[Federal Register: December 28, 2006 (Volume 71, Number 249)]
[Proposed Rules]
[Page 78275-78332]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28de06-24]
[[Page 78275]]
-----------------------------------------------------------------------
Part II
Department of Homeland Security
-----------------------------------------------------------------------
6 CFR Part 27
Chemical Facility Anti-Terrorism Standards; Proposed Rule
[[Page 78276]]
-----------------------------------------------------------------------
DEPARTMENT OF HOMELAND SECURITY
6 CFR Part 27
[DHS-2006-0073]
RIN 1601-AA41
Chemical Facility Anti-Terrorism Standards
AGENCY: Department of Homeland Security.
ACTION: Advance Notice of Rulemaking.
-----------------------------------------------------------------------
SUMMARY: Section 550 of the Homeland Security Appropriations Act of
2007 (``Section 550'') provided the Department of Homeland Security
with authority to promulgate ``interim final regulations'' for the
security of certain chemical facilities in the United States. This
notice seeks comment both on proposed text for such interim final
regulations and on several practical and policy issues integral to the
development of a chemical facility security program.
DATES: Written comments must be submitted on or before February 7,
2007.
ADDRESSES: Comments, identified by docket number or RIN number, may be
submitted by one of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Mail: Comments by mail are to be addressed to IP/CNPPD/
Dennis Deziel, Mail Stop 8610, Department of Homeland Security,
Washington DC 20528-8610.
Instructions: All submissions must include the agency name and
docket number or Regulatory Information Number (RIN) for this
rulemaking. All comments will be posted without change to
http://www.regulations.gov, including any personal information sent with each
comment. For detailed instructions on submitting comments and
additional information on the rulemaking process, see the ``Public
Participation in Rulemaking Process'' heading of the SUPPLEMENTARY
INFORMATION section of this document.
Docket: For access to the docket to read background documents or
submitted comments, go to http://www.regulations.gov. Submitted
comments by mail may also be inspected. To inspect comments, please
call Dennis Deziel, 703-235-5263, to arrange for an appointment.
Comments that include trade secrets, confidential commercial or
financial information, or sensitive security information (SSI) should
not be submitted to the public regulatory docket. Please submit such
comments separately from other comments on the rule. Comments
containing trade secrets, confidential commercial or financial
information, or SSI should be appropriately marked as containing such
information and submitted by mail to the individual(s) listed in the
FOR FURTHER INFORMATION CONTACT section.
FOR FURTHER INFORMATION CONTACT: Dennis Deziel, Chief Program Analyst,
Chemical Security Regulatory Task Force, Department of Homeland
Security, 703-235-5263.
SUPPLEMENTARY INFORMATION:
Introduction
Since 2003, the Department of Homeland Security (DHS) has been
working with its private sector partners in the chemical industry,
state and local governmental entities and other interested parties on
chemical facility security issues. Although many companies in the
chemical industry have initiated voluntary security programs and have
made significant capital investments in responsible security measures,
the Secretary of Homeland Security has concluded that voluntary efforts
alone will not provide sufficient security for the nation.
Beginning in 2005, through 2006, and most explicitly on September
8, 2006, the Secretary requested that Congress provide the Department
of Homeland Security with regulatory authority to establish and require
implementation of risk-based performance standards for the security of
our nation's high-risk chemical facilities. Congress took action on
those requests, and on October 4, 2006, the President signed the
Department of Homeland Security Appropriations Act of 2007 (the Act),
which provides the Department of Homeland Security with the authority
to regulate the security of high-risk chemical facilities. See Pub. L.
109-295, sec. 550. The Department now intends to implement an
appropriate regulatory program under Section 550 of that Act as quickly
and responsibly as possible, focusing its resources first on those
facilities in our nation that present the highest levels of security
risk.
This notice discusses a range of regulatory and implementation
issues. The program proposed by this notice would be implemented in
phases, and DHS would address chemical facilities with the most
significant risk profiles as early in the program as possible. For each
phase, the program would contain several basic steps:
Chemical facilities fitting certain risk profiles would
complete a ``Top-screen'' risk assessment methodology accessible
through a secure Department website. The Department would use this
methodology to determine if a chemical facility ``present[s] a high
level of security risk'' and should be covered by this program.
If the Department determines that a chemical facility
qualifies as ``high risk,'' the Department would require the facility
to prepare and submit a Vulnerability Assessment and Site Security
Plan, and would provide technical assistance to the facility as
appropriate.
Following a facility's submission of these materials, the
Department would review the submissions for compliance with risk-based
performance standards. The Department (or when appropriate, a
DHS-certified third-party auditor) would follow up with a site inspection
and audit.
If the facility's Vulnerability Assessment or Site
Security Plan is found deficient or if other problems arise, the
facility could seek further technical assistance from the Department,
and could consult, object, or appeal depending on the stage of the
process. If the Vulnerability Assessment and/or Site Security Plan are
ultimately disapproved, the covered facility would be required to
revise its plan and resubmit the materials to meet the Department's
performance standards, or face the penalties and other remedies set
forth in the statute.
If the covered facility's submissions are approved, the
security plan is fully implemented and the facility is otherwise in
compliance, the Department would issue a Letter of Approval to document
the determination. The Department would also then notify the facility
of its continuing obligations--based on its level of risk--to maintain
and periodically update its Vulnerability Assessment and Site Security
Plan.
This advance notice describes the details of these steps along with
a number of policy and implementation issues. We seek comment on all
aspects of this new regulatory program, including the many policy and
practical questions integral to the successful implementation of the
program.
Solicitation of Comment
Section 550 requires the Secretary of Homeland Security to
promulgate ``interim final regulations establishing risk-based
performance standards for security of chemical facilities * * *.'' He
must do so ``[n]o later than six months'' from the date of enactment of
this new authority, i.e. by April 4, 2007. The Executive Branch has
implemented rules under other, similar regulatory
authorities over the course of years rather than months. See, e.g., 42
U.S.C. 7412(r)(3) (requiring the promulgation of an initial list of
chemicals within two years); 42 U.S.C. 7412(r)(7)(B)(i) (requiring
promulgation of regulation within three years). By directing the
Secretary to issue ``interim final regulations,'' Congress authorized
the Secretary to proceed without the traditional notice-and-comment
required by the Administrative Procedure Act. See, e.g., Jeffrey S.
Lubbers, A Guide to Federal Agency Rulemaking 114 (4th ed. 2006)
(citing Omnibus Budget Reconciliation Act of 1987, and stating that
notice and comment is not required where statute specifically permits a
regulation to be issued in the interim final form); see also 65 FR
34,983 (Jun. 1, 2000) (interim final rule for Medicare program issued
under that authority). Although ``interim final regulations'' may be
(and often are) issued without prior notice and comment (and the Act
requires no prior notice or comment period), the Department believes it
would nevertheless be prudent to seek comment on many of the
significant issues that will be addressed by such regulations while
maintaining the aggressive timeline for implementation. An advance
notice of proposed rulemaking is the typical route to seek comment in
advance of an NPRM. Here, because Section 550 requires the Secretary to
issue an interim final rule rather than an NPRM followed by a final
rule, our advance notice seeks comment on text for an upcoming interim
final rule. In this respect, this notice serves the purposes usually
achieved by both an ANPRM and an NPRM. In addition, it is our intention
to seek further comment with the interim final rule on additional
implementation issues, and on any agency guidance that may follow.
The Department seeks public comment from all interested parties by
February 7, 2007, on the questions, issues and proposed regulatory
language identified in this notice. Given the 6-month deadline under
Section 550 to promulgate an interim final rule, it will be necessary
to complete that rule and reach conclusions on many of the issues
raised herein early in 2007. Thus, this February 7, 2007, deadline
cannot reasonably be postponed.
This notice is organized as follows: Section I provides a brief
summary of relevant pre-existing Federal initiatives and regulatory
authorities; Section II discusses the structure and requirements of the
statute; Section III describes a proposed ``phased'' implementation
with an immediate priority on the highest risk chemical facilities; and
Section IV addresses a range of other legal and programmatic issues.
Table of Contents
I. Brief History of Federal Pre-Existing Chemical Security Tools and
Programs
A. DHS Risk Assessment Methodology (RAMCAP), Chemical Buffer
Zone Protection Program, and Site Assistance Visits
1. Risk Assessment Methodology (RAMCAP)
2. Chemical Buffer Zone Protection Program
3. Site Assistance Visits
B. U.S. Coast Guard Maritime Security Regulations
C. Rail Security
D. Environmental Protection Agency Risk Management Program
E. Occupational Safety and Health Administration
F. Chemical Weapons Convention
G. The Explosives Authority of the Bureau of Alcohol, Tobacco,
Firearms, and Explosives
II. Structure and Requirements of Section 550
A. The Mandate to Promulgate Interim Final Regulations ``No
later than six months after the date of enactment * * *''
B. Authority to Regulate ``Chemical Facilities'' that Present a
``High Level of Security Risk''
C. Determining which Facilities Present a High Level of Security
Risk
D. Risk-Based Performance Standards for Security of Chemical
Facilities
E. Vulnerability Assessments and the Development and
Implementation of Site Security Plans for Chemical Facilities
1. Vulnerability Assessments
2. Site Security Plans
3. Alternative Security Programs
4. Guidance Regarding Site Security Plans
F. Audits and Inspections
G. Background Checks
H. Approval and Disapproval of Vulnerability Assessments and
Site Security Plans
I. Remedies
J. Objections and Appeals
K. Chemical-terrorism Vulnerability Information
1. Protection from Public Disclosure
2. Protection from Disclosure in Litigation
L. Statutory Exemptions
III. Implementation
A. Immediate Priority on Highest Risk Facilities
B. Consultations and Technical Assistance
IV. Other Issues
A. Third-Party Lawsuits
B. Regulatory Requirements/Matters
1. Executive Order 12,866
2. Regulatory Flexibility Act
3. Executive Order 13,132: Federalism
4. Unfunded Mandates Reform Act Assessment
5. National Environmental Policy Act
V. Proposed Text for Interim Final Rule
I. Brief History of Federal Pre-Existing Chemical Security and Safety
Programs
Prior to the enactment of Section 550, the Federal government did
not have authority to regulate the security of most chemical
facilities. Over the past three years, the Department has urged
voluntary enhancement of security at these facilities and provided both
technical assistance and grant funding for security. In addition,
through the Coast Guard's Maritime Security regulations, the Department
has addressed security at certain maritime-related chemical facilities.
Recently, the Departments of Homeland Security and Transportation have
cooperated in addressing the security of rail transportation of
hazardous chemicals.
Other Federal programs have addressed chemical facility safety, but
not security: the Environmental Protection Agency (``EPA''), for
instance, regulates chemical process safety through its Risk Management
Plan (RMP) program; the Occupational Safety and Health Administration
(``OSHA'') regulates workplace safety and health at chemical
facilities; and the Department of Commerce oversees compliance with the
Chemical Weapons Convention. Finally, the Department of Justice's
Bureau of Alcohol, Tobacco, Firearms, and Explosives (``ATF'')
regulates, through licenses and permits, the purchase, possession,
storage, and transportation of explosives. Because Section 550 will
build on pre-existing Federal security initiatives and chemical safety
programs, a brief summary of these pre-existing initiatives and
programs is appropriate here.
A. DHS Risk Assessment Methodology (RAMCAP), Chemical Buffer Zone
Protection Program, and Site Assistance Visits
1. Risk Assessment Methodology (RAMCAP)
For the past two years, the Department has worked with the American
Society of Mechanical Engineers, with input from many other parties, to
develop a risk assessment methodology for many elements of our nation's
critical infrastructure. The methodology is composed of two separate
parts and can be utilized to perform both a preliminary ``consequence''
analysis and a more thorough vulnerability assessment on chemical
facilities.
The first segment of the RAMCAP methodology is a screening tool
known as the Top-screen, and is designed to be used through a secure
Department Web site. For chemical facilities, the Top-screen
solicits answers to a series of questions intended to assess the
level of damage that could result from a terrorist incident at the
facility. The Top-screen process draws in part on preexisting data from
the EPA's Risk Management chemical safety program (``RMP,'' discussed
below). For example: Does the facility operate any RMP Program 2 or 3
processes? If so, how many persons could be exposed by a toxic release
worst case scenario? How many persons could be exposed by a flammable
release worst case scenario? The Top-screen also includes queries
regarding manufacture and storage of explosives materials, and seeks
information on quantities of chemical substances and precursors
addressed by the Chemical Weapons Convention. See 22 U.S.C. 6701. The
Top-screen process is intended to gather information both to evaluate
the consequences of a catastrophic explosion or release and to assess
the possible danger if dangerous chemicals are stolen. A more detailed
description of the Top-screen process is available as Appendix A.
