Monday, April 9, 2007

Part III

Department of Homeland Security 6 CFR Part 27 Chemical Facility Anti-Terrorism Standards; Final Rule

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17688 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

DEPARTMENT OF HOMELAND FOR FURTHER INFORMATION CONTACT: 4. Relation of CVI to Other Categories of SECURITY Dennis Deziel, Chemical Security Protected Information and FOIA Regulatory Task Force, Department of 5. Sharing CVI with State and Local 6 CFR Part 27 Homeland Security, 703–235–5263. Officials, the Public, and Congress 6. Litigation [DHS–2006–0073] SUPPLEMENTARY INFORMATION: This 7. Protection of CVI interim final rule is organized as K. Preemption RIN 1601–AA41 follows: Section I explains the public L. Implementation of the Rule participation provisions and provides a M. Other Issues Chemical Facility Anti-Terrorism brief discussion of the statutory and 1. Whistleblower Protection Standards 2. Inherently Safer Technology regulatory authority and history; Section 3. Delegation of Responsibility II summarizes the changes from the AGENCY: Department Of Homeland 4. Interaction with Other Federal Rules and Advance Notice of Rulemaking and Security. Programs discusses the revised rule text; Section 5. Third-Party Actions ACTION: Interim final rule. III summarizes and responds to the 6. Judicial Review 7. Guidance and Technical Assistance SUMMARY: The Department of Homeland comments the Department received in response to the Advance Notice of 8. Miscellaneous Comments Security (DHS or Department) issues N. Regulatory Evaluation this interim final rule (IFR) pursuant to Rulemaking; and Section IV contains the regulatory analyses for this interim IV. Regulatory Analyses Section 550 of the Homeland Security A. Executive Order 12866: Regulatory Appropriations Act of 2007 (Section final rule. Planning and Review 550), which provided the Department Table of Contents B. Regulatory Flexibility Act with authority to promulgate ‘‘interim C. Executive Order 13132: Federalism I. Introduction and Background 1. Background final regulations’’ for the security of A. Public Participation certain chemical facilities in the United 2. Propriety of the Department’s View on B. Statutory and Regulatory Authority and Preemption States. History 3. No Field Preemption This rule establishes risk-based II. Interim Final Rule 4. Principles of Conflict Preemption performance standards for the security A. Summary of Changes From Advance D. Unfunded Mandates Reform Act of our Nation’s chemical facilities. It Notice of Rulemaking E. Paperwork Reduction Act requires covered chemical facilities to B. Rule Provisions F. NEPA prepare Security Vulnerability III. Discussion of Comments I. Introduction and Background Assessments (SVAs), which identify A. Applicability of the Rule 1. Definition of ‘‘Chemical Facility or facility security vulnerabilities, and to Facility’’ A. Public Participation develop and implement Site Security 2. Multiple Owners or Operators Interested persons are invited to Plans (SSPs), which include measures 3. Classifying Facilities Based on Hazard participate in this rulemaking by that satisfy the identified risk-based Class submitting written data, views, or performance standards. It also allows 4. Applicability to Specific Chemicals or arguments on Appendix A of this Quantities of Chemicals certain covered chemical facilities, in interim final rule. Comments that will specified circumstances, to submit 5. Applicability to Types of Facilities 6. Statutory Exemptions provide the most assistance to DHS in Alternate Security Programs (ASPs) in finalizing the Appendix will reference lieu of an SVA, SSP, or both. B. Determining Which Facilities Present a High-Level of Security Risk specific chemicals and Screening The rule contains associated 1. Use of the Top-Screen Approach Threshold Quantities on the list, explain provisions addressing inspections and 2. Assessment Methodologies the reason for any recommended audits, recordkeeping, and the 3. Risk-Based Tiers change, and include data, information, protection of information that C. Security Vulnerability Assessments and or authority that support such constitutes Chemical-terrorism Site Security Plans recommended change. 1. General Comments Vulnerability Information (CVI). Finally, Instructions: All submissions received the rule provides the Department with 2. Submitting a Site Security Plan 3. Content of Site Security Plans must include the agency name and authority to seek compliance through docket number for this rulemaking. All the issuance of Orders, including Orders 4. Approval of Site Security Plans 5. Timing comments received will be posted Assessing Civil Penalty and Orders for 6. Alternate Security Programs without change to http:// the Cessation of Operations. D. Risk-Based Performance Standards www.regulations.gov, including any EFFECTIVE DATES: This regulation is 1. General Approach To Performance personal information provided. effective June 8, 2007, except for Standards Comments that include trade secrets, Appendix A to part 27. A subsequent 2. Comments about Specific Performance confidential commercial or financial Standards final rule document will announce the information, Sensitive Security effective date of Appendix A to Part 27. 3. Variations in Performance Standards for Risk Tiers Information (SSI), or Protected Critical Comment related to the addition of 4. Adoption of MTSA Provisions Infrastructure Information (PCII) should Appendix A to part 27 only will be E. Background Checks not be submitted to the public accepted until May 9, 2007. F. Inspections and Audits regulatory docket. Please submit such ADDRESSES: You may submit comments, 1. Inspections comments separately from other identified by docket number 2006–0073, 2. Third-Party Auditors and Inspectors comments on the rule. Comments by one of the following methods: G. Recordkeeping containing trade secrets, confidential • Federal eRulemaking Portal: H. Orders commercial or financial information, I. Adjudications and Appeals http://www.regulations.gov. Follow the J. Information Protection: Chemical- Sensitive Security Information (SSI), or instructions for submitting comments. Protected Critical Infrastructure • terrorism Vulnerability Information (CVI) Mail: IP/CSCD/Dennis Deziel, Mail 1. General Information (PCII) should be Stop 8100, Department of Homeland 2. Disclosure of CVI appropriately marked as containing Security, Washington, DC 20528–8100. 3. Scope of CVI such information and submitted by mail

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17689

to the individual(s) listed in the FOR Explosives (ATF) regulates, through the Department provides further details FURTHER INFORMATION CONTACT section. licenses and permits, the purchase, below on a number of unresolved issues Docket: For access to the docket to possession, storage, and transportation presented in the Advance Notice. For read background documents or of explosives. example, the Department provides comments received, go to http:// With the authority under Section 550, further detail on the issues surrounding www.regulations.gov. Submitted the Department can now fill a background checks for those with access comments by mail may also be significant security gap in the country’s to high-risk facilities, and the inspected. To inspect comments, please anti-terrorism efforts. Section 550 Department describes its approach on call Dennis Deziel, 703–235–5263, to specifies that the regulations ‘‘shall facilities possessing ammonium nitrate. arrange for an appointment. apply to chemical facilities that, in the On several important issues, the Department has reconsidered and B. Statutory Regulatory Authority and discretion of the Secretary, present high modified the position it proposed in the History levels of security risk.’’ The statute requires that the regulations establish Advance Notice. For example, in On October 4, 2006, the President risk-based performance standards; response to comments, the Department signed the Department of Homeland requires Security Vulnerability has restructured its provisions Security Appropriations Act of 2007 Assessments and Site Security Plans; concerning objections, consultations, (the Act), which provides the allows Alternative Security Programs; adjudications, and appeals. As Department of Homeland Security with mandates audits and inspections to discussed below, the Department’s aim the authority to regulate the security of determine compliance with the is to provide flexibility and assistance high-risk chemical facilities. See Pub. L. regulations; provides for civil penalties for facilities seeking to comply with the 109–295, sec. 550. Section 550 requires for violation of an order issued under regulatory standards. The Department the Secretary of Homeland Security to the statute; and allows the Secretary to has decided, however, to incorporate a promulgate interim final regulations order a facility to cease operations if the role for a neutral adjudicator where ‘‘establishing risk-based performance facility is not in compliance with the unresolved differences present standards for security of chemical requirements. The statute also gives the themselves and result in significant facilities’’ by April 4, 2007. Id. Although Department the authority to protect fines or other penalties. In addition, the interim final regulations are usually from inappropriate public disclosure Department has modified a number of issued without prior notice and any information developed pursuant to scheduling and timing requirements in comment (and the Act requires neither), Section 550, ‘‘including vulnerability response to comments, and the the Department issued an Advance assessments, site security plans, and Department further explains its Notice of Rulemaking (Advance Notice) other security related information, approach on preemption of state and seeking comment on the significant records, and documents.’’ local law after considering the issues and regulatory text. See generally As discussed in the Advance Notice, numerous comments on that subject. 71 FR 78276 (Dec. 28, 2006). by directing the Secretary to issue Although the Department continues to As discussed more fully in the ‘‘interim final regulations,’’ Congress view as important the opportunity for Advance Notice, before the enactment of authorized the Secretary to proceed facilities to submit Alternative Security Section 550, the Federal government did without the traditional notice-and- Programs, the Department modified the not have authority to regulate the comment required by the circumstances in which it will accept security of most chemical facilities. The Administrative Procedure Act. See 71 Alternative Security Programs. Department has, however, worked Finally, the Department will consider closely with industry leaders in pursuit FR 78276, 78277. The Department, however, saw great benefit in soliciting the issues surrounding the use of fees in of voluntary enhancement of security at this regulatory program. The these facilities and provided both comments on as much of the program as was practicable in the short timeframe Department is contemplating the technical assistance and grant funding assessment of different fees, including for security. In addition, through the permitted under the statute. Accordingly, the Department filing fees, fees for inspections and Coast Guard’s Maritime Security audits, and fees for the screening of voluntarily sought comment on a range regulations, the Department has individuals against the Terrorist of regulatory and implementation issues addressed security at certain maritime- Screening Database. The Department and responds to the comments below. related chemical facilities. See 33 CFR has not provided for fees in this interim Part 105. Recently, the Departments of II. Interim Final Rule final rule, but may, in the future, Homeland Security and Transportation propose and seek comment on the A. Summary of Changes From Advance also proposed security regulations for issues surrounding fees for this Notice of Rulemaking the rail transportation of hazardous regulatory program. chemicals. See 71 FR 76834, 71 FR In this interim final rule, the 76851 (Dec. 21, 2006). Other Federal Department has not changed the B. Rule Provisions programs have addressed chemical general, risk-based approach it proposed This section summarizes the facility safety, but not security: the in the December 28, 2006, Advance regulatory text changes that the Environmental Protection Agency (EPA) Notice. See 71 FR 78276. As discussed Department has made to this interim regulates chemical process safety in detail below, the Department plans to final rule. In addition to the summary through its Risk Management Plan implement the regulation in phases, contained in this section, we have, in (RMP) program; the Department of starting to work aggressively with many cases, provided a more extensive Labor’s Occupational Safety and Health chemical facilities presenting the very discussion of the change, and the reason Administration (OSHA) regulates highest security risks first. The for the change, in the response to workplace safety and health at chemical Department adopts a risk-based tiering comments below. See § III ‘‘Discussion facilities; the Department of Commerce structure in its regulatory approach, so of Comments.’’ Finally, to the extent oversees compliance with the Chemical that the Department’s scrutiny of that the Department has made technical Weapons Convention; and the facilities under this regulation increases corrections or corrected typographical Department of Justice’s Bureau of as the level of risk increases. Even errors, we do not specifically discuss Alcohol, Tobacco, Firearms, and though this approach remains the same, them.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17690 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

Subpart A be available only to the extent that proposed § 27.200(a). Paragraph (b)(1) Section 27.100 Purpose resources permit. provides that the Assistant Secretary In § 27.120(c), the Department has may seek the information listed in The Department has added a Purpose provided specific details as to how a paragraph (a) by contacting chemical section to the rule. It states the facility requests the assistance of the facilities individually or by publishing a Department’s purpose and intent in Coordinating Official. In the second notice in the Federal Register. It also issuing this rule and enforcing this sentence of § 27.120(c), the Department provides that the Assistant Secretary regulatory program. provides that requests for consultation may instruct facilities to complete and or technical guidance do not serve to submit a Top-Screen through a secure Section 27.105 Definitions toll any of the applicable timelines set Department Web site or through any For purposes of clarity, DHS has forth in this part. Accordingly, other means approved by the Assistant added several definitions, including regardless of whether or when a facility Secretary. ‘‘Chemical Security Assessment Tool,’’ submits a request for consultation or Paragraph (b)(2) is a new provision. It ‘‘Chemical-terrorism Vulnerability technical guidance, the Department will provides that a facility must complete Information,’’ ‘‘Deputy Secretary,’’ require the facility to comply with the and submit a Top-Screen in accordance ‘‘Director of the Chemical Security regulatory requirements, such as with the schedule provided in § 27.210 Division’’ and ‘‘Screening Threshold completing the Top-Screen, identifying if it possesses any of the chemicals Quantity.’’ The Department has also vulnerabilities in the Security listed in Appendix A: ‘‘DHS Chemicals revised a few definitions, including Vulnerability Assessment, and of Interest’’ at the corresponding ‘‘Assistant Secretary’’ and ‘‘Under developing and implementing a Site quantities. For a further discussion of Secretary.’’ The Department revised Security Plan. Appendix A, see the discussion of ‘‘Under Secretary’’ as a result of The Department has added a new Appendix A further below in the Rule organizational changes in the provision in § 27.120(d). This provision Provisions section. The purpose of this Department following the Post-Katrina provides that a covered facility may provision is to give facilities direction as Emergency Reform Act, which the request a consultation with the to whether or not they must complete President signed on October 4, 2006. Coordinating Official if it modifies its and submit a Top-Screen. See Public Law 109–295, Title VI. In facility, processes, or the types or As noted in the discussion of several places, the Department indicated quantities of materials that it possesses, Appendix A, the presence or amount of that the named official, or his designee, and believes such changes may impact a particular chemical is not an indicator has the specified responsibility under the covered facility’s obligations under of a facility’s coverage under this rule. the regulation. The Department also this part. The Department added this The presence or amount of a chemical in the Appendix is merely a baseline revised the definition of ‘‘Alternate provision in response to commenters threshold requiring a facility to Security Program,’’ to provide concerned about a facility’s ability to complete and submit a Top-Screen. consistency with changes the ‘‘exit’’ the regulatory program. The (Consistent with § 27.200(b)(1), DHS Department has since made to § 27.235, Department recognizes that facilities will retain the ability to notify facilities, the Alternate Security Programs section. that reduce risk to levels below those through direct notification or Federal The Department expanded upon the levels that the Department deems as that Register notice, that they need to definition of ‘‘tier,’’ adding that, for characterized for Tier 4 facilities (i.e., complete and submit a Top-Screen.) The purposes of this part, there are four risk- the lowest risk facilities of the ‘‘high information that the Department will based tiers. risk’’ facilities) or that eliminate certain obtain through the Top-Screen process risks altogether may no longer need to Finally, the Department made is only one of several factors that the be covered by this regulation. This clarifying changes to ‘‘Chemical Department will consider in provision allows the covered facility to Facility,’’ ‘‘Covered Chemical Facility,’’ determining whether a facility is ‘‘high- request the initiation of the screening and ‘‘Owner.’’ With respect to the risk’’ and thus covered by this rule. definition of ‘‘Chemical Facility,’’ the process (which determines whether or Paragraph (b)(3) addresses the Department removed the circular nature not the facility is high-risk and therefore requirements for individuals who of the definition in the Advance Notice whether the facility is or is not included submit information to the Department (i.e., a chemical facility shall mean any in this regulatory program) prior to the through the CSAT system, which facility) (emphasis added) and now facility’s next scheduled CSAT Top- includes the Top-Screen process. provides that a chemical facility ‘‘shall Screen submission pursuant to § 27.210. Paragraph (b)(3) provides that, where mean any establishment that possesses Through this consultation process, the the Department requests that a facility or plans to possess * * *.’’ facility may initiate discussions with complete and submit a Top-Screen, the the Department and ultimately Section 27.120 Designation of a facility must designate a person to be accelerate the process for determining responsible for the submission of coordinating official; Consultations and whether it can ‘‘exit’’ the regulatory technical assistance information through the CSAT system. program. (The CSAT system is comprised of three The language in revised § 27.120(a) Subpart B sequential parts: the Top-Screen, the makes clear that the Assistant Secretary SVA, and the SSP). The Department will designate a Coordinating Official Section 27.200 Information regarding provides that any such submitter must responsible for ensuring the uniform, security risk for a chemical facility be an officer of the corporation or other impartial, and fair implementation of The Department has added several person designated by an officer of the these regulations. The language in new provisions to this section. The corporation, and must be domiciled in revised § 27.120(b) indicates that the Department has revised paragraph (b), the United States. The Department had Coordinating Official and his staff shall by incorporating language from contemplated such requirements in provide guidance to facilities, and while proposed § 27.200(a) of the Advance Appendix A to the Advance Notice and the Coordinating Official and his staff Notice and by also adding new now finalizes them here. will be available for consultation and to provisions. The two sentences in Consistent with the explanation in provide technical assistance, they will paragraph (b)(1) come from the end of Appendix A to the Advance Notice, the

