[Senate Report 113-263]
[From the U.S. Government Publishing Office]


113th Congress  }                                            {   Report
  2nd Session   }             SENATE                         {  113-263
_______________________________________________________________________

                                                       Calendar No. 578
 
                  CHEMICAL FACILITIES ANTI-TERRORISM 

     STANDARDS PROGRAM AUTHORIZATION AND ACCOUNTABILITY ACT OF 2014 

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                               H.R. 4007

   TO RECODIFY AND REAUTHORIZE THE CHEMICAL FACILITY ANTI-TERRORISM 
                           STANDARDS PROGRAM

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


               September 18, 2014.--Ordered to be printed
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                  THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan                 TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           ROB PORTMAN, Ohio
JON TESTER, Montana                  RAND PAUL, Kentucky
MARK BEGICH, Alaska                  MICHAEL B. ENZI, Wyoming
TAMMY BALDWIN, Wisconsin             KELLY AYOTTE, New Hampshire
HEIDI HEITKAMP, North Dakota

                  Gabrielle A. Batkin, Staff Director
               John P. Kilvington, Deputy Staff Director
                    Mary Beth Schultz, Chief Counsel
           John G. Collins, Senior Professional Staff Member
           Jason M. Yanussi, Senior Professional Staff Member
                  Abigail A. Shenkle, Legislative Aide
               Keith B. Ashdown, Minority Staff Director
         Christopher J. Barkley, Minority Deputy Staff Director
               Andrew C. Dockham, Minority Chief Counsel
          William H.W. McKenna, Minority Investigative Counsel
                     Laura W. Kilbride, Chief Clerk
                                                       Calendar No. 578

113th Congress  }                                            {   Report
  2d Session    }                 SENATE                     {  113-263

=======================================================================


CHEMICAL FACILITIES ANTI-TERRORISM STANDARDS PROGRAM AUTHORIZATION AND 
                       ACCOUNTABILITY ACT OF 2014

                                _______
                                

               September 18, 2014.--Ordered to be printed

                                _______
                                

 Mr. Carper, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                        [To accompany H.R. 4007]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (H.R. 4007) to recodify 
and reauthorize the Chemical Facility Anti-Terrorism Standards 
Program, having considered the same, reports favorably thereon 
with an amendment in the nature of a substitute and recommends 
that the bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and Need for the Legislation..........................2
III. Legislative History.............................................14
 IV. Section-by-Section Analysis of the Bill, as Reported............15
  V. Evaluation of Regulatory Impact.................................20
 VI. Congressional Budget Office Estimate............................20
VII. Changes in Existing Law Made by the Bill, as Reported...........22

                         I. Purpose and Summary

    H.R. 4007, the Protecting and Securing Chemical Facilities 
from Terrorist Attacks Act of 2014, as amended by the 
Committee's substitute amendment reauthorizes the Chemical 
Facility Anti-Terrorism Standards program (CFATS) of the 
Department of Homeland Security. The CFATS program is designed 
to help ensure that high-risk chemical facilities are secure 
from terrorist attack or sabotage. Facilities that make or use 
certain chemicals have been identified as a significant 
security concern and one that continues to warrant a dedicated 
security program at the federal level. The Committee substitute 
reauthorizes the CFATS program for four years, while at the 
same time mandating specific changes in response to concerns 
raised about that program by both stakeholders and overseers. 
Specifically, the bill directs DHS to identify high-risk 
facilities through the use of specific risk criteria and 
requires DHS to use risk-based performance standards for high-
risk facilities to meet. The facilities, for their part, submit 
security plans laying out how they plan to meet the performance 
standards, and DHS reviews and approves the plans and then 
follows up with in-person inspections of the facilities to 
ensure compliance.

                II. Background and Need for Legislation

    Chemicals are a ubiquitous part of modern life, forming 
indispensable parts of a vast number of products from the 
mundane to the complex. Thousands of facilities across the 
country produce and store chemicals, some of which could pose a 
significant threat to human health or safety if released or 
misused. Certain chemicals, if released into the water or air, 
pose a direct threat to the health or life of those in nearby 
communities. Other chemicals can explode if abused or 
mishandled posing a significant threat to the surrounding 
communities or, if the chemicals are stolen and smuggled, to 
other communities as well. Chemical facilities--places that 
produce, store or use significant quantities of certain 
chemicals--therefore offer attractive targets for terrorists 
because of the large scale damage and loss of life that can 
occur through a direct attack on a facility or the 
misappropriation of the chemicals they produce or store. While 
many of these chemicals are already regulated under various 
environmental or worker safety statutes, those regulations 
typically focus on the possibility of an accidental release or 
misuse rather than a deliberate effort to exploit the chemicals 
to inflict harm.
    To protect against this security risk, in the fall of 2006, 
Congress authorized the Department of Homeland Security (DHS) 
to determine which chemical facilities present a high level of 
security risk, establish risk-based performance standards for 
securing those high-risk facilities, and enforce regulations 
designed to ensure facilities posing the highest risk are 
meeting those standards.\1\ In response, DHS established the 
Chemical Facility Anti-Terrorism Standards (CFATS) program. The 
statute establishing the CFATS program included a three-year 
sunset for DHS's authority, creating initial authority for the 
program but ensuring that the effectiveness of the approach 
outlined in the bill could be evaluated, and other measures 
considered, relatively soon after the program's inception.\2\ 
Since then, Congress has passed several short-term extensions, 
only once making a change to the CFATS program despite 
Congress' desire to monitor implementation of the program 
closely.\3\ With the Department's current authority set to 
expire on October 4, 2014, the Committee voted to extend the 
chemical security program with a longer-term authorization 
while also addressing identified weaknesses in the program.
---------------------------------------------------------------------------
    \1\See P.L. 109-295, Department of Homeland Security Appropriations 
Act of 2007, Sec. 550.
    \2\See 152 Cong. Rec. S10351 (September 28, 2006) (Statement of 
Senator Collins), at http://www.gpo.gov/fdsys/pkg/CREC-2006-09-28/pdf/
CREC-2006-09-28.pdf.
    \3\Sec. 534(h) of P.L. 110-161, the Department of Homeland Security 
Appropriations Act of 2008, which allowed states and political 
subdivisions thereof to adopt laws regulating chemical facilities, as 
long as they were at least as stringent as CFATS. Since this change 
amended the authorizing language for the program, it was carried 
forward in subsequent short-term extensions of the program.
---------------------------------------------------------------------------
    The original 2006 authorization--which has been extended 
repeatedly on various appropriations bills or spending 
resolutions--directed DHS to develop a security program for 
high-risk chemical facilities that would rely on performance 
standards rather than specific, prescriptive measures. It also 
exempted certain facilities already subject to other regulatory 
regimes aimed at ensuring the security of their facilities, 
such as facilities owned or operated by the Departments of 
Defense or Energy, facilities already regulated under the 
Maritime Transportation Security Act of 2002 or by the Nuclear 
Regulatory Commission, and water and wastewater treatment 
facilities.
    DHS developed the core features of the CFATS program in 
interim regulations issued in spring 2007. To determine which 
facilities face regulation under the program, DHS developed a 
list of 322 ``chemicals of interest.'' All non-exempt 
facilities possessing any of the 322 ``chemicals of interest'' 
beyond specified threshold amounts must fill out a 
questionnaire known as a ``Top-Screen.'' DHS uses the completed 
Top-Screens to determine whether a facility poses a high 
security risk such that it should be covered by the risk-based 
performance standards. If DHS finds the facility to be ``high-
risk,'' the facility is covered by CFATS and must submit and 
comply with a security plan that meets the risk-based 
performance standards; those not determined to be high-risk 
face no further regulatory obligations under CFATS. DHS then 
assigns high-risk facilities to one of four risk-based tiers, 
with progressively stricter requirements for those in the 
highest risk tiers. Tier 1 facilities are the highest risk 
facilities; Tier 4 includes the lowest group of high-risk 
facilities.
    As of August 1, 2014, more than 48,000 facilities with 
chemicals of interest had submitted Top-Screens to DHS. From 
those submissions, DHS categorized approximately 3,986 
facilities as high-risk, triggering some level of regulation 
under CFATS.\4\ As of April 2014,\5\ 121 facilities had been 
preliminarily assigned\6\ to Tier 1; 382 had been assigned to 
Tier 2; 1,088 had been assigned to Tier 3; and 2,542 had been 
assigned to Tier 4.\7\
---------------------------------------------------------------------------
    \4\See Department of Homeland Security, CFATS Update August 2014 at 
http://www.dhs.gov/sites/default/files/publications/
CFATS%20FS_August2014.pdf.
    \5\The number of chemical facilities covered under the program is 
variously quoted in this report as between 3,986 and 4,100. This 
fluctuation is due to the fact that chemical facilities can reduce or 
remove their holdings of chemicals in order to tier out of the program, 
so the number of covered facilities is dynamic based on facilities' 
decision to ``tier out'' of the program. See ``Charting a Path Forward 
for the Chemical Facilities Anti-Terrorism Standards Program,'' hearing 
before the Senate Committee on Homeland Security and Governmental 
Affairs, 113th Cong. 3 (May 14, 2014) (Written testimony of Suzanne 
Spaulding, Under Secretary, and Director David Wulf, National 
Protection and Programs Directorate, Department of Homeland Security).
    \6\These figures refer to preliminary tier assignments from the 
Department based on facility submission of a Top-Screen. Final tier 
assignment occurs after facilities submit Security Vulnerability 
Assessments; the Department then reviews these assessments to identify 
which facilities should be assigned to a high-risk tier under CFATS.
    \7\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. 3 (May 14, 
2014) (Written testimony of Suzanne Spaulding, Under Secretary, and 
Director David Wulf, National Protection and Programs Directorate, 
Department of Homeland Security).
---------------------------------------------------------------------------
    Facilities deemed high-risk by the Department generally 
must develop an effective security plan, submit the plan to DHS 
for review, and implement their security plan. The security 
standards required under the CFATS program are performance 
based, rather than prescriptive. This means that the Department 
does not prescribe specific measures that must be taken by all 
facilities; instead, the manner in which a facility chooses to 
address its security vulnerabilities, although subject to 
approval by the Secretary, is developed by the facility 
owner.\8\
---------------------------------------------------------------------------
    \8\``A performance standard specifies the outcome required, but 
leaves the specific measures to achieve that outcome up to the 
discretion of the regulated entity. In contrast to a design standard or 
a technology-based standard that specifies exactly how to achieve 
compliance, a performance standard sets a goal and lets each regulated 
entity decide how to meet it.'' See Department of Homeland Security, 
Risk-Based Performance Standards Guidelines, Chemical Facility Anti-
Terrorism Standards, May 2009 at http://www.dhs.gov/xlibrary/assets/
chemsec_cfats_riskbased_performance_standards.pdf, quoting Cary 
Coglianese et al., Performance-Based Regulation: Prospects and 
Limitations in Health, Safety, and Environmental Protection, 55 Admin. 
L. Rev. 705, 706-07 (2003).
---------------------------------------------------------------------------
    For example, facilities need to secure some chemicals from 
theft or diversion. They can do this through various inventory 
controls or physical measures (for example walls or locked 
doors). It is worth noting that facilities that receive an 
initial high-risk determination can resubmit their information 
and ``tier out''--remove themselves from further regulation--if 
they adjust their operations in a way that removes them from 
the high-risk category. According to DHS officials, to date 
over 3,000 facilities possessing chemicals of interest have 
``voluntarily removed, reduced, or modified their holdings of 
chemicals of interest.''\9\
---------------------------------------------------------------------------
    \9\See Department of Homeland Security, CFATS Update August 2014 at 
http://www.dhs.gov/sites/default/files/publications/
CFATS%20FS_August2014.pdf.
---------------------------------------------------------------------------
    Under current procedures, following assignment of a final 
risk tier by the Department, but prior to approving a facility, 
DHS conducts an authorization inspection of the facility. An 
authorization inspection consists of an initial, physical 
review of the facility to determine if the Top-Screen, security 
vulnerability assessment, and facility security plan accurately 
represent and address the risks for the facility. Because the 
program requires performance-based standards to mitigate risk, 
facilities and the Department frequently discuss planned or 
alternative mitigation measures before a plan is approved. 
While this helps ensure facilities use both effective and cost-
effective measures, it can and frequently has delayed progress 
within the program. Once the Department approves the covered 
facility's security plan, the facility may begin implementing 
the plan. The Department maintains the authority to conduct 
subsequent compliance inspections to ensure facilities continue 
to meet the requirements of the security plan and the program.
    The implementation of the CFATS program has improved 
security of chemical facilities and the safety and security of 
communities located near the chemical facilities by throwing a 
spotlight on security, though the Committee acknowledges 
management challenges in the program have limited its 
effectiveness. Under the program, chemical facilities have 
systematically assessed security risks and invested in measures 
to mitigate those risks. This has led many companies to take 
measures to reduce risk in order to ``tier out'' of the 
program. Again, since the program's inception, 3,000 facilities 
have reduced risk at their facilities enough to ``tier out'' of 
the program, either by reducing, eliminating, or modifying 
their stores of chemicals.\10\ The fact that 3,000 facilities 
have tiered out is significant given that only 4,000 facilities 
are assigned to a risk tier under the program.\11\ Other 
chemical facilities have begun to install security measures as 
part of or in anticipation of security reviews by DHS under the 
program. The CFATS requirements work to level the playing field 
to allow companies to invest in security measures without 
facing a competitive disadvantage. Just as importantly, through 
the program the government has received information to allow it 
to for the first time develop a roadmap of the facilities in 
communities nationwide that pose security risks and warrant 
attention. DHS officials have testified that ``interagency 
partners have benefited from this information as it has 
enhanced law enforcement cooperation with high-risk chemical 
facilities.''\12\
---------------------------------------------------------------------------
    \10\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. 2 (May 14, 
2014) (Written testimony of Suzanne Spaulding, Under Secretary, and 
Director David Wulf, National Protection and Programs Directorate, 
Department of Homeland Security).
    \11\See Department of Homeland Security, CFATS Update August 2014 
at http://www.dhs.gov/sites/default/files/publications/
CFATS%20FS_August2014.pdf.
    \12\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. 1 (May 14, 
2014) (Written testimony of Suzanne Spaulding, Under Secretary, and 
Director David Wulf, National Protection and Programs Directorate, 
Department of Homeland Security).
---------------------------------------------------------------------------
    Yet the program has not been without its shortcomings. It 
has suffered for lack of a long-term authorization that would 
allow administrators to engage in meaningful and efficient 
programmatic planning, and require industry to invest in 
security measures.
    Just as importantly, internal and external reviews have 
revealed problems with the design, implementation, and 
administration of the CFATS program.\13\ These include human 
capital issues,\14\ a considerable backlog of facility security 
plan reviews and compliance inspections,\15\ and a flawed risk 
assessment methodology.\16\ In 2011, an internal management 
memorandum detailed significant mismanagement in the program, 
including buying unneeded equipment and vehicles and hiring 
ill-qualified workers. The memo also raised serious questions 
about whether facilities were being tiered correctly.\17\ An 
April 2013 GAO report looked at DHS's implementation of the 
program from roughly 2011 to 2013.\18\ The report raised 
several concerns with the program, most importantly that there 
was a need for DHS to improve its process of assessing the risk 
posed by a facility by including economic consequence among the 
risk factors, and that DHS was behind in reviewing site 
security plans and inspecting facilities to verify compliance. 
Following an explosion at a facility in West, Texas in 2013 
that never complied with its obligation to submit a Top-Screen 
despite having two chemicals of interest on site over the 
regulatory thresholds, GAO also recommended that DHS focus on 
finding and subjecting to regulation other facilities that had 
thus far ignored the mandate to report their existence to 
DHS.\19\
---------------------------------------------------------------------------
    \13\E.g., Sen. Tom Coburn, Ranking Member, Homeland Security & 
Government Affairs Committee, Chemical Insecurity: An Assessment of 
Efforts to Secure the Nation's Chemical Facilities from Terrorist 
Threats (2014), at http://www.coburn.senate.gov/public/index.cfm/2014/
7/federal-chemical-security-program-in-shambles-new-report-says.
    \14\See Government Accountability Office (GAO), DHS is Taking 
Action to Better Manage Its Chemical Security Program, but It Is Too 
Early to Assess Results, (GAO-12-515T), July 26, 2012, at 9.
    \15\See Department of Homeland Security Office of the Inspector 
General (DHS OIG), Effectiveness of the Infrastructure Security 
Compliance Division's Management Practices to Implement the Chemical 
Facility Anti-Terrorism Standards Program, (Report Number OIG-13-55), 
March 2013 at 17, 19-20, and 22; and Government Accountability Office 
(GAO), Critical Infrastructure Protection: DHS Efforts to Assess 
Chemical Security Risk and Gather Feedback on Facility Outreach Can Be 
Strengthened, (GAO-13-353), April 2013 at 18.
    \16\Id at 9-15.
    \17\Memorandum from Penny Anderson, Director, Infrastructure 
Security Compliance Division, Office of lnfrastructure Protection and 
David WuIf, Deputy Director to NPPD Undersecretary, Rand Beers: 
``Challenges Facing ISCD, and the Path Forward.'' November 10, 2011.
    \18\See Government Accountability Office (GAO), Critical 
Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk 
and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13-
353), April 2013 at 4.
    \19\Id.
---------------------------------------------------------------------------
    Since the 2011 memo, DHS's Infrastructure Security 
Compliance Division (ISCD), which manages the CFATS program, 
has taken steps to address some of these concerns. Among other 
things, DHS officials improved policies and training to ensure 
that inspections are conducted in a consistent and thorough 
fashion; implemented an improved, streamlined Site Security 
Plan (SSP) review process, which has enhanced ISCD's ability to 
authorize and, as appropriate, approve security plans; and 
conducted an extensive three-part review of CFATS's risk 
assessment methodology, including a peer review, which is now 
being partially implemented.
    This legislation is designed to address the challenges that 
have been identified, codify the improvements DHS has already 
begun making, and authorize additional steps DHS should take to 
make the program more effective.

