This advance notice describes the details of these steps along with a number of policy and implementation issues. We seek comment on all aspects of this new regulatory program, including the many policy and practical questions integral to the successful implementation of the program.

Solicitation of Comment

Section 550 requires the Secretary of Homeland Security to promulgate ``interim final regulations establishing riskbased performance standards for security of chemical facilities * * *.'' He must do so ``[n]o later than six months'' from the date of enactment of this new authority, i.e. by April 4, 2007. The Executive Branch has implemented rules under other, similar regulatory
[[Page 78277]]
authorities over the course of years rather than months. See, e.g., 42 U.S.C. 7412(r)(3) (requiring the promulgation of an initial list of chemicals within two years); 42 U.S.C. 7412(r)(7)(B)(i) (requiring promulgation of regulation within three years). By directing the Secretary to issue ``interim final regulations,'' Congress authorized the Secretary to proceed without the traditional noticeandcomment required by the Administrative Procedure Act. See, e.g., Jeffrey S. Lubbers, A Guide to Federal Agency Rulemaking 114 (4th ed. 2006) (citing Omnibus Budget Reconciliation Act of 1987, and stating that notice and comment is not required where statute specifically permits a regulation to be issued in the interim final form); see also 65 FR 34,983 (Jun. 1, 2000) (interim final rule for Medicare program issued under that authority). Although ``interim final regulations'' may be (and often are) issued without prior notice and comment (and the Act requires no prior notice or comment period), the Department believes it would nevertheless be prudent to seek comment on many of the significant issues that will be addressed by such regulations while maintaining the aggressive timeline for implementation. An advance notice of proposed rulemaking is the typical route to seek comment in advance of an NPRM. Here, because Section 550 requires the Secretary to issue an interim final rule rather than an NPRM followed by a final rule, our advance notice seeks comment on text for an upcoming interim final rule. In this respect, this notice serves the purposes usually achieved by both an ANPRM and an NPRM. In addition, it is our intention to seek further comment with the interim final on additional implementation issues, and on any agency guidance that may follow.

The Department seeks public comment from all interested parties by February 7, 2007, on the questions, issues and proposed regulatory language identified in this notice. Given the 6month deadline under Section 550 to promulgate an interim final rule, it will be necessary to complete that rule and reach conclusions on many of the issues raised herein early in 2007. Thus, this February 7, 2007, deadline cannot reasonably be postponed.

This notice is organized as follows: Section I provides a brief summary of relevant preexisting Federal initiatives and regulatory authorities; Section II discusses the structure and requirements of the statute; Section III describes a proposed ``phased'' implementation with an immediate priority on the highest risk chemical facilities; and Section IV addresses a range of other legal and programmatic issues. Table of Contents
I. Brief History of Federal PreExisting Chemical Security Tools and Programs

A. DHS Risk Assessment Methodology (RAMCAP), Chemical Buffer Zone Protection Program, and Site Assistance Visits

1. Risk Assessment Methodology (RAMCAP)

2. Chemical Buffer Zone Protection Program

3. Site Assistance Visits

B. U.S. Coast Guard Maritime Security Regulations

C. Rail Security

D. Environmental Protection Agency Risk Management Program

E. Occupational Safety and Health Administration

F. Chemical Weapons Convention

G.The Explosives Authority of the Bureau of Alcohol, Tobacco, Firearms, and Explosives

II. Structure and Requirements of Section 550

A. The Mandate to Promulgate Interim Final Regulations ``No later than six months after the date of enactment * * *''

B. Authority to Regulate ``Chemical Facilities'' that Present a ``High Level of Security Risk''

C. Determining which Facilities Present a High Level of Security Risk

D. RiskBased Performance Standards for Security of Chemical Facilities

E. Vulnerability Assessments and the Development and Implementation of Site Security Plans for Chemical Facilities

1. Vulnerability Assessments

2. Site Security Plans

3. Alternative Security Programs

4. Guidance Regarding Site Security Plans

F. Audits and Inspections

G. Background Checks

H. Approval and Disapproval of Vulnerability Assessments and Site Security Plans

I. Remedies

J. Objections and Appeals

K. Chemicalterrorism Vulnerability Information

1. Protection from Public Disclosure

2. Protection from Disclosure in Litigation

L. Statutory Exemptions

III. Implementation

A. Immediate Priority on Highest Risk Facilities

B. Consultations and Technical Assistance
IV. Other Issues

A. ThirdParty Lawsuits

B. Regulatory Requirements/Matters

1. Executive Order 12,866

2. Regulatory Flexibility Act

3. Executive Order 13,132: Federalism

4. Unfunded Mandates Reform Act Assessment

5. National Environmental Policy Act
V. Proposed Text for Interim Final Rule
I. Brief History of Federal PreExisting Chemical Security and Safety Programs

Prior to the enactment of Section 550, the Federal government did not have authority to regulate the security of most chemical facilities. Over the past three years, the Department has urged voluntary enhancement of security at these facilities and provided both technical assistance and grant funding for security. In addition, through the Coast Guard's Maritime Security regulations, the Department has addressed security at certain maritimerelated chemical facilities. Recently, the Departments of Homeland Security and Transportation have cooperated in addressing the security of rail transportation of hazardous chemicals.

