Spotlight on chemical sector security and information security requirements.
Congress has also been heavily involved in reviewing chemical sector security, ultimately including a provision in the Homeland Security appropriations measure that required DHS to draft and issue regulations for "high risk chemical facilities." As a result of the passage of this legislation, on April 9, 2007, DHS issued an Interim Final Rule entitled Chemical Facility Anti-Terrorism Standards (CFATS) that became effective June 8, 2007. DHS simultaneously published a proposed list of "chemicals of interest" along with their screening threshold quantities (Appendix A). Following the close of a comment period on the draft list, DHS reissued a final Appendix A list of chemicals of interest in November 2007.
The Interim Final Rule required that companies possessing one or more chemicals in amounts exceeding the screening threshold quantities found in Appendix A complete and submit a "Top Screen" to DHS no later than January 22, 2008. The Top Screen submission was intended to provide information on chemicals and the facility that would enable DHS to evaluate risk and place submitters into Tier rankings. DHS has now reviewed the Top Screen submissions and has preliminarily identified approximately 7000 sites as "high risk." Of these, 219 were placed in tier 1 (the highest risk), 756 in tier 2, 1712 in tier 3, and 4319 in tier 4. Companies having sites falling into one of the four tiers received notification letters for these sites in June 2008. The letters informed companies about their preliminary site tier, the triggering chemical of interest, the triggering scenario, and their Security Vulnerability Assessment (SVA) requirements/deadline. A number of American Coatings Association (ACA) member companies received such tiering letters for one or more facilities, with most affected sites in the coatings industry falling under tier 4. In many cases, the triggering chemical of interest (COI) was aluminum powder, including that used in paste or flake form.
Companies receiving tier letters were specifically advised of the timeline for completion of the CFATS SVA. As companies submitted their SVAs, DHS began a review process to determine a facility's final tier. As that process concludes, companies that operate "tiered" facilities are required to meet specific security requirements and develop and submit conforming site security plans (SSPs) for each tiered site within 120 days. These SSPs must meet DHS Risk-Based Performance Standards.
ACA, with input from its issue management committees and an informal security working group, has filed extensive comments with DHS on both the CFATS rule and on the list of chemicals and their proposed thresholds (Appendix A).
Additionally, ACA, the American Chemistry Council (ACC), and 14 other chemical industry associations comprise a Chemical Sector Coordinating Council (CSCC). The CSCC was organized to further communications with DHS and advise the agency on how it might develop more effective ways to implement chemical security policy. The CSCC reviewed the proposed rule and Appendix and filed detailed comments on it, with ACA also joining in those consolidated comments.
ACA member companies that receive final tiering letters will face new information security requirements, including a requirement that many aspects of their manufacturing processes and supply chains are to be considered Chemical-Terrorism Vulnerability Information (CVI), a category of sensitive but unclassified information. All facilities subject to CFATS must comply with CVI regulations, including restricting disclosure to "authorized users" who have received mandatory training and who have "a need to know" the information.
Several ACA committees routinely address certain regulated security issues, including the Occupational Health and Safety Committee (workplace security, including site access), the Transportation and Distribution Committee (transport security requirements under DOT), and the Manufacturing Committee (which monitors security impacts on manufacturing facilities as a whole). Additionally, ACA developed and offered a Virtual Learning Conference on this topic with a focus on how regulated companies can develop compliant Site Security Plans.
Contact ACA's Allen Irish (email@example.com) for more information.