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17691

Department notes that a facility may covered facility may request a SSP and that the Department would choose to have another individual, in consultation if it modifies its facility, notify the facility within 60 days of addition to the above-discussed processes, or the types or quantities of whether the Department disapproved ‘‘submitter,’’ involved in the submission materials that it possesses and believes the revised SVA or SSP. The of information through the Top-Screen. such changes may impact the covered Department has re-located a new but That other individual is a ‘‘provider.’’ A facility’s obligations under this part. In similar requirement in § 27.210(d). The provider would be a qualified addition, §§ 27.240(b) and 27.245(b) regulation now provides that if a individual who is familiar with the provide that a facility shall enter further covered facility makes material facility in question and who completes consultations following Departmental modifications to its operations or site, the information in the CSAT system. written notification that a Security the covered facility must complete and The provider, however, would not Vulnerability Assessment or Site submit a revised Top-Screen to the formally submit information to the Security Plan is unsatisfactory. Given Department within 60 days of Department. The individual responsible that the rule already provides completion of the material modification. for sending information to the consultation opportunities, coupled In accordance with the resubmission Department through the CSAT system with the fact that the Department has requirements in § 27.210(b)(2) and (3), (whether Top-Screen, SVA, or SSP) is greatly modified its adjudication and the Department will notify the covered always the submitter. And as indicated appeal provisions, the Department facility as to whether the covered in paragraph (b)(3), the submitter is also believes it is unnecessary to retain these facility must submit a revised Security responsible for attesting to the accuracy objections provisions and has thus Vulnerability Assessment, Site Security of the submitted information. removed them from the interim final Plan, or both. As a result of this new Paragraphs (c)(1) and (2) address rule. paragraph (d), the Department removed facilities that the Department deems as the provisions that appeared in Section 27.210 Submissions Schedule ‘‘presumptively high risk.’’ Both §§ 27.215(c)(3) and 27.225(b)(3) of the paragraphs were in the Advance Notice, In § 27.210, the Department clarifies Advance Notice. though they were located in proposed the submission schedule for the Top- §§ 27.200(b) and (c). Screen, Security Vulnerability Section 27.215 Security Vulnerability Assessment, and Site Security Plan. In Assessments and Section 27.225 Site Section 27.205 Determination that a § 27.210(a) of the Advance Notice, the Security Plans chemical facility ‘‘presents a high level Department included a sentence The Department has revised several of of security risk.’’ indicating that the presumptive time the corresponding provisions in both The Advance Notice, at the end of frames were 60 days for the Security § 27.215 and § 27.225. First, the § 27.205(a), contained a provision about Vulnerability Assessment and 120 days Department has revised the Departmental notification to facilities of for the Site Security Plan. In this interim corresponding provisions regarding their preliminary placement in a risk- final rule, the Department has added methodologies. Specifically, the based tier. The Department has moved presumptive timeframes for the Department has revised the language in that language to § 27.220 ‘‘Tiering,’’ so submission of the Top-Screen and § 27.215(b) and added a new paragraph that it is located with the related tiering revised the presumptive timeframes for (b) in § 27.225. In both places, the provisions. SVAs and SSPs. See § 27.210(a) and (b). Department explains that, except as In addition, the Department has The presumptive timeframes for initial provided in § 27.235, a covered facility removed proposed § 27.205(c), along submissions are 60 calendar days for the must submit either the SVA/SSP with §§ 27.220(b), and 27.240(c), all of Top-Screen, 90 calendar days for the through the CSAT process or any other which had contained a mechanism for SVA, and 120 calendar days for the SSP. methodology or process identified by objections. In the Advance Notice, the The presumptive timeframes for the Assistant Secretary. Department had provided facilities with resubmission vary depending on a By this change, the Department is the opportunity to object to the facility’s tier. As a general matter, the making more explicit its intention to use following three Departmental actions: Department will require facilities in the CSAT process at this time. The determination that a facility ‘‘presents a Tiers 1 and 2 to update their Top- CSAT process includes completion of high level of risk,’’ placement in a high- Screen, SVA, and SSP every two years, the Top-Screen process and, depending risk tier, and disapproval of a facility’s and facilities in Tiers 3 and 4 to update on the results of the Top-Screen process, Site Security Plan. The intention behind their Top-Screen, SVA, and SSP every may also include the development of a those provisions was to provide three years. Security Vulnerability Assessment and facilities with an informal opportunity In addition, the Department added a the development of a Site Security Plan. to consult with the Department. The new paragraph (c), which addresses the Thus, for facilities that are determined Department believes that the rule Department’s authority to modify to be high-risk, the CSAT process will (including existing provisions from the schedules as necessary. The Department consist of three sequential parts (i.e., the Advance Notice as well as new removed § 27.210(c) as it appeared in Top-Screen, SVA, and SSP). The provisions in this interim final rule) the Advance Notice, because the Department also notes that facilities will provides facilities with several provision was unnecessary in light of have to obtain access to the CSAT opportunities for consultation when the new provisions in § 27.120(b) and system by submitting a user registration they disagree with an initial decision on (c), ‘‘Designation of a coordinating request. Section 27.200(b)(1) contains these matters. Specifically, revised official; consultations and technical the requirements for individuals (i.e., § 27.120(b) provides that the assistance.’’ submitters) who will be submitting Coordinating Official and his staff shall Finally, the Department added a new information through the CSAT system be available to consult and to provide paragraph (d), which addresses material and attesting to the accuracy of that technical assistance to a facility owner modifications. In §§ 27.215(c)(3) and information. or operator, revised § 27.120(c) provides 27.225(b)(3) of the Advance Notice, the Second, in paragraph (c) of both the details for how a facility should Department provided that a covered sections, the Department provides that a initiate consultations or assistance, and facility had to notify the Department of covered facility must submit an SVA or revised § 27.120(d) provides that a material modifications to the SVA or SSP to the Department in accordance

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17692 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

with the schedule provided in § 27.210. decision. This contrasts with the the point at which the attack becomes This captures the requirement that had Advance Notice, which had merely successful.’’ This revised language more been located in proposed § 27.240(a)(1) indicated that the Department may adequately captures the concept that the of the Advance Notice. notify a facility of the Department’s Department had intended in the Third, in paragraph (d) of both preliminary tiering decision. language in paragraph (a)(4) of the sections, the Department revised the Section 27.220(b) is not a new Advance Notice and is more complete. update/revision provisions for subsection; rather, it contains the Section 27.230(a)(5) now requires submitting SVAs and SSPs. In the language that was previously located in facilities to secure and monitor the Advance Notice, the Department § 27.220(a). Note that the Department storage of hazardous materials, in indicated that covered facilities must has removed paragraph (b) as proposed addition to the shipping and receipt of update or revise their SVAs or SSPs in the Advance Notice. Paragraph (b) hazardous materials. Section based on a schedule set by the Assistant had contained an objections provision. 27.230(a)(8) now contains a broader Secretary. Because the Department has For a discussion of the Department’s description of critical process systems. established a submission schedule in decision to remove the objections In the Advance Notice, the Department § 27.210, the Department now includes provisions from this rule (in had used the acronym ‘‘SCADA’’ cross-references in § 27.215(d)(1) and §§ 27.205(c), 27.220(b), and 27.240(c)), (Supervisory Control and Data § 27.225(d)(2) to that schedule. As a see the summary under § 27.205(c). Acquisition) to refer to instrumented related matter, in § 27.215(d), the Section 27.220(c) is a new subsection. control systems in general. In this Department moved the general The Department is reiterating, in part, interim final rule, the Department has submissions schedule requirement to what it provides in the definitions provided more descriptive terminology § 27.215(d)(1), thereby re-locating the section. The Department will place to refer to critical process systems. For provision formerly in § 27.215(d)(1) to facilities in one of four risk-based tiers. a further discussion of SCADA, see the § 27.215(d)(2). Tiers will range from Tier 1, which Department responses to ‘‘Comments on Fourth, the Department has removed contains the highest-risk covered Specific Performance Standards.’’ the language about material facilities, to Tier 4, which contains the Section 27.230(a)(12) contains an modifications from proposed lowest-risk covered facilities. Finally, expanded standard for background § 27.215(c)(3) and § 27.225(b)(3). As the Department separated the sentence checks. For a further discussion of discussed in the summary of § 27.210, located at the end of proposed background checks, see the Department the Department added a new, but § 27.220(a) into its own section, response to comments about similar, provision to § 27.210(d). The § 27.220(d). ‘‘Background Checks.’’ Section new provision now captures the concept Section 27.230 Risk-Based 27.230(a)(15) now provides that contemplated in proposed § 27.215(c)(3) Performance Standards facilities should report significant and § 27.225(b)(3). security incidents to local law With respect to changes to § 27.225 This section contains the risk-based enforcement in addition to the only, the Department has added a performance standards that covered Department. Finally, the Department provision that requires facilities to facilities must satisfy. The Department has removed the paragraph that was conduct annual audits of their Site has added a sentence to § 27.230(a), paragraph 27.230(a)(19) in the Advance Security Plans. See § 27.225(e). This noting that the ‘‘acceptable layering of Notice, because that standard was provision had been implied in the measures used to meet the standards already addressed in paragraph (a)(14). recordkeeping requirement in the will vary by risk-based tier.’’ While all Advance Notice (see § 27.255(a)(6)) and facilities must satisfy the performance Section 27.235 Alternative security is now explicit. DHS made some standards, the measures sufficient to program additional revisions to the meet those standards will be more The Department has revised this corresponding recordkeeping provision, robust for those facilities that present section to provide more detail about the in which DHS more clearly specifies the higher levels of risk. In other words, the process for Alternate Security Programs audit-related records that covered manner in which the standards are (ASPs). The basic requirement remains facilities should maintain. applied will require a higher level of the same, in that certain covered Finally, throughout this document, security (and so provide for greater facilities may submit ASPs, and the the Department now uses the term reduction in risk) for those facilities that Assistant Secretary may approve those ‘‘Security Vulnerability Assessment’’ (or present higher levels of risk. The ASPs. See § 27.235(a). To accept an SVA) instead of the term ‘‘Vulnerability Department will provide details about ASP, the Assistant Secretary must find Assessment’’ or (VA), which the the application of these standards in that the program ‘‘provides an Department had used in the Advance guidance. equivalent level of security to the level Notice. The Department intends no In addition, for each of the of security established by this part.’’ change in meaning with this revision. performance standards, the Department This language, which clarifies the has added a short descriptor at the standard for accepting ASPs, comes Section 27.220 Tiering beginning of the subparagraph (e.g., from the preamble of the Advance The Department has added several paragraph (a)(1) begins with ‘‘Restricted Notice and is consistent with the terms paragraphs to this section. Section Area Perimeter,’’ paragraph (a)(2) begins of Section 550. See 71 FR 78276, 78285. 27.220(a) addresses the Department’s with ‘‘Securing Site Assets,’’ and so In § 27.235(a)(1)–(2), the Department preliminary determination as to a forth). specifies, by tier, which facilities may facility’s risk-based tier. Paragraph (a) is The Department has also revised some submit ASPs in lieu of Security based on language that had been in the of the language related to specific Vulnerability Assessments (SVAs) and Advance Notice at the end of performance standards. Section which facilities may submit ASPs in § 27.205(a). The Department has 27.230(a)(4) now provides that facilities lieu of Site Security Plans (SSPs). A Tier elaborated on the Preliminary Tiering must select, develop, and implement 4 facility may submit an ASP in lieu of provision. Notably, the Department has measures designed to ‘‘[d]eter, detect, a Security Vulnerability Assessment, indicated that it shall notify a facility of and delay an attack, creating sufficient Site Security Plan, or both. Tier 1, Tier the Department’s preliminary tiering time between detection of an attack and 2, and Tier 3 facilities may submit an

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17693

ASP in lieu of a Site Security Plan. Tier will be required, even where the facility The Department has removed 1, Tier 2, and Tier 3 facilities may not has produced a strong SVA, the effort 27.240(c) as proposed in the Advance submit an ASP in lieu of a Security will be considerably less than that at Notice. Paragraph (c) had contained an Vulnerability Assessment. Accordingly, facilities that are starting without a pre- objections provision. For a discussion of Tier 1, Tier 2, and Tier 3 facilities will existing SVA. the Department’s decision to remove the have to submit their SVA through the In addition, § 27.235(b) provides that objections provisions from this rule (in CSAT system. the notice requirements for submitting §§ 27.205(c), 27.220(b), and 27.240(c)), With respect to Tier 4 facilities, the ASPs correspond with the notice see the summary under § 27.205(c). Department clarifies the following requirements (including the approval Section 27.250 Inspections and Audits point: Given that the Department and disapproval process) for SVAs and notifies a facility of its final placement SSPs. In other words, if a facility is The Department has added additional in a risk-based tier following the submitting an ASP in lieu of an SVA, provisions to the inspection and audit Department’s review of a covered the process in § 27.240 applies, and if a section. In § 27.250(c), the Department facility’s SVA (see § 27.220(b)), a facility facility is submitting an ASP in lieu of discusses the time and manner will not know its final tier placement at an SSP, the process in § 27.245 applies. requirements for inspections. While the the time it might decide to submit an Department will generally provide ASP in lieu of a SVA. Because of that, Section 27.240 Review and Approval facilities with 24-hour advance notice of the Department understands that of Security Vulnerability Assessment inspections, the Department recognizes facilities will rely on the Department’s and Section 27.245 Review and two exceptions where an unannounced preliminary tiering determination made Approval of Site Security Plans inspection might occur. The Department pursuant to § 27.220(a). In this interim final rule, the included the first exception in the There are various reasons underlying Department has separated the review Advance Notice, and the Department has added the second exception in this the Department’s decision not to accept and approval of SVAs and SSPs into interim final rule. For a further ASPs as SVAs for Tier 1, Tier 2, and two separate sections. In the Advance discussion, see the Discussion of Tier 3 facilities. The Department needs Notice, both sets of requirements were Comments in § III(F) on ‘‘Inspections a consistent baseline against which to located in § 27.240. In this interim final compare risks and vulnerabilities across and Audits.’’ rule, the provisions related to Security chemical facilities. (For a further In § 27.250(d), the Department Vulnerability Assessments are located discussion of this issue, see the addresses various details related to the in § 27.240, and the provisions related Department’s response to comments in inspectors who will conduct inspections to Site Security Plans are located in § III(B)(1)). As well, the Chemical and audits. This is a new paragraph that § 27.245. Security Assessment Tool (CSAT) was not in the Advance Notice. system uses an integrated approach to In addition, the Department made Although Congress has not provided the chemical facility security, and by some changes to the corresponding Department with administrative considering SVAs that use the provisions in the two separate sections. subpoena authority, this paragraph methodology in the CSAT system, the In both sections, the Department has explains that inspectors will have Department can take full advantage of removed the language (from proposed credentials and may administer oaths that integrated approach. Furthermore, § 27.240(a)(1)) about time periods for and receive affirmations upon consent. by using this electronic, integrated submitting SVAs and SSPs. The It also provides details about the means CSAT approach, the Department can Department has already addressed this by which inspectors may gather more efficiently review and assess a issue in §§ 27.215(c)–(d) and information and the access that greater number SVAs, and that is of §§ 27.225(c)–(d) (by providing that a inspectors will have to records. The importance considering the facility must provide, update, and revise Department has also added a paragraph Department’s phased implementation its SVA and SSP consistent with the (e), which addresses confidentiality. scheme to address the highest risk schedule in § 27.210), so it was Finally, the guidance paragraph, which facilities first. unnecessary to also include this had been located in paragraph (d) has The Department acknowledges that language here. Also, in both sections, been moved to paragraph (f). many facilities have expended the Department has added new language substantial resources and incurred about the disapproval of SVAs or SSPs. Section 27.255 Recordkeeping significant expense to identify The Department added a new sentence, Requirements vulnerabilities and to develop security which provides that ‘‘[i]f the The Department revised various plans. The Department commends resubmitted [SVA or SSP] does not provisions related to recordkeeping. facilities for such efforts. The work satisfy the requirements of [§ 27.215 or With respect to § 27.255(a)(1), the performed on these efforts is valuable, § 27.225], the Department will provide Department added a few additional and DHS is committed to capitalizing on the facility with written notification record requirements regarding training. these investments. The information (including a clear explanation of In addition to keeping records of the developed in these efforts will be deficiencies in the [SVA or SSP]) of the date and location of each training relevant to facilities as they complete Department’s disapproval of the [SVA or session, time of day and duration of the CSAT SVA. Facilities will be able to SSP].’’ See § 27.240(b) and § 27.245(b). each session, the name and use the information from existing Finally, the Department has added a qualifications of the instructor, and a vulnerability assessments, and in many provision in § 27.245(a)(1)(iii), clear, legible list of the attendees cases, the practical impact of requiring indicating that the Department issues a including attendees’ signatures, the Tiers 1, 2, and 3 facilities use the CSAT Letter of Approval if it approves a facility must also keep at least one other SVA system will be one of formatting, facility’s Site Security Plan in unique identifier for each attendee i.e., facilities will have to enter their accordance with § 27.250. While this receiving training and the results of any information from their existing provision appears elsewhere in the rule evaluation or training. The Department vulnerability assessments into the (see § 27.245(b)), the Department also added a requirement to § 27.255(b), format established by the CSAT system. thought it was appropriate to include it requiring facilities to keep submitted While some additional analytical effort here as well. Top-Screens in addition to submitted

