b'<html>\n<title> - SECURING OUR NATION\'S CHEMICAL FACILITIES: BUILDING ON THE PROGRESS OF THE CFATS PROGRAM</title>\n<body><pre>[House Hearing, 116 Congress]\n[From the U.S. Government Publishing Office]\n\n\nSECURING OUR NATION\'S CHEMICAL FACILITIES: BUILDING ON THE PROGRESS OF \n                           THE CFATS PROGRAM\n\n=======================================================================\n\n                                HEARING\n\n                               BEFORE THE\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                           FEBRUARY 27, 2019\n\n                               __________\n\n                            Serial No. 116-3\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]                                     \n\n        Available via the World Wide Web: http://www.govinfo.gov\n        \n        \n                               __________\n                               \n\n                    U.S. GOVERNMENT PUBLISHING OFFICE                    \n35-379 PDF                  WASHINGTON : 2019                     \n          \n--------------------------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,\nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).\nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="c9b9a689aabcbabda1aca5b9e7aaa6a4e7">[email&#160;protected]</a>                 \n        \n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               Bennie G. Thompson, Mississippi, Chairman\nSheila Jackson Lee, Texas            Mike Rogers, Alabama\nJames R. Langevin, Rhode Island      Peter T. King, New York\nCedric L. Richmond, Louisiana        Michael T. McCaul, Texas\nDonald M. Payne, Jr., New Jersey     John Katko, New York\nKathleen M. Rice, New York           John Ratcliffe, Texas\nJ. Luis Correa, California           Mark Walker, North Carolina\nXochitl Torres Small, New Mexico     Clay Higgins, Louisiana\nMax Rose, New York                   Debbie Lesko, Arizona\nLauren Underwood, Illinois           Mark Green, Tennessee\nElissa Slotkin, Michigan             Van Taylor, Texas\nEmanuel Cleaver, Missouri            John Joyce, Pennsylvania\nAl Green, Texas                      Dan Crenshaw, Texas\nYvette D. Clarke, New York           Michael Guest, Mississippi\nDina Titus, Nevada\nBonnie Watson Coleman, New Jersey\nNanette Diaz Barragan, California\nVal Butler Demings, Florida\n                       Hope Goins, Staff Director\n                 Chris Vieson, Minority Staff Director\n                           \n                           \n                         C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Bennie G. Thompson, a Representative in Congress \n  From the State of Mississippi, and Chairman, Committee on \n  Homeland Security:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     3\nThe Honorable Mike Rogers, a Representative in Congress From the \n  State of Alabama, and Ranking Member, Committee on Homeland \n  Security:\n  Oral Statement.................................................     4\n  Prepared Statement.............................................     6\n\n                               Witnesses\n\nMr. David Wulf, Director, Infrastructure Security Compliance \n  Division, Cybersecurity and Infrastructure Security Agency, \n  U.S. Department of Homeland Security:\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     9\nMr. Nathan Anderson, Acting Director, Homeland Security and \n  Justice, U.S. Government Accountability Office:\n  Oral Statement.................................................    12\n  Prepared Statement.............................................    14\n\n                             For the Record\n\nThe Honorable Mike Rogers, a Representative in Congress From the \n  State of Alabama, and Ranking Member, Committee on Homeland \n  Security:\n  Letter.........................................................     4\n\n                                Appendix\n\nQuestions From Chairman Bennie G. Thompson for David Wulf........    51\nQuestion From Honorable Xochitl Torres Small for David Wulf......    52\nQuestions From Honorable Cedric Richmond for David Wulf..........    52\nQuestions From Honorable Michael Guest for David Wulf............    53\nQuestion From Honorable Michael Guest for Nathan Anderson........    54\nQuestions From Ranking Member Mike Rogers for Nathan Anderson....    54\n\n \nSECURING OUR NATION\'S CHEMICAL FACILITIES: BUILDING ON THE PROGRESS OF \n                           THE CFATS PROGRAM\n\n                              ----------                              \n\n\n                      Wednesday, February 27, 2019\n\n                     U.S. House of Representatives,\n                            Committee on Homeland Security,\n                                                    Washington, DC.\n    The committee met, pursuant to notice, at 10:08 a.m., in \nroom 310, Cannon House Office Building, Hon. Bennie G. Thompson \n(Chairman of the committee) presiding.\n    Present: Representatives Thompson, Langevin, Richmond, \nCorrea, Torres Small, Rose, Underwood, Slotkin, Cleaver, Green, \nClarke, Barragan, Demings, Rogers, McCaul, Walker, Higgins, \nLesko, Taylor, Joyce, Crenshaw, and Guest.\n    Chairman Thompson. The Committee on Homeland Security will \ncome to order. At the request of the Ranking Member, we will \nbegin the hearing. He will join us momentarily.\n    The committee is meeting today to receive testimony on \nsecuring our Nation\'s chemical facilities, building on the \nprogress of the CFATS program. Since 2007, the Department of \nHomeland Security has administered a regulatory program that \ncovers security measures at high-risk chemical facilities to \nprotect against the threat of terrorist attack.\n    Through CFATS, DHS works with chemical facility owners and \noperators to make sure they have safeguards in place to prevent \na bad actor from gaining access to dangerous chemicals stored \non-site. In the past, this program has enjoyed broad bipartisan \nsupport on and off the Hill.\n    Officials in the Bush administration, including former \nHomeland Security Secretary Michael Chertoff, were among the \nfirst to call for a Federal rule to secure chemical facilities. \nOfficials from the Trump administration, among the most recent, \nlast November, DHS Secretary Kirstjen Nielsen wrote to Congress \nurging us to reauthorize CFATS.\n    We continue to face one of the most serious terrorist \nthreat environments since 9/11. Foreign terrorist organizations \nare urging recruits to use simple weapons, including toxic \nchemicals, to target public spaces and events. Clearly, this \nthreat has not abated.\n    Yet the Department\'s authority to carry out CFATS came very \nclose to lapsing last month which caused this committee to pass \na short-term bill extending the program until 2020. For 8 \nyears, CFATS was tied to the annual appropriations cycle.\n    Lacking the certainty of a multi-year authorization, DHS \nstruggles to keep staff, develop long-term policies and work \nwith a regulated community that did not know if the rules would \napply the following year. In 2014, Congress worked on a \nbicameral, bipartisan basis to finally put an end to this \npattern by passing a multi-year authorization.\n    I had hoped to work collaboratively in the last Congress, \nas we did in 2014, to give CFATS a long-term reauthorization. \nUnfortunately, that did not come to pass, and we once again \nfound ourselves with no alternative but to pass another short-\nterm extension. As Chairman, I do not intend to let that happen \nagain.\n    This committee is acting early this Congress to get a \nreauthorization bill across the finish line. However, I do not \nplan to let reauthorization become an excuse to water down \nregulatory requirements or diminish the overall security value \nof the program.\n    CFATS is already designed to give flexibility and deference \nto facility owners and operators. The requirements are non-\nprescriptive, meaning that regulated facilities can choose \nsecurity measures that work for their unique environment so \nlong as their site security plan generally adheres to a set of \nrisk-based security principles. When DHS inspectors go out and \nfind that a facility\'s security plan falls short, they work \nwith that facility to address vulnerabilities.\n    Thanks in part to the leadership of Director Wulf, who is \ntestifying here today, the CFATS program is in place where \nCongress can build on a foundation that has already been laid. \nFor example, there are currently half as many high-risk \nfacilities in the United States as there were in 2007.\n    I would like to understand how DHS is encouraging \nfacilities to voluntarily reduce and remove chemical security \nrisk and how we might put that data to good use.\n    I also see reauthorization as an opportunity to figure out \nwhat is working and what is not. That may mean taking another \nlook at how CFATS handles whistleblowers or deciding if an \nexpedited approval program is a good use of DHS\'s limited \nresources.\n    Finally, there are some areas where the program continues \nto fall short. Six years ago, there was a fertilizer plant \nexplosion in West, Texas, that caused catastrophic damage and \ntook the lives of first responders who had been called to the \nscene.\n    On the screen above you is a picture of that scene where \nvolunteer firemen went to that location not knowing what they \nwere going to, and they lost their lives. So we need to close \nthat loophole because as a volunteer fireman myself, those \npublic-spirited first responders did not know what they were \ngoing to until it was too late.\n    So if CFATS had been in place, those individuals probably, \ngiven the information available, would not have approached it \nin the same light. So whatever we need to do to make sure \ninformation is being shared, this is a challenge we will \naddress.\n    I look forward to hearing from the panel today about how we \nmight improve CFATS and make sure we give DHS and the regulated \ncommunity the civility and certainty of a long-term \nreauthorization program.\n    [The statement of Chairman Thompson follows:]\n                Statement of Chairman Bennie G. Thompson\n                           February 27, 2019\n    Since 2007, the Department of Homeland Security has administered a \nregulatory program that covers security measures at ``high-risk\'\' \nchemical facilities to protect against the threat of terrorist attack. \nThrough CFATS, DHS works with chemical facility owners and operators to \nmake sure they have safeguards in place to prevent a bad actor from \ngaining access to dangerous chemicals stored on-site.\n    In the past, this program has enjoyed broad, bipartisan support on \nand off the Hill. Officials in the Bush administration, including \nformer Homeland Security Secretary Michael Chertoff, were among the \nfirst to call for a Federal rule to secure chemical facilities. And, \nofficials from the Trump administration are among the most recent.\n    Last November, DHS Secretary Kirstjen Nielsen wrote to Congress \nurging us to reauthorize CFATS: ``[W]e continue to face one of the most \nserious terrorist threat environments since 9/11. Foreign terrorist \norganizations are urging recruits to use simple weapons, including \ntoxic chemicals, to target public spaces and events.\'\'\n    Clearly, this threat has not abated.\n    Yet, the Department\'s authority to carry out CFATS came very close \nto lapsing last month--until this committee passed a short-term bill \nextending the program until April 2020.\n    For 8 years, CFATS was tied to annual appropriations cycles. \nLacking the certainty of a multi-year authorization, DHS struggled to \nkeep staff, develop long-term policies, and work with a regulated \ncommunity that did not know if the rules would apply the following \nyear. In 2014, Congress worked on a bicameral, bipartisan basis to \nfinally put an end to this pattern by passing a multi-year \nauthorization.\n    I had hoped to work collaboratively in the last Congress, as we did \nin 2014, to give CFATS a long-term reauthorization. Unfortunately, that \ndid not come to pass, and we once again found ourselves with no \nalternative but passed another short-term extension.\n    As Chairman, I do not intend to let that happen again. This \ncommittee is acting early this Congress to get a reauthorization bill \nacross the finish line. However, I do not plan to let reauthorization \nbecome an excuse to water down regulatory requirements or diminish the \noverall security value of the program.\n    CFATS is already designed to give flexibility and deference to \nfacility owners and operators. The requirements are non-prescriptive, \nmeaning that regulated facilities can choose security measures that \nwork for their unique environment, so long as their site security plans \ngenerally adhere to a set of risk-based security principles. When DHS \ninspectors go out and find that a facility\'s security plan falls short, \nthey work with that facility to address vulnerabilities.\n    Thanks in part to the leadership of Director Wulf, who is \ntestifying here today, the CFATS program is in a place where Congress \ncan build on the foundation that has already been laid. For example, \nthere are currently half as many ``high-risk\'\' facilities in the United \nStates as there were in 2007.\n    I would like to understand how DHS is encouraging facilities to \nvoluntarily reduce or remove chemical security risks, and how we might \nput that data to good use. I also see reauthorization as an opportunity \nto figure out what\'s working, and what\'s not. That may mean taking \nanother look at how CFATS handles whistleblowers or deciding if the \nexpedited approval program is a good use of DHS\'s limited resources.\n    Finally, there are some areas where the program continues to fall \nshort.\n    I was extremely troubled by a report GAO released last year showing \nthat first responders and emergency planners are still not getting the \ninformation they need to respond to an incident at a CFATS facility. As \na former volunteer fire fighter, I am deeply concerned that--6 years \nafter the tragic fertilizer plant explosion in West, Texas--we still \nhave not yet figured out how to put the right information in the hands \nof the brave men and women running into a building in an emergency \nwhile everyone else is running out. When first responders show up at an \nincident, they need to know what\'s on the other side of the door. \nPeriod.\n    Whatever we need to do to make sure information is being shared--\nthis is a challenge we will address.\n    I look forward to hearing from the panel today about how we might \nimprove CFATS and make sure we give DHS--and the regulated community--\nthe stability and certainty of a long-term reauthorization for the \nprogram.\n\n    Chairman Thompson. I now recognize the Ranking Member of \nthe full committee, the gentleman from Alabama, Mr. Rogers, for \nan opening statement.\n    Mr. Rogers. Thank you, Mr. Chairman. Sorry I am late. Thank \nyou for holding this important hearing.\n    Before I begin, I would like to express my extreme \ndisappointment that the Majority staff denied the Minority\'s \nrequest for a witness at today\'s hearing. Under Rule 11 of the \nrules of the House, the Minority is afforded at least one \nwitness at each committee hearing. If denied a witness, the \nMinority is entitled to separate hearing to take testimony from \nits witnesses.\n    So pursuant to rule of the House, I am providing the \nChairman with a letter signed by the Republican Members of the \ncommittee formally invoking our right to a separate hearing of \nthe full committee to hear from Minority witnesses. I ask \nunanimous consent that a letter be made part of the record.\n    Chairman Thompson. Without objection.\n    [The information follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Rogers. The rules require the Chairman to schedule a \nhearing in a reasonable period of time. We request a hearing as \nsoon as possible.\n    CFATS is a critical program aimed at keeping dangerous \nchemicals out of the hands of terrorists. In the past, \nRepublicans and Democrats have worked together to reauthorize \nCFATS and make improvements to the program. I hope the \ntradition of bipartisanship on this issue can continue, despite \nthe actions taken by the Majority today.\n    CFATS has been a successful program because it gives \nindustry flexibility to secure their facilities with guidance \nfrom the Department of Homeland Security based on each \nfacility\'s unique risks and attributes. Fortunately, we have a \nsolid program that works well as a starting point. Only small \ntweaks are needed to make an already good program even better.\n    I believe that with bipartisan, bicameral process we can \nquickly give stakeholders the certainty they need and move a \nlong-term reauthorization of CFATS to the President\'s desk. I \nhope the Chairman will join me in providing stability and \ncertainty regarding chemical security and avoid taking actions \nwhich would undermine enactment of a bipartisan long-term \nreauthorization.\n    I look forward to working collaboratively with the \nMajority, the Senate, the stakeholders, and DHS to reauthorize \nCFATS program. I also look forward to today\'s witnesses.\n    With that, I yield back, Mr. Chairman.\n    [The statement of Ranking Member Rogers follows:]\n                Statement of Ranking Member Mike Rogers\n                           February 27, 2019\n    CFATS is a critical program aimed at keeping dangerous chemicals \nout of the hands of terrorists. In the past, Republicans and Democrats \nhave worked together to reauthorize CFATS and make improvements to the \nprogram.\n    I hope the tradition of bipartisanship on this issue can continue, \ndespite the actions taken by the Majority today. CFATS has been a \nsuccessful program because it gives industry flexibility to secure \ntheir facilities, with guidance from the Department of Homeland \nSecurity, based on each facility\'s unique risk and attributes.\n    Fortunately, we have a solid program that works well as a starting \npoint. Only small tweaks are needed to make an already good program \nbetter. I believe that with a bipartisan, bicameral process we can \nquickly give stakeholders the certainty they need and move a long-term \nreauthorization of CFATS to the President\'s desk.\n    I hope the Chairman will join me in providing stability and \ncertainty regarding chemical security--and avoid taking actions, which \nwould undermine enactment of a bipartisan, long-term reauthorization. I \nlook forward to working collaboratively with the Majority, the Senate, \nstakeholders, and DHS to reauthorize the CFATS program.\n\n    Chairman Thompson. Thank you very much. In response to the \nRanking Member\'s request, we will do so in writing. But \nconsistent with the rules that we adopted for this committee, \nsimilar to the rules we have had before, we offered a \nGovernment witness to this Government panel.\n    From my understanding, that was not accepted, but you could \nhave had a Government witness. It was--we will respond in \nwriting, but the rules we apply are the same rules that this \ncommittee has always operated under. Other Members of the \ncommittee are reminded that under the committee rules, opening \nstatements may be submitted for the record.\n    I welcome our panel of witnesses. First, I would like to \nwelcome David Wulf, the director of the Infrastructure Security \nCompliance Division at the DHS Cybersecurity and Infrastructure \nSecurity Agency, CISA.\n    Mr. Wulf has been CFATS through some of its difficult \nchallenges and helped it mature into an internationally-\nrenowned chemical security program. I am thankful for his \nleadership on CFATS and look forward to his testimony.\n    Next, I would like to welcome Mr. Nathan Anderson from the \nGovernment Accountability Office Homeland Security and Justice \nTeam. Mr. Anderson has contributed to GAO\'s substantial body of \nwork on the CFATS program, including a report GAO issued last \nJuly, which I expect will play a major role in informing CFATS\' \nreauthorization and provide important context to our \nconversation today.\n    Without objection, the witnesses\' full statement will be \ninserted in the record. I now ask each witness to summarize his \nor her statement for 5 minutes, beginning with Mr. Wulf.\n\n  STATEMENT OF DAVID WULF, DIRECTOR, INFRASTRUCTURE SECURITY \nCOMPLIANCE DIVISION, CYBERSECURITY AND INFRASTRUCTURE SECURITY \n          AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Wulf. Thank you so much, Mr. Chairman, Ranking Member \nRogers, and other Members of the committee. I really do \nappreciate the opportunity to be here today to provide an \nupdate on the progress of the Chemical Facility Anti-Terrorism \nStandards program, or CFATS, the progress that the CFATS \nprogram continues to make in fostering security at high-risk \nchemical facilities across the Nation.\n    When I last testified before this committee in 2014, the \nCFATS program was in a very different place, having faced some \nsignificant challenges in its early years. But we had \nimplemented a comprehensive corrective action plan and had made \nsome measurable forward progress. At that time, I emphasized \nthe importance of long-term authorization for this critical \nNational security program.\n    I am very grateful for the leadership you and the committee \ndemonstrated in securing the 4-year CFATS authorization that \nwas signed into law in December 2014. I am grateful, of course, \nas well for your role in attaining the 15-month extension of \nthat authorization through April 2020 that was enacted last \nmonth.\n    I am very appreciative that this committee is holding \ntoday\'s hearing and is again taking a lead role to ensure \ncontinuing long-term authorization of CFATS. I look forward to \nworking with you to continue to enhance and to evolve our \nprogram.\n    Now, as I am sure you will hear me say once or twice today, \nthe stability that has come along with long-term authorization \nhas driven unprecedented progress as our team has worked with \nCFATS-covered facilities to make America\'s high-risk chemical \ninfrastructure a truly hard target with literally tens of \nthousands of security measures having been put in place at \nhigh-risk chemical facilities across the Nation.\n    These facilities have achieved, on average, a 55 percent \nincrease in their security posture as a direct result of CFATS. \nThe stability afforded by long-term authorization has \nfacilitated our planning and execution of important \nprogrammatic improvements, a few of which I will detail in a \nmoment, while it has also afforded regulated industry \nstakeholders with the certainty they deserved as they planned \nfor and made significant investments in CFATS-related security \nmeasures.\n    Now, I know that as the reauthorization process proceeds, \nyou will have the opportunity to hear directly from industry \nand other stakeholders about their experience with CFATS.\n    The gains I have just noted would not have been possible \nwithout the commitment and hard work of companies and our \nvarious other stakeholders across the Nation who have put into \nplace CFATS-focused security measures and, in many cases, have \nprovided important feedback and ideas that have helped us to \nimprove our processes and our effectiveness as we have evolved \nand enhanced the program over the past 4 years.\n    So I see many of those stakeholders in the room, and I \nappreciate their presence here today. I would also like to \nacknowledge Nathan Anderson and the important role the GAO has \nplayed in reviewing our operations and making many helpful \nrecommendations over the past several years.\n    Of course, I want to acknowledge our hard-working CFATS \nteam, some 250 folks here in Washington and across the Nation \nwho have built a truly world-class program and who are laser-\nfocused on securing America\'s highest-risk chemical \ninfrastructure.