[Senate Hearing 116-79]
[From the U.S. Government Publishing Office]


                                                     S. Hrg. 116-79

              SENSIBLY REFORMING THE CHEMICAL FACILITY 
                ANTI-TERRORISM STANDARDS PROGRAM

=======================================================================

                               ROUNDTABLE

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS


                             FIRST SESSION

                               __________

                              JUNE 4, 2019

                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]

                              __________
                               

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
36-699 PDF                  WASHINGTON : 2019                     
          
--------------------------------------------------------------------------------------

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio                    GARY C. PETERS, Michigan
RAND PAUL, Kentucky                  THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma             MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah                    KAMALA D. HARRIS, California
RICK SCOTT, Florida                  KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming             JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

                Gabrielle D'Adamo Singer, Staff Director
                Michelle D. Woods, Senior Policy Advisor
                   Satya P. Thallam, Chief Economist
              Colleen E. Berny, Professional Staff Member
                     William G. Rhodes III, Fellow
               David M. Weinberg, Minority Staff Director
           Julie G. Klein, Minority National Security Advisor
   Christopher J. Mulkins, Minority Government Accountability Office 
                                Detailee
                  Jeffrey D. Rothblum, Minority Fellow
                     Laura W. Kilbride, Chief Clerk
                     Thomas J. Spino, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Johnson..............................................     1
    Senator Peters...............................................     2
    Senator Hawley...............................................    12
    Senator Carper...............................................    20
Prepared statements:
    Senator Johnson..............................................    35
    Senator Peters...............................................    36

                               WITNESSES
                         Tuesday, June 4, 2019

Brian Harrell, Assistant Director for Infrastructure Security, 
  Cybersecurity and Infrastructure Security Agency, U.S. 
  Department of Homeland Security................................     3
Nathan Anderson, Acting Director, Homeland Security and Justice 
  Team, U.S. Government Accountability Office....................     4
Matthew Fridley, Corporate Manager, Safety, Health, and Security, 
  Brenntag North America, on behalf of the National Association 
  of Chemical Distributors.......................................     5
Tim O'Brien, President, Detotec North America....................     6
William Erny, Senior Director, American Chemistry Council........     7
Andrew Wright, Vice President, Legislative Affairs, International 
  Liquid Terminals Association...................................     8
John S. Morawetz, Health and Safety Representative, International 
  Chemical Workers Union Council, United Food and Commercial 
  Workers International Union....................................     9

                     Alphabetical List of Witnesses

Anderson, Nathan:
    Testimony....................................................     4
    Prepared statement...........................................    44
Erny, William:
    Testimony....................................................     7
    Prepared statement...........................................    70
Fridley, Matthew:
    Testimony....................................................     5
    Prepared statement...........................................    52
Harrell, Brian:
    Testimony....................................................     3
    Prepared statement...........................................    38
Morawetz, John S.:
    Testimony....................................................     9
    Prepared statement...........................................    76
O'Brien, Tim:
    Testimony....................................................     6
    Prepared statement...........................................    60
Wright, Andrew:
    Testimony....................................................     8
    Prepared statement...........................................    73

                                APPENDIX

Statements submitted for the Record:
    American Fuel and Petrochemical Manufacturers................    82
    DOW..........................................................    86
    Environmental Technology Council.............................    88
Responses to post-hearing questions for the Record:
    Mr. Harrell..................................................    91
    Mr. Anderson.................................................    96

 
        SENSIBLY REFORMING THE CHEMICAL FACILITY ANTI-TERRORISM.
                           STANDARDS PROGRAM

                              ----------                              


                         TUESDAY, JUNE 4, 2019

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 2:30 p.m., in 
room SD-106, Dirksen Senate Office Building, Hon. Ron Johnson, 
Chairman of the Committee, presiding.
    Present: Senators Johnson, Scott, Hawley, Peters, Carper, 
and Hassan.

             OPENING STATEMENT OF CHAIRMAN JOHNSON

    Chairman Johnson. Good afternoon. This roundtable is called 
to order.
    I want to thank all of our witnesses for your thoughtful 
testimony and your time here today appearing before us 
answering our questions.
    I would ask consent that my written statement\1\ be entered 
into the record. Without objection.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Johnson appear in the 
Appendix on page 35.
---------------------------------------------------------------------------
    Just real quick, I do want to remind everybody what 
Chemical Facility Anti-Terrorism Standards stands for (CFATS). 
It is not the Environmental Protection Agency (EPA). It is not 
Occupational Safety and Health Administration (OSHA). It is not 
Department of Defense (DOD). It is not Department of 
Transportation (DOT). This was a piece of legislation enacted 
to prevent the diversion basically for terrorist purposes of 
chemicals, and from my standpoint it should be focused on that.
    Last Congress, we had actually a larger roundtable, more 
participants. I learned a lot from that and found there was 
duplication with the Bureau of Alcohol, Tobacco, Firearms and 
Explosives (ATF). We tried to address that in our bill that 
passed by voice vote. We tried to reward good behavior. If you 
are up to snuff and you have enacted a great plan here, we give 
you some rewards in terms of less of a regulatory burden. You 
have it covered. You do not need the nanny State coming in here 
and telling you exactly how to run your operation.
    I would hope that that will be--the goal of our ongoing 
efforts here is to reauthorize this, and I do realize those in 
industry would like a long-term authorization. It is all part 
of the Stockholm Syndrome. They are kidnapped and they are just 
asking for a glass of water. They want some certainty, and I am 
happy to give them that level of certainty.
    I do not think they want greater regulation. I do not think 
they want CFATS to become an adjunct or an addition to OSHA and 
EPA and DOT and DOD. I am sure there is more of an alphabet 
soup here of different agencies that control your lives. Again, 
I want to keep this thing focused. I appreciate everybody's 
involvement in here, but, hopefully that statement from the 
Chairman of this Committee will provide some guidance in what 
we are trying to do to reauthorize this program. We should 
reauthorize it for a longer period of time to provide that 
certainty. But I think we should reform it without mission 
creep.
    With that, I will turn it over to Senator Peters.

              OPENING STATEMENT OF SENATOR PETERS

    Senator Peters. Thank you, Mr. Chairman. I will give a few 
opening remarks, too, but I would ask unanimous consent that my 
prepared statement----\1\
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 36.
---------------------------------------------------------------------------
    Chairman Johnson. I am not so sure about that. [Laughter.]
    Without objection.
    Senator Peters. Thank you, Mr. Chairman.
    I would agree with the Chairman. At the most basic level, 
CFATS is about ensuring that certain chemicals never fall into 
the hands of terrorists. That is its fundamental task. But by 
most accounts that I have heard, at least, the program is well 
regarded. I have heard that from stakeholders, including 
industry owners and operators, labor unions, and the Department 
of Homeland Security (DHS). And it has been my experience that 
everybody is seeking the certainty that a long-term extension 
of the program would bring, and I agree with that aspect, and I 
am happy to hear the Chairman also agrees that that is 
something that we need to seek out.
    We need to keep the aspects of the program that are working 
well and improve aspects of the program that are not to ensure 
that CFATS is a mature and reliable security program on par 
with other established and enduring compliance frameworks. 
Improving CFATS' focus on cybersecurity, employee engagement, 
whistleblower protections, and outreach and coordination with 
first responders on-site, I think, are areas that there is some 
real room for progress.
    Senator Johnson put forward a number of priorities in the 
last Congress, and I look forward to working with the Chair and 
our House colleagues to find some common ground and to strike a 
bipartisan agreement that enhances security, reduces the risk 
of terrorist attacks, and protects workers and our communities. 
And I am confident, Mr. Chairman, that we can get that job 
done, and I look forward to working with you in a very frank 
and productive discussion with the experts we have here today.
    Chairman Johnson. I appreciate that, Senator Peters.
    We will just go down the list. Everybody has been given a 
generous 2 minutes. [Laughter.]
    We read your testimony, and it was very thoughtful, and 
that will obviously be entered in the record. But if you can 
just summarize your main points in 2 minutes, and then we will 
open it up for general discussion. And we do this a little bit 
different than a hearing where we each get 7 minutes. It is 
really more of an open discussion so that we stay on the same 
point with different Senators going down that same vein or the 
same line of questioning as opposed to hopping all over the 
place with more formalized rounds.
    We will start with Brian Harrell. Mr. Harrell currently 
serves as the Assistant Secretary for Infrastructure Security 
of the Cybersecurity and Infrastructure Security Agency (CISA), 
U.S. Department of Homeland Security. Mr. Harrell.

     TESTIMONY OF BRIAN HARRELL,\1\ ASSISTANT DIRECTOR FOR 
   INFRASTRUCTURE SECURITY, CYBERSECURITY AND INFRASTRUCTURE 
     SECURITY AGENCY, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Harrell. Alright. Thank you, Chairman Johnson, Ranking 
Member Peters, and Members of the Committee, for having me here 
today to discuss this important chemical security program.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Harrell appears in the Appendix 
on page 38.
---------------------------------------------------------------------------
    Chemicals are vital to our daily lives and economy. We use 
them to develop medicines, refine fuels for our vehicles, and 
build microchips for smartphones. Despite these benefits, 
chemicals do not come without risk.
    We live in a dynamic threat environment. Terrorists have 
shown the desire to seek out and use chemicals in devastating 
attacks, and our adversaries around the globe continue to 
target facilities that store or produce chemicals.
    The threat environment is changing. While an attacker would 
have to physically drive a vehicle bomb up to a building 20 
years ago, today the attacker might target a chemical 
facility's operating system or employ unmanned aircraft or a 
drone to carry out an attack from the comfort of their remote 
location.
    Ensuring that does not happen is one of my chief reasons 
that I sit before you today. CFATS, as a non-prescriptive, 
flexible anti-terrorism program is well suited to reduce the 
risks of a chemical terrorist attack. Since its creation, CFATS 
has identified chemical facilities that present the highest 
risk in case of attack or exploitation, and we have worked to 
ensure these facilities have security measures in place to 
reduce the risks of these hazardous chemicals. As a result, the 
level of security across the industry has significantly 
increased, not only making a successful chemical attack more 
difficult but also serving as a significant deterrent to our 
adversaries.
    Chemical security is a shared commitment, and the gains 
made by CFATS are the result of a strong working relationship 
with our industry stakeholders, our government partners, and 
first responders.
    However, the Department recognizes that as the threat 
environment is constantly evolving, so, too, must CFATS. We are 
engaging our workforce and industry stakeholders on ways in 
which the regulation can continue to meet today's complex risk 
landscape. We cannot be satisfied with our past progress, but 
we must look for opportunities for improvement and adjust 
within the changing physical and cybersecurity landscape. This 
is a sign of a mature program.
    Last, recognizing that CFATS focuses its efforts on only a 
fraction of chemical facilities, the Department is considering 
other opportunities to assist the chemical facility population 
at large through voluntary initiatives. Chemical security must 
remain a high priority for the Nation. We cannot allow 
terrorists to access dangerous chemicals. If we can imagine a 
scenario, a motivated terrorist can imagine a more devastating 
one.
    DHS looks forward to working with Congress toward a long-
term solution that includes both regulatory and voluntary 
efforts so that we can continue to defend today and secure 
tomorrow.
    Thank you, and I look forward to the conversation.
    Chairman Johnson. Our next witness is Nathan Anderson. Mr. 
Anderson currently serves as the Acting Director of the 
Homeland Security and Justice Team at the U.S. Government 
Accountability Office (GAO). Mr. Anderson.

