January 22, 2021
The U.S. Government Accountability Office (GAO) has published a report titled, Chemical Security – Overlapping Programs Could Better Collaborate to Share Information and Identify Potential Security Gaps. In the report, the GAO reviewed overlap between chemical safety and security programs administered by the Department of Homeland Security (DHS), Environmental Protection Agency (EPA), Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), and the Department of Transportation (DOT). Specifically, the GAO focused on the: (1) Chemical Facility Anti-Terrorism Standards (CFATS); (2) Maritime Transportation Security Act (MTSA); (3) Transportation Security Administration (TSA) Rail Security Program; (4) TSA Pipeline Security Program; (5) ATF Explosive Materials Program; (6) EPA Water Infrastructure Act Program; (7) EPA Risk Management Program (RMP); (8) EPA Resource Conservation and Recovery Act (RCRA) Program; and (9) DOT Hazardous Materials Program.
Among other things, the GAO found that:
- When compared with CFATS, all eight of the other programs reviewed contain requirements or guidance that generally align with at least half of the eighteen CFATS Risk-Based Performance Standards (RBPSs).
- At least 550 of 3,300 (16%) CFATS-regulated facilities are also subject to other federal chemical safety or security programs.
- More than 1,600 public water systems or wastewater treatment facilities are excluded from CFATS, leading to fragmentation. These facilities are subject to federal programs that generally do not align with CFATS and, according to DHS, are not required to implement security measures commensurate to their level of security risk. The GAO determined that DHS and the EPA have not collaborated to modernize policies and assess potential water security gaps.
- Although directed by Executive Order to improve coordination and information sharing, the Chemical Facility Safety and Security Working Group (led by DHS, EPA, and the Department of Labor, along with representation from ATF and DOT) has not identified which facilities are subject to multiple programs and may be unnecessarily developing duplicative information for compliance.
The GAO made the following recommendations:
- DHS should collaborate with partners and establish an ongoing process to identify the extent to which CFATS-regulated facilities are also covered by other programs that generally align with some of the CFATS RBPSs.
- The EPA, ATF, and DOT should collaborate with partners and establish ongoing processes to identify the extent to which the facilities they regulate are also covered by the CFATS program.
- DHS’s Cybersecurity and Infrastructure Security Agency (CISA) should update and disseminate CFATS program guidance to include a list of commonly accepted actions facilities may have taken and information they may have prepared pursuant to other federal chemical safety or security programs.
- CISA and the EPA should collaborate to assess the extent to which potential security gaps exist at water and wastewater facilities and develop a legislative proposal to address these gaps.