If the Secretary determines that a covered chemical facility is not in compliance with this subchapter, the Secretary shall—
(A) provide the owner or operator of the facility with—
(i) not later than 14 days after date 1 on which the Secretary makes the determination, a written notification of noncompliance that includes a clear explanation of any deficiency in the security vulnerability assessment or site security plan; and
(ii) an opportunity for consultation with the Secretary or the Secretary's designee; and
(B) issue to the owner or operator of the facility an order to comply with this subchapter by a date specified by the Secretary in the order, which date shall be not later than 180 days after the date on which the Secretary issues the order.
If an owner or operator remains noncompliant after the procedures outlined in paragraph (1) have been executed, or demonstrates repeated violations of this subchapter, the Secretary may enter an order in accordance with this section assessing a civil penalty, an order to cease operations, or both.
Any person who violates an order issued under this subchapter shall be liable for a civil penalty under section 70119(a) of title 46.
Any owner of a chemical facility of interest who fails to comply with, or knowingly submits false information under, this subchapter or the CFATS regulations shall be liable for a civil penalty under section 70119(a) of title 46.
Notwithstanding subsection (a) or any site security plan or alternative security program approved under this subchapter, if the Secretary determines that there is an imminent threat of death, serious illness, or severe personal injury, due to a violation of this subchapter or the risk of a terrorist incident that may affect a chemical facility of interest, the Secretary—
(A) shall consult with the facility, if practicable, on steps to mitigate the risk; and
(B) may order the facility, without notice or opportunity for a hearing, effective immediately or as soon as practicable, to—
(i) implement appropriate emergency security measures; or
(ii) cease or reduce some or all operations, in accordance with safe shutdown procedures, if the Secretary determines that such a cessation or reduction of operations is the most appropriate means to address the risk.
The Secretary may not delegate the authority under paragraph (1) to any official other than the Director of Cybersecurity and Infrastructure Security.
The Secretary may exercise the authority under this subsection only to the extent necessary to abate the imminent threat determination under paragraph (1).
An order issued by the Secretary under paragraph (1) shall be in the form of a written emergency order that—
(i) describes the violation or risk that creates the imminent threat;
(ii) states the security measures or order issued or imposed; and
(iii) describes the standards and procedures for obtaining relief from the order.
After issuing an order under paragraph (1) with respect to a chemical facility of interest, the Secretary shall provide for review of the order under section 554 of title 5 if a petition for review is filed not later than 20 days after the date on which the Secretary issues the order.
If a petition for review of an order is filed under subparagraph (B) and the review under that paragraph is not completed by the last day of the 30-day period beginning on the date on which the petition is filed, the order shall vacate automatically at the end of that period unless the Secretary determines, in writing, that the imminent threat providing a basis for the order continues to exist.
Nothing in this subchapter confers upon any person except the Secretary or his or her designee a right of action against an owner or operator of a covered chemical facility to enforce any provision of this subchapter.
(Pub. L. 107–296, title XXI, §2104, as added Pub. L. 113–254, §2(a), Dec. 18, 2014, 128 Stat. 2912; amended Pub. L. 115–278, §2(g)(8)(B), Nov. 16, 2018, 132 Stat. 4180.)
For termination of section by section 5 of Pub. L. 113–254, see Effective and Termination Dates note below.
2018—Subsec. (c)(2). Pub. L. 115–278 substituted "Director of Cybersecurity and Infrastructure Security" for "Under Secretary responsible for overseeing critical infrastructure protection, cybersecurity, and other related programs of the Department appointed under section 113(a)(1)(H) of this title".
Section effective on the date that is 30 days after Dec. 18, 2014, and authority provided under this section to terminate on the date that is 4 years after such effective date, see sections 4(a) and 5 of Pub. L. 113–254, set out as notes under section 621 of this title.
1 So in original. Probably should be preceded by "the".