Chemical Facility Anti-Terrorism Standards, 78276-78332 [06-9903]

Agencies

• DEPARTMENT OF HOMELAND SECURITY

[Federal Register Volume 71, Number 249 (Thursday, December 28, 2006)]
[Proposed Rules]
[Pages 78276-78332]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 06-9903]



[[Page 78275]]

-----------------------------------------------------------------------

Part II





Department of Homeland Security





-----------------------------------------------------------------------



6 CFR Part 27



Chemical Facility Anti-Terrorism Standards; Proposed Rule

Federal Register / Vol. 71, No. 249 / Thursday, December 28, 2006 / 
Proposed Rules

[[Page 78276]]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

6 CFR Part 27

[DHS-2006-0073]
RIN 1601-AA41


Chemical Facility Anti-Terrorism Standards

AGENCY: Department of Homeland Security.

ACTION: Advance Notice of Rulemaking.

-----------------------------------------------------------------------

SUMMARY: Section 550 of the Homeland Security Appropriations Act of 
2007 (``Section 550'') provided the Department of Homeland Security 
with authority to promulgate ``interim final regulations'' for the 
security of certain chemical facilities in the United States. This 
notice seeks comment both on proposed text for such interim final 
regulations and on several practical and policy issues integral to the 
development of a chemical facility security program.

DATES: Written comments must be submitted on or before February 7, 
2007.

ADDRESSES: Comments, identified by docket number or RIN number, may be 
submitted by one of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     Mail: Comments by mail are to be addressed to IP/CNPPD/
Dennis Deziel, Mail Stop 8610, Department of Homeland Security, 
Washington DC 20528-8610.
    Instructions: All submissions must include the agency name and 
docket number or Regulatory Information Number (RIN) for this 
rulemaking. All comments will be posted without change to https://
www.regulations.gov, including any personal information sent with each 
comment. For detailed instructions on submitting comments and 
additional information on the rulemaking process, see the ``Public 
Participation in Rulemaking Process'' heading of the SUPPLEMENTARY 
INFORMATION section of this document.
    Docket: For access to the docket to read background documents or 
submitted comments, go to https://www.regulations.gov. Submitted 
comments by mail may also be inspected. To inspect comments, please 
call Dennis Deziel, 703-235-5263, to arrange for an appointment.
    Comments that include trade secrets, confidential commercial or 
financial information, or sensitive security information (SSI) should 
not be submitted to the public regulatory docket. Please submit such 
comments separately from other comments on the rule. Comments 
containing trade secrets, confidential commercial or financial 
information, or SSI should be appropriately marked as containing such 
information and submitted by mail to the individual(s) listed in the 
FOR FURTHER INFORMATION CONTACT section.

FOR FURTHER INFORMATION CONTACT: Dennis Deziel, Chief Program Analyst, 
Chemical Security Regulatory Task Force, Department of Homeland 
Security, 703-235-5263.

SUPPLEMENTARY INFORMATION:

Introduction

    Since 2003, the Department of Homeland Security (DHS) has been 
working with its private sector partners in the chemical industry, 
state and local governmental entities and other interested parties on 
chemical facility security issues. Although many companies in the 
chemical industry have initiated voluntary security programs and have 
made significant capital investments in responsible security measures, 
the Secretary of Homeland Security has concluded that voluntary efforts 
alone will not provide sufficient security for the nation.
    Beginning in 2005, through 2006, and most explicitly on September 
8, 2006, the Secretary requested that Congress provide the Department 
of Homeland Security with regulatory authority to establish and require 
implementation of risk-based performance standards for the security of 
our nation's high-risk chemical facilities. Congress took action on 
those requests, and on October 4, 2006, the President signed the 
Department of Homeland Security Appropriations Act of 2007 (the Act), 
which provides the Department of Homeland Security with the authority 
to regulate the security of high-risk chemical facilities. See Pub. L. 
109-295, sec. 550. The Department now intends to implement an 
appropriate regulatory program under Section 550 of that Act as quickly 
and responsibly as possible, focusing its resources first on those 
facilities in our nation that present the highest levels of security 
risk.
    This notice discusses a range of regulatory and implementation 
issues. The program proposed by this notice would be implemented in 
phases, and DHS would address chemical facilities with the most 
significant risk profiles as early in the program as possible. For each 
phase, the program would contain several basic steps:
     Chemical facilities fitting certain risk profiles would 
complete a ``Top-screen'' risk assessment methodology accessible 
through a secure Department website. The Department would use this 
methodology to determine if a chemical facility ``present[s] a high 
level of security risk'' and should be covered by this program.
     If the Department determines that a chemical facility 
qualifies as ``high risk,'' the Department would require the facility 
to prepare and submit a Vulnerability Assessment and Site Security 
Plan, and would provide technical assistance to the facility as 
appropriate.
     Following a facility's submission of these materials, the 
Department would review the submissions for compliance with risk-based 
performance standards. The Department (or when appropriate, a DHS-
certified third-party auditor) would follow up with a site inspection 
and audit.
     If the facility's Vulnerability Assessment or Site 
Security Plan is found deficient or if other problems arise, the 
facility could seek further technical assistance from the Department, 
and could consult, object, or appeal depending on the stage of the 
process. If the Vulnerability Assessment and/or Site Security Plan are 
ultimately disapproved, the covered facility would be required to 
revise its plan and resubmit the materials to meet the Department's 
performance standards, or face the penalties and other remedies set 
forth in the statute.
     If the covered facility's submissions are approved, the 
security plan is fully implemented and the facility is otherwise in 
compliance, the Department would issue a Letter of Approval to document 
the determination. The Department would also then notify the facility 
of its continuing obligations--based on its level of risk--to maintain 
and periodically update its Vulnerability Assessment and Site Security 
Plan.
    This advance notice describes the details of these steps along with 
a number of policy and implementation issues. We seek comment on all 
aspects of this new regulatory program, including the many policy and 
practical questions integral to the successful implementation of the 
program.