          HIGHLIGHTS OF H.R. 4007, AS AMENDED BY THE COMMITTEE

    H.R. 4007, as amended by the Committee's substitute 
amendment, reauthorizes the Department's CFATS program for a 
period of four years, providing much-needed programmatic 
stability and certainty for both the Department and regulated 
facilities. It achieves this by codifying reforms, 
strengthening management practices and whistleblower 
protections, simplifying facility reporting and information 
sharing practices, and authorizing a new expedited approval 
program for lower high-risk facilities to help reduce the 
backlog of unapproved facility security plans. Specifically, 
the substitute amendment to H.R. 4007\20\ would:
---------------------------------------------------------------------------
    \20\The legislation referred to in the body of this section is the 
Carper-Coburn substitute amendment to H.R. 4007 as reported by the 
Committee. The main differences between H.R. 4007 as reported by this 
Committee and the legislation by the same name passed in the House 
include strengthened whistleblower protections, the establishment of an 
expedited approval program, changes to the Personnel Surety Program, 
and a four-year authorization. For a full description of the underlying 
bill, see H.R., Rep. No. 113-491, Pt. 1 (2014).
---------------------------------------------------------------------------
    1. Authorize the program for a period of four years (the 
House-reported version of H.R. 4007 authorized the program for 
three years).
    2. Permit the submission of simplified facility security 
plans through an alternative security program to facilitate 
compliance for small businesses and reduce the backlog of plan 
approvals at the Department.
    3. Create an expedited approval program to enable 
facilities in the third and fourth risk tiers to implement 
security plans more quickly, without compromising the 
Department's ability to ensure they meet the program's security 
standards.
    4. Streamline the requirement for facilities to seek 
background checks on those with access to the facilities by 
allowing facilities to meet the requirement in more than just 
one way.
    5. Direct the Secretary to develop an implementation plan 
for outreach to chemical facilities with regulated amounts of 
chemicals of interest that have not submitted the required Top-
Screen, in order to reduce the number of facilities not 
compliant with CFATS.
    6. Appropriately strengthen whistleblower protections by 
requiring the Secretary to establish a reporting process and 
prohibiting retaliation against whistleblowers.
    7. Ensure that sensitive security information provided by 
chemical facilities is protected and shared with first 
responders in a secure and responsible manner.
    8. Ensure DHS is regularly reviewing and updating its risk 
assessment model.
    9. Require DHS to provide Congress key metrics for better 
oversight of program performance.

Four-year authorization

    The Committee substitute to H.R. 4007 will provide 
stability and predictability for both DHS and regulated 
facilities by providing a longer-term authorization than the 
CFATS program has had before now. Up until now, Congress has 
authorized the program via language in Appropriations bills, 
limping from year to year and sometimes month to month.\21\ The 
four-year authorization will provide industry stakeholders with 
the certainty they need to invest in CFATS compliance 
measures.\22\ At the Committee hearing in May, a witness 
representing Dow Chemical noted that:

    \21\See Pub. L. 109-295, title V, Sec. 550, Oct. 4, 2006, 120 Stat. 
1388, as amended by Pub. L. 110-161, div. E, title V, Sec. 534, Dec. 
26, 2007, 121 Stat. 2075; Pub. L. 111-83, title V, Sec. 550, Oct. 28, 
2009, 123 Stat. 2177; Pub. L. 112-10, div. B, title VI, Sec. 1650, Apr. 
15, 2011, 125 Stat. 146; Pub. L. 112-74, div. D, title V, Sec. 540, 
Dec. 23, 2011, 125 Stat. 976; Pub. L. 113-6, div. D, title V, Sec. 537, 
Mar. 26, 2013, 127 Stat. 373; and Pub. L. 113-76, div. F, title V, 
Sec. 536, Jan. 17, 2014, 128 Stat. 275.
    \22\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. 1 (May 14, 
2014) (Written testimony of Suzanne Spaulding, Under Secretary, and 
Director David Wulf, National Protection and Programs Directorate, 
Department of Homeland Security).

          Three years is the minimum to really match up with 
        the capital planning process for industry. If you tell 
        me today I have got to go do something, I will get the 
        money next year and probably finish the project the 
        year after that . . . Three is good, four is 
        better.\23\
---------------------------------------------------------------------------
    \23\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) 
(Testimony of Timothy J. Scott on behalf of Dow Chemical Company and 
the American Chemistry Council).

    Likewise, representatives from the Department of Homeland 
Security have noted that long-term Congressional authorization 
is needed in order to cement the Department's enforcement 
authorities and eliminate confusion regarding authority for the 
program. For example, during the government shutdown in October 
2013, Infrastructure Security Compliance Division staff were 
furloughed and the CFATS program effectively ceased to exist 
because the Department's authority to manage the program also 
expired.\24\ DHS officials have noted the importance of a long-
term authorization in order to convey clearly the intent of 
Congress, and the Department, to maintain a robust chemical 
facility security program--an intent that the series of short-
term extensions simply could not convey.\25\ The Committee 
believes that a four-year authorization allows the greatest 
programmatic stability, affording the Department the ability to 
hire qualified personnel, while requiring chemical facilities 
to invest in required security measures.
---------------------------------------------------------------------------
    \24\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) 
(Testimony of David Wulf, Director, National Protection and Programs 
Directorate, Department of Homeland Security).
    \25\Id.
---------------------------------------------------------------------------
    Director David Wulf, of the Infrastructure Security 
Compliance Division of the Department, testified that a longer-
term or permanent authorization would enable the Department to 
recruit and retain talent, while continuing efforts to improve 
the CFATS program.\26\
---------------------------------------------------------------------------
    \26\Id.
---------------------------------------------------------------------------
    Finally, a long-term Congressional authorization, coupled 
with the additional reporting requirements in this Act, would 
allow needed Congressional oversight of the program.

Alternative security programs and creation of an expedited approval 
        program

    The legislation also creates two new, alternative options 
for review that will help the Department address the backlog of 
unapproved site security plans. The CFATS program has received 
over 48,000 Top-Screens and has made progress in program goals, 
including assigning tiers to covered chemical facilities and 
assisting covered facilities in compliance and improving 
security. Some 3,000 facilities have also reduced their 
holdings of chemicals of interest such that they are no longer 
covered by CFATS.\27\ Nevertheless, the program still faces a 
significant backlog of site security plan authorizations and 
compliance inspections. In its April 2013 report on CFATS, the 
Government Accountability Office estimated that it could take 
seven to nine years for the program to eliminate the backlog of 
reviewing facilities' site security plans and conducting 
compliance inspections.\28\ At a May 2014 hearing, DHS 
officials testified that they had devoted more resources and 
attention to the issues creating the backlog, had already begun 
speeding up reviews, and believed they could get through the 
backlog in half the time GAO initially assessed.\29\ However, 
even accounting for that progress, sixty-one percent of the 
approximately 4,100 facilities covered under the CFATS program 
at that time\30\ were awaiting authorization of the site 
security plans they submitted to DHS; ninety-nine percent had 
yet to undergo a compliance inspection.\31\
---------------------------------------------------------------------------
    \27\See Department of Homeland Security, CFATS Update August 2014 
at http://www.dhs.gov/sites/default/files/publications/
CFATS%20FS_August2014.pdf.
    \28\See Government Accountability Office (GAO), Critical 
Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk 
and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13-
353), April 2013 at 18.
    \29\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) 
(Testimony of David Wulf, Director, National Protection and Programs 
Directorate, Department of Homeland Security).
    \30\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. 3 (May 14, 
2014) (Written testimony of Suzanne Spaulding, Under Secretary, and 
Director David Wulf, National Protection and Programs Directorate, 
Department of Homeland Security).
    \31\Ibid.
---------------------------------------------------------------------------
    While the Committee believes that the Department has made 
considerable progress recently in speeding up its review of 
site security plans and conducting compliance inspections, it 
believes it crucial to expedite these reviews further so that 
needed security measures are put in place as soon as 
possible.\32\ These facilities and the threats they face can be 
complex and securing them in a manner that meets the mandated 
performance standards can be time and capital intensive. 
Companies do not want to move ahead with changes until they are 
certain they know what is required. Thus the backlog in 
reviewing applications inhibits facilities from implementing 
the investments they want to make to improve security at their 
sites, which makes the communities that surround them less 
secure.
---------------------------------------------------------------------------
    \32\See Department of Homeland Security, CFATS Fact Sheet, 
September 2014, http://www.dhs.gov/sites/default/files/publications/
CFATS-FS-September-2014-508.pdf.
---------------------------------------------------------------------------
    In response to this problem, the Committee substitute to 
H.R. 4007 authorizes two new, optional tracks for covered 
facilities to use in submitting security plans. The first, the 
alternative security program, allows facilities to implement 
security plans developed by industry associations and approved 
by DHS. The legislation creating the original authority for 
CFATS allowed the Department to approve Alternative Security 
Plans (ASPs) that had been ``established by private sector 
entities.'' But in 2007 the Department issued an Interim Final 
Rule that required that ASPs be approved individually. This 
change subverted Congressional intent and largely eliminated 
any efficiency the program would have created. The Committee 
substitute to H.R. 4007 would restore the program to its 
original intent, following the model set by the U.S. Coast 
Guard's Maritime Transportation Security Act (MTSA) program. 
That program allows approval of ASPs for types of vessels or 
facilities carrying certain dangerous chemicals.
    Second, it also creates a voluntary expedited approval 
program to facilitate compliance for lower-risk companies. 
Under that program, which the Committee developed in 
consultation with the Department and key stakeholders, DHS 
would have the authority to set prescriptive, rather than 
performance-based, standards for site security for facilities 
assigned to tiers three and four. Facilities electing to 
participate in the program would forego the need for an 
authorization inspection, but could still be subject to 
compliance inspections.
    The Committee believes that the expedited approval program 
will lessen the potentially disproportionate regulatory burden 
that current CFATS regulations impose on smaller chemical 
companies, which may lack the compliance infrastructure and 
resources of large chemical facilities. It does this by 
requiring that the Department establish clear, prescriptive 
guidelines these facilities certify they will meet and to which 
they will continue to adhere. This obviates the need for an 
extensive submission and review process of a facility security 
plan, frees DHS resources to focus on the highest risk 
facilities, and allows facilities to implement security 
measures more quickly. The program still maintains strong 
Departmental oversight to ensure facilities are indeed secure. 
Under the expedited approval program, the Department may reject 
site security plans that are ``facially deficient'' or 
obviously insufficient under the guidelines established by the 
program. Under the program, the Department also retains the 
right to conduct compliance inspections in order to determine 
whether facilities have implemented the security measures 
outlined in their plans.
    The voluntary expedited approval program created under the 
bill would require additional work by the Department at the 
outset, while it develops prescriptive security measures and 
security plan templates. However, it should result in a notable 
reduction in the administrative burden on both facilities and 
the Department, and help reduce the backlog of site security 
plan reviews of lower-risk facilities.

