[Federal Register Volume 72, Number 67 (Monday, April 9, 2007)]
[Rules and Regulations]
[Pages 17688-17745]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E7-6363]
[[Page 17687]]
-----------------------------------------------------------------------
Part III
Department of Homeland Security
-----------------------------------------------------------------------
6 CFR Part 27
Chemical Facility Anti-Terrorism Standards; Final Rule
��Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules
and Regulations��
[[Page 17688]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
6 CFR Part 27
[DHS-2006-0073]
RIN 1601-AA41
Chemical Facility Anti-Terrorism Standards
AGENCY: Department Of Homeland Security.
ACTION: Interim final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Homeland Security (DHS or Department) issues
this interim final rule (IFR) pursuant to Section 550 of the Homeland
Security Appropriations Act of 2007 (Section 550), which provided the
Department with authority to promulgate ``interim final regulations''
for the security of certain chemical facilities in the United States.
This rule establishes risk-based performance standards for the
security of our Nation's chemical facilities. It requires covered
chemical facilities to prepare Security Vulnerability Assessments
(SVAs), which identify facility security vulnerabilities, and to
develop and implement Site Security Plans (SSPs), which include
measures that satisfy the identified risk-based performance standards.
It also allows certain covered chemical facilities, in specified
circumstances, to submit Alternate Security Programs (ASPs) in lieu of
an SVA, SSP, or both.
The rule contains associated provisions addressing inspections and
audits, recordkeeping, and the protection of information that
constitutes Chemical-terrorism Vulnerability Information (CVI).
Finally, the rule provides the Department with authority to seek
compliance through the issuance of Orders, including Orders Assessing
Civil Penalty and Orders for the Cessation of Operations.
EFFECTIVE DATES: This regulation is effective June 8, 2007, except for
Appendix A to part 27. A subsequent final rule document will announce
the effective date of Appendix A to Part 27.
Comment related to the addition of Appendix A to part 27 only will
be accepted until May 9, 2007.
ADDRESSES: You may submit comments, identified by docket number 2006-
0073, by one of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: IP/CSCD/Dennis Deziel, Mail Stop 8100, Department of
Homeland Security, Washington, DC 20528-8100.
FOR FURTHER INFORMATION CONTACT: Dennis Deziel, Chemical Security
Regulatory Task Force, Department of Homeland Security, 703-235-5263.
SUPPLEMENTARY INFORMATION: This interim final rule is organized as
follows: Section I explains the public participation provisions and
provides a brief discussion of the statutory and regulatory authority
and history; Section II summarizes the changes from the Advance Notice
of Rulemaking and discusses the revised rule text; Section III
summarizes and responds to the comments the Department received in
response to the Advance Notice of Rulemaking; and Section IV contains
the regulatory analyses for this interim final rule.
Table of Contents
I. Introduction and Background
A. Public Participation
B. Statutory and Regulatory Authority and History
II. Interim Final Rule
A. Summary of Changes From Advance Notice of Rulemaking
B. Rule Provisions
III. Discussion of Comments
A. Applicability of the Rule
1. Definition of ``Chemical Facility or Facility''
2. Multiple Owners or Operators
3. Classifying Facilities Based on Hazard Class
4. Applicability to Specific Chemicals or Quantities of
Chemicals
5. Applicability to Types of Facilities
6. Statutory Exemptions
B. Determining Which Facilities Present a High-Level of Security
Risk
1. Use of the Top-Screen Approach
2. Assessment Methodologies
3. Risk-Based Tiers
C. Security Vulnerability Assessments and Site Security Plans
1. General Comments
2. Submitting a Site Security Plan
3. Content of Site Security Plans
4. Approval of Site Security Plans
5. Timing
6. Alternate Security Programs
D. Risk-Based Performance Standards
1. General Approach To Performance Standards
2. Comments about Specific Performance Standards
3. Variations in Performance Standards for Risk Tiers
4. Adoption of MTSA Provisions
E. Background Checks
F. Inspections and Audits
1. Inspections
2. Third-Party Auditors and Inspectors
G. Recordkeeping
H. Orders
I. Adjudications and Appeals
J. Information Protection: Chemical-terrorism Vulnerability
Information (CVI)
1. General
2. Disclosure of CVI
3. Scope of CVI
4. Relation of CVI to Other Categories of Protected Information
and FOIA
5. Sharing CVI with State and Local Officials, the Public, and
Congress
6. Litigation
7. Protection of CVI
K. Preemption
L. Implementation of the Rule
M. Other Issues
1. Whistleblower Protection
2. Inherently Safer Technology
3. Delegation of Responsibility
4. Interaction with Other Federal Rules and Programs
5. Third-Party Actions
6. Judicial Review
7. Guidance and Technical Assistance
8. Miscellaneous Comments
N. Regulatory Evaluation
IV. Regulatory Analyses
A. Executive Order 12866: Regulatory Planning and Review
B. Regulatory Flexibility Act
C. Executive Order 13132: Federalism
1. Background
2. Propriety of the Department's View on Preemption
3. No Field Preemption
4. Principles of Conflict Preemption
D. Unfunded Mandates Reform Act
E. Paperwork Reduction Act
F. NEPA
I. Introduction and Background
A. Public Participation
Interested persons are invited to participate in this rulemaking by
submitting written data, views, or arguments on Appendix A of this
interim final rule. Comments that will provide the most assistance to
DHS in finalizing the Appendix will reference specific chemicals and
Screening Threshold Quantities on the list, explain the reason for any
recommended change, and include data, information, or authority that
support such recommended change.
Instructions: All submissions received must include the agency name
and docket number for this rulemaking. All comments received will be
posted without change to http://www.regulations.gov, including any
personal information provided.
Comments that include trade secrets, confidential commercial or
financial information, Sensitive Security Information (SSI), or
Protected Critical Infrastructure Information (PCII) should not be
submitted to the public regulatory docket. Please submit such comments
separately from other comments on the rule. Comments containing trade
secrets, confidential commercial or financial information, Sensitive
Security Information (SSI), or Protected Critical Infrastructure
Information (PCII) should be appropriately marked as containing such
information and submitted by mail
[[Page 17689]]
to the individual(s) listed in the FOR FURTHER INFORMATION CONTACT
section.
Docket: For access to the docket to read background documents or
comments received, go to http://www.regulations.gov. Submitted comments
by mail may also be inspected. To inspect comments, please call Dennis
Deziel, 703-235-5263, to arrange for an appointment.
B. Statutory Regulatory Authority and History
On October 4, 2006, the President signed the Department of Homeland
Security Appropriations Act of 2007 (the Act), which provides the
Department of Homeland Security with the authority to regulate the
security of high-risk chemical facilities. See Pub. L. 109-295, sec.
550. Section 550 requires the Secretary of Homeland Security to
promulgate interim final regulations ``establishing risk-based
performance standards for security of chemical facilities'' by April 4,
2007. Id. Although interim final regulations are usually issued without
prior notice and comment (and the Act requires neither), the Department
issued an Advance Notice of Rulemaking (Advance Notice) seeking comment
on the significant issues and regulatory text. See generally 71 FR
78276 (Dec. 28, 2006).
As discussed more fully in the Advance Notice, before the enactment
of Section 550, the Federal government did not have authority to
regulate the security of most chemical facilities. The Department has,
however, worked closely with industry leaders in pursuit of voluntary
enhancement of security at these facilities and provided both technical
assistance and grant funding for security. In addition, through the
Coast Guard's Maritime Security regulations, the Department has
addressed security at certain maritime-related chemical facilities. See
33 CFR Part 105. Recently, the Departments of Homeland Security and
Transportation also proposed security regulations for the rail
transportation of hazardous chemicals. See 71 FR 76834, 71 FR 76851
(Dec. 21, 2006). Other Federal programs have addressed chemical
facility safety, but not security: the Environmental Protection Agency
(EPA) regulates chemical process safety through its Risk Management
Plan (RMP) program; the Department of Labor's Occupational Safety and
Health Administration (OSHA) regulates workplace safety and health at
chemical facilities; the Department of Commerce oversees compliance
with the Chemical Weapons Convention; and the Department of Justice's
Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) regulates,
through licenses and permits, the purchase, possession, storage, and
transportation of explosives.
With the authority under Section 550, the Department can now fill a
significant security gap in the country's anti-terrorism efforts.
Section 550 specifies that the regulations ``shall apply to chemical
facilities that, in the discretion of the Secretary, present high
levels of security risk.'' The statute requires that the regulations
establish risk-based performance standards; requires Security
Vulnerability Assessments and Site Security Plans; allows Alternative
Security Programs; mandates audits and inspections to determine
compliance with the regulations; provides for civil penalties for
violation of an order issued under the statute; and allows the
Secretary to order a facility to cease operations if the facility is
not in compliance with the requirements. The statute also gives the
Department the authority to protect from inappropriate public
disclosure any information developed pursuant to Section 550,
``including vulnerability assessments, site security plans, and other
security related information, records, and documents.''
As discussed in the Advance Notice, by directing the Secretary to
issue ``interim final regulations,'' Congress authorized the Secretary
to proceed without the traditional notice-and-comment required by the
Administrative Procedure Act. See 71 FR 78276, 78277. The Department,
however, saw great benefit in soliciting comments on as much of the
program as was practicable in the short timeframe permitted under the
statute. Accordingly, the Department voluntarily sought comment on a
range of regulatory and implementation issues and responds to the
comments below.
II. Interim Final Rule
A. Summary of Changes From Advance Notice of Rulemaking
In this interim final rule, the Department has not changed the
general, risk-based approach it proposed in the December 28, 2006,
Advance Notice. See 71 FR 78276. As discussed in detail below, the
Department plans to implement the regulation in phases, starting to
work aggressively with chemical facilities presenting the very highest
security risks first. The Department adopts a risk-based tiering
structure in its regulatory approach, so that the Department's scrutiny
of facilities under this regulation increases as the level of risk
increases. Even though this approach remains the same, the Department
provides further details below on a number of unresolved issues
presented in the Advance Notice. For example, the Department provides
further detail on the issues surrounding background checks for those
with access to high-risk facilities, and the Department describes its
approach on facilities possessing ammonium nitrate.
On several important issues, the Department has reconsidered and
modified the position it proposed in the Advance Notice. For example,
in response to comments, the Department has restructured its provisions
concerning objections, consultations, adjudications, and appeals. As
discussed below, the Department's aim is to provide flexibility and
assistance for facilities seeking to comply with the regulatory
standards. The Department has decided, however, to incorporate a role
for a neutral adjudicator where unresolved differences present
themselves and result in significant fines or other penalties. In
addition, the Department has modified a number of scheduling and timing
requirements in response to comments, and the Department further
explains its approach on preemption of state and local law after
considering the numerous comments on that subject. Although the
Department continues to view as important the opportunity for
facilities to submit Alternative Security Programs, the Department
modified the circumstances in which it will accept Alternative Security
Programs.
Finally, the Department will consider the issues surrounding the
use of fees in this regulatory program. The Department is contemplating
the assessment of different fees, including filing fees, fees for
inspections and audits, and fees for the screening of individuals
against the Terrorist Screening Database. The Department has not
provided for fees in this interim final rule, but may, in the future,
propose and seek comment on the issues surrounding fees for this
regulatory program.
B. Rule Provisions
This section summarizes the regulatory text changes that the
Department has made to this interim final rule. In addition to the
summary contained in this section, we have, in many cases, provided a
more extensive discussion of the change, and the reason for the change,
in the response to comments below. See Sec. III ``Discussion of
Comments.'' Finally, to the extent that the Department has made
technical corrections or corrected typographical errors, we do not
specifically discuss them.
[[Page 17690]]
Subpart A
Section 27.100 Purpose
The Department has added a Purpose section to the rule. It states
the Department's purpose and intent in issuing this rule and enforcing
this regulatory program.
Section 27.105 Definitions
For purposes of clarity, DHS has added several definitions,
including ``Chemical Security Assessment Tool,'' ``Chemical-terrorism
Vulnerability Information,'' ``Deputy Secretary,'' ``Director of the
Chemical Security Division'' and ``Screening Threshold Quantity.'' The
Department has also revised a few definitions, including ``Assistant
Secretary'' and ``Under Secretary.'' The Department revised ``Under
Secretary'' as a result of organizational changes in the Department
following the Post-Katrina Emergency Reform Act, which the President
signed on October 4, 2006. See Public Law 109-295, Title VI. In several
places, the Department indicated that the named official, or his
designee, has the specified responsibility under the regulation. The
Department also revised the definition of ``Alternate Security
Program,'' to provide consistency with changes the Department has since
made to Sec. 27.235, the Alternate Security Programs section. The
Department expanded upon the definition of ``tier,'' adding that, for
purposes of this part, there are four risk-based tiers.
Finally, the Department made clarifying changes to ``Chemical
Facility,'' ``Covered Chemical Facility,'' and ``Owner.'' With respect
to the definition of ``Chemical Facility,'' the Department removed the
circular nature of the definition in the Advance Notice (i.e., a
chemical facility shall mean any facility) (emphasis added) and now
provides that a chemical facility ``shall mean any establishment that
possesses or plans to possess * * *.''
Section 27.120 Designation of a coordinating official; Consultations
and technical assistance
The language in revised Sec. 27.120(a) makes clear that the
Assistant Secretary will designate a Coordinating Official responsible
for ensuring the uniform, impartial, and fair implementation of these
regulations. The language in revised Sec. 27.120(b) indicates that the
Coordinating Official and his staff shall provide guidance to
facilities, and while the Coordinating Official and his staff will be
available for consultation and to provide technical assistance, they
will be available only to the extent that resources permit.
In Sec. 27.120(c), the Department has provided specific details as
to how a facility requests the assistance of the Coordinating Official.
In the second sentence of Sec. 27.120(c), the Department provides that
requests for consultation or technical guidance do not serve to toll
any of the applicable timelines set forth in this part. Accordingly,
regardless of whether or when a facility submits a request for
consultation or technical guidance, the Department will require the
facility to comply with the regulatory requirements, such as completing
the Top-Screen, identifying vulnerabilities in the Security
Vulnerability Assessment, and developing and implementing a Site
Security Plan.
The Department has added a new provision in Sec. 27.120(d). This
provision provides that a covered facility may request a consultation
with the Coordinating Official if it modifies its facility, processes,
or the types or quantities of materials that it possesses, and believes
such changes may impact the covered facility's obligations under this
part. The Department added this provision in response to commenters
concerned about a facility's ability to ``exit'' the regulatory
program. The Department recognizes that facilities that reduce risk to
levels below those levels that the Department deems as that
characterized for Tier 4 facilities (i.e., the lowest risk facilities
of the ``high risk'' facilities) or that eliminate certain risks
altogether may no longer need to be covered by this regulation. This
provision allows the covered facility to request the initiation of the
screening process (which determines whether or not the facility is
high-risk and therefore whether the facility is or is not included in
this regulatory program) prior to the facility's next scheduled CSAT
Top-Screen submission pursuant to Sec. 27.210. Through this
consultation process, the facility may initiate discussions with the
Department and ultimately accelerate the process for determining
whether it can ``exit'' the regulatory program.
Subpart B
Section 27.200 Information regarding security risk for a chemical
facility
The Department has added several new provisions to this section.
The Department has revised paragraph (b), by incorporating language
from proposed Sec. 27.200(a) of the Advance Notice and by also adding
new provisions. The two sentences in paragraph (b)(1) come from the end
of proposed Sec. 27.200(a). Paragraph (b)(1) provides that the
Assistant Secretary may seek the information listed in paragraph (a) by
contacting chemical facilities individually or by publishing a notice
in the Federal Register. It also provides that the Assistant Secretary
may instruct facilities to complete and submit a Top-Screen through a
secure Department Web site or through any other means approved by the
Assistant Secretary.
Paragraph (b)(2) is a new provision. It provides that a facility
must complete and submit a Top-Screen in accordance with the schedule
provided in Sec. 27.210 if it possesses any of the chemicals listed in
Appendix A: ``DHS Chemicals of Interest'' at the corresponding
quantities. For a further discussion of Appendix A, see the discussion
of Appendix A further below in the Rule Provisions section. The purpose
of this provision is to give facilities direction as to whether or not
they must complete and submit a Top-Screen.
As noted in the discussion of Appendix A, the presence or amount of
a particular chemical is not an indicator of a facility's coverage
under this rule. The presence or amount of a chemical in the Appendix
is merely a baseline threshold requiring a facility to complete and
submit a Top-Screen. (Consistent with Sec. 27.200(b)(1), DHS will
retain the ability to notify facilities, through direct notification or
Federal Register notice, that they need to complete and submit a Top-
Screen.) The information that the Department will obtain through the
Top-Screen process is only one of several factors that the Department
will consider in determining whether a facility is ``high-risk'' and
thus covered by this rule.
Paragraph (b)(3) addresses the requirements for individuals who
submit information to the Department through the CSAT system, which
includes the Top-Screen process. Paragraph (b)(3) provides that, where
the Department requests that a facility complete and submit a Top-
Screen, the facility must designate a person to be responsible for the
submission of information through the CSAT system. (The CSAT system is
comprised of three sequential parts: the Top-Screen, the SVA, and the
SSP). The Department provides that any such submitter must be an
officer of the corporation or other person designated by an officer of
the corporation, and must be domiciled in the United States. The
Department had contemplated such requirements in Appendix A to the
Advance Notice and now finalizes them here.
Consistent with the explanation in Appendix A to the Advance
Notice, the
[[Page 17691]]
Department notes that a facility may choose to have another individual,
in addition to the above-discussed ``submitter,'' involved in the
submission of information through the Top-Screen. That other individual
is a ``provider.'' A provider would be a qualified individual who is
familiar with the facility in question and who completes the
information in the CSAT system. The provider, however, would not
formally submit information to the Department. The individual
responsible for sending information to the Department through the CSAT
system (whether Top-Screen, SVA, or SSP) is always the submitter. And
as indicated in paragraph (b)(3), the submitter is also responsible for
attesting to the accuracy of the submitted information.
Paragraphs (c)(1) and (2) address facilities that the Department
deems as ``presumptively high risk.'' Both paragraphs were in the
Advance Notice, though they were located in proposed Sec. Sec.
27.200(b) and (c).
Section 27.205 Determination that a chemical facility ``presents a high
level of security risk.''
The Advance Notice, at the end of Sec. 27.205(a), contained a
provision about Departmental notification to facilities of their
preliminary placement in a risk-based tier. The Department has moved
that language to Sec. 27.220 ``Tiering,'' so that it is located with
the related tiering provisions.
In addition, the Department has removed proposed Sec. 27.205(c),
along with Sec. Sec. 27.220(b), and 27.240(c), all of which had
contained a mechanism for objections. In the Advance Notice, the
Department had provided facilities with the opportunity to object to
the following three Departmental actions: determination that a facility
``presents a high level of risk,'' placement in a high-risk tier, and
disapproval of a facility's Site Security Plan. The intention behind
those provisions was to provide facilities with an informal opportunity
to consult with the Department. The Department believes that the rule
(including existing provisions from the Advance Notice as well as new
provisions in this interim final rule) provides facilities with several
opportunities for consultation when they disagree with an initial
decision on these matters. Specifically, revised Sec. 27.120(b)
provides that the Coordinating Official and his staff shall be
available to consult and to provide technical assistance to a facility
owner or operator, revised Sec. 27.120(c) provides the details for how
a facility should initiate consultations or assistance, and revised
Sec. 27.120(d) provides that a covered facility may request a
consultation if it modifies its facility, processes, or the types or
quantities of materials that it possesses and believes such changes may
impact the covered facility's obligations under this part. In addition,
Sec. Sec. 27.240(b) and 27.245(b) provide that a facility shall enter
further consultations following Departmental written notification that
a Security Vulnerability Assessment or Site Security Plan is
unsatisfactory. Given that the rule already provides consultation
opportunities, coupled with the fact that the Department has greatly
modified its adjudication and appeal provisions, the Department
believes it is unnecessary to retain these objections provisions and
has thus removed them from the interim final rule.
Section 27.210 Submissions Schedule
In Sec. 27.210, the Department clarifies the submission schedule
for the Top-Screen, Security Vulnerability Assessment, and Site
Security Plan. In Sec. 27.210(a) of the Advance Notice, the Department
included a sentence indicating that the presumptive time frames were 60
days for the Security Vulnerability Assessment and 120 days for the
Site Security Plan. In this interim final rule, the Department has
added presumptive timeframes for the submission of the Top-Screen and
revised the presumptive timeframes for SVAs and SSPs. See Sec.
27.210(a) and (b). The presumptive timeframes for initial submissions
are 60 calendar days for the Top-Screen, 90 calendar days for the SVA,
and 120 calendar days for the SSP. The presumptive timeframes for
resubmission vary depending on a facility's tier. As a general matter,
the Department will require facilities in Tiers 1 and 2 to update their
Top-Screen, SVA, and SSP every two years, and facilities in Tiers 3 and
4 to update their Top-Screen, SVA, and SSP every three years.
In addition, the Department added a new paragraph (c), which
addresses the Department's authority to modify schedules as necessary.
The Department removed Sec. 27.210(c) as it appeared in the Advance
Notice, because the provision was unnecessary in light of the new
provisions in Sec. 27.120(b) and (c), ``Designation of a coordinating
official; consultations and technical assistance.''
Finally, the Department added a new paragraph (d), which addresses
material modifications. In Sec. Sec. 27.215(c)(3) and 27.225(b)(3) of
the Advance Notice, the Department provided that a covered facility had
to notify the Department of material modifications to the SVA or SSP
and that the Department would notify the facility within 60 days of
whether the Department disapproved the revised SVA or SSP. The
Department has re-located a new but similar requirement in Sec.
27.210(d). The regulation now provides that if a covered facility makes
material modifications to its operations or site, the covered facility
must complete and submit a revised Top-Screen to the Department within
60 days of completion of the material modification. In accordance with
the resubmission requirements in Sec. 27.210(b)(2) and (3), the
Department will notify the covered facility as to whether the covered
facility must submit a revised Security Vulnerability Assessment, Site
Security Plan, or both. As a result of this new paragraph (d), the
Department removed the provisions that appeared in Sec. Sec.
27.215(c)(3) and 27.225(b)(3) of the Advance Notice.
Section 27.215 Security Vulnerability Assessments and Section 27.225
Site Security Plans
The Department has revised several of the corresponding provisions
in both Sec. 27.215 and Sec. 27.225. First, the Department has
revised the corresponding provisions regarding methodologies.
Specifically, the Department has revised the language in Sec.
27.215(b) and added a new paragraph (b) in Sec. 27.225. In both
places, the Department explains that, except as provided in Sec.
27.235, a covered facility must submit either the SVA/SSP through the
CSAT process or any other methodology or process identified by the
Assistant Secretary.
By this change, the Department is making more explicit its
intention to use the CSAT process at this time. The CSAT process
includes completion of the Top-Screen process and, depending on the
results of the Top-Screen process, may also include the development of
a Security Vulnerability Assessment and the development of a Site
Security Plan. Thus, for facilities that are determined to be high-
risk, the CSAT process will consist of three sequential parts (i.e.,
the Top-Screen, SVA, and SSP). The Department also notes that
facilities will have to obtain access to the CSAT system by submitting
a user registration request. Section 27.200(b)(1) contains the
requirements for individuals (i.e., submitters) who will be submitting
information through the CSAT system and attesting to the accuracy of
that information.
Second, in paragraph (c) of both sections, the Department provides
that a covered facility must submit an SVA or SSP to the Department in
accordance
[[Page 17692]]
with the schedule provided in Sec. 27.210. This captures the
requirement that had been located in proposed Sec. 27.240(a)(1) of the
Advance Notice.
Third, in paragraph (d) of both sections, the Department revised
the update/revision provisions for submitting SVAs and SSPs. In the
Advance Notice, the Department indicated that covered facilities must
update or revise their SVAs or SSPs based on a schedule set by the
Assistant Secretary. Because the Department has established a
submission schedule in Sec. 27.210, the Department now includes cross-
references in Sec. 27.215(d)(1) and Sec. 27.225(d)(2) to that
schedule. As a related matter, in Sec. 27.215(d), the Department moved
the general submissions schedule requirement to Sec. 27.215(d)(1),
thereby re-locating the provision formerly in Sec. 27.215(d)(1) to
Sec. 27.215(d)(2).
Fourth, the Department has removed the language about material
modifications from proposed Sec. 27.215(c)(3) and Sec. 27.225(b)(3).
As discussed in the summary of Sec. 27.210, the Department added a
new, but similar, provision to Sec. 27.210(d). The new provision now
captures the concept contemplated in proposed Sec. 27.215(c)(3) and
Sec. 27.225(b)(3).
With respect to changes to Sec. 27.225 only, the Department has
added a provision that requires facilities to conduct annual audits of
their Site Security Plans. See Sec. 27.225(e). This provision had been
implied in the recordkeeping requirement in the Advance Notice (see
Sec. 27.255(a)(6)) and is now explicit. DHS made some additional
revisions to the corresponding recordkeeping provision, in which DHS
more clearly specifies the audit-related records that covered
facilities should maintain.
Finally, throughout this document, the Department now uses the term
``Security Vulnerability Assessment'' (or SVA) instead of the term
``Vulnerability Assessment'' or (VA), which the Department had used in
the Advance Notice. The Department intends no change in meaning with
this revision.
Section 27.220 Tiering
The Department has added several paragraphs to this section.
Section 27.220(a) addresses the Department's preliminary determination
as to a facility's risk-based tier. Paragraph (a) is based on language
that had been in the Advance Notice at the end of Sec. 27.205(a). The
Department has elaborated on the Preliminary Tiering provision.
Notably, the Department has indicated that it shall notify a facility
of the Department's preliminary tiering decision. This contrasts with
the Advance Notice, which had merely indicated that the Department may
notify a facility of the Department's preliminary tiering decision.
Section 27.220(b) is not a new subsection; rather, it contains the
language that was previously located in Sec. 27.220(a). Note that the
Department has removed paragraph (b) as proposed in the Advance Notice.
Paragraph (b) had contained an objections provision. For a discussion
of the Department's decision to remove the objections provisions from
this rule (in Sec. Sec. 27.205(c), 27.220(b), and 27.240(c)), see the
summary under Sec. 27.205(c).
Section 27.220(c) is a new subsection. The Department is
reiterating, in part, what it provides in the definitions section. The
Department will place facilities in one of four risk-based tiers. Tiers
will range from Tier 1, which contains the highest-risk covered
facilities, to Tier 4, which contains the lowest-risk covered
facilities. Finally, the Department separated the sentence located at
the end of proposed Sec. 27.220(a) into its own section, Sec.
27.220(d).
Section 27.230 Risk-Based Performance Standards
This section contains the risk-based performance standards that
covered facilities must satisfy. The Department has added a sentence to
Sec. 27.230(a), noting that the ``acceptable layering of measures used
to meet the standards will vary by risk-based tier.'' While all
facilities must satisfy the performance standards, the measures
sufficient to meet those standards will be more robust for those
facilities that present higher levels of risk. In other words, the
manner in which the standards are applied will require a higher level
of security (and so provide for greater reduction in risk) for those
facilities that present higher levels of risk. The Department will
provide details about the application of these standards in guidance.
In addition, for each of the performance standards, the Department
has added a short descriptor at the beginning of the subparagraph
(e.g., paragraph (a)(1) begins with ``Restricted Area Perimeter,''
paragraph (a)(2) begins with ``Securing Site Assets,'' and so forth).
The Department has also revised some of the language related to
specific performance standards. Section 27.230(a)(4) now provides that
facilities must select, develop, and implement measures designed to
``[d]eter, detect, and delay an attack, creating sufficient time
between detection of an attack and the point at which the attack
becomes successful.'' This revised language more adequately captures
the concept that the Department had intended in the language in
paragraph (a)(4) of the Advance Notice and is more complete. Section
27.230(a)(5) now requires facilities to secure and monitor the storage
of hazardous materials, in addition to the shipping and receipt of
hazardous materials. Section 27.230(a)(8) now contains a broader
description of critical process systems. In the Advance Notice, the
Department had used the acronym ``SCADA'' (Supervisory Control and Data
Acquisition) to refer to instrumented control systems in general. In
this interim final rule, the Department has provided more descriptive
terminology to refer to critical process systems. For a further
discussion of SCADA, see the Department responses to ``Comments on
Specific Performance Standards.'' Section 27.230(a)(12) contains an
expanded standard for background checks. For a further discussion of
background checks, see the Department response to comments about
``Background Checks.'' Section 27.230(a)(15) now provides that
facilities should report significant security incidents to local law
enforcement in addition to the Department. Finally, the Department has
removed the paragraph that was paragraph 27.230(a)(19) in the Advance
Notice, because that standard was already addressed in paragraph
(a)(14).
Section 27.235 Alternative security program
The Department has revised this section to provide more detail
about the process for Alternate Security Programs (ASPs). The basic
requirement remains the same, in that certain covered facilities may
submit ASPs, and the Assistant Secretary may approve those ASPs. See
Sec. 27.235(a). To accept an ASP, the Assistant Secretary must find
that the program ``provides an equivalent level of security to the
level of security established by this part.'' This language, which
clarifies the standard for accepting ASPs, comes from the preamble of
the Advance Notice and is consistent with the terms of Section 550. See
71 FR 78276, 78285.
In Sec. 27.235(a)(1)-(2), the Department specifies, by tier, which
facilities may submit ASPs in lieu of Security Vulnerability
Assessments (SVAs) and which facilities may submit ASPs in lieu of Site
Security Plans (SSPs). A Tier 4 facility may submit an ASP in lieu of a
Security Vulnerability Assessment, Site Security Plan, or both. Tier 1,
Tier 2, and Tier 3 facilities may submit an
[[Page 17693]]
ASP in lieu of a Site Security Plan. Tier 1, Tier 2, and Tier 3
facilities may not submit an ASP in lieu of a Security Vulnerability
Assessment. Accordingly, Tier 1, Tier 2, and Tier 3 facilities will
have to submit their SVA through the CSAT system.
With respect to Tier 4 facilities, the Department clarifies the
following point: Given that the Department notifies a facility of its
final placement in a risk-based tier following the Department's review
of a covered facility's SVA (see Sec. 27.220(b)), a facility will not
know its final tier placement at the time it might decide to submit an
ASP in lieu of a SVA. Because of that, the Department understands that
facilities will rely on the Department's preliminary tiering
determination made pursuant to Sec. 27.220(a).
There are various reasons underlying the Department's decision not
to accept ASPs as SVAs for Tier 1, Tier 2, and Tier 3 facilities. The
Department needs a consistent baseline against which to compare risks
and vulnerabilities across chemical facilities. (For a further
discussion of this issue, see the Department's response to comments in
Sec. III(B)(1)). As well, the Chemical Security Assessment Tool (CSAT)
system uses an integrated approach to chemical facility security, and
by considering SVAs that use the methodology in the CSAT system, the
Department can take full advantage of that integrated approach.
Furthermore, by using this electronic, integrated CSAT approach, the
Department can more efficiently review and assess a greater number
SVAs, and that is of importance considering the Department's phased
implementation scheme to address the highest risk facilities first.
The Department acknowledges that many facilities have expended
substantial resources and incurred significant expense to identify
vulnerabilities and to develop security plans. The Department commends
facilities for such efforts. The work performed on these efforts is
valuable, and DHS is committed to capitalizing on these investments.
The information developed in these efforts will be relevant to
facilities as they complete the CSAT SVA. Facilities will be able to
use the information from existing vulnerability assessments, and in
many cases, the practical impact of requiring Tiers 1, 2, and 3
facilities use the CSAT SVA system will be one of formatting, i.e.,
facilities will have to enter their information from their existing
vulnerability assessments into the format established by the CSAT
system. While some additional analytical effort will be required, even
where the facility has produced a strong SVA, the effort will be
considerably less than that at facilities that are starting without a
pre-existing SVA.
In addition, Sec. 27.235(b) provides that the notice requirements
for submitting ASPs correspond with the notice requirements (including
the approval and disapproval process) for SVAs and SSPs. In other
words, if a facility is submitting an ASP in lieu of an SVA, the
process in Sec. 27.240 applies, and if a facility is submitting an ASP
in lieu of an SSP, the process in Sec. 27.245 applies.
Section 27.240 Review and Approval of Security Vulnerability Assessment
and Section 27.245 Review and Approval of Site Security Plans
In this interim final rule, the Department has separated the review
and approval of SVAs and SSPs into two separate sections. In the
Advance Notice, both sets of requirements were located in Sec. 27.240.
In this interim final rule, the provisions related to Security
Vulnerability Assessments are located in Sec. 27.240, and the
provisions related to Site Security Plans are located in Sec. 27.245.
In addition, the Department made some changes to the corresponding
provisions in the two separate sections. In both sections, the
Department has removed the language (from proposed Sec. 27.240(a)(1))
about time periods for submitting SVAs and SSPs. The Department has
already addressed this issue in Sec. Sec. 27.215(c)-(d) and Sec. Sec.
27.225(c)-(d) (by providing that a facility must provide, update, and
revise its SVA and SSP consistent with the schedule in Sec. 27.210),
so it was unnecessary to also include this language here. Also, in both
sections, the Department has added new language about the disapproval
of SVAs or SSPs. The Department added a new sentence, which provides
that ``[i]f the resubmitted [SVA or SSP] does not satisfy the
requirements of [Sec. 27.215 or Sec. 27.225], the Department will
provide the facility with written notification (including a clear
explanation of deficiencies in the [SVA or SSP]) of the Department's
disapproval of the [SVA or SSP].'' See Sec. 27.240(b) and Sec.
27.245(b).
Finally, the Department has added a provision in Sec.
27.245(a)(1)(iii), indicating that the Department issues a Letter of
Approval if it approves a facility's Site Security Plan in accordance
with Sec. 27.250. While this provision appears elsewhere in the rule
(see Sec. 27.245(b)), the Department thought it was appropriate to
include it here as well.
The Department has removed 27.240(c) as proposed in the Advance
Notice. Paragraph (c) had contained an objections provision. For a
discussion of the Department's decision to remove the objections
provisions from this rule (in Sec. Sec. 27.205(c), 27.220(b), and
27.240(c)), see the summary under Sec. 27.205(c).
Section 27.250 Inspections and Audits
The Department has added additional provisions to the inspection
and audit section. In Sec. 27.250(c), the Department discusses the
time and manner requirements for inspections. While the Department will
generally provide facilities with 24-hour advance notice of
inspections, the Department recognizes two exceptions where an
unannounced inspection might occur. The Department included the first
exception in the Advance Notice, and the Department has added the
second exception in this interim final rule. For a further discussion,
see the Discussion of Comments in Sec. III(F) on ``Inspections and
Audits.''
In Sec. 27.250(d), the Department addresses various details
related to the inspectors who will conduct inspections and audits. This
is a new paragraph that was not in the Advance Notice. Although
Congress has not provided the Department with administrative subpoena
authority, this paragraph explains that inspectors will have
credentials and may administer oaths and receive affirmations upon
consent. It also provides details about the means by which inspectors
may gather information and the access that inspectors will have to
records. The Department has also added a paragraph (e), which addresses
confidentiality. Finally, the guidance paragraph, which had been
located in paragraph (d) has been moved to paragraph (f).
Section 27.255 Recordkeeping Requirements
The Department revised various provisions related to recordkeeping.
With respect to Sec. 27.255(a)(1), the Department added a few
additional record requirements regarding training. In addition to
keeping records of the date and location of each training session, time
of day and duration of each session, the name and qualifications of the
instructor, and a clear, legible list of the attendees including
attendees' signatures, the facility must also keep at least one other
unique identifier for each attendee receiving training and the results
of any evaluation or training. The Department also added a requirement
to Sec. 27.255(b), requiring facilities to keep submitted Top-Screens
in addition to submitted
[[Page 17694]]
SVAs and SSPs. In addition, as discussed above in the summary for Sec.
27.225(e), the Department revised the recordkeeping provision related
to internal audits. See Sec. 27.255(a)(6).
The Department also added a new paragraph (c), allowing the
Department to request that covered facilities make available records
kept pursuant to other Federal programs or regulations. The Department
would make such requests for records to the extent that any such
records were necessary for security purposes. As a result of adding new
paragraph (c), the Department had to re-designate proposed paragraph
(c) as paragraph (d).
Subpart C
The Department has substantially revised Subpart C, which contains
the provisions for Orders, Adjudications, and Appeals.
Section 27.300 Orders
The Department has restructured the Orders provisions. Whereas the
Advance Notice contained four separate sections (see Sec. Sec. 27.300,
27.305, 27.310, and 27.315), the Department has now consolidated all of
the Order provisions into one section, Sec. 27.300. The main substance
of the Orders provisions, however, remains the same. Pursuant to Sec.
27.300(a), the Assistant Secretary can issue an Order for any instance
of noncompliance. For example, the Assistant Secretary may issue an
Order for a facility's refusal to complete a Top-Screen, failure to
allow an inspection, or failure to update a Site Security Plan.
Beyond a basic Order, the Assistant Secretary may issue an Order
Assessing Civil Penalty, an Order to Cease Operations, or both, where
it determines that a facility is in violation of any Order issued
pursuant to paragraph (a). See Sec. 27.300(b). Orders Assessing Civil
Penalty are for a continual noncompliance, a repeated pattern of
noncompliance or egregious instances of noncompliance. Orders to Cease
Operations are the most serious Orders that the Assistant Secretary
might choose to issue under this regulatory scheme. The Assistant
Secretary will use such a measure cautiously and judiciously and will
balance the immediate security needs with the possible impact (e.g.,
economic impact or national security effect) of such an Order on the
chemical industry and the Nation as a whole. As the Department wrote in
the Advance Notice, ``This authority would be utilized when no other
options will achieve the required result.'' See 71 FR 78276, 78287.
Paragraphs (c) through (f) of Sec. 27.300 address the process and
procedures for Orders. Section 27.300(c) lists the information, at a
minimum, that the Assistant Secretary must include in an Order and also
notes that the Assistant Secretary may establish further procedures for
the issuance of Orders. Section 27.300(d) notes that a facility must
comply with the terms of the Order by the date specified in the Order.
Section 27.300(e) indicates that a facility has the right to seek an
adjudication to review the decision of the Assistant Secretary to issue
an Order, and Sec. 27.300(f) addresses final agency action.
With respect to the staying of Orders, the Department addresses
this issue in the new adjudications sections. Specifically, Sec.
27.310(b)(4) provides that an Order is stayed from the timely filing of
a Notice of Application for Review until the Presiding Officer issues
an Initial Decision, unless the Secretary lifts the stay due to exigent
circumstances pursuant to Sec. 27.310(d). The new adjudications
section is discussed in more depth below.
Section 27.305 through 27.340 Adjudications
Most significantly with respect to adjudications, the Department
has provided facilities with the opportunity to seek review of
specified decisions before a neutral adjudications officer. A facility
or other person may seek review of the following Department (i.e.,
Assistant Secretary) determinations: (1) A finding, pursuant to Sec.
27.230(a)(12)(iv) that an individual is a potential security threat;
(2) The disapproval of a Site Security Plan pursuant to Sec.
27.245(b); or (3) The issuance of an Order pursuant to Sec. 27.300(a)
or (b). See Sec. 27.310(a).
The procedures for Applications are found in Sec. 27.310(b). To
institute Adjudication Proceedings, the facility or other person
(``Applicant'') must file a Notice of Application for Review within
seven calendar days of notification of the Assistant Secretary's
determination. See Sec. 27.310(b)(1)-(2). Then, in an Application for
Review, the Applicant must explain his or her position (i.e., explain
why the Assistant Secretary's determination should be set aside). The
Applicant has 14 calendar days from the date of notification of the
Assistant Secretary's determination to file and serve an Application
for Review. See Sec. 27.310(b)(5). The Assistant Secretary, through
the Office of the General Counsel, shall file and serve a Response
within 14 calendar days of the filing and service of the Application
for Review. See Sec. 27.310(c). Finally, the Secretary may make
certain procedural modifications in exigent circumstances. See Sec.