Other Federal programs have addressed chemical facility safety, but not security: the Environmental Protection Agency (``EPA''), for instance, regulates chemical process safety through its Risk Management Plan (RMP) program; the Occupational Safety and Health Administration (``OSHA'') regulates workplace safety and health at chemical facilities; and the Department of Commerce oversees compliance with the Chemical Weapons Convention. Finally, the Department of Justice's Bureau of Alcohol, Tobacco, Firearms, and Explosives (``ATF'') regulates, through licenses and permits, the purchase, possession, storage, and transportation of explosives. Because Section 550 will build on preexisting Federal security initiatives and chemical safety programs, a brief summary of these preexisting initiatives and programs is appropriate here.
A. DHS Risk Assessment Methodology (RAMCAP), Chemical Buffer Zone Protection Program, and Site Assistance Visits

1. Risk Assessment Methodology (RAMCAP)

For the past two years, the Department has worked with the American Society of Mechanical Engineers, with input from many other parties, to develop a risk assessment methodology for many elements of our nation's critical infrastructure. The methodology is composed of two separate parts and can be utilized to perform both a preliminary ``consequence'' analysis and a more thorough vulnerability assessment on chemical facilities.

The first segment of the RAMCAP methodology is a screening tool known as the Topscreen, and is designed to be used through a secure Department Web site. For chemical facilities, the Top
[[Page 78278]]
screen solicits answers to a series of questions intended to assess the level of damage that could result from a terrorist incident at the facility. The Topscreen process draws in part on preexisting data from the EPA's Risk Management chemical safety program (``RMP,'' discussed below). For example: Does the facility operate any RMP Program 2 or 3 processes? If so, how many persons could be exposed by a toxic release worst case scenario? How many persons could be exposed by a flammable release worst case scenario? The Topscreen also includes queries regarding manufacture and storage of explosives materials, and seeks information on quantities of chemical substances and precursors addressed by the Chemical Weapons Convention. See 22 U.S.C. 6701. The Topscreen process is intended to gather information both to evaluate the consequences of a catastrophic explosion or release and to assess the possible danger if dangerous chemicals are stolen. A more detailed description of the Topscreen process is available as Appendix A.

The second segment of RAMCAP provides the tools to conduct a thorough facility Vulnerability Assessment and could also be utilized via a secure website. It has three fundamental steps, each with detailed instructions:

1. Identify the assets on the facility;

2. Apply specified threat scenarios to each asset to quantify the resulting consequences if an attack succeeded; and

3. Apply the threat scenarios to each asset in light of the security measures in place and evaluate the likelihood and the degree to which the attack could succeed.

A detailed description of this process is set forth in Appendix B. Note that many responsible facilities have already conducted analyses of this type. Such analyses may be acceptable during the initial stages of the Section 550 program.

2. Chemical Buffer Zone Protection Program

The Chemical Buffer Zone Protection Program (ChemBZPP) is designed to identify and implement voluntary protective measures for the area outside of a chemical facility's fence, or the ``buffer zone,'' to make it more difficult for a potential attacker to plan or launch an attack. These plans are intended to develop effective preventive and protective measures within the immediate vicinity of highpriority chemical sector critical infrastructure targets. The plans also increase the security related capabilities of the jurisdictions responsible for the security and safety of the surrounding communities. DHS provides funds to localities to support the implementation of regional buffer zone plans and mitigate the identified vulnerabilities. In fiscal year (FY) 2006, the Department awarded $25,000,000 under this program.

Part of this effort is the BZPP Webcam Pilot Program, a webbased program using cameras installed at a few highconsequence chemical facilities. These webcams enable local law enforcement and DHS to conduct remote surveillance of the buffer zone surrounding each facility during times of elevated threat to help identify any terrorist surveillance and planning activities and link incidents across facilities.

3. Site Assistance Visits

Upon request, DHS conducts ``insidethefence'' site assistance visits to critical chemical facilities for a variety of reasonsa facility presents a high level of risk, the owner requests it, or the facility or sector is under threat. The site visits are conducted by DHS protective security professionals, subjectmatter experts, and local law enforcement, along with the facility's owners and operators. These visits facilitate security vulnerability identification and mitigation discussions between government and industry. The visits also provide facilities and localities with valuable information on how to better protect the facility from a terrorist attack. After a visit, DHS suggests protective measures and issues a report to the facility to bolster its protective measures.

B. U.S. Coast Guard Maritime Security Regulations

The Maritime Transportation Security Act of 2002 (MTSA) (Pub. L. 107295, Nov. 25, 2002) enacted chapter 701 of Title 46, U.S. Code and required the Secretary of Homeland Security to issue regulations to strengthen the security of American ports and waterways and the ships that use them. This authority, in addition to other grants of authority, served as the basis for a comprehensive maritime security regime. Through these rules, the Coast Guard issued regulations to ensure the security of vessels, facilities, and other elements of the maritime transportation system. Part 105 of title 33 of the Code of Federal Regulations imposed requirements on a range of maritime facilities, including hazardous material and petroleum facilities and those fleeting facilities that receive barges carrying, in bulk, cargoes regulated by Subchapters D and O of Chapter I, Title 46, Code of Federal Regulations or Certain Dangerous Cargoes.

Under the Coast Guard's maritime security regulations, these facilities are required to perform security assessments, and then, based on these assessments, develop security plans, and implement security measures and procedures in order to reduce the risk of and to mitigate the results of any security incident that threatens the facility, its personnel, the public, the environment, and the economy. C. Rail Security

The Departments of Transportation (DOT) and Homeland Security both have authority to regulate rail transportation. The Federal hazardous materials transportation law authorizes the Secretary of Transportation to establish regulations for the safe transportation, including security, of hazardous materials in intrastate, interstate, and foreign commerce. See 49 U.S.C. 5101 et seq., as amended by section 1711 of the Homeland Security Act of 2002 (Pub. L. 107296, Nov. 25, 2002) and Title VII of the Safe, Accountable, Flexible and Efficient Transportation Equity Act: Legacy for Users (SAFETEALU) (Pub. L. 109 59, Aug. 10, 2005). DHS, through TSA, has authority to ``oversee the implementation, and ensure the adequacy, of security measures at airports and other transportation facilities.'' 49 U.S.C. 114(f)(11).