Personnel Surety Program

    Consistent with the House bill, the Committee substitute to 
H.R. 4007 establishes a functional and efficient Personnel 
Surety Program (PSP). As part of regulations promulgated under 
the CFATS program\33\ the Department established eighteen 
``risk-based performance standards'' (RBPSs) that covered 
chemical facilities are required to address. There has long 
been disagreement between regulated industry stakeholders and 
the Department as to how facilities can satisfy RBPS-12, which 
requires covered chemical facilities to take steps to determine 
whether persons with access to their facility may have 
terrorist ties.\34\
---------------------------------------------------------------------------
    \33\6 C.F.R. Part 27.
    \34\RBPS-12 provision (iv).
---------------------------------------------------------------------------
    Specifically at issue has been the RBPS-12 provision (iv), 
which requires facilities to establish ``measures designed to 
identify persons with terrorist ties.'' DHS has issued an 
interim rule that would establish a Personnel Surety Program 
(PSP) that would require facilities (or other entities acting 
on a facility's behalf) to submit information on individuals 
with access to a covered chemical facility through a DHS 
created and managed web portal at least 48 hours prior to such 
a person's initial access to the facility.\35\ The Department 
stated that this would allow facilities to submit information 
regarding covered individuals for DHS to check whether those 
individuals are on the FBI Terrorist Screening Database 
(TSDB).\36\ The concern raised by regulated entities with 
regards to the Department's proposal centers on the fact that a 
number of other security screening programs of the Federal 
Government, including the Transportation Security 
Administration's Transportation Worker Identification 
Credential (TWIC),\37\ already check individuals against the 
TSDB. However, the Department stated in its proposal that it 
would not accept the TWIC or other, similar credentials in lieu 
of a submission through the DHS PSP website as described above, 
unless the credential could be electronically verified. Since 
many individuals who access chemical facilities are already 
required to maintain a TWIC or other credential, regulated 
stakeholders argue that DHS's requirement is unnecessary and 
duplicative. For its part, the Department argues that repeat 
vetting directly before accessing a facility is necessary to 
truly determine if the individual may pose a threat.
---------------------------------------------------------------------------
    \35\79 F.R. 6417.
    \36\While the legislation still includes requirements for vetting 
personnel at covered chemical facilities against the terrorist 
screening database, the Committee has included a clear definition for 
the terrorist screening database to help address any concerns or 
confusion that the term could be interpreted to include new, 
additional, or different databases. The legislation clarifies that the 
term terrorist screening database refers to the current database 
maintained by the Terrorist Screening Center.
    \37\Department of Homeland Security. Transportation Security 
Administration, Transportation Worker Identification Credential. August 
2014 at http://www.tsa.gov/stakeholders/
transportation-worker-identification-credential-twic%C2%AE.
---------------------------------------------------------------------------
    The standards chemical facilities are required to meet 
under CFATS are by definition performance based, and not meant 
to be prescriptive.\38\ Industry partners argue that DHS's 
proposed PSP rule is far more prescriptive than what is 
necessary to meet the requirements of RBPS-12. Finally, the 
Committee believes the Department should avoid costly 
duplication of programs.
---------------------------------------------------------------------------
    \38\79 F.R. 6417.
---------------------------------------------------------------------------
    To that end, the Committee believes that DHS should 
leverage existing infrastructure within DHS and industry to 
verify and validate identity, check criminal history, verify 
and validate legal authorization to work, and identify 
individuals with terrorist ties by utilizing a Federal vetting 
program. Additionally, given the intent of the CFATS program to 
be a flexible program based on performance, the Committee wants 
to ensure that facilities have a full cadre of tools at their 
disposal to meet the Risk-Based Performance Standards.
    The legislation also clarifies Congressional intent related 
to the CFATS program by stating that a facility may satisfy its 
obligation under RBPS-12(iv) by relying upon presentation and 
visual validation of any credential issued by a Federal 
screening program that periodically vets individuals against 
the TSDB. The intent of this provision is to ensure that the 
Department cannot compel a covered chemical facility that has 
already vetted an individual against an alternate Federal 
screening program to then also submit information about that 
individual directly to the Department, unless that person has 
been identified positively against the Terrorist Screening 
Database.
    Finally, the Personnel Surety Program outlined in this 
legislation requires DHS to provide feedback to a participating 
owner or operator of a covered chemical facility about an 
individual based on vetting the individual against the TSDB, to 
the extent that such feedback is necessary for the facility's 
compliance with CFATS regulations. Under DHS's proposal, DHS 
may refuse to tell facility owners and operators when an 
individual with access has come up as a TSDB match. DHS argues 
that it wants to avoid interfering with ongoing law enforcement 
or intelligence operations that might involve the individual in 
question. But, as regulated industry partners point out, the 
security of a facility is jeopardized when an owner or operator 
unknowingly allows access to a suspected terrorist, creating 
security and liability, concerns. H.R. 4007 attempts to strike 
a balance between these two concerns by limiting notification 
to a facility regarding an individual matching the TSDB only if 
that individual presents a threat to the facility's physical 
security in such a way as to undermine the facility's efforts 
to comply with the CFATS regulations.

Outreach to covered chemical facilities

    This legislation improves DHS's ability to address the 
issue of ``outlier facilities'' and to identify the universe of 
chemical facilities which should be subject to requirements 
under CFATS. Outlier facilities are facilities that do not let 
DHS know of their existence much less take steps to comply with 
the CFATS program despite the fact that they possess enough 
chemicals of interest to trigger regulation under the program.
    Perhaps the most notable example of such a facility was the 
West Fertilizer Company located in West, Texas. That company's 
facility caught fire and then exploded on April 17, 2013, 
killing fifteen people, injuring hundreds more, and causing an 
estimated $100 million in damage. Initial reports indicated a 
large amount of anhydrous ammonia as the source of the 
explosions; later, authorities determined that the explosions 
were caused by ammonium nitrate that was stored at the 
facility.\39\ Both anhydrous ammonia and ammonium nitrate are 
designated by DHS as ``chemicals of interest,'' and possession 
of either above certain threshold amounts is subject to 
regulation under the CFATS program.\40\ Through an 
investigation following the disaster at West Fertilizer, the 
Department determined that the facility had not complied with 
the requirement of the CFATS program to submit a Top-Screen to 
DHS.\41\ As a result, until the explosion occurred program 
officials were unaware the facility existed. The EPA's Risk 
Management Program (RMP), however, did have a record of this 
facility.
---------------------------------------------------------------------------
    \39\See U.S. Chemical Safety Board (CSB), Preliminary Findings of 
the U.S. Chemical Safety Board from its Investigation of the West 
Fertilizer Explosion and Fire, April 22, 2014 at http://www.csb.gov/
assets/1/19/West_Preliminary_Findings.pdf.
    \40\6 CFR Part 27.
    \41\Letter from Suzanne Spaulding, Acting Under Secretary, National 
Protection and Programs Directorate, Department of Homeland Security, 
Hon. Thomas R. Carper, Chairman, Senate Committee on Homeland Security 
and Governmental Affairs, dated July 31, 2013.
---------------------------------------------------------------------------
    Prior to the West Fertilizer Company disaster, DHS was 
taking some actions to identify outlier facilities. DHS relied 
on information sharing among state homeland security agencies, 
components within the Department, and stakeholders, the 
maintenance of a toll-free CFATS Tip Line, and a limited, 
regional pilot program allowing CFATS inspectors to review a 
database maintained by the Environmental Protection Agency. 
However, as the Department acknowledged, these efforts yielded 
relatively few identifications of outlier facilities.\42\ In 
August 2013, after the West disaster, the President issued an 
executive order addressing this issue, calling for a working 
group to improve federal, state, and local coordination to 
identify facilities subject to CFATS requirements.\43\ And at a 
Committee hearing in May, Department officials emphasized the 
critical need for continued and improved outreach in order to 
identify chemical facilities potentially subject to CFATS 
requirements.\44\
---------------------------------------------------------------------------
    \42\Id.
    \43\EO 13650.
    \44\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. 5 (May 14, 
2014) (Written testimony of Suzanne Spaulding, Under Secretary, and 
Director David Wulf, National Protection and Programs Directorate, 
Department of Homeland Security).
---------------------------------------------------------------------------
    The Committee substitute to H.R. 4007 establishes and 
defines the term ``chemical facilities of interest'' to mean 
facilities that hold, or that the Secretary has a reasonable 
basis to believe hold, chemicals of interest in excess of the 
threshold quantities set under the existing CFATS standards. It 
requires the Secretary to consult with other government 
agencies, including state and local governments, business 
associations, and labor organizations to identify such 
facilities, to report to Congress regarding the steps the 
Department has taken to identify chemical facilities of 
interest and its progress toward achieving that goal, and to 
submit an action plan for better identifying and enforcing 
compliance among chemical facilities of interest to 
Congress.\45\
---------------------------------------------------------------------------
    \45\The Committee substitute would allow the Secretary 18 months to 
produce such a plan, rather than the 90 days specified in the House 
bill.
---------------------------------------------------------------------------

Whistleblower protections

    The Committee substitute to H.R. 4007 requires the 
Department to establish procedures to allow workers or 
contractors to report to the Secretary regarding potential 
problems or vulnerabilities at a covered chemical facility. 
Further, it protects those individuals who report problems from 
termination or other forms of retaliation, though it provides 
no protections for individuals who are found to have lied or 
misled authorities. The Committee believes that workers can 
play an important role in chemical security. Few individuals 
know and understand the particular vulnerabilities of a 
facility more than those who work there every day. As Anna 
Fendley from the United Steelworkers testified at the 
Committee's hearing in May 2014, ``[Workers] would be hurt 
first and worst in an attack on a facility, and therefore have 
the largest stake in ensuring safety.''\46\ The Committee 
believes that protecting whistleblowers could potentially help 
DHS identify chemical facilities that are covered by CFATS but 
are not complying with its requirements. Furthermore, the 
Committee believes it is important to protect whistleblowers 
from retaliation.
---------------------------------------------------------------------------
    \46\``Charting a Path Forward for the Chemical Facilities Anti-
Terrorism Standards Program,'' hearing before the Senate Committee on 
Homeland Security and Governmental Affairs, 113th Cong. (May 14, 2014) 
(Testimony of Anna Fendley on behalf of the United Steelworkers).
---------------------------------------------------------------------------

Information sharing with first responders

    The Committee substitute to H.R. 4007 would allow the 
Secretary to disseminate information collected from covered 
chemical facilities, including security vulnerability 
assessments, site security plans, and other information, to 
first responders through any medium or system the Secretary 
determines appropriate.\47\ The Committee's change reflects its 
intent that this potentially sensitive information be shared in 
a secure and effective manner only with those individuals who 
possess a need to know, and our belief that mandating that 
information be shared via HSIN and HSDN could include too broad 
an audience. The Committee believes the Secretary, examining 
the sensitivity of the information and the relative needs of 
recipients, is in the best position to make a determination. 
Based on similar reasoning, the legislation exempts information 
gathered from chemical facilities under the authority granted 
in the bill from requests under the Freedom of Information Act. 
The Committee intends this blanket exemption to preclude the 
possibility that members of the public without a need to know, 
including potentially bad actors, seeking to access this 
information might receive it from the Federal Government 
through a FOIA request.\48\
---------------------------------------------------------------------------
    \47\In contrast, H.R. 4007 as passed by the House would require the 
Secretary to use the Homeland Security Information Network (HSIN) or 
the Homeland Secure Data Network (HSDN) to distribute such information. 
Though the HSDN reaches a more limited audience and is used only to 
share classified information, HSIN is a public-facing web portal that 
allows for the sharing of sensitive but not classified information to 
federal, state, local, tribal, territorial, international, and private 
sector partners.
    \48\The Committee does not intend this provision to affect one way 
or the other the ability of anyone to access any information about a 
chemical facility, either from the company itself, or from the 
government, as provided for under any other law or program.
---------------------------------------------------------------------------