The second segment of RAMCAP provides the tools to conduct a
thorough facility Vulnerability Assessment and could also be utilized
via a secure website. It has three fundamental steps, each with
detailed instructions:
1. Identify the assets on the facility;
2. Apply specified threat scenarios to each asset to quantify the
resulting consequences if an attack succeeded; and
3. Apply the threat scenarios to each asset in light of the
security measures in place and evaluate the likelihood and the degree
to which the attack could succeed.
A detailed description of this process is set forth in Appendix B.
Note that many responsible facilities have already conducted analyses
of this type. Such analyses may be acceptable during the initial stages
of the Section 550 program.
2. Chemical Buffer Zone Protection Program
The Chemical Buffer Zone Protection Program (Chem-BZPP) is designed
to identify and implement voluntary protective measures for the area
outside of a chemical facility's fence, or the ``buffer zone,'' to make
it more difficult for a potential attacker to plan or launch an attack.
These plans are intended to develop effective preventive and protective
measures within the immediate vicinity of high-priority chemical sector
critical infrastructure targets. The plans also increase the
security-related capabilities of the jurisdictions responsible for the security
and safety of the surrounding communities. DHS provides funds to
localities to support the implementation of regional buffer zone plans
and mitigate the identified vulnerabilities. In fiscal year (FY) 2006,
the Department awarded $25,000,000 under this program.
Part of this effort is the BZPP Webcam Pilot Program, a web-based
program using cameras installed at a few high-consequence chemical
facilities. These webcams enable local law enforcement and DHS to
conduct remote surveillance of the buffer zone surrounding each
facility during times of elevated threat to help identify any terrorist
surveillance and planning activities and link incidents across
facilities.
3. Site Assistance Visits
Upon request, DHS conducts ``inside-the-fence'' site assistance
visits to critical chemical facilities for a variety of reasons--a
facility presents a high level of risk, the owner requests it, or the
facility or sector is under threat. The site visits are conducted by
DHS protective security professionals, subject-matter experts, and
local law enforcement, along with the facility's owners and operators.
These visits facilitate security vulnerability identification and
mitigation discussions between government and industry. The visits also
provide facilities and localities with valuable information on how to
better protect the facility from a terrorist attack. After a visit, DHS
suggests protective measures and issues a report to the facility to
bolster its protective measures.
B. U.S. Coast Guard Maritime Security Regulations
The Maritime Transportation Security Act of 2002 (MTSA) (Pub. L.
107-295, Nov. 25, 2002) enacted chapter 701 of Title 46, U.S. Code and
required the Secretary of Homeland Security to issue regulations to
strengthen the security of American ports and waterways and the ships
that use them. This authority, in addition to other grants of
authority, served as the basis for a comprehensive maritime security
regime. Through these rules, the Coast Guard issued regulations to
ensure the security of vessels, facilities, and other elements of the
maritime transportation system. Part 105 of title 33 of the Code of
Federal Regulations imposed requirements on a range of maritime
facilities, including hazardous material and petroleum facilities and
those fleeting facilities that receive barges carrying, in bulk,
cargoes regulated by Subchapters D and O of Chapter I, Title 46, Code
of Federal Regulations or Certain Dangerous Cargoes.
Under the Coast Guard's maritime security regulations, these
facilities are required to perform security assessments, and then,
based on these assessments, develop security plans, and implement
security measures and procedures in order to reduce the risk of and to
mitigate the results of any security incident that threatens the
facility, its personnel, the public, the environment, and the economy.
C. Rail Security
The Departments of Transportation (DOT) and Homeland Security both
have authority to regulate rail transportation. The Federal hazardous
materials transportation law authorizes the Secretary of Transportation
to establish regulations for the safe transportation, including
security, of hazardous materials in intrastate, interstate, and foreign
commerce. See 49 U.S.C. 5101 et seq., as amended by section 1711 of the
Homeland Security Act of 2002 (Pub. L. 107-296, Nov. 25, 2002) and
Title VII of the Safe, Accountable, Flexible and Efficient
Transportation Equity Act: Legacy for Users (SAFETEA-LU) (Pub. L.
109-59, Aug. 10, 2005). DHS, through TSA, has authority to ``oversee the
implementation, and ensure the adequacy, of security measures at
airports and other transportation facilities.'' 49 U.S.C. 114(f)(11).
Pursuant to DOT's authority, the Pipelines and Hazardous Materials
Safety Administration (PHMSA) has issued, and the Federal Railroad
Administration (FRA) enforces, various regulations that impact rail
security. HM-232 requires covered persons--those who offer certain
hazardous materials for transportation in commerce and those who
transport certain hazardous materials in commerce--to develop and
implement security plans. At a minimum, these security plans for
transportation must address personnel security, unauthorized access for
the transportation-related areas of facilities, and en route security
for shipments of the covered hazardous materials. See 49 CFR 172.800,
172.802, and 172.804. In addition, PHMSA has issued regulations to
reduce the risks to safety and security of leaving loaded rail cars
unattended for periods of time. Pursuant to 49 CFR 174.14 and 174.16, a
carrier must forward each shipment of hazardous materials ``promptly
and within 48 hours (Saturdays, Sundays, and holidays excluded)'' after
the carrier accepts the shipment at the originating point or the
carrier receives the
shipment at any yard, transfer station, or interchange point.
Together with the Department of Transportation, DHS has recently
taken many steps regarding security in the transportation of hazardous
materials by rail. On June 23, 2006, DOT and DHS jointly issued a set
of twenty-four ``security action items'' for the freight rail carriers
of materials that are ``toxic by inhalation'' (TIH) (these materials
are also referred to as ``poisonous by inhalation'' (PIH)). DOT and
DHS, in consultation with the industry, developed these action items by
observing and assessing the security-related practices that rail
carriers use. The action items addressed three phases of security: (1)
System Security, (2) En-route Security, and (3) Access Control.
In August 2006, the Federal government and the industry agreed upon
``supplemental'' security action items including measures to address
four critical areas: (1) The establishment of secure storage areas for
rail cars carrying TIH materials, (2) the expedited movement of trains
transporting rail cars carrying TIH, (3) the positive and secure
handoff of TIH rail cars at point of interchange and at points of
origin and delivery, and (4) the minimization of unattended loaded tank
cars carrying TIH materials. The rail carriers will submit these plans
to TSA for review, and TSA will subsequently monitor and evaluate the
success of the plans in reducing the standstill (dwell) time of TIH
shipments in high threat urban areas.
On December 21, 2006, DOT and TSA issued notices of proposed
rulemaking that would impose additional obligations, including new
requirements regarding transportation of PIH materials. See DOT's
notice of proposed rulemaking titled ``Enhancing Rail Transportation
Safety and Security for Hazardous Materials Shipments'' at 71 FR 76834
and TSA's notice of proposed rulemaking titled ``Rail Transportation
Security'' at 71 FR 76851. The proposed regulations would cover
railroad carriers that transport certain hazardous materials, including
bulk shipments of PIH materials. Among other measures, the proposed DOT
rule would require railroad carriers to analyze the safety and security
risks of the routes used. It would also require clarifications of the
current security plan requirements to address en route storage, delays
in transit, and delivery notification. In addition, it would require
rail carriers to conduct pre-trip visual inspections at the ground
level of rail cars containing PIH materials to detect improvised
explosive devices (IEDs) or other evidence of tampering.
The proposed TSA rule would require those rail hazardous materials
shippers and receivers, along with freight and passenger railroad
carriers and rail transit systems, to (1) Designate a rail security
coordinator to serve as the primary contact for the receipt of
intelligence information and for other security-related activities; (2)
allow TSA and other authorized DHS officials to enter and inspect
property, facilities, equipment, and operations; and (3) report
incidents, potential threats, and significant security concerns to DHS.
In addition, TSA proposes to impose two additional requirements on PIH
rail hazardous materials shippers and receivers, as well as freight
railroad carriers that transport PIH: to (1) Provide to TSA, upon
request, the location and shipping information of rail cars within their
physical custody or control that contain PIH materials, and (2) provide
for a secure chain of custody and control of rail cars that contain PIH
materials.
D. Environmental Protection Agency Risk Management Program
Pursuant to the Clean Air Act (CAA), EPA's Risk Management Program
requires chemical facilities with listed chemicals in amounts exceeding
prescribed threshold limits to implement an accident prevention
program, an emergency response program, prepare a five-year accident
history, and submit to EPA a risk management plan (RMP). See 42 U.S.C.
7412(r). These requirements are intended to prevent accidental releases
and minimize the consequences of such releases by focusing on chemicals
that in the event of an accidental release, could reasonably be
expected to cause death, injury, or serious adverse effects to human
health and the environment. On January 31, 1994, EPA promulgated a list
of regulated substances and thresholds that identify stationary sources
subject to the accidental release prevention regulations. 59 FR 4,478.
Two years later, EPA issued a rule requiring the owners of these
sources to develop accidental release programs and summaries of these
plans. 61 FR 31,668 (Jun. 20, 1996).
An RMP contains information on the regulated substances handled at
the facility, an analysis of the potential consequences of hypothetical
accidental chemical releases (i.e., ``worst-case'' and ``alternative
release'' scenarios), a five-year accident history, and information
about the chemical accident prevention and emergency response programs
at the facility. In 1999, more than 15,000 U.S. facilities submitted
RMP information to EPA. Regulated facilities are required to update
their RMPs at least every five years, and more frequently if specified
changes occur.
As the RMP chemical list and threshold limits were established by
EPA based on a chemical's potential for acute offsite health impacts in
the event of a large air release, the Department believes that a number
of the facilities regulated under this program may also qualify as
``high-risk'' facilities covered under Section 550. Although the RMP
data are extremely useful, the Department is mindful of the fact that
they contain information related only to a specified list of industrial
chemicals that present air release hazards. The RMP data do not provide
information relating to other potentially ``high-risk'' facilities,
such as certain facilities covered by the Chemical Weapons Convention
or certain other facilities that might be targeted for chemical theft
or diversion.
E. Occupational Safety and Health Administration
The Occupational Safety and Health Administration (OSHA), an agency
within the U.S. Department of Labor, regulates conditions and hazards
affecting the health and safety of employees in the workplace. OSHA's
mission is to prevent work-related injuries, illnesses, and deaths.
OSHA regulates employers through specific enumerated safety standards
(see, e.g., 29 CFR part 1910) and through a ``general duty clause''
(see 29 U.S.C. 654(a)(1)), which requires a safe workplace even in the
absence of specific standards. OSHA enforces these standards by
inspecting workplaces and by issuing citations for violations.
OSHA has developed and enforces several standards that ensure
chemical safety in the workplace. The Process Safety Management of
Highly Hazardous Chemicals standard contains requirements for the
management of hazards associated with processes using highly hazardous
chemicals. See 29 CFR 1910.119. The Hazardous Waste Operations and
Emergency Response Standard (HAZWOPER) covers emergency response
operations for the release of, or substantial threats of releases of,
hazardous substances without regard to the location of the hazard. See
29 CFR 1910.120 and 1926.65.
In addition, OSHA has several other regulations that protect
employees who are exposed to chemicals in the course of their work. In
Subpart Z to 29 CFR 1910, OSHA establishes permissible exposure limits
(PELs) for toxic and hazardous substances. Employers must measure
employee exposure to these
substances and must take measures to limit employee exposures when the
exposures reach impermissible limits. In Subpart I to 29 CFR 1910, OSHA
establishes requirements for personal protective equipment (PPE).
Employers must conduct hazard assessments. Where employees are exposed
to impermissible exposures (which may, in some cases, be chemical
exposures), employers must provide employees with proper PPE to assist
in controlling the hazard.
Another standard related to chemical safety is OSHA's Hazard
Communication Standard (HCS). The HCS was promulgated to provide
workers with the right to know the hazards and identities of the
chemicals they are exposed to while working, as well as the measures
they can take to protect themselves. The HCS requires chemical
manufacturers and importers to evaluate the hazards of the chemicals
they produce and import. It also requires chemical manufacturers and
importers to prepare labels and material safety data sheets (MSDSs) to
convey the hazard information to their downstream customers. All
employers with hazardous chemicals in their workplaces must have labels
and MSDSs for their exposed workers and must train exposed workers to
handle the chemicals appropriately. See 29 CFR 1910.1200.