Solicitation of Comment

    Section 550 requires the Secretary of Homeland Security to 
promulgate ``interim final regulations establishing risk-based 
performance standards for security of chemical facilities * * *.'' He 
must do so ``[n]o later than six months'' from the date of enactment of 
this new authority, i.e. by April 4, 2007. The Executive Branch has 
implemented rules under other, similar regulatory

[[Page 78277]]

authorities over the course of years rather than months. See, e.g., 42 
U.S.C. 7412(r)(3) (requiring the promulgation of an initial list of 
chemicals within two years); 42 U.S.C. 7412(r)(7)(B)(i) (requiring 
promulgation of regulation within three years). By directing the 
Secretary to issue ``interim final regulations,'' Congress authorized 
the Secretary to proceed without the traditional notice-and-comment 
required by the Administrative Procedure Act. See, e.g., Jeffrey S. 
Lubbers, A Guide to Federal Agency Rulemaking 114 (4th ed. 2006) 
(citing Omnibus Budget Reconciliation Act of 1987, and stating that 
notice and comment is not required where statute specifically permits a 
regulation to be issued in the interim final form); see also 65 FR 
34,983 (Jun. 1, 2000) (interim final rule for Medicare program issued 
under that authority). Although ``interim final regulations'' may be 
(and often are) issued without prior notice and comment (and the Act 
requires no prior notice or comment period), the Department believes it 
would nevertheless be prudent to seek comment on many of the 
significant issues that will be addressed by such regulations while 
maintaining the aggressive timeline for implementation. An advance 
notice of proposed rulemaking is the typical route to seek comment in 
advance of an NPRM. Here, because Section 550 requires the Secretary to 
issue an interim final rule rather than an NPRM followed by a final 
rule, our advance notice seeks comment on text for an upcoming interim 
final rule. In this respect, this notice serves the purposes usually 
achieved by both an ANPRM and an NPRM. In addition, it is our intention 
to seek further comment with the interim final on additional 
implementation issues, and on any agency guidance that may follow.
    The Department seeks public comment from all interested parties by 
February 7, 2007, on the questions, issues and proposed regulatory 
language identified in this notice. Given the 6-month deadline under 
Section 550 to promulgate an interim final rule, it will be necessary 
to complete that rule and reach conclusions on many of the issues 
raised herein early in 2007. Thus, this February 7, 2007, deadline 
cannot reasonably be postponed.
    This notice is organized as follows: Section I provides a brief 
summary of relevant pre-existing Federal initiatives and regulatory 
authorities; Section II discusses the structure and requirements of the 
statute; Section III describes a proposed ``phased'' implementation 
with an immediate priority on the highest risk chemical facilities; and 
Section IV addresses a range of other legal and programmatic issues.

Table of Contents

I. Brief History of Federal Pre-Existing Chemical Security Tools and 
Programs
    A. DHS Risk Assessment Methodology (RAMCAP), Chemical Buffer 
Zone Protection Program, and Site Assistance Visits
    1. Risk Assessment Methodology (RAMCAP)
    2. Chemical Buffer Zone Protection Program
    3. Site Assistance Visits
    B. U.S. Coast Guard Maritime Security Regulations
    C. Rail Security
    D. Environmental Protection Agency Risk Management Program
    E. Occupational Safety and Health Administration
    F. Chemical Weapons Convention
    G.The Explosives Authority of the Bureau of Alcohol, Tobacco, 
Firearms, and Explosives
II. Structure and Requirements of Section 550
    A. The Mandate to Promulgate Interim Final Regulations ``No 
later than six months after the date of enactment * * *''
    B. Authority to Regulate ``Chemical Facilities'' that Present a 
``High Level of Security Risk''
    C. Determining which Facilities Present a High Level of Security 
Risk
    D. Risk-Based Performance Standards for Security of Chemical 
Facilities
    E. Vulnerability Assessments and the Development and 
Implementation of Site Security Plans for Chemical Facilities
    1. Vulnerability Assessments
    2. Site Security Plans
    3. Alternative Security Programs
    4. Guidance Regarding Site Security Plans
    F. Audits and Inspections
    G. Background Checks
    H. Approval and Disapproval of Vulnerability Assessments and 
Site Security Plans
    I. Remedies
    J. Objections and Appeals
    K. Chemical-terrorism Vulnerability Information
    1. Protection from Public Disclosure
    2. Protection from Disclosure in Litigation
    L. Statutory Exemptions
III. Implementation
    A. Immediate Priority on Highest Risk Facilities
    B. Consultations and Technical Assistance
IV. Other Issues
    A. Third-Party Lawsuits
    B. Regulatory Requirements/Matters
    1. Executive Order 12,866
    2. Regulatory Flexibility Act
    3. Executive Order 13,132: Federalism
    4. Unfunded Mandates Reform Act Assessment
    5. National Environmental Policy Act
V. Proposed Text for Interim Final Rule

I. Brief History of Federal Pre-Existing Chemical Security and Safety 
Programs

    Prior to the enactment of Section 550, the Federal government did 
not have authority to regulate the security of most chemical 
facilities. Over the past three years, the Department has urged 
voluntary enhancement of security at these facilities and provided both 
technical assistance and grant funding for security. In addition, 
through the Coast Guard's Maritime Security regulations, the Department 
has addressed security at certain maritime-related chemical facilities. 
Recently, the Departments of Homeland Security and Transportation have 
cooperated in addressing the security of rail transportation of 
hazardous chemicals.
    Other Federal programs have addressed chemical facility safety, but 
not security: the Environmental Protection Agency (``EPA''), for 
instance, regulates chemical process safety through its Risk Management 
Plan (RMP) program; the Occupational Safety and Health Administration 
(``OSHA'') regulates workplace safety and health at chemical 
facilities; and the Department of Commerce oversees compliance with the 
Chemical Weapons Convention. Finally, the Department of Justice's 
Bureau of Alcohol, Tobacco, Firearms, and Explosives (``ATF'') 
regulates, through licenses and permits, the purchase, possession, 
storage, and transportation of explosives. Because Section 550 will 
build on pre-existing Federal security initiatives and chemical safety 
programs, a brief summary of these pre-existing initiatives and 
programs is appropriate here.

A. DHS Risk Assessment Methodology (RAMCAP), Chemical Buffer Zone 
Protection Program, and Site Assistance Visits

1. Risk Assessment Methodology (RAMCAP)
    For the past two years, the Department has worked with the American 
Society of Mechanical Engineers, with input from many other parties, to 
develop a risk assessment methodology for many elements of our nation's 
critical infrastructure. The methodology is composed of two separate 
parts and can be utilized to perform both a preliminary ``consequence'' 
analysis and a more thorough vulnerability assessment on chemical 
facilities.
    The first segment of the RAMCAP methodology is a screening tool 
known as the Top-screen, and is designed to be used through a secure 
Department Web site. For chemical facilities, the Top-