Improved risk assessment methodology

    Finally, this legislation ensures that the Department fixes 
its historically flawed risk assessment and tiering methodology 
by requiring DHS to consider all areas of risk in developing 
risk assessments in order to more accurately reflect the core 
criteria of risk: threat, consequence (including both economic 
consequences and fatalities), and vulnerability. The Committee 
wants to ensure that all aspects of risk are being considered 
when determining whether a facility presents a high enough risk 
to be regulated under the CFATS program and into what tier a 
facility may be placed. It further instructs the Secretary to 
maintain a record of any changes to a facility's tiering status 
and why the change was made. In its April 2013 report, GAO 
recommended that DHS should enhance its risk assessment 
approach to incorporate all elements of risk, and conduct an 
independent peer review to ensure the approach is 
effective.\49\ That peer review, conducted by the Homeland 
Security Studies and Analysis Institute, was published in 
September, 2013 and laid out a number of recommendations for 
improvement.\50\ This legislation would require the Department 
to develop a risk assessment approach and tiering methodology 
based on that review and require the Secretary to report to 
Congress on the Infrastructure Security Compliance Division's 
progress in doing so within 18 months of the bill's enactment.
---------------------------------------------------------------------------
    \49\See Government Accountability Office (GAO), Critical 
Infrastructure Protection: DHS Efforts to Assess Chemical Security Risk 
and Gather Feedback on Facility Outreach Can Be Strengthened, (GAO-13-
353), April 2013 at 9-15.
    \50\See Homeland Security Studies and Analysis Institute's Tiering 
Methodology Peer Review, Publication Number: RP12-22-02.
---------------------------------------------------------------------------

                        III. Legislative History

    H.R. 4007, the Protecting and Securing Chemical Facilities 
from Terrorist Attacks Act of 2014, was introduced by 
Representative Meehan on February 6, 2014. The House passed the 
bill on July 8, 2014, on a motion to suspend the rules and pass 
the bill, as amended, by voice vote. The bill was received in 
the Senate on July 9, 2014, and referred to the Homeland 
Security and Governmental Affairs Committee.
    Prior to the bill's referral, the Committee held a hearing 
on May 14, 2014, titled ``Charting a Path Forward for the 
Chemical Facilities Anti-Terrorism Standards Program.'' The 
purpose of the hearing was to examine the current state of the 
CFATS program and the need to reauthorize the program. 
Witnesses included two senior DHS officials responsible for 
managing the program, representatives from the Government 
Accountability Office and Congressional Research Service, an 
industry representative, and a labor representative.
    The Committee considered H.R. 4007 at a business meeting on 
July 30, 2014. Senators Carper and Coburn offered a substitute 
amendment that made a number of changes to the bill as passed 
by the House. The substitute added provisions permitting the 
submission of simplified security plans through the alternative 
security program; establishing an expedited approval program to 
allow lower high-risk facilities to more quickly implement 
security plans; requiring DHS to review and update its risk 
assessment model and report key metrics to Congress so that 
Congress can better perform oversight of the CFATS program; 
requiring sensitive security information to be protected and 
shared with first responders; and requiring the Secretary to: 
collect and report on program best practices in order to assist 
smaller facilities in complying with the program, develop an 
implementation plan for outreach to chemical facilities of 
interest; establish a program-specific reporting process for 
whistleblowers, and work with industry and labor organizations 
to improve information sharing.
    The committee adopted the Carper-Coburn substitute, as 
modified, and ordered the bill, as amended, reported favorably, 
both by voice vote. Senators present for both votes were 
Senators Carper, Levin, Landrieu, McCaskill, Begich, Baldwin, 
Coburn, Johnson, and Ayotte. Senator Baldwin requested to be 
recorded as voting ``no'' on the bill.

        IV. Section-by-Section Analysis of the Bill, as Reported


Section 1--Short title

    This section establishes the title of the legislation as 
the ``The Protecting and Securing Chemical Facilities from 
Terrorist Attacks Act of 2014.''\51\
---------------------------------------------------------------------------
    \51\Note that the House version was titled, ``The Chemical Facility 
Anti-Terrorism Standards Program Authorization and Accountability Act 
of 2014.''
---------------------------------------------------------------------------

Section 2--Chemical Facility Anti-Terrorism Standards Program

    This section amends the Homeland Security Act of 2002 (6 
U.S.C. 101 et seq.), adding at the end a new title, Title XXI--
Chemical Facility Anti-Terrorism Standards.

New section 2101 of the Homeland Security Act of 2002--Definitions

    This section defines key terms used in the bill, including 
``CFATS regulation,'' and specifies which types of facilities 
are considered to be ``covered chemical facilities,'' which 
facilities are exempted, and which types of facilities are 
considered to be ``chemical facilities of interest.''
    This section defines ``chemical facility of interest'' as a 
facility that the Secretary has reason to believe holds 
threshold quantities of chemicals of interest.
    It defines ``covered chemical facility'' as a facility that 
the Secretary identifies as a chemical facility of interest, 
which is a high-risk facility, as determined by the 
Department's risk assessment methodology.
    It defines ``excluded facility'' to mean a facility 
regulated under the U.S. Coast Guard's Maritime Transportation 
Security Act (MTSA) protocol or the Safe Drinking Water Act, a 
wastewater treatment works regulated under the Federal Water 
Pollution Control Act, a facility owned or operated by the 
Department of Defense or the Department of Energy, or a 
facility regulated by the Nuclear Regulatory Commission or by a 
state that has entered into an agreement with the Nuclear 
Regulatory Commission.
    It defines ``expedited approval facility'' as a covered 
chemical facility for which the owner or operator elects to 
submit a site security plan for expedited approval under a new 
program authorized in the legislation.
    It defines a ``facially deficient'' security plan as a 
security plan that does not support a certification that the 
security measures in the plan address the security 
vulnerability assessment and risk-based performance standards.

New section 2102 of the Homeland Security Act of 2002--Chemical 
        Facility Anti-Terrorism Standards Program

    Subsection (a) requires DHS to establish risk-based 
performance standards to ensure the security of chemical 
facilities. It charges the Secretary of Homeland Security 
(``the Secretary'') with identifying chemical facilities of 
interest and covered chemical facilities. It authorizes the 
Secretary to require chemical facilities of interest to submit 
a Top-Screen. The subsection authorizes the Secretary to 
require covered facilities to submit to the Department of 
Homeland Security (``DHS'') security vulnerability assessments, 
and to develop, submit, and implement site security plans. 
(This language largely mirrors the original CFATS authorizing 
statute, PL 109-295, the Department of Homeland Security 
Appropriations Act of 2007, Sec. 550, hereinafter referred to 
as ``Sec. 550'').
    Subsection (b), Security Measures, describes the 
requirements of a site security plan, stating they should 
include security measures that, in combination, appropriately 
address the security vulnerability assessment and the risk-
based performance standards for securing the facility.
    Subsection (c), Approval or Disapproval of Site Security 
Plans, outlines the process for DHS's review of site security 
plans and improves the efficiency of the site security plan 
approval process by allowing facilities to use an alternative 
security program. This subsection charges the Secretary with 
evaluating and approving site security plans described under 
subsection (a), and specifies that the Secretary may not 
require the presence or absence of particular measures.
    This subsection further authorizes the Secretary to approve 
alternative security programs created by outside entities, such 
as the American Chemistry Council, if those programs satisfy 
all the requirements of the Risk-Based Performance Standards. 
If the requirements of the alternative security program do not 
fully meet the requirements of the subsection, the Secretary 
may recommend additional security measures to allow the program 
to be approved. Further, the subsection allows the Secretary to 
accept an already-approved alternative security program without 
reevaluating the program.
    This subsection further obligates the Secretary to employ 
the risk assessment procedures established under this title, 
and establishes a ``grandfather clause'' providing that, if the 
legislation is enacted, a site security plan already approved 
by the Secretary prior to the date of enactment of this Act 
need not be reevaluated solely because of enactment of this 
Act.
    This subsection also creates a new expedited approval 
program through which tier 3 and 4 facilities may develop and 
submit a site security plan for expedited approval. It requires 
that the Secretary first issue prescriptive guidance for such 
facilities to meet the risk-based performance standards, and 
outlines how facilities may certify that deviations from the 
guidance meet or exceed the prescriptive standards. The 
subsection requires the Secretary to consult with labor 
organizations and Sector Coordinating Councils to develop this 
guidance. The subsection establishes deadlines for facilities 
to submit and certify plans for expedited approval and for the 
Department to review certified plans, provides authority for 
the Secretary to enforce compliance under this program, and 
provides a process by which facilities can amend site security 
plans. It allows the Secretary to suspend and ultimately revoke 
a facility's ability to participate in the voluntary expedited 
approval program if it submits a facially deficient site 
security plan, and to recommend additional security measures if 
it suspends a facility's certification. The subsection also 
allows DHS to develop prescriptive security plan templates that 
meet the risk-based performance standards and tier 3 and 4 
facilities can submit as their site security plans. Finally, 
the subsection requires that the Secretary fully evaluate the 
expedited approval program within 18 months of enactment of the 
Act.
    Subsection (d), Compliance, requires the Secretary to 
conduct audits or inspections of covered chemical facilities, 
and would allow nongovernmental personnel to conduct audits or 
inspections on behalf of the Department in order to address the 
existing backlog. This section also requires the Secretary to 
establish a Personnel Surety Program that ensures individuals 
with access to covered chemical facilities are vetted against 
the Terrorist Screening Database, the central terrorist 
watchlist consolidated by the FBI's Terrorist Screening Center.
    This subsection defines ``nondepartmental'' to refer to 
personnel and entities that are neither employed by nor are 
components or other authorities of DHS, and ``nongovernmental'' 
to refer to personnel or entities that are neither employed by 
nor are agencies, departments, or other authorities of the 
Federal Government. This subsection would allow the Secretary 
to make use of nondepartmental and nongovernmental facility 
inspectors in addition to DHS Inspectors, and requires the 
Secretary to set high standards and professional qualifications 
for both governmental and nongovernmental personnel. This will 
help to expedite the rate of inspections and address the 
backlog of authorization inspections DHS now faces. This 
subsection also makes clear that any duties carried out by a 
nongovernmental entity should not be inherently governmental 
functions, and that only the Secretary or the Secretary's 
designee retains the authority to approve a site security plan.
    This subsection clarifies that a facility may utilize any 
Federal screening program that periodically vets individuals 
against the Terrorist Screening Database in order to comply 
with the requirement to vet personnel against the terrorist 
watchlist. This subsection also prohibits DHS from collecting 
information from covered chemical facilities about an 
individual unless that individual has been identified as 
presenting a terrorist threat, or is being vetted under the 
CFATS program's Personnel Surety Program (PSP). Finally, this 
subsection instructs DHS to share any information with a 
facility that the facility needs to comply with this section. 
The Committee added this requirement to address concerns raised 
by industry groups that the Department was not required to 
share with a chemical facility information that an individual 
identified through the Terrorist Screening Database as 
potentially having terrorist ties had accessed the chemical 
facility. Under the requirement, the Committee intends for the 
Department to determine what information a facility needs in 
order to comply.
    Subsection (e) outlines the responsibilities of the 
Secretary. It ensures that DHS is communicating with state and 
local officials as well as other Federal agencies and industry 
associations to identify chemical facilities of interest, and 
that DHS implements a comprehensive risk assessment and 
maintains records documenting the basis for any facility that 
experiences a change in risk tiering.
    This subsection instructs DHS to communicate with state and 
local officials, as well as other Federal agencies and industry 
associations, to identify chemical facilities of interest, 
which will help to ensure that outlier facilities are known to 
the Department. This subsection further ensures that DHS is 
taking into account all relevant risk information when 
developing its risk assessment standards and corresponding 
tiering methodology. It also requires that the Secretary 
document the basis for each change in a covered chemical 
facility's tier. It also requires the Secretary to provide a 
biannual report to Congress detailing specific metrics on the 
program's performance in order to aid Congressional evaluation 
and oversight of the program.

New section 2103 of the Homeland Security Act of 2002--Protection and 
        sharing of information

    This section ensures that sensitive security information is 
protected, and shared with first responders in a secure, 
responsible manner in order to prevent loss of life and 
property. It ensures that sensitive information regarding a 
facility, where disclosure could present a potential risk, 
developed under this Act shall not be made available for public 
disclosure. However such information may be shared with state 
and local government officials for purposes of carrying out 
this Act. This section further ensures that first responders 
are properly prepared and provided situational awareness when 
responding to incidents at CFATS facilities without 
compromising the security of the information. This section 
allows the Secretary to disseminate information through any 
medium or system deemed appropriate by the Secretary. It is the 
Committee's intent that proprietary and chemical vulnerability 
information shared pursuant to this section continues to be 
protected against disclosure to unauthorized individuals and 
the public.

New section 2104 of the Homeland Security Act of 2002--Civil 
        enforcement

    This section specifies penalties for noncompliance and sets 
the parameters of civil liability.
    Subsection (a), Notice of Noncompliance, provides that if a 
facility is found to be non-compliant the Secretary must first 
present the facility with written notice of non-compliance 
before the Department may issue fines or penalties. It further 
specifies that in the event of continued non-compliance the 
Secretary may assess a civil penalty, order a facility to cease 
operations, or both.
    Subsection (b), Civil Penalties, provides that civil 
penalties may be assessed against a person who violates an 
order under this Act. It further provides that any owner of a 
chemical facility of interest who fails to comply with or 
knowingly submits false information under the Act shall be 
liable for a civil penalty.
    Subsection (c), Emergency Orders, authorizes the Secretary 
to direct a facility to implement emergency security measures, 
or cease some or all operations if the Secretary determines 
that there is a reasonable likelihood that a violation of the 
CFATS regulations could result in death, serious illness, 
severe personal injury, or substantial endangerment to the 
public.
    Subsection (d), Right of Action, clarifies that only the 
Secretary (or his or her designee) may bring an action against 
the owner or operator of a covered chemical facility to enforce 
any of the Act's provision.