27.310(d).
A Presiding Officer is the neutral adjudications officer who
handles these proceedings. The Secretary shall appoint a Presiding
Officer, consistent with the requirements in Sec. 27.315. A Presiding
Officer shall immediately consider whether a summary adjudication of an
Application for Review is appropriate, and if the Presiding Officer
finds that there is no genuine issue of material fact and that one
party or the other is entitled to decision as a matter of law, then the
record shall be closed and the Presiding Officer shall issue an Initial
Decision on the Application for Review. See Sec. 27.330(b). Such
summary decisions are governed by the procedures in Sec. 27.330.
Where there is no summary decision, the Presiding Officer may
conduct a hearing using the procedures specified in Sec. 27.335. The
Presiding Officer shall close and certify the record upon the
completion of one of the following: a summary judgment proceeding, a
hearing, the submission of post-hearing briefs, or the conclusion of
oral arguments. See Sec. 27.340(a). Based on the certified record, the
Presiding Officer shall issue an Initial Decision, and the decision
shall be subject to appeal pursuant to Sec. 27.345.
In addition to the sections mentioned above, there are a few other
sections that address provisions related to adjudications. Section
27.320 specifies the prohibition on ex parte communications during
Proceedings. And Sec. 27.325 provides that the Assistant Secretary
bears the initial burden of proving the facts necessary to support the
challenged administrative action at every proceeding instituted under
this subpart.
Finally, as related to the Appeals section below, a Presiding
Officer's Initial Decision is stayed from the timely filing of a Notice
of Appeal until the Under Secretary issues a Final Decision, unless the
Under Secretary lifts the stay due to exigent circumstances. See Sec.
27.345(b)(4).
Section 27.345 Appeals
The interim final rule contains a revised appeals section. There
are several differences. First, a facility or other person may appeal
the Initial Decision of the Presiding Officer made pursuant to Sec.
27.340(b). This differs from the Advance Notice, in which a facility
could appeal a Departmental final determination regarding disapproval
of a Site Security Plan and the Departmental issuance of an Order. See
Sec. 27.320 in the Advance Notice.
[[Page 17695]]
Second, the Advance Notice provided that the Under Secretary would make
decisions for most categories of appeals, and the Deputy Secretary
would make decisions for one category of appeal. This interim final
rule provides that all appeals go to the Under Secretary or his
designee acting as a neutral appeals officer. Third, as is discussed in
more depth below, the procedures for an appeal have changed.
The Assistant Secretary, a facility, or other person
(``Appellant'') may institute an Appeal by filing a Notice of Appeal
within seven calendar days of notification of the Presiding Officer's
Initial Decision. See Sec. 27.345(b)(1)-(3). The Appellant shall then
file and serve a Brief within 28 calendar days of the notification of
the Presiding Officer's Initial Decision. See Sec. 27.345(b)(5). The
Appellee shall file and serve its Opposition Brief within 28 days of
the filing of Appellant's Brief. See Sec. 27.345(b)(6). The Under
Secretary shall issue a Final Decision and serve it on the parties. A
Final Decision by the Under Secretary constitutes final agency action.
See Sec. 27.345(f).
In addition to the provisions mentioned above, the Department notes
the following: Pursuant to Sec. 27.345(b), the Under Secretary may
provide for an expedited appeal; pursuant to Sec. 27.345(c), ex parte
communications are prohibited; and pursuant to Sec. 27.345(c), a
facility or other person may elect to have the Under Secretary
participate in any mediation or other resolution process by expressly
waiving, in writing, any argument that such participation has
compromised the Appeals process. In addition, pursuant to Sec.
27.345(g), the Secretary may establish procedures for the conduct of
appeals.
Subpart D
Section 27.400 Chemical-Terrorism Vulnerability Information
The Department has made numerous clarifying changes to the
chemical-terrorism vulnerability information (CVI) section. Some of
these changes corrected typographical errors, while several others
clarified existing provisions. With respect to a minor change, note
that, in Sec. 27.400 of the Advance Notice, the Department referred to
CVI as ``Chemical-terrorism Security and Vulnerability Information''
and in this interim final rule, the Department now refers to CVI as
``Chemical-terrorism Vulnerability Information.'' The Department
intends no change in meaning with this revision.
The Department has highlighted below the more substantive changes
to Sec. 27.400. With respect to paragraph (c), the Department has
removed paragraph (c)(2), because that concept is already covered in
paragraph (e)(1)(v). In paragraph (d)(1), the Department provides that
covered persons must protect all CVI in their possession or control,
including electronic data. In paragraph (e)(1), the Department added
language providing that a person who might have a ``need to know''
includes ``state or local officials, law enforcement officials, and
first responders.'' In paragraph (e)(1)(ii), the Department clarified
that a person in training will only have access to CVI that he needs as
part of his training, and in paragraph (e)(1)(iv), the Department
clarified that a the person in a fiduciary relationship with a covered
person who is representing or providing advice to that covered person
will also have a need to know CVI. In paragraph (e)(2)(iii), the
Department provides that it may require non-Federal persons seeking
access to CVI to complete a non-disclosure agreement before such access
is granted. In paragraph (f)(3), the Department shortened the
distribution limitation statement and added a new sentence at the end,
which provides: ``[i]n any administrative or judicial proceedings, this
information shall be treated as classified information in accordance
with 6 CFR Sec. Sec. 27.400(h) and (i).'' And in paragraphs (h)(1),
(i)(1), and (i)(2), the Department made it clear that these sections
apply to the disclosure of CVI in the context of administrative or
judicial enforcement proceedings of section 550 only, not any other
kind of enforcement proceeding. Similarly, in paragraph (i)(7)(iii),
the Department made it clear that this section applies only to judicial
enforcement proceedings and not any other judicial proceeding.
Section 27.405 Review and Preemption of State Laws and Regulations
The Department has made several changes to Sec. 27.405, including
various regulatory text changes. Among those changes, the Department
has added paragraph (a)(1). The Department wishes to avoid any
unintended consequences in the program's interaction with other Federal
requirements. For this reason, Sec. 27.405(a)(1) provides that
``[n]othing in this regulation is intended to displace other federal
requirements administered by the Environmental Protection Agency, U.S.
Department of Justice, U.S. Department of Labor, U.S. Department of
Transportation, or other federal agencies.'' For a further discussion
of these changes and preemption in general, see the section below
entitled ``Executive Order: 13132: Federalism.''
Proposed Appendix A: DHS Chemicals of Interest
In the Advance Notice, the Department sought comment on appropriate
sources of information or methodologies for evaluating and categorizing
chemical facilities.'' See 71 FR 78276, 78282. The Department responds
to those comments below in the ``Discussion of Comments.'' In this
interim final rule, the Department has decided to evaluate chemical
facility risks by, in part, classifying facilities by particular
chemicals. In proposed Appendix A, the Department has included a list
of ``DHS Chemicals of Interest'' along with Screening Threshold
Quantities, or STQs, for each chemical. The Department has established
STQs to trigger preliminary screening requirements. The STQ is not the
threshold quantity for establishing whether a given facility is a high-
risk facility, but only sets a threshold to require a facility to
complete and submit a CSAT Top-Screen. As noted in the ``Public
Participation'' section above, the Department is accepting public
comment on proposed Appendix A for 30 days. Following the close of the
comment period, the Department will review the comments and publish a
final Appendix A. The requirements related to Appendix A, which are
found in Sec. Sec. 27.200(b)(2) and 27.210, will become operative on
the date that the Department publishes a final Appendix A.
Pursuant to Sec. 27.200(b)(2), if a facility possesses any
chemicals identified in Appendix A at the corresponding quantities, the
facility must complete and submit a Top-Screen. Consistent with the
submission requirements in Sec. 27.210(a)(1), the facility must
complete the Top-Screen within 60 calendar days of the effective date
of a final Appendix A or within 60 calendar days of coming into
possession of any such chemical at the corresponding quantity. (As
indicated in the regulatory text, this submission requirement is not
operative until the Department publishes a final Appendix A.) Note that
this provision does not affect the Department's ability to contact
facilities independently of this list. Pursuant to Sec. 27.200(b)(1),
DHS may notify facilities, on an individual basis or through an
additional Federal Register notice, that they need to complete and
submit the Top-Screen. The Department notes that, where a facility has
a question as to whether it should complete a Top-Screen, the facility
can contact the
[[Page 17696]]
Department and seek a consultation pursuant to Sec. 27.120.
The Department reiterates that the presence or amount of a
particular chemical listed in Appendix A is not the sole factor in
determining whether a facility presents a high-level of security risk
and is not an indicator of a facility's coverage under this rule. The
DHS Chemicals of Interest list merely directs certain facilities to
complete and submit the Top-Screen. This list serves as a tool to aid
the Department in gathering information needed to administer the
program under Section 550. In order for the Department to assess
compliance by particular chemical facilities with the regulation (see
Section 550(e)), the Department must first obtain information to
determine whether the particular chemical facilities qualify for
coverage under Section 550. The list set out in Appendix A serves as a
procedural tool designed to aid the Department in determining which
facilities must comply with the substantive standards. Only after the
Department gathers additional information through the Top-Screen
process will the Department make a determination as to whether a
facility presents a high risk and therefore must comply with the
regulatory requirements to ensure adequate security. Under Section 550,
the Department has the authority to use its best judgment and all
available information in determining whether a facility presents a high
level of security risk.
In developing the ``DHS Chemicals of Interest'' list, the
Department has looked to existing sources of information and has then
drawn on many of those sources of information, including some of the
sources that commenters suggested. Those sources include the following:
(1) The chemicals contained on the EPA's RMP list. Pursuant to the
Clean Air Act (42 U.S.C. 7401, et seq.), which provides that the EPA
shall promulgate a list of substances that ``in the case of accidental
release, are known to cause or may reasonably be anticipated to cause
death, injury, or serious adverse effects to human health or the
environment (see 42 U.S.C. 7412(r)(3)), the EPA promulgated two lists.
Table 1 is titled ``List of Regulated Toxic Substances and Threshold
Quantities for Accidental Release Prevention,'' and Table 3 is titled
``List of Regulated Flammable Substances and Threshold Quantities for
Accidental Release Prevention'' (see 40 CFR 68.130); (2) The chemicals
from the Chemical Weapons Convention (CWC). Section 6701, et seq. of
Title 22 of the United States Code implements the Convention on the
Prohibition of the Development, Production, Stockpiling and Use of
Chemical Weapons and on Their Destruction. The CWC covers three lists,
or ``schedules'' of chemicals. Schedule 1 chemicals are provided in
Supplement No. 1 to 15 CFR part 712, Schedule 2 chemicals are provided
in Supplement No. 2 to 15 CFR part 713, and Schedule 3 chemicals are
provided in Supplement No. 3 to 15 CFR part 714; and (3) Hazardous
materials, including gases poisonous by inhalation (PIH) and explosive
materials, which the Department of Transportation regulates. See 49 CFR
173.115(c), 49 CFR 173.50(b), and 49 CFR 172.101. The Department has
also considered other categories of chemicals, such as chemicals that
can be used as precursors for Improvised Explosive Devices (IEDs) and
certain water-reactive materials that produce toxic gases.
The Department makes a few points with respect to the list in
Appendix A. First, DHS is not using any existing list (e.g., the EPA
RMP list) as its sole source, and DHS is not classifying all facilities
on a list in one particular way (i.e., classifying all RMP facilities
as high-risk). By using multiple sources at this initial phase, DHS
believes it is obtaining a more complete picture of the universe of
facilities that may qualify as high-risk. Second, in identifying the
types and STQs of chemicals for Appendix A, the Department has sought
to be sufficiently inclusive of chemicals and quantities that might
present a high level of risk under the statute without being overly
inclusive and therefore capturing facilities which are unlikely to
present a high level of risk.
In addition to drawing on information from existing sources, the
Department has identified chemicals by considering three security
issues. These three security issues, which are explained below, address
multiple risk areas.
1. Release--DHS believes that certain quantities of toxic,
flammable, or explosive chemicals or materials, if released from a
facility, have the potential for significant adverse consequences for
human life or health.
2. Theft or Diversion--DHS believes that certain chemicals or
materials, if stolen or diverted, have the potential to be used as
weapons or easily converted into weapons using simple chemistry,
equipment or techniques in order to create significant adverse
consequences for human life or health.
3. Sabotage or Contamination--DHS believes that certain chemicals
or materials, if mixed with readily-available materials, have the
potential to create significant adverse consequences for human life or
health.
In proposed Appendix A, the Department lists the DHS Chemicals of
Interest and identifies a Standard Threshold Quantity (STQ) for each
chemical. To clearly identify each chemical, the Department includes
the Chemical Abstract Service (CAS) number for each chemical. These
chemicals listed in proposed Appendix A fall into the three categories
identified above: chemicals with a release hazard, chemicals with a
theft or diversion hazard, and chemicals with a sabotage or
contamination hazard.
The Department acknowledges that there are two additional security
issues that it is considering at this time, although it is not
including any such chemicals that would trigger a Top-Screen
submission. They include the following two issues:
1. Critical Relationship to Government Mission--DHS believes that
the loss of certain chemicals, materials, or facilities could create
significant adverse consequences for national security or the ability
of the government to deliver essential services.
2. Critical Relationship to National Economy--DHS believes that the
loss of certain chemicals, materials or facilities could create
significant adverse consequences for the national or regional economy.
The Department is continuing to assess currently-available
information about these chemicals critical to government mission and
the national economy. The Department will use the information it
collects through the Top-Screen process, as well as currently-available
information, as a means of identifying facilities responsible for
economically critical and mission-critical chemicals.
III. Discussion of Comments
In the Advance Notice, DHS sought comment on proposed text for the
interim final rule as well as on various implementation and policy
issues concerning the chemical security program. DHS received a total
of 106 public comments totaling more than 1,300 pages, including
comments from thirty-two trade associations, thirty companies, thirteen
private citizens, ten state agencies and associations, seven advocacy
and safety groups, eight U.S. Representatives, five U.S. Senators, four
unions, one Local Emergency Planning Committee, one professional
association, one international standards committee, and the U.S. Small
Business Administration.
Commenters generally applauded this effort from the Department and
commended the general approach that the Department is taking. However,
[[Page 17697]]
commenters also raised some specific concerns. In the sections below,
DHS provides a topical summary of the comments and responses to those
comments.
A. Applicability of the Rule
1. Definition of ``Chemical Facility or Facility''
The Advance Notice defined ``Chemical Facility or facility'' to
mean ``any facility that possesses or plans to possess, at any relevant
point in time, a quantity of a chemical substance determined by the
Secretary to be potentially dangerous or that meets other risk-related
criterion identified by the Department. * * *'' See proposed Sec.
27.100.
Comment: While a few industry and State agency commenters supported
this definition, commenters generally thought that the proposed
definition was broad. In particular, several industry commenters, an
industry association, a labor union, and a State agency thought the
proposed definition was overly broad and consequently did not inform
facilities about whether they would be regulated. They noted that the
definition did not name the regulated chemical substances or the
threshold quantities. One commenter argued that DHS's failure to
release to the public its proposed list of ``potentially dangerous
chemicals'' and threshold amounts for those chemicals denies the public
the opportunity to comment on key provisions of the rule that depend on
whether the facility possess specified quantities of chemicals
determined by DHS to be potentially dangerous. The commenter explained
that it is difficult to comment on that aspect of the rule without
knowing what the chemicals and thresholds are. An industry group
cautioned that threshold quantities should be set high enough that
retail establishments are not covered merely because they stock
commercially acceptable quantities of commonly used chemicals. A few
industry commenters and a member of Congress added that the definition
of chemical facility should include the concepts of national security
and economic criticality.
Several industry commenters supported the use of EPA's Risk
Management Plan (RMP) program to help identify the initial group of
regulated facilities. Commenters supported use of the RMP list of toxic
substances as a basis for selecting chemical facilities. Likewise, one
association felt that DHS should link its definition of chemical
facility to those facilities covered by EPA's RMP, because it is a
clear and defined list. The industry commenters noted, however, that
not all RMP facilities should be considered high-risk. One commenter
pointed out that RMP does not take into account facilities that may
cause substantial impacts from multiple tanks. A few commenters also
recommended that DHS should consider facilities in EPA's Toxic Release
Inventory program or facilities that handle DOT hazardous materials.
One commenter emphasized that the rule could focus on toxic gases
at RMP threshold quantities, but warned that the RMP program has a
different purpose. The commenter indicated that worst-case scenarios
under RMP may be based on unrealistic assumptions. Another commenter
indicated that DHS should consider certain substances from the Chemical
Weapons Convention list when assessing overall risk. Finally, some
industry commenters objected to the phrase ``possesses or plans to
possess,'' because the term implies legal title or ownership rather
than simple presence at the facility.
Response: Aside from the minor modification noted above, DHS is
retaining the definition of chemical facility that it proposed in the
Advance Notice. And while DHS is not defining ``chemical facility'' by
listing specific chemicals, DHS is making available, with the issuance
of this rule, a list of those chemicals and Screening Threshold
Quantities (STQs) that it proposes to use to determine whether to
further assess whether a chemical facility presents a high risk.
Specifically, if a facility possesses any of the chemicals, at the
corresponding quantities, in Appendix A (when finalized), the facility
must complete and submit a Top-Screen within 60 calendar days. See
Sec. 27.200(b)(2) and Sec. 27.210(a). The Department will continue to
contact facilities individually and through additional Federal Register
notices, as necessary. See Sec. 27.200(b)(1). To the extent the
Department notifies facilities through an additional Federal Register
notice, the Department will engage in outreach activities with the
chemical sector.
Finally, in response to specific comments above, the Department
makes two additional points. The Department has retained the phrase
``possesses or plans to possess.'' DHS believes that phrase adequately
captures the Department's intent. The plain meaning of those terms is
not limited to ownership. Also, with respect to the commenter who
cautioned that any types of threshold quantities should be high enough
so that DHS does not cover all retail establishments that stock
commercially acceptable quantities of commonly used chemicals, DHS
notes that it is aware of that issue. While DHS believes these STQs are
set at levels that normally will not cover such retail establishments,
DHS believes that, if a retail establishment does exceed any of these
STQs, the retail establishment will have to complete the Top-Screen.
2. Multiple Owners and Operators
The second half of the definition of ``Chemical Facility or
facility'' provides that the terms ``shall also refer to the owner or
operator of the chemical facility. Where multiple owners and/or
operators function within a common infrastructure or within a single
fenced area, the Assistant Secretary may determine that such owners and
operators constitute multiple chemical facilities depending on the
circumstances.'' See Sec. 27.105.
Comment: Comments were varied on the issue of multiple owners and
operators. One industry commenter suggested that DHS should combine
adjacent facilities under common ownership into a single facility, and
other industry commenters thought that DHS should define certain
adjacent facilities as less than the entire property. One industry
commenter thought that DHS should allow facilities with multiple owners
or operators to agree among themselves how to meet the requirements of
this rule. A trade association noted that some large chemical
facilities have third-party warehouses and leasing agreements and that
the owners of the chemical facility should be responsible for security.
Response: DHS believes that it will generally be fairly
straightforward for facilities to define their boundaries and identify
the party (at their facility) that is responsible for compliance with
the regulation. However, DHS acknowledges that, in some circumstances,
the issue might be more complex. The Department will address these
situations on a case-by-case basis. Both owners and operators of
facilities, however, bear responsibility under the regulations for
implementing measures that meet the regulatory standards.
3. Classifying Facilities Based on Hazard Class
Comment: In the preamble to the Advance Notice, DHS requested
comment on whether it should use an approach based on hazard class,
rather than use an approach where classifications are based on
particular chemicals. Responses were mixed.
Several commenters favored the hazard class approach, noting that
facilities are familiar with the DOT hazard classes, that the hazard
classes
[[Page 17698]]
may be harmonized with international requirements, and that the number
of chemicals (in a non-hazard class approach) might otherwise be very
large. Some of the commenters who favored the hazard class approach
also noted some caveats to its use. Industry commenters and a State
agency warned that the hazard class approach could result in the
inclusion of chemicals that do not pose a security risk. Conversely,
others noted that the hazard classes may not include chemicals of
concern from a terrorism perspective. Commenters noted that other
agencies may regulate the hazard classes under other programs. Also,
one State agency association pointed out that a combination of
chemicals might be more dangerous than any one chemical. One firm
suggested that the DHS approach should include both the hazard class
approach and the classification of chemicals approach.
A few industry commenters indicated that basing the applicability
of the rule on hazard classes would be inappropriate and that they
favored a list of security-sensitive chemicals with threshold
quantities. One trade association supported the use of lists of
particular chemicals, explaining that they thought it would lead to
more accurate assessments of likelihood and consequence and therefore
risk. They also argued that DHS publish the list in the final rule.
Response: As explained above, DHS is publishing a list of
``Chemicals of Interest'' in Appendix A to this interim final rule. The
list contains specific chemicals and STQs. That list is a baseline
screening threshold against which facilities will know whether they
need to complete and submit a Top-Screen. While DHS's primary approach
will be through the classification of chemicals, DHS will not preclude
the use of the hazard classes for certain purposes in the performance
standard guidelines.
4. Applicability to Specific Chemicals or Quantities of Chemicals
Comment: Several commenters discussed specific chemicals and
whether or not the regulation should cover facilities that possess
those chemicals. Several commenters thought that DHS should not cover
anhydrous ammonia or ammonium nitrate, both of which are discussed in
more depth below. A local government agency urged DHS to cover
facilities that store propane, while other commenters indicated that
DHS should not cover flammable fuels such as propane. A few commenters
noted that some facilities may have only small amounts of chemicals or
may handle them only intermittently. A trade association suggested that
DHS should allow such facilities to adjust their level of security to
the level of risk. Another commenter urged DHS to consider the nature
of batch production facilities, which make a continually changing mix
of products using a continually changing, and often unpredictable, mix
of ingredients.
With respect to anhydrous ammonia, commenters noted that the
chemical is in the EPA RMP list but indicated that it should not be a
chemical that DHS regulates. They explained that ammonia refrigeration
is used for dairy and food processing facilities and that those
facilities do not pose a significant risk to human health, national
security, or the economy, because an attack on such a facility would
not result in a catastrophic release of ammonia. In addition, the
commenters stated that the food industry (which uses anhydrous ammonia
for refrigeration) should not have to spend its resources enhancing
security for refrigeration systems.
With respect to ammonium nitrate (AN), some industry commenters
noted that AN is an important part of the economy in both the
explosives and the fertilizer industries. They noted that the threat
posed by AN is not that of a direct attack but of theft or diversion
for later criminal misuse. While they said that DHS should focus not
only on the possibility of a direct attack at facilities with
``weaponizable'' chemicals, but on facilities with risks of theft or
diversion, they suggested that DHS place those facilities (i.e., those
with risk of theft or diversion) in lower-risk tiers.
One commenter recommended requirements for chain-of-custody control
and suggested that the ATF could assist in enforcement at AN sites with
commercial explosives; other commenters favored regulation by DHS, not
ATF. Another commenter believed that DHS should work with the U.S.
Department of Agriculture and producer groups in deciding whether to
regulate an agriculture operator or supplier. An industry commenter
noted that the mere presence of AN at a site should not trigger
application of DHS's screening process. Two members of Congress argued
that the rule should apply to AN manufacturing facilities, but they
agreed with DHS and other commenters that DHS should subject AN
facilities to regulatory requirements based on the nature of the
facility and risk assessment results. The commenters thought that by
including AN facilities in the regulatory program, DHS would make it
more difficult for terrorists to acquire this product.
Response: The Department's regulatory scheme will cover chemical
facilities that present a high risk because they possess or plan to
possess chemicals that terrorists may use or target in the furtherance
of acts of terrorism. Facilities that possess chemicals that are
hazardous and can be used as weapons, such as anhydrous ammonia or
ammonium nitrate, will be regulated if they present a high risk.
However, a facility that possesses a chemical substance that does not
cause it to present a high risk (taking into account all relevant
factors), or possesses an otherwise hazardous chemical in an amount
that is below what would cause the facility to present a high risk
(again, taking into consideration all relevant factors), will not be
regulated.
Accordingly, with this interim final rule, DHS plans to regulate
high-risk facilities with ammonium nitrate and anhydrous ammonia using
the same risk-based approach under which it plans to regulate all other
high-risk facilities. If DHS later decides that any individual
chemicals warrant specialized attention in regulatory provisions, DHS
will address such chemicals through future rulemakings.
5. Applicability to Types of Facilities
Comment: A few commenters suggested that the rule should not apply
to railroad facilities, because such facilities are covered by current
and proposed requirements from the Department of Transportation's (DOT)
Federal Railroad Administration and Pipeline and Hazardous Materials
Safety Administration and DHS's Transportation Security Administration
(TSA). Those commenters asserted that railroads should be treated
separately from fixed facilities and that the proposed requirements are
inappropriate for railroad facilities. One commenter requested
exemptions for motor vehicles and rail cars that are ``in transit.''
Another commenter asked DHS to take a system-wide approach and
recognize the interdependence of chemical facility and rail security.
Response: Regulating chemicals in the railroad system is a complex
issue, and DHS continues to evaluate it. TSA is the lead component
within DHS for the security of transportation facilities and has
initiated some recent efforts to address rail security, including
Voluntary Agreements with the rail industry and a Notice of Proposed
Rulemaking on Rail Transportation Security. See 71 FR 76852 (December
21, 2006). With respect to chemical security, certain aspects of
Section 550 and TSA's authorities are concurrent
[[Page 17699]]
and overlapping. DHS is working, and will continue to work, with its
components, including TSA, to determine whether DHS will include
railroad facilities in its chemical security program. DHS presently
does not plan to screen railroad facilities for inclusion in the
Section 550 regulatory program, and therefore DHS will not request that
railroads complete the Top-Screen risk assessment methodology. DHS may
in the future, however, re-evaluate the coverage of railroads, and
would issue a rulemaking to consider the matter.
Comment: Commenters asked about the applicability of the rule to
natural gas pipelines and facilities, with some noting that DHS should
not regulate pipelines because DOT/PHMSA and DHS/TSA already regulate
safety and security of pipelines. Other commenters asked about DHS's
plans to address other large facilities, such as mines. One engineer
pointed out that mining facilities can be very large and can cover
thousands or tens of thousands acres but that the security-sensitive
portions of those mines may be very small (e.g., a single tank).
Response: Whether a facility is covered under this regulation is
driven by a number of factors, including the specific types and
quantities of chemicals at a given facility. Whether the Department
will apply the requirements of this regulation to a facility depends,
in part, on the chemicals present at that facility. In the case of
natural gas pipelines, DHS has no intention at this time of requiring
long-haul pipelines to complete the Top-Screen (or prepare Security
Vulnerability Assessments and develop Site Security Plans). But
chemical facilities otherwise covered by this regulation and with
pipelines within their boundaries must treat those pipelines like any
other asset, i.e., include measures in their Site Security Plan
addressing the security of those pipelines.
Related to this, DHS makes a clarifying point about facility assets
in general. DHS expects that facilities will address all facility
assets in their Security Vulnerability Assessments and Site Security
Plans, as any given facility asset has the potential to have an effect
on the consequence and/or vulnerabilities of the facility. Facility
assets include any items or structures (such as buildings, vehicles,
laboratories, or test facilities) located on an area owned, operated,
or used by the facility. Such assets may exist inside or outside of
perimeter structures.
Similarly, the extent of coverage of mines in this regulation will
depend in part on the type and amount of chemicals present at any given
mine facility. The Department expects that mines will comply with the
requirements of Sec. 27.200(b) and complete and submit the Top-Screen
as required in that section. With respect to large mines that may only
possess a concentrated amount of a given chemical in one discrete
location, if the given chemical (and quantity) is one that the
Department believes presents a security risk, the Department will
expect that the facility will go through the screening process. While
the facility may have to develop a Site Security Plan, the SSP would be
tailored to the specific circumstances at the mine. The SSP for a large
mine with a concentrated amount of one chemical in one location would
surely look dramatically different than that of mine company with
different circumstances (e.g., a large mine with larger quantities of
different types of chemicals spread throughout the mine or a smaller
mine with moderate quantities of very hazardous chemicals in several
different locations).
6. Statutory Exemptions
Comment: Some commenters asked why Sec. 27.105(b) excluded certain
facilities from the rule, and another commenter suggested that the
exempted facilities should be reviewed to determine if they would be
considered high-risk but for the exemption.
Other commenters suggested additional exemptions. One commenter
suggested that the rule should not apply to most facilities that
manufacture, sell, or reclaim lead-acid batteries, and another
commenter believed DHS should exclude pesticide facilities. Yet another
commenter thought that most facilities storing petroleum products, some
of which are exempted under proposed Sec. 27.105(b), are not high-risk
facilities.
Response: In the authorizing legislation for this regulation,
Congress exempted various facilities from this rule. See Section
550(a). DHS has included those exemptions in Sec. 27.110(b) of the
rule. The statute provides for the following exemptions: facilities
regulated pursuant to the Maritime Transportation Security Act of 2002,
Public Law 107-295, as amended; public water systems (as defined by
Section 1401 of the Safe Drinking Water Act); water treatment works
facilities (as defined by Section 212 of the Federal Water Pollution
Control Act); any facilities owned or operated by the Departments of
Defense and Energy; and any facilities subject to regulation by the
Nuclear Regulatory Commission. The Department has considered the
exemptions requested by commenters, and, at this time, the Department
does not intend to provide any additional regulatory text exemptions.
Comment: Some industry commenters supported the exemptions in Sec.
27.110, such as the exemption for facilities regulated under the
Maritime Transportation Security Act (MTSA). In addition, one
association wanted to exclude from the Top-Screen requirements any
facilities covered under MTSA. Other commenters asked for clarifying
information about the exemptions.
Response: In the Advance Notice, the Department discussed the
applicability of this rule to maritime facilities. See 71 FR 78276,
78290. In this interim final rule, the Department clarifies that it
will apply the statutory exemption only to facilities regulated under
33 CFR part 105, Maritime Facility Security regulations. Part 105 of
Title 33 of the Code of Federal Regulations is the only regulation that
imposes the security plan requirements of 46 U.S.C. 70103 on maritime
facilities.
Comment: A State agency believed that the Nuclear Regulatory
Commission (NRC) exemption should apply only to facilities holding an
NRC power reactor license and disagreed with the exemptions for public
water systems and treatment works.
Response: The Department agrees with the commenter and will apply
the statutory exemption to facilities where NRC already imposes
significant security requirements and regulates the safety and security
of most of the facility, not just a few radioactive sources. For
example, a power reactor holding a license under 10 CFR part 50, a
special nuclear material fuel cycle holding a license under 10 CFR part
70, and facilities licensed under 10 CFR parts 30 and 40 that have
received security orders requiring increased protection, will all be
exempt from 6 CFR part 27. A facility that only possesses small
radioactive sources for chemical process control equipment, gauges, and
dials, will not be exempt.
B. Determining Which Facilities Present a High-Level of Security Risk
1. Use of the Top-Screen Approach
Comment: In general, many industry associations and chemical
companies supported the use of a tiered approach that narrows DHS's
focus to high-risk facilities. Several commenters pointed out as a
problem the fact that they had been unable to review the details of the
approach and associated criteria; several commenters suggested that
knowledgeable parties should have an
[[Page 17700]]
opportunity to review the details. Many of the commenters wanted to
make sure that the final group of high-risk facilities was determined
based on risk (not just on potential consequence or limited pieces of
threat data) and that the number of facilities in this group was small.
Associations differed in their views on how inclusive the Top-
Screen process should be--one association wanted DHS to screen out
certain low-risk facilities in the first few questions while other
associations and a chemical company wanted DHS to make sure that as
many facilities as possible submitted Top-Screen data, including some
facilities that might not traditionally be considered chemical
facilities. Several associations urged DHS not to presumptively
classify facilities as high-risk without perfect information; they felt
that doing so would go beyond the authority that Congress granted DHS
and would not match the intended focus on high-risk facilities. A local
agency took the opposite view on that question.
Several commenters provided input on the data that facilities will
need to enter into the Top-Screen. One association suggested that DHS
allow facilities to enter chemical volumes in ranges and asked that DHS
provide guidance on handling mixtures and blends. That association also
questioned how facilities should address chemicals that are stored
offsite. Another association encouraged DHS to include reactive
chemicals and propane in the Top-Screen. One advocacy group encouraged
DHS to incorporate chemical transportation in the rule and the Top-
Screen.
Commenters also provided input on how DHS should process the
information that it receives through the Top-Screen. One industry
association suggested that facilities should be allowed to explain
``yes'' responses before DHS drives the facility to a full Security
Vulnerability Assessment. The association suggested that facilities
should not be the ones to estimate consequences, particularly injuries,
and that DHS should refine the definition of injuries. The association
stated that DHS should have different requirements for facilities that
only periodically have certain materials onsite. One association
cautioned about using RMP data and advocated for DHS to use conversion
factors to make estimates of casualties.
Several commenters were concerned about the questions in the Top-
Screen that related to economic impacts. Several associations indicated
that DHS should use a sufficiently high threshold for economic impacts
that captures the full extent of economic impacts. They noted that a
facility should consider all impacts, not just the impacts to one
facility. One association commented that most facilities will not be
able to provide answers to the questions in the Top-Screen that ask
about a facility's market share for given chemicals. That association
suggested that DHS re-phrase those questions to support yes/no answers
or to allow facilities to use broad ranges.
Several associations commented that the submitting company, not
DHS, should determine the most appropriate person to submit data. A
number of parties commented on DHS's subsequent use of the data that is
collected through the Top-Screen. One association commented that any
information must have demonstrated utility before it is shared with
anyone.
As for timing, commenters, including State agencies, requested that
DHS provide facilities with the specific timing requirements for
completing the Top-Screen. One industry association recommended that
DHS use phased-in timing for having facilities complete the Top-Screen.
A number of commenters from State agencies and industry associations
suggested the need for DHS to provide active, written notification that
a facility is not high risk--and for telling facilities that they need
to comply with the regulation. One association suggested that DHS
provide this notification immediately upon the facility's submission of
data.
Finally, a number of company and industry association commenters
wanted to make sure that facilities have the opportunity to conduct
independent evaluations (or meet with DHS) to verify or deny DHS's
initial classification of a facility's risk.
Response: In this regulatory program, DHS will employ a modified
version of the Risk Analysis and Management for Critical Asset
Protection (RAMCAP) risk assessment methodology known as the Chemical
Security Assessment Tool, or CSAT. The RAMCAP Sector Specific Guidance
was developed under contract to DHS by the ASME Innovative Technologies
Institute (ASME-ITI) and leveraged the knowledge and insight of leading
experts from across the industry and Federal Government. The DHS Risk
Assessment Methodology is composed of two separate parts. The first
part is a screening tool known as the Top-Screen, which is used to
perform a preliminary ``consequence'' analysis. The second part
provides the tools to conduct a thorough facility Security
Vulnerability Assessment.
DHS is using a standard vulnerability tool, the CSAT system,
because it is not practical for DHS to accept a broad spectrum of
methodologies. Even where certain ``equivalencies'' exist between
methodologies, the equivalencies can only be extracted and employed in
a comparative risk analysis at very great cost and over a very long
period of time. In order to effectively manage risk at the national
level, the Department must be able to develop and understand the
relative risk of different facilities. A comparative risk capability is
essential to regulation and can be achieved only through the collection
of comparative data. Thus, a standard vulnerability tool is necessary.
The Department has vetted the CSAT system with the engineering
profession, the National Laboratories, and academia. The Top-Screen
component, as well as the individual algorithms employed in the Top-
Screen, have been subject to extensive peer review and have been found
acceptable. While the Top-Screen is consequence-specific, DHS uses the
Top-Screen only to determine a preliminary tier ranking. DHS bases a
facility's final tier ranking upon the complete Security Vulnerability
Assessment, as well as the application of threat information--and thus
it is risk-based.
Insofar as the range of facilities possessing dangerous or
potentially dangerous chemicals is large, there is no good alternative
to a fairly broad range of facilities being included in the screening
process. DHS anticipates that the vast majority of screened facilities
will be found not to have a level of potential consequences that would
result in a ``high risk'' designation. However, the facilities that do
achieve that level of consequence are expected to come from a fairly
broad swath of the Nation's economy. DHS has no intention of
classifying facilities as presumptively high risk until and unless DHS
is unable to acquire sufficient data.
The Top-Screen will enable DHS to determine a preliminary tier
based on consequence. That ranking will determine the need for (and
timeline for) a Security Vulnerability Assessment, and where the Top-
Screen indicates the need for a follow-on Security Vulnerability
Assessment, DHS will expect that the owner-operator will comply. The
Department will require facilities to submit the Top-Screen within the
timeframes now specified in Sec. 27.210. The Department notes that the
Top-Screen is designed to preclude a large number of ``false
negatives.''
DHS is establishing the entire CSAT system as an on-line suite of
tools, which will allow notification of results to the owner or
operator. As provided in Sec. 27.205, the Department ``shall notify
[[Page 17701]]
the facility in writing [of a determination that the facility presents
a high level of security risk].'' While the online feature of the CSAT
system will allow rapid results, it will not allow the Department to
respond instantaneously, as some commenters requested. Finally, the
Top-Screen tool does require the owner-operator to provide certain data
similar to an RMP analysis; however, casualty estimates and consequence
ranking are performed by DHS using well-vetted formulae.
Regarding economic criticality, DHS recognizes the complexity of
estimating potential economic or mission impact stemming from the loss
of certain manufacturing (or other) capacity. Accordingly, DHS will
focus early efforts on developing a sufficiently clear picture of the
chemical industry as a system in order to allow a reasonable analysis
of economic and mission criticality, which will be enhanced as the
Department moves forward.
2. Assessment Methodologies
Comment: Many commenters provided input on methodologies that DHS
should use for determining which facilities present a high level of
risk, and several commenters had suggestions as to how DHS should
determine which facilities are high-risk. One association asserted that
DHS needed to clearly define the ``risk of interest'' before DHS could
determine which methodology to use. One (non-chemical) company
suggested that DHS use other Federal programs such as the EPA's Toxics
Release Inventory or the Superfund Amendments and Reauthorization Act
(SARA) Tier II annual reports to determine high risk facilities.
Commenters addressed the suitability of both asset- and scenario-based
approaches, with the majority favoring an asset-based approach.
Commenters suggested that DHS consider specific methodologies developed
by associations, national laboratories, or State and Federal agencies.
One association suggested that DHS use other methodologies while RAMCAP
continues to develop and mature. State agency commenters warned that
the question of which facilities pose a high risk is a community-
specific issue.
Many comments were very specific as to how DHS should proceed, and
what tools DHS should employ. For example, an engineering firm focused
on the need for process-based assessments. A chemical company noted the
need for any approved methodology to also consider the criticality of
surrounding and supporting infrastructure in a reasonable manner--that
is, one that is within the expertise of the facility personnel.
Many commenters also focused on various aspects related to RAMCAP.
One commenter asserted that RAMCAP might not adequately identify high-
risk facilities. Another commenter asked who owns RAMCAP. Several
commenters noted that the RAMCAP approach was not designed to address
control system cyber security. Another commenter felt that DHS provided
inadequate detail on the RAMCAP methodology and noted that DHS should
define the method before DHS solicits comment. Several commenters also
pointed out that RAMCAP's lack of details on vulnerability team
composition and experience could be a limitation. Some of RAMCAP's
developers took issue with deviations from the original RAMCAP design.
