By David Perera
Homeland Security Department officials defended the risk assessment methodology used to classify chemical facilities under the Chemical Facility Anti-Terrorism Standards program during a March 14 House hearing.
The Government Accountability Office released that day a preliminary report (.pdf) on the program criticizing officials for not considering facility vulnerability and mostly ignoring threat data when assigning a risk tier to the 4,380 facilities nationwide covered under the CFATS regulation.
The risk methodology is largely based on the consequence to human life that the release or theft of a chemical would cause or on the consequence to lives by sabotage, the GAO says.
Watchdog officials find multiple faults with the methodology, based on standards called for by the CFATS regulation. Consequence assessment should also consider the direct economic effects, auditors say, and CFATS officials consider threat data in the risk assessments of only about 350 facilities, just those at risk of sabotage. In addition, they don’t take into account vulnerability, at all. (Threat is the likelihood of an attack; vulnerability is the likelihood of a successful attack, given an attempt.)
But focusing “principally on consequences in a regulatory compliance framework is an appropriate way to tier facilities,” said David Wulf, director of the DHS Infrastructure Security Compliance Division. He testified before the House Energy and Commerce subcommittee on the environment and the economy.