  TESTIMONY OF NATHAN ANDERSON,\1\ ACTING DIRECTOR, HOMELAND 
   SECURITY AND JUSTICE TEAM, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Mr. Anderson. Chairman Johnson, Ranking Member Peters, 
Members of this Committee, good afternoon. We at GAO have 
issued a number of reports on CFATS over the last 7 years, and 
DHS has made substantial progress in a number of areas where we 
found deficiencies such as identifying high-risk facilities, 
prioritizing them, and reviewing security plans. But there is 
room for improvement, particularly in measuring the CFATS 
program's performance.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Anderson appears in the Appendix 
on page 44.
---------------------------------------------------------------------------
    Sometimes when people use terms like ``performance 
measures,'' it is difficult to understand the implications of 
shortcomings in this area, so let me be clear. When we identify 
deficiencies in the program's performance measures, we are 
stating that improvements are needed so that decisionmakers 
have the information necessary to gauge whether or in what form 
the program should exist.
    In our report from late last year, we found that DHS 
performance measures for the CFATS program speak to program 
accomplishments, such as the number of facilities inspected, 
and these are important outputs. However, they do not measure 
program outcomes. One way to do this is to measure reductions 
in vulnerability at facilities that have resulted from 
implementing required security measures.
    Think of this in terms of cost-benefit. We know the cost of 
the CFATS program in terms of annual appropriations, and we 
have information on the cost that industry has incurred through 
compliance. But we do not have clear information on the 
benefits, specifically the amount that risk is reduced through 
compliance with the CFATS program. Such information is needed 
to assess the program's return on investment, and such measures 
exist in some other DHS component programs.
    Mr. Chairman, Ranking Member Peters, and Members of the 
Committee, this concludes my statement, and I look forward to 
the discussion.
    Chairman Johnson. Thank you, Mr. Anderson and Mr. Harrell.
    Our next witness is Matthew Fridley. Mr. Fridley is the 
Safety, Regulatory, and Security Manager at Brenntag North 
America. He is also the current chair of the Chemical Sector 
Coordinating Council (CSCC). Mr. Fridley.

  TESTIMONY OF MATTHEW FRIDLEY,\1\ CORPORATE MANAGER, SAFETY, 
HEALTH, AND SECURITY, BRENNTAG NORTH AMERICA, ON BEHALF OF THE 
         NATIONAL ASSOCIATION OF CHEMICAL DISTRIBUTORS

    Mr. Fridley. Good afternoon, Chairman Johnson, Ranking 
Member Peters, and distinguished Members of the Committee. 
Again, my name is Matthew Fridley, and I am the safety, health, 
and security manager for Brenntag North America, a chemical 
distribution company headquartered in Reading, Pennsylvania.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Fridley appears in the Appendix 
on page 52.
---------------------------------------------------------------------------
    In addition to my role at Brenntag, I am the chair of the 
Chemical Sector Coordinating Council. I am also the vice chair 
of the Regulatory Affairs and Security Committee for the 
National Association of Chemical Distributors (NACD) on whose 
behalf I am testifying today.
    I thank you for allowing me to participate in this 
important roundtable. Brenntag is currently the largest 
chemical distributor globally and the second largest chemical 
distributor in the United States.
    I believe the CFATS program has made the chemical industry 
and our Nation much more secure with industry investing 
significant capital and training resources toward enhanced 
security measures.
    DHS has generally taken a non-adversarial and balanced 
approach in implementing the CFATS program. DHS has excelled in 
outreach to industry in a number of ways. They include 
understanding the diversity of the chemical industry and 
working with companies on security measures that meet the CFATS 
risk-based performance standards (RBPS); interacting with 
chemical owners and operators; and always making inspectors and 
headquarters personnel available to walk through and talk 
through issues or questions.
    One priority I can recommend to the Committee is to require 
that any changes to Appendix A: Chemicals of Interest (COI) 
list remain subject to rulemaking and notice and comment. 
Changes to the COI list will have a major impact on my business 
operation and security investments.
    I also support the creation of the program under which DHS 
would recognize companies that meet certain criteria such as 
participation in an initiative such as Responsible 
Distribution. By acknowledging the value of these industry 
initiatives, DHS will be able to prioritize resources in 
noncompliant outliers that pose a greater risk to security.
    In 2014, the reauthorization further enhanced the security 
efforts by providing regulatory certainty to both industry and 
DHS, thereby increasing efficiencies in the program. It is my 
hope Congress can pass a long-term reauthorization of the CFATS 
program.
    On behalf of both NACD and Brenntag, I appreciate the 
opportunity to present our views on this important issue.
    Chairman Johnson. Thank you, Mr. Fridley.
    Our next witness is Timothy O'Brien. Mr. O'Brien is 
President of Detotec North America, an explosive manufacturing 
company headquartered in Sterling, Connecticut. Mr. O'Brien.

 TESTIMONY OF TIM O'BRIEN,\1\ PRESIDENT, DETOTEC NORTH AMERICA

    Mr. O'Brien. Chairman Johnson, Ranking Member Peters, and 
Members of the Committee, as president of Detotec North America 
and past chairman of the Institute of Makers of Explosives, I 
thank you for the opportunity to discuss the CFATS program.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. O'Brien appears in the Appendix 
on page 60.
---------------------------------------------------------------------------
    The commercial explosives industry has been regulated for 
security since 1971 by ATF. Following the tragic events of 
September 11, 2001 (9/11), Congress passed the Homeland 
Security Act of 2002, which strengthened ATF's mission to 
protect the public from the diversion of explosives for illicit 
use, including acts of terrorism.
    Reports from the U.S. Bomb Data Center show a consistent 
decline in thefts of explosives over the past 30 years. CFATS 
has had no perceptible impact on security for commercial 
explosives. This may have been the reason why DHS stated before 
this Committee last year that they would ``lose no sleep over 
explosives leaving the program.''
    Since Detotec opened 30 years ago, we have been compliant 
with ATF's comprehensive security regulations. In all that 
time, we have never experienced a theft or diversion of our 
products. In 2008, Detotec submitted our first CFATS Top-
Screens and received conditional authorization in 2013.
    In 2016, we submitted new Top-Screens based on a new 
tiering methodology. Between the authorizations and the new 
Top-Screens, we were inspected 10 times by ATF, DOD, and the 
Defense Contract Management Agency (DCMA). No security concerns 
were raised, and we were found to be in full compliance.
    Despite our record, DHS required additional security 
measures from us. DHS made suggestions for compliance, and our 
cost estimates for those ranged from $400,000 to over $1 
million. That would have shut us down.
    By the time we found a viable plan, we were 10 days late, 
resulting in a fine of $100,000. Detotec was able to reduce the 
amount paid through a small business process; however, an 
employee had to be let go.
    Let me reiterate: I had to lay off an employee to pay a 
fine for failing to submit to DHS my plan for what we would 
implement in 6 months, not for failure to implement those 
measures.
    I do not appear before you to ask for deregulation of 
commercial explosives, but to make the case for removing ATF-
regulated materials from CFATS, which will cut costs for 
taxpayers and reduce duplicative regulation without having a 
negative effect on national security.
    Thank you. I look forward to any questions that you may 
have.
    Chairman Johnson. Thank you, Mr. O'Brien.
    Our next witness is William Erny. Mr. Erny is a Senior 
Director at the American Chemistry Council (ACC), which 
represents over 170 businesses involved in the chemistry 
industry. Mr. Erny.

    TESTIMONY OF WILLIAM ERNY,\1\ SENIOR DIRECTOR, AMERICAN 
                       CHEMISTRY COUNCIL

    Mr. Erny. Yes, good afternoon. As you all know, the 
business of chemistry is a major economic driver here in the 
United States. We are a $526 billion enterprise, and we are 
growing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Erny appears in the Appendix on 
page 70.
---------------------------------------------------------------------------
    It is because of this critical role in the economy that 
chemical security continues to be a major priority for ACC and 
its members, and to demonstrate this commitment, this year 
marks the 31st anniversary of ACC's Responsible Care program. 
Responsible Care is the leading chemical industry stewardship 
program. Under Responsible Care, our members have invested more 
than $17 billion to enhance security at all of our sites.
    The CFATS program also plays a very critical role in 
protecting chemicals. CFATS provides a baseline to set for the 
industry that covers all facilities that they must adhere to. 
As such, ACC supports long-term authorization.
    It is true that DHS has made a lot of progress over the 
last 4\1/2\ years. However, we would like to make some 
additional recommendations we believe would further enhance the 
program.
    One, DHS should maintain its focus on chemical security. 
CFATS should retain its core mission of chemical security, not 
wander into other areas such as safety and environmental 
requirements that we believe would serve to sort of water down 
their current focus and resources on their core mission.
    Two, personal surety, terrorist screening for Tiers 3 and 
4, lower-risk tiers, should be optional. DHS has recently 
announced they plan on expanding terrorist screening to more 
than 3,000 additional lower-risk facilities, including tens of 
thousands of additional workers and contractors. In a nutshell, 
we believe this is just too far, it is too much, and it is not 
necessary.
    And then item number three, establish a CFATS recognition 
program. DHS should leverage chemical industry stewardship 
programs such as Responsible Care by providing regulatory 
recognition for responsible operators. Such a program would 
enhance the current stewardship programs that are available and 
incentivize the creation of new programs.
    It is a fact that companies who participate in industry 
stewardship programs outperform their peers and the industry as 
a whole. Creating a CFATS recognition program would enhance 
chemical security across the sector and beyond the universe of 
the regulated community.
    In closing, I would just like to say that CFATS has helped 
make our industry and our communities more secure. We encourage 
this Committee to consider these proposed changes and to 
provide long-term authorization for CFATS.
    Thank you, and I look forward to our discussion.
    Chairman Johnson. Thank you, Mr. Erny.
    Our next witness is Andrew Wright. Mr. Wright is the Vice 
President of Legislative Affairs of the International Liquid 
Terminals Association (ILTA), representing both terminal and 
supply members that transport liquid products. Mr. Wright.