Another commenter pointed out the need for DHS to include proper
references to the RAMCAP and its genesis.
Also related to RAMCAP, some commenters expressed concern with the
details in Appendix B, ``Background: Risk Analysis and Management
Critical Asset Protection (RAMCAP) Vulnerability Assessment
Methodology.'' In particular, some expressed concern about expectations
that the noted threat scenarios would be analyzed as design basis
threats. The commenters noted that many of the scenarios require
military support to defeat, and that appears to be beyond the
capability of a chemical facility to address. Associations noted that
scenarios can be useful in a comparative top-screen, but that they
should not guide all facility-specific assessments. One company opined
that the threats needed to be more realistic before they were used in
any assessments.
Finally, one chemical company commented that DHS needs to list in
the rule the specific threats that facilities need to address in their
SSP. Also, the company indicated that DHS, not individual companies,
should determine deaths and injuries.
Response: In the Advance Notice, DHS sought to provide an overview
of RAMCAP and the DHS Methodology Assessment in the preamble (see,
e.g., pp. 78277-78288) and in Appendix B. As there seemed to be
confusion about the nature and purpose of RAMCAP and the DHS Assessment
Methodology (or CSAT) and its purpose, DHS provides further explanation
here.
The CSAT vulnerability assessment tool, part of the CSAT system
owned by DHS, is an asset-based vulnerability assessment tool very
similar to the Chemical Sector RAMCAP module. The CSAT system employs a
set of defined attack vectors, used to both ``produce'' consequences
(for the measurement of criticality) and to measure vulnerability.
These are not ``Design Basis'' threats and in no way reflect the type
of actual threats against which owner-operators will be expected to
``defend.'' They are measurement devices, supporting the DHS need to
conduct comparative risk analysis. The CSAT tool does include basic
assessments of certain types of cyber systems, and certain features
thereof. However, the CSAT tool is not intended to be a full-scope,
detailed analysis of all possible areas of vulnerability. It is a
measurement tool that will allow general categorization of a facility
as vulnerable or not, critical or not, and thus, at risk or not. DHS
will undertake detailed evaluations of specific security issues as part
of the ongoing relationship between the facility owner-operator and
DHS. The assessment tool that DHS uses to conduct comparative risk
assessments must be uniform and consistent in order for DHS to use it,
and so a ``menu'' of different methodologies is simply not practical.
Finally, DHS notes that there were several comments from companies,
encouraging the Department to adopt or require their own methodology or
technique. DHS is unaware of the extent of peer review or scientific
evaluation of these other methodologies or techniques. In addition, DHS
does not believe it is appropriate to identify a single commercial
product or endorse particular commercial products for purposes of
complying with this rule.
3. Risk-Based Tiers
In the Advance Notice, the Department asked for comment on the
notion of risk-based tiering of high-risk facilities. Specifically, the
Department asked how many risk-based tiers should the Department
create, what the criteria should be for differentiating among tiers,
what the types of risk should be most critical in the tiering, how
should performance standards differ among risk-based tiers, what
additional levels of regulatory scrutiny should DHS apply to each tier.
71 FR 78276, 78283.
Comment: Most commenters supported the establishment of risk tiers
and agreed that three or four tiers would be sufficient. Several
comments, including industry commenters, State agencies, and a member
of Congress believed that DHS should base tiering on the attractiveness
of the facility as a target or the consequences of a terrorist attack,
such as adverse impacts on public health and welfare, the potential for
mass casualties, and disruption of
[[Page 17702]]
essential services. The commenter indicated that the creation of tiers
would allow facilities to maintain security measures commensurate with
risk.
A few commenters suggested that DHS did not provide enough
information in the Advance Notice on the number of tiers or on how a
tier classification would affect a facility's security requirements.
Two industry commenters were concerned that DHS might apply the rule
requirements to facilities other than those that pose the highest
security risk. Two other commenters believed that the tiering approach
is not appropriate for cyber security of control systems. One commenter
argued that tiers should include consideration of the transportation of
chemicals outside the facility property. Another commenter recommended
that DHS should modify the tiers after it receives data from regulated
facilities. Another commenter thought that DHS should define ``present
high levels of security risk'' and ``high risk'' at the end of the
RAMCAP process and not at the discretion of the Secretary.
Commenters suggested that tiers should be objective and transparent
and should provide flexibility. One industry commenter pointed out that
tiering allows DHS to focus on the most important facilities first and
believed that DHS should establish a de minimis tier that sets
thresholds below which a facility does not have to complete the Top-
Screen tool. Two commenters noted that tiering provides an incentive
for facilities to eliminate risk.
Some industry commenters and State and local agencies suggested
that facilities in higher risk tiers should have more contact with DHS,
and that lower-risk facilities should have fewer security layers
implemented over a longer period of time, greater discretion, or fewer
inspections. One commenter, however, believed there should be no
difference in regulatory scrutiny or performance standards between
tiers.
Response: The Department agrees with many of the commenters that
the risk-based tiering structure will allow DHS to focus its efforts on
the highest risk facilities first. To that end, the Department intends
to retain the model proposed in the Advance Notice. See, e.g., 71 FR
78276, 78283. In sum, the Department's framework for risk-based tiering
will consist of four risk-based tiers of high-risk facilities, ranging
from high (Tier 1) to low (Tier 4). The Department will use a variety
of factors in determining which tier facilities will be placed,
including information about the public health and safety risk, economic
impact, and mission critical aspects of the given chemicals and
Threshold Quantities (TQ) of the chemicals. The Department considers
the methods for determining these tiers to be sensitive anti-terrorism
information that may be protected from further disclosure. The types
and intensity of security measures (necessary to satisfy the risk-based
performance standards in the facility's Site Security Plan) will depend
on the facility's tier. The Department will mandate the most rigorous
levels of protection and regulatory scrutiny for facilities that
present the greatest degree of risk. Finally, pursuant to Section
550(a), it is in the discretion of the Secretary to apply regulatory
requirements to those facilities that present high levels of security
risk; accordingly, the Department believes it is most appropriate for
the Secretary to determine which facilities present high-risk (and not,
for example, rely solely on output from the CSAT process).
The Department incorporates the concept of ``target
attractiveness'' into its risk equation. Insofar as it is a fairly
subjective element, and that it requires considerable analysis to
develop, DHS will not incorporate it into the initial tier assignment
process. However, insofar as ``target attractiveness'' is included in
the more detailed Security Vulnerability Assessment component of the
regulatory process, and insofar as the final determination of tier
placement will be based upon the complete analysis of risk, ``target
attractiveness'' will, in fact, be an important element in tier
assignment and subsequent risk management efforts.
C. Security Vulnerability Assessments and Site Security Plans
1. General Comments
Comment: One association requested that DHS encourage, but not
require, facilities that are not high-risk to conduct vulnerability
assessments as a best practice.
Response: The Department has always encouraged the chemical sector
to analyze security vulnerabilities and will continue to do so through
voluntary sector efforts even if the site has not been designated as
high risk under this rule.
Comment: One commenter requested that DHS define ``material
modifications,'' as used in Sec. Sec. 27.215(c)(3) and 27.225(b)(3),
or at least provide examples of circumstances or events that rise to
the level of ``material modifications.''
Response: Material modifications can include a whole host of
changes, and for that reason, the Department cannot provide an
exhaustive list of material modifications. In general, though, DHS
expects that material modifications would likely include changes at a
facility to chemical holdings (including the presence of a new
chemical, increased amount of an existing chemical, or the modified use
of a given chemical) or to site physical configuration, which may (1)
substantially increase the level of consequence should a terrorist
attack or incident occur; (2) substantially increase a facility's
vulnerabilities from those identified in the facility's Security
Vulnerability Assessment; (3) substantially effect the information
already provided in the facility's Top-Screen submission; or (4)
substantially effect the measures contained in the facility's Site
Security Plan.
2. Submitting a Site Security Plan
Comment: Several industry commenters recommended changes to the
proposed process for notifying facilities to submit SSPs and the timing
for submitting the SSPs. A number of commenters believed that the most
appropriate person to submit an SSP is a corporate representative with
first-hand knowledge of security matters at the facility, rather than
an officer of the corporation, as proposed. The comments recommended
allowing a corporate security contact, a security manager, or a
consultant with delegated authority to submit information on behalf of
the corporation. The commenters indicated that, in most instances,
members of senior management teams do not have day-to-day detailed
knowledge on security issues and, thus, cannot meet the proposed
qualifications. One of the commenters added that the proposed
regulations appear to limit an organization's flexibility to assign
internal responsibilities for various aspects of the regulations.
Another commenter suggested that, in addition to notifying a covered
facility, the Department should notify the facility's corporate
ownership (and/or parent corporation) allowing a multi-facility
corporation to prepare and submit a response in an efficient and timely
manner.
Response: The goal of this rule is to increase flexibility while
embracing security for covered facilities, not to unnecessarily
decrease flexibility. The rule obligates the chemical facility to
submit the Site Security Plan; however, as used herein, the term
chemical facility or facility shall also refer to the owner or operator
of the chemical facility. While the owner or operator of
[[Page 17703]]
a chemical facility may designate someone to submit the Site Security
Plan, the owner or operator is responsible for satisfying all the
requirements under this part. Note that the Department has added
requirements for submitters in the rule (see Sec. 27.200(b)(3)) and
that the Department discusses those new requirements in the Rule
Provisions discussion of Sec. 27.200. See Sec. II(B). Finally, it is
presumed that the covered facility is the most appropriate party to
notify its parent corporation or other related corporate entities as
necessary.
3. Content of Site Security Plans
Comment: One commenter stated that, until some of the initial
regulatory elements regarding definition of risk and the establishment
of tiers is in place, it would be premature for DHS to publish details
on Site Security Plans. Another commenter stated that, based on the
consequence assessment, every site should be required to have specific
security elements in place that prudently deter, detect, delay, and
respond based on their assigned tier level. The commenter also stated
that, without some degree of access control and physical security
specificity based on tier levels, there will be considerable confusion
as to the exact considerations needed to meet Department requirements.
Another commenter encouraged DHS to abide by the congressional mandate
of Public Law 104-113, as described in OMB Circular A119, and ensure
that voluntary consensus codes and standards are used when they are
applicable under the rule.
Response: The Department has developed a means of assessing risk
and a tiering process as described in Sec. Sec. 27.205 and 27.220.
These methods anticipate, on a risk basis, a certain level of
vulnerability for a given tier level. A facility's SSP will describe
the appropriate levels of security measures that a facility must
implement to address the vulnerabilities identified in their SVA and
the risk-based performance standards for their tier. The Department has
included risk-based performance standards in this interim final rule
and will publish further guidance on the risk-based performance
standards. The risk-based standards address, among other things,
vulnerabilities under the security concepts of detection, deterrence,
delay, and response. Finally, the Department notes that covered
facilities may use and cite voluntary consensus codes and standards in
their SVAs and SSPs to the extent they are appropriate.
4. Approval of Site Security Plans
Comment: In general, commenters supported the proposed submission
and approval processes for SSPs. While one commenter endorsed proposed
Sec. 27.240(a)(3) stating that the Department will not disapprove an
SSP based on the presence or absence of a particular security measure,
another commenter believed that the Department should have the
authority to disapprove an SSP if a facility has refused to include a
widely-practiced and cost-efficient procedure that can severely reduce
the risk posed by a chemical facility. Two commenters requested that
the Department inform local law enforcement and first responders when
the Department is reviewing an SSP in their community and then inform
them whether that plan was accepted or rejected. The commenters stated
that the health and safety of responders may well depend upon whether
the chemical facility has an adequate SSP.
Response: The Department may not disapprove a Site Security Plan
submitted under this Part based on the presence or absence of a
particular security measure, as provided in Section 550 of the Homeland
Security Appropriations Act of 2007. The Department may disapprove a
Site Security Plan that fails to satisfy the risk-based performance
standards established in Sec. 27.230.
The Department intends to work closely with local law enforcement
and first responders to provide adequate homeland security information
to them under this rule.
Comment: One commenter recommended that the Department first
complete the SSP review and approval process for Tier 1 facilities,
then, after soliciting feedback from the Tier 1 facilities on the
process, then proceed in a step-wise fashion to subsequent tiers.
Response: The Department will implement the rule in a phased
approach but will not necessarily complete all Tier 1 sites prior to
undertaking plan review and approvals with lower-tier chemical
facilities as the need arises. This is necessary to make sufficient
progress with higher-tier chemical facilities and not only the highest
tier.
5. Timing
Comment: One concern raised by an industry association related to
DHS's resources for reviewing Security Vulnerability Assessments and
providing responses in 20 days. Changes to control systems were
suggested for reviews and updates within 7 days or sooner. One
commenter agreed with updating SSPs annually, but not Security
Vulnerability Assessments. Several commenters suggested the following
for updates: every 2-5 years for Tier 1 facilities, 3-5 years for Tier
2, and 3-7 years for Tier 3 and beyond.
Numerous reviewers recommended that the reviews be limited to
approximately every three years. Two companies and one industry
association wanted reviews to follow major changes and not follow a set
schedule. Many reviewers wanted periodic replaced with a suggested
frequency.
Several commenters stated that the requirement to submit SVAs
within 60 calendar days, and SSPs within 120 calendar days, starting on
the date that the facility is notified that it is considered high-risk,
is too short, and therefore inadequate. One commenter noted that
managing change in a safe fashion requires significant thought and
careful planning to ensure that the change itself does not create
another hazard to the community, the environment, or employees. The
commenter also noted that developing and implementing an SSP that
properly mitigates risk requires the security manager to make
appropriate revisions to existing facility procedures and to train
employees and other affected parties on these new procedures. Another
commenter expressed concern that there is no specific date or time by
which DHS must notify high-risk chemical facilities of their status.
Likewise, there is no firm time by which the Secretary will send out a
notice approving or disapproving an SSP.
With regard to the time needed to review an SSP, one commenter
stated that DHS should issue a decision approving or disapproving them
within 30 days of receipt of a completed plan. This timeframe would
bring at least most priority facilities into compliance within seven
months of the effective date. The commenter also stated that, given the
urgency, any ``objections'' or ``appeals'' should be processed after
the seven-month schedule is completed. Because of concern that DHS
staffing levels might delay the processing of SSPs, another commenter
requested a provision be included in the interim final rule indicating
that facilities are deemed in compliance after 30 days of submission of
SVAs and SSPs until such time that the Department reviews and responds
to the submission.
A few commenters recommended that the deadline for Tier 1
facilities to submit SSPs be extended from 120 days to 180 days. The
commenters believe that this extension would assure facilities adequate
time to assemble the
[[Page 17704]]
best teams, prepare thorough SVAs, deal with budget planning for
potentially large capital expenditures, and ensure the on-site work is
properly conducted. Another commenter agreed that the proposed
submission schedule for submitting SSPs was unrealistic in light of the
tasks involved. The commenter also thought that, if DHS found fault
with a provision of the SVA, it would be unreasonable to begin
development of an SSP based upon a potentially flawed assessment.
Consequently, the commenter argued that the submission time of 120 days
should be started only after the Department's approval of the SVA is
formally received. Yet another commenter believed that submission of
SSPs should be timed according to the tier assigned to the facility and
that the time clock should begin when the facility receives word back
from the Department on its preliminary tier assignment.
Response: The Department has established a schedule for activities
under this part that considers the need to generally address the risks
associated with higher tier facilities before that of lower tiers, but
staggers the submittals and review and inspection activities. The
Department has developed the Chemical Security Assessment Tool (CSAT)
to assist chemical facilities with all of the program requirements
(registration, screening, SVA, and SSP). In addition, because
information from the CSAT applications will be in electronic form, DHS
will be able to expedite its review of the information that chemical
facilities submit. These deadlines are both prudent and achievable. DHS
expects that it will complete its review of the Top-Screen, SVA, and
SSP within 60 days of the facility's submission of the Top-Screen, SVA,
or SSP.
6. Alternate Security Programs
Comment: The use of alternate security programs was supported by
several chemical companies and associations as well as companies and
associations in related industries. A chemical company agreed with the
concept of initially allowing multiple methodologies and then switching
to a common methodology for at least the Tier 1 facilities; they
encouraged DHS to still allow alternate approaches for other tiers.
This viewpoint was echoed by at least one association. Several
companies wanted to ensure that existing plans could be used and one
association noted that more methodologies than just those approved by
the Center for Chemical Process Safety (CCPS) would be appropriate.
Commenters also noted that CCPS should not be the sole arbiter unless
DHS periodically reviews its resources and expertise.
A number of industry associations offered their own approaches and
a food industry association commented on the need to keep their current
programs in place and to not unduly focus on ammonia refrigeration
risks. MTSA-, Sandia-, and NFPA-approved programs were among those
mentioned by the commenters, as were those allowed under other
regulations. Some commenters found the specific process for approval of
alternative programs to be lacking in detail. One association requested
that submitters just send in a form saying they have an alternate
security plan, and not require any other document be submitted for
approval.
An advocacy group commented that alternate approaches needed to be
equivalent to the DHS approach, not just sufficiently similar, and that
DHS should approve equivalent State and local programs. Another
advocacy group suggested that DHS should only determine equivalency
based on reviews of individual SSPs, not in any blanket or broad way. A
third advocacy group supported a single, consistent approach set out by
DHS with private sector programs being modified to conform to the DHS
approach. One commenter noted that the specification of RAMCAP may have
created an unfair playing field for other firms wanting to visit the
source company for RAMCAP.
Response: The Assistant Secretary will review and may approve an
ASP upon a determination that it meets the requirements of this
regulation and provides an equivalent level of security to the level of
security established by this part. In its ASP submission, a facility
will have to provide sufficient information about the proposed ASP to
ensure that the Department can adequately perform a review and make an
equivalency determination.
As described below, certain facilities may submit an ASP in lieu of
an SVA, an ASP in lieu of a SSP, or both. Accordingly, the ASP option
will only be available following the facility's submission, and
Department's review, of the Top-Screen. An ASP for an SVA will need to
satisfy the requirements provided in Sec. 27.215, and an ASP for an
SSP will need to satisfy the requirements provided in Sec. 27.225. The
ASP for the SSP will need to describe specific security measures, or
metrics for measures, that will allow the ASP to be considered
equivalent to an individually-developed SSP, and facilities
implementing an ASP will be subject to DHS inspection against the terms
of the ASP.
At this time, the Department will only permit Tier 4 facilities
(found to be Tier 4 facilities following the Department's preliminary
tiering decision pursuant to Sec. 27.220(a)) to submit an ASP in lieu
of an SVA. Tier 4 facilities may submit for review and approval the
Sandia RAM for chemical facilities, the CCPS Methodology for fixed
chemical facilities, or any methodology certified by CCPS as equivalent
to CCPS and has equivalent steps, assumptions, and outputs and
sufficiently addresses the risk-based performance standards and CSAT
SVA potential terrorist attack scenarios. The Department is requiring
Tier 1, Tier 2, and Tier 3 chemical facilities to use the CSAT SVA
methodology for preliminary and final tiering. As discussed above in
the summary of changes to Rule Provisions, this will provide a common
platform for the analysis of vulnerabilities and will ensure that the
Department has a consistent measure of risk across the industry. With
respect to SSPs, the Department will permit facilities of all tiers to
submit ASPs to satisfy the requirements of this rule.
The Department modified Sec. 27.235 to reflect these requirements.
The Department also amended the regulation to link the review and
approval procedures for ASPs to the review and approval procedures for
SVAs and SSPs.
D. Risk-Based Performance Standards
In the Advance Notice, DHS sought comment on the use of risk-based
performance standards to address facility-identified vulnerabilities.
The Advance Notice proposed that DHS require covered facilities to
select, develop, and implement security measures to satisfy the risk-
based performance standards in Sec. 27.230. The measures sufficient to
meet these standards would vary depending on the covered facility's
risk-based tier. Facilities would address the performance standards in
the facility's Site Security Plan, and DHS would verify and validate
the facility's implementation of the Site Security Plan during an on-
site inspection.
1. General Approach to Performance Standards
Comment: The majority of the commenters supported the proposed
regulatory approach due to the flexibility that the risk-based
performance standards provide to the regulated community in choosing
security measures for their respective facilities. The proposed
approach acknowledges the fact that each of the facilities faces
different security challenges. A few commenters noted
[[Page 17705]]
that the goal of the performance standards should be to reduce
vulnerabilities identified in the SVA, not necessarily reduce all
potential consequences or mandate the use of specific countermeasures.
By contrast, some other commenters opposed the Department's
proposed regulatory approach, noting various reasons: that the Advance
Notice was too prescriptive in certain areas; that performance
standards are open to interpretation and thus can become discretionary,
interpretive, and sometimes arbitrary; that chemical companies may be
allowed under the rule to make risk reduction determinations based on
their available risk reduction budget, rather than on the actual
elimination or reduction of the most serious risks; that the rule
allows enormous flexibility and variability in the documents that
facilities can submit to the Department, which could make program
review difficult and hinder any comparative analysis of risk reduction
efforts among similar sites.
Response: The Department's statutory authority mandates the
issuance of performance standards. Section 550 requires the Department
to issue interim final regulations ``establishing risk-based
performance standards for security chemical facilities.'' See Sec.
550(a). Also, as noted in the Advance Notice, Executive Order 12866
also directs federal agencies to use performance standards. See 71 FR
78276, 78283. Performance standards avoid prescriptive requirements,
and although they provide flexibility, they still establish and
maintain a non-arbitrary threshold standard that facilities will have
to reach in order to gain DHS approval under the regulation. The
ultimate purpose of the performance standards is to reduce
vulnerabilities, and that is regardless of risk reduction budgets.
With respect to documentation, except as provided in Sec. 27.235
for Alternative Security Programs, DHS is requiring facilities to
electronically submit all documentation required for analysis and
approval. Facilities will complete the Top-Screen, Security
Vulnerability Assessment, and Site Security Plans through the online,
Web-based CSAT system. This electronic submission will minimize the
variability concerns and allow DHS to manage and protect information.
Comment: Regarding the application of the performance standards,
some commenters thought that facilities should not have to address all
performance standards (listed in Sec. 27.230) in their Site Security
Plan and should only have to address those performance standards that
directly apply to its facility and its risk-based tier. One commenter
thought that, in certain circumstances, a covered facility should be
able provide adequate chemical security without implementing every one
of the risk-based performance standards. The commenter stated that the
regulations should allow for situations where the facility can
demonstrate that, under its particular circumstances, one or more of
the risk-based performance standards is unnecessary or redundant.
Response: Congress intended for the performance standards to
provide facilities with a degree of flexibility in the selection of
security measures, and the Department has tried to provide that
flexibility throughout the rule. DHS expects that a facility will need
to address only those performance standards that apply directly to
their facility. In addition, DHS notes that there may be circumstances
in which a facility needs not implement one or more of the risk-based
performance standards and will still be able to provide adequate
chemical security; the Department will work with these facilities on a
case-by-case basis in these specific situations.
Comment: Several commenters stated that the proposed standards do
not include clear security goals, outcomes, or results to measure
increased security. They also asserted that DHS should develop a
measurement of vulnerability or risk reduction. One commenter suggested
that chemical facilities should identify operational and protection
goals and that the protection system should be evaluated with respect
to meeting these goals. Another commenter suggested that DHS express
the performance standards in terms of overall vulnerability scores as
measures via a common Security Vulnerability Assessment methodology.
This alternative would allow facilities to devote their security
expenses to those measures that would produce the greatest
vulnerability reductions and would result, nationally, in the greatest
amount of overall vulnerability reduction per dollar spent.
Response: DHS intends for the risk-based performance standards to
provide facility owners with the flexibility to choose security
measures in their Site Security Plan that will reduce the facility's
level of risk. The Security Vulnerability Assessment process, and DHS's
resulting placement of the facility within the tier structure, will
provide facility owner-operators with an indication of their level of
risk.
Comment: Many commenters supported DHS's intention to issue
guidance to assist the regulated community in the interpretation and
application of the proposed performance standards. They encouraged the
Department to work with the regulated community on the development of
such guidance. However, some of these same commenters also emphasized
that, to effectuate Congress' intention that the chemical security
requirements be risk-based performance standards rather than
prescriptive requirements, DHS must explicitly make the guidance non-
binding. Consistent with the comments about CVI, one commenter
discussed the importance of limiting public access to the completed
guidance since it could serve as a roadmap for terrorists.
Response: DHS intends to release non-binding guidance on the
application of the performance standards in Sec. 27.230 to the risk-
based tiers of covered facilities. This guidance will contain sensitive
information concerning anti-terrorism measures, and DHS will make that
guidance available to those individuals and entities with an
appropriate need for the document. DHS will provide the guidance to the
House of Representatives Committee on Homeland Security and the Senate
Committee on Homeland Security and Governmental Affairs.
2. Comments About Specific Performance Standards
Comment: Several commenters requested clarification about the
performance standards in proposed Sec. 27.230(a). A few asked whether
paragraph (a)(5) is intended to cover all Department of Transportation
hazardous materials and whether it is intended to cover transportation
and storage of hazardous materials. One suggested that paragraph (a)(5)
should include a provision for securing and monitoring the storage of
hazardous materials, in addition to securing and monitoring the
shipping and receipt of hazardous materials. Commenters also requested
that DHS have facilities report significant security incidents to local
law enforcement in addition to the Department. Another commenter
indicated that the Department should require the following additional
elements in the performance standards: written job descriptions for
security personnel, adequate response teams and resources, safe
shutdown procedures, evacuation procedures, and decontamination
facilities. In addition, another commenter asked that DHS define
``dangerous substances and devices'' as used in Sec. 27.230(a)(3)(i),
``potentially dangerous chemicals'' as used in Sec. 27.230(a)(6), and
``significant
[[Page 17706]]
security incidents'' and ``suspicious activities'' as used in
Sec. Sec. 27.230(a)(15) and 27.230(a)(16). Another commenter asked to
whom facilities should report ``significant security incidents.''
Response: These comments relate to the measures that facilities
must select, develop, and implement in their Site Security Plans. The
Department will provide information in guidance to facilities on these
measures. That might include information on the meaning of these terms,
details on the parties to whom facilities should report security
incidents and suspicious activities, and explanations about the role of
local law enforcement (e.g., the Department's recognition that some
investigations of potentially illegal conduct may be the role of local
law enforcement).
In addition, DHS also notes that it has made a few changes to the
regulatory context based on these comments. As discussed in the summary
of regulatory text changes, the Department has revised paragraphs
(a)(5), (8), (12), and (15).
Comment: Several comments discussed the need for approaches that
address cyber security risks, with several asserting that it is not
sufficient for DHS to consider security only from a physical
perspective. Commenters opined that there were very few specific
references to cyber security in the Advance Notice, even though it is
important. Some commenters suggested that DHS should address cyber
security in more detail in its own performance standard (i.e., a
performance standard that only addresses cyber security), while others
suggested that DHS should integrate cyber considerations into other
performance standards. Other commenters asked DHS to identify the scope
of ``cyber'' security and ``other sensitive computerized systems'' in
paragraph (a)(8).
Commenters also raised other issues related to cyber security. One
commenter mentioned that cyber or joint physical/cyber intrusions could
create dangerous chemicals that did not previously exist. Consequently,
commenters thought that DHS should address these contingencies in the
screening process and/or issue an expansive list of chemicals. Other
commenters noted that the RAMCAP approach was not designed to address
control system cyber security. A few other commenters believed that the
tiering approach is not appropriate for cyber security of control
systems. Additionally, commenters mentioned that it is important to
consider that facilities with interconnecting electronic systems could
face additional threats as one site's vulnerability poses a risk to
other connected sites.
Response: The Department recognizes that cyber security is an issue
and has included cyber security as one of the performance standards
that facilities must address in their Site Security Plans. Paragraph
(c)(8) requires facilities to select, develop, and implement measures
that ``deter cyber sabotage.'' In addition, the Department notes that
it has implemented an assessment of cyber vulnerabilities for
industrial control systems within the CSAT Security Vulnerability
Assessment. The Department has accomplished this through the assistance
of DHS's National Cyber Security Division (NCSD). DHS appreciates the
complexity and uniqueness of addressing cyber security with chemical
facilities and anticipates that the CSAT will mature over time,
especially with the constructive feedback from interested and
knowledgeable parties.
Comment: The Department received numerous comments on its use of
the acronym ``SCADA'' in Sec. 27.230(a)(8). Commenters asserted that
SCADA refers to a central control system that monitors and controls a
complete site or a system spread out over a long distance. They noted
that using the term SCADA to represent cyber systems at chemical
facilities is too narrow and suggested that the Department should
replace the term SCADA with ``Industrial Control Systems.''
Response: While the Department had used the acronym ``SCADA''
(Supervisory Control and Data Acquisition) in the Advance Notice as
shorthand for instrumented control systems in general, the Department
agrees with the comments and has incorporated broader, more descriptive
terminology into this performance standard. The Department has revised
Sec. 27.230(a)(8), so that it reads as follows: ``Each covered
facility must select, develop, and implement measures designed to: * *
* [d]eter cyber sabotage, including by preventing unauthorized onsite
or remote access to critical process controls, such as Supervisory
Control and Data Acquisition (SCADA) systems, Distributed Control
Systems (DCS), Process Control Systems (PCS), Industrial Control
Systems (ICS), critical business systems, and other sensitive
computerized systems.''
3. Variations in Performance Standards for Risk Tiers
Comment: Several commenters supported the use of risk-based tiers,
with several recommending that DHS consult with industry in the
development of specific performance standards for each tier. Various
commenters favored the Department's proposal to place high-risk
facilities in risk-based tiers and to prioritize the implementation
phase-in and the level of regulatory scrutiny (i.e., frequency of
regulatory reviews, inspections and SVA/SSP updates) based on the
facility's risk and associated tier. Commenters noted that DHS should
require facilities in higher risk tiers to develop more robust measures
to meet the performance standards.
In contrast, a few other commenters had differing opinions. A small
number of comments cautioned that performance standards should be
consistent across all tiers, regardless of the level of risk. These
commenters noted that DHS should adjust the specific measures, not the
performance standards, to match the level of risk. In addition, one
commenter stated that DHS should not establish risk-based tiers and
should instead identify the criteria for those facilities that will be
regulated and those that will not. If DHS were to establish tiers, that
commenter thought DHS should limit the tiers to high or low risk.
Response: As discussed above in Section III(B)(3), DHS is creating
four risk-based tiers, with the highest risk facilities in the top tier
(i.e., Tier 1). The types and intensity of security measures
(sufficient to satisfy the risk-based performance standards in the
facility's Site Security Plan) will depend on the facility's tier. For
facilities that present the greatest degree of risk, more rigorous
security measures will be needed to satisfy the performance standards.
The Department will use a higher level of regulatory scrutiny for
facilities that present the highest risk.
DHS consulted with the chemical industry in developing the tier
system and performance standards. In adopting the four tier system and
applicable risk-based performance standards, DHS intends to employ a
scalable performance standard across the tiers, i.e., within the same
performance standard, a more robust set of security measures will be
needed for a Tier 1 facility than for a Tier 2 facility, for a Tier 2
facility than for a Tier 3 facility, and so on. DHS will ensure that
risk-based performance standards are applied consistently across each
tier, but guidelines for each tier will vary.
Comment: A few commenters also supported the idea that a facility,
which the Department has previously determined is ``high risk,'' can
request that the Department move it to a lower tier if it has
materially altered its operations in a way that significantly
[[Page 17707]]
lowers its potential vulnerabilities and consequences.
Response: Pursuant to Sec. 27.205(b), ``if a covered facility
previously determined to present a high level of security risk has
materially altered its operations, it may seek a redetermination by
filing a Request for Redetermination with the Assistant Secretary, and
may request a meeting regarding the request.'' DHS has retained that
provision in this interim final rule. This provision allows DHS to re-
evaluate risk based upon changes at the facility in process, chemistry,
or other factors. DHS, through the Assistant Secretary, intends to
evaluate such proposed measures on a case-by-case basis.
In evaluating the redetermination, DHS will consider whether the
planned action actually reduces risk (as opposed to simply ``moving''
the risk into the community around the facility) and does so without
compromising security. Where these parameters are met, DHS will approve
the plan and re-evaluate the tier placement for the facility in
question. Pursuant to Sec. 27.205(b), the Assistant Secretary will
notify the facility of the Department's decision on the Request for
Redetermination within 45 calendar days of receipt of such a Request or
within 45 calendar days of a meeting regarding the Request.
Comment: One commenter noted that how performance standards vary
across tiers would depend on the criteria used to establish the tiers.
Response: DHS will assess all facilities based upon worst plausible
case scenarios as applicable to each facility.
4. Adoption of MTSA Provisions
The Advance Notice solicited comment on whether DHS should adopt
various provisions from MTSA as elements of the chemical security
program. In particular, DHS asked whether it should adopt the following
performance standards in addition to the standards already listed in 6
CFR 27.230: 33 CFR 105.250 (Security systems and equipment
maintenance), 33 CFR 105.255 (Security measures for access control); 33
CFR 105.260 (Security measures for restricted areas); 33 CFR 105.275
(Security measures for monitoring); 33 CFR 105.280 (Security incident
procedures). See 71 FR 78276, 78284.
Comment: Of the several comments received on the request, the
majority opposed adopting the standards, characterizing them as highly
detailed and prescriptive and, as such, incompatible with the risk-
based performance standards proposed for chemical facilities. A
chemical industry association presented an analysis of the four MTSA
standards and concluded that they were largely duplicative of, or
potentially inconsistent with, existing categories of performance
standards presented in the Advance Notice. The commenter stated that
the MTSA standards were not performance standards, but mandatory
particular security measures, in direct conflict with Section 550.
Through a similar section-by-section analysis of the MTSA provisions, a
chemical manufacturer found several provisions to be compatible with
performance standards, but others too prescriptive or incompatible with
activities in chemical facilities.
Another association representing chemical distributors stated that
only a tiny fraction of its members relied on waterways to distribute
chemicals and, accordingly, recommended against adoption of the
standards.
Response: The Department agrees with the commenters who recommended
against adopting the MTSA provisions referred to in the preamble of the
Advance Notice. As the commenters noted, these provisions either
duplicate current standards, conflict with current standards, or
mandate particular security measures in conflict with the statute.
Comment: One association noted that, because many of its members
had facilities on waterways, member companies often developed MTSA-type
approaches to Security Vulnerability Assessments and Site Security
Plans to establish some uniformity across facilities. Another commenter
suggested that when an owner of multiple facilities has some covered by
MTSA and others by the chemical security rules, MTSA could be an ASP if
applied to non-MTSA facilities.
Response: Where the application of MTSA practices is sufficient, it
may be considered a valid ASP. DHS will review and consider adoption of
MTSA plans to non-MTSA facilities on a case-by-case basis. The
Department does not intend to require duplication of effort where
responsible facilities have implemented adequate security measures.
E. Background Checks
Under the Advance Notice, covered facilities would be required to
perform appropriate background checks on and ensure appropriate
credentials for facility personnel and, as appropriate, for unescorted
visitors with access to restricted areas or critical assets.
Comment: Numerous commenters stated that chemical facilities
already screen their employees for their own interests and in response
to government programs. The commenters urged that the level of
screening for existing employees and contractors should be commensurate
with the access provided. While some commenters wanted existing
employees who had undergone employee screening before hire to be
``grandfathered'' from any new requirements, other commenters thought
that existing employees should be subject to screening when they are
assigned to secure areas or have the potential to be reassigned. An
association recommended checking current employees with less than five
years seniority within six months of the effective date of the program
and more senior employees within one year.
Several commenters argued that, extending the proposed requirements
to contractors, subcontractors, truck drivers, and delivery and repair
personnel, and others who are frequently on site, would create serious
difficulties because of the large numbers of individuals in these
categories, the need to have them available on short notice, redundancy
of existing credentials, cost of new credentialing, and delay while
screening is completed. Chemical companies explained that they rely
heavily on contractors and expect the contracting company to be
responsible for assuring that their employees meet security
requirements. Commenters suggested that officers hired by the facility
supervise contractors and sub-contractors without background checks.
The commenters also addressed the types of background checks that
DHS is considering, including the personal information required, and
whether name checks against the Terrorist Screening Database and
fingerprint-based checks for terrorism, criminal history, or
immigration status would be required. A number of commenters urged DHS
to tailor the degree of scrutiny to the degree of employee access to
sensitive locations. Private screening firms described systems that
collect more detailed information and enhanced verification depending
on the applicant's access. Operators of private screening systems state
that they typically rely on the database screens for candidates with
potential terrorist connections. A chemical industry association
supported screening of chemical facility employees for terrorism,
criminal records, and immigration status.
One commenter explained that biometric testing in a chemical
environment can fail because of smudging and deterioration of
fingerprints over time, while another
[[Page 17708]]
believed that adequate field testing had not been completed. Another
commenter explained that biometrics and other verification techniques
will not foil a person who has stolen an identity to pass the screen.
The commenter recommended that authentication techniques, in addition
to validation and verification, be applied to applicants with access to
secure locations. In response to the proposed use of a list of
disqualifying crimes to reject applications for clearance, a number of
commenters urged DHS to restrict the crimes to those that were most
clearly linked to potential for terrorism. The commenters, both unions
and chemical companies, argued that loyal employees can lose their jobs
or fail to qualify for hire because of misdemeanors, such as missing a
few months of child support, or crimes that are not good predictors of
the potential for terrorism. One commenter recommended adoption of an
appeal process that allows a disqualified person to explain why he or
she is no longer at risk, similar to the process under MTSA
regulations.
The preamble also requested comment on whether the access
provisions of the Transportation Worker Identification Credential
(TWIC) Program, Hazardous Materials Endorsement (HME), ATF
requirements, or other structured programs should apply to chemical
facility security programs. A few commenters supported the concept that
the screening required for the TWIC program should be acceptable for
the chemical security program. Indeed, many chemical facilities are on
bodies of water and employees were already compliant with the TWIC
program. Another commenter took the opposite position that the TWIC
program did not provide the customization available in existing
screening systems to grade the level of screening based on employment
and assignment decision. Numerous comments maintained that an employee
or contractor who was credentialed under the TWIC, HME, ATF, or similar
programs should not need additional security screening under the
chemical security program. Related comments requested portability of
security checks for employees or contractors cleared by another
chemical facility. One commenter recommended that DHS establish a
national repository of cleared personnel to minimize redundancy and
expense.
With respect to the question of whether the government should
conduct background checks or whether the industry could use authorized
third parties to conduct the checks, three commenters stated that third
parties were already providing background checks for thousands of
employees of chemical facilities. Other commenters, including
organizations that provided screening services, maintained that
existing programs for screening applicants and employees for chemical
facilities were reliable, effective, and inexpensive. Another commenter
wrote that one program operated through safety councils might be
eligible as an alternate security program, although a chemical company
suggested not using safety councils, because their standards were too
lax.
A few commenters favored the government's undertaking background
checks because, unlike private companies, the government has access to
terrorist databases and FBI databases, and because the government,
unlike employers, would be immune from legal challenges from a rejected
employee. Opposition to government responsibility came from several
commenters who were concerned about slow completion of background
checks, and that the backlog might be exacerbated by a new chemical
security program.
A few commenters, including three unions, strongly urged that the
system provide an appeals process for affected applicants whose
employment prospects in the chemical industry and elsewhere could be
seriously affected by an erroneous determination. Private services
noted that they notified applicants of adverse decisions and allowed
them to contest the decisions.
Response: DHS believes that personnel surety is a key component of
a successful chemical facility security program. This component of the
performance standards will enhance security in what would otherwise be
a significant potential vulnerability. In the Advance Notice, the
Department requested comment on these components of a background check
program: (1) What individuals should have a background check? (2) When
should the check be required? (3) What type of background check should
be conducted? And (4) Should the federal government conduct the check?
