Re: Docket No. DHS-2014-0016, Advanced Notice of Proposed Rulemaking on the Chemical Facility Anti-Terrorism Standards



Similar documents
Ten Tips for Completing a Site Security Plan

November 30, Docket No. DHS Chemical Facility Anti-Terrorism Standards (CFATS) Appendix A. To Whom It May Concern:

Office of Infrastructure Protection Infrastructure Security Compliance Division

Best Practices: Meeting CFATS Performance Requirements A Town Hall Meeting

Risk-Based Performance Standards Guidance Chemical Facility Anti-Terrorism Standards. May 2009

The Office of Infrastructure Protection

Written Statement of Clyde D. Miller Director, Corporate Security BASF Corporation

Homeland Security Alert

Department of Homeland Security

SOCMA Frequently Asked Questions on CFATS and Appendix A

CRITICAL INFRASTRUCTURE PROTECTION. DHS Action Needed to Verify Some Chemical Facility Information and Manage Compliance Process

Actions to Improve Chemical Facility Safety and Security A Shared Commitment Report of the Federal Working Group on Executive Order 13650

DHS Chemical Security Program: Cyber Security Requirements

Written Statement of. Timothy J. Scott Chief Security Officer and Corporate Director Emergency Services and Security The Dow Chemical Company

CSAT Site Security Plan

Docket No. DHS , Notice of Request for Public Comment Regarding Information Sharing and Analysis Organizations

Chemical Security Assessment Tool (CSAT)

146 FERC 61,166 UNITED STATES OF AMERICA FEDERAL ENERGY REGULATORY COMMISSION

[ P] AGENCY: Transportation Security Administration, DHS. SUMMARY: This notice announces that the Transportation Security Administration

RESPONSIBLE CARE SECURITY CODE OF MANAGEMENT PRACTICES

Re: Docket No. DEA-218, Electronic Prescriptions for Controlled Substances

CSAT Top-Screen Survey Application

RE: Notice of Proposed Rulemaking, Request for Comments: Operation and Certification of Small Unmanned Aircraft Systems [Docket No.

Response to consultation on options for reform: a competition regime for growth

The Comprehensive Environmental Response,

CSAT Security Vulnerability Assessment

Rail Carrier Security Criteria

Submitted via September 12, 2013

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

1 A description of each Association is included in Appendix A.

[ P] Intent to Request Renewal From OMB of One Current Public Collection of. AGENCY: Transportation Security Administration, DHS.

SARA Title III Program General Information

Re: Medicare and Medicaid Programs; Electronic Health Record Incentive Program Modifications to Meaningful Use in 2015 through 2017; Proposed Rule

SITE PLAN APPROVAL PROCESS INTRODUCTION

PRODUCTS LIABILITY. Westlaw Journal Formerly Andrews Litigation Reporter

January 22, With this in mind, following are our responses to the questions posed in the December 18 Federal Register.

CALIFORNIA ASSOCIATION of SANITATION AGENCIES

Re: CMS 3819-P, Medicare and Medicaid Programs; Conditions of Participation for Home Health Agencies; Proposed Rule, Oct. 9, 2014.

Security Guidelines for. Agricultural distributors

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Backgrounder Office of Public Affairs Telephone: 301/

Summary of the Revised Debt Collection by Third-Party Debt Collectors and Debt Buyers Regulation 23 NYCRR 1

Presiding Commissioner Regulatory Burdens: Social and Economic Infrastructure Services Productivity Commission GPO Box 1428 Canberra City ACT 2601

October 21, Rayburn House Office Building 2302 Rayburn House Office Building Washington, D.C Washington, D.C.