\n    So about those programmatic improvements I mentioned, what \nhave we been doing to make CFATS even stronger as we have \nenjoyed the stability of long-term authorization over the past \n4 years? Well, we have improved processes. We have eliminated \nbottlenecks.\n    We have seen unprecedented progress in the pace of \ninspections and in the review and approval of facility site \nsecurity plans, eliminating a backlog of security plan reviews \n6 years ahead of earlier GAO projections.\n    We have developed and launched an improved risk assessment \nmethodology that effectively accounts for all relevant elements \nof risk. We have reassessed the level of risk associated with \nnearly 30,000 facilities across the country.\n    We have implemented the CFATS personnel surety program, \naffording the highest-tiered CFATS-covered facilities the \nability to ensure that individuals with access to critical \nassets have been vetted for terrorist ties.\n    We have dramatically reduced burden across our stakeholder \ncommunity, having built and launched a streamlined, more user-\nfriendly suite of on-line tools through which facilities submit \nrisk assessment surveys, also known as Top Screens, and develop \ntheir site security plans.\n    While the stability afforded by long-term authorization has \nyielded all of this progress over the past 4 years, we are \ncertainly not done yet. Continued long-term authorization will \nbe absolutely critical to ensuring that we are able to focus on \ndriving even more effective and even more efficient approaches \nto fostering chemical security across the Nation.\n    Now, as we are all too aware, the threat of chemical \nterrorism remains a real and a very relevant one. Around the \nglobe, our adversaries continue to seek, to acquire, and to use \nin attacks chemicals of the sort that trigger coverage under \nCFATS. The threat stream continues to reflect that chemical \nfacilities themselves remain an attractive target for our \nadversaries.\n    I can tell you with certainty that the work we are doing in \nconcert with our committed stakeholders across the wide variety \nof industries and facilities that compose the CFATS-covered \nuniverse is making a real difference in protecting the Nation.\n    Having had the opportunity to work closely with my \ncounterparts in other nations and to co-chair the G7 Global \nPartnership\'s Chemical Security Working Group, I can tell you \nas well that what we are doing here in the United States \nthrough CFATS, the culture of chemical security you have helped \nus to build with your support for long-term CFATS \nauthorization, is absolutely the envy of the world.\n    With its targeted focused on the highest-risk facilities, \nwith its 18 comprehensive risk-based performance standards \naddressing physical, cyber, and insider threats, and with its \nnon-prescriptive flexible approach to regulation, CFATS is \nwell-suited to enhancing security across the very diverse \nuniverse of high-risk chemical facilities.\n    So before I wrap up, I would like to again thank the \ncommittee and your top-notch staff for your leadership on CFATS \nand on chemical security writ large.\n    We are fond of saying that chemical security is a shared \ncommitment, and not unlike the role that industry and other \nstakeholders who have embraced and helped us to build this \nprogram in so many ways, and the role of our committed and very \ntalented team at DHS, the role of Congress and the role of this \ncommittee in shaping and authorizing CFATS for the long-term \nhas been hugely important.\n    I am looking forward to working further with you, as we \ndrive toward reauthorization this year.\n    So thanks again. Thank you so much. I look forward to your \nquestions, and to the dialog here today.\n    [The prepared statement of Mr. Wulf follows:]\n                    Prepared Statement of David Wulf\n                           February 27, 2019\n                              introduction\n    Chairman Thompson, Ranking Member Rogers, and Members of the \ncommittee, I appreciate the opportunity to appear before you today to \ndiscuss the development and maturation of the Department of Homeland \nSecurity\'s (DHS) regulation of high-risk chemical facilities under the \nChemical Facility Anti-Terrorism Standards (CFATS) Program.\n    I also want to thank you for your efforts in extending the \nprogram\'s authorization for an additional 15 months so that we may \ncontinue to work together toward the long-term reauthorization of this \ncritical National security program. Since the program\'s inception, \nCFATS has fundamentally improved chemical security in the United \nStates. Our threat landscape is constantly evolving and the threat of \nchemical terrorism remains a very real and very relevant one. For this \nreason, fostering the security of high-risk chemical facilities \ncontinues to be of the utmost importance. Given the wide diversity of \nfacilities that store chemicals, CFATS--and its flexible, targeted \napproach, is an essential tool in this effort.\n                         cfats program overview\n    The CFATS Program is a vital part of our Nation\'s counterterrorism \nefforts, addressing physical, cyber, and insider threats to our \nNation\'s highest-risk chemical facilities. Since the CFATS Program\'s \ncreation, we have engaged with industry to identify and regulate high-\nrisk chemical facilities to ensure they have security measures in place \nto reduce the risks associated with the possession of chemicals of \ninterest and to keep dangerous chemicals out of the hands of those who \nwish to do us harm.\n    The cornerstone of the CFATS Program is the development, \nsubmission, and implementation of Site Security Plans (SSPs), or \nAlternative Security Programs in lieu of SSPs, documenting the security \nmeasures that high-risk chemical facilities utilize to satisfy the \napplicable Risk-Based Performance Standards (RBPS) under CFATS. Due to \nthe diversity of facilities that hold chemicals of interest, it is \nimportant to note these plans are not ``one-size-fits-all,\'\' but are \nin-depth, highly customized, and account for each facility\'s unique \ncircumstances.\n    In order to determine whether a facility is covered under CFATS, \nDHS utilizes a risk-assessment methodology that takes into account \nthreat, vulnerability, and the consequences of a potential attack. To \nbegin the process, a facility in possession of threshold quantities of \nCFATS chemicals of interest submits a Top Screen to the Department\'s \nInfrastructure Security Compliance Division. Since we began collecting \nthis information in 2007, more than 40,000 unique facilities have \nreported chemical holdings. Based on the information received in the \nTop Screens, DHS determines which facilities are at high-risk of \nterrorist attack or exploitation and assigns each of these to a tier.\n    Facilities determined to be high-risk must submit a Security \nVulnerability Assessment (SVA) and a SSP, or a SVA and an Alternative \nSecurity Program (ASP), to DHS for approval. Tier 3 and 4 facilities \nalso have the option of submitting an Expedited Approval Program (EAP) \nSSP in lieu of an SSP or ASP. The plan must include security measures \nmeeting the RBPS established in the CFATS regulation. For facilities \nother than those submitting an EAP SSP, the Department performs an \nauthorization inspection at the facility prior to approving a security \nplan to ensure that the measures contained in the security plan are \nappropriate given the facility\'s specific security issues and unique \ncharacteristics. Once a facility\'s plan is approved, DHS conducts \nregular compliance inspections to verify that the facility is \nimplementing the agreed-upon security measures.\n       cfats act of 2014 afforded crucial stability and certainty\n    In December 2014, Congress passed the Protecting and Securing \nChemical Facilities from Terrorist Attacks Act of 2014 (CFATS Act of \n2014). This statute, which enjoyed strong bipartisan and stakeholder \nsupport, brought stability for both the Department and the regulated \ncommunity and provided stakeholders with confidence in the program\'s \nfuture. Enacting a multi-year CFATS authorization as Congress did in \n2014 marked an important turning point for the program. Among other \nthings, it:\n  <bullet> Provided industry stakeholders with the certainty they \n        needed to plan for and invest in CFATS-related security \n        measures to harden their critical sites against possible \n        terrorist attack or exploitation;\n  <bullet> Afforded the stability needed to enable the Department to \n        make programmatic improvements as well as strategic, long-term \n        planning decisions regarding staffing, program development, and \n        process efficiencies; and,\n  <bullet> Sent a clear message to potentially covered ``outlier\'\' \n        facilities that the CFATS Program is here to stay.\n    With long-term authorization, chemical facilities have become \nfurther incentivized to engage with the Department with regard to \nfacility security. Returning to the instability of short-term renewal \nof CFATS Program either through regular order or the appropriations \nprocess would represent a significant step backwards for the Nation\'s \nchemical security efforts, inhibit programmatic progress and long-term \nplanning, and undermine stakeholder confidence in the longevity of the \nprogram. In short, the absence of long-term CFATS authorization puts \nAmerica\'s chemical security--and the security of our communities--at \nrisk.\n              accomplishments since the cfats act of 2014\n    Due in large part to the stability afforded by passage of the CFATS \nAct of 2014, I am pleased to report today that much has been \naccomplished and that our program continues to make significant forward \nprogress. Through the collective efforts of our dedicated workforce, \nindustry, and other stakeholders, and through the support and \nleadership of Congress, the CFATS program has matured significantly in \nthis time and is poised to continue this progress in the coming years.\n    Clear examples of the gains made by the CFATS Program since the \npassage of the CFATS Act of 2014 include:\n  <bullet> A dramatic improvement in the pace of inspections, reviews, \n        and approvals resulting in the elimination of a backlog once \n        projected to take 7 to 9 years to clear, nearly 6 years ahead \n        of schedule;\n  <bullet> Development and deployment of an enhanced risk-tiering \n        methodology that affords a more accurate reflection of a \n        facility\'s risk--a methodology that is grounded in science and \n        has been vetted by external experts from across Government, \n        industry, and academia;\n  <bullet> Streamlining of the SSP-development process and the \n        stakeholder ``user experience,\'\' reducing the burden on \n        facility operators without sacrificing security through the \n        launch of the CSAT 2.0 suite of on-line tools; and,\n  <bullet> The closing of a critical gap in the security of our \n        Nation\'s highest-risk facilities through the implementation of \n        the CFATS Personnel Surety Program (screening for terrorist \n        ties).\n                           extensive outreach\n    DHS continues to prioritize outreach designed to ``get the word \nout\'\' about the program, share information with partners, make \navailable compliance assistance materials, provide education and \ntraining, and to otherwise foster chemical security. This outreach, \nwhich has been central to the success of CFATS, has involved extensive \nengagement with a diverse group of representatives across the chemical \nsecurity community, including industry stakeholders; law enforcement \nand emergency responders; Federal and State partner agencies; labor \norganizations, Federal partners, industry associations, labor and \ninterest groups, and international partners among many others.\n    DHS conducts outreach to members of the chemical industry, other \nindustries whose members routinely use threshold levels of CFATS \nchemicals of interest, and stakeholders with an interest in chemical \nfacility security. The Department has also prioritized coordinating \nwith Federal and State, local, Tribal, and territorial (SLTT) \nregulatory agencies to provide resource materials and to obtain data to \nassist with identifying Chemical Facilities of Interest. In fiscal year \n2018, as a result of the data set comparisons, we identified \napproximately 697 potential chemical facilities of interest. From the \nprogram\'s inception, DHS has made more than 3,500 presentations to its \nregulated community and attended more than 16,600 meetings with our \nFederal, SLTT, and industry stakeholders.\n    The Department has developed strong relationships with national \norganizations to leverage their networks and outreach activities and, \nin fiscal year 2018, DHS conducted Nation-wide outreach to more than \n350 State and local offices and more than 850 Local Emergency Planning \nCommittees/Tribal Emergency Planning Committees across the Nation.\n    Also, outreach to first responders is incorporated into the \ndevelopment of SSPs through Risk-Based Performance Standard 9 (RBPS \n9)--Response. This standard requires covered facilities to have a \ndocumented, comprehensive crisis management plan that details how the \nfacility will respond to security incidents and requires the facility \nto run exercises and drills--and make contact with local first-\nresponders. DHS verifies this outreach during on-site compliance \ninspections. In many instances, the Department has facilitated contact \nbetween the first responders and the facilities.\n    During the summer of 2018, as part of the Department\'s on-going \nefforts to maximize outreach to critical stakeholder communities and as \na supplement to 11 previous annual Chemical Security Summits, the \nCybersecurity and Infrastructure Security Agency\'s (CISA) Office of \nInfrastructure Security held a series of DHSChemSecurityTalks in which \nwe reached more than 300 facility owners and operators, Government \npartners, and industry stakeholders. This inaugural series of three 1-\nday events, held in Oakland, California, Chicago, Illinois, and \nPhiladelphia, Pennsylvania, was designed to take the chemical \ninfrastructure security discussion and CISA\'s largest regulatory \nprogram, CFATS, beyond the National Capital Region and into the very \ncommunities that CFATS protects.\n    The Department also continues to play a leadership role in \nencouraging a global culture of chemical security. In support of this, \nI am privileged to co-chair the Chemical Security Working Group of the \nG7 Global Partnership Against the Spread of Weapons and Materials of \nMass Destruction, leading the U.S. engagement with the G7 on chemical \nsecurity and helping to ensure cooperation among the international \ncommunity on chemical security efforts. Additionally, in 2018, the \nDepartment, along with the Federal Bureau of Investigation and \nINTERPOL, co-hosted the inaugural Global Congress on Chemical Security \nand Emerging Threats in Lyon, France. The Global Congress convenes a \ncommunity intent on countering chemical and explosive terrorism by non-\nState actors and their access to chemical agents. The Congress explored \nspecialized case studies highlighting emerging trends, identified \nlessons learned and best practices relating to chemical incident \nattribution and response and discussed evolving technologies and \ntactics. CFATS is recognized globally as a model chemical-security \nframework world-wide and the Department regularly responds to requests \nto work with other governments as they strive to build cultures of \nchemical security on a par with the security-culture CFATS has fostered \nin the United States.\n                        personnel surety program\n    Vetting those who have access to chemicals of interest and other \nsensitive parts of high-risk chemical facilities is a key aspect of \nfacility security. Under RBPS 12, Personnel Surety, facilities must: \n(1) Implement measures to verify and validate identity, (2) check \ncriminal history, (3) validate legal authorization to work in the \nUnited States, and (4) identify people with terrorist ties. While all \nTier 1 through 4 facilities have been implementing the first three \nelements of RPBS 12, in December 2015 the Department began working with \nTier 1 and Tier 2 facilities to implement the fourth element. This \neffort was begun in December 2015, after the Office of Management and \nBudget (OMB) approved the Department\'s Information Collection Request \nfor the CFATS Personnel Surety Program (RPBS 12[iv]) in accordance with \nthe requirements of the Paperwork Reduction Act (PRA).\n    The CFATS Personnel Surety Program closed a critical gap by \nenabling facilities in these two tiers to submit names to DHS for \nvetting individuals\' potential terrorist ties. Going forward, the \nDepartment is planning to expand its implementation to tiers 3 and 4, \nto enable all high-risk chemical facilities to ensure that those with \naccess to critical assets have been vetted for terrorist ties. The \nDepartment is in the process of requesting OMB\'s approval, through the \nPRA process, to collect information on individuals who have or who are \nseeking access to high-risk chemical facilities for all four Tiers.\n                               conclusion\n    Through CFATS and the hard work of our industry stakeholders who \ncontinue to put in place security measures to harden America\'s highest-\nrisk chemical facilities, we have collectively accomplished much since \n2014. This progress would not have been possible without the stability \nand certainty afforded by enactment of the Protecting and Securing \nChemical Facilities from Terrorist Attacks Act of 2014.\n    Long-term reauthorization will allow the Department and the \nchemical security community to continue to work together to secure the \nNation\'s chemicals and keep them out of the hands of our adversaries. \nThe Department will be able to continue to focus on pursuing more \nefficient ways to implement the program, to include the enhancement of \nexisting materials and tools, while industry will have the confidence \nto continue to make important investments in security.\n    Chemical security is very much a pressing need, and, in view of the \ncontinuing high level of chemical-terrorism threats, must remain a \ncontinuing high priority for the Nation. The CFATS program has \npositioned the United States as a world-leader in building the culture \nof security necessary to secure our Nation\'s highest-risk chemical \nfacilities. I look forward to working with this committee to chart a \npath toward long-term--or permanent--reauthorization of this critical \nNational security program, and I thank you in advance for your \ncontinuing leadership on this issue. I look forward to your questions.\n\n    Chairman Thompson. Thank you, Mr. Wulf. We feel your \npassion.\n    We now recognize Mr. Anderson to summarize his statement \nfor 5 minutes.\n\n    STATEMENT OF NATHAN ANDERSON, ACTING DIRECTOR, HOMELAND \n  SECURITY AND JUSTICE, U.S. GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Anderson. Chairman Thompson, Ranking Member Rogers, and \nMembers of the committee, good morning. My testimony today is \nprimarily based on work we have conducted over the past few \nyears.\n    Compared to where CFATS\' program was shortly after its \ninception, DHS has made substantial progress in a number of \nareas. There is room for improvement, particularly in reaching \nout to first responders.\n    I will speak first to the Department\'s efforts to identify \nhigh-risk chemical facilities. Just identifying the universe of \nfacilities that should even be regulated under CFATS, has been \nand may always be a huge challenge.\n    There is no one complete data source of facilities that \nhave chemicals. In 2014, we found that DHS used self-reported \nand unverified data to determine the risk of facilities holding \ntoxic chemicals that could threaten surrounding communities if \nreleased. We recommended that DHS should better verify the \naccuracy of facility-reported data.\n    DHS implemented this recommendation by revising its \nmethodology so it now calculates the risk of toxic release, \nrather than relying on facilities to do so.\n    We have also reviewed the Department\'s access to assess \nregulated facilities\' risks. We did those to place chemical \nfacilities into the appropriate risk tier.\n    Several years ago, we found that the Department\'s risk \nassessment approach did not consider all of the elements of \nrisk associated with a terrorist attack involving certain \nchemicals. They treated every facility as equally vulnerable to \na terrorist attack, regardless of location or on-site security.\n    We recommended that DHS enhance its risk-assessment \napproach to incorporate all elements of risk and conduct a peer \nreview after doing so.\n    DHS agreed with both recommendations and has implemented \nactions to address both of them. For example, DHS worked with \nSandia National Lab to develop a model to more comprehensively \nestimate the consequences of a chemical attack.\n    Our assessment of the Department\'s efforts to review and \napprove chemical facilities\' security plans also identified \nchallenges that DHS has taken steps to address. DHS is to \nreview security plans and visit facilities to ensure their \nsecurity measures meet DHS standards.\n    In April 2013, we reported a 7- to 9-year backlog for those \nreviews and visits. At that time, DHS officials told us they \nwere exploring ways to reprioritize resources and streamline \ninspection requirements. Recently, DHS reported to Congress \nthat it had eliminated its backlog by realigning resources \ntoward security plan reviews.\n    A key quality assurance function involves actions to ensure \ncompliance. In 2015, we reported that DHS had conducted \ncompliance inspections of 83 of the roughly 1,700 facilities \nwith approved security plans at that time.\n    We found that nearly half of the inspected facilities were \nnot fully compliant with their approved security plans, and \nthat DHS did not have documented procedures for managing \nfacilities\' compliance.\n    We recommended that DHS document procedures from managing \ncompliance. As a result, DHS revised CFATS procedures, which we \nare currently reviewing to determine if they sufficiently \ndocument the processes being used to track uncompliant \nfacilities and ensure facilities implement plan measures as \noutlined in their security plans.\n    On a positive note, DHS recently told us that they have \nconducted more than 2,000 compliance inspections.\n    Let me now turn to our most recent work, which addresses \nDHS\'s efforts to conduct outreach with stakeholders and first \nresponders.\n    In late 2018, we reported that DHS assured that some CFATS \ninformation that first responders and emergency planners may \nnot have all the information they need to minimize the risk of \ninjury or death when responding to incidents at high-risk \nfacilities.\n    We recommended that DHS should, among other things, take \nactions to improve information sharing with first responders \nand emergency planners. DHS concurred with this recommendation \nand reported in September 2018 that they are taking actions to \nimplement it.\n    In closing, our work has found that DHS has made progress \nin efforts to implement and manage its CFATS program. As CFATS \ncontinues to evolve, it will be important to focus on how DHS \nshould measure the security impact of the program, what DHS is \ndoing with all of the information it collects, and how such \ninformation is being communicated to the industry, first \npartners, and others.