERS AND AFFILIATES; TIMOTHY J. SCOTT, CHIEF SECURITY \n OFFICER AND CORPORATE DIRECTOR, THE DOW CHEMICAL COMPANY, ON \n   BEHALF OF THE AMERICAN CHEMISTRY COUNCIL; CHARLIE DREVNA, \n PRESIDENT, AMERICAN FUEL AND PETROCHEMICAL MANUFACTURERS; AND \n          RICK HIND, LEGISLATIVE DIRECTOR, GREENPEACE\n\n                   STATEMENT OF BILL ALLMOND\n\n    Mr. Allmond. Thank you. And good morning, Chairman Shimkus, \nRanking Member Tonko, and members of the subcommittee.\n    My name is Bill Allmond and I am the vice president of \nGovernment and Public Relations at the Society of Chemical \nManufacturers and Affiliates. I am pleased to have the \nopportunity to provide you with an update on the Department of \nHomeland Security's implementation of CFATS from the \nperspective of specialty chemical manufacturers, many of which \nare small and medium-sized companies.\n    Since the previous hearing last September, there are \nseveral areas we feel are worthy to highlight in terms of \nimplementation progress. First, CFATS continues to reduce risk. \nSecond, authorizing inspections are revealing some positives \nabout DHS' implementation but also some challenges for small \nand medium-sized facilities. Lastly, a collaboration with the \nregulated community has improved.\n    With respect to risk reduction, CFATS continues to drive \nfacilities to reduce inherent hazards where, in their judgment, \ndoing so is in fact safer, does not transfer risk to some other \npoint in the supply chain, and makes economic sense. 
Today, \nnearly 3,000 facilities have changed processes or inventories \nin ways that have enabled them to screen out of the regulation.\n    Furthermore, due to the outstanding cooperation of the \nchemical sector, there has been 100 percent compliance with \nrequirements to date. DHS has not yet had to institute a single \nadministrative penalty action to enforce compliance. As a \nresult of CFATS, our Nation is more secure from terrorist \nchemical attacks than it was before the regulation's inception.\n    Turning to DHS' inspection process, the few that so far \nhave been conducted at SOCMA members reveal some positive \naspects about how the Department is carrying out the \nregulation, as well as some challenges being presented among \nsmall and medium-sized facilities. Among the positives is the \nlevel of interaction of DHS inspectors with facilities \nscheduled for an inspection. Inspectors are providing \nsufficient details with facilities prior to their arrival, \nwhich aids the planning process to ensure resources and \nfacility personnel are available.\n    Similarly, facilities are finding DHS inspectors generally \nto be reasonable during the onsite inspection, which is perhaps \ndue to the fact that some of them have chemical facility \nexperience. Such operational familiarity is necessary when \ninterpreting how risk-based performance standards apply to, and \ncould be implemented at, such facilities.\n    Importantly, inspections have so far appropriately verified \na facility's approach to addressing risk-based performance \nstandards. 
Inspectors appear not to be adhering rigidly to the \nRBPS guidance and instead to be permitting company personnel to \nexplain from the facility perspective, how they are \nappropriately implementing their Site Security Plan.\n    The principal challenge that SOCMA's smaller facilities are \nfinding with the inspection process, however, is the enormous \namount of time and resources to meet DHS demands following an \ninspection. Of highest concern is an unwillingness by DHS to \nreasonably extend deadlines for facility response. In SOCMA's \nopinion, DHS should be more willing to extend the time of which \na small and medium-sized facility has to respond to a post-\ninspection report.\n    Facilities are learning that, even if they had an \ninspection that went well, they are having to rewrite much of \ntheir Site Security Plans. Under a 30-day deadline, which has \nbeen the usual case, facilities are having to pull two to three \nworkers for 2 to 3 days each to ensure that they meet the \ndeadline. To us, this is unreasonable. In small companies, \nthere simply may not be more than a few people qualified to \nwork on security measures and all those people have other \nobligations which frequently include compliance with other \nregulatory programs.\n    It is still early in the inspections process, and these \nburdens are now coming to light. However, DHS still has time to \nmake adjustments given a willingness to do so.\n    And lastly, collaboration with facilities on implementation \nhas improved. We are pleased that DHS has recently worked with \nindustry to establish an alternative security program template \nwith possibly more in the future.\n    Additionally, DHS appears prepared this year to co-host \nanother Chemical Sector Security Summit. For the past 6 years \nthe Summit has been a collaborative effort by the Department \nand the chemical sector to provide an educational forum for \nCFATS stakeholders. 
An overwhelming majority of attendees each \nyear are industry personnel who, in satisfaction surveys, \nconsistently rate the Summit as having a high value to them.\n    Many of the improvements over the past year have occurred \nunder leadership of Deputy Under Secretary Suzanne Spaulding \nand Director David Wulf and their actions to help put CFATS \nback on track is worthy of recognition. I appreciate the \nopportunity to testify this morning and I look forward to your \nquestions.\n    [The prepared statement of Mr. Allmond follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Shimkus. Thank you very much. I would now like to \nrecognize, as I move my papers all around--where is his name? \nHere it is--Mr. Timothy Scott, Chief Security Officer and \nCorporate Director of Dow Chemical Company, on behalf of The \nAmerican Chemistry Council. Sir, you are recognized for 5 \nminutes.\n\n                 STATEMENT OF TIMOTHY J. SCOTT\n\n    Mr. Scott. Thank you, Chairman Shimkus, Ranking Member \nTonko, and members of the subcommittee. I am Tim Scott, Chief \nSecurity Officer of the Dow Chemical Company, speaking today on \nbehalf of Dow and the American Chemistry Council.\n    The chemical industry and Department of Homeland Security \nhave a common goal: to improve the security profile of the \nchemical sector and reduce the risk of attack against industry \nor the use of chemicals as a weapon. Our positions are that \nsecurity is a top priority of the chemical industry. Progress \nhas been made in all areas of chemical security, but there is \nstill, obviously, work to be done. ACC will continue to partner \nwith DHS to achieve success and we need the certainty of a \nmultiyear extension of DHS authority for a sustainable program. 