F. Chemical Weapons Convention
The United States is a party to the Chemical Weapons Convention
(CWC), which prohibits the development, production, stockpiling, and
use of chemical weapons. The Convention entered into force on April 29,
1997, and was implemented in the United States by statute at 22 U.S.C.
6701 et seq., with regulations at 15 CFR 710 et seq. The CWC does not
prohibit production, processing, consumption, or trade of related
chemicals for peaceful purposes, but it does establish a verification
regime to ensure such activities are consistent with the object and
purpose of the treaty. The CWC requires reporting and on-site
inspections that are triggered when quantitative threshold activity
levels are exceeded. The CWC monitors chemicals in three lists, or
schedules, and certain ``unscheduled discrete organic chemicals.''
Schedule 1 includes toxic chemicals with few or no legitimate uses
that are developed or used primarily for military purposes. Examples of
schedule 1 chemicals include nerve agents, such as Sarin, and blister
agents, such as Mustard and Lewisite. Schedule 2 includes chemicals
that can be used for chemical weapons production, but that also have
certain legitimate uses. Schedule 2 chemicals are not produced in large
commercial quantities, and these include certain chemicals used to
manufacture fertilizers and pesticides. Schedule 3 chemicals are those
that can be used for chemical weapons production, but also have
significant legitimate uses. Schedule 3 chemicals are produced in large
commercial quantities and include chemicals used to manufacture paint
thinners, cleaners, and lubricants.
As noted, the CWC imposes declaration and on-site inspection
requirements upon industry when production, processing, or consumption
exceeds certain thresholds. Inspections under the CWC are conducted to
assess the risk and guide future routine inspections. In addition,
inspections are conducted to verify the consistency with the
declarations of the levels of production, processing, or consumption.
These inspections also seek to confirm the absence of undeclared
Schedule 1 chemicals.
G. The Explosives Authority of the Bureau of Alcohol, Tobacco,
Firearms, and Explosives
ATF is an enforcement and regulatory organization responsible for,
among other things, the investigation and prevention of Federal
offenses involving the unlawful use, manufacture, and possession of
explosives. ATF regulates, through licenses and permits, the purchase,
possession, storage, and transportation of explosives. See generally 27
CFR Part 555. Specifically, ATF explosives regulations govern commerce;
licensing of manufacturers, importers, and dealers; issuance of
permits; business by licensees and operations by permittees; storage;
and the records and reports required of licensees and permittees. 27
CFR 555.1. Each year, ATF issues the List of Explosives subject to
these explosives requirements. See, e.g., 70 FR 73,483 (Dec. 12, 2005).
Facilities that possess or store explosives (including
manufacturing facilities) must also be properly licensed by ATF. See 27
CFR 555.41 et seq. For facilities that possess or store listed
explosives, ATF requires certain safety precautions, including specific
requirements governing the actual storage of the materials. See 27 CFR
555.201 et seq. ATF also prohibits shipment, transport, or possession
of any explosive material by ``prohibited persons,'' including a person
under indictment or convicted of a crime punishable by imprisonment for
a term exceeding one year; a fugitive from justice; an unlawful user of
a controlled substance; or a person who ``has been adjudicated a mental
defective.''
Id. at 555.26(c), 555.49. ATF may conduct an investigation to confirm
that an applicant is entitled to a license. Id. ATF will also conduct a
background check on all persons and employees who are authorized to
possess explosive materials as part of their employment. See 27 CFR
555.33.
II. Structure and Requirements of Section 550
With the authority under Section 550, the Department can now fill a
significant security gap in the country's anti-terrorism efforts.
Section 550 of the Act is a compact two-page set of mandates
establishing the parameters of the Federal government's first
regulatory program to secure chemical facilities against possible
terrorist attack. Each subsection and sentence of this provision has
significant consequences for the structure and content of the
regulatory program.
A. The Mandate to Promulgate Interim Final Regulations ``No later than
six months after the date of enactment * * *''
As discussed above, applicable statutes do not require the
Department to seek comment prior to issuing these regulations, but we
believe public comment will be very helpful in formulating the interim
final rule and structuring the program. Cf. Administrative Conference
of the United States Recommendation 76-5 (when it is necessary to make
a rule effective immediately, agencies should give the public the
opportunity to submit post-promulgation comments) (cited in Michael
Asimow, Nonlegislative Rulemaking and Regulatory Reform, 1985 Duke L.J.
381, 426). An interim final rule has the same legal effect as a final
rule. See, e.g., Career College Ass'n v. Riley, 74 F.3d 1265, 1268
(D.C. Cir. 1996) (stating that interim final rule is final for purposes
of statute requiring adoption of final rule by statutory date). In this
regard, this notice discusses a number of issues related to
promulgating chemical facility security regulations and invites
comments on these issues. This notice includes proposed regulatory text
which represents the Department's initial preference unless otherwise
identified, but the Department also seeks comment on proposals and
ideas discussed in the preamble but not contained in the regulatory
text because the Department is interested in comments on alternative
approaches.
[[Page 78281]]
The Department is currently considering a number of procedural
questions that relate to the authority it has been granted. An initial
question is whether the Department is required to finalize the interim
regulations in light of the express language of 550(b), which provides
that these interim regulations will apply until ``interim or final
regulations promulgated under other laws'' are in effect. Pub. L. 109-
295, Oct. 4, 2006 (emphasis supplied). We believe that the answer to
that question is no; Congress gave the Department the authority to
issue regulations in the interim final rule only; it did not
contemplate that such regulations be ``finalized'' under this
authority. It is important to note that these ``interim'' regulations
will nevertheless have the full effect of law as if they were final.
See, e.g., Career College Ass'n v. Riley, 74 F.3d 1265, 1268 (D.C. Cir.
1996).
A second issue is whether the Department can revise the interim
final regulations issued under Section 550. Commentators have argued
that the regulations cannot be revised since 550(a) and (b) indicate
that the regulations must be issued ``no later than six months after
the date of enactment'' and ``shall apply until'' the end date
contemplated by Section 550(b). We believe the better view is that the
regulations can be revised after the six month timeframe.
A third issue is what type of future legislation is necessary to
replace the interim final rule under Section 550(b). Certainly, Section
550 could be superseded or extended in either an appropriations bill or
in authorization legislation. If a future appropriations bill continued
funding for the Section 550 program beyond that period, the Department
could consider that future funding for the program as an extension of
the ``authority provided by this section.''
B. Authority To Regulate ``Chemical Facilities'' that Present a ``High
Level of Security Risk''
A fundamental question posed by Section 550 is which facilities it
covers. Section 550 specifies that the provision ``shall apply to
chemical facilities that, in the discretion of the Secretary, present
high levels of security risk.'' The terms ``chemical facilities'' and
``high levels of security risk'' are not specifically defined in
Section 550. Both terms have, however, been used in two prior
legislative proposals with more explicit indications of their meaning.
See H.R. 5695, 109th Cong. (2006), S. 2145, 109th Cong. (2006).
Although the Department is not bound to interpret these terms in
concert with language of prior unenacted legislative proposals, those
prior proposals can provide helpful context on this specific
definitional issue.
In H.R. 5695, the term ``chemical facility'' refers to any facility
that the Secretary has determined to possess more than a threshold
amount of a potentially dangerous chemical. See H.R. 5695, 109th Cong.
sec. 2 (2006) (adding section 1802(b)(2) and subsequent sections in the
Homeland Security Act). (S. 2145 uses different terms to a similar
effect.) In neither instance is a ``chemical facility'' limited to a
chemical manufacturing facility, a chemical distribution facility, or
any other single specific type of facility that uses or stores
potentially dangerous chemicals. Instead, the question of what
constitutes a chemical facility turns not on the name or type of
facility at issue, but instead on whether the facility uses, stores or
otherwise possesses dangerous chemicals, and in what amount. The
Department believes that a similar meaning of ``chemical facility'' is
appropriate in implementing Section 550. Thus, subject to certain
statutory exclusions which are discussed below in section II.L., the
Department proposes to define ``chemical facility'' as ``any facility
that possesses or plans to possess, at any relevant point in time, a
quantity of a chemical substance determined by the Secretary to be
potentially dangerous or that meets other risk-related criterion
identified by the Department.'' See proposed 6 CFR 27.100. We invite
comment specifically on this interpretation or any alternative
definitions of the term ``chemical facility.''
Of course, the term ``chemical facility'' is only significant in
relation to other text in the statute. Section 550 also specifies that
regulations promulgated under its authority are only applicable to a
``chemical facility'' that, ``in the discretion of the Secretary,
presents [a] high level[] of security risk.'' Not all chemical
facilities present a high level of security risk. (Indeed, not all
``chemical facilities'' on the RMP list are likely to present a high
level of security risk.) Both H.R. 5695 and S. 2145 had specific
provisions distinguishing the universe of all ``chemical facilities''
from the subset of ``high risk'' chemical facilities. H.R. 5695 would
have required that ``at least one of the tiers established by the
Secretary for the assignment of chemical facilities * * * shall be a
tier designated for high-risk chemical facilities.'' 109th Cong. sec. 2
(2006) (proposed 6 U.S.C. 1802(c)(4)). Similarly, although S. 2145
identified the regulated chemical facilities as those with chemical
substances of concern at sufficient threshold quantities, that bill
also contained an instruction for the Secretary to identify separately
a smaller subset of those facilities as high risk chemical facilities.
S. 2145, 109th Cong. sec. 3(e) (2006). Thus, in both prior legislative
proposals, Congress contemplated that only a subset of all facilities
with threshold quantities of certain chemical substances would also
qualify as ``high risk'' chemical facilities.
The Department believes that the phrase ``high level of security
risk'' in Section 550 was likewise intended to apply only to a subset
of the total population of ``chemical facilities.'' Under Section 550,
the Secretary is explicitly given discretion to determine which
chemical facilities fall within this subset, and thus which chemical
facilities the Department will regulate. See Pub. L. 109-295, sec.
550(a) (2006) (``such regulations shall apply to chemical facilities
that, in the discretion of the Secretary, present high levels of
security risk''). See also 5 U.S.C. 701(a)(2) (precluding judicial
review if ``agency action is committed to agency discretion by law'').
See also Webster v. Doe, 486 U.S. 592 (1988); Heckler v. Chaney, 470
U.S. 821, 830 (1985) (recognizing the exception to the presumption of
agency reviewability in 5 U.S.C. 701(a)(2)); Steenholdt v. FAA, 314
F.3d 633 (D.C. Cir. 2003); Baltimore Gas & Elec. Co. v. FERC, 252 F.3d
456, 459 (D.C. Cir. 2001); Haig v. Agee, 453 U.S. 280 (1981); Merida
Delgado v. Gonzales, 428 F.3d 916 (10th Cir. 2005) (finding that the
Attorney General's national security determination was not reviewable
under the APA, where the authorizing statute provided no meaningful
standard against which to judge the agency's action, the court did not
have the necessary expertise to make the determination, and the
Executive Branch has broad discretion to protect national security).
C. Determining Which Facilities Present a High Level of Security Risk
As a practical matter, the Department must utilize an appropriate
process to determine which facilities present sufficient risk to be
regulated. The Department may draw on many sources of available
information, including existing Federal data and lists addressing
particularly hazardous chemicals and particular chemical facilities.
Such lists include the EPA RMP list (discussed above); the schedule of
chemicals from the Convention on the Development, Production,
Stockpiling and Use of Chemical Weapons and Their
[[Page 78282]]
Destruction, also known as the Chemical Weapons Convention or CWC
(discussed above); the hazardous materials listed in Department of
Transportation's Hazardous Materials Regulations (see, e.g., 49 CFR
172.101); and the TSA Select Hazardous Materials List. The Department
may also seek and analyze information from many other sources,
including from experts in the industry, from state or local governments
or directly from facilities that may qualify as high-risk. The
Department requests comment on appropriate sources of information or
methodologies for evaluating chemical facility risks. The Department
also requests comments on whether, to the extent it looks to the nature
of particular chemicals to classify facilities, classifications should
be based on a ``hazard-class'' approach rather than classifications
based on particular chemicals.
As discussed above, the Department has worked with the American
Society of Mechanical Engineers (ASME) and others to design a RAMCAP
``Top-screen'' process for determining the potential security risk
posed by many types of critical infrastructure facilities, including
chemical facilities. The Department proposes to employ a risk
assessment methodology system very similar to this RAMCAP Top-screen
process to determine whether a facility qualifies as high-risk under
Section 550, and seeks comment on how such a process--as described
above and in Appendix A--should be employed for that purpose.
