Homeland Security - (NPPD) National Protection and Programs Directorate
Written testimony of National Protection and Programs Directorate Under Secretary Rand Beers for a House Appropriations Subcommittee on Homeland Security oversight hearing titled “Cybersecurity and Critical Infrastructure”Wednesday, March 20, 2013 12:00 AMH-405 U.S. Capitol
Introduction
Chairman Carter, Ranking Member Price, and distinguished Members of the Subcommittee, let me begin by thanking you for the strong support that you have provided the Department of Homeland Security (DHS) and the National Protection and Programs Directorate (NPPD). I look forward to continuing to work with you in the coming year to protect the homeland and the American people.
I am pleased to appear before the Committee today to discuss the importance of protecting and making more resilient the Nation’s critical infrastructure and cyber networks.
Integrated Critical Infrastructure
Critical infrastructure, both physical and cyber, is a key element of our national security and economic prosperity, and it is at risk from a variety of hazards, including cyber attacks. When we discuss integrated physical and cyber critical infrastructure protection and resilience, we are talking about understanding cyber and physical needs and vulnerabilities, identifying both cyber and physical safeguards and solutions, and understanding the interplay between the two.
Physical and cyber infrastructure have become inextricably linked. We rely on cyber systems to run everything from power plants to pipelines and hospitals to highways. This linkage means that both cyber and physical security measures are required to guard against the full array of potential attacks. For example, physical security measures prevent unauthorized access to servers and other sensitive information technology equipment, protecting against insider threats, which leverage close physical proximity to networks, systems, or facilities in order to modify, gather, or deny access to information. Conversely, cybersecurity measures can prevent an attack that could result in physical consequences. A successful cyber attack on a control system, such as those used in water treatment plants and energy facilities, could have devastating impacts on the health and safety of human lives and cause serious damage to the environment and the economy. These attacks frequently steal data, sometimes disable systems, often disrupt business operations, and have the potential to destroy infrastructure. Individually, or in combination, these attacks could negatively affect the quality of life and well-being of ordinary Americans.
Presidential Policy Directive 21 and Cyber Executive Order
Critical infrastructure security and resilience requires a whole-of-community effort that involves partnerships among public, private, non-profit sectors, and others; as well as a clear understanding of the risks we face. The Federal Government’s role in this effort is to share information and to encourage enhanced security and resilience, while also identifying gaps not filled by the marketplace. The enhanced information sharing programs supported by the recently released Executive Order (EO) 13636 for Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive (PPD) - 21 on Critical Infrastructure and Resilience help secure critical infrastructure and increase its resilience against cyber and physical attacks, as well as natural disasters and terrorist attacks.
To complement PPD-21, EO 13636 clears the way for more efficient sharing of cyber threat information with the private sector and directs the establishment of a Cybersecurity Framework to identify and implement better security practices among critical infrastructure sectors. Through partnerships between the government and private sector, the critical infrastructure cyber systems upon which much of our economic well-being, national security, and daily lives depend are being better protected.
By issuing EO 13636 and PPD-21, the Administration is taking an integrated approach that strengthens the security and resilience of critical infrastructure against all hazards, through an updated and overarching national framework that acknowledges the evolving risk environment and increased role of cybersecurity in securing physical assets. PPD-21 and the EO 13636 reinforce holistic thinking and action in the realms of security and risk management. The issuance of these important documents allows us to build upon and enhance our existing partnership model with our key private sector and state, local, tribal and territorial partners. Implementation of the EO 13636 and PPD-21 will also drive action toward system and network security and resilience. The Department is well positioned to make advances in the space defined by the cyber-physical security nexus that PPD-21 and EO 13636 address.
DHS has already formed a task force to coordinate implementation of PPD-21 and EO 13636 in order to:
Lead DHS’s implementation of PPD-21 and EO 13636, including coordination with the Department of Commerce, National Institute of Standards and Technology, on the Cybersecurity Framework;
Serve as the focal point for collaboration with industry;
Involve key stakeholders from all levels of government; and
Prioritize tasks, plan implementation, and coordinate principal offices of responsibility.
NPPD Efforts to Secure Infrastructure, Increase Resiliency, and Identify and Evaluate Risk
Securing cyber networks and physical infrastructure
NPPD programs work to secure cyber networks and physical infrastructure. This includes programs that secure and provide diagnostics for Federal cyber networks and those that provide physical security to Federal facilities. Also included are regulatory programs designed to ensure facilities are securing dangerous chemicals.
Protecting Federal Networks
DHS has operational responsibilities for securing unclassified federal civilian government networks and working with owners and operators of critical infrastructure to secure their networks through cyber threat analysis, risk assessment, mitigation, and incident response capabilities. We also are responsible for coordinating the national response to significant cyber incidents and for creating and maintaining a common operational picture for cyberspace across the government.
DHS directly supports federal civilian departments and agencies in developing capabilities that will improve their cybersecurity posture. For example, NPPD is moving to provide Federal agencies with the capability to continuously diagnose and mitigate cyber vulnerabilities in their critical systems. An array of internal sensors provides data about an agency’s cybersecurity posture in a near-real time dashboard so that agency security managers can move quickly to defeat common cyber threats. This capability will be a vast improvement over the current expensive and time-consuming process, which requires auditors to manually assess an information technology (IT) system and determine whether it meets static requirements under the Federal Information Security Management Act.
In fiscal year (FY) 2013 NPPD, in support of the Administration’s Continuous Monitoring initiative, is supporting the procurement of monitoring equipment, diagnostic sensors and tools, and dashboards to provide situational awareness for agencies across the Federal Executive Branch. Thisprogram will eventually conduct 60 to 80 billion vulnerability and configuration-setting checks every one to three days across the .gov network which will help agencies repair their worst cybersecurity problems first.
The National Cybersecurity Protection System (NCPS), also referred to as EINSTEIN, is an integrated intrusion detection, analytics, information sharing, and intrusion-prevention system that uses hardware, software, and other components to support DHS’s cybersecurity responsibilities. In FY 2013, the program will expand intrusion detection and cyber analytics capabilities at Federal agencies, improving NPPD’s situational awareness and allowing a more agile response to threats to Federal networks and systems. Additionally, the NCPS intrusion prevention service, known as E3A, will reach initial operating capability by providing signature-based intrusion prevention capabilities to secure Federal agency traffic. These efforts will ensure that Federal cybersecurity capabilities are efficiently keeping pace with cutting-edge technologies and adapting to emerging threats. NPPD is also growing its cyber mission information sharing environment to improve DHS’s ability to respond to and mitigate cyber threats and securely share information across multiple stakeholders.
Integrated Cybersecurity Operations
DHS is also home to the National Cybersecurity & Communications Integration Center (NCCIC), a 24x7 cyber situational awareness, incident response, and management center that is a national nexus of cyber and communications integration for the Federal Government, intelligence community, and law enforcement. Cybersecurity is a shared responsibility and operators from the United States Computer Emergency Readiness Team (US-CERT), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and the National Coordinating Center for Telecommunications (NCC), along with representatives from the DHS Office of Intelligence and Analysis, Federal law enforcement, the intelligence community, the Department of Defense, state and local governments, and the private sector come together at the NCCIC to support our response to significant cyber or physical incidents affecting critical infrastructure. In FY 2012, the NCCIC began providing a daily common operating picture for cyber incidents. This capability enhanced the situational awareness of cyber incidents detected via EINSTEIN and those reported to the NCCIC by Federal agencies, Federal law enforcement, the intelligence community, the Department of Defense, information sharing organizations, state and local governments, private sector entities, the general public, and international partners. Since 2009, the NCCIC has responded to nearly a half a million incident reports and released more than 26,000 actionable cybersecurity alerts to our public and private sector partners.
US-CERT leads and coordinates efforts to improve the Nation’s cybersecurity posture, promote cyber information sharing, and manage cyber risks to the Nation. US-CERT provides response support and defense against cyber attacks for the Federal Executive Branch (.gov) and information sharing, analytic collaboration, and response support to state, local, tribal and territorial (SLTT) governments, industry, and international partners. US-CERT interacts with Federal agencies, industry, the research community, SLTT governments, and other entities to disseminate actionable cybersecurity information to the public. In 2012, US-CERT resolved approximately 190,000 public and private sector cyber incident reports. This represents a 68 percent increase from 2011. In addition, US-CERT issued more than 7,455 actionable cyber-alerts in 2012 used by private sector and government agencies to protect their systems and had more than 6,400 partners subscribe to the US-CERT portal to engage in information sharing and receive cyber threat warning information. ICS-CERT responded to 177 incidents last year while completing 89 site assistance visits and deploying 15 teams with US-CERT to respond to significant private sector cyber incidents.
Historically, physical processes upon which critical infrastructures depend, such as opening and closing pipeline valves, switching railcars, turning on pumps in chemical facilities, adjusting buildings’ HVAC and fire suppression systems, and calibrating implantable medical devices, were completed using human power or using machines with local control. Disasters often occurred when these processes were incorrectly applied, whether maliciously or otherwise. For example, on November 25, 1964, a recently replaced natural gas transmission pipeline exploded and burned in Saint Francisville, Louisiana, killing five workers and injuring at least 23 others. A backhoe was suspected as the cause of the pipeline’s rupture. Today, our pipelines are just as vulnerable, but not only to such physical threats but also to those we cannot see. We must not only ensure the physical security of the control systems that govern complex systems such as pipeline systems, but we must also ensure their cybersecurity.
Increasingly sophisticated cyber attack tools can exploit vulnerabilities in commercial industrial control system components, telecommunication methods, and common operating systems found in modern industrial control systems. Many of these systems were designed for operability and reliability during an era when online security was not a priority for these systems.
ICS-CERT works closely with industrial control system vendors, researchers, security service providers, and other government agencies to analyze, identify, and responsibly share industrial control system vulnerabilities and mitigation strategies. ICS-CERT also works closely with critical infrastructure industry owners and operators since they are often best-positioned to understand the consequences of a malicious, disruptive intrusion into one of their networks. ICS-CERT works with all of these stakeholders to secure control systems and provide incident response assistance.
Protecting Federal Facilities
Just as NPPD executes daily operations that secure and provide diagnostics for Federal cyber networks, we provide daily physical security to Federal facilities. The Federal Protective Service (FPS) protects the 1.1 million daily tenants and visitors in the facilities, on the grounds, and on property owned, occupied, or secured by the Federal Government. FPS provides law enforcement and security management services, which include operations and oversight of approximately 13,000 contract Protective Security Officers (PSO), and security countermeasure services for more than 9,000 General Services Administration-owned, -leased or -operated facilities located in 11 regions across the country.
During the last fiscal year, FPS responded to 47,000 incidents, made 1,902 arrests, interdicted more than 886,000 weapons and prohibited items at Federal facility entrances during routine checks, conducted over 55,000 post inspections, disseminated 331 threat and intelligence-based products to stakeholders, and investigated and addressed more than 1,000 threats and assaults directed towards Federal facilities and their occupants.
Specific priorities in FY 2013 and continuing through FY 2014 for FPS include continued implementation of the Facility Security Assessment process, providing tailored recommendations for countermeasures, and enhancing its stakeholders’ understanding of vulnerabilities and protective and mitigation strategies. In FY 2012, FPS deployed the Modified Infrastructure Survey Tool (MIST), which surveys the existing level of protection in a number of security disciplines (such as access control, perimeter control, security force management, security planning and others) and plots them against the baseline level of protection required for a particular facility in the Interagency Security Committee Standards. In addition, NPPD is executing a pilot joint assessment using physical and cybersecurity expertise from across the component. The outputs of this project include a cyber and physical facility assessment report for the General Services Administration; the development of a compendium of NPPD security tools, techniques, and processes (tool kit); development of requirements for an integrated assessment approach/methodology; and an analysis of recommendations and lessons learned for future joint assessments.
FPS also initiated an effort to define an activity-based cost structure, which will map costs to the activities that FPS performs. Through this effort, FPS stakeholders will have greater transparency into the costs of FPS activities and the level of services provided in law enforcement operations and risk-based security services at Federal facilities.
Securing Dangerous Chemicals
NPPD is responsible for implementing the Chemical Facility Anti-Terrorism Standards (CFATS) program, which has made our Nation more secure by identifying and regulating high-risk chemical facilities to ensure they have security measures in place to reduce the risks associated with these chemicals. The CFATS program has made significant progress, advancing programmatically while simultaneously addressing internal operational concerns. The Department remains committed to working with stakeholders and with Congress on a path forward to ensure the CFATS program continues to build upon its successes to date.
NPPD is continually evaluating the program to identify areas for improvement and adjusting course when necessary to ensure proper implementation. Through the Infrastructure Security Compliance Division’s (ISCD) comprehensive Action Plan, we have identified and acted decisively to address areas in which improvements were warranted. This has resulted in significant progress in the program over the last year.
As of March 5, 2013, CFATS covers 4,380 high-risk facilities nationwide; of these 4,380 facilities, 3,468 have received final high-risk determinations and are required to develop Site Security Plans (SSPs) or Alternative Security Programs (ASPs). Since the inception of CFATS, close to 3,000 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. This significant reduction in the number of chemical facilities that represent attractive targets for terrorists is an important success of the CFATS program and is attributable both to the design of the program as enacted by the Congress and to the hard work of CFATS personnel who have consulted directly with thousands of chemical facilities.