\nProgress has been made and we need to build on that progress as \nrespectful partners with different skills and expertise but \nwith a common goal.\n    DHS has evaluated nearly 40,000 chemical facilities across \nthe United States initially identifying more than 7,000 as \npotentially high-risk. Since then, more than 3,000 facilities \nhave lowered their chemical risk profile, clear evidence that \nwe have made progress. Last year, ACC published an alternative \nsecurity program guidance document available at no cost to the \nregulated community, the result of a year-long effort and full \ncooperation with DHS. This ASP approach offers an efficient \nalternative to DHS process and is an excellent example of how \nan effective public-private partnership can create smart \nregulatory solutions that benefit both partners, while ensuring \nthe security and safety of our industry.\n    While we have made progress, there are many more \nopportunities for efficient and effective compliance options \nthat will accelerate CFATS implementation while maintaining the \nquality and integrity of the program. Existing industry \nsecurity programs such as the Responsible Care Security Code \nshould be recognized by DHS under their ASP authority as \nmeeting the initial hurdles for authorization, thus \nstreamlining and prioritizing reviews, especially at the lower \ntiered sites.\n    We must develop a workable process regarding personnel \nsurety. The goal of the PSP program is to ensure that personnel \naccessing sensitive sites of high-risk chemical facilities are \ntrustworthy and do not pose a security risk. It is essential \nthat these individuals are properly vetted against the \nterrorist screening database. We all agree on that. 
But it is also \nessential that the site know these individuals are cleared \nbefore granting access to such sensitive areas.\n    Under the current proposals, industry submits the \nindividual's personal information and receives no verification \nof any kind. We are supposed to be satisfied that simply \nsubmitting the data is enough to grant site access. This is \nsimply a poor security practice, especially when solutions \nalready exist. It is good to hear that we may be making \nprogress in this area with DHS. By leveraging existing PSP \nprograms and allowing for corporate and third-party submissions \nfor vetting against a terrorist screening database, a \nsignificant reporting burden will be minimized and the \nintegrity of the program will be much improved.\n    Another opportunity for efficiency that can easily be \nimplemented is in what we call corporate audits. These audits \ncover areas of the risk-based performance standards in which \nmany companies' sites operate under a single corporate process, \nsuch as cybersecurity or security escalation processes. Current \ninspections often have inspectors getting the same corporate \nanswers site-by-site instead of addressing the issue once at \nthe corporate level. This can unnecessarily extend the length \nof a site inspection. We also heard that DHS is working on \nthis.\n    ACC believes that DHS should be more transparent about all \nfactors related to a covered facility's risk assessment. Trust \nis at the core of an effective security partnership and ACC \nstrongly recommends that DHS improve the transparency of its \nrisk determinations with the site security managers. 
A lack of \ntransparency has been the source for many of the inefficiencies \nand missteps during the CFATS implementation.\n    The CFATS concept is fundamentally sound, risk-based, \nfocused on the right priorities allowing regulated sites to \nchoose and apply customized security solutions for DHS review \nand evaluation for compliance with the DHS-established risk-\nbased performance standards. And that is the goal, to meet the \nstandards. And industry will.\n    DHS has demonstrated renewed commitment and effort to our \npartnership due in part by oversight of this committee. ACC \nurges Congress to provide DHS extended statutory authority for \nthe CFATS program to provide the regulatory certainty and \nstability needed for industry to make prudent security \ninvestment and capital planning decisions. Industry and DHS \nhave made progress in improving the security of the chemical \nsector. There have been missteps, but we should acknowledge the \nprogress and the challenge and commit to making CFATS work. \nThank you.\n    [The prepared statement of Mr. Scott follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Shimkus. Thank you. Next, I would like to recognize Mr. \nCharlie Drevna, President, American Fuel and Petrochemical \nManufacturers.\n    Sir, you are recognized for 5 minutes.\n\n                  STATEMENT OF CHARLIE DREVNA\n\n    Mr. Drevna. Chairman Shimkus, Ranking Member Tonko, and \nmembers of the subcommittee, thank you for giving me the \nopportunity to testify today on today's hearing on the progress \nreport of the CFATS program. I am Charlie Drevna and I serve as \npresident of AFPM.\n    We are a 111-year-old trade association representing high-\ntech American manufacturers that use oil and natural gas liquids \nas raw materials to make virtually the entire supply of U.S. 