  TESTIMONY OF ANDREW WRIGHT,\1\ VICE PRESIDENT, LEGISLATIVE 
      AFFAIRS, INTERNATIONAL LIQUID TERMINALS ASSOCIATION

    Mr. Wright. Chairman Johnson, Ranking Member Peters, and 
Members of the Committee, thank you for the opportunity to 
participate in today's roundtable.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Wright appears in the Appendix on 
page 73.
---------------------------------------------------------------------------
    The International Liquid Terminals Association represents 
the tank and terminals industry in all 50 States. ILTA members 
provide storage and transportation logistics and value-added 
services for a wide range of liquid commodities, including 
crude oil, gasoline, diesel, jet fuel, and chemicals.
    ILTA appreciates the critical role that DHS and the CFATS 
program play in maintaining our Nation's security and supports 
the CFATS coalition priorities.
    However, I want to focus on an ILTA recommendation to 
correct the treatment of gasoline, diesel, and other fuel 
mixtures. All flammable materials identified as chemicals of 
interest have a National Fire Protection Association (NFPA) 
rating of Class 4, which is extremely flammable, with the 
notable and problematic exception of gasoline Class 3 along 
with diesel, kerosene, and jet fuel, all of which are Class 2.
    Faced with the best science and the most authoritative 
standard in use today for the characterization of flammable 
materials, DHS no longer requires those facilities to perform 
top-screen evaluations based solely on the presence of these 
mixtures. In fact, for nearly a decade, gasoline, diesel, 
kerosene, and jet fuel have effectively not been regulated 
under CFATS because of a DHS regulatory hold. Therefore, in 
practice, DHS recognizes the lower risk associated with 
gasoline and other fuel blends. We believe that it is time to 
bring the regulation in line with current DHS practice and 
remove the unjustified exception that would incorrectly treat 
these products as if they were chemicals of interest.
    ILTA and its member companies have worked unsuccessfully 
through regulatory channels for more than 10 years to correct 
the mistaken treatment of gasoline and fuel blends that are 
still written into the regulations. Only Congress can focus 
CFATS on plausible security risk and ensure that gasoline and 
fuel mixtures are removed from CFATS during this and future 
Administrations.
    I look forward to your questions.
    Chairman Johnson. Thank you, Mr. Wright.
    Our final witness, last but not least, is John Morawetz. 
Mr. Morawetz is a Health and Safety Representative for the 
International Chemical Workers Union Council and the United 
Food and Commercial Workers (UFCW) International Union. Mr. 
Morawetz.

      TESTIMONY OF JOHN S. MORAWETZ,\1\ HEALTH AND SAFETY 
 REPRESENTATIVE, INTERNATIONAL CHEMICAL WORKERS UNION COUNCIL, 
     UNITED FOOD AND COMMERCIAL WORKERS INTERNATIONAL UNION