New section 2105 of the Homeland Security Act of 2002--Whistleblower 
        protections

    This section clarifies whistleblower protections available 
to chemical facility employees and contractors, and requires 
these protections be publicly disclosed and advertised. It 
requires the Secretary to establish a reporting procedure for 
whistleblowers to report problems, deficiencies, or 
vulnerabilities related to chemical security at a covered 
chemical facility to DHS, and to protect the confidentiality of 
an individual making a report. It further requires the 
Secretary affirmatively acknowledge receipt of whistleblower 
reports, if possible, and take appropriate steps to address any 
problems the Department is able to substantiate.
    This section also prohibits retaliatory actions against 
whistleblowers by owners or operators of a chemical facility. 
The section also clarifies that no employee is entitled to the 
protection of this section if the employee makes false, 
fictitious, or fraudulent statements or representations, and 
that disclosures protected by other federal or state laws 
remain in place.

New section 2106 of the Homeland Security Act of 2002--Relationship to 
        other laws

    This section states that nothing in this Act supersedes 
Federal law governing the manufacture, sale or handling of 
chemical substances or mixtures. It also clarifies that States 
and political subdivisions may adopt more stringent 
requirements with respect to chemical facility security, unless 
there is an actual conflict between this section and the law of 
that State or subdivision.

New section 2107 of the Homeland Security Act of 2002--CFATS 
        regulations

    This section specifies that the Department can continue to 
follow previously-issued regulations, and does not need to 
undertake a new rulemaking. This section also stipulates that 
the Secretary shall rely on the authority provided in Title XXI 
of the Homeland Security Act of 2002 in determining chemicals 
of interest and relevant security risks, and determining 
compliance with Title XXI.

New section 2108 of the Homeland Security Act of 2002--Small covered 
        chemical facilities

    This section defines a ``small covered chemical facility'' 
as a facility with 100 employees or fewer. The House bill, in 
contrast, defines such a facility as one having 350 or fewer 
employees. The Committee believes that its definition more 
accurately reflects the size of chemical facilities likely to 
require the Departmental compliance assistance mandated under 
the legislation. The section also allows the Secretary to 
provide assistance and guidance to small covered chemical 
facilities in the development of their physical security, 
cybersecurity, recordkeeping, and reporting procedures. It 
directs the Secretary to report to the authorizing committees 
on best practices that may assist small chemical facilities in 
meeting their physical security requirements under this title.

New section 2109 of the Homeland Security Act of 2002--Outreach to 
        chemical facilities of interest

    This section directs the Secretary to develop an 
implementation plan for outreach to chemical facilities of 
interest in order to minimize the number of outliers.

Section 3--Assessment; reports

    This section requires the Secretary to commission a third-
party study of vulnerability of covered chemical facilities to 
acts of terrorism, and requires that the Secretary report to 
Congress on a number of specific aspects of the CFATS program 
within 18 months of enactment of this Act. It also provides for 
GAO reports assessing the implementation of this Act, including 
a review of the expedited approval program not later than three 
years after enactment of this Act.

Section 4--Effective date; Conforming repeal

    This section states that the Act shall take effect 30 days 
after the date of enactment. The section also repeals the 
previous authorization language, saying that it is superseded 
by this Act.

Section 5--Termination

    This section would sunset the program four years after 
enactment.

                   V. Evaluation of Regulatory Impact

    Pursuant to the requirement of paragraph 11(b)(1) of rule 
XXVI of the Standing Rules of the Senate the Committee has 
considered the regulatory impact of this bill. The bill as 
amended would extend an existing regulatory program with a 
number of changes. As indicated in the Congressional Budget 
Office cost estimate for this bill (included below), the bill 
as amended should not result in significant additional costs 
beyond the current costs of complying with the CFATS program.

             VI. Congressional Budget Office Cost Estimate


                                                September 10, 2014.
Hon. Tom Carper,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for H.R. 4007, the 
Protecting and Securing Chemical Facilities from Terrorist 
Attacks Act of 2014.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Jason 
Wheelock.
            Sincerely,
                                              Douglas W. Elmendorf.
    Enclosure.

H.R. 4007--Protecting and Securing Chemical Facilities from Terrorist 
        Attacks Act of 2014

    H.R. 4007 would extend the Department of Homeland 
Security's (DHS's) authority to regulate security at certain 
chemical facilities in the United States. Under the Chemical 
Facility Anti-Terrorism Standards (CFATS) program, DHS collects 
and reviews information from chemical facilities in the United 
States to determine which facilities present security risks. 
Facilities determined to present a high level of security risk 
are then required to develop a Site Security Plan (SSP). DHS in 
turn conducts inspections to validate the adequacy of a 
facility's SSP and their compliance with it. The program is set 
to end on October 4, 2014.
    H.R. 4007 would authorize CFATS for an additional four 
years and would create an expedited review procedure for 
facilities in the lower risk tiers of the CFATS program. Based 
on amounts requested for the CFATS in fiscal year 2015 as well 
as information from DHS, CBO estimates that continued 
implementation of CFATS would require appropriations of $87 
million in 2015 and slightly higher amounts in fiscal years 
2016 through 2018 after accounting for the effects of 
inflation. Assuming appropriation of the estimated amounts, CBO 
estimates that implementing H.R. 4007 would result in outlays 
of $349 million over the 2015-2019 period.

----------------------------------------------------------------------------------------------------------------
                                                               By fiscal year, in millions of dollars--
                                                    ------------------------------------------------------------
                                                       2015      2016      2017      2018      2019    2015-2019
----------------------------------------------------------------------------------------------------------------
                                  CHANGES IN SPENDING SUBJECT TO APPROPRIATION
Estimated Authorization Level......................        87        89        92        95         0        363
Estimated Outlays..................................        45        78       100       103        23        349
----------------------------------------------------------------------------------------------------------------

    Enacting H.R. 4007 could result in the collection of 
additional civil penalties, which are recorded as revenues and 
deposited in the Treasury; therefore, pay-as-you-go procedures 
apply. However, CBO estimates that such collections would be 
insignificant. Enacting the bill would not affect direct 
spending.
    H.R. 4007 would extend intergovernmental and private-sector 
mandates, as defined in the Unfunded Mandates Reform Act 
(UMRA), on owners and operators of public and private 
facilities where certain chemicals are present. Current law 
requires owners and operators to assess the vulnerability of 
their facilities to a terrorist incident and to prepare and 
implement facility security plans. This bill would extend, for 
four years, the authority of DHS to regulate those facilities 
through minimum standards designed to protect facilities from 
acts of terrorism and other security risks. The requirement to 
meet those standards would be a mandate on public and private 
entities.
    The bill would impose an additional mandate on public and 
private employers by prohibiting them from discharging or 
discriminating against employees who report security problems 
at a covered chemical facility.
    Information from DHS indicates that owners and operators of 
chemical facilities already meet the existing security 
standards and that they would only need to make small changes 
to administrative procedures to comply with the new 
whistleblower protections for their employees. Therefore, CBO 
estimates that the aggregate additional costs of complying with 
the mandates would be small and would fall below the annual 
thresholds established in UMRA for intergovernmental and 
private-sector mandates ($76 million and $152 million, 
respectively, in 2014, adjusted annually for inflation).
    On May 30, 2014, CBO transmitted a cost estimate for H.R. 
4007 as ordered reported by the House Committee on Homeland 
Security on April 30, 2014. The difference in CBO's estimates 
reflects differences in the two versions of the bill. The 
version reported by the House Committee on Homeland Security 
would permanently authorize CFATS and would authorize the 
appropriation of $87 million for each of fiscal years 2015 
through 2017. The Senate version of H.R. 4007 would extend 
CFATS for four years and would not specify an authorization 
level for any fiscal year. Based on those differences, CBO 
estimates that implementing this version of the bill would cost 
approximately $80 million less than the House version over the 
2015-2019 period, assuming the appropriation of the estimated 
amounts.
    The CBO staff contacts for this estimate are Jason Wheelock 
(for federal costs), Melissa Merrell (for the intergovernmental 
impact), and Paige Piper/Bach (for the private-sector impact). 
The estimate was approved by Theresa Gullo, Deputy Assistant 
Director for Budget Analysis.

     VII. Changes in Existing Statute Made by the Bill, as Reported

    In compliance with paragraph 12 of rule XXVI of the 
Standing Rules of the Senate, changes in existing law made by 
H.R. 4007 as reported are shown as follows (existing law 
proposed to be omitted is enclosed in brackets, new matter is 
printed in italic, and existing law in which no change is 
proposed is shown in roman):

DEPARTMENT OF HOMELAND SECURITY APPROPRIATIONS ACT OF 2007

           *       *       *       *       *       *       *


    [Sec. 550. (a) No later than six months after the date of 
enactment of this Act, the Secretary of Homeland Security shall 
issue interim final regulations establishing risk-based 
performance standards for security of chemical facilities and 
requiring vulnerability assessments and the development and 
implementation of site security plans for chemical facilities: 
Provided, That such regulations shall apply to chemical 
facilities that, in the discretion of the Secretary, present 
high levels of security risk: Provided further, That such 
regulations shall permit each such facility, in developing and 
implementing site security plans, to select layered security 
measures that, in combination, appropriately address the 
vulnerability assessment and the risk-based performance 
standards for security for the facility: Provided further, That 
the Secretary may not disapprove a site security plan submitted 
under this section based on the presence or absence of a 
particular security measure, but the Secretary may disapprove a 
site security plan if the plan fails to satisfy the risk-based 
performance standards established by this section: Provided 
further, That the Secretary may approve alternative security 
programs established by private sector entities, Federal, 
State, or local authorities, or other applicable laws if the 
Secretary determines that the requirements of such programs 
meet the requirements of this section and the interim 
regulations: Provided further, That the Secretary shall review 
and approve each vulnerability assessment and site security 
plan required under this section: Provided further, That the 
Secretary shall not apply regulations issued pursuant to this 
section to facilities regulated pursuant to the Maritime 
Transportation Security Act of 2002, Public Law 107-295, as 
amended; Public Water Systems, as defined by section 1401 of 
the Safe Drinking Water Act, Public Law 93-523, as amended; 
Treatment Works as defined in section 212 of the Federal Water 
Pollution Control Act, Public Law 92-500, as amended; any 
facility owned or operated by the Department of Defense or the 
Department of Energy, or any facility subject to regulation by 
the Nuclear Regulatory Commission.]
    [(b) Interim regulations issued under this section shall 
apply until the effective date of interim or final regulations 
promulgated under other laws that establish requirements and 
standards referred to in subsection (a) and expressly supersede 
this section: Provided, That the authority provided by this 
section shall terminate three years after the date of enactment 
of this Act.]
    [(c) Notwithstanding any other provision of law and 
subsection (b), information developed under this section, 
including vulnerability assessments, site security plans, and 
other security related information, records, and documents 
shall be given protections from public disclosure consistent 
with similar information developed by chemical facilities 
subject to regulation under section 70103 of title 46, United 
States Code: Provided, That this subsection does not prohibit 
the sharing of such information, as the Secretary deems 
appropriate, with State and local government officials 
possessing the necessary security clearances, including law 
enforcement officials and first responders, for the purpose of 
carrying out this section, provided that such information may 
not be disclosed pursuant to any State or local law: Provided 
further, That in any proceeding to enforce this section, 
vulnerability assessments, site security plans, and other 
information submitted to or obtained by the Secretary under 
this section, and related vulnerability or security 
information, shall be treated as if the information were 
classified material.]
    [(d) Any person who violates an order issued under this 
section shall be liable for a civil penalty under section 
70119(a) of title 46, United States Code: Provided, That 
nothing in this section confers upon any person except the 
Secretary a right of action against an owner or operator of a 
chemical facility to enforce any provision of this section. (e) 
The Secretary of Homeland Security shall audit and inspect 
chemical facilities for the purposes of determining compliance 
with the regulations issued pursuant to this section.]
    [(f) Nothing in this section shall be construed to 
supersede, amend, alter, or affect any Federal law that 
regulates the manufacture, distribution in commerce, use, sale, 
other treatment, or disposal of chemical substances or 
mixtures.]
    [(g) If the Secretary determines that a chemical facility 
is not in compliance with this section, the Secretary shall 
provide the owner or operator with written notification 
(including a clear explanation of deficiencies in the 
vulnerability assessment and site security plan) and 
opportunity for consultation, and issue an order to comply by 
such date as the Secretary determines to be appropriate under 
the circumstances: Provided, That if the owner or operator 
continues to be in noncompliance, the Secretary may issue an 
order for the facility to cease operation, until the owner or 
operator complies with the order.]
    [(h) This section shall not preclude or deny any right of 
any State or political subdivision thereof to adopt or enforce 
any regulation, requirement, or standard of performance with 
respect to chemical facility security that is more stringent 
than a regulation, requirement, or standard of performance 
issued under this section, or otherwise impair any right or 
jurisdiction of any State with respect to chemical facilities 
within that State, unless there is an actual conflict between 
this section and the law of that State.]

           *       *       *       *       *       *       *


SECTION 1. SHORT TITLE; TABLE OF CONTENTS.

    (a) * * *
    (b) Table of Contents.--The table of contents for this Act 
is as follows:

           *       *       *       *       *       *       *



          TITLE XXI--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS


Sec. 2101. Definitions.
Sec. 2102. Chemical Facility Anti-Terrorism Standards Program.
Sec. 2103. Protection and sharing of information.
Sec. 2104. Civil enforcement.
Sec. 2105. Whistleblower protections.
Sec. 2106. Relationship to other laws.
Sec. 2107. CFATS regulations.
Sec. 2108. Small covered chemical facilities.
Sec. 2109. Outreach to chemical facilities of interest.

           *       *       *       *       *       *       *


         TITLE XXI--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS

SEC. 2101. DEFINITIONS.

