Legislative Approaches to Chemical Facility Security

CRS Report for Congress
Legislative Approaches to
Chemical Facility Security
Updated July 12, 2006
Dana A. Shea
Specialist in Science and Technology Policy
Resources, Science, and Industry Division


Congressional Research Service ˜ The Library of Congress

Legislative Approaches to Chemical Facility Security
Summary
Federal officials, policy analysts, and homeland security experts express concern
about the current state of chemical facility security. Some security experts fear these
facilities are at risk of a potentially catastrophic terrorist attack. The Department of
Homeland Security identifies chemical facilities as one of the highest priority critical
infrastructure sectors. Current chemical plant or chemical facility security efforts
include a mixture of local, state, and federal laws, industry trade association
requirements, voluntary actions, and federal outreach programs.
Many in the public and private sector call for federal legislation to address
chemical facility security. Still, disagreement exists over whether legislation is the
best approach to securing chemical facilities, and, if legislation is deemed necessary,
what approaches best meet the security need. Many questions face policymakers.
Is the current voluntary approach sufficient or should security measures be required?
If the latter, is chemical facility security regulation a federal role, or should such
regulation be developed at the state level? To what extent is additional security
required at chemical facilities? Should the government provide financial assistance
for chemical facility security or should chemical facilities bear security costs?
Critical issues surrounding chemical facility security legislation include
determining which chemical facilities should be protected by analyzing and
prioritizing chemical facility security risks; identifying which chemical facilities pose
the most risk; and establishing what activities could enhance facility security to an
acceptable level. Mechanisms for assessing security risk might include weighing the
known or theoretical terrorist threat faced by a particular facility, the chemical
hazards held at a facility, the quantities and location of those chemicals relative to the
surrounding population, or the facility’s industrial classification.
Some security regulation exists for some chemical facilities under other
legislation, such as the Maritime Transportation Security Act (MTSA) (P.L.
107-295), the Safe Drinking Water Act (SDWA), as amended by the Bioterrorism
Preparedness Act (P.L. 107-188), and select state laws. Potential chemical facility
security enhancements might be achieved through a range of policy approaches:
providing security grants to high risk facilities; mandating site vulnerability
assessments; compelling vulnerability remediation; establishing federal security
standards; or requiring the consideration or use of specific technologies. In some
cases, proposed legislation complements existing law, while overrides it in others.
In the 109th Congress, legislation exists in both chambers. In the Senate, S.

2145 and S. 2486 have been introduced. In the House, H.R. 1562, H.R. 2237, H.R.


4999, a companion bill to S. 2145, and H.R. 5695 have been introduced. The details
of each bill’s security requirements vary.
This report will discuss current chemical facility security efforts, issues in
defining chemical facilities, policy challenges in developing chemical facility security
legislation, and the various policy approaches. This report will be updated as
circumstances warrant.



Contents
In troduction ......................................................1
Current Efforts To Secure Chemical Facilities...........................3
Voluntary Efforts..............................................3
State Efforts..................................................4
Federal Efforts................................................5
Congressional Actions......................................6
Federal Agency Action.....................................6
Policy Issues......................................................8
Understanding Chemical Facilities................................9
Defining by Chemical......................................9
Defining by Consequence..................................11
Defining by Industry Classification...........................12
Effects of Thresholds on Chemical Facilities.......................13
Types of Facilities........................................13
Number of Facilities......................................14
Lead Federal Agency..........................................15
Extent of Security Measures....................................16
Auditing of Vulnerability Assessments and Security Plans.........16
Prescriptive Versus Performance-based Requirements............17
Inherently Safer Technologies...............................19
Consequences of Noncompliance............................21
Coordinating Regulatory Initiatives With Existing Efforts.............21
MTSA and SDWA........................................21
State and Local Regulation.................................22
Voluntary Efforts.........................................22
Potential Approaches to Security Legislation...........................22
Maintain the Status Quo........................................23
Provide Additional Resources Under Existing Law..................23
Enhance Existing Law with Additional Authorities..................24
Create New Security Authorities.................................25
Appendix A.....................................................27
List of Figures
Figure 1. Infrastructure Sector Representation for RMP Facilities at Two
Worst Case Scenario Thresholds................................14
List of Tables
Table 1. Number of RMP Facilities Reporting at Selected Potential
Consequence Thresholds.......................................15
Table 2. NAICS Codes Used to Model Infrastructure Sectors from
EPA RMP Data..............................................27



Legislative Approaches to Chemical Facility
Sec u rity
Introduction
Federal officials, policy analysts, and homeland security experts express concern
about the current state of chemical facility security. Referring to them as “the single
greatest danger of a potential terrorist attack in our country today,” some experts fear
these facilities are at risk of a potentially catastrophic terrorist attack.1 The
Department of Homeland Security (DHS) identifies chemical facilities as being one
of the highest priority critical infrastructure sectors.2
Currently, chemical facility security efforts include a mixture of local, state, and
federal laws, industry trade association requirements, voluntary actions, and federal
outreach programs. The DHS has identified this composite as being insufficient in
addressing security for the entire chemicals sector. Additionally, various costs and
requirements may act as disincentives to stakeholders attempting to create uniform,
effective security against terrorist attack.
Many in the public and private sector call for federal legislation to address
chemical facility security.3 Still, disagreement exists over whether federal legislation
is the best approach to securing chemical facilities, and, if legislation is deemed
necessary, what approaches best meet the security need. Since the population
potentially affected by a chemical release generally resides near specific facilities,
some experts may argue that chemical facility security concerns should be dealt with
by state or local authorities. Other experts claim the potentially catastrophic nature
of a terrorist attack and the widespread distribution of chemical facilities make
chemical facility security an issue of national concern. Policymakers may decide that
chemical facility security is a matter of national homeland security and is best
addressed at the federal, rather than state level.


1 Oral Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the
Senate Homeland Security and Governmental Affairs Committee on April 27, 2005.
2 Oral Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information
Analysis and Infrastructure Protection, Department of Homeland Security, before the House
Homeland Security Committee, Subcommittee on Economic Security, Infrastructure
Protection and Cybersecurity, on June 15, 2005.
3 For example, see Letter to Editor from Tom Ridge, Director, Office of Homeland Security
and Christine Whitman, Administrator, Environmental Protection Agency, Washington Post,
October 6, 2002. Testimony of Stephen E. Flynn, Council on Foreign Relations, before the
Senate Homeland Security and Governmental Affairs Committee on April 27, 2005.
Testimony of Martin J. Durbin, American Chemistry Council, before the Senate Homeland
Security and Governmental Affairs Committee on July 13, 2005.

Critical issues surrounding chemical facility security legislation include
determining which chemical facilities should be protected, which involves analyzing
and prioritizing chemical facility security risks, identifying which chemical facilities
pose the most risk, and establishing what activities could enhance facility security to
an acceptable level. Because of the widespread use of chemicals in U.S. society,
determining which chemical facilities to protect is a challenge. Selection might be
based on relative risk, but it is not clear how this risk might be determined.
Mechanisms for assessing security risk might include weighing the known or
theoretical terrorist threat faced by a particular facility, the chemical hazards held at
a facility, the quantities of those chemicals, and the location of those chemicals
relative to the surrounding population.
Security regulation of some chemical facilities is established under certain
statutes, including the Maritime Transportation Security Act (MTSA) (P.L. 107-295)
and the Safe Drinking Water Act (SDWA), as amended by the Bioterrorism
Preparedness Act (P.L. 107-188). Several states have established homeland security
statutes and three, New Jersey, Maryland, and New York, have state laws or
regulations specifically addressing chemical facility security. Potential chemical
facility security enhancement might be achieved through a range of policy
approaches: providing grants to increase security at high risk facilities; mandating
site vulnerability assessments; compelling vulnerability remediation; establishing
federal security standards; or requiring the consideration or use of specific
technologies. Proposed legislation may aim to complement existing law or to
override it.
In the 109th Congress, legislation has been introduced in both chambers
addressing concerns regarding chemical facility security. In the Senate, S. 2145, the
Chemical Facility Anti-Terrorism Act of 2005, and S. 2486, Chemical Security and
Safety Act of 2006, have been introduced. In the House, H.R. 1562, the Chemical
Facility Security Act of 2005, H.R. 2237, the Chemical Security Act of 2005, H.R.

4999, a companion bill to S. 2145, and H.R. 5695, the Chemical Facility Anti-


Terrorism Act of 2005, have been introduced. Each bill contain provisions requiring
vulnerability assessment and the creation of security plans, though details vary
significantly between the bills. One area of previous contention involves inclusion
of consideration or use of inherently safer technologies. S. 2486 and H.R. 2237 both
explicitly address inherently safer technologies, while S. 2145/H.R. 4999, H.R. 5695
and H.R. 1562 do not.
This report will discuss current chemical facility security efforts, considerations
in defining chemical facilities, policy challenges in developing chemical facility
security legislation, and select policy approaches. For information on the risks of
terrorism at chemical facilities, previously established federal safety requirements,
general policy issues, and an overview of legislative initiatives in prior Congresses,
see CRS Report RL31530 Chemical Facility Security, by Linda-Jo Schierow.