[[Page 78278]]

screen solicits answers to a series of questions intended to assess the 
level of damage that could result from a terrorist incident at the 
facility. The Top-screen process draws in part on preexisting data from 
the EPA's Risk Management chemical safety program (``RMP,'' discussed 
below). For example: Does the facility operate any RMP Program 2 or 3 
processes? If so, how many persons could be exposed by a toxic release 
worst case scenario? How many persons could be exposed by a flammable 
release worst case scenario? The Top-screen also includes queries 
regarding manufacture and storage of explosives materials, and seeks 
information on quantities of chemical substances and precursors 
addressed by the Chemical Weapons Convention. See 22 U.S.C. 6701. The 
Top-screen process is intended to gather information both to evaluate 
the consequences of a catastrophic explosion or release and to assess 
the possible danger if dangerous chemicals are stolen. A more detailed 
description of the Top-screen process is available as Appendix A.
    The second segment of RAMCAP provides the tools to conduct a 
thorough facility Vulnerability Assessment and could also be utilized 
via a secure website. It has three fundamental steps, each with 
detailed instructions:
    1. Identify the assets on the facility;
    2. Apply specified threat scenarios to each asset to quantify the 
resulting consequences if an attack succeeded; and
    3. Apply the threat scenarios to each asset in light of the 
security measures in place and evaluate the likelihood and the degree 
to which the attack could succeed.
    A detailed description of this process is set forth in Appendix B. 
Note that many responsible facilities have already conducted analyses 
of this type. Such analyses may be acceptable during the initial stages 
of the Section 550 program.
2. Chemical Buffer Zone Protection Program
    The Chemical Buffer Zone Protection Program (Chem-BZPP) is designed 
to identify and implement voluntary protective measures for the area 
outside of a chemical facility's fence, or the ``buffer zone,'' to make 
it more difficult for a potential attacker to plan or launch an attack. 
These plans are intended to develop effective preventive and protective 
measures within the immediate vicinity of high-priority chemical sector 
critical infrastructure targets. The plans also increase the security-
related capabilities of the jurisdictions responsible for the security 
and safety of the surrounding communities. DHS provides funds to 
localities to support the implementation of regional buffer zone plans 
and mitigate the identified vulnerabilities. In fiscal year (FY) 2006, 
the Department awarded $25,000,000 under this program.
    Part of this effort is the BZPP Webcam Pilot Program, a web-based 
program using cameras installed at a few high-consequence chemical 
facilities. These webcams enable local law enforcement and DHS to 
conduct remote surveillance of the buffer zone surrounding each 
facility during times of elevated threat to help identify any terrorist 
surveillance and planning activities and link incidents across 
facilities.
3. Site Assistance Visits
    Upon request, DHS conducts ``inside-the-fence'' site assistance 
visits to critical chemical facilities for a variety of reasons--a 
facility presents a high level of risk, the owner requests it, or the 
facility or sector is under threat. The site visits are conducted by 
DHS protective security professionals, subject-matter experts, and 
local law enforcement, along with the facility's owners and operators. 
These visits facilitate security vulnerability identification and 
mitigation discussions between government and industry. The visits also 
provide facilities and localities with valuable information on how to 
better protect the facility from a terrorist attack. After a visit, DHS 
suggests protective measures and issues a report to the facility to 
bolster its protective measures.

B. U.S. Coast Guard Maritime Security Regulations

    The Maritime Transportation Security Act of 2002 (MTSA) (Pub. L. 
107-295, Nov. 25, 2002) enacted chapter 701 of Title 46, U.S. Code and 
required the Secretary of Homeland Security to issue regulations to 
strengthen the security of American ports and waterways and the ships 
that use them. This authority, in addition to other grants of 
authority, served as the basis for a comprehensive maritime security 
regime. Through these rules, the Coast Guard issued regulations to 
ensure the security of vessels, facilities, and other elements of the 
maritime transportation system. Part 105 of title 33 of the Code of 
Federal Regulations imposed requirements on a range of maritime 
facilities, including hazardous material and petroleum facilities and 
those fleeting facilities that receive barges carrying, in bulk, 
cargoes regulated by Subchapters D and O of Chapter I, Title 46, Code 
of Federal Regulations or Certain Dangerous Cargoes.
    Under the Coast Guard's maritime security regulations, these 
facilities are required to perform security assessments, and then, 
based on these assessments, develop security plans, and implement 
security measures and procedures in order to reduce the risk of and to 
mitigate the results of any security incident that threatens the 
facility, its personnel, the public, the environment, and the economy.

C. Rail Security

    The Departments of Transportation (DOT) and Homeland Security both 
have authority to regulate rail transportation. The Federal hazardous 
materials transportation law authorizes the Secretary of Transportation 
to establish regulations for the safe transportation, including 
security, of hazardous materials in intrastate, interstate, and foreign 
commerce. See 49 U.S.C. 5101 et seq., as amended by section 1711 of the 
Homeland Security Act of 2002 (Pub. L. 107-296, Nov. 25, 2002) and 
Title VII of the Safe, Accountable, Flexible and Efficient 
Transportation Equity Act: Legacy for Users (SAFETEA-LU) (Pub. L. 109-
59, Aug. 10, 2005). DHS, through TSA, has authority to ``oversee the 
implementation, and ensure the adequacy, of security measures at 
airports and other transportation facilities.'' 49 U.S.C. 114(f)(11).
    Pursuant to DOT's authority, the Pipelines and Hazardous Materials 
Safety Administration (PHMSA) has issued, and the Federal Railroad 
Administration (FRA) enforces, various regulations that impact rail 
security. HM-232 requires covered persons--those who offer certain 
hazardous materials for transportation in commerce and those who 
transport certain hazardous materials in commerce--to develop and 
implement security plans. At a minimum, these security plans for 
transportation must address personnel security, unauthorized access for 
the transportation-related areas of facilities, and en route security 
for shipments of the covered hazardous materials. See 49 CFR 172.800, 
172.802, and 172.804. In addition, PHMSA has issued regulations to 
reduce the risks to safety and security of leaving loaded rail cars 
unattended for periods of time. Pursuant to 49 CFR 174.14 and 174.16, a 
carrier must forward each shipment of hazardous materials ``promptly 
and within 48 hours (Saturdays, Sundays, and holidays excluded)'' after 
the carrier accepts the shipment at the originating point or the 
carrier receives the

[[Page 78279]]