Pursuant to DOT's authority, the Pipelines and Hazardous Materials Safety Administration (PHMSA) has issued, and the Federal Railroad Administration (FRA) enforces, various regulations that impact rail security. HM232 requires covered personsthose who offer certain hazardous materials for transportation in commerce and those who transport certain hazardous materials in commerceto develop and implement security plans. At a minimum, these security plans for transportation must address personnel security, unauthorized access for the transportationrelated areas of facilities, and en route security for shipments of the covered hazardous materials. See 49 CFR 172.800, 172.802, and 172.804. In addition, PHMSA has issued regulations to reduce the risks to safety and security of leaving loaded rail cars unattended for periods of time. Pursuant to 49 CFR 174.14 and 174.16, a carrier must forward each shipment of hazardous materials ``promptly and within 48 hours (Saturdays, Sundays, and holidays excluded)'' after the carrier accepts the shipment at the originating point or the carrier receives the
[[Page 78279]]
shipment at any yard, transfer station, or interchange point.

Together with the Department of Transportation, DHS has recently taken many steps regarding security in the transportation of hazardous materials by rail. On June 23, 2006, DOT and DHS jointly issued a set of twentyfour ``security action items'' for the freight rail carriers of materials that are ``toxic by inhalation'' (TIH) (these materials are also referred to as ``poisonous by inhalation'' (PIH)). DOT and DHS, in consultation with the industry, developed these action items by observing and assessing the securityrelated practices that rail carriers use. The action items addressed three phases of security: (1) System Security, (2) Enroute Security, and (3) Access Control.

In August 2006, the Federal government and the industry agreed upon ``supplemental'' security action items including measures to address four critical areas: (1) The establishment of secure storage areas for rail cars carrying TIH materials, (2) the expedited movement of trains transporting rail cars carrying TIH, (3) the positive and secure handoff of TIH rail cars at point of interchange and at points of origin and delivery, and (4) the minimization of unattended loaded tank cars carrying TIH materials. The rail carriers will submit these plans to TSA for review, and TSA will subsequently monitor and evaluate the success of the plans in reducing the standstill (dwell) time of TIH shipments in high threat urban areas.

On December 21, 2006, DOT and TSA issued notices of proposed rulemaking that would impose additional obligations, including new requirements regarding transportation of PIH materials. See DOT's notice of proposed rulemaking titled ``Enhancing Rail Transportation Safety and Security for Hazardous Materials Shipments'' at 71 FR 76834 and TSA's notice of proposed rulemaking titled ``Rail Transportation Security'' at 71 FR 76851. The proposed regulations would cover railroad carriers that transport certain hazardous materials, including bulk shipments of PIH materials. Among other measures, the proposed DOT rule would require railroad carriers to analyze the safety and security risks of the routes used. It would also require clarifications of the current security plan requirements to address en route storage, delays in transit, and delivery notification. In addition, it would require rail carriers to conduct pretrip visual inspections at the ground level of rail cars containing PIH materials to detect improvised explosive devices (IEDs) or other evidence of tampering.

The proposed TSA rule would require those rail hazardous materials shippers and receivers, along with freight and passenger railroad carriers and rail transit systems, to (1) Designate a rail security coordinator to serve as the primary contact for the receipt of intelligence information and for other securityrelated activities; (2) allow TSA and other authorized DHS officials to enter and inspect property, facilities, equipment, and operations; and (3) report incidents, potential threats, and significant security concerns to DHS. In addition, TSA proposes to impose two additional requirements on PIH rail hazardous materials shippers and receivers, as well as freight railroad carriers that transport PIH: to (1) Provide to TSA, upon request the location and shipping information of rail cars within their physical custody or control that contain PIH materials, and (2) provide for a secure chain of custody and control of rail cars that contain PIH materials.

D. Environmental Protection Agency Risk Management Program

Pursuant to the Clean Air Act (CAA), EPA's Risk Management Program requires chemical facilities with listed chemicals in amounts exceeding prescribed threshold limits to implement an accident prevention program, an emergency response program, prepare a fiveyear accident history, and submit to EPA a risk management plan (RMP). See 42 U.S.C. 7412(r). These requirements are intended to prevent accidental releases and minimize the consequences of such releases by focusing on chemicals that in the event of an accidental release, could reasonably be expected to cause death, injury, or serious adverse effects to human health and the environment. On January 31, 1994, EPA promulgated a list of regulated substances and thresholds that identify stationary sources subject to the accidental release prevention regulations. 59 FR 4,478. Two years later, EPA issued a rule requiring the owners of these sources to develop accidental release programs and summaries of these plans. 61 FR 31,668 (Jun. 20, 1996).

An RMP contains information on the regulated substances handled at the facility, an analysis of the potential consequences of hypothetical accidental chemical releases (i.e., ``worstcase'' and ``alternative release'' scenarios), a fiveyear accident history, and information about the chemical accident prevention and emergency response programs at the facility. In 1999, more than 15,000 U.S. facilities submitted RMP information to EPA. Regulated facilities are required to update their RMPs at least every five years, and more frequently if specified changes occur.

