[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]



 
CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS 
                                 UPDATE 

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON ENVIRONMENT AND THE ECONOMY

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED THIRTEENTH CONGRESS

                             FIRST SESSION

                               __________

                             MARCH 14, 2013

                               __________

                           Serial No. 113-15


      Printed for the use of the Committee on Energy and Commerce
                        energycommerce.house.gov

                               ----------
                         U.S. GOVERNMENT PRINTING OFFICE 

80-377 PDF                       WASHINGTON : 2013 


                    COMMITTEE ON ENERGY AND COMMERCE

                          FRED UPTON, Michigan
                                 Chairman
RALPH M. HALL, Texas                 HENRY A. WAXMAN, California
JOE BARTON, Texas                      Ranking Member
  Chairman Emeritus                  JOHN D. DINGELL, Michigan
ED WHITFIELD, Kentucky                 Chairman Emeritus
JOHN SHIMKUS, Illinois               EDWARD J. MARKEY, Massachusetts
JOSEPH R. PITTS, Pennsylvania        FRANK PALLONE, Jr., New Jersey
GREG WALDEN, Oregon                  BOBBY L. RUSH, Illinois
LEE TERRY, Nebraska                  ANNA G. ESHOO, California
MIKE ROGERS, Michigan                ELIOT L. ENGEL, New York
TIM MURPHY, Pennsylvania             GENE GREEN, Texas
MICHAEL C. BURGESS, Texas            DIANA DeGETTE, Colorado
MARSHA BLACKBURN, Tennessee          LOIS CAPPS, California
  Vice Chairman                      MICHAEL F. DOYLE, Pennsylvania
PHIL GINGREY, Georgia                JANICE D. SCHAKOWSKY, Illinois
STEVE SCALISE, Louisiana             ANTHONY D. WEINER, New York
ROBERT E. LATTA, Ohio                JIM MATHESON, Utah
CATHY McMORRIS RODGERS, Washington   G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi            JOHN BARROW, Georgia
LEONARD LANCE, New Jersey            DORIS O. MATSUI, California
BILL CASSIDY, Louisiana              DONNA M. CHRISTENSEN, Virgin 
BRETT GUTHRIE, Kentucky                  Islands
PETE OLSON, Texas                    KATHY CASTOR, Florida
DAVID B. McKINLEY, West Virginia     JOHN P. SARBANES, Maryland
CORY GARDNER, Colorado               JERRY McNERNEY, California
MIKE POMPEO, Kansas                  BRUCE L. BRALEY, Iowa
ADAM KINZINGER, Illinois             PETER WELCH, Vermont
H. MORGAN GRIFFITH, Virginia         BEN RAY LUJAN, New Mexico
GUS M. BILIRAKIS, Florida            PAUL TONKO, New York
BILL JOHNSON, Missouri
BILLY LONG, Missouri
RENEE L. ELLMERS, North Carolina
                Subcommittee on Environment and Economy

                         JOHN SHIMKUS, Illinois
                                 Chairman
PHIL GINGREY, Georgia                PAUL TONKO, New York
  Vice Chairman                        Ranking Member
RALPH M. HALL, Texas                 FRANK PALLONE, Jr., New Jersey
ED WHITFIELD, Kentucky               GENE GREEN, Texas
JOSEPH R. PITTS, Pennsylvania        DIANA DeGETTE, Colorado
TIM MURPHY, Pennsylvania             LOIS CAPPS, California
ROBERT E. LATTA, Ohio                JERRY McNERNEY, California
GREGG HARPER, Mississippi            JOHN D. DINGELL, Michigan
BILL CASSIDY, Louisiana              JANICE D. SCHAKOWSKY, Illinois
DAVID B. McKINLEY, West Virginia     JOHN BARROW, Georgia
GUS M. BILIRAKIS, Florida            DORIS O. MATSUI, California
BILL JOHNSON, Missouri               HENRY A. WAXMAN, California, ex 
JOE BARTON, Texas                        officio
FRED UPTON, Michigan, ex officio
  


                             C O N T E N T S

                              ----------                              
                                                                   Page
Hon. John Shimkus, a Representative in Congress from the State of 
  Illinois, opening statement....................................     1
    Prepared statement...........................................     2
Hon. Paul Tonko, a Representative in Congress from the State of 
  New York, opening statement....................................     2
Hon. Henry A. Waxman, a Representative in Congress from the State 
  of California, prepared statement..............................   113

                               Witnesses

Rand Beers, Under Secretary, National Protection and Programs 
  Directorate, U.S. Department of Homeland Security..............     5
    Prepared statement...........................................     7
    Answers to submitted questions...............................   117
David Wulf, Director, Infrastructure Security Compliance 
  Division, U.S. Department of Homeland Security.................    14
    Prepared statement...........................................     7
    Answers to submitted questions...............................   117
Stephen L. Caldwell, Director, Homeland Security and Justice, 
  Government Accountability Office...............................    34
    Prepared statement...........................................    36
    Answers to submitted questions...............................   143
William E. Allmond, IV, Vice President, Society of Chemical 
  Manufacturers and Affiliates...................................    63
    Prepared statement...........................................    65
    Answers to submitted questions...............................   149
Timothy J. Scott, Chief Security Officer and Corporate Director, 
  the Dow Chemical Company, on Behalf of the American Chemistry 
  Council........................................................    71
    Prepared statement...........................................    73
    Answers to submitted questions...............................   157
Charlie Drevna, President, American Fuel and Petrochemical 
  Manufacturers..................................................    78
    Prepared statement...........................................    80
    Answers to submitted questions...............................   168
Rick Hind, Legislative Director, Greenpeace......................    86
    Prepared statement...........................................    88
    Answers to submitted questions...............................   175

                           Submitted Material

Letter of March 12, 2013, from the National Association of 
  Chemical Distributors to Mssrs. Shimkus and Tonko..............   117


CHEMICAL FACILITY ANTI-TERRORISM STANDARDS (CFATS) PROGRAM: A PROGRESS 
                                 UPDATE

                              ----------                              


                        THURSDAY, MARCH 14, 2013

                  House of Representatives,
           Subcommittee on Environment and Economy,
                           Committee on Energy and Commerce
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:07 a.m., in 
room 2322 of the Rayburn House Office Building, Hon. John 
Shimkus (chairman of the subcommittee) presiding.
    Members present: Representatives Shimkus, Pitts, Murphy, 
Latta, Harper, Cassidy, McKinley, Bilirakis, Johnson, Barton, 
Tonko, Green, Schakowsky, McNerney, Barrow ,and Waxman (ex 
officio).
    Staff present: Nick Abraham, Legislative Clerk; Charlotte 
Baker, Press Secretary; Matt Bravo, Professional Staff Member; 
Jerry Couri, Senior Environmental Policy Advisor; David 
McCarthy, Chief Counsel, Environment and the Economy; Chris 
Sarley, Policy Coordinator, Environment and the Economy; Tom 
Wilbur, Digital Media Advisor; Jacqueline Cohen, Democratic 
Counsel; Greg Dotson, Democratic Staff Director, Energy and 
Environment; and Caitlin Haberman, Democratic Policy Analyst.

  OPENING STATEMENT OF HON. JOHN SHIMKUS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Shimkus. I would like to call the hearing to order.
    We want to welcome our first panel, and I would like to 
recognize myself for 5 minutes for an opening statement.
    Good morning. The Subcommittee is now in order and I want 
to recognize myself for 5 minutes. Today marks the fourth 
hearing we have had on CFATS and the third consecutive one we 
have had since I became the subcommittee chairman.
    Sadly, it has been a very painful process to see how badly 
CFATS had fallen short of our expectations and to see the 
struggle, both inside of DHS as well as externally, to get the 
program back on track. There are some positive reports about 
progress from DHS, GAO, and the regulated stakeholders, but we 
have uncovered more details showing that in key areas the 
suggested progress is not what we had hoped. I think strides 
have been made to remedy many of the managerial concerns of 1 
year ago, and some of our testimony will suggest communication 
lines have been opened in a way that could lead to longer-term 
achievements for the program.
    By many accounts, Infrastructure Security Compliance 
Division Director David Wulf deserves a great deal of credit. 
Mr. Wulf, we appreciate your tireless, consistent, candid, and 
long-standing commitment to improving CFATS when others could 
not. I also think this process is merely meant to get us back 
to a semi-functional program, not a perfect or fully 
implemented program.
    Unfortunately, underlying programmatic issues we discussed 
in the last hearing--such as the fact that CFATS risk 
assessment falls far short of DHS' own National Infrastructure 
Protection Plan and the CFATS regulations, and the long time 
frame for evaluating Site Security Plans, despite the 
incomplete risk assessment--continue to threaten the 
credibility of the program not only on the Hill, but with 
regulated stakeholders who are confused by many decisions made 
within the program.
    As Chairman Upton has said before to DHS, we are all on the 
same side. The enemy here is the terrorists who would seek to 
harm our Nation. We need to work together to determine the best 
path forward for CFATS and its reauthorization, but we can't do 
so if we aren't fully informed and in a way that verifies the 
details coming forward. That is why we are going to have some 
tough and balanced assessment of the program delivered by DHS, 
the Government Accountability Office, and the CFATS stakeholder 
community.
    Our witnesses today may not tell us exactly what we want to 
hear, but they will tell us what we need to know. I want to 
thank all of these witnesses for appearing before our panel 
here today. I believe we are at a critical juncture for the 
success of the CFATS program in that the internal issues 
distracting the program are not our focus, but rather getting 
the program right, functioning effectively, efficiently, as 
Congress drafted the law. Their perspective will be crucial in 
getting serious questions answered by the program and our 
ability to work together.
    [The prepared statement of Mr. Shimkus follows:]

                Prepared statement of Hon. John Shimkus

    Today marks the fourth hearing we have had on CFATS, and 
the third consecutive one we have had since I became 
subcommittee Chairman.
    Sadly, it has been a very painful process to see how badly 
CFATS had fallen short of our expectations and to see the 
struggle, both inside DHS as well as externally, to get the 
program back on track. There are some positive reports about 
progress from DHS, GAO and the regulated stakeholders, but 
we've uncovered more details showing that in key areas the 
suggested progress is not what we had hoped.
    I think strides have been made to remedy many of the 
managerial concerns of one year ago and some of our testimony 
will suggest communication lines have been opened in a way that 
could lead to longer term achievements for the program. By many 
accounts, Infrastructure Security Compliance Division (ISCD) 
Director David Wulf deserves a good deal of credit. Mr. Wulf, 
we appreciate your tireless, consistent, candid, and long-
standing commitment to improving CFATS when others could not.
    I also think this progress is merely meant to get us back 
to a semi-functional program, not a perfect or fully 
implemented program. Unfortunately, underlying programmatic 
issues we discussed in the last hearing--such as the fact that 
CFATS risk assessment falls far short of DHS's own National 
Infrastructure Protection Plan and the CFATS regulations, and 
the long time frame for evaluating site security plans, despite 
the incomplete risk assessment--continue to threaten the 
credibility of the program not only on the Hill, but with 
regulated stakeholders who are confused by many decisions made 
within the program.
    As Chairman Upton has said before to DHS, we are all on the 
same side, the enemy here is the terrorists who would seek to 
do harm to our nation. We need to work together to determine 
the best path forward for CFATS and its reauthorization, but we 
can't do so if we aren't fully informed and in a way that 
verifies the details coming forward. That's why we are going to 
have some tough but balanced assessments of the program 
delivered by DHS, the Government Accountability Office, and the 
CFATS stakeholder community.
    Our witnesses today may not tell us exactly what we want to 
hear, but they will tell us what we need to know. I want to 
thank all of these witnesses for appearing before our panel 
here today.
    I believe we are at a critical juncture for the success of 
the CFATS program, in that the internal issues distracting the 
program are not now our focus, but rather getting the program 
right, functioning effectively, efficiently, as congress 
drafted the law. Their perspective will be crucial to getting 
serious questionsanswered by the program and our ability to 
work together.

                                #  #  #

    Mr. Shimkus. And with that I would like to yield 1 minute 
to the gentleman from Texas, Mr. Barton.
    Mr. Barton. Thank you, Mr. Chairman, for holding this 
hearing today.
    Two years in a row this subcommittee has convened a hearing 
to discuss the concerns with the CFATS program. Last year, we 
became aware of an internal DHS memorandum which detailed an 
array of management flaws and achievement gaps with that 
program. One of the witnesses today was a co-author. When news 
of these problems surfaced, several Members of Congress, 
including myself, asked the GAO to determine what actions DHS 
was taking to address the problems. We learned in the GAO 
report that resulted of a 94-item Action Plan that DHS 
developed to address those various issues. I understand today 
that the most egregious examples of waste of taxpayer dollars 
have been addressed but there is still work to do. We are at a 
critical juncture.
    DHS has been reviewing information since 2007 by operators 
of over 40,000 facilities. By January of this year, they had 
identified about 4,400 as high-risk facilities. Of those, about 
90 percent were tier-based on the risk that they presented--
meaning that they would have to submit Site Security Plans for 
DHS review. We now know that there have been significant errors 
in the risk assessment methodology. We also know that only a 
few dozen of the 3,100 high-risk security plans have been 
reviewed and approved. There is much work to be done. I hope 
this hearing will facilitate some of that work.
    Thank you for the hearing and thank you for the time and I 
yield back.
    Mr. Shimkus. The gentleman yields back his time.
    The chair now recognizes the ranking member of the 
subcommittee, Mr. Tonko, for 5 minutes.

   OPENING STATEMENT OF HON. PAUL TONKO, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEW YORK

    Mr. Tonko. Thank you. Thank you, Mr. Chairman. And good 
morning and thank you to our chair for convening this hearing 
and certainly to our witnesses for participating today and 
providing your insight and offering very important information.
    Ensuring the safety of our citizens and avoiding serious 
disruption of our economy requires us to remain vigilant and to 
anticipate potential targets and actions of violent individuals 
and groups. The goal of the Chemical Facility Anti-Terrorism 
Standards, the CFATS program, is to ensure that chemical 
facilities have robust plans to prevent terrorists from 
sabotaging them and to minimize the impacts should that 
prevention fail.
    Two years ago, an internal memorandum revealed serious 
problems with the CFATS program. While some progress has been 
made to address some of the shortcomings, there is still much 
more work to be done. That work surely falls to the Department 
of Homeland Security, clearly having more work to do, but also 
it falls to Congress. Congress created the Department of 
Homeland Security in 2002 and charged DHS with coordinating 
federal policy to protect this Nation's critical 
infrastructure. This is a complex task involving not only the 
Federal Government but a partnership with state and local 
governments, as well as the private sector.
    Congress defined this complex and essential task of 
protecting chemical facilities with a paragraph in an 
appropriations bill. The deficiencies in this program are 
partly a reflection of our failure to come together and provide 
clear guidance to the administration.
    The industry has been active in this area. They have taken 
many steps through initiatives such as the Responsible Care 
Program to develop and disseminate best practices to member 
companies of industry organizations. These programs are, 
however, voluntary. Private industry does not have the tools of 
surveillance and intelligence as that which the Federal 
Government has. In order to be most effective, we must have 
partnerships working together and the program must have the 
public's confidence that their communities are indeed safe. The 
public and the industry will benefit from a federal program 
that is developed with their input and in which standards, 
practices, and policies are defined clearly by the Department 
of Homeland Security.
    The CFATS program is not the only federal program 
regulating chemical facilities. Other federal departments and 
agencies have programs with longer histories and well-
established protocols. There should be a consultation amongst 
federal agencies to apply best practices, identify gaps in 
responsibility, and to avoid conflicting regulations and 
policies.
    I hope this will not be the last hearing on this issue. 
This committee should develop legislation that provides clear 
direction to DHS, certainty to the regulated industry, and 
confidence to the public that the CFATS program is providing 
the protection we require and deserve. A paragraph in an 
appropriations bill that must be renewed annually simply does 
not meet those needs.
    I would like to thank all of our witnesses for appearing 
before us today. I look forward to your testimony and to 
hearing your views on how we can improve this most essential 
program.
    With that, I thank you. Mr. Chairman, I yield back.
    Mr. Shimkus. I want to thank my colleague. And I can 
guarantee it will not be last hearing on this issue, and we 
would like to authorize a program.
    So with that, I would like to turn to my colleagues on my 
side and ask if anyone would like to submit an opening 
statement.
    Seeing none, I turn to your side. No one? Thank you very 
much.
    Now, I would like to recognize Mr. Rand Beers, the Under 
Secretary for the National Protection and Programs Directorate 
of the United States Department of Homeland Security.
    Sir, your full statement is in the record. You are 
recognized for 5 minutes.