shipment at any yard, transfer station, or interchange point.
    Together with the Department of Transportation, DHS has recently 
taken many steps regarding security in the transportation of hazardous 
materials by rail. On June 23, 2006, DOT and DHS jointly issued a set 
of twenty-four ``security action items'' for the freight rail carriers 
of materials that are ``toxic by inhalation'' (TIH) (these materials 
are also referred to as ``poisonous by inhalation'' (PIH)). DOT and 
DHS, in consultation with the industry, developed these action items by 
observing and assessing the security-related practices that rail 
carriers use. The action items addressed three phases of security: (1) 
System Security, (2) En-route Security, and (3) Access Control.
    In August 2006, the Federal government and the industry agreed upon 
``supplemental'' security action items including measures to address 
four critical areas: (1) The establishment of secure storage areas for 
rail cars carrying TIH materials, (2) the expedited movement of trains 
transporting rail cars carrying TIH, (3) the positive and secure 
handoff of TIH rail cars at point of interchange and at points of 
origin and delivery, and (4) the minimization of unattended loaded tank 
cars carrying TIH materials. The rail carriers will submit these plans 
to TSA for review, and TSA will subsequently monitor and evaluate the 
success of the plans in reducing the standstill (dwell) time of TIH 
shipments in high threat urban areas.
    On December 21, 2006, DOT and TSA issued notices of proposed 
rulemaking that would impose additional obligations, including new 
requirements regarding transportation of PIH materials. See DOT's 
notice of proposed rulemaking titled ``Enhancing Rail Transportation 
Safety and Security for Hazardous Materials Shipments'' at 71 FR 76834 
and TSA's notice of proposed rulemaking titled ``Rail Transportation 
Security'' at 71 FR 76851. The proposed regulations would cover 
railroad carriers that transport certain hazardous materials, including 
bulk shipments of PIH materials. Among other measures, the proposed DOT 
rule would require railroad carriers to analyze the safety and security 
risks of the routes used. It would also require clarifications of the 
current security plan requirements to address en route storage, delays 
in transit, and delivery notification. In addition, it would require 
rail carriers to conduct pre-trip visual inspections at the ground 
level of rail cars containing PIH materials to detect improvised 
explosive devices (IEDs) or other evidence of tampering.
    The proposed TSA rule would require those rail hazardous materials 
shippers and receivers, along with freight and passenger railroad 
carriers and rail transit systems, to (1) Designate a rail security 
coordinator to serve as the primary contact for the receipt of 
intelligence information and for other security-related activities; (2) 
allow TSA and other authorized DHS officials to enter and inspect 
property, facilities, equipment, and operations; and (3) report 
incidents, potential threats, and significant security concerns to DHS. 
In addition, TSA proposes to impose two additional requirements on PIH 
rail hazardous materials shippers and receivers, as well as freight 
railroad carriers that transport PIH: to (1) Provide to TSA, upon 
request the location and shipping information of rail cars within their 
physical custody or control that contain PIH materials, and (2) provide 
for a secure chain of custody and control of rail cars that contain PIH 
materials.

D. Environmental Protection Agency Risk Management Program

    Pursuant to the Clean Air Act (CAA), EPA's Risk Management Program 
requires chemical facilities with listed chemicals in amounts exceeding 
prescribed threshold limits to implement an accident prevention 
program, an emergency response program, prepare a five-year accident 
history, and submit to EPA a risk management plan (RMP). See 42 U.S.C. 
7412(r). These requirements are intended to prevent accidental releases 
and minimize the consequences of such releases by focusing on chemicals 
that in the event of an accidental release, could reasonably be 
expected to cause death, injury, or serious adverse effects to human 
health and the environment. On January 31, 1994, EPA promulgated a list 
of regulated substances and thresholds that identify stationary sources 
subject to the accidental release prevention regulations. 59 FR 4,478. 
Two years later, EPA issued a rule requiring the owners of these 
sources to develop accidental release programs and summaries of these 
plans. 61 FR 31,668 (Jun. 20, 1996).
    An RMP contains information on the regulated substances handled at 
the facility, an analysis of the potential consequences of hypothetical 
accidental chemical releases (i.e., ``worst-case'' and ``alternative 
release'' scenarios), a five-year accident history, and information 
about the chemical accident prevention and emergency response programs 
at the facility. In 1999, more than 15,000 U.S. facilities submitted 
RMP information to EPA. Regulated facilities are required to update 
their RMPs at least every five years, and more frequently if specified 
changes occur.
    As the RMP chemical list and threshold limits were established by 
EPA based on a chemical's potential for acute offsite health impacts in 
the event of a large air release, the Department believes that a number 
of the facilities regulated under this program may also qualify as 
``high-risk'' facilities covered under Section 550. Although the RMP 
data are extremely useful, the Department is mindful of the fact that 
they contain information related only to a specified list of industrial 
chemicals that present air release hazards. The RMP data do not provide 
information relating to other potentially ``high-risk'' facilities, 
such as certain facilities covered by the Chemical Weapons Convention 
or certain other facilities that might be targeted for chemical theft 
or diversion.

E. Occupational Safety and Health Administration

    The Occupational Safety and Health Administration (OSHA), an agency 
within the U.S. Department of Labor, regulates conditions and hazards 
affecting the health and safety of employees in the workplace. OSHA's 
mission is to prevent work-related injuries, illnesses, and deaths. 
OSHA regulates employers through specific enumerated safety standards 
(see, e.g., 29 CFR part 1910) and through a ``general duty clause'' 
(see 29 U.S.C. 654(a)(1)), which requires a safe workplace even in the 
absence of specific standards. OSHA enforces these standards by 
inspecting workplaces and by issuing citations for violations.
    OSHA has developed and enforces several standards that ensure 
chemical safety in the workplace. The Process Safety Management of 
Highly Hazardous Chemicals standard contains requirements for the 
management of hazards associated with processes using highly hazardous 
chemicals. See 29 CFR 1910.119. The Hazardous Waste Operations and 
Emergency Response Standard (HAZWOPER) covers emergency response 
operations for the release of, or substantial threats of releases of, 
hazardous substances without regard to the location of the hazard. See 
29 CFR 1910.120 and 1926.65.
    In addition, OSHA has several other regulations that protect 
employees who are exposed to chemicals in the course of their work. In 
Subpart Z to 29 CFR 1910, OSHA establishes permissible exposure limits 
(PELs) for toxic and hazardous substances. Employers must measure 
employee exposure to these

[[Page 78280]]

substances and must take measures to limit employee exposures when the 
exposures reach impermissible limits. In Subpart I to 29 CFR 1910, OSHA 
establishes requirements for personal protective equipment (PPE). 
Employers must conduct hazard assessments. Where employees are exposed 
to impermissible exposures (which may, in some cases, be chemical 
exposures), employers must provide employees with proper PPE to assist 
in controlling the hazard.
    Another standard related to chemical safety is OSHA's Hazard 
Communication Standard (HCS). The HCS was promulgated to provide 
workers with the right to know the hazards and identities of the 
chemicals they are exposed to while working, as well as the measures 
they can take to protect themselves. The HCS requires chemical 
manufacturers and importers to evaluate the hazards of the chemicals 
they produce and import. It also requires chemical manufacturers and 
importers to prepare labels and material safety data sheets (MSDSs) to 
convey the hazard information to their downstream customers. All 
employers with hazardous chemicals in their workplaces must have labels 
and MSDSs for their exposed workers and must train exposed workers to 
handle the chemicals appropriately. See 29 CFR 1910.1200.