    In this title--
          (1) the term ``CFATS regulation'' means--
                  (A) an existing CFATs regulation; and
                  (B) any regulation or amendment to an 
                existing CFATS regulation issued pursuant to 
                the authority under section 2107;
          (2) the term ``chemical facility of interest'' means 
        a facility that--
                  (A) holds, or that the Secretary has a 
                reasonable basis to believe holds, a chemical 
                of interest, as designated under Appendix A to 
                part 27 of title 6, Code of Federal 
                Regulations, or any successor thereto, at a 
                threshold quantity set pursuant to relevant 
                risk-related security principles; and
                  (B) is not an excluded facility;
          (3) the term ``covered chemical facility'' means a 
        facility that--
                  (A) the Secretary--
                          (i) identifies as a chemical facility 
                        of interest; and
                          (ii) based upon review of the 
                        facility's Top-Screen, determines meets 
                        the risk criteria developed under 
                        section 2102(e)(2)(B); and
                  (B) is not an excluded facility;
          (4) the term ``excluded facility'' means--
                  (A) a facility regulated under the Maritime 
                Transportation Security Act of 2002 (Public Law 
                107-295; 116 Stat. 2064);
                  (B) a public water system, as that term is 
                defined in section 1401 of the Safe Drinking 
                Water Act (42 U.S.C. 300f);
                  (C) a Treatment Works, as that term is 
                defined in section 212 of the Federal Water 
                Pollution Control Act (33 U.S.C. 1292);
                  (D) a facility owned or operated by the 
                Department of Defense or the Department of 
                Energy; or
                  (E) a facility subject to regulation by the 
                Nuclear Regulatory Commission, or by a State 
                that has entered into an agreement with the 
                Nuclear Regulatory Commission under section 274 
                b. of the Atomic Energy Act of 1954 (42 U.S.C. 
                2021(b)) to protect against unauthorized access 
                of any material, activity, or structure 
                licensed by the Nuclear Regulatory Commission;
          (5) the term ``existing CFATS regulation'' means--
                  (A) a regulation promulgated under section 
                550 of the Department of Homeland Security 
                Appropriations Act, 2007 (Public Law 109-295; 6 
                U.S.C. 121 note) that is in effect on the day 
                before the date of enactment of the Protecting 
                and Securing Chemical Facilities from Terrorist 
                Attacks Act of 2014; and
                  (B) a Federal Register notice or other 
                published guidance relating to section 550 of 
                the Department of Homeland Security 
                Appropriations Act, 2007 that is in effect on 
                the day before the date of enactment of the 
                Protecting and Securing Chemical Facilities 
                from Terrorist Attacks Act of 2014;
          (6) the term ``expedited approval facility'' means a 
        covered chemical facility for which the owner or 
        operator elects to submit a site security plan in 
        accordance with section 2102(c)(4);
          (7) the term ``facially deficient'', relating to a 
        site security plan, means a site security plan that 
        does not support a certification that the security 
        measures in the plan address the security vulnerability 
        assessment and the risk-based performance standards for 
        security for the facility, based on a review of--
                  (A) the facility's site security plan;
                  (B) the facility's Top-Screen;
                  (C) the facility's security vulnerability 
                assessment; or
                  (D) any other information that--
                          (i) the facility submits to the 
                        Department; or
                          (ii) the Department obtains from a 
                        public source or other source;
          (8) the term ``guidance for expedited approval 
        facilities'' means the guidance issued under section 
        2102(c)(4)(B)(i);
          (9) the term ``risk assessment'' means the 
        Secretary's application of relevant risk criteria 
        identified in section 2102(e)(2)(B);
          (10) the term ``terrorist screening database'' means 
        the terrorist screening database maintained by the 
        Federal Government Terrorist Screening Center or its 
        successor;
          (11) the term ``tier'' has the meaning given the term 
        in section 27.105 of title 6, Code of Federal 
        Regulations, or any successor thereto;
          (12) the terms ``tiering'' and ``tiering 
        methodology'' mean the procedure by which the Secretary 
        assigns a tier to each covered chemical facility based 
        on the risk assessment for that covered chemical 
        facility;
          (13) the term ``Top-Screen'' has the meaning given 
        the term in section 27.105 of title 6, Code of Federal 
        Regulations, or any successor thereto; and
          (14) the term ``vulnerability assessment'' means the 
        identification of weaknesses in the security of a 
        chemical facility of interest.

SEC. 2102. CHEMICAL FACILITY ANTI-TERRORISM STANDARDS PROGRAM.