\n    It will also be important to focus on how the program \nevolves to face new challenges, such as cybersecurity.\n    Mr. Chairman, Ranking Member Rogers, Members of the \ncommittee, this concludes my statement. I will be happy to take \nany questions you may have.\n    [The prepared statement of Mr. Anderson follows:]\n                 Prepared Statement of Nathan Anderson\n                           February 27, 2019\n critical infrastructure protection.--progress and challenges in dhs\'s \n          management of its chemical facility security program\n    Chairman Thompson, Ranking Member Rogers, and Members of the \ncommittee: Thank you for the opportunity to discuss our past work on \nthe Department of Homeland Security\'s (DHS) efforts to manage its \nChemical Facility Anti-Terrorism Standards (CFATS) program. Thousands \nof facilities that produce, use, or store hazardous chemicals could be \nof particular interest to terrorists who might seek to use toxic \nchemicals to inflict mass casualties in the United States. These \nchemicals could be released from a facility to cause harm to \nsurrounding populations; they could be stolen and used as chemical \nweapons or as their precursors (the ingredients for making chemical \nweapons); or they could be stolen and used to build an improvised \nexplosive device. Past incidents remind us of the danger that these \nchemicals pose, including the 2013 ammonium nitrate explosion at a \nfertilizer storage and distribution facility in West, Texas, which \nkilled at least 14 people and damaged or destroyed at least 200 homes, \nand the 1995 domestic terrorist attack on the Federal building in \nOklahoma City, Oklahoma, where 168 people were killed using ammonium \nnitrate fertilizer mixed with fuel oil.\n    The Department of Homeland Security Appropriations Act, 2007, \nrequired DHS to issue regulations to establish risk-based performance \nstandards (performance standards) for securing high-risk chemical \nfacilities.\\1\\ DHS subsequently established the CFATS program in 2007 \nto, among other things, identify high-risk chemical facilities and \nassess the risk posed by them; place facilities considered to be high-\nrisk into 1 of 4 risk-based tiers (with tier 1 being the highest risk \ntier and 4 being the lowest); assess facility security; approve \nsecurity plans prepared by facilities; and inspect facilities to ensure \ncompliance with regulatory requirements.\\2\\ DHS\'s CFATS rule \nestablished 18 performance standards that identify the areas for which \na facility\'s security posture are to be examined, such as perimeter \nsecurity, access control, and cybersecurity.\\3\\ To meet these \nstandards, facilities are free to choose whatever security programs or \nprocesses they deem appropriate so long as DHS determines that the \nfacilities achieve the requisite level of performance in each of the \napplicable areas. The Protecting and Securing Chemical Facilities from \nTerrorist Attacks Act of 2014 (CFATS Act of 2014), enacted in December \n2014, in effect, reauthorized the CFATS program for an additional 4 \nyears, while also imposing additional implementation requirements on \nDHS for the program.\\4\\ In January 2019, the Chemical Facility Anti-\nTerrorism Standards Program Extension Act, was enacted and extended the \nauthorization by 15 months.\\5\\\n---------------------------------------------------------------------------\n    \\1\\ Pub. L. No. 109-295, \x06 550, 120 Stat. 1335, 1388-89 (2006).\n    \\2\\ See 72 Fed. Reg. 17,688 (Apr. 9, 2007) (codified as amended at \n6 C.F.R. pt. 27).\n    \\3\\ DHS has enumerated 18 risk-based performance standards that \nchemical facilities must meet to comply with CFATS. See 6 C.F.R. \x06 \n27.230.\n    \\4\\ See Pub. L. No. 113-254, 128 Stat. 2898 (2014); 6 U.S.C. \x06\x06 \n621-629. The act amended the Homeland Security Act of 2002, Pub. L. No. \n107-296, 116 Stat. 2135 (2002), as amended, by adding Title XXI--\nChemical Facility Anti-Terrorism Standards--and expressly repealing the \nprogram\'s authority under the fiscal year 2007 DHS appropriations act.\n    \\5\\ See Pub. L. No. 116-2, 113 Stat. 5 (2019).\n---------------------------------------------------------------------------\n    DHS\'s Cybersecurity and Infrastructure Security Agency\'s \nInfrastructure Security Compliance Division (ISCD) manages the CFATS \nprogram. According to DHS, the Department received approximately $911 \nmillion for the CFATS program for the period beginning fiscal year 2007 \nthrough fiscal year 2018.\n    My testimony today summarizes our past work examining DHS\'s \nmanagement of the CFATS program, and provides updates on actions DHS \nhas taken to address our prior recommendations. This testimony is based \non our reports issued from July 2012 through August 2018.\\6\\ For these \nreports, we reviewed applicable laws and regulations, DHS policies and \nprocedures, DHS data on tiered facilities, information on the approach \nDHS used to determine a facility\'s risk, and process for reviewing \nsecurity plans. We also interviewed DHS officials about how facilities \nare placed in risk-based tiers, how DHS assesses risk, and how it \nreviews and approves facility security plans. Additional details on the \nscope and methodology are available in our published reports. In \naddition, this statement contains updates as of September 2018 from DHS \non actions it has taken to address the recommendations made in our \nprior reports.\n---------------------------------------------------------------------------\n    \\6\\ GAO, Critical Infrastructure Protection: DHS Is Taking Action \nto Better Manage Its Chemical Security Program, but It Is Too Early to \nAssess Results, GAO-12-515T (Washington, DC: July 26, 2012); Critical \nInfrastructure Protection: DHS Efforts to Assess Chemical Security Risk \nand Gather Feedback on Facility Outreach Can Be Strengthened, GAO-13-\n353 (Washington, DC: Apr. 5, 2013); Critical Infrastructure Protection: \nDHS Efforts to Identify, Prioritize, Assess, and Inspect Chemical \nFacilities, GAO-14-365T (Washington, DC: Feb. 27, 2014); Critical \nInfrastructure Protection: Observations on DHS Efforts to Implement and \nManage Its Chemical Security Program, GAO-14-608T (Washington, DC: May \n14, 2014); Chemical Safety: Actions Needed to Improve Federal Oversight \nof Facilities with Ammonium Nitrate, GAO-14-274 (Washington, DC: May \n19, 2014); Critical Infrastructure Protection: DHS Action Needed to \nVerify Some Chemical Facility Information and Manage Compliance \nProcess, GAO-15-614 (Washington, DC, July 22, 2015); Critical \nInfrastructure Protection: Improvements Needed for DHS\'s Chemical \nFacility Whistleblower Report Process, GAO-16-572, (Washington, DC: Jul \n12, 2016); Critical Infrastructure Protection: DHS Has Implemented Its \nChemical Security Expedited Approval Program and Participation Has Been \nLimited, GAO-17-502 (Washington, DC: June 29, 2017); Critical \nInfrastructure Protection: Progress and Challenges in DHS\'s Management \nof Its Chemical Facility Security Program, GAO-18-613T (Washington, DC: \nJune 14, 2018); and Critical Infrastructure Protection: DHS Should Take \nActions to Measure Reduction in Chemical Facility Vulnerability and \nShare Information with First Responders, GAO-18-538 (Washington, DC: \nAug. 8, 2018).\n---------------------------------------------------------------------------\n    The work upon which this statement is based was conducted in \naccordance with generally accepted Government auditing standards. Those \nstandards require that we plan and perform the audit to obtain \nsufficient, appropriate evidence to provide a reasonable basis for our \nfindings and conclusions based on our audit objectives. We believe that \nthe evidence obtained provides a reasonable basis for our findings and \nconclusions based on our audit objectives.\ndhs has made progress addressing past challenges, but some actions are \n                            still under way\n    Our past work has identified progress and challenges in a number of \nareas related to DHS\'s management of the CFATS program, including: (1) \nThe process for identifying high-risk chemical facilities; (2) how it \nassesses risk and prioritizes facilities; (3) reviewing and approving \nfacility site security plans; (4) inspecting facilities and ensuring \ncompliance; and (5) efforts to conduct outreach with stakeholders and \nfirst responders.\nIdentifying High-Risk Chemical Facilities\n    In May 2014, we found that more than 1,300 facilities had reported \nhaving ammonium nitrate to DHS. However, based on our review of State \ndata and records, there were more facilities with ammonium nitrate \nholdings than those that had reported to DHS under the CFATS \nprogram.\\7\\ Thus, we concluded that some facilities weren\'t required to \nreport to DHS and some that were required may have failed to do so.\\8\\ \nWe recommended that DHS work with other agencies, including the \nEnvironmental Protection Agency (EPA), to develop and implement methods \nof improving data sharing among agencies and with States as members of \na Chemical Facility Safety and Security Working Group.\\9\\ DHS agreed \nwith our recommendation and has since addressed it. Specifically, DHS \ncompared DHS data with data from other Federal agencies, such as EPA, \nas well as member states from the Chemical Facility Safety and Security \nWorking Group to identify potentially noncompliant facilities. As a \nresult of this effort, in July 2015, DHS officials reported that they \nhad identified about 1,000 additional facilities that should have \nreported information to comply with CFATS and subsequently contacted \nthese facilities to ensure compliance. DHS officials told us that they \ncontinue to engage with States to identify potentially non-compliant \nfacilities. For example, as of June 2018, DHS officials stated that \nthey have received 43 lists of potentially noncompliant facilities from \n34 State governments, which are in various stages of review by DHS. DHS \nofficials also told us that they hired an individual to serve as the \nlead staff member responsible for overseeing this effort.\n---------------------------------------------------------------------------\n    \\7\\ GAO-14-274. We reviewed Emergency Planning and Community Right-\nto-Know Act of 1986 data from Texas and Alabama, which have different \nreporting criteria than CFATS. Under section 312 of the act and \nEnvironmental Protection Agency\'s regulations, facilities with 10,000 \npounds or more of ammonium nitrate generally must submit an annual \nchemical inventory report to their designated State and local \nauthorities. 42 U.S.C. \x06 11022, 40 C.F.R. \x06 370.10(a)(2)(i).\n    \\8\\ Consistent with law and regulation, certain facilities--\nincluding, in general, facilities regulated under the Maritime \nTransportation Security Act of 2002 (Public Law 107-295, 116 Stat. \n2064), public water systems or wastewater treatment facilities, \nfacilities owned and operated by the Department of Defense or the \nDepartment of Energy, and facilities subject to regulation by the \nNuclear Regulatory Commission or in accordance with the Atomic Energy \nAct of 1954--are not subject to regulation under CFATS and are referred \nto as excluded facilities. See 6 U.S.C. \x06 621(4); 6 C.F.R. \x06 27.110(b). \nIn addition, pursuant to its authority under 6 C.F.R. \x06 27.210(c), DHS \nhas extended the deadline for submitting CFATS reports until further \nnotice for certain agricultural production facilities, such as farms, \nranches, turfgrass growers, golf courses, nurseries, and public and \nprivate parks. See Notice to Agricultural Facilities About Requirement \nTo Complete DHS\'s Chemical Security Assessment Tool, 73 Fed. Reg. 1640 \n(Jan. 9, 2008).\n    \\9\\ Executive Order 13650--Improving Chemical Facility Safety and \nSecurity established a Chemical Facility Safety and Security Working \nGroup, composed of representatives from DHS; EPA; and the Departments \nof Justice, Agriculture, Labor, and Transportation, and directed the \nworking group to identify ways to improve coordination with State and \nlocal partners; enhance Federal agency coordination and information \nsharing; modernize policies, regulations, and standards; and work with \nstakeholders to identify best practices. See Exec. Order No. 13,650 \n(Aug. 1, 2013), 78 Fed. Reg. 48,029 (Aug. 7, 2013).\n---------------------------------------------------------------------------\n    DHS has also taken action to strengthen the accuracy of data it \nuses to identify high-risk facilities. In July 2015, we found that DHS \nused self-reported and unverified data to determine the risk \ncategorization for facilities that held toxic chemicals that could \nthreaten surrounding communities if released.\\10\\ At the time, DHS \nrequired that facilities self-report the Distance of Concern--an area \nin which exposure to a toxic chemical cloud could cause serious injury \nor fatalities from short-term exposure--as part of its Top Screen.\\11\\ \nWe estimated that more than 2,700 facilities with a toxic release \nthreat had misreported the Distance of Concern and therefore \nrecommended that DHS: (1) Develop a plan to implement a new Top Screen \nto address errors in the Distance of Concern submitted by facilities, \nand (2) identify potentially miscategorized facilities that could cause \nthe greatest harm and verify that the Distance of Concern of these \nfacilities report is accurate.\\12\\ DHS has fully addressed both of \nthese recommendations. Specifically, in response to the first \nrecommendation, DHS implemented an updated Top Screen survey in October \n2016 and now collects data from facilities and conducts more accurate \nmodeling to determine the actual area of impact (formerly called the \nDistance of Concern), rather than relying on the facilities\' \ncalculation. In response to the second recommendation, DHS officials \nreported in November 2016 that they reassessed all facility Top Screens \nthat reported threshold quantities of chemicals posing a toxic release \nthreat, and identified 158 facilities with the potential to cause the \ngreatest harm. In April 2018, DHS officials reported that all of these \nfacilities have since been reassessed using updated Top Screen \ninformation and, where appropriate, assigned a risk tier.\n---------------------------------------------------------------------------\n    \\10\\ GAO-15-614.\n    \\11\\ Any chemical facility that possesses any of the 322 chemicals \nin the quantities that meet or exceed the threshold quantity or \nconcentration outlined in Appendix A to the DHS CFATS rule is required \nto complete the Chemical Security Assessment Tool (CSAT) Top Screen--\nwhich is the initial screening tool or document whereby the facility is \nto provide DHS various data, including the name and location of the \nfacility and the chemicals and their quantities at the site. See 6 \nC.F.R. \x06 27.200(b); see also 72 Fed. Reg. 65,396 (Nov. 20, 2007) \n(codified at 6 C.F.R. pt. 27, App. A).\n    \\12\\ We recalculated the Distance of Concern for a generalizable \nsample of facilities--a simple random sample of 475 facilities from the \npopulation of 36,811 facilities that submitted Top Screens since the \ninception of the CFATS program in 2007 through January 2, 2015--and \ncompared these results to what facilities reported in their Top Screen \nsubmission. Based upon this sample, we estimated that 4,173 facilities \nwith a toxic release chemical misreported the Distance of Concern, with \nan associated 95 percent confidence interval of 2,798 to 5,822 \nfacilities.\n---------------------------------------------------------------------------\nAssessing Risk and Prioritizing Facilities\n    DHS has also taken actions to better assess regulated facilities\' \nrisks in order to place the facilities into the appropriate risk tier. \nIn April 2013, we reported that DHS\'s risk assessment approach did not \nconsider all of the elements of threat, vulnerability, and consequence \nassociated with a terrorist attack involving certain chemicals. Our \nwork showed that DHS\'s CFATS risk assessment methodology was based \nprimarily on consequences from human casualties, but did not consider \neconomic consequences, as called for by the National Infrastructure \nProtection Plan (NIPP) and the CFATS regulation. We also found that: \n(1) DHS\'s approach was not consistent with the NIPP because it treated \nevery facility as equally vulnerable to a terrorist attack regardless \nof location or on-site security, and (2) DHS was not using threat data \nfor 90 percent of the tiered facilities--those tiered for the risk of \ntheft or diversion--and using 5-year-old threat data for the remaining \n10 percent of those facilities that were tiered for the risks of toxic \nchemical release or sabotage. We recommended that DHS enhance its risk \nassessment approach to incorporate all elements of risk and conduct an \nindependent peer review after doing so. DHS agreed with our \nrecommendations and has implemented actions to address both of them.\n    Specifically, with regard to our recommendation that DHS enhance \nits risk assessment approach to incorporate all elements of risk, DHS \nworked with Sandia National Laboratories to develop a model to estimate \nthe economic consequences of a chemical attack. In addition, DHS worked \nwith Oak Ridge National Laboratory to devise a new tiering methodology, \ncalled the Second Generation Risk Engine. In so doing, DHS revised the \nCFATS threat, vulnerability, and consequence scoring methods to better \ncover the range of CFATS security issues. Additionally, with regard to \nour recommendation that DHS conduct a peer review after enhancing its \nrisk assessment approach, DHS conducted peer reviews and technical \nreviews with Government organizations and facility owners and \noperators, and worked with Sandia National Laboratories to verify and \nvalidate the CFATS program\'s revised risk assessment methodology.\n    To further enhance its risk assessment approach, in the fall of \n2016, DHS also revised its Chemical Security Assessment Tool (CSAT), \nwhich supports DHS efforts to gather information from facilities to \nassess their risk. According to DHS officials, the new tool--called \nCSAT 2.0--is intended to eliminate duplication and confusion associated \nwith DHS\'s original CSAT. DHS officials told us that they have improved \nthe tool by revising some questions in the original CSAT to make them \neasier to understand; eliminating some questions; and pre-populating \ndata from one part of the tool to another so that users do not have to \nretype the same information multiple times. DHS officials also told us \nthat the facilities that have used the CSAT 2.0 have provided favorable \nfeedback that the new tool is more efficient and less burdensome than \nthe original CSAT. Finally, DHS officials told us that, as of June \n2018, DHS completed all notifications and processed tiering results for \nall but 226 facilities. DHS officials did not provide an estimated \ntarget completion date for these pending risk assessments, noting that \ncompleting the assessments is highly dependent on the facilities \nproviding the necessary Top Screen information.\nReviewing and Approving Facility Site Security Plans\n    DHS has also made progress reviewing and approving facility site \nsecurity plans by reducing the time it takes to review these plans and \neliminating the backlog of plans awaiting review. In April 2013, we \nreported that DHS revised its procedures for reviewing facilities\' \nsecurity plans to address DHS managers\' concerns that the original \nprocess was slow, overly complicated, and caused bottlenecks in \napproving plans.\\13\\ We estimated that it could take DHS another 7 to 9 \nyears to review the approximately 3,120 plans in its queue at that \ntime. We also estimated that, given the additional time needed to do \ncompliance inspections, the CFATS program would likely be implemented \nin 8 to 10 years. We did not make any recommendations for DHS to \nimprove its procedures for reviewing facilities\' security plans because \nDHS officials reported that they were exploring ways to expedite the \nprocess, such as reprioritizing resources and streamlining inspection \nrequirements. In July 2015, we reported that DHS had made substantial \nprogress in addressing the backlog--estimating that it could take \nbetween 9 and 12 months for DHS to review and approve security plans \nfor the approximately 900 remaining facilities.\\14\\ DHS officials \nattributed the increased approval rate to efficiencies in DHS\'s review \nprocess, updated guidance, and a new case management system. \nSubsequently, DHS reported in its December 2016 semi-annual report to \nCongress that it had eliminated its approval backlog.\\15\\\n---------------------------------------------------------------------------\n    \\13\\ GAO-13-353.\n    \\14\\ GAO-15-614.\n    \\15\\ Department of Homeland Security, National Protection and \nPrograms Directorate, Implementation Status of the Chemical Facility \nAnti-Terrorism Standards: Second Semiannual, Fiscal Year 2016 Report to \nCongress (Washington, DC: December 9, 2016).\n---------------------------------------------------------------------------\n    Finally, we found in our 2017 review that DHS took action to \nimplement an Expedited Approval Program (EAP).\\16\\ The CFATS Act of \n2014 required that DHS create the EAP as another option that tier 3 and \ntier 4 chemical facilities may use to develop and submit security plans \nto DHS.\\17\\ Under the program, these tier 3 and 4 facilities may \ndevelop a security plan based on specific standards published by DHS \n(as opposed to the more flexible performance standards using the \nstandard, non-expedited process). DHS issued guidance intended to help \nfacilities prepare and submit their EAP security plans to DHS, which \nincludes an example that identifies prescriptive security measures that \nfacilities are to have in place. According to committee report \nlanguage, the EAP was expected to reduce the regulatory burden on \nsmaller chemical companies, which may lack the compliance \ninfrastructure and the resources of large chemical facilities, and help \nDHS to process security plans more quickly.\\18\\ If a tier 3 or 4 \nfacility chooses to use the expedited option, DHS is to review the plan \nto determine if it is facially deficient, pursuant to the reporting \nrequirements of the CFATS Act of 2014.\\19\\ If DHS approves the EAP site \nsecurity plan, it is to subsequently conduct a compliance inspection.\n---------------------------------------------------------------------------\n    \\16\\ GAO-17-502.\n    \\17\\ See 6 U.S.C. \x06 622(c)(4). Under the CFATS rule, once a \nfacility is assigned a final tier, it is to submit a site security plan \nor participate in an alternative security program in lieu of a site \nsecurity plan. An alternative security program is a third-party or \nindustry organization program, a local authority, State, or Federal \nGovernment program, or any element or aspect thereof that DHS \ndetermines meets the requirements of the regulation and provides an \nequivalent level of security to that established by the regulation. See \n6 C.F.R. \x06 27.105. Chemical facilities assessed by DHS and considered \nto be high-risk are placed into one of four risk-based tiers (with tier \n1 being the highest-risk tier and 4 being the lowest).\n    \\18\\ S. Rep. No. 113-263, at 9-10 (Sept. 18, 2014).\n    \\19\\ A facially-deficient site security plan is defined as a \nsecurity plan that does not support a certification that the security \nmeasures in the plan address the security vulnerability assessment and \nrisk-based performance standards, based on a review of the facility\'s \nsite security plan, the facility\'s Top Screen, the facility\'s security \nvulnerability assessment, or any other information that the facility \nsubmits to ISCD or ISCD obtains from a public source or other source. 