F. Chemical Weapons Convention

    The United States is a party to the Chemical Weapons Convention 
(CWC), which prohibits the development, production, stockpiling, and 
use of chemical weapons. The Convention entered into force on April 29, 
1997, and was implemented in the United States by statute at 22 U.S.C. 
6701 et. seq., with regulations at 15 CFR 710 et. seq. The CWC does not 
prohibit production, processing, consumption, or trade of related 
chemicals for peaceful purposes, but it does establish a verification 
regime to ensure such activities are consistent with the object and 
purpose of the treaty. The CWC requires reporting and on-site 
inspections that are triggered when quantitative threshold activity 
levels are exceeded. The CWC monitors chemicals in three lists, or 
schedules, and certain ``unscheduled discrete organic chemicals.''
    Schedule 1 includes toxic chemicals with few or no legitimate uses 
that are developed or used primarily for military purposes. Examples of 
schedule 1 chemicals include nerve agents, such as Sarin, and blister 
agents, such as Mustard and Lewisite. Schedule 2 includes chemicals 
that can be used for chemical weapons production, but that also have 
certain legitimate uses. Schedule 2 chemicals are not produced in large 
commercial quantities, and these include certain chemicals used to 
manufacture fertilizers and pesticides. Schedule 3 chemicals are those 
that can be used for chemical weapons production, but also have 
significant legitimate uses. Schedule 3 chemicals are produced in large 
commercial quantities and include chemicals used to manufacture paint 
thinners, cleaners, and lubricants.
    As noted, the CWC imposes declaration and on-site inspections 
requirements upon industry when production, processing, or consumption 
exceeds certain thresholds. Inspections under the CWC are conducted to 
assess the risk and guide future routine inspections. In addition, 
inspections are conducted to verify the consistency with the 
declarations of the levels of production, processing, or consumption. 
These inspections also seek to confirm the absence of undeclared 
Schedule 1 chemicals.

G. The Explosives Authority of the Bureau of Alcohol, Tobacco, 
Firearms, and Explosives

    ATF is an enforcement and regulatory organization responsible for, 
among other things, the investigation and prevention of Federal 
offenses involving the unlawful use, manufacture, and possession of 
explosives. ATF regulates, through licenses and permits, the purchase, 
possession, storage, and transportation of explosives. See generally 27 
CFR Part 555. Specifically, ATF explosives regulations govern commerce; 
licensing of manufacturers, importers, and dealers; issuance of 
permits; business by licensees and operations by permittees; storage; 
and the records and reports required of licensees and permittees. 27 
CFR 555.1. Each year, ATF issues the List of Explosives subject to 
these explosives requirements. See, e.g., 70 FR 73,483 (Dec. 12, 2005).
    Facilities that possess or store explosives (including 
manufacturing facilities) must also be properly licensed by ATF. See 27 
CFR 555.41 et seq. For facilities that possess or store listed 
explosives, ATF requires certain safety precautions, including specific 
requirements governing the actual storage of the materials. See 27 CFR 
555.201 et seq. ATF also prohibits shipment, transport, or possession 
of any explosive material by ``prohibited persons,'' including a person 
under indictment or convicted of a crime punishable by imprisonment for 
a term exceeding one year; a fugitive from justice; an unlawful user of 
controlled substance; or ``has been adjudicated a mental defective.'' 
Id. at 555.26(c), 555.49. ATF may conduct an investigation to confirm 
that an applicant is entitled to a license. Id. ATF will also conduct a 
background check on all persons and employees who are authorized to 
possess explosive materials as part of their employment. See 27 CFR 
555.33.

II. Structure and Requirements of Section 550

    With the authority under Section 550, the Department can now fill a 
significant security gap in the country's anti-terrorism efforts. 
Section 550 of the Act is a compact two-page set of mandates 
establishing the parameters of the Federal government's first 
regulatory program to secure chemical facilities against possible 
terrorist attack. Each subsection and sentence of this provision has 
significant consequences for the structure and content of the 
regulatory program.

A. The Mandate to Promulgate Interim Final Regulations ``No later than 
six months after the date of enactment * * *''

    As discussed above, applicable statutes do not require the 
Department to seek comment prior to issuing these regulations, but we 
believe public comment will be very helpful in formulating the interim 
final rule and structuring the program. Cf. Administrative Conference 
of the United States Recommendation 76-5 (when it is necessary to make 
a rule effective immediately, agencies should give the public the 
opportunity to submit post-promulgation comments) (cited in Michael 
Asimow, Nonlegislative Rulemaking and Regulatory Reform, 1985 Duke L.J. 
381, 426). An interim final rule has the same legal effect as a final 
rule. See, e.g., Career College Ass'n v. Riley, 74 F.3d 1265, 1268 
(D.C. Cir. 1996) (stating that interim final rule is final for purposes 
of statute requiring adoption of final rule by statutory date). In this 
regard, this notice discusses a number of issues related to 
promulgating chemical facility security regulations and invites 
comments on these issues. This notice includes proposed regulatory text 
which represents the Department's initial preference unless otherwise 
identified, but the Department also seeks comment on proposals and 
ideas discussed in the preamble but not contained in the regulatory 
text because the Department is interested in comments on alternative 
approaches.

[[Page 78281]]

    The Department is currently considering a number of procedural 
questions that relate to the authority it has been granted. An initial 
question is whether the Department is required to finalize the interim 
regulations in light of the express language of 550(b), which provides 
that these interim regulations will apply until ``interim or final 
regulations promulgated under other laws'' are in effect. Pub. L. 109-
295, Oct. 4, 2006 (emphasis supplied). We believe that the answer to 
that question is no; Congress gave the Department the authority to 
issue regulations in the interim final rule only; it did not 
contemplate that such regulations be ``finalized'' under this 
authority. It is important to note that these ``interim'' regulations 
will nevertheless have the full effect of law as if they were final. 
See e.g., Career College Ass'n v. Riley, 74 F.3d 1265, 1268 (D.C. Cir. 
1996).
    A second issue is whether the Department can revise the interim 
final regulations issued under Section 550. Commentators have argued 
that the regulations cannot be revised since 550(a) and (b) indicate 
that the regulations must be issued ``no later than six months after 
the date of enactment'' and ``shall apply until'' the end date 
contemplated by Section 550(b). We believe the better view is that the 
regulations can be revised after the six month timeframe.
    A third issue is what type of future legislation is necessary to 
replace the interim final rule under Section 550(b). Certainly, Section 
550 could be superseded or extended in either an appropriations bill or 
in authorization legislation. If a future appropriations bill continued 
funding for the Section 550 program beyond that period, the Department 
could consider that future funding for the program as an extension of 
the ``authority provided by this section.''