Current Efforts To Secure Chemical Facilities
Many organizations are undertaking efforts to secure chemical facilities. Some
efforts are voluntary in nature, involving security best practices, or semi-voluntary,
such as requirements for membership in trade associations. Other efforts arise from
state or local chemical facility security regulation. Finally, federal security legislation
affecting some chemical facilities was enacted in previous Congresses. Federal
agency outreach activities continue.
Voluntary Efforts
Industry trade associations have developed and publicized security best practices
for their member companies.4 These practices vary, but many recommend or require
vulnerability assessments of chemical facilities, generation of security plans to
address the largest vulnerabilities, implementation of these security plans, and, in
some cases, external auditing of these security plans or their implementation. One
of the most often discussed trade association security requirements is the American
Chemistry Council’s (ACC) Responsible Care program.5 The DHS officially
recognizes the Responsible Care Security Code as an Alternative Security Program
for the purposes of compliance with MTSA.6 The ACC companies comprise almost
90% of basic industrial chemical production, although their members are only a small
fraction of the total number of chemical manufacturers. While many other chemical
manufacturers and distributors participate in other trade associations, the DHS
testified that approximately 20% of the chemical facilities that DHS identifies as high
risk do not participate in any voluntary security program.7
Some argue that a voluntary security program is insufficient to meet the risk of
a significant terrorist attack. One security expert testified that
... it is a fallacy to think that profit-maximizing corporations engaged in a trade
as inherently dangerous as the manufacture and shipment of TIH [Toxic


4 For examples, see the American Chemistry Council [http://www.americanchemistry.com/],
the Synthetic Organic Chemical Manufacturers Association [http://www.socma.com], the
National Petrochemical and Refiners Association [http://www.npra.org/], and the American
Petroleum Institute [http://www.api.org].
5 For more information on the American Chemistry Council’s Responsible Care program,
see online at [http://www.responsiblecaretoolkit.com/index.asp].
6 Testimony of Rear Admiral Craig E. Bone, U.S. Coast Guard, before the Senate Homeland
Security and Governmental Affairs Committee on July 27, 2005. See also testimony of
Martin J. Durbin, American Chemistry Council, before the Senate Homeland Security and
Governmental Affairs Committee on July 13, 2005.
7 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information Analysis
and Infrastructure Protection, Department of Homeland Security, before the House
Homeland Security Committee, Subcommittee on Economic Security, Infrastructure
Protection and Cybersecurity, on June 15, 2005.

Inhalation Hazard] chemicals will ever voluntarily provide a level of security that8
is appropriate given the larger external risk to society as a whole.
Others challenge the voluntary security plans as vague, inappropriately focused on
physical security, and difficult to verify.9 Some analysts likewise believe that current10
security at chemical facilities would not stop a determined, armed attacker.
Supporters of voluntary efforts cite the large investment made in site security
since 2001 and other efforts to reduce risk as signs of their effectiveness. The ACC,
for example, notes that its member companies invested over $2 billion in security
enhancements since 2001.11 Additionally, some facilities voluntarily switched
chemicals, changed manufacturing processes, or reduced the amount of chemicals on-
site.12 As one industry trade association representative testified, “Our efforts show
that industry does not need to be prodded by government mandates to take aggressive
and effective steps to secure its facilities.”13
State Efforts
Several states have safety or environmental laws applying to chemical facilities,
but three, New Jersey, Maryland, and New York, have enacted security laws that
specifically target chemical facilities. Under New Jersey’s Domestic Security
Preparedness Act of 2001, the New Jersey Domestic Security Preparedness Task
Force is authorized to adopt and enforce security standards on the public and private
sector, following review and approval by the Governor.14 In November, 2005, the
Task Force mandated chemical facilities to comply with previously voluntary best
practices, including reviewing existing processes for inherently safer alternatives at


8 Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the Senate
Homeland Security and Governmental Affairs Committee on April 27, 2005.
9 Testimony of Carol Andress, Environmental Defense, before the Senate Homeland
Security and Governmental Affairs Committee on July 13, 2005.
10 See, for example, testimony of Sal DePasquale, Independent Consultant, before the House
Homeland Security Committee, Subcommittee on Economic Security, Infrastructure
Protection and Cybersecurity, on June 15, 2005.
11 Testimony of Martin J. Durbin, American Chemistry Council, before the Senate
Homeland Security and Governmental Affairs Committee on July 13, 2005.
12 For representative examples, see Environmental Defense, Eliminating Hometown
Hazards: Cutting Chemical Risks at Wastewater Treatment Facilities, December 2003.
13 Testimony by Steven P. Bandy, Marathon Ashland Petroleum, on behalf of the National
Petrochemical and Refiners Association and the American Petroleum Institute, before the
House Committee on Homeland Security, Subcommittee on Economic Security,
Infrastructure Protection, and Cybersecurity, on June 15, 2005.
14 New Jersey Senate Bill S-2575, New Jersey Domestic Security Preparedness Act, was
signed into law on October 4, 2001.

specific facilities. Facilities must report to the New Jersey Department of
Environmental Protection.15
Under Maryland’s Hazardous Material Security Act, facilities that are required
to file Environmental Protection Agency (EPA) risk management plans (RMPs) must
perform vulnerability assessments and implement plans to address those
vulnerabilities. The Hazardous Material Security Act excludes agricultural fertilizer
retailers from this requirement. The facilities must report to the Maryland
Department of the Environment and the Maryland State Police.16
Under New York’s Anti-Terrorism Preparedness Act of 2004, the New York
Office of Homeland Security is charged with reviewing the vulnerability of chemical
plants, following which it can recommend security improvements at particular plants.
The Anti-Terrorism Preparedness Act of 2004 also allows the state Office of
Homeland Security, in consultation with stakeholders, to identify chemical facilities
covered by the law. It excludes facilities holding fuel for retail sale and facilities that
are water suppliers. The Department of Environmental Conservation enforces the
law. 17
Policymakers who believe that states are better suited to assess local threats and
vulnerabilities may prefer chemical facility security measures to be developed locally.
A potential concern of industry about such state laws is that a patchwork of
regulations could develop, with different standards applying to facilities located in
different states. Consequently, facilities in some states might be more secure than in
others, or a facility’s out-of-state competitors might face very different security costs.
Policymakers who believe such an approach does not provide sufficient security to
the population at large, or places an uneven burden on industry may prefer a national
standard. Also, some chemical facilities located near state borders may pose risks
across state lines, supporting efforts for a national standard.
Federal Efforts
Congress has passed many environmental and safety statutes which may provide
ancillary security benefits. Congress has also enacted legislation providing security
requirements for some specific types of chemical facilities, but these requirements
vary among different statutes. Also, the federal government, through the Department
of Homeland Security and other agencies, engages the private sector in a
public/private partnership, raising the profile of chemical facility security and
providing first responders with federal funding to secure critical infrastructure,
including chemical facilities.


15 Office of the Acting Governor, State of New Jersey, “New Jersey Becomes First State to
Require Chemical Plant Security Measures to Protect Against Terrorist Attack,” Press
Release, November 29, 2005.
16 Maryland House Bill 493, Hazardous Material Security, was signed into law on May 26,

2004.


17 New York Senate Bill 7685, The Anti-Terrorism Preparedness Act of 2004, was signed
into law on July 23, 2004.

Congressional Actions. The 107th Congress enacted the Maritime
Transportation Security Act of 2002 (MTSA) (P.L. 107-295). The MTSA assigned
the Coast Guard the responsibility of securing U.S. ports. Ports and facilities located
within ports must perform vulnerability assessments and develop security plans.
Ports are often the location of chemical facilities, such as petroleum refineries.
According to the Coast Guard, 238 chemical facilities must comply with MTSA.18
For more information, see CRS Report RL31733 Port and Maritime Security:
Background and Issues for Congress, by John F. Frittelli.
The 107th Congress also enacted the Public Health Security and Bioterrorism
Preparedness and Response Act (P.L. 107-188). This legislation amended the Safe
Drinking Water Act (SDWA) to require community water systems serving more than
3,300 people to perform site vulnerability assessments and develop emergency
response plans. Plans for addressing known vulnerabilities were not required. The
vulnerability assessments must be submitted to the EPA. Community water facilities
receive some federal funding to aid in assessing and addressing critical
vulnerabilities. Drinking water systems storing large quantities of chemicals may be
considered chemical facilities and, if those facilities serve a sufficient population,19
would fall under SDWA. The contents of the emergency response plans required
under the SDWA are not equivalent to the security plans required under MTSA. For
more information on EPA implementation of drinking water security, see CRS
Report RL31294 Safeguarding the Nation’s Drinking Water: EPA and
Congressional Actions, by Mary Tiemann.
Federal regulations governing environmental releases, public health, and worker
safety have been developed and applied to chemical facilities. Some activities
undertaken to meet these regulatory obligations may have an auxiliary security
benefit, either by lowering the consequences of a chemical release or through
reduction of a particular vulnerability. Also, federal security regulations exist for
some specific chemical, or chemical-related, facilities. In general, these security
regulations were developed to protect facilities against criminal activities, such as
vandalism or theft, rather than terrorist attack. Examples of such security regulations
include the protection of liquified natural gas storage facilities (49 CFR 193),
hazardous liquids pipeline pumping stations (49 CFR 195.436), and storage sites for
hazardous materials shippers (49 CFR 172.800).
Federal Agency Action. Under the above statutes, the EPA and DHS engage
in increasing chemical facility security. Facility owners and operators can assess site
security using vulnerability assessment tools developed by each agency. The EPA,
in conjunction with Sandia National Laboratories and the AWWA Research
Foundation, developed Risk Assessment Methodology for Water Utilities (RAM-W),


18 Testimony of John B. Stephenson, United States Government Accountability Office,
before the Senate Committee on Homeland Security and Governmental Affairs on April 27,

2005.