6 \nU.S.C. \x06 621(7). Specifically, ISCD determines that an EAP site \nsecurity plan is deficient if it: Does not include existing or planned \nmeasures which satisfy applicable Risk-Based Performance Standard; \nmaterially deviates from at least one EAP security measure without \nadequately explaining that the facility has a comparable security \nmeasure; and/or contains a misrepresentation, omission, or inaccurate \ndescription of at least one EAP security measure. A facility is to \nimplement any planned security measures within 12 months of the EAP \nsite security plan\'s approval because ISCD has determined that it is \nunlikely that all required security measures will be in place when a \nfacility submits its plan to ISCD.\n---------------------------------------------------------------------------\n    In 2017, we found that DHS had implemented the EAP and had reported \nto Congress on the program, as required by the CFATS Act of 2014.\\20\\ \nIn addition, as of June 2018, according to DHS officials, only 18 of \nthe 3,152 facilities eligible to use the EAP had opted to use it. DHS \nofficials attributed the low participation to several possible factors \nincluding:\n---------------------------------------------------------------------------\n    \\20\\ GAO-17-502.\n---------------------------------------------------------------------------\n  <bullet> DHS had implemented the expedited program after most \n        eligible facilities already submitted standard (non-expedited) \n        security plans to DHS;\n  <bullet> facilities may consider the expedited program\'s security \n        measures to be too strict and prescriptive, not providing \n        facilities the flexibility of the standard process; and\n  <bullet> the lack of an authorization inspection may discourage some \n        facilities from using the expedited program because this \n        inspection provides useful information about a facility\'s \n        security.\\21\\\n---------------------------------------------------------------------------\n    \\21\\ An authorization inspection consists of an initial, physical \nreview of the facility to determine if the Top Screen, security \nvulnerability assessment, and site security plan accurately represent \nand address the risks for the facility.\n---------------------------------------------------------------------------\n    We also found in 2017 that recent changes made to the CFATS program \ncould affect the future use of the expedited program.\\22\\ As discussed \npreviously, DHS has revised its methodology for determining the level \nof each facility\'s security risk, which could affect a facility\'s \neligibility to participate in the EAP.\n---------------------------------------------------------------------------\n    \\22\\ GAO-17-502.\n---------------------------------------------------------------------------\nInspecting Facilities and Ensuring Compliance\n    In our July 2015 report, we found that DHS began conducting \ncompliance inspections in September 2013, and by April 2015, had \nconducted inspections of 83 of the inspected 1,727 facilities that had \napproved security plans.\\23\\ Our analysis showed that nearly half of \nthe facilities were not fully compliant with their approved site \nsecurity plans and that DHS had not used its authority to issue \npenalties because DHS officials found it more productive to work with \nfacilities to bring them into compliance. We also found that DHS did \nnot have documented processes and procedures for managing the \ncompliance of facilities that had not implemented planned measures by \nthe deadlines outlined in their plans. We recommended that DHS document \nprocesses and procedures for managing compliance to provide more \nreasonable assurance that facilities implement planned measures and \naddress security gaps. DHS agreed and has since taken steps toward \nimplementing this recommendation. Specifically, DHS revised CFATS \nStandard Operating Procedures that, as of February 2019, we are \nreviewing to determine if they sufficiently document the processes and \nprocedures currently being used to track noncompliant facilities and \nensure facilities implement planned measures as outlined in their \napproved site security plans.\n---------------------------------------------------------------------------\n    \\23\\ GAO-15-614.\n---------------------------------------------------------------------------\n    In August 2018, we reported that our analysis of DHS data since our \n2015 report showed that DHS has made substantial progress in conducting \nand completing compliance inspections.\\24\\ Specifically, our analysis \nshowed that DHS increased the number of compliance inspections \ncompleted per year since DHS began conducting compliance inspections in \n2013 and that, for the 2,466 high-risk facilities with an approved site \nsecurity plan as of May 2018, DHS had conducted 3,553 compliance \ninspections.\\25\\ Of these, DHS issued corrective actions to 2 \nfacilities that were not in compliance with their approved site \nsecurity plan.\\26\\\n---------------------------------------------------------------------------\n    \\24\\ GAO-18-538.\n    \\25\\ In accordance with the CFATS regulations, as a general matter, \nDHS intends to require facilities in Tiers 1 and 2 to update their Top \nScreen every 2 years, and for Tiers 3 and 4 every 3 years. DHS conducts \ncompliance inspections on a regular and recurring basis. DHS officials \nstated that compliance inspections are prioritized based on several \nfactors including tier and the number of planned security enhancements \nrequired at facilities.\n    \\26\\ In addition to these two corrective actions, we reported in \nAugust 2018 that, since fiscal year 2015, DHS has issued 5 additional \norders to 4 high-risk facilities with final penalties totaling \n$38,691.88. Of these 5 orders, 3 included the failure of a facility to \nsubmit an approvable security plan and 2 included the failure of a \nfacility to submit a Top Screen.\n---------------------------------------------------------------------------\n    In our August 2018 report, we also found that DHS developed a new \nmethodology and performance measure for the CFATS program in order to \nevaluate security changes made by high-risk chemical facilities, but \nthat the methodology does not measure the program\'s impact on reducing \na facility\'s vulnerability to an attack. We found that DHS could take \nsteps to evaluate vulnerability reduction resulting from the CFATS \ncompliance inspection process. We recommended that DHS incorporate \nvulnerability into the new methodology to help measure the reduction in \nthe vulnerability of high-risk facilities to a terrorist attack, and \nuse that data in assessing the CFATS program\'s performance in lowering \nrisk and enhancing National security. DHS agreed and is taking steps to \nimplement this recommendation. Specifically, in September 2018, DHS \nreported making progress toward the implementation of 2 new performance \nmetrics by the end of the first quarter of fiscal year 2019. DHS \nofficials stated that these metrics should, among other things, \nevaluate the progress of individual facilities in enhancing their \nsecurity while part of the CFATS program and be used to demonstrate an \nincrease in the security posture across the population of CFATS \nfacilities.\nConducting Stakeholder and First Responder Outreach\n    In April 2013, we reported that DHS took various actions to work \nwith facility owners and operators, including increasing the number of \nvisits to facilities to discuss enhancing security plans, but that some \ntrade associations had mixed views on the effectiveness of DHS\'s \noutreach.\\27\\ We found that DHS solicited informal feedback from \nfacility owners and operators in its efforts to communicate and work \nwith them, but did not have an approach for obtaining systematic \nfeedback on its outreach activities. We recommended that DHS take \naction to solicit and document feedback on facility outreach consistent \nwith DHS efforts to develop a strategic communication plan. DHS agreed \nand has implemented this recommendation by developing a questionnaire \nto solicit feedback on outreach with industry stakeholders and began \nusing the questionnaire in October 2016.\n---------------------------------------------------------------------------\n    \\27\\ GAO-13-353.\n---------------------------------------------------------------------------\n    In August 2018, we reported that DHS shares some CFATS information \nwith first responders and emergency planners, but these stakeholders \nmay not have all of the information they need to minimize the risk of \ninjury or death when responding to incidents at high-risk \nfacilities.\\28\\ While certain facilities are required under the \nEmergency Planning and Community Right-to-Know Act of 1986 to report \nsome chemical inventory information, which local officials told us they \nrely on to prepare for and respond to incidents at chemical facilities, \nwe found over 200 chemicals covered by CFATS that may not be covered by \nthese reporting requirements.\\29\\ We also reported that DHS developed a \nsecure interface called the Infrastructure Protection (IP) Gateway that \nprovides access to CFATS facility-specific information that may be \nmissing from required reporting. However, we found that the IP Gateway \nis not widely used at the local level and officials from 13 of 15 \nselected Local Emergency Planning Committees we contacted--consisting \nof first responders and covering 373 CFATS high-risk facilities--said \nthey did not have access to CFATS data in the IP Gateway. We \nrecommended that DHS should take actions to encourage access to and \nwider use of the IP Gateway and explore other opportunities to improve \ninformation sharing with first responders and emergency planners. DHS \nconcurred with this recommendation and reported in September 2018 that \nthey are taking actions to implement it. Specifically, DHS has revised \n3 fact sheets and an outreach presentation to include information on \nthe IP Gateway and how to request access to it. In addition, DHS plans \nto ensure contact is made with first responders representing the top 25 \npercent of CFATS high-risk chemical facilities by no later than March \n2019 so that they are properly prepared to respond to incidents at \nthese facilities.\n---------------------------------------------------------------------------\n    \\28\\ GAO-18-538.\n    \\29\\ Under Section 312 of the Emergency Planning and Community \nRight-to-Know Act of 1986 (EPCRA), facilities are required to submit an \nemergency and hazardous chemical inventory form--referred to as a Tier \n2 form. See 42 U.S.C. \x06 11022. The purpose of this form is to provide \nState and local officials and the public with specific information on \npotential hazards. This includes the locations and amount of hazardous \nchemicals present at a facility during the previous calendar year.\n---------------------------------------------------------------------------\n    Chairman Thompson, Ranking Member Rogers, and Members of the \ncommittee, this completes my prepared statement. I would be pleased to \nrespond to any questions that you may have at this time.\n\n    Chairman Thompson. I thank all the witnesses for their \ntestimony. I remind each Member that he or she will have 5 \nminutes to question the panel.\n    Now, I will recognize myself for questions. You saw the \npicture on the screen earlier about the 12 first responders in \nWest, Texas who, unfortunately, lost their life because they \nwere basically responding to an incident that we could possibly \ncover on the CFATS.\n    Now, the law requires DHS to share such information as is \nnecessary. So, Mr. Anderson, you indicated in your testimony \nthat GAO surveyed first responders and emergency planners last \nyear about whether such critical information is getting shared. \nTell us what you found in that survey?\n    Mr. Anderson. Of course. As part of our work, we looked at \n13 or interviewed 13 to 15 local emergency planning committees. \nThese committees cover about 373 high-risk facilities. Thirteen \nof those 15 local emergency planning committees did not have \naccess to the information in CFATS that could potentially be \nuseful to first responders and emergency planners.\n    Chairman Thompson. So the majority of the information that \nwas available, just was not being shared?\n    Mr. Anderson. I think it is a situation of access. DHS has \nstood up something called the IP Gateway, which is a forum and \na vehicle for communicating that kind of information to first \nresponders. I think this is a situation where the first \nresponders either did not have access or were not familiar with \nhow to use the IP Gateway system.\n    Chairman Thompson. So Mr. Wulf, can you provide the \ncommittee with what do you see as a way forward in this \nrespect?\n    Mr. Wulf. Absolutely, Mr. Chairman. I appreciate the \nopportunity.\n    So obviously the sharing of information with first \nresponders is of the utmost importance and is something that we \nhighly prioritize as a result. Those who may be called upon to \nrespond to incidents at facilities, high-risk facilities, or \nother facilities, holding chemicals, need information about \nthose facilities.\n    They need information about the chemical holdings so they \nknow what they are walking into when they attempt to save lives \nand property.\n    So we have redoubled our efforts over the past couple of \nyears, to reach to local emergency planning committees.\n    In fact, in 2018, we visited more than 800 of those local \nemergency planning committees, and we are right now in the \nmidst of a push to reach emergency planning committees \nassociated with the highest population, CFATS-covered \nfacilities in the various counties, the top 25 percent of those \ncounties across the country.\n    I think another important thing to remember is that CFATS \nand our chemical security inspectors across the country promote \nsharing of information with first responders and do that in a \nway that connects them directly with facilities.\n    So one of the CFATS risk-based performance standards, RBPS \n9, is focused on response, and it requires that every high-risk \nfacility reach out to make contact with their local first \nresponders. In many cases our inspectors, our CFATS team, \nfacilitates that contact and that communication.\n    So I think that is another important way in which we are \ncontinuing to get the word out. We are pushing, as well, \ninformation about that IP Gateway and signing more and more \nfolks up every day----\n    Chairman Thompson. So----\n    Mr. Wulf. To gain access to the portal.\n    Chairman Thompson. Before I lose my time, you know, that \nwas this requirement that at least 25 percent that you \nreferenced in your comments would be done by the end of March. \nWhere are you percentage-wise with hitting that target?\n    Mr. Wulf. We are on track to have that done by the end of \nMarch.\n    Chairman Thompson. After that, what is the next target?\n    Mr. Wulf. We will continue, you know, circling back. We \nhave met with literally thousands of local emergency planning \ncommittees.\n    We are committed to continuing to ride that circuit and to \nensure that relevant folks, those who have a need-to-know \ninformation about chemical facilities and chemical holdings, \nbecause they may be called to run into those facilities, have \nthe information----\n    Chairman Thompson. Well, the reason I said that, as I look \nat the membership of the committee present, a lot of us \nrepresent volunteer fire departments in our respective \ndistricts.\n    So I think it is really incumbent upon us to push this \ninformation out to those departments so that those first \nresponders who are unpaid, doing their civic duty, would not be \nput at risk simply because the information that is available is \nnot being shared.\n    Can you give the committee some kind of a guestimate as to \nwhen the process can be completed?\n    Mr. Wulf. Well, you know, I would say that it is going to \nbe an on-going kind of continuing effort. I don\'t think we will \never stop the outreach.\n    But we will get through those 25 percent highest-density \ncounties in the next month. I would suspect that, you know, \ntoward the end of this calendar year we will have gotten to \nmost of the other LEPCs across the country, as well. In many \ncases, those will be repeat visits.\n    Chairman Thompson. Thank you.\n    I will now recognize the Ranking Member of the full \ncommittee is the gentleman from Alabama, Mr. Rogers, for \nquestions.\n    Mr. Rogers. Thank you, Mr. Chairman. I gather from your \nopening statements that CFATS is working well. Is that a fair--\nnow you suggested some improvements, but generally, it is \nworking well?\n    Mr. Anderson. The program has progressed over the years and \nhas implemented the majority of GAO\'s recommendations so on \nthat score, yes.\n    Mr. Rogers. You mentioned some recommendations, but I \ndidn\'t hear anything major that you thought needed to be \nimproved. Is that accurate?\n    Mr. Anderson. We don\'t have any open recommendations that \nwould be easily directed to, you know, like the safety of a \nfacility itself.\n    Our recommendations that are open and not implemented do \ndeal with whether or not first responders have all the \ninformation they need. So on that score, I would consider that \na major recommendation, ensuring that the people who respond to \nthese events have the right kind of information.\n    The other recommendation that we have that is currently \nopen is on whether or not the program itself can speak to just \nhow much risk is reduced.\n    As the program evolves, we would like to see them get to \nthe point where they can say, for X number of dollars invested, \nhere is how much risk has been reduced through this process, \nthrough CFATS.\n    Mr. Rogers. OK.\n    Mr. Wulf, how would you distinguish CFATS from other \nsecurity regulatory programs, like EPA, OSHA, ATF?\n    Mr. Wulf. Yes, so I appreciate the question. CFATS is a \nvery comprehensive, very security-focused regulatory program. \nSo programs administered by EPA and OSHA focus primarily on \nsafety. Our program, the CFATS program, is a security-focused \nanti-terrorism program.\n    At its core our 18 risk-based performance standards \naddressing physical security measures to deter, detect, delay \nterrorist attacks, cybersecurity, insider threat, and the \nvarious security-focused threat streams.\n    So I think it is a program that is flexible in its \napproach, which I think is well-suited to the wide diversity of \nfacilities that compose the CFATS-regulated universe. It is a \nprogram that is very well-suited to its task.\n    Mr. Rogers. Great. Mr. Wulf, do you feel that any CFATS \nfacilities are subject to duplicate security regulations from \nthe jurisdiction of other Federal agencies?\n    Mr. Wulf. So that is a a good question. I would say that \ngiven the comprehensive nature of the CFATS program, although \nthere are certainly facilities that are touched by a variety of \ndifferent programs, CFATS is in all cases bringing something \nadditional to the table.\n    Where facilities are, perhaps, doing things under a \ndifferent program, if they are putting in place measures, say, \nto satisfy ATF requirements, but those measures also work to \nsatisfy our DHS CFATS requirements, we absolutely encourage \nfacilities to take credit for and apply those measures within \nCFATS. They are not required to duplicate work for CFATS.\n    Mr. Rogers. Great, thank you. That is all I have.\n    I yield back.\n    Chairman Thompson. Thank you very much.\n    The Chair now recognizes other Members for questions they \nmay wish to ask the witnesses. In accordance with our committee \nrules, I will recognize Members who were present at the start \nof the hearing, based on seniority on the committee, \nalternating between Majority and Minority. Those Members coming \nin later will be recognized in the order of their arrival.\n    The Chair now recognizes for 5 minutes the gentleman from \nRhode Island, Mr. Langevin.\n    Mr. Langevin. Thank you, Mr. Chairman. I want to thank you \nfor holding this important hearing.\n    I want to thank our witnesses for your testimony this \nmorning.\n    I am glad we touched on the issue of cybersecurity in the \nfacility issues and inspections that are done.\n    So I want to start with Mr. Wulf, if I could? DHS does \nprovide that cyber is one of the l8 performance standards \nfacilities must address.\n    So I want to start out with the question of what \ncybersecurity guidance does the CFATS program actually provide \nto facilities? What cybersecurity requirements does CFATS make \nof facilities?\n    Mr. Wulf. I appreciate that question. CFATS has been in \nmany ways, I think, ahead of the curve with cybersecurity. So \ncybersecurity has been an important part of the program since \nits inception.\n    I would say broadly speaking our focus is on working with \nfacilities to ensure that they have policies and procedures in \nplace essentially to deter, to detect, and/or to delay cyber \nintrusions.\n    So, you know, we work with them. We have our inspectors \ntrained. Many of our inspectors have been provided advanced \ncybersecurity training.\n    We have cybersecurity experts in our headquarters who work \nwith facilities as they develop their site security plans, as \nthey think through ways in which they can appropriately \nrestrict access to critical cyber systems, ways in which they \ncan restrict privileges, ensure that they have appropriate \npatches in place, that they are, you know, that they are in the \nbest position possible to protect themselves against malware, \nagainst ransomware, against the, you know, the panoply of cyber \nthreats that are out there.\n    Mr. Langevin. So what are the specific requirements, the \ncyber requirements that you put on these facilities? How do you \naudit those requirements to determine compliance?\n    Mr. Wulf. Yes, so we will conduct inspections of facilities \nacross all of their risk-based performance standards and that \nincludes cyber.\n    So, you know, even before a facility site security plan is \nimproved, our inspectors will be out helping facilities to \ndevelop the policies and procedures they will put in place from \na cybersecurity perspective. When their plans have been \napproved, we will be back on a regular cycle of compliance \ninspections.\n    So as I mentioned earlier, CFATS is a non-prescriptive, \nflexible program. So we don\'t have hard and fast requirements. \nWe have standards that facilities need to meet.\n    So, you know, we will work with facilities to assess what \nworks for a particular facility given its particular operations \nand the level of integration of its cyber systems with its \nchemical processes and industrial control systems, et cetera.\n    Mr. Langevin. So am I to understand that they are setting \ntheir own standards?\n    Mr. Wulf. They are not setting their own standards. They \nhave some flexibility in the types of policies and procedures \nthey can apply to meet the spirit of the cybersecurity standard \nunder CFATS.\n    But no two chemical facilities are alike. So some \nfacilities have cyber systems that are very highly integrated \nwith their industrial control systems, with their chemical \nprocesses. Some have no integrations whatsoever. So there may \nbe a difference from facility to facility, as to what we are \ngoing to ask them to have in place to get to a place where we \ncan approve their site security plan.\n    Mr. Langevin. OK. I have other questions for you, but I am \ngoing to go to Mr. Anderson, if I could?\n    Mr. Anderson, staying on the topic of cybersecurity, what \ndoes GAO evaluate the maturity of the CFATS cybersecurity \nreviews to be? Do you have suggestions on how those elements of \nSSPs can be improved?