B. Authority To Regulate ``Chemical Facilities'' that Present a ``High 
Level of Security Risk''

    A fundamental question posed by Section 550 is which facilities it 
covers. Section 550 specifies that the provision ``shall apply to 
chemical facilities that, in the discretion of the Secretary, present 
high levels of security risk.'' The terms ``chemical facilities'' and 
``high levels of security risk'' are not specifically defined in 
Section 550. Both terms have, however, been used in two prior 
legislative proposals with more explicit indications of their meaning. 
See H.R. 5695, 109th Cong. (2006), S. 2145, 109th Cong. (2006). 
Although the Department is not bound to interpret these terms in 
concert with language of prior unenacted legislative proposals, those 
prior proposals can provide helpful context on this specific 
definitional issue.
    In H.R. 5695, the term ``chemical facility'' refers to any facility 
that the Secretary has determined to possess more than a threshold 
amount of a potentially dangerous chemical. See H.R. 5695, 109th Cong. 
sec. 2 (2006) (adding section 1802(b)(2) and subsequent sections in the 
Homeland Security Act). ( S. 2145 uses different terms to a similar 
effect.). In neither instance is a ``chemical facility'' limited to a 
chemical manufacturing facility, a chemical distribution facility, or 
any other single specific type of facility that uses or stores 
potentially dangerous chemicals. Instead, the question of what 
constitutes a chemical facility turns not on the name or type of 
facility at issue, but instead on whether the facility uses, stores or 
otherwise possesses dangerous chemicals, and in what amount. The 
Department believes that a similar meaning of ``chemical facility'' is 
appropriate in implementing Section 550. Thus, subject to certain 
statutory exclusions which are discussed below in section II.L., the 
Department proposes to define ``chemical facility'' as ``any facility 
that possesses or plans to possess, at any relevant point in time, a 
quantity of a chemical substance determined by the Secretary to be 
potentially dangerous or that meets other risk-related criterion 
identified by the Department.'' See proposed 6 CFR 27.100. We invite 
comment specifically on this interpretation or any alternative 
definitions of the term ``chemical facility.''
    Of course, the term ``chemical facility'' is only significant in 
relation to other text in the statute. Section 550 also specifies that 
regulations promulgated under its authority are only applicable to a 
``chemical facility'' that, ``in the discretion of the Secretary, 
presents [a] high level[] of security risk.'' Not all chemical 
facilities present a high level of security risk. (Indeed, not all 
``chemical facilities'' on the RMP list are likely to present a high 
level of security risk.) Both H.R. 5695 and S. 2145 had specific 
provisions distinguishing the universe of all ``chemical facilities'' 
from the subset of ``high risk'' chemical facilities. H.R. 5695 would 
have required that ``at least one of the tiers established by the 
Secretary for the assignment of chemical facilities * * * shall be a 
tier designated for high-risk chemical facilities.'' 109th Cong. sec. 2 
(2006) (proposed 6 U.S.C. 1802(c)(4)). Similarly, although S. 2145 
identified the regulated chemical facilities as those with chemical 
substances of concern at sufficient threshold quantities, that bill 
also contained an instruction for the Secretary to identify separately 
a smaller subset of those facilities as high risk chemical facilities. 
S. 2145, 109th Cong. sec. 3(e) (2006). Thus, in both prior legislative 
proposals, Congress contemplated that only a subset of all facilities 
with threshold quantities of certain chemical substances would also 
qualify as ``high risk'' chemical facilities.
    The Department believes that the phrase ``high level of security 
risk'' in Section 550 was likewise intended to apply only to a subset 
of the total population of ``chemical facilities.'' Under Section 550, 
the Secretary is explicitly given discretion to determine which 
chemical facilities fall within this subset, and thus which chemical 
facilities the Department will regulate. See Pub. L. 109-295, sec. 
550(a) (2006) (``such regulations shall apply to chemical facilities 
that, in the discretion of the Secretary, present high levels of 
security risk''). See also 5 U.S.C. 701(a)(2) (precluding judicial 
review if ``agency action is committed to agency discretion by law''). 
See also Webster v. Doe, 486 U.S. 592 (1988); Heckler v. Chaney, 470 
U.S. 821, 830 (1985) (recognizing the exception to the presumption of 
agency reviewability in 5 U.S.C. 701(a)(2)); Steenholdt v. FAA, 314 
F.3d 633 (D.C. Cir. 2003); Baltimore Gas & Elec. Co. v. FERC, 252 F.3d 
456, 459 (D.C. Cir. 2001); Haig v. Agee, 453 U.S. 280 (1981); Merida 
Delgado v. Gonzales, 428 F.3d 916 (10th Cir. 2005) (finding that the 
Attorney General's national security determination was not reviewable 
under the APA, where the authorizing statute provided no meaningful 
standard against which to judge the agency's action, the court did not 
have the necessary expertise to make the determination, and the 
Executive Branch has broad discretion to protect national security).

C. Determining Which Facilities Present a High Level of Security Risk

    As a practical matter, the Department must utilize an appropriate 
process to determine which facilities present sufficient risk to be 
regulated. The Department may draw on many sources of available 
information, including existing Federal data and lists addressing 
particularly hazardous chemicals and particular chemical facilities. 
Such lists include the EPA RMP list (discussed above); the schedule of 
chemicals from the Convention on the Development, Production, 
Stockpiling and Use of Chemical Weapons and Their

[[Page 78282]]