As the RMP chemical list and threshold limits were established by EPA based on a chemical's potential for acute offsite health impacts in the event of a large air release, the Department believes that a number of the facilities regulated under this program may also qualify as ``highrisk'' facilities covered under Section 550. Although the RMP data are extremely useful, the Department is mindful of the fact that they contain information related only to a specified list of industrial chemicals that present air release hazards. The RMP data do not provide information relating to other potentially ``highrisk'' facilities, such as certain facilities covered by the Chemical Weapons Convention or certain other facilities that might be targeted for chemical theft or diversion.

E. Occupational Safety and Health Administration

The Occupational Safety and Health Administration (OSHA), an agency within the U.S. Department of Labor, regulates conditions and hazards affecting the health and safety of employees in the workplace. OSHA's mission is to prevent workrelated injuries, illnesses, and deaths. OSHA regulates employers through specific enumerated safety standards (see, e.g., 29 CFR part 1910) and through a ``general duty clause'' (see 29 U.S.C. 654(a)(1)), which requires a safe workplace even in the absence of specific standards. OSHA enforces these standards by inspecting workplaces and by issuing citations for violations.

OSHA has developed and enforces several standards that ensure chemical safety in the workplace. The Process Safety Management of Highly Hazardous Chemicals standard contains requirements for the management of hazards associated with processes using highly hazardous chemicals. See 29 CFR 1910.119. The Hazardous Waste Operations and Emergency Response Standard (HAZWOPER) covers emergency response operations for the release of, or substantial threats of releases of, hazardous substances without regard to the location of the hazard. See 29 CFR 1910.120 and 1926.65.

In addition, OSHA has several other regulations that protect employees who are exposed to chemicals in the course of their work. In Subpart Z to 29 CFR 1910, OSHA establishes permissible exposure limits (PELs) for toxic and hazardous substances. Employers must measure employee exposure to these
[[Page 78280]]
substances and must take measures to limit employee exposures when the exposures reach impermissible limits. In Subpart I to 29 CFR 1910, OSHA establishes requirements for personal protective equipment (PPE). Employers must conduct hazard assessments. Where employees are exposed to impermissible exposures (which may, in some cases, be chemical exposures), employers must provide employees with proper PPE to assist in controlling the hazard.

Another standard related to chemical safety is OSHA's Hazard Communication Standard (HCS). The HCS was promulgated to provide workers with the right to know the hazards and identities of the chemicals they are exposed to while working, as well as the measures they can take to protect themselves. The HCS requires chemical manufacturers and importers to evaluate the hazards of the chemicals they produce and import. It also requires chemical manufacturers and importers to prepare labels and material safety data sheets (MSDSs) to convey the hazard information to their downstream customers. All employers with hazardous chemicals in their workplaces must have labels and MSDSs for their exposed workers and must train exposed workers to handle the chemicals appropriately. See 29 CFR 1910.1200.

F. Chemical Weapons Convention

The United States is a party to the Chemical Weapons Convention (CWC), which prohibits the development, production, stockpiling, and use of chemical weapons. The Convention entered into force on April 29, 1997, and was implemented in the United States by statute at 22 U.S.C. 6701 et. seq., with regulations at 15 CFR 710 et. seq. The CWC does not prohibit production, processing, consumption, or trade of related chemicals for peaceful purposes, but it does establish a verification regime to ensure such activities are consistent with the object and purpose of the treaty. The CWC requires reporting and onsite inspections that are triggered when quantitative threshold activity levels are exceeded. The CWC monitors chemicals in three lists, or schedules, and certain ``unscheduled discrete organic chemicals.''

Schedule 1 includes toxic chemicals with few or no legitimate uses that are developed or used primarily for military purposes. Examples of schedule 1 chemicals include nerve agents, such as Sarin, and blister agents, such as Mustard and Lewisite. Schedule 2 includes chemicals that can be used for chemical weapons production, but that also have certain legitimate uses. Schedule 2 chemicals are not produced in large commercial quantities, and these include certain chemicals used to manufacture fertilizers and pesticides. Schedule 3 chemicals are those that can be used for chemical weapons production, but also have significant legitimate uses. Schedule 3 chemicals are produced in large commercial quantities and include chemicals used to manufacture paint thinners, cleaners, and lubricants.

As noted, the CWC imposes declaration and onsite inspections requirements upon industry when production, processing, or consumption exceeds certain thresholds. Inspections under the CWC are conducted to assess the risk and guide future routine inspections. In addition, inspections are conducted to verify the consistency with the declarations of the levels of production, processing, or consumption. These inspections also seek to confirm the absence of undeclared Schedule 1 chemicals.
G. The Explosives Authority of the Bureau of Alcohol, Tobacco, Firearms, and Explosives

ATF is an enforcement and regulatory organization responsible for, among other things, the investigation and prevention of Federal offenses involving the unlawful use, manufacture, and possession of explosives. ATF regulates, through licenses and permits, the purchase, possession, storage, and transportation of explosives. See generally 27 CFR Part 555. Specifically, ATF explosives regulations govern commerce; licensing of manufacturers, importers, and dealers; issuance of permits; business by licensees and operations by permittees; storage; and the records and reports required of licensees and permittees. 27 CFR 555.1. Each year, ATF issues the List of Explosives subject to these explosives requirements. See, e.g., 70 FR 73,483 (Dec. 12, 2005).