    STATEMENT OF HON. RAND BEERS, UNDER SECRETARY, NATIONAL 
    PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF 
  HOMELAND SECURITY; AND DAVID WULF, DIRECTOR, INFRASTRUCTURE 
   SECURITY COMPLIANCE DIVISION, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

                  STATEMENT OF HON. RAND BEERS

    Mr. Beers. Thank you, Chairman Shimkus and Ranking Member 
Tonko and other members of the committee. I appreciate the 
opportunity to be before you today to talk about the 
Department's regulation of high-risk chemical facilities.
    Let me start by emphasizing that the CFATS program has 
already made the Nation more secure. The program has identified 
high-risk chemical facilities across the country. It has 
provided them with the tools to identify their vulnerabilities, 
and it has helped them to develop plans to reduce the risks 
associated with these chemicals.
    Since its inception, CFATS has helped 3,000 chemical 
facilities eliminate, reduce, or otherwise modify their 
holdings so that they no longer possess potentially dangerous 
chemicals and are no longer considered high-risk. The 
significant reduction in the number of chemical facilities that 
represent the highest risk is an important success of the CFATS 
program and is attributable both to the design of the program 
as enacted by Congress and to the work of the CFATS personnel 
and industry at the thousands of chemical facilities that we 
work with on a regular basis.
    Over the past year, NPPD has worked diligently to turn a 
corner and has addressed many of the challenges identified by 
the program's leadership. The CFATS program has made 
significant progress advancing programmatically while 
simultaneously addressing the internal operational concerns. 
Equally important, the Department remains committed to working 
with stakeholders and with the Congress on a path forward to 
ensure that the CFATS program continues to build upon the 
successes to date.
    Over the last 6 months ISCD has made considerable progress 
in conducting authorization inspections and approving Site 
Security Plans. When I was here in September, we had authorized 
73 Site Security Plans. Today, we have authorized 261. That is 
a 400 percent increase. In September we had conducted 19 
authorization inspections; today, we have conducted 141. That 
is a 700 percent increase. In September we had approved only 
two Site Security Plans; now, we have approved 52, including 3 
Alternative Security Programs.
    While these are significant achievements in the last 6 
months, we recognize that we need to do much more and we need 
to increase the pace at which we are doing it. And we are 
looking at potential approaches for increasing the pace of 
security plan reviews and inspections for the lower Tier 3 and 
Tier 4 facilities without sacrificing quality and consistency.
    NPPD will work with the regulated community to gather 
feedback and thoughts on how best to increase the pace of the 
lower tiers. For example, we have been looking with industry on 
the development of templates, or corporate alternative Security 
Programs, and we believe that the use of ASPs will 
significantly increase the pace and improve our security plans. 
We have also discussed ASPs with the Coast Guard and will apply 
the lessons that they have learned regarding their use of ASPs 
to take your point, Ranking Member Tonko, about talking to our 
partners who also have regulatory programs.
    Regarding our private sector partners, the Department has 
received primarily positive feedback on outreach and 
communications efforts from the regulated community. And we 
will continue to address specific areas of interest to the 
CFATS community. For instance, recognizing that regulated 
facilities best understand their risk drivers and in support of 
increased transparency, the Department is analyzing what 
aspects of the classified risk tiering methodology it can and 
should share with members of the regulated community. In fact, 
that particular question has been presented to the risk 
methodology external Peer Review Panel for analysis. And I 
might add that this is a peer review that includes private 
sector participation. And the Department is looking forward 
very much to the panel's recommendations with respect to this.
    The Department has also actively engaged stakeholders 
regarding personnel surety. During the last 6 months, we have 
been listening to stakeholder feedback on personnel surety and 
we have revised our program based on this feedback. We now 
believe we have a proposal which provides the regulated 
community with flexibility for carrying out the outstanding 
requirement for personnel surety and reflects input from 
facilities of all sizes. This proposal balances the need to 
conduct thorough vetting of personnel for national security 
purposes with a desire to minimize the burden on facilities. 
Our engagement with the private sector will be reflected in two 
department Notices that have gone from the Department to the 
Federal Register and will be published in the coming days.
    I close with a note regarding the Department's current 
statutory authority to implement CFATS. As you are aware, the 
CFATS authorization currently extends through March 27 of this 
year. The Department supports a permanent authorization for the 
CFATS program and we are committed to working with the Congress 
and other security partners to establish a permanent authority 
for the CFATS program in federal law. Overall, I am here before 
you today convinced that we have positioned the program firmly 
on the right track and I would be happy to respond to any 
questions that you may have.
    Thank you.
    [The prepared statement of Mr. Beers and Mr. Wulf follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Shimkus. Thank you.
    Also joining at the first panel is Mr. David Wulf, who is 
the director of the Infrastructure Security and Compliance 
Division. Obviously, you didn't submit an opening statement, 
nor do you have one, but if you want to have anything just for 
the record, I would like to recognize you for a few minutes.