    (a) Program Established.--
          (1) In general.--There is in the Department a 
        Chemical Facility Anti-Terrorism Standards Program.
          (2) Requirements.--In carrying out the Chemical 
        Facility Anti-Terrorism Standards Program, the 
        Secretary shall--
                  (A) identify--
                          (i) chemical facilities of interest; 
                        and
                          (ii) covered chemical facilities;
                  (B) require each chemical facility of 
                interest to submit a Top-Screen and any other 
                information the Secretary determines necessary 
                to enable the Department to assess the security 
                risks associated with the facility;
                  (C) establish risk-based performance 
                standards designed to address high levels of 
                security risk at covered chemical facilities; 
                and
                  (D) require each covered chemical facility 
                to--
                          (i) submit a security vulnerability 
                        assessment; and
                          (ii) develop, submit, and implement a 
                        site security plan.
    (b) Security Measures.--A facility, in developing a site 
security plan as required under subsection (a), shall include 
security measures that, in combination, appropriately address 
the security vulnerability assessment and the risk-based 
performance standards for security for the facility.
    (c) Approval or Disapproval of Site Security Plans.--
          (1) In general.--
                  (A) Review.--Except as provided in paragraph 
                (4), the Secretary shall review and approve or 
                disapprove each site security plan submitted 
                pursuant to subsection (a).
                  (B) Bases for disapproval.--The Secretary--
                          (i) may not disapprove a site 
                        security plan based on the presence or 
                        absence of a particular security 
                        measure; and
                          (ii) shall disapprove a site security 
                        plan if the plan fails to satisfy the 
                        risk-based performance standards 
                        established pursuant to subsection 
                        (a)(2)(C).
          (2) Alternative security programs.--
                  (A) Authority to approve.--
                          (i) In general.--The Secretary may 
                        approve an alternative security program 
                        established by a private sector entity 
                        or a Federal, State, or local authority 
                        or under other applicable laws, if the 
                        Secretary determines that the 
                        requirements of the program meet the 
                        requirements under this section.
                          (ii) Additional security measures.--
                        If the requirements of an alternative 
                        security program do not meet the 
                        requirements under this section, the 
                        Secretary may recommend additional 
                        security measures to the program that 
                        will enable the Secretary to approve 
                        the program.
                  (B) Satisfaction of site security plan 
                requirement.--A covered chemical facility may 
                satisfy the site security plan requirement 
                under subsection (a) by adopting an alternative 
                security program that the Secretary has--
                          (i) reviewed and approved under 
                        subparagraph (A); and
                          (ii) determined to be appropriate for 
                        the operations and security concerns of 
                        the covered chemical facility.
          (3) Site security plan assessments.--
                  (A) Risk assessment policies and 
                procedures.--In approving or disapproving a 
                site security plan under this subsection, the 
                Secretary shall employ the risk assessment 
                policies and procedures developed under this 
                title.
                  (B) Previously approved plans.--In the case 
                of a covered chemical facility for which the 
                Secretary approved a site security plan before 
                the date of enactment of the Protecting and 
                Securing Chemical Facilities from Terrorist 
                Attacks Act of 2014, the Secretary may not 
                require the facility to resubmit the site 
                security plan solely by reason of the enactment 
                of this title.
          (4) Expedited approval program.--
                  (A) In general.--A covered chemical facility 
                assigned to tier 3 or 4 may meet the 
                requirement to develop and submit a site 
                security plan under subsection (a)(2)(D) by 
                developing and submitting to the Secretary--
                          (i) a site security plan and the 
                        certification described in subparagraph 
                        (C); or
                          (ii) a site security plan in 
                        conformance with a template authorized 
                        under subparagraph (H).
                  (B) Guidance for expedited approval 
                facilities.--
                          (i) In general.--Not later than 180 
                        days after the date of enactment of the 
                        Protecting and Securing Chemical 
                        Facilities from Terrorist Attacks Act 
                        of 2014, the Secretary shall issue 
                        guidance for expedited approval 
                        facilities that identifies specific 
                        security measures that are sufficient 
                        to meet the risk-based performance 
                        standards.
                          (ii) Material deviation from 
                        guidance.--If a security measure in the 
                        site security plan of an expedited 
                        approval facility materially deviates 
                        from a security measure in the guidance 
                        for expedited approval facilities, the 
                        site security plan shall include an 
                        explanation of how such security 
                        measure meets the risk-based 
                        performance standards.
                          (iii) Process.--In developing and 
                        issuing, or amending, the guidance for 
                        expedited approval facilities under 
                        this subparagraph and in collecting 
                        information from expedited approval 
                        facilities, the Secretary--
                                  (I) shall consult with--
                                          (aa) Sector 
                                        Coordinating Councils 
                                        established under 
                                        sections 201 and 
                                        871(a); and
                                          (bb) appropriate 
                                        labor organizations; 
                                        and
                                  (II) shall not be subject to 
                                section 553 of title 5, United 
                                States Code, the National 
                                Environmental Policy Act of 
                                1969 (42 U.S.C. 4321 et seq.), 
                                subchapter I of chapter 35 of 
                                title 44, United States Code, 
                                or section 2107(b) of this 
                                title.
                  (C) Certification.--The owner or operator of 
                an expedited approval facility shall submit to 
                the Secretary a certification, signed under 
                penalty of perjury, that--
                          (i) the owner or operator is familiar 
                        with the requirements of this title and 
                        part 27 of title 6, Code of Federal 
                        Regulations, or any successor thereto, 
                        and the site security plan being 
                        submitted;
                          (ii) the site security plan includes 
                        the security measures required by 
                        subsection (b);
                          (iii)(I) the security measures in the 
                        site security plan do not materially 
                        deviate from the guidance for expedited 
                        approval facilities except where 
                        indicated in the site security plan;
                          (II) any deviations from the guidance 
                        for expedited approval facilities in 
                        the site security plan meet the risk-
                        based performance standards for the 
                        tier to which the facility is assigned; 
                        and
                          (III) the owner or operator has 
                        provided an explanation of how the site 
                        security plan meets the risk-based 
                        performance standards for any material 
                        deviation;
                          (iv) the owner or operator has 
                        visited, examined, documented, and 
                        verified that the expedited approval 
                        facility meets the criteria set forth 
                        in the site security plan;
                          (v) the expedited approval facility 
                        has implemented all of the required 
                        performance measures outlined in the 
                        site security plan or set out planned 
                        measures that will be implemented 
                        within a reasonable time period stated 
                        in the site security plan;
                          (vi) each individual responsible for 
                        implementing the site security plan is 
                        fully aware of the requirements 
                        relevant to the individual's 
                        responsibility contained in the site 
                        security plan and is competent to carry 
                        out those requirements; and
                          (vii) the owner or operator has 
                        committed, or, in the case of planned 
                        measures will commit, the necessary 
                        resources to fully implement the site 
                        security plan.
                  (D) Deadline.--
                          (i) In general.--Not later than 120 
                        days after the date described in clause 
                        (ii), the owner or operator of an 
                        expedited approval facility shall 
                        submit to the Secretary the site 
                        security plan and the certification 
                        described in subparagraph (C).
                          (ii) Date.--The date described in 
                        this clause is--
                                  (I) for an expedited approval 
                                facility that was assigned to 
                                tier 3 or 4 under existing 
                                CFATS regulations before the 
                                date of enactment of the 
                                Protecting and Securing 
                                Chemical Facilities from 
                                Terrorist Attacks Act of 2014, 
                                the date that is 210 days after 
                                the date of enactment of that 
                                Act; and
                                  (II) for any expedited 
                                approval facility not described 
                                in subclause (I), the later 
                                of--
                                          (aa) the date on 
                                        which the expedited 
                                        approval facility is 
                                        assigned to tier 3 or 4 
                                        under subsection 
                                        (e)(2)(A); or
                                          (bb) the date that is 
                                        210 days after the date 
                                        of enactment of the 
                                        Protecting and Securing 
                                        Chemical Facilities 
                                        from Terrorist Attacks 
                                        Act of 2014.
                          (iii) Notice.--An owner or operator 
                        of an expedited approval facility shall 
                        notify the Secretary of the intent of 
                        the owner or operator to certify the 
                        site security plan for the expedited 
                        approval facility not later than 30 
                        days before the date on which the owner 
                        or operator submits the site security 
                        plan and certification described in 
                        subparagraph (C).
                  (E) Compliance.--
                          (i) In general.--For an expedited 
                        approval facility submitting a site 
                        security plan and certification in 
                        accordance with subparagraphs (A), (B), 
                        (C), and (D)--
                                  (I) the expedited approval 
                                facility shall comply with all 
                                of the requirements of its site 
                                security plan; and
                                  (II) the Secretary--
                                          (aa) except as 
                                        provided in 
                                        subparagraph (G), may 
                                        not disapprove the site 
                                        security plan; and
                                          (bb) may audit and 
                                        inspect the expedited 
                                        approval facility under 
                                        subsection (d) to 
                                        verify compliance with 
                                        its site security plan.
                          (ii) Noncompliance.--If the Secretary 
                        determines an expedited approval 
                        facility is not in compliance with the 
                        requirements of the site security plan 
                        or is otherwise in violation of this 
                        title, the Secretary may enforce 
                        compliance in accordance with section 
                        2104.
                  (F) Amendments to site security plan.--
                          (i) Requirement.--
                                  (I) In general.--If the owner 
                                or operator of an expedited 
                                approval facility amends a site 
                                security plan submitted under 
                                subparagraph (A), the owner or 
                                operator shall submit the 
                                amended site security plan and 
                                a certification relating to the 
                                amended site security plan that 
                                contains the information 
                                described in subparagraph (C).
                                  (II) Technical amendments.--
                                For purposes of this clause, an 
                                amendment to a site security 
                                plan includes any technical 
                                amendment to the site security 
                                plan.
                          (ii) Amendment required.--The owner 
                        or operator of an expedited approval 
                        facility shall amend the site security 
                        plan if--
                                  (I) there is a change in the 
                                design, construction, 
                                operation, or maintenance of 
                                the expedited approval facility 
                                that affects the site security 
                                plan;
                                  (II) the Secretary requires 
                                additional security measures or 
                                suspends a certification and 
                                recommends additional security 
                                measures under subparagraph 
                                (G); or
                                  (III) the owner or operator 
                                receives notice from the 
                                Secretary of a change in 
                                tiering under subsection 
                                (e)(3).
                          (iii) Deadline.--An amended site 
                        security plan and certification shall 
                        be submitted under clause (i)--
                                  (I) in the case of a change 
                                in design, construction, 
                                operation, or maintenance of 
                                the expedited approval facility 
                                that affects the security plan, 
                                not later than 120 days after 
                                the date on which the change in 
                                design, construction, 
                                operation, or maintenance 
                                occurred;
                                  (II) in the case of the 
                                Secretary requiring additional 
                                security measures or suspending 
                                a certification and 
                                recommending additional 
                                security measures under 
                                subparagraph (G), not later 
                                than 120 days after the date on 
                                which the owner or operator 
                                receives notice of the 
                                requirement for additional 
                                security measures or suspension 
                                of the certification and 
                                recommendation of additional 
                                security measures; and
                                  (III) in the case of a change 
                                in tiering, not later than 120 
                                days after the date on which 
                                the owner or operator receives 
                                notice under subsection (e)(3).
                  (G) Facially deficient site security plans.--
                          (i) Prohibition.--Notwithstanding 
                        subparagraph (A) or (E), the Secretary 
                        may suspend the authority of a covered 
                        chemical facility to certify a site 
                        security plan if the Secretary--
                                  (I) determines the certified 
                                site security plan or an 
                                amended site security plan is 
                                facially deficient; and
                                  (II) not later than 100 days 
                                after the date on which the 
                                Secretary receives the site 
                                security plan and 
                                certification, provides the 
                                covered chemical facility with 
                                written notification that the 
                                site security plan is facially 
                                deficient, including a clear 
                                explanation of each deficiency 
                                in the site security plan.
                          (ii) Additional security measures.--
                                  (I) In general.--If, during 
                                or after a compliance 
                                inspection of an expedited 
                                approval facility, the 
                                Secretary determines that 
                                planned or implemented security 
                                measures in the site security 
                                plan of the facility are 
                                insufficient to meet the risk-
                                based performance standards 
                                based on misrepresentation, 
                                omission, or an inadequate 
                                description of the site, the 
                                Secretary may--
                                          (aa) require 
                                        additional security 
                                        measures; or
                                          (bb) suspend the 
                                        certification of the 
                                        facility.
                                  (II) Recommendation of 
                                additional security measures.--
                                If the Secretary suspends the 
                                certification of an expedited 
                                approval facility under 
                                subclause (I), the Secretary 
                                shall--
                                          (aa) recommend 
                                        specific additional 
                                        security measures that, 
                                        if made part of the 
                                        site security plan by 
                                        the facility, would 
                                        enable the Secretary to 
                                        approve the site 
                                        security plan; and
                                          (bb) provide the 
                                        facility an opportunity 
                                        to submit a new or 
                                        modified site security 
                                        plan and certification 
                                        under subparagraph (A).
                                  (III) Submission; review.--If 
                                an expedited approval facility 
                                determines to submit a new or 
                                modified site security plan and 
                                certification as authorized 
                                under subclause (II)(bb)--
                                          (aa) not later than 
                                        90 days after the date 
                                        on which the facility 
                                        receives 
                                        recommendations under 
                                        subclause (II)(aa), the 
                                        facility shall submit 
                                        the new or modified 
                                        plan and certification; 
                                        and
                                          (bb) not later than 
                                        45 days after the date 
                                        on which the Secretary 
                                        receives the new or 
                                        modified plan under 
                                        item (aa), the 
                                        Secretary shall review 
                                        the plan and determine 
                                        whether the plan is 
                                        facially deficient.
                                  (IV) Determination not to 
                                include additional security 
                                measures.--
                                          (aa) Revocation of 
                                        certification.--If an 
                                        expedited approval 
                                        facility does not agree 
                                        to include in its site 
                                        security plan specific 
                                        additional security 
                                        measures recommended by 
                                        the Secretary under 
                                        subclause (II)(aa), or 
                                        does not submit a new 
                                        or modified site 
                                        security plan in 
                                        accordance with 
                                        subclause (III), the 
                                        Secretary may revoke 
                                        the certification of 
                                        the facility by issuing 
                                        an order under section 
                                        2104(a)(1)(B).
                                          (bb) Effect of 
                                        revocation.--If the 
                                        Secretary revokes the 
                                        certification of an 
                                        expedited approval 
                                        facility under item 
                                        (aa) by issuing an 
                                        order under section 
                                        2104(a)(1)(B)--
                                                  (AA) the 
                                                order shall 
                                                require the 
                                                owner or 
                                                operator of the 
                                                facility to 
                                                submit a site 
                                                security plan 
                                                or alternative 
                                                security 
                                                program for 
                                                review by the 
                                                Secretary 
                                                review under 
                                                subsection 
                                                (c)(1); and
                                                  (BB) the 
                                                facility shall 
                                                no longer be 
                                                eligible to 
                                                certify a site 
                                                security plan 
                                                under this 
                                                paragraph.
                                  (V) Facial deficiency.--If 
                                the Secretary determines that a 
                                new or modified site security 
                                plan submitted by an expedited 
                                approval facility under 
                                subclause (III) is facially 
                                deficient--
                                          (aa) not later than 
                                        120 days after the date 
                                        of the determination, 
                                        the owner or operator 
                                        of the facility shall 
                                        submit a site security 
                                        plan or alternative 
                                        security program for 
                                        review by the Secretary 
                                        under subsection 
                                        (c)(1); and
                                          (bb) the facility 
                                        shall no longer be 
                                        eligible to certify a 
                                        site security plan 
                                        under this paragraph.
                  (H) Templates.--
                          (i) In general.--The Secretary may 
                        develop prescriptive site security plan 
                        templates with specific security 
                        measures to meet the risk-based 
                        performance standards under subsection 
                        (a)(2)(C) for adoption and 
                        certification by a covered chemical 
                        facility assigned to tier 3 or 4 in 
                        lieu of developing and certifying its 
                        own plan.
                          (ii) Process.--In developing and 
                        issuing, or amending, the site security 
                        plan templates under this subparagraph, 
                        issuing guidance for implementation of 
                        the templates, and in collecting 
                        information from expedited approval 
                        facilities, the Secretary--
                                  (I) shall consult with--
                                          (aa) Sector 
                                        Coordinating Councils 
                                        established under 
                                        sections 201 and 
                                        871(a); and
                                          (bb) appropriate 
                                        labor organizations; 
                                        and
                                  (II) shall not be subject to 
                                section 553 of title 5, United 
                                States Code, the National 
                                Environmental Policy Act of 
                                1969 (42 U.S.C. 4321 et seq.), 
                                subchapter I of chapter 35 of 
                                title 44, United States Code, 
                                or section 2107(b) of this 
                                title.
                          (iii) Rule of construction.--Nothing 
                        in this subparagraph shall be construed 
                        to prevent a covered chemical facility 
                        from developing and certifying its own 
                        security plan in accordance with 
                        subparagraph (A).
                  (I) Evaluation.--
                          (i) In general.--Not later than 18 
                        months after the date of enactment of 
                        the Protecting and Securing Chemical 
                        Facilities from Terrorist Attacks Act 
                        of 2014, the Secretary shall take any 
                        appropriate action necessary for a full 
                        evaluation of the expedited approval 
                        program authorized under this 
                        paragraph, including conducting an 
                        appropriate number of inspections, as 
                        authorized under subsection (d), of 
                        expedited approval facilities.
                          (ii) Report.--Not later than 18 
                        months after the date of enactment of 
                        the Protecting and Securing Chemical 
                        Facilities from Terrorist Attacks Act 
                        of 2014, the Secretary shall submit to 
                        the Committee on Homeland Security and 
                        Governmental Affairs of the Senate and 
                        the Committee on Homeland Security of 
                        the House of Representatives a report 
                        that contains--
                                  (I) any costs and 
                                efficiencies associated with 
                                the expedited approval program 
                                authorized under this 
                                paragraph;
                                  (II) the impact of the 
                                expedited approval program on 
                                the backlog for site security 
                                plan approval and authorization 
                                inspections;
                                  (III) an assessment of the 
                                ability of expedited approval 
                                facilities to submit facially 
                                sufficient site security plans;
                                  (IV) an assessment of any 
                                impact of the expedited 
                                approval program on the 
                                security of chemical 
                                facilities; and
                                  (V) a recommendation by the 
                                Secretary on the frequency of 
                                compliance inspections that may 
                                be required for expedited 
                                approval facilities.
    (d) Compliance.--
          (1) Audits and inspections.--
                  (A) Definitions.--In this paragraph--
                          (i) the term ``nondepartmental''--
                                  (I) with respect to 
                                personnel, means personnel that 
                                is not employed by the 
                                Department; and
                                  (II) with respect to an 
                                entity, means an entity that is 
                                not a component or other 
                                authority of the Department; 
                                and
                          (ii) the term ``nongovernmental''--
                                  (I) with respect to 
                                personnel, means personnel that 
                                is not employed by the Federal 
                                Government; and
                                  (II) with respect to an 
                                entity, means an entity that is 
                                not an agency, department, or 
                                other authority of the Federal 
                                Government.
                  (B) Authority to conduct audits and 
                inspections.--The Secretary shall conduct 
                audits or inspections under this title using--
                          (i) employees of the Department; or
                          (ii) nondepartmental or 
                        nongovernmental personnel approved by 
                        the Secretary.
                  (C) Support personnel.--The Secretary may use 
                nongovernmental personnel to provide 
                administrative and logistical services in 
                support of audits and inspections under this 
                title.
                  (D) Reporting structure.--
                          (i) Nondepartmental and 
                        nongovernmental audits and 
                        inspections.--Any audit or inspection 
                        conducted by an individual employed by 
                        a nondepartmental or nongovernmental 
                        entity shall be assigned in 
                        coordination with a regional supervisor 
                        with responsibility for supervising 
                        inspectors within the Infrastructure 
                        Security Compliance Division of the 
                        Department for the region in which the 
                        audit or inspection is to be conducted.
                          (ii) Requirement to report.--While an 
                        individual employed by a 
                        nondepartmental or nongovernmental 
                        entity is in the field conducting an 
                        audit or inspection under this 
                        subsection, the individual shall report 
                        to the regional supervisor with 
                        responsibility for supervising 
                        inspectors within the Infrastructure 
                        Security Compliance Division of the 
                        Department for the region in which the 
                        individual is operating.
                          (iii) Approval.--The authority to 
                        approve a site security plan under 
                        subsection (c) or determine if a 
                        covered chemical facility is in 
                        compliance with an approved site 
                        security plan shall be exercised solely 
                        by the Secretary or a designee of the 
                        Secretary within the Department.
                  (E) Standards for auditors and inspectors.--
                The Secretary shall prescribe standards for the 
                training and retraining of each individual used 
                by the Department as an auditor or inspector, 
                including each individual employed by the 
                Department and all nondepartmental or 
                nongovernmental personnel, including--
                          (i) minimum training requirements for 
                        new auditors and inspectors;
                          (ii) retraining requirements;
                          (iii) minimum education and 
                        experience levels;
                          (iv) the submission of information as 
                        required by the Secretary to enable 
                        determination of whether the auditor or 
                        inspector has a conflict of interest;
                          (v) the proper certification or 
                        certifications necessary to handle 
                        chemical-terrorism vulnerability 
                        information (as defined in section 
                        27.105 of title 6, Code of Federal 
                        Regulations, or any successor thereto);
                          (vi) the reporting of any issue of 
                        non-compliance with this section to the 
                        Secretary within 24 hours; and
                          (vii) any additional qualifications 
                        for fitness of duty as the Secretary 
                        may require.
                  (F) Conditions for nongovernmental auditors 
                and inspectors.--If the Secretary arranges for 
                an audit or inspection under subparagraph (B) 
                to be carried out by a nongovernmental entity, 
                the Secretary shall--
                          (i) prescribe standards for the 
                        qualification of the individuals who 
                        carry out such audits and inspections 
                        that are commensurate with the 
                        standards for similar Government 
                        auditors or inspectors; and
                          (ii) ensure that any duties carried 
                        out by a nongovernmental entity are not 
                        inherently governmental functions.
          (2) Personnel surety.--
                  (A) Personnel surety program.--For purposes 
                of this title, the Secretary shall establish 
                and carry out a Personnel Surety Program that--
                          (i) does not require an owner or 
                        operator of a covered chemical facility 
                        that voluntarily participates in the 
                        program to submit information about an 
                        individual more than one time;
                          (ii) provides a participating owner 
                        or operator of a covered chemical 
                        facility with relevant information 
                        about an individual based on vetting 
                        the individual against the terrorist 
                        screening database, to the extent that 
                        such feedback is necessary for the 
                        facility to be in compliance with 
                        regulations promulgated under this 
                        title; and
                          (iii) provides redress to an 
                        individual--
                                  (I) whose information was 
                                vetted against the terrorist 
                                screening database under the 
                                program; and
                                  (II) who believes that the 
                                personally identifiable 
                                information submitted to the 
                                Department for such vetting by 
                                a covered chemical facility, or 
                                its designated representative, 
                                was inaccurate.
                  (B) Personnel surety program 
                implementation.--To the extent that a risk-
                based performance standard established under 
                subsection (a) requires identifying individuals 
                with ties to terrorism--
                          (i) a covered chemical facility may 
                        satisfy its obligation under the 
                        standard by using any Federal screening 
                        program that periodically vets 
                        individuals against the terrorist 
                        screening database, or any successor 
                        program, including the Personnel Surety 
                        Program established under subparagraph 
                        (A); and
                          (ii) the Secretary may not require a 
                        covered chemical facility to submit any 
                        information about an individual unless 
                        the individual--
                                  (I) is to be vetted under the 
                                Personnel Surety Program; or
                                  (II) has been identified as 
                                presenting a terrorism security 
                                risk.
          (3) Availability of information.--The Secretary shall 
        share with the owner or operator of a covered chemical 
        facility any information that the owner or operator 
        needs to comply with this section.
    (e) Responsibilities of the Secretary.--
          (1) Identification of chemical facilities of 
        interest.--In carrying out this title, the Secretary 
        shall consult with the heads of other Federal agencies, 
        States and political subdivisions thereof, relevant 
        business associations, and public and private labor 
        organizations to identify all chemical facilities of 
        interest.
          (2) Risk assessment.--
                  (A) In general.--For purposes of this title, 
                the Secretary shall develop a security risk 
                assessment approach and corresponding tiering 
                methodology for covered chemical facilities 
                that incorporates the relevant elements of 
                risk, including threat, vulnerability, and 
                consequence.
                  (B) Criteria for determining security risk.--
                The criteria for determining the security risk 
                of terrorism associated with a covered chemical 
                facility shall take into account--
                          (i) relevant threat information;
                          (ii) potential economic consequences 
                        and the potential loss of human life in 
                        the event of the facility being subject 
                        to a terrorist attack, compromise, 
                        infiltration, or exploitation; and
                          (iii) vulnerability of the facility 
                        to a terrorist attack, compromise, 
                        infiltration, or exploitation.
          (3) Changes in tiering.--
                  (A) Maintenance of records.--The Secretary 
                shall document the basis for each instance in 
                which--
                          (i) tiering for a covered chemical 
                        facility is changed; or
                          (ii) a covered chemical facility is 
                        determined to no longer be subject to 
                        the requirements under this title.
                  (B) Required information.--The records 
                maintained under subparagraph (A) shall include 
                information on whether and how the Secretary 
                confirmed the information that was the basis 
                for the change or determination described in 
                subparagraph (A).
          (4) Semiannual performance reporting.--Not later than 
        6 months after the date of enactment of the Protecting 
        and Securing Chemical Facilities from Terrorist Attacks 
        Act of 2014, and not less frequently than once every 6 
        months thereafter, the Secretary shall submit to the 
        Committee on Homeland Security and Governmental Affairs 
        of the Senate and the Committee on Homeland Security of 
        the House of Representatives a report that describes, 
        for the period covered by the report--
                  (A) the number of covered chemical facilities 
                in the United States;
                  (B) the average number of days spent 
                reviewing site security or an alternative 
                security program for a covered chemical 
                facility prior to approval;
                  (C) the number of covered chemical facilities 
                inspected;
                  (D) the average number of covered chemical 
                facilities inspected per inspector; and
                  (E) any other information that the Secretary 
                determines will be helpful to Congress in 
                evaluating the performance of the Chemical 
                Facility Anti-Terrorism Standards Program.