GUIDE TO INFORMATION SECURITY TESTING AND ASSESSMENT

CMS Proposed Electronic Health Record Incentive Program For Physicians

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

VA Office of Inspector General

October 15, 2012 VIA ELECTRONIC FILING

Norwegian Data Inspectorate

Seven Things To Consider When Evaluating Privileged Account Security Solutions

NIST Cybersecurity Framework What It Means for Energy Companies

Re: REG , Additional Requirements for Charitable Hospitals, Proposed Rule

Personally controlled electronic health record (ehealth record) system

NAMD WORKING PAPER SERIES. Advancing Medicare and Medicaid Integration: An Update on Improving State Access to Medicare Data

005ASubmission to the Serious Data Breach Notification Consultation

By U.S. Mail and

Supplemental Tool: NPPD Resources to Support Vulnerability Assessments

HSIN R3 User Accounts: Manual Identity Proofing Process

JOINT EXPLANATORY STATEMENT TO ACCOMPANY THE CYBERSECURITY ACT OF 2015

Borden Ladner Gervais LLP Scotia Plaza, 40 King St W Toronto, ON, Canada M5H 3Y4 T F blg.com

Presidential Documents

EPCS FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES. Revised: January 2016

spreadsheets that are then provided to the person responsible for Environmental, Health & Safety (EHS).

Re: Comments on the Proposed Rules regarding the Regulation of the Conduct of Virtual Currency Businesses Addition to Part 200 to Title 23NYCRR

October 27, Docket No. CFPB , RIN 3170-AA10 Home Mortgage Disclosure (Regulation C)

December 31, comments to the Office of Dietary Supplements (ODS) at the National Institutes of Health on the

MSC Security Program Security in the Logistics Supply Chain

The Comprehensive Environmental Response,

Pursuant to the authority vested in the Commissioner of Health by Article 33 of the

FINAL SUPPORTING STATEMENT FOR 10 CFR PART 37 PHYSICAL PROTECTION OF CATEGORY 1 AND CATEGORY 2 QUANTITIES OF RADIOACTIVE MATERIAL

November 6, The Honorable Richard Cordray Director Consumer Financial Protection Bureau 1700 G Street NW Washington, DC

28042 Federal Register / Vol. 75, No. 96 / Wednesday, May 19, 2010 / Notices

DEPARTMENT OF HEALTH AND HUMAN SERVICES. Medicare, Medicaid, Children's Health Insurance Programs; Transparency Reports

Port Authority of New York/New Jersey Secure Worker Access Consortium Vetting Services

This page is intentionally left blank.

Multiple Award Schedules A roadmap to getting a Federal Supply Schedule contract

SCOPE. September 25, 2014, 0930 EDT

SUBCHAPTER A. General Rules for Medical Billing and Processing SUBCHAPTER B. Health Care Provider Billing Procedures and 133.

Total Protection for Compliance: Unified IT Policy Auditing

Transparent Government Demands Robust Data Quality

NYS LOCAL GOVERNMENT VULNERABILITY SCANNING PROJECT September 22, 2011

Department of Homeland Security Office of Inspector General

January 29, Senator Lamar Alexander Chairman, Senate HELP Committee 455 Dirksen Senate Office Building Washington, DC 20510

Physical Security Reliability Standard Implementation

Re: Docket No. DEA-218, Electronic Prescriptions for Controlled Substances, Interim Final Rule with Request for Comment

Audit of the Board s Information Security Program

ESSB H AMD TO APP COMM AMD (H /13) 388 By Representative Taylor FAILED 04/12/2013

NCPDP Electronic Prescribing Standards

DEPARTMENT OF JUSTICE. Drug Enforcement Administration. 21 CFR Parts 1305, [Docket No. DEA-217F] RIN 1117-AA60

April 8, Dear Assistant Administrator Stanislaus:

Business Plan in 2015 of Organization for Cross-regional Coordination of Transmission Operators, Japan

NURSING HOME PENALTY CASH FUND

CHEMICAL SECURITY: REGULATORY IMPACT STATEMENT

Regulatory Notice 08-24, Proposed Consolidated FINRA Rules Governing Supervision and Supervisory Controls

FY2010 CONFERENCE SUMMARY: HOMELAND SECURITY APPROPRIATIONS

HOMELAND SECURITY ACQUISITIONS

FREQUENTLY ASKED QUESTIONS FOR ELECTRONIC PRESCRIBING OF CONTROLLED SUBSTANCES

Transcription:

October 15, 2014 U.S. Department of Homeland Security National Protection and Programs Directorate Office of Infrastructure Protection Infrastructure Security Compliance Division 245 Murray Lane, Mail Stop 0610 Arlington, VA 20528-0610 Via Electronic Submission: http://regulations.gov Re: Docket No. DHS-2014-0016, Advanced Notice of Proposed Rulemaking on the Chemical Facility Anti-Terrorism Standards The National Association of Chemical Distributors (NACD) submits the following comments in response to the advance notice of proposed rulemaking published in the August 18, 2014, Federal Register issue regarding Docket Number DHS-2014-0016, Advanced Notice of Proposed Rulemaking on the Chemical Facility Anti-Terrorism Standards. Introduction NACD is an international association of nearly 440 chemical distributors and supply-chain partners. NACD s membership comprises businesses representing in total more than 85% of the chemical distribution capacity in the nation and generating 90% of the industry s gross revenue. NACD members, operating in all 50 states through nearly 1,800 facilities, are responsible for more than 155,000 direct and indirect jobs in the United States. NACD members are predominantly small regional businesses, many of which are multi-generational and familyowned. The typical chemical distributor has 26 employees and operates under an extremely low margin. Chemical distributors provide a unique and integral role in the supply chain. Manufacturers increasingly rely on chemical distributors to market and sell their products in a variety of packaging sizes to a diverse customer base. Every 7 seconds, an NACD member company is moving chemical products to and from their facility. This constant movement of chemicals results in chemicals being frequently added to and removed from inventory. Unlike the regular changes in inventory, NACD members security measures remain the same. NACD members meet the highest standards in safety and performance through mandatory participation in Responsible Distribution, NACD s third-party verified environmental, health, safety, and security (EHS&S) program. Through Responsible Distribution, NACD members demonstrate their commitment to continuous improvement in every phase of handling, transportation, storage, and disposal of chemical products. While security has always been an inherent element of Responsible Distribution, following the terrorist attacks of September 11,

2001, distributors were the first sector of the chemical industry to mandate security measures. NACD stepped into action and mandated specific security measures for its members and continues to assess Responsible Distribution s security measures against current threats. In February 2013, NACD added a specific Security Code that consolidated many prior requirements and enhanced others. These requirements apply to all NACD members, including those who do not have facilities covered under the Chemical Facility Anti-Terrorism Standards (CFATS) program. CFATS Information Submission Process There are several areas in which the CFATS information submission process can and should be improved. The current process is needlessly cumbersome and is particularly burdensome for small companies, including many NACD members. A few simple administrative changes to the Chemical Security Assessment Tool (CSAT) could eliminate some headaches and allow both DHS and regulated facilities to save time. First, DHS should add page numbers to all of the documents in the CSAT, which would facilitate the process for looking up and finding items. Next, a facility should be able to go into CSAT and access all of its submissions, including the Top Screen, the Security Vulnerability Assessment (SVA), and the Site Security Plan (SSP). Under the current system, once these materials are submitted, they are gone. A benefit of the proposed change would be to allow for a safe storage location for these documents. There is also precedent for allowing facilities to access their submissions within the federal government. For example, companies are able to access their Risk Management Plans through the Environmental Protection Agency s system. Another administrative complication is the process required in cases where the preparer, submitter, and approver for a company are the same individual. A company for which this is the case must create an alternative e-mail address for this individual, fax it to DHS, and await the response from the agency. The DHS should eliminate this hurdle in the system in order to save time and resources for both the agency and impacted companies. Regarding information submissions, if a facility makes a minor change that will not alter its security posture or tiering, there should be a simple way for that facility to inform DHS rather than going through the entire Top Screen, SVA, and SSP resubmission process. For example, if a facility has one theft and diversion chemical of interest (COI) on site, acquires a similar theft and diversion COI, and stores the new COI in the same area as the original COI with the appropriate security measures in place, that facility should be able to inform DHS of this addition through a simple letter or on-line update. There is precedent for this in the U.S. Drug Enforcement Administration Chemical Control Regulations. 1 On the other hand, if the same facility adds a release COI, which would likely substantially change that site s security posture, it is reasonable for that site to submit a new Top Screen, SVA, and SSP. 1 DEA Chemical Handler s Manual, 2013 Edition, pp. 17-18, Modification of Registration