Facilities that possess or store explosives (including manufacturing facilities) must also be properly licensed by ATF. See 27 CFR 555.41 et seq. For facilities that possess or store listed explosives, ATF requires certain safety precautions, including specific requirements governing the actual storage of the materials. See 27 CFR 555.201 et seq. ATF also prohibits shipment, transport, or possession of any explosive material by ``prohibited persons,'' including a person under indictment or convicted of a crime punishable by imprisonment for a term exceeding one year; a fugitive from justice; an unlawful user of controlled substance; or ``has been adjudicated a mental defective.'' Id. at 555.26(c), 555.49. ATF may conduct an investigation to confirm that an applicant is entitled to a license. Id. ATF will also conduct a background check on all persons and employees who are authorized to possess explosive materials as part of their employment. See 27 CFR 555.33.

II. Structure and Requirements of Section 550

With the authority under Section 550, the Department can now fill a significant security gap in the country's antiterrorism efforts. Section 550 of the Act is a compact twopage set of mandates establishing the parameters of the Federal government's first regulatory program to secure chemical facilities against possible terrorist attack. Each subsection and sentence of this provision has significant consequences for the structure and content of the regulatory program.
A. The Mandate to Promulgate Interim Final Regulations ``No later than six months after the date of enactment * * *''

As discussed above, applicable statutes do not require the Department to seek comment prior to issuing these regulations, but we believe public comment will be very helpful in formulating the interim final rule and structuring the program. Cf. Administrative Conference of the United States Recommendation 765 (when it is necessary to make a rule effective immediately, agencies should give the public the opportunity to submit postpromulgation comments) (cited in Michael Asimow, Nonlegislative Rulemaking and Regulatory Reform, 1985 Duke L.J. 381, 426). An interim final rule has the same legal effect as a final rule. See, e.g., Career College Ass'n v. Riley, 74 F.3d 1265, 1268 (D.C. Cir. 1996) (stating that interim final rule is final for purposes of statute requiring adoption of final rule by statutory date). In this regard, this notice discusses a number of issues related to promulgating chemical facility security regulations and invites comments on these issues. This notice includes proposed regulatory text which represents the Department's initial preference unless otherwise identified, but the Department also seeks comment on proposals and ideas discussed in the preamble but not contained in the regulatory text because the Department is interested in comments on alternative approaches.

[[Page 78281]]

The Department is currently considering a number of procedural questions that relate to the authority it has been granted. An initial question is whether the Department is required to finalize the interim regulations in light of the express language of 550(b), which provides that these interim regulations will apply until ``interim or final regulations promulgated under other laws'' are in effect. Pub. L. 109 295, Oct. 4, 2006 (emphasis supplied). We believe that the answer to that question is no; Congress gave the Department the authority to issue regulations in the interim final rule only; it did not contemplate that such regulations be ``finalized'' under this authority. It is important to note that these ``interim'' regulations will nevertheless have the full effect of law as if they were final. See e.g., Career College Ass'n v. Riley, 74 F.3d 1265, 1268 (D.C. Cir. 1996).

A second issue is whether the Department can revise the interim final regulations issued under Section 550. Commentators have argued that the regulations cannot be revised since 550(a) and (b) indicate that the regulations must be issued ``no later than six months after the date of enactment'' and ``shall apply until'' the end date contemplated by Section 550(b). We believe the better view is that the regulations can be revised after the six month timeframe.

A third issue is what type of future legislation is necessary to replace the interim final rule under Section 550(b). Certainly, Section 550 could be superseded or extended in either an appropriations bill or in authorization legislation. If a future appropriations bill continued funding for the Section 550 program beyond that period, the Department could consider that future funding for the program as an extension of the ``authority provided by this section.''
B. Authority To Regulate ``Chemical Facilities'' that Present a ``High Level of Security Risk''

A fundamental question posed by Section 550 is which facilities it covers. Section 550 specifies that the provision ``shall apply to chemical facilities that, in the discretion of the Secretary, present high levels of security risk.'' The terms ``chemical facilities'' and ``high levels of security risk'' are not specifically defined in Section 550. Both terms have, however, been used in two prior legislative proposals with more explicit indications of their meaning. See H.R. 5695, 109th Cong. (2006), S. 2145, 109th Cong. (2006). Although the Department is not bound to interpret these terms in concert with language of prior unenacted legislative proposals, those prior proposals can provide helpful context on this specific definitional issue.

In H.R. 5695, the term ``chemical facility'' refers to any facility that the Secretary has determined to possess more than a threshold amount of a potentially dangerous chemical. See H.R. 5695, 109th Cong. sec. 2 (2006) (adding section 1802(b)(2) and subsequent sections in the Homeland Security Act). ( S. 2145 uses different terms to a similar effect.). In neither instance is a ``chemical facility'' limited to a chemical manufacturing facility, a chemical distribution facility, or any other single specific type of facility that uses or stores potentially dangerous chemicals. Instead, the question of what constitutes a chemical facility turns not on the name or type of facility at issue, but instead on whether the facility uses, stores or otherwise possesses dangerous chemicals, and in what amount. The Department believes that a similar meaning of ``chemical facility'' is appropriate in implementing Section 550. Thus, subject to certain statutory exclusions which are discussed below in section II.L., the Department proposes to define ``chemical facility'' as ``any facility that possesses or plans to possess, at any relevant point in time, a quantity of a chemical substance determined by the Secretary to be potentially dangerous or that meets other riskrelated criterion identified by the Department.'' See proposed 6 CFR 27.100. We invite comment specifically on this interpretation or any alternative definitions of the term ``chemical facility.''

