After writing this
week’s review of comments submitted to the CFATS Explosive Removal ANPRM I
have been thinking hard about the potential consequences of this ANPRM moving
forward. As I continue considering the implications, I think I may be changing
my mind about my support for the ANPRM.
From the perspective of the 24 facilities that
CISA says will be favorably impacted by removing the Division 1.1 chemicals
from the Appendix A list of DHS chemicals of interest, support for this rulemaking
is easy to justify. They will no longer have to maintain all of the security
measures that they put into place for the Chemical Facility Anti-Terrorism
Standards (CFATS) site security plans. This will save them significant amounts
of money and the time and effort necessary to keep up with the administrative
aspects of the program. Easy, peasy.
CISA justifies this deregulatory action by stating that the
rules the security and safety rules that the Bureau of Alcohol, Tobacco,
Firearms and Explosives (ATF) has in place has ensured that no facility has
been placed in the CFATS program for simply for possession of these 49
explosives as a release-security issue. The 24 facilities in the program for
just having these explosives on site as a theft/diversion security issue would
similarly be adequately protected by those same safety and security measures.
Sounds good, but wait.
ATF Generally Aligns with CFATS
Now, all of the recent posts supporting the rulemaking as
part of an apparent letter-writing campaign have referenced the same Government Accounting Office report
that they claim states that the CFATS program duplicates the BATFE regulations.
As I noted in Saturday’s post, that is not what the report actually says.
“ATF’s explosive materials program
and TSA’s rail security program contain requirements or guidance that generally
align with 11 of 18 CFATS standards.” (pg 21 – .PDF page #)
Now, the key phrase is ‘generally align with’. According to
the report (earlier in the same paragraph) that means that they “engage in
similar activities”. Later in the report (pg 27) they provide an example of what
this means in practice:
“For example, both programs require
restricted areas to be secured. Under CFATS, facilities must secure and monitor
restricted areas or potentially critical targets within a facility. Security
measures may include, for example, physical barriers, guard forces, or
intrusion-detection systems. Similarly, ATF requires explosives to be secured.
According to ATF, its regulations focus solely on where explosives are stored,
rather than the entire facility. In general, ATF requires that its licensees
and permittees secure all explosive materials in locked structures meeting
If the ATF security rules are adequate for the explosives
covered in this rulemaking, would they also not be adequate for all of the
other CFATS theft/diversion chemicals of interest? Why should a facility have
to pay the cost for the additional security requirements outlined in the CFATS
program when cheaper ATF are adequate?
ATF Does Not Address 7 Different RBPS Standards
But remember, the ATF regulations only “generally align with
11 of 18 CFATS standards”. That leaves 7 different risk-based performance
standards (RBPS) that the ATF safety and security rules do not address. They
are listed on pages 23 thru 26 of the report:
• RBPS #8 – Deter cyber sabotage,
• RBPS #9 – Develop and exercise an
emergency response plan,
• RBPS #10 – Maintain effective
monitoring, communications, and warning systems,
• RBPS #11 – Ensure proper security
• RBPS #13 – Escalate the level of
protective measures for periods of elevated threat,
• RBPS #14 – Address specific
threats, vulnerabilities or risks, and
• RBPS #17 – Establish officials
and an organization responsible for security
Again, if the ATF safety/security program provides adequate security
for the Division 1.1 explosives without addressing these seven RBPS, why should
any other facility in the program have to comply with these requirements?
Lack of Cybersecurity is Acceptable?
I find it odd in this day and age that the ATF security
rules do not address cybersecurity concerns. But what cybersecurity are we
really worried about with facilities that store/use the explosives rather than
manufacture them? Well, there are two types of cyber systems that a facility
that only possesses theft/diversion chemicals would expect to be covered under
their site security plan, access control system and the order/delivery systems
that route and record sales of the covered chemicals.
Systems that monitor and/or control access to the portions
of the facility where covered chemicals or explosives are stored could be a
primary target of any adversary that was trying to get unauthorized access to
those items. Why wouldn’t these systems have to be protected by adequate
cybersecurity? But the ATF does not think that the security of these systems
should be regulated (or maybe they were just not given authority to regulate
Both the ATF and CISA want their covered facilities to ensure
that the facilities vet their customers before delivering chemical/explosives
to them. Where that vetting, or more importantly the record of that vetting, is
checked on an electronic order approval system, CISA will demand that a CFATS
covered facility address the cybersecurity of that system in their site
How could an adequate security program not address the cybersecurity
of these systems? According to this rulemaking, CISA accepts that the lack of
cybersecurity in the ATF programs does not affect the adequacy of those
security systems. Why then should any other CFATS covered facility be required
to address those cybersecurity concerns.
More Comments Coming
We have one more week before the comment period on this
ANPRM closes. I will be watching the comment submissions closely over the next
week. If I do not see anything that addresses these concerns in that time, I
will be submitting a copy of this blog post as a second comment. I think that
CISA needs to address these concerns before this rulemaking moves forward to
the next stage.
Go to Source of this post
Author Of this post: PJCoyle