\n    Mr. Anderson. Thank you. We haven\'t done a deep dive audit \ninto the cyber realm. But we have touched on it in our recent \nwork. I think our conclusion is that this may be an area, cyber \nspecifically, where there may be a capability gap.\n    As you may know, GAO produces a high-risk list every 2 \nyears highlighting certain programs that are vulnerable and at \nhigh risk for fraud, waste, abuse, and mismanagement.\n    The cyber area within DHS is one of those where recently we \ndid raise the question about whether or not they have the right \nhuman capital resources to address the cyber threat.\n    Mr. Langevin. Thank you.\n    Mr. Chairman, we may want to ask for a specific GAO report \non this particular topic with respect to cyber to make sure \nthat there is no gap, if we could--something you would \nconsider?\n    Chairman Thompson. Absolutely. I will work with Tim Richman \non making sure we get that request.\n    Mr. Langevin. Thank you.\n    Chairman Thompson. Thank you.\n    The Chair now recognizes the gentleman from North Carolina, \nMr. Walker.\n    Mr. Walker. Thank you, Mr. Chairman.\n    Thank you to our panel today.\n    Mr. Wulf, as the director of the infrastructure security \ncompliance division, my question for you is does every employee \nat each location have access to all areas of the facility? Or \ndo certain chemical facilities have Classified areas? Could you \naddress that for me?\n    Mr. Wulf. Sure, I appreciate the question. The short answer \nis, it varies from facility to facility based upon, you know, \nthe facility management, the facility security officers\' \nassessment as to what makes sense given that facility\'s \nparticular operation.\n    So you may find a facility with restricted access to \ncertain critical assets. You may have a facility on which all \nemployees have access to all parts of the facility.\n    Mr. Walker. Are there any of those scenarios that concern \nyou? Or are you familiar with enough to know, as you said, the \nvarying scenarios? Can you deep dive a little bit more for me?\n    Mr. Wulf. Yes. So, you know, as we work with facilities on \nan individual basis, which we do as each one develops its \ncomprehensive site security plan, you know, we assess whether \nit makes sense to have a more restricted area where high-risk \nchemicals of interest are stored.\n    Whether it makes sense for a particular facility to more \nfully restrict access to some of its employees or perhaps to \ncontractors who are, you know, coming in and out of the \nfacility.\n    Mr. Walker. Yes. Do you have any concerns of any of the \nareas that you have overlooked or reviewed?\n    Mr. Wulf. I would say that we have, you know, identified \nareas of concern as we have worked with facilities to develop \ntheir site security plans. We have been able to address those \nin the course of that SSP development process.\n    So I would not approve a plan about which I had concerns.\n    Mr. Walker. So let me make sure. Is that process in \ndevelopment or are you saying that it is past tense, that those \nhave been resolved in those concerns?\n    Mr. Wulf. Those have been resolved and the site security \nplans have been approved.\n    Mr. Walker. Some proposed reforms have included requiring \nall employees at a facility to be notified of the security \nrequirements under CFATS. Do you agree, Mr. Wulf, that having \nfront office staff, like an accountant or receptionist, know \nthe CFATS plan would add additional security to a chemical \nfacility? Do you agree with that?\n    Mr. Wulf. So the law requires facilities, to the extent \npractical, to involve employees who have relevant security \nexpertise in the development of their site security plans. That \nis, I would say, not likely to include administrative staff.\n    Mr. Walker. So going back to my previous question, that \nwouldn\'t be a concern for you? That in this case the accountant \nor the receptionist know the CFATS plan? You don\'t think that \nwould help as far as adding additional security to a chemical \nfacility?\n    Mr. Wulf. I don\'t imagine that would be particularly \nhelpful.\n    Mr. Walker. OK. Could you describe the additional security \nrisks that may arise from a proposal like this? Can you go in a \nlittle bit more detail? What--would be the issue here?\n    Mr. Wulf. Yes. So I think the core of the issue on the \nsharing of information in the employee context or otherwise is, \nyou know, the importance of ensuring that those folks who have \na need-to-know information, that includes certainly the first \nresponders we discussed earlier, or sort-of a key facility \nsecurity-focused personnel have the information that they need \nto develop plans and to execute security plans.\n    There are processes in place within CFATS, within our risk-\nbased performance standards, that ensure that other employees \nat facilities, even those who, you know, might not be privy to \nall the details of a security plan or of chemical holdings on \nthe facility are, you know, are brought into training, are \nbrought into exercises and drills on incident response so they \nhave what they need in the event of an incident.\n    But I don\'t believe that all employees need access to the \nsecurity features of a plan.\n    Mr. Walker. Thank you, Mr. Wulf.\n    Mr. Chairman, I yield back.\n    Chairman Thompson. Thank you very much.\n    The Chair now recognizes the gentlelady from New Mexico, \nMs. Torres Small.\n    Ms. Torres Small. Thank you, Chairman Thompson.\n    Mr. Wulf, you spoke about--and I was glad to see that you \nmentioned DHS outreach to the chemical security community in \nyour prepared statement and also to see that you had talked \nwith over 800 local emergency planning communities, based on \nyour questions with Chairman Thompson.\n    I would like you to speak specifically to outreach to rural \ncommunities. If there are any--I represent the bottom, more \nthan one-half, of New Mexico. So we have a fair number of large \nrural communities there.\n    So I would like you to speak slightly to if there is any \nadditional outreach you do in these communities where volunteer \nfirefighting departments are in a deeper need.\n    Mr. Wulf. Absolutely. I appreciate that, and we certainly \nwant to and do get out, you know, to both urban, suburban, and \nrural communities. We want to ensure that all who have a need-\nto-know information about high-risk chemical facilities, about \nthe chemical holdings have access to that information.\n    So absolutely, we make an extra effort to get out to rural \ncommunities. We have about 150 inspectors across the country. \nWe have actually put in place across the country some new \nregional offices at which we have put in place regional \noutreach coordinators, training, and exercise coordinators.\n    We have additional firepower at the kind-of agency level as \nwell now to help with that outreach. So very much committed to \ncontinuing on that path.\n    Ms. Torres Small. Do you have any specific resources \ntailored toward these rural communities?\n    Mr. Wulf. I think they are, essentially, the same resources \nthat we provide to all first responders, so access to the IP \nGateway tool. You know, we facilitate connections between those \nfirst responders and facilities in their areas of \nresponsibility and ensure that that happens for each and every \nfacility, rural or otherwise.\n    Ms. Torres Small. In the questions that Chairman Thompson \nasked, I am glad to hear that DHS is on track for the March \n2019 deadline for doing the outreach to the high-risk chemical \nfacilities. Does that information sharing include the specific \nchemical holdings stored on the sites that the first responders \nwould be responding to?\n    Mr. Wulf. Yes, it does. So first responders who have a \nfacility in their sort-of area of jurisdiction can have access. \nWe want them to have access to that information.\n    Ms. Torres Small. Right. I want to switch gears just a \nlittle bit in terms of it appears that DHS relies heavily on \nthe CFATS facilities to reach out to local emergency \nresponders. Then you have inspectors who come in and confirm \nthat that has occurred. Is that accurate?\n    Mr. Wulf. In some cases, that is accurate. We will confirm \nin every case. In some cases we will actually proactively \nfacilitate the introduction and make sure that that happens and \nin many cases participate in those meetings.\n    Ms. Torres Small. If it turns out that there hasn\'t been \noutreach by the facility, would that result in disproving of a \nfacility\'s site security plan?\n    Mr. Wulf. It absolutely would. We would not approve a plan \nwhere that outreach connection has not been made.\n    Ms. Torres Small. Great. We also discussed a little bit the \noutreach that is done to employees of facility plans, so the \ntraining and exercise and drills that are done, but also \nlimiting access on a need-to-know basis.\n    I would like to know a little bit about the input \nrequirement, that there is a requirement to get input from at \nleast one employee, where applicable, or a labor union \nrepresentative informing the facility plan. Do inspectors \nconfirm that that input requirement has been complied with?\n    Mr. Wulf. Inspectors will raise that issue during an \ninspection and will hear from facilities to what extent they \nhave involved employees and/or as kind-of relevant resident \nbargaining unit members in the process. So yes, those \ndiscussions happen during inspections.\n    Ms. Torres Small. Are inspectors required to speak with \nthose employees or union representatives?\n    Mr. Wulf. It is not a requirement.\n    Ms. Torres Small. If it is determined, even if they are not \nspeaking with the employees or labor unions, that there was not \nan employee or labor union representative consulted, does that \nresult in disproving of the security plan?\n    Mr. Wulf. It does not. It does not. So, you know, we sort-\nof leave to the discretion of those who are responsible for \nsecurity of the facility the extent to which it actually is \npractical to involve, you know, however many employees in the \nprocess.\n    Ms. Torres Small. Even though the CFATS Act requires that \ninput?\n    Mr. Wulf. Well, the CFATS Act talks about involvement to \nthe extent practical.\n    Ms. Torres Small. Thank you.\n    Chairman Thompson. Thank you. Thank you very much.\n    The Chair now recognizes gentlelady from Arizona, Mrs. \nLesko.\n    Mrs. Lesko. Thank you, Mr. Chairman. My question is for Mr. \nWulf. The question is, you know, some would say that Department \nof Homeland Security should mandate that CFATS facilities, \nregulated facilities, should adopt inherently safer \ntechnologies to improve security.\n    I have been told that these facilities are opposed to that. \nSo I guess I am asking if you think that is necessary and at \nwhat rate are the facilities already developing these safer \ntechnologies without Federal mandates?\n    Mr. Wulf. Yes, that is a good question. I appreciate it. I \nwould say that organically CFATS has promoted the consideration \nand implementation of facilities of inherently safer \ntechnologies and processes.\n    So, you know, over the course of the program\'s history more \nthan 3,000 facilities have either reduced their holdings of \nhigh-risk chemicals of interest or eliminated them completely, \nsubstituting other less risky chemicals or have changed their \nprocesses and have actually come out of the program, been \ndetermined no longer to be high-risk.\n    You know, to my mind that is a success. That is a win for \nthe program without really the need for an inherently safer \ntechnology mandate.\n    Mrs. Lesko. I have another question for either one of you \nand that is how do you work? I heard earlier how you work with \nlocal responders and a gateway program that they look at. I \ndon\'t know if that is on-line or what it was.\n    But how do you work with the States and local agencies? How \ndo you communicate with them or does every State have an agency \nthat deals directly with you? How does this work?\n    Mr. Wulf. Yes, it varies by State, so, you know, some \nStates have multiple agencies that touch facilities holding \nchemicals. Some States have one. In some States it is the State \nfire marshal, in some States it is the fire marshal plus the \nState Department of Environmental Quality, the State Railroad \nCommission or otherwise.\n    So on a State-by-State basis, we engage with the relevant \nagencies both State and local levels. We prioritize the sharing \nof information about the list of facilities we have under our \npurview, both those that we have tiered as high-risk and those \nthat we have determined to be not high-risk.\n    We kind-of share lists with those State agencies. We \ncrosswalk those lists and we strive to identify what we call \npotential chemical facilities of interest, essentially \npotential outlier facilities with an eye toward bringing into \nthe program to ensure that we are getting the relevant reports \nto run through our risk assessment methodology from facilities \nthat have threshold quantities of chemicals of interest.\n    So that is an area in which we have really stepped up our \nefforts in recent years. We have put into place a leader within \nour organization whose full-time responsibility is to \ncoordinate the outreach that we do for the purpose of bringing \ninto the fold those potential outlier facilities.\n    Mrs. Lesko. One last question, Mr. Chairman.\n    Yesterday, I think it was yesterday, we had testimony from \nsome cybersecurity folks from the Federal Government and one of \nthe things that was identified as a problem is in cybersecurity \nthere are these different silos. They are always working on \ncybersecurity in just that one area and don\'t really share \ninformation.\n    Do you see that as a problem in this sector as well? \nBecause what they were trying to say is usually attackers, \nhackers or foreign governments will not only attack one area, \nbut they will try and attack all of the areas.\n    Mr. Wulf. Yes, and I think that is absolutely a concern and \nit is something that the design of CFATS guards very much \nagainst. So we have 18 risk-based performance standards that \nfacilities work with us to, you know, as they work with us they \nput into place security measures focused not only on physical \nsecurity, but also on cybersecurity, on insider threat, on the, \nyou know, the wide variety of kind of threat vectors that \nexist.\n    So, you know, we believe that a high-risk chemical facility \nthat has an improved site security plan and is implementing \nthat site security plan has hardened itself very effectively \nagainst multi-faceted attacks.\n    Mrs. Lesko. Thank you, Mr. Chair. I yield back my time.\n    Chairman Thompson. Thank you very much.\n    The Chair now recognizes the gentlelady from Michigan, Ms. \nSlotkin.\n    Ms. Slotkin. Good evening--or good morning--Lord, not good \nevening. Thanks for being here. I really appreciate you guys \ndoing this. I am from Michigan and we have a large of number of \nthese facilities, including two in my district. Then just \noutside my district in Detroit, we had a big chemical fire in \nyears that passed. So this one is really of interest to my \ncommunity.\n    I guess my first question, Mr. Wulf, is just on \naccountability. So how would a Member of Congress know after \nMarch whether the facilities in his or her district have \ncommunicated effectively with local law enforcement, that there \nis a shared understanding of kind-of the risks? Like, how would \nI know that after March?\n    Mr. Wulf. Are you talking about the communication with the \nfirst responders?\n    Ms. Slotkin. Yes, just making sure--yes, because I think we \nhad this Detroit fire years ago, years ago. But my \nunderstanding is we did not have full awareness by the first \nresponders. We didn\'t lose anyone, but it certainly was a \npotential risk. So how would I feel comfort that my local \nresponders have been informed with what they need?\n    Mr. Wulf. Yes. So I think I can tell you with confidence \nthat all facilities within the CFATS program, all facilities \ncovered by CFATS, will have made connections with their \nrelevant local first responders. It is a requirement of the \nprogram.\n    It is the focus of one of our risk-based performance \nstandards, number 9 of 18. It is something that we verify and \nfacilitate. So you can rest assured that that is happening \nacross the 3,300 highest-risk chemical facilities and their \nrelevant first responders across the country.\n    Ms. Slotkin. Then are you the senior accountable official \nif for some reason that didn\'t happen, right? Of course, I want \nthat all to happen and I want them to check the box, but if for \nsome reason that hasn\'t happened as it should, are you the \nsenior accountable official for making sure?\n    Mr. Wulf. Yes. Yes.\n    Ms. Slotkin. OK.\n    Mr. Wulf. Call me.\n    Ms. Slotkin. OK, great. Then on cyber, similarly, so again, \na Congresswoman was mentioning this. So if we started to see \ntrends in, you know, these hacktivists or these cyber threats \nagainst chemical facilities, would you know about it?\n    If we started to see a systematic attempt either in one \nState or in a series of States to go after these facilities, is \nthere a reporting mechanism? Are people telling you about the \nthreats that they see? Are you capturing the trends?\n    Mr. Wulf. Yes, so we have within our broader organization a \ncybersecurity division and National cybersecurity and \ncommunications integration center that is focused on threats \nNationally. That is crunching all of the intelligence, the \nthreat streams, and that is communicating with us.\n    So we are in the mix to get that information and we are \ncertainly on a daily basis focused on kind-of the continuing \ncyber and other threat streams that concern our facilities.\n    Ms. Slotkin. Then I am a former CIA officer and so I get a \nlot of--I guess they would call them complaints from people \nback home, generally about the lack of information sharing \nbetween sort-of folks in Washington seeing maybe some of the \nTop Secret- or Secret-level information on threats related to \ncyber and then what actually distills down. It is a consummate, \nyou know, complaint that I hear.\n    So what is your responsibility to go the other direction \nand inform facilities if you are seeing things that raise your \neyebrows? What is your mandate to do that?\n    Mr. Wulf. Yes, and it something that we take very seriously \nand, you know, as the situation might warrant we have \nmechanisms in place to reach to facilities and talk to them \nabout ways in which they can harden, you know, potentially even \nfurther against specific threats.\n    In fact, CFATS program accounts for that, part of a couple \nof our risk-based performance standards are focused on specific \nthreats and elevated threats. We require facilities to put into \ntheir site security plans measures that they would increase in \nthe event we reach out to them and tell them that there is a \nspecific or a more generalized elevated threat that they need \nto concern themselves with.\n    Ms. Slotkin. Last, so again are you the senior accountable \nofficial if for some reason there was a threat against a \nspecific facility or a bunch of facilities in one State and \nthat information didn\'t get to the facility so they could \nprotect themselves that is under your mandate?\n    Mr. Wulf. For CFATS facilities----\n    Ms. Slotkin. Yes.\n    Mr. Wulf. Absolutely.\n    Ms. Slotkin. OK, great.\n    Thank you, Mr. Chairman.\n    Chairman Thompson. Thank you very much. But you raised two \ngood questions.\n    One is, Mr. Wulf, can you provide the committee with how \nmany actions you have brought on facilities inspected that have \nbeen found in noncompliance?\n    Mr. Wulf. Sure. I guess it is kind-of a two-part answer \nbecause of the way the CFATS program and our enforcement \nprocesses work. Of course, you know, we strive to work with \nfacilities to bring them into a compliance, and by and large, \nfacilities have done a good job and are in compliance with \ntheir plans.\n    In upwards of 80 cases we have had to resort to our \nenforcement authorities and to issue an administrative order \nthat per the law gives facilities a certain amount of time to \nget their act together and alleviate whatever the issue might \nbe.\n    We have gotten to the point with 5 facilities where we have \nhad to issue a civil monetary penalty and that has proven in \nthose cases to be the additional impetus facilities needed to \ncome into compliance.\n    Chairman Thompson. So everybody is in compliance?\n    Mr. Wulf. Everybody is currently in compliance. You know, \nit is a dynamic population, right? So facilities are in \ndifferent stages of perhaps working on their site security \nplans, getting them to approval, but facilities against which \nwe have enforced and issued civil penalties have come into \ncompliance.\n    Chairman Thompson. The last question is those 2 facilities \nin Ms. Slotkin\'s district, is there a directory that she can go \nto or is there is a way that she can get with you and you can \nsay these 2 facilities are compliant?\n    Mr. Wulf. Yes, absolutely. If they are CFATS facilities we \nare glad to sit down and talk through, you know, what exists \nin----\n    Chairman Thompson. Was really what she was trying to get \nto.\n    Mr. Wulf. Pardon me?\n    Chairman Thompson. That was what she was trying to get to.\n    Mr. Wulf. Yes, we are glad to get you that information and \ntalk through it with----\n    Chairman Thompson. Thank you.\n    The Chair now recognizes the gentleman from Texas, Mr. \nCrenshaw.\n    Mr. Crenshaw. Thank you, Mr. Chairman. Thank you both for \nbeing here and giving your testimony. I think we have made some \nimportant strides in streamlining this program. It is an \nimportant program for my constituents in Houston.\n    We have a lot of these facilities, of course, and look \nforward to giving it a long-term extension to this program so \nthat we can have some certainty for the industry and for the \nAmerican people.\n    Director Wulf, I want to quickly--I know you answered \nsomething inherently about safer technologies a minute ago. I \njust want to get a sense from you, if we were to mandate \ninherently safer technologies, how feasible would that really \nbe for you to regulate----\n    Mr. Wulf. I think that would be a pretty tough--to crack \nfrom a pure regulatory standpoint.\n    Mr. Crenshaw. OK. You can expand on that a little bit if \nyou would like.\n    Mr. Wulf. Yes. No, so I, you know, I think CFATS by its \nnature promotes the consideration of inherently safer \ntechnologies and the implementation of inherently safer \ntechnologies----\n    Mr. Crenshaw. It is incentives based on the tiering \nsystem----\n    Mr. Wulf. Right, exactly.\n    Mr. Crenshaw. To sort-of have safer technologies.\n    Mr. Wulf. So facilities make risk-based decisions to change \ntheir processes, to change their chemical holdings, maybe to \nsubstitute safer chemicals. But I would say, you know, we at \nDHS are focused on security. I think it would be difficult for \nus to regulate it in the area of what is safer or not.\n    Mr. Crenshaw. Right.\n    For Director Anderson, has the GAO assessed how much new \nstandards on inherently separate technologies would cost?\n    Mr. Anderson. We have not looked at that question \nspecifically. You know, just to expand upon what Director Wulf \nwas saying, the waterfront of types of facilities is highly \nvariable. You have huge, like, petrochemical facilities and \nthen very, very small mom-and-shop places that are in rural \nareas. So mandating a specific technology solution may \nencounter challenges.