SEC. 2103. PROTECTION AND SHARING OF INFORMATION.

    (a) In General.--Notwithstanding any other provision of 
law, information developed under this title, including 
vulnerability assessments, site security plans, and other 
security related information, records, and documents shall be 
given protections from public disclosure consistent with the 
protection of similar information under section 70103(d) of 
title 46, United States Code.
    (b) Sharing of Information With States and Local 
Governments.--Nothing in this section shall be construed to 
prohibit the sharing of information developed under this title, 
as the Secretary determines appropriate, with State and local 
government officials possessing a need to know and the 
necessary security clearances, including law enforcement 
officials and first responders, for the purpose of carrying out 
this title.
    (c) Sharing of Information With First Responders.--
          (1) Requirement.--The Secretary shall provide to 
        State, local, and regional fusion centers (as that term 
        is defined in section 210A(j)(1)) and State and local 
        government officials, as the Secretary determines 
        appropriate, such information as is necessary to help 
        ensure that first responders are properly prepared and 
        provided with the situational awareness needed to 
        respond to security incidents at covered chemical 
        facilities.
          (2) Dissemination.--The Secretary shall disseminate 
        information under paragraph (1) through a medium or 
        system determined by the Secretary to be appropriate to 
        ensure the secure and expeditious dissemination of such 
        information to necessary selected individuals.
    (d) Enforcement Proceedings.--In any proceeding to enforce 
this section, vulnerability assessments, site security plans, 
and other information submitted to or obtained by the Secretary 
under this title, and related vulnerability or security 
information, shall be treated as if the information were 
classified information.
    (e) Availability of Information.--Notwithstanding any other 
provision of law (including section 552(b)(3) of title 5, 
United States Code), section 552 of title 5, United States Code 
(commonly known as the Freedom of Information Act') shall not 
apply to information protected from public disclosure pursuant 
to subsection (a) of this section.

SEC. 2104. CIVIL ENFORCEMENT.

    (a) Notice of Noncompliance.--
          (1) Notice.--If the Secretary determines that a 
        covered chemical facility is not in compliance with 
        this title, the Secretary shall--
                  (A) provide the owner or operator of the 
                facility with--
                          (i) not later than 14 days after date 
                        on which the Secretary makes the 
                        determination, a written notification 
                        of noncompliance that includes a clear 
                        explanation of any deficiency in the 
                        security vulnerability assessment or 
                        site security plan; and
                          (ii) an opportunity for consultation 
                        with the Secretary or the Secretary's 
                        designee; and
                  (B) issue to the owner or operator of the 
                facility an order to comply with this title by 
                a date specified by the Secretary in the order, 
                which date shall be not later than 180 days 
                after the date on which the Secretary issues 
                the order.
          (2) Continued noncompliance.--If an owner or operator 
        continues to be in noncompliance with this title after 
        the date specified in an order issued under paragraph 
        (1)(B), the Secretary may enter an order in accordance 
        with this section assessing a civil penalty, an order 
        to cease operations, or both.
    (b) Civil Penalties.--
          (1) Violations of orders.--Any person who violates an 
        order issued under this title shall be liable for a 
        civil penalty under section 70119(a) of title 46, 
        United States Code.
          (2) Non-reporting chemical facilities of interest.--
        Any owner of a chemical facility of interest who fails 
        to comply with, or knowingly submits false information 
        under, this title or the CFATS regulations shall be 
        liable for a civil penalty under section 70119(a) of 
        title 46, United States Code.
    (c) Emergency Orders.--
          (1) In general.--Notwithstanding subsection (a) or 
        any site security plan or alternative security program 
        approved under this title, if the Secretary determines 
        that there is a reasonable likelihood that a violation 
        of this title or the CFATS regulations by a chemical 
        facility could result in death, serious illness, severe 
        personal injury, or substantial endangerment to the 
        public, the Secretary may direct the facility, 
        effective immediately or as soon as practicable, to--
                  (A) cease some or all operations; or
                  (B) implement appropriate emergency security 
                measures.
          (2) Limitation on delegation.--The Secretary may not 
        delegate the authority under paragraph (1) to any 
        official other than the Under Secretary for the 
        National Protection and Programs Directorate.
    (d) Right of Action.--Nothing in this title confers upon 
any person except the Secretary or his or her designee a right 
of action against an owner or operator of a covered chemical 
facility to enforce any provision of this title.

SEC. 2105. WHISTLEBLOWER PROTECTIONS.

    (a) Procedure for Reporting Problems.--
          (1) Establishment of a reporting procedure.--Not 
        later than 180 days after the date of enactment of the 
        Protecting and Securing Chemical Facilities from 
        Terrorist Attacks Act of 2014, the Secretary shall 
        establish, and provide information to the public 
        regarding, a procedure under which any employee or 
        contractor of a chemical facility may submit a report 
        to the Secretary regarding problems, deficiencies, or 
        vulnerabilities at a covered chemical facility that are 
        associated with the risk of a chemical facility 
        terrorist incident.
          (2) Confidentiality.--The Secretary shall keep 
        confidential the identity of an individual who submits 
        a report under paragraph (1) and any such report shall 
        be treated as a record containing protected information 
        to the extent that the report does not consist of 
        publicly available information.
          (3) Acknowledgment of receipt.--If a report submitted 
        under paragraph (1) identifies the individual making 
        the report, the Secretary shall promptly respond to the 
        individual directly and shall promptly acknowledge 
        receipt of the report.
          (4) Steps to address problems.--The Secretary shall--
                  (A) review and consider the information 
                provided in any report submitted under 
                paragraph (1); and
                  (B) take appropriate steps under this title 
                if necessary to address any substantiated 
                problems, deficiencies, or vulnerabilities 
                associated with the risk of a chemical facility 
                terrorist incident identified in the report.
          (5) Retaliation prohibited.--
                  (A) In general.--An owner or operator of a 
                covered chemical facility or agent thereof may 
                not discharge an employee or otherwise 
                discriminate against an employee with respect 
                to the compensation provided to, or terms, 
                conditions, or privileges of the employment of, 
                the employee because the employee (or an 
                individual acting pursuant to a request of the 
                employee) submitted a report under paragraph 
                (1).
                  (B) Exception.--An employee shall not be 
                entitled to the protections under this section 
                if the employee--
                          (i) knowingly and willfully makes any 
                        false, fictitious, or fraudulent 
                        statement or representation; or
                          (ii) uses any false writing or 
                        document knowing the writing or 
                        document contains any false, 
                        fictitious, or fraudulent statement or 
                        entry.
    (b) Protected Disclosures.--Nothing in this title shall be 
construed to limit the right of an individual to make any 
disclosure--
          (1) protected or authorized under section 2302(b)(8) 
        or 7211 of title 5, United States Code;
          (2) protected under any other Federal or State law 
        that shields the disclosing individual against 
        retaliation or discrimination for having made the 
        disclosure in the public interest; or
          (3) to the Special Counsel of an agency, the 
        inspector general of an agency, or any other employee 
        designated by the head of an agency to receive 
        disclosures similar to the disclosures described in 
        paragraphs (1) and (2).
    (c) Publication of Rights.--The Secretary, in partnership 
with industry associations and labor organizations, shall make 
publicly available both physically and online the rights that 
an individual who discloses information, including security-
sensitive information, regarding problems, deficiencies, or 
vulnerabilities at a covered chemical facility would have under 
Federal whistleblower protection laws or this title.
    (d) Protected Information.--All information contained in a 
report made under this subsection (a) shall be protected in 
accordance with section 2103.

SEC. 2106. RELATIONSHIP TO OTHER LAWS.

    (a) Other Federal Laws.--Nothing in this title shall be 
construed to supersede, amend, alter, or affect any Federal law 
that regulates the manufacture, distribution in commerce, use, 
sale, other treatment, or disposal of chemical substances or 
mixtures.
    (b) States and Political Subdivisions.--This title shall 
not preclude or deny any right of any State or political 
subdivision thereof to adopt or enforce any regulation, 
requirement, or standard of performance with respect to 
chemical facility security that is more stringent than a 
regulation, requirement, or standard of performance issued 
under this section, or otherwise impair any right or 
jurisdiction of any State with respect to chemical facilities 
within that State, unless there is an actual conflict between 
this section and the law of that State.

SEC. 2107. CFATS REGULATIONS.

    (a) General Authority.--The Secretary may, in accordance 
with chapter 5 of title 5, United States Code, promulgate 
regulations or amend existing CFATS regulations to implement 
the provisions under this title.
    (b) Existing CFATS Regulations.--
          (1) In general.--Notwithstanding section 4(b) of the 
        Protecting and Securing Chemical Facilities from 
        Terrorist Attacks Act of 2014, each existing CFATS 
        regulation shall remain in effect unless the Secretary 
        amends, consolidates, or repeals the regulation.
          (2) Repeal.--Not later than 30 days after the date of 
        enactment of the Protecting and Securing Chemical 
        Facilities from Terrorist Attacks Act of 2014, the 
        Secretary shall repeal any existing CFATS regulation 
        that the Secretary determines is duplicative of, or 
        conflicts with, this title.
    (c) Authority.--The Secretary shall exclusively rely upon 
authority provided under this title in--
          (1) determining compliance with this title;
          (2) identifying chemicals of interest; and
          (3) determining security risk associated with a 
        chemical facility.

SEC. 2108. SMALL COVERED CHEMICAL FACILITIES.

    (a) Definition.--In this section, the term ``small covered 
chemical facility'' means a covered chemical facility that--
          (1) has fewer than 100 employees employed at the 
        covered chemical facility; and
          (2) is owned and operated by a small business concern 
        (as defined in section 3 of the Small Business Act (15 
        U.S.C. 632)).
    (b) Assistance to Facilities.--The Secretary may provide 
guidance and, as appropriate, tools, methodologies, or computer 
software, to assist small covered chemical facilities in 
developing the physical security, cybersecurity, recordkeeping, 
and reporting procedures required under this title.
    (c) Report.--The Secretary shall submit to the Committee on 
Homeland Security and Governmental Affairs of the Senate and 
the Committee on Homeland Security of the House of 
Representatives a report on best practices that may assist 
small covered chemical facilities in development of physical 
security best practices.

SEC. 2109. OUTREACH TO CHEMICAL FACILITIES OF INTEREST.

    Not later than 90 days after the date of enactment of the 
Protecting and Securing Chemical Facilities from Terrorist 
Attacks Act of 2014, the Secretary shall establish an outreach 
implementation plan, in coordination with the heads of other 
appropriate Federal and State agencies, relevant business 
associations, and public and private labor organizations, to--
          (1) identify chemical facilities of interest; and
          (2) make available compliance assistance materials 
        and information on education and training.

                                  