Likewise, the redetermination process is far too difficult, particularly if a company is removing a COI from the site. Rather than requiring such a company to go through the entire Top Screen process, DHS should allow any facility that removes a COI to submit a simple one-page document stating the chemical is no longer on site and certifying the company has no future plans to bring the chemical on site. Another way to handle this would be for the facility to work with the local DHS inspector, who could come out to verify the COI is gone and submit this verification to headquarters. Some of these complications could be addressed up front if DHS were to change the Top Screen to ask facilities for information on chemicals in quantity ranges. Allowing this flexibility would eliminate the need for so many resubmissions while still providing needed information to DHS. The DHS could substantially streamline the overall submission process by eliminating the requirement for facilities to submit the SVA. While the SVA could be useful as an internal worksheet for facilities, it is not necessary. As more companies are using Alternative Security Programs (ASPs), DHS should allow any facility to submit an ASP that also serves as the SVA. In doing so, DHS must also eliminate the provision that limits the ability to submit ASPs for their SVAs to Tier 4 facilities. This option should be available to all facilities. Use of Alternative Security Programs NACD strongly supports the use of ASPs and is pleased that DHS is encouraging their use and implementation. ASPs allow facilities to describe their security measures in ways that are clear, understandable, and tailored to their specific situations. In addition, an ASP is an actual security plan that both facility employees and DHS inspectors can easily follow. In order to encourage more ASP submissions, NACD recommends that DHS clarify the policy of supporting ASP adoption in writing, for example, through a brief notice in the Federal Register. The DHS should also provide more guidance on how facilities can switch from the CFATS SSP to an ASP after they have already submitted the SSP. The DHS should establish a clear process and timeline for these facilities to submit ASPs and allow for an expedited plan approval process, particularly for companies that have already undergone an authorization inspection. The DHS can then confirm adherence to the plans during the compliance inspection phase. In addition, as more organizations adopt ASPs, DHS should make these templates available as resource documents to help others in their own ASP development. Site Security Plan Review Process The SSP review process can be streamlined. While it is helpful for DHS to conduct in-person authorization inspections at some facilities, the agency should allow for more flexibility in inspections for others. For example, if a company has multiple regulated facilities and has adopted a corporate approach to address relevant RBPSs, DHS could conduct in-person inspections for some of the sites and remote inspections for others, using audio/video technology.

Risk Based Performance Standards/Streamlining the SSP As many companies have done through their ASPs, it makes sense to streamline some of the Risk Based Performance Standards (RBPS). Specifically, NACD recommends that the following RBPSs be combined: RBPS 1 Restrict Area Perimeter and RBPS 3 Screen and Control Access RBPS 2 Secure Site Assets and RBPS 4 Deter, Detect, and Delay RBPS 13 Elevated Threats and RBPS 14 Specific Threats, Vulnerabilities, or Risks RBPS 15 Reporting of Significant Security Incidents and RBPS 16 Significant Security Incidents and Suspicious Activities These RBPSs address overlapping areas and call for many of the same security measures. In addition to combining these RBPSs to streamline them and eliminate duplication, NACD recommends that DHS make parallel changes to the SSP in order to shorten it and create a form that would result in an actual security plan. The DHS should also carefully examine the entire SSP and eliminate unnecessary questions. For example, inspectors have been telling facilities to disregard the K-ratings for fences and other perimeter barriers. While it is important to have the barriers in place, there is less, if any, concern about the K-rating. Therefore, questions on the K-rating should be dropped. For another example, under RBPS 18 Records it is unclear to NACD why the agency needs to know what time of day training took place. Appendix A There are some inconsistencies in the CFATS Appendix A list of chemicals that should be examined. For example, the minimum concentration for hydrogen peroxide is 35 percent, although potential adversaries can purchase the substance at beauty stores at a lower 30 percent concentration. Also, ammonium hydroxide is on the Environmental Protection Agency s Risk Management Program list of chemicals, but not on CFATS Appendix A. Small Business Considerations With the Top Screen, SVA, SSP, material modifications, and redetermination requests, the CFATS paperwork burden is overwhelming, particularly for small companies. NACD commends DHS for considering ways to streamline this process. For example, facilitating the adoption of ASPs will allow facilities to develop clear plans of reasonable length rather than generating hundreds of pages of data through SSPs that fail to result in usable plans. NACD urges DHS to adopt new ways for allowing companies to submit updates through simple notifications rather than forcing them to commit to the entire time-consuming Top Screen, SVA, and SSP process.