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17694 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

SVAs and SSPs. In addition, as Orders. Section 27.300(c) lists the modifications in exigent circumstances. discussed above in the summary for information, at a minimum, that the See § 27.310(d). § 27.225(e), the Department revised the Assistant Secretary must include in an A Presiding Officer is the neutral recordkeeping provision related to Order and also notes that the Assistant adjudications officer who handles these internal audits. See § 27.255(a)(6). Secretary may establish further proceedings. The Secretary shall The Department also added a new procedures for the issuance of Orders. appoint a Presiding Officer, consistent paragraph (c), allowing the Department Section 27.300(d) notes that a facility with the requirements in § 27.315. A to request that covered facilities make must comply with the terms of the Presiding Officer shall immediately available records kept pursuant to other Order by the date specified in the Order. consider whether a summary Federal programs or regulations. The Section 27.300(e) indicates that a adjudication of an Application for Department would make such requests facility has the right to seek an Review is appropriate, and if the for records to the extent that any such adjudication to review the decision of Presiding Officer finds that there is no records were necessary for security the Assistant Secretary to issue an genuine issue of material fact and that purposes. As a result of adding new Order, and § 27.300(f) addresses final one party or the other is entitled to paragraph (c), the Department had to re- agency action. decision as a matter of law, then the designate proposed paragraph (c) as With respect to the staying of Orders, record shall be closed and the Presiding paragraph (d). the Department addresses this issue in Officer shall issue an Initial Decision on the Application for Review. See Subpart C the new adjudications sections. Specifically, § 27.310(b)(4) provides that § 27.330(b). Such summary decisions The Department has substantially an Order is stayed from the timely filing are governed by the procedures in revised Subpart C, which contains the of a Notice of Application for Review § 27.330. provisions for Orders, Adjudications, Where there is no summary decision, until the Presiding Officer issues an and Appeals. the Presiding Officer may conduct a Initial Decision, unless the Secretary hearing using the procedures specified Section 27.300 Orders lifts the stay due to exigent in § 27.335. The Presiding Officer shall circumstances pursuant to § 27.310(d). The Department has restructured the close and certify the record upon the The new adjudications section is Orders provisions. Whereas the completion of one of the following: a discussed in more depth below. Advance Notice contained four separate summary judgment proceeding, a sections (see §§ 27.300, 27.305, 27.310, Section 27.305 through 27.340 hearing, the submission of post-hearing and 27.315), the Department has now Adjudications briefs, or the conclusion of oral consolidated all of the Order provisions arguments. See § 27.340(a). Based on the Most significantly with respect to into one section, § 27.300. The main certified record, the Presiding Officer adjudications, the Department has substance of the Orders provisions, shall issue an Initial Decision, and the provided facilities with the opportunity however, remains the same. Pursuant to decision shall be subject to appeal to seek review of specified decisions § 27.300(a), the Assistant Secretary can pursuant to § 27.345. issue an Order for any instance of before a neutral adjudications officer. A In addition to the sections mentioned noncompliance. For example, the facility or other person may seek review above, there are a few other sections that Assistant Secretary may issue an Order of the following Department (i.e., address provisions related to for a facility’s refusal to complete a Top- Assistant Secretary) determinations: (1) adjudications. Section 27.320 specifies Screen, failure to allow an inspection, or A finding, pursuant to the prohibition on ex parte failure to update a Site Security Plan. § 27.230(a)(12)(iv) that an individual is communications during Proceedings. Beyond a basic Order, the Assistant a potential security threat; (2) The And § 27.325 provides that the Assistant Secretary may issue an Order Assessing disapproval of a Site Security Plan Secretary bears the initial burden of Civil Penalty, an Order to Cease pursuant to § 27.245(b); or (3) The proving the facts necessary to support Operations, or both, where it determines issuance of an Order pursuant to the challenged administrative action at that a facility is in violation of any § 27.300(a) or (b). See § 27.310(a). every proceeding instituted under this Order issued pursuant to paragraph (a). The procedures for Applications are subpart. See § 27.300(b). Orders Assessing Civil found in § 27.310(b). To institute Finally, as related to the Appeals Penalty are for a continual Adjudication Proceedings, the facility or section below, a Presiding Officer’s noncompliance, a repeated pattern of other person (‘‘Applicant’’) must file a Initial Decision is stayed from the noncompliance or egregious instances of Notice of Application for Review within timely filing of a Notice of Appeal until noncompliance. Orders to Cease seven calendar days of notification of the Under Secretary issues a Final Operations are the most serious Orders the Assistant Secretary’s determination. Decision, unless the Under Secretary that the Assistant Secretary might See § 27.310(b)(1)–(2). Then, in an lifts the stay due to exigent choose to issue under this regulatory Application for Review, the Applicant circumstances. See § 27.345(b)(4). scheme. The Assistant Secretary will must explain his or her position (i.e., use such a measure cautiously and explain why the Assistant Secretary’s Section 27.345 Appeals judiciously and will balance the determination should be set aside). The The interim final rule contains a immediate security needs with the Applicant has 14 calendar days from the revised appeals section. There are possible impact (e.g., economic impact date of notification of the Assistant several differences. First, a facility or or national security effect) of such an Secretary’s determination to file and other person may appeal the Initial Order on the chemical industry and the serve an Application for Review. See Decision of the Presiding Officer made Nation as a whole. As the Department § 27.310(b)(5). The Assistant Secretary, pursuant to § 27.340(b). This differs wrote in the Advance Notice, ‘‘This through the Office of the General from the Advance Notice, in which a authority would be utilized when no Counsel, shall file and serve a Response facility could appeal a Departmental other options will achieve the required within 14 calendar days of the filing and final determination regarding result.’’ See 71 FR 78276, 78287. service of the Application for Review. disapproval of a Site Security Plan and Paragraphs (c) through (f) of § 27.300 See § 27.310(c). Finally, the Secretary the Departmental issuance of an Order. address the process and procedures for may make certain procedural See § 27.320 in the Advance Notice.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17695

Second, the Advance Notice provided The Department has highlighted these changes and preemption in that the Under Secretary would make below the more substantive changes to general, see the section below entitled decisions for most categories of appeals, § 27.400. With respect to paragraph (c), ‘‘Executive Order: 13132: Federalism.’’ and the Deputy Secretary would make the Department has removed paragraph Proposed Appendix A: DHS Chemicals (c)(2), because that concept is already decisions for one category of appeal. of Interest This interim final rule provides that all covered in paragraph (e)(1)(v). In appeals go to the Under Secretary or his paragraph (d)(1), the Department In the Advance Notice, the designee acting as a neutral appeals provides that covered persons must Department sought comment on officer. Third, as is discussed in more protect all CVI in their possession or appropriate sources of information or depth below, the procedures for an control, including electronic data. In methodologies for evaluating and appeal have changed. paragraph (e)(1), the Department added categorizing chemical facilities.’’ See 71 language providing that a person who FR 78276, 78282. The Department The Assistant Secretary, a facility, or responds to those comments below in other person (‘‘Appellant’’) may might have a ‘‘need to know’’ includes ‘‘state or local officials, law enforcement the ‘‘Discussion of Comments.’’ In this institute an Appeal by filing a Notice of interim final rule, the Department has Appeal within seven calendar days of officials, and first responders.’’ In paragraph (e)(1)(ii), the Department decided to evaluate chemical facility notification of the Presiding Officer’s clarified that a person in training will risks by, in part, classifying facilities by Initial Decision. See § 27.345(b)(1)–(3). only have access to CVI that he needs particular chemicals. In proposed The Appellant shall then file and serve as part of his training, and in paragraph Appendix A, the Department has a Brief within 28 calendar days of the (e)(1)(iv), the Department clarified that a included a list of ‘‘DHS Chemicals of notification of the Presiding Officer’s the person in a fiduciary relationship Interest’’ along with Screening Initial Decision. See § 27.345(b)(5). The with a covered person who is Threshold Quantities, or STQs, for each Appellee shall file and serve its representing or providing advice to that chemical. The Department has Opposition Brief within 28 days of the covered person will also have a need to established STQs to trigger preliminary filing of Appellant’s Brief. See know CVI. In paragraph (e)(2)(iii), the screening requirements. The STQ is not § 27.345(b)(6). The Under Secretary Department provides that it may require the threshold quantity for establishing shall issue a Final Decision and serve it non-Federal persons seeking access to whether a given facility is a high-risk on the parties. A Final Decision by the CVI to complete a non-disclosure facility, but only sets a threshold to Under Secretary constitutes final agency agreement before such access is granted. require a facility to complete and submit action. See § 27.345(f). In paragraph (f)(3), the Department a CSAT Top-Screen. As noted in the In addition to the provisions shortened the distribution limitation ‘‘Public Participation’’ section above, mentioned above, the Department notes statement and added a new sentence at the Department is accepting public the following: Pursuant to § 27.345(b), the end, which provides: ‘‘[i]n any comment on proposed Appendix A for the Under Secretary may provide for an administrative or judicial proceedings, 30 days. Following the close of the expedited appeal; pursuant to this information shall be treated as comment period, the Department will § 27.345(c), ex parte communications classified information in accordance review the comments and publish a are prohibited; and pursuant to with 6 CFR §§ 27.400(h) and (i).’’ And final Appendix A. The requirements § 27.345(c), a facility or other person in paragraphs (h)(1), (i)(1), and (i)(2), the related to Appendix A, which are found may elect to have the Under Secretary Department made it clear that these in §§ 27.200(b)(2) and 27.210, will participate in any mediation or other sections apply to the disclosure of CVI become operative on the date that the resolution process by expressly waiving, in the context of administrative or Department publishes a final Appendix in writing, any argument that such judicial enforcement proceedings of A. participation has compromised the section 550 only, not any other kind of Pursuant to § 27.200(b)(2), if a facility Appeals process. In addition, pursuant enforcement proceeding. Similarly, in possesses any chemicals identified in to § 27.345(g), the Secretary may paragraph (i)(7)(iii), the Department Appendix A at the corresponding establish procedures for the conduct of made it clear that this section applies quantities, the facility must complete appeals. only to judicial enforcement and submit a Top-Screen. Consistent proceedings and not any other judicial with the submission requirements in Subpart D proceeding. § 27.210(a)(1), the facility must Section 27.400 Chemical-Terrorism complete the Top-Screen within 60 Section 27.405 Review and Preemption Vulnerability Information calendar days of the effective date of a of State Laws and Regulations final Appendix A or within 60 calendar The Department has made numerous The Department has made several days of coming into possession of any clarifying changes to the chemical- changes to § 27.405, including various such chemical at the corresponding terrorism vulnerability information regulatory text changes. Among those quantity. (As indicated in the regulatory (CVI) section. Some of these changes changes, the Department has added text, this submission requirement is not corrected typographical errors, while paragraph (a)(1). The Department operative until the Department several others clarified existing wishes to avoid any unintended publishes a final Appendix A.) Note that provisions. With respect to a minor consequences in the program’s this provision does not affect the change, note that, in § 27.400 of the interaction with other Federal Department’s ability to contact facilities Advance Notice, the Department requirements. For this reason, independently of this list. Pursuant to referred to CVI as ‘‘Chemical-terrorism § 27.405(a)(1) provides that ‘‘[n]othing § 27.200(b)(1), DHS may notify facilities, Security and Vulnerability Information’’ in this regulation is intended to displace on an individual basis or through an and in this interim final rule, the other federal requirements administered additional Federal Register notice, that Department now refers to CVI as by the Environmental Protection they need to complete and submit the ‘‘Chemical-terrorism Vulnerability Agency, U.S. Department of Justice, U.S. Top-Screen. The Department notes that, Information.’’ The Department intends Department of Labor, U.S. Department where a facility has a question as to no change in meaning with this of Transportation, or other federal whether it should complete a Top- revision. agencies.’’ For a further discussion of Screen, the facility can contact the

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17696 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

Department and seek a consultation Convention on the Prohibition of the In proposed Appendix A, the pursuant to § 27.120. Development, Production, Stockpiling Department lists the DHS Chemicals of The Department reiterates that the and Use of Chemical Weapons and on Interest and identifies a Standard presence or amount of a particular Their Destruction. The CWC covers Threshold Quantity (STQ) for each chemical listed in Appendix A is not three lists, or ‘‘schedules’’ of chemicals. chemical. To clearly identify each the sole factor in determining whether Schedule 1 chemicals are provided in chemical, the Department includes the a facility presents a high-level of Supplement No. 1 to 15 CFR part 712, Chemical Abstract Service (CAS) security risk and is not an indicator of Schedule 2 chemicals are provided in number for each chemical. These a facility’s coverage under this rule. The Supplement No. 2 to 15 CFR part 713, chemicals listed in proposed Appendix DHS Chemicals of Interest list merely and Schedule 3 chemicals are provided A fall into the three categories identified directs certain facilities to complete and in Supplement No. 3 to 15 CFR part 714; above: chemicals with a release hazard, submit the Top-Screen. This list serves and (3) Hazardous materials, including chemicals with a theft or diversion as a tool to aid the Department in gases poisonous by inhalation (PIH) and hazard, and chemicals with a sabotage gathering information needed to explosive materials, which the or contamination hazard. administer the program under Section Department of Transportation regulates. The Department acknowledges that 550. In order for the Department to See 49 CFR 173.115(c), 49 CFR there are two additional security issues assess compliance by particular 173.50(b), and 49 CFR 172.101. The that it is considering at this time, chemical facilities with the regulation Department has also considered other although it is not including any such (see Section 550(e)), the Department categories of chemicals, such as chemicals that would trigger a Top- must first obtain information to chemicals that can be used as precursors Screen submission. They include the determine whether the particular for Improvised Explosive Devices (IEDs) following two issues: chemical facilities qualify for coverage and certain water-reactive materials that 1. Critical Relationship to Government under Section 550. The list set out in produce toxic gases. Mission—DHS believes that the loss of Appendix A serves as a procedural tool The Department makes a few points certain chemicals, materials, or facilities designed to aid the Department in with respect to the list in Appendix A. could create significant adverse determining which facilities must First, DHS is not using any existing list consequences for national security or comply with the substantive standards. (e.g., the EPA RMP list) as its sole the ability of the government to deliver Only after the Department gathers source, and DHS is not classifying all essential services. additional information through the Top- facilities on a list in one particular way 2. Critical Relationship to National Screen process will the Department (i.e., classifying all RMP facilities as Economy—DHS believes that the loss of make a determination as to whether a high-risk). By using multiple sources at certain chemicals, materials or facilities facility presents a high risk and this initial phase, DHS believes it is could create significant adverse therefore must comply with the obtaining a more complete picture of the consequences for the national or regulatory requirements to ensure universe of facilities that may qualify as regional economy. adequate security. Under Section 550, high-risk. Second, in identifying the The Department is continuing to the Department has the authority to use types and STQs of chemicals for assess currently-available information its best judgment and all available Appendix A, the Department has sought about these chemicals critical to information in determining whether a to be sufficiently inclusive of chemicals government mission and the national facility presents a high level of security and quantities that might present a high economy. The Department will use the risk. level of risk under the statute without information it collects through the Top- In developing the ‘‘DHS Chemicals of being overly inclusive and therefore Screen process, as well as currently- Interest’’ list, the Department has looked capturing facilities which are unlikely available information, as a means of to existing sources of information and to present a high level of risk. identifying facilities responsible for has then drawn on many of those In addition to drawing on information economically critical and mission- sources of information, including some from existing sources, the Department critical chemicals. of the sources that commenters has identified chemicals by considering III. Discussion of Comments suggested. Those sources include the three security issues. These three following: (1) The chemicals contained security issues, which are explained In the Advance Notice, DHS sought on the EPA’s RMP list. Pursuant to the below, address multiple risk areas. comment on proposed text for the Clean Air Act (42 U.S.C. 7401, et seq.), 1. Release—DHS believes that certain interim final rule as well as on various which provides that the EPA shall quantities of toxic, flammable, or implementation and policy issues promulgate a list of substances that ‘‘in explosive chemicals or materials, if concerning the chemical security the case of accidental release, are known released from a facility, have the program. DHS received a total of 106 to cause or may reasonably be potential for significant adverse public comments totaling more than anticipated to cause death, injury, or consequences for human life or health. 1,300 pages, including comments from serious adverse effects to human health 2. Theft or Diversion—DHS believes thirty-two trade associations, thirty or the environment (see 42 U.S.C. that certain chemicals or materials, if companies, thirteen private citizens, ten 7412(r)(3)), the EPA promulgated two stolen or diverted, have the potential to state agencies and associations, seven lists. Table 1 is titled ‘‘List of Regulated be used as weapons or easily converted advocacy and safety groups, eight U.S. Toxic Substances and Threshold into weapons using simple chemistry, Representatives, five U.S. Senators, four Quantities for Accidental Release equipment or techniques in order to unions, one Local Emergency Planning Prevention,’’ and Table 3 is titled ‘‘List create significant adverse consequences Committee, one professional of Regulated Flammable Substances and for human life or health. association, one international standards Threshold Quantities for Accidental 3. Sabotage or Contamination—DHS committee, and the U.S. Small Business Release Prevention’’ (see 40 CFR believes that certain chemicals or Administration. 68.130); (2) The chemicals from the materials, if mixed with readily- Commenters generally applauded this Chemical Weapons Convention (CWC). available materials, have the potential to effort from the Department and Section 6701, et seq. of Title 22 of the create significant adverse consequences commended the general approach that United States Code implements the for human life or health. the Department is taking. However,