Among the important items identified in the Action Plan and completed by ISCD was the need to streamline the process for reviewing SSPs. Using the new system, ISCD has completed its review of all Tier 1 SSPs and has begun reviewing Tier 2 SSPs. As of March 5, 2013, 83 of the Tier 1 SSPs have been authorized and 36 Tier 1 SSPs have been approved. ISCD is starting to make progress with Tier 2 as well. As of March 5, 2013, 172 Tier 2 SSPs have been authorized and four Tier 2 SSPs have been approved. ISCD anticipates that we will have completed the approval process for all Tier 1 security plans by October 2013 and for all Tier 2 security plans by May 2014. In addition, Alternative Security Programs (ASPs) are an important part of the CFATS program’s continued progress. The ASP provides an option for regulated facilities to submit information required to document site security measures that address the risk-based performance standards through an alternative format. As of March 5, 2013, 397 ASPs have been submitted in lieu of SSPs. ISCD has been working with industry stakeholders regarding their options for the development and use of ASPs. Recently, the American Chemistry Council released a guidance document and template developed in consultation with DHS. Additionally, DHS has been in discussion with other industry stakeholders, including the Agricultural Retailers Association and the Society of Chemical Manufacturers Affiliates, about developing templates specific to their members. DHS has also been engaging industry partners on the development of “corporate” ASPs. For industry partners that own several regulated facilities, the corporation can develop a single ASP template, which can be easily leveraged by all of its facilities. ASPs submitted by facilities using an industry-developed or proprietary template would be reviewed under the same standards that ICSD currently reviews SSPs. The potential for these ASPs to serve as a force multiplier is tremendous as DHS continues to authorize and approve SSPs and ASPs.
Identifying and evaluating risk to cyber networks and physical infrastructure
NPPD maintains a number of projects to support the identification, prioritization, and protection of the Nation’s critical infrastructure, as well as the assessment of critical infrastructure threats, vulnerabilities, and consequences. These projects provide an inventory of critical infrastructure and assets whose loss or compromise would pose the greatest risk to our national security, economic stability, public health and safety. NPPD conducts assessments to collect vulnerability, capability, and consequence information required to produce comprehensive analyses of asset and system risks. These analyses of dependencies, interdependencies, and cascading effects guide NPPD’s risk mitigation efforts and security planning to strengthen critical infrastructure resilience.
NPPD’s Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) is the Department’s analytical infrastructure-intelligence fusion center. HITRAC creates actionable risk-informed consequence analysis for Federal, state, local, tribal, territorial, private sector, and international partners. An integrated understanding of cyber and physical critical infrastructure dependencies and interdependencies is crucial to our ability to prepare for, respond to, and recover from disruptions to the Nation’s critical infrastructure. HITRAC is working to improve the Department’s cyber and physical infrastructure analysis capabilities including through three proofs of concept projects that will identify dependencies and interdependencies between cyber and physical infrastructure and provide a more comprehensive picture of risk across infrastructure sectors. This integrated analysis capability will allow NPPD to provide more informed risk analysis to our partners and decision-makers on emerging threats, risks, and consequences.
Increasing the resiliency of cyber networks and physical infrastructure
NPPD programs work with public and private sector partners to increase the security and resilience of cyber networks and physical infrastructure. This includes programs to support critical infrastructure owners and operators in enhancing their facilities’ physical and cyber security and resilience, coordinating critical infrastructure sectors, providing communications capabilities for national security and emergency preparedness (NS/EP) users responding to a disaster, and enhancing the communications capabilities of state and local first responders.
Infrastructure resilience is not only the responsibility of government, it is very much a whole-of-Nation activity, which starts with those who own and operate the infrastructure, both private and public sector, and those who make the decisions daily that protect and secure our most critical assets and systems. Information sharing is the core foundation of any truly effective public-private partnership. DHS plays a central role in protecting our Nation’s critical infrastructure by working with critical infrastructure owners and operators to prepare for, prevent, mitigate, and respond to threats to their facilities. We work with owners and operators to develop and monitor approaches to reduce risk to our critical infrastructure and make it more secure and resilient.
NPPD/IP builds partnerships across the critical infrastructure domain, leads related preparedness activities, and serves as an information sharing conduit between private sector and public entities. IP’s work spans the spectrum of security and resilience and allows us to promote enhanced infrastructure reliability in an all-hazards environment. IP works jointly with government partners at the Federal, state, local, tribal, and territorial levels as well as stakeholders in the private sector to ensure that all impacted organizations are actively involved in building a resilient infrastructure.
Coordinating Critical Infrastructure Sectors
NPPD is responsible for coordinating the Nation’s critical infrastructure security and protection efforts, including development and implementation of the National Infrastructure Protection Plan (NIPP). The NIPP establishes the framework for integrating the Nation’s various critical infrastructure protection and resilience initiatives into a coordinated effort. The NIPP provides the structure through which DHS, in partnership with Government and industry, implements programs and activities to protect critical infrastructure, promote national preparedness, and enhance incident response. The NIPP is updated every four years to capture evolution in the critical infrastructure risk environment. In FY 2013, IP will begin updating the NIPP based on requirements set forth in PPD-21. NPPD will work with critical infrastructure stakeholders to focus the NIPP on better integration of cyber and physical risk management, requirements for increased resilience, and recognition for the need for enhanced information sharing and situational awareness.
NPPD also provides a unifying environment for information exchange, built primarily on DHS’s Homeland Security Information Network for Critical Sectors (HSIN-CS), which brings together the 16 sectors1, fusion centers from across the country, and Federal agencies that provide information relevant to the critical infrastructure sectors. In FY 2012, HSIN-CS supported more than 120 sector partnership councils and working groups. DHS, in coordination with the councils, delivered approximately 150 products, issue resolutions, and strategic plan reviews. In FY 2012, this project provided 40 online portals for Sectors, fusion centers, regional communities, and other organizations providing content to the critical infrastructure community. For these portals, the project documented communication and coordination standard operating procedures that included incident response coordination, alerts and warnings, suspicious activity reporting, and best practices sharing for risk mitigation, including information from the NCCIC on cybersecurity. As part of this effort, the project supported 28 online seminars that reached more than 17,000 participants. NPPD also delivers a daily Open Source Infrastructure Report, available on www.dhs.gov, which has 35,000 subscribers and was accessed nearly 372,000 times over the year.
1Previously there were 18 sectors, but through consolidation of sectors through PPD-21, the number was reduced to 16.
Direct Engagement with Federal, State, Local, Private Sector, and International Entities
NPPD collaborates with critical infrastructure owners and operators to assess and mitigate risk to the Nation’s critical infrastructure, promote cybersecurity awareness among and within the general public and key communities, maintain relationships with governmental cybersecurity professionals to share information about cybersecurity initiatives, and develop partnerships to promote collaboration on cybersecurity issues. We also coordinate these efforts with international partners, when appropriate, to ensure the delivery of coordinated messaging to critical infrastructure. In order for us to inspire action and build greater resilience, we need to have the right people at the table who can make the investment decisions that allow critical infrastructure operators to close gaps, increase security, and upgrade technology.
Executive engagement is crucial to maintaining a healthy partnership because the access to resources, strategic vision, and the multidisciplinary skills necessary to address big infrastructure protection and resilience issues often resides at the CEO level. Beginning in FY 2012, IP has been increasing its efforts in engaging more CEOs, including a briefing for approximately 75 electric and nuclear CEOs as well as engagements with local CEOs that bring a variety of DHS partners to the table.
Protective Security Advisors (PSAs) serve as the nexus of our infrastructure security and coordination efforts at the Federal, state, local, tribal, and territorial levels. PSAs provide a local perspective to the national risk picture and serve as DHS’s onsite critical infrastructure and vulnerability assessment specialists. They are a vital channel of communication for owners and operators of critical infrastructure assets seeking to communicate with DHS. As incidents or threats occur, the PSAs living in communities across the country continue to provide the Department with a 24/7 capability to assist in developing the common operational picture for critical infrastructure. In FY 2012, the Protective Security Advisors conducted more than 1,000 Enhanced Critical Infrastructure Protection security surveys, which capture facility security data and track improvements made by facilities to enhance security and resilience. In addition, approximately 50 percent of NPPD’s cybersecurity site assessments administered by NPPD’s Office of Cybersecurity and Communications were conducted in tandem with PSAs—an example of how we are working to better and more effectively integrate our physical and cyber security efforts across NPPD and the Department.
NPPD supports the Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides cybersecurity services to SLTT members. MS-ISAC is represented at the NCCIC and plans to provide 150 onsite assessments of critical infrastructure to evaluate the cybersecurity posture and resilience of critical service providers in FY 2013. These assessments focus on both general network security and industrial control systems security, applying one of two methodologies—the Cyber Resiliency Review (CRR) and the Cyber Security Evaluation Tool (CSET). Using the CRR, NPPD also completed the first Nationwide Cybersecurity Review in 2012, which assessed cybersecurity maturity levels and risk awareness across 49 states, two U.S. territories, and more than 75 cities, counties, and municipalities. NPPD will conduct a second review in 2014. The CSET, used by ICS-CERT when conducting site assessments, also is freely available for asset owners and operators to download in support of self-assessments. Each year, CSET distribution reaches each of the CI sectors. In FY 2013, NPPD expects to distribute approximately 7,000 copies of the tool.
NPPD also supports the Regional Resiliency Assessment Program (RRAP), which examines the inherent connectivity of assets and systems within a specific geographic area or infrastructure function. The goal of the RRAP is to identify opportunities for regional homeland security officials and critical infrastructure partners to strengthen resilience to all hazards. This is achieved through a combination of vulnerability assessments, regional analysis, and research related to the RRAP focus area. The RRAP process identifies critical infrastructure dependencies, interdependencies, cascading effects, and capability gaps. IP has partnered with the critical infrastructure community to complete 27 RRAP projects over four years on a diverse and dynamic set of critical infrastructure topics, touching nearly every major region and most sectors. Ten RRAPs were conducted in FY 2012, with another 10 scheduled in FY 2013.
The Office for Bombing Prevention builds capabilities within the general public and across the private and public sectors to prevent, protect against, respond to, and mitigate bombing incidents. In FY 2013, the Office for Bombing Prevention will conduct 125 capability assessments, including a new Bombing Prevention Index, which establishes a baseline score that enables measurement of progress toward improvised explosive device (IED)-related national resilience and preparedness goals and used the capability data to conduct 10 Multi-jurisdictional improvised explosive device security plans, 30 bomb-making materials assessment program events, and 75 IED awareness and risk mitigation training courses. The Technical Resource for Incident Prevention (TRIPwire) Information Sharing program provides law enforcement and first responders with unclassified IED information, with more than 15,514 registered TRIPwire users, including 2,500 users added in FY 2012. In addition, the Office for Bombing Prevention continues to lead DHS efforts in executing the national policy for Countering Improvised Explosive Devices.
Ensuring Adequate Communications Capabilities to Support Disaster Response Operations
NPPD provides a series of national security/emergency preparedness (NS/EP) and emergency communications capabilities in partnership with Federal, SLTT and private sector stakeholders. NPPD develops and maintains NS/EP communications priority services programs, which have supported the communication needs of over one million users across all levels of government and the private sector. The Government Emergency Telecommunications Service (GETS) program is a White House-directed emergency telecommunications service. GETS supports more than 274,000 Federal, state, local, tribal, and territorial government, industry, and non-governmental organization personnel in performing their NS/EP communications missions by providing a robust mechanism to complete calls during network congestion from anywhere in the United States. Wireless Priority Service (WPS) is the wireless complement to GETS, created due to the overwhelming success of GETS during 9/11. The program enhances the ability of 108,000 NS/EP subscribers to complete cellular phone calls through a degraded public switched telephone network during a crisis or emergency situation. In FY 2013, NPPD plans to continue the expansion and general availability of WPS across multiple carriers and plans to achieve at least a 90 percent call completion rate during emergency communication periods and National Special Security Events.
NPPD is also working to support the implementation of the Middle Class Tax Relief and Job Creation Act of 2012, which established the Nationwide Public Safety Broadband Network (NPSBN) for emergency responders at all levels of Government. A DHS priority is to ensure resilience measures are built into the network. DHS is currently working with industry and Federal stakeholders to develop a risk assessment of the network’s physical and cybersecurity infrastructure and offer recommendations to ensure appropriate security measures are built in from the outset of the Network’s deployment. The Act establishes a new entity with-in the National Telecommunications and Information Administration of the Department of Commerce to oversee planning, construction and operation of the network, known as the First Responder Network Authority, or FirstNet.
To advance FirstNet’s deployment of a nationwide public safety broadband network, NPPD’s Office of Emergency Communications (OEC) is leading a number of activities designed to assist state and local agencies with understanding their current and planned broadband communications needs. As FirstNet’s deployment advances, OEC coordination with state and local public safety first responders will become more critical than ever with the adoption of broadband communications. To increase coordination of Federal efforts for broadband implementation, the Emergency Communications Preparedness Center (ECPC) is working to identify Federal broadband requirements by preparing a consolidated view of emergency communications assets, addressing associated legal and regulatory barriers, reviewing and analyzing Departmental positions on pending broadband regulatory matters and rulemakings, and establishing standardized grant guidance and processes. Concurrently, the OneDHS Emergency Communications Committee is providing consolidated Departmental input into Federal interagency efforts, as well as developing strategies for broadband technology migration from current land mobile radio technology to next generation wireless network technology.