\ngasoline, diesel, jet fuel, other fuels such as home heating \noil, as well as the petrochemicals used as building blocks for \nthousands of products vital in everyone's daily lives.\n    America's refining and petrochemical companies play a \npivotal role in ensuring and maintaining the security of \nAmerica's energy and petrochemical infrastructure. Nothing is \nmore important to AFPM member companies than the safety and \nsecurity of our employees, facilities, and communities. Our \nmembers have worked extensively with the Department of Homeland \nSecurity and we have invested hundreds of millions of dollars. \nAnd we don't mind investing the money as long as we know it is \ngoing for the right reasons, and again, toward strengthening \nfacility security.\n    Our industry also recognizes that protection of critical \ninfrastructure against potential threats or terrorist attacks \nshould be a shared responsibility between government and \nstakeholders.\n    AFPM appreciates that DHS conducted an internal review to \nidentify administrative and implementation problems that \nrequire immediate action and that the Agency developed an \nAction Plan for improving CFATS implementation. But it is \nimportant, however, to recognize that the structure of the \nCFATS framework itself is sound, even though the leaked report \nfrom GAO revealed the implementation of CFATS program was \nsomewhat flawed.\n    Additionally, America's critical infrastructure facilities \nare secure and there have been no attacks on chemical \nfacilities since development of the CFATS program. Nonetheless, \nit is clear that DHS needs to better manage its resources and \nset priorities to make progress in areas that need immediate \naction, including faster approval of Site Security Plans and \nfinalizing a workable Personnel Surety Program, a PSP. 
Such \nmeasures would work to strengthen the program and our national \nsecurity.\n    AFPM believes that DHS has made progress over the past year \nto address the problems identified in the DHS-leaked report and \nAction Plan. However, DHS should continue to make improvements \nby addressing issues including personnel surety with the help \nof the industry in order to enhance the overall effectiveness \nof CFATS implementation in the short-term.\n    AFPM is pleased that DHS withdrew the personnel surety \nproposal from the Office of Management and Budget last July and \nthen held a series of meetings with industry to take another \nlook at this issue. Congress intended, and I heard today a \nrepeat of that intent, that the risk-based performance standard \non personnel surety which governs access to high-risk \nfacilities, allow facilities the flexibility to determine the \nmost efficient manner to meet that standard.\n    Instead, DHS initially proposed and arguably prescribed PSP \nprogram that failed to recognize the Transportation Worker \nIdentification Credential, or TWIC card, and other established \nfederal vetting programs. Such a program would have been \nburdensome to both DHS and industry, and would be a wasteful \nand ineffective use of agency and industry resources. Instead \nof proposing a duplicative, burdensome PSP, DHS should remain \nfocused on fixing the current problems and not expand beyond \nthe scopes of the core CFATS program.\n    The PSP program must be fixed soon and we hope that DHS \nwill honor the TWIC and other federal credentials at CFATS \nsites. Facilities should have the option to use federally \nsecure vetting programs such as TWIC to satisfy CFATS without \nsubmitting additional personnel information. 
AFPM supports a \nPSP program that requires only a one-time submission of \npersonnel identifying information to DHS, recognition of TWIC \nand other federal credentials, and the use of third-party \nsubmitters for corporate submissions. This would lessen the \nburden on both DHS and industry, and would potentially account \nfor half of the population affected by the Personnel Surety \nPrograms, specifically, contractors coming to CFATS sites who \nwould already have those cards.\n    Stakeholder input is necessary. To assist DHS in addressing \nCFATS implementation challenges, continued stakeholder input is \nnecessary. We are encouraged that we are seeing DHS do this \nmore and more.\n    In summary, AFPM believes that DHS has made progress over \nthe year addressing the problems identified in the internal \nreport. We also acknowledge that there has been far greater \noutreach and more detailed discussions with DHS, and we hope \nthat those continue in the future.\n    Thank you and I look forward to any questions you may have \nregarding my testimony.\n    [The prepared statement of Mr. Drevna follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Shimkus. Thank you. And now the chair recognizes Mr. \nRick Hind, Legislative Director for Greenpeace. Sir, you are \nrecognized for 5 minutes.\n\n                     STATEMENT OF RICK HIND\n\n    Mr. Hind. Thank you, Mr. Chairman. My name is Rick Hind. I \nam the legislative director of Greenpeace, as you mentioned. I \nappreciate the opportunity to talk to you today both to this \ncommittee and with this panel here.\n    We work with over 100 other organizations, mainly unions, \nenvironmental justice organizations, other environmental \ngroups, security experts, 9/11 families, and others who, for 10 \nyears, have pushed for disaster prevention. 
The legislation \nthat passed the House in 2009--November, actually, 2009--had \nthat component in it but it also addressed a lot of the \nproblems that you have been hearing about today. It provided \nfor regular scheduling of the DHS issuing vulnerability and \nsecurity plans as well as keeping regular reports back to \nCongress. I think you probably would have been hearing about \nany of these problems in 2011 at the latest if that legislation \nhad been enacted in 2010.\n    That legislation also would have seamlessly replaced the \n2006 authorization that you have referred to earlier, which was \nnever really thought to be adequate. Everybody knew that and \nthat is why it had a 3-year expiration date on it. And today, \nwe are extending it now 6 years, 1 or so years at a time, and \ntherefore, I think you have appropriately given the due that \nDHS staff deserved. Their dedication and stick-to-itiveness in \na program that is really inadequate, from the legislative \nfoundation through to the continuity of its funding by \nCongress.\n    However, the kind of big elephants in the room that we see \nunaddressed are the fact that the statute actually prohibits \nthe government from requiring disaster prevention in the \nstatute barring any particular security measure for approval of \nsecurity plans. In addition, the statute actually exempts \nthousands of facilities. So what we are talking about here when \nyou think of the classic Bhopal disaster of poison gas drifting \nout of a plant endangering people--and in this country we have \nhundreds of plants that can do that.\n    In looking at the tiering of DHS, if you separate that by \nrisk issue, or I should say security issue, the release issue \nsecurity facilities in Tiers 1 and 2 totals 35. That is \ntotaling, in all 4 tiers, 370 facilities. That data is 2011 so \nit may be slightly less now. 