\n    I think one of the things we have routinely heard in our \nconversations with industry is about the flexibility of the \nprogram and the implementation of the 18 risk-based performance \nstandards. That is what I can speak to. To answer your question \ndirectly, we have not looked at the technology.\n    Mr. Crenshaw. Right.\n    Director Wulf, back to you. Should the risk-based \nperformance standards be modified or reflect evolving threats \nfrom drones or other unmanned aerial vehicles?\n    Mr. Wulf. Yes, so the drones question is an important one, \nfor sure and it is a continually evolving sort-of threat \nvector. I think as they stand the risk-based performance \nstandards account for, and we certainly engage with facilities, \non the reporting of significant incidents.\n    We do take in a, you know, decent number of reports \nassociated with overflight or flights nearby high-risk chemical \nfacilities of unmanned aircraft systems.\n    So I think we have the tools in place from an incidents \nreporting standpoint. Our counterparts at the Federal Aviation \nAdministration I know are working toward a broader framework, \nand we are working with them----\n    Mr. Crenshaw. Right.\n    Mr. Wulf. On that for critical infrastructure.\n    Mr. Crenshaw. Because it is prohibited under Federal law to \ninterfere with the operation of a drone right now. So is that \npart of the conversation? I mean to allow essentially \nfacilities to defend themselves.\n    Mr. Wulf. Yes.\n    Mr. Crenshaw. Is that conversation on-going?\n    Mr. Wulf. I think that is probably part of the broader \nconversation for sure. You know, it is an issue that we at the \nDepartment are looking at, not just from a chemical facility \nangle, but across all critical infrastructure sectors.\n    Mr. Crenshaw. OK. Again, I want to encourage all to focus \non these new problems with drones as they become more \nprevalent.\n    Last question I have for--either one of you can, I think, \ntake this. Is there any discussion about the level of scrutiny \nplaced on the tier 4 operators and whether that is necessary? \nWhether that really needs to be as stringent as it is, given \nthat the low level of danger from tier 4 chemical facilities.\n    Is that in discussion at all? What kind of feedback are you \ngetting from the industry on this?\n    Mr. Wulf. So I think there is pretty broad consensus that \ntier, you know, Tier 4 facilities, Tier 3 facilities as well, \nwhich make up the majority of our covered chemical facilities \nare high-risk facilities. They are still among the less than 10 \npercent of facilities that we have determined to be at high \nrisk of terrorist attack or exploitation.\n    We do have the tiering system in place, so we do apply \nkind-of different standards to the lower-tiered but still high-\nrisk facilities. It seems to be an approach and a framework \nthat continues to work well.\n    Mr. Crenshaw. OK. Thank you very much.\n    Mr. Wulf. Absolutely. Thank you.\n    Chairman Thompson. Thank you.\n    The Chair now recognizes the gentlelady from Orlando, \nFlorida, Mrs. Demings.\n    Mrs. Demings. Thank you so much, Mr. Chairman.\n    Thank you to both of our witnesses for joining us today.\n    Mr. Wulf, my questions are for you. When DHS is considering \nwhether a facility is high-risk, do you include in that \nmethodology, or whatever process you use, would you factor in \nif the facility would be located to an elementary school for \nexample or a nursing home or a hospital?\n    Mr. Wulf. Yes, so we factor in--that is a good question. We \ntier for a couple of major different threat streams, one of \nwhich focused on theft and diversion of chemicals, the other \nwhich is focused on facilities where there could be a release \ninto a surrounding community. In those cases of release, we \nabsolutely factor in the surrounding population.\n    One of the things we were able to make some significant \nheadway on, as we kind-of basked in the stability that was \nafforded by long-term authorization, was a complete retooling \nof our risk assessment methodology. So we are now more \naccurately able to model those surrounding populations and tier \nmore accurately.\n    Mrs. Demings. Also, studies show that chemical facilities \ntend to be concentrated in low-income and minority communities. \nIn determining facility risk, does DHS consider whether a \nfacility is in close proximity to other chemical facilities \nthat could exacerbate the impact of an attack on an already \nvulnerable population?\n    Mr. Wulf. We certainly consider what is in the surrounding \narea by way of population as we do our tiering.\n    Mrs. Demings. So when you consider the proximity to those \npopulations, those low-income, already very vulnerable areas, \nwhat do you factor into it? What is it exactly that you are \nconsidering or looking at?\n    Mr. Wulf. Well, we are considering where the population is \nlocated in proximity to a facility and we are kind-of modeling, \nyou know, were there to be an incident that caused a release of \nchemicals, you know, what part of that population would be \nimpacted and, you know and what number of fatalities could \npotentially occur as we are thinking about the tiering.\n    Mrs. Demings. OK, so when you say where the population is \nlocated, what exactly does that mean? Could you help me with \nthat?\n    Mr. Wulf. It means, like, how many people are located \neither, you know, during the day or at night in their homes, in \ntheir businesses, the schools, and how close they are to the \nfacility.\n    Then we look at what type of chemical we are talking about, \nwhat quantities of chemicals we are talking about, what the \nprospect is for release of those chemicals, what quantity could \nbe released.\n    Then, you know, there is sort-of a plume modeling effort \ndesigned to get us to a place where we can model what the \nconsequences would be of a release of chemicals caused by \nterrorists.\n    Mrs. Demings. OK. Finally, what are you doing to make sure \nsecurity measures aren\'t interfering with precautions taken in \nanticipation of extreme weather or natural disasters?\n    As the Chairman indicated, I come from Florida, so I wonder \nwhat are you doing to make sure there are no conflicts there as \nyou are implementing your security measures? Or at least that \nyou are working together to make sure there are no conflicts?\n    Mr. Wulf. Yes, we, you know, we strive to, and we do, in \nfact, work in close cooperation with agencies that are focused \non safety, that are focused on response to natural disasters.\n    So that includes as we continue to implement the provisions \nof an Executive Order from 2014 that followed the West Texas \nincident, to work closely to coordinate with EPA, with OSHA, \nwith ATF and to, you know, harmonize to the extent absolutely \npossible our respective programs. So and to communicate as \nfrequently and effectively as we possibly can.\n    Mrs. Demings. OK, thank you very much.\n    Mr. Chairman, I yield back.\n    Chairman Thompson. Thank you.\n    The Chair now recognizes the gentleman from Texas, Mr. \nTaylor.\n    Mr. Taylor. Thank you, Mr. Chairman.\n    Just a question, Mr. Wulf, for you. So I understand that \nthere are some facilities that are exempted by statute and some \nthat are included. Do you have any thoughts for us on, you know \nthese facilities I am worried about that are exempted and I am \nconcerned that these facilities that I am doing, I don\'t really \nsee why I am doing that.\n    So I mean, we write the laws with the best of intent, but \nnot necessarily the implementation is the best. So you are \nimplementing so what do you see in terms of what should be in \nthe mix and what isn\'t in the mix?\n    Mr. Wulf. Yes.\n    Mr. Taylor. Can you speak to that?\n    Mr. Wulf. So there are a number of exemptions, of \nexclusions, from the authorities. So, you know, broadly those \nexclusions apply to facilities that are covered by other \nsecurity-focused programs, so nuclear facilities covered by the \nNuclear Regulatory Commission, facilities owned by the \nDepartment of Defense and a handful of others. It also includes \nan exemption for water and wastewater facilities.\n    I think that, you know, a dozen years into implementation \nof the program, a pretty opportune time to kind-of take a look \nat where we are with the exclusions and maybe to study what \nmight make sense going forward with respect to facilities that \nare excluded from the program. We are open as well to talking \nabout, you know, about what facilities are included.\n    You know, as I mentioned earlier, I think the comprehensive \nnature of CFATS makes it very much value-added across the \nentire universe of 3,300-plus facilities that are currently \ncovered as high-risk. I think it is an important program. So I \nwould say there are not facilities that which I am saying, why \nare we doing this?\n    Mr. Taylor. OK.\n    Mr. Wulf. We are adding value across the board.\n    Mr. Taylor. Then sort-of building on that conflicts \ndiscussion, are you finding yourselves duplicating effort with \nother agencies and where they are, you know, where the person \non the ground is saying, wow, you are telling me to do it this \nway but I have got this other agency telling me to do it \nanother way.\n    I mean, are you finding conflict or maybe even at the \nstatutory level where one law says this and another law says \nthat? Are you seeing conflict there that needs to be clarified?\n    Mr. Wulf. I don\'t think we are seeing conflict. I think we \nare seeing rare instances in what is needed to require, what is \nneeded to meet our standards, meet the intent and spirit of the \n18 CFATS risk-based performance standards is above and beyond \nwhat might be required by other programs.\n    So I don\'t view that as a conflict. I view that as a \nfacility that has been assessed to be at high risk of terrorist \nattack or exploitation having to have in place security \nmeasures beyond those that might be required or that might be \nneeded by other programs at facilities that aren\'t high-risk \nCFATS facilities.\n    Mr. Taylor. So are you saying that you don\'t see conflict? \nI mean, you are not running into other agencies in doing what \nyou are doing?\n    Mr. Wulf. Well, I mean we are certainly covering facilities \nthat are covered by other agencies and their programs. No \nquestion about that. I would say almost every facility we \nregulate is visited as well by, you know, EPA and/or OSHA, in \nsome cases by Bureau of Alcohol, Tobacco, Firearms, and \nExplosives, and by State regulators.\n    But I think CFATS is unique and it is an extraordinarily \ncomprehensive program that is targeted at the highest-risk \nfacilities, facilities that are at the highest risk of \nterrorist attack or exploitation.\n    So there is some overlap, absolutely, in the universes of \nfacilities that we cover as compared to other facilities. You \nknow, that is among the reasons we prioritize working closely \nboth at the National and regional levels with other regulatory \nagencies.\n    Mr. Taylor. Mr. Chairman, actually, one final question.\n    How are you handling changes? I mean when a facility wants \nto change something, add a new cracker or whatever it may be, \nis what you are doing getting in the way of that or is \nsecurities just for the whole structure, doesn\'t matter if they \nare subtracting or adding people, services, plant on the \nground?\n    Mr. Wulf. Yes, unless they are changing their holdings of \nhigh-risk chemicals of interest, it should not have an impact. \nWe are always, always willing and able to work with facilities \nas they are thinking about design changes, changes to their \nprocesses to talk them through what impact it might have and \noptions they might have, if there is going to be a potential \nimpact under CFATS.\n    Mr. Taylor. Thank you.\n    Mr. Chairman, I yield back.\n    Chairman Thompson. Thank you.\n    The Chair now recognizes the gentlelady from California, \nMs. Barragan.\n    Ms. Barragan. Thank you, Mr. Chairman. I want to start by \nthanking you for making this a priority and for pushing this \nand having this hearing. When I saw the photo before we \nstarted, of the explosion in West, Texas, it reminded me very \nmuch of a facility that is of great concern in my Congressional \ndistrict.\n    Now, I represent the Port of Los Angeles, and it is a huge \neconomic engine. It touches every Congressional district. \nShould there be an incident there, certainly an explosion like \nthat, it would be devastating to the economy and really to the \nsurrounding areas.\n    Mr. Wulf, I know you and I had a chance briefly to speak \nbefore the hearing started. I wanted to make sure to get over \nhere to follow up. I want to talk a little bit about this \nfacility that is of great concern in my district. As you are \naware of it, it is, I call them the LPG storage tanks, they \nstore large amounts of butane and some propane.\n    Now, these are tanks that are right next to a park where \nchildren play, within a very close radius of schools where \nchildren go to school and not very far at all from residential \nneighborhoods and the Port of Los Angeles.\n    I understand that you have been out to the facility, is \nthat correct, Mr. Wulf?\n    Mr. Wulf. If we are talking about the same facility, then \nyes I have.\n    Ms. Barragan. Yes, and is this facility part of the CFATS \nprogram?\n    Mr. Wulf. The facility I visited is part of the program.\n    Ms. Barragan. Yes. Do you know if anyone at DHS has \nassessed the devastating impacts that would occur should there \nbe a leak or an explosion to that facility?\n    Mr. Wulf. So, you know, so that is exactly what CFATS is \nfocused on. So, you know, in determining the high-risk status \nof that facility we absolutely would have modeled the potential \neffects of a release caused by a terrorist act on the \nsurrounding population, absolutely.\n    Ms. Barragan. So one of the questions I often get from \nconstituents, will ask questions like how high-risk is it? Is \nthat information public that you might be able to share with us \non what the possible result would be if there was an explosion \nthere and the risk level?\n    Mr. Wulf. Well, portions of our risk-tiering methodology \nare Classified----\n    Ms. Barragan. Yes.\n    Mr. Wulf. It is certainly a discussion we could have.\n    Ms. Barragan. OK. You know, one group, a consulting group \nthat has done a study on it, concludes that the devastation \nfrom a blast could stretch as far as 6.8 miles from the \nfacility, and that is within the realm of not just residential \nhomes, but the Port of Los Angeles.\n    Again, when I see the photo of what happened in Texas, I \nnoticed there wasn\'t too many residential around there. I \ndidn\'t even see anything around that area. So it is critically \nimportant for me that we reauthorize the program, but that we \nare also making sure that there is on-going inspections.\n    Because I think I read in our report that there had been \nlapses in safety regulations and things like that. Now, my \nunderstanding is because of CFATS\' early instability DHS did \nnot begin carrying out compliance inspections for several years \nwith the bulk of inspections conducted after 2015.\n    However, since that time, compliance inspections have \nspiked to over 3,500, and now the question is whether \ninspectors are being pressured to rush through inspections to \nget numbers up.\n    Mr. Wulf, how much time do inspectors have to carry out \ninspections and how can we be sure these inspections are not \nmerely a paperwork exercise or rubber stamp?\n    Mr. Wulf. Yes, I appreciate that question and inspectors \nare absolutely not pressured to move through inspections \nquickly. We do have time frames in place for the submission of \nreports. I want to say generally about 2 weeks to get a report \ndone, but if an inspector for whatever reason needs additional \ntime, needs to spend an extra day at a facility, or make a \nreturn visit to a facility, absolutely is something that we \nmake sure can happen under our program.\n    You know, I would say as well with regard to the facility \nand potential impacts, I am glad to have additional discussions \nabout that specific facility but that, you know, those are \nexactly the sorts of impacts that CFATS is designed to address.\n    It is exactly the reason that high-risk facilities are in \nthe CFATS program and have to put into place security measures \nfocused on 18 comprehensive risk-based performance standards \nand submit to inspections. So absolutely glad to have that----\n    Ms. Barragan. Well, thank you, and I will certainly follow \nup with you to have that conversation.\n    I yield back.\n    Chairman Thompson. Thank you.\n    The Chair now recognizes the gentleman from Louisiana, Mr. \nHiggins.\n    Mr. Higgins. Thank you, Mr. Chairman.\n    Mr. Wulf, Mr. Anderson, thank you both for appearing today.\n    I represent south Louisiana. The chemical industry is vital \nto Louisiana\'s economy. In Louisiana it is a $50.5 billion \nindustry. It provides over 25,000 direct jobs and an additional \n83,000 supporting jobs.\n    In my district alone, this industry generates nearly $60 \nmillion in Federal tax revenue and employs nearly 7,000 direct \nemployees. These are families that I work for.\n    State-wide, Louisiana ships 7.9 billion in chemical-related \nproducts to customers world-wide. Needless to say, ensuring \nthese facilities are secure is vital to my State and district \nand by extension the entire country.\n    Mr. Wulf, based on your testimony, the CFATS program is \neffective and its success has positioned the United States as a \nworld leader in chemical facility security. As with any \nGovernment program I understand there is always room for \nimprovement.\n    I am certainly willing to work with my colleagues and I \nthank the Chairman for his leadership and the Ranking Member as \nwell. I am willing to work with my colleagues in this body to \naddress how we can improve CFATS and provide a long-term \nauthorization for this important program. A long-term \nauthorization is a significant quest in my mind.\n    Mr. Wulf, given the success of the program in its current \nstate, do you believe it would be in the best interests of our \nNational security to approve a clean, long-term, re-\nauthorization of CFATS and then address any needed changes as \nissues arise in a bipartisan manner through this body and \ncommittee?\n    Mr. Wulf. I would say that absolutely a long-term \nauthorization for CFATS is key to our ability to continue to \nfocus on chemical security and it was the foundation for the \nimprovements that we were able to make over the last 4 years.\n    I think the foundation of the program is a very strong one. \nThe program is effective and successful.\n    Mr. Higgins. Thank you, sir. Reflective of your answer \nregarding protecting the people\'s treasure, which we are \nresponsible for in this body, do you believe that the increased \ncertainty of a long-term or permanent re-authorization would \nallow Government and industry to work more uniformly to develop \nbetter practices, improve inefficiency of the program and thus \nmaintaining the peoples\' investment?\n    Mr. Wulf. No question about it. So chemical industry \ncompanies across the country have made significant investments, \nhave made capital investments in CFATS-focused security \nmeasures. They continue to deserve to know that the program is \nhere for the long haul.\n    Mr. Higgins. Mr. Anderson, do you concur with that \nassessment, sir?\n    Mr. Anderson. GAO doesn\'t take a position on that but we \nwould note that----\n    Mr. Higgins. You work very closely with CFATS though do you \nnot, sir?\n    Mr. Anderson. I am sorry, what was that?\n    Mr. Higgins. You work very closely with CFATS and you \nrecognize that long-term stability encourages efficiency in any \nprogram, do you not?\n    Mr. Anderson. Long-term stability absolutely increases \ncertainty in budgets and periodic reauthorization also provides \na good catalyst for oversight, which is the role we fill.\n    Mr. Higgins. Thank you, sir. But oversight is an on-going \nendeavor, is it not? Legislation can be changed as needed to a \nlong-term program, a long-term authorization.\n    Mr. Anderson. True.\n    Mr. Higgins. Yes, sir.\n    Mr. Wulf, last question. With political infighting in \nCongress over minor changes, again--and we had a bipartisan \nmanner, we are willing to work together--but would political \ninfighting in Congress over minor changes to the currently \neffective CFATS program while it remains in limbo under short-\nterm authorization, be a disservice to our Nation\'s mission to \nprevent terror attacks?\n    Mr. Wulf. We are absolutely better-positioned to secure \nAmerica\'s highest-risk chemical infrastructure with a long-term \nauthorization. No question about it.\n    Mr. Higgins. I thank you for your answer.\n    Mr. Chairman, I apologize that I have not been able to \nattend the entire hearing. You know that happens sometimes, but \nI respect you, sir, and the Ranking Member, and I yield the \nbalance of my time.\n    Chairman Thompson. Thank you very much.\n    The Chair now recognizes the gentleman from New York, Mr. \nRose.\n    Mr. Rose. Chair, it is Staten Island. Thank you, Chair.\n    Chairman Thompson. At some point I will get it right.\n    [Laughter.]\n    Mr. Rose. Mr. Wulf, thank you again for being here. Thank \nyou for your service to this country. Let us talk about fusion \ncenters. What has been the role of fusion centers throughout \nthe coordination process? Has this been an institutionalized \nrole? Have they been your direct point of contact?\n    I understand you could reply to that question by saying, \nthey have been great and that is it, but I actually want to \nknow what their role has been as mandated by the Department and \nif there has been a variable role across States?\n    How we can use this as a point of improving the role of \nfusion centers as the lead in terms of coordinating issues such \nas this between the Federal Government, States, localities, and \nthe private sector?\n    Mr. Wulf. I appreciate that question, and I do think there \nis probably more that we can do on a National basis. So fusion \ncenters have been an important focal point for us in \ncoordinating, in connecting the CFATS program with State and \nlocal law enforcement and first responders. So it is a node.\n    In some cases we have had chemical security inspectors sit \nat fusion centers. Certainly on the other side of our house, \nthe voluntary side of their house, our protective security \nadvisors are very much looped in, tied to the fusion centers \nacross the country.\n    But I think it is important for us to continue to think \nabout ways we can even further harness across the country----\n    Mr. Rose. So I take it then this has been ad hoc though?\n    Mr. Wulf. It has sort-of varied across the various \njurisdictions, absolutely.\n    Mr. Rose. So what has been the best example of a fusion \ncenter taking the lead? You don\'t have to name the State but I \njust want to know what the model looked like when that fusion \ncenter took the lead here.\n    Mr. Wulf. Yes, so I think the model looks like, you know, a \nchemical security inspector or a local supervisory inspector or \nchief of regulatory compliance being well-connected with a \nfusion center and being plugged in by virtue of that fusion \ncenter connection with law enforcement and first responders \nacross a given, you know, either metropolitan area or a State \nand pushing tools like the infrastructure protection gateway \nthrough which first responders and law enforcement can have \naccess to CFATS information about the high-risk facilities in \ntheir jurisdictions.\n    So that is what I think the optimal model is.\n    Mr. Rose. So that is the optimal best model. What has been \nthe worst case you have seen?