Leveraging Integrated Capabilities: Hurricane Sandy Response and Recovery
Before, during, and after Hurricane Sandy, NPPD provided support through resources and personnel to the affected area. Through NPPD’s existing partnerships with critical infrastructure partners, DHS was able to facilitate much-needed fuel deliveries to critical telecommunication sites in lower Manhattan in order to fuel generators and keep the facilities operational. After PSAs were notified of the fuel supply shortage, HITRAC provided analysis on the wide-spread impact if the telecommunications facility lost power, while the NCC worked with its public and private sector partners to identify a fuel supply and coordinate its delivery to the critical site.
PSAs closely monitored Hurricane Sandy in the lead up, during, and following the storm as part of their incident response mission area to protect the Nation’s critical infrastructure. Thirty-four PSAs deployed to Regional Response Coordination Centers in Federal Emergency Management Agency Regions I, II, and III as well as state, county, and regional Emergency Operations Centers. The PSAs served as infrastructure liaisons and provided expert knowledge of impacted infrastructure; maintained communications with owners and operators of critical infrastructure; and prioritized and coordinated response, recovery, and restoration efforts. Throughout the entire course of the incident, the PSAs provided updates on the status of critical infrastructure.
HITRAC mobilized to provide actionable analysis for decision makers throughout the storm including impact analysis, high fidelity consequence modeling, and infrastructure protection prioritization priorities. It also developed timely, authoritative, and incident-specific preparedness and response activities, which included risk and threat analysis, predictive consequence modeling and prioritization analysis, and product development. HITRAC was able to provide critical information on fuel supply and infrastructure of concern. In addition, the NICC provided situational awareness to DHS leadership throughout the event as well as critical information collection and distribution for Critical Infrastructure Stakeholders in the Public and Private sector. These efforts helped share information regarding storm impacts and restoration priorities.
Throughout the preparation and response efforts, FPS coordinated with Federal tenants and the GSA to ensure that law enforcement and security needs related to Federal properties and assets brought in to help with power restoration were met. In addition to the more than 30 law enforcement officers originally on duty in the affected areas, FPS launched national deployments of its Crisis Response Team, which brought an additional 40 law enforcement officers to support tenant agencies and Federal facilities as well as 24 law enforcement officers to support FEMA. These officers played a key role in preventing vandalism, theft, and destruction of Federal property and were instrumental in ensuring that equipment and supplies from the U.S. Army Corps of Engineers leveraged as part of the Power Restoration Task Force were protected.
NPPD is currently supporting Hurricane Sandy recovery efforts. Eighty-eight FPS PSOs are assigned to 18 locations in New York and 38 FPS PSOs are assigned to a Joint Field Office in New Jersey. IP personnel are also deployed to the region supporting the New Jersey Joint Field Office and New York Joint Field Office. There are two senior representatives providing critical infrastructure analysis capabilities and support to FEMA’s Infrastructure Systems Recovery Support Function as part of the National Disaster Recovery Framework in response to Hurricane Sandy. New York PSAs have continued to work closely with Federal, state and local responders, dividing efforts among the New York City Emergency Operations Center (EOC), the Nassau County EOC, and the Suffolk County EOC.
Conclusion
Protecting critical infrastructure – both physical and cyber – is a shared responsibility. Just as we all enjoy and rely on the benefits of critical infrastructure, we all must play a role in keeping it strong, secure, and resilient. NPPD is leveraging the full breadth and scope of expertise in the Directorate and all of our industry and government stakeholders to collaborate on the protection, resiliency, and risk identification and evaluation of physical and cyber infrastructure. Additionally, as NPPD mission operations have grown tremendously over the last five years, it is imperative that the Directorate have the appropriate resources to provide management, support, and oversight to ensure program performance and mission success.
We know that evolving threats– and the need to address them – do not diminish because of budget reductions. In the current fiscal climate, we do not have the luxury of making significant reductions to our capabilities without significant impacts. Sequester reductions will require us to scale back and delay the development and deployment of critical capabilities for the defense of Federal cyber networks.
Thank you, Chairman Carter, Vice Chairman Aderholt, Ranking Member Price, and distinguished Members of the Subcommittee for the opportunity to discuss NPPD’s role in strengthening cybersecurity for the Nation’s critical infrastructure. I look forward to any questions you may have.
Language
English
Long Title: Written testimony of National Protection and Programs Directorate Under Secretary Rand Beers for a House Committee on Appropriations, Subcommittee on Homeland Security oversight hearing titled “Cybersecurity and Critical Infrastructure”Organization: (NPPD) National Protection and Programs DirectorateAudience: Federal GovernmentScheduled Expiration Period: NeverType of News: Testimony
Topics:
Plan and Prepare for Disasters,
Preventing Terrorism,
Information Sharing,
Secure Cyber Networks,
Critical Infrastructure Security,
Cybersecurity,
Chemical Security
Review Date: Wednesday, March 20, 2013Show in Resource Directory: Release Date: 1363752000Publish Date: Wednesday, March 20, 2013Last Update Date: Wednesday, March 20, 2013Show in Searchable Collection: Readout of Under Secretary Rand Beers’ Trip to Sana’a, YemenTuesday, January 08, 2013 9:46 AM
Language
English
For Immediate Release
DHS Press Office
Contact: 202-282-8010SANA’A, Yemen— U.S. Department of Homeland Security (DHS) Under Secretary for the National Protection and Programs Directorate and DHS Counterterrorism Coordinator Rand Beers led a DHS delegation to Sana’a, Yemen on January 7-8 to meet with counterparts to discuss strengthening the Department’s collaboration with the Government of Yemen on a variety of trade, civil aviation, and border security issues. This visit builds on the recent meeting between Yemeni President Abdu Rabbu Mansour Hadi and Secretary of Homeland Security Janet Napolitano in September 2012.“The United States has a profound interest in advancing Yemen’s security and prosperity,” said Under Secretary Beers. “By enhancing collaboration with the Government of Yemen, we reaffirm our commitment to more effectively secure our two countries against evolving threats and improve the trade and investment climate in Yemen.”Under Secretary Beers met with President Hadi to discuss U.S.–Yemen cooperation, including initiatives to address a variety of security, trade, and immigration issues. Under Secretary Beers also met with officials from the Ministry of Interior and the Ministry of Foreign Affairs, the Civil Aviation and Meteorology Authority, and the Yemen Customs Authority, as well as security and law enforcement agencies, to discuss efforts to enhance aviation and border security. During the meetings, officials from both countries reiterated their commitment to continued cooperation to further develop and expand ongoing partnerships.For more information, visit www.dhs.gov.###Long Title: Readout of Under Secretary Rand Beers’ Trip to Sana’a, YemenOrganization: (DHS) Department of Homeland Security(DHS-HQ) Department of Homeland Security - HQ(NPPD) National Protection and Programs DirectorateGeography: AsiaAudience: BusinessGovernmentMediaPublicScheduled Expiration Period: NeverType of News: Press Releases
Topics:
Information Sharing,
International,
Trade,
Border Security,
Air
Review Date: Tuesday, January 8, 2013Show in Resource Directory: Release Date: 1357656405Publish Date: Tuesday, January 8, 2013Last Update Date: Tuesday, January 8, 2013Show in Searchable Collection: Cybersecurity InsuranceThursday, December 27, 2012 10:30 AM
Language
English
Cybersecurity InsuranceCybersecurity insurance is designed to mitigate losses from a variety of cyber incidents, including data breaches, network damage, and cyber extortion. The Department of Commerce has described cybersecurity insurance as a potentially “effective, market-driven way of increasing cybersecurity” because it may help reduce the number of successful cyber attacks by promoting widespread adoption of preventative measures; encouraging the implementation of best practices by basing premiums on an insured’s level of self-protection; and limiting the level of losses that companies face following a cyber attack. However, the cybersecurity insurance market today faces significant challenges.
In order to examine what obstacles hinder the development of a robust cybersecurity insurance market – i.e., one that can offer more relevant policies to more people at lower cost – the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) hosted an all-day workshop on cybersecurity insurance on Monday, October 22, 2012, at the Intellectual Property Rights (IPR) Center in Arlington, Virginia. Sixty-five private-sector and Federal agency participants examined today’s cybersecurity insurance market, focusing in particular on the challenges facing the “first-party” insurance market. NPPD invited stakeholders from five groups: insurance carriers; corporate risk managers; IT/cyber experts; economists and other social scientists; and critical infrastructure owners and operators. NPPD asked participants to nominate breakout group topics to develop the workshop agenda and those included:
Defining Insurable and Uninsurable Cyber Risks
Cyber Insurance and the Human Element
Cyber Liability: Who is Responsible for What Harm?
Current Cyber Risk Management Strategies and Approaches
Cyber Insurance: What Harms Should It Cover and What Should It Cost?
Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities
Sequencing Solutions: How Should the Market Move Forward?
The workshop included three plenary panelists – Tyler Moore, Professor of Computer Science and Engineering at Southern Methodist University; Emily Freeman, Executive Director for Technology and Media Risks with Lockton; and Jason Averill, Leader, Engineered Fire Safety Group at the National Institute of Standards and Technology (NIST).
NPPD conducted the Cybersecurity Insurance Workshop in accordance with the Federal Advisory Committee Act, P.L. 92-463, and captured the current viewpoints of the workshop participants in a Cybersecurity Insurance Workshop Readout Report. That report can be viewed below. NPPD intends to use the report as a reference point for any future cybersecurity insurance discussions that it convenes going forward. The comments, perspectives, and suggestions contained in the report are those of the workshop participants only and do not necessarily reflect the views of DHS.