We address each of these four issues below.
First, DHS agrees that the level of screening for employees and
contractors should be commensurate with the access provided. As part of
this approach, the facility shall identify critical assets and
restricted areas and establish which employees and contactors may need
unescorted access to those areas or assets, and thus must undergo a
background check. A facility's approach to personnel surety, including
its defined restricted areas, its critical assets, and a list of the
employees requiring background checks, shall be detailed in the Site
Security Plan that the facility submits to the Department for approval.
The rule does not include a provision that would exempt certain
employees from the personnel surety performance standard based on
length of employment at the facility. Merely because an individual has
worked in a chemical facility for a period of time without incident
does not automatically mean that they do not pose a terrorism risk and
should be given free access to restricted areas and critical assets
without a background check. Allowing such access without a background
check presents an unacceptable security risk, and is contrary to the
performance standard on personnel surety. This is not to say, however,
that employers may not consider an employee's prior history of
employment and service in making personnel decisions. It should also be
noted that nothing in this regulation prohibits a person that has been
convicted of a misdemeanor offense from being employed at a high risk
chemical facility.
Second, DHS views the background check process as one of the many
pieces of the Site Security Plan, and as such, will require that it be
completed and submitted with the Site Security Plan. Once the facility
receives the Letter of Authorization under Sec. 27.245 denoting
preliminary approval of the Site Security Plan, the facility may then
proceed with all necessary background checks, if it has not done so
already. All employees required in the SSP to have a background check
should be included in the initial submission and must be duly vetted in
accordance with the plan. This should not cause any interruption in
work.
Third, the Department understands that many covered facilities
already perform background checks on employees and certain contractor
employees, and with some modifications, will allow that process to
continue. In order to perform an appropriate background check for the
purpose of protecting critical assets and restricted areas of high risk
chemical facilities from persons who pose a terrorist threat, the
Department has made some modifications to the personnel surety
performance standard in the regulation. The Department will consider
appropriate open source background checks as an acceptable response to
the background check performance standard. Specifically, the Department
will consider as appropriate a background check process that verifies
and validates identity; includes a
[[Page 17709]]
criminal history check of publicly or commercially available databases;
verifies and validates legal authorization to work through the I-9
process; and includes measures designed to identify people with
terrorist ties. This last standard can be achieved by checking against
the consolidated Terrorist Screening Database (TSDB). The Department
modified the performance standard at 6 CFR Sec. 27.230(a)(12) to
reflect these changes.
Fourth, while much of the background check process can be
accomplished by commercial methods, the check of the Terrorist
Screening Database is an inherently governmental function that
necessarily includes a check of classified databases that are not
commercially available. The Department will augment the background
check in the SSP with a TSDB check. The Department has determined a
TSDB check is necessary for the purpose of protecting critical assets
and restricted areas of high risk chemical facilities from persons who
pose a terrorist threat.
DHS will designate a secure portal or other method for the
submission of application data for each employee or contractor for whom
a TSDB check is required in the SSP. The Application data will be the
name, date of birth, address, and citizenship, and if applicable, the
passport number, DHS redress number,\1\ and information concerning
whether the person has a DHS credential or has previously applied for a
DHS credential.
---------------------------------------------------------------------------
\1\ A DHS redress number is issued by DHS to an individual who
has successfully completed a redress inquiry, in which the inquiry
resolved a previous false-positive match to a watch list record.
Redress inquiries can be submitted directly to DHS as part of the
DHS Traveler Redress Inquiry Program (DHS-TRIP).
---------------------------------------------------------------------------
To minimize redundant background checks of workers, DHS agrees that
a person who has successfully undergone a security threat assessment
conducted by DHS and is in possession of a valid DHS credential such as
a TWIC, HME, NEXUS, or FAST, will not need to undergo additional
vetting by DHS. Even so, the facility shall submit the name and
credential information for these persons along with the application
data for other employees. Facilities shall not allow unescorted access
to a critical asset or restricted area to a person in possession of a
DHS credential unless information on that person has been submitted as
discussed above.
DHS will screen each applicant and determine whether the applicant
poses a security threat. Where appropriate, DHS will notify the
facility and applicant via U.S. mail, with information concerning the
nature of the finding and how the applicant may contest the finding.
Applicants will have the opportunity to seek an adjudication proceeding
and appeal under Subpart C.
F. Inspections and Audits
Numerous comments addressed the proposed provisions for auditing
and inspecting chemical facilities to determine compliance and allowing
certified third-party auditors to supplement DHS personnel at lower
tier facilities. While DHS has responded, to the extent that it is
able, to the comments below, DHS also notes that it will issue guidance
that identifies appropriate processes for inspections and provides
specifics about the records that must be made available to DHS upon
request. See Sec. Sec. 27.250(d) and 27.255. That guidance will
provide further detail.
1. Inspections
Comment: Section 27.245(a) in the Advance Notice provided that DHS
may ``enter, inspect, and audit the property, equipment, operations,
and records of covered facilities.'' One commenter asserted that DHS
should inspect and audit using an approved or preliminarily approved
Site Security Plan and not on other criteria outside the scope of the
Site Security Plan. In addition, commenters indicated that DHS need not
inspect equipment and records related to operations outside the
vulnerabilities identified in the facility's Security Vulnerability
Assessment and protected in the Site Security Plan; the commenter
thought that such inspections would go beyond what is required to
ensure that high-risk chemical facilities are secure. In addition, one
commenter requested that DHS revise the scope of inspection to
property, equipment, operation, and records covered in a facility's
Site Security Plan.
Response: During inspections, authorized DHS officials may inspect
equipment, view and/or copy records, and audit records and/or
operations. This section imposes an affirmative obligation on
facilities to cooperate with authorized DHS officials, including
inspectors, and allow inspections and audits. DHS will inspect a
covered facility following DHS's preliminary approval of the facility's
Site Security Plan. DHS may also inspect facilities outside of the Site
Security Plan approval cycle if there are exigent circumstances or
special security concerns. During the course of inspections, an
inspector may ask a facility to demonstrate the effectiveness of a
given security measure found in the facility's Site Security Plan. This
will help the inspector to determine whether the facility has
adequately implemented the risk-based performance standards in its Site
Security Plan. With respect to requests for records, the Department
expects that facilities will produce the records--whether located
onsite at the facility, at corporate headquarters, or in any other
location--that are relevant to the security of the facility. The
Department has added some additional language in the rule about the
production of records. See Sec. 27.250(d)(4).
With respect to scope of inspections, DHS is not narrowing its
scope to cover only those items covered in the facility's Security
Vulnerability Assessment and Site Security Plan; DHS needs the
appropriate discretion to inspect those items and areas that are
related to the security of the facility. However, DHS has no intention
of inspecting areas that are unrelated to security.
Comment: One industry association noted that Sec. 27.245(b)(1) of
the Advance Notice suggested that security measures (which DHS requires
for final approval of the Site Security Plan) should be in place at the
time that DHS inspects a facility. The commenter stated that, if
facilities address vulnerabilities through capital improvements,
facilities are unlikely to have these security measures in place within
the stated time frame. In such cases, the commenter recommended that
DHS use a timeline approach, detailing an implementation schedule of
prioritized security measures, and include that timeline in a
facility's Site Security Plan.
Response: The commenter is correct in noting that DHS expects that
facilities will have met the requirements of Sec. 27.225 (i.e., the
facility will have developed and submitted a Site Security Plan, which
the Department will have preliminarily approved) when the Department
visits the facility for an inspection or audit. See Sec. 27.250(b)(l).
One of the purposes of the inspection is for the Department to
determine whether facilities have adequately implemented their Site
Security Plans.
However, the Department realizes that there may be circumstances
where facilities will have to implement security measures through
capital improvements, and that can take time. Based on the Department's
assessment of risk at a given facility and the realities of getting
security measures into place, the Department will work with facilities
on a case-by-case basis. Where the Department believes that extra time
is warranted, the Department will work with facilities to incorporate
that time into the facility's Site Security
[[Page 17710]]
Plan and into the Department's timeline for inspecting the facility.
Comment: Various commenters requested clarification about the time
and manner provisions found in Sec. 27.245(c) of the Advance Notice.
Several commenters noted that the proposed regulations did not define
the terms ``reasonable times'' or ``reasonable manner'' and asked the
Department to define those terms. In addition, some commenters noted
that the preamble provided a timeframe for inspections (``during
regular business hours of 9 a.m. to 5 p.m.'') but that the Advance
Notice text did not specify that timeframe. Other commenters indicated
that DHS should clearly outline the regularity of audits and
inspections that the Department will require for each tier.
Several other comments discussed the notice provisions in the rule.
The Advance Notice provided that ``DHS will provide covered facility
owners and operators with 24-hour advance notice before inspections,
except where the Under Secretary or Assistant Secretary determines that
an inspection without such notice is warranted by exigent circumstances
and approves such inspection.'' See Sec. 27.250(c). Several industry
associations believe that 24-hour advance notice would not be a
sufficient amount of time for facilities to arrange for the appropriate
personnel to be available for the inspection. Commenters suggested that
DHS provide more notice to facilities; requests ranged from three to
seven days. Other commenters requested that, in addition to notifying
the facility, DHS also provide local emergency responders and local
agencies tasked with regulating hazardous materials facilities with a
24-hour advance notice as a courtesy.
Others commented on the concept of unannounced inspections. A
member of Congress objected to the restrictions on unannounced
inspections, asserting that the provision was a near-preclusion of
random audits, because approval by senior officials (i.e., the Under
Secretary for Preparedness or Assistant Secretary for Infrastructure
Protection) would make unannounced audits exceedingly rare. Moreover,
focusing such unannounced audits exclusively on facilities (or
geographic regions) where agency officials determine that ``exigent
circumstances preclude notice'' presupposes that the agency is already
in a position to know where exigent circumstances exist. As a result it
would be far harder for the Department to determine actual rates of
compliance with regulatory requirements. An industry commenter would
support unannounced inspections for facilities that had significant
deficiencies in the prior inspection or that have had an unusual number
of breaches.
Response: DHS has retained the language that it used in the Advance
Notice. Authorized DHS officials will conduct audits and inspections
during reasonable times and in a reasonable manner. The nature of any
given inspection will depend on the specific circumstances surrounding
a particular facility's operations at a given point in time and will be
considered in conjunction with available threat information.
Commenters asked for clarification on the times that DHS plans to
conduct inspections. While DHS expects that it will conduct many of its
inspections during the regular business hours of 9 a.m. to 5 p.m., DHS
will not limit its inspections to regular business hours only. DHS must
have the flexibility to respond to information, operations, and
circumstances whenever they exist or develop, and so DHS may have to
conduct inspections in the evening, at night, or during weekends.
Security concerns are different at different times of the day and on
different days of the week, and so DHS must be able to assess the
different security measures that facilities put into place, pursuant to
their Site Security Plans.
DHS has maintained the Advance Notice provision that gives
facilities 24-hour advance notice before an inspection. In some
circumstances, DHS may provide facilities with additional time. As a
general matter, DHS believes that 24 hours is an appropriate and
reasonable notice period, striking a balance between providing the
Department with flexibility to determine compliance with this
regulation and providing regulated entities with sufficient notice to
prepare for an inspection. Some commenters suggested that DHS also
provide advance notice about inspections to local emergency responders
and local agencies. While DHS may choose to notify local emergency
responders or other agencies on a case-by-case basis, DHS does not
believe it is necessary to include a mandatory requirement in the rule.
Many commenters expressed concern that DHS is not able to conduct
unannounced inspections. These concerns are unfounded: DHS will be able
to conduct unannounced inspections when it complies with internal
policy. While DHS has a general requirement for advance notice, DHS
recognizes that there may be circumstances where advance notice is not
possible.
To accommodate those circumstances, DHS has identified two
exceptions. See Sec. 27.250(c). DHS had identified one exception in
the Advance Notice: If the Under Secretary determines that an
inspection without notice is warranted by exigent circumstances, the
Under Secretary or Assistant Secretary may approve such an inspection.
The exigent circumstances may include threat information warranting
immediate action. DHS adds a second exception in this interim final
rule: If any delay in conducting an inspection might be seriously
detrimental to security, and the Director of the Chemical Security
Division, Office of Infrastructure Protection determines that an
inspection without notice is warranted, the Field Operations supervisor
may permit an inspector to conduct such inspection. This additional
exception addresses the concerns of commenters who claimed the
exception in the Advance Notice was too restrictive.
Comment: Some commenters noted that facilities may choose to
validate any government-issued credential for the purpose of inspectors
gaining entry onto a chemical facility. One commenter requested that,
as part of the guidance, DHS include information on the security
measures that will allow a facility to determine that the DHS officials
or third party auditors are legitimate.
Response: DHS will handle this issue like other Federal agencies
handle their respective inspectors and auditors. Individuals performing
these inspections will carry Federal government credentials identifying
themselves as having official authority to inspect. In addition, any
chemical facility wishing to authenticate the identity of an individual
purporting to represent DHS may contact the appropriate DHS Chemical
Security Division official within the Office of Infrastructure
Protection at DHS headquarters. In addition, the Department has
provided some additional regulation text on the issue of inspector
credentials. See Sec. 27.250(d)(1).
Comment: Several commenters addressed the issue of training for
inspectors. One commenter stated that it is DHS's role to ensure that
inspectors and auditors are qualified in both physical security and
chemical processes. Others noted that, if inspectors and auditors do
not have a background in chemical manufacturing, then DHS must
adequately train inspectors. Furthermore, that commenter encouraged DHS
to utilize a cross functional team consisting of individuals with
chemical process knowledge and physical security
[[Page 17711]]
background and include a local area first responder on each inspection
team for each facility. The commenter noted that many facilities
maintain a close relationship with local emergency responders. One
commenter indicated that DHS inspectors should expect that chemical
facilities may require them to complete a safety overview before being
granted access to a facility; this is regardless of the training that
DHS provides to its inspectors.
Response: DHS will use properly trained personnel to conduct
inspections. During inspections, DHS intends to use teams consisting of
Federal inspectors, many with backgrounds in law enforcement and
physical security, and experts in chemical manufacturing. DHS will put
inspectors through a rigorous training program, incorporating both
classroom training and on-site visits, so that inspectors are informed
on all aspects related to this regulatory program as well as on safety
issues. These individuals will receive training on specific safety
procedures, including OSHA's Hazardous Waste Operations and Emergency
Response Standard (HAZWOPER), that they should use while visiting
chemical facilities. If chemical facilities request that inspectors
receive facility-specific safety briefings or training, the Department
will work with facilities to accommodate those concerns, provided that
the additional safety training is reasonable given the nature of the
expected inspection.
2. Third-Party Auditors and Inspectors
Comment: Numerous chemical companies, industry associations, and
State and local agencies requested clarification on the roles and
responsibilities of third-party auditors. Several commenters pointed
out that there is currently a lack of standards for third-party
auditors, and some commenters noted that if DHS does not provide
specific criteria for compliance, such audits will be very subjective.
Several commenters asserted that there is a need for DHS to develop
standards and requirements for third-party auditors, including
requirements for certification, qualifications, independence,
objectivity, training and re-training, confidentiality, ethical
obligations, conflicts of interests, discipline procedures, and
liability insurance.
Several commenters discussed the third-party auditor certification
or approval process in detail. One commenter pointed out that DHS would
have to develop either a professional registration or licensing for
third-party auditors in order to establish a minimum level of
competency for third-party auditors. Other commenters stated that
training should include, among other things, information on physical
security, chemical processes, and safety operations. One commenter
recommended Sandia National Laboratory's Risk Assessment Methodology
for Chemical Facilities (RAM-CF) training as an excellent review in all
aspects of chemical facility operation and security. One pointed out
that there is currently no certification for control system cyber
security auditors. Another commenter added that any DHS third-party
inspectors should have a strong background and experience with the
agricultural retail/distribution segment of the chemical industry. The
commenter encouraged DHS to work with industry associations and
industry experts on establishing the proper criteria to select
certified third-party auditors that will be used to inspect
agricultural retail or distribution facilities determined to be covered
by these regulations.
One commenter was concerned that DHS had not effectively addressed
auditor independence and objectivity in the Advance Notice. To remedy
this concern, the commenter suggested that DHS define third-party
auditor and address auditor concepts such as due diligence, due
professional care, auditor certification, auditor training, auditor
indemnification, conformity assessment, audit/inspection methodology,
etc.
Other commenters raised questions about third-party auditors and
information protection. One commenter stated that all third-party
auditors must be held to the same requirements and standards as applied
to DHS officers and employees regarding the protection of confidential
information; this includes information protected by law, such as PCII,
Sensitive Security Information (SSI), or other applicable requirements.
DHS should develop requirements and procedures, including the use of
non-disclosure agreements, to prohibit disclosure or use of
confidential information developed or obtained during the auditing
process. One association, whose member companies already use third
party audits, wanted confirmation that the use of third-party auditors
would be in compliance with the CVI framework.
Three State agency commenters urged the Department to clarify that
the third-party auditor provision includes qualified state and local
assets to conduct audit inspections and assist with Security
Vulnerability Assessments and Site Security Plans. One commenter would
limit third-party auditors to appropriate state and local government
officials with familiarity of the chemical process safety and security
systems currently in place at the chemical facility in question to
ensure the credibility and effectiveness of the inspection and auditing
program. Some other commenters suggested that State and local entities
could be a resource base for audits and site visits, including those of
higher tier facilities.
Commenters asked several other specific questions about DHS's use
of third-party auditors. A chemical company requested clarification on
how DHS could delegate its authorities to third-parties. Another
commenter wanted the ability to seek legal remedies against third-party
auditors. Other commenters raised the question of who would pay for
third-party auditors, suggesting that DHS should.
Some commenters argued for the use of third-party audits at any
chemical facility regardless of its tier ranking. One commenter noted
that the eventual requirements for certification should be stringent,
creating confidence that the auditor will be just as capable as DHS
inspectors of auditing or inspecting a high-risk facility. The
commenter suggested that, as a result, a certified third-party auditor
should also be allowed to conduct inspections at ``high'' or ``higher''
risk facilities. Other commenters noted that allowing third-party
auditors to perform work at any chemical facility, regardless of its
tier, will increase the ability of DHS to rapidly and effectively
review security plans at chemical facilities by making sure sufficient
numbers of inspectors are available at any given time.
Other commenters opposed DHS's use of third-party auditors
altogether. A chemical industry commenter opposed DHS's use of
consultants, contractors, or vendors to perform audits and inspections
of facilities based on concerns about confidentiality and conflicts of
interest. The commenter asserted that DHS-trained personnel are best
suited to understand the complexities of security in affected
facilities and to understand the importance of sensitive business
information provided to DHS. Consequently, the commenter urged DHS not
to initiate the proposed program without the appropriate level of
staff, training, and resources necessary to implement enforcement. One
commenter preferred that DHS officials, not officials from other
government agencies or non-governmental organizations, conduct third-
party inspections or audits to assess compliance; the commenter
asserted that consistency of audits can
[[Page 17712]]
only be maintained if one agency, using the same inspection and/or
audit procedures, performs the work. Several other commenters disagreed
with the concept of third-party auditors unless they were under
contract to DHS and met DHS hiring standards and training
certifications. They felt that if such an activity is important, then
DHS should carry out the activity itself.
Response: The Department recognizes that there are many important
and complex issues surrounding the use of third-party auditors. Those
issues include questions about whether it is appropriate for DHS to use
third-party auditors and if so, for which tiers of facilities; what the
standards and requirements would be for those third-party auditors; and
who would pay for third-party auditors. DHS continues to take these
issues under advisement. DHS intends to issue a future rulemaking
providing the details about its plans to use third-party auditors. In
developing its proposed rule, DHS will consider these comments about
third-party auditors. Until that time, DHS will use its own inspectors
for conducting inspections and audits.
G. Recordkeeping
Comment: One commenter suggested that the recordkeeping and
reporting requirements be strengthened for process malfunctions or any
attempted terrorist attack; the need for emergency response, safe shut
down, evacuation and decontamination procedures in case of an attack or
malfunction be defined; and effective training requirements for workers
in covered facilities be required.
Response: Recordkeeping requirements under this new authority focus
on security and will capture many of the issues identified by the
commenter. Recordkeeping requirements regarding incidents under process
safety, including shut down/start up, are outside of the scope of this
regulation.
Comment: One commenter asked for guidance regarding what would
constitute a reportable ``security incident'' or ``suspicious
incident.'' The commenter noted that DOT has provided helpful guidance
for reporting and recordkeeping under HM-232.
Response: The Department will provide facility owners with guidance
on these and other terms used in the recordkeeping section.
Comment: Another commenter suggested that Sec. 27.250(a)(4)
include a reference to NFPA 731, Standard for the Installation of
Electronic Premises Security Systems (2006 edition), Chapter 9, Testing
and Inspections. The commenter supported the recommendation by pointing
out that all NFPA codes and standards are developed through the
voluntary consensus process and are accredited by the American National
Standards Institute (ANSI); that Congress, in several cases has
mandated the adoption of NFPA codes and standards and that Public Law
104-113, as described in OMB Circular A119, mandated that voluntary
consensus codes and standards be used when they are applicable and to
ensure that chemical facility safety be the primary concern.
Response: Voluntary consensus approaches to chemical facility
security will be addressed in guidance. However, the Department cannot
mandate specific security measures under this authority.
Comment: One chemical association found the requirements for
recordkeeping to be excessive. Concerning training, the commenter
stated that the location of the session and the name and qualifications
of the trainer were not important, and the requirement for attendees'
signatures would cause headaches if attendees leave without signing.
Also, many of these requirements seem to prevent the use of web-based
training. With respect to the drill and exercise provision, the
commenter believed that a comprehensive list of participants is more
challenging than it might appear, since drills and exercises frequently
involve persons in multiple locations. Finally, recording the name and
qualifications of every maintenance technician is overly burdensome and
extremely difficult to document. According to the commenter, this
proposed requirement would lead to inadvertent non-compliance due to
its inherent complexity. The commenter urged that the recordkeeping
requirements, at most, track the MTSA requirements (33 CFR Sec.
105.225), which are less detailed and only require records to be
maintained for two years.
Response: Memorializing minimal information about training, drills,
exercise, and maintenance is important for a facility to assist in the
analysis and review of its security efforts, and DHS does not agree
that these requirements are overly burdensome or excessive given the
potential risks in this sector. The recordkeeping requirements address
specific issues that arise in chemical facilities, and a three year
period is consistent with the anticipated audit and review cycle under
this rule.
Comment: An industry association argued that, in light of existing
DOT requirements, no additional training and recordkeeping requirements
are needed for battery transportation. Further, any training and
recordkeeping requirements that are made applicable to drivers hauling
covered chemicals should be the responsibility of the transportation
firms, not the facilities they service.
Response: There are no specific requirements for recordkeeping of
transportation activities in this rule.
H. Orders
Comment: Various commenters mentioned the remedies in proposed
Sec. Sec. 27.300, 27.305, 27.310, and 27.315. An industry group
indicated that the rule should provide adequate protection for
recipients of penalty and cessation orders, including the opportunity
for an adjudicatory hearing before a neutral hearing officer. The
commenter suggested that the rule make clear that the burden of proof
lies with DHS, not the facility; that facilities may be represented by
counsel; that the facility is entitled to present evidence on its
behalf; that there be an orderly process for the hearing officer to
make a decision on the basis of the record presented, including a
record of decision and for intra-agency appeal of the hearing officer's
decision before it becomes final. Finally, a trade association pointed
out a typographical error in proposed Sec. Sec. 27.305(b) and
27.310(a).
Response: The Department has substantially revised the regulatory
text in Subpart C, which includes Orders, adjudications, and appeals.
The Department directs commenters to the revised regulatory text in
Subpart C, as well as summary of those changes in Sec. II(B) Rule
Provisions. In sum, the Department has included adjudicatory procedures
for a proceeding before a neutral hearing officer whereby facilities
and others may be represented by counsel and may present evidence. The
procedures provide that the burden of proof rests with the Assistant
Secretary and that a record will be compiled for an appeal within DHS.
Comment: Several others provided input on cessation orders. A local
government agency indicated that an Order to Cease Operations likely
would be litigated immediately after issuance, and questioned how non-
compliance during the lengthy litigation period would be remedied.
Another commenter recommended that DHS add a provision stating that it
would not enforce an order to cease operations within 30 days of a
final action, which would allow the facility time to seek judicial
review. An industry commenter stated that DHS's professional assessment
that a chemical facility was in total violation of the security
requirements should result in
[[Page 17713]]
an initial audit of what is required at that particular site to be in
compliance. If, after a reasonable time, the facility does not come
into compliance, then DHS should consider temporary closure until
compliance is attained. An association expressed concern that DHS
should consider whether a facility's products are critical to the
economy, chemical industry, or national security before imposing fines
or issuing a notice to cease operations.
Response: As noted above, the Department has substantially revised
the regulatory text in Subpart C, which includes the provisions on
Orders, adjudications, and appeals. Consistent with the statement in
the Advance Notice, the Department realizes that an Order to Cease
Operations would likely be litigated immediately after issuance. See 71
FR 78276, 78287.
I. Adjudications and Appeals
Comment: While commenters generally supported the processes
proposed for objections and appeals, some thought that DHS should
strengthen and expand the objections and appeals provisions. Several
commenters suggested that DHS include additional provisions to the
objections and appeals sections. One commenter recommended that DHS
revise the rule to include a full description of the administrative
review process, including the procedures to which all parties and the
adjudicating official must adhere. Another commenter recommended that
the Under Secretary and the Deputy Secretary have the authority to
delegate their responsibilities as adjudicating officials.
One commenter stated that the burden of proof should lie with DHS,
not the order recipient, that recipients may be represented by counsel,
that the recipient is entitled to present evidence on its behalf, that
there be an orderly process for the hearing officer to make a decision
on the basis of the record presented, including a record of decision,
and for intra-agency appeal of the hearing officer's decision before it
becomes final.
Response: DHS has reorganized the adjudications and appeals
procedures, as discussed in the summary of rule provision changes to
Subpart C. See Sec. II(B). Given that the rule already provides
consultation opportunities, coupled with the fact that the Department
has greatly modified its adjudications provisions, the Department
believes it is unnecessary to retain the objections provisions from the
Advance Notice (proposed Sec. Sec. 27.205(c), 27.220(b), and 27.240(c)
and has thus removed them from the interim final rule. Of course,
consultations are still available pursuant to various provisions in the
rule including Sec. 27.120(b).
In addition, DHS now expressly spells out new procedures for
adjudications and appeals. In particular, DHS has added adjudicatory
procedures for a proceeding before a neutral hearing officer whereby
facilities and others may be represented by counsel and may present
evidence. The procedures provide that the burden of proof rests with
the Assistant Secretary and that a record will be compiled for an
appeal within DHS. The Secretary is expressly authorized to appoint
individuals to serve as a neutral hearing officer. The Secretary and
others retain their existing authority to delegate duties and
responsibilities.
Comment: Another commenter suggested that DHS revise the rule to
provide some guidance and limitation on the number of requests that a
facility will be permitted to make for additional information and on
the maximum extent to which DHS will toll timeframes. One commenter
noted that although there is authority for the Assistant Secretary to
ask the facility for more information, there is no mechanism for the
facility to seek further explanation that is needed for purposes of
arguing its objection.
Response: The revisions of the procedures substantially address
these comments. The adjudications provisions empower a hearing officer
to make decisions on the information to be accepted into each hearing
record.
Comment: Another commenter stated that, under the Advance Notice, a
facility had the option of using the appeal procedure (instead of the
objection procedure) for challenging the disapproval of its SSP. The
Advance Notice stated that orders are stayed until the administrative
appeal is completed, but the Advance Notice did not provide
specifically for the disapproval of a SSP to be stayed pending the
administrative appeal. The commenter suggested that DHS should make
such a stay explicit.
Another commenter argued that, because timelines are short,
facilities will be forced to complete the SVA and SSP regardless of the
outcome of the appeal, thus rendering the appeals process moot. If a
facility objects to a determination, whether it is opposing either the
overall assessment of ``high risk'' or the specific tier assignment,
one commenter recommended that DHS should issue a decision on objection
before the facility is required to implement any additional measures--
including both the SVA and SSP.
Response: The addition of the factual adjudication procedure, with
provisions on the effectiveness of administrative actions during
adjudications and appeals, substantially address these comments. The
adjudications and appeals sections provide that, absent exigent
circumstances, Orders are stayed pending the completion of proceedings.
Comment: Another commenter indicated that Sec. Sec. 27.205(c)(1),
27.220(b)(1), and 27.240(c)(1) (of the Advance Notice) cite ``within 20
calendar days'' as the deadline for filing objections regarding the
high risk determination, risk-based tiering, and disapproval of site
security plans. In contrast, Sec. Sec. 27.215(c), 27.305(d), and
27.320(b)-(d) (of the Advance Notice) cite ``within 30 calendar days''
for certain deadlines regarding notification, appeals, and payments of
civil penalties. The commenter believed that having two different
deadlines for various actions under the regulatory program is
burdensome to both DHS and the regulated facilities, and requested that
all ``within 20 calendar days'' be amended to ``within 30 calendar
days'' to provide more consistency within the Department's regulatory
program. Another commenter urged that an appeal must be filed within 30
calendar days of when the order is issued should be changed to within
30 calendar days of when the order is served. See Sec. 27.320(b) of
the Advance Notice.
Response: The Department's revisions to the adjudications and
appeals provisions substantially address these comments. The rule
continues to permit consultations but does not set hard and fast time
periods for such consultations. See, e.g., Sec. 27.120(b), Sec.
27.240(b), and Sec. 27.245(b). With respect to the time periods for
adjudications and appeals, the revised procedures provide that
adjudications and appeals must be commenced with stated time periods
after ``notification.'' See, e.g., Sec. 27.310(b)(2) or Sec.
27.345(b)(2).
Comment: One commenter recommended that the regulations provide
specifically that DHS would make available to the public non-
confidential summaries of determinations on appeals. The commenter also
recommended that the regulations contain specific statements that
objections and appeals may be submitted as CVI.
Response: The adjudication and appeal sections contemplate that the
hearing officer or appeal officer will make the necessary decisions
concerning the handling of CVI. There is nothing in the procedure to
prevent a facility or other person from relying on CVI.
[[Page 17714]]
J. Information Protection: Chemical-terrorism Vulnerability
Information (CVI)
The Advance Notice identified a category of Chemical-terrorism
Vulnerability Information (CVI) and set forth rules governing the
maintenance, safeguarding, and disclosure of information and records
that constitute CVI.
1. General
Comment: Several commenters maintained that the proposed rule
undermined enforcement, accountability, and the credibility of the
program through excessive secrecy. One of these commenters thought that
the proposed regulations pose a threat to existing right-to-know laws,
while another stated that people might be well aware of security gaps
and vulnerabilities at specific facilities, and yet would have no
official channel to communicate concerns to DHS.
Response: As Congress recognized in section 550(c), protecting CVI
from public disclosure is crucial to DHS's ability to ensure that
chemical facilities are as secure as possible against a terrorist
attack. CVI information may reveal, among other things, current
vulnerabilities or other details of a chemical facility's security
capabilities that could be exploited by terrorists. In addition,
limited and controlled public disclosure of CVI is essential to
fostering the necessary relationship and information flow between the
government and private sector. Indeed, because the chemical security
regime relies to an extent in the first instance on the veracity and
completeness of the information provided by chemical facilities, it is
of the utmost importance that those facilities are comfortable that
such information--which may include proprietary information--will not
be unduly exposed to public view.
In crafting the Advance Notice, DHS attempted to balance these
concerns with the desire to enhance information sharing, as
appropriate. We believe that the rule adequately does this by ensuring
that any entities or individuals with a ``need to know,'' including
appropriate State and local officials, will have access to the
necessary CVI, while, at the same time, and consistent with
congressional intent, protecting CVI from public disclosure that would
undermine the government's ability to ensure the security of chemical
facilities.
To the extent that this approach conflicts with existing state
``right to know'' or ``sunshine'' laws, we believe that such laws are
preempted by this IFR. At this time, we do not intend to displace or
otherwise affect any provisions of Federal statutes, including the
Emergency Planning and Community Right to Know Act, 42 U.S.C. 11001 et
seq., or section 112(r) and 114 of the Clean Air Act of 1990, as
amended, 42 U.S.C. 7412(r), 7414, sections 308 and 402 of the Clean
Water Act, 33 U.S.C. 1318, 1342, and section 104(e)(7) of the
Comprehensive Environmental Response, Compensation, and Liability Act,
42 U.S.C. 9604.
We also believe that any potential gaps in a facility's security
will be addressed through the government's close involvement with
chemical facilities as a result of this rule.
2. Disclosure of CVI
Comment: While some of the commenters found the provisions to be
inadequately protective of chemical industry information, others found
the disclosure rules to be too restrictive. A few commenters urged the
Department to include language requiring notifications to facilities in
cases of CVI disclosure to unauthorized parties. The commenters noted
that a facility has a need to know if sensitive information pertaining
to its site has been or might have been disclosed. A commenter,
concerned over how the CVI rules may affect third-party audits of
security measures and documents that may be submitted to the Department
as Alternative Security Plans, requested an interpretation of DHS's
approach. Taking the point further, another commenter did not believe
it was in a company's best interest to provide copies of CVI to outside
parties, as currently allowed under the proposed rule. The commenter
would prefer the proposed rule be amended to require CVI be made
readily available to authorized Department representatives only when
they conduct on-site visits. One commenter encouraged the Department to
adopt non-disclosure protections for verbally transmitted or obtained
CVI. The commenter noted that information sharing among a covered
facility and authorized individuals may require verbal communication as
much as it will require written communication. To further protect
against disclosure, some commenters believed that proposed Sec.
27.400(j) should be enhanced so that it has a meaningful deterrent
effect and establishes consequences that reflect the seriousness of the
violation. The commenter suggested that the Department adopt
administrative penalties similar to those outlined by 6 CFR 29.9(d).
In addition, some commenters requested provisions to protect
whistleblowers by stating that no criminal charges be associated with
disclosing information marked as CVI in manner complying with
whistleblower protections.
Response: Under Sec. 27.400(c)(3) of the Advance Notice, ``any
person who * * * receives or gains access to what they know or should
reasonably know constitutes CVI'' is a ``covered person'' and therefore
has a duty to protect that CVI in the manner provided in Sec.
27.400(d). This includes the duty to promptly inform the Assistant
Secretary ``when a covered person becomes aware that CVI has been
released to persons without a need to know * * *.'' See Sec.
27.400(d)(7). We expect that in the event DHS is so notified, it will
notify the affected chemical facility.
To the extent DHS determines that it is appropriate to use third-
party auditors in the future for certain chemical facilities, the
auditors will have a ``need to know'' under Sec. 27.400(e)(1)(i) as
persons who ``require[ ] access to specific CVI to carry out chemical
security activities * * * directed by the Department.'' Moreover, under
Sec. 27.400(e)(3), DHS retains the discretion to require that any
individuals with a need to know, including third-party auditors,
complete appropriate background checks before obtaining access to CVI.
We believe that these safeguards are sufficient to ensure that CVI is
adequately protected from improper disclosure, even if it may be
handled by third-party auditors.
Section 27.400(b) of the Advance Notice, which defines CVI,
currently is ambiguous as to whether it includes information conveyed
verbally as well as in written form. DHS believes that concerns over
public disclosure of CVI are the same regardless of the manner in which
the information is conveyed. Accordingly, we have amended this section
to read as follows: ``In accordance with section 550(c) of the
Department of Homeland Security Appropriations Act of 2007, the
following information, whether transmitted verbally, electronically, or
in written form, shall constitute CVI.''
We believe that Sec. 27.400(j) gives the Department broad latitude
to craft a civil remedy sufficient to deter the unauthorized disclosure
of CVI. The IFR does not provide for any criminal penalties for
disclosure of CVI.
3. Scope of CVI
Comment: A number of commenters expressed concern regarding the
scope of CVI. The commenters wanted the interim final rule to declare
that
[[Page 17715]]
information developed under other requirements of law or regulation
cannot be designated as CVI under this program. Similarly, a commenter
suggested that DHS narrow the scope of CVI by removing from the rule
Sec. 27.400(b)(9), which defines CVI to include ``[a]ny other
information that the Secretary, in his discretion, determines warrants
the protections set forth in this part.''
Response: As outlined in the Advance Notice, the Department intends
CVI to include only that information developed and/or submitted
pursuant to Section 550(c). Accordingly, any information resulting from
other statutory regimes is not considered CVI. The Department believes,
however, that the Secretary must retain the discretion provided in
Sec. 27.400(b)(9). As the Department and private sector gain more
experience with the chemical security regime set forth herein, the
Department may determine that other types of information, not covered
in the current definition of CVI, require similar protection. Section
27.400(b)(9) is also necessary to cover any unique or novel information
that the Department may deem, on a case-by-case basis, requires
protection from public disclosure.
4. Relation of CVI to Other Categories of Protected Information and
FOIA
Comment: Some commenters were confused by the different categories
of protected information. One commenter stated that the proposed
regulations are not sufficiently clear on the relationship of CVI to
SSI and other relevant methods of information protection. The commenter
indicated that the interim final rule should clarify how these
information protection regimes will relate to each other. A few
commenters believed that the creation of the new CVI category of
information protection is redundant and unnecessary given that current
protections, such as SSI, are adequate options for the Department to
implement the statutory restrictions. One commenter noted that the
``Safeguards'' classification for the Nuclear Sector seems to parallel
the proposed ``CVI'' classification for the Chemical Sector. The
commenter questioned whether the Department is considering inventing
new security classifications for each of the 15 Critical Infrastructure
Protection Sectors. The commenter would prefer that the Department
develop a new Category of Information Classification for all 17 sectors
for security-specific or security-related information that are, at a
minimum, the same as those for the current ``Safeguards''
classification program.
Two commenters recommended that the interim final rule clarify that
CVI protections would be in addition to any other applicable bases for
nondisclosure of information under the Freedom of Information Act
(FOIA), such as the Trade Secrets Act and its protections are for
confidential business information. Another commenter noted the
provision gives the Department discretion to refuse release of part of
a record under FOIA that contains no CVI, when another part of the same
document contains CVI. The commenter suggests that this proposal is at
odds with longstanding FOIA mandates and practice. Furthermore, the
commenter noted that, if a portion of a requested record contains no
CVI and is reasonably segregable from other parts of the record that
do, there is no authority or justification for withholding that CVI-
free portion unless some other FOIA exemption or exclusion applies.
Response: It is the Department's view that the language of Section
550(c) calls for a unique information protection regime. As stated in
the preamble of the Advance Notice, in creating CVI, the Department
looked to and drew on various aspects of those information protection
regimes currently in existence, including, SSI, PCII and SGI. Moreover,
as the Advance notice makes clear, the Department intended CVI to track
the existing SSI regime in certain respects and indeed, borrowed
somewhat from that regime's structure and provisions (e.g., requiring a
``need to know,'' storage in a secure container, etc.) None of these
regimes, however, is sufficient to accommodate the protections Congress
called for in Section 550(c), most notably, that any information
developed pursuant to Section 550(c) be treated as classified
information in the course of enforcement proceedings. For this and
other reasons, the Department developed CVI, which is separate and
distinct from SSI, PCII, SGI or any other pre-existing information
protection regime.
Section 550(c) pertains only to chemical facilities and thus this
rule does not speak to the handling of other critical infrastructure
sectors. That said, the Department does not take the creation of a new
information protection regime lightly, especially in light of the
President's Memorandum for Heads of Executive Departments and Agencies
of December 16, 2005, entitled ``Guidelines and Requirements in Support
of the Information Sharing Environment.'' Absent express direction from
Congress, as in Section 550(c), the Department is reluctant to create
additional regimes.