    Mr. Morawetz. Thank you, Chairman Johnson, Ranking Member 
Peters, and Committee Members for the honor of appearing before 
you on chemical facilities security and safety. I represent, as 
you said, the Chemical Workers and UFCW. We represent 20,000 
members in 32 States and strongly support a multiyear 
reauthorization with four improvements.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Morawetz appears in the Appendix 
on page 76.
---------------------------------------------------------------------------
    One, our members work with many CFATS Appendix A extremely 
hazardous substance and have a vested interest in a facility 
operation for everyone's well-being. Thankfully, there has not 
been a terrorist attack on a chemical plant, but we can learn 
from unintentional releases at our facilities, including a 
massive release in Houston that killed four people and a 
complete rupture of a full chlorine tanker car in West 
Virginia.
    Most tragically, in 1971, a Georgia facility that 
manufactured magnesium trip flares had some fires and blew up. 
Horribly, the evacuation distance was not sufficient, and 27 
workers were killed.
    Our recommendations:
    First, workers and labor representatives need to be 
involved in protecting our chemical infrastructure. Workers' 
daily expertise must be utilized and documented in the 
drafting, implementation, and evaluation of plant security 
plans. I would love to talk about CFATS inspections, but our 
locals and members are often not included while other Federal 
agencies have established joint management-labor inspection 
models.
    Second, everyone, including CFATS inspectors, must be 
trained on specific hazards, responses, their roles and drills.
    Third, whistleblowers must not face retaliation. DHS must 
have procedures on whistleblower retaliation, including at 
least 90 days to file a complaint, a private right of action, 
and for representatives to file complaints.
    Last, DHS knows how facilities use best practices to reduce 
their risk, including safer substances, reductions in storage, 
and just-in-time use, and that information should be released 
annually.
    Thank you, and I would be glad for the continuing 
discussion.
    Chairman Johnson. Thank you, Mr. Morawetz.
    Let me just start. I come from a manufacturing background, 
and it was my experience that the whole safety issue started 
with local police and fire public safety organizations. We 
would get frequent visits by the fire department. Do you have 
any hazardous chemicals? Where are they located? What the 
quantities were, what is your evacuation plan, those types of 
things. So, kind of like the Federal Emergency Management 
Agency (FEMA), a layered approach, local, State, and then 
Federal.
    What we have here with CFATS after 9/11 is a whole new 
program specifically designed to keep dangerous chemicals that 
could be used in a terrorist attack out of the hands of 
terrorists. I do not believe the intent of Congress--and had I 
been here, I would have fought that intent--was to have an all-
encompassing regulatory agency governing worker safety, fire 
hazards, chemical discharge, potential pollution issues.
    I want to start questioning with industry: What agencies 
regulate your businesses already in addition to DHS? We will 
start with Mr. Fridley because you look like you are ready to 
go here.
    Mr. Fridley. Yes, pretty much the alphabet soup, as you 
stated earlier, Chairman.
    Chairman Johnson. So give us the most significant ones, if 
you can.
    Mr. Fridley. Obviously, EPA, OSHA, DOT, DEA, we have ATF, 
we have the Food and Drug Administration (FDA), the U.S. Coast 
Guard (USCG) as well because we have the Maritime 
Transportation Security Act of 2002 (MTSA) facilities, are the 
primary, along with DHS.
    Chairman Johnson. And you are heavily regulated by most of 
those.
    Mr. Fridley. Yes, sir.
    Chairman Johnson. It is not like you do not get visited. It 
is not like they are ignoring those issues that they are 
concerned about.
    Mr. Fridley. That is correct.
    Chairman Johnson. Mr. O'Brien.
    Mr. O'Brien. ATF would be our primary agency that oversees 
us, and they in the past have clearly stated that they 
effectively regulate the security of commercial explosives, 
emphasizing that the only value DHS adds relative to explosives 
is the regulation of the precursor chemicals. We are visited 
routinely by them. We have very prescriptive regulations by 
them, that they tell us exactly what we have to do.
    Chairman Johnson. Describe ``routinely.'' How often do you 
get site visits from ATF?
    Mr. O'Brien. So at a minimum, you are inspected every 3 
years because a license lasts 3 years. My particular company 
has three separate licenses, so they happen to fall one a year. 
So we were getting visits one every year by ATF. And when they 
come in, they will come in and examine exactly how much 
explosives we have, down to the gram. They will count all of 
the detonators we have. They will count everything. There is no 
threshold at which, OK, this program only applies if you are 
over a certain level. If we have a gram or higher, we are 
regulated by ATF.
    They also have a vetting program because after the Safe 
Explosives Act of 2002, all of our downstream customers had to 
get a license. So they have all gone through the ATF vetting 
process as well. They will verify that we are only receiving 
and giving out explosives to companies that----
    Chairman Johnson. I do not want to get too far in the 
weeds.
    Mr. Erny. By the way, this is my first and only kind of 
structured question. Then we are going to throw it open. If you 
want to say something on an issue, put your name tag up so we 
can call on you, OK. Mr. Erny, quickly.
    Mr. Erny. Sure. To add on to the ones that I think I caught 
mentioned so far, some of the additional ones, in addition to 
OSHA and EPA and the regular ones, would be DOT, for instance. 
They have security regulations in place that handle en route 
security of chemicals, which include the sale point and the end 
point as well. So there is a lot of crossover and duplication 
in that.
    The Transportation Security Administration (TSA) and its 
rail security regulation, very involved in sort of the 
transportation via rail of chemical products.
    Customs and Border Protection (CBP) and Customs-Trade 
Partnership Against Terrorism (CTPAT) program, not a 
regulation, voluntary, but the nature of it and the importance 
of it to import chemicals across the border makes it 
essentially a must-do.
    And then FDA with food-grade chemicals and things of that 
nature.
    Chairman Johnson. Mr. Wright.
    Mr. Wright. Yes, Senator----
    Chairman Johnson. Can you add anything to that?
    Mr. Wright. Well, the Coast Guard. A lot of our facilities 
are maritime, so we have the Coast Guard, EPA, OSHA, DHS, DOT. 
I would add we have a lot of State and local regulation on our 
facilities. We probably have as much from the States as we do--
obviously, it varies State to State, but we probably have as 
much from the States as we do from the Feds.
    Chairman Johnson. Again, we got more site visits by the 
local fire department. So a show of hands, does anybody feel 
you are underregulated?
    [No hands raised.]
    OK. Senator Peters, do you have something?
    Senator Peters. I will do a couple.
    Mr. Morawetz, in your opening remarks, you discussed the 
need to improve employee engagement in the development and 
implementation of these assessments. I think as you mentioned 
in your opening comments, chemical workers are routinely not 
consulted. Is that correct?
    Mr. Morawetz. That is correct.
    Senator Peters. Can you discuss the security benefits of 
engaging more broadly with these chemical workers on the site 
plans? Why do we need to try to facilitate that in your mind?
    Mr. Morawetz. I would say it is no different than any other 
party at this table or any stakeholder involved in this 
process, that if you leave anybody out, you lose some vital 
information. In particular, the people who actually operate the 
machinery, the reactor vessels, the storage vessels, the 
piping, everything, if they are not involved, then I think we 
lose potentially some information, and basically from a 
terrorist attack--and that is what we are concentrated on; I 
agree with that--we are at greater risk if we do not include 
people.
    Senator Peters. So you are saying they are not included for 
all the benefits to potentially be there, but they are not 
included now in this current program? Could you discuss your 
experience with inspectors in other compliance programs that 
may be a good model for us to look at?
    Mr. Morawetz. I have experience, direct experience with 
three: the National Institute for Occupational Safety and 
Health (NIOSH)--I worked at NIOSH for 2 years; OSHA--OSHA 
inspected some of these facilities; and the Chemical Safety 
Board. The facility that I mentioned where four people got 
killed, it was a massive release of methyl mercaptan. It was 
the subject of OSHA regulations. It was the subject of a 
Chemical Safety Board investigation. It is actually still 
pending. It was basically a seamless, easy process. The 
inspectors come in. There is a union there or the union knows. 
They sit down. They meet together. The vast majority of the 
time you sit down and you meet and you discuss the problem and 
try to resolve it.
    A rare situation where one side or the other says, ``No, I 
want to meet separately.'' Then there are separate meetings 
with both parties. I think there is a lot to be gained for 
inspectors in doing that and, in particular, it puts me at a 
disadvantage of answering a lot of questions about CFATS, how 
it applies with the other gentlemen know more, because we only 
have found one facility where our members know and have been 
involved with the CFATS program.
    Senator Peters. The current CFATS program also does not 
have real whistleblower retaliation protections in place. Would 
you talk a little bit about why that may be problematic?
    Mr. Morawetz. I do not have direct experience with the 
chemical workers. However, in the news, our whistleblowers may 
be biased, but I tend to think where a union is in place, a 
whistleblower situation is less inclined to get to an extreme 
position and things resolve easier. We work with a couple of 
Department of Energy (DOE) facilities, and in those facilities, 
for the last, I think, about 5 or 6 years, there has been a 
whole move toward a culture of safety based upon a DOE worker 
who complained. It was a whistleblower complaint. His job was 
taken away from him. He had his pay, but he was put into a 
different office basically doing nothing. That is one. There 
are other articles today about American Federation of 
Government Employees (AFGE) in Kansas City, I believe, that 
there is a whistleblower complaint. So it can happen.
    Senator Peters. Yes. I have other questions, but I will 
defer so Senator Hawley can ask his questions, if that is 
alright, Mr. Chairman.
    Chairman Johnson. Senator Hawley.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you very much. I just want to note 
that Missouri companies often tell us what while they support 
the intent of regulations like CFATS, these regulations are 
often redundant, contradictory, poorly defined, as many of you 
have testified today, and it makes it harder and costlier for 
them to meet the requirements, and that is especially true in 
the case of small businesses.
    I want to just ask about the commercial security 
initiatives. Mr. Fridley, I think it was in your written 
testimony, you wrote that verified industry standard programs 
and insurance carriers often require companies to maintain 
contingency plans that are ``as comprehensive as the 
contingency plans required by government agencies and often 
have much more applicability and effectiveness in real-world 
situations.'' That is from your testimony. Do you want to say 
something more about that?
    Mr. Fridley. Yes, Senator Hawley. Thank you for the 
question. There are obviously municipalities, there are 
insurance requirements. I have five facilities, over 100 people 
employed in the State of Missouri, so we see this----
    Senator Hawley. We are so glad you do.
    Mr. Fridley. But, yes, everybody has different aspects that 
they want as part of that contingency plan. How we are doing 
some of these things is we are leveraging the different 
agencies and different ones on how we can do one plan that 
satisfies multiple agency requirements, insurance requirements 
and such.
    We are doing that same thing with our security models. We 
are looking at the various requirements by the different 
agencies, and we are putting in one security system, that will 
be able to be managed and be applied by all. So we are not 
necessarily seeing the duplicative portion of it, at least not 
in my experience.
    Senator Hawley. Let me just ask Mr. Harrell on that point, 
can you speak to how CFATS is leveraging or considering 
leverages commercial security initiatives to advance the goal 
of protecting chemical facilities and then, wherever possible, 
to reduce any duplicative or unnecessary regulatory burdens on 
business?
    Mr. Harrell. Absolutely. I just got to the Department back 
in December, so I have often said in this forum that I have 
been a regulator, I have been regulated, and now I am seeing 
things through kind of that Federal lens. I am very sensitive 
to that duplicative nature of compliance and regulatory 
standards. I think it is very important to reduce where we can. 
I think that is where the Department of Homeland Security has 
done a good job of engaging with the other Federal regulators 
out there. We have routine meetings with them to ensure that 
while we may show up on a Monday, that somebody else is not 
showing up on a Tuesday, which would be completely disruptive 
to private industry. Coming from private industry, I am very 
sensitive to that.
    I think we have done a good job of ensuring that there is 
coordinating and the ability to share information back and 
forth, which I think prevents some of the issues that you are 
describing.
    Senator Hawley. Very good. Thank you, Mr. Chairman.
    Chairman Johnson. Mr. Morawetz, let me ask you, you said in 
OSHA you have the ability, labor has the ability to input into 
OSHA's process, into their inspections?
    Mr. Morawetz. Yes.
    Chairman Johnson. What other Federal agencies does labor 
have the input right?
    Mr. Morawetz. In an OSHA inspection?
    Chairman Johnson. Well, what about EPA? What about the 
Department of Transportation?
    Mr. Morawetz. I do not have direct experience with EPA. So 
my experience is NIOSH, OSHA, and Chemical Safety Board, and 
basically there are joint meetings. There are separate 
conversations. We have access to information, letters, etc., 
and we discuss the questions and see what--in particular, not 
so much me, but I would say the rank-and-file members who know 
more information about processes and dangers, they get involved 
in it.