Organization: (NPPD) National Protection and Programs DirectorateOffice of Infrastructure ProtectionProducts: Publication
Topics:
Cybersecurity
AttachmentSize
Cybersecurity Insurance Read Out Report985.24 KB
Show in Resource Directory: Access: PublicLaw Enforcement ResourcesThursday, November 29, 2012 3:37 PM
Language
English
The Law Enforcement Resources page is designed to assist state, local, tribal, and territorial law enforcement in their efforts to keep our communities safe, secure, and resilient.DHS State and Local Law Enforcement Resource CatalogThe DHS State and Local Law Enforcement Resource Catalog highlights DHS resources available to state, local, tribal, and territorial law enforcement. This document summarizes and provides links to training, publications, guidance, alerts, newsletters, programs, and services available to non-Federal law enforcement from across the Department. The Resource Catalog is not exhaustive and will be maintained as a living document.2013 Law Enforcement Conferences, Gatherings, and MeetingsThe OSLLE developed a list of law enforcement conferences, gatherings, and meetings in 2013. These events often offer training opportunities and the ability to share best practices with law enforcement from across the country. This document is not exhaustive and will be maintained as a living document, updated on a monthly basis.Homeland Security Information NetworkThe Homeland Security Information Network (HSIN) is a national secure and trusted web-based portal for information sharing and collaboration between federal, state, local, tribal, territorial, private sector, and international partners engaged in the homeland security mission. HSIN - Law Enforcement was developed specifically for the law enforcement community to share Law Enforcement Sensitive Information and to securely collaborate with partners across geographic and jurisdictional boundaries on topics such as weapons smuggling, narcotics trafficking, and gang mitigation. Federal Law Enforcement Training Center: State and Local TrainingThe Federal Law Enforcement Training Center (FLETC) provides tuition-free and low cost training to state, local, tribal, and territorial law enforcement. Programs are conducted across the United States and are normally hosted by a local law enforcement agency. Training is also conducted at FLETC facilities located in Glynco (Brunswick), GA; Artesia, NM; Charleston, SC; and Cheltenham, MD.Other Law Enforcement ResourcesDepartment of Justice COPS OfficeUniform Crime ReportsICE Homeland Security Investigations Most WantedICE Enforcement and Removal Operations Most WantedU.S. Secret Service Most Wanted FugitivesFederal Bureau of Investigation Ten Most WantedInternational Criminal Police Organization (INTERPOL) Most Wanted National Center for Missing and Exploited Children Amber AlertINTERPOL
Related Resources
CBP Office of State, Local, and Tribal LiaisonICE Office of State, Local, and Tribal Coordination
More from DHS
Active Shooter Preparedness
Building Law Enforcement and Homeland Security Partnerships
Countering Violent Extremism
Find and Apply for Grants
Information Sharing
Law Enforcement Partnerships
Learn About Law Enforcement Training Opportunities
Nationwide Suspicious Activity Reporting Initiative
State and Major Urban Area Fusion Centers
The Blue Campaign
Show in Resource Directory: Access: PublicShow in Searchable Collection: Left Menu: Fact SheetsDHS State and Local Law Enforcement Resource CatalogThursday, November 29, 2012 1:34 PM
Language
English
DHS State and Local Law Enforcement Resource Catalog The DHS State and Local Law Enforcement Resource Catalog highlights DHS resources available to state, local, tribal, and territorial law enforcement. This document summarizes and provides links to training, publications, guidance, alerts, newsletters, programs, and services available to non-Federal law enforcement from across the Department. The Resource Catalog is not exhaustive and will be maintained as a living document.Audience: GovernmentFederal GovernmentState GovernmentLocal GovernmentLaw EnforcementFirst respondersDHS EmployeesPartnerships
Keywords:
law enforcement resources,
law enforcement,
law enforcement cybersecurity,
state and local partnerships,
tribal partners,
government resources,
cybersecurity resources,
resources,
preparedness grants,
grants,
law enforcement partnerships,
Office for State and Local Law Enforcement,
Organization: (DHS) Department of Homeland Security(CBP) U.S. Customs and Border Protection(DHS-HQ) Department of Homeland Security - HQ(CISOMB) Citizenship & Immigration Services Ombudsman(CRCL) Office for Civil Rights and Civil Liberties(DNDO) Domestic Nuclear Detection Office(I&A) Office of Intelligence and Analysis(IGA) Intergovernmental Affairs(NPPD) National Protection and Programs Directorate(CS&C) Office of Cyber Security and Communications(US-VISIT) Office of US-VISIT(OHA) Office of Health Affairs(OPS) Office of Operations Coordination(PLCY) Office of Policy(S&T) Science and Technology Directorate(FEMA) Federal Emergency Management Agency(FLETC) Federal Law Enforcement Training Center(ICE) U.S. Immigration and Customs Enforcement(TSA) Transportation Security Administration(OLE/FAMS) Federal Air Marshal Service(USCG) U.S. Coast Guard(USCIS) U.S. Citizenship and Immigration Services(USSS) U.S. Secret ServiceProducts: TrainingResourcesPublicationGrantsFAQ
Topics:
Plan and Prepare for Disasters,
Nuclear Security,
Preparing the Enterprise,
Preventing Terrorism,
Privacy,
National Terrorism Advisory System,
Law Enforcement Partnerships,
Information Sharing,
Land,
Maritime,
Secure Cyber Networks,
Transportation Security,
Trusted Traveler Programs,
Verifying Identity,
Immigration Enforcement,
Immigration and Citizenship Services,
Countering Violent Extremism,
Combat Cyber Crime,
Critical Infrastructure Security,
Cybersecurity,
Civil Rights Civil LIberties,
Biological Security,
Border Security,
Cargo,
Chemical Security,
DHS Enterprise,
Disaster Response and Recovery,
Homeland Security Enterprise,
Human Trafficking,
If You See Something Say Something,
Disasters,
Air
Related Resources
CBP Office of State, Local, and Tribal LiaisonICE Office of State, Local, and Tribal Coordination
More from DHS
Active Shooter Preparedness
Building Law Enforcement and Homeland Security Partnerships
Countering Violent Extremism
Find and Apply for Grants
Information Sharing
Law Enforcement Partnerships
Learn About Law Enforcement Training Opportunities
Nationwide Suspicious Activity Reporting Initiative
State and Major Urban Area Fusion Centers
The Blue Campaign
Show in Resource Directory: Access: PublicOSLLE Publication ArchivesWednesday, November 28, 2012 10:30 AM
Language
English
OSLLE Publication ArchivesTo keep the law enforcement community up-to-date on activities and outreach efforts, the OSLLE regularly publishes articles in law enforcement periodicals.Recent PublicationsNovember 2012: The article "Department of Homeland Security: Office for State and Local Law Enforcement" appeared in the November 2012 issue of Insighter, the tri-annual periodical produced by the FBI Law Enforcement Executive Development Association. It answers the question, “Are we safer today than we were on the morning of September 11, 2001?”September 2012: The article "Inside the Office for State and Local Law Enforcement" appeared in the September-October 2012 issue of The Associate, the bi-monthly periodical produced by the FBI National Academy Associates. It provides an inside look into the DHS office that was created specifically for state and local law enforcement.August 2012: The article "From the Assistant Secretary: Welcome to DHS: Office for State and Local Law Enforcement" appeared in the August 2012 issue of Police Chief, the monthly periodical produced by the International Association of Chiefs of Police. It highlights the mission, goals, and activities of the OSLLE. Audience: GovernmentFederal GovernmentState GovernmentLocal GovernmentLaw EnforcementFirst respondersDHS EmployeesPartnerships
Keywords:
law enforcement,
training opportunities,
state and local,
state and local partnerships,
tribal partners,
Organization: (DHS) Department of Homeland Security(CBP) U.S. Customs and Border Protection(DHS-HQ) Department of Homeland Security - HQ(I&A) Office of Intelligence and Analysis(NPPD) National Protection and Programs Directorate(OPS) Office of Operations Coordination(PLCY) Office of Policy(FEMA) Federal Emergency Management Agency(FLETC) Federal Law Enforcement Training Center(ICE) U.S. Immigration and Customs Enforcement(TSA) Transportation Security Administration(USCG) U.S. Coast GuardProducts: Publication
Topics:
Preventing Terrorism,
Law Enforcement Partnerships,
Transportation Security,
Immigration Enforcement,
Countering Violent Extremism,
Combat Cyber Crime,
Cybersecurity,
Border Security,
Homeland Security Enterprise,
Human Trafficking,
If You See Something Say Something
Related Resources
CBP Office of State, Local, and Tribal LiaisonICE Office of State, Local, and Tribal Coordination
More from DHS
Active Shooter Preparedness
Building Law Enforcement and Homeland Security Partnerships
Countering Violent Extremism
Find and Apply for Grants
Information Sharing
Law Enforcement Partnerships
Learn About Law Enforcement Training Opportunities
Nationwide Suspicious Activity Reporting Initiative
State and Major Urban Area Fusion Centers
The Blue Campaign
Show in Resource Directory: Access: PublicWritten testimony of NPPD for a House Appropriations Subcommittee on Homeland Security hearing on the Chemical Facility Anti-Terrorism StandardsThursday, September 20, 2012 12:00 AM
Language
Undefined
2359 Rayburn House Office Building
Thank you, Chairman Aderholt, Ranking Member Price, and distinguished Members of the Subcommittee. It is a pleasure to appear before you today to discuss the Department of Homeland Security's (DHS) efforts to regulate the security of high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS).
As you are aware, the Department's current statutory authority to implement CFATS – Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act, as amended – has been extended through October 4, 2012, and is about to be further extended by the FY 2013 Continuing Appropriations Resolution once that has been enacted. The CFATS program has made our Nation more secure and DHS welcomes the opportunity to continue to work with Congress, all levels of government, and the private sector to further improve this vital national security program.
CFATS has helped to make our country safer. Since the inception of CFATS, more than 2,700 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk.
In the interest of building upon our collaboration, my testimony today focuses on the current status of the program, examples of the program’s successes to date, some of the current challenges facing the National Protection and Programs Directorate (NPPD) in implementing CFATS, and the actions we are taking to address these challenges through the Infrastructure Security Compliance Division (ISCD) Action Plan. Progress has been made on all of the Action Plan action items that remain open, and I would be glad to discuss both the progress made by the Department on these action items as well as the path forward the Department has charted for completing these items. Equally as important, I will reiterate the principles that we believe should guide the program's maturation and continued authorization.
I am pleased to inform you that the Department has completed 68 of the 95 action items included in the Action Plan. It should be noted that this is significantly higher than the number reported by the Government Accountability Office (GAO) in its July 2012 report, as the Department continues to work on and complete action items following the conclusion of the GAO audit. I would also like to thank GAO for their efforts in reviewing the CFATS program. We have made progress in addressing identified challenges, but more remains to be done.
At Under Secretary Beers’ direction, the program’s leadership has outlined its priorities, the challenges it believes the program faces, and a proposed path forward to address those challenges and accomplish program objectives. NPPD, the Directorate with oversight responsibility for the CFATS program, is continuously reviewing the program to identify areas for improvement and correcting course when necessary to ensure proper implementation.
Chemical Facility Security Regulations
Section 550 of the FY 2007 Department of Homeland Security Appropriations Act directed the Department to develop and adopt within six months a regulatory framework to address the security of chemical facilities that the Department determines pose high levels of risk. Specifically, Section 550(a) of the Act authorized the Department to adopt regulatory requirements for high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop Site Security Plans (SSPs), and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published an interim final rule, known as CFATS, on April 9, 2007. Section 550, however, expressly exempts from the regulation certain facilities that are regulated under other federal statutes, specifically those regulated by the United States Coast Guard (USCG) pursuant to the Maritime Transportation Security Act (MTSA), drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Departments of Defense or Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC).
The following core principles guided the development of the CFATS regulatory structure:
Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders—federal, state, local, tribal, and territorial government partners, as well as the private sector—is essential to securing our critical infrastructure, including high-risk chemical facilities
Risk-based tiering is used to guide resource allocations.1 Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk—those that, if targeted, would endanger the greatest number of lives;
Reasonable, clear, and calibrated performance standards will lead to enhanced security. The CFATS rule establishes enforceable risk-based performance standards, or RBPS, for the security of our Nation’s chemical facilities. High-risk facilities have the flexibility to develop appropriate site-specific security measures that will address risk effectively by meeting these standards. ISCD will analyze all final high-risk facility SSPs to ensure that they meet the applicable RBPS and will approve those that do. If necessary, ISCD will work with a facility to revise and resubmit an acceptable plan and can disapprove security plans if an acceptable plan is not submitted; and
Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies made significant capital investments in security following 9/11, and even more have done so since the passage of the legislation establishing this program.
1Tiering determinations are dynamic; for example, a tiering determination can change when a company voluntarily alters its facilities in a way that reduces its risk profile. “Final tiering” refers to a tiering assignment following a Security Vulnerability Assessment—it does not imply that this is the final tiering assignment a facility may ever receive.
Rule Implementation
On November 20, 2007, the Department published CFATS’ Appendix A, which lists 322 chemicals of interest—including common industrial chemicals such as chlorine, propane, and anhydrous ammonia—as well as specialty chemicals, such as arsine and phosphorus trichloride. The Department included chemicals based on the potential consequences associated with one or more of the following three security issues:
Release – Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated;
Theft/Diversion – Chemicals that have the potential, if stolen or diverted, to be used as or converted into weapons that could cause significant adverse consequences for human life or health; and
Sabotage/Contamination – Chemicals that are shipped and that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health.
The Department also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways. Any chemical facility that possesses any chemical of interest at or above the applicable Screening Threshold Quantity must submit an initial consequence-based screening tool, commonly referred to as the “Top-Screen,” to DHS. Through the Top-Screen process, ISCD identifies high-risk facilities, which the Department then assigns to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk.
Implementation of the CFATS regulation requires the Department to identify which facilities it considers high-risk. Supporting this, ISCD developed the Chemical Security Assessment Tool (CSAT) to help the Department identify potentially high-risk facilities and to provide methodologies those facilities can use to conduct SVAs and to develop SSPs. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the Top-Screen, an SVA tool, and an SSP template. The CSAT tool is a secure tool that can be accessed only by Chemical-terrorism Vulnerability Information (CVI) authorized users.
In May 2009, DHS issued Risk-Based Performance Standards Guidance to assist final high-risk chemical facilities in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the appropriate level of performance for the RBPS at each tier level. The Guidance was informed by the experience of the Transportation Security Administration (TSA), U.S. Coast Guard (USCG), and the Environmental Protection Agency (EPA), and also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose – whether or not in the Guidance – provided that DHS determines through approval of the facilities’ SSPs that they achieve the requisite level of performance under the CFATS RBPS.
Implementation Status
To date, ISCD has received more than 41,000 Top-Screens submitted by chemical facilities. Since June 2008, ISCD identified more than 8,000 facilities that it has initially designated as high-risk. These facilities have used the CSAT tool to compile and submit SVAs. In May 2009, following reviews of facilities’ SVA submissions, ISCD began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or an Alternative Security Program (ASP) in lieu of an SSP.
As of September 4, 2012, CFATS covers 4,433 high-risk facilities nationwide; of these, 3,660 facilities are currently subject to final high-risk determinations and submission of an SSP or ASP. The remaining facilities are awaiting final tier determinations based on their SVA submissions. ISCD continues to issue final tier notifications to facilities across all four risk tiers as it makes additional final tier determinations.
Personnel Surety. Under CFATS Risk-Based Performance Standard 12 (RBPS 12), final high-risk chemical facilities are required to perform background checks on certain individuals with access to restricted areas or critical assets. NPPD has been seeking to implement a CFATS Personnel Surety Program to enable facilities to comply with the requirement to identify individuals who may pose a risk to chemical security by enabling facilities to submit biographical information to NPPD. NPPD would compare this biographical information against information about known or suspected terrorists listed in the Terrorist Screening Database (TSDB).
Since submitting an Information Collection Request (ICR) to OMB in June of 2011, the Department’s position on how facilities can comply with RBPS 12 has evolved, thanks in large part to information the chemical industry has provided to us as part of the PRA process. As a result, in July of 2012, the Department withdrew the ICR from OMB review. This has enabled the Department to engage in direct dialogue with security partners and with stakeholders in the regulated community about the CFATS Personnel Surety Program. Additionally, the Department has learned a great deal about various facilities through visits to chemical facilities it has conducted. This on the ground knowledge of the facilities will help to inform the Department of the impacts of the Personal Surety Program will have. The Department plans to re-initiate the PRA process by publishing a 60-day notice to solicit comment in the Federal Register in the near future. After that, the Department will concurrently publish a 30-day notice to solicit additional comments, and submit a new ICR for the CFATS Personnel Surety Program to OMB for review.
Outreach Efforts
Since the establishment of CFATS in April 2007, NPPD and ISCD have taken significant steps to publicize the rule and ensure that the regulated community and other interested or affected entities are aware of its requirements. NPPD and ISCD management and staff have presented at hundreds of security and chemical industry conferences and participated in a variety of other meetings. As part of this outreach program, NPPD and ISCD has regularly updated impacted sectors through their Sector Coordinating Councils and the Government Coordinating Councils – including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors. In addition, ISCD continues to focus on fostering solid working relationships with state and local officials including first responders.