Alignment with Other Regulatory Programs There are inherent conflicts between CFATS and certain other regulations such as the EPA s Emergency Planning and Community Right-To-Know Act (EPCRA). CFATS was created to protect chemical facilities from potential terrorist attacks, and an important element of this is the protection of sensitive information. EPCRA, on the other hand, was created to inform local first responders and communities about chemicals in their areas to facilitate planning in the case of an emergency. While NACD agrees certain key entities such as local fire departments need information about chemicals at facilities, this information must continue to be limited only to those who truly have a need to know. This approach will uphold the security objective of CFATS. On the other hand, DHS should continue working with EPA and other agencies to compare and coordinate facility databases in order to find outliers who should be complying with CFATS but have failed to do so. Risk Tiering Methodology The CFATS risk tiering methodology has been a major concern since the program was launched. Some tiering assignments do not make sense, and there is absolutely no transparency in the system. This leads to regulatory uncertainty for facilities in determining whether to bring in new products and invest in new security measures. A perfect example was the case a few years ago in which DHS discovered a flaw in the tiering assignments that resulted in many facilities being retiered after already having invested in security measures based on their original assignments. While recognizing that tiering involves sensitive information, NACD encourages DHS to make the process more transparent. For example, the agency could at least provide ranges for chemicals that could result in certain tiering assignments so facilities could have some guidance from the beginning. While Congress has called out DHS for failing to include economic criticality as an element in CFATS risk tiering, NACD believes it is unnecessary to include this as an essential element. Because of the expanse, diversity, and strong distribution network of the chemical industry, there are few, if any, sites that are stand-alone economically critical. Adding this as an element in risk tiering would needlessly complicate an already complex process. Personnel Surety NACD continues to have concerns about DHS s proposed Personnel Surety Program (PSP). First, it is unreasonable to require companies to submit information to check against the Terrorist Screening Database (TSDB) multiple times if an employee of the company goes to multiple sites. There is no need to submit the same information for the same person at every single site. NACD is also concerned DHS will not necessarily inform a facility if an individual whose information that facility has submitted results in a match to the TSDB. If DHS does not notify facilities of the screening results, facility owners and operators will be unable to affirm that individuals with access to sensitive areas do not present security threats. Facilities will not have

the information needed to stop those with terrorist ties from accessing critical assets. This is contrary to the purpose of CFATS, which is to keep terrorists out of facilities with chemicals of interest and other critical assets. Even if DHS plans to apprehend potential terrorists upon discovering TSDB matches, failing to inform facility operators of these matches in a timely fashion could allow terrorists to gain access and begin to develop damaging attack plans. In order to ensure that those intent on harming the chemical industry and the nation are not allowed access to critical assets, NACD strongly encourages DHS to reconsider its decision not to automatically inform facilities of individuals TSDB status when the agency finalizes the PSP. Conclusion CFATS is a robust program that has enhanced chemical facility security throughout the nation. The fundamentals of the program are strong. Measures to streamline information, increase efficiencies, and simplify processes will improve CFATS further and allow more resources to be dedicated directly to enhancing security. Maintaining the robustness of the CFATS program while also making it simple to understand and implement will further facilitate compliance, especially for potential outliers. Thank you for the opportunity to provide these comments. If you have questions, or require additional information, please do not hesitate to contact me. Sincerely, Jennifer C. Gibson Vice President, Regulatory Affairs National Association of Chemical Distributors 1560 Wilson Blvd., Suite 1100 Arlington, VA 22209

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information