    Chairman Johnson. Most union contracts lay out a process 
for workers to come forward and lodge certain safety concerns 
or other types of problems, correct? Most formal labor 
agreements? That would be a true statement?
    Mr. Morawetz. I do not have really direct experience 
exactly what particular contracts say about bringing health and 
safety concerns. I know contracts often have a health and 
safety committee, so there is a process set up.
    Chairman Johnson. I know what I have experienced coming 
from the private sector to the public sector. Whistleblower 
retaliation is far more prevalent--I do not know how many 
orders of magnitude more prevalent--within government than it 
ever was in the private sector, because in the private sector 
you can get sued out of existence if you use and abuse your 
employees that way. Do you have a different experience?
    Mr. Morawetz. I could not compare private and public. Most 
of our main job is not involved with retaliation, so, really, 
it is hard for me to----
    Chairman Johnson. My understanding is that workers have a 
great deal of protection when it comes to whistleblowing on 
their employers, whether it is a labor issue, whether it is a 
safety issue. Just go right down the line. Just get an 
attorney, and you will find out how many rights you have in the 
private sector as a whistleblower against an employer.
    Again, I am not seeing a great need to offer additional 
whistleblower protection within something like CFATS, which 
should be a narrowly focused piece of legislation about keeping 
dangerous chemicals out of the hands of terrorists.
    Mr. Morawetz. Generally from my experience, talking to 
representatives, the vice president of the union, they really 
feel that because it is not so much public sector but because 
they have a union contract in that structure, that it is more 
likely that there will not be that kind of situation. In non-
union facilities, we feel that that intimidation is much real 
and can happen more readily. And my personal experience and 
different ways that I have heard from people, I think the fear 
on the job is a very real factor.
    Chairman Johnson. Mr. Wright, real quick, because I am not 
following the Class 2, 3, and 4, really describe what you are 
talking about here. Are all the liquids exempted from CFATS 
except for gasoline and diesel fuel? Or are they all under it 
except for--describe what you are talking about.
    Mr. Wright. Yes, Senator. I am sorry. That is sort of 
complicated. Only 4's are included as COIs. However--and that 
was the specific rule that DHS put into the regulation. But 
then away from Appendix A, they put a couple of little 
paragraphs in that brought gasoline in, diesel fuel, kerosene, 
even though it was not a 4, but a 3 or a 2.
    Chairman Johnson. This is as clear as mud right now. I am 
sorry. What liquids were included to be covered under CFATS in 
the original law?
    Mr. Wright. Well, things like--I mean, we are talking about 
flammables. I mean, it would be----
    Chairman Johnson. OK, flammable liquids.
    Mr. Wright. Yes.
    Chairman Johnson. That is what you are dealing--again, 
talking about your industry. So which ones were included under 
the law?
    Mr. Wright. It would be chemicals like propane, for 
example, that need to be kept under pressure, that are 
genuinely highly flammable, that might explode. Basically the 
thing that we are trying to prevent here is for terrorists to 
be able to use something as a weapon that, in the case of 
flammables, that might explode and cause damage outside the 
fence. With gasoline, it will burn but it will not explode. I 
call it the ``A Team effect.'' You watch these television 
shows, and they bump up against a car and the car explodes.
    Chairman Johnson. So liquids that were not only flammable 
but explodable were included in the law?
    Mr. Wright. That is correct.
    Chairman Johnson. And then by regulation----
    Mr. Wright. Well, it was included in the regulation.
    Chairman Johnson. So included in the regulation.
    Mr. Wright. Under Title A--or under Appendix A. But then 
they just added gasoline in and kerosene and the other 
flammables.
    Chairman Johnson. So they added liquids that are flammable 
but not explosive.
    Mr. Wright. Correct.
    Chairman Johnson. Are they regulating them now?
    Mr. Wright. They are not regulating them now under a 
regulatory hold.
    Chairman Johnson. And you are asking to put something in 
this piece of legislation to prevent them from adding that at a 
later date, to make the distinction between a liquid that is 
flammable and non-explosive versus a liquid that is flammable 
and explosive?
    Mr. Wright. That is basically the case.
    Chairman Johnson. Is that the----
    Mr. Wright. But right now, Senator, they are not 
regulating, but the regulation still exists. It is just on a 
regulatory hold.
    Chairman Johnson. I am trying to get clarity.
    Mr. Harrell, tell me, is that an accurate description of 
what we are talking about here with flammable liquids? You are 
including under CFATS and regulating under CFATS flammable and 
explosive liquids but not strictly flammable, although you are 
reserving the option to do so?
    Mr. Harrell. Yes, absolutely. So what he is describing is, 
in fact, accurate. There are a number of chemicals that are 
originally part of Appendix A that we have since essentially 
minimized. And so now as we move forward, we are willing and 
open to have this conversation of removing these chemicals from 
Appendix A. But that will require rulemaking.
    Chairman Johnson. Or law.
    Mr. Harrell. Correct.
    Chairman Johnson. We could do that as part of this 
reauthorization, make it very explicit so it is not necessarily 
up to one regulator after the next going, ``OK. No, we changed 
our mind.''
    Mr. Harrell. And I think that is----
    Chairman Johnson. Wouldn't it be better to kind of lay out 
exactly what CFATS is all about? Why are we doing this? What is 
the purpose of CFATS? Anti-terrorism. And what chemicals are we 
trying to protect from what?
    Mr. Harrell. I think we agree with that.
    Chairman Johnson. Is there a generalized statement you can 
make in terms of what CFATS is supposed to be dealing with in 
terms of chemicals, an overall mission statement?
    Mr. Harrell. So, the overall mission statement would be the 
Department's role in risk reduction, right? So removing or 
mitigating the risk of high-risk chemicals for chemical 
facilities across the country.
    Chairman Johnson. Now define high-risk chemicals. Wouldn't 
that be the next step? So now define a high-risk chemical.
    Mr. Harrell. Right. So that potentially could do 
significant harm, cause a number of deaths, and have giant 
explosions throughout the country, that we would otherwise feel 
uncomfortable with as a country, as a Nation; that and the 
stealing of those chemicals that could be used potentially 
against soft targets or otherwise.
    Chairman Johnson. Do you have that definition anywhere 
within regulation, whatever a high-risk chemical is?
    Mr. Harrell. We do, and I have not committed it to memory, 
but I am sure we have it.
    Chairman Johnson. OK, great. I would like to see what that 
definition is.
    Any of you folks aware of what that definition is of a 
high-risk chemical?
    [Witnesses shaking heads.]
    You have obviously looked at this. Do you understand what 
the mission is of the CFATS regulation? Are they following that 
mission?
    Mr. Anderson. Yes, sir, absolutely. When we speak of high-
risk chemicals, we are talking about chemicals in X quantity 
past a certain threshold could inflict mass danger based on a 
geographic distance of concern. And what we have looked at 
recently is how the methodology has changed, how CFATS has 
become more mature and has a better understanding for where 
there might be higher consequences or lower consequences. And 
there was a peer-reviewed study by Sandia National Labs where 
they got into that and made some changes to how they define 
risk.
    Chairman Johnson. Again, Appendix A was developed under the 
regulatory regime, and the industry had the opportunity to 
comment on that? Did DHS do a pretty good job of responding to 
comments and lay out that list where it made sense? Go ahead, 
Mr. O'Brien. By the way, I am not here to litigate your 
particular case.
    Mr. O'Brien. No, nor am I saying--but from our experience, 
we know that ATF was only engaged very late in the process. So 
I was just going to offer that perspective.
    Chairman Johnson. Duplicative regulation is different than 
what I am talking about right now. Right now I am trying to 
talk about how CFATS defined its mission, how it came up with 
Appendix A, what the definition of those risky chemicals are, 
and whether that Appendix A makes sense, and does it need 
further refinement? Or does the definition need further 
refinement?
    Mr. Wright, you had----
    Mr. Wright. Yes, thank you, Senator. I just wanted to point 
out that when we were included, we went back to DHS in 2009 
with white papers, evidence, and said, look, this is not a 
chemical of mass effect. We can have a fire but we are not 
going to have an explosion. And they basically as a result of 
that quit regulating us, but they would never change the 
underlying regulation. And that is why we are asking the Senate 
to exercise some oversight and say, OK, 10 years is long 
enough, let us make the regulation meet the reality--I mean the 
policy meet the reality.
    Chairman Johnson. Mr. Harrell, real quick, do you kind of 
agree--you are just in the position now. Do you agree with that 
distinction between something that is flammable, but then you 
have a ton of it could cause real damage, versus something that 
is flammable and explosive in terms of a risky chemical.
    Mr. Harrell. Indeed, yes, so there is a difference between 
the two. I think DHS is absolutely committed to having the 
conversation back and forth with this Committee to do what 
makes sense and to remove or add things if we had to, to 
Appendix A through rulemaking.
    Chairman Johnson. And to me, again, the whole purpose of 
reauthorization is to provide certainty, and if we can kind of 
do that--gasoline has been around a while. It is not like this 
is a new issue. I think we should bring certainty to this. If 
you are going to regulate it, regulate it. If not, you are not. 
I would tend to agree, kind of the explosive definition.
    Mr. Fridley, you had a comment?
    Mr. Fridley. Yes, the only thing I would want to make sure 
is we are very careful with what we are going to change as far 
as Appendix A, whether we are going to take away from or add 
to, percentages, poundage, it could be anything, because any 
minor change could have significant consequences to my 
industry.
    Chairman Johnson. OK. By the way, I agree. This is all 
about bringing certainty.
    Mr. Fridley. Yes, absolutely.
    Chairman Johnson. If we have an Appendix A that can be 
changeable depending on Administration or the administrator or 
regulator, I would say it does not bring a great deal of 
certainty.
    Now, if we develop new chemicals, we learn something new 
about something, but we know what gasoline does. If it is not 
going to be regulated, it should not be on the list. We 
probably ought to take that out, I would think, legislatively.
    Again, you guys hop in here. Otherwise, I will just keep 
going.
    Senator Peters. Let me----
    Chairman Johnson. Just hop in. I want this free-flowing.
    Senator Peters. I should have hopped in on some of the 
whistleblower information. I want to get back to you, Mr. 
Morawetz. The Chairman was asking you about union protections 
for folks who are whistleblowers. It is true if you are in a 
union, you usually have a lot of additional protections, but I 
understand a lot of the companies in this industry are not 
unionized. Is that correct?
    Mr. Morawetz. That is correct.
    Senator Peters. So they would not have those kinds of 
protections----
    Mr. Morawetz. That is correct.
    Senator Peters [continuing]. That you have in a union, so 
that is why we are looking at this broadly as protections to 
make sure we are creating a work environment where when people 
see things that are not right, they know they will not----
    Chairman Johnson. But there are plenty of protections 
within law.
    Senator Peters. Well, yes, but you must have a process that 
makes it a lot easier than saying, well, you are going to get 
fired, you must hire a lawyer, you are going to be out of work 
for a few years. You are going to have to litigate the case. I 
mean, that is not really reasonable for folks. That is still 
going to create an environment that is not conducive to folks 
who are seeing things, particularly workers who are on the 
front lines and are actually engaged in this activity.
    Chairman Johnson. Not to interrupt, but I am going to 
interrupt. You have the exact same thing with the law in CFATS. 
Again, what I am saying is there is already whistleblower 
protection in law. Do we need another layer of whistleblower 
protection in law within a specific program? I am happy to look 
at that.
    Senator Peters. We will talk about it. We have an actual 
process where the person continues to stay in the job, 
continues to work, does not have to----
    Chairman Johnson. And that exists in law. We will figure 
out where that is and work that out.
    Senator Peters. Yes, we had a GAO report titled, 
``Improvements Needed for DHS Chemical Facility Whistleblower 
Report Process.'' There is a long title. And included in the 
DHS response, which was dated back in 2016, the DHS, Mr. 
Harrell, was going to move forward with some of that. Were such 
whistleblower retaliation rules ever issued as a result of that 
GAO report, to your knowledge?
    Mr. Harrell. So DHS has developed a documented process and 
procedure to address and investigate whistleblower retaliation 
reports, and we can share this process with this Committee. 
However, DHS will need to complete rulemaking to fully 
implement the whistleblower retaliation provision.
    We value whistleblower provisions and any program that 
investigates any retaliation claims. However--and this is 
really to Senator Johnson's point. CFATS is focused on anti-
terrorism, facility security, and risk reduction, so this is 
outside of our subject matter expertise.
    So we would like to work with Congress to develop a program 
that meets the needs of industry, facility employees, and, of 
course, the Department.
    Senator Peters. Mr. Harrell, the President's Fiscal Year 
(FY) 2020 budget includes about $18 million in cuts to CFATS. 
If the cut were implemented, how would that impact your 
program?
    Mr. Harrell. So any budget cut, whether you are in the 
private sector or you are in the Federal Government, will 
certainly impact operations. So my job is really to minimize 
those impacts and assure that we do not diminish national 
security or allow foreseeable risks to materialize. So CISA 
will continue to approve facility security plans and conduct 
inspections, although probably at a somewhat reduced rate.