The point is that less than 10 \npercent of the facilities that you think of as the 3,900 CFATS \nfacilities may be chemical disasters in the sense we all think \nof it as. And that is because they are being regulated by other \nprograms like the MTSA, which look at more the water access of \nthe facility.\n    Major facilities in the country, like this Keeney plant, \nprobably the highest-risk facility in the United States, is \nregulated by MTSA. That facility puts 12 million people at \nrisk. They, for 2 years on their Web site, say they are \nconverting. We hope they are. Clorox converted all of their \nfacilities in 3 years eliminating these risks to 13 million \npeople. And we say risk, we mean a consequence; we mean the \npoison gas like chlorine that can drift 14 to 20 miles from a \nfacility and put everyone downwind in danger of pulmonary \nedema, which would mean your lungs would literally melt. You \nwould drown in your lung fluid. Those who would survive could \nhave long-lasting, lifelong health problems.\n    So when we hear about the rush to approve security plans \nnow, and we're not comforted by the 7- to 9-year schedule GAO \nbrings out, we are also not comforted by the fact that it is \nnot a complete deck that we are dealing with here. So approval \nof a plan doesn't necessarily make it secure and it certainly \ndoesn't make it no longer vulnerable. The CEO of DuPont \nadmitted that if an airplane or a small helicopter coming into \na plant couldn't be stopped by fence-line security, which is \nthe entire basis of this kind of security.\n    Similar communities living near these plants are not \ncomforted by these Alternative Security Plans developed by \nindustry lobbies. They have heard too often when they have \nsheltered in place, or see explosions and flares and fires--\nwe're averaging about 45 a year, by the way, at refineries--that \neverything is OK. 
There are no dangerous levels of chemicals \nreleased.\n    So when you look at our testimony, look at the people who \nwe have quoted in there, but also look at the Center for \nAmerican Progress reports we cited, which identified hundreds \nof facilities that have converted and eliminated these risks to \nmillions of people. We think any plant that can convert should \nbe required to convert and, in fact, the CEP studies found that \n87 percent of those converted that were surveyed did so for $1 \nmillion or less; 1/3 expected to save money. So this is good \nbusiness. It also means eliminating liability and regulatory \nobligations.\n    And I have much more to say but I will wait for your \nquestions. Thank you again for allowing us to appear today.\n    [The prepared statement of Mr. Hind follows:]\n\n    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Shimkus. Thank you, Mr. Hind.\n    Now, I would like to recognize myself for the first 5 \nminutes of questions.\n    I want to start off whatever script I was given to ask Mr. \nScott a question. Were you in the room when Representative \nMcKinley was asking about the risk assessment issue? And, of \ncourse, DHS responded that, well, we don't know of any \nidentifiable risks. And I am paraphrasing here--then the \nquestion went to about European security and DHS responded, \nwell, we think we are the gold standard. Since you operate \naround the globe, does individual European countries or the EU \nat large have a CFATS-type program?\n    Mr. Scott. No, but they are discussing a similar program. \nThe difference you have there, you are working between various \ncountries. But they do have regulations in place like the \nSeveso regulations that impact offsite types of emergencies. \nThe EU is having a conversation about are there any general \nrules and regulations that we can put in place? They have been \ntalking. They have talked with DHS in the past. We are working \nwith----\n    Mr. Shimkus. 
Maybe they should talk with our GAO, our \nGovernment Accounting Office, then DHS.\n    Mr. Scott. Yes. Well, DHS is a standard; I wouldn't say it \nis a gold standard. But the folks overseas are looking at \nsimilar directions to go, both in transportation and site \nsecurity. But we also have a lot of work that we have done over \nthere through the Responsible Care Code. It is a global code. \nSo that has been implemented. And a lot of the same safety and \nsecurity cultures that are in place in the U.S. are in place \nthroughout Europe.\n    Mr. Shimkus. I appreciate that.\n    Now, for Mr. Allmond and Mr. Scott and Mr. Drevna, GAO \nreports--and you all have heard these conversations earlier \ntoday--that DHS largely disregards vulnerability, economic \ncriticality, and threat assessments as part of the risk \ncalculations making CFATS a modified consequence prevention-\nonly program. Are you concerned your members might be \noverregulated or under-tiered? Mr. Allmond?\n    Mr. Allmond. Well, certainly these revelations are \nconcerning. And it is going to take me some time to get back to \nmy members to find out from their perspective how they would \nlike to proceed. I think completely stopping the CFATS program \nfrom going forward probably would be overboard. Perhaps some \ncomponents could go forward. But certainly----\n    Mr. Shimkus. OK. But you were here during the testimony. Do \nyou think that some of your folks are overregulated or under-\ntiered? It is pretty easy----\n    Mr. Allmond. Well, at this point it seems like that may be \nthe case.\n    Mr. Shimkus. Thank you. Mr. Scott?\n    Mr. Scott. I would say yes. Looking at the variability in \nthe sites that we have that are covered, there is a lot of \nquestion on how we got where we got.\n    Mr. Shimkus. Mr. Drevna?\n    Mr. Drevna. I concur.\n    Mr. Shimkus. You have heard from panels one and two that \nDHS has collected a lot of information that it will not use in \nrisk assessment. 