                     STATEMENT OF MR. WULF

    Mr. Wulf. That would be great. Thank you so much, Chairman 
Shimkus. I would like to thank you, Ranking Member Tonko, and 
the other members of the subcommittee for the opportunity to 
testify here today.
    ISCD has made great progress in addressing the challenges 
described in the internal memo and associated Action Plan that 
we presented to Under Secretary Beers in the fall of 2011. With 
strong support from leadership in the National Protection and 
Programs Directorate and the Office of Infrastructure 
Protection and through much hard work on the part of the 
talented men and women of ISCD, we have completed 88 of the 95 
items outlined in our Action Plan. We have developed improved 
policies, procedures, and training to ensure that inspections 
are conducted in a consistent and thorough fashion. We have 
implemented an effective streamlined SSP review process, a 
process that has greatly enhanced our ability to authorize, and 
as appropriate, grant final approval for Site Security Plans.
    We have also done much to stabilize our organization and 
our leadership cadre by hiring permanent supervisors, including 
a permanent deputy director, and we continue to foster 
transparency and open communication throughout our 
organization.
    I would like to recognize our workforce, which truly has a 
passion for the mission of chemical facility security. And I 
would like to recognize also the American Federation of 
Government Employees which represents our bargaining unit 
employees in the field, and has done much to expedite its 
review of key policies and procedures over the past several 
months.
    In September I reported that we had turned an important 
corner in the implementation of CFATS. I am pleased to be able 
to report today that not only has that corner been turned, but 
we are moving confidently down the road to realizing the full 
potential of the program. ISCD and the CFATS program are moving 
forward in a way that will foster continued advances in the 
security of America's highest-risk chemical facilities. We have 
achieved a marked increase in the pace of SSP authorizations, 
facility inspections, and approved Site Security Plans.
    As the Under Secretary noted, we have authorized more than 
260 SSPs and granted final approval for 52 of those. We 
anticipate completing approvals of Site Security Plans for 
facilities in the highest-risk tier, Tier 1, by September of 
this year and completing final approvals of Tier 2 SSPs by May 
of 2014. Reviews and authorizations of Tier 3 SSPs are now 
underway as well.
    However, recognizing that we must find ways to become ever 
more efficient and effective in our inspection and SSP review 
processes, we will be looking closely at, and soliciting 
stakeholder input on, options to streamline the review and 
approval cycle for facilities in Tiers 3 and 4. I do anticipate 
that ASP templates will be an important tool to enhance the 
efficiency of our reviews. The American Chemistry Council 
recently worked with us to develop an ASP template and we 
continue to work with industry associations such as SOCMA, 
AFPM, and the National Association of Chemical Distributors, 
who are all considering the adoption of ASP templates for their 
member companies.
    So even as we continue to seek ways to improve, it does 
bear noting that ISCD's chemical security inspectors are today 
providing compliance assistance to facilities and conducting 
inspections at an unprecedented rate. And I am pleased to 
report that I have received much favorable feedback from our 
industry stakeholders about their experience with these 
inspections. As you know, and this is something for which I am 
profoundly grateful, our stakeholders are not shy when it comes 
to expressing their candid thoughts and concerns about the 
program. So I am confident that when I am hearing positive 
things from industry about their facilities inspections-related 
experiences, we are on the right track.
    I would like to share one quote from Cathi Cross, Director 
of Security for Phillips 66 regarding a recent inspection in 
Oklahoma. Ms. Cross conveyed to me that her facility's 
experience with the DHS inspectors ``was a very positive 
one...that the members of the ISCD inspection team were 
knowledgeable, courteous, and quite helpful in their 
collaborative approach as they evaluated the facility, its SSP 
draft, and planned measures.'' Continuing, Ms. Cross noted that 
``the inspectors provided thoughtful comments and were 
receptive to alternate proposals for meeting security 
objectives.''
    So ISCD continues to fully engage with our industry 
stakeholders, and I very much appreciate industry's continued 
support for the program. And our stakeholder engagement 
continues to take many forms. At the facility level, in 
addition to inspections, we continue to conduct compliance 
assistance visits and other outreach to work with the 
facilities as they develop their Site Security Plans. We also 
engage with stakeholders on important programmatic issues. We 
continue to work on the development of ASP templates, and we 
are in the process of gathering industry feedback as we move 
forward to improve our suite of online tools.
    Also, as the Under Secretary noted, we recently concluded a 
productive and extensive series of discussions on the important 
issue of personnel surety. Ensuring that those who seek 
unescorted access to high-risk chemical facilities are vetted 
for terrorist ties is a critical piece of the CFATS effort and 
one that we must move forward to implement in the near term.
    I am also appreciative of the work done by GAO and the 
perspectives GAO has offered us on the CFATS risk-tiering 
methodology and on the management and tracking of our 
stakeholder outreach activities. With regard to our risk-
tiering efforts, while I am confident that our current 
methodology, with its focus on the consequences of a potential 
terrorist attack, is appropriate for a regulatory compliance 
program such as CFATS, considering ways in which our tiering 
efforts may be enhanced is something to which we are very much 
open at ISCD.
    I am very much eagerly anticipating the results of our 
external peer review in this regard on risk-tiering and any 
recommendations that may be forthcoming from the Peer Review 
Panel.
    As for our external outreach, ensuring that we 
appropriately track and manage our outreach activities is an 
important priority for ISCD and one that we will pursue.
    Thank you again for the opportunity to provide an update on 
the forward progress the CFATS program continues to make. It is 
an honor and a privilege to serve with the dedicated 
professionals at ISCD. I firmly believe we have made much 
progress in coming together as a regulatory compliance 
organization, and along with rest of the ISCD team, I am 
excited and optimistic about the future of the CFATS program.
    Thank you again for the opportunity and I welcome any 
questions that you may have. I apologize for the extra 30 
seconds.
    Mr. Shimkus. Oh, you are fine. Thank you, Mr. Wulf.
    And before I recognize myself for the first round of 
questions, I think just a comment for staff--especially, I 
think we have some guests in the room--is that maybe we need to 
put up a placard that defines these acronyms, because if you 
are visiting this room and you have no idea what these acronyms 
are, you are like probably listening to Chinese. So stuff like 
CFATS--Chemical Facility Anti-Terrorism Standards. We will talk 
about NIPP, which is the National Infrastructure Protection 
Plan. We will talk about ASP, Alternate Security Plan. So we 
know there are a lot of you that are well knowledgeable out 
there, but we probably could do better by having a display of 
some of these acronyms out there. So I am from the military a 
long time ago so we were acronym-focused also.
    So I will recognize myself for the first 5 minutes of 
questions and my questions will be directed to Mr. Beers.
    Mr. Beers, GAO says CFATS does not consider or analyze 
vulnerability threat or economic consequence during the tiering 
process. We knew about the vulnerability gap but not the 
others. But in GAO's testimony--Government Accounting Office--
when would the regulated community, the Hill, and others have 
learned of this?
    Mr. Beers. Sir, I do not know when the vulnerability issue 
surfaced specifically, but I do know that it surfaced within at 
least the last year as far as I am aware. With respect to the 
economic consequences issue, as I was not present when the 
program was originally briefed to this committee and other 
committees, I am simply unaware of when or whether that might 
have been brought to the Committee's attention.
    Mr. Shimkus. Yes. So the follow-up is, had not Chairman 
Upton, Joe Barton, Henry Waxman not asked for this GAO report, 
we on the Hill and stakeholders may not have learned of the 
vulnerability gap. Is that safe to say?
    Mr. Beers. Sir, that is certainly a conclusion that can be 
drawn from that. But one thing that I would add to that, which 
David and I have both spoken of, is that one of the things that 
we have asked of the peer review committee after our own 
internal review is that this methodology be looked at 
independently. Obviously, we are going to take note of the 
GAO's comments on this and it is certainly our intention to 
have full disclosure with you all, and if some of the material 
is classified, we will do that in a classified setting.
    Mr. Shimkus. Thank you. According to the National 
Infrastructure Protection Plan, risk is a function of three 
components: consequence, threat, and vulnerability--we did this 
in the last hearing--and a risk assessment approach must assess 
each one. Have you analyzed the effect of not considering 
vulnerability for all the regulated facilities?
    Mr. Beers. Sir, we have. The rationale behind that is that 
while we have----
    Mr. Shimkus. Did your mike go off or it is not pulled close 
enough?
    Mr. Beers. Let me start over again. We looked at 
consequences and threats and gave them a definition in the 
tiering methodology, but because vulnerability was what the 
whole program was about reducing and because we did not have 
the kind of data that we needed in order to be able to assign 
vulnerability factors with specific and differentiated levels, 
we chose to hold that constant, tier on the basis of threat and 
consequence, and ask the facilities then to come back to us 
with an indication of what their vulnerabilities were and to 
work with them on Site Security Plans to deal with those 
vulnerabilities.
    The consequence of this is that the tiering works to set 
them aside by threat and vulnerability and the whole endgame is 
about reducing vulnerability or risk. So we chose to hold that 
constant in the tiering; we chose to deal with that through the 
Site Security Plan process.
    Mr. Shimkus. And I guess then our follow-up would be we 
think you have evaluated part of the threat, not the entire 
threat, and there is no economic process that has been defined 
so far which is a part of that whole calculation. But you did 
identify in your comment about up-to-date data. So what is the 
effect of not using up-to-date threat data in the risk-tiering 
approach?
    Mr. Beers. Sir, as we go through this process, if there is 
additional threat data or altered threat data, our intention is 
to include that. That is certainly something that we are 
talking with the Peer Review Committee about and my guess is we 
will get some different information.
    David, do you want to add to that?
    Mr. Wulf. Yes, I would. Yes, the tiering methodology, as it 
currently exists, is certainly very much consequence-based. I 
think that consequence is tied very much directly to threat as 
we use the threat in the tiering engine. Targets that have high 
value from a terrorist perspective in terms of the consequence 
will also typically have a pretty high score on the threat 
side. We are certainly very much open to ways in which we can 
enhance the tiering methodology and that is the very reason we 
are having this external peer review.
    But I think focusing principally on consequence in a 
regulatory compliance framework is an appropriate way to tier 
facilities. If we focused heavily on vulnerability in the 
actual tiering, we would have potential situations in which a 
facility would tier highly because of a heightened 
vulnerability that it identified. As a result of tiering 
highly, it would put into place hopefully significant and 
successful security measures to address the vulnerability. The 
vulnerability would then be diminished and theoretically that 
facility would tier out, not have those requirements any 
longer, conceivably have its vulnerability go up again, tier 
back in, and we would have sort of a roller coaster effect.
    So I think the way in which we and the CFATS program have 
woven the vulnerability factor into the remainder of the 
program in the facilities, assessment of vulnerabilities, in 
the development of their security vulnerability assessments, 
and in their development of Site Security Plans makes sense. 
That is not to say there isn't room for improvement and I 
certainly anticipate we will get some solid recommendations in 
those regards from the Peer Review Panel.
    Mr. Shimkus. Thank you. My time has expired. The chair now 
recognizes Mr. Tonko for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chair.
    It appears that the Department of Homeland Security has 
good progress to report implementing their Action Plan to 
strengthen the CFATS program, but I am concerned that 
fundamental problems may still exist. I would like to focus on 
one of those concerns and that has just been the focus of the 
chair's address and that being the tiering of facilities.
    CFATS is a risk-based program meaning that facilities 
placed in a high-risk tier have to meet higher standards, I am 
told, for security. Lower-tiered facilities then meet lower 
standards. An error in tiering could mean that a high-risk 
facility is not adequately secured or that the owners and 
operators of a low-risk facility have to invest in unnecessary 
security measures. The tiering process must be, therefore, as 
accurate as possible.
    The Department published a National Infrastructure 
Protection Plan in 2006 and I believe revised it in 2009. This 
plan discusses how risk analysis for terrorism threats should 
be conducted. Under Secretary Beers, should the CFATS program 
be consistent with that plan, the developed plan of 2006, and 
improved in '09?
    Mr. Beers. Sir, the National Infrastructure and Protection 
Plan is a global statement of risk. All of the programs in the 
Department of Homeland Security should be in rough alignment 
with that. But we also have to recognize that different sectors 
and different companies may have some specifics that cause some 
alteration or some specific requirement relevant to them and 
perhaps only to them. But as a general measure, yes, that is 
correct, sir.
    Mr. Tonko. So as a general measure, we say yes. And 
according to the National Infrastructure Protection Plan, risk 
assessments must account for threat, vulnerability, and 
consequences. But that is not what CFATS, as a program, 
currently does. GAO is critical of the fact that apparently DHS 
completely ignores the potential economic consequences of a 
terrorist attack when conducting a risk assessment. And GAO is 
not the first to say this. In 2010, the National Academies 
published a report, requested by Congress, on department-wide 
efforts to analyze risk. And the Academies approved of the 
framework in the National Infrastructure Protection Plan but 
found that ``many of the Department's risk-analysis models and 
processes are weak and are not on a trajectory to improve.'' 
According to Academies, the methods were not ``documented, 
reproducible, transparent, or defensible.''
    These are very serious criticisms and to address these 
issues the National Academies made a number of specific 
recommendations. So my question to you, Under Secretary, is 
that did the Department ever provide a formal response to the 
National Academies' report?
    Mr. Beers. Sir, there was a response by the Department to 
that. I can get you a copy of that. I don't have it on hand at 
this particular point in time. But we were certainly aware of 
the Academies' report and we did respond to it.
    Mr. Tonko. Under Secretary Beers, can you please explain 
the process you are currently engaged in to improve the risk 
assessment done in the CFATS program and whether it will 
respond to the recommendations made by GAO and the National 
Academies?
    Mr. Beers. Sir, let me respond on two levels here, first, 
to go back to the original premise, which is the threat, 
consequences, and vulnerability address how one should be 
dealing with risk and simply say we believe in the CFATS 
program that we do address all three of those aspects even 
though the tiering methodology, which is not the entire dealing 
with risk, only focuses on consequences and threat and holds 
vulnerability constant. But as I said in my earlier response to 
the chairman's question, we believe that the vulnerability part 
of that equation is dealt with in the development of the Site 
Security Plans.
    With respect to the larger question, I think that what we 
are trying to do here is work through a regulatory program 
which is different--the NIPP was really written in association 
with voluntary programs, which meant that while we could lay 
out best practices or standards or thoughts on how to deal with 
this, it was really entirely up to the companies in order to do 
that. And in the regulatory program, we have the ability to 
state whether or not their response is in fact adequate to the 
regulatory requirement that we have. And that makes it somewhat 
different from the framework in which the NIPP was written.
    But let me also turned to David Wulf to add anything that 
he may wish to add.
    Mr. Wulf. I would just add a couple of things. We committed 
to do three things when we encountered some issues with the 
tiering methodology. One was to do an internal documentation of 
our processes and our methodology, do sort of an internal 
department look at the CFATS methodology and to do what is 
ongoing right now, the external peer review. As we conducted 
our documentation, we have tried to be transparent about what 
we found. We have talked through issues with staff up here, 
with our industry stakeholders, and have tried to keep everyone 
abreast of the progress we are making on the economic 
criticality piece of this, of the consequence assessment in the 
tiering methodology.
    In that regard, I would note for the Committee that we are 
actively engaged in trying to address the economic consequence 
part of the equation. We are working with Sandia National Labs 
on that effort. I received a briefing I want to say a couple of 
months ago. Our expectation is that Sandia's work--and it is 
difficult stuff assessing economic consequences of potential 
terrorist attack--will be complete in early 2014. We anticipate 
talking through the Sandia findings with our stakeholders. We 
are not going to proceed in a vacuum as we look to incorporate 
economic consequence into the model, but I do believe, as I 
think you do as well, that it is an important piece to the 
puzzle. So we are going to continue to seek to improve the 
methodology.
    The thing we struggle with is trying to be a continually 
improving program, at the same time trying to afford a degree 
of certainty to our industry stakeholders for whom it would be 
difficult to have an ever-changing target in terms of the 
tiering. So we have to balance all of that, but we are taking a 
hard look at it all.
    Mr. Tonko. Thank you.
    Mr. Shimkus. The gentleman's time has expired.
    Again the NIPP is the National Infrastructure Protection 
Plan again for our guests who are now leaving.
    So the chair now recognizes the gentleman from 
Pennsylvania, Mr. Pitts, for 5 minutes.
    Mr. Pitts. Thank you, Mr. Chairman. Under Secretary Beers, 
according to the NIPP, risk management should help focus 
planning and allocate resources. How can you prioritize 
resources and manage risk if you don't differentiate between 
threat or vulnerability?
    Mr. Beers. Sir, we definitely do differentiate between 
threat and vulnerability. What we have tried to do here is 
ensure that the compliance part of the effort which is to buy 
down risk, it was measured against the threat-and-consequence 
tiering of the tiering methodology. So the whole program is 
designed to reduce the vulnerability to the American people, to 
the communities that surround those facilities. And every 
effort is made through the risk-based performance standards to 
help those facilities produce Site Security Plans that in fact 
protect the communities in which they live far more than when 
there was no regulation on those facilities. Which is not to 
say that they weren't trying in their own way to do that, but 
what we have tried to do is to provide a general way in which 
they can approach that to help them or to give them thoughts 
about other ways that they might think about buying down that 
risk by reducing the vulnerabilities through their Site 
Security Plans.
    David, would you add anything?
    Mr. Wulf. No. I think that pretty well covers it. The 
vulnerability is, as I have expressed, woven through the fabric 
of the program in the security vulnerability assessments that 
facilities conduct, and in their development of Site Security 
Plans.
    Mr. Pitts. Given incomplete aspects of your risk assessment 
model, are you confident that the CFATS risk-tiering approach 
adequately tiers facilities?
    Mr. Beers. Based on the way that we have put forward the 
methodology, we are confident that the general model is 
correct, as has been indicated here. We are going to look at 
economic consequences to see whether or not--and if so, how--
that ought to be injected into the methodology. And we are 
reviewing the threat information as well. So this, as David 
just said, is not a static program and we are looking for 
assistance and help from the peer review effort to see how we 
might do a better job. But as David also said, we want to do 
this in a fashion in which we are not constantly changing and 
moving everything because industry also needs a degree of 
stability as they consider how to improve their own site 
security.
    Mr. Pitts. Now why do you collect data, information that 
you do not use? Regulated facilities are required to provide 
substantial information to facilitate the tiering process but 
ISCD only uses a small amount of this data.
    Mr. Wulf. My assessment is that all of the data that we 
take in is valuable to the program, and it is useful as we 
evaluate, not only the tiering as we assign risk tiers but as 
we look at evaluation of Site Security Plans. So the questions 
and the information that is provided in response to those 
questions I think goes a long way toward prompting facilities 
to give thought to their vulnerabilities and to incorporate 
appropriate responses to those vulnerabilities and to implement 
security measures appropriate to respond to those 
vulnerabilities as they develop their Site Security Plans.
    Mr. Pitts. My time has expired. Thank you.
    Mr. Shimkus. The gentleman's time has expired. I would hope 
that he will pay close attention to the GAO report because they 
say, obviously, there is a lot of data that is not used and 
that is the reason why that question is asked.
    Five minutes to Mr. Green.
    Mr. Green. Thank you, Mr. Chairman.
    Welcome to our panel. Under Secretary Beers, in your 
testimony for today's hearing you state that DHS will be 
publishing a revised Personnel Surety Program rule next week. 
Regarding the PSP, are you able to commit today that the new 
rule will allow similar credential programs like the TWIC 
program for land-based--so we would have one ID for employees 
whether they work for a company's land-based site or the water-
based site?
    Mr. Beers. Sir, you are correct. We have provided our 
Personnel Surety Program notice to the Federal Register and the 
Department has provided a TWIC Reader Rule Requirement Program 
to the Federal Register also this week. Those will be 
published, I am told, next week. It takes that long to actually 
put it out. It will include the ability to use a TWIC card as a 
personnel identification and personnel surety credential within 
the program for those who qualify for the program. The larger 
TWIC reader rule will allow companies, facilities to know what 
kind of a validation system they have in order for those TWIC 
cards to be validated as individuals pass into those 
facilities. That was, as you will recall, an original 
requirement of the whole TWIC program, which has been operating 
unfortunately without that reader rule requirement up to this 
point in time.
    Mr. Green. Well, and we have talked about this for a couple 
of years now and I appreciate the agencies doing that because a 
lot of plants have waterside and land-based--and employees move 
back and forth and most of the time the employees have to buy 
those cards themselves and it just seems like it did not make 
any sense to make an employee, you know, have to buy two cards 
that really should be issued by the Federal Government. You 
only need one.
    Mr. Beers. I couldn't agree with you more, sir.
    Mr. Green. And can you share the efforts the Department 
made to incorporate both employee and union interest, because I 
know of some in my area--we have steelworkers that represent my 
refiners and chemical plants, a number of them. Were they 
involved in this decision or received input?
    Mr. Wulf. The earlier information collection request that 
was withdrawn during the summer was open for comment across the 
board. We did not work specifically or discuss any of this 
specifically with labor unions.
    Mr. Green. OK. Well, I know one of their concerns is that 
their members would have to have these two cards. And when does 
your agency anticipate to complete the site security program 
review for all facilities and including Tier 3 and 4?
    Mr. Wulf. As I mentioned, we are looking to be through with 
Tiers 1 and 2 by the first part of 2014. With regard to Tiers 3 
and 4, we are looking at ways that we can increase the pace of 
the review. I know the GAO, looking at sort of the current 
pace, has projected it could take between 6 to 9 years. That is 
a pace that is, in our view, not an acceptable one. I think 
that we are going to continue to see the pace quicken. I don't 
want to provide a certain date because I am sure I will be 
slightly off.
    But I think as we move forward with the heightened pace of 
inspections as we learn more about how to achieve efficiencies 
in the SSP reviews and the inspection process, we will get 
better at doing them and be able to inspect, review, and 
approve larger numbers of SSPs. I think the alternative 
security programs will provide a means to heighten the pace as 
well. So as those templates come into greater use, and 
particularly as they are used by multiple facilities within the 
same company, I think we will see the pace quicken 
significantly. We will also continue to look at the resources 
we have to do those inspections. We are bringing on board 
another 18 inspectors which will increase our capacity. We will 
continue to look at whether there might be a possibility of 
getting some additional folks on board as well.
    Mr. Green. Mr. Chairman, I know my time is--but there has 
been a substantial public sector investment and private sector 
investment and we would hope to see some of that, that they 
would have their security plans at least on what they have 
invested literally hundreds of millions of dollars on, both, 
like I said, public money and private money.
    Thank you, Mr. Chairman.
    Mr. Shimkus. The gentleman's time has expired. Before I 
move to Mr. Cassidy, just for clarification, Mr. Wulf, and for 
the transcriber, when you said the 6 to 9 years did you say is 
not an acceptable or did you say not unacceptable?
    Mr. Wulf. I said it is not acceptable.
    Mr. Shimkus. OK.
    Mr. Wulf. It is not an acceptable----
    Mr. Shimkus. Great. Thank you. It caught my attention there 
for a second.
    So now the chair recognizes the gentleman from Louisiana, 
Mr. Cassidy, for 5 minutes.
    Mr. Cassidy. Hey, gentlemen. Thank you for being here. I 
understand that you all have done a heck of a lot of work to 
address some of the issues and as I have obviously been a sharp 
critic, so first, I thank you for your hard work that you have 
done.
    With that said, you might guess I have got a couple other 
concerns. The fact that you can----
    Mr. Wulf. I said I suspected you might.
    Mr. Cassidy. The fact that you can buy down risk or buy 
down vulnerability by decreasing threat suggests that risk is 
some constant. You have some number for risk, however you 
calculate that number, that you would like to address. It is 
also my understanding, I think you said earlier, the review 
panel will come up with a new model in which they will assess 
both the economic consequences and life consequences and all 
these other factors in a more sophisticated fashion than 
currently you are doing. Are they going to have access to your 
data--this category of data, this continuum of data that you 
have--in order to see the robustness of their model?
    Mr. Wulf. Yes, sir. The Peer Review Panel has access to 
everything that we have, classified and otherwise.
    Mr. Cassidy. Now, is it possible that that will show that 
what you are currently doing is--I suppose that means if they 
are coming up with a new model, it will show either that you 
are doing a good job or that you are not doing a good job. 
Correct?
    Mr. Wulf. Well, I don't know that it is fair to say that 
the panel's charter is to come up with a new model. The charter 
is to take a fresh look at what we are doing.
    Mr. Cassidy. But if you don't currently have--I don't mean 
to interrupt, I am sorry. It is limited time. If you don't have 
economic consequences in there, and I understand at some point, 
reading the testimony or GAO report, that population density 
wasn't factored in some places. It certainly seems that you 
need a new model. Does that make sense? I mean if we are going 
to include economic consequences, and what you are doing now 
does not do so, then clearly you need new model.
    Mr. Wulf. As we look to incorporate economic consequences--
and I should mention that at Sandia National Labs that is doing 
the work for us on economic consequences--but certainly 
something the Peer Review Panel can, and I suspect will, look 
at as well. As we move to incorporate that into the model 
certainly we would have to revise the model.
    Mr. Cassidy. So you do anticipate giving them access to 
your compendium of information for them to check to see the 
robustness of the model?
    Mr. Wulf. Absolutely.
    Mr. Cassidy. And will you share that with the Committee?