    The good news is, though, we have streamlined many of our 
processes and inspections over the years, and we have matured. 
We have improved training and implemented measures to ensure 
the consistency across the country.
    So, ultimately, at the end of the day, though, we would 
need to curtail some of our inspector training, some of our 
travel, and some of our outreach as some of the low-hanging 
fruit there of how we would curtail.
    Senator Peters. So $18 million is low-hanging fruit?
    Mr. Harrell. No. We will continue the mission. We will 
continue to execute. It will just be somewhat of a slower 
process and a bit reduced other than normal operations.
    Senator Peters. Has the Department's focus on the Southern 
Border impacted any of the CFATS program in any way?
    Mr. Harrell. It has had zero impact.
    Senator Peters. Zero impact. A few weeks ago, a notice went 
out to all CISA employees soliciting volunteers to go to the 
Southern Border. Did any of your personnel volunteer to be 
deployed down to the Southern Border?
    Mr. Harrell. They did, yes. So the Cybersecurity and 
Infrastructure Security Agency had a number of employees 
volunteer, some of which came from the Infrastructure Security 
Division, my division, and so there are some down there now.
    Senator Peters. How many in total?
    Mr. Harrell. I do not have the total number offhand, but we 
have a few down there. But in terms of impact, in terms of that 
operational impact, not doing inspections or slowing the 
process down of approving site security plans, there has been 
none of that.
    Senator Peters. OK. During the February 27 House hearing on 
CFATS, Director David Wulf mentioned that thousands of 
facilities have lowered their tier or have tiered out and are 
no longer considered high risk. I think we should all consider 
that probably a good thing that that happened. It seems to me 
that there are fewer facilities that are high risk.
    So my question for you, Mr. Harrell, is: Has DHS done 
anything to inform facilities still covered by CFATS of lessons 
that were learned from those facilities that now have a lower 
tier or tiered out of the program?
    Mr. Harrell. So we pride ourselves on doing a lot of 
outreach. We are very transparent with some of the things that 
we have done well over the years. And so in terms of going 
around the country and engaging with facilities and engaging 
with trade associations, we are talking about these industry 
best practices and some of these physical security mitigation 
measures that industry has implement over the years.
    So do I have a document to point to? No, not necessarily. 
But there are conversations that are happening on almost a 
daily basis about what good security looks like, and I think we 
have been able to convey that to the industry at large.
    Senator Peters. So you are having informal conversations, 
but it does not sound like there is any systemic way of 
actually compiling data to look at facilities that are at 
reduced risk and then provide some of that data to other 
facilities?
    Mr. Harrell. In terms of data, I think this is probably an 
opportunity for improvement for us.
    Senator Peters. Is that something you will consider going 
forward? Is that something we need to be engaged in here?
    Mr. Harrell. No, indeed. As a matter of fact, it is ongoing 
as we speak now. As we move forward, I think it is incumbent 
upon us as a mature program to push out these industry best 
practices to what reduces risk for not only the regulated 
community but also the non-regulated community as well. The 
30,000 facilities that are out there that we do not necessarily 
touch now, they may not be high risk, but they are not no risk. 
And so there is an opportunity to engage them as to what good 
security looks like and provide that road map.
    Senator Peters. A good security format is that we want to 
reduce the security risk, so it is good to get folks into lower 
tiers. So that should be a focus of your efforts. You would 
agree with that?
    Mr. Harrell. Indeed.
    Senator Peters. That is a good thing.
    Mr. Harrell. Yes.
    Senator Peters. We need to step up those efforts.
    Mr. Harrell. Yes.
    Senator Peters. Great. Thank you.
    Mr. Harrell. Thank you.
    Chairman Johnson. Senator Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks. Sorry to arrive late, and I know 
some other of our colleagues will arrive eventually.
    Senator Tom Coburn and I, I think we were Chair and Ranking 
Member of this Committee when we worked on CFATS 
reauthorization. Actually, it might have been authorization. I 
think it was earlier. It was not actually authorized, but I 
think it was maybe included in an appropriations bill. But we 
worked on it, and we did a pretty good model of bipartisan 
cooperation, which we always like to do, but my recollection is 
that we made a number of changes and improvements to the law in 
order to address, on the one hand, the backlog of inspections 
of the facilities across the country, and also ensure that DHS 
and also the industry being regulated had the kind of certainty 
that they needed in order to make investments in securing 
chemical facilities.
    I would just ask, Mr. Anderson, you are representing GAO. 
Is that correct?
    Mr. Anderson. Yes, sir.
    Senator Carper. And, Mr. Harrell, I understand you are here 
representing DHS. Is that correct?
    Mr. Harrell. Yes, sir.
    Senator Carper. I am going to ask both of you sort of the 
same question. Nobody back 5 years ago thought the law was 
perfect, and the idea is to find out what works, do more of 
that. And if it is not perfect, make it better. So we knew it 
was not perfect, so the idea is to make it better, and my hope 
is that this conversation today will help us to do that.
    In the spirit of if it is not perfect make it better, I 
understand that GAO has issued a number of recommendations to 
DHS regarding improvements to the program. Mr. Anderson, if you 
could just talk a little bit about maybe some of those 
recommendations, and then I am going to ask you, Mr. Harrell, 
if either you or maybe both of you could talk about how DHS has 
responded to those recommendations. And, finally, is there more 
work to be done? And my guess is the answer is probably yes.
    Mr. Anderson, do you want to lead us off?
    Mr. Anderson. Happy to lead off. We have issued 12 
recommendations over the last 7 years. Ten have been 
implemented, and they speak to identifying high-risk 
facilities, better prioritizing them, and then reviewing and 
approving facility site security plans.
    The two areas that we believe are outstanding and do demand 
attention, first is performance measurement. And as I said in 
my opening remarks, this sounds bureaucratic, but it really 
speaks to how the program should exist, how in that risk 
equation of threat, vulnerability, and consequence do we know 
that these security measures that the CFATS program puts in 
place are actually reducing vulnerability? A lot of the big 
facilities, they have a security posture in place where they 
might be high consequence and, therefore, get a real high risk 
rating. But they have already got those security measures in 
place, so it is not the CFATS program that is reducing that 
threat of a terrorist attack. It is some of the smaller ones in 
many cases that maybe, would not have a perimeter fence or 
would not have video surveillance but for the requirements of 
the program.
    In that situation, then perhaps if it is the CFATS program 
coming in and recommending or requiring that security posture, 
there has been a reduction in vulnerability. We feel at GAO 
that that is where the program needs to improve. It is called 
an ``outcome measure.'' What is the outcome of that investment 
in the CFATS program?
    The second area is with information sharing for first 
responders, and that was from our most recent report as well, 
that in many cases the Local Emergency Planning Committees 
(LEPCs), did not have the information or did not have access to 
the information to know what kind of chemicals were present in 
an area when they were responding to an event.
    Senator Carper. Mr. Harrell.
    Mr. Harrell. Thank you, Senator, for the question.
    Senator Carper. Do you agree with anything he said?
    Mr. Harrell. We are very focused on metrics and 
accountability, and we have spent a lot of----
    Senator Carper. I am sorry. Very focused on metrics, did 
you say?
    Mr. Harrell. Metrics, yes. This program has over the last 
number of years really driven, I think, a lot of the physical 
security protective measures within industry. And these 
measures are contributing to risk reduction. Well, now the 
question, the logical question, is: Prove it. Do not tell me 
about it, but show me. Right?
    And so in going forward in coordination with the GAO 
report, we are trying to move our metrics and our 
responsibility toward proving the fact that we have done risk 
reduction. And so we think that comes through engaging with the 
facility and talking about from the moment in which you started 
CFATS and you had just kind of a regular security program, to 
now implementing the measures within CFATS, how has risk been 
reduced? What measures have you put in place that have 
quantitatively reduced risk?
    And so we are trying to take that data, compile it, and 
measure with it, and I think that is one of the new things that 
really should be back to this Committee, is, again, expressing 
the fact that we have done risk reduction.
    Right now we have measured that over the last number of 
years we have had a number of facilities increase their 
security measures by 55 percent, and we are certainly willing 
to kind of walk through that number with this Committee as to 
how we have gotten to that. But we think it is important, 
moving forward, that we measure this, and I think it is a sign 
of a mature program. That is what I am committed to doing.
    Senator Carper. Anybody else want to comment on this 
exchange and what was said or not said? Speak now or forever 
hold your peace.
    Mr. Erny. Maybe I will just say just a few things. 
Information availability, this is an issue that sort of spans 
across multiple statutory authorities and regulatory agencies, 
and with involuntary programs, etc. In fact, DHS, Brian, I do 
not think you mentioned anything about your Internet Protocol 
(IP) Gateway. A great tool that is available today where, 
folks, members of the LEPCs and others can gain access to 
critical information about sites, CFATS sites, and chemicals in 
their community.
    But the thing that I want to stress with this is you have 
to balance the need for information and transparency and 
security, and I think it is always kind of that tough line that 
we are trying to reach as to what is the right balance here. So 
I would just caution everybody when we talk about making more 
information available to more people, the whole issue around 
need to know is really important?
    Senator Carper. OK. Yes, Mister--is it Fridley?
    Mr. Fridley. Yes, sir.
    Senator Carper. Hi, Mr. Fridley.
    Mr. Fridley. Just a little piggyback on Bill's comment. The 
outreach, I think we do as good a job as we can, and obviously 
it has been getting better with the CFATS DHS inspectors' help. 
They do a lot of the coordination for us. They know who are the 
players. We do really big live exercises with different 
agencies. The Federal Bureau of Investigation (FBI), we involve 
the Joint Terrorism Task Forces (JTTF). We involve, you know, 
ATF. We involved Transportation Security Administration 
officers. We do not publicize this nor do they, but we offer up 
our facilities on a regular basis for them to come in to do 
their drills as well as our drills.
    So there is a lot of coordination, I think, that goes out 
that does not necessarily get communicated out. So we are 
dealing with the right people. It is just not publicized.
    Senator Carper. OK. Good. Anyone else?
    Mr. Wright. Yes, thank you, Senator. I want to reiterate 
what Bill is saying. I think it is a balance, and there are 
lots of other statutes and agencies that deal with sharing of 
this type of information. As Senator Johnson said in his 
opening, we need to keep CFATS focused on the terrorism issue. 
There are lots of other statutes, lots of other agencies that 
can do this. I know that my industry, we work very hard--and 
other industries----
    Senator Carper. What is your industry?
    Mr. Wright. I work with the terminals, sir, the storage 
facilities that you see at ports particularly. But we work very 
hard and it is in our interest to see that the local first 
responders know what we have and know how to deal with it. So 
we do that.
    But in the CFATS context, the whole purpose of CFATS is to 
keep information close to the people who are trained to deal 
with it, the people who are committed to keeping it secret, 
because we go through this exercise, and that information about 
dangerous chemicals or vulnerabilities to facilities, we have 
sort of turned the thing on its head. And so, it is very 
critical that we keep--and I think we have done a good job of 
this, and I think certainly DHS has done a good job with this, 
is to keep the information to the number and kinds of people 
with the right training who can deal with it.
    And so if there is a problem, maybe it is another statute, 
maybe it is another agency that ought to be dealing with it. 
But I feel that industry is doing a very good job because it is 
in the industry's interest.
    Chairman Johnson. In other words, you want to keep your 
security plans out of the hands of terrorists.
    Mr. Wright. That is correct.
    Chairman Johnson. Mr. Harrell, you wanted to comment on 
something?
    Mr. Harrell. Yes. Thank you again for the question. So 
information sharing I think is absolutely critical to not only 
the facility but also first responders, and I say this as a 
former law enforcement officer. We need to strike that nice 
balance between getting the information to first responders and 
then also not providing that blueprint for attack. I think that 
is kind of what we all necessarily can agree on up here. But 
CFATS requires facilities currently to make contact with first 
responders during the facility's security planning. This is 
found under Risk-based Performance Standard No. 9.
    So we have made concerted efforts over the last year as a 
response to the GAO audit to engage our Local Emergency 
Planning Committees. As a matter of fact, in 2018 we engaged 
570, which is a pretty significant number. Over the last 5 
years, we have actually engaged every single LEPC that is 
active in the United States. So I think we are doing a very 
good job of engaging those local first responders and providing 
them the things that they need to know so that when things go 
bump in the night or something happens, they have and are armed 
with the information to properly respond.
    Chairman Johnson. I think it was Mr. Anderson's testimony 
that said there was--you did take a look at use of the IP 
Gateway.
    Mr. Anderson. Yes.