Of course, the term ``chemical facility'' is only significant in relation to other text in the statute. Section 550 also specifies that regulations promulgated under its authority are only applicable to a ``chemical facility'' that, ``in the discretion of the Secretary, presents [a] high level[] of security risk.'' Not all chemical facilities present a high level of security risk. (Indeed, not all ``chemical facilities'' on the RMP list are likely to present a high level of security risk.) Both H.R. 5695 and S. 2145 had specific provisions distinguishing the universe of all ``chemical facilities'' from the subset of ``high risk'' chemical facilities. H.R. 5695 would have required that ``at least one of the tiers established by the Secretary for the assignment of chemical facilities * * * shall be a tier designated for highrisk chemical facilities.'' 109th Cong. sec. 2 (2006) (proposed 6 U.S.C. 1802(c)(4)). Similarly, although S. 2145 identified the regulated chemical facilities as those with chemical substances of concern at sufficient threshold quantities, that bill also contained an instruction for the Secretary to identify separately a smaller subset of those facilities as high risk chemical facilities. S. 2145, 109th Cong. sec. 3(e) (2006). Thus, in both prior legislative proposals, Congress contemplated that only a subset of all facilities with threshold quantities of certain chemical substances would also qualify as ``high risk'' chemical facilities.

The Department believes that the phrase ``high level of security risk'' in Section 550 was likewise intended to apply only to a subset of the total population of ``chemical facilities.'' Under Section 550, the Secretary is explicitly given discretion to determine which chemical facilities fall within this subset, and thus which chemical facilities the Department will regulate. See Pub. L. 109295, sec. 550(a) (2006) (``such regulations shall apply to chemical facilities that, in the discretion of the Secretary, present high levels of security risk''). See also 5 U.S.C. 701(a)(2) (precluding judicial review if ``agency action is committed to agency discretion by law''). See also Webster v. Doe, 486 U.S. 592 (1988); Heckler v. Chaney, 470 U.S. 821, 830 (1985) (recognizing the exception to the presumption of agency reviewability in 5 U.S.C. 701(a)(2)); Steenholdt v. FAA, 314 F.3d 633 (D.C. Cir. 2003); Baltimore Gas & Elec. Co. v. FERC, 252 F.3d 456, 459 (D.C. Cir. 2001); Haig v. Agee, 453 U.S. 280 (1981); Merida Delgado v. Gonzales, 428 F.3d 916 (10th Cir. 2005) (finding that the Attorney General's national security determination was not reviewable under the APA, where the authorizing statute provided no meaningful standard against which to judge the agency's action, the court did not have the necessary expertise to make the determination, and the Executive Branch has broad discretion to protect national security). C. Determining Which Facilities Present a High Level of Security Risk

As a practical matter, the Department must utilize an appropriate process to determine which facilities present sufficient risk to be regulated. The Department may draw on many sources of available information, including existing Federal data and lists addressing particularly hazardous chemicals and particular chemical facilities. Such lists include the EPA RMP list (discussed above); the schedule of chemicals from the Convention on the Development, Production, Stockpiling and Use of Chemical Weapons and Their
[[Page 78282]]
Destruction, also known as the Chemical Weapons Convention or CWC (discussed above); the hazardous materials listed in Department of Transportation's Hazardous Materials Regulations (see e.g. 49 CFR 172.101); and the TSA Select Hazardous Materials List. The Department may also seek and analyze information from many other sources, including from experts in the industry, from state or local governments or directly from facilities that may qualify as highrisk. The Department requests comment on appropriate sources of information or methodologies for evaluating chemical facility risks. The Department also requests comments on whether, to the extent it looks to the nature of particular chemicals to classify facilities, classifications should be based on a ``hazardclass'' approach rather than classifications based on particular chemicals.

As discussed above, the Department has worked with the American Society of Mechanical Engineers (ASME) and others to design a RAMCAP ``Topscreen'' process for determining the potential security risk posed by many types of critical infrastructure facilities, including chemical facilities. The Department proposes to employ a risk assessment methodology system very similar to this RAMCAP Topscreen process to determine whether a facility qualifies as highrisk under Section 550, and seeks comment on how such a processas described above and in Appendix Ashould be employed for that purpose.

The proposed regulation would permit the Department to implement this type of Topscreen risk analysis process to screen facilities. The proposed language interprets the statutory phrase ``present[s] high levels of security risk'' to apply to a facility that, in the discretion of the Secretary, would present a high risk of significant adverse consequences for human life or health, national security or critical economic assets if subjected to a terrorist attack. See proposed 6 CFR 27.100, below. As noted, the statute gives the Secretary unreviewable discretion to make this determination. See Pub. L. 109 295, secs. 550(a), (b), Oct. 4, 2006.

A separate question is whether the Secretary can compel facilities that have not yet been deemed ``high risk'' to complete a risk assessment methodology such as the RAMCAP Topscreen, or punish them for failure to do so. In other words, can the Secretary mandate information submissions from a broad range of chemical facilities in order to screen facilities and determine which will qualify as high risk?

There are two arguments that the Secretary has such authority under Section 550. First, the authority to determine which facilities qualify as ``high risk'' implies necessary authority to obtain information to make that determination. See, e.g., United States v. Construction Products Research, Inc., 73 F.3d 464, 470 (2d Cir. 1996) (``at the subpoena enforcement stage, courts need not determine whether the subpoenaed party is within the agency's jurisdiction or covered by the statute it administers''); Equal Employment Opportunity Commission v. Sidley Austin Brown & Wood, 315 F.3d 696, 699701 (7th Cir. 2002). Second, Section 550 states explicitly that the Secretary ``shall audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section.'' Since this provision can be read to permit the Department physically to inspect ``chemical facilities'' regardless of whether they qualify as ``high risk,'' the Department should impliedly have the less dramatic authority to obtain preliminary information for the same purpose. Indeed, the use of a Topscreen process will be a less onerous imposition for many facilities that may not, after due consideration, present high levels of security risk.