    Mr. Wulf. We can certainly look at that----
    Mr. Cassidy. I mean, like, why wouldn't you?
    Mr. Wulf. I don't see why not.
    Mr. Cassidy. Yes. Now, if you decide upon this model as 
being that model which you should use, would you share it with 
the industry?
    Mr. Wulf. The underlying information?
    Mr. Cassidy. No, not the underlying information, the model 
itself. Because if, Mr. Beers, you say that they can buy down 
vulnerability by whatever--addressing in a greater way threat--
I imagine you have some retrogression analysis and that you can 
plug these things in. Really, right now, it appears that there 
is a certain degree of subjectivity.
    Mr. Wulf. Well, looking----
    Mr. Beers. Sir, we are committed. And that is one of the 
questions that we have asked the peer review to look at is, 
what should we share from the tiering methodology with them? 
Now, we have some parts of it which are currently classified. 
We are also looking at the possibility of declassifying some of 
that information as well. Because we firmly believe as the 
program has matured that the transparency of the tiering model 
is important. That will help them think about their own Site 
Security Plans in a better way than to simply use the risk-
based performance standards by themselves. The objective here 
is to reduce risk. The objective here is to reduce 
vulnerability and we believe as we have considered this, that 
that kind of transparency is necessary.
    If there remains classified parts of the program, we will 
look at whether or not we can at least have some industry 
representatives, as we do generally with the National 
Infrastructure Protection Plan, cleared to receive classified 
information even if we can't make it broadly available.
    Mr. Cassidy. So I am asking now, not to challenge but 
rather for information, if you have a formula by which someone 
can decide what their relative risk is, you plug in these 
variables and you come up risk, it seems to me that--I don't 
know whether that would be classified. Listen, a 15-foot fence 
will get you here and a 30-foot fence will get you there and 
video cameras will get you here and armored cars will get you 
there. So knowing that some of the information is classified, 
are the variables that you plug in classified?
    Mr. Beers. David?
    Mr. Wulf. Some of the factors that go into the calculation 
of the risk score are classified. But I would just echo the 
Under Secretary's comments that fostering greater transparency 
for our stakeholders in tiering is one of our goals and 
certainly one that we are going to pursue.
    Mr. Cassidy. Last question--and you may have mentioned this 
earlier--when do you expect the panel to come back with their 
report and then ideally to run some of those compendium of 
information to check out what you have been currently doing and 
et cetera?
    Mr. Wulf. We are anticipating a report from the Peer Review 
Panel this summer.
    Mr. Cassidy. OK. Thank you. I yield back.
    Mr. Shimkus. The gentleman yields back his time. The chair 
now recognizes the ranking member of the full committee, Mr. 
Waxman, for 5 minutes.
    Mr. Waxman. Thank you, Mr. Chairman. Today's hearing 
underscores the need for reform of this program, and in my 
view, this committee should develop comprehensive 
reauthorization legislation.
    Today, GAO will testify that it will take 8 to 10 years 
before the Department can review and approve the Site Security 
Plans it has already received. Additionally, the Department 
must revise its risk analysis model, which could mean that the 
current tiering of facilities will have to be revised, 
requiring many facilities to begin the process over again.
    In the 111th Congress, the Committee produced a 
comprehensive Chemical and Water Facility Security Bill to 
finally set this program on the path to sustainable success. 
Mr. Beers, you testified in support of that bill as did 
representatives of the labor community, the environmental 
community, water utilities, and the chemical industry. At that 
time you said, ``given the complexity of chemical facility 
regulation, the Department is committed to fully exploring all 
issues before the program is made permanent.'' I agree with 
that statement and I would like to explore some of those issues 
with you today.
    Mr. Beers, does the administration still support closing 
security gaps for wastewater and drinking water facilities?
    Mr. Beers. Yes, sir.
    Mr. Waxman. Does the administration still support 
maintaining EPA as the lead agency for drinking water and 
wastewater facilities with the Department supporting EPA's 
efforts?
    Mr. Beers. That is our position.
    Mr. Waxman. Does the administration still believe that all 
high-risk chemical facilities should assess inherently safer 
technology and that the appropriate regulatory entity should 
have the authority to require the highest-risk facilities to 
implement those inherently safer technologies if feasible?
    Mr. Beers. The statement at that time still remains the 
administration's position, sir.
    Mr. Waxman. Since we worked on that bill 3 years ago, 
additional challenges have come to light. Specifically, the 
internal review and memorandum prepared in November 2011 found 
serious problems. The Department produced an Action Plan to 
address these problems. That Action Plan included the formation 
of a task force to develop recommendations for legislative and 
regulatory changes to the CFATS program. My understanding is 
that the Department reports that it has completed development 
of those recommendations. Mr. Beers, when can we expect to see 
those recommendations?
    Mr. Beers. Sir, I will have to get back to you on that. I 
don't have specific answer on that question.
    Mr. Waxman. OK. Well, I look forward to you getting back 
and to have the record held open so that we can get that 
response.
    Mr. Shimkus. Without objection. So ordered.
    Mr. Waxman. As the Committee further considers the CFATS 
program, having your legislative recommendations for reforming 
the program would obviously be very helpful.
    Thank you, Mr. Chairman. I yield back my time.
    Mr. Shimkus. The gentleman yields back his time. The chair 
now recognizes the other gentleman from Pennsylvania, Mr. 
Murphy, for 5 minutes.
    Mr. Murphy. Thank you, Mr. Chairman. And thank you, to the 
panel.
    According to the CFATS rule, a high-risk chemical facility 
is one that, in the discretion of the Under Secretary, presents 
a high risk of significant consequences for human life and 
health and now security and critical assets. Let me ask you a 
few comments on this. If, as a result of your work with Sandia 
National Laboratories economic consequences are incorporated 
into the CFATS risk-tiering approach, how will this impact the 
current list of related facilities and do you expect more 
facilities to be covered?
    Mr. Wulf. I think it is hard to say right now. Depending on 
what we get back and our analysis of Sandia's work, it could 
impact the number of facilities that are covered in a few 
different ways. Depending on the weighting that is given to the 
economic consequence piece of the equation and really the 
general fabric of the assessment on economic consequences. So I 
don't think I am in a position today to forecast that.
    Mr. Murphy. Can you give any estimates at all how much you 
think it is going to cost to incorporate the results of the 
Sandia National Laboratories work into the current CFATS risk 
assessment approach?
    Mr. Wulf. I don't at this time, not without the assessment 
from Sandia.
    Mr. Murphy. Well, given also it is going take approximately 
7 to 9 years for ISCD to review plans submitted by regular 
facilities, how practical is it for you to expand the program 
to include additional facilities?
    Mr. Wulf. We are going to, first, as I said, the 6 to 9 
years is not an acceptable pace and we are going to do 
everything in our power to pick up that pace. I think though 
that it is important that we foster enhanced security for all 
chemical facilities that are high risk in nature. So, to the 
extent the universe of high-risk facilities is framed and 
includes in the calculation of that universe or in the 
formation of that universe the economic consequences and the 
universe grows, we will look at ways to make that work.
    As I said, we are bringing on additional inspectors; we are 
improving our processes and procedures. We are going to get 
better and better at this. So, if that challenge presents 
itself, we will meet the challenge.
    Mr. Murphy. I know we have talked about these things in 
other hearings that the chairman has conducted here, and you 
are expecting about 30 to 40 site plan approvals per month. 
That is your anticipated goal for the future?
    Mr. Wulf. That is our current pace.
    Mr. Murphy. The current pace. Well, how may did you approve 
in January of 2013?
    Mr. Wulf. I would have to get that to you specifically.
    Mr. Murphy. February? Just last month, any idea?
    Mr. Wulf. I would imagine between 20 and 30 in February.
    Mr. Murphy. So you said you expect----
    Mr. Wulf. Yes.
    Mr. Murphy. You are currently at 30 to 40 but you are half 
that in February. I am just trying to----
    Mr. Wulf. Yes. I expect it is going to continue to ramp up 
because what we are doing more of in January and February was 
authorizing plans. And as we authorize the plans, we schedule 
the inspections. That is what leads to the approvals. So the 
approval pace will pick up. We anticipate by the end of 
September being up to upwards of 350 approvals. So that will be 
all of Tier 1 and probably about halfway through the Tier 2 
facilities. So, actually, in 6 months, 6\1/2\ months from now, 
we will likely be doing about 50 approvals a month for the next 
foreseeable future.
    Mr. Murphy. You have a mechanism for continuous improvement 
as you go through these to speed them up, for example, getting 
feedback as you go through these approval processes--feedback 
from people you have worked on with those saying what we could 
have done to make this better, faster, more thorough?
    Mr. Wulf. Yes, we sure do. We are constantly evaluating our 
processes and looking at ways we can do things better.
    Mr. Murphy. Is that an internal process? Do you also get 
external feedback on that?
    Mr. Wulf. Well, it is an internal certainly within the 
division and the relevant branches within the division. But 
also we are talking consistently with our stakeholders, and I 
was able to share one comment we received back during my 
opening statement. But we are always talking to our 
stakeholders about improving. And one of the things we have 
done to pick up the pace and to increase the pace of SSP 
authorizations and approvals specifically has been to include 
our field inspectors, who are most familiar with the facilities 
in the authorization and approval loop early in the processes. 
As issues are identified, those SSPs are kicked out to the 
field and squared away and kicked back into the authorization 
and approval loop more quickly.
    Mr. Murphy. In my remaining time I just want to ask real 
quick. We understand there are some documentation issues 
regarding the CFATS risk-tiering approach. Can you give me a 
little information of what those documentation issues are? Is 
that something slowing you down, too, or what are those 
documentation issues?
    Mr. Wulf. No, I don't think so. The documentation I 
referenced earlier was our effort over the past year to 
thoroughly document the tiering methodology.
    Mr. Murphy. Is that also improving over time? Thoroughly 
documenting so you are----
    Mr. Wulf. Yes.
    Mr. Murphy. Well, I am out of time here I know but I will 
follow up on the other questions. Thank you.
    Mr. Wulf. OK.
    Mr. Shimkus. The gentleman's time has expired.
    The chair now recognizes the gentleman from California, Mr. 
McNerney, for 5 minutes.
    Mr. McNerney. Thank you, Mr. Chairman.
    Mr. Wulf, is the ISCD responsible for addressing cyber 
threats to chemical plants?
    Mr. Wulf. Yes, sir. Yes, sir. One of our Risk-Based 
Performance Standards, RBPS 8, relates to cyber.
    Mr. McNerney. So are there specific cyber threats for 
potential catastrophic results to human beings that you know 
of?
    Mr. Wulf. I think potentially there could be, which is why 
CFATS addresses cyber. It focuses within the CFATS framework on 
industrial control systems, on systems that can impact the 
release of chemicals, and on systems that can impact the 
security of a facility.
    Mr. McNerney. So how effective then is the DHS in 
addressing these potential cyber threats?
    Mr. Beers. Sir, we have the best team in the country to 
deal with industrial control systems as announced by Security 
magazine. The ICS or Industrial Control Systems team that we 
have in our cyber office is absolutely the best in the country. 
They provide regular assessments on requests from people. We 
are expanding that program. It will also be part of the work 
that we are doing with respect to the Executive Order on 
cybersecurity and the Presidential Policy Directive that came 
out, both for those in February, a major area of concern and a 
major area of involvement. We are basically teaching the rest 
of the government how to deal with this issue.
    Mr. McNerney. Good. Good. In my mind there are two aspects 
of cyber defense: protection and retaliation. Maybe that is not 
the way that you look at it, but a kinetic attack will almost 
certainly involve a strong response from this government. But 
on the other hand, a cyber attack may not elicit a response. So 
the question I have is, are there rules of engagement for cyber 
attacks on chemical facilities in this country?
    Mr. Beers. Sir, there are general rules of engagement that 
is not part of the DHS activity set. That belongs to the 
Department of Defense. But we and the Department of Defense and 
the Department of Justice have a very robust effort to work 
together on a regular basis at all of those things short of an 
actual attack. I mean, we are, as you well know, in a sort of 
cold state of a lot of reconnaissance, a lot of intellectual 
property theft that is going on now that the three departments 
are working mightily to try to deal with. But the offensive 
side is the domain of the Department of Defense. We are aware 
of what they do in a general sense but it is not part of our 
responsibility.
    Mr. McNerney. So I mean there must be some coordination 
then. I mean cyber attacks are happening on a continuing basis, 
some of them less of a threat and some of them more of a 
threat. And so what I would like to get is some comfort that 
there is going to be a consequence to conducting cyber attacks 
at any level on facilities in this country.
    Mr. Beers. Sir, I certainly can't comment on that in this 
unclassified setting.
    Mr. McNerney. OK. Mr. Chairman, I yield back.
    Mr. Shimkus. The gentleman yields back the time.
    The chair now recognizes the gentleman from West Virginia, 
Mr. McKinley, for 5 minutes.
    Mr. McKinley. Thank you, Mr. Chairman. This is an 
interesting subject.
    Mr. Shimkus. Mr. McKinley, can you turn your mike on, I 
think?
    Mr. McKinley. It is on.
    Mr. Shimkus. Oh, you do.
    Mr. McKinley. Yes, this is an interesting subject. As an 
engineer and as someone who has worked in some of these 
chemical plants, I am curious to learn more about what we have 
been doing and how long it has been going on. I am just 
curious, first, I guess is, do either of you feel are terrorism 
threats on the rise? Is it status? What is happening in this 
country? I am just curious.
    Mr. Beers. Yes, sir. That is a very good question. I think 
what we have seen since 9/11, a continued threat within the 
country that has been primarily executed by individuals who 
have been inspired by the rhetoric of the jihadists to conduct 
acts within the country. Fortunately, we have been able to 
thwart most of them. Some of them just simply failed because 
they weren't very well executed. The Bureau has a very 
extensive program trying to detect this. Could something happen 
from overseas again? Yes, that is always a possibility, but 
that is a major effort that we and the other departments are 
working on.
    Mr. McKinley. Well, again, are the attacks on the rise? 
Threats I should say. Are threats of attacks on the rise?
    Mr. Beers. Are threats of attacks on the rise? The threat 
and capability, because aspirational threats----
    Mr. McKinley. It should be just a yes or no. Isn't it a yes 
or no?
    Mr. Beers [continuing]. Occur on a regular basis and you 
could look--and there is something every day. Threat and 
capability matched with one another----
    Mr. McKinley. Are threats on the rise?
    Mr. Beers [continuing]. I think at this point are not on 
the rise.
    Mr. McKinley. OK. That is fine.
    Mr. Beers. Are not on the rise.
    Mr. McKinley. What is their objective? Is it just to have 
access? Are they trying to just blow up a facility? What is the 
threat that you are hearing? What are they trying to 
accomplish?
    Mr. Beers. So there is the local objective and there is the 
broader objective, and they think in both of these realms. The 
local objective is to have an event that is sufficiently 
newsworthy, sufficiently damaging, that it causes people to 
take notice of it and gives them credit for the ability to 
actually execute. The broader issue, though, is to destroy--and 
bin Laden and his successors have been very clear about this--
is to destroy the will of the West, and the will of the United 
States to oppose them and withdraw from the region.
    Mr. McKinley. So if I can continue with the question, can 
you give me an example of a chemical facility that has been 
attacked successfully in the West?
    Mr. Beers. No, sir. Unless you want to include the Amenas 
plant in Algeria, which is the one recent one----
    Mr. McKinley. OK. That is fair.
    Mr. Beers [continuing]. That we had, but other than that, I 
can't tell you.
    Mr. McKinley. It is one thing if they want to disrupt it, 
would we not pose a threat also in where the products that we 
are producing in these chemical plants--does it extend your 
risk assessment and evaluation? Does that also go to the 
distribution centers and transportation or is it just at the 
plant?
    Mr. Beers. It is in all of those, sir, depending upon the 
holdings, where the holdings are----
    Mr. McKinley. So you go the whole route. You are not just 
on risk assessment----
    Mr. Beers. But again, if the holding isn't large enough to 
be tiered in by the consequence, then they are not regulated. 
But we do look at distribution centers as well. David, you want 
to----
    Mr. Wulf. But CFATS focuses on facilities. So there are 
other agencies that deal with the transportation sectors. So 
the transportation of hazardous materials is covered by the 
Department of Transportation and the Transportation Security 
Administration. CFATS is focused on facilities but certainly 
including distribution centers. And among the chemicals of 
interest that we assess are those chemicals that could be 
successfully used by terrorists in an attack as well as 
chemicals that can be released.
    Mr. McKinley. In the time frame that I have left, are the 
four other European nations, do they have something comparable 
to what we are doing here?
    Mr. Wulf. I think in many ways we are on the cutting edge 
here. And I think CFATS is a sound program and really a model 
that, were it implemented elsewhere could be of value to 
securing chemical facilities and hardening them against 
potential terrorist attacks.
    Mr. Shimkus. Gentleman's----
    Mr. McKinley. OK. Time has expired on that, but I just want 
to say, even though they have not had an attack in Europe and 
they don't have anything comparable to this, I am just curious.
    Mr. Wulf. I think Congress' assessment and our assessment 
as well is that high-risk chemical facilities pose a very 
attractive target to terrorists.
    Mr. McKinley. Thank you.
    Mr. Shimkus. The gentleman's time has expired.
    The chair will now recognize the gentleman from Ohio, Mr. 
Johnson, for 5 minutes.
    Mr. Johnson. Thank you, Mr. Chairman.
    Mr. Beers, the Department of Homeland Security has adjusted 
its chemicals-of-interest release model because of errors in 
the formula. Are you aware of any other issues that may affect 
this or any other models within the risk assessment approach?
    Mr. Beers. Sir, I am not, but let me turn to my expert here 
and ask him if there is anything you want to add to that.
    Mr. Wulf. No. Our documentation found some minor issues 
that we have briefed staff on and that we have addressed and 
that have not led to significant re-tierings or significant 
numbers of re-tierings of facilities. So we are looking forward 
to receiving the report from the Peer Review Panel and any 
recommendations for improvements they may have for the tiering 
engine.
    Mr. Johnson. Is this the expert panel review that you are 
talking about?
    Mr. Wulf. That is right.
    Mr. Johnson. OK. Before you became aware of problems with 
the chemicals-of-interest release model, had you conducted any 
evaluations, Mr. Beers, of the risk-tiering approach?
    Mr. Beers. Sir, before we became aware of that particular 
problem, I am not aware of any reviews that had taken place. 
Having said that, it was, as we look backward on when that 
matter was brought to my attention, that there were questions 
about it a year prior to that. And the review that happened at 
that time turned out not to be an accurate review. So in that 
sense, there were anomalies that were looked at; unfortunately, 
they failed to detect the problem that ultimately surfaced 
several years ago.
    Mr. Johnson. OK. All right. In regards to the expert panel 
review, it is our understanding that the current expert panel 
review will not include a formal validation or verification of 
the model. How does that impact the value of the review?
    Mr. Wulf. We have asked the panel to take a full look at 
the program, at the tiering methodology, and to give us an 
assessment as to whether it is, in fact, a sound methodology 
for assessing risk and also to provide us any recommendations 
for potential enhancements and improvements to the methodology. 
So I don't anticipate a formal stamp of approval, but I expect 
that they will let us know how they feel about what we are 
doing in the tiering arena.
    Mr. Johnson. But it is important though, right? I mean, it 
is important to get that information, to get that stamp of 
approval.
    Mr. Wulf. I think that is why we are doing this. Not to----
    Mr. Johnson. But you said you are not expecting a stamp of 
approval.
    Mr. Wulf. Well, not----
    Mr. Johnson. So there is----
    Mr. Wulf [continuing]. An actual stamp, I guess.
    Mr. Johnson. Yes.
    Mr. Wulf. I am----
    Mr. Johnson. We don't want them to just look at it; we want 
them to give us a validation and verification that the model is 
accurate according to what we know today. Correct?
    Mr. Wulf. Yes. We want them to look at the methodology and 
let us know their thoughts on whether it works and if there are 
ways in which it could work better.
    Mr. Johnson. OK. Given that you have not been able to 
review the Site Security Plans for the Tier 3 and 4 facilities, 
how would you characterize how they are currently being 
regulated?
    Mr. Wulf. Well, I would mention that we have begun review 
of the Tier 3 Site Security Plans and I have authorized some of 
those. But that is admittedly in the early stages.
    Mr. Johnson. Tier 3 and 4, or just 3?
    Mr. Wulf. Tier 3. Tier 3.
    Mr. Johnson. OK. So 4 is not being included?
    Mr. Wulf. Tier 4 reviews have not begun on the SSPs. But I 
would say that across the tiers to include Tiers 3 and 4 CFATS 
has had an impact. Those Tier 3 and Tier 4 facilities have gone 
through the top screen process, have developed security 
vulnerability assessments, have, in most cases, met directly 
with CFATS inspectors who have worked with them through 
compliance assistance visits and other outreach in the order of 
more than 3,000 such visits and encounters to work with them on 
the development of their Site Security Plans. So I think in all 
cases, even without authorization or approval of those 
facilities, their security has been enhanced by CFATS and the 
work of our inspectors.
    Mr. Johnson. OK. With that I yield back, Mr. Chairman.
    Mr. Shimkus. The gentleman's time has expired.
    The chair now recognizes the gentleman from Mississippi, 
Mr. Harper, for 5 minutes.
    Mr. Harper. Thank you, Mr. Chairman.
    Thank you, gentlemen for being here. I know this is always 
an exciting time, but we welcome you and appreciate the 
insight. We are obviously concerned about security for these 
facilities, how we accomplish that. And as we are looking at 
the number of facilities we have, has there ever been any 
thought on your side of maybe just limiting the scope of 
regulating facilities only to the Tier 1 and Tier 2 facilities? 
Has there been any thought on that?
    Mr. Wulf. I would say that, no, there hasn't. Inasmuch as 
all four tiers represent high-risk chemical facilities and a 
relatively small percentage of the total number of chemical 
facilities in the country, our assessment is that all four 
tiers are worth covering under CFATS.
    Mr. Harper. Do you agree with that?
    Mr. Beers. Sir, remembering that this is a consequence-
focused----
    Mr. Harper. Yes, sir.
    Mr. Beers [continuing]. Issue, the original decision on all 
four of the tiers were that the consequences, the potential 
loss of life in the vicinity of those facilities--this is the 
primary reason----
    Mr. Harper. Yes, sir.
    Mr. Beers [continuing]. Was significant in terms of the 
communities that surrounded them. So it is, as you well know, 
impossible to put a cost on the loss of even one life. So that 
is why this is such an important decision and why we really 
haven't gone that step and said, no, that 3 and 4 are not high-
risk.
    Mr. Harper. OK. Let me ask this: as you are establishing 
these, you do a preliminary tier risk rating and then you do 
further evaluation--the SVA--and you determine what the final 
rating is.
    Mr. Beers. Yes.
    Mr. Harper. And once that is established, what is the 
review process after that? Is there a time with that final tier 
risk rating that it might change in the future? How often are 
you going back to review those?
    Mr. Wulf. As facilities make changes to their chemical 
holdings or to their processes, they may submit a request for 
redetermination or may submit a revised top screen to ISCD and 
we will, you know, rerun that and assign as appropriate a----
    Mr. Beers. So the nearly 3,000 changes that have been 
made----
    Mr. Harper. Sure.
    Mr. Beers [continuing]. Including tiering out are a result 
of changes in holdings that have been able----
    Mr. Harper. OK.
    Mr. Beers [continuing]. To be recognized in that fashion.
    Mr. Harper. So is that possible review or change of a tier 
risk, is that something that you have to wait on them to notify 
you or are you on a schedule? Do you go back and review those 
yourself even if you are not notified of any changes on their 
part?
    Mr. Wulf. To the extent that our inspectors are out working 
with these facilities through compliance assistance visits or 
other outreach----
    Mr. Harper. OK.
    Mr. Wulf [continuing]. That is sort of the form that would 
take. So our involvement would happen in that way but there is 
not a formal process for going back and----
    Mr. Harper. Not a calendar date say every 2 years, 3 years 
we are going to come back and review? OK. Now, it is my 
understanding that if you have two facilities that have the 
same chemical of interest, one that has very little physical 
security near a major city, and another stored with the same 
chemical in an extremely secure location near that same major 
city, they would be tiered identically? Is that accurate? If it 
is the same chemical of interest, regardless of the level of 
security near that major city, in two different facilities, 
would they be tiered the same?
    Mr. Wulf. I think that is accurate.
    Mr. Harper. OK.
    Mr. Wulf. The tiering is based on the potential consequence 
of that.
    Mr. Harper. All right. Is that a good way to manage and 
mitigate chemical facility terrorism risk?
    Mr. Wulf. Well, I think it is in that the facility, without 
the hardened security would, as a result of being tiered, have 
to look to implement security measures, develop a Site Security 
Plan that would bring it up to an acceptable level of security.
    Mr. Beers. The whole notion here is we want to level the 
playing field so----
    Mr. Harper. Sure, but----
    Mr. Beers [continuing]. A secure facility is great. An 
unsecured facility is something that we would want to change. 
We want to take the unsecured facility and raise it to roughly 
equivalent standards to the secure facility.
    Mr. Harper. But it appears to me that perhaps we are 
discouraging high-risk chemical facilities from increasing 
security at their facilities and making them stronger. And I 
don't know that that is having the desired effect that you are 
saying you want. Is it having that impact? And my time is up, 
so I guess I won't get a formal answer from you.
    And I yield back.
    Mr. Shimkus. The gentleman yields back his time.
    And I see no other members. But before I dismiss the panel, 
I just want to reference the law. Because, Mr. Beers, you keep 
saying a consequence, which is something that we need to be 
concerned about. But that is not what the law says. The law 
says a risk-based system.
    Mr. Beers. Yes, sir.
    Mr. Shimkus. Consequence is a part of that but it is not 
the whole calculation. I think you have caused more questions 
by this testimony today than answered questions.
    So I think we will have them back, Mr. Ranking Member, to 
keep ferreting this out because the law is pretty clear. And 
you can see there are still a lot of questions on how we are 
trying to define this.
    So we do thank you for coming. We do have the ability to 
offer written questions as the ranking member of the full 
committee asked. And with that, we would dismiss the first 
panel.
    Mr. Beers. Sir, may I respond to the question that you 
posed in writing?
    Mr. Shimkus. Correct. You may. I would be happy to----
    Mr. Beers. I think if you are still not satisfied, then we 
have more work to do to----
    Mr. Shimkus. I think you have a lot more work to do.
    So we will dismiss this panel and we will have the second 
panel.
    Staff, if I can get the back doors closed. Someone? Then we 
can move promptly.
    We would like to continue the hearing and welcome our 
second panel, a one-member panel, so we can put full attention 
to the testimony and answer questions. So we would like to 
welcome Mr. Stephen Caldwell, Director of Homeland Security and 
Justice from the Government Accountability Office.
    Sir, your full statement is in the record. You are 
recognized for 5 minutes.