\n    Mr. Wulf. I don\'t know if I have a--I guess worst case are, \nyou know, any situations in which, you know, those \nrelationships haven\'t been built. I am not going to say that \nhas happened but it is a discussion of certain----\n    Mr. Rose. Theoretically.\n    Mr. Wulf. Latitude we continue having. Yes.\n    Mr. Rose. OK, so moving on, in terms of the voluntary \nparticipation of the private sector, it seems as if this is \nactually a great case in which we have been very successful in \nthat regard.\n    What type of lessons learned can we draw out of this to \ntransfer to issues of cybersecurity, general counterterrorism, \nwhere we have to involve the private sector but we are often \nstruggling to get them to come forward? What type of lessons \nlearned can we glean from this?\n    Mr. Wulf. Right. So I mean, in this case, we do have a \nregulatory framework so there, you know, there is an obligation \nfor facilities that, and companies that operate facilities, \nthat have threshold quantities of chemicals of interest in our \nregulation to report information to us. If they are assessed as \nhigh-risk to be part of the program to develop site security \nplans and be subjected to inspections.\n    But I would say that on a purely voluntary basis the \nchemical industry writ large, and that cuts across a variety of \ncritical infrastructure sectors, has been fully committed and \nbought in to this program and has helped us to drive forward \nkey improvements to the program.\n    So one of the ways that happens is through something we \ncall the Critical Infrastructure Partnership Advisory Council \nframework. So we bring together sector councils of, you know, \nchemical industry or as the case may be, oil and natural gas \nindustry folks, to talk about ways in which we can continue to \nenhance our respective critical infrastructure protection and/\nor chemical security efforts.\n    I do think that is a good model and it is one that the \nDepartment is also using on the cybersecurity front and across \nothers.\n    Mr. Rose. Right. I take it that the best model in this case \nwas that this was mandatory with private-sector involvement. \nThat was the pathway to success then.\n    Mr. Wulf. The regulatory framework I think has helped for \nsure.\n    Mr. Rose. Thank you.\n    I yield my time.\n    Chairman Thompson. Thank you, gentleman from Staten Island.\n    Now recognize the gentleman from Texas, Mr. McCaul.\n    Mr. McCaul. Thank you, Mr. Chairman. It is great to be back \nin the old committee room. It looks kind-of nice.\n    Just let me say at the outset, you and I, Mr. Chairman, I \nthink enjoyed a very bipartisan relationship. We got along most \nof the time and that is how I think this committee should \noperate.\n    It came to my attention that the Minority, and in this case \nour side of the aisle, was not entitled to call a witness at \nthis hearing. I believe that both the House and committee rules \ndo provide for the Minority to be able to call a witness at the \nhearing, and I hope that we can adhere to that in the future \nmoving forward.\n    Having said that, I commend both of you, you and the \nRanking Member, for this hearing. I tried to get this thing, \nlong-term extension, and we had resistance in the Senate. The \nbest we could get was a 15-month extension.\n    When I talk to chemical facilities in the private sector, \nthey need that kind of certainty. They don\'t really want to be \nregulated but if they are, and they prefer CFATS over other \nregulatory entities and they prefer DHS, how important, I \nguess, from--well, Mr. Wulf, I mean, I know how important it \nis.\n    I applaud, again, the Chairman and Ranking Member for \ntrying to get a long-term extension. I hope Senator Johnson and \nhis committee will take this up as a long-term extension rather \nthan a short-term because the private sector needs that kind of \ncertainty, in my judgment. Can you explain to me how important \nthat is?\n    Mr. Wulf. Yes, I think the importance cannot be overstated. \nI know we have personally visited CFATS-covered facilities that \nhave put in place security measures and they need the certainty \nthat comes along with knowing that the program is not going to \ngo away.\n    That if they are going to make capital investments in \naddressing the 18 CFATS risk-based performance standards, \nputting in place security measures that sometimes require on \nindustry budget cycles 2-, 3-, 4-year capital planning, they \nneed to know that the program will be around in 3, 4, 5 years.\n    So long-term authorization is hugely important, not only \nfor industry but for our ability in the Government to plan for \nand execute the program.\n    Mr. McCaul. That is a great point. Not only from the \nprivate sector, any businessman is going to need more long-term \ncertainty for sure, but the Government to be able to implement \nthis effectively. I think the GAO probably points that out as \nan issue. Is that right, sir? Is that----\n    Mr. Anderson. While we at GAO don\'t take a formal position \non reauthorization, we do note the benefits that can accrue and \nto add to the list that you both have talked about, it helps \nthe DHS to retain top talent when there is a longer-term \nreauthorization period and that kind of certainty.\n    At the same time I would simply note, though, that in the \npast, reauthorization has been an excellent catalyst for \nprogram improvement. So that is something that should be noted.\n    Mr. McCaul. Thank you. Now, the report itself, though, I \nfound some parts troubling and that was identifying high-risk \nfacilities, not fully utilizing threat information and ensuring \ncompliance.\n    Director Wulf, what have you done to address those \nconcerns? Can you also touch on your outreach efforts to the \nprivate sector in the chemical facilities?\n    Mr. Wulf. Yes, absolutely. So I think the, you know, I \nthink you are referring to our risk-tiering methodology and the \nextent to which in the past we focused largely on the \nconsequences of a potential terrorist attack, less so on \nvulnerability and threat.\n    Actually one of the things that the long-term \nauthorization, the 4-year authorization we attained in 2014 \nenabled us to do was to completely retool that risk-tiering \nmethodology so that we are now as fully as possible accounting \nfor all relevant elements of risk to include not only \nconsequences and vulnerability but threat as well. So, you \nknow, that was a huge outgrowth of long-term authorization.\n    Outreach, we continue very much to prioritize outreach, to \ncontinue to prioritize working with the various industries that \nare part of the CFATS-covered universe of chemical facilities. \nYou know, one of the things we prioritize, you know, within \nthat area is getting the word out about the program.\n    So we work through National industry associations. We work \nthrough local chambers of commerce to ensure that we are \ncommunicating as widely, as broadly as possible the basics of \nthe CFATS program so the facilities that are using chemicals, \nthat are storing chemicals have the awareness they need to be \nable to meet their obligations to report to us information \nabout their holdings----\n    Mr. McCaul. If I could just conclude, you know well GAO \nplays an important role. We make these kind of requests, not to \nbe adversarial and for, like, gotcha moments, but rather \nworking together to improve Government operations. I am glad so \nsee that you are adhering to these recommendations to improve \nyour operations.\n    With that, I will yield back.\n    Mr. Wulf. It has been very helpful.\n    Chairman Thompson. Thank you very much.\n    In order to make sure the record is complete, let me assure \nthe former Chairman that the rules we are operating under are \nthe same set of rules. Both of these are Government witnesses. \nWe offered the Minority a Government witness. They chose not to \nprovide a Government witness, so that is really the only reason \nyou don\'t have a witness.\n    We now recognize the gentlelady from north Chicago, Ms. \nUnderwood.\n    Ms. Underwood. Thank you, Mr. Chairman, and thank you for \norganizing this hearing on DHS\'s Chemical Facility \nAntiterrorism Standards program and for your leadership in \nextending this important program.\n    Securing our chemical facilities is vital to our National \nsecurity and to ensure that our communities remain safe. I \nconsider it really important to have a robust security plan in \nplace for high-risk facilities and am pleased that DHS can \neffectively reduce the risk for potential targeting by bad \nactors.\n    So my questions are for Mr. Wulf. Sir, as we look to \nreauthorize the program there is interest in DHS developing \nvoluntary best practices informed by lessons learned for \nfacilities who may want to lower their risk and possibly their \nregulatory burden. Is that something that you think that \nfacilities would find useful?\n    Mr. Wulf. I think it is. As I mentioned earlier in these \nproceedings, over the course of the program\'s existence more \nthan 3,000 facilities have either reduced their holdings of \nhigh-risk chemicals, have eliminated them, have substituted \nsafer chemicals or changed their processes such that they are \nno longer considered high risk and are not covered by the \nprogram\'s requirements.\n    So, you know, we have gathered information as these \nfacilities have come out of the program. We have kind-of \ncategorized the what, you know, the reduction, the elimination, \nthe change in process, the change in sort-of delivery or other \nprocedures.\n    But, you know, we would certainly be open to discussing \nadditional authority to enable us to further mine the how and \nto, you know, put us in a position to share that information on \na voluntary basis with other facilities.\n    Now, keeping in mind that CFATS is focused, you know, I \nthink appropriately as a risk-based program, it is targeted at \nAmerica\'s highest-risk facilities, so those facilities at the \nhighest risk of terrorist attack or exploitation. That is less \nthan 10 percent of the facilities that submit Top Screens for \nrisk assessment by us.\n    So the additional 30,000 facilities that aren\'t covered by \nCFATS could certainly benefit from the lessons that have been \nderived from the practices that have been used at facilities \nthat have lowered their risk.\n    Ms. Underwood. Thank you. So DHS has said that CFATS has \nencouraged many facilities, as you said, to voluntarily \neliminate, reduce, or modify their holdings of certain \nchemicals of interest in order to reduce the number of high-\nrisk facilities throughout the country.\n    So does DHS, in fact, capture the data on how facilities \nare reducing the risk? If so, how can DHS use that data to help \nother facilities?\n    Mr. Wulf. Yes, I think, you know, we have captured what \nfacilities have done, you know, whether they have reduced, \nwhether they have eliminated, whether they have changed a \nprocess, but I think there is more that we can do to kind-of \nmine those practices, mine those approaches----\n    Ms. Underwood. Yes.\n    Mr. Wulf [continuing]. And share them more broadly.\n    Ms. Underwood. OK, thank you. Now, we have seen a rise in \ncyber attacks against U.S. critical infrastructure often \ncarried out by foreign governments, criminal organizations, or \nterrorist groups and obviously the chemical sector is among the \nmost frequent targets, so what type of cybersecurity measures \nare CFATS facilities required to adopt?\n    Mr. Wulf. So that is a good question and cybersecurity is \nan important part of the CFATS program and, you know, our \ninspectors and other personnel are trained specifically in \ncarrying out the cyber piece of the CFATS inspections.\n    They work with facilities as they develop their site \nsecurity plans and as they put in place policies and procedures \nthat are designed to protect their cyber systems, to, you know, \nto detect cyber attacks and to address cyber attacks as they \nmight occur.\n    So, you know, CFATS is a non-prescriptive program. We \ncan\'t----\n    Ms. Underwood. Right.\n    Mr. Wulf [continuing]. Require any specific measures, but \nwe can require a cybersecurity posture that is appropriate to \nthe facility\'s level of cyber integration. You know, facilities \nvary in the level to which cyber systems impact their chemical \nprocesses, their industrial control systems, or for that matter \ntheir physical security systems.\n    So, you know, different measures might be appropriate \ndepending upon that level of integration of the cyber system. \nSo, you know, we work with facilities on an individual basis as \nthey tailor cybersecurity postures that are appropriate to \ntheir operations.\n    Ms. Underwood. So how much cybersecurity training do the \ninspectors then receive, the CFATS inspectors?\n    Mr. Wulf. So all inspectors receive a kind-of base level of \ntraining on cybersecurity and for that matter on the other \nrisk-based performance standards.\n    We have a more advanced cybersecurity training that we have \nrun probably about half of our inspectors through. So that is \nan additional week or 2 of advanced cyber training and they are \nthen capable of working with the facilities with somewhat more \nintegration of their cyber systems with chemical processes.\n    For those facilities that have the highest level of \nintegration we have folks who focus on nothing but \ncybersecurity at our headquarters. So cyber experts----\n    Ms. Underwood. OK.\n    Mr. Wulf. Who actually have eyes on every facility\'s site \nsecurity plan and who are available to work with inspectors as \nthey work with facilities that have that sort-of highest degree \nof cyber complexity.\n    Ms. Underwood. Well, thank you, Mr. Wulf and Mr. Anderson \nfor being here today.\n    Thank you, Mr. Chairman. I yield back.\n    Chairman Thompson. Thank you, Madam Vice Chair, a good \nquestion.\n    Now, I recognize the gentleman from Houston, Mr. Green.\n    Mr. Green. Thank you, Mr. Chairman.\n    I thank the witnesses for appearing as well.\n    Mr. Chairman, I want to extend a special expression of \nappreciation and gratitude to you because the intelligence that \nhas been accorded me indicates that this is the first time \nsince the 113th Congress that we have had a full committee \nhearing on this CFATS program and that the program would have \nexpired had you not intervened and enacted a stop-gap measure.\n    So I appreciate greatly what you have done because this \nprogram is something that is near and dear to a good many \nTexans because of what happened in the town of West in Texas. \nWe had a number of persons who were first responders, and I am \nsure the story has been told, but some things bear repeating.\n    First responders didn\'t know what they were rushing into. \nIt is a wonderful thing to accord first responders the proper \nequipment. The equipment is necessary, but they also have to \nhave intelligence and they rushed in.\n    They were on the site without intelligence. Fifteen persons \nlost their lives, so this is important to a good many of us and \nespecially to some of us who are from Texas.\n    I would like to start with the CFATS Act of 2014 which \nrequires DHS to create an experimental new program. DHS has \nperformed diligently and the program has been implemented and \nseems that as of June 2018 only 18 facilities have taken \nadvantage of this program.\n    My query is does it make good sense to keep a program that \nappeals to 18 facilities? I am sure that there are some other \nprojects that merit our attention. There are some other goals \nthat we should review in the area of cybersecurity first \nresponder outreach. DHS probably has a lot of energy that it \nhas put into this that may have been used otherwise.\n    So quickly if you would, please, give me some sense of why \na program that has accommodated 18 facilities at some great \nexpense should be maintained?\n    Mr. Wulf. Yes, I think it is--I appreciate the remarks, and \nit is a fair question. You are referring to the expedited \napproval program that enables on, I guess, an expedited basis \nthe certification of facility security plans where those \nfacilities adhere to a prescriptive list of security measures.\n    You know, I think it is fair to say, as you noted, that a \nvery small number of facilities have taken advantage and \navailed themselves of the program.\n    Mr. Green. If I may? Just so that we may understand that is \nthe size of the language. When you said small how many could \nhave taken advantage of it and juxtapose that to the number \nthat have?\n    Mr. Wulf. Yes. So it applies to, you know, Tier 3 and 4 \nfacilities so that would be 90 percent of our regulated \nuniverse could have taken advantage, so upwards of 2,500 \nfacilities could have.\n    Mr. Green. Of the 2,500, 18 or thereabout?\n    Mr. Wulf. Eighteen have.\n    Mr. Green. Yes, OK. Continue please.\n    Mr. Wulf. I think some of that owes itself to the fact that \nmost facilities were well through the process of developing \ntheir site security plans through the normal process at the \ntime the expedited approval program was rolled out, though we \ncertainly, you know, did our best to publicize its \navailability.\n    The fact that most facilities appreciate the contact that \nthey are able to have with inspectors throughout the the normal \nprocess of developing their site security plan. That tends to \nimprove those plans.\n    So, you know, although we have had a few additional \nfacilities since the re-tiering of facilities occurred within \nthe last couple of years that have availed themselves of the \nprogram, the overall number is very small. The fact of the \nmatter is that our on-line system through which facilities \ndevelop their SSPs is now significantly more streamlined, \nsignificantly more user-friendly. So it is certainly----\n    Mr. Green. Permit me to----\n    Mr. Wulf. Less----\n    Mr. Green [continuing]. Ask. It is I----\n    Mr. Wulf [continuing]. To use this other program.\n    Mr. Green. I don\'t mean to be rude----\n    Mr. Wulf. No worries.\n    Mr. Green [continuing]. And unrefined, but I have to ask \nbecause I have another question. Is it time to review this \nprogram so that we can ascertain whether or not it is something \nthat we should continue with?\n    Mr. Wulf. I would say yes, it is certainly time to take a \nhard look at it.\n    Mr. Green. OK. I am going to leave it at that because I \nhave another question. This relates to hexavalent chloride or \nchromium, excuse me, also known as chromium-6, which is quite \nprevalent around the country and is also a carcinogen.\n    We have had a scare in my home town of Houston, Texas and \nwe have gotten news reporters who have been looking into \nchromium-6. EPA has not provided us with the proper guidelines \nthat we have been waiting on for some time. That doesn\'t mean \nthat we won\'t get them.\n    But OSHA not only regulates workplaces that use it, but \nalso has referred to it as the most toxic form of chromium. My \nquestion is, is this something that you should give us some \nadditional attention to?\n    Mr. Wulf. It is something that we will certainly look at. \nOff-hand, I am not certain that it is one of the 322 chemicals \nof interest that trigger coverage under CFATS, but I will \nabsolutely take a look.\n    Mr. Green. I would greatly appreciate it.\n    Mr. Chairman, I greatly appreciate the times you have \nextended, and I will yield back.\n    Chairman Thompson. Thank you very much. If you will provide \nMr. Green, Mr. Wulf, with whatever information you have on \nthat? I am certain, based on Mr. Wulf\'s comment he will give \nyou whatever information in return.\n    Mr. Wulf. Absolutely.\n    Mr. Green. Thank you, Mr. Chairman. I shall do so.\n    Chairman Thompson. The Chair now recognizes the gentleman \nfrom Kansas City, Mr. Cleaver.\n    Mr. Cleaver. Thank you, Mr. Chairman. Thank you for calling \nthis hearing because this is something that I am very much \nconcerned about and at our hearing yesterday I raised similar \nissues.\n    Because the EPA no longer updates its list of the locations \nof these facilities, chemical facilities, it is difficult for \nme to just pinpoint exactly where they are. Now, they have a \nmap and you can look at the map and kind-of get an idea.\n    I am from Missouri and so I am concerned about what the map \nsuggests, which is the rural parts of Missouri. If you put a \ncomma there for a moment, one of the things that I am concerned \nabout and it has been driving me crazy since the days that I \nwas mayor of Kansas City, and it is that for the most part the \nFederal Government ignores the middle of the country as it \nrelates to the possibility of terrorist attacks.\n    So we lean toward the East Coast, the West Coast, the North \nCoast and I remind people that it was shortly after Easter \n1996, I think it was, when the Murrah Federal Building in \nOklahoma City, not too far from Kansas City, was the first \nmajor terrorist attack.\n    I can\'t remember now. It was just under 200 people killed, \nabout half of them little children at a preschool inside the \nFederal building. I have a little 3-year-old grandson who is at \na Federal daycare center right now.\n    We just can\'t seem to get the kind of attention to deal \nwith these issues. Now that there is no update we don\'t know. I \nwill also remind everyone, remind you and maybe everyone on the \ncommittee, that it was ammonium nitrate used by McVey, Timothy \nMcVey.\n    Ammonium nitrate is fertilizer. I represent a rural area. \nEverybody uses fertilizer to survive. We have 85,000 jobs in \nMissouri related to agriculture. We export about $14 billion a \nyear that support those jobs and many of those are in my \ndistrict, the soybeans and corn. I can\'t tell you how--and so \nyou know there are facilities all over.\n    A terrorist with a IQ above room temperature can figure out \nthe most vulnerable places in our country and the places that \ncreate the least amount of risk to them. It is, frankly, a part \nof the district I represent.\n    I am open for you to tell me how we can correct this by \nnext Thursday?\n    [Laughter.]\n    Mr. Cleaver. Or Wednesday or whatever.\n    Mr. Wulf. I appreciate all that. I will take the first \ncrack. Absolutely agree that, you know, the terrorist threat is \nnot a, you know, bi-coastal threat. It is an all-of-America \nthreat.\n    You know, for our part, you know, we work closely with \nfertilizer retailers with fertilizer manufacturers, many of \nwhom are part of the CFATS program and have put into place \ncomprehensive security measures designed to address the CFATS \nrisk-based performance standards.\n    Our broader organization has placed a regional office in \nKansas City to focus on some of the Midwestern States. There is \none in Chicago as well. So, you know, very focused on working \nwith retailers of fertilizer, with manufacturers of fertilizer, \nas with all other companies and entities that hold high-risk \nchemicals and that are covered under CFATS.\n    Mr. Cleaver. Are the facilities open in Kansas City?\n    Mr. Wulf. Pardon me? There is a regional office in Kansas \nCity, so our chief of regulatory compliance sits in Kansas \nCity.\n    Mr. Cleaver. Yes. How many people? I am just curious. \nBecause I wasn\'t even aware.\n    Mr. Wulf. There are probably 20 folks across the \ninfrastructure protection enterprise in that regional office \nand there are protective security advisors and our chemical \nsecurity inspectors in every State in the region.\n    Mr. Cleaver. I will get in touch with them quickly.\n    Mr. Wulf. Yes.\n    Mr. Cleaver. Thank you, Mr. Chairman. I appreciate it very \nmuch. This is a major issue in my community, so thank you very \nmuch for this hearing.\n    Chairman Thompson. Absolutely.\n    A couple of takeaways, Mr. Wulf, I think based on what I \nheard, I think it would help us if you could provide us with a \nmaster list of the facilities that have been regulated. I think \nthat would help a lot.