19 For example, the EPA RMP*INFO database, May 2005 version, lists 1,747 facilities
identified by NAICS code 22131, Water Supply and Irrigation Systems.

a risk assessment methodology for water systems.20 The DHS, through the American
Society of Mechanical Engineers (ASME), developed an assessment tool called Risk
Assessment and Management for Critical Asset Protection (RAMCAP), which is
currently being employed in the chemical industry under a pilot program.21
The DHS, as the lead federal agency for the chemicals sector under Homeland
Security Presidential Directive 7, visits selected chemical facilities. To prioritize
outreach to the chemicals sector, DHS has divided, using DHS-determined metrics,
the universe of RMP facilities into four tiers. Only 272 facilities occupy the top two
tiers. Representatives from either the U.S. Coast Guard or the Information
Awareness and Infrastructure Protection Directorate have visited each of these top
tier facilities.22 In addition, DHS employees conduct site assessment visits in
conjunction with local law enforcement. These “inside-the-fence” vulnerability
assessments have been performed at 38 of the highest consequence facilities. The
DHS plans to visit 50 more in FY2006.23
The DHS also maintains the Buffer Zone Protection Program (BZPP), which
provides targeted funding through states to local jurisdictions in order to enhance
security surrounding critical infrastructure facilities.24 This program is not specific
to chemical facilities, but instead is designed to increase the level of general critical
infrastructure security. As of April 2005, state Homeland Security Advisors
submitted to DHS 113 buffer zone protection plans developed for chemical
facilities.25 According to the Government Accountability Office, DHS has identified
259 chemical manufacturing plants and storage and supply facilities eligible under
the 2005 BZPP criteria of potentially affecting more than 50,000 people through a
chemical release.26 In 2006, DHS established the Chemical–Buffer Zone Protection


20 For more information on RAM-W and EPA water security activities, see online at
[http://cfpub.epa.gov/safewater/watersecurity/index.cfm].
21 Other vulnerability and risk assessment methodologies for chemical facilities have been
developed. For example, the Risk Assessment Methodology for Chemical Facilities (RAM-
CF) was developed by the EPA, the Department of Justice, and Sandia National
Laboratories.
22 The Information Analysis and Infrastructure Protection Directorate is identified by
Secretary Chertoff as a DHS component to be divided and reconstituted, with infrastructure
protection moving to the new Preparedness Directorate. Testimony of DHS Secretary
Michael Chertoff before the Senate Homeland Security and Governmental Affairs
Committee on July 14, 2005.
23 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information
Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate
Homeland Security and Governmental Affairs Committee on June 15, 2005.
24 For more information on the Buffer Zone Protection Program, see U.S. Department of
Homeland Security, Office of Grants and Training, FY 2006 Infrastructure Protection Grant
Program: Buffer Zone Protection Program Guidelines and Application Kit, 2006.
25 Department of Homeland Security, Protecting America’s Critical Infrastructure —
Chemical Security: A Fact Sheet, April 30, 2005.
26 Government Accountability Office, Homeland Security: DHS Is Taking Steps to Enhance
(continued...)

Grant Program. This program focuses exclusively on chemical facilities and
provides total funding of $25 million to nine states to enhance buffer zone protection
planning surrounding chemical manufacturing facilities.27
The Chemical Sector Coordinating Council (CSCC), formed in May 2004, is a
point of contact for DHS to communicate across the chemicals sector. The CSCC
is comprised of 16 chemical associations.28 The DHS is working with the CSCC on
a Chemical Sector-Specific Plan as part of the National Infrastructure Protection
Plan. The DHS is also currently piloting the Homeland Security Information
Network — Chemical, an information sharing mechanism, through the CSCC.29 This
activity occurs in addition to the previously established Information Sharing and
Analysis Center established through the American Chemistry Council.30
Policy Issues
Policymakers may decide to develop legislation with new authorities that would
require additional chemical facility security. Key policy issues that may arise during
the consideration of such legislation include the adequate coverage of the chemical
facility universe; the federal agency overseeing any new requirements; the extent of
new security measures required, such as requiring increases in physical security or
reducing chemical hazards through alternative approaches; treatment of existing
federal and state laws; and recognition of preexisting industry security efforts.


26 (...continued)
Security at Chemical Facilities, but Additional Authority Is Needed, GAO-06-150, February

27, 2006.


27 U.S. Department of Homeland Security, Office of Grants and Training, FY 2006
Infrastructure Protection Grant Program: Chemical Sector Buffer Zone Protection Program
Guidelines and Application Kit, 2006.
28 Chemical Sector Coordinating Council members include the American Chemistry
Council, the American Forest and Paper Association, the Chemical Producers and
Distributors Association, the Chlorine Chemistry Council, the Compressed Gas Association,
CropLife America, the Institute of Makers of Explosives, the International Institute of
Ammonia Refrigeration, the National Association of Chemical Distributors, the National
Paint and Coatings Association, the National Petrochemical and Refiners Association, the
Synthetic Organic Chemical Manufacturers Association, the Adhesive and Sealant Council,
the Chlorine Institute, the Fertilizer Institute, and the Society of the Plastics Industry, Inc.
Testimony by John B. Stephenson, Government Accountability Office, before the Senate
Committee on Homeland Security and Governmental Affairs on April 27, 2005.
29 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information
Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate
Homeland Security and Governmental Affairs Committee on June 15, 2005.
30 Testimony of Martin J. Durbin, American Chemistry Council, before the Senate
Homeland Security and Governmental Affairs Committee on July 13, 2005.

Understanding Chemical Facilities
Establishing a definition of the phrase chemical facility is a key component of
potential legislation. As the DHS Acting Under Secretary for Information Analysis
and Infrastructure Protection testified,
... the very first thing we’re going to have to do is come to an adequate, agreed-
upon definition of what the chemical sector actually is, because without that, we31
will be going all over the place.
Some people include only facilities involved in chemical manufacture and
distribution. Others include any site containing chemicals. The narrowness or
breadth of this definition will likely influence the practicability of security regulations
and determine the degree of security risk reduction.
This section discusses three possible mechanisms for selecting chemical
facilities for security regulation, based on a list of chemicals, the potential
consequences of a terrorist attack, or an industrial classification. Considering the
breadth of U.S. chemical sites that could be attractive targets for terrorists, it is likely
that a comprehensive definition will require a combination of approaches.
Defining by Chemical. Environmental and safety legislation often list, or
direct an agency to list, chemicals for regulation, and then require regulation of those
facilities that contain them, usually at levels above certain threshold quantities.
Examples of such legislation include the Emergency Planning and Community Right
to Know Act (EPCRA), passed as part of the Superfund Amendments and
Reauthorization Act (P.L. 99-499), and the Clean Air Act Amendments of 1990 (P.L.
101-549), which established both the Environmental Protection Agency (EPA) risk
management program and the Occupational Safety and Health Administration
(OSHA) process safety management program.
One challenge in using this approach may be determining which chemicals to
include when considering chemical facility security. Existing federal chemical lists
are generally developed for other reasons, and therefore may not be appropriate for
security purposes. For example, the Department of Transportation list for regulation
of transport of hazardous materials contains several thousand chemicals, not all of
which are a security risk.32 The OSHA process safety standard applies to a group of
highly hazardous chemicals selected because of their potential hazard to workers.33
The EPCRA lists several hundred chemicals in order to ensure the safety of first
responders in the event of a chemical accident.34


31 Oral Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information
Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate
Homeland Security and Governmental Affairs Committee on June 15, 2005.
32 See 49 CFR 172.101.
33 See 49 CFR 1910.119 Appendix A.
34 See 40 CFR Part 68.