NPPD and ISCD continue to collaborate within DHS and with other federal agencies in the area of chemical security, including routine engagement with USCG; TSA; the Department of Justice's Federal Bureau of Investigation and Bureau of Alcohol, Tobacco, Firearms and Explosives; the NRC; and EPA.
Across the Nation, ISCD’s Chemical Security Inspectors have been actively working with facilities and governmental agencies. Collectively, they have participated in more than 4,050 meetings with federal, state, and local officials, conducted over 1,060 Compliance Assistance Visits, and have held more than 4,240 informal introductory meetings with owners and/or operators of CFATS-regulated facilities.
To promote information sharing, ISCD has developed several communication tools for stakeholder use, including: the Chemical Security website (www.DHS.gov/chemicalsecurity); a Help Desk for CFATS-related questions; a CFATS tip-line for anonymous chemical security reporting; and CFATS-Share, a web-based information-sharing portal that provides certain Federal, state, and local agencies access to key details on CFATS facility information as needed.
Highlights and Successes of CFATS Program
As we have previously discussed, the ISCD Action Plan currently contains 95 items, each of which has been assigned to a member of ISCD’s senior leadership team for implementation. As of September 11, 68 of the 95 action items contained in the Action Plan have been completed. For accountability, planning, and tracking purposes, the members of that leadership team have established milestones and a schedule for the completion of each task assigned to them. In addition, ISCD leadership meets with me at least once per week to provide status updates on the action items and discuss ways that NPPD leadership can help.
I would like to share with the Subcommittee some of the highlights and successes that are a direct result of the implementation of the Action Plan and other recent initiatives performed by ISCD. These include: improving the SSP review process and increasing the pace of SSP reviews; refining inspector tools and training; reinvigorating industry engagement on their development of ASP templates; improving internal communications and organizational culture; and preparing for an external peer review of the CFATS risk assessment methodology.
SSP Review Process. ISCD is currently utilizing a refined approach for reviewing SSPs in order to move forward in a more efficient and timely fashion. At this time, ISCD has completed its initial review of all Tier 1 SSPs and has begun reviewing Tier 2 SSPs. As of September 11, 2012, of the Tier 1 SSPs reviewed, the Department has authorized or conditionally authorized SSPs for 73 facilities. Of the remaining Tier 1 SSPs reviewed by the Department, we are either validating results or reaching out to these facilities to obtain additional information or action in the hope of resolving the outstanding issues affecting their SSPs. While the interim approach for SSP reviews is underway, ISCD will continue to work to improve the long-term approach to the SSP review process. As of September 17, 2012, DHS has approved the SSPs for two Tier 1 facilities.
Inspections. In September 2011, ISCD established an Inspector Tools Working Group to ensure the Chemical Security Inspectors have up-to-date and, where appropriate, improved inspections procedures, policies, equipment, and guidance. In June 2012, ISCD finished updating its internal inspections policy and guidance materials for inspectors. ISCD also began providing additional training that focuses on the updated policy and guidance materials to prepare Chemical Security Inspectors to resume authorization inspections at facilities with authorized or conditionally authorized SSPs. As a result, I am pleased to announce that as of July 16, 2012, ISCD has resumed authorization inspections at Tier 1 facilities. This is a vital step for moving the CFATS program toward a regular cycle of approving SSPs and conducting compliance inspections for facilities with approved SSPs.
Alternative Security Programs (ASPs). Many members of the regulated community and their representative industry associations have expressed interest in exploring ways to use the ASP provisions of the CFATS regulation to streamline the security plan submission and review process. In support of this, ISCD has been holding vigorous discussions with industry stakeholders in regard to their development and submission of ASPs. One particularly promising effort has been ISCD’s engagement with the American Chemistry Council (ACC) in support of its efforts to develop an ASP template for use by interested members of its organization. In August 2012, the ACC piloted the ASP template in Michigan ASPs submitted by facilities using the ACC template will be reviewed under the same standards that ISCD currently reviews SSPs, but the use of ASP templates may streamline both the plan development and plan review processes. Additionally, DHS continues to review existing industry programs, such as ACC Responsible Care® and SOCMA ChemStewards®, to identify potential areas of engagement and further discussion.
Internal Communications and Employee Morale. The Action Plan contains a number of items designed to improve internal communications and morale within ISCD. ISCD has implemented many of these action items and has made significant progress on many others. For instance, ISCD employees now contribute to and receive a monthly ISCD newsletter, which covers a wide variety of both field and headquarters activities. ISCD leadership has promoted staff engagement and a dialogue about issues and concerns through monthly town halls and a senior leadership open-door policy. ISCD staff has a standing invitation to participate in group open-door sessions or to schedule one-on-one discussions with Division leadership.
ISCD is also moving forward with issuing vacancy announcements to hire a permanent leadership team; several announcements have already been posted and several others are nearing posting. Supervisors have been provided with additional supervisory training and guidance on performance monitoring. The Division has developed a mission statement, vision statement, and core values. As a result of these and other efforts, I believe that Division-wide morale is improving, which ultimately will pay dividends not only in improved staff retention, but also in improved staff performance and program execution.
Risk Assessment Methodology Review. In light of prior revisions to the SVA risk assessment computer program for chemical facilities, NPPD has committed to doing a thorough review of the risk assessment process and keeping the Subcommittee apprised of any significant issues related to that review. In support of this, NPPD developed a three-phased approach, which is captured in the Action Plan and includes: documenting all processes and procedures relating to the risk assessment methodology; conducting an internal DHS review of the risk assessment process; and initiating an external peer review of the risk assessment methodology. The Division has made significant progress on this action item by completing the first two steps. Procurement actions for the external peer review have been completed as of September 11, 2012, which is expected to begin before the end of FY12.
NPPD remains committed to both developing appropriate responses to any risk assessment issues that it identifies and keeping Congress and stakeholders apprised of any significant issues related to that review.
ISCD Budget Priorities for FY13
The President’s Budget for FY 2013 requested $74.544 million for the Infrastructure Security Compliance Program, including funds for 253 full-time positions/242 full-time equivalents (FTE). The primary initiatives under Infrastructure Security Compliance are the implementation of the CFATS Program and the development and implementation of the proposed Ammonium Nitrate Security Program. In helping to develop the President’s Budget, DHS considered as its top priority the retention of basic CFATS functionality. Accordingly, DHS prioritized its funding request to enable DHS to thoroughly and expediently review SSPs of CFATS-covered facilities that pose the highest level of risk to ensure that such facilities’ security measures meet applicable risk-based performance standards and to expedite the performance of inspections at those facilities.
The FY 2013 DHS Appropriations bill that was approved by this Subcommittee would provide $45.4 million for the Infrastructure Security Compliance Program. This represents a decrease of $47.908 million from the FY 2012 enacted level of $93.348 million, and is $29.1 million less than the President’s Budget.
An appropriation of $45.4 million would drastically curtail DHS’s ability to: 1) implement the statutory and regulatory requirements for the security of high-risk chemical facilities as specified in CFATS; 2) continue development of the proposed Ammonium Nitrate Security Program; and 3) fully implement the program improvements identified in the ISCD Action Plan. DHS estimates that, after expending approximately $35 million for salaries and benefits for 242 FTEs, approximately $12 million would remain for implementing CFATS and completing development of the proposed Ammonium Nitrate Security Program. DHS would be forced to cease virtually all activities under CFATS other than those directly related to reviewing SSPs and performing facility inspections – which means those other activities would be significantly delayed. At the proposed $45.4 million funding level, the Department’s ability to conduct the most basic CFATS functions would be impacted. These include maintaining the CSAT and the Chemical-Security Management System (CHEMS) information technology (IT) systems, and acquiring important technical and subject-matter support. Additionally, CFATS-related outreach and engagement with the regulated community would be significantly reduced and some aspects would cease; development and implementation of the proposed Ammonium Nitrate Security Program would be significantly delayed; and many of the managerial improvements outlined in the ISCD Action Plan may be delayed or negatively impacted.
Legislation to Permanently Authorize CFATS
DHS recognizes the significant work that the Subcommittee and others have accomplished to reauthorize the CFATS program. The Department supports a permanent authorization for the CFATS program and is committed to working with Congress and other security partners to establish a permanent authority for the CFATS program in federal law. We appreciate this effort and look forward to continuing engagement with Congress on these important matters.
Conclusion
ISCD, NPPD, and the Department are moving forward quickly and strategically to address the challenges before us. CFATS is reducing the risks associated with our Nation’s chemical infrastructure. We believe that CFATS is making the Nation safer and are dedicated to its success. As we implement CFATS, we will continue to work with stakeholders to get the job done, meet the challenges identified in the ISCD report, and execute a program to help prevent terrorists from exploiting chemicals or chemical facilities.
Thank you for holding this important hearing. I would be happy to respond to any questions you may have.
Long Title: Written testimony of National Protection and Programs Directorate Deputy Under Secretary Suzanne Spaulding for a House Committee on Appropriations, Subcommittee on Homeland Security hearing on the Chemical Facility Anti-Terrorism StandardsOrganization: (NPPD) National Protection and Programs DirectorateOffice of Infrastructure ProtectionScheduled Expiration Period: NeverType of News: Testimony
Topics:
Preventing Terrorism,
Information Sharing,
Critical Infrastructure Security,
Chemical Security,
Explosives
Review Date: Thursday, September 20, 2012Show in Resource Directory: Release Date: 1348113600Publish Date: Thursday, September 20, 2012Last Update Date: Friday, September 21, 2012Show in Searchable Collection: Written testimony of NPPD for a House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies hearing titled “Resilient Communications: Current Challenges and Future Advancements”Wednesday, September 12, 2012 12:00 AM311 Cannon House Office Building
Introduction
Thank you Chairman Bilirakis, Ranking Member Richardson, and distinguished members of the Committee. It is a pleasure to discuss the Department of Homeland Security’s (DHS) efforts to improve communications for emergency response providers and government officials.
DHS remains focused on improving and providing the communications capabilities for those who are the first to arrive at the scene of a disaster site—the Nation’s emergency responders and our Federal, State, and local partners. Our national leaders and public safety personnel must have access to reliable and instantaneous communications to effectively coordinate response and recovery operations. DHS recognizes critical communications tools as more than a technology problem that can be solved with the “right” equipment or the “right” communications system. All of the critical factors for a successful communications solution—governance, standards, standard operating procedures, training and exercises, and integration of systems into daily operations, as well as technology—are being addressed through the collective work of our programs.
Further, DHS believes that providing effective communications solutions requires fostering and nurturing relationships with those who own and operate the communications infrastructure, international standards bodies, members of the emergency responder community, and Federal, State, local, tribal, and territorial partners. These cooperative relationships are crucial to providing interoperable communications capabilities, planning for and developing priority services for voice, data and video communications as networks evolve, and developing and implementing the Nationwide Public Safety Broadband Network.
Fulfilling the DHS Communications Mission
The Nationwide Public Safety Broadband Network will affect all aspects of emergency communications for our first responders. As the network is planned and deployed, it is essential that DHS is prepared to adapt to these changes and support advancements in technology. To this end, DHS is conducting a full review of the functions and programs within CS&C to identify any improvements that could be made to its communications programs. This review was initiated in response to Executive Order (EO) 13618, the “Assignment of National Security and Emergency Preparedness (NS/EP) Communications,” signed by the President on July 6, 2012. EO 13618 replaces EO 12472 and eliminates the National Communications System (NCS). The EO updates and clarifies the NS/EP communications responsibilities of the Federal Government to address the challenges of a dynamic technological environment.
EO 13618 requires DHS to develop a management and organizational plan to implement its NS/EP communications functions. CS&C is conducting a comprehensive review to develop the plan, which included an analysis of the functions and services of the OEC, the NCS, the National Cyber Security Division, and the National Cybersecurity and Communications Integration Center (NCCIC).
The EO further establishes the following two entities:
National Security and Emergency Preparedness (NS/EP) Communications Executive Committee. The EO created a NS/EP Communications Executive Committee, an eight-Department and Agency interagency committee, co-chaired by DHS and the Department of Defense (DOD) to make recommendations to the President of the United States on NS/EP communications-related matters.
Executive Committee Joint Program Office (JPO). The EO directed the Secretary of DHS to establish a Joint Program Office to support the Executive Committee. DHS is establishing the JPO within CS&C, which complements DHS’s existing interagency fora and partnerships led by CS&C.
Through these new entities, as well as existing partnerships, DHS will continue its responsibility of shaping national policy and working with other DHS Components, Federal Departments and Agencies, State and local governments, the private sector and international partners to improve communications capabilities and achieve mission requirements.
