Critical Infrastructure Protection: DHS Should Take Actions to Measure Reduction in Chemical Facility Vulnerability and Share Information with First Responders
Fast Facts
Facilities that handle hazardous chemicals could be targets for terrorists—e.g., these chemicals could be stolen and used to build explosive devices. The Department of Homeland Security inspects such facilities to ensure they comply with security standards. DHS also shares information about these facilities with local officials so that first responders are prepared for potential security incidents.
However, we found that first responders may not have all the information they need to safely respond to incidents at these facilities. We recommended, among other things, that DHS provide first responders with better access to this information.
Chemical facility storage tanks
Photo of chemical facility storage tanks
Highlights
What GAO Found
Since 2013, the Department of Homeland Security (DHS) has strengthened its processes for identifying high-risk chemical facilities and assigning them to tiers under its Chemical Facility Anti-Terrorism Standards (CFATS) program. Among other things, DHS implemented a quality assurance review process to verify the accuracy of facility self-reported information used to identify high-risk facilities. DHS also revised its risk assessment methodology—used to assess whether chemical facilities are high-risk and, if so, assign them to a risk-based tier—by incorporating changes to address prior GAO recommendations and most of the findings of a DHS-commissioned peer review. For example, the updated methodology incorporates revisions to the threat, vulnerability, and consequence scoring methods to better cover the full range of security issues regulated by CFATS. As of February 2018, a total of 29,195 facilities—including all 26,828 facilities previously assessed and 2,367 facilities new to the program—were assessed using DHS's revised methodology. DHS designated 3,500 of these facilities as high-risk and subject to further requirements.
DHS has also made substantial progress conducting and completing compliance inspections and has begun to take action to measure facility security but does not evaluate vulnerability reduction resulting from the CFATS compliance inspection process. In 2013, GAO found that the backlog of chemical facility security plans awaiting review affected DHS's ability to conduct compliance inspections, which are performed after security plans are approved. Since then DHS has made progress and increased the number of completed compliance inspections. As of May 2018, DHS had conducted 3,553 compliance inspections. DHS has also begun to update its performance measure for the CFATS program to evaluate security measures implemented both when a facility submits its initial security plan and again when DHS approves its final security plan. However, GAO found that DHS's new performance measure methodology does not measure reduction in vulnerability at a facility resulting from the implementation and verification of planned security measures during the compliance inspection process. Doing so would provide DHS an opportunity to begin assessing how vulnerability is reduced—and by extension, risk lowered—not only for individual high-risk facilities but for the CFATS program as a whole.
DHS shares some CFATS information, but first responders and emergency planners may not have all of the information they need to minimize the risk of injury or death when responding to incidents at high-risk facilities. Facilities are currently required to report some chemical inventory information, but GAO found that over 200 CFATS chemicals may not be covered by these requirements. To improve access to information, DHS developed a secure interface called the Infrastructure Protection (IP) Gateway that provides access to CFATS facility-specific information that may be missing from required reporting. However, GAO found that the IP Gateway is not widely used at the local level. In addition, officials from 13 of the 15 Local Emergency Planning Committees—consisting of first responders and covering 373 CFATS high-risk facilities—told GAO they did not have access to CFATS data in the IP Gateway. By encouraging wider use of the IP Gateway, DHS would have greater assurance that first responders have information about high-risk facilities and the specific chemicals they possess.
Why GAO Did This Study
Facilities that produce, use, or store hazardous chemicals could be targeted or used by terrorists to inflict mass casualties, damage, and fear. DHS established the CFATS program to assess the risk posed by these facilities and inspect them to ensure compliance with DHS standards. DHS places high-risk facilities in risk-based tiers and is to conduct inspections after it approves their security plans. Under the CFATS Act of 2014, authorization for the CFATS program expires in January 2019.
GAO assessed the extent to which DHS has (1) enhanced the process for identifying high-risk facilities and assigning them to tiers, (2) conducted facility inspections and measured facility security, and (3) ensured that information is shared with emergency responders to prepare them for incidents at high-risk facilities. GAO reviewed DHS reports and data on compliance inspections and interviewed DHS officials. GAO also obtained non-generalizable information from 11 trade associations representing chemical facilities regarding DHS outreach and from 15 emergency planning committees about their awareness of CFATS and the chemicals it covers.