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17697

commenters also raised some specific The industry commenters noted, commonly used chemicals, DHS notes concerns. In the sections below, DHS however, that not all RMP facilities that it is aware of that issue. While DHS provides a topical summary of the should be considered high-risk. One believes these STQs are set at levels that comments and responses to those commenter pointed out that RMP does normally will not cover such retail comments. not take into account facilities that may establishments, DHS believes that, if a cause substantial impacts from multiple retail establishment does exceed any of A. Applicability of the Rule tanks. A few commenters also these STQs, the retail establishment will 1. Definition of ‘‘Chemical Facility or recommended that DHS should consider have to complete the Top-Screen. facilities in EPA’s Toxic Release Facility’’ 2. Multiple Owners and Operators Inventory program or facilities that The Advance Notice defined The second half of the definition of ‘‘Chemical Facility or facility’’ to mean handle DOT hazardous materials. One commenter emphasized that the ‘‘Chemical Facility or facility’’ provides ‘‘any facility that possesses or plans to rule could focus on toxic gases at RMP that the terms ‘‘shall also refer to the possess, at any relevant point in time, a threshold quantities, but warned that owner or operator of the chemical quantity of a chemical substance the RMP program has a different facility. Where multiple owners and/or determined by the Secretary to be purpose. The commenter indicated that operators function within a common potentially dangerous or that meets worst-case scenarios under RMP may be infrastructure or within a single fenced other risk-related criterion identified by based on unrealistic assumptions. area, the Assistant Secretary may the Department. * * *’’ See proposed Another commenter indicated that DHS determine that such owners and § 27.100. should consider certain substances from operators constitute multiple chemical Comment: While a few industry and the Chemical Weapons Convention list facilities depending on the State agency commenters supported this when assessing overall risk. Finally, circumstances.’’ See § 27.105. definition, commenters generally some industry commenters objected to Comment: Comments were varied on thought that the proposed definition the phrase ‘‘possesses or plans to the issue of multiple owners and was broad. In particular, several possess,’’ because the term implies legal operators. One industry commenter industry commenters, an industry title or ownership rather than simple suggested that DHS should combine association, a labor union, and a State presence at the facility. adjacent facilities under common agency thought the proposed definition Response: Aside from the minor ownership into a single facility, and was overly broad and consequently did modification noted above, DHS is other industry commenters thought that not inform facilities about whether they retaining the definition of chemical DHS should define certain adjacent would be regulated. They noted that the facility that it proposed in the Advance facilities as less than the entire property. definition did not name the regulated Notice. And while DHS is not defining One industry commenter thought that chemical substances or the threshold ‘‘chemical facility’’ by listing specific DHS should allow facilities with quantities. One commenter argued that chemicals, DHS is making available, multiple owners or operators to agree DHS’s failure to release to the public its with the issuance of this rule, a list of among themselves how to meet the proposed list of ‘‘potentially dangerous those chemicals and Screening requirements of this rule. A trade chemicals’’ and threshold amounts for Threshold Quantities (STQs) that it association noted that some large those chemicals denies the public the proposes to use to determine whether to chemical facilities have third-party opportunity to comment on key further assess whether a chemical warehouses and leasing agreements and provisions of the rule that depend on facility presents a high risk. that the owners of the chemical facility whether the facility possess specified Specifically, if a facility possesses any should be responsible for security. quantities of chemicals determined by of the chemicals, at the corresponding Response: DHS believes that it will DHS to be potentially dangerous. The quantities, in Appendix A (when generally be fairly straightforward for commenter explained that it is difficult finalized), the facility must complete facilities to define their boundaries and to comment on that aspect of the rule and submit a Top-Screen within 60 identify the party (at their facility) that without knowing what the chemicals calendar days. See § 27.200(b)(2) and is responsible for compliance with the and thresholds are. An industry group § 27.210(a). The Department will regulation. However, DHS cautioned that threshold quantities continue to contact facilities acknowledges that, in some should be set high enough that retail individually and through additional circumstances, the issue might be more establishments are not covered merely Federal Register notices, as necessary. complex. The Department will address because they stock commercially See § 27.200(b)(1). To the extent the these situations on a case-by-case basis. acceptable quantities of commonly used Department notifies facilities through an Both owners and operators of facilities, chemicals. A few industry commenters additional Federal Register notice, the however, bear responsibility under the and a member of Congress added that Department will engage in outreach regulations for implementing measures the definition of chemical facility activities with the chemical sector. that meet the regulatory standards. should include the concepts of national Finally, in response to specific security and economic criticality. comments above, the Department makes 3. Classifying Facilities Based on Hazard Several industry commenters two additional points. The Department Class supported the use of EPA’s Risk has retained the phrase ‘‘possesses or Comment: In the preamble to the Management Plan (RMP) program to plans to possess.’’ DHS believes that Advance Notice, DHS requested help identify the initial group of phrase adequately captures the comment on whether it should use an regulated facilities. Commenters Department’s intent. The plain meaning approach based on hazard class, rather supported use of the RMP list of toxic of those terms is not limited to than use an approach where substances as a basis for selecting ownership. Also, with respect to the classifications are based on particular chemical facilities. Likewise, one commenter who cautioned that any chemicals. Responses were mixed. association felt that DHS should link its types of threshold quantities should be Several commenters favored the definition of chemical facility to those high enough so that DHS does not cover hazard class approach, noting that facilities covered by EPA’s RMP, all retail establishments that stock facilities are familiar with the DOT because it is a clear and defined list. commercially acceptable quantities of hazard classes, that the hazard classes

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17698 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

may be harmonized with international chemicals or may handle them only Response: The Department’s requirements, and that the number of intermittently. A trade association regulatory scheme will cover chemical chemicals (in a non-hazard class suggested that DHS should allow such facilities that present a high risk because approach) might otherwise be very facilities to adjust their level of security they possess or plan to possess large. Some of the commenters who to the level of risk. Another commenter chemicals that terrorists may use or favored the hazard class approach also urged DHS to consider the nature of target in the furtherance of acts of noted some caveats to its use. Industry batch production facilities, which make terrorism. Facilities that possess commenters and a State agency warned a continually changing mix of products chemicals that are hazardous and can be that the hazard class approach could using a continually changing, and often used as weapons, such as anhydrous result in the inclusion of chemicals that unpredictable, mix of ingredients. ammonia or ammonium nitrate, will be do not pose a security risk. Conversely, With respect to anhydrous ammonia, regulated if they present a high risk. others noted that the hazard classes may commenters noted that the chemical is However, a facility that possesses a not include chemicals of concern from in the EPA RMP list but indicated that chemical substance that does not cause a terrorism perspective. Commenters it should not be a chemical that DHS it to present a high risk (taking into noted that other agencies may regulate regulates. They explained that ammonia account all relevant factors), or the hazard classes under other refrigeration is used for dairy and food possesses an otherwise hazardous programs. Also, one State agency processing facilities and that those chemical in an amount that is below association pointed out that a facilities do not pose a significant risk what would cause the facility to present combination of chemicals might be to human health, national security, or a high risk (again, taking into more dangerous than any one chemical. the economy, because an attack on such consideration all relevant factors), will One firm suggested that the DHS a facility would not result in a not be regulated. approach should include both the catastrophic release of ammonia. In Accordingly, with this interim final hazard class approach and the addition, the commenters stated that the rule, DHS plans to regulate high-risk classification of chemicals approach. food industry (which uses anhydrous facilities with ammonium nitrate and A few industry commenters indicated ammonia for refrigeration) should not anhydrous ammonia using the same that basing the applicability of the rule have to spend its resources enhancing risk-based approach under which it on hazard classes would be security for refrigeration systems. plans to regulate all other high-risk inappropriate and that they favored a facilities. If DHS later decides that any With respect to ammonium nitrate list of security-sensitive chemicals with individual chemicals warrant (AN), some industry commenters noted threshold quantities. One trade specialized attention in regulatory that AN is an important part of the association supported the use of lists of provisions, DHS will address such economy in both the explosives and the particular chemicals, explaining that chemicals through future rulemakings. fertilizer industries. They noted that the they thought it would lead to more threat posed by AN is not that of a direct 5. Applicability to Types of Facilities accurate assessments of likelihood and attack but of theft or diversion for later consequence and therefore risk. They Comment: A few commenters also argued that DHS publish the list in criminal misuse. While they said that suggested that the rule should not apply the final rule. DHS should focus not only on the to railroad facilities, because such Response: As explained above, DHS is possibility of a direct attack at facilities facilities are covered by current and publishing a list of ‘‘Chemicals of with ‘‘weaponizable’’ chemicals, but on proposed requirements from the Interest’’ in Appendix A to this interim facilities with risks of theft or diversion, Department of Transportation’s (DOT) final rule. The list contains specific they suggested that DHS place those Federal Railroad Administration and chemicals and STQs. That list is a facilities (i.e., those with risk of theft or Pipeline and Hazardous Materials Safety baseline screening threshold against diversion) in lower-risk tiers. Administration and DHS’s which facilities will know whether they One commenter recommended Transportation Security Administration need to complete and submit a Top- requirements for chain-of-custody (TSA). Those commenters asserted that Screen. While DHS’s primary approach control and suggested that the ATF railroads should be treated separately will be through the classification of could assist in enforcement at AN sites from fixed facilities and that the chemicals, DHS will not preclude the with commercial explosives; other proposed requirements are use of the hazard classes for certain commenters favored regulation by DHS, inappropriate for railroad facilities. One purposes in the performance standard not ATF. Another commenter believed commenter requested exemptions for guidelines. that DHS should work with the U.S. motor vehicles and rail cars that are ‘‘in Department of Agriculture and producer transit.’’ Another commenter asked DHS 4. Applicability to Specific Chemicals or groups in deciding whether to regulate to take a system-wide approach and Quantities of Chemicals an agriculture operator or supplier. An recognize the interdependence of Comment: Several commenters industry commenter noted that the mere chemical facility and rail security. discussed specific chemicals and presence of AN at a site should not Response: Regulating chemicals in the whether or not the regulation should trigger application of DHS’s screening railroad system is a complex issue, and cover facilities that possess those process. Two members of Congress DHS continues to evaluate it. TSA is the chemicals. Several commenters thought argued that the rule should apply to AN lead component within DHS for the that DHS should not cover anhydrous manufacturing facilities, but they agreed security of transportation facilities and ammonia or ammonium nitrate, both of with DHS and other commenters that has initiated some recent efforts to which are discussed in more depth DHS should subject AN facilities to address rail security, including below. A local government agency urged regulatory requirements based on the Voluntary Agreements with the rail DHS to cover facilities that store nature of the facility and risk industry and a Notice of Proposed propane, while other commenters assessment results. The commenters Rulemaking on Rail Transportation indicated that DHS should not cover thought that by including AN facilities Security. See 71 FR 76852 (December flammable fuels such as propane. A few in the regulatory program, DHS would 21, 2006). With respect to chemical commenters noted that some facilities make it more difficult for terrorists to security, certain aspects of Section 550 may have only small amounts of acquire this product. and TSA’s authorities are concurrent

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17699

and overlapping. DHS is working, and part on the type and amount of exemptions requested by commenters, will continue to work, with its chemicals present at any given mine and, at this time, the Department does components, including TSA, to facility. The Department expects that not intend to provide any additional determine whether DHS will include mines will comply with the regulatory text exemptions. railroad facilities in its chemical requirements of § 27.200(b) and Comment: Some industry commenters security program. DHS presently does complete and submit the Top-Screen as supported the exemptions in § 27.110, not plan to screen railroad facilities for required in that section. With respect to such as the exemption for facilities inclusion in the Section 550 regulatory large mines that may only possess a regulated under the Maritime program, and therefore DHS will not concentrated amount of a given Transportation Security Act (MTSA). In request that railroads complete the Top- chemical in one discrete location, if the addition, one association wanted to Screen risk assessment methodology. given chemical (and quantity) is one exclude from the Top-Screen DHS may in the future, however, re- that the Department believes presents a requirements any facilities covered evaluate the coverage of railroads, and security risk, the Department will under MTSA. Other commenters asked would issue a rulemaking to consider expect that the facility will go through for clarifying information about the the matter. the screening process. While the facility exemptions. Comment: Commenters asked about may have to develop a Site Security Response: In the Advance Notice, the the applicability of the rule to natural Plan, the SSP would be tailored to the Department discussed the applicability gas pipelines and facilities, with some specific circumstances at the mine. The of this rule to maritime facilities. See 71 noting that DHS should not regulate SSP for a large mine with a concentrated FR 78276, 78290. In this interim final pipelines because DOT/PHMSA and amount of one chemical in one location rule, the Department clarifies that it will DHS/TSA already regulate safety and would surely look dramatically different apply the statutory exemption only to security of pipelines. Other commenters than that of mine company with facilities regulated under 33 CFR part asked about DHS’s plans to address different circumstances (e.g., a large 105, Maritime Facility Security other large facilities, such as mines. One mine with larger quantities of different regulations. Part 105 of Title 33 of the engineer pointed out that mining types of chemicals spread throughout Code of Federal Regulations is the only facilities can be very large and can cover the mine or a smaller mine with regulation that imposes the security thousands or tens of thousands acres but moderate quantities of very hazardous plan requirements of 46 U.S.C. 70103 on that the security-sensitive portions of chemicals in several different locations). maritime facilities. those mines may be very small (e.g., a 6. Statutory Exemptions Comment: A State agency believed single tank). that the Nuclear Regulatory Commission Response: Whether a facility is Comment: Some commenters asked (NRC) exemption should apply only to covered under this regulation is driven why § 27.105(b) excluded certain facilities holding an NRC power reactor by a number of factors, including the facilities from the rule, and another license and disagreed with the specific types and quantities of commenter suggested that the exempted exemptions for public water systems chemicals at a given facility. Whether facilities should be reviewed to and treatment works. the Department will apply the determine if they would be considered Response: The Department agrees requirements of this regulation to a high-risk but for the exemption. with the commenter and will apply the facility depends, in part, on the Other commenters suggested statutory exemption to facilities where additional exemptions. One commenter chemicals present at that facility. In the NRC already imposes significant suggested that the rule should not apply case of natural gas pipelines, DHS has security requirements and regulates the to most facilities that manufacture, sell, no intention at this time of requiring safety and security of most of the or reclaim lead-acid batteries, and long-haul pipelines to complete the facility, not just a few radioactive another commenter believed DHS Top-Screen (or prepare Security sources. For example, a power reactor should exclude pesticide facilities. Yet Vulnerability Assessments and develop holding a license under 10 CFR part 50, another commenter thought that most Site Security Plans). But chemical a special nuclear material fuel cycle facilities storing petroleum products, facilities otherwise covered by this holding a license under 10 CFR part 70, some of which are exempted under regulation and with pipelines within and facilities licensed under 10 CFR proposed § 27.105(b), are not high-risk their boundaries must treat those parts 30 and 40 that have received pipelines like any other asset, i.e., facilities. security orders requiring increased include measures in their Site Security Response: In the authorizing protection, will all be exempt from 6 Plan addressing the security of those legislation for this regulation, Congress CFR part 27. A facility that only pipelines. exempted various facilities from this Related to this, DHS makes a rule. See Section 550(a). DHS has possesses small radioactive sources for clarifying point about facility assets in included those exemptions in chemical process control equipment, general. DHS expects that facilities will § 27.110(b) of the rule. The statute gauges, and dials, will not be exempt. address all facility assets in their provides for the following exemptions: B. Determining Which Facilities Present Security Vulnerability Assessments and facilities regulated pursuant to the a High-Level of Security Risk Site Security Plans, as any given facility Maritime Transportation Security Act of asset has the potential to have an effect 2002, Public Law 107–295, as amended; 1. Use of the Top-Screen Approach on the consequence and/or public water systems (as defined by Comment: In general, many industry vulnerabilities of the facility. Facility Section 1401 of the Safe Drinking Water associations and chemical companies assets include any items or structures Act); water treatment works facilities (as supported the use of a tiered approach (such as buildings, vehicles, defined by Section 212 of the Federal that narrows DHS’s focus to high-risk laboratories, or test facilities) located on Water Pollution Control Act); any facilities. Several commenters pointed an area owned, operated, or used by the facilities owned or operated by the out as a problem the fact that they had facility. Such assets may exist inside or Departments of Defense and Energy; and been unable to review the details of the outside of perimeter structures. any facilities subject to regulation by the approach and associated criteria; several Similarly, the extent of coverage of Nuclear Regulatory Commission. The commenters suggested that mines in this regulation will depend in Department has considered the knowledgeable parties should have an