Are you comfortable with that? Mr. Allmond?\n    Mr. Allmond. No, we are not.\n    Mr. Shimkus. And why?\n    Mr. Allmond. DHS should use the information that is given \nto them. As has been testified before, there has been an enormous \namount of resources given to--from our side--given to the \nDepartment that we are compelled to do and there is an \nunderstanding that the Department is going to use that \ninformation.\n    Mr. Shimkus. Mr. Scott?\n    Mr. Scott. I agree. The inefficiency in the process caused \na lot of unnecessary work, a lot of information that they have \nnever used, and we don't know where the information went. It \nseems like they felt like they had the answer before we started \nthe process.\n    Mr. Shimkus. Mr. Drevna?\n    Mr. Drevna. Yes. And I would like to add to that, Chairman \nShimkus, that in chemical facilities you are changing processes \nconstantly. So we are submitting information, it goes \nsomewhere, lots of information, up to 900 questions on some \nthings. It goes somewhere. Whether it is used or not, probably \nnot all of it. Again, if it is vital, perfect. If it is not, \nlet us work with you to get it done. But then you change your \nprocess again, you may have to go through the whole thing again \nbecause these things are not static kinds of plants. We are \nalways changing volumes and chemicals.\n    Mr. Shimkus. Mr. Scott?\n    Mr. Scott. I would like to add to that. That is one of the \nbig issues that we have is we typically have larger plants, a \nlot of processes in those plants and we are required to submit \nany time we change anything in the process, make another \nsubmission. That puts you back to square one in the whole \nprocess.\n    Mr. Shimkus. And just because my time is getting short, and \nMr. McNerney is not here, but he talked a lot about cyber \nstuff. So you have got all this data going somewhere. 
If it is \nnot being used, why it is being held and what is the risk of \nthat being pulled out to make your facilities less secure. Is \nthat a risk? Mr. Scott?\n    Mr. Scott. Well, it is a risk whenever you release the \ninformation that you hope it is going to be secure. But in the \nearlier panel, we also heard that, well, maybe we can \ndeclassify that so everybody can talk about it. And I am \nconcerned about the level of declassification. If it is just \nopen to the public, that is a real security concern.\n    Mr. Shimkus. Anyone else while my time is expired? Mr. \nDrevna?\n    Mr. Drevna. I would like to add to that. You are probably \none hit of forward or reply all from exactly what Mr. Scott was \njust talking about.\n    Mr. Allmond. Absolutely.\n    Mr. Shimkus. Mr. Allmond. OK. Thank you. The chair now \nrecognizes ranking member, Mr. Tonko, for 5 minutes.\n    Mr. Tonko. Thank you, Mr. Chairman.\n    And to the gentleman on the panel, thank you for your time \nand your input today.\n    To the industry witnesses, did you participate in GAO's \nsurvey?\n    Mr. Allmond. Oh, SOCMA did, yes.\n    Mr. Scott. ACC did, yes.\n    Mr. Drevna. Yes, sir.\n    Mr. Tonko. So you all did.\n    GAO found that transparency in the tiering process should \nbe improved. Can each of you state whether you agree with this \nGAO conclusion?\n    Mr. Allmond. I will say absolutely. As Mr. Scott was \nsaying, a lot of times these facilities give information \nwithout getting a really detailed understanding about why they \ngot the tier level they did.\n    Mr. Scott. All of the information was submitted. I \nabsolutely think it should be more transparent with the people \nthat we were supposed to be working as partners.\n    Mr. Drevna. I agree, Mr. Tonko. But I will say that the \nprocess has somewhat improved. We have got a long way to go, \nbut we weren't where we were before this report came out.\n    Mr. Tonko. Mr. 
Drevna, you talked about the PSP process----\n    Mr. Drevna. Yes, sir.\n    Mr. Tonko [continuing]. And utilizing it more readily.\n    Mr. Drevna. Yes, sir.\n    Mr. Tonko. Can you just develop that a bit for me?\n    Mr. Drevna. Well, at refineries and petrochemical \nfacilities, you have constantly--you have your own employees--\nbut you have constant, contractors coming in and out, \nturnarounds, changeovers, et cetera, and they are authorized, \nthe contractors, under TWIC, Transportation Worker \nIdentification Credential. And what the DHS will tell us is \nthat, well, we are coming up with a remedy for that but those \nrules aren't going to be ready for who knows how many more \nyears. Meanwhile, we have to, perhaps, have other \nidentification notices or identification cards for the various \nemployees and contractors.\n    It is sort of like if I can make some sort of an analogy, \nsort of like me or you going through an airport and you have to \nhave your passport to go through the first gate, and your \ndriver's license to get you through the second, and maybe your voter \nID card to go through the third or whatever. But it doesn't \nmake any sense. So you talk to us in industry and we usually \nobject to the one-size-fits-all approach and maybe that is not \napplicable. But we need something that is not duplicative, \ntime-consuming, and sometimes conflicting.\n    Mr. Tonko. Thank you. Thank you, Mr. Drevna.\n    Mr. Hind, you made mention, or I think to use your words, \nwe are not dealing with a complete deck. Can you elaborate on \nthat? What else should be done to make certain that we are \nproviding for the public safety elements out there or in \nkeeping with the mission of the legislation?\n    Mr. Hind. 