Current Initiatives and Ongoing Challenges
Nationwide Public Safety Broadband Network
On February 22, 2012, with the help and leadership of the United States Congress, the President signed the Middle Class Tax Relief and Job Creation Act of 2012, which establishes the Nationwide Public Safety Broadband Network (NPSBN) for emergency responders at all levels of government. The signing of the Act was the culmination of over a decade of effort to see the reallocation of the “D Block” of spectrum to public safety and to fulfill one of the 9/11 Commission recommendations: the development of a nationwide interoperable communications network. The Act establishes a new entity within the National Telecommunications and Information Administration of the Department of Commerce to oversee planning, construction and operation of the network, known as the First Responder Network Authority, or FirstNet. The Secretary of Homeland Security is one of the three Federal representatives to the FirstNet Board, in addition to the Director of the Office of Management and Budget and the Attorney General. On August 20, 2012, the Secretary of Commerce also appointed twelve additional Board members from the fields of public safety, technology, network operations, and finance. , Prior to the enactment of the law, DHS, through the Office of Emergency Communications (OEC) within the Office of Cybersecurity and Communications (CS&C) was already working with our Federal partners in the Departments of Commerce and Justice to represent DHS in the Administration’s efforts to help set the broad policy framework for the NPSBN and to ensure that the voices of our State and local stakeholder partners were heard. Over the past few months, DHS has increased its efforts to support the implementation of the Network and to carry out our statutory requirement to support the Secretary through her role as a member of the FirstNet Board. More specific examples include the following broadband-focused programs and activities:
Planning and Assessments: DHS is preparing an update to the National Emergency Communications Plan (NECP), which is the first nationwide strategy designed to advance emergency communications across all levels of government. The updated NECP will identify key broadband challenges and recommend near-term actions to foster the integration of broadband technologies and data capabilities, as well as propose measures to maintain existing Land Mobile Radio communications capabilities until broadband technologies can support mission-critical communications. Simultaneously, CS&C is working with individual States to update the Statewide Communication Interoperability Plan (Statewide Plan) criteria to ensure that Statewide Plans are reflective of broadband technologies and data capabilities.
DHS is also conducting a cyber risk assessment of the NPSBN to help the Department and our partners gain a better understanding of risks related to its deployment. Relying on the Department’s expertise in cybersecurity, DHS will provide FirstNet with this assessment and recommended implementation steps. We have held several stakeholder meetings with public safety and industry representatives to discuss cyber risk issues, with a focus on network security and interoperability.
Outreach and Coordination: DHS is working with all of its stakeholder groups to ensure the views and requirements of the public safety community are fully represented in broadband planning and implementation efforts.
To increase coordination of Federal efforts for broadband implementation, the Emergency Communications Preparedness Center (ECPC) is working to identify Federal broadband requirements by preparing a consolidated view of emergency communications assets, addressing associated legal and regulatory barriers, reviewing and analyzing Departmental positions on pending broadband regulatory matters and rulemakings, and establishing standardized grant guidance and processes. The ECPC has identified the development of broadband standards and research and development as one of its strategic priorities.
Concurrently, the OneDHS Emergency Communications Committee is providing consolidated Departmental input into Federal interagency efforts, as well as developing strategies for broadband technology migration from current land mobile radio technology to next generation wireless network technology.
DHS supports outreach efforts related to the development and deployment of a nationwide public safety broadband network by working with representatives from the SAFECOM Executive Committee and Emergency Response Council to develop educational materials on public safety broadband. Educational materials include information on funding and governance, and are targeted to multiple audiences.
DHS continues to coordinate with the emergency response community, preparing wireless broadband guidance documents for Statewide Interoperability Coordinators, urban area and regional interoperability coordinators, public officials and executives, and emergency responders to support current NECP and Statewide Plan initiatives on interoperability planning. The Department also continues to provide emergency response stakeholders up-to-date and comprehensive information about wireless broadband in the emergency response environment. In addition, DHS is working with States and jurisdictions to incorporate broadband initiatives into the Statewide Plans.
Under the strategy and policy direction of the OneDHS Emergency Communications Committee, DHS has initiated a joint program management office to capture and implement Department-wide broadband requirements to develop a next generation tactical communications mobile platform for voice, data and video.
Grants: DHS has been coordinating with Federal Agencies to ensure consistency in grant policies and requirements affecting broadband investments. DHS has worked with its Federal Agency partners to limit investment in high-risk projects that may not comply with FirstNet requirements or support the development of a nationwide network for public safety users. Further, DHS has aligned key grant guidance with Federal broadband goals. The 2013 SAFECOM grant guidance, which provides guidance to State and local stakeholders applying for grants, will emphasize the need to plan before purchasing—a strategy in full alignment with the National Telecommunications and Information Administration (NTIA) State and Local Implementation Grant Program. The ECPC Recommendations for Federal Agencies: Financial Assistance for Emergency Communication provides guidance to Federal program managers administering emergency communication grants, and stresses the need for technical compliance to ensure Federally-funded investments are compatible and interoperable. The ECPC Recommendations Document will be updated to reflect new programs, policies and requirements related to the deployment of the Nationwide Public Safety Broadband Network.
Technical Assistance: DHS has developed a wireless broadband technical assistance offering to assist State, local, territorial, tribal and regional users to develop and improve their use of broadband technology in line with the vision of a nationally interoperable network. The offering is tailored for each jurisdiction and provides informational briefings, governance models, standard operating procedures, project planning and engineering support.
Research and Development: The Science and Technology Directorate’s (S&T) Office for Interoperability and Compatibility (OIC) is supporting the deployment of the nationwide public safety broadband network through requirements gathering and standards acceleration activities. This includes supporting the Department of Commerce’s 700 MHz demonstration network, which provides public safety with a unique testing environment for broadband systems and devices before operational use. Additionally, OIC is working with the Department of Commerce on a modeling and simulation project to provide public safety with the ability to evaluate broadband network deployment scenarios and investigate how well new technologies support public safety requirements. Further, OIC is evaluating how to define a transition path for current Land Mobile Radio technology to the future broadband network.
National and Statewide Planning
Over the last five years, OEC has worked to fill many gaps in public safety communications and DHS is seeing progress in several key areas that enable emergency responders to interoperate in an all-hazards environment. As part of its mission, the office led a comprehensive nationwide planning effort with more than 150 stakeholders from the emergency response community to develop the NECP. This included significant feedback and coordination with the SAFECOM Executive Committee, the SAFECOM Emergency Response Council, and the National Public Safety Telecommunications Council. These stakeholder groups represent the interests of millions of emergency responders, as well as the State and local governments that public safety communications serve. Involving these groups in the early phases ensured that the plan took stakeholders’ input into account and would be widely accepted in the public safety community.
The NECP has been instrumental in defining communication priorities for public safety personnel at all levels of government. CS&C has been driving implementation of the NECP in coordination with its Federal, State, and local partners, and we are seeing measurable improvements in building capabilities and closing gaps identified in the plan for governance, training, operating procedures, and others, including:
Enhanced Statewide Coordination: The creation of Statewide Communication Interoperability Plans, Statewide Interoperability Coordinators, and Statewide Interoperability Governing Bodies has improved coordination of emergency communications activities and investments throughout all 56 states and territories. Through the Statewide Plan development and updating process, the Statewide Interoperability Coordinators, in collaboration with their governing bodies, have been effective in helping States define their communications needs and future investments and ensuring that Federal funding is directed where it is most needed. In addition, CS&C has conducted over 160 workshops during the past four years to assist States as they implement and update their Statewide Plans.
Common Plans, Protocols, and Procedures: The use of standardized plans and procedures is driving improved command, control and communications among emergency responder agencies in the field. CS&C and the Federal Emergency Management Agency (FEMA) have worked with more than 140 jurisdictions, including Urban Areas Security Initiative (UASI) regions, to develop Tactical Interoperable Communications Plans that document formalized interoperability governance groups, standardized policies and procedures, and emergency communications equipment inventories. States continue to develop these communications plans to cover additional regions.
NECP Goal Assessments
Implementation of the NECP has been a key driver behind much of our progress in improving interoperability. More than 85 percent of the NECP milestones were achieved, and progress is evident in all of the NECP priority areas, including governance, training and coordination.
Through the NECP, OEC also established the first set of national performance goals for evaluating emergency communications during local emergencies and complex events, as well as a process for measuring these goals in every State and territory. These goals include:
Goal 1: By 2010, 90 percent of all high-risk urban areas designated within the Urban Areas Security Initiative (UASI) can demonstrate response-level emergency communications within one hour for routine events involving multiple jurisdictions and agencies.
Goal 2: By 2011, 75 percent of non-UASI jurisdictions can demonstrate response-level emergency communications within one hour for routine events involving multiple jurisdictions and agencies.
Goal 3: By 2013, 75 percent of all jurisdictions can demonstrate response-level emergency communications within three hours, in the event of a significant event, as outlined in national planning scenarios.
To implement Goal 1, OEC assessed UASI regions’ abilities to establish and demonstrate response-level emergency communications during large-scale, planned events. Every urban area was able to achieve the Goal, and the results showed progress in key emergency communications capabilities beyond the development of Tactical Interoperable Communications Plans (TICP) in 2007. For Goal 2, OEC worked with all states and territories to assess emergency communications at the county level, including county-equivalents such as parishes, municipalities, and townships. The process has generated unparalleled data on interoperability emergency communications capabilities and gaps and is helping DHS and States focus future resources and improvement activities.
As of today, more than 2,800 counties and county equivalents have participated in the Goal 2 process, including about 30,000 individual public safety agencies. Among the participating jurisdictions, about 90 percent were able to achieve response-level communications and demonstrate NECP Goal 2. The assessment also showed progress in key areas of emergency communications, including the establishment of more inclusive governance structures and formal standard operating procedures, as well as the frequency and ease in which jurisdictions use interoperable communications solutions.
CS&C is encouraged with the outcome of the NECP Goals. Both the high level of participation and the demonstration of NECP Goal 1 and 2 are major accomplishments in the Department’s ongoing efforts to assess progress nationwide and better target its emergency communications resources, such as grants, technical assistance, training and other planning efforts. OEC is currently updating the NECP and will be revising Goal 3 accordingly to take into consideration events that have transpired since the NECP was first released in 2008. This includes key findings from Goals 1 and 2, as well as lessons learned/best practices from real world disasters and events, such as floods, hurricanes, earthquake, and tornadoes of 2011.
Collaboration with Federal Partners
In addition to the extensive progress made to improve emergency communications at the State, local, and tribal level noted above through the work of the NECP, the Department, through OEC, is coordinating efforts to improve emergency communications among DHS Components and other Federal agencies.
As mentioned above, CS&C operates the Emergency Communications Preparedness Center to coordinate policy, planning, and administration of emergency communications across 14 Federal Departments and Agencies. The ECPC provides an inter-departmental mechanism to coordinate common solutions, streamline development of policy and plans and jointly engage State, local, territorial, and tribal partners. The ECPC has achieved early successes through defining a strategic agenda that reflects shared member priorities and establishes issue-specific focus groups to drive immediate action.
CS&C also administers the OneDHS Emergency Communications Committee, which aims to improve internal coordination of policy and planning across DHS Components with emergency communications missions. This committee provides a vital mechanism for maximizing the efficiency and effectiveness of the Department’s emergency communications investments and activities. The OneDHS Committee reached a significant milestone in June 2011 with the creation of the unified OneDHS Emergency Communications Strategy. The Strategy establishes a common vision “to ensure access to and exchange of mission-critical information across the Homeland Security Enterprise anywhere, anytime, through unified capabilities.” It also sets goals for coordinating and improving emergency communications architecture, investment, governance, and operations.
Improved Governance and Coordination. DHS is working with Federal, regional, State, and local agencies to increase coordination, information sharing and oversight of interoperability through formal governance structures and partnerships. CS&C instituted a Regional Coordination Program to strengthen collaboration and knowledge sharing with our stakeholders. CS&C has established a Regional Coordinator in each of the 10 FEMA Regions, and they regularly participate in the Statewide Interoperability Governing Bodies, urban area interoperability meetings and their respective FEMA Regional Emergency Communications Coordination Working Groups.
The CS&C Regional Coordination program has worked closely with FEMA through the Disaster Emergency Communications Division to ensure State and local agencies have the capability to communicate during disaster response. Because the Regional Coordinators interact with stakeholders every day, they have an in-depth understanding of the needs of different communities across their Regions.
Targeted Technical Assistance. CS&C has implemented a technical assistance strategy to ensure that all States and territories can request and receive its targeted, on-site emergency communications assistance, while also focusing support on the States and urban areas with the highest risk and lowest capability. These 40-plus offerings are tailored to support the priorities in each State or territory Statewide Plan and the objectives of the NECP, including the implementation of the nationwide public safety broadband network discussed above. Since 2008, the 56 States and territories have combined to request more than 750 individual technical assistance services from CS&C for support with the development of governance structures, tactical and strategic planning, and a variety of engineering services. To better address the interoperability needs at the national and local level, CS&C has developed several online offerings and tools that can be accessed via the Internet.
Increased Training Opportunities. As mentioned above, CS&C has developed Communications Unit Leader (COML) and Communications Technician (COMT) courses to improve emergency responders’ proficiency with communications equipment and to assist them with coordinating roles and responsibilities during an incident or event. The COML program has been embraced by emergency responders nationwide, and CS&C has trained more than 3,500 responders, technicians and planners to lead communications at incidents across the nation, including local floods, blizzards and wildfires. Trained COMLs have also contributed to recovery efforts throughout the United States, including the recent outbreak of tornados and massive flooding in the Midwest and Southeast. To assist States in leveraging these trained responders, CS&C has developed a portal for Statewide Coordinators to locate contact information for every trained COML, COMT and Auxiliary Communicator.
Future Enhancements
Future advancements in technology will provide emergency responders and government officials with new means to communicate during routine events as well as disasters. However these advancements will also create new challenges that will require enhancements to current DHS programs. In order to ensure DHS is prepared to support stakeholder efforts to address these new challenges, the Department is reviewing existing communications programs to identify where future enhancements are necessary.