The following approach to screening facilities is reflected below in the proposed rule text:

The Department requests comments on this proposed process and the draft regulation at Sec. Sec. 27.200 and 27.205 below.

In order to carry out this approach, the Department will need to identify the types or classes of facilities that should complete Top Screen for screening purposes. To that end, the Department requests comments on whether the Department should request that:

Among other things, Section 550 requires the Department to issue interim final regulations ``establishing riskbased performance standards for chemical facilities.'' The terms ``riskbased'' and ``performance standards'' both carry significant meaning.

The term ``performance standards'' has a long and wellknown history. See Cary Coglianese et al., PerformanceBased Regulation: Prospects and Limitations in Health, Safety, and Environmental Protection, 55 Admin. L. Rev. 705, 70607 (2003). The term has repeatedly been defined: Performance standards
* * * state[] requirements in terms of required results with criteria for verifying compliance but without stating the methods for achieving required results. A performance standard may define functional requirements for the item, operational requirements, and/ or interface and interchangeability characteristics. A performance standard may be viewed in juxtaposition to a prescriptive standard which may specify design requirements, such as materials to be used, [[Page 78283]]
how a requirement is to be achieved, or how an item is to be fabricated or constructed.
OMB Circular A119 (Feb. 10, 1998); see also Coglianese, Performance Based Regulation, 55 Admin. L. Rev. at 709:
A performance standard specifies the outcome required, but leaves the specific measures to achieve that outcome up to the discretion of the regulated entity. In contrast to a design standard or a technologybased standard that specifies exactly how to achieve compliance, a performance standard sets a goal and lets each regulated entity decide how to meet it.
Note also that Executive Order 12,866 specifies the use of performance standards:
Each agency shall identify and assess alternative forms of regulation and shall, to the extent feasible, specify performance objectives, rather than specify the behavior or manner of compliance that regulated entities must adopt.
Exec. Order 12,866, 58 FR 51,735 (Oct. 4, 1993), as amended by Exec. Order 13258, 67 FR 9385 (Feb. 28, 2002).

Here, Section 550 specifies that the required ``performance standards'' must be ``riskbased.'' Although the term ``riskbased'' is not specifically defined in Section 550, the language of Section 550 along with other recent legislative activity yield an understanding of the ``riskbased'' standards. The term ``riskbased'' modifies ``performance standard'' and indicates that the performance standards established under Section 550 will mandate the most rigorous levels of protection and regulatory scrutiny for facilities that present the greatest degrees of security risk. Prior legislative proposals on chemical security would have required this result expressly through riskbased tiering of facilities based on the potential affects on human health caused by a terrorist attack at a facility, potential impact on national security, or potentially critical economic consequences. See H.R. 5695, 109th Cong. sec. 2 (2006), S. 2145, 109th Cong. (2006). In many of those prior proposals, the Department would have been required to analyze relative risk first, sort facilities into appropriate riskbased tiers, then create standards requiring more robust levels of protection for higher risk tiers. In addition, prior legislative proposals specified more frequent regulatory reviews, inspections, and security plan updates for higher risk facilities.

The Department believes that the ``riskbased performance standards'' and the Section 550 Program should indeed incorporate risk based tiering. As addressed above, Section 550 provides the Department with authority to regulate those chemical facilities ``that, in the discretion of the Secretary, present high levels of security risk.'' Thus, the riskbased tiers would differentiate and create tiers among those facilities that, as described above, qualify as presenting ``high levels of security risk'' and are thus ``covered facilities.'' The Department seeks comment on this notion of riskbased tiering among highrisk facilities. Specifically:

The Department would establish the riskbased performance standards through the regulatory language below and intends to issue guidance periodically regarding compliance with the standards. Please note that specific security performance variables in the standards among tiers for the covered facilities are likely to contain sensitive information regarding covered facility vulnerability or security. Thus, certain elements of guidance on the application of these standards by tier will be provided to covered facilities pursuant to the information protections provisions of Section 550.
E. Vulnerability Assessments and the Development and Implementation of Site Security Plans for Chemical Facilities

The first sentence of Section 550 requires the Department to mandate that ``high risk'' chemical facilities, known here as ``covered facilities,'' perform Vulnerability Assessments and develop and implement Site Security Plans.

1. Vulnerability Assessments

A Vulnerability Assessment is an examination of how a covered facility would address specific types of possible terrorist threats. The assessment also examines the aspects of the covered facility that pose the most significant vulnerabilities to terrorist attack. The Department has worked with its partners to develop a methodology for this purpose which may be refined to fit the needs of this program's Vulnerability Assessment program. The methodology is described in detail in Appendix B. The Department seeks comment on how this methodology should be refined to serve as a basis for Vulnerability Assessments under Section 550.

Covered facilities, those that qualify as ``high risk'' under Section 550, will be required to complete and submit Vulnerability Assessments. DHS will review each Vulnerability Assessment, and the Department may also scrutinize the Vulnerability Assessments in the course of a facility audit (discussed infra). In addition, a covered facility Vulnerability Assessment will serve two other central purposes: (1) The Department will use the results of Vulnerability Assessments to confirm that covered facilities have been assigned to the appropriate riskbased tiers; and (2) Each covered facility's Site Security Plan (discussed below) will be required to address each of the vulnerabilities identified in the Vulnerability Assessment. See Pub. L. 109295, sec. 550(a), Oct. 4, 2006 (``Provided further, That such regulation shall permit each facility, in developing and implementing Site Security Plans, to select layered security measures that, in combination, appropriately address the Vulnerability Assessment and the riskbased performance standard for security for the facility.'') Covered facilities also have continuing obligations, which vary based on their riskbased tier, to maintain and periodically update their Vulnerability Assessment.