 STATEMENT OF STEPHEN L. CALDWELL, DIRECTOR, HOMELAND SECURITY 
         AND JUSTICE, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Caldwell. Thank you very much, Chairman Shimkus and 
Ranking Member Tonko. I appreciate being here to talk about 
CFATS and the findings in our about-to-be released report on 
the program.
    As you know, our earlier report focused on an internal DHS 
memo documenting management problems with the CFATS program and 
agency efforts to come up with corrective actions. But our 
current report focuses on agency efforts to do three things 
related to its core mission. The first of those is assess risks 
at the facility, which we have talked about quite a bit; review 
the Site Security Plans; and work with industry to improve 
security.
    Let me start with the risk assessments. As noted, both the 
Department and GAO have established criteria for risk 
assessments and these were not followed closely in the CFATS 
program. Specifically, the three elements of risk--threat, 
vulnerability, and consequence--were not all used. As has been 
discussed, vulnerability has not been used even though DHS does 
collect extensive information on it. Some of the CFATS program 
criteria in its own 2007 rule, including the economic 
consequences, also have yet to be implemented.
    Regarding the Site Security Plans, we found that the 
Department had a cumbersome process in place for reviewing the 
security plans which led to a backlog of security plans 
awaiting approval. The Department has attempted to streamline 
the review process by doing concurrent reviews among its 
experts when it had formerly been doing sequential reviews. 
However, the impacts of the streamlining is not known because 
no metrics were kept on how long the old process was taking.
    But even with a more streamlined review process, as we have 
noted in our statement, we are estimating 7 to 9 years to 
improve those facilities that have been tiered. But our 
estimate does exclude some of the important parts of the regime 
as a whole, such as the compliance inspections.
    Regarding industry, the CFATS program has increased its 
outreach, and this was noted in the inquiries we made through 
industry associations representing chemical facilities. The 
industry also expressed concerns about the burden of submitting 
and updating information to DHS, as well as frustration in 
wanting more details on the how and why the facilities were 
tiered a certain way. Some of these issues, as has been noted, 
may be resolved in terms of the Department is considering what 
information on its tiering process it might provide to 
industry. Nevertheless, the CFATS program could benefit from 
systematically monitoring the effectiveness of its outreach 
activities.
    In closing, I would like to briefly look back at our 
previous report, which commented on the serious management 
problems within the CFATS program. Because of a lack of 
documentation in the earlier years, we were really unable to 
determine the root causes for a lot of those problems. And this 
condition was found in our current work. As an example, we 
found no documentation as to why the current incomplete 
approach to risk assessment was chosen. So to some extent, the 
current program is still recovering from some of those earlier 
management problems.
    But we have found the Department to be responsive to our 
recent recommendations and our current findings. We hope their 
positive attitude continues to result in improvements.
    And related to this, I would like to note that my written 
statement is titled ``Preliminary Observations.'' Because we 
are still awaiting Department comments on the recommendations 
in our current draft report, we will finalize that report once 
we receive those comments and we anticipate issuing that in 
early April.
    With that, I am happy to respond to any questions.
    [The prepared statement of Mr. Caldwell follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Shimkus. Thank you, Mr. Caldwell.
    I would like to recognize myself for 5 minutes for the 
first round of questions.
    You were in here for the last panel and probably listened 
to my last exchange based upon the language of the law. Could 
you understand my frustration with the question based upon what 
members had said before about the formula for risk and if there 
are two variables that are undefined, how do you identify risk?
    Mr. Caldwell. Yes. I guess I agree with your point. The law 
calls for an assessment of risk, not of consequence. I think 
the DHS response we have heard today kind of indicates that the 
exclusion of vulnerability was part of a well-laid-out and 
thoughtful methodology and analysis that they used from the 
start. We certainly found no evidence of this. I mean our early 
discussions with methodology with them last year indicated the 
fissures did not know why the current methodology was picked or 
why vulnerability was left out. And there certainly was no 
documentation on that. It was really only when we raised the 
issue of the lack of the consideration of vulnerability----
    Mr. Shimkus. It was?
    Mr. Caldwell [continuing]. That the current narrative 
emerged that you heard today. So I think that really reinforces 
the need for an independent peer review, preferably earlier in 
the process than now because the problems they will have if 
they find major changes. And I have some other comments on peer 
review I can make as well.
    Mr. Shimkus. Did you get any comfort from the response that 
the formula is being reviewed by Sandia? And I think the 
frustration from my end was that we might take it; we might 
consider it. I mean, it was pretty vague as to whether all of 
this work that they would even consider is part of a fix to the 
formula.
    Mr. Caldwell. Yes. Let me make two comments on the peer 
review. I think based on our work today--and they have been 
sharing a lot of information with us--but we are still not sure 
how much of a free hand and leeway this new peer review is 
going to have, this expert panel. Will they have the leeway to 
really start from scratch and kind of come up with fundamental 
changes from the model if they think they are needed?
    And then, of course, we are also not really sure and the 
Department really hasn't committed to really how they would 
receive any major recommendations for changes because of 
impacts it could have on the peering process. So that is what I 
will call the peer review's need to do a review of the 
methodology.
    But what the peer review would also need to do to be 
comprehensive would be what is called the V and V, or a 
verification and validation. We know that there was some 
miscalculations found in the formula. This did lead to the re-
tiering of several facilities. Also, in the course of our work, 
we found out there was an omission of certain locations such as 
Hawaii, Alaska, and Puerto Rico from the data in the model 
calculations. And they don't think this will lead to any 
changes in tiering, but, I mean, together they certainly don't 
give us a warm, fuzzy feeling that they have looked at the 
actual mechanics of the model to make sure that even if the 
methodology is correct that the model is working the way it was 
intended to. So it is also important that the peer review do a 
V and V, a verification and validation, to actually look at the 
model, play with the numbers, do calculations, ensure they are 
correct, and maybe do some sensitivity analysis as well.
    Mr. Shimkus. Well, and just kind of following up on this 
line of questions because it was asked by one of my colleagues 
on data, data collection, and what is it used for. Again, a 
pretty vague answer by our first panel as to what they really 
needed, what they had, and why they had it. You found that 
owners and operators were spending unnecessary resources 
complying with CFATS data collection requirements. Can you 
elaborate on your findings?
    Mr. Caldwell. Well, I will say two things. I think whether 
the industry feels that they misspent funds or wasted funds, I 
will leave maybe for the third panel. You can ask them that. 
But in terms of the question about whether all this 
vulnerability data was useful that the Department is capturing 
but is not using, I think the way they put it is that it is 
data that then the facilities have been able to use or could 
use. So again, that is a question for the facilities. I mean, 
you could ask the facilities and industry----
    Mr. Shimkus. But the facilities are the ones who provide 
the data. So it is kind of like we got the data, we gave it to 
Homeland Security, and then Homeland Security says we got the 
data, here is your data because it is going to help you out, or 
the collection of that data will help you out. I mean, it is 
just----
    Mr. Caldwell. Yes.
    Mr. Shimkus [continuing]. Counterintuitive. I am struggling 
with this.
    Mr. Caldwell. We found that the Department is not using the 
vulnerability data at all that it collected from facilities.
    One other thing on that point, when we talked to them about 
why they were not using the vulnerability data, they said, 
well, they were concerned because it was self-reported and thus 
might be either exaggerated or not exaggerated. But everything 
in this thing is self-reported until--I mean everything going 
into tiering about how much chemicals they have and where they 
have them and the method of storage--all of that is self-
reported. So I am not sure that I agree with that distinction.
    Mr. Shimkus. You are not helping me very much but thank 
you. My frustration level continues to mount.
    So I would like to recognize the ranking member, Mr. Tonko, 
for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chairman. I hope you can relax 
for a moment.
    I thank you, Mr. Caldwell, for appearing here today.
    GAO's analysis reveals significant concerns about this 
important national security program and the sufficiency of the 
Department of Homeland Security's Action Plan to address these 
concerns. We heard from the Department on the first panel that 
they are taking GAO's findings seriously and intend to follow 
GAO's recommendations to strengthen the risk assessment models 
used in their programs.
    It seems that some of these concerns are long-standing. For 
instance, stakeholders have long called for a greater 
transparency in the risk assessment process. I welcome the 
GAO's testimony today and have a few questions that, I think, 
would be helpful in providing the information we require. To 
the DHS methodology itself, does it appropriately, in your 
opinion, account for threat?
    Mr. Caldwell. Threat is a little tougher. And so I think in 
our own analysis we have been less critical of the Department 
on that. And the reason that threat is more difficult is 
because the threat comes from a potentially adaptive adversary 
that can see where vulnerabilities have been reduced or maybe 
where vulnerabilities still exist and change their targets. But 
even more so, when you are looking at these chemical 
facilities, the facilities themselves could be attacked or some 
of the chemicals at those facilities could be stolen or 
diverted and then moved and then used again in a population 
center or any other location. So I think it is very difficult, 
and also I think in terms of some of the questions about threat 
there were asked, there just really is not a lot of actionable, 
real intelligence that shows there is a threat against these 
facilities or specific facilities.
    Mr. Tonko. Thank you. And to that methodology again, does 
it account for the two minimum components of consequences, that 
being human consequences and economic consequences?
    Mr. Caldwell. It does not include economic consequences. As 
the Department has stated, they have now engaged Sandia 
National Labs to do that but it has been a while. I mean, the 
rule came out in 2007 that specifically said that they would 
include that at some point. And if you look at the National 
Infrastructure Protection Plan it does say at a minimum 
consequence needs to include both human casualties and 
fatalities, those things, as well as the economic consequences.
    Mr. Tonko. Thank you. And I would imagine that GAO has 
looked at risk assessments prepared by many different agencies 
over the years. How would you say the CFATS risk assessments 
compare to the work at those other agencies?
    Mr. Caldwell. Well, there are a couple of examples I can 
think of. At the Coast Guard, for example, we have done 
extensive work on their risk assessment model. It is called the 
Maritime Security Risk Assessment Model. And it does include 
all the components. And that is probably the most sophisticated 
model within DHS because it also takes into account the 
mitigation efforts that a facility is doing and how that 
impacts the risk.
    There have been other cases--I believe it is TSA--I will 
have to correct my statement if I find that it is a different 
agency--where we found that vulnerability was also being held 
constant and we have made those recommendations that they not 
do that and that that particular component agreed with that 
recommendation.
    Mr. Tonko. Thank you. During the first panel Director Wulf 
indicated that including vulnerability in risk assessments 
would lead to an ever-changing tier assignment for a given 
facility. Is this a valid enough reason for leaving the 
criteria out of the assessment?
    Mr. Caldwell. Well, I think if in the beginning that was 
thought through and done on purpose, I could have maybe given 
him a little more sympathy if he is trying to design something 
to do that. But as I said, that narrative was developed pretty 
recently as to why was left out. There is a problem now in that 
a lot of these facilities, thousands of these facilities--and 
if there are major changes in their model because of the peer 
review or things we have said or adding the economic 
consequences, this could reasonably change the tiering of those 
facilities.
    Mr. Tonko. And this committee is aware of two mis-tiering 
incidences at the Department were facilities where placed in 
the wrong tier because of errors made by the Department. That 
is a serious problem. But now we hear from GAO that none of the 
more than 3,500 tiering decisions that have been made are 
reliable. They are all based on a risk assessment methodology 
that is seriously lacking. Is that an accurate assessment?
    Mr. Caldwell. I wouldn't use the term that this is a fatal 
flaw or things like that. But certainly we are questioning why 
they haven't included vulnerability. I think that we have a 
concern. Now, we do believe the best way to address that would 
be to have a peer review come in externally, review it. As we 
have said before, and as you said before, the National 
Academies of Sciences came in and found very similar problems 
across the Department that we are talking about here within the 
CFATS program.
    Mr. Tonko. Well, I see that my time has expired so I will 
yield back, Mr. Chairman.
    Mr. Shimkus. Thank you.
    The chair now recognizes the gentleman from Pennsylvania, 
Mr. Pitts, for 5 minutes.
    Mr. Pitts. Thank you, Mr. Chairman.
    Mr. Caldwell, you noted in your statement that it could 
take 7 to 9 years before ISCD completes the review of the 3,120 
security plans currently in the review queue and that the 
estimate does not include work by ISCD on other missioned 
activities. What are some examples of these ISCD activities?
    Mr. Caldwell. Well, that estimate does not include about 
900 facilities that have yet to be assigned into a final tier. 
Also, the time required to review the plans to resolve issues 
related to personnel surety take some time because some of the 
plans have been provisionally or conditionally approved. So 
they have to go back and revisit that once the personnel surety 
rule is in place. And then there are the compliance inspections 
that they would do which are separate from the plan approval, 
but those are generally done a year after. So you are looking 
at another year out there for individual facilities before they 
have the compliance inspections. And really, it is only until 
you have the compliance inspection whether you know that the 
facility is actually implementing the things in its security 
plan.
    Mr. Pitts. So will implementing these mission activities 
further delay full CFATS program implementation?
    Mr. Caldwell. Well, certainly until all of the pieces are 
in place, it is not going to be there. And I think several 
figures have been thrown out; 8 to 10 years we said in our last 
hearing. I mean, now, we are looking at 7 to 9 just for the 
approval plan. So it is going to be some time before this 
regime is completely in place. It is in contrast to maybe some 
of the other programs that were put in place after 9/11.
    Mr. Pitts. Now, the regulated industry says that ISCD's 
efforts to communicate regarding CFATS-related issues are mixed 
in effectiveness. Does ISCD measure the effectiveness of its 
outreach efforts and could they?
    Mr. Caldwell. No, they don't. They measure some of the 
things like how many meetings they have and those kinds of 
things, but they haven't outreached really to find out whether 
these have been effective so we are considering----
    Mr. Pitts. Should they or could they?
    Mr. Caldwell. Yes. And we are considering a recommendation 
with the Department. We are in discussions with a 
recommendation that we ask that they do so.
    Mr. Pitts. What should we take away from the input that you 
got from trade associations?
    Mr. Caldwell. Some of the things are working pretty well. 
The meetings with this Sector Coordinating Council seem to be 
effective according to industry. Also some of the visits to 
facilities, a little bit mixed there. I think the more recent 
things based on some of the testimony you will hear later today 
is that the officials doing those inspections from DHS do seem 
qualified and helpful, whereas I think some of the early 
responses that they were very reluctant to actually make useful 
concrete suggestions on how to improve security.
    Mr. Pitts. Now, you found that owners and operators were 
spending unnecessary resources complying with CFATS data 
collection requirements. Would you elaborate on that?
    Mr. Caldwell. I don't believe we ever said they were 
unnecessary. I just think they were worried about a substantial 
burden in terms of the cost it was taking to do these, 
particularly, if something changed and they did this. I think 
one of the things industry may tell you about in the next panel 
is the chemical industry can be a complicated business, so 
sometimes they change mixes of their chemicals in terms of some 
of their processes. And there has been a debate about whether 
then do they have to go back to DHS and resubmit everything 
because their mixture of chemicals is slightly different? It is 
a concern.
    Mr. Pitts. And what in your view is the difference between 
the current Site Security Plans and Alternative Security Plans?
    Mr. Caldwell. Well, I think the Alternative Security Plans 
look a little simpler. I think that they have some of the same 
information but perhaps in a more useful way because it is 
portrayed as a plan as opposed to a data dump of a lot of 
individual information that is in the DHS tool.
    Mr. Pitts. Thank you, Mr. Chairman.
    Mr. Shimkus. Thank you.
    The chair now recognizes the gentleman from California, Mr. 
McNerney, for 5 minutes.
    Mr. McNerney. Thank you, Mr. Chairman.
    Mr. Caldwell, we have been hearing this morning a lot about 
tiering formulas and about the risk assessment models. How 
familiar are you with the details of these models and formulas?
    Mr. Caldwell. We have not done the kind of verification and 
validation that a peer review of experts might do. So we have 
talked through what they use, we have discussed the factors, 
but I can't say we have tried to reproduce their models or do 
sensitivity analysis.
    Mr. McNerney. Are these by-and-large Excel spreadsheets or 
what do they look like? What form do they take or how do people 
have access to the models?
    Mr. Caldwell. It is an online tool so it is some kind of 
relational database. But beyond that, I can't tell you too much 
about the formulas or what the actual algorithms are.
    Mr. McNerney. And what sort of security do the models have 
in terms of making changes to parameters--not parameters but 
the way the models are executed? Is there a very secure 
methodology that is required for someone within DHS to change 
the model itself?
    Mr. Caldwell. We have not looked at the internal controls 
or the security settings on the model.
    Mr. McNerney. So as far as you know somebody in one of 
these departments can say, well, gee, I think this model is a 
little off; I am going to change it? I mean, there has to be 
some sort of control on these things.
    Mr. Caldwell. There should be, yes, sir.
    Mr. McNerney. Is that something you think you can find out 
or make an assessment?
    Mr. Caldwell. We can certainly ask the Department and 
answer that as a question for the record or if you could direct 
it to the Department, then that might expedite things or not.
    Mr. McNerney. All right. Thank you. I have a question. Were 
you assured by the under secretary's declaration that they have 
the best teams on cybersecurity and that they are on top of 
this issue and we don't have anything to worry about?
    Mr. Caldwell. That is not an aspect we looked at. So I have 
no comments on that.
    Mr. McNerney. So cybersecurity is not within your, sort of, 
realm?
    Mr. Caldwell. It is one of the many standards that they 
apply here. We do have other experts in GAO on cybersecurity 
that if you want to ask us a question for the record, we might 
be able to take that and answer it for you, sir.
    Mr. McNerney. All right. Thank you.
    That is all I have, Mr. Chairman.
    Mr. Shimkus. The chair thanks the gentleman.
    The chair now recognizes, I believe, the gentleman from 
Ohio, Mr. Latta, for 5 minutes.
    Mr. Latta. Well, thank you very much, Mr. Chairman. And 
thank you very much for being here. And we have got a couple of 
hearings going on so I am sorry that we are kind of in out 
today.
    But if I could start with this question: how important is 
it for the Infrastructure Security Compliance Division to have 
a complete validated and verified risk assessment approach?
    Mr. Caldwell. I mean I think our position is that the 
current approach is incomplete. So to the extent that they are 
using an incomplete model, they don't have an assurance that 
they are tiering these in the right fashion appropriate with 
the National Infrastructure Protection Plans criteria, which 
is, pretty much the Department's criteria in terms of how you 
do risk assessments.
    Mr. Latta. So how would you have to go about to get that 
complete?
    Mr. Wulf. You would have to include vulnerability in it and 
economic consequences are maybe the two minimum things that 
would need to be added into it. We have also asked that they 
update some of their threat data. Some of the threat data that 
they were using was a few years old, which they have agreed to 
do.
    Mr. Latta. OK. Thank you. Also, how important is it for the 
ISCD to eventually conduct an independent peer-review on CFATS 
risk assessment approach?
    Mr. Caldwell. We think it is very critical that there be an 
independent peer review. And I think you might have missed my 
answer talking to the chairman a few minutes ago, but there are 
really two factors. One is to make sure they have the 
methodology right, and secondly, to make sure the model, once 
you have the methodology right or at least with existing 
methodology, is the model actually functioning as intended? And 
as we have noted, there has been some miscalculations in the 
model that have been found which should, again, call for doing 
a verification and validation of the model itself.
    Mr. Latta. And just to follow up on that, how soon should 
that independent peer review occur?
    Mr. Caldwell. Well, I think it has already started. At 
least the panel that they have now, I think that there is a 
statement in Mr. Beers' written comments that if they need to 
do a second one, they are willing to do that as well. So the 
first one may be to find out where they are now, make some 
recommendations, and maybe would require a second peer review 
to actually go in and validate the model----
    Mr. Latta. OK.
    Mr. Caldwell [continuing]. With any changes.
    Mr. Latta. OK. Mr. Chairman, I have no further questions. 
Thank you.
    Mr. Shimkus. And the chair thanks the gentleman.
    The chair now recognizes the gentleman from Florida, Mr. 
Bilirakis, for 5 minutes.
    Mr. Bilirakis. Thank you, Mr. Chairman. I appreciate it 
very much. I have one question. What is the difference between 
the current Site Security Plans and Alternative Security Plans?
    Mr. Caldwell. The Alternative Security Plans are written 
more like a plan. The Site Security Plans that DHS has I would 
describe as more of a data dump. It is a lot of different data 
that is in there. I mean, both can be useful, but I think 
industry feels--and you can ask the third panel--that the 
alternative site plan or the Alternative Security Plan is a 
little more user-friendly and still get you there in the end.
    Mr. Bilirakis. Thank you, Mr. Chairman.
    Mr. Shimkus. Seeing no other members present, we would like 
to thank you, Mr. Caldwell, for appearing before us. You have 
done great work on this report. It looks like we have got a lot 
more work to do.
    And with that, we will allow the second panel to be 
dismissed and ask the third panel to join us at the table. 
Thank you, sir.
    Mr. Caldwell. Thank you very much.
    Mr. Shimkus. We want to thank the third panel for joining 
us and sitting through most of the testimony. I am sure that is 
going to be helpful for the remaining members as we listened to 
your opening statements and direct questions. And we will do so 
now.
    The first person that I would like to recognize is--yes, I 
am going to recognize Mr. Allmond--that is oK, Jerry, I am 
great--Mr. Allmond, who is vice president of the Society of 
Chemical Manufactures and Affiliates. Sir, you are recognized 
for 5 minutes. Your full statement is in the record.

