United States Government Accountability Office
GAO
Testimony Before the Subcommittee on Homeland Security, Committee on Appropriations, House of Representatives

For Release on Delivery Expected at 10:00 a.m. EDT Thursday, September 20, 2012

CRITICAL INFRASTRUCTURE PROTECTION
Summary of DHS Actions to Better Manage Its Chemical Security Program

Statement of Stephen L. Caldwell, Director, Homeland Security and Justice

GAO-12-1044T

September 2012

Highlights of GAO-12-1044T, a testimony before the Subcommittee on Homeland Security, Committee on Appropriations, House of Representatives.

Why GAO Did This Study

The events of September 11, 2001, triggered a national re-examination of the security of facilities that use or store hazardous chemicals in quantities that, in the event of a terrorist attack, could put large numbers of Americans at risk of serious injury or death. As required by statute, DHS issued regulations that establish standards for the security of high-risk chemical facilities. DHS established the CFATS program to assess the risk posed by these facilities and inspect them to ensure compliance with DHS standards. ISCD, a division of IP, manages the program. A November 2011 internal ISCD memorandum, prepared by ISCD senior managers, expressed concerns about the management of the program. This statement addresses (1) how the memorandum was developed and any challenges identified, (2) what actions are being taken in response to any challenges identified, and (3) the extent to which ISCD’s proposed solutions require collaboration with NPPD or IP. GAO’s comments are based on recently completed work analyzing the memorandum and related actions. GAO reviewed laws, regulations, DHS’s internal memorandum and action plans, and related documents, and interviewed DHS officials.

In a July 2012 report, GAO recommended that ISCD explore opportunities to develop measures, where practical, to determine where actual performance deviates from expected results. ISCD concurred and has taken action to address the recommendation.

What GAO Found

The November 2011 memorandum that discussed the management of the Chemical Facility Anti-Terrorism Standards (CFATS) program was prepared based primarily on the observations of the former Director of the Department of Homeland Security’s (DHS) Infrastructure Security Compliance Division (ISCD), a division of the Office of Infrastructure Protection (IP) within the National Protection and Programs Directorate (NPPD). The memorandum was intended to highlight various challenges that have hindered ISCD efforts to implement the CFATS program. According to the former Director, the challenges facing ISCD included not having a fully developed direction and plan for implementing the program, hiring staff without establishing need, and inconsistent ISCD leadership—factors that the Director believed place the CFATS program at risk. These challenges centered on three main areas: (1) human capital issues, including problems hiring, training, and managing ISCD staff; (2) mission issues, including problems reviewing facility plans to mitigate security vulnerabilities; and (3) administrative issues, including concerns about NPPD and IP not supporting ISCD’s management and administrative functions.

ISCD has begun to take various actions intended to address the issues identified in the ISCD memorandum and has developed a 94-item action plan to track its progress. According to ISCD managers, the plan appears to be a catalyst for addressing some of the long-standing issues the memorandum identified. As of June 2012, ISCD reported that 40 percent (38 of 94) of the items in the plan had been completed. These include requiring ISCD managers to meet with staff to involve them in addressing challenges, clarifying priorities, and changing ISCD’s culture; and developing a proposal to establish a quality control function over compliance activities. The remaining 60 percent (56 of 94) that were in progress include those requiring longer-term efforts—i.e., streamlining the process for reviewing facility security plans and developing facility inspection processes; those requiring completion of other items in the plan; or those awaiting action by others, such as approvals by ISCD leadership. ISCD appears to be heading in the right direction, but it is too early to tell if individual items are having their desired effect because ISCD is in the early stages of implementing them and has not yet established performance measures to assess results.

According to ISCD officials, almost half of the action items included in the June 2012 action plan require ISCD collaboration with or action by NPPD and IP. The ISCD memorandum stated that IP and NPPD did not provide the support needed to manage the CFATS program when the program was first under development. ISCD, IP, and NPPD officials confirmed that IP and NPPD are now providing needed support and stated that the action plan prompted them to work together to address the various human capital and administrative issues identified.

View GAO-12-1044T. For more information, contact Stephen L. Caldwell, (202) 512-9610, CaldwellS@gao.gov.