The proposed regulation would permit the Department to implement
this type of Top-screen risk analysis process to screen facilities. The
proposed language interprets the statutory phrase ``present[s] high
levels of security risk'' to apply to a facility that, in the
discretion of the Secretary, would present a high risk of significant
adverse consequences for human life or health, national security or
critical economic assets if subjected to a terrorist attack. See
proposed 6 CFR 27.100, below. As noted, the statute gives the Secretary
unreviewable discretion to make this determination. See Pub. L. 109-
295, secs. 550(a), (b), Oct. 4, 2006.
A separate question is whether the Secretary can compel facilities
that have not yet been deemed ``high risk'' to complete a risk
assessment methodology such as the RAMCAP Top-screen, or punish them
for failure to do so. In other words, can the Secretary mandate
information submissions from a broad range of chemical facilities in
order to screen facilities and determine which will qualify as high
risk?
There are two arguments that the Secretary has such authority under
Section 550. First, the authority to determine which facilities qualify
as ``high risk'' implies necessary authority to obtain information to
make that determination. See, e.g., United States v. Construction
Products Research, Inc., 73 F.3d 464, 470 (2d Cir. 1996) (``at the
subpoena enforcement stage, courts need not determine whether the
subpoenaed party is within the agency's jurisdiction or covered by the
statute it administers''); Equal Employment Opportunity Commission v.
Sidley Austin Brown & Wood, 315 F.3d 696, 699-701 (7th Cir. 2002).
Second, Section 550 states explicitly that the Secretary ``shall audit
and inspect chemical facilities for the purposes of determining
compliance with the regulations issued pursuant to this section.''
Since this provision can be read to permit the Department physically to
inspect ``chemical facilities'' regardless of whether they qualify as
``high risk,'' the Department should impliedly have the less dramatic
authority to obtain preliminary information for the same purpose.
Indeed, the use of a Top-screen process will be a less onerous
imposition for many facilities that may not, after due consideration,
present high levels of security risk.
The following approach to screening facilities is reflected below
in the proposed rule text:
- The Department could contact chemical facilities
  individually to request that they complete the process and could
  publish a notice requesting that all facilities fitting a certain
  profile (based on quantity of certain chemicals on site, hazard
  classification, or other criteria) complete an online Department risk
  assessment methodology (similar to the RAMCAP Top-screen) within a
  reasonable period.
- If any facility fitting the profiles identified in the
  notice or individually contacted by the Department fails to complete
  the risk assessment methodology within a reasonable period of time
  after receiving notification from the Department, the Department may,
  after attempting to consult with the facility, reach a preliminary
  determination, based on the information then available (which may
  include the facility's failure to complete the Top-screen process),
  that the facility ``presumptively presents a high level of security
  risk.''
- The Department would then issue a notice to the entity of
  this determination and, if necessary, order the facility to complete
  the Top-screen process. If the facility then fails to do so, it may be
  subject to penalties pursuant to Section 550(d), audit and inspection
  under Section 550(e) or, if appropriate, the remedy available under
  Section 550(g). See proposed Sec. 27.305, 245, 310.
- If the facility completes the Top-screen process and is
  not then considered to present a high level of security risk, its
  status as ``presumptively high risk'' will terminate, and the
  Department will issue a notice to the facility to that effect.
The Department requests comments on this proposed process and the
draft regulation at Sec. Sec. 27.200 and 27.205 below.
In order to carry out this approach, the Department will need to
identify the types or classes of facilities that should complete Top-
Screen for screening purposes. To that end, the Department requests
comments on whether the Department should request that:
- RMP facilities complete the Top-screen;
- Certain facilities subject to the Chemical Weapons
  Convention complete the Top-screen;
- Any other type or description of facilities complete the
  Top-screen.
The Department also anticipates permitting any chemical facility to
voluntarily complete the Top-screen risk assessment process if the
facility has not been notified or contacted by DHS for such screening.
D. Risk-Based Performance Standards for Security of Chemical Facilities
Among other things, Section 550 requires the Department to issue
interim final regulations ``establishing risk-based performance
standards for chemical facilities.'' The terms ``risk-based'' and
``performance standards'' both carry significant meaning.
The term ``performance standards'' has a long and well-known
history. See Cary Coglianese et al., Performance-Based Regulation:
Prospects and Limitations in Health, Safety, and Environmental
Protection, 55 Admin. L. Rev. 705, 706-07 (2003). The term has
repeatedly been defined: Performance standards
* * * state[] requirements in terms of required results with
criteria for verifying compliance but without stating the methods
for achieving required results. A performance standard may define
functional requirements for the item, operational requirements, and/
or interface and interchangeability characteristics. A performance
standard may be viewed in juxtaposition to a prescriptive standard
which may specify design requirements, such as materials to be used,
[[Page 78283]]
how a requirement is to be achieved, or how an item is to be
fabricated or constructed.
OMB Circular A-119 (Feb. 10, 1998); see also Coglianese, Performance-
Based Regulation, 55 Admin. L. Rev. at 709:
A performance standard specifies the outcome required, but leaves
the specific measures to achieve that outcome up to the discretion
of the regulated entity. In contrast to a design standard or a
technology-based standard that specifies exactly how to achieve
compliance, a performance standard sets a goal and lets each
regulated entity decide how to meet it.
Note also that Executive Order 12,866 specifies the use of performance
standards:
Each agency shall identify and assess alternative forms of
regulation and shall, to the extent feasible, specify performance
objectives, rather than specify the behavior or manner of compliance
that regulated entities must adopt.
Exec. Order 12,866, 58 FR 51,735 (Oct. 4, 1993), as amended by Exec.
Order 13258, 67 FR 9385 (Feb. 28, 2002).
Here, Section 550 specifies that the required ``performance
standards'' must be ``risk-based.'' Although the term ``risk-based'' is
not specifically defined in Section 550, the language of Section 550
along with other recent legislative activity yield an understanding of
the ``risk-based'' standards. The term ``risk-based'' modifies
``performance standard'' and indicates that the performance standards
established under Section 550 will mandate the most rigorous levels of
protection and regulatory scrutiny for facilities that present the
greatest degrees of security risk. Prior legislative proposals on
chemical security would have required this result expressly through
risk-based tiering of facilities based on the potential effects on
human health caused by a terrorist attack at a facility, potential
impact on national security, or potentially critical economic
consequences. See H.R. 5695, 109th Cong. sec. 2 (2006), S. 2145, 109th
Cong. (2006). In many of those prior proposals, the Department would
have been required to analyze relative risk first, sort facilities into
appropriate risk-based tiers, then create standards requiring more
robust levels of protection for higher risk tiers. In addition, prior
legislative proposals specified more frequent regulatory reviews,
inspections, and security plan updates for higher risk facilities.
The Department believes that the ``risk-based performance
standards'' and the Section 550 Program should indeed incorporate risk-
based tiering. As addressed above, Section 550 provides the Department
with authority to regulate those chemical facilities ``that, in the
discretion of the Secretary, present high levels of security risk.''
Thus, the risk-based tiers would differentiate and create tiers among
those facilities that, as described above, qualify as presenting ``high
levels of security risk'' and are thus ``covered facilities.'' The
Department seeks comment on this notion of risk-based tiering among
high-risk facilities. Specifically:
- How many risk-based tiers should the Department create?
- What should be the criteria for differentiating among the
  tiers?
- What types of risk should be most critical in the tiering?
- How should the performance standards differ among risk-
  based tiers?
- What additional levels of regulatory scrutiny (e.g.
  frequency of inspections, plan reviews, and updates) should apply to
  each tier?
The Department would establish the risk-based performance standards
through the regulatory language below and intends to issue guidance
periodically regarding compliance with the standards. Please note that
specific security performance variables in the standards among tiers
for the covered facilities are likely to contain sensitive information
regarding covered facility vulnerability or security. Thus, certain
elements of guidance on the application of these standards by tier will
be provided to covered facilities pursuant to the information
protections provisions of Section 550.
E. Vulnerability Assessments and the Development and Implementation of
Site Security Plans for Chemical Facilities
The first sentence of Section 550 requires the Department to
mandate that ``high risk'' chemical facilities, known here as ``covered
facilities,'' perform Vulnerability Assessments and develop and
implement Site Security Plans.
1. Vulnerability Assessments
A Vulnerability Assessment is an examination of how a covered
facility would address specific types of possible terrorist threats.
The assessment also examines the aspects of the covered facility that
pose the most significant vulnerabilities to terrorist attack. The
Department has worked with its partners to develop a methodology for
this purpose which may be refined to fit the needs of this program's
Vulnerability Assessment program. The methodology is described in
detail in Appendix B. The Department seeks comment on how this
methodology should be refined to serve as a basis for Vulnerability
Assessments under Section 550.
Covered facilities, those that qualify as ``high risk'' under
Section 550, will be required to complete and submit Vulnerability
Assessments. DHS will review each Vulnerability Assessment, and the
Department may also scrutinize the Vulnerability Assessments in the
course of a facility audit (discussed infra). In addition, a covered
facility Vulnerability Assessment will serve two other central
purposes: (1) The Department will use the results of Vulnerability
Assessments to confirm that covered facilities have been assigned to
the appropriate risk-based tiers; and (2) Each covered facility's Site
Security Plan (discussed below) will be required to address each of the
vulnerabilities identified in the Vulnerability Assessment. See Pub. L.
109-295, sec. 550(a), Oct. 4, 2006 (``Provided further, That such
regulation shall permit each facility, in developing and implementing
Site Security Plans, to select layered security measures that, in
combination, appropriately address the Vulnerability Assessment and the
risk-based performance standard for security for the facility.'')
Covered facilities also have continuing obligations, which vary based
on their risk-based tier, to maintain and periodically update their
Vulnerability Assessment.
As noted, the Department will sort the covered facilities into
tiers, based on risk. The Department may have three or four tiers, with
the highest risk facilities in tier one. The tiering decisions will be
based on a number of factors, including information from the Top-
screen, intelligence information, and information from other
appropriate sources. As discussed below in section II.K., the
Department considers the methods for determining these tiers to be
sensitive anti-terrorism information that may be protected from further
disclosure.
Many chemical facilities have already performed Vulnerability
Assessments under models that are similar in purpose and effect to the
RAMCAP methodology identified above. For a number of covered
facilities, particularly in the initial year of the program, these
Vulnerability Assessments will be acceptable in lieu of completing the
Department's vulnerability analysis. Through the Alternative Security
Program (ASP) provisions described herein, the proposed regulation will
permit the Assistant Secretary to accept existing chemical facility
Vulnerability Assessments, subject to any necessary revisions or
supplements, where the
[[Page 78284]]
assessments are sufficiently similar to the Department's process to be
effective. The Department is considering accepting any Vulnerability
Assessment methodologies that are certified by the Center for Chemical
Process (CCPS) as equivalent to the CCPS Methodology; and will review
other Vulnerability Assessments submitted as ASPs. See proposed 6 CFR
27.215(a).
2. Site Security Plans
Under Section 550, the Department must also require that ``high
risk'' chemical facilities develop and implement ``Site Security
Plans.'' The statute specifies that the Department ``shall permit each
facility, in developing and implementing Site Security Plans, to select
layered security measures that, in combination, appropriately address
the Vulnerability Assessment [for the facility] and the risk-based
performance standards for security for the facility.'' This sentence
identifies two critical statutory mandates.
First, as indicated, a Site Security Plan must address both the
``Vulnerability Assessment'' for the covered facility and the
applicable ``risk-based performance standards.'' To address the
Vulnerability Assessment, the plan must identify and describe the
function of the measures the covered facility will employ to address
each of the facility's vulnerable areas. Focusing on those vulnerable
areas, the Site Security Plan must then address specific modes of
potential terrorist attack and how each would be deterred or otherwise
addressed. For example, a facility must select, develop and describe
security measures intended to address potential attacks involving: (1)
A VBIED (vehicle borne improvised explosive device); (2) a water-borne
explosive device (if applicable); (3) an assault team; (4)
individual(s) on the premises with explosives or a firearm, or (5)
theft of certain chemicals; and (6) the possibility of insider or cyber
sabotage.