The Clean Air Act, Section 112(r), requires a risk management plan (RMP) for
facilities possessing more than threshold quantities of any of 140 chemicals.35 These
chemicals are included because of their potential for acute, offsite consequences to
human health or the environment in the event of a sudden, large, accidental release.
The risk management program requires these facilities to estimate the population that
might be affected under a worst-case scenario release, calculating the population that
resides within a circle surrounding the facility, with the radius of the circle
determined by the distance the worst-case scenario release might travel.36 While
these estimates are not intended to model a potential terrorist release, the potentially
affected population in a worst-case scenario is often cited in discussing chemical
facility security risks.
Such hazardous chemical lists generally identify chemicals based on an inherent
hazard, such as toxicity or flammability. One potential drawback to defining
facilities by referring to these lists is that they exclude potentially hazardous
chemicals for reasons other than risk. For example, the RMP list, often referred to
in discussions of chemical facility security, does not include explosives.37 It also
exempts material already regulated under 49 CFR 192, 193, and 195, such as
liquified natural gas, which is covered by other safety regulations.38 The list of RMP
facilities was further reduced by statute to exclude facilities where flammables are
stored on site as fuel or for retail distribution as fuel.39 Congress may or may not
want to include such exempted materials when considering chemicals in a terrorism
context.
Of course, any of the above lists, or any other chemical list, might be edited to
meet the security need. To better focus federal resources, a much shorter list of
chemicals might be desirable. Alternatively, an appropriate federal agency might
develop a new chemical list specifically for security purposes, avoiding a focus on
previous lists. One safety expert testified that
I would not want [the Department of] Homeland Security to think that somehow
it can pull out of another agency the named list of chemicals and talk to the40


industry and say these are the only ones we’re going to worry about.
35 The list of 140 chemicals, 77 toxic chemicals and 63 flammable chemicals, and their
threshold quantities are found at 40 CFR 68.130.
36 The criteria and guidelines for determining the worst-case scenario release are found at
40 CFR 68.25. The criteria for determining the distance a worst-case scenario release might
travel are found at 40 CFR 68.22.
37 63 Fed. Reg. 640-645, January 6, 1998.
38 40 CFR 68.3
39 The latter category was exempted through the passage of P.L. 106-40, the Chemical Safety
Information, Site Security and Fuels Regulatory Relief Act of 1999.
40 Testimony of Gerald Poje, Former Board Member, U.S. Chemical Safety and Hazard
Investigation Board, before the Senate Homeland Security and Governmental Affairs
Committee on July 13, 2005.

Policymakers might require a federal agency, such as EPA or DHS, to develop and
maintain such a list. If Congress wants chemical facility security efforts to address
particular chemical threats, it might list specific chemicals in statute, while allowing
the federal agency to modify the list.41
Defining by Consequence. Another potential criterion for determining
which chemical facilities to address is the likelihood and severity of adverse
consequences in the case of a terrorist attack. Such consequences might include the
possibility or probability of injury, loss of life, financial harm, environmental
damage, or loss of critical chemical production. Experts disagree on how best to
determine the likelihood and severity of these consequences, their relative
importance, and whether these different consequences lend themselves to
comparison, should be considered independently, or can be appropriately ranked.
Because federal resources are limited, prioritizing chemical facilities by risk
may be an effective approach to maximizing the benefits from security spending.
DHS Secretary Chertoff, implying such an approach, stated, “When you start to think
about your priorities, you’re going to think about making sure you don’t have a42
catastrophic thing first.” A risk-prioritization approach may allow the development
of thresholds defining risk characteristics for chemical facilities, and thereby
determine which chemical facilities should receive federal resources or require
federal attention. The magnitude of the threshold used would likely determine
several characteristics of the chemical facility universe, including the inclusion or
exclusion of different types of chemical facilities, the regional distribution of
facilities, the degree of potential increased security, and the program cost.
An additional factor in defining by consequence involves the type of data that
might be used to determine a risk threshold. What metric is most appropriate and
how should it be determined? For example, in considering human casualties, should
one consider a worst-case scenario or a more probable release? The degree of
complexity and accuracy required to model these scenarios might be an area of
contention. For example, DHS uses a different methodology to determine potentially
affected people following a terrorism-related chemical release than EPA uses when
assessing potential risks from accidental releases.
The potentially affected residential population in the EPA RMP program’s
worst-case scenario is often cited in the debate about chemical facility security.
These predictions are known to be very conservative and are intended to be used for
planning purposes by emergency response organizations and government agencies.
Some analysts assert that these RMP figures are a viable starting point for prioritizing43
chemical facility risk. Other analysts assert that RMP figures overestimate the


41 Such an approach was taken with the risk management program. The EPA was authorized
to develop and maintain a list of chemicals and directed to include specific ones.
42 As quoted in Lara Jakes Jordan, “Chertoff: States Foot Transit Safety Bill,” Associated
Press, July 15, 2005.
43 Oral Testimony of Carol Andress, Economic Development Specialist, Environmental
Defense, before the Senate Homeland Security and Governmental Affairs Committee on
(continued...)

actual number of casualties. For example, DHS modeling of one specific facility
showed that the number of persons potentially affected was much lower than
projected from regulatory calculations.44
Still others contend that the RMP figures may underestimate the casualties from
a terrorist attack, as the scenarios are modeled on a release from a single chemical
process. Since many chemical processes may be located in a chemical facility, it is
possible that a greater amount of chemical might be released during an intentional
attack than during an accidental release.45 Determining the extent of likely casualties
from a release might require extensive modeling of facility location, meteorological
information, surrounding population distribution, and other factors, which may prove
to be prohibitively difficult for a large number of chemical facilities.
Defining by Industry Classification. Another approach towards defining
chemical facilities might be by industrial classification. Such an approach appears
to align with The National Strategy for Physical Protection of Critical Infrastructure
and Key Assets and Homeland Security Presidential Directive 7 (HSPD-7), where
critical infrastructure is subdivided into specific infrastructure sectors and federal46
agencies are assigned lead roles for each sector. Critical infrastructure sectors may
be composed of similar industries or of industries with common elements. For
example, HSPD-7 identifies an “energy” sector and a “chemical and hazardous
materials” sector. The latter sector is defined to include chemical manufacturers and
processors. The range of facilities that policymakers may wish to include in chemical
facility legislation may not align cleanly, however, with either a particular industrial
classification or with a single critical infrastructure sector. For example, users of
large amounts of chemicals, such as water or wastewater treatment facilities, may fall
into a critical infrastructure sector other than “chemical and hazardous materials.”
The Department of Labor uses the North American Industrial Classification
System (NAICS) to classify employment and economic data by industry.47 NAICS
codes are hierarchical; codes containing more digits are subsets of codes containing
fewer digits. For example, NAICS code 3251 (Basic Chemical Manufacturing) is a
subset of NAICS code 325 (Chemical Manufacturing). The NAICS codes are often


43 (...continued)
July 13, 2005.
44 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information
Analysis and Infrastructure Protection, Department of Homeland Security, before the Senate
Homeland Security and Governmental Affairs Committee on June 15, 2005.
45 Oral Testimony of Glenn Erwin, United Steel, Paper and Forestry, Rubber,
Manufacturing, Energy, Allied Industrial and Service Workers International Union, before
the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005.
46 Executive Office of the President, The White House, The National Strategy for Physical
Protection of Critical Infrastructure and Key Assets, February 2003. Executive Office of
the President, The White House, Critical Infrastructure Identification, Prioritization, and
Protection, Homeland Security Presidential Directive 7, December 17, 2003.
47 For more information about NAICS codes, see online at
[ h t t p : / / www.c e n s u s . go v/ e p c d / www/ na i c s .ht ml ] .

self-assigned, in that a facility determines which NAICS code appropriately defines
its business activity. Therefore, an approach relying on these codes might be
susceptible to error due to incorrect self-assignment. On the other hand, federal
agencies use such industry classification schemes to assess economic activity across
industry groups, indicating that this self-classification scheme may be acceptable.
Defining chemical facilities according to industry classification might lead to
the “one size fits all” approach to chemical facility security criticized by various
industry groups.48 Such an approach may require facilities that are not a security risk
to increase their security solely because of their industry classification, rather than
their actual risk. Such security efforts might not reduce the national risk and might
be viewed as counterproductive, potentially impairing economic efficiency without
increasing security. Moreover, due to fiscal constraints, smaller facilities might be
unable to meet requirements designed for larger facilities, potentially damaging a
company’s ability to operate.49, 50
Effects of Thresholds on Chemical Facilities
The relative representation of the different chemical-using industries will
depend on the choice of legislative definition. Some security experts argue that any
chemical facility that could endanger the surrounding residential population should
be considered under chemical facility security legislation.51 Others advocate a tiering
system based on a consequence metric.
Depending on the legislative definition, different infrastructure sectors will be
included as chemical facilities. The types of infrastructure sectors included as
chemical facilities might be reduced by using a consequence threshold, as this would
further refine the number of affected facilities. This section will use the EPA RMP
data as a case study to discuss the types of infrastructure sectors found in the RMP
program and to illustrate the impacts of applying a consequence threshold.
Types of Facilities. A potential difficulty of focusing on a particular industry
sector, or of using industrial classification to define chemical facilities, derives from
the diverse impacts that particular industries have on security. That is, depending on


48 Testimony of Matthew Barmasse, on behalf of the Synthetic Organic Chemical
Manufacturers Association, before the Senate Homeland Security and Governmental Affairs
Committee on July 13, 2005. See also testimony of Allen Summers, on behalf of the
Fertilizer Institute, before the House Homeland Security Committee, Subcommittee on
Economic Security, Infrastructure Protection and Cybersecurity, on June 15, 2005.
49 Oral Testimony of Bob Slaughter, National Petrochemical and Refiners Association,
before the Senate Homeland Security and Governmental Affairs Committee on July 13,

2005.