Chairman Aderholt, Ranking Member Price, and Members of the Subcommittee:

I am pleased to be here today to discuss the Department of Homeland Security’s (DHS) efforts to address the various challenges in implementing and managing the Chemical Facility Anti-Terrorism Standards (CFATS) program. My statement today summarizes the testimony I delivered on July 26, 2012, before this Subcommittee.[1] The events of September 11, 2001, triggered a national re-examination of the security of facilities that use or store hazardous chemicals in quantities that, in the event of a terrorist attack, could put large numbers of Americans at risk of serious injury or death. Chemicals held at these facilities can be used to cause harm to surrounding populations during terrorist attacks; can be stolen and used as chemical weapons or as precursors (the ingredients for making chemical weapons); or stolen and used to build an improvised explosive device. To mitigate this risk, the DHS appropriations act for fiscal year 2007[2] required DHS to issue regulations to establish risk-based performance standards for securing high-risk chemical facilities, among other things.[3] DHS established the CFATS program to assess the risk, if any, posed by chemical facilities; place high-risk facilities in one of four risk-based tiers; require high-risk facilities to develop security plans; review these plans; and inspect the facilities to ensure compliance with the regulatory requirements.

DHS’s National Protection and Programs Directorate (NPPD) is responsible for the CFATS program. Within NPPD, the Infrastructure Security Compliance Division (ISCD), a division of the Office of Infrastructure Protection (IP), manages the program. A November 2011 internal ISCD memorandum, prepared by ISCD’s former Director in consultation with the former Deputy Director[4] and designated by DHS as “for official use only” (FOUO), expressed concerns about the management of the CFATS program. The ISCD memorandum, which was leaked to the media in December 2011, cited an array of challenges that, according to these officials, hindered ISCD’s ability to implement and manage the CFATS program.[5]

[1] GAO, Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its Chemical Security Program, but It Is too Early to Assess Results, GAO-12-515T (Washington, D.C.: July 2012).
[2] Pub. L. No. 109-295, § 550, 120 Stat. 1355, 1388 (2006).
[3] According to DHS, a high-risk chemical facility is one that, in the discretion of the Secretary of Homeland Security, presents a high risk of significant adverse consequences for human life or health, national security, or critical economic assets if subjected to a terrorist attack, compromise, infiltration, or exploitation. 6 C.F.R. § 27.105.
[4] The ISCD director who prepared the internal memorandum is no longer in that position, and the deputy director who assisted with the internal memorandum is now the director.

My statement today discusses: (1) how the memorandum was developed and what challenges were identified; (2) what actions are being taken to address the challenges identified; and (3) the extent to which ISCD’s planned actions and proposed solutions require action to be taken by or in collaboration with NPPD or IP.

This statement is based on work we recently completed for this subcommittee on the ISCD memorandum and related actions. To conduct this work, we reviewed applicable laws and regulations, as well as NPPD, IP, and ISCD policies and procedures for administering the CFATS program, analyzed the ISCD memorandum prepared by the former ISCD Director in consultation with the former Deputy Director, compared it with the proposed action plan ISCD officials prepared to address the challenges identified, and compared subsequent action plans to monitor ISCD’s progress.[6] Our results are based on the ISCD’s action plan as of June 2012 so these results reflect the status of ISCD’s progress up to that point in time. The details of our scope and methodology can be found in our July 2012 statement.
In August 2012, ISCD provided us with an updated action plan which we used to document the additional action items completed between June 2012 and August 2012. We did not verify the status of these action items. We conducted this performance audit from February 2012 to July 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our analysis based on our audit objectives.

[5] According to DHS officials, the ISCD memorandum was never intended to be publicly released.
[6] We initially reviewed an ISCD action plan developed in January 2012. ISCD periodically updated the plan to monitor progress on the action items and we reviewed 8 versions of the action plan up to and including one developed in June 2012.

Background

Section 550 of the DHS appropriations act for fiscal year 2007[7] requires DHS to issue regulations establishing risk-based performance standards[8] for the security of facilities that the Secretary determines to present high levels of security risk, among other things. The CFATS rule was published in April 2007[9] and Appendix A to the rule, published in November 2007, listed 322 chemicals of interest and the screening threshold quantities for each.[10] ISCD has direct responsibility for implementing DHS’s CFATS rule, including assessing potential risks and identifying high-risk chemical facilities, promoting effective security planning, and ensuring that final high-risk facilities meet the applicable risk-based performance standards through site security plans approved by DHS.
ISCD is managed by a Director and a Deputy Director and operates five branches that are, among other things, responsible for information technology operations, policy and planning, and providing compliance and technical support. From fiscal years 2007 through 2012, DHS dedicated about $442 million to the CFATS program. During fiscal year 2012, ISCD was authorized 242 full-time-equivalent positions. For fiscal year 2013, DHS’s budget request for the CFATS program was $75 million and 242 positions.