In drafting the rule, the Department did not intend for its
restrictions on public disclosure to displace separate and additional
statutory restrictions on the public disclosure of confidential
business information.
The terms and structure of Section 550 clearly preclude public
disclosure of CVI. For this reason, it is the Department's view that
CVI, like SSI and PCII, is exempt from FOIA disclosure under Exemption
3 of FOIA. See 5 U.S.C. 552(b)(3). Exemption 3 provides, in part, that
information is exempt from disclosure by operation of another statute,
provided that such statute either: ``(A) requires that the matters be
withheld from the public in such a manner as to leave no discretion on
the issue; or (B) * * * provided that such statute refers to particular
types of matters to be withheld.'' Id. Section 550(c) provides in
relevant part that ``information developed under this section,
including vulnerability assessments, site security plans, and other
security related information, records, and documents, shall be given
protections from public disclosure consistent with similar information
developed by chemical facilities subject to regulation under section
70103 of title 46 [the Maritime Transportation Security Act (MTSA)] * *
*.'' MTSA states that ``information developed under this chapter is not
required to be disclosed to the public.'' 46 U.S.C. 70103. Under this
language, it is conceivable that the government has discretion to
release information to the public. See Church of Scientology of Calif.
v. U.S. Postal Serv., 633 F.2d 1327, 1330 (9th Cir. 1980). As stated in
the Advance Notice, however, ``information developed'' under MTSA is
treated as SSI and, unlike MTSA, the statute governing SSI (49 U.S.C.
114(s)) states that the government ``shall prescribe regulations
prohibiting the disclosure of information * * *.'' (Emphasis added.)
This language has been interpreted as constituting the ``absolute''
prohibition required to invoke the exception of Subsection (A). See
Chowdhury v. Northwest Airlines Corp., 226 F.R.D. 608, 611 (N.D. Cal.
2004).
To the extent that there is some ambiguity as to which statute
should govern for purposes of an Exemption 3 analysis, it is our view
that the SSI statute most accurately reflects Congress's intent in
section 550(c) and that, therefore, CVI should be exempt from FOIA
disclosure under subsection (A) of Exemption 3. Nevertheless, we need
not resolve the issue at this time because it is also our view that the
language of section 550(c), which
[[Page 17716]]
provides meaningful limits on the universe of information subject to
withholding, is sufficient to justify withholding CVI from FOIA
disclosure under subsection (B) of Exemption 3. Cf. Fin. Corp. v.
Donovan, 830 F.2d 1132, 1138 (D.C. Cir. 1989) (holding provision of
Trade Secrets Act failed to qualify for subsection (B) exemption
because of ``exceedingly broad,'' ``oceanic,'' and ``encyclopedic''
quality of the Act). The Department believes that it adequately
expresses this conclusion in Sec. 27.400(g)(1), which states that:
``Except as otherwise provided in this section, and notwithstanding the
Freedom of Information Act (5 U.S.C. 552), the Privacy Act (5 U.S.C.
552a), and other laws, records containing CVI are not available for
public inspection or copying, nor does DHS release such records without
a need to know.'' (Emphasis added.) Moreover, even if FOIA did apply to
CVI, we believe that it would be exempt from disclosure, inter alia, as
``homeland security information'' under FOIA Exemption 2. See 5 U.S.C.
552(b)(2).
The commenters' concern that, if a document is portion marked to
signify both CVI and non-CVI, the Department intends to withhold the
entire document under FOIA, is not supported by the Advance Notice.
Section 27.400(g)(2) states to the contrary that: ``If a record is
marked to signify both CVI and information that is not CVI, DHS, on a
proper Freedom of Information Act request, may disclose the record with
the CVI redacted, provided the record is not otherwise exempt under the
Freedom of Information Act or Privacy Act.'' The use of ``may'' in this
context was intended as permissive, assuming such disclosure is
otherwise appropriate.
5. Sharing CVI With State and Local Officials, the Public, and Congress
Comment: Several comments sought greater access to CVI. Commenters
stated that the Department should share CVI with State and local
officials. Others noted that the definitions of ``covered persons'' and
``need-to-know'' were overly narrow and heightened their concern that
the Department would not provide information to State and local
officials. One commenter noted that, to the extent information is
shared directly with State or local officials, DHS should enter into
agreements with them to ensure that CVI is sufficiently protected.
Other commenters agreed that the Department should impose strict
controls for the use of any facility-specific information by States and
local governments. A commenter stated that information that is provided
to California local agencies may be subject to the California Public
Records Act, which if true, means that CVI in California may not be
protected.
A commenter recommended that the Department develop a method to
share certain information with the public, such as whether a facility
is in compliance with the security program, because the people who live
in close proximity to a chemical facility deserve to know. The
commenter recommended the disclosure of the Letters of Approval issued
upon completion of a site inspection and audit. The Letters of Approval
could be stripped of any sensitive information, but still provide some
assurance that facilities are complying with security requirements.
Finally, other commenters stated that the interim final rule should
make clear that DHS is not authorized to withhold information from
either House of Congress, or, to the extent of matter within its
jurisdiction, any committee or subcommittee of Congress.
Response: Congress clearly intended that CVI would be shared with
State and local officials, including law enforcement officials and
first responders, in appropriate cases. Section 550(c) states that
``this subsection does not prohibit the sharing of such information, as
the Secretary deems appropriate, with State and local government
officials possessing the necessary security clearances, including law
enforcement officials and first responders, for the purpose of carrying
out this section, provided that such information may not be disclosed
pursuant to any State or local law.'' And the Department made clear in
the preamble to the Advance Notice that ``[t]he Secretary shall
administer this Section consistent with section 550, including
appropriate sharing with State and local officials, law enforcement
officials, and first responders.'' See 71 FR 78276, 78289. Furthermore,
the importance of sharing CVI with appropriate State and local
officials is reflected in the structure of the rule. For example, it is
expected that chemical facilities will coordinate extensively with
state and local officials--including the sharing of relevant CVI--in
the course of completing the SSPs required under Sec. 27.225. It is
the Department's view, therefore, that the language in the rule is
sufficiently broad to accomplish this task. For example, we believe
that State and local officials, including law enforcement officials and
emergency responders, fall within Sec. 27.400(e)(1)(i)'s definition of
those with a need to know because they will require access to CVI to
``carry out chemical facility security activities approved, accepted,
funded, recommended, or directed by the Department.'' Yet because many
commenters have requested clarification on this point, the Department
amends the Sec. 27.400(e)(1) to read as follows: ``A person, including
a State or local official, has a need to know CVI in each of the
following circumstances. * * * ''
As stated above, to the extent any state law requires the public
disclosure of information that is deemed CVI, it is the Department's
view that such laws are preempted by this rule.
At this time the Department does not intend to provide a means of
notifying the public about local chemical facilities. We will continue
to consider this issue as the program progresses, however, and issue a
subsequent notice if necessary.
This rule does not attempt to displace or create any new law
concerning the Department's ability to withhold information from
Congress.
6. Litigation
Comment: With respect to availability of CVI during litigation,
some commenters supported the preamble statement that, in enforcement
cases, the defendant and its counsel would have access to relevant CVI
to enable them to prepare a full defense. Another commenter supported
the Department's proposal to prohibit the disclosure of CVI in civil
litigation unrelated to Section 550 enforcement. Yet another commenter
stated that, according to the proposed rule, information on routine
chemicals used and produced in processes would be treated as CVI, and
thus disclosed in litigation only in extraordinary circumstances. The
commenter noted that, because personal injury and workers' compensation
claims are the consequences of handling many toxic substances, this
provision would appear to bring these actions to an absolute halt,
since these cases cannot be prosecuted without precise knowledge of the
toxic substances at issue. Finally, a commenter cautioned the
Department to limit those provisions governing disclosure in civil or
criminal litigation to the authority delegated to the Department. The
commenter saw nothing in the statute delegating the authority to issue
binding regulations to govern a judicial proceeding. The commenter did
think it helpful for the Department to publish regulations that express
its own policies and interpretations, thereby affording others guidance
as to what the Department's preferred practices will be when litigation
arises.
Response: As stated above, Section 550(c) requires CVI to be
treated as classified information in the context of
[[Page 17717]]
any enforcement proceedings. This novel mandate reflects the
seriousness with which Congress viewed the protection of CVI from
unnecessary disclosure in administrative or judicial enforcement
proceedings and, by extension, any civil litigation unrelated to
Section 550. The Department approach balances this concern with the
need for individuals to have access to certain CVI, as appropriate, to
defend themselves in enforcement proceedings.
That said, it is not clear that the type of information involved in
a worker's compensation or tort claim would necessarily constitute CVI.
The mere reference to a type of chemical may not readily fit into one
of the categories of information under Sec. Sec. 27.400(b)(1)-(9).
However, even if it did, under Sec. 27.400(i)(6), the Secretary
retains the discretion to release CVI in such proceedings.
As explained in the preamble to the Advance Notice, Section 550(c)
states generally that CVI shall be treated as ``classified material''
in the context of any enforcement proceedings. Congress did not
specify, though, whether the Department should look to the rules
governing classified material in civil litigation or criminal
litigation. The Department chose to mirror in large part the handling
of classified material in civil litigation under 18 U.S.C. 2339B. It
remains the Department's view that this is a reasoned approach to
effectuating Congress's intent.
7. Protection of CVI
Comment: Other comments sought technical changes to make the rule
more secure or user-friendly including: Prohibiting the transmission of
CVI using electronic systems unless DHS is able to provide Military
Grade/Quality Encryption Devices/Systems to the private sector or
provide access to government locations where this equipment is
available for private sector use; extending the safeguards that the CVI
provisions require in proposed Sec. 27.400(d)(1) concerning ``secure
container[s], such as a safe,'' to establishing secure databases;
modifying requirements for marking every page of a CVI document with
the words ``CHEMICAL-TERRORISM VULNERABILITY INFORMATION'' and a
lengthy warning statement; allowing facilities to mark only those pages
of a document containing the CVI and the warning statement only be
provided once per record, with per page reference to it as needed;
indicating DHS's intention to destroy, return, or permit
reclassification of Top-Screen data pursuant to proposed Sec.
27.400(k).
Response: The Department believes that the protective measures
required by Sec. Sec. 27.400(d) and (f) are sufficient to adequately
protect CVI.
K. Preemption
Comment: Section 27.405(a) of the Advance Notice proposed to
preempt State and local laws, rules, and court decisions that conflict
with, hinder, pose an obstacle to, or frustrate the regulation. Several
chemical companies and associations endorsed the proposed preemption of
State and local regulations because they believe that national risk-
based, performance standards could be undercut by specification
standards imposed by the States. These commenters expressed the concern
that companies with multi-state operations could be subject to a
confusing array of State programs. One commenter argued that varying
State regulations also provide varying levels of protection, which the
commenter did not think was Congress's intent. Other commenters noted
that Maritime Transportation Security Act (MTSA), which applies to
facilities located on waterways, including chemical facilities,
contains an express preemption provision.
An equal number of comments from advocacy groups, State agencies,
and Members of Congress opposed the Department's position on
preemption. These commenters cited the lack of express language in
Section 550 and the legislative history to support their position that
Congress did not intend to grant DHS express or implied authority to
preempt State laws and regulations. A few commenters referred to a body
of case law indicating a ``presumption against preemption.'' Other
commenters, including Members of Congress, suggested Congress intended
to resolve the issue of preemption in future chemical facility security
legislation. Commenters also urged DHS to delete Sec. 27.405 and allow
the courts to determine the preemptive effect of the Department's
chemical facility regulations.
A few commenters were concerned that the language in Sec. 27.405
was so broad that it might be construed to preempt State health,
safety, and environmental regulations. Similarly, one State requested
that DHS modify the final provision to avoid any inadvertent preemption
of Federal, State, or local health, safety, and environmental
regulations.
A few comments were directed at the appeals procedures for
preemption decisions. One commenter disagreed with the lack of
benchmarks that DHS would use to determine if preemption was called for
and another added that the interim final rule should specify a
reasonable time period for a decision to be rendered and for the
decision to constitute a final administrative decision so that judicial
relief could be sought. One association stated that the preemption
decision process and appeals procedures did not include State
government, thereby excluding the parties whose laws, rules, and public
interests are most affected. The commenter proposed including a
mandatory consultation process between the State and the facility
before the DHS appeal, a joint hearing opportunity with the facility
and State before DHS, a written decision, and State access to a
judicial appeal for an adverse decision.
Response: Please see the section below entitled ``Executive Order:
13132: Federalism'' for a response to these comments and a discussion
of preemption.
L. Implementation of the Rule
Comment: The preamble stated that DHS is considering a phased
implementation of the program. Several industry commenters and a State
agency supported phased implementation because they agreed that DHS
should take action on the most critical facilities first. One commenter
warned that problems and issues should be addressed prior to
implementation, and another commenter requested that DHS define what
tiers apply to which phases. Two members of Congress asked DHS to
clarify implementation for high-risk facilities beyond Phase I.
Response: The Department will immediately and quickly address the
highest risk facilities. At the same time, the Department will reach
out to a broader class of facilities, (numbering in the many
thousands), to gather information necessary for the Department to make
risk-based tiering decisions.
M. Other Issues
1. Whistleblower Protection
Comment: Many commenters thought that this regulation should
provide ``whistleblower protection.'' They explained that the
regulation should protect employees that provide information on a
facility's security and safety from employer retaliation. Commenters
suggested that workers are on the front lines, and therefore in the
best position to participate in the development of Security
Vulnerability Assessments and Site Security Plans. Commenters suggested
that DHS create a system which would allow
[[Page 17718]]
individuals to report vulnerabilities, shortcomings, and failures
without the fear of retaliation from the company. Commenters requested
that DHS change regulatory text to provide whistleblower protection to
employees, with some suggesting that DHS should include the protections
found in H.R. 5695 and S. 2145.
Response: Section 550 did not give DHS authority to provide
whistleblower protection, and so DHS has not incorporated specific
whistleblower protections into this regulation. The Department does,
however, value frank information concerning security vulnerabilities.
Employees with daily involvement at high-risk facilities can certainly
be a valuable source of information. In the interest of providing some
mechanism for employees to alert the Department about information at
their employer's chemical facility, the Department intends to establish
a telephone line through which individuals can submit security concerns
to the Department. The Department will provide callers with the option
of remaining anonymous.
2. Inherently Safer Technology
Comment: The Department received numerous comments on the issue of
inherently safer technologies (IST) options. Several commenters,
including advocacy groups, unions, academics, State agencies, and other
officials, strongly encouraged DHS to consider safer technologies as
well as physical countermeasures. A few commenters, including members
of Congress, suggested that the Department should address the use of
ISTs, even though Section 550 was silent on the issue. Many of these
commenters urged DHS to include provisions in the rule that would
encourage chemical facilities to consider implementing safer processes
and using safer chemicals as a method to improve site security through
the reduction of risk. They suggested that DHS require chemical
companies to analyze and report on safer technologies in their Site
Security Plans. These commenters asserted that substituting safer
chemicals, processes, practices, or technologies not only contributes
to severity (i.e., can minimize the consequences associated with an
accident at or attack on a chemical facility), but has the potential to
greatly minimize the physical security costs a chemical facility would
otherwise have to assume. Other commenters pointed out that ISTs are
the best tools available to completely mitigate facility
vulnerabilities and safeguard communities.
In contrast, other commenters rejected the use of any IST
requirements. Some argued that inherently safer technologies are an
environmental construct and should not be implicitly or explicitly
required for security. One association expressed concern that
requirements for safer technologies could shift rather than reduce risk
and/or limit the production of certain chemicals. In addition, some
commenters urged DHS to avoid including any ``pseudo-IST mandates'' in
the rule; the commenter thought that DHS had inadvertently done so.
Response: Section 550 prohibits the Department from disapproving a
site security plan ``based on the presence or absence of a particular
security measure,'' including inherently safer technologies. See
Section 550(a). Even so, covered chemical facilities are certainly free
to consider IST options, and their use may reduce risk and regulatory
burdens.
3. Delegation of Responsibility
Comment: Another commenter strongly recommended that DHS consider
delegating oversight responsibility to State governments, along with
appropriate levels of Federal funding to support homeland security
efforts. Interested states could petition DHS, and DHS would grant
delegated authority on a discretionary basis. The commenter suggested
that DHS could retain oversight authority, but would delegate
programmatic responsibility and commit resources to authorized States.
The commenter likened the arrangement to the one that the EPA uses to
handle air and water regulations and the one that the Nuclear
Regulatory Commission runs with its ``Agreement State'' program.
Another State agency commenter noted that California has promulgated a
successful chemical safety program built on partnering State and local
regulatory interests with chemical industry hazard mitigation
activities.
Response: The Department has contemplated the issue of delegating
authority to State governments, and has decided not to do so. If the
Department reconsiders the issue in the future, it will provide notice
of any such decision.
4. Interaction With Other Federal Rules and Programs
Comment: Many commenters pointed out potential overlap between this
rule and other Federal agency rules. As one commenter stated, many
Federal agencies have some involvement in chemical facility security,
including DHS (including the U.S. Coast Guard and TSA), the Federal
Bureau of Investigation (FBI), the Bureau of Alcohol, Tobacco,
Firearms, & Explosives (ATF), the Departments of State, Commerce, and
Transportation (including its modal administrations), EPA, and OSHA.
Other commenters encouraged DHS to build upon the existing EPCRA and
the Risk Management Program (RMP) regulatory programs, because of their
proven records of success and the important health, safety, and
environmental purposes that they serve.
One commenter noted that DOT has security plan requirements in 49
CFR Part 172, Subpart I and that several of the DHS performance
standards overlap with the DOT security plan requirements. One
commenter asserted that the proposal in the Advance Notice attempted to
cover up knowledge of toxic dangers by potentially ``gutting the worker
and public right-to-know provisions'' of existing Federal and State
laws, including the Occupational Safety and Health Act and the
Emergency Planning and Community Right-to-Know Act (EPCRA). In
addition, some of these commenters were concerned that preemption and
CVI classification will restrict information flow and access currently
available through these Federal regulatory programs.
Several commenters expressed concern that, although DHS intends
that this rule not affect other laws regulating manufacture, sale, use,
and disposal of chemicals, it is unclear how the DHS security planning
and enforcement can avoid impacting the environmental, occupational,
trade, and other rules already regulating the same facilities.
Potential conflicts also affect first responders. Since past conflicts
over authority have tended to diminish program effectiveness, the
commenter wonders how such conflicts can be avoided. Solutions offered
by commenters include a more explicit statement on conflict resolution
in the final rules, an inter-agency coordination process to resolve
conflicts, or memoranda of agreement with agencies having concurrent
authority.
Response: The Department is aware that potential overlap exists
between this rule and existing Federal rules and programs. In the
Advance Notice, the Department acknowledged that overlap and included
an extensive discussion of existing and proposed Federal programs that
are related to chemical security. See Sec. I of the Advance Notice,
``Brief History of Federal Pre-Existing Chemical Security Tools and
Programs.''
Section 550 provides that ``[n]othing in this section shall be
construed to
[[Page 17719]]
supersede, amend, alter, or affect any Federal law that regulates the
manufacture, distribution in commerce, use, sale, other treatment, or
disposal of chemical substances or mixtures.'' In the Advance Notice,
after acknowledging that the ATF regulates the purchase, possession,
storage, and transportation of explosives, the Department indicated
that it did not intend for these regulations to interfere with ATF's
current authorities. See 71 FR 78276, 78290. Likewise, the Department
does not intend for these regulations to impede the authorities of
other Federal agencies. With respect to this regulatory program, DHS
will work closely with the Department of Energy, EPA, OSHA, ATF and
other federal agencies. Where there is concurrent jurisdiction, the
Department will work closely with other Federal agencies to ensure that
regulated facilities can comply with applicable regulations while
minimizing any duplication. As the program develops, the Department
will consider the necessity of various formalized arrangements, such as
an inter-agency coordination process, to resolve jurisdictional
questions or conflicts.
5. Third-Party Actions
Comment: Several commenters supported the Advance Notice discussion
of the statutory prohibition against third party actions to enforce any
provision of the chemical security rules. See Sec. 27.410 and Section
550(d). A State commenter wrote that the prohibition might be construed
to prevent State actions against the Department to enforce the
regulations, a position that the commenter believed to be contrary to
congressional intent. The commenter agreed that the statutory language
would bar a State from taking enforcement action against an owner or
operator for violation of these regulations, but it saw no support in
the statute to bar State action against the Department (or other non-
owners or non-operators). According to the commenter, this
interpretation exceeds the scope of Section 550 and is therefore an
unnecessary limitation on private rights of action. Commenters asserted
that a plain reading of Section 550 indicates that Congress limited
judicial review in only two ways: (1) By prohibiting Section 550 from
being asserted as a jurisdictional basis for a cause of action; and (2)
by providing that only the Secretary of Homeland Security has the right
to bring enforcement actions against ``owners and operators.'' The
commenters said they do not believe that Congress intended to prohibit
other statutory causes of actions (such as review pursuant to the
Administrative Procedure Act).
Members of Congress also challenged the broad scope of DHS's
position on third-party suits, because it would block basic challenges
to DHS under the Administrative Procedure Act. The commenters believed
that Sec. 27.410(a) was an unnecessary limitation on private rights of
action. One Member of Congress explained that Congress intended to
limit the provision to citizen suits against chemical facilities for
failure to comply with the Department's chemical security rules.
One commenter strongly supported the Department's discussion of the
prohibition of private rights of action to enforce the provisions of
Section 550. The commenter believed that the availability of
enforcement actions should be limited to avoid unnecessary and
potentially frivolous lawsuits that attempt to enforce chemical
facility security requirements that are outside the reach of the
government's authority. Some commenters supported the DHS provision
because they believed that third party actions should be limited and
that the Department should have the sole discretion of when and how to
enforce these regulations. One commenter stated that neither DHS nor
regulated chemical facilities should be distracted from their purpose
of minimizing the possibility of a catastrophic terrorist incident by
concerns about how their actions implementing Section 550 might be used
in private tort litigation. One industry organization supported Sec.
27.410(b), which allows a chemical facility to petition DHS to provide
``the Department's view in any litigation involving any issues or
matters regarding this Part.'' The commenter noted that DHS is in a
unique position, in light of its Section 550 authorities and expertise,
to provide its views regarding a chemical facility's security efforts.
A labor union expressed concern that Sec. 27.410(a) grants
immunity to chemical facilities from actions by third parties to
enforce any provisions of the rule. The labor union thought that it may
act as an open invitation to chemical facilities to disregard
provisions in the rules or in security plans that are meant to protect
maritime activities from unduly burdensome or improper application of
security procedures. The labor union explained that ``[w]here damages
are incurred by maritime-related businesses or mariners as a result of
improper action of chemical facilities under color of enforcing their
security plans, the injured parties should not be denied the normal
recourse of the U.S. legal system.''
Response: In Sec. 27.410 of the Advance Notice, the Department set
out two principles: (1) the chemical security regulations did not on
their own terms create any additional rights of action for any person
other than the Secretary; and (2) relevant parties may seek a statement
from the Department of its views in any litigation involving the
chemical security regulatory program. The Department has decided to
adopt these provisions as proposed in the Advance Notice.
In the preamble to the Advance Notice, the Department also stated
its view that Section 550(d) prohibits any party other than the
Secretary from enforcing the provisions of Section 550. The Department
also stated its view that Section 550(d) prohibits actions brought to
compel the Department to take a specific action to enforce Section 550.
Although the Department does not find it necessary to codify these
views in the Code of Federal Regulations, they remain the views of the
Department after considering the comments received. In Section 550(d),
Congress provided in clear terms its intent to prevent parties other
than the Secretary from making enforcement decisions under Section 550.
This intent would be thwarted if parties could seek indirectly to have
particular enforcement measures taken by bringing suit against the
Department. Such suits would also pose difficulties involving the
information protections of Section 550 and its implementing
regulations. In short, the terms and structure of Section 550 provide
the Secretary with critical discretion in implementing the chemical
security program. It would be inappropriate to curtail that discretion
through lawsuits. See generally Norton v. Southern Utah Wilderness
Alliance, 542 U.S. 55 (2004).
6. Judicial Review
Comment: Several commenters, including Members of Congress, urged
DHS to incorporate the right to judicial review in the interim final
rule and clarify the judicial remedies available. One commenter
mentioned that the right to judicial review was expressly stated in
prior legislative proposals. Another commenter believed that the
District Courts have jurisdiction to consider whether a facility
presents a ``high level of security risk.'' Other commenters discussed
judicial review in the context of preemption, urging the Department to
provide facilities with the opportunity for judicial review of
Departmental decisions pursuant to Sec. 27.405. Finally, one commenter
[[Page 17720]]
recommended that the rule provide that if the adjudicating official
fails to reach a decision within the timeframes provided by the
proposed rule, then the administrative review process is deemed
completed and all administrative remedies exhausted, so as to afford
the facility the ability to challenge the Department's decision in a
District Court.
Response: The Department does not have authority to create
jurisdiction in the district courts for review of Department decisions.
Jurisdiction is created by provisions of law other than these
regulations. Nor does the Department have authority to create specific
judicial remedies through rulemaking. Decision-making authority with
respect to preemption is discussed below in the portion of this
preamble related to Federalism. As discussed there, courts have the
ability in appropriate contexts to review the Department's opinions as
they relate to preemption. This interim final rule does not augment the
administrative law default principles that govern appropriate action if
the Department does not make decisions in the timeframes specified in
this interim final rule.
7. Guidance and Technical Assistance
Comment: Some industry commenters noted that guidance, information,
and education were essential for the success of the program. A chemical
company commented that facilities should have the opportunity to review
and comment on any guidance provided to them by DHS. Several industry
associations made the same comment and stated the need for guidance to
provide direction and advice but not to become either enforceable or
limiting in the security measures that a facility may employ.
One commenter suggested that there be sufficient time to respond to
the guidance prior to developing a security plan. Commenters suggested
that DHS draft guidance on aspects of the regulation and that such
guidance be as detailed and specific as possible.
One commenter believed that, while agency guidance is procedurally
easier to issue because agencies typically issue it without notice and
comment, due process, or other protections afforded by rulemaking under
the Administrative Procedure Act, this ``pseudo-rulemaking'' can be
referenced in enforcement actions, imposing cost burdens, or creating
other compliance liabilities. Another commenter appreciated the fact
that the guidance would specify the security measures that facilities
could take to meet the proposed standards while not mandating any
particular measures that facilities should use. Commenters recommended
that DHS follow the OMB Bulletin entitled ``Agency Good Guidance
Practices,'' which establishes policies and procedures for the
development, issuance, and use of significant guidance documents by
Executive Branch departments and agencies.
Response: DHS believes that guidance will play an important role in
this regulatory program. The Department's guidance will provide
examples of specific measures that facilities may use to address the
performance standards in the rule. Because this rule is based on
performance standards and not on prescriptive measures, guidance is
particularly important. The guidance will aid in informing the
regulated community of ways to satisfy the performance standards
without imposing additional requirements not found in these
regulations.
The Department will designate the guidance document as CVI. The
guidance document will contain specific anti-terrorism measures
designed to mitigate or prevent terrorist attacks, as well as other
sensitive information. This type of information is not appropriate for
public disclosure under Section 550 and the regulations issued
hereunder.
With respect to comments regarding OMB's Bulletin on Agency Good
Guidance Practices, the Department notes that it will apply the
Bulletin as appropriate.
Comment: The availability of technical assistance to facilities not
placed in the top tier was requested by an industry association.
Response: Technical assistance will be available for all covered
facilities as resources permit. Section 27.120 establishes requirements
for a Coordinating Official who will provide guidance to facilities in
all tiers, as necessary and to the extent that resources permit.
8. Miscellaneous Comments
Comment: One commenter recommended that DHS engage and work with
Congress to enact a more comprehensive and meaningful chemical security
law as soon as possible, and under no circumstances beyond the three
year expiration of interim authority.
Response: The Department has aggressively sought this authority,
and on October 4, 2006, Congress provided that authority. The
Department will continue to work with Congress on chemical security
matters.
Comment: One commenter supported the position that continued
funding of this program would, in effect, reauthorize the program
beyond the three years noted in the statute and that DHS may amend the
interim final rule if necessary. Another commenter did not support this
position and stated that the statute was clear that the regulatory
authority expires after three years. That commenter also urged the
Department to engage in notice and comment rulemaking for any future
modifications to the interim final rule.
Response: The Department will, to the extent required by law,
engage in notice and comment rulemaking in the event that changes are
made to this interim final rule.
Comment: Commenters suggested a process by which facilities can
exit the program if they make sufficient changes to their operations.
In addition, a chemical company and an industry association questioned
how the results from vulnerability assessments could be used to allow a
facility to exit the program.
Response: To address the issue of exiting the program, the
Department added Sec. 27.120(d). It provides that covered facilities
may request a consultation with the Department if their facility,
processes, or types or quantities of chemicals change in such a way
that they believe their obligations under this part may be impacted.
For a discussion of this provision, see Sec. II(B) above.
Comment: Various commenters raised issues related to data security,
specifically in the context of the Department's web-based CSAT
applications. One commenter thought that DHS should be able to provide
Military Grade/Quality Encryption Devices/Systems for the private
sector to use to submit information. Until that time, the commenter
requested that DHS receive information only in paper form or discs
produced on stand-alone computers.
Response: DHS recognizes the data security issues that commenters
have raised. DHS realizes that there is a risk, both on the sending of
information and the receiving of information, when transmitting data
over the Internet. DHS has weighed the risk to the data collection
approach against the risk of collecting the data through paper
submissions and concluded that the web-based approach was the best.
DHS is concerned about data security and has taken a number of
steps to protect both the data that will be collected through the CSAT
program and the process of collection. The security of the data has
been the system
[[Page 17721]]
designers' number one priority. The site that the Department will use
to collect submissions is equipped with hardware encryption that
requires Transport Layer Security (TLS), as mandated by the latest
Federal Information Processing Standard (FIPS). The encryption devices
have full Common Criteria Evaluation and Validation Scheme (CCEVS)
certifications. CCEVS is the implementation of the partnership between
the National Security Agency and the National Institute of Standards
(NIST) to certify security hardware and software.
Upon completing any part of the CSAT (whether the Top-Screen,
Security Vulnerability Assessment, or Site Security Plan), the facility
will click a ``submit'' button, which calls a routine to encrypt the
data on the server using a one way key. Properly-executed public key
encrypted data is very secure, and the implementation that DHS has used
complies with the NIST 800-57 requirements for security. The key to
decrypt the data does not exist outside of facilities that are isolated
from the public internet. The key is connected only through a
dedicated, restricted, government network that cannot connect to the
public internet. Once a facility submits a Top-Screen (or SVA or SSP),
the data is no longer available unencrypted.
Comment: A few commenters indicated that the Advance Notice lacked
meaningful worker involvement. According to some of the commenters, the
rule does not ensure meaningful front line worker and union
participation during risk assessments, during the development of the
Site Security Plans, in the inspection process, or as part of ongoing
consideration of safety and security concerns. One commenter felt that
this omission occurred despite the fact that it is the front line
employee whose life is on the line first if there is a catastrophic
release.
Response: There is nothing in the rule that prohibits chemical
facilities from involving employees in their security efforts. Many
facilities may find it beneficial to include employees in their
respective efforts to comply with this regulation (e.g., identifying
security vulnerabilities, developing Site Security Plans). However, the
Department is not mandating participation by any particular type of
employee, and the Department does not think it is wise to specify any
employees that must be involved. The Department will leave those
decisions to facilities, as they will best understand the types and
functions of employees at their facility and the extent to which any
given type of employee may be able to contribute.
Comment: A commenter noted that a strong enforcement program is
essential.
Response: The Department agrees with the commenter and will
vigorously enforce these regulations.
Comment: A few commenters sought immediate phased-in implementation
of a national re-routing and a ban on toxic by inhalation (TIH) storage
wherever feasible. Although the commenters stated that re-routing is
the first and fastest step in eliminating catastrophic vulnerabilities
in the chemical sector, the commenters thought it should ideally be
done in tandem with the use of safe technology, which could in turn
eliminate ultra-hazardous substances in our rail system.
Response: These comments are beyond the scope of this rulemaking,
which addresses chemical facility anti-terrorism standards. However,
DHS points out that there are current DHS and other Federal initiatives
to address materials that are toxic by inhalation. On December 21,
2006, TSA issued a Notice of Proposed Rulemaking on Rail Transportation
Security. See 71 FR 76852. The rule applies, in part, to tank cars
containing materials that are poisonous by inhalation (PIH) as defined
in 49 CFR Sec. 171.8. (Note that the PIH is synonymous with TIH). See
proposed 49 CFR Sec. 1580.100(b). Also, on December 21, 2006, one of
the Department of Transportation's modal administrations, the Pipelines
and Hazardous Materials Administration (PHMSA), issued a Notice of
Proposed Rulemaking titled ``Hazardous Materials: Enhancing Rail
Transportation Safety and Security for Hazardous Material Shipments.''
See 71 FR 76834. PHMSA's proposed regulation would include requirements
for rail carriers to use data to analyze safety and security risks
along rail transportation routes where certain hazardous materials
(including PIH materials) are used.
Comment: Some commenters raised questions regarding specific
funding for programs such as the BZPP Webcam Pilot Program.
Response: Those comments are beyond of the scope of this
rulemaking, which addresses chemical facility anti-terrorism standards.
N. Regulatory Evaluation
Comment: Commenters believe that DHS has underestimated this cost
to the chemical sector and that DHS should consider other costs beyond
capital costs, such as additional physical security.
Response: In the Advance Notice, DHS did not attempt to estimate
the full cost of complying with the regulation. Instead, DHS placed in
the docket a stand-alone document titled ``Capital Cost Information for
Public Comment,'' which provides specific cost estimates for a
potential suite of capital security investments, such as fences and
perimeter lighting. DHS fully understands that, in addition to capital
costs, facilities may also incur non-capital costs, including the costs
of additional personnel (e.g., security guards) and the costs of
preparing assessments and plans. The costs that DHS has estimated for
compliance with the interim final rule do indeed include both the
capital costs and non-capital costs.
DHS also notes that while a few commenters thought the costs DHS
presented were too low, commenters did not generally provide specific
information regarding which costs may have been too low or additional
information that would have assisted the Department in reconsidering
the costs presented with the Advance Notice. Consequently, while DHS
did re-evaluate the costs presented with the Advance Notice in response
to these comments, DHS believes that the costs presented in the Advance
Notice are reasonable approximations, and they remain unchanged in the
interim final rule.
Some commenters indicated that cost recovery for implementation can
be difficult under certain government contracts. Such comments are
outside of the scope of this rulemaking.
Comment: Commenters also expressed concern that the high costs will
give an unfair advantage to larger companies, because these associated
costs will be harder for smaller companies (like local farmers) to
absorb.
Response: The Department notes, in general, that it may be more
difficult for smaller companies to absorb increased costs than larger
companies. However, the security measures required by this interim
final rule are not ``command and control'' type measures. Instead, they
are risk-based performance measures that will allow a high degree of
flexibility for small entities that own high-risk chemical facilities.
These risk-based performance measures will allow high-risk chemical
facilities to tailor a specific regulatory compliance regime that could
minimize the compliance costs to their respective facilities. DHS also
notes that certain chemical facilities have already voluntarily spent a
significant amount of financial resources to increase their security.
This interim final rule, by establishing a
[[Page 17722]]
baseline level of security across tiers, will serve to minimize any
competitive advantage that may be currently enjoyed by those companies
that are under-investing in security.
Comment: One commenter noted that in order to quantify the benefits
of the rule, DHS must make assumptions about the threats to the public,
which injects uncertainty into the calculation of actual benefits.
Response: The Department agrees that it is difficult to quantify
the ``actual benefits'' of this interim final rule. DHS has included a
qualitative discussion of the benefits of this rule in the regulatory
analysis of Executive Order 12886, which is located in Section IV of
the preamble to this rule.
Comment: Commenters noted that the idea of a model facility is
indeed a good proposal but worried that there is insufficient time to
implement the changes this proposal would entail.
Response: DHS agrees that the idea of model facilities is a good
proposal. The cost estimate of the interim final rule is based on the
concept of the ``model facility'' as it was used by the Coast Guard to
estimate the cost of their Maritime Transportation Security Act of 2002
Facility Security final rule. See 68 FR 60515 (Oct. 22, 2003).
Comment: The Small Business Administration (SBA), Office of
Advocacy, commented that DHS should prepare an Initial Regulatory
Flexibility Analysis (IRFA) under the Regulatory Flexibility Act (RFA),
5 U.S.C. 603, after issuing the interim final rule or if DHS makes
subsequent changes to the rule once it is promulgated. SBA explained
that the RFA process is an extremely valuable tool for agencies to use
when assessing the impact of a rule on small businesses and other small
entities.
Response: The RFA mandates that an agency conduct an analysis when
an agency is required to publish a notice of proposed rulemaking. See 5
U.S.C. 603(a). In this case, the Department is not required to publish
a notice of proposed rulemaking: By directing the Secretary to issue
``interim final regulations'', Congress authorized the Secretary to
proceed without the traditional notice-and-comment required by the
Administrative Procedure Act. See 71 FR 78276, 78277, and 78292 (Dec.
28, 2006).
DHS did, however, consider the impacts of this rule on small
entities. The Regulatory Assessment, which is available in the public
docket, contains our analysis of the impacts of this rule on small
entities. After consideration of the percentage of small entities that
may have to comply with the risk-based performance standards required
by this rule and the compliance costs explained in the Regulatory
Assessment, we have determined that this rule may have a significant
economic impact on a substantial number of small entities. See
``Regulatory Flexibility Act'' section below.
IV. Regulatory Analyses
A. Executive Order 12866: Regulatory Planning and Review
This rule is considered to be an economically significant
regulatory action under Executive Order 12866, because it will result
in the expenditure of over $100 million in any one year. Accordingly,
this rule has been reviewed by the Office of Management and Budget
(OMB). A Regulatory Assessment which more thoroughly explains the
assumptions used to generate the cost of this interim final rule is
available in the docket as indicated under ADDRESSES. A summary of the
Regulatory Assessment follows:
Cost Assessment Summary
Section 550 requires the Secretary of Homeland Security to
promulgate ``interim final regulations establishing risk-based
performance standards for security of chemical facilities * * *.'' He
must do so ``[n]o later than six months'' from the date of enactment of
this new authority, i.e. by April 4, 2007. Consequently, the
methodology chosen to analyze the cost of the interim final rule was
chosen with the six month congressional deadline in mind. In order to
quickly analyze the cost of the interim final rule, DHS relied on
readily available information and drew upon the knowledge of
professionals employed by DHS who have extensive knowledge of the
chemical industry. In addition, on December 28, 2006, DHS published an
Advance Notice, which outlined our costing methodology and also placed
in the docket our estimates of capital costs for potential security
investments in order to seek meaningful public comment.
We have reviewed the methodology used by the U.S. Coast Guard to
analyze the cost of the MTSA Facility Security final rule at 68 FR
60515 (Oct. 22, 2003), and, due to the similarities between the MTSA
Facility final rule and this interim final rule, we believe that this
methodology has merit and should be used in this rulemaking. The MTSA
Facility Security final rule estimated the cost of performance
standards on several thousand unique facilities. Similarly, the interim
final rule will estimate the costs of risk-based performance standards
to several thousand unique facilities. The Coast Guard found it
impractical to attempt to estimate compliance costs for each individual
facility and instead developed costs based on 16 ``model facilities.''
Each of the several thousand facilities was placed into one of the 16
different subgroups for which compliance costs were then estimated.
Once the compliance costs for the 16 ``model facilities'' were
calculated, estimating the cost of the regulation was relatively
straightforward.