    Chairman Johnson. And the local responders had access to 
that? I am highly concerned about having that information 
available, but it is in a secured channel with a properly 
secured gateway. Local responders should be looking at that. 
What is the disconnect here?
    Mr. Anderson. Two data points that may be relevant to the 
discussion here. Thirteen of 15 LEPCs that we spoke with did 
not have access to IP Gateway, so they did not know how to 
navigate it. Put that on one side. Seven of 11 other LEPCs we 
spoke with did not realize they had CFATS-covered facilities in 
their jurisdiction. So part of this is communication, and part 
of this is education. But we did see some pretty big gaps in 
terms of information sharing with first responders as of August 
2018.
    Chairman Johnson. I would think that would be pretty easy 
to take care of. You have how many total CFATS-regulated 
companies? How many thousand?
    Mr. Anderson. High risk, 3,500. Total, 30,000.
    Chairman Johnson. Those 3,500 that DHS just says you have 
to contact your local fire department and make them aware that 
you are there and that here is your secure password into this 
IP Gateway. I would think that would be pretty simple. Again, a 
little lowly plastics manufacturer, our fire department knew 
everything about our operation. So what is happening with local 
law enforcement?
    Mr. O'Brien. Senator Johnson, just to add our perspective 
from the explosives industry, by ATF law we have to engage the 
local fire and first responders. So every facility covered by 
CFATS that is an ATF-regulated facility already has to engage 
local law enforcement and first responders.
    Chairman Johnson. I will kick it over to you, Mr. Harrell. 
Do you have an answer to why law enforcement did not even know 
about the CFATS facilities or why not a one that were surveyed 
had access to the IP Gateway.
    Mr. Harrell. I think we are still very intent on engaging 
local law enforcement, LEPCs. This is an iterative process. 
This is us going and pinging them, constantly talking about our 
tools. Some of them are overtaxed. Some of them are running 
from call to call and do not necessarily have the resources and 
do not necessarily have the full situational awareness that we 
offer these things. I think it is incumbent upon us to engage 
early and often to remind them that we have these tools, and, 
oh, by the way, they are free. And so we are committed to that.
    Chairman Johnson. OK. Again, my experience with, fire 
departments, they are waiting in between fire calls, and this 
is what they do in between that, is they visit different sites 
so they are prepared.
    Mr. Harrell, you talked about operating systems. I am a 
little concerned about hearing you talk about operating 
systems. Can you tell me what you are talking about, CFATS 
program looking at operating systems?
    Mr. Harrell. Sure. The Risk-based Performance Standard No. 
8, which is cybersecurity, if you read the language today it is 
a little bit antiquated. I think there is an opportunity for 
improvement here to revisit that language, refresh it, and 
really focus on today's cybersecurity threats when it comes to 
not only corporate systems but also industrial control systems. 
And so I think we really need to understand the threat, and we 
have seen this threat in terms of industrial control systems 
and, nation-state adversaries trying to exploit this overseas, 
and we do not want that to happen here.
    Chairman Johnson. Cybersecurity is an incredibly complex 
and an unbelievably large issue here. The President's budget 
calls for a reduction and basically calls for it because your 
right-sizing the industry for today's threat. First of all, do 
you agree with that statement of the President's budget?
    Mr. Harrell. Well, so CFATS resides in the Cybersecurity 
and Infrastructure Security Agency----
    Chairman Johnson. I understand, so should cybersecurity and 
looking at operational controls of chemical facilities, do you 
really think that should be within the purview or within the 
jurisdiction of the CFATS program?
    Mr. Harrell. As it currently is written, and I would 
continue this today, that is, there are certain industry best 
practices, things that we should be doing to safeguard our 
systems, having a phishing plan, understanding insider threats, 
doing the basic cyber hygiene that every company should be 
doing. And so, yes, the answer is yes. I think from a risk-
based performance standard we should continue to at a high 
level look at cybersecurity.
    Chairman Johnson. OK. Anybody in industry want to comment 
on that?
    Mr. Fridley. We actually utilize a lot of the resources 
that DHS provides us for our information technology (IT). I am 
not an IT person, but I have put them in contact with our IT.
    Chairman Johnson. That is DHS, that is CISA's 
responsibility, not necessarily CFATS.
    Mr. Fridley. But I am using the CFATS portal to be able to 
make the right contacts. I just do not have the infinite 
knowledge of who is all who, so they definitely play a role in 
that. But we actually work with a lot of things as far as 
looking at pulling certain things off our business network that 
are not core to our business and putting them on separate 
networks, to kind of keep that delineation between the 
different attacks that could happen.
    Chairman Johnson. Using CFATS as your portal to get to the 
experts at CISA in terms of plugging into National Institute of 
Standards and Technology (NIST) standards or whatever, that 
does not bother me. Where I get a little concerned is if all of 
a sudden CFATS is going to set up its own little cybersecurity 
directorate to audit and consult with chemical facilities in 
terms of your operating systems and how to prevent cyber 
attacks. I am questioning that right now.
    Mr. Fridley. We actually get inspected from our cyber 
standpoint from, RBPS 8 that Brian was talking about, and we 
actually had the inspectors come and get with our IT folks to 
kind of go through and do that cleanse.
    Chairman Johnson. Which inspectors?
    Mr. Fridley. The CFATS inspectors.
    Chairman Johnson. On cyber?
    Mr. Fridley. Yes, sir.
    Chairman Johnson. This is different from the roundtable we 
had last year on cyber.
    Mr. Fridley. We have a corporate approach for our cyber, so 
they send their cyber experts to our facility, our 
headquarters, and they did the whole inspection process with 
our director of cybersecurity.
    Chairman Johnson. OK.
    Senator Peters. I will interject. I mean, it is clear, I 
think, Mr. Harrell, you mentioned the attack on a plant now is 
not going to be a truck driving through the gate. It is likely 
to be a cyber attack in some way and that is why cybersecurity 
is an important part of what you do. Is that correct?
    Mr. Harrell. It is, yes, 100 percent.
    Senator Peters. And would all of you agree that we are 
thinking about with CFATS?
    [Witnesses nodding heads.]
    Great. Thank you.
    Mr. Harrell. If you do not mind, sir, one of the things I 
would just add to that is, I would really refrain from looking 
at this through the silos of physical security, cybersecurity, 
and industrial controls. Today we are seeing blended attacks. 
We are seeing that hybrid threat. And so it is incredibly 
important that we look at this from a convergence perspective 
to understand that what happens on the physical side can 
certainly have a cyber implication. And what happens on the 
cyber side can have a physical implication.
    IP-based cameras, access control systems, they are all 
Internet-facing today, and we do not want that to be the enemy 
avenue of approach on the physical security side to get into 
some of the key cyber systems. So I think we need to have a 
full understanding across the entire threat landscape.
    Senator Peters. Everyone agree with that? Any other 
opinions on that?
    Mr. Erny. Maybe I will just add a couple of thoughts. I do 
not disagree with that; for sure there needs to be a focus, a 
cyber-related focus when it comes to the CFATS program. 
However, it needs to be a focused approach to this, and I think 
for the most part, my understanding listening to members, that 
DHS has done that. But there is a continuing concern of this 
thing expanding out. We are looking at things like ransomware 
and some of these other cyber-related issues that we see today. 
Some of this gets blended in with more of sort of what you 
would consider to be sort of a traditional attack on a chemical 
facility through a cyber means.
    I think the one way to look at it and the way we try to 
define it in our membership is: Can a cyber means be used to 
institute a physical release or a physical theft of chemicals 
of interest? And so I would just ask DHS that as long as you 
maintain a focus on cyber as it applies to CFATS, I think that 
is appropriate.
    The one last thing I will say about this issue is we have 
other agencies dipping their toes into cyber. We have the Coast 
Guard getting ready to release some cyber guidance through 
their Navigation and Vessel Inspection Circulars (NVIC) 
process. Customs and Border Protection just added a lot of 
cyber-related, and they are not all the same.
    And so one of the issues here with the companies is just 
getting overwhelmed by all these different agencies----
    Chairman Johnson. That is my concern.
    Mr. Erny [continuing]. Different approaches around 
cybersecurity. That is a real concern.
    Chairman Johnson. It is the concern I am expressing right 
now. Listen, there is no doubt about it that cyber attacks, 
that cybersecurity is a threat to every business particularly 
in this sphere. What you do not want is you do not want every 
one of your alphabet soup agencies with a whole new cyber 
standard and their cyber inspection team and that type of 
thing. I can certainly see every agency being a portal to a 
unified approach how we go about doing this. Now, the unified 
approach may be to an Industry Sector Advisory Committee (ISAC) 
within a particular industry where you try and get like-minded, 
similar types of industries working at the problems because 
they have some similarities there, like the Financial Systemic 
Analysis and Resilience Center (FSARC) or whatever. I have a 
real concern when one program within a larger agency is taking 
the whole cybersecurity issue on its own back and trying to 
develop the processes and the expertise and that type of thing, 
do full audits and, here is the program, this is what you have 
to comply with; if you do not comply with it, here is your 
fine. That is where I start having some real concern. Mr. 
Harrell, if that makes sense to you.
    Mr. Harrell. Actually, it does, and our commitment to you 
is that, we will reduce those redundancies amongst regulation. 
We do not want that same scenario that you just described. And 
so as we go down that road, potentially, the onus is on us to 
ensure that does not happen.
    Chairman Johnson. And you may take that attitude. The 
fellow or gal that follows you may not. Again, I think Congress 
has done a pretty poor job of actually writing law that directs 
these agencies. We write these little frameworks to have the 
agencies go about and become their own little fiefdoms. So as 
we reauthorize this thing, I am going to try and do as best as 
possible to keep CFATS within its little box doing its thing 
and hopefully doing it really well and doing it really 
efficiently and, rewarding the good actors here.
    Senator Peters. I will just say, Mr. Chairman, when you say 
keep it in a box and silos, we have way too many silos right 
now when it comes to this. And when you have cyber, we have to 
be able to break down silos and make sure the communication is 
there to really have a whole-of-society impact so that folks 
from DHS or Coast Guard or wherever are also assisting private 
industry to safeguard assets, too. We have to come together. I 
do not think this is just strictly a regulatory regime. It is 
also a way to incorporate how we use some of the assets that we 
have at the Federal Government to assist you in protecting your 
assets as well against the bad guys that are looking for the 
weakest link to get in. And if we do not do this in a 
comprehensive way, we are not going to be successful. So that 
will put my 2 cents in.
    Chairman Johnson. I am not looking at silos in terms of 
information when we see a threat and, oh, we are just going to 
keep that to ourselves. I am just talking about mission creep 
and having 16 ways on Sunday in terms of this is--no, you have 
to comply with cyber this way, no, you have to--again, you 
mentioned all the alphabet soups, and they are all giving you 
the business, right? Because we all recognize this is a threat, 
we cannot let this, I do not think, cyber to proliferate in 
terms of regulatory regimes. We have to try as best as possible 
unify this.
    OK. One thing, and I think this came across, and it is 
actually pretty pleasing to hear it in the last roundtable, 
there does appear to be a pretty cooperative--and I think Mr. 
O'Brien may disagree with this, but, in general, there seems to 
be a fair level of good cooperation between industry and DHS. 
This seems to be one agency that, by and large, because Mr. 
O'Brien said opportunity to assist voluntarily. Is that pretty 
accurate?
    Mr. Fridley. Yes, sir.
    Chairman Johnson. I know you have your regulator sitting 
right next to you, but----
    Mr. Fridley. He is one down. [Laughter.]
    Chairman Johnson. One down. We kept it arm's length.
    Mr. Wright. Senator, we think so. We think particularly 
after the 2014 changes that we have had a very cooperative 
relationship with DHS. We have been very pleased. But as this 
reauthorization process starts, we have the same concern that 
you have.
    Chairman Johnson. I know. You want clarity on that issue, 
and we will----
    Mr. Wright. Exactly. On our narrow issue I do, but on the 
broader issue, we just do not want to see mission creep here. 
We want this program to remain focused on terrorism.
    Chairman Johnson. OK. Anybody else want to comment? 
Confirm? Deny?
    Mr. Fridley. Yes, I think that, obviously, at Brenntag we 
have probably the most regulated facilities for the CFATS 
program in the country. So, we have a lot of conversations. Any 
questions we have get answered. Any concerns we have, we may 
not like the answer, but we get the answers back. They listen. 
It is a team effort. It is one of the few, obviously, from the 
regulatory agencies that we have that relationship and actually 
think we are being heard and valued.
    Chairman Johnson. OK. Mr. O'Brien?
    Mr. O'Brien. Thank you, Senator.
    Chairman Johnson. Spill your guts. [Laughter.]
    Mr. O'Brien. Actually, this may surprise you, but they have 
been amazingly receptive. The deficiency has been no 
recognition of ATF in their mission and what they do. So that 
is the deficiency. But as an agency, I mean, I have to be fair 
and I have to be honest. They have been approachable. They have 
given answers. But there has been no justification for those 