50 Testimony of Matthew Barmasse, on behalf of the Synthetic Organic Chemical
Manufacturers Association, before the Senate Homeland Security and Governmental Affairs
Committee on July 13, 2005.
51 Oral Testimony of Beth Turner, Director, Global Operations Security, E.I. duPont de
Nemours and Company, Inc., before the Senate Homeland Security and Governmental
Affairs Committee on July 27, 2005.

the magnitude of the consequence, different industrial classifications account for the
major portion of the chemical facility risk universe. In Figure 1, CRS grouped
NAICS industry codes into infrastructure sectors used in HSPD-7. (See Appendix
A for a description of how infrastructure sectors were constructed from NAICS
codes.) As Figure 1 shows, lowering the consequence threshold greatly expands the
number of facilities and the relative shares of the water and the food and agriculture
sectors.
Figure 1. Infrastructure Sector Representation for RMP Facilities at
Two Worst Case Scenario Thresholds


Source: CRS analysis of the EPA RMP*National Database (with off-site consequence analysis
(OCA) data), updated May 2005.
Note: It is unlikely that the entire population would be affected by any single chemical release, even
if it is a result of a worst-case accident. In the event of an actual catastrophic chemical release,
meteorologic and other effects will determine the direction of the release, and which of the potential
at risk population might be affected. In addition, worst-case scenarios do not take into account
emergency response measures that might be taken by operators of the facilities or others to mitigate
ha r m.
A sector-specific approach will leave some security risks unaddressed. Even at
higher thresholds, significant portions of the chemical facility universe may not be
addressed by sector-specific legislation. On the other hand, as the threshold for
inclusion in a chemical facility security framework is lowered, additional
infrastructure sectors grow in relative representation, as is seen by the food and
agriculture sectors in Figure 1. Because of the increased representation of these
industry sectors, chemical facility security regulations will likely need to be more
flexible to account for different operating environments and business needs.
Number of Facilities. As the consequence threshold is lowered, chemical
facility security regulation would apply to more facilities. The number of facilities
increases non-linearly as the threshold decreases. Table 1 illustrates this effect by
presenting the number of RMP facilities included at selected potential consequence
thresholds.

Table 1. Number of RMP Facilities Reporting at Selected
Potential Consequence Thresholds
Threshold Population PotentiallyNumber of Facilities Reporting
Affected by a Worst-case Releaseat or above Threshold
1,000,000111
100,000604
10,0002,811
1,0007,711
10011,587
Source: CRS analysis of the EPA RMP*National Database (with off-site consequence analysis
(OCA) data), updated May 2005.
Note: It is unlikely that the entire population would be affected by any single chemical release, even
if it is a result of a worst-case accident. In the event of an actual catastrophic chemical release,
meteorologic and other effects will determine the direction of the release, and which of the potential
at risk population might be affected. In addition, worst-case scenarios do not take into account
emergency response measures that might be taken by operators of the facilities or others to mitigate
ha r m.
Chemical facility security legislation that incorporates a low threshold may
affect additional smaller facilities not generally considered as chemical facilities,
such as agricultural retailers or small water treatment systems. Whether these
industries are the intended targets of any chemical facility security regulation is a
topic facing policymakers.
The large contribution of the water sector to the RMP chemical facility universe
also raises the question of whether existing security efforts taken under the SDWA
are sufficient to secure this sector. For example, from Figure 1, the water sector
(consisting of both drinking water treatment and wastewater treatment facilities) is
18% of all facilities under the 100,000 affected threshold, but comprises 34% of
facilities under the 10,000 affected threshold. Wastewater treatment facilities, which
comprise roughly half of the water sector at both thresholds used in Figure 1, are not
addressed under the SDWA. Should policymakers accept that drinking water
facilities are adequately secured through prior legislation, it still would leave many
water sector contributors to the RMP chemical facility universe.
However, including all chemical facilities equally in a security program may
create an unmanageable burden on low-risk chemical facilities. High risk chemical
facilities are likely larger, possessing a greater ability to meet security requirements.
Smaller chemical facilities required to match the security measures put in place by
larger chemical facilities may not be able to do so because of fiscal limitations.
Lead Federal Agency
Which federal agency should possess chemical facility security oversight
responsibilities is a topic of debate. Some analysts assert that the EPA possesses a
historic relationship with both the chemical industry and specific chemical facilities.



They claim that the EPA is knowledgeable about chemical facility operation and
security, that the EPA would be well-positioned to understand the potential impacts
of security regulation, and that the EPA would be likely to create effective regulation.
This coupling of safety and security was supported by the U.S. Coast Guard, which
testified that security auditing under MTSA often occurred while the U.S. Coast
Guard was present at the chemical facility for safety reasons.52 Other analysts claim
that the EPA is unlikely to be the correct oversight body for chemical facility
security. They cite the potentially contentious relationship that the EPA, which
already oversees safety and facility emissions, might develop with the chemical
industry. They assert that regulation of security may need to be met through a
collaborative process between the oversight agency and the facilities, so it should be
divorced from environmental regulation.
The DHS is the other federal agency most often cited as appropriate for
overseeing chemical facility security. Advocates claim that a good working
relationship already exists between DHS and industry and that DHS’s expertise in
security is a dominant factor. Opponents of this view argue that security measures,
absent environmental protection and safety considerations, may generate adverse side
effects. For example, while burying storage tanks underground might increase the
security of these tanks, such an approach might pose an environmental risk from
potential tank leakage. Consequently, some analysts suggest an approach combining
the skills of both DHS and EPA in overseeing chemical facility security.
Extent of Security Measures
If legislation requires chemical facilities to implement new security measures,
the extent of these measures may also be an issue of contention. Consensus is
lacking regarding whether there should be auditing of vulnerability assessments,
federal inspection of security measures, and required consideration of alternative
approaches, such as inherently safer technologies.
Auditing of Vulnerability Assessments and Security Plans. Existing
federal laws governing some chemical facilities have taken diverse approaches to
vulnerability assessments for chemical facilities. The Maritime Transportation
Security Act (MTSA) requires both the development of site vulnerability assessments
and the remediation of those vulnerabilities identified. The Safe Drinking Water Act
(SDWA), as amended, requires drinking water facilities to develop site vulnerability
assessments and emergency response plans, but not to remediate vulnerabilities.
Under both laws, the appropriate federal regulatory agency receives the site
vulnerability assessments. Under the MTSA, the DHS has the authority to inspect
port facilities, assess their security plans and actions, and determine whether the
facilities meet DHS security standards. The EPA was not granted similar authorities
under SDWA.
Policymakers might decide to require that site vulnerability assessments be
performed for all chemical facilities and supplied to the federal government or others.


52 Oral Testimony of Rear Admiral Craig E. Bone, U.S. Coast Guard, before the Senate
Homeland Security and Governmental Affairs Committee on July 27, 2005.

Verification and validation of voluntary security plans is a topic of continuing
concern by advocacy groups, so policymakers might provide the federal oversight
agency the authority to inspect and assess compliance with vulnerability assessments
and any remediation requirements. However, in contrast to the limited number of
chemical facilities covered by MTSA, a broad legislative definition of chemical
facilities could include thousands of facilities. The logistical burden of inspecting
these facilities on a recurring basis could be quite high for a federal agency. Current
agency staffing may be insufficient to meet this requirement. Consequently,
requiring federal auditing and validation of chemical facility security may be difficult
to implement in a timely manner. Auditing responsibilities could be delegated to
state or local officials to reduce the burden placed on federal agencies.
Alternatively, Congress could authorize agencies to license third-party auditors
and accept compliance reports they might submit on behalf of chemical facilities.
DHS Secretary Chertoff has expressed support for Congressional consideration of
such third-party validation.53 Fees from such a program could offset auditing costs.
If such auditing were done by third parties or was enforced by a different mechanism,
such as holding facility owners or operators liable for security measures at the
chemical facilities, costs might be somewhat reduced. Critics of outside auditing
question the impartiality and rigor of such reviews, citing breakdowns in analogous
financial auditing approaches.54
Some experts suggest requiring owner or operator certification of security
measure compliance, with associated criminal liabilities for noncompliance.55 Such
an approach, coupled with inspections, might provide incentives to businesses to
maintain high security standards.
Prescriptive Versus Performance-based Requirements. The basis for
chemical facility security requirements is another area of contention. Chemical trade
associations and others have testified that chemical facility security requirements56


should be risk-based and provide clear guidelines regarding federal expectations.
53 Remarks by Homeland Security Secretary Michael Chertoff at the National Chemical
Security Forum, Washington, D.C., March 21, 2006.
54 Eric Lipton, “Chertoff Seeks a Chemical Security Law, Within Limits,” The New York
Times, March 22, 2006.
55 Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the
Senate Homeland Security and Governmental Affairs Committee on April 27, 2005.
56 See, for example, Testimony of Martin J. Durbin, American Chemistry Council, before
the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005;
testimony of Matthew Barmasse, on behalf of the Synthetic Organic Chemical
Manufacturers Association, before the Senate Homeland Security and Governmental Affairs
Committee on July 13, 2005; and testimony of Richard Falkenrath, Visiting Fellow,
Brookings Institution, before the Senate Homeland Security and Governmental Affairs
Committee on April 27, 2005.