As noted, the Department will sort the covered facilities into tiers, based on risk. The Department may have three or four tiers, with the highest risk facilities in tier one. The tiering decisions will be based on a number of factors, including information from the Top screen, intelligence information, and information from other appropriate sources. As discussed below in a section II. K., the Department considers the methods for determining these tiers to be sensitive antiterrorism information that may be protected from further disclosure.

Many chemical facilities have already performed Vulnerability Assessments under models that are similar in purpose and effect to the RAMCAP methodology identified above. For a number of covered facilities, particularly in the initial year of the program, these Vulnerability Assessments will be acceptable in lieu of completing the Department's vulnerability analysis. Through the Alternative Security Program (ASP) provisions described herein, the proposed regulation will permit the Assistant Secretary to accept existing chemical facility Vulnerability Assessments, subject to any necessary revisions or supplements, where the
[[Page 78284]]
assessments are sufficiently similar to the Department's process to be effective. The Department is considering accepting any Vulnerability Assessments methodologies that are certified by the Center for Chemical Process (CCPS) as equivalent to the CCPS Methodology; and will review other Vulnerability Assessments submitted as ASPs. See proposed 6 CFR 27.215(a).

2. Site Security Plans

Under Section 550, the Department must also require that ``high risk'' chemical facilities develop and implement ``Site Security Plans.'' The statute specifies that the Department ``shall permit each facility, in developing and implementing Site Security Plans, to select layered security measures that, in combination, appropriately address the Vulnerability Assessment [for the facility] and the riskbased performance standards for security for the facility.'' This sentence identifies two critical statutory mandates.

First, as indicated, a Site Security Plan must address both the ``Vulnerability Assessment'' for the covered facility and the applicable ``riskbased performance standards.'' To address the Vulnerability Assessment, the plan must identify and describe the function of the measures the covered facility will employ to address each of the facility's vulnerable areas. Focusing on those vulnerable areas, the Site Security Plan must then address specific modes of potential terrorist attack and how each would be deterred or otherwise addressed. For example, a facility must select, develop and describe security measures intended to address potential attacks involving: (1) A VBIED (vehicle borne improvised explosive device); (2) a waterborne explosive device (if applicable); (3) an assault team; (4) individual(s) on the premises with explosives or a firearm, or (5) theft of certain chemicals; and (6) the possibility of insider or cyber sabotage.

In addition, a covered facility's Site Security Plan must identify how the layered security measures selected by the covered facility meet the Department's riskbased performance standards. Although this process can be different for each facility and will vary depending on the unique risks presented in each, the performance standards will typically require covered facilities to develop and explain security measures to:

The types and intensity of measures necessary to satisfy these standards will depend, of course, on the riskbased tier of the covered facility at issue. Covered facilities will also have a continuing obligation, which will vary based on their riskbased tier, to maintain and periodically update their Site Security Plan.

Aside from the performance standards identified in proposed Sec. 27.230, the Department will also consider adopting other performance standards from the following meriting security regulatory provisions: 33 CFR 105.250 (Security systems and equipment maintenance); 33 CFR 105.255 (Security measures for access control); 33 CFR 105.260 (Security measures for restricted areas); 33 CFR 105.275 (Security measures for monitoring); 33 CFR 105.280 (Security incident procedures). The terms of these provisions, if adopted, would need modification. For example, the provisions related to security measures for restricted areas identifies such areas to include ``[s]hore areas immediately adjacent to each vessel moored at the facility.'' 33 CFR 105.260. The Department requests comments on whether these or other MTSA regulatory provisions should be adopted in modified form. The Department also requests specific comments on how, if adopted, the Department should modify these provisions.

Section 550 also strikes a careful balance between the Department's regulatory authority and a covered facility's discretion to select security measures. Three separate provisions are relevant to this balance. As noted above, the term ``performance standards'' has long been defined to ``specif[y] the outcome required, but leave[] the specific measures to achieve that outcome up to the discretion of the regulated entity.'' See above, Coglianese, PerformanceBased Regulation, 55 Admin. L. Rev. at 709. The statute also mandates that the Department ``shall
[[Page 78285]]
permit each facility * * * to select layered security measures * * * '' to address its vulnerabilities and the performance standards. Pub. L. 109295, sec. 550(a), Oct. 4, 2006 (emphasis supplied). Further, the statute specifically prohibits the Department from rejecting a Site Security Plan, because it does not incorporate a specific type of security measure: ``[T]he Secretary may not disapprove a Site Security Plan submitted under this section based on the presence or absence of a particular security measure.'' Id. (emphasis supplied).

The meaning of these three provisions was not in dispute at the time of Congress's Conference on the Appropriations Bill on September 29, 2006. Indeed, as Representative Markey and others noted, ``the Department of Homeland Security is prohibited from disapproving of a facility's security plan because of the absence of any specific security measure.'' See 152 Cong. Rec. H7907 at H7913 (daily ed. Sept. 29, 2006).

Although the Department may not require that a covered facility select a specific measure to enhance its security, the Department may ``disapprove a Site Security Plan if [the plan] fails to satisfy the riskbased performance standards established by this section.'' Pub. L. 109295, sec. 550(a), Oct. 4, 2006. The

FOR FURTHER INFORMATION CONTACT Dennis Deziel, Chief Program Analyst, Chemical Security Regulatory Task Force, Department of Homeland Security, 7032355263.