[7] Pub. L. No. 109-295, § 550, 120 Stat. 1355, 1388 (2006).
[8] The CFATS rule establishes 18 risk-based performance standards that identify the areas for which a facility’s security posture is to be examined, such as perimeter security, access control, and cyber security. To meet these standards, facilities are free to choose whatever security programs or processes they deem appropriate so long as DHS determines that the facilities achieve the requisite level of performance in each applicable standard.
[9] 72 Fed. Reg. 17,688 (Apr. 9, 2007) (codified at 6 C.F.R. pt. 27).
[10] 72 Fed. Reg. 65,396 (Nov. 20, 2007). According to DHS, CFATS not only covers facilities that manufacture chemicals but also covers facilities that store or use certain chemicals as part of their daily operations. This can include food-manufacturing facilities that use chemicals of interest in the manufacturing process, farms that use certain quantities of ammonium nitrate or urea fertilizers, or universities that use chemicals to do experiments.
Senior ISCD Leaders Developed the ISCD Memorandum to Highlight Various Challenges Hindering CFATS Implementation

ISCD’s Memorandum Based Largely on Observations of Senior ISCD Managers

Our review of the ISCD memorandum and discussions with ISCD officials showed that the memorandum was developed during the latter part of 2011 and was developed primarily based on discussions with ISCD staff and the observations of the ISCD former Director in consultation with the former Deputy Director. In November 2011, the former Director and Deputy Director provided the Under Secretary with the ISCD memorandum entitled “Challenges Facing ISCD, and the Path Forward.” These officials stated that the memorandum was developed to inform leadership about the status of ISCD, the challenges it was facing, and the proposed solutions identified to date. In transmitting a copy of the memorandum to congressional stakeholders following the leak in December 2011, the NPPD Under Secretary discussed caveats about the memorandum, including that it had not undergone the normal review process by DHS’s Executive Secretariat and contained opinions and conclusions that did not reflect the position of DHS.

The former ISCD Director stated that the memo was intended to begin a dialog about the program and challenges it faced. The former Director confirmed that she developed the memorandum by (1) surveying division staff to obtain their opinions on program strengths, challenges, and recommendations for improvement; (2) observing CFATS program operations, including the security plan review process; and (3) analyzing an internal DHS report on CFATS operations,[11] which, according to the former Director, served as a basis for identifying some administrative challenges and corrective action.

[11] DHS Office of Compliance and Security, National Protection and Programs Directorate, Infrastructure Security Compliance Division (ISCD) Program Inspection, April-September, 2011.
The senior ISCD and NPPD officials we contacted said that they generally agreed with the material that they saw, but noted that they believed the memorandum was missing context and balance. For example, one NPPD official stated that the tone of the memorandum was too negative and the problems it discussed were not supported by sound evaluation. However, the official expressed the view that the CFATS program is now on the right track.

ISCD Management Was Concerned That Challenges Place the CFATS Program at Risk

The ISCD memorandum discussed numerous challenges that, according to the former Director, pose a risk to the program. The former Director pointed out that, among other things, ISCD had not approved any site security plans or carried out any compliance inspections on regulated facilities. The former Director attributed this to various management challenges, including a lack of planning, poor internal controls, and a workforce whose skills were inadequate to fulfill the program’s mission, and highlighted several challenges that have had an impact on the progress of the program. In addition, the memorandum provided a detailed discussion of the issues or problems facing ISCD, grouped into three categories: (1) human capital management, such as poor staffing decisions; (2) mission issues, such as the lack of an established inspection process; and (3) administrative issues, such as a lack of infrastructure and support, both within ISCD and on the part of NPPD and IP.