Recommendations
GAO recommends that DHS take actions to (1) measure reduction in vulnerability of high-risk facilities and use that data to assess program performance; and (2) encourage access to and wider use of the IP Gateway among first responders and emergency planners. DHS concurred with both recommendations and outlined efforts underway or planned.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | The Director of DHS's National Protection and Programs Directorate's Infrastructure Security Compliance Division (ISCD) should incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. (Recommendation 1) |
In August 2018, we reported on the extent to which the Department of Homeland Security (DHS) had taken action to, among other things, conduct chemical facility inspections and implement an approach to measure facility security under its Chemical Facility Anti-Terrorism Standards (CFATS) program. We found that DHS had begun to update its performance measure for the CFATS program to evaluate security measures implemented both when a facility submits its initial security plan and again when DHS approves its final security plan. However, we also found that DHS's new performance measure methodology did not measure reduction in vulnerability at a facility resulting from the implementation and verification of planned security measures during the compliance inspection process. We recommended that DHS incorporate vulnerability into the CFATS site security scoring methodology to help measure the reduction in the vulnerability of high-risk facilities to a terrorist attack, and use that data in assessing the CFATS program's performance in lowering risk and enhancing national security. In its agency comments, DHS concurred and noted significant challenges in developing a system that could numerically evaluate vulnerabilities. DHS stated that it believed its new performance metrics--which DHS began reporting in fiscal year 2019--met the spirit and intent of GAO's recommendation by demonstrating the percent increase in security score of facilities' security plans, resulting in a representation of the increase in the security posture across CFATS facilities and, by extension, demonstrating the program's reduction of vulnerability and overall risk. In May 2021, DHS clarified that the average change in facility security plan scores that CISA has been measuring and reporting is adjusted each time a Site Security Plan (or Alternative Security Program) is approved, to include when alterations are made to a previously approved plan that require a new review and approval by CISA. In addition, the need for a new review and approval can be determined via several means, to include when identified by CISA staff during a compliance inspection or a compliance assistance visit. By continuing to incorporate assessments of and changes to security scores at individual facilities-such as those due to the implementation of new security measures at individual facilities resulting from compliance inspections-DHS can better measure and track the ongoing impact of the CFATS compliance inspection process and of the program as whole on reducing risk and increasing security nationwide. As a result, this recommendation is closed as implemented.
|
Department of Homeland Security | The Assistant Secretary for Infrastructure Protection, in coordination with the Director of ISCD, should take actions to encourage access to and wider use of the IP Gateway and explore other opportunities to improve information-sharing with first responders and emergency planners. (Recommendation 2) |
In August 2018, we reported on, among other things, the extent to which the Department of Homeland Security's (DHS's) Chemical Facility Anti-Terrorism Standards (CFATS) program has ensured that information is shared with emergency responders to prepare them for incidents at high-risk chemical facilities (GAO-18-538). During the course of our review, we found that DHS shares some CFATS information with first responders and emergency planners, but these stakeholders may not have all of the information they need to minimize the risk of injury or death when responding to incidents at high-risk facilities. We also reported that DHS developed a secure interface called the Infrastructure Protection (IP) Gateway that provides access to CFATS facility-specific information that may be missing from required reporting; however, we found that the IP Gateway was not widely used at the local level. Consequently, we recommended that DHS should take actions to encourage access to and wider use of the IP Gateway and explore other opportunities to improve information-sharing with first responders and emergency planners. DHS concurred with this recommendation and reported in September 2018 that the program had revised three fact sheets and an outreach presentation to include information on the IP Gateway and how to request access to it. In addition, DHS reported plans to ensure contact was made with first responders representing at least the top 25 percent of CFATS high-risk chemical facilities so that they are properly prepared to respond to incidents at these facilities. In July 2019, DHS reported that it had also created a new webpage tailored to first responders as well as numerous other presentations, which include first responder outreach and IP Gateway information. DHS further reported that, at that time, outreach had been conducted with 570 Local Emergency Planning Committees (LEPCs) representing approximately 56 percent of the tiered CFATS population. In May 2020, DHS provided an update on the results of its ongoing efforts, reporting that, for fiscal year 2019, (1) CFATS program personnel had engaged with LEPCs or their designees in 777 counties representing 63.4 percent of the CFATS population of high-risk facilities; and (2) there were nearly 1,000 new IP Gateway users at the state-level. Lastly, in September 2020, DHS provided further updates showing-over the 2-year period since issuance of our report-CFATS program personnel had engaged with LEPCs (or their designees) representing 937 counties or 70.1 percent of the high-risk CFATS population; and significant growth in the numbers of new state and federal users of the IP Gateway both in fiscal year 2019 and to-date in fiscal year 2020. These actions have demonstrated DHS's consistent commitment to improving information-sharing and outreach with first responders and emergency planners so as to better ensure they are properly prepared to respond to incidents at CFATS high-risk chemical facilities. As a result, this recommendation is closed as implemented.
|