Critical Infrastructure Protection. As we guide the transition of emergency and NS/EP communications, CS&C will continue building and nurturing those relationships that are critical to protecting the Communications and Information Technology Infrastructures. Since 2003, the Department has led the identification, prioritization and protection of the nation’s 18 critical infrastructure sectors under Homeland Security President Directive-7 (HSPD-7). Since its inception, CS&C led these critical efforts for the Communications and IT system of systems, which is interdependent with other critical infrastructure. CS&C will continue planning and reporting on the progress of these sectors as outlined in the National Infrastructure Protection Plan. We will continue our partnership with all stakeholders to jointly publish Sector Specific Plans and National Risk Assessments, which help to mitigate vulnerabilities to infrastructure.
Priority Services Program Management. CS&C develops and maintains NS/EP communications priority services programs, which has supported the communication needs of over one million users across all levels of government and the private sector. The GETS program is a White House-directed emergency telecommunications service. GETS supports over 274,000 Federal, State, local, and tribal government, industry, and non-governmental organization personnel in performing their NS/EP communications missions by providing a robust mechanism to complete calls during network congestion from anywhere in the United States. Specifically, GETS provides 90 percent or more call completion rates when network call volume is up to eight times greater than normal capacity.
WPS is the wireless complement to GETS, created due to the overwhelming success of GETS during 9/11. The program enhances the ability of 108,000 NS/EP subscribers to complete cellular phone calls through a degraded public switched telephone network during a crisis or emergency situation. WPS calls receive the next available radio channel during times of wireless congestion,, which helps to ensure that key NS/EP personnel can complete critical calls by providing priority access for key leaders and supporting first responders. WPS service provides authorized cellular phone users with the ability to have priority within the public switched telephone network as well as priority access to cellular radio channels.
The Telecommunications Service Priority (TSP) Program is a Federal Communications Commission (FCC)-sponsored program that authorizes and provides priority restoration, provisioning and reconstitution of NS/EP communications. The TSP Program provides service providers with an FCC mandate for prioritizing service requests by identifying those services critical to NS/EP. TSP can save days to weeks on the time required to return wireline voice/data services to normal, and there are more than 200,000 active TSP circuit assignments in support of NS/EP communications.
As the Nation’s communications infrastructure migrates to an Internet Protocol (IP) operating platform, expediting the convergence between communications and cybersecurity activities remains a top priority for the Department. CS&C continues its plans for ensuring priority voice, data and voice communications over these IP networks through its Next Generation Networks Priority Service Program (NGN-PS).
Public-Private Partnerships. Our partnership with the private sector has been instrumental in developing critical NS/EP and emergency communications policies within the Department. One of the Department’s most critical relationships exists with the President’s National Security Telecommunications Advisory Committee (NSTAC). The NSTAC is a Federal Advisory Board comprising up to 30 Chief Executive Officers from the Nation’s leading communications, banking, and information technology companies. Most notably, the NSTAC has been instrumental in several government-led initiatives, such as the creation of the National Cybersecurity and Communications Integration Center (NCCIC), Government Emergency Telecommunications Service (GETS), Wireless Priority Service (WPS) and the National Coordinating Center for Telecommunications (NCC). Beyond its Federal Advisory role, CS&C actively nurtures critical relationships with NSTAC member companies to protect the overall Communications and IT infrastructures. CS&C will continue its support to and partnership with the NSTAC to create communications solutions for our stakeholders. Most recently, the NSTAC examined four scenarios designed to stress future 2015-level networks, and provided the President with recommendations for technology enhancements and government investments that would provide the best network resilience and recovery.
Modeling, Analysis and Technology Assessments. The CS&C Modeling, Analysis and Technology Assessments team provides expertise in modeling and analyzing current and future protocols, algorithms, network designs and capabilities that will impact priority service communications in legacy and Next Generation Networks (NGNs). The modeling team also maintains a suite of specialized infrastructure analysis tools to provide critical infrastructure risk assessments for the communications sector in the event of a man-made or natural disaster. These services will play a large role in analyzing future technology.
Standards Activities. The CS&C Standards Team is currently an active leader and contributor to various national and international standards development organizations, ensuring industry-wide adoption of non-proprietary solutions for NS/EP preparedness telecommunications requirements. The team provides leadership and representation in standards bodies to recommend standards that, when implemented in Internet Protocol-based networks, will provide capabilities to ensure national, State, and local leadership are able to communicate during times of crisis. These activities will continue as the Department works with partners to develop standards for both NS/EP communications and public safety broadband requirements.
National Response Planning
CS&C is working with Federal, regional, State, and local agencies to increase communications coordination, information sharing, and oversight of emergency preparedness activities to improve response to man-made and natural disasters. CS&C works with these entities to ensure a coordinated response through formal governance structures and partnerships.
Continuity of Operations and Government (COOP/COG). CS&C will continue leading the Department’s responsibilities to ensure the U.S. Government has the means to perform Enduring Constitutional Government, National Essential Functions and Primary Mission Essential Functions as directed in National Security Presidential Directive-51 (NSPD-51)/Homeland Security Presidential Directive-20 (HSPD-20). Furthermore, the CS&C in its role as Co-chair of the EO 13618 Executive Committee will continue to assist the Federal Executive Branch in meeting its NS/EP communications needs.
Emergency Response and Operations. CS&C will also continue leading response, recovery and reconstitution efforts leveraging its Emergency Support Function (ESF) #2 responsibilities. Partnerships with our Federal, State, local, tribal and private sector partners will continue to be a critical enabler of the Department’s broader Homeland Security mission.
We will also continue operating a joint government-industry capability through the NCC. The NCC will continue providing critical response, recovery and provisioning and reconstitution efforts for communications, leveraging the many DHS communications tools and capabilities. As it has since 2000, the NCC will be serving as the Communications Information Sharing and Analysis Center (ISAC), which brings together over 50 private sector partners.
In addition to the overlapping missions and initiatives noted above, this new organization will focus on supporting the responder community at the Federal, State, local, tribal and territorial levels and will enhance DHS’s incident handling and response for cyber and communications-related incidents.
Conclusion
The Department appreciates the Committee’s support for our communications activities. Thank you again for this opportunity to testify.
Language
English
Long Title: Written testimony of National Protection and Programs Directorate Office of Cybersecurity and Communications Deputy Assistant Secretary Roberta Stempfley for a House Committee on Homeland Security, Subcommittee on Emergency Preparedness, Response, and Communications hearing titled “Resilient Communications: Current Challenges and Future Advancements”Organization: (NPPD) National Protection and Programs DirectorateAudience: Federal GovernmentScheduled Expiration Period: NeverType of News: Testimony
Topics:
Plan and Prepare for Disasters,
Information Sharing,
DHS Enterprise,
Disaster Response and Recovery,
Homeland Security Enterprise,
Disasters
Review Date: Wednesday, September 12, 2012Show in Resource Directory: Release Date: 1347422400Publish Date: Wednesday, September 12, 2012Last Update Date: Wednesday, September 12, 2012Show in Searchable Collection: Written testimony of NPPD Under Secretary for a House Committee on Energy and Commerce, Subcommittee on Environment and the Economy hearing titled “The Chemical Facility Anti-Terrorism Standards (CFATS) Program - A Progress Report”Tuesday, September 11, 2012 12:00 AM2322 Rayburn
Thank you, Chairman Shimkus, Ranking Member Green, and distinguished Members of the Committee. It is a pleasure to appear before you today to discuss the Department of Homeland Security’s (DHS) regulation of high-risk chemical facilities under the Chemical Facility Anti-Terrorism Standards (CFATS). My testimony today focuses on improvements to the program, the current status of the program, examples of the program’s successes to date, some of the current challenges facing the National Protection and Programs Directorate (NPPD) in implementing CFATS, and the actions we are taking to address these challenges through the Infrastructure Security Compliance Division (ISCD) Action Plan.
The CFATS program has made our Nation more secure and we welcome the opportunity to continue to work with Congress, all levels of government, and the private sector to further improve this vital national security program. As you are aware, the Department’s current statutory authority to implement CFATS – Section 550 of the Fiscal Year (FY) 2007 Department of Homeland Security Appropriations Act, as amended –currently extends through October 4, 2012.
Since the inception of CFATS, more than 2,700 chemical facilities have eliminated, reduced, or otherwise made modifications to their holdings of potentially dangerous chemicals and are now no longer considered high-risk. In addition, NPPD’s Chemical Security Inspectors have been actively working with facilities and governmental agencies across the country to facilitate the development of measures by high-risk chemical facilities that reduce security risks and enhance nationwide preparedness. Collectively, they have participated in more than 3,800 meetings with federal, state, and local officials; held more than 4,160 introductory meetings with owners and operators of CFATS-regulated or potentially regulated facilities; and conducted more than 1,050 Compliance Assistance Visits at chemical facilities to assist those facilities in the preparation of the necessary security-related documentation required by CFATS. In addition, NPPD has reviewed the Site Security Plans (SSPs) of the highest risk (Tier 1) facilities and is currently reviewing the SSPs for Tier 2 facilities. We have resumed authorization inspections [and begun approving SSPs for Tier 1 facilities].
At my direction, the program’s leadership outlined its priorities, the challenges it believes the program faces, and a proposed path forward to address those challenges and accomplish program objectives. As the Directorate with oversight responsibility for the CFATS program, NPPD is continually evaluating the program to identify areas for improvement and correcting course when necessary to ensure proper implementation. I am pleased to inform you that NPPD has made progress on all 95 of the action items now included in the ISCD Action Plan and as of September 4, 2012 has completed 59 of them.
Chemical Facility Security Regulations
Section 550 of the FY 2007 Department of Homeland Security Appropriations Act directed the Department to develop and adopt within six months a regulatory framework to address the security of chemical facilities that the Department determines pose high levels of risk. Specifically, Section 550(a) of the Act authorized the Department to adopt regulatory requirements for high-risk chemical facilities to complete Security Vulnerability Assessments (SVAs), develop SSPs, and implement protective measures necessary to meet risk-based performance standards established by the Department. Consequently, the Department published final regulations, known as CFATS, on April 9, 2007. Section 550, however, expressly exempts from the regulation certain facilities that are regulated under other federal statutes, specifically those regulated by the United States Coast Guard (USCG) pursuant to the Maritime Transportation Security Act, drinking water and wastewater treatment facilities as defined by Section 1401 of the Safe Water Drinking Act and Section 212 of the Federal Water Pollution Control Act, and facilities owned or operated by the Department of Defense or Department of Energy, as well as certain facilities subject to regulation by the Nuclear Regulatory Commission (NRC).
The following core principles guided the development of the CFATS regulatory structure:
Securing high-risk chemical facilities is a comprehensive undertaking that involves a national effort, including all levels of government and the private sector. Integrated and effective participation by all stakeholders—Federal, state, local, and territorial government partners as well as the private sector—is essential to securing our critical infrastructure, including high-risk chemical facilities;
Risk-based tiering is used to guide resource allocations. Not all facilities present the same level of risk. The greatest level of scrutiny should be focused on those facilities that present the highest risk—those that, if targeted, would endanger the greatest number of lives;
Reasonable, clear, and calibrated performance standards will lead to enhanced security. The CFATS rule establishes enforceable risk-based performance standards (RBPS) for the security of our nation’s high-risk chemical facilities. High-risk facilities have the flexibility to develop appropriate site-specific security measures that will effectively address risk by meeting these standards. ISCD will analyze all final high-risk facility SSPs to ensure they meet the applicable RBPS and will approve those that do. If necessary, ISCD will work with a facility to revise and resubmit an acceptable plan and can disapprove security plans if an acceptable plan is not submitted; and
Recognition of the progress many companies have already made in improving facility security leverages those advancements. Many companies made significant capital investments in security following 9/11, and even more have done so since the passage of the legislation establishing this program.
Rule Implementation
Within a few months after the final regulations were developed, on November 20, 2007, the Department published CFATS Appendix A, which identifies 322 chemicals of interest—including common industrial chemicals such as chlorine, propane, and anhydrous ammonia—as well as specialty chemicals, such as arsine and phosphorus trichloride. These chemicals were included after analyzing the potential consequences associated with one or more of the following three security issues:
Release – Toxic, flammable, or explosive chemicals that have the potential to create significant adverse consequences for human life or health if intentionally released or detonated;
Theft/Diversion – Chemicals that have the potential, if stolen or diverted, to be used as or converted into weapons that could cause significant adverse consequences for human life or health; and
Sabotage/Contamination – Chemicals that are shipped and that, if mixed with other readily available materials, have the potential to create significant adverse consequences for human life or health.
NPPD also established a Screening Threshold Quantity for each chemical of interest based on its potential to create significant adverse consequences to human life or health in one or more of these ways. Any chemical facility that possesses any chemical of interest at, or above the applicable Screening Threshold Quantity must submit an initial consequence-based screening tool, the “Top-Screen,” to NPPD.
This Top-Screen process developed by NPPD allows the government, for the first time, to gather data that can identify potential high-risk facilities, which NPPD then assigns to one of four preliminary risk-based tiers, with Tier 1 representing the highest level of potential risk.