ISCD Has Begun to Take Various Actions Intended to Address Challenges Identified

ISCD’s Action Plan Included Time Frames and Appears to be Helping Address Some Legacy Issues

ISCD is using an action plan to track its progress addressing the challenges identified in the memorandum, and, according to senior division officials, the plan may be helping them address some legacy issues that staff were attempting to deal with before the memorandum was developed. The January 2012 version of the proposed action plan listed 91 actions to be taken categorized by issue—human capital management issues, mission issues, or administrative issues—that, according to the former ISCD Director, were developed to be consistent with the ISCD memorandum. However, the January 2012 version of the action plan did not provide information on when the action was started or to be finished.

Eleven of the 12 ISCD managers (other than the former Director and Deputy Director) assigned to work as the coordinators of the individual action items told us that even though they were not given the opportunity to view the final version of the ISCD memorandum, the former Director provided them the sections of the action plan for which they were responsible to help them develop and implement any corrective actions. They said that they agreed that actions being taken in the plan were needed to resolve challenges facing ISCD. Our discussions with these officials also showed that about 39 percent (37 of 94) of the items in the March and June 2012 action plans addressed some legacy issues that were previously identified and, according to these officials, corrective actions were already underway for all 37 of these items.

ISCD’s June 2012 Plan Update Showed 38 Action Items Completed

Our analysis of the June 2012 version of the ISCD action plan showed that 40 percent of the items in the plan (38 of 94) had been completed. The remaining 60 percent (56 of 94) were in progress. Of the 38 completed items, we determined that 32 were associated with human capital management and administrative issues, including those involving culture and human resources, contracting, and documentation. The remaining 6 of 38 action items categorized by ISCD as completed were associated with mission issues. Figure 1 shows the status of action items by each of the three categories as of June 2012.
Figure 1: Status of ISCD Action Plan by Category, as of June 2012

For the remaining 56 items that were in progress as of June 2012, 40 involved human capital management and administrative issues. According to ISCD officials, these 40 issues generally involved longer-term efforts—such as organizational realignment—or those that require approval or additional action on the part of IP or NPPD. Sixteen of 56 remaining action items in progress covered mission issues that will likely also require long-term efforts to address. As of August 2012, ISCD reported that it had completed another 21 action items, of which 8 were to address mission-related issues. We did not verify ISCD’s efforts to complete actions since June 2012. However, we have recently begun a follow-up review of CFATS at the request of this and other committees, which will focus on DHS’s efforts to address mission-related issues. We expect to report the results of these efforts early in 2013.

Almost Half of ISCD’s Action Item Completion Dates Had Been Extended since April 2012

Our analysis of the April and June versions of the plan shows that the division had extended the estimated completion dates for nearly half of the action items. Estimated completion dates for 52 percent (48 of 93 items)[12] either did not change (37 items) or the date displayed in the June 2012 plan was earlier than the date in the April 2012 version of the plan (11 items). Conversely, 48 percent (45 of 93) of the items in the June 2012 version of the plan had estimated completion dates that had been extended beyond the date in the April 2012 plan. Figure 2 shows the extent to which action plan items were completed earlier than planned, did not change, or were extended, from April 2012 through June 2012, for the human capital management, mission, and administrative issues identified in the plan.
[12] ISCD data showed that 93 of 94 action items were consistent between the April 2012 and June 2012 action plans; therefore, computation of the estimated completion dates was based on 93 total items. One action item in the April 2012 plan dealing with strategies for managing ISCD funding levels was removed from the June 2012 plan because after the analysis was prepared and submitted to NPPD, the decision was made to delete the item from the plan. The funding action item was replaced in the June 2012 action plan with an action item to conduct a peer review of the facility tiering process and formula. For purposes of this analysis, we used the 93 action items (instead of 94 action items) that were consistent between the April and June 2012 action plans.

Figure 2: Change in CFATS Action Plans Estimated Completion Dates from April 2012 to June 2012

[a] ISCD data showed that 93 of 94 action items were consistent between the April 2012 and June 2012 action plans; therefore, computation of the estimated completion dates was based on 93 total items. One action item in the April 2012 plan dealing with strategies for managing ISCD funding levels was removed from the June 2012 plan because after the analysis was prepared and submitted to NPPD, the decision was made to delete the item from the plan. The funding action item was replaced in the June 2012 action plan with an action item to conduct a peer review of the facility tiering process and formula. For purposes of this analysis, we used the 93 action items that were consistent between the April and June 2012 action plans.