As this regulation is not a ``command and control'' regulation,
owners and/or operators will have considerable flexibility in how they
choose to comply with its requirements. As owners and/or operators will
have discretion on how to best meet the risk-based performance
objectives, the cost assessment makes broad assumptions regarding the
percentage of facilities that will choose to implement or continue
certain security measures and the costs of those security measures. For
example, many facility owners and/or operators will choose such
measures as building fences, enhancing perimeter lighting, and hiring
additional security guards in order to comply with the risk-based
performance standards. In order to estimate the cost of the interim
final regulation, we made assumptions regarding the specific percentage
of facilities that will choose to implement certain security measures,
such as fences and perimeter lighting.
We expect that chemical facility owners and/or operators will take
full advantage of the flexibility that these risk-based performance
standards will provide and will conduct facility-specific and company-
specific analyses to determine the most cost-effective method to comply
with the requirements of this interim final regulation. As a result of
these internal analyses, facilities are likely to identify various
means of meeting the risk-based performance standards applicable to
their facility and tier. It is possible that some percentage of
facilities will find the most-cost effective method to comply with the
requirements will be to implement business and related production,
processing or equipment changes such as to no longer make certain
chemicals or to change their process to use a less concentrated or less
hazardous form of a listed chemical. Such process changes, however, are
very facility-, business- and process-specific. Those that involve
changes in chemistry or processes may take several years of design,
testing and re-permitting before they can become operational. Others
may be easily and immediately implemented. However, because process
changes are so facility-
[[Page 17723]]
and business-specific, DHS has no way of estimating how many facilities
may ultimately implement such measures for the purpose of estimating
compliance costs. Consequently, DHS is basing its estimate of
compliance costs on commonly used security measures that are broadly
applicable to a wide range of high risk chemical facilities, such as
the purchase of fences, the purchase of perimeter lighting, and the
employment of security guards.
For the purposes of good practices or regulations promulgated by
other Federal or State agencies, many chemical facility owners and/or
operators have already spent a substantial amount of money and
resources to upgrade and improve security. The costs shown below do not
include the costs of security measures already implemented to enhance
security. The costs shown here are intended to represent the marginal
cost incurred by owner and/or operators as a result of the interim
final rule.
DHS's preliminary estimate of the number of high risk chemical
facilities that will be covered by the risk-based performance measures
required by the interim final rule ranges from 1,500 to 6,500 chemical
facilities. It is important to stress that this estimate is simply
DHS's best guess based on currently available information. Within this
range of 1,500 to 6,500 potentially covered chemical facilities, DHS is
estimating 5,000 facilities as its best guess of covered facilities for
the purpose of generating the cost estimate required by Executive Order
12866.
Using the point estimate of 5,000 facilities, the estimated present
value cost of this interim final rule is $3.6 billion dollars over the
period 2006-2009 \2\ (7 percent discount rate). For the purposes of
illustration, we also have calculated the cost of the interim final
rule over the ten year period 2006-2015. Over the period 2006-2015, DHS
estimates the present value cost of this interim final rule would be
$8.5 billion assuming 5,000 covered facilities.
---------------------------------------------------------------------------
\2\ Section 550(b) of the Act states: ``Interim regulations
issued under this section shall apply until the effective date of
interim or final regulations promulgated under other laws that
establish requirements and standards referred to in subsection (a)
and expressly supersede this section: Provided, That the authority
provided by this section shall terminate three years after the date
of enactment of this Act.''
---------------------------------------------------------------------------
Benefits Assessment
This interim final rule allows DHS to implement Section 550 of the
Homeland Security Appropriations Act of 2007. The first sentence of
Section 550 mandates the Secretary to issue interim final regulations
establishing risk-based performance standards requiring the performance
of vulnerability assessments and the development and implementation of
site security plans. Section 550 establishes the parameters of the
Federal government's first regulatory program to secure chemical
facilities against possible terrorist attack.
The threat of a terrorist attack against high-risk chemical
facilities is real. However, due to the economics of externalities, the
free market may not provide adequate incentives for chemical facilities
to make a socially optimal investment in the full range of measures
that would reduce the probability of a successful terrorist attack.
Externalities are a cost or benefit from an economic transaction
experienced by parties ``external'' to the transaction. In the case of
chemical facilities, since the consequences of an attack or other
security incident may be significantly larger than what would be
suffered by the owner of the facility itself, the private market may
not generally provide the incentive for profit-maximizing firms to
unilaterally spend the socially optimal amount of resources to prevent
or mitigate a terrorist attack. Since companies nevertheless will
likely suffer serious consequences in the case of a terrorist attack,
many certainly have invested significant resources in implementing
security measures, and this analysis recognizes those resource
expenditures. In a competitive marketplace, however, a firm will not
normally choose to make some additional investment in security over
their privately optimal amount, since they would consequently be
choosing to increase its cost of production and would be at a
disadvantage when competing with companies that have chosen not to make
a similar investment in security. As this interim final rule will
require high-risk chemical facilities to be held to the same risk-based
performance standards according to their risk-based tier, the
competitive advantage that may be currently enjoyed by those companies
that are under-investing in security measures would be expected to
disappear.
Need for Increased Security at High-Risk Chemical Facilities
There is much publicly-available information that indicates an
attack on a chemical facility is a credible threat with dire
consequences:
According to the Government Accountability Office, experts
agree that the Nation's chemical facilities present an attractive
target for terrorists who are intent on causing massive damage. Many
facilities house toxic chemicals that could become airborne and drift
to surrounding communities if released or could be stolen and used to
create a weapon capable of causing harm. Terrorist attacks involving
the theft or release of certain chemicals could have a significant
impact on the health and safety of millions of Americans. The disaster
at Bhopal, India in 1984, when methyl isocyanate gas--a highly toxic
chemical--leaked from a tank, reportedly killing about 3,800 people and
injuring anywhere from 150,000 to 600,000 others, illustrates the
potential threat to public health from a chemical release.\3\
---------------------------------------------------------------------------
\3\ GAO, Homeland Security: Federal and Industry Efforts Are
Addressing Security Issues at Chemical Facilities, but Additional
Action is Needed, GAO-05-631T (Washington, DC: April 2005).
---------------------------------------------------------------------------
The Department of Justice has concluded that the risk of
terrorists attempting in the foreseeable future to cause an industrial
chemical release is both real and credible. Terrorists or other
criminals are likely to view the potential of a chemical release from
an industrial facility as a relatively attractive means to cause mass
casualties to the populace and/or large scale damage to property. DOJ
notes that there have been successful efforts by foreign militaries and
certain terrorist groups indigenous to other countries to cause
releases from industrial facilities using bombs. Those efforts have in
effect converted the facilities into makeshift WMD. Some of these
releases have inflicted damage on the surrounding communities.
Moreover, the evacuations that were triggered by the attempted and
successful releases of industrial chemicals produced panic and
disruption among the targeted population. These are precisely the goals
of a terrorist.\4\
---------------------------------------------------------------------------
\4\ Department of Justice Assessment of the Increased Risk of
Terrorist or Other Criminal Activity Associated With Posting Off-
Site Consequence Analysis Information on the Internet, April 18,
2000.
---------------------------------------------------------------------------
In April 27, 2005, testimony before the Senate Committee
on Homeland Security and Governmental Affairs regarding the
vulnerability of America to a chemical attack, a Brookings Institution
Visiting Fellow testified. The testimony stated that ``of all the
various remaining civilian vulnerabilities in America today, one stands
alone as uniquely deadly, pervasive, and susceptible to a terrorist
attack: toxic-inhalation-hazard (TIH) industrial chemicals, such as
chlorine, ammonia, phosgene, methyl bromide, hydrochloric and various
other acids.'' In addition, the testimony indicated,
[[Page 17724]]
``the casualty potential of a terrorist attack against a large TIH
chemical container near a population center is comparable to that of a
fully successful terrorist employment of an improvised nuclear device
or effective biological weapon. The key difference is that TIH chemical
containers are substantially easier to attack than improvised nuclear
devices or effective biological weapons are to acquire or fabricate.''
\5\
---------------------------------------------------------------------------
\5\ Statement of Richard A. Falkenrath, Visiting Fellow, The
Brookings Institution, before the United States Committee on
Homeland Security and Governmental Affairs (April 27, 2005).
---------------------------------------------------------------------------
In April 27, 2005, testimony before the Senate Committee
on Homeland Security and Governmental Affairs regarding the
vulnerability of America to a chemical attack, a Senior Fellow for
National Security Studies at the Council on Foreign Relations
testified. The testimony stated ``Of the carefully selected potential
targets that al Qaeda or its imitators might seek to attack, the
chemical industry should be at the top of the list. There are hundreds
of chemical facilities within the United States that represent the
military equivalent of a poorly guarded arsenal of weapons of mass
destruction.'' \6\
---------------------------------------------------------------------------
\6\ Statement of Stephen E. Flynn, PhD, Jeane J. Kirkpatrick
Senior Fellow for National Security Studies, Council on Foreign
Relations, before the United States Committee on Homeland Security
and Governmental Affairs (April 27, 2005).
---------------------------------------------------------------------------
A recent Congressional Research Service Report discussed
trends in chemical terrorism and discussed evidence that U.S. chemical
facilities may be used by terrorists to gain access to chemicals. One
of the 1993 World Trade Center bombers, Nidal Ayyad, became a
naturalized U.S. citizen and worked as a chemical engineer in the
chemical industry, from which he used company stationery to order
chemical ingredients to make the bomb.'' \7\
---------------------------------------------------------------------------
\7\ CRS Report for Congress, Chemical Facility Security, Updated
August 2, 2006.
---------------------------------------------------------------------------
Information contained in the Congressional Record states
that U.S. chemical trade publications were found in one of the caves
where Osama bin Laden had hidden.\8\
---------------------------------------------------------------------------
\8\ Bond, Christopher. Statement on S.2579. Congressional
Record, Daily Edition, June 5, 2002, p. S5044.
---------------------------------------------------------------------------
Qualitative Benefits of the Risk-Based Performance Standards
As explained previously, Section 550 requires the Secretary of
Homeland Security to promulgate ``interim final regulations
establishing risk-based performance standards for security of chemical
facilities * * *.'' Section 27.230 establishes these standards. Below
is a discussion of the qualitative benefits of these risk-based
performance standards:
By securing and monitoring the perimeter of the facility,
site personnel are better able to detect, delay, and respond to
individuals or groups who seek unauthorized access to the site or its
restricted areas. A well-secured perimeter deters intruders from
seeking to gain access. By limiting acce3ss through control points, the
facility can more easily and effectively control who enters and leaves
the site. Additionally, securing and monitoring restricted areas or
potentially critical targets within the facility reduces the likelihood
of theft of chemicals because adversaries risk observation arriving and
leaving the premises. Control of gates by guards or observation of the
perimeter allows facility personnel to know who is entering and leaving
the site and in what vehicles. Access control points permit the
facility to check persons and vehicles seeking entrance to the site and
confirm their legitimate business.
Controlling access to the site including the screening
and/or inspection of individuals and vehicles as they enter and exit
the facility serves to deter and detect unauthorized introduction or
removal of substances and devices that may cause a dangerous chemical
reaction, explosion, or other release to harm facility personnel or the
surrounding community. A regular system of identification checks will
help guards and other facility personnel recognize those personnel
authorized to be on the site and identify those individuals who should
not be granted access.
Deterring vehicles from entering the facility or
restricted access areas will reduce the likelihood that an adversary
will detonate a vehicle-borne improvised explosive device inside the
facility. Appropriate methods of deterring vehicles form unauthorized
entry provide additional time for local law enforcement response or
otherwise delay or prevent the vehicle from entering the site to cause
harm.
Securing and monitoring the shipping and receiving of
hazardous chemicals will improve inventory control, product stewardship
and security against theft, diversion and tampering. In addition,
improved inventory control and control of transportation containers on
site decreases the likelihood that a foreign substance could be
introduced into feedstock, incidental chemicals, or products leaving
the site that could later react with the chemical to cause a
significant on- or off-site reaction to damage process equipment or
cause a release of a hazardous material to harm onsite personnel or the
community.
Deterring the theft or possible diversion of potentially
hazardous chemicals will prevent loss of chemicals from the site. Such
measures provide security benefits as well as improving inventory
controls especially for chemicals that can be used directly as a
chemical weapon or can be used to produce such a weapon.
Deterring insider sabotage prevents the facility's own
property and activities from being used by a potential terrorist
against the facility. Examining the background of employees or
contractors who may be planning acts of sabotage assists in preventing
an in situ release of hazardous chemicals, damage to process units
manufacturing chemicals or tampering with chemicals that could cause an
offsite impact. Ascertaining that visitors and contractors have
legitimate business onsite and are escorted when necessary increases
the control of the site in general and reduces the likelihood of
sabotage or theft.
The deterrence of cyber sabotage will benefit the facility
by preventing unauthorized onsite or remote access to critical process
controls, site security, business systems, or SCADA systems (if
significant consequences can be generated by the manipulation of the
process controls/systems). Appropriate controls will allow the
detection of unauthorized access and unauthorized modification of
information (hacking).
Developing and exercising an emergency plan to respond to
security incidents internally and with local law enforcement and first
responders (i.e., emergency medical technicians (EMTs), fire, police)
benefits the facility by preparing it to take quick and decisive action
in the event of an attack or other breach of security. Establishing
relationships with local law enforcement improves responder
understanding of the layout and of hazards associated with the facility
and strengthens relationships with the community.
Maintaining effective monitoring, communications and
warning systems allows the facility to notify internal personnel and
local responders in a timely manner about security incidents. Regular
tests, repairs and improvements to the warning and communications
system increase the reliability of such systems and will improve
response time.
When the facility provides proper security training,
exercises and drills, facility personnel are better able to respond to
suspicious behavior, attempts to enter or attack a facility, or
[[Page 17725]]
other malevolent acts by insiders or intruders. Well trained personnel
who practice how to react can more effectively detect and delay
intruders and provide increased measures of deterrence against
unauthorized acts. Establishing relationships with local law
enforcement improves responder understanding of the layout and hazard
associated with the facility and strengthens relationships with the
community.
The ability to escalate the levels of security measures
for periods of elevated threat will provide the facility with the
capacity to increase security measures to better protect against known
increased threats or generalized increased threat levels declared by
the federal government. By maintaining the ability to increase security
measures, the facility does not have to expend time and resources on
more robust security measures unless and until warranted.
A facility addressing specific threats, vulnerabilities or
risks identified by the Assistant Secretary will decrease the
likelihood of a successful attack on its facility, personnel, products
or community. Any additional performance standards specified by the
Secretary will increase the facilities ability to deter, detect, delay
and respond to specific and general threats against its security.
B. Regulatory Flexibility Act
The Regulatory Flexibility Act (RFA) mandates that an agency
conduct an RFA analysis when an agency is required to publish a notice
of proposed rulemaking. See 5 U.S.C. 603(a). An RFA analysis, however,
is not required when an agency is not required to publish a notice of
proposed rulemaking, as is the case here. By directing the Secretary to
issue ``interim final regulations'' Congress authorized the Secretary
to proceed without the traditional notice-and-comment required by the
Administrative Procedure Act. See 71 FR 78276, 78277, and 78292.
Even though a Regulatory Flexibility Analysis is not required for
this rule, DHS did consider the impacts of this rule on small entities.
The Regulatory Assessment, which is available in the public docket,
contains this analysis of the impacts of this rule on small entities. A
portion of the analysis is summarized below.
At this time, DHS's preliminary estimate of the number of high risk
chemical facilities that will be covered by the risk-based performance
measures required by the rule ranges from 1,500 to 6,500. This estimate
is based on currently available information. After chemical facilities
with certain risk profiles complete the Top-Screen, DHS will have a
better understanding of how many and which specific chemical facilities
will be deemed to be ``high-risk'' for the purposes of the rule. Also,
in meeting the risk-based performance standards required by this rule,
facilities will have a large degree of flexibility in choosing specific
security enhancements. We expect that chemical facility owners and/or
operators will use this flexibility to minimize the cost of this rule
to their operations. These uncertainties make it very difficult to
estimate the extent of the economic impact of this rule on small
entities.
Even so, strictly for the purposes of analyzing the impact of this
rule on small entities, DHS has selected from the EPA RMP database a
sample of 350 facilities that may be required to comply with the risk-
based performance standards required by the rule. We researched these
350 facilities using Reference USA and LexisNexis and found detailed
information (i.e., annual revenue, number of employees, and parent
company information) for 326 (93%) of them. Of the 326 facilities for
which we were able to find detailed information, our analysis of the
data indicates that 118 (36%) fit the Small Business Administration's
definition of a small entity. If we assume that the 24 companies for
which we could find no information are also small entities, the
percentage of these facilities which are owned by small entities could
be 41 percent. Table 1 below provides revenue ranges of the118 small
entities.
Table 1.--Percentage of Small Entities by Revenue
------------------------------------------------------------------------
Number of Percent of
Revenue small entities small entities
------------------------------------------------------------------------
$0-$999,999............................. 11 9.3
$1,000,000-$4,999,999................... 14 11.9
$5,000,000-$9,999,999................... 12 10.2
$10,000,000-$19,999,999................. 15 12.7
$20,000,000-$49,999,999................. 23 19.5
$50,000,000-$99,999,999................. 9 7.6
$100,000,000-$999,999,999............... 31 26.3
> $1Billion............................. 3 2.5
-------------------------------
Total............................... 118 100.0
------------------------------------------------------------------------
After consideration of the percentage of small entities that may have
to comply with the risk-based performance standards required by this
rule and the compliance costs explained in the Regulatory Assessment,
we have determined that this rule may have a significant economic
impact on a substantial number of small entities.
C. Executive Order 13132: Federalism
1. Background
Executive Order 13132 requires DHS to develop a process to ensure
``meaningful and timely input by State and local officials in the
development of regulatory policies that have federalism implications.''
Between the publication of the Advance Notice and this Interim Final
Rule, the Department has complied with this instruction in two ways.
The Department specifically sought public comment on issues involving
preemption. Additionally, after issuing its proposal, the Department
specifically invited a number of groups representing the interests of
States and their legislators to meet with the Department to discuss the
proposed regulations. These groups were: the National League of Cities,
the National Association of Counties, the National Conference of State
Legislators, the County Executives of America, the International City/
County Management Association, the American Legislative Exchange
Council, the National Emergency Management Association/CSG Council of
State Governments, the International Association of Emergency Managers,
the National Governors
[[Page 17726]]
Association, and the United States Conference of Mayors.
The Department received numerous comments in response to its
invitations. States, the private sector, academia, various interest
groups, and individual members of Congress submitted comments. The
commenters were divided in their views of the proposed approach on
preemption. A number of commenters favored the Department's proposal,
while others opposed it. Some commenters misunderstood the Department's
position on preemption or the current state of the case law on
preemption. As discussed below, the Department is clarifying its
approach on preemption in certain respects. Specifically, we confirm:
the propriety of discussing the Department's view on preemption, though
Congress was silent on the question; that the type of preemption called
for by Section 550 is not field preemption, but conflict preemption;
and that the Department will further assist in the process of
determining whether a non-Federal regulation is preempted by providing
opinions regarding the impact of that regulation on the Federal scheme.
2. Propriety of Department's Views on Preemption
As an initial matter, some commenters, including Members of
Congress, suggested that, since Congress was silent on preemption, the
Department's rulemaking should be silent as well. The comments on this
subject touch on two important subtopics: who (i.e., which government
structure) should determine the preemptive effect of Section 550 and
the regulatory program promulgated under its authority; and what law,
if any, the regulatory program under Section 550 might preempt.
In Section 550, Congress did not expressly speak to the issue of
preemption. Preemption questions following statutory silence on
preemption are not novel. Courts and agencies have previously faced and
dealt with who decides preemption issues in the face of congressional
silence. It is helpful to recall that, as a general matter, Congress
often provides the Executive Branch with authority to administer a
regulatory program while leaving gaps or ambiguities in the authorizing
law. When this happens, the Supreme Court has long recognized that
agencies have the responsibility, within the general delegation, to
formulate policy and make rules to fill those gaps and interpret the
ambiguities. See Chevron U.S.A., Inc. v. Natural Resources Defense
Council, Inc., 467 U.S. 837, 843 (1984) (``The power of an
administrative agency to administer a congressionally created * * *
program necessarily requires the formulation of policy and the making
of rules to fill any gap left, implicitly or explicitly by Congress.'')
(ellipses in original; citation omitted). Agencies, not only the
courts, exercise their expertise to fill in the gaps and interpret the
ambiguities. See id. at 843 & n.11 (``If, however, the court determines
that Congress has not directly addressed the precise question at issue,
the court does not simply impose its own construction on the statute *
* * Rather, if the statute is silent or ambiguous with respect to the
specific issue, the question for the court is whether the agency's
answer is based on a permissible construction of the statute. The court
need not conclude that the agency construction was the only one it
permissibly could have adopted to uphold the construction, or even the
reading the court would have reached if the question initially had
arisen in a judicial proceeding.''). And even if a court interprets an
ambiguous statute before an agency promulgates rules to fill the gaps
or interpret the ambiguities, the court's interpretation does not
necessarily restrict the agency's ability to adopt a different
interpretation in the future. See National Cable & Telecomm. Ass'n v.
Brand X Internet Servs., 545 U.S. 967, 982 (2005).
This does not mean to slight the courts' role in the interpretive
process. As the Supreme Court has stated, ``The judiciary is the final
authority on issues of statutory construction and must reject
administrative constructions which are contrary to clear congressional
intent.'' Chevron, 467 U.S. at 843 n.9.
With respect to the issue of preemption in particular, the Supreme
Court has applied these same principles regarding Congress, the courts
and the agencies. See, e.g., Fidelity Fed. Sav. and Loan Ass'n v. de la
Cuesta, 458 U.S. 141, 151-54 (1982). ``Federal regulations have no less
pre-emptive effect than federal statutes * * * A pre-emptive
regulation's force does not depend on express congressional
authorization to displace state law.'' Id. at 153-54. The Supreme
Court, and lower courts, have given deference to agencies that define,
through regulation, the scope of preemption. See, e.g., id.; Wachovia
Bank, N.A. v. Burke, 414 F.3d 305 (2d Cir. 2005).
So although some commenters claimed that the Department lacks the
authority to address the issue of preemption in its regulations or
later-issued opinions, this assertion is simply not consistent with
current law. Federal agencies have historically published their views
on the preemptive effect of federal law in a number of contexts. See,
e.g., In re Wireless Consumers Alliance, Inc., 15 F.C.C.R. 17,021 (Aug.
14, 2000) (administrative agency opinion on preemptive effect of
federal law); 1999 WL 303948 (April 20, 1999) (U.S. Department of Labor
Release discussing views on preemption of state laws). We anticipate
that the courts will ultimately resolve any preemption question, with
an appropriate level of deference to the position of the agency.
Some comments urged the Department to avoid preemption after
looking to a canon of interpretation involving a presumption against
preemption. This presumption, however, typically exists ``in areas of
regulation that are traditionally allocated to states and are of
particular local concern.'' Wachovia Bank, N.A., 414 F.3d at 314; see
also United States v. Locke, 529 U.S. 89 (2000). As noted in the
Advance Notice, measures to prevent terrorist attacks against the
Nation's critical infrastructure do not involve an area traditionally
regulated by the States. Very few state and local jurisdictions
currently regulate security at chemical facilities.
The Department recognizes that courts sometimes look to legislative
intent with respect to the issue of preemption--decisions in this area
are replete with such references. See, e.g., Medtronic, Inc. v. Lohr,
518 U.S. 470, 485 (1996). In the context of Section 550, however, it is
very difficult to discern that intent. The legislative history on the
point is mixed, with various Members of Congress making floor
statements that are not consistent with each other. See, e.g., Cong.
Rec. H7967 (daily ed. Sept. 29, 2006) (statement of Rep. King) (``the
intention is not to preempt the ability of the States'') and Cong. Rec.
S10619 (daily ed. Sept. 29, 2006) (statement of Sen. Voinovich) (``I
feel strongly that this provision sets that uniform set of rules and in
so doing, impliedly preempts further regulation by State rules or
laws.'') In addition, it is particularly difficult to gauge
congressional intent on one relatively short, page-and-a half
authorizing provision in a lengthy appropriations act that runs over
100 pages. To be sure, individual members of Congress--including some
members substantially involved in homeland security issues--have
expressed strong views on preemption. But can it really be said that
legislative intent may be discerned on the silent aspect of one
authorizing section of a lengthy appropriations act? Cf. Chrysler Corp.
v. Brown, 441 U.S. 281, 311-12 (1979); Castaneda-Gonzalez v. INS, 564
F.2d 417, 424 (D.C. Cir. 1977).
[[Page 17727]]
As an additional consideration, the Department notes that if it
were to disclaim any preemptive effect of the regulatory program under
Section 550, it would create an inconsistency with the Department's own
regime for regulating chemical facilities under the MTSA. In its
regulations under MTSA, the Department has stated its view that the
principles of conflict preemption apply. See 68 FR 60468 (Oct. 22,
2003). Congress has charged the Department with implementing the
security programs under both MTSA and Section 550, and the Department
seeks to implement these programs in a consistent and logical manner.
3. No Field Preemption
Some commenters feared--and others hoped--that the Department's
approach to preemption would wholly displace state and local laws. This
is incorrect. The Department does not in this interim final rule claim
that the ``field preemption'' doctrine applies in this regulatory
context. The Department does not view its regulatory scheme as one
which so fully occupies the field as to pre-empt any state law touching
the same subject.
This is clear from the statutory text. For example, the authority
granted in Section 550 calls for the federal regulations to apply to
facilities that present ``high levels of security risk'' as determined
by the Secretary. The Department does not, therefore, have authority
under Section 550 to regulate facilities that may, in the Secretary's
view, present other than high levels of security risk. Some facilities
may not be deemed by the Department as presenting a high risk. These
facilities may be regulated by States provided such regulation is not
otherwise in conflict with the federal program. In addition, as
mentioned in the comments, Section 550 specifically allows the
Secretary to approve alternative security programs that may have been
submitted in response to State or local authorities.
4. Principles of Conflict Preemption
Even for high risk facilities, the approach outlined in the Advance
Notice, and further developed here, is one of conflict preemption.
Conflict preemption is established in the Constitution and has been
developed in case law (see, e.g., Geier v. American Honda Motor Co.,
529 U.S. 861, 873 (2000); Fidelity Fed. Sav. and Loan Ass'n v. de la
Cuesta, 458 U.S. 141, 152 (1982); Surrick v. Killion, 449 F.3d 520,
530-31 (3d Cir. 2006)), and the well-known standards of conflict
preemption--which are captured in the regulatory text at Sec. 27.405--
apply to Section 550 and this regulation.
After considering comments, however, the Department has modified
certain of its prior statements on preemption as potentially too broad.
In the Advance Notice, the Department noted that Section 550 compels
the Department to preserve chemical facilities' flexibility to choose
security measures to reach the appropriate security outcome. The
Department went on to say that a State measure frustrating this balance
``will be preempted.'' The Department has decided, however, that
clarification is in order, as this regulation is not intended to be the
equivalent of ``field preemption'' for facilities determined to be high
risk. Instead, it is only meant to indicate that the regulation is not
to be conflicted by, interfered with, hindered by or frustrated by
State measures, under long-standing legal principles.
Only a few jurisdictions have developed security regulations
(rather than health, safety, and environmental regulations) governing
chemical sites. While we have not canvassed all existing state laws and
regulations, currently we have no reason to conclude that any such non-
Federal measure is being applied in a way that would impede the
performance standards or other provisions of Section 550 and this
Interim Final Rule. However, concrete conclusions about the effect of
state laws and the application of preemption principles will require an
understanding of future, factual contexts in which those laws are
applied. The Department will consider any problems that arise in this
regard in a more particularized manner.
Consistent with the approach outlined in the Advance Notice, the
Department will entertain requests for its views on particular state or
local laws, which will be issued by way of an opinion. In addition to
the approach described in the Advanced Notice, the Department will seek
the input and views of a State before finalizing the Department's view
of preemption with respect to such State's laws. See Sec.
27.405(d)(3). It will be helpful for the Department to seek the views
of the relevant States if an opinion on preemption is requested under
these regulations. Additionally, the Department would, time permitting,
seek public notice and comment before formulating its views on a
particular preemption question, consistent, of course, with the
congressional mandate to protect from public disclosure information
submitted under Section 550. The Department, however, declines to add
additional procedural formalities to the regulation as it relates to
preemption.
Certain commenters asked that the Advance Notice be more clear in
delineating what state laws are not to be preempted. The Department
does not intend to preempt existing health, safety and environmental
regulations. In the future, however, if state or local governments
enact security laws or promulgate security regulations under the rubric
of health, safety, or environmental protections, those laws and
regulations will be measured against the standard described in Sec.
27.405. Of course, non-Federal regulations that fall below federal
performance standards will not diminish the federal requirements that
covered facilities must meet.
D. Unfunded Mandates Reform Act
Title II of the Unfunded Mandates Reform Act of 1995 (UMRA),
enacted as Pub. L. 104-4 on March 22, 1995, requires each Federal
agency, to the extent permitted by law, to prepare a written assessment
of the effects of any Federal mandate in a proposed or final agency
rule that may result in the expenditure by State, local, and tribal
governments, in the aggregate, or by the private sector, of $100
million or more (adjusted annually for inflation) in any one year.
Section 204(a) of UMRA, 2 U.S.C. 1534(a), requires the Federal agency
to develop an effective process to permit timely input by elected
officers (or their designees) of State, local, and tribal governments
on a proposed ``significant intergovernmental mandate.'' A
``significant intergovernmental mandate'' under the UMRA is any
provision in a Federal agency regulation that will impose an
enforceable duty upon State, local, and tribal governments, in the
aggregate, of $100 million (adjusted annually for inflation) in any one
year. Section 203 of UMRA, 2 U.S.C. 1533, which supplements section
204(a), provides that before establishing any regulatory requirements
that might significantly or uniquely affect small governments, the
agency shall have developed a plan that, among other things, provides
for notice to potentially affected small governments, if any, and for a
meaningful and timely opportunity to provide input in the development
of regulatory proposals. The Department sought input from state and
local governments during the comment period and hosted a meeting with
state and local representatives on February 6, 2007. A list of
participants and short description of the meeting is in the docket.
[[Page 17728]]
This interim final rule would result in expenditure by the private
sector of $100 million (adjusted annually for inflation) or more in any
one year. At this time, however, we do not have enough information
regarding the specific facilities that will be required to comply with
the rule's risk-based performance standards in order to know if this
interim final rule will impose an enforceable duty upon State, local,
and tribal governments of $100 million (adjusted annually for
inflation) or more in any one year. DHS has conducted a ``Regulatory
Assessment,'' which explains the economic effects of the rule. The
``Regulatory Assessment'' is summarized in the section entitled
``Executive Order 12866,'' and a copy may be found in the public docket
for this IFR.
As explained in the ``Regulatory Assessment,'' DHS's preliminary
estimate of the total number of high-risk chemical facilities that will
be covered by the risk-based performance measures required by this rule
ranges from 1,500 to 6,500 chemical facilities. This estimate is based
on currently available information. After chemical facilities fitting
certain risk profiles complete the Top-Screen risk assessment
methodology (which will be accessible through a secure Department
website), DHS will better understand how many and which specific
chemical facilities will be deemed to be ``high-risk'' for the purposes
of this rule. For the purposes of this discussion, we believe this rule
may require certain municipalities that own and/or operate power
generating facilities to purchase security enhancements, but at this
time we do not know the extent of the financial impact.
E. Paperwork Reduction Act
This interim final rule contains collection of information
requirements under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501-
3520). ``Collection of information,'' as defined in 5 CFR 1320.3(c),
includes reporting, record keeping, monitoring, posting, labeling, and
other similar actions.
Under Section 550 of the DHS Appropriations Act, the Department
will use the Chemical Security Assessment Tool (CSAT) system to collect
and analyze key data from chemical facilities to: (1) Identify
facilities that present a high level of risk, (2) Support the facility-
specific judgment for preliminary and final tier high risk
determinations, (3) Specify the facility-specific security concerns
that facilities must address in their SVAs and SSPs, and (4) Collect
the facility-specific security measures, activities, and systems for
judging compliance against the risk based performance standards. DHS
will submit the collections for SVAs and the SSPs during the summer
months.
This rule introduces a new collection, 1670-NEW, with two new
forms: User Registration (DHS 9002 (1/07)) and Top Screen (DHS 9007 (2/
07)). As such, DHS has submitted the following information requirements
to OMB for its review:
Title: Chemical Security Assessment Tool (CSAT): User Registration.
OMB Control Number: 1670--NEW
Summary of Collection of Information: Section 550 provided the
Department with the authority to regulate high risk chemical
facilities. Further, it requires that the Secretary of the Department
of Homeland Security identify high risk facilities and provide for the
protection of the information regarding and provided by those
facilities. DHS has identified the CSAT system as the Information
Technology (IT) system it will use to obtain and quantify this key risk
data from facilities. The Department will begin collecting information
upon the effective date of this interim final rule.
Use of: The Department will use the registration information as a
basis for providing chemical facilities access to the CSAT system.
Need for Information: The Department needs the information from the
User Registration form to identify and vet requests to access the CSAT
system.
Description of the Respondents: DHS anticipates that there will be
40,000 respondents in the first year. The respondents will be the
owners and operators of the chemical facilities that will need to
submit information through the CSAT system.
Frequency of Response: On Occasion.
Annual Burden Estimate: Each facility is estimated to have a burden
of 44.5 minutes to complete DHS Form 9002 (1/07). The annual hour
burden is estimated to be 22,250.
Title: Chemical Security Assessment Tool (CSAT): Top Screen.
Summary of Collection of Information: Section 550 provided the
Department with the authority to regulate high risk chemical
facilities. Further, it requires that the Secretary of the Department
of Homeland Security identify high risk facilities and provide for the
protection of the information regarding and provided by those
facilities. DHS has identified the CSAT system as the Information
Technology (IT) system it will use to obtain and quantify this key risk
data from facilities. The Department will begin collecting information
upon the effective date of this interim final rule.
Use of: The CSAT is the Department's system for collecting and
analyzing key data from chemical facilities to: (1) Identify facilities
that present a high level of risk, (2) Support the facility-specific
judgment for preliminary and final tier determinations, and (3) Specify
the facility-specific security concerns that facilities must address in
their SVAs and SSPs.
Respondents (including number of): DHS anticipates there will be
40,000 respondents in the first year. The respondents will be chemical
facilities that possess, or plan to possess, a quantity of a chemical
substance determined by the Secretary to be potentially dangerous or
that meets other risk-related criteria identified by the Department.
Frequency: Most facilities will complete the Top-Screen once. The
Department will require facilities that are determined to be high risk
to periodically resubmit the Top-Screen.
Burden of Response: Depending upon the size of the facility, the
burden rates will vary. The estimated burden hours for the different
facility types are detailed in the table below. The combined hour
burden for all facilities completing the Top-Screen is estimated to be
1,230,550. The combined annual cost burden for the User Registration
and the Top-Screen is $110,003,900.
Table 2.--Summary of Burden Hours for Conducting User Registration (DHS Form 9002 (1/07)) and Top Screen (DHS
Form 9007 (2/07))
----------------------------------------------------------------------------------------------------------------
Number of Hour burden Total hour
Type of facility facilities per facility burden
----------------------------------------------------------------------------------------------------------------
Open Large...................................................... 9,327 39.5 368,400
Merchant Wholesalers............................................ 432 30 13,000
Facilities with only 1-2 chemicals.............................. 7,968 25.5 203,200
[[Page 17729]]
Other........................................................... 22,273 30 668,200
-----------------------------------------------
Total....................................................... .............. .............. 1,252,800
----------------------------------------------------------------------------------------------------------------
As required by the Paperwork Reduction Act of 1995 (44 U.S.C. 3507
(d)), we have submitted a copy of the interim final rule to OMB for its
review of the collections of information. Due to the circumstances
surrounding this final rule, we ask for emergency processing.
DHS is soliciting comments to:
(1) Evaluate whether the proposed information requirement is
necessary for the proper performance of the functions of the agency,
including whether the information will have practical utility;
(2) Evaluate the accuracy of the agency's estimate of the burden;
(3) Enhance the quality, utility, and clarity of the information to
be collected; and
(4) Minimize the burden of the collection of information on those
who are to respond, including using appropriate automated, electronic,
mechanical, or other technological collection techniques or other forms
of information technology.
Individuals and organizations may submit comments on the
information collection requirements by July 9, 2007. Direct the
comments to the address listed in the ADDRESSES section of this
document. Also, fax a copy of the comments to the Office of Information
and Regulatory Affairs, Office of Management and Budget at 202-395-
6974, Attention: Nathan Lesser, DHS Desk Officer; and send via
electronic mail to [email protected].
A comment to OMB is most effective if OMB receives it within 30
days of publication. DHS will publish the OMB control number for this
information collection in the Federal Register after OMB approves it.
Under the protections provided by the PRA, as amended, an agency
may not conduct or sponsor, and a person is not required to respond to,
a collection of information unless it displays a currently valid OMB
control number.
F. National Environmental Policy Act
In the Advance Notice, the Department reviewed the rulemaking
process with regard to the National Environmental Policy Act (NEPA).
See 71 FR 78276, 78294 (Dec. 28, 2006). Specifically, the Department
considered the short timeframe to issue these interim final regulations
and the statutory mandate, which directed that each chemical facility
develop and implement site security plans, with the proviso that the
facility could select layered security measures to appropriately
address the vulnerability assessment and the risk-based performance
standards for security of the facility. Additionally, Congress mandated
that the Secretary could not disapprove a site security plan based on
the presence or absence of a particular security measure, but only on
the failure to satisfy a risk-based performance standard.
Chemical facilities are of a wide variety of designs and sizes, and
are located in a wide range of geographic settings, communities, and
natural environments. The Department is not funding or directing
specific measures under these regulations, but issuing performance
standards. Consequently, the Department currently has no way to
determine the action the chemical facility will take to meet the
standards, and what effect any action might have on the environment.
Even if the Department could predict the actions the facilities would
take in response to the standards, it is likely facilities would take
widely varying actions to comply, based upon type of facility,
geographic location, existing infrastructure, etc.
We received no comments objecting to this conclusion during the
comment period, and further, no comments on this matter were raised
during the Environmental Organizations Forum the Department hosted on
January 17, 2007. Accordingly, the information needed to conduct an
Environmental Impact Statement is not available at this time and, in
any event, the Department could not reasonably conduct an Environmental
Impact Statement within the six months time allotted for issuance of
the interim final regulations.
List of Subjects in 6 CFR Part 27
Chemical security, Facilities, Reporting and recordkeeping,
Security measures.
The Interim Final Rule
0
For the reasons set forth in the preamble, the Department of Homeland
Security adds Part 27 to Title 6, Code of Federal Regulations, to read
as follows:
Title 6--Department of Homeland Security
Chapter 1--Department of Homeland Security, Office of the Secretary
PART 27--CHEMICAL FACILITY ANTI-TERRORISM STANDARDS
Subpart A--General
Sec.
27.100 Purpose.
27.105 Definitions.
27.110 Applicability.
27.115 Implementation.
27.120 Designation of a coordinating official; Consultations and
technical assistance.
27.125 Severability.
Subpart B--Chemical Facility Security Program
27.200 Information regarding security risk for a chemical facility.
27.205 Determination that a chemical facility ``presents a high
level of security risk.''