STATEMENTS OF BILL ALLMOND, VICE PRESIDENT, SOCIETY OF CHEMICAL 
MANUFACTURERS AND AFFILIATES; TIMOTHY J. SCOTT, CHIEF SECURITY 
 OFFICER AND CORPORATE DIRECTOR, THE DOW CHEMICAL COMPANY, ON 
   BEHALF OF THE AMERICAN CHEMISTRY COUNCIL; CHARLIE DREVNA, 
 PRESIDENT, AMERICAN FUEL AND PETROCHEMICAL MANUFACTURERS; AND 
          RICK HIND, LEGISLATIVE DIRECTOR, GREENPEACE

                   STATEMENT OF BILL ALLMOND

    Mr. Allmond. Thank you. And good morning, Chairman Shimkus, 
Ranking Member Tonko, and members of the subcommittee.
    My name is Bill Allmond and I am the vice president of 
Government and Public Relations at the Society of Chemical 
Manufacturers and Affiliates. I am pleased to have the 
opportunity to provide you with an update on the Department of 
Homeland Security's implementation of CFATS from the 
perspective of specialty chemical manufacturers, many of which 
are small and medium-sized companies.
    Since the previous hearing last September, there are 
several areas we feel are worthy to highlight in terms of 
implementation progress. First, CFATS continues to reduce risk. 
Second, authorizing inspections are revealing some positives 
about DHS' implementation but also some challenges for small 
and medium-sized facilities. Lastly, a collaboration with the 
regulated community has improved.
    With respect to risk reduction, CFATS continues to drive 
facilities to reduce inherent hazards where, in their judgment, 
doing so is in fact safer, does not transfer risk to some other 
point in the supply chain, and makes economic sense. Today, 
nearly 3,000 facilities have changed processes or inventories 
in ways that have enabled them to screen out of the regulation.
    Furthermore, due to the outstanding cooperation of the 
chemical sector, there has been 100 percent compliance with 
requirements to date. DHS has not yet had to institute a single 
administrative penalty action to enforce compliance. As a 
result of CFATS, our Nation is more secure from terrorist 
chemical attacks than it was before the regulation's inception.
    Turning to DHS' inspection process, the few that so far 
have been conducted at SOCMA members reveal some positive 
aspects about how the Department is carrying out the 
regulation, as well as some challenges being presented among 
small and medium-sized facilities. Among the positives is the 
level of interaction of DHS inspectors with facilities 
scheduled for an inspection. Inspectors are providing 
sufficient details with facilities prior to their arrival, 
which aids the planning process to ensure resources and 
facility personnel are available.
    Similarly, facilities are finding DHS inspectors generally 
to be reasonable during the onsite inspection, which is perhaps 
due to the fact that some of them have chemical facility 
experience. Such operational familiarity is necessary when 
interpreting how risk-based performance standards apply to, and 
could be implemented at, such facilities.
    Importantly, inspections have so far appropriately verified 
a facility's approach to addressing risk-based performance 
standards. Inspectors appear not to be adhering rigidly to the 
RBPS guidance and instead to permitting company personnel to 
explain from the facility perspective, how they are 
appropriately implementing their Site Security Plan.
    The principal challenge that SOCMA's smaller facilities are 
finding with the inspection process, however, is the enormous 
amount of time and resources to meet DHS demands following an 
inspection. Of highest concern is an unwillingness by DHS to 
reasonably extend deadlines for facility response. In SOCMA's 
opinion, DHS should be more willing to extend the time of which 
a small and medium-sized facility has to respond to a post-
inspection report.
    Facilities are learning that, even if they had an 
inspection that went well, they are having to rewrite much of 
their Site Security Plans. Under a 30-day deadline, which has 
been the usual case, facilities are having to pull two to three 
workers for 2 to 3 days each to ensure that they meet the 
deadline. To us, this is unreasonable. In small companies, 
there simply may not be more than a few people qualified to 
work on security measures and all those people have other 
obligations which frequently include compliance with other 
regulatory programs.
    It is still early in the inspections process, and these 
burdens are now coming to light. However, DHS still has time to 
make adjustments given a willingness to do so.
    And lastly, collaboration with facilities on implementation 
has improved. We are pleased that DHS has recently worked with 
industry to establish an alternative security program template 
with possibly more the future.

    Additionally, DHS appears prepared this year to co-host 
another Chemical Sector Security Summit. For the past 6 years 
the Summit has been a collaborative effort by the Department 
and the chemical sector to provide an educational forum for 
CFATS stakeholders. An overwhelming majority of attendees each 
year are industry personnel who, when satisfaction surveys, 
consistently rate the Summit as having a high value to them.
    Many of the improvements over the past year have occurred 
under leadership of Deputy Under Secretary Suzanne Spaulding 
and Director David Wulf and their actions to help put CFATS 
back on track is worthy of recognition. I appreciate the 
opportunity to testify this morning and I look forward to your 
questions.
    [The prepared statement of Mr. Allmond follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Shimkus. Thank you very much. I would now like to 
recognize, as I move my papers all around--where is his name? 
Here it is--Mr. Timothy Scott, Chief Security Officer and 
Corporate Director of Dow Chemical Company, on behalf of The 
American Chemistry Council. Sir, you are recognized for 5 
minutes.