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17700 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

opportunity to review the details. Many noted that a facility should consider all spectrum of methodologies. Even where of the commenters wanted to make sure impacts, not just the impacts to one certain ‘‘equivalencies’’ exist between that the final group of high-risk facilities facility. One association commented methodologies, the equivalencies can was determined based on risk (not just that most facilities will not be able to only be extracted and employed in a on potential consequence or limited provide answers to the questions in the comparative risk analysis at very great pieces of threat data) and that the Top-Screen that ask about a facility’s cost and over a very long period of time. number of facilities in this group was market share for given chemicals. That In order to effectively manage risk at the small. association suggested that DHS re- national level, the Department must be Associations differed in their views phrase those questions to support yes/ able to develop and understand the on how inclusive the Top-Screen no answers or to allow facilities to use relative risk of different facilities. A process should be—one association broad ranges. comparative risk capability is essential wanted DHS to screen out certain low- Several associations commented that to regulation and can be achieved only risk facilities in the first few questions the submitting company, not DHS, through the collection of comparative while other associations and a chemical should determine the most appropriate data. Thus, a standard vulnerability tool company wanted DHS to make sure that person to submit data. A number of is necessary. as many facilities as possible submitted parties commented on DHS’s The Department has vetted the CSAT Top-Screen data, including some subsequent use of the data that is system with the engineering profession, facilities that might not traditionally be collected through the Top-Screen. One the National Laboratories, and considered chemical facilities. Several association commented that any academia. The Top-Screen component, associations urged DHS not to information must have demonstrated as well as the individual algorithms presumptively classify facilities as high- utility before it is shared with anyone. employed in the Top-Screen, have been risk without perfect information; they As for timing, commenters, including subject to extensive peer review and felt that doing so would go beyond the State agencies, requested that DHS have been found acceptable. While the authority that Congress granted DHS provide facilities with the specific Top-Screen is consequence-specific, and would not match the intended focus timing requirements for completing the DHS uses the Top-Screen only to on high-risk facilities. A local agency Top-Screen. One industry association determine a preliminary tier ranking. took the opposite view on that question. recommended that DHS use phased-in DHS bases a facility’s final tier ranking Several commenters provided input timing for having facilities complete the upon the complete Security on the data that facilities will need to Top-Screen. A number of commenters Vulnerability Assessment, as well as the enter into the Top-Screen. One from State agencies and industry application of threat information—and association suggested that DHS allow associations suggested the need for DHS thus it is risk-based. facilities to enter chemical volumes in to provide active, written notification Insofar as the range of facilities ranges and asked that DHS provide that a facility is not high risk—and for possessing dangerous or potentially guidance on handling mixtures and telling facilities that they need to dangerous chemicals is large, there is no blends. That association also questioned comply with the regulation. One good alternative to a fairly broad range how facilities should address chemicals association suggested that DHS provide of facilities being included in the that are stored offsite. Another this notification immediately upon the screening process. DHS anticipates that association encouraged DHS to include facility’s submission of data. the vast majority of screened facilities reactive chemicals and propane in the Finally, a number of company and will be found not to have a level of Top-Screen. One advocacy group industry association commenters potential consequences that would encouraged DHS to incorporate wanted to make sure that facilities have result in a ‘‘high risk’’ designation. chemical transportation in the rule and the opportunity to conduct independent However, the facilities that do achieve the Top-Screen. evaluations (or meet with DHS) to verify that level of consequence are expected Commenters also provided input on or deny DHS’s initial classification of a to come from a fairly broad swath of the how DHS should process the facility’s risk. Nation’s economy. DHS has no information that it receives through the Response: In this regulatory program, intention of classifying facilities as Top-Screen. One industry association DHS will employ a modified version of presumptively high risk until and suggested that facilities should be the Risk Analysis and Management for unless DHS is unable to acquire allowed to explain ‘‘yes’’ responses Critical Asset Protection (RAMCAP) risk sufficient data. before DHS drives the facility to a full assessment methodology known as the The Top-Screen will enable DHS to Security Vulnerability Assessment. The Chemical Security Assessment Tool, or determine a preliminary tier based on association suggested that facilities CSAT. The RAMCAP Sector Specific consequence. That ranking will should not be the ones to estimate Guidance was developed under contract determine the need for (and timeline consequences, particularly injuries, and to DHS by the ASME Innovative for) a Security Vulnerability that DHS should refine the definition of Technologies Institute (ASME–ITI) and Assessment, and where the Top-Screen injuries. The association stated that DHS leveraged the knowledge and insight of indicates the need for a follow-on should have different requirements for leading experts from across the industry Security Vulnerability Assessment, DHS facilities that only periodically have and Federal Government. The DHS Risk will expect that the owner-operator will certain materials onsite. One association Assessment Methodology is composed comply. The Department will require cautioned about using RMP data and of two separate parts. The first part is a facilities to submit the Top-Screen advocated for DHS to use conversion screening tool known as the Top-Screen, within the timeframes now specified in factors to make estimates of casualties. which is used to perform a preliminary § 27.210. The Department notes that the Several commenters were concerned ‘‘consequence’’ analysis. The second Top-Screen is designed to preclude a about the questions in the Top-Screen part provides the tools to conduct a large number of ‘‘false negatives.’’ that related to economic impacts. thorough facility Security Vulnerability DHS is establishing the entire CSAT Several associations indicated that DHS Assessment. system as an on-line suite of tools, should use a sufficiently high threshold DHS is using a standard vulnerability which will allow notification of results for economic impacts that captures the tool, the CSAT system, because it is not to the owner or operator. As provided in full extent of economic impacts. They practical for DHS to accept a broad § 27.205, the Department ‘‘shall notify

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17701

the facility in writing [of a within the expertise of the facility CSAT system employs a set of defined determination that the facility presents personnel. attack vectors, used to both ‘‘produce’’ a high level of security risk].’’ While the Many commenters also focused on consequences (for the measurement of online feature of the CSAT system will various aspects related to RAMCAP. criticality) and to measure vulnerability. allow rapid results, it will not allow the One commenter asserted that RAMCAP These are not ‘‘Design Basis’’ threats Department to respond instantaneously, might not adequately identify high-risk and in no way reflect the type of actual as some commenters requested. Finally, facilities. Another commenter asked threats against which owner-operators the Top-Screen tool does require the who owns RAMCAP. Several will be expected to ‘‘defend.’’ They are owner-operator to provide certain data commenters noted that the RAMCAP measurement devices, supporting the similar to an RMP analysis; however, approach was not designed to address DHS need to conduct comparative risk casualty estimates and consequence control system cyber security. Another analysis. The CSAT tool does include ranking are performed by DHS using commenter felt that DHS provided basic assessments of certain types of well-vetted formulae. inadequate detail on the RAMCAP cyber systems, and certain features Regarding economic criticality, DHS methodology and noted that DHS thereof. However, the CSAT tool is not recognizes the complexity of estimating should define the method before DHS intended to be a full-scope, detailed potential economic or mission impact solicits comment. Several commenters analysis of all possible areas of stemming from the loss of certain also pointed out that RAMCAP’s lack of vulnerability. It is a measurement tool manufacturing (or other) capacity. details on vulnerability team that will allow general categorization of Accordingly, DHS will focus early composition and experience could be a a facility as vulnerable or not, critical or efforts on developing a sufficiently clear limitation. Some of RAMCAP’s not, and thus, at risk or not. DHS will picture of the chemical industry as a developers took issue with deviations undertake detailed evaluations of system in order to allow a reasonable from the original RAMCAP design. specific security issues as part of the analysis of economic and mission Another commenter pointed out the ongoing relationship between the criticality, which will be enhanced as need for DHS to include proper facility owner-operator and DHS. The the Department moves forward. references to the RAMCAP and its assessment tool that DHS uses to genesis. conduct comparative risk assessments 2. Assessment Methodologies Also related to RAMCAP, some must be uniform and consistent in order commenters expressed concern with the Comment: Many commenters for DHS to use it, and so a ‘‘menu’’ of details in Appendix B, ‘‘Background: provided input on methodologies that different methodologies is simply not Risk Analysis and Management Critical DHS should use for determining which practical. Asset Protection (RAMCAP) Finally, DHS notes that there were facilities present a high level of risk, and Vulnerability Assessment several comments from companies, several commenters had suggestions as Methodology.’’ In particular, some encouraging the Department to adopt or to how DHS should determine which expressed concern about expectations require their own methodology or facilities are high-risk. One association that the noted threat scenarios would be technique. DHS is unaware of the extent asserted that DHS needed to clearly analyzed as design basis threats. The of peer review or scientific evaluation of define the ‘‘risk of interest’’ before DHS commenters noted that many of the these other methodologies or could determine which methodology to scenarios require military support to techniques. In addition, DHS does not use. One (non-chemical) company defeat, and that appears to be beyond believe it is appropriate to identify a suggested that DHS use other Federal the capability of a chemical facility to single commercial product or endorse programs such as the EPA’s Toxics address. Associations noted that particular commercial products for Release Inventory or the Superfund scenarios can be useful in a comparative purposes of complying with this rule. Amendments and Reauthorization Act top-screen, but that they should not (SARA) Tier II annual reports to guide all facility-specific assessments. 3. Risk-Based Tiers determine high risk facilities. One company opined that the threats In the Advance Notice, the Commenters addressed the suitability of needed to be more realistic before they Department asked for comment on the both asset- and scenario-based were used in any assessments. notion of risk-based tiering of high-risk approaches, with the majority favoring Finally, one chemical company facilities. Specifically, the Department an asset-based approach. Commenters commented that DHS needs to list in the asked how many risk-based tiers should suggested that DHS consider specific rule the specific threats that facilities the Department create, what the criteria methodologies developed by need to address in their SSP. Also, the should be for differentiating among associations, national laboratories, or company indicated that DHS, not tiers, what the types of risk should be State and Federal agencies. One individual companies, should most critical in the tiering, how should association suggested that DHS use determine deaths and injuries. performance standards differ among other methodologies while RAMCAP Response: In the Advance Notice, risk-based tiers, what additional levels continues to develop and mature. State DHS sought to provide an overview of of regulatory scrutiny should DHS apply agency commenters warned that the RAMCAP and the DHS Methodology to each tier. 71 FR 78276, 78283. question of which facilities pose a high Assessment in the preamble (see, e.g., Comment: Most commenters risk is a community-specific issue. pp. 78277–78288) and in Appendix B. supported the establishment of risk tiers Many comments were very specific as As there seemed to be confusion about and agreed that three or four tiers would to how DHS should proceed, and what the nature and purpose of RAMCAP and be sufficient. Several comments, tools DHS should employ. For example, the DHS Assessment Methodology (or including industry commenters, State an engineering firm focused on the need CSAT) and its purpose, DHS provides agencies, and a member of Congress for process-based assessments. A further explanation here. believed that DHS should base tiering chemical company noted the need for The CSAT vulnerability assessment on the attractiveness of the facility as a any approved methodology to also tool, part of the CSAT system owned by target or the consequences of a terrorist consider the criticality of surrounding DHS, is an asset-based vulnerability attack, such as adverse impacts on and supporting infrastructure in a assessment tool very similar to the public health and welfare, the potential reasonable manner—that is, one that is Chemical Sector RAMCAP module. The for mass casualties, and disruption of

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17702 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

essential services. The commenter economic impact, and mission critical that reason, the Department cannot indicated that the creation of tiers aspects of the given chemicals and provide an exhaustive list of material would allow facilities to maintain Threshold Quantities (TQ) of the modifications. In general, though, DHS security measures commensurate with chemicals. The Department considers expects that material modifications risk. the methods for determining these tiers would likely include changes at a A few commenters suggested that to be sensitive anti-terrorism facility to chemical holdings (including DHS did not provide enough information that may be protected from the presence of a new chemical, information in the Advance Notice on further disclosure. The types and increased amount of an existing the number of tiers or on how a tier intensity of security measures chemical, or the modified use of a given classification would affect a facility’s (necessary to satisfy the risk-based chemical) or to site physical security requirements. Two industry performance standards in the facility’s configuration, which may (1) commenters were concerned that DHS Site Security Plan) will depend on the substantially increase the level of might apply the rule requirements to facility’s tier. The Department will consequence should a terrorist attack or facilities other than those that pose the mandate the most rigorous levels of incident occur; (2) substantially increase highest security risk. Two other protection and regulatory scrutiny for a facility’s vulnerabilities from those commenters believed that the tiering facilities that present the greatest degree identified in the facility’s Security approach is not appropriate for cyber of risk. Finally, pursuant to Section Vulnerability Assessment; (3) security of control systems. One 550(a), it is in the discretion of the substantially effect the information commenter argued that tiers should Secretary to apply regulatory already provided in the facility’s Top- include consideration of the requirements to those facilities that Screen submission; or (4) substantially transportation of chemicals outside the present high levels of security risk; effect the measures contained in the facility property. Another commenter accordingly, the Department believes it facility’s Site Security Plan. recommended that DHS should modify is most appropriate for the Secretary to 2. Submitting a Site Security Plan the tiers after it receives data from determine which facilities present high- regulated facilities. Another commenter risk (and not, for example, rely solely on Comment: Several industry thought that DHS should define output from the CSAT process). commenters recommended changes to ‘‘present high levels of security risk’’ The Department incorporates the the proposed process for notifying and ‘‘high risk’’ at the end of the concept of ‘‘target attractiveness’’ into facilities to submit SSPs and the timing RAMCAP process and not at the its risk equation. Insofar as it is a fairly for submitting the SSPs. A number of discretion of the Secretary. subjective element, and that it requires commenters believed that the most Commenters suggested that tiers considerable analysis to develop, DHS appropriate person to submit an SSP is should be objective and transparent and will not incorporate it into the initial a corporate representative with first- hand knowledge of security matters at should provide flexibility. One industry tier assignment process. However, the facility, rather than an officer of the commenter pointed out that tiering insofar as ‘‘target attractiveness’’ is corporation, as proposed. The allows DHS to focus on the most included in the more detailed Security comments recommended allowing a important facilities first and believed Vulnerability Assessment component of that DHS should establish a de minimis corporate security contact, a security the regulatory process, and insofar as tier that sets thresholds below which a manager, or a consultant with delegated the final determination of tier placement facility does not have to complete the authority to submit information on will be based upon the complete Top-Screen tool. Two commenters behalf of the corporation. The analysis of risk, ‘‘target attractiveness’’ noted that tiering provides an incentive commenters indicated that, in most will, in fact, be an important element in for facilities to eliminate risk. instances, members of senior Some industry commenters and State tier assignment and subsequent risk management teams do not have day-to- and local agencies suggested that management efforts. day detailed knowledge on security facilities in higher risk tiers should have C. Security Vulnerability Assessments issues and, thus, cannot meet the more contact with DHS, and that lower- and Site Security Plans proposed qualifications. One of the risk facilities should have fewer security commenters added that the proposed layers implemented over a longer period 1. General Comments regulations appear to limit an of time, greater discretion, or fewer Comment: One association requested organization’s flexibility to assign inspections. One commenter, however, that DHS encourage, but not require, internal responsibilities for various believed there should be no difference facilities that are not high-risk to aspects of the regulations. Another in regulatory scrutiny or performance conduct vulnerability assessments as a commenter suggested that, in addition standards between tiers. best practice. to notifying a covered facility, the Response: The Department agrees Response: The Department has always Department should notify the facility’s with many of the commenters that the encouraged the chemical sector to corporate ownership (and/or parent risk-based tiering structure will allow analyze security vulnerabilities and will corporation) allowing a multi-facility DHS to focus its efforts on the highest continue to do so through voluntary corporation to prepare and submit a risk facilities first. To that end, the sector efforts even if the site has not response in an efficient and timely Department intends to retain the model been designated as high risk under this manner. proposed in the Advance Notice. See, rule. Response: The goal of this rule is to e.g., 71 FR 78276, 78283. In sum, the Comment: One commenter requested increase flexibility while embracing Department’s framework for risk-based that DHS define ‘‘material security for covered facilities, not to tiering will consist of four risk-based modifications,’’ as used in unnecessarily decrease flexibility. The tiers of high-risk facilities, ranging from §§ 27.215(c)(3) and 27.225(b)(3), or at rule obligates the chemical facility to high (Tier 1) to low (Tier 4). The least provide examples of circumstances submit the Site Security Plan; however, Department will use a variety of factors or events that rise to the level of as used herein, the term chemical in determining which tier facilities will ‘‘material modifications.’’ facility or facility shall also refer to the be placed, including information about Response: Material modifications can owner or operator of the chemical the public health and safety risk, include a whole host of changes, and for facility. While the owner or operator of