27.210 Submissions schedule.
27.215 Security vulnerability assessments.
27.220 Tiering.
27.225 Site security plans.
27.230 Risk-based performance standards.
27.235 Alternative security program.
27.240 Review and approval of security vulnerability assessments.
27.245 Review and approval of site security plans.
27.250 Inspections and audits.
27.255 Recordkeeping requirements.
Subpart C--Orders and Adjudications
27.300 Orders.
27.305 Neutral adjudications.
27.310 Commencement of adjudication proceedings.
27.315 Presiding officers for proceedings.
27.320 Prohibition on ex parte communications during proceedings.
27.325 Burden of proof.
27.330 Summary decision procedures.
27.335 Hearing procedures.
27.340 Completion of adjudication proceedings.
27.345 Appeals.
Subpart D--Other
27.400 Chemical-terrorism vulnerability information.
[[Page 17730]]
27.405 Review and preemption of State laws and regulations.
27.410 Third party actions.
Appendix A to Part 27--DHS Chemicals of Interest
Authority: Pub. L. 109-295, sec. 550.
Subpart A--General
Sec. 27.100 Purpose.
The purpose of this Part is to enhance the security of our Nation
by furthering the mission of the Department as provided in 6 U.S.C.
Sec. 111(b)(1) and by lowering the risk posed by certain chemical
facilities.
Sec. 27.105 Definitions.
As used in this part:
Alternative Security Program or ASP shall mean a third-party or
industry organization program, a local authority, state or Federal
government program or any element or aspect thereof, that the Assistant
Secretary has determined meets the requirements of this Part and
provides for an equivalent level of security to that established by
this Part.
Assistant Secretary shall mean the Assistant Secretary for
Infrastructure Protection, Department of Homeland Security or his
designee.
Chemical Facility or facility shall mean any establishment that
possesses or plans to possess, at any relevant point in time, a
quantity of a chemical substance determined by the Secretary to be
potentially dangerous or that meets other risk-related criteria
identified by the Department. As used herein, the term chemical
facility or facility shall also refer to the owner or operator of the
chemical facility. Where multiple owners and/or operators function
within a common infrastructure or within a single fenced area, the
Assistant Secretary may determine that such owners and/or operators
constitute a single chemical facility or multiple chemical facilities
depending on the circumstances.
Chemical Security Assessment Tool or CSAT shall mean a suite of
four applications, including User Registration, Top-Screen, Security
Vulnerability Assessment, and Site Security Plan, through which the
Department will collect and analyze key data from chemical facilities.
Chemical-terrorism Vulnerability Information or CVI shall mean the
information listed in Sec. 27.400(b).
Coordinating Official shall mean the person (or his designee(s))
selected by the Assistant Secretary to ensure that the regulations are
implemented in a uniform, impartial, and fair manner.
Covered Facility or Covered Chemical Facility shall mean a chemical
facility determined by the Assistant Secretary to present high levels
of security risk, or a facility that the Assistant Secretary has
determined is presumptively high risk under Sec. 27.200.
Department shall mean the Department of Homeland Security.
Deputy Secretary shall mean the Deputy Secretary of the Department
of Homeland Security or his designee.
Director of the Chemical Security Division or Director shall mean
the Director of the Chemical Security Division, Office of
Infrastructure Protection, Department of Homeland Security or any
successors to that position within the Department or his designee.
General Counsel shall mean the General Counsel of the Department of
Homeland Security or his designee.
Operator shall mean a person who has responsibility for the daily
operations of a facility or facilities subject to this Part.
Owner shall mean the person or entity that owns any facility
subject to this Part.
Present high levels of security risk and high risk shall refer to a
chemical facility that, in the discretion of the Secretary of Homeland
Security, presents a high risk of significant adverse consequences for
human life or health, national security and/or critical economic assets
if subjected to terrorist attack, compromise, infiltration, or
exploitation.
Risk profiles shall mean criteria identified by the Assistant
Secretary for determining which chemical facilities will complete the
Top-Screen or provide other risk assessment information.
Screening Threshold Quantity or STQ shall mean the quantity of a
chemical of interest, upon which the facility's obligation to complete
and submit the CSAT Top-Screen is based.
Secretary or Secretary of Homeland Security shall mean the
Secretary of the Department of Homeland Security or any person, officer
or entity within the Department to whom the Secretary's authority under
Section 550 is delegated.
Terrorist attack or terrorist incident shall mean any incident or
attempt that constitutes terrorism or terrorist activity under 6 U.S.C.
101(15) or 18 U.S.C. 2331(5) or 8 U.S.C. 1182(a)(3)(B)(iii), including
any incident or attempt that involves or would involve sabotage of
chemical facilities or theft, misappropriation or misuse of a dangerous
quantity of chemicals.
Tier shall mean the risk level associated with a covered chemical
facility and which is assigned to a facility by the Department. For
purposes of this part, there are four risk-based tiers, ranging from
highest risk at Tier 1 to lowest risk at Tier 4.
Top-Screen shall mean an initial screening process designed by the
Assistant Secretary through which chemical facilities provide
information to the Department for use pursuant to Sec. 27.200 of these
regulations.
Under Secretary shall mean the Under Secretary for National
Protection and Programs, Department of Homeland Security or any
successors to that position within the Department or his designee.
Sec. 27.110 Applicability.
(a) This Part applies to chemical facilities and to covered
facilities as set out herein.
(b) This Part does not apply to facilities regulated pursuant to
the Maritime Transportation Security Act of 2002, Pub. L. 107-295, as
amended; Public Water Systems, as defined by Section 1401 of the Safe
Drinking Water Act, Pub. L. 93-523, as amended; Treatment Works as
defined in Section 212 of the Federal Water Pollution Control Act, Pub.
L. 92-500, as amended; any facility owned or operated by the Department
of Defense or the Department of Energy, or any facility subject to
regulation by the Nuclear Regulatory Commission.
Sec. 27.115 Implementation.
The Assistant Secretary may implement the Section 550 program in a
phased manner, selecting certain chemical facilities for expedited
initial processes under these regulations and identifying other
chemical facilities or types or classes of chemical facilities for
other phases of program implementation. The Assistant Secretary has
flexibility to designate particular chemical facilities for specific
phases of program implementation based on potential risk or any other
factor consistent with this Part.
Sec. 27.120 Designation of a coordinating official; Consultations and
technical assistance.
(a) The Assistant Secretary will designate a Coordinating Official
who will be responsible for ensuring that these regulations are
implemented in a uniform, impartial, and fair manner.
(b) The Coordinating Official and his staff shall provide guidance
to covered facilities regarding compliance with this Part and shall, as
necessary and to the extent that resources permit, be available to
consult and to provide technical assistance to an owner or operator who
seeks such consultation or assistance.
(c) In order to initiate consultations or seek technical
assistance, a covered
[[Page 17731]]
facility shall submit a written request for consultation or technical
assistance to the Coordinating Official or contact the Department in
any other manner specified in any subsequent guidance. Requests for
consultation or technical guidance do not serve to toll any of the
applicable timelines set forth in this Part.
(d) If a covered facility modifies its facility, processes, or the
types or quantities of materials that it possesses, and believes that
such changes may impact the covered facility's obligations under this
Part, the covered facility may request a consultation with the
Coordinating Official as specified in paragraph (c).
Sec. 27.125 Severability.
If a court finds any portion of this Part to have been promulgated
without proper authority, the remainder of this Part will remain in
full effect.
Subpart B--Chemical Facility Security Program
Sec. 27.200 Information regarding security risk for a chemical
facility.
(a) Information to determine security risk. In order to determine
the security risk posed by chemical facilities, the Secretary may, at
any time, request information from chemical facilities that may reflect
potential consequences of or vulnerabilities to a terrorist attack or
incident, including questions specifically related to the nature of the
business and activities conducted at the facility; information
concerning the names, nature, conditions of storage, quantities,
volumes, properties, customers, major uses, and other pertinent
information about specific chemicals or chemicals meeting a specific
criterion; information concerning facilities' security, safety, and
emergency response practices, operations, and procedures; information
regarding incidents, history, funding, and other matters bearing on the
effectiveness of the security, safety and emergency response programs,
and other information as necessary.
(b) Obtaining information from facilities. (1) The Assistant
Secretary may seek the information provided in paragraph (a) of this
section by contacting chemical facilities individually or by publishing
a notice in the Federal Register seeking information from chemical
facilities that meet certain criteria, which the Department will use to
determine risk profiles. Through any such individual or Federal
Register notification, the Assistant Secretary may instruct such
facilities to complete and submit a Top-Screen process, which may be
completed through a secure Department Web site or through other means
approved by the Assistant Secretary.
(2) A facility must complete and submit a Top-Screen in accordance
with the schedule provided in Sec. 27.210 if it possesses any of the
chemicals listed in Appendix A to this part at the corresponding
Screening Threshold Quantities.
(3) Where the Department requests that a facility complete and
submit a Top-Screen, the facility must designate a person who is
responsible for the submission of information through the CSAT system
and who attests to the accuracy of the information contained in any
CSAT submissions. Such submitter must be an officer of the corporation
or other person designated by an officer of the corporation and must be
domiciled in the United States.
(c) Presumptively High Risk Facilities. (1) If a chemical facility
subject to paragraph (a) or (b) of this section fails to provide
information requested or complete the Top-Screen within the timeframe
provided in Sec. 27.210, the Assistant Secretary may, after attempting
to consult with the facility, reach a preliminary determination, based
on the information then available, that the facility presumptively
presents a high level of security risk. The Assistant Secretary shall
then issue a notice to the entity of this determination and, if
necessary, order the facility to provide information or complete the
Top-Screen pursuant to these rules. If the facility then fails to do
so, it may be subject to civil penalties pursuant to Sec. 27.300,
audit and inspection under Sec. 27.250 or, if appropriate, an order to
cease operations under Sec. 27.300.
(2) If the facility deemed ``presumptively high risk'' pursuant to
paragraph (c)(1) of this section completes the Top-Screen, and the
Department determines that it does not present a high level of security
risk under Sec. 27.205, its status as ``presumptively high risk'' will
terminate, and the Department will issue a notice to the facility to
that effect.
Sec. 27.205 Determination that a chemical facility ``presents a high
level of security risk.''
(a) Initial Determination. The Assistant Secretary may determine at
any time that a chemical facility presents a high level of security
risk based on any information available (including any information
submitted to the Department under Sec. 27.200) that, in the
Secretary's discretion, indicates the potential that a terrorist attack
involving the facility could result in significant adverse consequences
for human life or health, national security or critical economic
assets. Upon determining that a facility presents a high level of
security risk, the Department shall notify the facility in writing of
such initial determination and may also notify the facility of the
Department's preliminary determination of the facility's placement in a
risk-based tier pursuant to Sec. 27.220(a).
(b) Redetermination. If a covered facility previously determined to
present a high level of security risk has materially altered its
operations, it may seek a redetermination by filing a Request for
Redetermination with the Assistant Secretary, and may request a meeting
regarding the Request. Within 45 calendar days of receipt of such a
Request, or within 45 calendar days of a meeting under this paragraph,
the Assistant Secretary shall notify the covered facility in writing of
the Department's decision on the Request for Redetermination.
Sec. 27.210 Submissions schedule.
(a) Initial Submission. The timeframes in paragraphs (a)(2) and
(a)(3) of this section also apply to covered facilities that submit an
Alternative Security Program pursuant to Sec. 27.235.
(1) Top-Screen. Facilities shall complete and submit a Top-Screen
within the following time frames:
(i) This paragraph is operative on the date that the Department
publishes a final Appendix A. Unless otherwise notified, within 60
calendar days of the effective date of Appendix A for facilities that
possess any of the chemicals listed in Appendix A at the corresponding
STQs, or within 60 calendar days for facilities that come into
possession of any of the chemicals listed in Appendix A at the
corresponding STQs; or
(ii) Within the time frame provided in any written notification
from the Department or specified in any subsequent Federal Register
notice.
(2) Security Vulnerability Assessment. Unless otherwise notified, a
covered facility must complete and submit a Security Vulnerability
Assessment within 90 calendar days of written notification from the
Department or within the time frame specified in any subsequent Federal
Register notice.
(3) Site Security Plan. Unless otherwise notified, a covered
facility must complete and submit a Site Security Plan within 120
calendar days of written notification from the Department or within the
time frame specified in any subsequent Federal Register notice.
[[Page 17732]]
(b) Resubmission Schedule for Covered Facilities. The timeframes in
this subsection also apply to covered facilities who submit an
Alternative Security Program pursuant to Sec. 27.235.
(1) Top-Screen. Unless otherwise notified, Tier 1 and Tier 2
covered facilities must complete and submit a new Top-Screen no less
than two years, and no more than two years and 60 calendar days, from
the date of the Department's approval of the facility's Site Security
Plan; and Tier 3 and Tier 4 covered facilities must complete and submit
a Top-Screen no less than 3 years, and no more than 3 years and 60
calendar days, from the date of the Department's approval of the
facility's Site Security Plan.
(2) Security Vulnerability Assessment. Unless otherwise notified
and following a Top-Screen resubmission pursuant to paragraph (b)(1) of
this section, a covered facility must complete and submit a new
Security Vulnerability Assessment within 90 calendar days of written
notification from the Department or within the time frame specified in
any subsequent Federal Register notice.
(3) Site Security Plan. Unless otherwise notified and following a
Security Vulnerability Assessment resubmission pursuant to paragraph
(b)(2) of this section , a covered facility must complete and submit a
new Site Security Plan within 120 calendar days of written notification
from the Department or within the time frame specified in any
subsequent Federal Register notice.
(c) The Assistant Secretary retains the authority to modify the
schedule in this Part as needed. The Assistant Secretary may shorten or
extend these time periods based on the operations at the facility, the
nature of the covered facility's vulnerabilities, the level and
immediacy of security risk, or for other reasons. If the Department
alters the time periods for a specific facility, the Department will do
so in written notice to the facility.
(d) If a covered facility makes material modifications to its
operations or site, the covered facility must complete and submit a
revised Top-Screen to the Department within 60 days of the material
modification. In accordance with the resubmission requirements in Sec.
27.210(b)(2) and (3), the Department will notify the covered facility
as to whether the covered facility must submit a revised Security
Vulnerability Assessment, Site Security Plan, or both.
Sec. 27.215 Security vulnerability assessments.
(a) Initial Assessment. If the Assistant Secretary determines that
a chemical facility is high-risk, the facility must complete a Security
Vulnerability Assessment. A Security Vulnerability Assessment shall
include:
(1) Asset Characterization, which includes the identification and
characterization of potential critical assets; identification of
hazards and consequences of concern for the facility, its surroundings,
its identified critical asset(s), and its supporting infrastructure;
and identification of existing layers of protection;
(2) Threat Assessment, which includes a description of possible
internal threats, external threats, and internally-assisted threats;
(3) Security Vulnerability Analysis, which includes the
identification of potential security vulnerabilities and the
identification of existing countermeasures and their level of
effectiveness in both reducing identified vulnerabilities and in
meeting the applicable Risk-Based Performance Standards;
(4) Risk Assessment, including a determination of the relative
degree of risk to the facility in terms of the expected effect on each
critical asset and the likelihood of a success of an attack; and
(5) Countermeasures Analysis, including strategies that reduce the
probability of a successful attack or reduce the probable degree of
success, strategies that enhance the degree of risk reduction, the
reliability and maintainability of the options, the capabilities and
effectiveness of mitigation options, and the feasibility of the
options.
(b) Except as provided in Sec. 27.235, a covered facility must
complete the Security Vulnerability Assessment through the CSAT
process, or through any other methodology or process identified or
issued by the Assistant Secretary.
(c) Covered facilities must submit a Security Vulnerability
Assessment to the Department in accordance with the schedule provided
in Sec. 27.210.
(d) Updates and Revisions. (1) A covered facility must update and
revise its Security Vulnerability Assessment in accordance with the
schedule provided in Sec. 27.210.
(2) Notwithstanding paragraph (d)(1) of this section, a covered
facility must update, revise or otherwise alter its Security
Vulnerability Assessment to account for new or differing modes of
potential terrorist attack or for other security-related reasons, if
requested by the Assistant Secretary.
Sec. 27.220 Tiering.
(a) Preliminary Determination of Risk-Based Tiering. Based on the
information the Department receives in accordance with Sec. Sec.
27.200 and 27.205 (including information submitted through the Top-
Screen process) and following its initial determination in Sec.
27.205(a) that a facility presents a high level of security risk, the
Department shall notify a facility of the Department's preliminary
determination of the facility's placement in a risk-based tier.
(b) Confirmation or Alteration of Risk-Based Tiering. Following
review of a covered facility's Security Vulnerability Assessment, the
Assistant Secretary shall notify the covered facility of its final
placement within a risk-based tier, or for covered facilities
previously notified of a preliminary tiering, confirm or alter such
tiering.
(c) The Department shall place covered facilities in one of four
risk-based tiers, ranging from highest risk facilities in Tier 1 to
lowest risk facilities in Tier 4.
(d) The Assistant Secretary may provide the facility with guidance
regarding the risk-based performance standards and any other necessary
guidance materials applicable to its assigned tier.
Sec. 27.225 Site security plans.
(a) The Site Security Plan must meet the following standards:
(1) Address each vulnerability identified in the facility's
Security Vulnerability Assessment, and identify and describe the
security measures to address each such vulnerability;
(2) Identify and describe how security measures selected by the
facility will address the applicable risk-based performance standards
and potential modes of terrorist attack including, as applicable,
vehicle-borne explosive devices, water-borne explosive devices, ground
assault, or other modes or potential modes identified by the
Department;
(3) Identify and describe how security measures selected and
utilized by the facility will meet or exceed each applicable
performance standard for the appropriate risk-based tier for the
facility; and
(4) Specify other information the Assistant Secretary deems
necessary regarding chemical facility security.
(b) Except as provided in Sec. 27.235, a covered facility must
complete the Site Security Plan through the CSAT process, or through
any other
[[Page 17733]]
methodology or process identified or issued by the Assistant Secretary.
(c) Covered facilities must submit a Site Security Plan to the
Department in accordance with the schedule provided in Sec. 27.210.
(d) Updates and Revisions. (1) When a covered facility updates,
revises or otherwise alters its Security Vulnerability Assessment
pursuant to Sec. 27.215(d), the covered facility shall make
corresponding changes to its Site Security Plan.
(2) A covered facility must also update and revise its Site
Security Plan in accordance with the schedule in Sec. 27.210.
(e) A covered facility must conduct an annual audit of its
compliance with its Site Security Plan.
Sec. 27.230 Risk-based performance standards.
(a) Covered facilities must satisfy the performance standards
identified in this section. The Assistant Secretary will issue guidance
on the application of these standards to risk-based tiers of covered
facilities, and the acceptable layering of measures used to meet these
standards will vary by risk-based tier. Each covered facility must
select, develop in their Site Security Plan, and implement
appropriately risk-based measures designed to satisfy the following
performance standards:
(1) Restrict Area Perimeter. Secure and monitor the perimeter of
the facility;
(2) Secure Site Assets. Secure and monitor restricted areas or
potentially critical targets within the facility;
(3) Screen and Control Access. Control access to the facility and
to restricted areas within the facility by screening and/or inspecting
individuals and vehicles as they enter, including,
(i) Measures to deter the unauthorized introduction of dangerous
substances and devices that may facilitate an attack or actions having
serious negative consequences for the population surrounding the
facility; and
(ii) Measures implementing a regularly updated identification
system that checks the identification of facility personnel and other
persons seeking access to the facility and that discourages abuse
through established disciplinary measures;
(4) Deter, Detect, and Delay. Deter, detect, and delay an attack,
creating sufficient time between detection of an attack and the point
at which the attack becomes successful, including measures to:
(i) Deter vehicles from penetrating the facility perimeter, gaining
unauthorized access to restricted areas or otherwise presenting a
hazard to potentially critical targets;
(ii) Deter attacks through visible, professional, well maintained
security measures and systems, including security personnel, detection
systems, barriers and barricades, and hardened or reduced value
targets;
(iii) Detect attacks at early stages, through countersurveillance,
frustration of opportunity to observe potential targets, surveillance
and sensing systems, and barriers and barricades; and
(iv) Delay an attack for a sufficient period of time so to allow
appropriate response through on-site security response, barriers and
barricades, hardened targets, and well-coordinated response planning;
(5) Shipping, Receipt, and Storage. Secure and monitor the
shipping, receipt, and storage of hazardous materials for the facility;
(6) Theft and Diversion. Deter theft or diversion of potentially
dangerous chemicals;
(7) Sabotage. Deter insider sabotage;
(8) Cyber. Deter cyber sabotage, including by preventing
unauthorized onsite or remote access to critical process controls, such
as Supervisory Control and Data Acquisition (SCADA) systems,
Distributed Control Systems (DCS), Process Control Systems (PCS),
Industrial Control Systems (ICS), critical business system, and other
sensitive computerized systems;
(9) Response. Develop and exercise an emergency plan to respond to
security incidents internally and with assistance of local law
enforcement and first responders;
(10) Monitoring. Maintain effective monitoring, communications and
warning systems, including,
(i) Measures designed to ensure that security systems and equipment
are in good working order and inspected, tested, calibrated, and
otherwise maintained;
(ii) Measures designed to regularly test security systems, note
deficiencies, correct for detected deficiencies, and record results so
that they are available for inspection by the Department; and
(iii) Measures to allow the facility to promptly identify and
respond to security system and equipment failures or malfunctions;
(11) Training. Ensure proper security training, exercises, and
drills of facility personnel;
(12) Personnel Surety. Perform appropriate background checks on and
ensure appropriate credentials for facility personnel, and as
appropriate, for unescorted visitors with access to restricted areas or
critical assets, including,
(i) Measures designed to verify and validate identity;
(ii) Measures designed to check criminal history;
(iii) Measures designed to verify and validate legal authorization
to work; and
(iv) Measures designed to identify people with terrorist ties;
(13) Elevated Threats. Escalate the level of protective measures
for periods of elevated threat;
(14) Specific Threats, Vulnerabilities, or Risks. Address specific
threats, vulnerabilities or risks identified by the Assistant Secretary
for the particular facility at issue;
(15) Reporting of Significant Security Incidents. Report
significant security incidents to the Department and to local law
enforcement officials;
(16) Significant Security Incidents and Suspicious Activities.
Identify, investigate, report, and maintain records of significant
security incidents and suspicious activities in or near the site;
(17) Officials and Organization. Establish official(s) and an
organization responsible for security and for compliance with these
standards;
(18) Records. Maintain appropriate records; and
(19) Address any additional performance standards the Assistant
Secretary may specify.
(b) [Reserved]
Sec. 27.235 Alternative security program.
(a) Covered facilities may submit an Alternate Security Program
(ASP) pursuant to the requirements of this section. The Assistant
Secretary may approve an Alternate Security Program, in whole, in part,
or subject to revisions or supplements, upon a determination that the
Alternate Security Program meets the requirements of this Part and
provides for an equivalent level of security to that established by
this Part.
(1) A Tier 4 facility may submit an ASP in lieu of a Security
Vulnerability Assessment, Site Security Plan, or both.
(2) Tier 1, Tier 2, or Tier 3 facilities may submit an ASP in lieu
of a Site Security Plan. Tier 1, Tier 2, and Tier 3 facilities may not
submit an ASP in lieu of a Security Vulnerability Assessment.
(b) The Department will provide notice to a covered facility about
the approval or disapproval, in whole or in part, of an ASP, using the
procedure specified in Sec. 27.240 if the ASP is intended to take the
place of a Security Vulnerability Assessment or using the procedure
specified in Sec. 27.245 if the ASP is intended to take the place of a
Site Security Plan.
[[Page 17734]]
Sec. 27.240 Review and approval of security vulnerability
assessments.
(a) Review and Approval. The Department will review and approve in
writing all Security Vulnerability Assessments that satisfy the
requirements of Sec. 27.215, including Alternative Security Programs
submitted pursuant to Sec. 27.235.
(b) If a Security Vulnerability Assessment does not satisfy the
requirements of Sec. 27.215, the Department will provide the facility
with a written notification that includes a clear explanation of
deficiencies in the Security Vulnerability Assessment. The facility
shall then enter further consultations with the Department and resubmit
a sufficient Security Vulnerability Assessment by the time specified in
the written notification provided by the Department under this section.
If the resubmitted Security Vulnerability Assessment does not satisfy
the requirements of Sec. 27.215, the Department will provide the
facility with written notification (including a clear explanation of
deficiencies in the SVA) of the Department's disapproval of the SVA.
Sec. 27.245 Review and approval of site security plans.
(a) Review and Approval. (1) The Department will review and approve
or disapprove all Site Security Plans that satisfy the requirements of
Sec. 27.225, including Alternative Security Programs submitted
pursuant to Sec. 27.235.
(i) The Department will review Site Security Plans through a two-
step process. Upon receipt of Site Security Plan from the covered
facility, the Department will review the documentation and make a
preliminary determination as to whether it satisfies the requirements
of Sec. 27.225. If the Department finds that the requirements are
satisfied, the Department will issue a Letter of Authorization to the
covered facility.
(ii) Following issuance of the Letter of Authorization, the
Department will inspect the covered facility in accordance with Sec.
27.250 for purposes of determining compliance with the requirements of
this Part.
(iii) If the Department approves the Site Security Plan in
accordance with Sec. 27.250, the Department will issue a Letter of
Approval to the facility, and the facility shall implement the approved
Site Security Plan.
(2) The Department will not disapprove a Site Security Plan
submitted under this Part based on the presence or absence of a
particular security measure. The Department may disapprove a Site
Security Plan that fails to satisfy the risk-based performance
standards established in Sec. 27.230.
(b) When the Department disapproves a preliminary Site Security
Plan issued prior to inspection or a Site Security Plan following
inspection, the Department will provide the facility with a written
notification that includes a clear explanation of deficiencies in the
Site Security Plan. The facility shall then enter further consultations
with the Department and resubmit a sufficient Site Security Plan by the
time specified in the written notification provided by the Department
under this section. If the resubmitted Site Security Plan does not
satisfy the requirements of Sec. 27.225, the Department will provide
the facility with written notification (including a clear explanation
of deficiencies in the SSP) of the Department's disapproval of the SSP.
Sec. 27.250 Inspections and audits.
(a) Authority. In order to assess compliance with the requirements
of this Part, authorized Department officials may enter, inspect, and
audit the property, equipment, operations, and records of covered
facilities.
(b) Following preliminary approval of a Site Security Plan in
accordance with Sec. 27.245, the Department will inspect the covered
facility for purposes of determining compliance with the requirements
of this Part.
(1) If after the inspection, the Department determines that the
requirements of Sec. 27.225 have been met, the Department will issue a
Letter of Approval to the covered facility.
(2) If after the inspection, the Department determines that the
requirements of Sec. 27.225 have not been met, the Department will
proceed as directed by Sec. 27.245(b) in ``Review and Approval of Site
Security Plans.''
(c) Time and Manner. Authorized Department officials will conduct
audits and inspections at reasonable times and in a reasonable manner.
The Department will provide covered facility owners and/or operators
with 24-hour advance notice before inspections, except
(1) If the Under Secretary or Assistant Secretary determines that
an inspection without such notice is warranted by exigent circumstances
and approves such inspection; or
(2) If any delay in conducting an inspection might be seriously
detrimental to security, and the Director of the Chemical Security
Division determines that an inspection without notice is warranted, and
approves an inspector to conduct such inspection.
(d) Inspectors. Inspections and audits are conducted by personnel
duly authorized and designated for that purpose as ``inspectors'' by
the Secretary or the Secretary's designee.
(1) An inspector will, on request, present his or her credentials
for examination, but the credentials may not be reproduced by the
facility.
(2) An inspector may administer oaths and receive affirmations,
with the consent of any witness, in any matter.
(3) An inspector may gather information by reasonable means
including, but not limited to, interviews, statements, photocopying,
photography, and video- and audio-recording. All documents, objects and
electronically stored information collected by each inspector during
the performance of that inspector's duties shall be maintained for a
reasonable period of time in the files of the Department of Homeland
Security maintained for that facility or matter.
(4) An inspector may request forthwith access to all records
required to be kept pursuant to Sec. 27.255. An inspector shall be
provided with the immediate use of any photocopier or other equipment
necessary to copy any such record. If copies can not be provided
immediately upon request, the inspector shall be permitted immediately
to take the original records for duplication and prompt return.
(e) Confidentiality. In addition to the protections provided under
CVI in Sec. 27.400, information received in an audit or inspection
under this section, including the identity of the persons involved in
the inspection or who provide information during the inspection, shall
remain confidential under the investigatory file exception, or other
appropriate exception, to the public disclosure requirements of 5
U.S.C. 552.
(f) Guidance. The Assistant Secretary shall issue guidance
identifying appropriate processes for such inspections, and specifying
the type and nature of documentation that must be made available for
review during inspections and audits.
Sec. 27.255 Recordkeeping requirements.
(a) Except as provided in Sec. 27.255(b), the covered facility
must keep records of the activities as set out below for at least three
years and make them available to the Department upon request. A covered
facility must keep the following records:
(1) Training. For training, the date and location of each session,
time of day and duration of session, a description of the training, the
name and qualifications of the instructor, a clear, legible list of
attendees to include the attendee signature, at least one other unique
identifier of each attendee receiving the
[[Page 17735]]
training, and the results of any evaluation or testing.
(2) Drills and exercises. For each drill or exercise, the date
held, a description of the drill or exercise, a list of participants, a
list of equipment (other than personal equipment) tested or employed in
the exercise, the name(s) and qualifications of the exercise director,
and any best practices or lessons learned which may improve the Site
Security Plan;
(3) Incidents and breaches of security. Date and time of
occurrence, location within the facility, a description of the incident
or breach, the identity of the individual to whom it was reported, and
a description of the response;
(4) Maintenance, calibration, and testing of security equipment.
The date and time, name and qualifications of the technician(s) doing
the work, and the specific security equipment involved for each
occurrence of maintenance, calibration, and testing;
(5) Security threats. Date and time of occurrence, how the threat
was communicated, who received or identified the threat, a description
of the threat, to whom it was reported, and a description of the
response;
(6) Audits. For each audit of a covered facility's Site Security
Plan (including each audit required under Sec. 27.225(e)) or Security
Vulnerability Assessment, a record of the audit, including the date of
the audit, results of the audit, name(s) of the person(s) who conducted
the audit, and a letter certified by the covered facility stating the
date the audit was conducted.
(7) Letters of Authorization and Approval. All Letters of
Authorization and Approval from the Department, and documentation
identifying the results of audits and inspections conducted pursuant to
Sec. 27.250.
(b) A covered facility must retain records of submitted Top-
Screens, Security Vulnerability Assessments, Site Security Plans, and
all related correspondence with the Department for at least six years
and make them available to the Department upon request.
(c) To the extent necessary for security purposes, the Department
may request that a covered facility make available records kept
pursuant to other Federal programs or regulations.
(d) Records required by this section may be kept in electronic
format. If kept in an electronic format, they must be protected against
unauthorized access, deletion, destruction, amendment, and disclosure.
Subpart C--Orders and Adjudications
Sec. 27.300 Orders.
(a) Orders Generally. When the Assistant Secretary determines that
a facility is in violation of any of the requirements of this Part, the
Assistant Secretary may take appropriate action including the issuance
of an appropriate Order.
(b) Orders Assessing Civil Penalty and Orders to Cease Operations.
(1) Where the Assistant Secretary determines that a facility is in
violation of an Order issued pursuant to paragraph (a) of this section,
the Assistant may enter an Order Assessing Civil Penalty, Order to
Cease Operations, or both.
(2) Following the issuance of an Order by the Assistant Secretary
pursuant to paragraph (b)(1) of this section, the facility may enter
further consultations with Department.
(3) Where the Assistant Secretary determines that a facility is in
violation of an Order issued pursuant to paragraph (a) of this section
and issues an Order Assessing Civil Penalty pursuant to paragraph
(b)(1) of this section, a chemical facility is liable to the United
States for a civil penalty of not more than $25,000 for each day during
which the violation continues.
(c) Procedures for Orders. (1) At a minimum, an Order shall be
signed by the Assistant Secretary, shall be dated, and shall include:
(i) The name and address of the facility in question;
(ii) A listing of the provision(s) that the facility is alleged to
have violated;
(iii) A statement of facts upon which the alleged instances of
noncompliance are based;
(iv) A clear explanation of deficiencies in the facility's chemical
security program, including, if applicable, any deficiencies in the
facility's Security Vulnerability Assessment, Site Security Plan, or
both; and
(v) A statement, indicating what action(s) the chemical must take
to remedy the instance(s) of noncompliance; and
(vi) The date by which the facility must comply with the terms of
the Order.
(2) The Assistant Secretary may establish procedures for the
issuance of Orders.
(d) A facility must comply with the terms of the Order by the date
specified in the Order unless the facility has filed a timely Notice
for Application for Review under Sec. 27.310.
(e) Where a facility or other person contests the determination of
the Assistant Secretary to issue an Order, a chemical facility may seek
an adjudication pursuant to Sec. 27.310.
(f) An Order issued under this section becomes final agency action
when the time to file a Notice of Application of Review under Sec.
27.310 has passed without such a filing or upon the conclusion of
adjudication or appeal proceedings under this subpart.
Sec. 27.305 Neutral adjudications.
(a) Any facility or other person who has received a Finding
pursuant to Sec. 27.230(a)(12)(iv), a Determination pursuant to Sec.
27.245(b), or an Order pursuant to Sec. 27.300 is entitled to an
adjudication, by a neutral adjudications officer, of any issue of
material fact relevant to any administrative action which deprives that
person of a cognizable interest in liberty or property.
(b) A neutral adjudications officer appointed pursuant to Sec.
27.315 shall issue an Initial Decision on any material factual issue
related to a Finding pursuant to Sec. 27.230(a)(12)(iv), a
Determination pursuant to Sec. 27.245, or an Order pursuant to Sec.
27.300 before any such administrative action is reviewed on appeal
pursuant to Sec. 27.345.
Sec. 27.310 Commencement of adjudication proceedings.
(a) Proceedings Instituted by Facilities or other Persons. A
facility or other person may institute proceedings to review a
determination by the Assistant Secretary:
(1) Finding, pursuant to the Sec. 27.230(a)(12)(iv), that an
individual is a potential security threat;
(2) Disapproving a Site Security Plan pursuant to Sec. 27.245(b);
or
(3) Issuing an Order pursuant to Sec. 27.300(a) or (b).
(b) Procedure for Applications by Facilities or other Persons. A
facility or other person may institute Proceedings by filing a Notice
of Application for Review specifying that the facility or other person
requests a Proceeding to review a determination specified in paragraph
(a) of this section.
(1) An Applicant institutes a Proceeding by filing a Notice of
Application for Review with the office of the Department hereinafter
designated by the Secretary.
(2) An Applicant must file a Notice of Application for Review
within seven calendar days of notification to the facility or other
person of the Assistant Secretary's Finding, Determination, or Order.
(3) The Applicant shall file and simultaneously serve each Notice
of Application for Review and all
[[Page 17736]]
subsequent filings on the Assistant Secretary and the General Counsel.
(4) An Order is stayed from the timely filing of a Notice of
Application for Review until the Presiding Officer issues an Initial
Decision, unless the Secretary has lifted the stay due to exigent
circumstances pursuant to paragraph (d) of this section.
(5) The Applicant shall file and serve an Application for Review
within fourteen calendar days of the notification to the facility or
other person of the Assistant Secretary's Finding, Determination, or
Order.
(6) Each Application for Review shall be accompanied by all legal
memoranda, other documents, declarations, affidavits, and other
evidence supporting the position asserted by the Applicant.
(c) Response. The Assistant Secretary, through the Office of
General Counsel, shall file and serve a Response, accompanied by all
legal memoranda, other documents, declarations, affidavits and other
evidence supporting the position asserted by the Assistant Secretary
within fourteen calendar days of the filing and service of the
Application for Review and all supporting papers.
(d) Procedural Modifications. The Secretary may, in exigent
circumstances (as determined in his sole discretion):
(1) Lift any stay applicable to any Order under Sec. 27.300;
(2) Modify the time for a response;
(3) Rule on the sufficiency of Applications for Review; or
(4) Otherwise modify these procedures with respect to particular
matters.
Sec. 27.315 Presiding officers for proceedings.
(a) Immediately upon the filing of any Application for Review, the
Secretary shall appoint an attorney, who is employed by the Department
and who has not performed any investigative or prosecutorial function
with respect to the matter, to act as a neutral adjudications officer
or Presiding Officer for the compilation of a factual record and the
recommendation of an Initial Decision for each Proceeding.
(b) Notwithstanding paragraph (a) of this section, the Secretary
may appoint one or more attorneys who are employed by the Department
and who do not perform any investigative or prosecutorial function with
respect to this subpart, to serve generally in the capacity as
Presiding Officer(s) for such matters pursuant to such procedures as
the Secretary may hereafter establish.
Sec. 27.320 Prohibition on ex parte communications during
proceedings.
(a) At no time after the designation of a Presiding Officer for a
Proceeding and prior to the issuance of a Final Decision pursuant to
Sec. 27.345 with respect to a facility or other person, shall the
appointed Presiding Officer, or any person who will advise that
official in the decision on the matter, discuss ex parte the merits of
the proceeding with any interested person outside the Department, with
any Department official who performs a prosecutorial or investigative
function in such proceeding or a factually related proceeding, or with
any representative of such person.
(b) If, after appointment of a Presiding Officer and prior to the
issuance of a Final Decision pursuant to Sec. 27.345 with respect to a
facility or other person, the appointed Presiding Officer, or any
person who will advise that official in the decision on the matter,
receives from or on behalf of any party, by means of an ex parte
communication, information which is relevant to the decision of the
matter and to which other parties have not had an opportunity to
respond, a summary of such information shall be served on all other
parties, who shall have an opportunity to reply to the ex parte
communication within a time set by the Presiding Officer.
(c) The consideration of classified information or CVI pursuant to
an in camera procedure does not constitute a prohibited ex parte
communication for purposes of this subpart.
Sec. 27.325 Burden of proof.
The Assistant Secretary bears the initial burden of proving the
facts necessary to support the challenged administrative action at
every proceeding instituted under this subpart.
Sec. 27.330 Summary decision procedures.
(a) The Presiding Officer appointed for each Proceeding shall
immediately consider whether the summary adjudication of the
Application for Review is appropriate based on the Application for
Review, the Response, and all the supporting filings of the parties
pursuant to Sec. Sec. 27.310(b)(5) and 27.310(c).
(1) The Presiding Officer shall promptly issue any necessary
scheduling order for any additional briefing of the issue of summary
adjudication on the Application for Review and Response.
(2) The Presiding Officer may conduct scheduling conferences and
other proceedings that the Presiding Officer determines to be
appropriate.
(b) If the Presiding Officer determines that there is no genuine
issue of material fact and that one party or the other is entitled to
decision as a matter of law, then the record shall be closed and the
Presiding Officer shall issue an Initial Decision on the Application
for Review pursuant to Sec. 27.340.
(c) If a Presiding Officer determines that any factual issues
require the cross-examination of one or more witnesses or other
proceedings at a hearing, the Presiding Officer, in consultation with
the parties, shall promptly schedule a hearing to be conducted pursuant
to Sec. 27.335.
Sec. 27.335 Hearing procedures.
(a) Any hearing shall be held as expeditiously as possible at the
location most conducive to a prompt presentation of any necessary
testimony or other proceedings.
(1) Videoconferencing and teleconferencing may be used where
appropriate at the discretion of the Presiding Officer.
(2) Each party offering the affirmative testimony of a witness
shall present that testimony by declaration, affidavit, or other sworn
statement submitted in advance as ordered by the Presiding Officer.
(3) Any witness presented for further examination shall be asked to
testify under an oath or affirmation.
(4) The hearing shall be recorded verbatim.
