The nation’s top cybersecurity agency said it is having to rely on a voluntary program to protect more than 40,000 chemical facilities in the United States from physical and cyberattacks after Congress defanged it by failing to reauthorize a critical anti-terrorism program this summer.

Lawmakers’ inability to keep the statutory authority of the Chemical Facility Anti-Terrorism Standards (CFATS) from expiring in July leaves “our nation without a regulatory chemical security program for the first time in 15 years,” Kelly Murray, association director for chemical security with the Cybersecurity and Infrastructure Security Agency (CISA), wrote in a blog post this week.

Murray called on Congress to reauthorize CFATS, saying it “provides essential resilience for the chemical industry by enabling chemical facility owners and operators to understand the risks associated with their chemical security holdings, develop site security plans and programs, conduct site inspections, coordinate with local law enforcement and first responders, and continue to reevaluate each facility’s security posture based on changes in its chemical holdings and threat nexus.”

CISA is reupping the call in light of November being Critical Infrastructure Security and Resilience Month.

The House of Representatives passed a CFATS reauthorization bill July 25, three days before the program’s authority expired, with Rep. Laurel Lee (R-FL) saying in a statement that “collaboration between industry leaders and the Department of Homeland Security [DHS] has never been more important with cyberattacks becoming more common.”

However, Sen. Rand Paul (R-KY) blocked the passage of a similar bill in the Senate due to what he called duplicative federal programs and reportedly saying that until then, “every company has a self-incentive to protect hazardous chemicals.”

Protecting the Chemicals Sector

CFATS was created in the aftermath of the 9/11 terrorist attack, giving CISA broad authority to inspect facilities, ensure companies had proper security measures in place, and require chemical companies to report the storage and use of chemicals in their facilities.

The program also is an important part of the Biden Administration’s larger effort to protect critical infrastructure – not only chemicals, but communications, water, energy, financial services, IT, and other sectors – from cyberthreats in the wake of such attacks like that one on SolarWinds in 2020 and global meat processor JBS Foods the next year.

According to CISA’s Murray, the agency used the CFATS authority to screen more than 40,000 chemical facilities and identified 3,200 as high-risk, working with them to put in place more appropriate security plans. She said that in the four months since Congress failed to reauthorize CFATS, at least 200 new chemical facilities have acquired chemicals that need to be more carefully secured and that other facilities could be collecting such chemicals in quantities that are beyond what their existing security plans should handle, creating a security risk.

“CISA was constantly monitoring the landscape of dangerous chemicals across the nation as individual facilities tiered in and out of the program based on increases or decreases in these chemical holdings, she wrote. “Without CFATS, our agency no longer has an accurate national profile of the locations of these dangerous chemicals.”

Voluntary Program No Substitute

In the meantime, the agency is relying on the ChemLock program, offering its expertise to facilities with dangerous chemical even if they weren’t listed under CFATS. Organization also can request on-site assessments and help from CISA. That said, ChemLock can’t replace CFATS, Murray wrote.

“We know the threat of chemical terrorism did not go away simply because the CFATS program expired,” she wrote. “We know the best practices to protect dangerous chemicals against terrorist exploitation still work, and we continue to strive to share that knowledge with the chemical industry via the ChemLock program on a voluntary basis. But … the absence of the CFATS program is a national security gap too great to ignore.”

CISA isn’t the only organization pushing Congress to reauthorize CFATS. In testimony before the Senate’s Committee on Homeland Security and Governmental Affairs in October, DHS Secretary Alejandro Mayorkas said that without CFATS, his department is no longer authorized to conduct more than 450 inspections. He noted that typically, more than a third of inspections find at least one gap in a facility’s security.

“DHS can no longer reassure the more than 3,200 communities surrounding chemical facilities at high risk of terrorist attack that everything is being done to ensure those chemicals are protected,” Mayorkas said.

Trade Groups Push for Reauthorization

In September, almost a dozen trade groups sent a letter to the Senate urging for the CFATS reauthorization. The diverse group included such organizations as the American Chemical Council, American Gas Association, International Warehouse Logistics Association, and the U.S. Chamber of Commerce.

The group argued that the program’s expiration “weakens our nation’s security posture. Our members will continue to make investments and decisions to strengthen facility security to the best of their knowledge and ability. However, these efforts are much stronger with CFATS, which allows the private sector and federal partners to work together.”