Also, they have requested federal assistance and access to federal records, for
background checks and other purposes, as part of meeting security standards.57
DHS Secretary Chertoff has emphasized the need for risk-based prioritization
in homeland security activities.58 The DHS testified that the federal government, in
approaching chemical facility security, should adhere to three core principles:
!Chemical facilities present different levels of risk, and the most
scrutiny should be focused on those that have the greatest
consequences.
!Chemical facility security should be based on reasonable, clear, and
equitable performance standards, developed by DHS. Chemical
facilities should be able to select among appropriate site specific
security measures.
!Chemical facility security efforts should recognize voluntary
industry efforts.59
Some analysts argue for strong performance standards, requiring chemical
facilities to be able to repel armed assault, as required of the nuclear power industry.60
Others have cited the U.S. Coast Guard’s implementation of the MTSA as a good
model for performance-based requirements.
Existing security regulation for some chemical storage facilities, such as
liquified natural gas, is prescriptive in nature. Federal regulation governs security
procedures, protective enclosures, communications, monitoring, lighting, power
sources, and warning signs.61 Some experts assert that such prescriptive regulations
lead to outdated security standards should threats or vulnerabilities change.
Policymakers may consider whether security requirements should be prescriptive or
performance-based, and whether any such requirements should be placed directly in
legislation, or whether the implementing agency should be provided the discretion
to determine security requirements.


57 Bob Slaughter, National Petrochemical and Refiners Association, before the Senate
Homeland Security and Governmental Affairs Committee on July 13, 2005.
58 See for example, DHS Secretary Chertoff, Remarks at Homeland Security Policy Institute,
George Washington University on March 16, 2005.
59 Testimony of Colonel Robert B. Stephan, Acting Under Secretary for Information
Analysis and Infrastructure Protection, Department of Homeland Security, before the House
Homeland Security Committee, Subcommittee on Economic Security, Infrastructure
Protection and Cybersecurity, on June 15, 2005.
60 Testimony of Sal DePasquale, Independent Consultant, before the House Homeland
Security Committee, Subcommittee on Economic Security, Infrastructure Protection and
Cybersecurity, on June 15, 2005.
61 49 CFR 193, Liquefied Natural Gas Facilities: Federal Safety Standards (Subpart
J-Security). For more information regarding liquefied natural gas security issues, see CRS
Report RL32073 Liquefied Natural Gas (LNG) Infrastructure Security: Issues for Congress
by Paul W. Parfomak.

Inherently Safer Technologies. The application of inherently safer
technology to increase chemical facility security is also a subject of debate. The
concept of inherently safer technology involves altering a chemical process by
substituting less hazardous materials, minimizing the amount of hazardous material
on hand, altering the process conditions, or designing operation so that it is more
tolerant of error.62 Advocates of inherently safer technology state that its application
would directly reduce security risks, because the hazard posing the security risk
would be replaced or reduced.63 While acknowledging that not all chemical
processes have inherently safer alternatives, advocates cite cases where inherently
safer alternatives are known and could be employed.64 They claim that federal
security legislation should require at least the consideration of these technologies
when addressing chemical facility vulnerabilities.
Industry trade associations are generally resistant to legislation mandating the
use of, or incorporating a requirement to consider, inherently safer technology. They
state that decisions regarding the use of inherently safer technology are weighed on
a process and facility basis and are regularly considered by process engineers when
optimizing and assessing process change.65 Additionally, they cite the potential to
impact process safety negatively should inherently safer technology approaches be
incorrectly implemented. For example, if stockpiles of a hazardous chemical are
reduced, more, smaller shipments may be required. More connections would be
required to transfer the same amount of material from smaller shipments. This might
lead to greater risk for workers making these transfers. Lastly, industry trade
associations express concern that if inherently safer technology implementation
decisions are not made by process safety experts, future difficulties and potential
impracticalities may arise.66


62 For a more detailed discussion of the chemical process safety risk management aspects
of inherently safer technology, see Robert E. Bollinger et al., Inherently Safer Chemical
Processes; A Life Cycle Approach, American Institute of Chemical Engineers, New York,

1996.


63 For representative views, see Testimony of Carol Andress, Environmental Defense, before
the Senate Homeland Security and Governmental Affairs Committee on July 13, 2005 and
Testimony of Philip J. Crowley, Center for American Progress before the House Committee
on Homeland Security, Subcommittee on Economic Security, Infrastructure Protection and
Cybersecurity on June 29, 2006.
64 See, for example, U.S. Public Interest Research Group, Needless Risk: Oil Refineries And
Hazard Reduction, October 2003; Environmental Defense, Eliminating Hometown Hazards:
Cutting Chemical Risks at Wastewater Treatment Facilities, December 2003; Working
Group on Community Right-to-Know, Unnecessary Dangers: Emergency Chemical Release
Hazards at Power Plants, July 2004; and Center for American Progress, Preventing Toxic
Terrorism How Some Chemical Facilities are Removing Danger to American Communities,
April 2006.
65 Testimony of Martin J. Durbin, American Chemistry Council, before the Senate
Homeland Security and Governmental Affairs Committee on July 13, 2005.
66 Testimony of John Chamberlain, Shell Oil Company, on behalf of the American
Petroleum Institute, before the Senate Homeland Security and Governmental Affairs
Committee on July 27, 2005. See also comments of James Conrad, American Chemistry
(continued...)

Another consideration discussed in the context of inherently safer technologies
is the potential to transfer risk from one chemical facility to another chemical
facility.67 Process changes, such as the conversion of wastewater treatment from
chlorine as a disinfectant to sodium hypochlorite as a disinfectant, may lower the
potential consequences at that facility, reducing the risk to the surrounding area.
Those process changes may, however, increase the risk at a different point in the
supply chain. For example, the facility converting chlorine into sodium hypochlorite
may increase its chlorine stocks to address a greater demand for the sodium
hypochlorite end product, increasing the potential consequences surrounding that
manufacturing facility. Depending on the relative population at each facility, fewer
or more individuals may be put at risk by the facility process change.
Experts in process engineering have testified that research in inherently safer
technology is still nascent. While some practical examples of inherently safer
technology have been developed, they assert that metrics for comparing one
technology to another to determine its inherent safety are not yet defined.68 As such,
they challenge whether new inherently safer technology will be developed for
chemical processes without an extensive research effort and question the feasibility
of mandating implementation of inherently safer technology.69
Safety regulation requiring the consideration of inherently safer technology has
been developed on the state and local level. For example, New Jersey, in
implementing the Toxic Catastrophe Prevention Act, requires the consideration of
inherently safer technology for all new facilities and processes covered under the
act.70 Mandatory chemical facility security standards recently implemented in New
Jersey now require chemical facilities regulated under the Toxic Catastrophe
Prevention Act to consider inherently safer technologies for existing processes.71 In
contrast to concerns voiced by critics of inherently safer technology, the New Jersey


66 (...continued)
Council, at “New Strategies to Protect America: Securing Our Nation’s Chemical
Facilities,” Center for American Progress, April 6, 2005.
67 See, for example, Testimony of Scott Berger, Director, Center for Chemical Process
Safety American Institute of Chemical Engineers, before the House Committee on
Homeland Security, Subcommittee on Economic Security, Infrastructure Protection and
Cybersecurity on June 29, 2006.
68 Testimony of Dennis C. Hendershot, Staff Consultant, Center for Chemical Process Safety
American Institute of Chemical Engineers, before the Senate Committee on Environment
and Public Works on June 21, 2006.
69 Testimony of Scott Berger, Director, Center for Chemical Process Safety American
Institute of Chemical Engineers, before the House Committee on Homeland Security,
Subcommittee on Economic Security, Infrastructure Protection and Cybersecurity on June

29, 2006.


70 For more information on the New Jersey Toxic Catastrophe Prevention Act, see online at
[http://www.nj .gov/dep/rpp/tcpa/download.htm] .
71 Office of the Acting Governor, State of New Jersey, “New Jersey Becomes First State to
Require Chemical Plant Security Measures to Protect Against Terrorist Attack,” Press
Release, November 29, 2005.

Department of Environmental Protection has found that such “evaluation of
inherently safer technology is not overly burdensome on industry.”72 Contra Costa
County, California, also requires the consideration of inherently safer technologies.73
Policymakers, in considering inherently safer technologies, may wish to assess
whether new processes or facilities are fundamentally different than existing
processes or facilities, and might benefit from a security requirement to consider
inherently safer technologies.74
Consequences of Noncompliance. If new chemical facility security
requirements are established, penalties for not meeting these standards might need
to be determined. Civil or criminal penalties, such as fines, might be assessed against
facility owners or operators, whose security did not meet program standards. If a
tiered system of security requirements were established, penalties might be tiered as
well. Some might argue though that the effect of tiering would be to lower penalties
below what would be sufficient to ensure compliance, while others might contend
that penalties should be more directly related to the criteria determining the tiering.
A different approach to enforcing compliance would be to enable the federal
agency implementing the chemical facility security program to prevent operation of
a facility if it is out of compliance with the program. The U.S. Coast Guard is
granted this authority under MTSA. Such language could be developed for any new
program. Stakeholder concerns regarding such an authority would likely revolve
around details of its use, such as the ability of a facility to appeal such authority. The
authority to stop operation of a chemical facility due to insufficient security would
directly affect the fiscal viability of a facility, providing a strong incentive to
maintain compliance with security requirements. However, for those facilities with
fiscal challenges, blocking their operation might significantly threaten the facility’s
economic stability.
Coordinating Regulatory Initiatives With Existing Efforts
Policymakers may wish to coordinate chemical facility security approaches with
existing state and federal regulation. Developing equivalent criteria, exempting
facilities covered under other regulation, and determining whether federal standards
preempt or form the base for state regulation are some of the options available to
policymakers.
MTSA and SDWA. The MTSA and SDWA, both of which cover some
chemical facilities, mandate different regulatory agencies, security requirements, and
authorities regarding noncompliance. The DHS, through the U.S. Coast Guard,


72 Testimony of Lisa P. Jackson, Commissioner, New Jersey Department of Environmental
Protection, before the Senate Committee on Environment and Public Works on June 21,

2006.