Well, if you look at the EPA's database through \nits risk management program, which is really kind of an \nimperfect larger universe of the facilities we are worried \nabout, those that have off-site consequences, the total number \nof facilities in that program is 12,440 according to CRS' \nlatest update in November. Of those, 2,500 plants each put \n10,000 people or more at risk. Of the 2,500, some of them could \nput over a million at risk. In fact, 473 put 100,000 at risk. \nAnd so my question to the panel here is, which of your member \ncompanies are actually part of MTSA and exempt from CFATS or \npart of a DOE program or even Defense Department? And I think \nthat the numbers would be rather revealing in terms of which \nthey are.\n    We have heard that Dow's largest plant in the country at \nFreeport, Texas, is that MTSA facility. So that means there are \nhuge holes, or as Congressman Waxman called them, gaps in the \nsecurity and in terms of the continuity of security by the \ngovernment accountability over the industry.\n    Mr. Tonko. Thank you. And from the public interest \nperspective, what are the problems with incorrect tiering of \nfacilities?\n    Mr. Hind. You mean in terms of the way that the risk \nassessment has been conducted and so forth? Well, in our view, \nwe are a little bit nervous to hear about economic \nconsiderations being added and also vulnerability. I think that \nall of these facilities are vulnerable. If somebody takes a \nsmall plane or hijacked it, all of the guards and cameras and \ngates are not going to be enough to stop a small plane, as the \nCEO of DuPont admitted years ago. So I think that, as the \nformer EPA administrator Ruckelshaus has warned, risk assessment is \nlike a captured spy. If you torture it enough, you can get it to \nsay anything. And I fear that we are going down a slippery \nslope here, and what needs to be done is adding alternative \nassessment to the process. 
Each company should be going out and \nsaying to the DHS, we have looked at all the alternatives and \nthere is nothing feasible for facility, or we are like Clorox \nand we can convert. And then you have zero risk.\n    Mr. Tonko. Thank you. I think some of you might have a \ncomment to that, too, or----\n    Mr. Scott. Yes, I just----\n    Mr. Shimkus. Without objection, we will continue for a \nminute to get a response. Mr. Scott?\n    Mr. Scott. OK. Yes, I would just like to reply on the MTSA \nquestion. There are several sites that are covered by MTSA, but \nrightly so. They have waterside security included on their \nsecurity. But the Texas operation site is the one that Mr. Hind \nmentioned, which is our largest site. It is the largest \nchemical site in the United States. It is covered by MTSA so it \ndoes have different requirements. It also has exactly the same \nsecurity upgrades already in place that are required of a Tier \n1 CFATS site. So if you come down to Freeport operations or \nTexas operations, you will see we would be in full compliance \nwith CFATS right now as a Tier 1 site. All of our MTSA sites \nare upgraded security-wise exactly the same as our CFATS sites. \nAnd all of our sites globally are tiered the same way and have \nsecurity upgrades in place the same way. So I think that \naddresses the issue that we can have integration of the two \nsystems very well.\n    Mr. Shimkus. Thank you very much.\n    The chair now recognizes the gentleman from Pennsylvania, \nMr. Pitts, for 5 minutes.\n    Mr. Pitts. Mr. Drevna, did you want to add to that?\n    Mr. Drevna. Well, if you don't mind, Mr. Chairman, thank \nyou.\n    I agree with everything that Mr. Scott had said \nexponentially. But since the question was asked from the panel \nto the panel, in short of installing Patriot missile batteries \nat all facilities, I don't see how we are going to stop \nanything from coming in from outside the gate like an airplane \nor helicopter.\n    Mr. 
Pitts. Mr. Allmond, you testified that DHS should be \nmore willing to extend the amount of time a small or medium-\nsized facility has to respond to a post-inspection report. How \nmuch time is reasonable so that the small and medium-sized \nfacility still feels the urge to promptly respond while also \ngiving them the chance to provide a quality response?\n    Mr. Allmond. Yes. Thank you for that question. I think a \nminimum of 90 days will be sufficient.\n    Mr. Pitts. Do you believe DHS still has time to make \nprogram adjustments and will consider your perspective, and if \nso, what gives you that confidence?\n    Mr. Allmond. I do. In fact, I have already broached this \nconcern with the Department and they have been receptive to \nhearing our proposal.\n    Mr. Pitts. Thank you. Mr. Drevna, your testimony discusses \nthe importance your members place on getting a workable \nPersonnel Surety Program. Is DHS addressing your particular \nconcerns?\n    Mr. Drevna. Well, we have been working with them, and as I \nsaid previously, ever since the report came out and we have \nsat down--and I have to admit, there has been more transparency \nand they are willing to work with us. But we have got to \nestablish the fact that we--you know, as I said before, the \nTWIC reader card implementation is years away. But we are in \nthe process of doing all this now. So there has to be some \nmeeting of the minds here that says, OK, let's get this done in \na timely fashion so we can move on.\n    Mr. Pitts. Has AFPM tried to get an Alternative Security \nPlan approved by DHS for its members? What has been your \nexperience with DHS in trying to advance----\n    Mr. Drevna. Well, we support the alternative plans. We \nhaven't particularly as an association done it, but our members \nhave. And that is one of the things we keep, the tiering \nprocess, the kind of data that is needed. 