(b)(1) A facility or other person may appear and be heard on his
own behalf or through any counsel of his choice who is qualified to
possess CVI.
(2) A facility of other person individually, or through counsel,
may offer relevant and material information including written direct
testimony which he believes should be considered in opposition to the
administrative action or which may bear on the sanction being sought.
(3) The facility or other person individually, or through counsel,
may conduct such cross-examination as may be specifically allowed by
the Presiding Officer for a full determination of the facts.
Sec. 27.340 Completion of adjudication proceedings.
(a) The Presiding Officer shall close and certify the record of the
adjudication promptly upon the completion of:
(1) Summary judgment proceedings,
(2) A hearing, if necessary,
(3) The submission of post hearing briefs, if any are ordered by
the Presiding Officer, and
[[Page 17737]]
(4) The conclusion of oral arguments, if any are permitted by the
Presiding Officer.
(b) The Presiding Officer shall issue an Initial Decision based on
the certified record, and the decision shall be subject to appeal
pursuant to Sec. 27.345.
(c) An Initial Decision shall become a final agency action on the
expiration of the time for an Appeal pursuant to Sec. 27.345.
Sec. 27.345 Appeals.
(a) Right to Appeal. A facility or any person who has received an
Initial Decision under Sec. 27.340(b) has the right to appeal to the
Under Secretary acting as a neutral appeals officer.
(b) Procedure for Appeals. (1) The Assistant Secretary, a facility
or other person, or a representative on behalf of a facility or person,
may institute an Appeal by filing a Notice of Appeal with the office of
the Department hereinafter designated by the Secretary.
(2) The Assistant Secretary, a facility, or other person must file
a Notice of Appeal within seven calendar days of the service of the
Presiding Officer's Initial Decision.
(3) The Appellant shall file with the designated office and
simultaneously serve each Notice of Appeal and all subsequent filings
on the General Counsel.
(4) An Initial Decision is stayed from the timely filing of a
Notice of Appeal until the Under Secretary issues a Final Decision,
unless the Secretary lifts the stay due to exigent circumstances
pursuant to Sec. 27.310(d).
(5) The Appellant shall file and serve a Brief within 28 calendar
days of the notification of the service of the Presiding Officer's
Initial Decision.
(6) The Appellee shall file and serve its Opposition Brief within
28 calendar days of the service of the Appellant's Brief.
(c) The Under Secretary may provide for an expedited appeal for
appropriate matters.
(d) Ex Parte Communications. (1) At no time after the filing of a
Notice of Appeal pursuant to paragraph (b)(1) of this section and prior
to the issuance of a Final Decision on an Appeal pursuant to paragraph
(f) of this section with respect to a facility or other person shall
the Under Secretary, his designee, or any person who will advise that
official in the decision on the matter, discuss ex parte the merits of
the proceeding with any interested person outside the Department, with
any Department official who performs a prosecutorial or investigative
function in such proceeding or a factually related proceeding, or with
any representative of such person.
(2) If, after the filing of a Notice of Appeal pursuant to
paragraph (b)(1) of this section and prior to the issuance of a Final
Decision on an Appeal pursuant to paragraph (f) of this section with
respect to a facility or other person, the Under Secretary, his
designee, or any person who will advise that official in the decision
on the matter, receives from or on behalf of any party, by means of an
ex parte communication, information which is relevant to the decision
of the matter and to which other parties have not had an opportunity to
respond, a summary of such information shall be served on all other
parties, who shall have an opportunity to reply to the ex parte
communication within a time set by the Under Secretary or his designee.
(3) The consideration of classified information or CVI pursuant to
an in camera procedure does not constitute a prohibited ex parte
communication for purposes of this subpart.
(e) A facility or other person may elect to have the Under
Secretary participate in any mediation or other resolution process by
expressly waiving, in writing, any argument that such participation has
compromised the Appeal process.
(f) The Under Secretary shall issue a Final Decision and serve it
upon the parties. A Final Decision made by the Under Secretary
constitutes final agency action.
(g) The Secretary may establish procedures for the conduct of
Appeals pursuant to this section.
Subpart D--Other
Sec. 27.400 Chemical-terrorism vulnerability information.
(a) Applicability. This section governs the maintenance,
safeguarding, and disclosure of information and records that constitute
Chemical-terrorism Vulnerability Information (CVI), as defined in Sec.
27.400(b). The Secretary shall administer this section consistent with
Section 550(c) of the Homeland Security Appropriations Act of 2007,
including appropriate sharing with Federal, State and local officials.
(b) Chemical-terrorism Vulnerability Information. In accordance
with Section 550(c) of the Department of Homeland Security
Appropriations Act of 2007, the following information, whether
transmitted verbally, electronically, or in written form, shall
constitute CVI:
(1) Security Vulnerability Assessments under Sec. 27.215;
(2) Site Security Plans under Sec. 27.225;
(3) Documents relating to the Department's review and approval of
Security Vulnerability Assessments and Site Security Plans, including
Letters of Authorization, Letters of Approval and responses thereto;
written notices; and other documents developed pursuant to Sec. Sec.
27.240 or 27.245;
(4) Alternate Security Programs under Sec. 27.235;
(5) Documents relating to inspection or audits under Sec. 27.250;
(6) Any records required to be created or retained under Sec.
27.255;
(7) Sensitive portions of orders, notices or letters under Sec.
27.300;
(8) Information developed pursuant to Sec. Sec. 27.200 and 27.205;
and
(9) Other information developed for chemical facility security
purposes that the Secretary, in his discretion, determines is similar
to the information protected in Sec. 27.400(b)(1) through (8) and thus
warrants protection as CVI.
(c) Covered Persons. Persons subject to the requirements of this
section are:
(1) Each person who has a need to know CVI, as specified in Sec.
27.400(e);
(2) Each person who otherwise receives or gains access to what they
know or should reasonably know constitutes CVI.
(d) Duty to protect information. A covered person must--
(1) Take reasonable steps to safeguard CVI in that person's
possession or control, including electronic data, from unauthorized
disclosure. When a person is not in physical possession of CVI, the
person must store it in a secure container, such as a safe, that limits
access only to covered persons with a need to know;
(2) Disclose, or otherwise provide access to, CVI only to persons
who have a need to know;
(3) Refer requests for CVI by persons without a need to know to the
Assistant Secretary;
(4) Mark CVI as specified in Sec. 27.400(f);
(5) Dispose of CVI as specified in Sec. 27.400(k);
(6) If a covered person receives a record or verbal transmission
containing CVI that is not marked as specified in Sec. 27.400(f), the
covered person must--
(i) Mark the record as specified in Sec. 27.400(f) of this
section; and
(ii) Inform the sender of the record that the record must be marked
as specified in Sec. 27.400(f); or
(iii) If received verbally, make reasonable efforts to memorialize
such information and mark the memorialized record as specified in Sec.
27.400(f) of this section, and inform the speaker of any determination
that such information warrants CVI protection.
(7) When a covered person becomes aware that CVI has been released
to
[[Page 17738]]
persons without a need to know (including a covered person under Sec.
27.400(c)(2)), the covered person must promptly inform the Assistant
Secretary.
(8) In the case of information that is CVI and also has been
designated as critical infrastructure information under Section 214 of
the Homeland Security Act, any covered person in possession of such
information must comply with the disclosure restrictions and other
requirements applicable to such information under Section 214 and any
implementing regulations.
(e) Need to know. (1) A person, including a State or local
official, has a need to know CVI in each of the following
circumstances:
(i) When the person requires access to specific CVI to carry out
chemical facility security activities approved, accepted, funded,
recommended, or directed by the Department.
(ii) When the person needs the information to receive training to
carry out chemical facility security activities approved, accepted,
funded, recommended, or directed by the Department.
(iii) When the information is necessary for the person to supervise
or otherwise manage individuals carrying out chemical facility security
activities approved, accepted, funded, recommended, or directed by the
Department.
(iv) When the person needs the information to provide technical or
legal advice to a covered person, who has a need to know the
information, regarding chemical facility security requirements of
Federal law.
(v) When the Department determines that access is required under
Sec. Sec. 27.400(h) or 27.400(i) in the course of a judicial or
administrative proceeding.
(2) Federal employees, contractors, and grantees. (i) A Federal
employee has a need to know CVI if access to the information is
necessary for performance of the employee's official duties.
(ii) A person acting in the performance of a contract with or grant
from the Department has a need to know CVI if access to the information
is necessary to performance of the contract or grant. Contractors or
grantees may not further disclose CVI without the consent of the
Assistant Secretary.
(iii) The Department may require that non-Federal persons seeking
access to CVI complete a non-disclosure agreement before such access is
granted.
(3) Background check. The Department may make an individual's
access to the CVI contingent upon satisfactory completion of a security
background check or other procedures and requirements for safeguarding
CVI that are satisfactory to the Department.
(4) Need to know further limited by the Department. For some
specific CVI, the Department may make a finding that only specific
persons or classes of persons have a need to know.
(5) Nothing in Sec. 27.400(e) shall prevent the Department from
determining, in its discretion, that a person not otherwise listed in
Sec. 27.400(e) has a need to know CVI in a particular circumstance.
(f) Marking of paper records. (1) In the case of paper records
containing CVI, a covered person must mark the record by placing the
protective marking conspicuously on the top, and the distribution
limitation statement on the bottom, of--
(i) The outside of any front and back cover, including a binder
cover or folder, if the document has a front and back cover;
(ii) Any title page; and
(iii) Each page of the document.
(2) Protective marking. The protective marking is: CHEMICAL-
TERRORISM VULNERABILITY INFORMATION.
(3) Distribution limitation statement. The distribution limitation
statement is: WARNING: This record contains Chemical-terrorism
Vulnerability Information controlled by 6 CFR 27.400. Do not disclose
to persons without a ``need to know'' in accordance with 6 CFR
27.400(e). Unauthorized release may result in civil penalties or other
action. In any administrative or judicial proceeding, this information
shall be treated as classified information in accordance with 6 CFR
27.400(h) and (i).
(4) Other types of records. In the case of non-paper records that
contain CVI, including motion picture films, videotape recordings,
audio recording, and electronic and magnetic records, a covered person
must clearly and conspicuously mark the records with the protective
marking and the distribution limitation statement such that the viewer
or listener is reasonably likely to see or hear them when obtaining
access to the contents of the record.
(g) Disclosure by the Department--In general. (1) Except as
otherwise provided in this section, and notwithstanding the Freedom of
Information Act (5 U.S.C. 552), the Privacy Act (5 U.S.C. 552a), and
other laws, records containing CVI are not available for public
inspection or copying, nor does the Department release such records to
persons without a need to know.
(2) Disclosure of Segregatable Information under the Freedom of
Information Act and the Privacy Act. If a record is marked to signify
both CVI and information that is not CVI, the Department, on a proper
Freedom of Information Act or Privacy Act request, may disclose the
record with the CVI redacted, provided the record is not otherwise
exempt from disclosure under the Freedom of Information Act or Privacy
Act.
(h) Disclosure in administrative enforcement proceedings. (1) The
Department may provide CVI to a person governed by Section 550, and his
counsel, in the context of an administrative enforcement proceeding of
Section 550 when, in the sole discretion of the Department, as
appropriate, access to the CVI is necessary for the person to prepare a
response to allegations contained in a legal enforcement action
document issued by the Department.
(2) Security background check. Prior to providing CVI to a person
under Sec. 27.400(h)(1), the Department may require the individual or,
in the case of an entity, the individuals representing the entity, and
their counsel, to undergo and satisfy, in the judgment of the
Department, a security background check.
(i) Disclosure in judicial proceedings. (1) In any judicial
enforcement proceeding of Section 550, the Secretary, in his sole
discretion, may, subject to Sec. 27.400(i)(1)(i), authorize access to
CVI for persons necessary for the conduct of such proceedings,
including such persons' counsel, provided that no other persons not so
authorized shall have access to or be present for the disclosure of
such information.
(i) Security background check. Prior to providing CVI to a person
under Sec. 27.400(i)(1), the Department may require the individual to
undergo and satisfy, in the judgment of the Department, a security
background check.
(ii) [Reserved]
(2) In any judicial enforcement proceeding of Section 550 where a
person seeks to disclose CVI to a person not authorized to receive it
under paragraph (i)(1) of this section, or where a person not
authorized to receive CVI under paragraph (i)(1) of this section seeks
to compel its disclosure through discovery, the United States may make
an ex parte application in writing to the court seeking authorization
to--
(i) Redact specified items of CVI from documents to be introduced
into evidence or made available to the
[[Page 17739]]
defendant through discovery under the Federal Rules of Civil Procedure;
(ii) Substitute a summary of the information for such CVI; or
(iii) Substitute a statement admitting relevant facts that the CVI
would tend to prove.
(3) The court shall grant a request under paragraph (i)(2) of this
section if, after in camera review, the court finds that the redacted
item, stipulation, or summary is sufficient to allow the defendant to
prepare a defense.
(4) If the court enters an order granting a request under paragraph
(i)(2) of this section, the entire text of the documents to which the
request relates shall be sealed and preserved in the records of the
court to be made available to the appellate court in the event of an
appeal.
(5) If the court enters an order denying a request of the United
States under paragraph (i)(2) of this section, the United States may
take an immediate, interlocutory appeal of the court's order in
accordance with 18 U.S.C. 2339B(f)(4), (5). For purposes of such an
appeal, the entire text of the documents to which the request relates,
together with any transcripts of arguments made ex parte to the court
in connection therewith, shall be maintained under seal and delivered
to the appellate court.
(6) Except as provided otherwise at the sole discretion of the
Secretary, access to CVI shall not be available in any civil or
criminal litigation unrelated to the enforcement of Section 550.
(7) Taking of trial testimony--
(i) Objection--During the examination of a witness in any judicial
proceeding, the United States may object to any question or line of
inquiry that may require the witness to disclose CVI not previously
found to be admissible.
(ii) Action by court--In determining whether a response is
admissible, the court shall take precautions to guard against the
compromise of any CVI, including--
(A) Permitting the United States to provide the court, ex parte,
with a proffer of the witness's response to the question or line of
inquiry; and
(B) Requiring the defendant to provide the court with a proffer of
the nature of the information that the defendant seeks to elicit.
(iii) Obligation of defendant--In any judicial enforcement
proceeding, it shall be the defendant's obligation to establish the
relevance and materiality of any CVI sought to be introduced.
(8) Construction. Nothing in this subsection shall prevent the
United States from seeking protective orders or asserting privileges
ordinarily available to the United States to protect against the
disclosure of classified information, including the invocation of the
military and State secrets privilege.
(j) Consequences of Violation. Violation of this section is grounds
for a civil penalty and other enforcement or corrective action by the
Department, and appropriate personnel actions for Federal employees.
Corrective action may include issuance of an order requiring retrieval
of CVI to remedy unauthorized disclosure or an order to cease future
unauthorized disclosure.
(k) Destruction of CVI. (1) The Department of Homeland Security.
Subject to the requirements of the Federal Records Act (5 U.S.C. 105),
including the duty to preserve records containing documentation of a
Federal agency's policies, decisions, and essential transactions, the
Department destroys CVI when no longer needed to carry out the agency's
function.
(2) Other covered persons--(i) In general. A covered person must
destroy CVI completely to preclude recognition or reconstruction of the
information when the covered person no longer needs the CVI to carry
out security measures under paragraph (e) of this section.
(ii) Exception. Section 27.400(k)(2) does not require a State or
local government agency to destroy information that the agency is
required to preserve under State or local law.
Sec. 27.405 Review and preemption of State laws and regulations.
(a) As per current law, no law, regulation, or administrative
action of a State or political subdivision thereof, or any decision or
order rendered by a court under state law, shall have any effect if
such law, regulation, or decision conflicts with, hinders, poses an
obstacle to or frustrates the purposes of this regulation or of any
approval, disapproval or order issued there under.
(1) Nothing in this part is intended to displace other federal
requirements administered by the Environmental Protection Agency, U.S.
Department of Justice, U.S. Department of Labor, U.S. Department of
Transportation, or other federal agencies.
(2) [Reserved]
(b) State law, regulation or administrative action defined. For
purposes of this section, the phrase ``State law, regulation or
administrative action'' means any enacted law, promulgated regulation,
ordinance, administrative action, order or decision, or common law
standard of a State or any of its political subdivisions.
(c) Submission for review. Any chemical facility covered by these
regulations and any State may petition the Department by submitting a
copy of a State law, regulation, or administrative action, or decision
or order of a court for review under this section.
(d) Review and opinion--(1) Review. The Department may review State
laws, administrative actions, or opinions or orders of a court under
State law and regulations submitted under this section, and may offer
an opinion whether the application or enforcement of the State law or
regulation would conflict with, hinder, pose an obstacle to or
frustrate the purposes of this Part.
(2) Opinion. The Department may issue a written opinion on any
question regarding preemption. If the question was submitted under
subsection (c) of this part, the Assistant Secretary will notify the
affected chemical facility and the Attorney General of the subject
State of any opinion under this section.
(3) Consultation with States. In conducting a review under this
section, the Department will seek the views of the State or local
jurisdiction whose laws may be affected by the Department's review.
Sec. 27.410 Third party actions.
(a) Nothing in this Part shall confer upon any person except the
Secretary a right of action, in law or equity, for any remedy
including, but not limited to, injunctions or damages to enforce any
provision of this Part.
(b) An owner or operator of a chemical facility may petition the
Assistant Secretary to provide the Department's view in any litigation
involving any issues or matters regarding this Part.
Appendix A to Part 27.--DHS Chemicals of Interest
------------------------------------------------------------------------
Chemical
Abstract Screening threshold
Chemical of interest Service (CAS) quantity (STQ)
number (lbs)
------------------------------------------------------------------------
1,1,3,3,3-pentafluoro-2- 382-21-8 Any Amount.
(trifluoromethyl)-1-propene.
1,1-Dimethylhydrazine............. 57-14-7 11,250.
[[Page 17740]]
1,2-bis(2-chloroethylthio)ethane.. 3563-36-8 Any Amount.
1,3-bis(2-chloroethylthio)-n- 63905-10-2 Any Amount.
propane.
1,3-Butadiene..................... 106-99-0 7,500.
1,3-Pentadiene.................... 504-60-9 7,500.
1,4-bis(2-chloroethylthio)-n- 142868-93-7 Any Amount.
butane.
1,5-bis(2-chloroethylthio)-n- 142868-94-8 Any Amount.
pentane.
1-Butene.......................... 106-98-9 7,500.
1-Chloropropylene................. 590-21-6 7,500.
1H-Tetrazole...................... 16681-77-9 2,000.
1-Pentane......................... 109-67-1 7,500.
2,2-Dimethylpropane............... 463-82-1 7,500.
2-Butene.......................... 107-01-7 7,500.
2-Butene-cis...................... 590-18-1 7,500.
2-Butene-trans.................... 624-64-6 7,500.
2-chloroethylchloromethylsulfide.. 2625-76-5 Any Amount.
2-Chloropropylene................. 557-98-2 7,500.
2-Chlorovinyldichloroarsine....... 541-25-3 Any Amount.
2-Methyl-1-butene................. 563-46-2 7,500.
2-Methylpropene................... 115-11-7 7,500.
2-Pentene, (Z)-................... 627-20-3 7,500.
2-Pentene,(E)-.................... 646-04-8 7,500.
3,3-dimethyl-2-butanol............ 464-07-3 Any Amount.
3-Methyl-1-butene................. 563-45-1 7,500.
3-Quinuclidinyl benzilate (BZ).... 62869-69-6 Any Amount.
5-Nitrobenzotriazol............... 2338-12-7 2,000.
Acetaldehyde...................... 75-07-0 7,500.
Acetone........................... 67-64-1 2,000.
Acetone cyanohydrin, stabilized... 75-86-5 2,000.
Acetyl bromide.................... 506-96-7 2,000.
Acetyl chloride................... 75-36-5 2,000.
Acetyl iodide..................... 507-02-8 2,000.
Acetylene......................... 74-86-2 7,500.
Acrolein.......................... 107-02-8 3,750.
Acrylonitrile..................... 107-13-1 15,000.
Acrylyl chloride.................. 814-68-6 3,750.
Allyl alcohol..................... 107-18-6 11,250.
Allylamine........................ 107-11-9 7,500.
Allyltrichlorosilane, stabilized.. 107-37-9 2,000.
Aluminum bromide, anhydrous....... 7727-15-3 2,000.
Aluminum chloride, anhydrous...... 7446-70-0 2,000.
Aluminum phosphide................ 20859-73-8 2,000.
Ammonia (anhydrous)............... 7664-41-7 7,500.
Ammonia (conc. 20% or greater).... 7664-41-7 15,000.
Ammonium nitrate (nitrogen 6484-52-2 2,000.
concentration of 28%-34%).
Ammonium perchlorate.............. 7790-98-9 2,000.
Ammonium picrate.................. 131-74-8 2,000.
Amyltrichlorosilane............... 107-72-2 2,000.
Antimony pentafluoride............ 7783-70-2 2,000.
Arsenous trichloride.............. 7784-34-1 Any Amount.
Arsine............................ 7784-42-1 Any Amount.
Barium azide...................... 18810-58-7 2,000.
bis(2-chloroethyl)ethylamine...... 538-07-8 Any Amount.
bis(2-chloroethyl)methylamine..... 51-75-2 Any Amount.
bis(2-chloroethyl)sulfide......... 505-60-2 Any Amount.
bis(2-chloroethylthio)methane..... 63869-13-6 Any Amount.
bis(2-chloroethylthioethyl)ether.. 63918-89-8 Any Amount.
bis(2-chloroethylthiomethyl)ether. 63918-90-1 Any Amount.
bis(2-chlorovinyl)chloroarsine.... 40334-69-8 Any Amount.
Boron tribromide.................. 10294-33-4 2,000.
Boron trichloride................. 10294-34-5 Any Amount.
Boron triflouride................. 7637-07-2 Any Amount.
Boron triflouride compound with 353-42-4 11,250.
methyl ether (1:1).
Bromine........................... 7726-95-6 7,500.
Bromine chloride.................. 13863-41-7 Any Amount.
Bromine pentafluoride............. 7789-30-2 2,000.
Bromine trifluoride............... 7787-71-5 2,000.
Bromotrifluorethylene............. 598-73-2 7,500.
Butane............................ 106-97-8 7,500.
Butene............................ 25167-67-3 7,500.
Butyltrichlorosilane.............. 7521-80-4 2,000.
[[Page 17741]]
Calcium dithionite................ 15512-36-4 2,000.
Calcium hydrosulfite.............. 15512-36-4 2,000.
Calcium phosphide................. 1305-99-3 2,000.
Carbon disulfide.................. 75-15-0 15,000.
Carbon monoxide................... 630-08-0 Any Amount.
Carbon oxysulfide................. 463-58-1 7,500.
Carbonyl fluoride................. 353-50-4 Any Amount.
Carbonyl sulfide.................. 463-58-1 Any Amount.
Chlorine.......................... 7782-50-5 1,875.
Chlorine dioxide.................. 10049-04-4 2,000.
Chlorine monoxide................. 7791-21-1 7,500.
Chlorine pentafluoride............ 13637-63-3 Any Amount.
Chlorine trifluoride.............. 7790-91-2 Any Amount.
Chloroacetyl chloride............. 79-04-9 2,000.
Chloroform........................ 67-66-3 15,000.
Chloromethyl ether................ 542-88-1 750.
Chloromethyl methyl ether......... 107-30-2 3,750.
Chloropicrin...................... 76-06-2 Any Amount.
Chlorosulfonic acid............... 7790-94-5 2,000.
Chromium oxychloride.............. 7803-51-2 2,000.
Crotonaldehyde.................... 4170-30-3 15,000.
Crotonaldehyde, (E)-.............. 123-73-9 15,000.
Cyanogen.......................... 460-19-5 Any Amount.
Cyanogen chloride................. 506-77-4 Any Amount.
Cyclohexylamine................... 108-91-8 11,250.
Cyclohexyltrichlorosilane......... 98-12-4 2,000.
Cyclopropane...................... 75-19-4 7,500.
Cyclotetramethylenetetranitramine. 2691-41-0 2,000.
Diazodinitrophenol................ 87-31-0 2,000.
Diborane.......................... 19287-45-7 Any Amount.
Dichlorosilane.................... 4109-96-0 Any Amount.
Diethyl ethylphosphonate.......... 78-38-6 Any Amount.
Diethyl N,N- 2404-03-7 Any Amount.
dimethylphosphoramidate.
Diethyl phosphate................. 762-04-9 Any Amount.
Diethyldichlorosilane............. 1719-53-5 2,000.
Diethyleneglycol dinitrate........ 693-21-0 2,000.
Difluoroethane.................... 75-37-6 7,500.
Dimethyl ethylphosphonate......... 6163-75-3 Any Amount.
Dimethyl methylphosphonate........ 756-79-6 Any Amount.
Dimethyl phosphate................ 868-85-9 Any Amount.
Dimethylamine..................... 124-40-3 7,500.
Dimethyldichlorosilane............ 75-78-5 2,000.
Dimethylphosphoramidodichloridate. 677-43-0 Any Amount.
Dinitrogen tetroxide.............. 10544-72-6 Any Amount.
Dinitroglycoluril................. 55510-04-8 2,000.
Dinitrophenol..................... 25550-58-7 2,000.
Dinitroresorcinol................. 35860-51-6 2,000.
Dinitrosobenzene.................. 25550-55-4 2,000.
Diphenyl-2-hydroxyacetic acid (aka 76-93-7 Any Amount.
benzilic acid).
Diphenyldichlorosilane............ 80-10-4 2,000.
Dipicryl sulfide.................. 2217-06-3 2,000.
Dodecyltrichlorosilane............ 4484-72-4 2,000.
Epichlorohydrin................... 106-89-8 15,000.
Ethane............................ 74-84-0 7,500.
Ethyl acetylene................... 107-00-6 7,500.
Ethyl chloride.................... 75-00-3 7,500.
Ethyl ether....................... 60-29-7 7,500.
Ethyl mercaptan................... 75-08-1 7,500.
Ethyl nitrite..................... 109-95-5 7,500.
Ethyl phosphonyl dichloride....... 1066-50-8 Any Amount.
Ethyl phosphonyl difluoride....... 753-98-0 Any Amount.
Ethylamine........................ 75-04-7 7,500.
Ethyldiethanolamine............... 139-87-7 Any Amount.
Ethylene.......................... 74-85-1 7,500.
Ethylene oxide.................... 75-21-8 Any Amount.
Ethylenediamine................... 107-15-3 15,000.
Ethyleneimine..................... 151-56-4 7,500.
Ethyltrichlorosilane.............. 115-21-9 2,000.
Fluorine.......................... 7782-41-4 Any Amount.
Fluorosulfonic acid............... 7789-21-1 2,000.
[[Page 17742]]
Formaldehyde (solution)........... 50-00-0 11,250.
Furan............................. 110-00-9 3,750.
Germane........................... 7782-65-2 Any Amount.
Germanium tetrafluoride........... 7783-58-6 Any Amount.
Guanyl nitrosaminoguanylidene ............... 2,000.
hydrazine.
Guanyl nitrosaminoguanyltetrazene. 109-27-3 2,000.
Hexaethyl tetraphosphate and 757-58-4 Any Amount.
compressed gas mixtures.
Hexafluoroacetone................. 684-16-2 Any Amount.
Hexanitrodiphenylamine............ 35860-31-2 2,000.
Hexanitrostilbene................. 20062-22-0 2,000.
Hexolite.......................... 121-82-4 2,000.
Hexotonal......................... 107-15-3 2,000.
Hexyltrichlorosilane.............. 928-89-2 6 2,000.
Hydrazine......................... 302-01-2 11,250.
Hydrochloric acid (conc. 37% or 7647-01-0 11,250.
greater).
Hydrocyanic acid.................. 74-90-8 1,875.
Hydrogen.......................... 1333-74-0 7,500.
Hydrogen bromide, anhydrous....... 10035-10-6 Any Amount.
Hydrogen chloride (anhydrous)..... 7647-01-0 Any Amount.
Hydrogen cyanide.................. 74-90-8 Any Amount.
Hydrogen fluoride/Hydrofluoric 7664-39-3 750.
acid (conc. 50% or greater).
Hydrogen iodide, anhydrous........ 10034-85-2 Any Amount.
Hydrogen peroxide (concentration 7722-84-1 2,000.
of at least 30%).
Hydrogen selenide................. 7783-07-5 Any Amount.
Hydrogen sulfide.................. 7783-06-4 Any Amount.
Iodine pentafluoride.............. 7783-66-6 2,000.
Iron, pentacarbonyl-.............. 13463-40-6 1,875.
Isobutane......................... 75-28-5 7,500.
Isobutyronitrile.................. 78-82-0 15,000.
Isopentane........................ 78-78-4 7,500.
Isoprene.......................... 78-79-5 7,500.
Isopropyl chloride................ 75-29-6 7,500.
Isopropyl chloroformate........... 108-23-6 11,250.
Isopropylamine.................... 75-31-0 7,500.
Lead azide........................ 13424-46-9 2,000.
Lead styphnate.................... 15245-44-0 2,000.
Lithium amide..................... 7782-89-0 2,000.
Lithium nitride................... 26134-62-3 2,000.
Magnesium aluminum phosphide...... ............... 2,000.
Magnesium diamide................. 7803-54-5 2,000.
Magnesium phosphide............... 12057-74-8 2,000.
Mannitol hexanitrate, wetted...... 15825-70-4 2,000.
Mercury fulminate................. 628-86-4 2,000.
Methacrylonitrile................. 126-98-7 7,500.
Methane........................... 74-82-8 7,500.
Methyl bromide.................... 74-83-9 Any Amount.
Methyl chloride................... 74-87-3 7,500.
Methyl chloroformate.............. 79-22-1 3,750.
Methyl ether...................... 115-10-6 7,500.
Methyl formate.................... 107-31-3 7,500.
Methyl hydrazine.................. 60-34-4 11,250.
Methyl isocyanate................. 624-83-9 11,250.
Methyl mercaptan.................. 74-93-1 Any Amount.
Methyl phosphonyl dichloride...... 676-97-1 Any Amount.
Methyl phosphonyl difluoride...... 676-99-3 Any Amount.
Methyl thiocyanate................ 556-64-9 15,000.
Methylamine....................... 74-89-5 7,500.
Methylchlorosilane................ 993-00-0 Any Amount.
Methyldichlorosilane.............. 75-54-7 2,000.
Methyldiethanolamine.............. 105-59-9 Any Amount.
Methylphenyldichlorosilane........ 149-74-6 2,000.
Methyltrichlorosilane............. 75-79-6 2,000.
N,N-diisopropyl-2-aminoethyl 4261-68-1 Any Amount.
chloride hydrochloride.
N,N-diisopropyl-[beta]- 96-80-0 Any Amount.
aminoethanol.
N,N-diisopropyl-[beta]-aminoethyl 96-79-7 Any Amount.
chloride.
Nickel Carbonyl................... 13463-39-3 750.
Nitric acid....................... 7697-37-2 2,000.
Nitric oxide...................... 10102-43-9 Any Amount.
Nitro urea........................ 556-89-8 2,000.
Nitrocellulose.................... 9004-70-0 2,000.
[[Page 17743]]
Nitrogen trioxide................. 10544-73-7 Any Amount.
Nitroglycerine.................... 55-63-0 2,000.
Nitroguanidine.................... 556-88-7 2,000.
Nitromethane...................... 75-52-5 2,000.
Nitrostarch....................... 9056-38-6 2,000.
Nitrosyl chloride................. 2696-92-6 Any Amount.
Nitrotriazolone................... 932-64-9 2,000.
Nonyltrichlorosilane.............. 5283-67-0 2,000.
o,o-diethyl S-[2- 78-53-5 Any Amount.
(diethylamino)ethyl]
phosphorothiolate.
Octadecyltrichlorosilane.......... 112-04-9 2,000.
Octolite.......................... 68610-51-5 2,000.
Octonal........................... 124-13-0 2,000.
Octyltrichlorosilane.............. 5283-66-9 2,000.
o-ethyl-N,N-dimethylphosphoramido- 77-81-6 Any Amount.
cyanidate.
o-ethyl-o-2-diisopropylaminoethyl 57856-11-8 Any Amount.
methylphosphonite.
o-ethyl-S-2-diisopropylaminoethyl 50782-69-9 Any Amount.
methyl phosphonothiolate.
o-isopropyl 1445-76-7 Any Amount.
methylphosphonochloridate.
o-isopropyl 107-44-8 Any Amount.
methylphosphonofluoridate.
Oleum (Fuming Sulfuric acid)...... 8014-95-7 7,500.
o-pinacolyl 7040-57-5 Any Amount.
methylphosphonochloridate.
o-pinacolyl 96-64-0 Any Amount.
methylphosphonofluoridate.
Oxygen difluoride................. 7783-41-7 Any Amount.
Pentaerythrite tetranitrate or 78-11-5 2,000.
PETN.
Pentane........................... 109-66-0 7,500.
Pentolite......................... 8066-33-9 2,000.
Peracetic acid.................... 79-21-0 7,500.
Perchloromethylmercaptan.......... 594-42-3 7,500.
Perchloryl fluoride............... 7616-94-6 Any Amount.
Phenyltrichlorosilane............. 98-13-5 2,000.
Phosgene.......................... 75-44-5 Any Amount.
Phosphine......................... 7803-51-2 Any Amount.
Phosphorus........................ 7723-14-0 Any Amount.
Phosphorus oxychloride............ 10025-87-3 Any Amount.
Phosphorus oxychloride............ 10025-87-3 2,000.
Phosphorus pentachloride.......... 10026-13-8 Any Amount.
Phosphorus pentachloride.......... 10026-13-8 2,000.
Phosphorus pentasulfide........... 1314-80-3 2,000.
Phosphorus trichloride............ 7719-12-2 Any Amount.
Phosphorus trichloride............ 7719-12-2 2,000.
Piperidine........................ 110-89-4 11,250.
Potassium chlorate................ 3811-04-9 2,000.
Potassium cyanide................. 151-50-8 2,000.
Potassium nitrate................. 7757-79-1 2,000.
Potassium perchlorate............. 7778-74-7 2,000.
Potassium phosphide............... 20770-41-6 2,000.
Propadiene........................ 463-49-0 7,500.
Propane........................... 74-98-6 7,500.
Propionitrile..................... 107-12-0 7,500.
Propyl chlorofromate.............. 109-61-5 11,250.
Propylene......................... 115-07-1 7,500.
Propylene oxide................... 75-56-9 7,500.
Propyleneimine.................... 75-55-8 7,500.
Propyltrichlorosilane............. 141-57-1 2,000.
Propyne........................... 74-99-7 7,500.
Quinuclidine-3-ol................. 1619-34-7 Any Amount.
RDX and HMX mixtures.............. 121-82-4 2,000.
Selenium hexafluoride............. 7783-79-1 Any Amount.
Silane............................ 7803-62-5 7,500.
Silicon tetrachloride............. 10026-04-7 2,000.
Silicon tetrafluoride............. 7783-61-1 Any Amount.
Sodium chlorate................... 7775-09-9 2,000.
Sodium cyanide.................... 143-33-9 2,000.
Sodium dinitro-o-cresolate........ 25641-53-6 2,000.
Sodium dithionite................. 7775-14-6 2,000.
Sodium hydrosulfite............... 7775-14-6 2,000.
Sodium nitrate.................... 7631-99-4 2,000.
Sodium phosphide.................. 7558-80-7 2,000.
Sodium picramate.................. 831-52-7 2,000.
Stibine........................... 7803-52-3 Any Amount.
Strontium phosphide............... 13450-99-2 2,000.
[[Page 17744]]
Sulfur dichloride................. 10545-99-0 Any Amount.
Sulfur dioxide (anhydrous)........ 7446-09-5 Any Amount.
Sulfur monochloride............... 10025-67-9 Any Amount.
Sulfur tetraflouride.............. 7783-60-0 Any Amount.
Sulfur trioxide................... 7446-11-9 7,500.
Sulfuryl chloride................. 7791-25-5 2,000.
Sulfuryl fluoride................. 2699-79-8 Any Amount.
Tellurium hexafluoride............ 7783-80-4 Any Amount.
Tetrafluoroethylene............... 116-14-3 7,500.
Tetramethyllead................... 75-74-1 7,500.
Tetramethylsilane................. 75-76-3 7,500.
Tetranitroaniline................. 53014-37-2 2,000.
Tetranitromethane................. 509-14-8 7,500.
Tetrazol-1-acetic acid............ 21732-17-2 2,000.
Thiodiglycol...................... 111-48-8 Any Amount.
Thionyl chloride.................. 7719-09-7 Any Amount.
Thionyl chloride.................. 7719-09-7 2,000.
Titanium tetrachloride............ 7550-45-0 2,000.
Toluene 2,4-diisocyanate.......... 584-84-9 7,500.
Toluene 2,6-diisocyanate.......... 91-08-7 7,500.
Toluene diisocyanate (unspecified 26471-62-5 7,500.
isomer).
Trichlorosilane................... 10025-78-2 2,000.
Triethanolamine................... 102-71-6 Any Amount.
Triethanolamine hydrochloride..... 637-39-8 Any Amount.
Triethyl phosphite................ 122-52-1 Any Amount.
Trifluoroacetyl chloride.......... 354-32-5 Any Amount.
Trifluorochloroethylene........... 79-38-9 Any Amount.
Trimethyl phosphite............... 121-45-9 Any Amount.
Trimethylamine.................... 75-50-3 Any Amount.
Trimethylchlorosilane............. 75-77-4 2,000.
Trinitroaniline................... 26952-42-1 2,000.
Trinitroanisole................... 606-35-9 2,000.
Trinitrobenzene................... 99-35-4 2,000.
Trinitrobenzenesulfonic acid...... 2508-19-2 2,000.
Trinitrobenzoic acid.............. 129-66-8 2,000.
Trinitrochlorobenzene............. 88-88-0 2,000.
Trinitrofluorenone................ 129-79-3 2,000.
Trinitro-meta-cresol.............. 602-99-3 2,000.
Trinitronaphthalene............... 558101-17-8 2,000.
Trinitrophenetole................. 4732-14-3 2,000.
Trinitrophenol.................... 88-89-1 2,000.
Trinitroresorcinol................ 82-71-3 2,000.
Trinitrotoluene................... 118-96-7 2,000.
Tris(2-chloroethyl)amine.......... 555-77-1 Any Amount.
Tris(2-chlorovinyl)arsine......... 40334-70-1 Any Amount.
Tritonal.......................... 54413-15-9 2,000.
Tungsten hexafluoride............. 7783-82-6 Any Amount.
Uranium hexafluoride.............. 7783-81-5 2,000.
Urea.............................. 57-13-6 2,000.
Urea nitrate...................... 124-47-0 2,000.
Vinyl acetate monomer............. 108-05-4 11,250.
Vinyl actylene.................... 689-97-4 7,500.
Vinyl chloride.................... 75-01-4 7,500.
Vinyl ethyl ether................. 109-92-2 7,500.
Vinyl fluoride.................... 75-02-5 7,500.
Vinyl methyl ether................ 107-25-5 7,500.
Vinylidene chloride............... 75-35-4 7,500.
Vinylidene fluoride............... 75-38-7 7,500.
Vinyltrichlorosilane.............. 75-94-5 2,000.
Zinc dithionite................... 7779-86-4 2,000.
Zinc hydrosulfite................. 7779-86-4 2,000.
Zirconium picramate............... 63868-82-6 2,000.
------------------------------------------------------------------------
[[Page 17745]]
Dated: April 2, 2007.
Michael Chertoff,
Secretary of Homeland Security, Department of Homeland Security.
[FR Doc. E7-6363 Filed 4-6-07; 8:45 am]
BILLING CODE 4410-10-P