                 STATEMENT OF TIMOTHY J. SCOTT

    Mr. Scott. Thank you, Chairman Shimkus, Ranking Member 
Tonko, and members of the subcommittee. I am Tim Scott, Chief 
Security officer of the Dow Chemical Company, speaking today on 
behalf of Dow and the American Chemistry Counsel.
    The chemical industry and Department of Homeland Security 
have a common goal: to improve the security profile of the 
chemical sector and reduce the risk of attack against industry 
or the use of chemicals as a weapon. Our positions are that 
security is a top priority of the chemical industry. Progress 
has been made in all areas of chemical security, but there is 
still, obviously, work to be done. ACC will continue to partner 
with DHS to achieve success and we need the certainty of a 
multiyear extension of DHS authority for a sustainable program. 
Progress has been made and we need to build on that progress as 
respectful partners with different skills and expertise but 
with a common goal.
    DHS has evaluated nearly 40,000 chemical facilities across 
United States initially identifying more than 7,000 as 
potentially high-risk. Since then, more than 3,000 facilities 
have lowered their chemical risk profile, clear evidence that 
we have made progress. Last year, ACC published an alternative 
security program guidance document available at no cost to the 
regulated community, the result of a year-long effort and full 
cooperation with DHS. This ASP approach offers an efficient 
alternative to DHS process and is an excellent example of how 
an effective public-private partnership can create smart 
regulatory solutions that benefit both partners, while ensuring 
the security and safety of our industry.
    While we have made progress, there are many more 
opportunities for efficient and effective compliance options 
that will accelerate CFATS implementation while maintaining the 
quality and integrity of the program. Existing industry 
security programs such as the Responsible Care Security Code 
should be recognized by DHS under their ASP authority as 
meeting the initial hurdles for authorization, thus 
streamlining and prioritizing reviews, especially at the lower 
tiered sites.
    We must develop a workable process regarding personnel 
surety. The goal of the PSP program is to ensure that personnel 
accessing sensitive sites of high-risk chemical facilities are 
trustworthy and do not pose a security risk. It is essential 
that these individuals are properly vetted against the 
terrorist screening database. We all agree on that. But is also 
essential that the site know these individuals are cleared 
before granting access to such sensitive areas.
    Under the current proposals, industry submits the 
individual's personal information and receives no verification 
of any kind. We are supposed to be satisfied that simply 
submitting the data is enough to grant site access. This is 
simply a poor security practice, especially when solutions 
already exist. It is good to hear that we may be making 
progress in this area with DHS. By leveraging existing PSP 
programs and allowing for corporate and third-party submissions 
for vetting against a terrorist screening database, a 
significant reporting burden will be minimized and the 
integrity of the program will be much improved.
    Another opportunity for efficiency that can easily be 
implemented is in what we call corporate audits. These audits 
cover areas of the risk-based performance standards in which 
many companies' sites operate under a single corporate process, 
such as cybersecurity or security escalation processes. Current 
inspections often have inspectors getting the same corporate 
answers site-by-site instead of addressing the issue once at 
the corporate level. This can unnecessarily extend the length 
of a site inspection. We also heard that DHS is working on 
this.
    ACC believes that DHS should be more transparent about all 
factors related to a covered facility's risk assessment. Trust 
is at the core of an effective security partnership and ACC 
strongly recommends that DHS improve the transparency of its 
risk determinations with the site security managers. A lack of 
transparency has been the source for many of the inefficiencies 
and missteps during the CFATS implementation.
    The CFATS concept is fundamentally sound, risk-based, 
focused on the right priorities allowing regulated sites to 
choose and apply customized security solutions for DHS review 
and evaluation for compliance with the DHS-established risk-
based performance standards. And that is the goal, to meet the 
standards. And industry will.
    DHS has demonstrated renewed commitment and effort to our 
partnership due in part by oversight of this committee. ACC 
urges Congress to provide DHS extended statutory authority for 
the CFATS program to provide the regulatory certainty and 
stability needed for industry to make prudent security 
investment and capital planning decisions. Industry and DHS 
have made progress in improving the security of the chemical 
sector. There have been missteps, but we should acknowledge the 
progress and the challenge and commit to making CFATS work. 
Thank you.
    [The prepared statement of Mr. Scott follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Shimkus. Thank you. Next, I would like to recognize Mr. 
Charlie Drevna, President, American Fuel and Petrochemical 
Manufacturers.
    Sir, you are recognized for 5 minutes.

                  STATEMENT OF CHARLIE DREVNA

    Mr. Drevna. Chairman Shimkus, Ranking Member Tonko, and 
members of the subcommittee, thank you for giving me the 
opportunity to testify today on today's hearing on the progress 
report of the CFATS program. I am Charlie Drevna and I serve as 
president of AFPM.
    We are a 111-year-old trade association representing high-
tech American manufactures that use oil and natural gas liquids 
as raw materials to make virtually the entire supply of U.S. 
gasoline, diesel, jet fuel, other fuels such as home heating 
oil, as well as the petrochemicals used as building blocks for 
thousands of products vital in everyone's daily lives.
    America's refining and petrochemical companies play a 
pivotal role in ensuring and maintaining the security of 
America's energy and petrochemical infrastructure. Nothing is 
more important to AFPM member companies than the safety and 
security of our employees, facilities, and communities. Our 
members have worked extensively with the Department of Homeland 
Security and we have invested hundreds of millions of dollars. 
And we don't mind investing the money as long as we know it is 
going for the right reasons, and again, toward strengthening 
facility security.
    Our industry also recognizes that protection of critical 
infrastructure against potential threats or terrorist attacks 
should be a shared responsibility between government and 
stakeholders.
    AFPM appreciates that DHS conducted an internal review to 
identify administrative and implementation problems that 
require immediate action and that the Agency developed an 
Action Plan for improving CFATS implementation. But it is 
important, however, to recognize that the structure of the 
CFATS framework itself is sound, even though the leaked report 
from GAO revealed the implementation of CFATS program was 
somewhat flawed.
    Additionally, America's critical infrastructure facilities 
are secure and there have been no attacks on chemical 
facilities since development of the CFATS program. Nonetheless, 
it is clear that DHS needs to better manage its resources and 
set priorities to make progress in areas that need immediate 
action, including faster approval of Site Security Plans and 
finalizing a workable Personnel Surety Program, a PSP. Such 
measures would work to strengthen the program and our national 
security.
    AFPM believes that DHS has made progress over the past year 
to address the problems identified in the DHS-leaked report and 
Action Plan. However, DHS should continue to make improvements 
by addressing issues including personnel surety with the help 
of the industry in order to enhance the overall effectiveness 
of CFATS implementation in the short-term.
    AFPM is pleased that DHS withdrew the personnel surety 
proposal from the Office of Management and Budget last July and 
then held a series of meetings with industry to take another 
look at this issue. Congress intended, and I heard today a 
repeat of that intent, that the risk-based performance standard 
on personnel surety which governs access to high-risk 
facilities, allow facilities the flexibility to determine the 
most efficient manner to meet that standard.
    Instead, DHS initially proposed and arguably prescribed PSP 
program that failed to recognize the Transportation Worker 
Identification Credential, or TWIC card, and other established 
federal vetting programs. Such a program would have been 
burdensome to both DHS and industry, and would be a wasteful 
and ineffective use of agency and industry resources. Instead 
of proposing a duplicative, burdensome PSP, DHS should remain 
focused on fixing the current problems and not expand beyond 
the scopes of the core CFATS program.
    The PSP program must be fixed soon and we hope that DHS 
will honor the TWIC and other federal credentials at CFATS 
sites. Facilities should have the option to use federally 
secure vetting programs such as TWIC to satisfy CFATS without 
submitting additional personnel information. AFPM supports a 
PSP program that requires only a one-time submission of 
personnel identifying information to DHS, recognition of TWIC 
and other federal credentials, and the use of third-party 
submitters for corporate submissions. This would lessen the 
burden on both DHS and industry, and would potentially account 
for half of the population affected by the Personnel Surety 
Programs, specifically, contractors coming to CFATS sites who 
would already have those cards.
    Stakeholder input is necessary. To assist DHS in addressing 
CFATS implementation challenges, continued stakeholder input is 
necessary. We are encouraged that we are seeing DHS do this 
more and more.
    In summary, AFPM believes that DHS has made progress over 
the year addressing the problems identified in the internal 
report. We also acknowledge that there is been far greater 
outreach and more detailed discussions with DHS, and we hope 
that those continue in the future.
    Thank you and I look forward to any questions you may have 
regarding my testimony.
    [The prepared statement of Mr. Drevna follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Shimkus. Thank you. And now the chair recognizes Mr. 
Rick Hind, Legislative Director for Greenpeace. Sir, you are 
recognized for 5 minutes.

                     STATEMENT OF RICK HIND

    Mr. Hind. Thank you, Mr. Chairman. My name is Rick Hind. I 
am the legislative director of Greenpeace, as you mentioned. I 
appreciate the opportunity to talk to you today both to this 
committee and with this panel here.
    We work with over 100 other organizations, mainly unions, 
environmental justice organizations, other environmental 
groups, security experts, 9/11 families, and others who, for 10 
years, have pushed for disaster prevention. The legislation 
that passed the House in 2009--November, actually, 2009--had 
that component in it but it also addressed a lot of the 
problems that you have been hearing about today. It provided 
for regular scheduling of the DHS issuing vulnerability and 
security plans as well as keeping regular reports back to 
Congress. I think you probably would have been hearing about 
any these problems in 2011 at the latest if that legislation 
had been enacted in 2010.
    That legislation also would have seamlessly replaced the 
2006 authorization that you have referred to earlier, which was 
never really thought to be adequate. Everybody knew that and 
that is why it had a 3-year expiration date on it. And today, 
we are extending it now 6 years, 1 or so years at a time, and 
therefore, I think you have appropriately given the due that 
DHS staff deserved. Their dedication and stick-to-itiveness in 
a program that is really inadequate, from the legislative 
foundation through to the continuity of its funding by 
Congress.
    However, the kind of big elephants in the room that we see 
unaddressed are the fact that the statute actually prohibits 
the government from requiring disaster prevention in the 
statute barring any particular security measure for approval of 
security plans. In addition, the statute actually exempts 
thousands of facilities. So what we are talking about here when 
you think of the classic Bhopal disaster of poison gas drifting 
out of a plant endangering people--and in this country we have 
hundreds of plants that can do that.
    In looking at the tiering of DHS, if you separate that by 
risk issue, or I should say security issue, the release issue 
security facilities in Tiers 1 and 2 totals 35. That is 
totaling, in all 4 tiers, 370 facilities. That data is 2011 so 
it may be slightly less now. The point is that less than 10 
percent of the facilities that you think of as the 3,900 CFATS 
facilities may be chemical disasters in the sense we all think 
of it as. And that is because they are being regulated by other 
programs like the MTSA, which look at more the water access of 
the facility.
    Major facilities in the country, like this Keeney plant, 
probably the highest-risk facility in the United States, is 
regulated by MTSA. That facility puts 12 million people at 
risk. They, for 2 years on their Web site, say they are 
converting. We hope they are. Clorox converted all of their 
facilities in 3 years eliminating these risks to 13 million 
people. And we say risk, we mean a consequence; we mean the 
poison gas like chlorine that can drift 14 to 20 miles from a 
facility and put everyone downwind in danger of pulmonary 
edema, which would mean your lungs would literally melt. You 
would drown in your lung fluid. Those who would survive could 
have long-lasting, lifelong health problems.
    So when we hear about the rush to approve security plans 
now, and were not comforted by the 7- to 9-year schedule GAO 
brings out, we are also not comforted by the fact that it is 
not a complete deck that we are dealing with here. So approval 
of a plan doesn't necessarily make it secure and it certainly 
doesn't make it no longer vulnerable. The CEO of DuPont 
admitted that if an airplane or a small helicopter coming into 
a plant couldn't be stopped by fence-line security, which is 
the entire basis of this kind of security.
    Similar communities living near these plants are not 
comforted by these Alternative Security Plans developed by 
industry lobbies. They have heard too often when they have 
sheltered in place, or see explosions and flares and fires--
were averaging about 45 a year, by the way, at refineries--that 
everything is oK. There are no dangerous levels of chemicals 
released.
    So when you look at our testimony, look at the people who 
we have quoted in there, but also look at the Center for 
American Progress reports we sited, which identified hundreds 
of facilities that have converted and eliminated these risks to 
millions of people. We think any plant that can convert should 
be required to convert and, in fact, the CEP studies found that 
87 percent of those converted that were surveyed did so for $1 
million or less; 1/3 expected to save money. So this is good 
business. It also means eliminating liability and regulatory 
obligations.
    And I have much more to say but I will wait for your 
questions. Thank you again for allowing us to appear today.
    [The prepared statement of Mr. Hind follows:]