ISCD officials told us that estimated completion dates had been extended for various reasons. For example, one reason for moving these dates was that the work required to address some items was not fully defined when the plan was first developed and as the requirements were better defined, the estimated completion dates were revised and updated.
In addition, ISCD officials also stated that timelines had been adversely affected for some action items because staff had been reassigned to work on higher priority responsibilities, such as reducing the backlog of security plans under review.

Action Plan Performance Measures Could Help Gauge Progress

ISCD, through its action plan, appears to be heading in the right direction towards addressing the challenges identified, but it is too early to tell if the action plan is having the desired effect because (1) the division had only recently completed some action items and continues to work on completing more than half of the others, some of which entail long-term changes, and (2) ISCD had not yet developed an approach for measuring the results of its efforts. ISCD officials told us that they had not yet begun to plan or develop any measures, metrics, or other documentation focused on measuring the impact of the action plan on overall CFATS implementation because they plan to wait until corrective action on all items has been completed before they can determine the impact of the plan on the CFATS program. For the near term, ISCD officials stated that they plan to assess at a high level the impact of the action plan on CFATS program implementation by comparing ISCD’s performance rates and metrics pre-action plan implementation and post-action plan implementation.[13] However, because ISCD will not be completing some action items until 2014, it will be difficult for ISCD officials to obtain a complete understanding of the impact of the plan on the program using this comparison only.

In our July 2012 statement, we recommended that ISCD look for opportunities, where practical, to measure results of their efforts to implement particular action items, and where performance measures can be developed, periodically monitor these measures and indicators to identify where corrective actions, if any, are needed.
The agency concurred with our recommendation and developed a new action item (number 95) intended to develop metrics for measuring, where practical, results of efforts to implement action plan items, including processes for periodic monitoring and indicators for corrective actions. This action item is in progress.

[13] According to ISCD officials, ISCD uses a performance measure to track the performance of the CFATS program overall, but as of June 2012 did not have performance measures in place to track the progress of the action plan, or particular action items.

ISCD Officials Stated That Almost Half of the Action Items Required Collaboration with or Action by NPPD or IP

According to ISCD officials, almost half of the action items included in the June 2012 action plan either require ISCD to collaborate with NPPD and IP or require NPPD and IP to take action to address the challenges identified in the ISCD memorandum. NPPD, IP, and ISCD officials have been working together to identify solutions to the challenges the memorandum identified and to close pertinent action items. According to division officials, 46 of the 94 action items included in the June 2012 action plan required action either by NPPD and IP or collaboration with NPPD and IP. This includes collaborating with NPPD officials representing the NPPD human capital, facilities, and employee and labor relations offices, among others, and with IP’s Directorate of Management Office.[14] As of June 2012, 13 of the 46 items that require action by or collaboration with NPPD or IP were complete; 33 of 46 were in progress. As of August 2012, ISCD reported that it had completed 8 more of these action items, such that 21 of the 46 were complete and 25 were in progress. We did not verify ISCD’s efforts to close these additional action items.

Chairman Aderholt, Ranking Member Price, and members of the subcommittee, this completes my prepared statement.
I would be happy to respond to any questions you may have at this time.

GAO Contact and Staff Acknowledgements

For information about this statement please contact Stephen L. Caldwell, Director, Homeland Security and Justice, at (202) 512-9610 or CaldwellS@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Other individuals making key contributions include John F. Mortin, Assistant Director; Ellen Wolfe, Analyst-in-Charge; Charles Bausell; Jose Cardenas; Andrew M. Curry; Michele Fejfar; Tracey King; Marvin McGill; Mona E. Nichols-Blake; and Jessica Orr.

[14] The IP Directorate of Management Office is responsible for providing IP divisions with program management support such as training and facilities management.

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Congressional Relations: Katherine Siggerud, Managing Director, (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room 7125, Washington, DC 20548

Public Affairs: Chuck Young, Managing Director, (202) 512-4800, U.S. Government Accountability Office, 441 G Street NW, Room 7149, Washington, DC 20548
Critical Infrastructure Protection: Summary of DHS Actions to Better Manage Its Chemical Security Program
Published by the Government Accountability Office on 2012-09-20.