73 For more information on the Contra Costa County regulation, see online at
[ h t t p : / / www.acusaf e .com/ Laws-Regs / US-St at e/ CA_CCC_ISO.pdf ] .
74 Differentiating between new and existing facilities may lead to unintended business
effects. For an example from the Clean Air Act, see CRS Report RS21608 Clean Air and
New Source Review: Defining Routine Maintenance by Larry Parker.

implements the MTSA, while EPA implements the SDWA. The SDWA requires
vulnerability assessment, but not remediation, while MTSA requires both
vulnerability assessment and remediation. The MTSA grants the Coast Guard the
ability to close facilities that lack appropriate security, while the SDWA does not.
Legislation affecting all chemical facilities could bridge these regulations and attempt
to reconcile their requirements. Chemical facility legislation might require the higher
standard to be applied to all chemical facilities, thereby requiring those water
facilities that also qualify as a chemical facility to increase their site security
activities. Alternatively, it might require all chemical facilities meet the SDWA
standard, leaving MTSA-regulated facilities with a higher security requirement. As
a third option, new chemical facility security requirements might exempt facilities
regulated under the MTSA or SDWA.
State and Local Regulation. States have passed chemical facility security
legislation. Policymakers may wish to decide how existing and proposed federal
regulations might mesh with state requirements. While all states contain chemical
facilities, depending on the facilities located in each state, the perception of
likelihood and consequence of a terrorist attack may vary significantly. While some
analysts assert that the potential consequences of an attack on a chemical facility are
such that it poses a homeland security threat, others may claim that these facilities
and the population surrounding them generally reside within the boundaries of single
state and would be best served by state, rather than federal, regulation.
Should Congress determine that chemical facility security is a federal homeland
security concern, policymakers may need to address whether federal regulation will
preempt state regulation, or if it will form the base from which states may impose
stricter security requirements. Industry associations suggest that any new federal
legislation should supercede state laws. An apparent concern is that allowing
individual states to add security requirements above a federal minimum would lead
to a patchwork of state regulation and, potentially, increased regulatory compliance
costs. On the other hand, some federal regulations, such as environmental
regulations on air emissions, allow states to enact additional regulations should the
state wish to develop stricter standards.
Voluntary Efforts. Some chemical facilities engage in security activities
absent regulation. Policymakers may decide whether these actions should be
rewarded. Potential mechanisms for recognizing these activities include economic
offsets for security costs, granting exemptions from the regulatory framework for
facilities undertaking voluntary efforts, and recognizing voluntary efforts with full
or partial equivalency with regulatory requirements. Some analysts assert that
voluntary efforts should not be rewarded, since a business incentive — reduced
liability — already exists for chemical facilities to improve security. Furthermore,
even with this incentive, current voluntary security activities may not rise to an
acceptable level.
Potential Approaches to Security Legislation
In light of the various policy issues, four overarching legislative approaches
emerge. The approaches are maintaining the current approach to chemical facility



security; increasing available resources under existing authorities; enhancing existing
programs with new authorities specifically related to chemical facility security; and
creating new authorities to address chemical facility security.
Maintain the Status Quo
Some analysts and industry representatives submit that the current mix of
voluntary and mandatory activities provide adequate security enhancements and that
market forces are good drivers of chemical facility security needs.75 While
acknowledging that mandates are needed, DHS Secretary Chertoff recognized the
power of market forces, stating, “... we want to acknowledge and recognize that
ultimately, the marketplace itself creates a very strong incentive through business
self-interest in enhancing security.”76 Supporters of the status quo do not advocate
for new chemical facility security legislation, but instead suggest that current security
activities focusing on a public/private partnership with the DHS, coupled with federal
support of local first responders and law enforcement, continue to provide chemical
facilities with security. They assert that the voluntary chemical facility security
measures are likely to be implemented at an appropriate and sustainable level based
on the risk perceived by the facility owners and operators.
Remaining at the status quo would likely not address criticism of the adequacy
of voluntary security actions nor the degree of risk that chemical facilities pose to
their surrounding communities. Those facilities identified by the DHS as not
participating in voluntary security activities would still be potentially vulnerable to
attack.
The absence of federal legislation would not preclude state or local legislation.
The perception of chemical facility risk may induce states to regulate such facilities,
as has occurred in some states. States might enact laws requiring security measures
beyond the voluntary activities currently underway, should they deem such laws in
the state interest.
Provide Additional Resources Under Existing Law
Another approach to increase chemical security might be to increase the
available resources for federal support of chemical facilities. Currently the federal
government provides limited financial support to select chemical facilities through
MTSA-related grants, but most DHS funding efforts focus on providing equipment


75 For example, see testimony by Bob Slaughter, National Petrochemical and Refiners
Association, before the Senate Homeland Security and Governmental Affairs Committee on
July 13, 2005, and testimony by Frank J. Cilluffo, Director, Homeland Security Policy
Institute, The George Washington University, before the House Homeland Security
Committee, Subcommittee on Economic Security, Infrastructure Protection and
Cybersecurity, on June 15, 2005.
76 DHS Secretary Chertoff, Transcript of Secretary of Homeland Security Michael Chertoff
at the U.S. Chamber of Commerce, U.S. Chamber of Commerce, Washington, D.C., April

29, 2005.



to the first responders in communities surrounding critical infrastructure sites.77
Policymakers could direct DHS to develop mechanisms to provide support directly
to high-risk chemical facilities, or to smaller, less profitable facilities.78
Alternatively, policymakers may wish to investigate other funding options, such as
tax incentives or credits, to induce chemical facilities to voluntarily increase security.
Given that federal homeland security resources are limited, determining what
facilities should be eligible for such grants, incentives, or credits might prove to be
challenging. Equitable distribution may also become a contentious topic, even if an
appropriate risk metric is developed for chemical facilities.79 Finally, an increase in
the availability of federal resources for chemical facilities would not address the issue
of uneven chemical facility security across industry sectors due to voluntary
participation. Some might continue to argue that the chemical facility security level
would not be high enough to protect the surrounding population without a federal
mandate.
Some analysts suggest that chemical facilities should bear the costs of chemical
facility security.80 Since chemical facilities are generally for-profit companies which
choose to manufacture products using hazardous materials, these analysts argue that
the public should not bear the costs for reducing those risks. Instead, chemical
facilities should recoup the cost of security through business activities, for example
by passing on the costs of security to consumers. However, some chemical facilities,
such as drinking water and wastewater facilities, may not be for-profit companies and
may raise different issues in recouping security costs.
Enhance Existing Law with Additional Authorities
Should policymakers decide that the status quo does not meet national security
needs, they could seek to strengthen current laws so that security needs are met. For
example, while some suggest that the existing Clean Air Act provisions could already
allow the EPA to regulate chemical facilities for security issues, others suggest that
the Clean Air Act may not provide statutory authority allowing the development of
such security regulation.81 Codifying security language into the Clean Air Act, for
example, could provide explicit statutory authority to the EPA to oversee chemical


77 For information on homeland security related grants, see CRS Report RL32348 Selected
Federal Homeland Security Assistance Programs: A Summary by Shawn Reese.
78 An example of such a targeted effort would be the Chemical Sector Buffer Zone
Protection Grant Program established by DHS in 2006.
79 For an example of issues related to equitable distribution of homeland security funding,
see CRS Report RL32696 Fiscal Year 2005 Homeland Security Grant Program: State
Allocations and Issues for Congressional Oversight by Shawn Reese.
80 Testimony of Richard Falkenrath, Visiting Fellow, Brookings Institution, before the
Senate Homeland Security and Governmental Affairs Committee on April 27, 2005.
81 Tim Starks, “Behind the Scenes: How the EPA Nearly Won — and Ultimately Lost — the
Right to Regulate Chemical Security,” Congressional Quarterly: Homeland Security,
March 9, 2005. See also Letter from Representative Billy Tauzin, et al. to Tom Ridge,
Office of Homeland Security, The White House, June 19, 2002.