    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
    
    Mr. Shimkus. Thank you, Mr. Hind.
    Now, I would like to recognize myself for the first 5 
minutes of questions.
    I want to start off whatever script I was given to ask Mr. 
Scott a question. Were you in the room when Representative 
McKinley was asking about the risk assessment issue? And, of 
course, DHS responded that, well, we don't know of any 
identifiable risks. And I am paraphrasing here--then the 
question went to about European security and DHS responded, 
well, we think we are the gold standard. Since you operate 
around the globe, does individual European countries or the EU 
at large have a CFATS-type program?
    Mr. Scott. No, but they are discussing a similar program. 
The difference you have there, you are working between various 
countries. But they do have regulations in place like the 
Seveso regulations that impact offsite types of emergencies. 
The EU is having a conversation about are there any general 
rules and regulations that we can put in place? They have been 
talking. They have talked with DHS in the past. We are working 
with----
    Mr. Shimkus. Maybe they should talk with our GAO, our 
Government Accounting Office, then DHS.
    Mr. Scott. Yes. Well, DHS is a standard; I wouldn't say it 
is a gold standard. But the folks overseas are looking at 
similar directions to go, both in transportation and site 
security. But we also have a lot of work that we have done over 
there through the Responsible Care Code. It is a global code. 
So that has been implemented. And a lot of the same safety and 
security cultures that are in place in the U.S. are in place 
throughout Europe.
    Mr. Shimkus. I appreciate that.
    Now, for Mr. Allmond and Mr. Scott and Mr. Drevna, GAO 
reports--and you all have heard these conversations earlier 
today--that DHS largely disregards vulnerability, economic 
criticality, and threat assessments as part of the risk 
calculations making CFATS a modified consequence prevention-
only program. Are you concerned your members might be 
overregulated or under-tiered? Mr. Allmond?
    Mr. Allmond. Well, certainly these revelations are 
concerning. And it is going to take me some time to get back to 
my members to find out from their perspective how they would 
like to proceed. I think completely stopping the CFATS program 
from going forward probably would be overboard. Perhaps some 
components could go forward. But certainly----
    Mr. Shimkus. OK. But you were here during the testimony. Do 
you think that some of your folks are overregulated or under-
tiered? It is pretty easy----
    Mr. Allmond. Well, at this point it seems like that may be 
the case.
    Mr. Shimkus. Thank you. Mr. Scott?
    Mr. Scott. I would say yes. Looking at the variability in 
the sites that we have that are covered, there is a lot of 
question on how we got where we got.
    Mr. Shimkus. Mr. Drevna?
    Mr. Drevna. I concur.
    Mr. Shimkus. You have heard from panels one and two that 
DHS has collected a lot of information that it will not use in 
risk assessment. Are you comfortable with that? Mr. Allmond?
    Mr. Allmond. No, we are not.
    Mr. Shimkus. And why?
    Mr. Allmond. DHS should use the information that is given 
to them. As has been testify before, there has been an enormous 
amount of resources given to--from our side--given to the 
Department that we are compelled to do and there is an 
understanding that the Department is going to use that 
information.
    Mr. Shimkus. Mr. Scott?
    Mr. Scott. I agree. The inefficiency in the process caused 
a lot of unnecessary work, a lot of information that they have 
never used, and we don't know where the information went. It 
seems like they felt like they had the answer before we started 
the process.
    Mr. Shimkus. Mr. Drevna?
    Mr. Drevna. Yes. And I would like to add to that, Chairman 
Shimkus, that in chemical facilities you are changing processes 
constantly. So we are submitting information, it goes 
somewhere, lots of information, up to 900 questions on some 
things. It goes somewhere. Whether it is used or not, probably 
not all of it. Again, if it is vital, perfect. If it is not, 
let us work with you to get it done. But then you change your 
process again, you may have to go through the whole thing again 
because these things are not static kinds of plants. We are 
always changing volumes and chemicals.
    Mr. Shimkus. Mr. Scott?
    Mr. Scott. I would like to add to that. That is one of the 
big issues that we have is we typically have larger plants, a 
lot of processes in those plants and we are required to submit 
any time we change anything in the process, make another 
submission. That puts you back to square one in the whole 
process.
    Mr. Shimkus. And just because my time is getting short, and 
Mr. McNerney is not here, but he talked a lot about cyber 
stuff. So you have got all this data going somewhere. If it is 
not being used, why it is being held and what is the risk of 
that being pulled out to make your facilities less secure. Is 
that a risk? Mr. Scott?
    Mr. Scott. Well, it is a risk whenever you release the 
information that you hope it is going to be secure. But in the 
earlier panel, we also heard that, well, maybe we can 
declassify that so everybody can talk about it. And I am 
concerned about the level of declassification. If it is just 
open to the public, that is a real security concern.
    Mr. Shimkus. Anyone else while my time is expired? Mr. 
Drevna?
    Mr. Drevna. I would like to add to that. You are probably 
one hit of forward or reply all from exactly what Mr. Scott was 
just talking about.
    Mr. Allmond. Absolutely.
    Mr. Shimkus. Mr. Allmond. OK. Thank you. The chair now 
recognizes ranking member, Mr. Tonko, for 5 minutes.
    Mr. Tonko. Thank you, Mr. Chairman.
    And to the gentleman on the panel, thank you for your time 
and your input today.
    To the industry witnesses, did you participate in GAO's 
survey?
    Mr. Allmond. Oh, SOCMA did, yes.
    Mr. Scott. ACC did, yes.
    Mr. Drevna. Yes, sir.
    Mr. Tonko. So you all did.
    GAO found that transparency in the tiering process should 
be improved. Can each of you state whether you agree with this 
GAO conclusion?
    Mr. Allmond. I will say absolutely. As Mr. Scott was 
saying, a lot of times these facilities give information 
without getting a really detailed understanding about why they 
got the tier level they did.
    Mr. Scott. All of the information was submitted. I 
absolutely think it should be more transparent with the people 
that we were supposed to be working as partners.
    Mr. Drevna. I agree, Mr. Tonko. But I will say that the 
process has somewhat improved. We have got a long way to go, 
but we weren't where we were before this report came out.
    Mr. Tonko. Mr. Drevna, you talked about the PSP process----
    Mr. Drevna. Yes, sir.
    Mr. Tonko [continuing]. And utilizing it more readily.
    Mr. Drevna. Yes, sir.
    Mr. Tonko. Can you just develop that a bit for me?
    Mr. Drevna. Well, at refineries and petrochemical 
facilities, you have constantly--you have your own employees--
but you have constant, contractors coming in and out, 
turnarounds, changeovers, et cetera, and they are authorized, 
the contractors, under TWIC, Transportation Worker 
Identification Credential. And what the DHS will tell us is 
that, well, we are coming up with a remedy for that but those 
rules aren't going to be ready for who knows how many more 
years. Meanwhile, we have to, perhaps, have other 
identification notices or identification cards for the various 
employees and contractors.
    It is sort of like if I can make some sort of an analogy, 
sort of like me or you going through an airport and you have to 
have your passport to go through the first gate, and your 
driver's license you through the second, and maybe your voter 
ID card to go through the third or whatever. But it doesn't 
make any sense. So you talk to us in industry and we usually 
object to the one-size-fits-all approach and maybe that is not 
applicable. But we need something that is not duplicative, 
time-consuming, and sometimes conflicting.
    Mr. Tonko. Thank you. Thank you, Mr. Drevna.
    Mr. Hind, you made mention, or I think to use your words, 
we are not dealing with a complete deck. Can you elaborate on 
that? What else should be done to make certain that we are 
providing for the public safety elements out there or in 
keeping with the mission of the legislation?
    Mr. Hind. Well, if you look at the EPA's database through 
its risk management program, which is really kind of an 
imperfect larger universe of the facilities we are worried 
about, those that have off-site consequences, the total number 
of facilities in that program is 12,440 according to CRS' 
latest update in November. Of those, 2,500 plants each put 
10,000 people or more at risk. Of the 2,500, some of them could 
put over a million at risk. In fact, 473 put 100,000 at risk. 
And so my question to the panel here is, which of your member 
companies are actually part of MTSA and exempt from CFATS or 
part of a DOE program or even Defense Department? And I think 
that the numbers would be rather revealing in terms of which 
they are.
    We have heard that Dow's largest plant the country at 
Freeport, Texas, is that MTSA facility. So that means there are 
huge holes, or as Congressman Waxman called them, gaps in the 
security and in terms of the continuity of security by the 
government accountability over the industry.
    Mr. Tonko. Thank you. And from the public interest 
perspective, what are the problems with incorrect tiering of 
facilities?
    Mr. Hind. You mean in terms of the way that the risk 
assessment has been conducted and so forth? Well, in our view, 
we are a little bit nervous to hear about economic 
considerations being added and also vulnerability. I think that 
all of these facilities are vulnerable. If somebody takes a 
small plane or hijacked it, all of the guards and cameras and 
gates are not going to be enough to stop a small plane, as the 
CEO of DuPont admitted years ago. So I think that, as the 
former EPA administrator Ruckels has warned, risk assessment is 
like a captured spy. If you torture it enough, you can get to 
say anything. And I fear that we are going down a slippery 
slope here, and what needs to be done is adding alternative 
assessment to the process. Each company should be going out and 
saying to the DHS, we have looked at all the alternatives and 
there is nothing feasible for facility, or we are like Clorox 
and we can convert. And then you have zero risk.
    Mr. Tonko. Thank you. I think some of you might have a 
comment to that, too, or----
    Mr. Scott. Yes, I just----
    Mr. Shimkus. Without objection, we will continue for a 
minute to get a response. Mr. Scott?
    Mr. Scott. OK. Yes, I would just like to reply on the MTSA 
question. There are several sites that are covered by MTSA, but 
rightly so. They have waterside security included on their 
security. But the Texas operation site is the one that Mr. Hind 
mentioned, which is our largest site. It is the largest 
chemical site in the United States. It is covered by MTSA so it 
does have different requirements. It also has exactly the same 
security upgrades already in place that are required of a Tier 
1 CFATS site. So if you come down to Freeport operations or 
Texas operations, you will see we would be in full compliance 
with CFATS right now as a Tier 1 site. All of our MTSA sites 
are upgraded security-wise exactly the same as our CFATS sites. 
And all of our sites globally are tiered the same way and have 
security upgrades in place the same way. So I think that 
addresses the issue that we can have integration of the two 
systems very well.
    Mr. Shimkus. Thank you very much.
    The chair now recognizes the gentleman from Pennsylvania, 
Mr. Pitts, for 5 minutes.
    Mr. Pitts. Mr. Drevna, did you want to add to that?
    Mr. Drevna. Well, if you don't mind, Mr. Chairman, thank 
you.
    I agree with everything that Mr. Scott had said 
exponentially. But since the question was asked from the panel 
to the panel, in short of installing Patriot missile batteries 
at all facilities, I don't see how we are going to stop 
anything from coming in from outside the gate like an airplane 
or helicopter.
    Mr. Pitts. Mr. Allmond, you testified that DHS should be 
more willing to extend the amount of time a small or medium-
sized facility has to respond to a post-inspection report. How 
much time is reasonable so that the small and medium-sized 
facility still feels the urge to promptly respond while also 
giving them the chance to provide a quality response?
    Mr. Allmond. Yes. Thank you for that question. I think a 
minimum of 90 days will be sufficient.
    Mr. Pitts. Do you believe DHS still has time to make 
program adjustments and will consider your perspective, and if 
so, what gives you that confidence?
    Mr. Allmond. I do. In fact, I have already broached this 
concern with the Department and they have been receptive to 
hearing our proposal.
    Mr. Pitts. Thank you. Mr. Drevna, your testimony discusses 
the importance your members place on getting a workable 
Personnel Surety Program. Is DHS addressing your particular 
concerns?
    Mr. Drevna. Well, we have been working with them, and as I 
said previously, ever since, the report came out and we have 
sat down--and I have to admit, there has been more transparency 
and they are willing to work with us. But we have got to 
establish the fact that we--you know, as I said before, the 
TWIC reader card implementation is years away. But we are in 
the process of doing all this now. So there has to be some 
meeting of the minds here that says, oK, let's get this done in 
a timely fashion so we can move on.
    Mr. Pitts. Has AFPM tried to get an Alternative Security 
Plan approved by DHS for its members? What has been your 
experience with DHS in trying to advance----
    Mr. Drevna. Well, we support the alternative plans. We 
haven't particularly as an association done it, but our members 
have. And that is one of the things we keep, the tiering 
process, the kind of data that is needed. It is a little bit 
confusing between what is needed for the full assessment, what 
is needed to get you into a quicker AV alternative plan. So we 
are working with them. We support it and again, we are seeing 
the light at the end of this tunnel but we still have a ways to 
go.
    Mr. Pitts. Assuming DHS, with the help from a Peer Review 
Panel, comes up with a better risk assessment model, when 
should it be applied to CFATS activities? Does it affect the 
speed with which your members would have their Site Security 
Plans reviewed and approved?
    Mr. Drevna. Is that for me, sir?
    Mr. Pitts. Yes.
    Mr. Drevna. I believe it would. I mean, we have three 
members companies on that tiering panel. And we are confident 
that we are getting joint cooperation. Anytime you get three 
companies on the panel, a government panel, we are happy with 
that. But the proof is going to be at the end of the day with 
what is accepted and what isn't.
    Mr. Pitts. All right. Mr. Scott, your testimony raised 
concerns about transparency by DHS officials because they did a 
poor job of communicating threat information to CFATS-regulated 
facilities. Do you think DHS can formulate credible threat 
information and assessments?
    Mr. Scott. I think they can give us the information that 
they have available to us. There is a NIAC study out that is on 
communications amongst the intelligence communities in the D.C. 
area and DHS did not come out very highly on that panel.
    Mr. Pitts. Does it surprise you that GAO found that DHS 
really doesn't assess threat for 90 percent of terror threats 
at facilities with chemicals?
    Mr. Scott. Threat typically is not discussed, and when you 
have a meeting with DHS, typically, it starts with there are no 
credible threats to the chemical industry at this time. We go 
on the premise that because we are part of the critical 
infrastructure, we are a potential threat or there is always a 
potential threat. That is the discussions we have always had.
    Mr. Pitts. What recommendations do you have for DHS to 
improve its threat characterizations and communications?
    Mr. Scott. You have to identify the baseline on the threats 
that you are going to address, and then you have to have plans 
in place to escalate your security programs accordingly as the 
risk increases.
    Mr. Pitts. Do you agree with GAO that DHS assessment tools, 
particularly threat consequence and vulnerability ones, should 
be verified and valid before being deployed?
    Mr. Scott. Yes, I do. Validity is important, yes.
    Mr. Pitts. My time has expired. Thank you.
    Mr. Shimkus. The gentleman's time has expired.
    The chair now recognizes the gentleman from Texas, Mr. 
Green, for 5 minutes.
    Mr. Green. Thank you, Mr. Chairman. And obviously, our 
threat assessments are a work in progress because I remember in 
late 2001 there was in one of the caves in Afghanistan there 
was information on an attack on a refinery in Pasadena, 
California. It didn't take too long to know there are no 
refineries in Pasadena, California. But I represent Pasadena, 
Texas, and we have no shortage of refineries. And that was 
right after 9/11. Obviously, it was infancy.
    And today, though, there is a lot--and I know at least in 
the industries that I work with in my area in East Harris 
County, the coordination between the federal agencies and our 
local police agencies is amazing. Now, I don't know what DHS 
does with the local law enforcement, the FBI, the Customs and 
Border Protection, the Coast Guard. In fact, I was at the Coast 
Guard facility in our district that now is co-located at a 
Coast Guard facility with the Harris County Sheriff's office 
boats, along with the Houston Police Department boats at the 
same location in our district in Galena Park, Texas. So, I 
mean, it is a work in progress.
    Were you all here for the first panel? Do you feel 
confident that we are going to end up not having to jump 
through second hoops on your non-MTSA facilities and that the 
TWIC card is going to be able to be used? If you have a site 
that Dow does, for example, in Freeport, that the TWIC card 
works and you have a land-based site, the TWIC card will also, 
ultimately when they get through, will also be able to be used 
for an ID at that land-based facility for Dow?
    Mr. Scott. That is the direction that they are moving in. 
So yes, a TWIC card would be acceptable and usable at any of 
those sites. Yes.
    Mr. Green. Well, Mr. Chairman, we need to just monitor that 
because I know we in the Subcommittee had that discussion for a 
number of years, and frankly, we probably wouldn't have gotten 
where we are without a great GAO study to show that the problem 
is within DHS.
    For Mr. Drevna and Mr. Scott, over the past year, have you 
seen changes in outreach and cooperation from DHS and the 
industry, particularly as they relates to chemical and fuel and 
petrochemical manufacturers in the last year?
    Mr. Drevna. Yes. In the last year they have significantly 
improved the communications from DHS to their people in the 
field and from the people in the field to the sites. Yes.
    Mr. Green. Well, and I understand in your testimony you are 
concerned that the transparency on the decision-making ought to 
be much better and our committee ought to be encouraging that. 
Now, I do have some concern about the information provided on 
your plant facilities, because again, the experience we have 
over the last 12 years is that if a lot of your information is 
given to DHS, it is public record. There are folks in part of 
the world who can, with the punch of a button, look up plant 
design and plant vulnerability. That should not be public 
record. And I am concerned about that.
    We want transparency in the approval process but as much as 
I want as much public information for my constituents that live 
around and work on those plants, I also know I don't want to 
give a guide to somebody who wants to fly that Piper Cub over 
it. Is that some of your concern?
    Mr. Drevna. Absolutely. Like I said before, Congressman 
Green, we submit information and we submit it in good faith 
and----
    Mr. Green. Well, you are required to.
    Mr. Drevna. But like I say, it is either one reply all or 
one forward button away from getting into the wrong hands.
    Mr. Green. Well, I think in follow-up hearings we might 
have DHS come talk about what they do with information that is 
provided so it is protected. But I have to admit, Charlie, it 
is interesting, the ultimate 2nd Amendment is somebody having a 
Stinger missile to protect their plant or their house from a 
Piper Cub flying over it. I don't think we are going to get to 
that point. But I see planes fly over my plants literally every 
day when I am at home. And there is a special protection, 
though, you have to have special access to be able to fly over 
those facilities and no system is foolproof. But also, I don't 
know if I really want us to have to train our plant personnel 
to have a Stinger missile on their shoulder.
    Mr. Drevna. I would concur, Congressman Green.
    Mr. Green. But Mr. Chairman, I appreciate the hearing. It 
seems like we made progress, but obviously DHS needs to come a 
little more with plants who, as I have said before, have made a 
million dollars in federal tax dollars, millions of dollars of 
investments and partnerships with our local communities that we 
still don't know what hoops and what will be approved, whether 
it be Tier 1, 2, 3, or 4. And I would like to have some 
certainty there, and I know Greenpeace would like that to, and 
so would my constituents. Thank you.
    Mr. Shimkus. The gentleman yields back his time.
    We want to thank the third panel for being here and ask 
unanimous consent for 5 days for subcommittee members to submit 
opening statements for the record. Without objection, so 
ordered. We would also ask unanimous consent for 10 days to 
submit written questions for submittal to witnesses for an 
inclusion in the records. That also pertains to you all.
    And inclusion of a letter, I ask unanimous consent for the 
inclusion of a letter from the National Association of Chemical 
Distributors to myself and Mr. Tonko--your staff has approved--
dated March 12, 2013, on the CFATS program. Without objection, 
so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Shimkus. And the hearing is now adjourned.
    [Whereupon, at 12:43 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

               Prepared statement of Hon. Henry A. Waxman

    I thank the Chairman for calling this hearing on this very 
important program. The Chemical Facilities Anti-Terrorism 
Standards Program, or CFATS, is a critical national security 
program designed to protect communities from potential 
terrorist attacks on industrial facilities with significant 
stores of dangerous chemicals.
    Since 2001, federal officials, the Government 
Accountability Office (GAO), and outside experts have warned 
that the nation's drinking water utilities and chemical 
facilities remain vulnerable to terrorist attack.
    Unfortunately, the CFATS program is a grave disappointment. 
At the end of 2011, we learned the program was in disarray. No 
facilities had approved site security plans. Homeland Security 
officials felt their enforcement authority was insufficient and 
ineffective. There were no procedures in place to document 
important programmatic decisions. No one on staff was even 
qualified to conduct a compliance inspection.
    There has been some progress. We will hear from the 
Department today about their efforts to strengthen the CFATS 
program and the advances the Department has made since 
undertaking a serious internal examination of the program in 
2011.
    But today we will also hear from the Government 
Accountability Office, which has undertaken the first rigorous 
external accounting of the program. GAO has found that 
fundamental problems still plague the program. More work is 
needed before Congress and the American public can have 
confidence in the risk assessments that determine the potential 
dangers facilities pose.
    Perhaps we shouldn't be surprised. CFATS was created in the 
sloppiest legislative fashion possible. It was established in 
2006 by a provision tucked into an appropriations bill without 
the benefit of hearings or markups by the Committee.
    The problems with the program are not all Congress' fault. 
Both the current and previous administrations have failed to 
implement the program effectively. The Department issued an 
interim final rule within six months of the law's passage. This 
rule determined what chemicals might be targets, how risk would 
be assessed, and what security standards would be applied. 
Given the quick action and limited statutory guidance, the rule 
was flawed. But now--six years later--it still hasn't been 
updated and improved.
    In the 111th Congress, we worked on a bipartisan basis with 
industry, labor, and other affected stakeholders to 
methodically resolve each of the issues surrounding the CFATS 
program.
    The result was H.R. 2868, the Chemical and Water Security 
Act of 2009, which passed the House by a vote of 230-193. That 
legislation would have addressed many of the challenges the 
program now faces, increased transparency and accountability, 
clarified the process for approving or disapproving site 
security plans, and set enforceable deadlines. It also would 
have strengthened security at covered facilities by requiring 
assessment, and in particular circumstances, adoption of safer 
chemicals, processes, or technologies to reduce the 
consequences of a terrorist attack.
    Unfortunately, that bill did not become law, and that 
opportunity to set this program on a more successful path was 
missed.
    In the years since, this Committee has failed to develop 
comprehensive legislation to reform the CFATS program. It has 
also failed to offer any legislation to close security gaps or 
address security at water facilities.
    This Committee needs to do more. Comprehensive legislation 
is long overdue.
    I look forward to the testimony of the witnesses today, and 
I invite all of them and other stakeholders to engage with this 
Committee and help us seek solutions to a troubled, yet 
critically important anti-terrorism program.
                              ----------                              


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 