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17703

a chemical facility may designate 4. Approval of Site Security Plans sooner. One commenter agreed with someone to submit the Site Security Comment: In general, commenters updating SSPs annually, but not Plan, the owner or operator is supported the proposed submission and Security Vulnerability Assessments. responsible for satisfying all the approval processes for SSPs. While one Several commenters suggested the requirements under this part. Note that commenter endorsed proposed following for updates: every 2–5 years the Department has added requirements § 27.240(a)(3) stating that the for Tier 1 facilities, 3–5 years for Tier 2, for submitters in the rule (see Department will not disapprove an SSP and 3–7 years for Tier 3 and beyond. Numerous reviewers recommended § 27.200(b)(3)) and that the Department based on the presence or absence of a that the reviews be limited to discusses those new requirements in the particular security measure, another approximately every three years. Two Rule Provisions discussion of § 27.200. commenter believed that the See § II(B). Finally, it is presumed that companies and one industry association Department should have the authority to wanted reviews to follow major changes the covered facility is the most disapprove an SSP if a facility has appropriate party to notify its parent and not follow a set schedule. Many refused to include a widely-practiced reviewers wanted periodic replaced corporation or other related corporate and cost-efficient procedure that can entities as necessary. with a suggested frequency. severely reduce the risk posed by a Several commenters stated that the 3. Content of Site Security Plans chemical facility. Two commenters requirement to submit SVAs within 60 requested that the Department inform calendar days, and SSPs within 120 Comment: One commenter stated that, local law enforcement and first calendar days, starting on the date that until some of the initial regulatory responders when the Department is the facility is notified that it is elements regarding definition of risk reviewing an SSP in their community considered high-risk, is too short, and and the establishment of tiers is in and then inform them whether that plan therefore inadequate. One commenter place, it would be premature for DHS to was accepted or rejected. The noted that managing change in a safe publish details on Site Security Plans. commenters stated that the health and fashion requires significant thought and Another commenter stated that, based safety of responders may well depend careful planning to ensure that the on the consequence assessment, every upon whether the chemical facility has change itself does not create another site should be required to have specific an adequate SSP. hazard to the community, the security elements in place that Response: The Department may not environment, or employees. The prudently deter, detect, delay, and disapprove a Site Security Plan commenter also noted that developing respond based on their assigned tier submitted under this Part based on the and implementing an SSP that properly level. The commenter also stated that, presence or absence of a particular mitigates risk requires the security without some degree of access control security measure, as provided in Section manager to make appropriate revisions and physical security specificity based 550 of the Homeland Security to existing facility procedures and to on tier levels, there will be considerable Appropriations Act of 2007. The train employees and other affected confusion as to the exact considerations Department may disapprove a Site parties on these new procedures. needed to meet Department Security Plan that fails to satisfy the Another commenter expressed concern requirements. Another commenter risk-based performance standards that there is no specific date or time by encouraged DHS to abide by the established in § 27.230. which DHS must notify high-risk congressional mandate of Public Law The Department intends to work chemical facilities of their status. 104–113, as described in OMB Circular closely with local law enforcement and Likewise, there is no firm time by which A119, and ensure that voluntary first responders to provide adequate the Secretary will send out a notice consensus codes and standards are used homeland security information to them approving or disapproving an SSP. when they are applicable under the rule. under this rule. With regard to the time needed to Comment: One commenter review an SSP, one commenter stated Response: The Department has recommended that the Department first that DHS should issue a decision developed a means of assessing risk and complete the SSP review and approval approving or disapproving them within a tiering process as described in process for Tier 1 facilities, then, after 30 days of receipt of a completed plan. §§ 27.205 and 27.220. These methods soliciting feedback from the Tier 1 This timeframe would bring at least anticipate, on a risk basis, a certain level facilities on the process, then proceed in most priority facilities into compliance of vulnerability for a given tier level. A a step-wise fashion to subsequent tiers. within seven months of the effective facility’s SSP will describe the Response: The Department will date. The commenter also stated that, appropriate levels of security measures implement the rule in a phased given the urgency, any ‘‘objections’’ or that a facility must implement to approach but will not necessarily ‘‘appeals’’ should be processed after the address the vulnerabilities identified in complete all Tier 1 sites prior to seven-month schedule is completed. their SVA and the risk-based undertaking plan review and approvals Because of concern that DHS staffing performance standards for their tier. The with lower-tier chemical facilities as the levels might delay the processing of Department has included risk-based need arises. This is necessary to make SSPs, another commenter requested a performance standards in this interim sufficient progress with higher-tier provision be included in the interim final rule and will publish further chemical facilities and not only the final rule indicating that facilities are guidance on the risk-based performance highest tier. deemed in compliance after 30 days of standards. The risk-based standards submission of SVAs and SSPs until 5. Timing address, among other things, such time that the Department reviews vulnerabilities under the security Comment: One concern raised by an and responds to the submission. concepts of detection, deterrence, delay, industry association related to DHS’s A few commenters recommended that and response. Finally, the Department resources for reviewing Security the deadline for Tier 1 facilities to notes that covered facilities may use and Vulnerability Assessments and submit SSPs be extended from 120 days cite voluntary consensus codes and providing responses in 20 days. Changes to 180 days. The commenters believe standards in their SVAs and SSPs to the to control systems were suggested for that this extension would assure extent they are appropriate. reviews and updates within 7 days or facilities adequate time to assemble the

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17704 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

best teams, prepare thorough SVAs, deal unless DHS periodically reviews its At this time, the Department will only with budget planning for potentially resources and expertise. permit Tier 4 facilities (found to be Tier large capital expenditures, and ensure A number of industry associations 4 facilities following the Department’s the on-site work is properly conducted. offered their own approaches and a food preliminary tiering decision pursuant to Another commenter agreed that the industry association commented on the § 27.220(a)) to submit an ASP in lieu of proposed submission schedule for need to keep their current programs in an SVA. Tier 4 facilities may submit for submitting SSPs was unrealistic in light place and to not unduly focus on review and approval the Sandia RAM of the tasks involved. The commenter ammonia refrigeration risks. MTSA-, for chemical facilities, the CCPS also thought that, if DHS found fault Sandia-, and NFPA-approved programs Methodology for fixed chemical with a provision of the SVA, it would were among those mentioned by the facilities, or any methodology certified be unreasonable to begin development commenters, as were those allowed by CCPS as equivalent to CCPS and has of an SSP based upon a potentially under other regulations. Some equivalent steps, assumptions, and flawed assessment. Consequently, the commenters found the specific process outputs and sufficiently addresses the commenter argued that the submission for approval of alternative programs to risk-based performance standards and time of 120 days should be started only be lacking in detail. One association CSAT SVA potential terrorist attack after the Department’s approval of the requested that submitters just send in a scenarios. The Department is requiring SVA is formally received. Yet another form saying they have an alternate Tier 1, Tier 2, and Tier 3 chemical commenter believed that submission of security plan, and not require any other facilities to use the CSAT SVA SSPs should be timed according to the document be submitted for approval. methodology for preliminary and final tier assigned to the facility and that the An advocacy group commented that tiering. As discussed above in the time clock should begin when the alternate approaches needed to be summary of changes to Rule Provisions, facility receives word back from the equivalent to the DHS approach, not just this will provide a common platform for Department on its preliminary tier sufficiently similar, and that DHS the analysis of vulnerabilities and will assignment. should approve equivalent State and ensure that the Department has a Response: The Department has local programs. Another advocacy group consistent measure of risk across the established a schedule for activities suggested that DHS should only industry. With respect to SSPs, the under this part that considers the need determine equivalency based on reviews Department will permit facilities of all to generally address the risks associated of individual SSPs, not in any blanket tiers to submit ASPs to satisfy the with higher tier facilities before that of or broad way. A third advocacy group requirements of this rule. lower tiers, but staggers the submittals The Department modified § 27.235 to supported a single, consistent approach and review and inspection activities. reflect these requirements. The set out by DHS with private sector The Department has developed the Department also amended the regulation programs being modified to conform to Chemical Security Assessment Tool to link the review and approval the DHS approach. One commenter (CSAT) to assist chemical facilities with procedures for ASPs to the review and noted that the specification of RAMCAP all of the program requirements approval procedures for SVAs and SSPs. may have created an unfair playing field (registration, screening, SVA, and SSP). for other firms wanting to visit the D. Risk-Based Performance Standards In addition, because information from source company for RAMCAP. the CSAT applications will be in In the Advance Notice, DHS sought electronic form, DHS will be able to Response: The Assistant Secretary comment on the use of risk-based expedite its review of the information will review and may approve an ASP performance standards to address that chemical facilities submit. These upon a determination that it meets the facility-identified vulnerabilities. The deadlines are both prudent and requirements of this regulation and Advance Notice proposed that DHS achievable. DHS expects that it will provides an equivalent level of security require covered facilities to select, complete its review of the Top-Screen, to the level of security established by develop, and implement security SVA, and SSP within 60 days of the this part. In its ASP submission, a measures to satisfy the risk-based facility’s submission of the Top-Screen, facility will have to provide sufficient performance standards in § 27.230. The SVA, or SSP. information about the proposed ASP to measures sufficient to meet these ensure that the Department can standards would vary depending on the 6. Alternate Security Programs adequately perform a review and make covered facility’s risk-based tier. Comment: The use of alternate an equivalency determination. Facilities would address the security programs was supported by As described below, certain facilities performance standards in the facility’s several chemical companies and may submit an ASP in lieu of an SVA, Site Security Plan, and DHS would associations as well as companies and an ASP in lieu of a SSP, or both. verify and validate the facility’s associations in related industries. A Accordingly, the ASP option will only implementation of the Site Security chemical company agreed with the be available following the facility’s Plan during an on-site inspection. concept of initially allowing multiple submission, and Department’s review, methodologies and then switching to a of the Top-Screen. An ASP for an SVA 1. General Approach to Performance common methodology for at least the will need to satisfy the requirements Standards Tier 1 facilities; they encouraged DHS to provided in § 27.215, and an ASP for an Comment: The majority of the still allow alternate approaches for other SSP will need to satisfy the commenters supported the proposed tiers. This viewpoint was echoed by at requirements provided in § 27.225. The regulatory approach due to the least one association. Several companies ASP for the SSP will need to describe flexibility that the risk-based wanted to ensure that existing plans specific security measures, or metrics performance standards provide to the could be used and one association noted for measures, that will allow the ASP to regulated community in choosing that more methodologies than just those be considered equivalent to an security measures for their respective approved by the Center for Chemical individually-developed SSP, and facilities. The proposed approach Process Safety (CCPS) would be facilities implementing an ASP will be acknowledges the fact that each of the appropriate. Commenters also noted subject to DHS inspection against the facilities faces different security that CCPS should not be the sole arbiter terms of the ASP. challenges. A few commenters noted

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17705

that the goal of the performance performance standards that directly guidance to assist the regulated standards should be to reduce apply to its facility and its risk-based community in the interpretation and vulnerabilities identified in the SVA, tier. One commenter thought that, in application of the proposed not necessarily reduce all potential certain circumstances, a covered facility performance standards. They consequences or mandate the use of should be able provide adequate encouraged the Department to work specific countermeasures. chemical security without with the regulated community on the By contrast, some other commenters implementing every one of the risk- development of such guidance. opposed the Department’s proposed based performance standards. The However, some of these same regulatory approach, noting various commenter stated that the regulations commenters also emphasized that, to reasons: that the Advance Notice was should allow for situations where the effectuate Congress’ intention that the too prescriptive in certain areas; that facility can demonstrate that, under its chemical security requirements be risk- performance standards are open to particular circumstances, one or more of based performance standards rather interpretation and thus can become the risk-based performance standards is than prescriptive requirements, DHS discretionary, interpretive, and unnecessary or redundant. must explicitly make the guidance non- sometimes arbitrary; that chemical Response: Congress intended for the binding. Consistent with the comments companies may be allowed under the performance standards to provide about CVI, one commenter discussed rule to make risk reduction facilities with a degree of flexibility in the importance of limiting public access determinations based on their available the selection of security measures, and to the completed guidance since it could risk reduction budget, rather than on the the Department has tried to provide that serve as a roadmap for terrorists. actual elimination or reduction of the flexibility throughout the rule. DHS Response: DHS intends to release most serious risks; that the rule allows expects that a facility will need to non-binding guidance on the enormous flexibility and variability in address only those performance application of the performance the documents that facilities can submit standards that apply directly to their standards in § 27.230 to the risk-based to the Department, which could make facility. In addition, DHS notes that tiers of covered facilities. This guidance program review difficult and hinder any there may be circumstances in which a will contain sensitive information comparative analysis of risk reduction facility needs not implement one or concerning anti-terrorism measures, and efforts among similar sites. more of the risk-based performance DHS will make that guidance available Response: The Department’s statutory standards and will still be able to to those individuals and entities with an authority mandates the issuance of provide adequate chemical security; the appropriate need for the document. DHS performance standards. Section 550 Department will work with these will provide the guidance to the House requires the Department to issue interim facilities on a case-by-case basis in these of Representatives Committee on final regulations ‘‘establishing risk- specific situations. Homeland Security and the Senate based performance standards for Comment: Several commenters stated Committee on Homeland Security and security chemical facilities.’’ See that the proposed standards do not Governmental Affairs. § 550(a). Also, as noted in the Advance include clear security goals, outcomes, Notice, Executive Order 12866 also or results to measure increased security. 2. Comments About Specific directs federal agencies to use They also asserted that DHS should Performance Standards performance standards. See 71 FR develop a measurement of vulnerability Comment: Several commenters 78276, 78283. Performance standards or risk reduction. One commenter requested clarification about the avoid prescriptive requirements, and suggested that chemical facilities should performance standards in proposed although they provide flexibility, they identify operational and protection § 27.230(a). A few asked whether still establish and maintain a non- goals and that the protection system paragraph (a)(5) is intended to cover all arbitrary threshold standard that should be evaluated with respect to Department of Transportation hazardous facilities will have to reach in order to meeting these goals. Another materials and whether it is intended to gain DHS approval under the regulation. commenter suggested that DHS express cover transportation and storage of The ultimate purpose of the the performance standards in terms of hazardous materials. One suggested that performance standards is to reduce overall vulnerability scores as measures paragraph (a)(5) should include a vulnerabilities, and that is regardless of via a common Security Vulnerability provision for securing and monitoring risk reduction budgets. Assessment methodology. This the storage of hazardous materials, in With respect to documentation, alternative would allow facilities to addition to securing and monitoring the except as provided in § 27.235 for devote their security expenses to those shipping and receipt of hazardous Alternative Security Programs, DHS is measures that would produce the materials. Commenters also requested requiring facilities to electronically greatest vulnerability reductions and that DHS have facilities report submit all documentation required for would result, nationally, in the greatest significant security incidents to local analysis and approval. Facilities will amount of overall vulnerability law enforcement in addition to the complete the Top-Screen, Security reduction per dollar spent. Department. Another commenter Vulnerability Assessment, and Site Response: DHS intends for the risk- indicated that the Department should Security Plans through the online, Web- based performance standards to provide require the following additional based CSAT system. This electronic facility owners with the flexibility to elements in the performance standards: submission will minimize the choose security measures in their Site written job descriptions for security variability concerns and allow DHS to Security Plan that will reduce the personnel, adequate response teams and manage and protect information. facility’s level of risk. The Security resources, safe shutdown procedures, Comment: Regarding the application Vulnerability Assessment process, and evacuation procedures, and of the performance standards, some DHS’s resulting placement of the facility decontamination facilities. In addition, commenters thought that facilities within the tier structure, will provide another commenter asked that DHS should not have to address all facility owner-operators with an define ‘‘dangerous substances and performance standards (listed in indication of their level of risk. devices’’ as used in § 27.230(a)(3)(i), § 27.230) in their Site Security Plan and Comment: Many commenters ‘‘potentially dangerous chemicals’’ as should only have to address those supported DHS’s intention to issue used in § 27.230(a)(6), and ‘‘significant