facility security. Such language might build upon existing safety or environmental
programs to increase security.
The EPA and OSHA regulation of chemical facilities for environmental and
safety purposes can be viewed in conflicting contexts. The existing regulatory
relationship may not be amenable to the protective, cooperative relationship
reportedly required for effective security because of historic disagreements over
environmental impacts or worker safety. However, others identify close oversight
and site visits for multiple purposes as effective in maintaining strong security.
Augmenting existing law with additional authorities would likely not resolve
concerns about an accurate calculation of the number of people potentially at risk
from chemical facilities. It might also not address concerns regarding the risks from
chemicals not currently regulated under existing law. Facilities not currently
included under these provisions would not be covered and any ranking or ordering
of risk based on the worst-case scenarios might be viewed as unrealistic.
Additionally, concerns regarding EPA’s or OSHA’s experience in homeland security
might lead some to question the skill with which those agencies might regulate
chemical facility security. For example, assigning the EPA security oversight of
chemical facilities would be inconsistent with The National Strategy for Physical
Protection of Critical Infrastructure and Key Assets, which assigned the DHS as lead
agency for the chemicals sector. On the other hand, just as some are likely to
question EPA and OSHA homeland security expertise, others are likely to question
the background or readiness of DHS staff to make complex chemical risk
assessments. Finally, this approach might result in facilities reporting to multiple
federal agencies, for example those facilities that are regulated under the MTSA
might also report to EPA or OSHA. Duplicative and redundant security reporting
requirements may be inefficient or ineffective.
Create New Security Authorities
Another approach to increasing chemical security would be to create a federal
agency statutory authority to oversee chemical facility security. Legislation with this
goal has been introduced in the current and previous Congresses.82 A new security
program might be structured like the MTSA or SDWA, or might incorporate aspects
of other types of programs, such as EPA or OSHA safety programs.
A new security program might address concerns voiced by industry about the
potential scope of chemical facility security. Existing programs and outreach efforts
might be coordinated with new program requirements by clearly identifying the target
chemical facility universe. An assessment of the comprehensiveness of the defined
facility universe of interest to legislators might determine any need to tier prospective


82 In the 109th Congress, legislation has been introduced in both chambers. In the House,
H.R. 1562, H.R. 2237, H.R. 4999, and H.R. 5695 have been introduced. In the Senate, S.
2145 and S. 2486 have been introduced. For a comparison of legislation Senate, see CRS
Report RL33447 Senate Proposals To Enhance Chemical Facility Security by Linda-Jo
Schierow.

security requirements. Such considerations might aid in avoiding overly burdensome
regulation by identifying what facilities most require targeted security efforts.
In establishing a new chemical facility security program, Congress could
mandate security measures or leave details to the implementing agency. Mandating
security measures would force the inclusion, or exclusion, of technologies or
methodologies deemed necessary by Congress. Establishing authority within the
implementing agency to establish and adjust security requirements as necessary
would allow the agency to address changing threats and vulnerabilities, but might
allow critics to assert that statutory standards are too rigorous or not rigorous enough.
If existing security legislation is used as the design basis for a chemical facility
security program, coordinating requirements with those security programs may be
easy. On the other hand, alignment of existing and new programs may ease
coordination between regulatory requirements. Policymakers may wish to decide
whether one program has precedence over the other, if the requirements of both
programs are applicable to a facility, or if compliance with existing programs should
exempt a facility from the new program.
Similar questions arise with respect to state and local laws or ordinances, and
whether a federal program could preempt them. Efforts to design any new federal
chemical facility program could incorporate current state efforts as a starting criteria,
or establish new standards. Creating a new federal program with less stringent
requirements than existing state programs, and then preempting state programs,
might lead to criticism that federal legislation reduced, rather than enhanced,
chemical facility security in those locales. A new program which did not preempt
state regulation, on the other hand, might be construed as allowing a mixture of state
regulatory standards to be promulgated, creating a non-uniform regulatory and
economic arena. On the other hand, a federal program might dissuade other states
from enacting additional, potentially conflicting laws.
Finally, a new chemical facility security program might incorporate current
voluntary efforts as part of, or in lieu of, meeting the federal program requirements.
If policymakers accept current voluntary efforts in lieu of federal program
requirements, creating, for example, an exemption for facilities already engaged in
security efforts, critics may challenge the program as not establishing a stringent
enough standard. Alternatively, creating a program with requirements at great
variance with current voluntary security efforts, essentially causing those efforts to
not be applicable to the new regulatory program, might be criticized as penalizing
those facilities taking positive steps towards reducing vulnerability. Developing an
assessment or audit methodology for voluntary security efforts might provide a new
chemical security program with criteria to compare voluntary efforts with any new
program requirements. Thus, any voluntary security efforts that aligned with the
regulatory intent of policymakers would be valued while those that did not align
would not be.



CRS-27
Appendix A
The EPA RMP*INFO database provides information on industrial classification of the reported chemical processes. CRS analyzed the worst-case
each facility to the EPA. CRS identified which reported chemical process at each facility potentially affected the greatest number
n a worst-case release. CRS used the NAICS code reported for this chemical process as the NAICS code for the facility. CRS combined
CS codes to provide descriptions of infrastructure sectors. In some cases, CRS collapsed four, five, and six digit NAICS codes for the purposes of
. NAICS codes from 1997 were converted into 2002 NAICS codes when found. The combination of NAICS codes presented here is one of many
approaches. The manner by which NAICS codes are sorted into infrastructure sectors affects which facilities would be impacted by policy
ticular infrastructure sectors. For a list of NAICS codes used to model infrastructure sectors, see Table 2.
iki/CRS-RL33043Table 2. NAICS Codes Used to Model Infrastructure Sectors from EPA RMP Data
g/w
s.orNAICSNumber of FacilitiesNumber of Facilities
leakCodeNAICS Description(10,000 Threshold)(100,000 Threshold)
://wikiriculture111Crop Production91
http112Animal Production20
311Food Manufacturing35812
312Beverage and Tobacco Product Manufacturing371
4244Groceries and Related Products Merchant Wholesalers110
4245Farm Product Raw Materials Merchant Wholesalers92
11511Support Activities for Crop Production231

11521Support Activities for Animal Production11



CRS-28
NAICSNumber of FacilitiesNumber of Facilities
CodeNAICS Description(10,000 Threshold)(100,000 Threshold)
42382Farm and Garden Machinery and Equipment Merchant Wholesalers10
42491Farm Supplies Merchant Wholesalers1045
42499Other Miscellaneous Nondurable Goods Merchant Wholesalers10
44422Nursery, Garden Center, and Farm Supply Stores81
44523Fruit and Vegetable Markets10
49312Refrigerated Warehousing and Storage1413
iki/CRS-RL3304349313Farm Product Warehousing and Storage130
g/w
s.orFood and Agriculture Sector Total71927
leak22131Water Supply and Irrigation Systems54361
://wiki22132Sewage Treatment Facilities40843
http
56221Waste Treatment and Disposal113
92411Administration of Air and Water Resource and Solid Waste ManagementPrograms40
Water Sector Total966107
emicals325Chemical Manufacturing581298
326Plastics and Rubber Products Manufacturing32
4246Chemicals and Allied Products Merchant Wholesalers14159

4247Petroleum and Petroleum Products Merchant Wholesalers51



CRS-29
NAICSNumber of FacilitiesNumber of Facilities
CodeNAICS Description(10,000 Threshold)(100,000 Threshold)
21111Oil and Gas Extraction20
21311Support Activities for Oil and Gas Operations42
32411Petroleum Refineries 7635
32419Other Petroleum and Coal Products Manufacturing11
48832Marine Cargo Handling41
49311General Warehousing and Storage102
iki/CRS-RL3304349319Other Warehousing and Storage206
g/w
s.orChemicals Sector Total847407
leak322Paper Manufacturing5619
://wiki327Nonmetallic Mineral Product Manufacturing40
http
331Primary Metal Manufacturing4213
332Fabricated Metal Product Manufacturing202
333Machinery Manufacturing11
334Computer and Electronic Product Manufacturing153
335Electrical Equipment, Appliance, and Component Manufacturing21
336Transportation Equipment Manufacturing 30

339Miscellaneous Manufacturing 10



CRS-30
NAICSNumber of FacilitiesNumber of Facilities
CodeNAICS Description(10,000 Threshold)(100,000 Threshold)
2122Mining (except Oil and Gas)20
2211Electric Power Generation, Transmission and Distribution 7111
22133Steam and Air-Conditioning Supply30
31323Nonwoven Fabric Mills11
45399All Other Miscellaneous Store Retailers20
45439Other Direct Selling Establishments20
iki/CRS-RL3304348211Rail Transportation33
g/w
s.or48411General Freight Trucking, Local10
leak48821Support Activities for Rail Transportation75
://wiki48831Port and Harbor Operations10
http
48849Other Support Activities for Road Transportation10
48899Other Support Activities for Transportation 10
56179Other Services to Buildings and Dwellings210
56199All Other Support Services20
56299All Other Waste Management Services11
71399All Other Amusement and Recreation Industries20

81131Commercial and Industrial Machinery and Equipment (exceptAutomotive and Electronic) Repair and Maintenance21



CRS-31
NAICSNumber of FacilitiesNumber of Facilities
CodeNAICS Description(10,000 Threshold)(100,000 Threshold)
92811National Security21
No NAICS Code Provided101
Miscellaneous Total27963
Total Number of Facilities2811604
CRS analysis of the EPA RMP*National Database (with off-site consequence analysis (OCA) data), updated May 2005.


iki/CRS-RL33043
g/w
s.or
leak
://wiki
http