It is a little bit \nconfusing between what is needed for the full assessment, what \nis needed to get you into a quicker AV alternative plan. So we \nare working with them. We support it and again, we are seeing \nthe light at the end of this tunnel but we still have a ways to \ngo.\n    Mr. Pitts. Assuming DHS, with the help from a Peer Review \nPanel, comes up with a better risk assessment model, when \nshould it be applied to CFATS activities? Does it affect the \nspeed with which your members would have their Site Security \nPlans reviewed and approved?\n    Mr. Drevna. Is that for me, sir?\n    Mr. Pitts. Yes.\n    Mr. Drevna. I believe it would. I mean, we have three \nmember companies on that tiering panel. And we are confident \nthat we are getting joint cooperation. Anytime you get three \ncompanies on the panel, a government panel, we are happy with \nthat. But the proof is going to be at the end of the day with \nwhat is accepted and what isn't.\n    Mr. Pitts. All right. Mr. Scott, your testimony raised \nconcerns about transparency by DHS officials because they did a \npoor job of communicating threat information to CFATS-regulated \nfacilities. Do you think DHS can formulate credible threat \ninformation and assessments?\n    Mr. Scott. I think they can give us the information that \nthey have available to us. There is a NIAC study out that is on \ncommunications amongst the intelligence communities in the D.C. \narea and DHS did not come out very highly on that panel.\n    Mr. Pitts. Does it surprise you that GAO found that DHS \nreally doesn't assess threat for 90 percent of terror threats \nat facilities with chemicals?\n    Mr. Scott. Threat typically is not discussed, and when you \nhave a meeting with DHS, typically, it starts with there are no \ncredible threats to the chemical industry at this time. 
We go \non the premise that because we are part of the critical \ninfrastructure, we are a potential threat or there is always a \npotential threat. That is the discussions we have always had.\n    Mr. Pitts. What recommendations do you have for DHS to \nimprove its threat characterizations and communications?\n    Mr. Scott. You have to identify the baseline on the threats \nthat you are going to address, and then you have to have plans \nin place to escalate your security programs accordingly as the \nrisk increases.\n    Mr. Pitts. Do you agree with GAO that DHS assessment tools, \nparticularly threat consequence and vulnerability ones, should \nbe verified and valid before being deployed?\n    Mr. Scott. Yes, I do. Validity is important, yes.\n    Mr. Pitts. My time has expired. Thank you.\n    Mr. Shimkus. The gentleman's time has expired.\n    The chair now recognizes the gentleman from Texas, Mr. \nGreen, for 5 minutes.\n    Mr. Green. Thank you, Mr. Chairman. And obviously, our \nthreat assessments are a work in progress because I remember in \nlate 2001 there was in one of the caves in Afghanistan there \nwas information on an attack on a refinery in Pasadena, \nCalifornia. It didn't take too long to know there are no \nrefineries in Pasadena, California. But I represent Pasadena, \nTexas, and we have no shortage of refineries. And that was \nright after 9/11. Obviously, it was infancy.\n    And today, though, there is a lot--and I know at least in \nthe industries that I work with in my area in East Harris \nCounty, the coordination between the federal agencies and our \nlocal police agencies is amazing. Now, I don't know what DHS \ndoes with the local law enforcement, the FBI, the Customs and \nBorder Protection, the Coast Guard. 
In fact, I was at the Coast \nGuard facility in our district that now is co-located at a \nCoast Guard facility with the Harris County Sheriff's office \nboats, along with the Houston Police Department boats at the \nsame location in our district in Galena Park, Texas. So, I \nmean, it is a work in progress.\n    Were you all here for the first panel? Do you feel \nconfident that we are going to end up not having to jump \nthrough second hoops on your non-MTSA facilities and that the \nTWIC card is going to be able to be used? If you have a site \nthat Dow does, for example, in Freeport, that the TWIC card \nworks and you have a land-based site, the TWIC card will also, \nultimately when they get through, will also be able to be used \nfor an ID at that land-based facility for Dow?\n    Mr. Scott. That is the direction that they are moving in. \nSo yes, a TWIC card would be acceptable and usable at any of \nthose sites. Yes.\n    Mr. Green. Well, Mr. Chairman, we need to just monitor that \nbecause I know we in the Subcommittee had that discussion for a \nnumber of years, and frankly, we probably wouldn't have gotten \nwhere we are without a great GAO study to show that the problem \nis within DHS.\n    For Mr. Drevna and Mr. Scott, over the past year, have you \nseen changes in outreach and cooperation from DHS and the \nindustry, particularly as they relate to chemical and fuel and \npetrochemical manufacturers in the last year?\n    Mr. Drevna. Yes. In the last year they have significantly \nimproved the communications from DHS to their people in the \nfield and from the people in the field to the sites. Yes.\n    Mr. Green. Well, and I understand in your testimony you are \nconcerned that the transparency on the decision-making ought to \nbe much better and our committee ought to be encouraging that. 
