CISA faces ‘significant concerns’ over losing chemical security staff during reauthorization stalemate

CISA's program for regulating "high-risk" chemical facilities has been sidelined for more than a month now.

The Cybersecurity and Infrastructure Security Agency could lose employees involved in chemical security screenings, one of its leaders is warning, if Congress doesn’t act soon to reauthorize and fund the agency’s expired chemical security program.

The authorization for the Chemical Facility Anti-Terrorism Standards (CFATS) program lapsed on July 28 after the Senate failed to pass a reauthorization bill before going on August recess. It’s the first time the program hasn’t been reauthorized since it was created in 2007.

CISA and Department of Homeland Security leaders are now pressing Congress to reauthorize the CFATS program, warning that the absence of facility inspections and other security standards under the program increases the danger of chemical terrorism.

“The Senate must reauthorize CFATS as soon as it is back in session,” Homeland Security Alejandro Mayorkas said Aug. 29 at CISA’s annual Chemical Security Summit. “Time is not our ally when it comes to confronting terrorists, chemical weapons or chemical threats.”

The program has allowed DHS and CISA to regulate the security of more than 3,200 “high-risk” chemical facilities across the country.

The House of Representatives passed CFATS reauthorization 409-1, earlier this year. The Senate was moving to vote on reauthorization in late July before the authorization lapse and Congress went on August recess.

But Homeland Security and Governmental Affairs Committee Ranking Member Rand Paul (R-Ky.) blocked a fast-track vote on the bill, arguing in a July 26 floor speech that the regulations favored big industry while serving as a barrier for small businesses.

Despite his problems with the program, Paul said he would ask consent to pass the bill and let the program continue if the Senate considered and agreed to his amendment to add a “duplicative scoring system to all programs in government so we can review whether they already exist and are working.”

When asked about his position on CFATS reauthorization this week, a representative for Paul pointed to his floor speech.

The Senate returns from recess on Sept. 5.

Kelly Murray, associate director of CISA Chemical Security, noted that the program still has funding through the end of the fiscal year. But if the program’s authorities aren’t reauthorized soon or if Congress fails to fund the program past Sept. 30, Murray voiced concerns about losing employees.

“If we have the same level of appropriations, but no authorization, or if our appropriations did go down, I do have significant concerns that we will lose team members during this uncertainty as this lapse continues and certainly if it continues past the fiscal year,” Murray said during the summit. “But until we see what the numbers are for appropriations or authorizations, I couldn’t answer any specifics.”

Murray said the program typically completes about 160 compliance inspections a month, with more than one-third resulting in a finding of a security issue or violation with the agency’s standards.

One of the major gaps CISA is concerned about is the lack of authority to conduct its “personal surety” program that allows the agency to vet individuals seeking access to chemicals against the terrorist screening database. She said CISA received an average of 300 names a day, meaning the agency would have received approximately 9,600 names since the program lapsed in late July.

“That is an inherently governmental function that is not something that these companies can do on their own,” Murray said.

Murray said her staff is working on voluntary security programs, such as the Chemlock program, during the lapse in CFATS authorization.

CISA Director Jen Easterly said she was “disheartened” by the program’s lapse, calling CFATS “emblematic, really a shining example of smart regulation, something that is grounded in a strong partnership between industry and the federal government in a way that exemplifies what we are trying to do for the collective defense of the nation.”

In addition to physical security measures and security screenings, the CFATS authorities have also played a role in allowing CISA to regulate the cybersecurity of high-risk facilities across the chemical sector. The Biden administration has been pushing to increase cyber standards across all critical infrastructure sectors.

“We’re talking about things like inadequate security controls, inability to detect intruders, insufficient access controls, inadequate security training,” Easterly said at the Chemical Security Summit. “We’re talking about insufficient cybersecurity patching and vulnerability screening, vulnerability scanning, missing information and background investigations. These are actual vulnerabilities that have been identified by our inspectors working hand in hand with these high risk chemical facilities. And these are vulnerabilities that have been mitigated because of the program.”

CISA has been increasingly working with the chemical sector on cybersecurity efforts. Last fall, the White House announced a 100-day “sprint” with CISA and the chemical sector working together to increase the cybersecurity of industrial control systems used across facilities and increasing information sharing activities as well.

Meanwhile, Murray said CISA has also been working on updates to CFATS regulations that would include cybersecurity performance goals for the sector.

But she added that CISA cannot publish the noticed of proposed rulemaking during the program’s lapse in authorization.

“I have very serious concerns that the longer this lapse goes on, the longer that final rule is going to take to actually hit the streets, when those things become effective,” Murray said. “We’re falling behind.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

Related Stories