Destruction, also known as the Chemical Weapons Convention or CWC 
(discussed above); the hazardous materials listed in Department of 
Transportation's Hazardous Materials Regulations (see e.g. 49 CFR 
172.101); and the TSA Select Hazardous Materials List. The Department 
may also seek and analyze information from many other sources, 
including from experts in the industry, from state or local governments 
or directly from facilities that may qualify as high-risk. The 
Department requests comment on appropriate sources of information or 
methodologies for evaluating chemical facility risks. The Department 
also requests comments on whether, to the extent it looks to the nature 
of particular chemicals to classify facilities, classifications should 
be based on a ``hazard-class'' approach rather than classifications 
based on particular chemicals.
    As discussed above, the Department has worked with the American 
Society of Mechanical Engineers (ASME) and others to design a RAMCAP 
``Top-screen'' process for determining the potential security risk 
posed by many types of critical infrastructure facilities, including 
chemical facilities. The Department proposes to employ a risk 
assessment methodology system very similar to this RAMCAP Top-screen 
process to determine whether a facility qualifies as high-risk under 
Section 550, and seeks comment on how such a process--as described 
above and in Appendix A--should be employed for that purpose.
    The proposed regulation would permit the Department to implement 
this type of Top-screen risk analysis process to screen facilities. The 
proposed language interprets the statutory phrase ``present[s] high 
levels of security risk'' to apply to a facility that, in the 
discretion of the Secretary, would present a high risk of significant 
adverse consequences for human life or health, national security or 
critical economic assets if subjected to a terrorist attack. See 
proposed 6 CFR 27.100, below. As noted, the statute gives the Secretary 
unreviewable discretion to make this determination. See Pub. L. 109-
295, secs. 550(a), (b), Oct. 4, 2006.
    A separate question is whether the Secretary can compel facilities 
that have not yet been deemed ``high risk'' to complete a risk 
assessment methodology such as the RAMCAP Top-screen, or punish them 
for failure to do so. In other words, can the Secretary mandate 
information submissions from a broad range of chemical facilities in 
order to screen facilities and determine which will qualify as high 
risk?
    There are two arguments that the Secretary has such authority under 
Section 550. First, the authority to determine which facilities qualify 
as ``high risk'' implies necessary authority to obtain information to 
make that determination. See, e.g., United States v. Construction 
Products Research, Inc., 73 F.3d 464, 470 (2d Cir. 1996) (``at the 
subpoena enforcement stage, courts need not determine whether the 
subpoenaed party is within the agency's jurisdiction or covered by the 
statute it administers''); Equal Employment Opportunity Commission v. 
Sidley Austin Brown & Wood, 315 F.3d 696, 699-701 (7th Cir. 2002). 
Second, Section 550 states explicitly that the Secretary ``shall audit 
and inspect chemical facilities for the purposes of determining 
compliance with the regulations issued pursuant to this section.'' 
Since this provision can be read to permit the Department physically to 
inspect ``chemical facilities'' regardless of whether they qualify as 
``high risk,'' the Department should impliedly have the less dramatic 
authority to obtain preliminary information for the same purpose. 
Indeed, the use of a Top-screen process will be a less onerous 
imposition for many facilities that may not, after due consideration, 
present high levels of security risk.
    The following approach to screening facilities is reflected below 
in the proposed rule text:
     The Department could contact chemical facilities 
individually to request that they complete the process and could 
publish a notice requesting that all facilities fitting a certain 
profile (based on quantity of certain chemicals on site, hazard 
classification, or other criteria) complete an online Department risk 
assessment methodology (similar to the RAMCAP Top-screen) within a 
reasonable period.
     If any facility fitting the profiles identified in the 
notice or individually contacted by the Department fails to complete 
the risk assessment methodology within a reasonable period of time 
after receiving notification from the Department, the Department may, 
after attempting to consult with the facility, reach a preliminary 
determination, based on the information then available (which may 
include the facility's failure to complete the Top-screen process), 
that the facility ``presumptively presents a high level of security 
risk.''
     The Department would then issue a notice to the entity of 
this determination and, if necessary, order the facility to complete 
the Top-screen process. If the facility then fails to do so, it may be 
subject to penalties pursuant to Section 550(d), audit and inspection 
under Section 550(e) or, if appropriate, the remedy available under 
Section 550(g). See proposed Sec.  27.305, 245, 310.
     If the facility completes the Top-screen process and is 
not then considered to present a high level of security risk, its 
status as ``presumptively high risk'' will terminate, and the 
Department will issue a notice to the facility to that effect.
    The Department requests comments on this proposed process and the 
draft regulation at Sec. Sec.  27.200 and 27.205 below.
    In order to carry out this approach, the Department will need to 
identify the types or classes of facilities that should complete Top-
Screen for screening purposes. To that end, the Department requests 
comments on whether the Department should request that:
     RMP facilities complete the Top-screen;
     Certain facilities subject to the Chemical Weapons 
Convention complete the Top-screen;
     Any other type or description of facilities complete the 
Top-screen.

The Department also anticipates permitting any chemical facility to 
voluntarily complete the Top-screen risk assessment process if the 
facility has not been notified or contacted by DHS for such screening.

D. Risk-Based Performance Standards for Security of Chemical Facilities

    Among other things, Section 550 requires the Department to issue 
interim final regulations ``establishing risk-based performance 
standards for chemical facilities.'' The terms ``risk-based'' and 
``performance standards'' both carry significant meaning.
    The term ``performance standards'' has a long and well-known 
history. See Cary Coglianese et al., Performance-Based Regulation: 
Prospects and Limitations in Health, Safety, and Environmental 
Protection, 55 Admin. L. Rev. 705, 706-07 (2003). The term has 
repeatedly been defined: Performance standards

* * * state[] requirements in terms of required results with 
criteria for verifying compliance but without stating the methods 
for achieving required results. A performance standard may define 
functional requirements for the item, operational requirements, and/
or interface and interchangeability characteristics. A performance 
standard may be viewed in juxtaposition to a prescriptive standard 
which may specify design requirements, such as materials to be used,

[[Page 78283]]

how a requirement is to be achieved, or how an item is to be 
fabricated or constructed.

OMB Circular A-119 (Feb. 10, 1998); see also Coglianese, Performance-
Based Regulation, 55 Admin. L. Rev. at 709:

A performance standard specifies the outcome required, but leaves 
the specific measures to achieve that outcome up to the discretion 
of the regulated entity. In contrast to a design standard or a 
technology-based standard that specifies exactly how to achieve 
compliance, a performance standard sets a goal and lets each 
regulated entity decide how to meet it.

Note also that Executive Order 12,866 specifies the use of performance 
standards:

Each agency shall identify and assess alternative forms of 
regulation and shall, to the extent feasible, specify performance 
objectives, rather than specify the behavior or manner of compliance 
that regulated entities must adopt.

Exec. Order 12,866, 58 FR 51,735 (Oct. 4, 1993), as amended by Exec. 
Order 13258, 67 FR 9385 (Feb. 28, 2002).
    Here, Section 550 specifies that the required ``performance 
standards'' must be ``risk-based.'' Although the term ``risk-based'' is 
not specifically defined in Section 550, the language of Section 550 
along with other recent legislative activity yield an understanding of 
the ``risk-based'' standards. The term ``risk-based'' modifies 
``performance standard'' and indicates that the performance standards 
established under Section 550 will mandate the most rigorous levels of 
protection and regulatory scrutiny for facilities that present the 
greatest degrees of security risk. Prior legislative proposals on 
chemical security would have required this result expressly through 
risk-based tiering of facilities based on the potential affects on 
human health caused by a terrorist attack at a facility, potential 
impact on national security, or potentially critical economic 
consequences. See H.R. 5695, 109th Cong. sec. 2 (2006), S. 2145, 109th 
Cong. (2006). In many of those prior proposals, the Department would 
have been required to analyze relative risk first, sort facilities into 
appropriate risk-based tiers, then create standards requiring more 
robust levels of protection for higher risk tiers. In addition, prior 
legislative proposals specified more frequent regulatory reviews, 
inspections, and security plan updates for higher risk facilities.
    The Department believes that the ``risk-based performance 
standards'' and the Section 550 Program should indeed incorporate risk-
based tiering. As addressed above, Section 550 provides the Department 
with authority to regulate those chemical facilities ``that, in the 
discretion of the Secretary, present high levels of security risk.'' 
Thus, the risk-based tiers would differentiate and create tiers among 
those facilities that, as described above, qualify as presenting ``high 
levels of security risk'' and are thus ``covered facilities.'' The 
Department seeks comment on this notion of risk-based tiering among 
high-risk facilities. Specifically:
     How many risk-based tiers should the Department create?
     What should be the criteria for differentiating among the 
tiers?
     What types of risk should be most critical in the tiering?
     How should the performance standards differ among risk-
based tiers?
     What additional levels of regulatory scrutiny (e.g. 
frequency of inspections, plan reviews, and updates) should apply to 
each tier?
    The Department would establish the risk-based performance standards 
through the regulatory language below and intends to issue guidance 
periodically regarding compliance with the standards. Please note that 
specific security performance variables in the standards among tiers 
for the covered facilities are likely to contain sensitive information 
regarding covered facility vulnerability or security. Thus, certain 
elements of guidance on the application of these standards by tier will 
be provided to covered facilities pursuant to the information 
protections provisions of Section 550.