\nNow, I do have some concern about the information provided on \nyour plant facilities, because again, the experience we have \nover the last 12 years is that if a lot of your information is \ngiven to DHS, it is public record. There are folks in part of \nthe world who can, with the punch of a button, look up plant \ndesign and plant vulnerability. That should not be public \nrecord. And I am concerned about that.\n    We want transparency in the approval process but as much as \nI want as much public information for my constituents that live \naround and work on those plants, I also know I don't want to \ngive a guide to somebody who wants to fly that Piper Cub over \nit. Is that some of your concern?\n    Mr. Drevna. Absolutely. Like I said before, Congressman \nGreen, we submit information and we submit it in good faith \nand----\n    Mr. Green. Well, you are required to.\n    Mr. Drevna. But like I say, it is either one reply all or \none forward button away from getting into the wrong hands.\n    Mr. Green. Well, I think in follow-up hearings we might \nhave DHS come talk about what they do with information that is \nprovided so it is protected. But I have to admit, Charlie, it \nis interesting, the ultimate 2nd Amendment is somebody having a \nStinger missile to protect their plant or their house from a \nPiper Cub flying over it. I don't think we are going to get to \nthat point. But I see planes fly over my plants literally every \nday when I am at home. And there is a special protection, \nthough, you have to have special access to be able to fly over \nthose facilities and no system is foolproof. But also, I don't \nknow if I really want us to have to train our plant personnel \nto have a Stinger missile on their shoulder.\n    Mr. Drevna. I would concur, Congressman Green.\n    Mr. Green. But Mr. Chairman, I appreciate the hearing. 
It \nseems like we made progress, but obviously DHS needs to come a \nlittle more with plants who, as I have said before, have made a \nmillion dollars in federal tax dollars, millions of dollars of \ninvestments and partnerships with our local communities that we \nstill don't know what hoops and what will be approved, whether \nit be Tier 1, 2, 3, or 4. And I would like to have some \ncertainty there, and I know Greenpeace would like that too, and \nso would my constituents. Thank you.\n    Mr. Shimkus. The gentleman yields back his time.\n    We want to thank the third panel for being here and ask \nunanimous consent for 5 days for subcommittee members to submit \nopening statements for the record. Without objection, so \nordered. We would also ask unanimous consent for 10 days to \nsubmit written questions for submittal to witnesses for an \ninclusion in the records. That also pertains to you all.\n    And inclusion of a letter, I ask unanimous consent for the \ninclusion of a letter from the National Association of Chemical \nDistributors to myself and Mr. Tonko--your staff has approved--\ndated March 12, 2013, on the CFATS program. Without objection, \nso ordered.\n    [The information appears at the conclusion of the hearing.]\n    Mr. Shimkus. And the hearing is now adjourned.\n    [Whereupon, at 12:43 p.m., the subcommittee was adjourned.]\n    [Material submitted for inclusion in the record follows:]\n\n               Prepared statement of Hon. Henry A. Waxman\n\n    I thank the Chairman for calling this hearing on this very \nimportant program. 
The Chemical Facilities Anti-Terrorism \nStandards Program, or CFATS, is a critical national security \nprogram designed to protect communities from potential \nterrorist attacks on industrial facilities with significant \nstores of dangerous chemicals.\n    Since 2001, federal officials, the Government \nAccountability Office (GAO), and outside experts have warned \nthat the nation's drinking water utilities and chemical \nfacilities remain vulnerable to terrorist attack.\n    Unfortunately, the CFATS program is a grave disappointment. \nAt the end of 2011, we learned the program was in disarray. No \nfacilities had approved site security plans. Homeland Security \nofficials felt their enforcement authority was insufficient and \nineffective. There were no procedures in place to document \nimportant programmatic decisions. No one on staff was even \nqualified to conduct a compliance inspection.\n    There has been some progress. We will hear from the \nDepartment today about their efforts to strengthen the CFATS \nprogram and the advances the Department has made since \nundertaking a serious internal examination of the program in \n2011.\n    But today we will also hear from the Government \nAccountability Office, which has undertaken the first rigorous \nexternal accounting of the program. GAO has found that \nfundamental problems still plague the program. More work is \nneeded before Congress and the American public can have \nconfidence in the risk assessments that determine the potential \ndangers facilities pose.\n    Perhaps we shouldn't be surprised. CFATS was created in the \nsloppiest legislative fashion possible. It was established in \n2006 by a provision tucked into an appropriations bill without \nthe benefit of hearings or markups by the Committee.\n    The problems with the program are not all Congress' fault. \nBoth the current and previous administrations have failed to \nimplement the program effectively. 
The Department issued an \ninterim final rule within six months of the law's passage. This \nrule determined what chemicals might be targets, how risk would \nbe assessed, and what security standards would be applied. \nGiven the quick action and limited statutory guidance, the rule \nwas flawed. But now--six years later--it still hasn't been \nupdated and improved.\n    In the 111th Congress, we worked on a bipartisan basis with \nindustry, labor, and other affected stakeholders to \nmethodically resolve each of the issues surrounding the CFATS \nprogram.\n    The result was H.R. 2868, the Chemical and Water Security \nAct of 2009, which passed the House by a vote of 230-193. That \nlegislation would have addressed many of the challenges the \nprogram now faces, increased transparency and accountability, \nclarified the process for approving or disapproving site \nsecurity plans, and set enforceable deadlines. It also would \nhave strengthened security at covered facilities by requiring \nassessment, and in particular circumstances, adoption of safer \nchemicals, processes, or technologies to reduce the \nconsequences of a terrorist attack.\n    Unfortunately, that bill did not become law, and that \nopportunity to set this program on a more successful path was \nmissed.\n    In the years since, this Committee has failed to develop \ncomprehensive legislation to reform the CFATS program. It has \nalso failed to offer any legislation to close security gaps or \naddress security at water facilities.\n    This Committee needs to do more. 
Comprehensive legislation \nis long overdue.\n    I look forward to the testimony of the witnesses today, and \nI invite all of them and other stakeholders to engage with this \nCommittee and help us seek solutions to a troubled, yet \ncritically important anti-terrorism program.\n</pre></body></html>\n"