In addition, a covered facility's Site Security Plan must identify
how the layered security measures selected by the covered facility meet
the Department's risk-based performance standards. Although this
process can be different for each facility and will vary depending on
the unique risks presented in each, the performance standards will
typically require covered facilities to develop and explain security
measures to:
- Secure and monitor the perimeter of the facility;
- Secure and monitor restricted areas or potentially
  critical targets within the facility;
- Control access to the facility and to restricted areas
  within the facility by screening and/or inspecting individuals,
  deliveries, and vehicles as they enter; including,
  - Measures to deter the unauthorized introduction of dangerous
    substances and devices that may facilitate an attack or actions having
    serious negative consequences for the population surrounding the
    facility; and
  - Measures implementing a regularly updated identification
    system that checks the identification of facility personnel and other
    persons seeking access to the facility and that discourages abuse
    through established disciplinary measures;
- Deter vehicles from penetrating the facility perimeter,
  gaining unauthorized access to restricted areas or otherwise presenting
  a hazard to potentially critical targets;
- Secure and monitor the shipping and receipt of hazardous
  materials from the facility;
- Deter theft or diversion of potentially dangerous
  chemicals;
- Deter insider sabotage;
- Deter cyber sabotage, including by preventing unauthorized
  onsite or remote access to critical process controls, Supervisory
  Control And Data Acquisition (SCADA) systems, and other sensitive
  computerized systems;
- Develop and exercise an emergency plan to respond to
  security incidents internally and with assistance of local law
  enforcement and first responders;
- Maintain effective monitoring, communications and warning
  systems, including,
  - Measures designed to ensure that security systems and
    equipment are in good working order and inspected, tested, calibrated,
    and otherwise maintained;
  - Measures designed to regularly test security systems, note
    deficiencies, correct for detected deficiencies, and record results so
    that they are available for inspection by the Department; and
  - Measures to allow the facility to promptly identify and
    respond to security system and equipment failures or malfunctions;
- Ensure proper security training, exercises, and drills of
  facility personnel;
- Perform appropriate background checks on and ensure
  appropriate credentials for facility personnel, and as appropriate, for
  unescorted visitors with access to restricted areas or potentially
  critical targets;
- Escalate the level of protective measures for periods of
  elevated threat;
- Address specific threats, vulnerabilities, or risks
  identified by the Assistant Secretary for the particular facility at
  issue;
- Report significant security incidents to the Department;
- Identify, investigate, report, and maintain records of
  significant security incidents and suspicious activities in or near the
  site;
- Establish official(s) and an organization responsible for
  security and for compliance with these standards;
- Maintain appropriate records; and
- Address any additional performance standards the Assistant
  Secretary may specify.
The types and intensity of measures necessary to satisfy these
standards will depend, of course, on the risk-based tier of the covered
facility at issue. Covered facilities will also have a continuing
obligation, which will vary based on their risk-based tier, to maintain
and periodically update their Site Security Plan.
Aside from the performance standards identified in proposed Sec.
27.230, the Department will also consider adopting other performance
standards from the following maritime security regulatory provisions:
33 CFR 105.250 (Security systems and equipment maintenance); 33 CFR
105.255 (Security measures for access control); 33 CFR 105.260
(Security measures for restricted areas); 33 CFR 105.275 (Security
measures for monitoring); 33 CFR 105.280 (Security incident
procedures). The terms of these provisions, if adopted, would need
modification. For example, the provisions related to security measures
for restricted areas identify such areas to include ``[s]hore areas
immediately adjacent to each vessel moored at the facility.'' 33 CFR
105.260. The Department requests comments on whether these or other
MTSA regulatory provisions should be adopted in modified form. The
Department also requests specific comments on how, if adopted, the
Department should modify these provisions.
Section 550 also strikes a careful balance between the Department's
regulatory authority and a covered facility's discretion to select
security measures. Three separate provisions are relevant to this
balance. As noted above, the term ``performance standards'' has long
been defined to ``specif[y] the outcome required, but leave[] the
specific measures to achieve that outcome up to the discretion of the
regulated entity.'' See above, Coglianese, Performance-Based
Regulation, 55 Admin. L. Rev. at 709. The statute also mandates that
the Department ``shall
[[Page 78285]]
permit each facility * * * to select layered security measures * * * ''
to address its vulnerabilities and the performance standards. Pub. L.
109-295, sec. 550(a), Oct. 4, 2006 (emphasis supplied). Further, the
statute specifically prohibits the Department from rejecting a Site
Security Plan because it does not incorporate a specific type of
security measure: ``[T]he Secretary may not disapprove a Site Security
Plan submitted under this section based on the presence or absence of a
particular security measure.'' Id. (emphasis supplied).
The meaning of these three provisions was not in dispute at the
time of Congress's Conference on the Appropriations Bill on September
29, 2006. Indeed, as Representative Markey and others noted, ``the
Department of Homeland Security is prohibited from disapproving of a
facility's security plan because of the absence of any specific
security measure.'' See 152 Cong. Rec. H7907 at H7913 (daily ed. Sept.
29, 2006).
Although the Department may not require that a covered facility
select a specific measure to enhance its security, the Department may
``disapprove a Site Security Plan if [the plan] fails to satisfy the
risk-based performance standards established by this section.'' Pub. L.
109-295, sec. 550(a), Oct. 4, 2006. The Department understands Section
550 to require a fairly straightforward process: The Department may
disapprove a Site Security Plan for failing to satisfy the risk-based
performance standards, but may not mandate that the covered facility
cure the deficiency by implementing one particular security solution.
In other words, the Department cannot take the position that only one
type of action or measure can meet the performance standards. Nor can
the Department indirectly compel the covered facility to choose a
particular measure preferred by the Department by ruling out all other
possible alternatives. (Thus, the Department may not engineer the
performance standards to permit only one actual security option for a
covered facility.) In practical terms, this means that covered
facilities will have the opportunity to determine how to remedy a
deficient plan. Thus, following a Site Security Plan ``disapproval,''
the Department will permit the covered facility to select a different
and more robust combination of security measures and present its plan
again. The Department will then judge the revised resubmitted plan
against the performance standards. The covered facility must meet the
security outcome required in the performance standards, but shall be
given appropriate latitude in how to reach that outcome.
The proposed regulations create a system for review and approval or
disapproval of Site Security Plans consistent with this language of
Section 550. See proposed 27.240. The Department seeks comment on how
this proposed process could be improved consistent with the statute.
3. Alternative Security Programs
Section 550 expressly anticipates that covered facilities may
prefer to submit Alternative Security Programs (ASP) established by
private sector entities, state, or local governments. Pub. L. 109-295,
Oct. 4, 2006. Section 550 gives the Secretary discretion to approve
such Alternative Security Programs when the Secretary finds that the
program meets the requirements of the interim final rule. In the rule
text offered below, we define Alternative Security Program as ``a
third-party or industry organization program, a state or Federal
government program or any element or aspect thereof that the Assistant
Secretary has determined provides an equivalent level of security to
that established by this subchapter.''
It is possible that an appropriate ASP could be used in part or in
whole, including in the place of a Vulnerability Assessment or a Site
Security Plan, or both, depending on the nature of the ASP. The
Department may choose to approve or disapprove an ASP for a specific
covered facility or on a broader scale by approving or disapproving an
industry association or government program as an ASP for use in
accordance with this rule.
Under the Alternative Security Program provisions in proposed
27.235, the Secretary may specifically designate existing programs,
Vulnerability Assessments, and Site Security Plans completed thereunder
as satisfactory under Section 550. The Department will begin accepting
requests for approval of existing Alternative Security Programs on
December 28, 2006. Such requests should be made to the Assistant
Secretary. Guidance for such submissions will be made available on the
Department's Web site.
4. Guidance Regarding Site Security Plans
Although the Department may not mandate any particular security
measure, it may issue guidance specifying what types of measures, if
selected, would presumptively satisfy the performance standards. Such
guidance would identify options for meeting the standards but would not
mandate any particular choice of measures to meet the performance
standards. A covered facility would always be permitted to select other
measures (whether contemplated by the guidance or not) that could
satisfy the performance standards. The Department intends to seek
public comment prior to issuance of such guidance to the extent
consistent with the level of information protection contemplated by the
statute.
F. Audits and Inspections
Section 550(e) gives the Department the authority to audit and
inspect chemical facilities in order to determine compliance with its
requirements. This section imposes an affirmative duty on chemical
facilities to cooperate with authorized DHS officials and allow
inspections and audits. DHS expects that it will carry out this audit
and inspection authority through the Assistant Secretary for
Infrastructure Protection and his designees, or for certain lower risk
tiers of facilities, through appropriate third party auditors. The
Department is considering a program for certain tiers of facilities
involving the certification and use of these Third-Party Auditors. See
proposed Sec. 27.245.
DHS (or, in appropriate cases, a DHS-certified Third-Party auditor)
will conduct inspections of each covered facility before issuing final
approval for a Site Security Plan. DHS could also conduct audits and
inspections outside of the Site Security Plan approval cycle in exigent
circumstances. By its terms, this inspection authority extends to all
chemical facilities. Although it is possible that a facility could be
inspected to determine whether it presents a high security risk under
the statute, the proposed rule suggests a different protocol in most
cases. See, e.g., proposed 6 CFR 27.200(c).
Generally speaking, DHS will conduct inspections at reasonable
times and in a reasonable manner given all of the circumstances
surrounding the particular chemical facilities' operations and the
threat information that is available to DHS at any given time.
Following promulgation of the interim final rule, the Assistant
Secretary will issue guidance to those officials and inspectors who
will be conducting inspections and will closely monitor the results of
such inspections. This ensures that there will be uniformity in
inspection procedures and in Departmental enforcement of these
regulations.
During inspections of chemical facilities, authorized DHS officials
(or third party auditors under certain circumstances) may inspect
property or
[[Page 78286]]
equipment, view and/or copy records, and audit records and/or
operations. DHS expects that it will conduct inspections during regular
business hours of 9 a.m. to 5 p.m. DHS will provide facility owners
with advance notice of inspections, except where the Under Secretary or
Assistant Secretary determines that exigent circumstances preclude
notice and personally approves such an inspection. The circumstances
leading the Under Secretary or Assistant Secretary to approve an
unannounced inspection might include threat information warranting
immediate action.
G. Background Checks
A proposed standard on personnel surety would require covered
facilities to ``perform appropriate background checks on and ensure
appropriate credentials for facility personnel, and as appropriate, for
unescorted visitors with access to restricted areas or potentially
critical targets.'' The Department believes that this component of the
security standards will enhance security in what would otherwise be a
significant potential vulnerability. In crafting and enforcing this
standard, the Department understands that many facilities covered under
these regulations already perform background checks on employees and
those who have access to the facilities. The Department therefore
encourages comment from industry, labor unions, and individuals on
their experiences with this subject.
The Department is considering several components of this issue,
including the following: (1) The individuals for whom background checks
would be conducted (whether that would include employees with access to
restricted areas of the facility, all employees, unescorted visitors,
all individuals with access to the facility or any combination of the
above); (2) The timing of this requirement particularly as it applies
to employees (i.e., whether a background check should be conducted in
association with the hiring process and, if so, how to address this
requirement for current employees); (3) The type of background check
that should be conducted and therefore the type of personally
identifiable information that would be required of these individuals,
such as biometrics. Background checks might include a terrorism name
check against the consolidated Terrorist Screening Database, a
fingerprint-based check against terrorism and/or criminal history
records, or a broader law enforcement or immigration status check; (4)
Whether the government should conduct these checks or whether the
industry could use authorized third parties to conduct the checks. The
Department requests comments on these issues.
In another context, the Department will require background checks
for all individuals having access to ``secure areas'' of the maritime
transportation system when those individuals are not accompanied by
someone who already has a sufficient background check. See 46 U.S.C.
70105(a); see also 71 FR 29,396 (May 22, 2006) (notice of proposed
rulemaking to implement the Transportation Worker Identification
Credential (``TWIC'') program in the maritime sector). Would an access
restriction such as that in the proposed TWIC program be appropriate in
the context of covered chemical facilities? Should any segment of
chemical facility personnel participate in TWIC or a similarly
structured program? The Department requests comments on these
questions.
Second, the Department will consider appropriate grounds for
denying access or employment to individuals when their background check
reveals an anomaly. In a different context, the Department has
developed a list of ``disqualifying crimes,'' as part of a threat
assessment process, that prevent individuals from gaining access to
certain facilities or privileges. See 46 U.S.C. 70105(c); 71 FR 29396
(May 22, 2006) (proposing a list of disqualifying crimes for Hazardous
Materials Endorsements (HME) and the Transportation Worker
Identification Credential (TWIC) program); see also 27 CFR 555.26(c)
(ATF prohibited persons criteria). Should the background check
standards used in the HME and TWIC contexts apply to chemical facility
security programs? (Preliminarily, the Department believes that any
person possessing a valid TWIC card would have undergone sufficient
background checks for purposes of the Section 550 security standards.)