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00019 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17706 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

security incidents’’ and ‘‘suspicious one site’s vulnerability poses a risk to development of specific performance activities’’ as used in §§ 27.230(a)(15) other connected sites. standards for each tier. Various and 27.230(a)(16). Another commenter Response: The Department recognizes commenters favored the Department’s asked to whom facilities should report that cyber security is an issue and has proposal to place high-risk facilities in ‘‘significant security incidents.’’ included cyber security as one of the risk-based tiers and to prioritize the Response: These comments relate to performance standards that facilities implementation phase-in and the level the measures that facilities must select, must address in their Site Security of regulatory scrutiny (i.e., frequency of develop, and implement in their Site Plans. Paragraph (c)(8) requires facilities regulatory reviews, inspections and Security Plans. The Department will to select, develop, and implement SVA/SSP updates) based on the provide information in guidance to measures that ‘‘deter cyber sabotage.’’ In facility’s risk and associated tier. facilities on these measures. That might addition, the Department notes that it Commenters noted that DHS should include information on the meaning of has implemented an assessment of cyber require facilities in higher risk tiers to these terms, details on the parties to vulnerabilities for industrial control develop more robust measures to meet whom facilities should report security systems within the CSAT Security the performance standards. incidents and suspicious activities, and Vulnerability Assessment. The In contrast, a few other commenters explanations about the role of local law Department has accomplished this had differing opinions. A small number enforcement (e.g., the Department’s through the assistance of DHS’s of comments cautioned that recognition that some investigations of National Cyber Security Division performance standards should be potentially illegal conduct may be the (NCSD). DHS appreciates the consistent across all tiers, regardless of role of local law enforcement). complexity and uniqueness of the level of risk. These commenters In addition, DHS also notes that it has addressing cyber security with chemical noted that DHS should adjust the made a few changes to the regulatory facilities and anticipates that the CSAT specific measures, not the performance context based on these comments. As will mature over time, especially with standards, to match the level of risk. In discussed in the summary of regulatory the constructive feedback from addition, one commenter stated that text changes, the Department has interested and knowledgeable parties. DHS should not establish risk-based Comment: The Department received revised paragraphs (a)(5), (8), (12), and tiers and should instead identify the numerous comments on its use of the (15). criteria for those facilities that will be acronym ‘‘SCADA’’ in § 27.230(a)(8). regulated and those that will not. If DHS Comment: Several comments Commenters asserted that SCADA refers were to establish tiers, that commenter discussed the need for approaches that to a central control system that monitors thought DHS should limit the tiers to address cyber security risks, with and controls a complete site or a system high or low risk. several asserting that it is not sufficient spread out over a long distance. They Response: As discussed above in for DHS to consider security only from noted that using the term SCADA to Section III(B)(3), DHS is creating four a physical perspective. Commenters represent cyber systems at chemical risk-based tiers, with the highest risk opined that there were very few specific facilities is too narrow and suggested facilities in the top tier (i.e., Tier 1). The references to cyber security in the that the Department should replace the types and intensity of security measures Advance Notice, even though it is term SCADA with ‘‘Industrial Control (sufficient to satisfy the risk-based important. Some commenters suggested Systems.’’ performance standards in the facility’s that DHS should address cyber security Response: While the Department had Site Security Plan) will depend on the in more detail in its own performance used the acronym ‘‘SCADA’’ facility’s tier. For facilities that present standard (i.e., a performance standard (Supervisory Control and Data the greatest degree of risk, more rigorous that only addresses cyber security), Acquisition) in the Advance Notice as security measures will be needed to while others suggested that DHS should shorthand for instrumented control satisfy the performance standards. The integrate cyber considerations into other systems in general, the Department Department will use a higher level of performance standards. Other agrees with the comments and has regulatory scrutiny for facilities that commenters asked DHS to identify the incorporated broader, more descriptive present the highest risk. scope of ‘‘cyber’’ security and ‘‘other terminology into this performance DHS consulted with the chemical sensitive computerized systems’’ in standard. The Department has revised industry in developing the tier system paragraph (a)(8). § 27.230(a)(8), so that it reads as follows: and performance standards. In adopting Commenters also raised other issues ‘‘Each covered facility must select, the four tier system and applicable risk- related to cyber security. One develop, and implement measures based performance standards, DHS commenter mentioned that cyber or designed to: * * * [d]eter cyber intends to employ a scalable joint physical/cyber intrusions could sabotage, including by preventing performance standard across the tiers, create dangerous chemicals that did not unauthorized onsite or remote access to i.e., within the same performance previously exist. Consequently, critical process controls, such as standard, a more robust set of security commenters thought that DHS should Supervisory Control and Data measures will be needed for a Tier 1 address these contingencies in the Acquisition (SCADA) systems, facility than for a Tier 2 facility, for a screening process and/or issue an Distributed Control Systems (DCS), Tier 2 facility than for a Tier 3 facility, expansive list of chemicals. Other Process Control Systems (PCS), and so on. DHS will ensure that risk- commenters noted that the RAMCAP Industrial Control Systems (ICS), critical based performance standards are approach was not designed to address business systems, and other sensitive applied consistently across each tier, control system cyber security. A few computerized systems.’’ but guidelines for each tier will vary. other commenters believed that the Comment: A few commenters also tiering approach is not appropriate for 3. Variations in Performance Standards supported the idea that a facility, which cyber security of control systems. for Risk Tiers the Department has previously Additionally, commenters mentioned Comment: Several commenters determined is ‘‘high risk,’’ can request that it is important to consider that supported the use of risk-based tiers, that the Department move it to a lower facilities with interconnecting electronic with several recommending that DHS tier if it has materially altered its systems could face additional threats as consult with industry in the operations in a way that significantly

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17707

lowers its potential vulnerabilities and association presented an analysis of the interests and in response to government consequences. four MTSA standards and concluded programs. The commenters urged that Response: Pursuant to § 27.205(b), ‘‘if that they were largely duplicative of, or the level of screening for existing a covered facility previously determined potentially inconsistent with, existing employees and contractors should be to present a high level of security risk categories of performance standards commensurate with the access has materially altered its operations, it presented in the Advance Notice. The provided. While some commenters may seek a redetermination by filing a commenter stated that the MTSA wanted existing employees who had Request for Redetermination with the standards were not performance undergone employee screening before Assistant Secretary, and may request a standards, but mandatory particular hire to be ‘‘grandfathered’’ from any meeting regarding the request.’’ DHS has security measures, in direct conflict new requirements, other commenters retained that provision in this interim with Section 550. Through a similar thought that existing employees should final rule. This provision allows DHS to section-by-section analysis of the MTSA be subject to screening when they are re-evaluate risk based upon changes at provisions, a chemical manufacturer assigned to secure areas or have the the facility in process, chemistry, or found several provisions to be potential to be reassigned. An other factors. DHS, through the compatible with performance standards, association recommended checking Assistant Secretary, intends to evaluate but others too prescriptive or current employees with less than five such proposed measures on a case-by- incompatible with activities in chemical years seniority within six months of the case basis. facilities. effective date of the program and more In evaluating the redetermination, Another association representing senior employees within one year. DHS will consider whether the planned chemical distributors stated that only a Several commenters argued that, action actually reduces risk (as opposed tiny fraction of its members relied on extending the proposed requirements to to simply ‘‘moving’’ the risk into the waterways to distribute chemicals and, contractors, subcontractors, truck community around the facility) and accordingly, recommended against drivers, and delivery and repair does so without compromising security. adoption of the standards. personnel, and others who are Where these parameters are met, DHS Response: The Department agrees frequently on site, would create serious will approve the plan and re-evaluate with the commenters who difficulties because of the large numbers the tier placement for the facility in recommended against adopting the of individuals in these categories, the question. Pursuant to § 27.205(b), the MTSA provisions referred to in the need to have them available on short Assistant Secretary will notify the preamble of the Advance Notice. As the notice, redundancy of existing facility of the Department’s decision on commenters noted, these provisions credentials, cost of new credentialing, the Request for Redetermination within either duplicate current standards, and delay while screening is completed. 45 calendar days of receipt of such a conflict with current standards, or Chemical companies explained that Request or within 45 calendar days of a mandate particular security measures in they rely heavily on contractors and meeting regarding the Request. conflict with the statute. expect the contracting company to be Comment: One commenter noted that Comment: One association noted that, responsible for assuring that their how performance standards vary across because many of its members had employees meet security requirements. tiers would depend on the criteria used facilities on waterways, member Commenters suggested that officers to establish the tiers. companies often developed MTSA-type hired by the facility supervise Response: DHS will assess all approaches to Security Vulnerability contractors and sub-contractors without facilities based upon worst plausible Assessments and Site Security Plans to background checks. case scenarios as applicable to each establish some uniformity across The commenters also addressed the facility. facilities. Another commenter suggested types of background checks that DHS is considering, including the personal 4. Adoption of MTSA Provisions that when an owner of multiple facilities has some covered by MTSA information required, and whether The Advance Notice solicited and others by the chemical security name checks against the Terrorist comment on whether DHS should adopt rules, MTSA could be an ASP if applied Screening Database and fingerprint- various provisions from MTSA as to non-MTSA facilities. based checks for terrorism, criminal elements of the chemical security Response: Where the application of history, or immigration status would be program. In particular, DHS asked MTSA practices is sufficient, it may be required. A number of commenters whether it should adopt the following considered a valid ASP. DHS will urged DHS to tailor the degree of performance standards in addition to review and consider adoption of MTSA scrutiny to the degree of employee the standards already listed in 6 CFR plans to non-MTSA facilities on a case- access to sensitive locations. Private 27.230: 33 CFR 105.250 (Security by-case basis. The Department does not screening firms described systems that systems and equipment maintenance), intend to require duplication of effort collect more detailed information and 33 CFR 105.255 (Security measures for where responsible facilities have enhanced verification depending on the access control); 33 CFR 105.260 implemented adequate security applicant’s access. Operators of private (Security measures for restricted areas); measures. screening systems state that they 33 CFR 105.275 (Security measures for typically rely on the database screens monitoring); 33 CFR 105.280 (Security E. Background Checks for candidates with potential terrorist incident procedures). See 71 FR 78276, Under the Advance Notice, covered connections. A chemical industry 78284. facilities would be required to perform association supported screening of Comment: Of the several comments appropriate background checks on and chemical facility employees for received on the request, the majority ensure appropriate credentials for terrorism, criminal records, and opposed adopting the standards, facility personnel and, as appropriate, immigration status. characterizing them as highly detailed for unescorted visitors with access to One commenter explained that and prescriptive and, as such, restricted areas or critical assets. biometric testing in a chemical incompatible with the risk-based Comment: Numerous commenters environment can fail because of performance standards proposed for stated that chemical facilities already smudging and deterioration of chemical facilities. A chemical industry screen their employees for their own fingerprints over time, while another

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17708 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

believed that adequate field testing had commenters stated that third parties critical assets, and a list of the not been completed. Another were already providing background employees requiring background commenter explained that biometrics checks for thousands of employees of checks, shall be detailed in the Site and other verification techniques will chemical facilities. Other commenters, Security Plan that the facility submits to not foil a person who has stolen an including organizations that provided the Department for approval. The rule identity to pass the screen. The screening services, maintained that does not include a provision that would commenter recommended that existing programs for screening exempt certain employees from the authentication techniques, in addition applicants and employees for chemical personnel surety performance standard to validation and verification, be facilities were reliable, effective, and based on length of employment at the applied to applicants with access to inexpensive. Another commenter wrote facility. Merely because an individual secure locations. In response to the that one program operated through has worked in a chemical facility for a proposed use of a list of disqualifying safety councils might be eligible as an period of time without incident does not crimes to reject applications for alternate security program, although a automatically mean that they do not clearance, a number of commenters chemical company suggested not using pose a terrorism risk and should be urged DHS to restrict the crimes to those safety councils, because their standards given free access to restricted areas and that were most clearly linked to were too lax. critical assets without a background potential for terrorism. The commenters, A few commenters favored the check. Allowing such access without a both unions and chemical companies, government’s undertaking background background check presents an argued that loyal employees can lose checks because, unlike private unacceptable security risk, and is their jobs or fail to qualify for hire companies, the government has access contrary to the performance standard on because of misdemeanors, such as to terrorist databases and FBI databases, personnel surety. This is not to say, missing a few months of child support, and because the government, unlike however, that employers may not or crimes that are not good predictors of employers, would be immune from legal consider an employee’s prior history of the potential for terrorism. One challenges from a rejected employee. employment and service in making commenter recommended adoption of Opposition to government responsibility personnel decisions. It should also be an appeal process that allows a came from several commenters who noted that nothing in this regulation disqualified person to explain why he or were concerned about slow completion prohibits a person that has been she is no longer at risk, similar to the of background checks, and that the convicted of a misdemeanor offense process under MTSA regulations. backlog might be exacerbated by a new from being employed at a high risk The preamble also requested chemical security program. chemical facility. comment on whether the access A few commenters, including three Second, DHS views the background provisions of the Transportation Worker unions, strongly urged that the system check process as one of the many pieces Identification Credential (TWIC) provide an appeals process for affected of the Site Security Plan, and as such, Program, Hazardous Materials applicants whose employment will require that it be completed and Endorsement (HME), ATF requirements, prospects in the chemical industry and submitted with the Site Security Plan. or other structured programs should elsewhere could be seriously affected by Once the facility receives the Letter of apply to chemical facility security an erroneous determination. Private Authorization under § 27.245 denoting programs. A few commenters supported services noted that they notified preliminary approval of the Site the concept that the screening required applicants of adverse decisions and Security Plan, the facility may then for the TWIC program should be allowed them to contest the decisions. proceed with all necessary background acceptable for the chemical security Response: DHS believes that checks, if it has not done so already. All program. Indeed, many chemical personnel surety is a key component of employees required in the SSP to have facilities are on bodies of water and a successful chemical facility security a background check should be included employees were already compliant with program. This component of the in the initial submission and must be the TWIC program. Another commenter performance standards will enhance duly vetted in accordance with the plan. took the opposite position that the security in what would otherwise be a This should not cause any interruption TWIC program did not provide the significant potential vulnerability. In the in work. customization available in existing Advance Notice, the Department Third, the Department understands screening systems to grade the level of requested comment on these that many covered facilities already screening based on employment and components of a background check perform background checks on assignment decision. Numerous program: (1) What individuals should employees and certain contractor comments maintained that an employee have a background check? (2) When employees, and with some or contractor who was credentialed should the check be required? (3) What modifications, will allow that process to under the TWIC, HME, ATF, or similar type of background check should be continue. In order to perform an programs should not need additional conducted? And (4) Should the federal appropriate background check for the security screening under the chemical government conduct the check? We purpose of protecting critical assets and security program. Related comments address each of these four issues below. restricted areas of high risk chemical requested portability of security checks First, DHS agrees that the level of facilities from persons who pose a for employees or contractors cleared by screening for employees and contractors terrorist threat, the Department has another chemical facility. One should be commensurate with the made some modifications to the commenter recommended that DHS access provided. As part of this personnel surety performance standard establish a national repository of cleared approach, the facility shall identify in the regulation. The Department will personnel to minimize redundancy and critical assets and restricted areas and consider appropriate open source expense. establish which employees and background checks as an acceptable With respect to the question of contactors may need unescorted access response to the background check whether the government should conduct to those areas or assets, and thus must performance standard. Specifically, the background checks or whether the undergo a background check. A Department will consider as appropriate industry could use authorized third facility’s approach to personnel surety, a background check process that verifies parties to conduct the checks, three including its defined restricted areas, its and validates identity; includes a