\n    Mr. Wulf. Yes.\n    Chairman Thompson. But I heard questions from several \nMembers and we can just kind-of share that information.\n    So the other has to do with the data of the inspections \nthat you make. Do you collect that data?\n    Mr. Wulf. Oh, absolutely. Our inspectors produce a report \nof each and every inspection and that runs through our \ncompliance branch here in----\n    Chairman Thompson. So who do you share that data with? Just \ninternally?\n    Mr. Wulf. It is for our internal use for making decisions \nabout approving site security plans and for, you know, as \nnecessary engaging in enforcement activities. But some of that \ndata is the type of data, you know, some of the data on the \nchemical holdings and specifics of the facility is the sort of \ninformation that we share with first responders, law \nenforcement, and others in the local community who have a need \nto know that information.\n    Chairman Thompson. OK.\n    Mr. Anderson, have you all looked at any of that data \ncollection and sharing?\n    Mr. Anderson. Well, we have certainly looked at both \naspects, the data collection piece and the recommendation that \nwe made in that report has been implemented by DHS. So from, \nyou know, from our view in terms of the data on assessing risk, \nfor example, DHS has implemented our recommendations.\n    The information sharing point though, that is still open \nand I think that that is, you know, a valid point of emphasis \nfrom our standpoint. The information sharing with first \nresponders so that there is full visibility over what those \nthreats may be if there is an incident.\n    Chairman Thompson. Well, and I think that is what Mr. \nCleaver and Ms. Slotkin and Underwood, Rose, a number of \nMembers are interested in, whether or not what we collect \nthrough our CFATS process is actually pushed out to especially \nfirst responders.\n    Mr. Anderson. Absolutely.\n    Chairman Thompson. Or communities that are at risk just \ngiven the location of many of those facilities.\n    So I want to thank the witnesses for their testimony and \nthe Members for their questions. The Members of the committee \nmay have additional questions for the witnesses and we ask that \nyou respond expeditiously in writing to those questions.\n    Pursuant to the Committee Rule VII(D), the hearing record \nwill be held open for 10 days. Hearing no further business, the \ncommittee stands adjourned.\n    [Whereupon, at 12:07 p.m., the committee was adjourned.]\n\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n       Questions From Chairman Bennie G. Thompson for David Wulf\n    Question 1a. Since 2007, DHS reports that ``CFATS has encouraged \nmany facilities to voluntarily eliminate, reduce, or modify their \nholdings of certain chemicals of interest in order to reduce the number \nof high-risk facilities\'\' throughout the country.\\1\\ The total number \nof high-risk facilities in the United States has dropped from 7,000 in \n2008 to only about 3,300 today.\n---------------------------------------------------------------------------\n    \\1\\ CFATS Fact Sheet, https://www.dhs.gov/sites/default/files/\npublications/cfats-fact-sheet-07-16-508.pdf.\n---------------------------------------------------------------------------\n    How does DHS verify the accuracy of the information facilities are \nsubmitting to show a reduction in risk?\n    Answer. Response was not received at the time of publication.\n    Question 1b. Can you explain some of the primary ways a facility \nmight reduce their risk level--for instance by storing chemicals in \nlower quantities, using more secure containers, or building security \ninto new constructions?\n    Answer. Response was not received at the time of publication.\n    Question 1c. Does DHS have a system in place to collect and analyze \nthis data to help DHS understand how facilities are reducing risk?\n    Answer. Response was not received at the time of publication.\n    Question 2a. In your testimony, you agreed that there is an \nopportunity for DHS to use this data to develop voluntary best \npractices that could help other facility owners and operators find ways \nto reduce risk, while also maintaining the program\'s non-prescriptive, \nrisk-based approach.\n    Are there additional authorities DHS would need in order to \naggregate, anonymize, and analyze data on facilities that successfully \nreduce risk?\n    Answer. Response was not received at the time of publication.\n    Question 2b. Are there additional authorities DHS would need in \norder to use this data to develop best practices for reducing chemical \nsecurity risks?\n    Answer. Response was not received at the time of publication.\n    Question 2c. Are there additional authorities DHS would need in \norder to share such best practices with other chemical facility owners \nand operators, or with the public?\n    Answer. Response was not received at the time of publication.\n    Question 3a. The Protecting and Securing Chemical Facilities from \nTerrorist Attacks Act of 2014 (CFATS Act of 2014) requires DHS to share \n``such information as is necessary to help ensure that first responders \nare properly prepared and provided with the situational awareness \nneeded to respond to security incidents\'\' at high-risk chemical \nfacilities.\\2\\ In 2018, GAO surveyed first responders and local \nemergency planners and found that many of them either were not aware of \nCFATS facilities in their district, did not have access to the specific \nchemical holdings at those facilities, and sometimes had not even heard \nof the CFATS program.\\3\\ Specifically, GAO interviewed 15 local \nemergency planning committees (LEPCs), representing 373 high-risk \nfacilities, and found that 13 of the LEPCs interviewed did not have \naccess to sufficient CFATS information.\n---------------------------------------------------------------------------\n    \\2\\ Pub. L. 113-254.\n    \\3\\ GAO-18-538.\n---------------------------------------------------------------------------\n    You testified that you can say ``with confidence\'\' that all 3,300 \nCFATS facilities ``have made connections with their relevant local \nfirst responders,\'\' and that inspectors verify these connections in \neach and every case. How do you reconcile this with GAO\'s recent \nreporting?\n    Answer. Response was not received at the time of publication.\n    Question 3b. Has DHS made contact with all 13 of the LEPCs GAO \ninterviewed and found did not have access to information on CFATS \nfacilities? Have those LEPCs been given an IP Gateway account?\n    Answer. Response was not received at the time of publication.\n    Question 3c. What training does DHS provide new IP Gateway account \nholders on how to utilize the portal effectively?\n    Answer. Response was not received at the time of publication.\n    Question 3d. Has DHS successfully completed its goal of conducting \noutreach to LEPCs in the top 25 percent of districts with the highest \nnumber of CFATS facilities? What is the next milestone?\n    Answer. Response was not received at the time of publication.\n    Question 3e. Does DHS prioritize outreach to LEPCs in districts \nwith one or more Tier 1 facilities, or is it based on the number of \nCFATS facilities, regardless of Tier?\n    Answer. Response was not received at the time of publication.\n    Question 3f. In your testimony, you agreed that first responders \n``need information about the chemical holdings so they know what they \nare walking into when they attempt to save lives and property.\'\' Are \nthere any circumstances where a facility would be justified in \nwithholding such information on the grounds that it is protected \nchemical terrorism vulnerability information (CVI)?\n    Answer. Response was not received at the time of publication.\n    Question 3g. Are you aware of instances where a facility has \nwithheld information on chemical holdings, or other information \nimportant for first responders to properly respond to an emergency or \nsecurity incident, on the grounds it is protected under another Federal \nor State regulation?\n    Answer. Response was not received at the time of publication.\n    Question 3h. Is DHS currently working with Federal and State \nregulators, and chemical facilities, to harmonize information \nprotection regimes and make sure first responders and LEPCs are given \nappropriate access to information?\n    Answer. Response was not received at the time of publication.\n    Question 3i. Going forward, does DHS plan to be more proactive in \nmaking sure first responders and LEPCs have IP Gateway access? Will the \nIP Gateway feature more specific information, and do so more broadly, \non the basis of GAO\'s 2018 report?\n    Answer. Response was not received at the time of publication.\n    Question 4. On December 6, 2016, I wrote to the Secretary of DHS \nrequesting an IP Gateway account. On January 11, 2017, then-Under \nSecretary of the National Protection and Programs Directorate Suzanne \nSpaulding responded that ``a representative of the Department\'s Office \nof Legislative Affairs will contact your staff to coordinate the \nprovision of access to the IP Gateway.\'\' Despite multiple follow-up \nrequests, I have yet to receive an IP Gateway account. Please provide \nthe aforementioned IP Gateway account, as well as:\n    (a) a master list of CFATS regulated facilities, per your testimony \nbefore the committee on Feb. 27, 2019;\n    (b) a master list of facilities that were at one point covered by \nCFATS, but have since been determined to no longer present a high level \nof risk, and thus were released from the program; and\n    (c) the standard operating procedures currently used by CFATS \ninspectors.\n    Answer. Response was not received at the time of publication.\n      Question From Honorable Xochitl Torres Small for David Wulf\n    Question. Mr. Wulf, during the hearing you stated that DHS makes \n``an extra effort\'\' to reach out to rural communities to ensure they \nhave access to information on high-risk chemical facilities. Can you \nplease elaborate on what these ``extra efforts\'\' entail and how they \ndiffer from DHS outreach efforts to non-rural communities?\n    Answer. Response was not received at the time of publication.\n        Questions From Honorable Cedric Richmond for David Wulf\n    Question 1a. The CFATS Act of 2014 requires facilities to seek \ninput from at least one knowledgeable employee, and where applicable, \nlabor union representatives, in the development of site security plans.\n    At this time, do CFATS inspectors confirm, as part of each \ninspection, that a facility has complied with this requirement?\n    Answer. Response was not received at the time of publication.\n    Question 1b. Are inspectors required to speak with the employees or \nunion representatives consulted, or check any records at the facility?\n    Answer. Response was not received at the time of publication.\n    Question 1c. Would failing to consult with an employee or union \nrepresentative be grounds for disapproving a site security plan?\n    Answer. Response was not received at the time of publication.\n    Question 1d. In your testimony, you mentioned that DHS gives \nfacilities discretion on whether to consult with employees because the \nlaw provides for consultation only ``to the greatest extent \npracticable.\'\' What authorities would DHS need to verify that this \nconsultation is truly happening to the greatest extent practicable?\n    Answer. Response was not received at the time of publication.\n    Question 2a. In 2018, GAO found that DHS was missing an opportunity \nto show its value as a National security program by tracking and \nmeasuring facility security pre-CFATS, compared to security post-\nimplementation of a CFATS site security plan.\n    How is DHS planning to measure the extent to which facilities \nreduced vulnerabilities as a result of the CFATS program?\n    Answer. Response was not received at the time of publication.\n    Question 2b. Are there other Federal programs that have adopted \nsimilar mechanisms to track vulnerability reduction that the Department \ncan use as a model?\n    Answer. Response was not received at the time of publication.\n    Question 2c. How might this recommendation help DHS understand the \nways in which CFATS facilities are eliminating or reducing on-site \nvulnerabilities?\n    Answer. Response was not received at the time of publication.\n    Question 3a. We have seen a rapid rise in the frequency and \nsophistication of cyber attacks against U.S. critical infrastructure, \noften carried out by well-resourced, determined foreign governments, \ncriminal organizations, or terrorist groups. The U.S. chemical sector \nis among the most frequent targets.\n    What cybersecurity measures are CFATS facilities required to adopt? \nAre facility site security plans ever disapproved due to cybersecurity \ndeficiencies?\n    Answer. Response was not received at the time of publication.\n    Question 3b. How much cybersecurity training do CFATS inspectors \nreceive?\n    Answer. Response was not received at the time of publication.\n    Question 4. The CFATS program is carried out by a division of the \nCybersecurity and Infrastructure Security Agency (CISA), which is DHS\'s \nmain cybersecurity arm. Does CFATS leverage the cyber resources and \nexpertise of the NCCIC, the US-CERT, the ICS-CERT? Are there \nopportunities to do so?\n    Answer. Response was not received at the time of publication.\n    Question 5a. In the past, there have been questions about the CFATS \nrisk-tiering methodology, and whether the program is capturing the \nNation\'s highest-risk facilities.\n    When DHS is considering whether a facility is high-risk, does it \nconsider characteristics about the neighboring infrastructure? For \ninstance, would it matter if the facility was located next door to an \nelementary school, nursing home, hospital, or sensitive Government \nbuilding (e.g., a military base)?\n    Answer. Response was not received at the time of publication.\n    Question 5b. Does the methodology consider the potential health \nconsequences that could result from exploitation of chemicals of \ninterest, or strictly potential loss of life?\n    Answer. Response was not received at the time of publication.\n    Question 5c. Studies show chemical facilities tend to be \nconcentrated in low-income and minority communities. In determining \nrisk, does DHS consider whether a facility is in close proximity to \nother chemical facilities that could exacerbate the impacts of an \nattack?\n    Answer. Response was not received at the time of publication.\n    Question 6. Because of CFATS early instability, DHS did not begin \ncarrying out compliance inspections for several years, with the bulk of \ninspections conducted after 2015. However, since that time compliance \ninspections have spiked to over 3,500, and now the question is whether \ninspectors are being pressured to rush through inspections to get \nnumbers up. How much time do inspectors have to carry out inspections?\n    Answer. Response was not received at the time of publication.\n    Question 7. What should lawmakers be doing to address the statutory \nexemptions for certain types of potentially high-risk facilities like \nwater treatment systems and nuclear power plants? Is there an \nopportunity to study security gaps?\n    Answer. Response was not received at the time of publication.\n         Questions From Honorable Michael Guest for David Wulf\n    Question 1. Of the 40,000 unique facilities that have reported \nchemical holdings since 2007, how many of them ultimately were secured \nthrough CFATS?\n  <bullet> How many of them are still secured through the CFATS \n        program?\n  <bullet> What are some of the reasons a facility may no longer be in \n        the CFATS program?\n    Answer. Response was not received at the time of publication.\n    Question 2. Why has participation in the Expedited Approval Program \nbeen so low?\n  <bullet> What improvements can be made to encourage more \n        participation?\n    Answer. Response was not received at the time of publication.\n    Question 3. How does DHS work with facilities to improve \ncompliance?\n    Answer. Response was not received at the time of publication.\n       Question From Honorable Michael Guest for Nathan Anderson\n    Question. How does the CFATS program account for vulnerability in \nits performance measures, and what is the program\'s methodology to \nimprove security?\n    Answer. In August 2018, we reported that DHS began development of a \nnew methodology and performance measure for the CFATS program in 2016 \ncalled the guidepost-based site security plan scoring methodology.\\1\\ \nDHS officials stated they planned to use the methodology to evaluate \nthe security measures a facility implemented from initial state--when a \nfacility submits its initial site security plan--to the facility\'s \napproved security plan. DHS officials stated the purpose of the \nmethodology is to measure the increase in security attributed to the \nCFATS program and stated that the methodology is not intended to \nmeasure risk reduction.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Critical Infrastructure Protection: DHS Should Take \nActions to Measure Reduction in Chemical Facility Vulnerability and \nShare Information with First Responders, GAO-18-538 (Washington, DC: \nAug. 8, 2018).\n---------------------------------------------------------------------------\n    We found that DHS\'s new methodology and performance measure for the \nCFATS program does not measure the program\'s impact on reducing a \nfacility\'s vulnerability to an attack and that DHS could take steps to \nevaluate vulnerability reduction resulting from the CFATS compliance \ninspection process. We recommended that DHS incorporate vulnerability \ninto the new methodology to help measure the reduction in the \nvulnerability of high-risk facilities to a terrorist attack, and use \nthat data in assessing the CFATS program\'s performance in lowering risk \nand enhancing National security. DHS agreed and is taking steps to \nimplement this recommendation. Specifically, in September 2018, DHS \nreported making progress towards the implementation of two new \nperformance metrics by the end of the first quarter of fiscal year \n2019. DHS officials stated that these metrics should, among other \nthings, evaluate the progress of individual facilities in enhancing \ntheir security and be used to demonstrate an increase in the security \nposture across the population of CFATS facilities. We are currently in \nthe process of obtaining an update from DHS on the status of efforts to \nimplement this recommendation.\n     Questions From Ranking Member Mike Rogers for Nathan Anderson\n    Question 1. In regards to access to information for first \nresponders: What is the difference between ``did not use\'\' and ``did \nnot have access to\'\' Chemical Vulnerability Information through the \nportal?\n    Answer. In August 2018, we reported that while the Infrastructure \nProtection (IP) Gateway is a mechanism for sharing names and quantities \nof chemicals at CFATS high-risk facilities with first responders and \nemergency planners, we found it is not widely used by officials at the \nlocal level.\\2\\ For example, according to DHS, there were 14 accounts \ncategorized at the local level whose access to the IP Gateway layer \nincludes the names and quantities of chemicals at CFATS facilities. A \nlocal account indicates the individual with access is a county- or \ncity-level employee or contractor.\\3\\ Additionally, while not \ngeneralizable to all Local Emergency Planning Committees (LEPCs), \nofficials representing 7 of the 15 LEPCs we interviewed were not aware \nof the IP Gateway and officials representing 13 of the 15 LEPCs stated \nthat they do not have access to CFATS information within the IP \nGateway. Of the 13 officials that reported they did not have access, 11 \nsaid that it would be helpful or critical to have access for several \nreasons. Specifically, officials representing these LEPCs stated that \nthis information would assist them to better prepare and respond to \nincidents and help emergency planners prioritize the most critical \nsites among the thousands of facilities that they oversee. We \nrecommended that DHS should take actions to encourage access to and \nwider use of the IP Gateway and explore other opportunities to improve \ninformation sharing with first responders and emergency planners. DHS \nconcurred with this recommendation and reported in September 2018 that \nthey are taking actions to implement it.\n---------------------------------------------------------------------------\n    \\2\\ GAO-18-538.\n    \\3\\ Account requests for access to the IP Gateway are made via a \nweb-based registration form that asks the individual requesting access \nto identify the type of employee they are. Options include: Federal, \nState, Local (City/County), and Tribal/Territory.\n---------------------------------------------------------------------------\n    Question 2. Of the first responders surveyed, how many of them \nfailed to obtain statutorily-required training to review Chemical \nVulnerability Information?\n    Answer. We reported in August 2018 that CFATS data available in the \nIP Gateway includes, among other things, facility name, location, risk \ntier, and chemicals on-site and is accessible to authorized Federal and \nother State, local, Tribal, and territorial officials and responders \nwith an established need to know, which is determined by DHS.\\4\\ We did \nnot audit DHS officials nor the officials representing the 15 LEPCs we \ninterviewed to determine if any of them failed to obtain statutorily-\nrequired training to review Chemical Vulnerability Information.\n---------------------------------------------------------------------------\n    \\4\\ GAO-18-538.\n---------------------------------------------------------------------------\n    Question 3. Besides the Emergency Planning and Community Right to \nKnow Act, first responders have access to chemical hazard information \nunder the Clean Air Act\'s Risk Management Plan, the Toxic Release \nInventory, Toxic Substances Control Act, and other Federal statutes. \nDid GAO ask the first responders if they used these authorities to \nobtain information necessary to respond to facilities?\n    Answer. In August 2018, we reported that in our interviews with 15 \nLEPCs--whose jurisdictions included 373 high-risk chemical facilities \nregulated by the CFATS program--we found that officials rely on \ninformation reported on chemical inventory forms required by the \nEmergency Planning and Community Right-to-Know Act of 1986 in order to \nprepare for and respond to incidents at CFATS facilities.\\5\\ While we \ninterviewed officials to determine what Federal Government and other \nresources and information they have access to or may receive in order \nto prepare for or respond to an incident at chemical facilities in \ntheir area, we did not ask about each individual authority outlined \nabove. Additionally, we did not review the extent to which the CFATS \nchemicals of interest are covered by the disclosure requirements \noutlined in the above-listed authorities.\n---------------------------------------------------------------------------\n    \\5\\ We interviewed officials representing 15 LEPCs out of more than \n3,000 known LEPCs. We selected LEPCs from different States to include \ncounties with some of the highest number of facilities in each State. \nThe number of high-risk CFATS facilities located in each LEPC ranges \nfrom a low of 11 to a high of 88 across our sample.\n---------------------------------------------------------------------------\n\n                                 [all]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'