The Department will consider, as one option, the background check
process employed by ATF. See 27 CFR 555.33. In this process, licensees
submit to ATF the names and identifying information for persons and
employees authorized to possess explosive materials in the course of
employment. ATF then conducts a background check and provides a
``letter of clearance'' or a written determination that the individual
should not hold a position requiring the possession of explosive
materials. This process also includes an appeals process. See 27 CFR
555.33(b). The Department requests comments on whether this type of
process, along with an associated fee charged to facility owners and
operators would be appropriate.
H. Approval and Disapproval of Vulnerability Assessments and Site
Security Plans
Section 550 states that ``the Secretary shall review and approve
each vulnerability assessment and site security plan required under
this section.'' See Pub. L. 109-295, sec. 550(a). To implement this
provision of the statute, and consistent with the implementation plan
discussed herein, the Department will require all covered facilities to
submit Vulnerability Assessments and Site Security Plans to the
Department. The Department will review and approve or disapprove each
Vulnerability Assessment in accordance with proposed Sec. 27.215. If
the Department approves the Vulnerability Assessment, the Department
will issue a letter to the covered facility so stating.
After a review of the Site Security Plan, the Department will
preliminarily approve it or disapprove it. In the case of a preliminary
approval, the Department will issue a Letter of Authorization to the
covered facility. After preliminarily approving a Site Security Plan,
the Department will inspect each facility in order to determine
compliance with the requirements of this part. (The inspection
provisions are discussed more fully above). After issuing a Letter of
Authorization, the Department will schedule an inspection of the
facility. After the inspection, if the Department concludes that the
Site Security Plan addresses the vulnerabilities identified in the
Vulnerability Assessment, satisfies the risk-based performance
standards, and has been satisfactorily implemented, the Department will
issue a Letter of Approval to the covered facility.
If a Vulnerability Assessment or Site Security Plan fails to
satisfy the specified, ``risk-based performance standards,'' the
Department will disapprove the relevant document. See Pub. L. 109-295,
Sec. 550(a) (``the Secretary may disapprove a site security plan if the
plan fails to satisfy the risk-based performance standards established
by this section''). If the Department concludes that the Site Security
Plan has not been satisfactorily implemented, the Department will
consult with the covered facility as provided in proposed 27.240(b) and
schedule a second inspection.
When disapproving the Vulnerability Assessment or Site Security
Plan, the Department will provide the facility with a written
explanation as to why the
[[Page 78287]]
Department disapproved the assessment or plan. Taking into account the
nature of the facility and other relevant circumstances, the Department
will also specify a date by which the facility must provide to the
Department a modified Vulnerability Assessment or Site Security Plan.
If a facility fails to provide an acceptable Vulnerability Assessment
or Site Security Plan by the specified date, the Department may issue
an Order Assessing Civil Penalty under proposed Sec. 27.305.
As with other elements of implementing Section 550, however, the
implementation of the receipt, review, and approval of Vulnerability
Assessments and Site Security Plans will proceed in a phased approach
based on the tiering of covered facilities. See proposed Sec. 27.230.
The Department will provide covered facilities with a schedule
identifying timing requirements for submitting and updating
Vulnerability Assessments and Site Security Plans under proposed
Sec. Sec. 27.215 and 27.225, as well as the timing, frequency, and
nature of the inspections required under proposed Sec. 27.245.
Facilities in Tier One must submit Vulnerability Assessments to the
Department within 60 calendar days. These facilities must submit Site
Security Plans within 120 calendar days.
The Department will also require that covered facilities update or
renew their Vulnerability Assessments and Site Security Plans on a
regular or as-needed basis. The timing for this requirement will
also depend upon the tiering of covered facilities. In general, the
Department believes that Tier One facilities should update and renew
their Vulnerability Assessments and Site Security Plans each year; Tier
Two facilities should update and renew their Vulnerability Assessments
and Site Security Plans on two-year cycles; and any additional tiers
should update and renew their Vulnerability Assessments and Site
Security Plans on three-year cycles. For individual facilities, and
based on information concerning those particular facilities, the
Department may determine that more or less frequent update and renewal
cycles are appropriate. The Department seeks comment on this strategy
for updating and renewing vulnerability assessments and site security
plans.
I. Remedies
The proposed regulation specifies the remedies that the Department
can use to achieve compliance with the requirements of this part. At
the most basic level, the Department can issue an Order for Compliance
pursuant to proposed Sec. 27.300. The Assistant Secretary may issue
such an Order for any instance of noncompliance, such as a chemical
facility's refusal to complete a Top-screen, failure to allow DHS to
conduct an inspection, or failure to update a Site Security Plan.
Where the Department finds that there is a repeated pattern of
noncompliance or egregious instances of noncompliance with the
requirements of this part, the Department may issue civil penalties of
not more than $25,000 for each day during which the violation continues
(see 550(d) and 49 U.S.C. 70119(a)) and/or order chemical facilities to
cease operations (see section 550(g)). The Department considers the
cease operations order to be an extraordinary authority and would use
it only so long as other remedial provisions hereunder could not
achieve compliance.
The proposed requirements in Sec. 27.305 and Sec. 27.310 specify
the methods by which DHS will issue civil penalties and cease operation
orders. Proposed Sec. 27.315 outlines general requirements that apply
to all orders, including orders for compliance, assessing civil
penalty, and to cease operations. Of note, the proposed regulation
provides that all of these orders are inoperative while an appeal is
pending under Sec. 27.320 and that an order issued under this subpart
does not constitute final agency action until a chemical facility
exhausts all appeals or the time for such appeals has lapsed. Chemical
facilities must exhaust all appeals specified in this regulation before
pursuing an action in Federal District Court. As noted, the Department
recognizes that an Order to Cease Operations would likely be litigated
immediately after issuance. This authority would be utilized when no
other options will achieve the required result. At the same time, the
Department recognizes the necessity and importance of these tools to
foster incentives for compliance.
Finally, as the Department indicates in the proposed regulation,
DHS may issue appropriate guidance and necessary forms for the issuance
of Orders under this subpart. Such guidance might include procedures
for, notifications made, and meetings conducted pursuant to Sec. Sec.
27.300, 27.305, 27.310, and 27.315.
In using these administrative remedies, the Department has sought
to include several opportunities for review of Departmental decisions,
including opportunities for chemical facilities to consult with the
Department, to present additional evidence, to defend against any
alleged violations, and to explain their efforts to rectify alleged
violations. The Department recognizes that these are powerful tools and
accordingly wants to ensure that there are sufficient mechanisms in
place for facilities to respond to the use of these tools. The
Department seeks comment on its proposed requirements for the use of
these administrative remedies.
J. Objections and Appeals
This rule proposes to provide chemical facilities with various
opportunities throughout the process to object to a Departmental
decision. The Department intends for the process to be as simple and
quick as possible but recognizes that the review needs to be
meaningful. The proposed rule provides chemical facilities with two
mechanisms with which to challenge a Departmental decision, an
objection and an appeal.
The basic mechanism is called an ``objection.'' A chemical facility
may object to (1) a determination that the facility presents a high
level of security risk, (2) its placement in a risk-based tier, and/or
(3) a disapproval of its Site Security Plan. To do so, a chemical
facility must file an objection according to the procedures specified
in the pertinent section--either 6 CFR 27.205(c) ``Determination that a
Chemical Facility Presents a High Level of Security Risk--Objection,''
6 CFR 27.220(b) ``Tiering--Objection,'' or 6 CFR 27.240(c) ``Review and
Approval of Vulnerability Assessments and Site Security Plans--
Objection to Disapproval of Site Security Plan.'' Under the scheme for
these proposed regulatory provisions, a chemical facility files an
Objection and may request a meeting, and the objection could be
addressed in as few as 20 days.
The other review mechanism available to chemical facilities is an
appeal. The Department recognizes that certain matters, such as a final
determination disapproving a Site Security Plan or the issuance of an
Order, can be of significant consequence. As a result, these matters
require a more lengthy review. To that end, the Department is proposing
to provide chemical facilities with an opportunity to appeal any Order
issued under this regulation and any determination disapproving a Site
Security Plan. Proposed Sec. 27.320(a)(1) and (2) allow chemical
facilities to appeal to the Under Secretary and General Counsel for
Site Security Plan disapprovals and all Orders except Orders to Cease
Operations. Proposed Sec. 27.320(a)(3) allows chemical facilities to
appeal to the Deputy Secretary for Orders to Cease Operations. The
[[Page 78288]]
adjudicating official may then affirm, revoke, or suspend a
determination or Order.
Also of note in this section, any decision made by an adjudicating
official under Sec. 27.320(c) of this section constitutes final agency
action. In addition, the failure of a chemical facility to file an
appeal in accordance with the procedures and time limits contained in
this section results in the Assistant Secretary's determination or
issuance of an Order becoming final agency action. Finally, a chemical
facility will need to exhaust the appeal processes specified in these
regulatory provisions before pursuing an action in Federal District
Court. The Department requests comment on the proposed process for
objections specified in Sec. 27.205(c), Sec. 27.220(b), Sec.
27.240(c), and Sec. 27.320, including comment on specific provisions
in the process and the adequacy of these procedures generally.
K. Chemical-Terrorism Vulnerability Information
Section 550(c) of the Homeland Security Appropriations Act of 2007
provides the Department with the authority to protect from
inappropriate public disclosure any information developed pursuant to
Section 550, ``including vulnerability assessments, site security
plans, and other security related information, records, and
documents.'' In considering this issue, the Department recognized that
there are strong reasons to avoid the unnecessary proliferation of new
categories of sensitive but unclassified information, consistent with
the President's Memorandum for the Heads of Executive Departments and
Agencies of December 16, 2005, entitled ``Guidelines and Requirements
in Support of the Information Sharing Environment.'' With Section
550(c), however, Congress acknowledged the national security risks
posed by releasing information relating to the security and/or
vulnerability of high risk chemical facilities to the public generally.
For all information generated under the chemical security program
established under Section 550, Congress gave the Department broad
discretion to employ its expertise in protecting sensitive security and
vulnerability information. Accordingly, the Department proposes herein
a category of information for certain chemical security information
called Chemical-terrorism Security and Vulnerability Information (CVI).
Congress also recognized that, to further the national security
interests addressed by Section 550, the Department must be able to
vigorously enforce the requirements of Section 550, and that these
efforts may include the initiation of proceedings in federal district
court. At the same time, it is essential that any such proceedings not
be conducted in such a way as to compromise the Department's ability to
safeguard CVI from public disclosure. For this reason, Congress
provided that, in the context of litigation, the Department should
protect CVI more like Classified National Security Information than
like other sensitive unclassified information. This aspect of Section
550(c) has no analog in other sensitive unclassified information
regimes.
1. Protection From Public Disclosure
In setting forth the minimum level of security the Department must
provide to CVI, Section 550(c) refers to 46 U.S.C. 70103, which was
enacted by the Maritime Transportation Security Act of 2002:
``Notwithstanding any other provision of law and subsection (b),
information developed under this section * * * shall be given
protections from public disclosure consistent with similar information
developed by chemical facilities subject to regulation under section
70103 of title 46, United States Code.'' (Emphasis supplied.) Section
70103(d) provides that ``information developed under this chapter
[pertaining to Port Security] is not required to be disclosed to the
public.'' As discussed below, by regulations existing at the time
Congress enacted Section 550, security plans issued pursuant to 46
U.S.C. 70103 constitute Sensitive Security Information (SSI), the
public disclosure of which is heavily regulated. See 49 CFR
1520.5(b)(2)(ii). It is the Department's view that by requiring the
Department's handling of CVI to be ``consistent with'' information
covered under 46 U.S.C. 70103, Congress intended CVI to receive a level
of security not inconsistent with that provided to SSI. Yet the
Department also believes that Section 550(c) provides the Department
with broad discretion and maximum flexibility to employ more rigorous
standards to protect CVI from inappropriate public disclosure as
necessary. Furthermore, Section 550(c) provides specifically that ``in
any proceeding to enforce this section, * * * information submitted to
or obtained by the Secretary, and related vulnerability or security
information, shall be treated as if the information were classified
material.''