To support this activity, ISCD developed the Chemical Security Assessment Tool (CSAT) to help NPPD identify potentially high-risk facilities and to provide methodologies those facilities can use to conduct SVAs and to develop security plans. CSAT is a suite of online applications designed to facilitate compliance with the program; it includes user registration, the Top-Screen, an SVA tool, and an SSP template. To protect this sensitive information, NPPD developed an information management regime, Chemical-terrorism Vulnerability Information (CVI), which limits access to trained and authorized users.
In May 2009, NPPD issued Risk-Based Performance Standards Guidance to assist final high-risk chemical facilities in determining appropriate protective measures and practices to satisfy the RBPS. It is designed to help facilities comply with CFATS by providing detailed descriptions of the 18 RBPS as well as examples of various security measures and practices that could enable facilities to achieve the appropriate level of performance for the RBPS at each tier level. The Guidance was informed by the experience of the Transportation Security Administration, United States Coast Guard, and the Environmental Protection Agency, and also reflects public and private sector dialogue on the RBPS and industrial security, including public comments on the draft guidance document. High-risk facilities are free to make use of whichever security programs or processes they choose—whether or not in the Guidance—provided that NPPD determines through approval of the facilities’ SSPs that they achieve the requisite level of performance under the CFATS RBPS.
Implementation Status
To date, ISCD has data from more than 41,000 Top-Screens submitted by chemical facilities, providing important information about their chemical holdings. Since June 2008, ISCD identified more than 8,000 facilities that it has initially designated as high-risk. These facilities have used the CSAT tool to compile and submit SVAs. In May 2009, following reviews of facilities’ SVA submissions, ISCD began notifying facilities of their final high-risk determinations, risk-based tiering assignments, and the requirement to complete and submit an SSP or an Alternative Security Program (ASP) in lieu of an SSP.
As of September 4, 2012, CFATS covers 4,433 high-risk facilities nationwide; of these 4,433 facilities, 3,660 are currently subject to final high-risk determinations and have developed security plans for NPPD review. The remaining facilities are awaiting final tier determinations based on their SVA submissions. ISCD continues to issue final tier notifications to facilities across all four risk tiers.1
1 Tiering determinations are dynamic; for example, a tiering determination can change when a facility voluntarily alters its operations in a material way that reduces its risk profile. “Final tiering” refers to a tiering assignment following a Security Vulnerability Assessment; it does not imply that this is the final tiering assignment a facility may receive.
Highlights and Successes of CFATS Program
As we have previously discussed with this Subcommittee, the ISCD Action Plan currently contains 95 items, each of which has been assigned to a member of ISCD’s senior leadership team for implementation. For accountability, planning, and tracking purposes, the members of that leadership team have established milestones and projected timeframes for the completion of each task assigned to them. In addition, ISCD leadership meets with the Deputy Under Secretary of NPPD at least once per week to provide status updates on the action items and discuss ways that NPPD leadership can help. As of September 4, 2012, 59 of the 95 action items contained in the Action Plan have been completed.
I would like to share with the Subcommittee some of the highlights and successes that are a direct result of the implementation of the Action Plan and other recent initiatives performed by ISCD. These include: improving the SSP review process and increasing the pace of SSP reviews; refining inspector tools and training; reinvigorating industry engagement on their development of ASP templates; improving internal communications and organizational culture; and preparing for an external peer review of the CFATS risk assessment methodology.
SSP Review Process. ISCD is currently utilizing a refined approach for reviewing SSPs in order to move forward in a more efficient and timely fashion. At this time, ISCD has completed its review of all Tier 1 SSPs and has begun reviewing Tier 2 SSPs. As of September 9, 2012, of the Tier 1 SSPs reviewed, we have authorized or conditionally authorized SSPs for 73 facilities and approved 1. Of the remaining Tier 1 SSPs reviewed by NPPD, we are either validating results or reaching out to these facilities to obtain additional information or action in the hope of resolving the outstanding issues affecting their SSPs. Going forward, ISCD will continue to work to improve its SSP review process to make it as efficient and effective as possible.
Inspections. Last Fall, ISCD established an Inspector Tools Working Group to ensure the Chemical Security Inspectors have up-to-date and, where appropriate, improved inspections procedures, policies, equipment, and guidance. In late spring 2012, ISCD finished updating and revising its internal inspections policy and guidance materials for conducting inspections. Over the course of the summer, ISCD conducted five inspector training sessions, which focused on the updated policy, procedures and related materials to prepare Chemical Security Inspectors to resume authorization inspections at facilities with authorized or conditionally authorized SSPs. As of July 16, 2012, ISCD has resumed authorization inspections at Tier 1 facilities. This is a vital step for moving the CFATS program toward a regular cycle of approving SSPs and conducting compliance inspections for facilities with approved SSPs.
Alternative Security Programs (ASPs). Many members of the regulated community and their representative industry associations have expressed interest in exploring ways to use the ASP provisions of the CFATS regulation to streamline the security plan submission and review process. In support of this, ISCD has been holding vigorous discussions with industry stakeholders in regard to their development and submission of ASPs. One particularly promising effort has been ISCD’s engagement with the American Chemistry Council (ACC) in support of its efforts to develop an ASP template for use by interested members of its organization. The ACC has developed a template that was piloted at a facility in early August and is expected to be available for use by ACC members later this year. In addition, DHS has been in discussion with other industry stakeholders, including the Agricultural Retailers Association, about developing templates specific to their members. ASPs submitted by facilities using a template will be reviewed under the same standards that ISCD currently reviews SSPs. Additionally, DHS continues to review existing industry programs, such as ACC Responsible Care® and SOCMA ChemStewards®, to identify potential areas of engagement and further discussion.
Internal Communications and Employee Morale. The Action Plan contains a number of items designed to improve internal communications and morale within ISCD. ISCD has implemented many of these action items and has made significant progress on many others. For instance, ISCD employees now contribute to and receive a monthly ISCD newsletter, which covers a wide variety of both field and headquarters activities. ISCD leadership has promoted staff engagement and a dialogue about issues and concerns through monthly town halls and a senior leadership open-door policy. ISCD staff has a standing invitation to participate in group open-door sessions or to schedule one-on-one discussions with Division leadership.
ISCD is also moving forward with issuing vacancy announcements to hire a permanent leadership team; several announcements have already been posted and several others are nearing posting. Supervisors have been provided with additional supervisory training and guidance on performance monitoring. The Division has developed a mission statement, vision statement, and core values. As a result of these and other efforts, I believe that Division-wide morale is improving, which ultimately will pay dividends not only in improved staff retention, but also in improved staff performance and program execution.
Risk Assessment Methodology Review. In light of prior revisions to the SVA risk assessment computer program for chemical facilities, NPPD has committed to doing a thorough review of the risk assessment process and keeping the Subcommittee apprised of any significant issues related to that review. In support of this, NPPD developed a three-phased approach, which is captured in the ISCD Action Plan and includes: documenting all processes and procedures relating to the risk assessment methodology; conducting an internal NPPD review of the risk assessment process; and initiating an external peer review of the risk assessment methodology. The Division has made significant progress on this action item by completing the first two steps. ISCD is also approaching completion of procurement actions for the external peer review, which is expected to begin before the end of FY 2012.
NPPD remains committed to both developing appropriate responses to any risk assessment issues that it identifies and keeping Congress and stakeholders apprised of any significant issues related to that review.
Personnel Surety. Under CFATS Risk-Based Performance Standard 12 (RBPS 12), final high-risk chemical facilities are required to perform background checks on certain individuals with access to restricted areas or critical assets. NPPD has been seeking to implement a CFATS Personnel Surety Program to enable facilities to comply with the requirement to identify individuals who may pose a risk to chemical security by enabling facilities to submit biographical information to NPPD. NPPD would compare this biographical information against information about known or suspected terrorists listed in the Terrorist Screening Database (TSDB).
Although NPPD has the authority under CFATS to implement the Personnel Surety Program, under the Paperwork Reduction Act (PRA) the Office of Management and Budget (OMB) must still approve how the NPPD proposes to collect the necessary information to conduct vetting against the TSDB. In June of 2009, DHS began the process to obtain OMB approval by publishing in the Federal Register a notice soliciting public comments for 60 days.
Following the public comment, DHS submitted the Information Collection Request (ICR) to OMB in June of 2011. Since that time, the Department’s position on how facilities can comply with RBPS 12 has evolved, thanks in large part to information the chemical industry has provided to us as part of the PRA process. As a result, in July of 2012, the Department withdrew the ICR from OMB review. This has enabled the Department to engage in direct dialogue with security partners and with stakeholders in the regulated community about the CFATS Personnel Surety Program. Additionally, the Department has learned a great deal about various facilities through visits to chemical facilities it has conducted. This on-the-ground knowledge of the facilities will help to inform the Department of any impacts that the Personnel Surety Program will may have. The Department plans to re-initiate the PRA process by publishing a 60-day notice to solicit comment in the Federal Register in the near future. After that, the Department will concurrently publish a 30-day notice to solicit additional comments, and submit a new ICR for the CFATS Personnel Surety Program to OMB for review.
Outreach Efforts
Since the establishment of CFATS in April 2007, NPPD and ISCD have taken significant steps to publicize the rule and ensure that the regulated community and other interested or affected entities are aware of and meeting its requirements. NPPD and ISCD management and staff have presented at hundreds of security and chemical industry conferences and participated in a variety of other meetings. As part of this outreach program, NPPD and ISCD have regularly updated impacted sectors through their Sector Coordinating Councils and the Government Coordinating Councils—including the Chemical, Oil and Natural Gas, and Food and Agriculture Sectors.
NPPD and ISCD continue to collaborate within DHS and with other federal agencies in the area of chemical security, including routine engagement with: the USCG; the Transportation Security Administration; the Department of Justice’s Federal Bureau of Investigation and Bureau of Alcohol, Tobacco, Firearms and Explosives; the NRC; and the Environmental Protection Agency. In addition, ISCD continues to focus on fostering solid working relationships with state and local officials including first responders.
To promote information sharing, ISCD has developed several communication tools for stakeholder use, including: the Chemical Security website (www.DHS.gov/chemicalsecurity); a Help Desk for CFATS-related questions; a CFATS tip-line for anonymous chemical security reporting; and CFATS-Share, a web-based information-sharing portal that provides certain Federal, state, and local agencies access to key details on CFATS facility information as needed.
ISCD Budget Priorities for FY 2013
The President’s Budget for FY 2013 requested $74.544 million for the Infrastructure Security Compliance Program, including funds for 253 full-time positions/242 full-time equivalents (FTE). The primary initiatives under Infrastructure Security Compliance are the implementation of the CFATS Program and the development and implementation of the proposed Ammonium Nitrate Security Program. In helping to develop the President’s Budget, DHS considered as a priority the retention of basic CFATS functionality. Accordingly, DHS prioritized its funding request to enable DHS to thoroughly and expediently review SSPs of CFATS-covered facilities that pose the highest level of risk to ensure that such facilities’ security measures meet applicable risk-based performance standards and to expedite the performance of inspections at those facilities.
Conclusion
ISCD, NPPD, and the Department are moving forward quickly and strategically to address the challenges before us. CFATS is reducing the risks associated with our nation’s chemical infrastructure. We believe that CFATS is making the nation safer and are dedicated to its success. As we implement CFATS, we will continue to work with stakeholders to get the job done, meet the challenges identified in the ISCD report, and execute a program to help prevent terrorists from exploiting chemicals or chemical facilities.
Thank you for holding this important hearing. I would be happy to respond to any questions you may have.
Language
English
Long Title: Written testimony of National Protection and Programs Directorate Under Secretary Rand Beers for a House Committee on Energy and Commerce, Subcommittee on Environment and the Economy hearing titled “The Chemical Facility Anti-Terrorism Standards (CFATS) Program - A Progress Report”Organization: (NPPD) National Protection and Programs DirectorateAudience: Federal GovernmentScheduled Expiration Period: NeverType of News: Testimony
Topics:
Preventing Terrorism,
Information Sharing,
Critical Infrastructure Security,
Chemical Security
Review Date: Monday, September 10, 2012Show in Resource Directory: Release Date: 1347336000Publish Date: Monday, September 10, 2012Last Update Date: Monday, September 10, 2012Show in Searchable Collection: Robert A. MocnyFriday, September 07, 2012 2:42 PM
Language
Undefined
Director, US VISIT ProgramRobert A. Mocny is the Director of the United States Visitor and Immigrant Status Indicator Technology (US-VISIT) Program. US-VISIT is part of the National Protection and Programs Directorate at the U.S. Department of Homeland Security.
US‑VISIT provides identity management services - the collection, analysis, and storage of biometric and associated biographic data - to decisionmakers in Federal, State, and local law enforcement and intelligence agencies.
Prior to his current responsibilities, Mr. Mocny served in senior positions at the former Immigration and Naturalization Service (INS), including as Director of the Entry/Exit Project, acting Assistant Commissioner for Inspections, and Special Assistant to the Deputy Commissioner.
While at INS, he led an interagency project team that established the Secure Electronic Network for Traveler’s Rapid Inspection (SENTRI) Program.
Mr. Mocny holds a degree in Soviet studies from the University of California, Santa Barbara. He has received numerous awards throughout his career, including a team Hammer Award from Vice President Gore for the SENTRI program and the Smithsonian’s Computer World award for the innovative use of information technology.
Organization: (NPPD) National Protection and Programs DirectorateScheduled Expiration Period: NeverTest Content: Test ContentReview Date: Friday, September 7, 2012Blog Author?: 0Show in Resource Directory: Left Menu: Organization
No comments:
Post a Comment