answers, and that is where we are really falling. Understand--
why are we regulated for safety and security against terrorism 
twice? And we cannot get those answers. But the people who come 
out have been nice, congenial.
    Chairman Johnson. By the way, there is not a good answer 
for it.
    Mr. O'Brien. Might not be.
    Chairman Johnson. Mr. Harrell, do you want to comment?
    Mr. Harrell. Yes, we would love to. The intent really is to 
work with all entities that are subject to compliance. This is 
not a ``gotcha'' regulation. We pride ourselves on the outreach 
and the transparency and the willingness to help facilities 
really across the board.
    The program is designed to give facilities many chances to 
come into compliance. Out of the 3,327 facilities that are 
regulated by CFATS, DHS has only taken five enforcement actions 
on four facilities. One facility was actually fined twice. But 
this represents less than 1 percent of the regulated 
population.
    So, we are committed to--a rising tide lifts all boats. We 
want to have the interaction back and forth. We are very 
flexible, and we want to have the conversation to where, at the 
end of the day, the facility becomes more secure. We are 
committed to that.
    Chairman Johnson. So one of the things I am a big believer 
in--I was not always when running a small business, then I got 
bought by a bigger business, and I had to create one, when I 
really found out the real value of developing a mission 
statement. I asked staff, do we have a mission statement? Is it 
anywhere in law? And there really is not one for this. So I 
would recommend as we reauthorize this stuff to develop a 
mission statement. If we need to clearly define some of these 
things, we should do it. Let us take the opportunity right now, 
let us lay out that mission statement. Let us try and get--
because we have this cooperation and coordination. Let us get 
agreement within the industry this is what--everybody wants 
this reauthorized. Fine. Under what mission statement? And if 
we do a good job writing it--I am not talking about multiple 
paragraphs, multiple sentences. I am talking about something 
pretty simple. The simpler, the better. Then if we need to look 
at some of these definitions of what a risky chemical is, a 
liquid that is flammable but explodable, and just try and get 
some definition to bring everybody a little bit better clarity 
of what CFATS is all about, the regulators combined with the 
regulated, then I think we will have done a pretty good job as 
we reauthorize this thing.
    So let us bring clarity to this thing, let us bring 
certainty to the business, while at the same time accomplishing 
what I consider is the primary goal here. Let us make sure we 
keep chemicals out of the hands of terrorists and do not let 
them fall into the wrong hands to be used for terrorist-type 
events.
    Again, I think it ought to be pretty simple to do these 
things, so let us work together on that.
    I will give everybody an opportunity. We will start with 
Mr. Morawetz, and if you have any comments that you cannot wait 
to get out?
    Mr. Morawetz. Besides my written statement, I would just 
reiterate that we are a stakeholder like everybody else at this 
table and this room. We think that we should be included in it. 
Without that, I think you are losing a lot from it. In 
particular, I agree about where the focus is, which is Appendix 
A, Chemicals, and that they are extremely hazardous substances. 
And we are only dealing with it in the realm of anti-terrorism, 
but there is a lot that could be done on it.
    Chairman Johnson. By the way, Mr. Morawetz. It is 
interesting. When I was running a manufacturing plant, if I 
wanted to get answers, I did not go to management. I went to 
people on the plant floor. So you are absolutely right. They 
are the ones that are actually implementing. Any smart 
management, any smart regulator is going to get input from the 
people that are actually doing the work on the shop floor. So 
we are in complete agreement from that standpoint.
    Mr. Morawetz. And my guess is most of the people at this 
table involve their workforce.
    Chairman Johnson. Mr. Wright.
    Mr. Wright. Senator, just thank you for this opportunity. 
As I say, we have a very specific issue, and we want Congress 
to exercise some oversight and to help give us some relief for 
what we consider to be a rather narrow problem. But beyond 
that, we are very supportive of CFATS and very supportive of 
the program, and we look forward to working with you as we get 
into the reauthorization language. And thank you very much for 
your comments today.
    Chairman Johnson. Mr. Erny.
    Mr. Erny. I would just say a few things. I like the focus 
and the attention that you are bringing to this issue. We stand 
ready to help and support the Committee as needed. I think one 
of the more important things here is to make sure that we keep 
CFATS focused on anti-terrorism and chemical security, and I 
would be very concerned with any wandering away into some other 
areas.
    Anyway, I look forward to working with your Committee.
    Chairman Johnson. As a homework assignment, I would not be 
opposed to each of you writing up a no-more-than-two-sentence 
mission statement. I would be really interested in seeing 
something like that. If you have to go longer, I am just going 
to ignore it. No, I am just kidding. I think these things are 
best when they are really focused. I have seen mission 
statements that run on three pages. That is really not being 
succinct enough. Mr. O'Brien.
    Mr. O'Brien. Thank you, Senator Johnson, for the 
opportunity to be here. A side note. My kids were thrilled that 
I actually was participating with a Senator. They had no idea 
things like this happened in----
    Chairman Johnson. Not that big a deal. [Laughter.]
    Mr. O'Brien. I said, boy, when my kids think it is a big 
deal, it must be a big deal. Daddy did something good.
    I appreciate the opportunity. It still confuses us why a 
group that is already regulated for safety and security against 
terrorism is falling under the CFATS program. It is the most 
obvious duplicative regulation we can see out there. When you 
look around, we cannot find another one that is as obvious as 
this. We still would love answers as to why we are continuing 
to be in this, because we have done our metrics. We do not see 
the benefit for security that DHS is claiming. We do not know 
where they are getting those metrics from.
    So the continued ask is please look at us as a regulated 
community and look for that justification. If you are opening 
up the thing as to what ought to change? We are easy, double-
regulation group.
    Chairman Johnson. Well, as you are aware, I fixed that last 
time, so you understand where I stand on that.
    Mr. O'Brien. We appreciate your efforts, Senator.
    Chairman Johnson. Mr. Fridley.
    Mr. Fridley. Yes. With over 100 CFATS-regulated facilities, 
we are looking to invest quite a bit of capital, and we are 
just looking for certainty on reauthorization. So we look 
forward to working with you, Ranking Member Peters, and both 
your staffs on this regulation and get the reauthorization.
    Chairman Johnson. I actually have a question for Mr. 
Anderson, because I think what you are asking for, a metric 
reduction vulnerability, I just think it is unanswerable and 
immeasurable. So how do you do that? Or let us put it this way: 
very difficult to.
    Mr. Anderson. There are other analogs in Federal space, and 
I will point to the Coast Guard and to their MTSA and how they 
regulate and measure the effects of--I should say measure the 
effects of their efforts, for example, at port chemical 
facilities. It is called the ``Maritime Security Risk Analysis 
Model (MSRAM),'' and to unpack that a little bit, what they 
will do is they will go in and, based on that initial security 
vulnerability assessment, there will be a baseline of the 
security posture. And then after additional measures are put in 
place, even if it is somewhat back of the hand, say they have 
gone from a five in terms of vulnerability to a terrorist 
attack to a two, based on some perhaps subjective measure, but 
there is usually alignment between some of those numerics and a 
given security posture. Then you are getting a better 
understanding for how much has vulnerability reduced as a 
function of these requirements. Otherwise, you and other 
decisionmakers who are in a position to evaluate this program 
do not have the information necessary to determine whether the 
benefit is worth the cost.
    Chairman Johnson. OK. You have answered my question. I 
understand what you are talking about. I think part of the 
problem for DHS on that is if they have already brought people 
up to a standard--the good metrics have already been achieved, 
hopefully. Now what else are you going to measure? So, you are 
here. Without further mission creep, without saying, ``well, 
because we have to improve our metrics now, OK, you met this 
standard.'' It is like in my business, it is OK, you have the 
one part per billion. Hey, how about two parts per trillion? 
Because now we can measure it. Which, by the way, is exactly 
what is happening in industry as we get an ability to measure 
with more precision. It has gone from parts per million to 
parts per billion. Now I am reading things like parts per 
billion in terms of purity. Again, I am a little concerned 
about a metric like that at this level at this point in time 
after people have already been certified. How would they 
actually have an improved metric if you have already got people 
at a certification level?
    Mr. Harrell, are you providing any scores on that? Is there 
any score right now in terms of facilities other than tier 
level?
    Mr. Harrell. There is. As a matter of fact, we are focused 
on from when you enter the program and your current State of 
security program to where you finally come into compliance and 
you have added some of these physical security protective 
measures in place. What is that score? What is that risk 
reduction? And we have been able to measure that, and we are 
happy to supply----
    Chairman Johnson. Isn't it just for GAO's purposes, just a 
matter of accumulating all that data on 3,500 companies?
    Mr. Harrell. I believe it is.
    Mr. Anderson. I would say there is a little bit of the 
devil is in the details. The information that we have gotten 
from DHS is on risk, writ large. We are talking about the 
vulnerability variable between threat plus vulnerability plus 
consequence. So you could reduce risk by, reducing consequence. 
Or you could better measure risk or have a risk score based on 
a high-consequence event. But it is really vulnerability that 
we are after here. We are trying to reduce the vulnerability of 
facilities to a terrorist attack. That needs to be measured. 
There are analogs in Federal space. While it is difficult, 
other mature programs have gotten there, and I would be happy 
to unpack the MSRAM model for DHS.
    Chairman Johnson. I would like to keep talking--let me 
throw one out. How would you measure this one? After 9/11, I 
think the most significant security measure we took is we 
hardened the cockpits. How do you put a score on that? I think 
it dramatically increased security in our airspace. But how 
would you ever measure that? Other than we did it. This was 
obvious. Just kind of like meeting the standards of what CFATS 
certification is, you have done it. So we will have this--we do 
need to have this conversation because I am just not quite 
getting measurement. I do want these agencies to concentrate on 
actually certifying and responding and cooperating with the 
agencies to make things safe as opposed to spending a lot of 
time measuring the unanswerable. So you have to do a little 
more convincing, at least to me.
    Mr. Anderson. I am happy to, and I do have more to say, but 
I am thinking the conversation is pivoting away from this at 
the moment.
    Chairman Johnson. Well, we should probably do this in my 
conference room or whatever with staff. Because, I am 
intrigued. That is why I am asking the question. I am an 
accountant. I love data. I like to measure things. But 
sometimes, again----
    Mr. Anderson. But it also underscores your point. It does 
underscore that perhaps the program needs to change. If you 
have gotten to this high baseline already for a given security 
posture, then maybe you argue at that point that the hard work 
has been done. Now the program needs to shift from one of 
checking internal controls.
    Chairman Johnson. Mr. Harrell, do you have anything just 
burning----
    Mr. Harrell. Just our commitment to evolving the program, 
not only with you but this Committee. We recognize that the 
program should be focused on risk reduction and active 
intelligence. The threat has evolved, and so should we. And we 
are committed to this body, the industry, and, we want to be a 
partner in a long-term policy solution.
    Chairman Johnson. OK. Well, let me underscore how important 
it is that you maintain the attitude you have right now with 
the people you are regulating that you have been cooperative. I 
think that is pretty rare in the Federal Government, so I am 
glad to be conducting the oversight over a program and agency 
that has that type of seal of approval from your regulator, 
those that you regulate. It is a real feather in the cap to all 
your personnel, so thank them personally from me.
    Mr. Harrell. Yes, sir, I will.
    Chairman Johnson. Make sure you maintain it. That should be 
a prime goal of the organization, is to maintain that level of 
cooperation that is in reality that you really are cooperating.
    One suggestion for doing that is listening. Where you have 
duplication like ATF, support a reform that in a way does not 
jeopardize national security, and helps reduce the regulatory 
burden. Those businesses that have International Organization 
for Standardization (ISO) certification or, other regulatory 
agencies that are keeping you up to snuff, they have already 
met your certification and potentially surpassed it, reward 
them with less of a regulatory burden. I think that not only 
would demonstrate that you have an attitude toward cooperation, 
but in the end you will actually modify things based on the 
reality and you will continue to cooperate with the industries 
that you regulate.
    Again, hats off to you and everybody within the CFATS 
program for, first of all, creating that atmosphere where you 
really do have people that appreciate the fact you have that 
cooperation and just lay that in as just an ongoing culture 
within your agency.
    Mr. Harrell. Thank you.
    Chairman Johnson. Anybody have any last thoughts based on 
that?
    [No response.]
    Speak now, or you have to do it in the conference room 
later. [Laughter.]
    This hearing record will remain open for 15 days until June 
19 at 5 p.m. for the submission of statements and questions for 
the record. This hearing is adjourned.
    [Whereupon, at 4 p.m., the Committee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]