Section 114(s) of title 49 of the U.S. Code requires TSA to
promulgate regulations governing the protection of certain sensitive
unclassified information, including information that would ``be
detrimental to the security of transportation'' if publicly disclosed.
49 U.S.C. 114(s). In response, TSA issued 49 CFR part 1520, which
establishes certain requirements for the recognition, identification,
handling, and dissemination of Sensitive Security Information or
``SSI,'' including restrictions on disclosure and civil penalties for
violations of those restrictions. Under the regulations, SSI includes
any security programs issued, established, required, received or
approved by the Department of Transportation or the Department. These
include any vessel, maritime facility or port area security plan
required by Federal law and any national or area security plan prepared
pursuant to 46 U.S.C. 70103. In addition, SSI includes selection
criteria used in security screening processes, Security Directives and
Information Circulars, threat information and vulnerability assessments
concerning transportation facilities, and technical specifications of
security screening and detection systems and devices.
Access to SSI is strictly limited to those persons with a need to
know, as defined in 49 CFR 1520.11, and to those persons to whom TSA
makes a specific disclosure authorization under 49 CFR Sec. 1520.15.
In general, a person has a need to know specific SSI when he or she
requires access to the information: (1) To carry out transportation
security activities that are government-approved, -accepted, -funded,
-recommended, or -directed, including for purposes of training on, and
supervision of, such activities; (2) to provide legal or technical
advice to airport operators, air carriers or their employees regarding
security-related requirements; or (3) to represent covered persons in
judicial or administrative proceedings regarding security-related
requirements. Individuals with a need to know or to whom SSI is
disclosed pursuant to Sec. 1520.15, including in the context of an
administrative enforcement proceeding, may, at TSA or Coast Guard's
discretion, be required to satisfactorily complete a security
background check to gain access to SSI. Civil litigants do not have a
regulatory need to know, unless they fall into the categories noted
above.
The SSI regulations also set forth restrictions on the disclosure
of SSI. These restrictions apply to individuals and entities with a
need to know as well as others deemed by 49 CFR 1520.7 to be ``covered
persons.'' The restrictions, which are set forth in 49 CFR 1520.9,
include a duty to protect information by, among other things, only
disclosing or providing access to SSI to covered
[[Page 78289]]
persons with a need to know and storing SSI in a secured container.
Section 1520.9 also requires any covered person to promptly report to
TSA or other applicable agency any unauthorized disclosure of SSI. As
part of the Homeland Security Appropriations Act of 2007, Congress gave
TSA the authority to assess a civil penalty of up to $50,000 for each
violation of 49 CFR part 1520 by a person provided access to SSI under
Section 525(d).
Congress has long authorized the protection of sensitive
unclassified information in the context of nuclear facilities. See 42
U.S.C. 2167, 2168 (authorizing Nuclear Regulatory Commission (NRC) to
issue regulations and civil and criminal penalties, protecting
safeguards information or ``SGI'' from inadvertent release and
unauthorized disclosure that might compromise security of nuclear
facilities or materials); see also 10 CFR 73.21 (defining SGI to
include ``security measures for the physical protection and location of
certain plant equipment vital to the safety of production or
utilization facilities''); Sec. 73.21(c) (authorizing access to SGI
where there is both a valid ``need to know'' the information and authorization based
on an appropriate background investigation under 10 CFR part 73); Sec.
73.21(d) (setting forth physical protection requirements). And Congress
authorized a similar regime more recently to protect voluntarily
submitted critical infrastructure information as part of the Homeland
Security Act of 2002. See 6 U.S.C. 131 et seq.; see also 6 CFR 29.4
(describing Protected Critical Infrastructure Information (PCII)
program); Sec. 29.7 (requiring background checks for access to PCII
and setting forth protection guidelines for handling of PCII); Sec.
29.8 (prohibiting disclosure of PCII except in limited circumstances).
In designing a regulatory scheme to govern disclosure of CVI, the
Department has considered the laws regulating SSI, SGI, and PCII. The
Department believes that by specifying 46 U.S.C. 70103, Congress
provided an avenue to embrace many of the fundamental elements of SSI,
except that Congress was more explicit as to the use of information in
legal proceedings. Accordingly, the Department proposes that, except as
provided below in connection with administrative and judicial
proceedings, CVI should be treated in a manner similar to SSI. The
Secretary shall administer this Section consistent with section 550,
including appropriate sharing with State and local officials, law
enforcement officials, and first responders.
2. Protection From Disclosure in Litigation
Section 550(c) provides that ``in any proceeding to enforce this
section, * * * information submitted to or obtained by the Secretary,
and related vulnerability or security information, shall be treated as
if the information were classified material.'' By segregating this
information for separate treatment under the statute, Congress sought
to provide significant protection for CVI in the course of enforcement
proceedings.
Classified information is disclosed in litigation only under
extraordinary circumstances. Executive Order 13292, Further Amendment
of Executive Order 12958, as Amended, Classified National Security
Information, defines ``classified national security information'' or
``classified information'' as ``information that has been determined
pursuant to this order or any predecessor order to require protection
against unauthorized disclosure and is marked to indicate its
classified status when in documentary form.'' E.O. 12958 Sec.
6.1(h). More specifically, information may be classified if, among
other things, the original classification authority determines that
``the unauthorized disclosure of the information reasonably could be
expected to result in damage to national security, which includes
defense against transnational terrorism, and the original
classification authority is able to identify and describe the damage.''
E.O. 13292 Sec. 1.1(a)(4).
By statute, Congress has defined classified information more
broadly in certain contexts. The Classified Information Procedures Act
(CIPA), which sets forth the proper handling for disclosure of
classified information in criminal proceedings, defines classified
information as ``any information or material that has been determined
by the United States Government pursuant to an Executive order,
statute, or regulation, to require protection against unauthorized
disclosure for reasons of national security and any restricted data, as
defined in paragraph r. of section 11 of the Atomic Energy Act of
1954.'' 18 U.S.C. App. 3 sec. 1(a). The same definition is used in
civil proceedings involving charges of providing material support or
resources to designated foreign terrorist organizations. 18 U.S.C.
2339B(g)(1) (``the term `classified information' has the meaning given
that term in section 1(a) of [CIPA]'').
Under section 2339B, where a party seeks classified information in
discovery, the court may authorize one of the following as a substitute
upon a sufficient ex parte showing by the Government: (1) A redacted
version of the classified documents; (2) a summary of the information
contained in the classified documents; or (3) a statement admitting
relevant facts that the classified documents would tend to prove. 18
U.S.C. 2339B(f)(1)(A). Section 2339B also provides protections against
the disclosure of classified information through witness testimony.
Upon a Government objection, the court will consider an ex parte
proffer by the Government on what the witness is likely to say and a
proffer from the defendant of the nature of the information the
defendant seeks to elicit. Id. at 2339B(f)(3). If the court denies any
such requests by the Government, the Government can take an immediate,
expedited interlocutory appeal. Id. at 2339B(f)(1)(C), (5). Notably,
section 2339B states that it does not prevent the Government from
seeking protective orders or asserting privileges ordinarily available
to the United States to protect against the disclosure of classified
information, including the invocation of the military and State secrets
privilege. Id. at 2339B(f)(6).
The procedures set forth in CIPA are substantially similar to those
in section 2339B. One notable difference is that the Government may
submit to the court an affidavit of the Attorney General certifying
that disclosure of classified information would cause identifiable
damage to the national security of the United States and explaining the
basis for the classification of such information. 18 U.S.C. App. sec.
6(c)(2). Where the Government has filed such an affidavit but the court
concludes that there is no adequate substitute for the classified
information sought by the defendant, the court may dismiss the
Government's indictment or information, or order something in lieu of
complete dismissal such as dismissing or finding for the defendant only
with respect to certain counts. Id. at 6(e).
As stated above, Section 550(c) provides only that, in the course
of proceedings under section 550, CVI ``shall be treated as if the
information were classified material.'' Section 550(c) does not specify
to which procedure/s governing the handling of classified material the
Department should look--i.e., ordinary civil litigation procedures,
civil procedures under section 2339B, criminal procedures under CIPA,
or some other regime. The Department is considering alternatives and
proposes here that in the context of judicial or administrative
enforcement proceedings, the disclosure of CVI shall be governed by the
procedures set forth
[[Page 78290]]
in section 2339B. Furthermore, to accommodate the possible presence of
a jury or any other individuals that are deemed necessary to such
proceedings, the Department will retain discretion to authorize access
to CVI for persons necessary for the conduct of enforcement
proceedings, provided that no one that the Department has not so
authorized shall have access to or be present for the disclosure of
such information. This has the effect of requiring a court to close the
courtroom where CVI is to be revealed, which the Department believes is
consistent with Congress's intent that CVI be treated as classified
information. Because the Department believes that Section 550(c) cannot
reasonably be read to prohibit a chemical facility and its counsel or
other relevant employees from gaining access to CVI concerning their
own facility for use in enforcement proceedings, the proposed
provisions do not apply to such individuals.
For civil litigation unrelated to the enforcement of Section 550,
except as provided otherwise at the sole discretion of the Secretary,
access to CVI shall not be available. The Department believes that by
carefully drafting Section 550(c), Congress did not envision providing
access to CVI to third parties in civil litigation or in any civil
litigation not involving enforcement of Section 550. As discussed
above, Section 550(c) requires very restrictive handling of CVI in
enforcement proceedings, i.e., handling at least consistent with the
handling of classified information. We believe that Congress could not
have intended the Department to afford CVI lesser protection in the
context of civil litigation, especially where the litigation is
unrelated to the enforcement of Section 550. The level of protection
for CVI in civil litigation proposed herein is not inconsistent with
the regime governing SSI prior to the Homeland Security Appropriations
Act of 2007. The Department believes, however, that, in light of
amendments to the SSI regime contained in section 525(d) of the
Homeland Security Appropriations Act of 2007, to give full effect to
Section 550(c), the Department must provide expressly for the
prohibition on disclosure of CVI in civil litigation. Among other
things, section 525(d) granted civil litigants who do not have a
regulatory need to know access to specific SSI in federal district
court proceedings, if certain requirements are met. Moreover, the
Department believes that the proposed prohibition is consistent with
the ordinary handling of classified information in civil proceedings,
access to which may be ordered only in a narrow class of cases and
under extraordinary circumstances.
The Department seeks comment on whether an alternative to the
approach described herein is more desirable. Other alternatives may
include handling CVI in proceedings in the same manner as SSI or some
other category of sensitive unclassified information, or as classified
information under CIPA.
L. Statutory Exemptions
Section 550 exempts from its coverage several categories of
facilities. According to the statutory exemptions, the regulations
issued under Section 550 will not apply to public water systems (as
defined by section 1401 of the Safe Drinking Water Act); water
treatment works facilities (as defined by section 212 of the Federal
Water Pollution Control Act); any facilities owned or operated by the
Departments of Defense and Energy; and any facilities subject to
regulation by the Nuclear Regulatory Commission. The regulations
promulgated under Section 550 also will not apply to maritime
facilities regulated by the Coast Guard pursuant to the Maritime
Transportation Security Act of 2002. These facilities will not need to
submit information to the Department under the Section 550 regulations.
The Department, however, is considering how to apply this rule to those
facilities that are not subject to the security standards of part 105
of the maritime security regulations but may be covered by other
maritime security regulations pursuant to the Maritime Transportation
Security Act of 2002. The Department seeks comment on the applicability
of this rule to such facilities.
Section 550 also provides that ``[n]othing in this section shall be
construed to supersede, amend, alter, or affect any Federal law that
regulates the manufacture, distribution in commerce, use, sale, other
treatment, or disposal of chemical substances or mixtures.'' ATF
regulates the purchase, possession, storage, and transportation of
explosives. The Department does not intend for the regulations issued
under Section 550 to impede ATF's current authorities. Where there is
concurrent jurisdiction, the Department will work closely with ATF to
ensure that the regulated entities can comply with the applicable
regulations while minimizing any duplicative efforts by such entities.
III. Implementation
A. Immediate Priority on Highest Risk Facilities
The Department is considering a ``phased'' implementation of its
Section 550 program. Phase 1 would begin immediately following
promulgation of the interim final rule in April 2007 and would focus on
a selected number of chemical facilities identified from data in the
RMP program and other sources as potentially posing the most
significant risk to neighboring populations. The Assistant Secretary
would contact each of these chemical facilities directly and request
that each complete the Top-screen process within a reasonable but
relatively brief period. Technical assistance with the Top-screen
process would be provided immediately to any chemical facility in this
group so that progress could be achieved on an accelerated schedule.