E. Vulnerability Assessments and the Development and Implementation of 
Site Security Plans for Chemical Facilities

    The first sentence of Section 550 requires the Department to 
mandate that ``high risk'' chemical facilities, known here as ``covered 
facilities,'' perform Vulnerability Assessments and develop and 
implement Site Security Plans.
1. Vulnerability Assessments
    A Vulnerability Assessment is an examination of how a covered 
facility would address specific types of possible terrorist threats. 
The assessment also examines the aspects of the covered facility that 
pose the most significant vulnerabilities to terrorist attack. The 
Department has worked with its partners to develop a methodology for 
this purpose which may be refined to fit the needs of this program's 
Vulnerability Assessment program. The methodology is described in 
detail in Appendix B. The Department seeks comment on how this 
methodology should be refined to serve as a basis for Vulnerability 
Assessments under Section 550.
    Covered facilities, those that qualify as ``high risk'' under 
Section 550, will be required to complete and submit Vulnerability 
Assessments. DHS will review each Vulnerability Assessment, and the 
Department may also scrutinize the Vulnerability Assessments in the 
course of a facility audit (discussed infra). In addition, a covered 
facility Vulnerability Assessment will serve two other central 
purposes: (1) The Department will use the results of Vulnerability 
Assessments to confirm that covered facilities have been assigned to 
the appropriate risk-based tiers; and (2) Each covered facility's Site 
Security Plan (discussed below) will be required to address each of the 
vulnerabilities identified in the Vulnerability Assessment. See Pub. L. 
109-295, sec. 550(a), Oct. 4, 2006 (``Provided further, That such 
regulation shall permit each facility, in developing and implementing 
Site Security Plans, to select layered security measures that, in 
combination, appropriately address the Vulnerability Assessment and the 
risk-based performance standard for security for the facility.'') 
Covered facilities also have continuing obligations, which vary based 
on their risk-based tier, to maintain and periodically update their 
Vulnerability Assessment.
    As noted, the Department will sort the covered facilities into 
tiers, based on risk. The Department may have three or four tiers, with 
the highest risk facilities in tier one. The tiering decisions will be 
based on a number of factors, including information from the Top-
screen, intelligence information, and information from other 
appropriate sources. As discussed below in a section II. K., the 
Department considers the methods for determining these tiers to be 
sensitive anti-terrorism information that may be protected from further 
disclosure.
    Many chemical facilities have already performed Vulnerability 
Assessments under models that are similar in purpose and effect to the 
RAMCAP methodology identified above. For a number of covered 
facilities, particularly in the initial year of the program, these 
Vulnerability Assessments will be acceptable in lieu of completing the 
Department's vulnerability analysis. Through the Alternative Security 
Program (ASP) provisions described herein, the proposed regulation will 
permit the Assistant Secretary to accept existing chemical facility 
Vulnerability Assessments, subject to any necessary revisions or 
supplements, where the

[[Page 78284]]

assessments are sufficiently similar to the Department's process to be 
effective. The Department is considering accepting any Vulnerability 
Assessments methodologies that are certified by the Center for Chemical 
Process (CCPS) as equivalent to the CCPS Methodology; and will review 
other Vulnerability Assessments submitted as ASPs. See proposed 6 CFR 
27.215(a).
2. Site Security Plans
    Under Section 550, the Department must also require that ``high 
risk'' chemical facilities develop and implement ``Site Security 
Plans.'' The statute specifies that the Department ``shall permit each 
facility, in developing and implementing Site Security Plans, to select 
layered security measures that, in combination, appropriately address 
the Vulnerability Assessment [for the facility] and the risk-based 
performance standards for security for the facility.'' This sentence 
identifies two critical statutory mandates.
    First, as indicated, a Site Security Plan must address both the 
``Vulnerability Assessment'' for the covered facility and the 
applicable ``risk-based performance standards.'' To address the 
Vulnerability Assessment, the plan must identify and describe the 
function of the measures the covered facility will employ to address 
each of the facility's vulnerable areas. Focusing on those vulnerable 
areas, the Site Security Plan must then address specific modes of 
potential terrorist attack and how each would be deterred or otherwise 
addressed. For example, a facility must select, develop and describe 
security measures intended to address potential attacks involving: (1) 
A VBIED (vehicle borne improvised explosive device); (2) a water-borne 
explosive device (if applicable); (3) an assault team; (4) 
individual(s) on the premises with explosives or a firearm, or (5) 
theft of certain chemicals; and (6) the possibility of insider or cyber 
sabotage.
    In addition, a covered facility's Site Security Plan must identify 
how the layered security measures selected by the covered facility meet 
the Department's risk-based performance standards. Although this 
process can be different for each facility and will vary depending on 
the unique risks presented in each, the performance standards will 
typically require covered facilities to develop and explain security 
measures to:
     Secure and monitor the perimeter of the facility;
     Secure and monitor restricted areas or potentially 
critical targets within the facility;
     Control access to the facility and to restricted areas 
within the facility by screening and/or inspecting individuals, 
deliveries, and vehicles as they enter; including,
    [cir] Measures to deter the unauthorized introduction of dangerous 
substances and devices that may facilitate an attack or actions having 
serious negative consequences for the population surrounding the 
facility; and
    [cir] Measures implementing a regularly updated identification 
system that checks the identification of facility personnel and other 
persons seeking access to the facility and that discourages abuse 
through established disciplinary measures;
     Deter vehicles from penetrating the facility perimeter, 
gaining unauthorized access to restricted areas or otherwise presenting 
a hazard to potentially critical targets;
     Secure and monitor the shipping and receipt of hazardous 
materials from the facility;
     Deter theft or diversion of potentially dangerous 
chemicals;
     Deter insider sabotage;
     Deter cyber sabotage, including by preventing unauthorized 
onsite or remote access to critical process controls, Supervisory 
Control And Data Acquisition (SCADA) systems, and other sensitive 
computerized systems;
     Develop and exercise an emergency plan to respond to 
security incidents internally and with assistance of local law 
enforcement and first responders;
     Maintain effective monitoring, communications and warning 
systems, including,
    [cir] Measures designed to ensure that security systems and 
equipment are in good working order and inspected, tested, calibrated, 
and otherwise maintained;
    [cir] Measures designed to regularly test security systems, note 
deficiencies, correct for detected deficiencies, and record results so 
that they are available for inspection by the Department; and
    [cir] Measures to allow the facility to promptly identify and 
respond to security system and equipment failures or malfunctions;
     Ensure proper security training, exercises, and drills of 
facility personnel;
     Perform appropriate background checks on and ensure 
appropriate credentials for facility personnel, and as appropriate, for 
unescorted visitors with access to restricted areas or potentially 
critical targets;
     Escalate the level of protective measures for periods of 
elevated threat;