Shortly after receipt of the completed Top-screen information, the
Assistant Secretary would notify each of these facilities pursuant to
proposed Sec. 27.205 (regarding whether it qualifies as ``high risk''
and its initial placement in a risk-based tier). For each high risk, or
``covered,'' facility, the Assistant Secretary would provide a schedule
for submission of its Vulnerability Assessment and Site Security Plans
under Sec. 27.210 of the proposed regulations. The Department's
initial emphasis would be on the highest risk facilities in this group
and the Department would prioritize reviews of those chemical
facilities by risk, and it would schedule submissions accordingly.
Again, the chemical facilities in this Phase 1 group could request and
receive technical assistance in completing these processes.
Upon receipt, submissions of Vulnerability Assessments and Site
Security Plans for Phase 1 covered facilities would be subject
immediately to review under Sec. 27.240 of the proposed regulations,
and the facilities would be notified as soon as possible if additional
submissions or revisions are necessary and, if not, of the results of
such reviews. Again, where
consultation or revisions would be necessary to bring the submissions
into compliance, the process under Sec. Sec. 27.215 and 27.225 would
be available for that purpose. Following approval of the Vulnerability
Assessment and Site Security Plan, the Department would contact the
covered facility to arrange for an appropriate schedule for a
compliance review inspection and audit.
While Phase 1 is underway, the Assistant Secretary would also
initiate a broader Phase 2 process. For Phase 2,
[[Page 78291]]
the Assistant Secretary would, under Sec. 27.200 of the proposed
regulations, publish criteria identifying an additional group or type
of facilities that should complete the Top-screen process. The
Assistant Secretary could also contact facilities directly and request
completion of the Top-screen under Sec. 27.200 of the proposed
regulations as appropriate. Phase 2 would then progress under the
proposed regulations under the standard timeframes contemplated by
those regulations. When appropriate, the Assistant Secretary would
prioritize and could expedite review for a particular covered facility
based on risk.
Finally, as Phase 2 is underway, the Assistant Secretary could, as
soon as appropriate, initiate a Phase 3 process for other high risk
facilities not addressed in Phases 1 and 2. We contemplate that Phase 1
would be completed as soon as possible, and certainly during the first
year of the program. Phase 2 would be well underway during year one,
but could be completed during the second year. Phase 3 could begin some
time later. Of course, every covered facility in each of these 3
proposed program phases would be subject to requirements of Sec. Sec.
27.215, 27.225, and 27.245 for continuing obligations for plan updates,
audits and inspections. Pursuant to Sec. 27.215 and Sec. 27.225 of
the proposed rules, the frequency and nature of these continuing
requirements would vary for covered facilities based on placement in
the risk-based tiers.
If such a phased system is implemented, the Department would issue
guidance further describing each phase in additional detail.
The Department requests comment on the viability and practicality
of this phasing proposal for the Section 550 program.
B. Consultations and Technical Assistance
As with any new regulatory program, it is very important that the
Department ensure a uniform and fair approach in each of the
programmatic phases to the many activities described in these
regulations. Uniformity could be particularly difficult to achieve as
the program matures, as new officers are trained and begin the process
of reviewing Vulnerability Assessments and Site Security Plans, and as
audits and inspections are conducted. The Department has several
structural means to address its concerns about uniformity and fairness.
First, at each step of the process, a facility may seek to ``consult''
with Department officials on procedural or policy matters or on the
application of the performance standards. Such consultations are
addressed in Sec. 27.115 of the proposed regulations. Second,
the Assistant Secretary and a designated Coordinating Official will
have a specific responsibility under these regulations to ensure
uniformity and fairness by program officials. Third, to the extent that
resources permit, the Department will provide technical assistance to
covered facilities. As the program matures and further guidance is
issued, the level of necessary technical assistance may decline. But in
the initial stages of the program, this type of assistance may be very
important. The Department recognizes that the initial period of the
program implementation will be the most challenging for covered
facilities. The Department requests comment on these and other
activities that may improve the implementation process. Note also that
the proposed regulations contemplate more formal processes for
administrative Objections and Appeals in sections 27.205(c); 27.220(b);
27.240(b), (c); 27.310(c); and 27.320.
IV. Other Issues
A. Third-Party Lawsuits
Section 550 provides that ``nothing in [that] section confers upon
any person except the Secretary a right of action against an owner or
operator of a chemical facility to enforce any provision of this
section.'' Pub. L. 109-295, Sec. 550. Proposed Sec. 27.410 codifies
that provision in the regulations. The Department believes that this
statutory and regulatory language prohibits any effort by a State or
local government or other third party litigant to enforce the
provisions of Section 550, or to compel the Department to take a
specific action to enforce Section 550. Thus, the Department has
discretion to determine when and how to enforce. Note also that Section
550 has strict information protection provisions for the type of
security information that would be critical to any enforcement matter:
``That in any proceeding to enforce this section, vulnerability
assessments, site security plans, and other information submitted to or
obtained by the Secretary under this Section, shall be treated as if
the information were classified material.'' Pub. L. 109-295, Sec.
550(c).
B. Application to Facilities Manufacturing and/or Storing Ammonium
Nitrate
Section 550 provides authority for the Department to regulate
``chemical facilities'' without restricting that authority to
facilities manufacturing or storing any particular type of chemical
substance. The Department is aware, however, that some legislative
proposals not yet enacted into law contain specific provisions
regarding the security measures associated with ammonium nitrate. See
H.R. 3197, 109th Cong. (2006), S. 2145, 109th Cong. (2006). The
Department currently plans to treat ammonium nitrate chemical
facilities in the same manner that it treats facilities with other
chemicals: whether the regulations govern a particular ammonium nitrate
chemical facility will depend upon the nature of the facility and the
risk assessment results. The Department seeks comments, however, on the
application of the proposed regulations to ammonium nitrate chemical
facilities.
C. Regulatory Requirements/Matters
1. Executive Order 12,866
Executive Order 12,866, Regulatory Planning and Review, requires an
assessment of the potential costs and benefits of regulatory actions.
When the Department publishes the interim final rule, we will include
our analysis of the expected costs of the regulation and an assessment
of the benefits of the regulation. Interested persons are invited to
provide comment on all aspects of the potential costs and benefits in
order to assist the Department with its analysis. Comments containing
trade secrets, confidential commercial or financial information, or SSI
should be appropriately marked and submitted in accordance with the
procedures explained above in the ADDRESSES section. Comments that will
provide the most assistance to the Department with this rulemaking
include, but are not limited to:
The economic impact (both long-term and short-term,
quantifiable and qualitative) of the implementation of Section 550.
The monetary and other costs anticipated to be incurred by
facility owners and/or operators and any distributional effects on U.S.
citizens.
The benefits of the rulemaking.
In order to help facilitate meaningful public comment, the
Department would like to set forth a potential methodology for
analyzing the costs of the interim final rule. We have reviewed the
methodology used by the Coast Guard to analyze the economic impact of
the 33 CFR part 105 Facility Security final rule, and, due to the
similarities between the two rules, believe that this methodology has
merit and should be considered for application in this rulemaking. The
MTSA Facility Security final rule, at 68
[[Page 78292]]
FR 60536 (Oct. 22, 2003), estimated the cost of performance standards
on several thousand unique facilities. Similarly, the interim final
rule will estimate the costs of risk-based performance standards to
possibly several thousand unique facilities. The Coast Guard found it
impractical to attempt to estimate compliance costs for each individual
facility and instead developed costs based on 16 ``model facilities.''
Each of the several thousand facilities was placed into one of the 16
different subgroups for which compliance costs were then estimated.
Once the compliance costs for the 16 ``model facilities'' were
calculated, estimating the cost of the regulation was relatively
straightforward.
For the cost assessment which will accompany the interim final
rule, the Department may estimate compliance costs based on the ``model
facility'' concept explained above. Even though the interim final rule
will utilize risk-based performance standards and facilities will have
discretion on how to meet the performance objectives, the cost
assessment will need to make broad assumptions regarding the percentage
of facilities that will choose to implement or continue certain
security measures for the purposes of estimating compliance costs. For
example, many facility owners and/or operators will choose to build or
improve fences, enhance perimeter lighting, and hire additional
security guards and we may need to make assumptions on how facilities
will choose to implement the security measure in order to calculate an
estimated cost. The Department is requesting public comment on how best
to group facilities that will need to comply with this interim final
rule into ``model facilities'' for cost estimating purposes, and we are
especially interested in public comment on the criteria presented
below:
Should the ``model facility'' criteria incorporate risk-
based tiering? Compliance costs may differ for a facility according to
its risk-based tier.
Should the ``model facility'' criteria consider the size
of the facility? Larger facilities may face higher compliance costs
than smaller facilities as larger facilities may need to construct
longer fences or hire more guards. For the purpose of facilitating
comment, we will assume that facilities with six or more chemical
processes or chemicals being stored or used would be considered to be
``larger.''
Should facilities that are enclosed (i.e., warehouses,
enclosed manufacturing sites) be treated as a ``model facility'' for
cost estimating purposes?
Should facilities that might be targeted by criminals for
chemical theft or diversion be treated as a ``model facility'' for cost
estimating purposes?
The ``model facility'' estimates are expected to include
current market prices of possible security enhancements that facilities
may choose to undertake. Possible enhancements include, but are not
limited to: Primary and secondary fences, barriers at the gate,
perimeter vehicle barrier, perimeter lighting, inside lighting, CCTV
system, guards, guard houses, fence line intrusion detection system,
handheld radios, staging area for vehicle screenings and enhanced
communication systems. The Department is requesting information that
will assist with the estimation of these and any other security
enhancements. We have placed an estimate of the capital costs of
specific security enhancements in the docket in order to facilitate
public comment.
2. Regulatory Flexibility Act
DHS has not assessed whether this rule will have a significant
economic impact on a substantial number of small entities, as defined
in the Regulatory Flexibility Act (5 U.S.C. 601-612). The term ``small
entities'' comprises small businesses, not-for-profit organizations
that are independently owned and operated and are not dominant in their
fields, and governmental jurisdictions with populations of less than
50,000. Under Executive Order 13,272 and the Regulatory Flexibility
Act, when an agency publishes a rulemaking without prior notice and
opportunity for comment, the Regulatory Flexibility Act requirements do
not apply. This rule does not require a general notice of proposed
rulemaking and, therefore, is exempt from the requirements of the
Regulatory Flexibility Act. Although this rule is exempt, we request
comment on the economic impact of this rule on small entities.
3. Executive Order 13,132: Federalism
The regulations issued under Section 550 have the potential to
affect current or future State laws and regulations. Although few
States currently regulate chemical facilities as a means to prevent or
mitigate terrorist attacks, the Department plans to consult with State
officials, to the extent practicable, prior to promulgating the interim
final rule. See Exec. Order No. 13,132, 64 FR 43255 (Aug. 10, 1999).
The Department also encourages State and local officials to provide
comments in response to this advance notice. The Department
specifically seeks comment on the interaction of the proposed
regulations with existing State and local laws and regulations. As
discussed in more detail below, the Department has particular interest
in considering the effects of State and local laws and regulations on
the security-related purposes of Section 550 and the proposed
regulations.
The security of the Nation's chemical facilities is a matter of
national and homeland security. Remarks of Secretary Michael Chertoff,
March 21, 2006, and Sept. 8, 2006. As such, it is the Federal
government, and specifically the Department of Homeland Security, that
takes on the lead and coordinating role. Among the primary missions of
the Department are the prevention of terrorist attacks within the
United States; the reduction of the vulnerability of the United States
to terrorism; and the responsibility to ensure that the overall
economic security of the United States is not diminished by efforts,
activities, and programs aimed at securing the homeland. 6 U.S.C. 111.
These aims are necessarily national in scope, and the regulations
designed to enhance the security of chemical facilities against
terrorist attack reflect a considered judgment concerning the
Department's core mission. State and local governments may also take on
a vital role, particularly as first responders and in other response
capacities, but the threat of terrorist attacks, which often involve
interstate and international activities, remains a significant national
threat.
Federal preemption doctrines are founded on the Supremacy Clause of
the U.S. Constitution. U.S. Const. art. VI, cl. 2. The law of
preemption recognizes that state laws must give way to Federal statutes
and regulatory programs to ensure a unified and coherent national
approach in areas where the Federal interests prevail--such as natio