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17709

criminal history check of publicly or finding and how the applicant may facility’s Site Security Plan. This will commercially available databases; contest the finding. Applicants will help the inspector to determine whether verifies and validates legal authorization have the opportunity to seek an the facility has adequately implemented to work through the I–9 process; and adjudication proceeding and appeal the risk-based performance standards in includes measures designed to identify under Subpart C. its Site Security Plan. With respect to people with terrorist ties. This last requests for records, the Department F. Inspections and Audits standard can be achieved by checking expects that facilities will produce the against the consolidated Terrorist Numerous comments addressed the records—whether located onsite at the Screening Database (TSDB). The proposed provisions for auditing and facility, at corporate headquarters, or in Department modified the performance inspecting chemical facilities to any other location—that are relevant to standard at 6 CFR § 27.230(a)(12) to determine compliance and allowing the security of the facility. The reflect these changes. certified third-party auditors to Department has added some additional Fourth, while much of the supplement DHS personnel at lower tier language in the rule about the background check process can be facilities. While DHS has responded, to production of records. See accomplished by commercial methods, the extent that it is able, to the § 27.250(d)(4). the check of the Terrorist Screening comments below, DHS also notes that it With respect to scope of inspections, Database is an inherently governmental will issue guidance that identifies DHS is not narrowing its scope to cover function that necessarily includes a appropriate processes for inspections only those items covered in the facility’s check of classified databases that are not and provides specifics about the records Security Vulnerability Assessment and commercially available. The Department that must be made available to DHS Site Security Plan; DHS needs the will augment the background check in upon request. See §§ 27.250(d) and appropriate discretion to inspect those the SSP with a TSDB check. The 27.255. That guidance will provide items and areas that are related to the Department has determined a TSDB further detail. security of the facility. However, DHS check is necessary for the purpose of 1. Inspections has no intention of inspecting areas that protecting critical assets and restricted are unrelated to security. areas of high risk chemical facilities Comment: Section 27.245(a) in the Comment: One industry association from persons who pose a terrorist threat. Advance Notice provided that DHS may noted that § 27.245(b)(1) of the Advance DHS will designate a secure portal or ‘‘enter, inspect, and audit the property, Notice suggested that security measures other method for the submission of equipment, operations, and records of (which DHS requires for final approval application data for each employee or covered facilities.’’ One commenter of the Site Security Plan) should be in contractor for whom a TSDB check is asserted that DHS should inspect and place at the time that DHS inspects a required in the SSP. The Application audit using an approved or facility. The commenter stated that, if data will be the name, date of birth, preliminarily approved Site Security facilities address vulnerabilities through address, and citizenship, and if Plan and not on other criteria outside capital improvements, facilities are applicable, the passport number, DHS the scope of the Site Security Plan. In unlikely to have these security measures redress number,1 and information addition, commenters indicated that in place within the stated time frame. In concerning whether the person has a DHS need not inspect equipment and such cases, the commenter DHS credential or has previously records related to operations outside the recommended that DHS use a timeline applied for a DHS credential. vulnerabilities identified in the facility’s approach, detailing an implementation To minimize redundant background Security Vulnerability Assessment and schedule of prioritized security checks of workers, DHS agrees that a protected in the Site Security Plan; the measures, and include that timeline in person who has successfully undergone commenter thought that such a facility’s Site Security Plan. a security threat assessment conducted inspections would go beyond what is Response: The commenter is correct by DHS and is in possession of a valid required to ensure that high-risk in noting that DHS expects that facilities DHS credential such as a TWIC, HME, chemical facilities are secure. In will have met the requirements of NEXUS, or FAST, will not need to addition, one commenter requested that § 27.225 (i.e., the facility will have undergo additional vetting by DHS. DHS revise the scope of inspection to developed and submitted a Site Security Even so, the facility shall submit the property, equipment, operation, and Plan, which the Department will have name and credential information for records covered in a facility’s Site preliminarily approved) when the these persons along with the application Security Plan. Department visits the facility for an data for other employees. Facilities shall Response: During inspections, inspection or audit. See § 27.250(b)(l). not allow unescorted access to a critical authorized DHS officials may inspect One of the purposes of the inspection is asset or restricted area to a person in equipment, view and/or copy records, for the Department to determine possession of a DHS credential unless and audit records and/or operations. whether facilities have adequately information on that person has been This section imposes an affirmative implemented their Site Security Plans. submitted as discussed above. obligation on facilities to cooperate with However, the Department realizes that DHS will screen each applicant and authorized DHS officials, including there may be circumstances where determine whether the applicant poses inspectors, and allow inspections and facilities will have to implement a security threat. Where appropriate, audits. DHS will inspect a covered security measures through capital DHS will notify the facility and facility following DHS’s preliminary improvements, and that can take time. applicant via U.S. mail, with approval of the facility’s Site Security Based on the Department’s assessment information concerning the nature of the Plan. DHS may also inspect facilities of risk at a given facility and the outside of the Site Security Plan realities of getting security measures 1 A DHS redress number is issued by DHS to an approval cycle if there are exigent into place, the Department will work individual who has successfully completed a circumstances or special security with facilities on a case-by-case basis. redress inquiry, in which the inquiry resolved a concerns. During the course of Where the Department believes that previous false-positive match to a watch list record. Redress inquiries can be submitted directly to DHS inspections, an inspector may ask a extra time is warranted, the Department as part of the DHS Traveler Redress Inquiry facility to demonstrate the effectiveness will work with facilities to incorporate Program (DHS–TRIP). of a given security measure found in the that time into the facility’s Site Security

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17710 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

Plan and into the Department’s timeline unannounced inspections for facilities To accommodate those circumstances, for inspecting the facility. that had significant deficiencies in the DHS has identified two exceptions. See Comment: Various commenters prior inspection or that have had an § 27.250(c). DHS had identified one requested clarification about the time unusual number of breaches. exception in the Advance Notice: If the and manner provisions found in Response: DHS has retained the Under Secretary determines that an § 27.245(c) of the Advance Notice. language that it used in the Advance inspection without notice is warranted Several commenters noted that the Notice. Authorized DHS officials will by exigent circumstances, the Under proposed regulations did not define the conduct audits and inspections during Secretary or Assistant Secretary may terms ‘‘reasonable times’’ or ‘‘reasonable reasonable times and in a reasonable approve such an inspection. The exigent manner’’ and asked the Department to manner. The nature of any given circumstances may include threat define those terms. In addition, some inspection will depend on the specific information warranting immediate commenters noted that the preamble circumstances surrounding a particular action. DHS adds a second exception in provided a timeframe for inspections facility’s operations at a given point in this interim final rule: If any delay in (‘‘during regular business hours of 9 time and will be considered in conducting an inspection might be a.m. to 5 p.m.’’) but that the Advance conjunction with available threat seriously detrimental to security, and Notice text did not specify that information. the Director of the Chemical Security timeframe. Other commenters indicated Commenters asked for clarification on Division, Office of Infrastructure that DHS should clearly outline the the times that DHS plans to conduct Protection determines that an inspection regularity of audits and inspections that inspections. While DHS expects that it without notice is warranted, the Field the Department will require for each will conduct many of its inspections Operations supervisor may permit an tier. during the regular business hours of 9 inspector to conduct such inspection. Several other comments discussed the a.m. to 5 p.m., DHS will not limit its This additional exception addresses the notice provisions in the rule. The inspections to regular business hours concerns of commenters who claimed Advance Notice provided that ‘‘DHS only. DHS must have the flexibility to the exception in the Advance Notice will provide covered facility owners and respond to information, operations, and was too restrictive. operators with 24-hour advance notice circumstances whenever they exist or Comment: Some commenters noted before inspections, except where the develop, and so DHS may have to that facilities may choose to validate Under Secretary or Assistant Secretary conduct inspections in the evening, at any government-issued credential for determines that an inspection without the purpose of inspectors gaining entry night, or during weekends. Security such notice is warranted by exigent onto a chemical facility. One commenter concerns are different at different times circumstances and approves such requested that, as part of the guidance, of the day and on different days of the inspection.’’ See § 27.250(c). Several DHS include information on the week, and so DHS must be able to assess industry associations believe that 24- security measures that will allow a the different security measures that hour advance notice would not be a facility to determine that the DHS facilities put into place, pursuant to sufficient amount of time for facilities to officials or third party auditors are their Site Security Plans. arrange for the appropriate personnel to legitimate. be available for the inspection. DHS has maintained the Advance Response: DHS will handle this issue Commenters suggested that DHS Notice provision that gives facilities 24- like other Federal agencies handle their provide more notice to facilities; hour advance notice before an respective inspectors and auditors. requests ranged from three to seven inspection. In some circumstances, DHS Individuals performing these days. Other commenters requested that, may provide facilities with additional inspections will carry Federal in addition to notifying the facility, DHS time. As a general matter, DHS believes government credentials identifying also provide local emergency that 24 hours is an appropriate and themselves as having official authority responders and local agencies tasked reasonable notice period, striking a to inspect. In addition, any chemical with regulating hazardous materials balance between providing the facility wishing to authenticate the facilities with a 24-hour advance notice Department with flexibility to determine identity of an individual purporting to as a courtesy. compliance with this regulation and represent DHS may contact the Others commented on the concept of providing regulated entities with appropriate DHS Chemical Security unannounced inspections. A member of sufficient notice to prepare for an Division official within the Office of Congress objected to the restrictions on inspection. Some commenters suggested Infrastructure Protection at DHS unannounced inspections, asserting that that DHS also provide advance notice headquarters. In addition, the the provision was a near-preclusion of about inspections to local emergency Department has provided some random audits, because approval by responders and local agencies. While additional regulation text on the issue of senior officials (i.e., the Under Secretary DHS may choose to notify local inspector credentials. See § 27.250(d)(1). for Preparedness or Assistant Secretary emergency responders or other agencies Comment: Several commenters for Infrastructure Protection) would on a case-by-case basis, DHS does not addressed the issue of training for make unannounced audits exceedingly believe it is necessary to include a inspectors. One commenter stated that it rare. Moreover, focusing such mandatory requirement in the rule. is DHS’s role to ensure that inspectors unannounced audits exclusively on Many commenters expressed concern and auditors are qualified in both facilities (or geographic regions) where that DHS is not able to conduct physical security and chemical agency officials determine that ‘‘exigent unannounced inspections. These processes. Others noted that, if circumstances preclude notice’’ concerns are unfounded: DHS will be inspectors and auditors do not have a presupposes that the agency is already able to conduct unannounced background in chemical manufacturing, in a position to know where exigent inspections when it complies with then DHS must adequately train circumstances exist. As a result it would internal policy. While DHS has a inspectors. Furthermore, that be far harder for the Department to general requirement for advance notice, commenter encouraged DHS to utilize a determine actual rates of compliance DHS recognizes that there may be cross functional team consisting of with regulatory requirements. An circumstances where advance notice is individuals with chemical process industry commenter would support not possible. knowledge and physical security

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17711

background and include a local area auditors in order to establish a auditors to appropriate state and local first responder on each inspection team minimum level of competency for third- government officials with familiarity of for each facility. The commenter noted party auditors. Other commenters stated the chemical process safety and security that many facilities maintain a close that training should include, among systems currently in place at the relationship with local emergency other things, information on physical chemical facility in question to ensure responders. One commenter indicated security, chemical processes, and safety the credibility and effectiveness of the that DHS inspectors should expect that operations. One commenter inspection and auditing program. Some chemical facilities may require them to recommended Sandia National other commenters suggested that State complete a safety overview before being Laboratory’s Risk Assessment and local entities could be a resource granted access to a facility; this is Methodology for Chemical Facilities base for audits and site visits, including regardless of the training that DHS (RAM–CF) training as an excellent those of higher tier facilities. provides to its inspectors. review in all aspects of chemical facility Commenters asked several other Response: DHS will use properly operation and security. One pointed out specific questions about DHS’s use of trained personnel to conduct that there is currently no certification third-party auditors. A chemical inspections. During inspections, DHS for control system cyber security company requested clarification on how intends to use teams consisting of auditors. Another commenter added DHS could delegate its authorities to Federal inspectors, many with that any DHS third-party inspectors third-parties. Another commenter backgrounds in law enforcement and should have a strong background and wanted the ability to seek legal remedies physical security, and experts in experience with the agricultural retail/ against third-party auditors. Other chemical manufacturing. DHS will put distribution segment of the chemical commenters raised the question of who inspectors through a rigorous training industry. The commenter encouraged would pay for third-party auditors, program, incorporating both classroom DHS to work with industry associations suggesting that DHS should. training and on-site visits, so that and industry experts on establishing the Some commenters argued for the use inspectors are informed on all aspects proper criteria to select certified third- of third-party audits at any chemical related to this regulatory program as party auditors that will be used to facility regardless of its tier ranking. well as on safety issues. These inspect agricultural retail or distribution One commenter noted that the eventual individuals will receive training on facilities determined to be covered by requirements for certification should be specific safety procedures, including these regulations. stringent, creating confidence that the OSHA’s Hazardous Waste Operations One commenter was concerned that auditor will be just as capable as DHS and Emergency Response Standard DHS had not effectively addressed inspectors of auditing or inspecting a (HAZWOPER), that they should use auditor independence and objectivity in high-risk facility. The commenter while visiting chemical facilities. If the Advance Notice. To remedy this suggested that, as a result, a certified chemical facilities request that concern, the commenter suggested that third-party auditor should also be inspectors receive facility-specific safety DHS define third-party auditor and allowed to conduct inspections at briefings or training, the Department address auditor concepts such as due ‘‘high’’ or ‘‘higher’’ risk facilities. Other will work with facilities to diligence, due professional care, auditor commenters noted that allowing third- accommodate those concerns, provided certification, auditor training, auditor party auditors to perform work at any that the additional safety training is indemnification, conformity assessment, chemical facility, regardless of its tier, reasonable given the nature of the audit/inspection methodology, etc. will increase the ability of DHS to expected inspection. Other commenters raised questions rapidly and effectively review security about third-party auditors and plans at chemical facilities by making 2. Third-Party Auditors and Inspectors information protection. One commenter sure sufficient numbers of inspectors are Comment: Numerous chemical stated that all third-party auditors must available at any given time. companies, industry associations, and be held to the same requirements and Other commenters opposed DHS’s use State and local agencies requested standards as applied to DHS officers and of third-party auditors altogether. A clarification on the roles and employees regarding the protection of chemical industry commenter opposed responsibilities of third-party auditors. confidential information; this includes DHS’s use of consultants, contractors, or Several commenters pointed out that information protected by law, such as vendors to perform audits and there is currently a lack of standards for PCII, Sensitive Security Information inspections of facilities based on third-party auditors, and some (SSI), or other applicable requirements. concerns about confidentiality and commenters noted that if DHS does not DHS should develop requirements and conflicts of interest. The commenter provide specific criteria for compliance, procedures, including the use of non- asserted that DHS-trained personnel are such audits will be very subjective. disclosure agreements, to prohibit best suited to understand the Several commenters asserted that there disclosure or use of confidential complexities of security in affected is a need for DHS to develop standards information developed or obtained facilities and to understand the and requirements for third-party during the auditing process. One importance of sensitive business auditors, including requirements for association, whose member companies information provided to DHS. certification, qualifications, already use third party audits, wanted Consequently, the commenter urged independence, objectivity, training and confirmation that the use of third-party DHS not to initiate the proposed re-training, confidentiality, ethical auditors would be in compliance with program without the appropriate level obligations, conflicts of interests, the CVI framework. of staff, training, and resources discipline procedures, and liability Three State agency commenters urged necessary to implement enforcement. insurance. the Department to clarify that the third- One commenter preferred that DHS Several commenters discussed the party auditor provision includes officials, not officials from other third-party auditor certification or qualified state and local assets to government agencies or non- approval process in detail. One conduct audit inspections and assist governmental organizations, conduct commenter pointed out that DHS would with Security Vulnerability third-party inspections or audits to have to develop either a professional Assessments and Site Security Plans. assess compliance; the commenter registration or licensing for third-party One commenter would limit third-party asserted that consistency of audits can

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17712 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

only be maintained if one agency, using commenter supported the training and recordkeeping the same inspection and/or audit recommendation by pointing out that all requirements that are made applicable procedures, performs the work. Several NFPA codes and standards are to drivers hauling covered chemicals other commenters disagreed with the developed through the voluntary should be the responsibility of the concept of third-party auditors unless consensus process and are accredited by transportation firms, not the facilities they were under contract to DHS and the American National Standards they service. met DHS hiring standards and training Institute (ANSI); that Congress, in Response: There are no specific certifications. They felt that if such an several cases has mandated the adoption requirements for recordkeeping of activity is important, then DHS should of NFPA codes and standards and that transportation activities in this rule. carry out the activity itself. Public Law 104–113, as described in H. Orders Response: The Department recognizes OMB Circular A119, mandated that that there are many important and voluntary consensus codes and Comment: Various commenters complex issues surrounding the use of standards be used when they are mentioned the remedies in proposed third-party auditors. Those issues applicable and to ensure that chemical §§ 27.300, 27.305, 27.310, and 27.315. include questions about whether it is facility safety be the primary concern. An industry group indicated that the appropriate for DHS to use third-party Response: Voluntary consensus rule should provide adequate protection auditors and if so, for which tiers of approaches to chemical facility security for recipients of penalty and cessation facilities; what the standards and will be addressed in guidance. However, orders, including the opportunity for an requirements would be for those third- the Department cannot mandate specific adjudicatory hearing before a neutral party auditors; and who would pay for security measures under this authority. hearing officer. The commenter third-party auditors. DHS continues to Comment: One chemical association suggested that the rule make clear that take these issues under advisement. found the requirements for the burden of proof lies with DHS, not DHS intends to issue a future recordkeeping to be excessive. the facility; that facilities may be rulemaking providing the details about Concerning training, the commenter represented by counsel; that the facility its plans to use third-party auditors. In stated that the location of the session is entitled to present evidence on its developing its proposed rule, DHS will and the name and qualifications of the behalf; that there be an orderly process consider these comments about third- trainer were not important, and the for the hearing officer to make a party auditors. Until that time, DHS will requirement for attendees’ signatures decision on the basis of the record use its own inspectors for conducting would cause headaches if attendees presented, including a record of inspections and audits. leave without signing. Also, many of decision and for intra-agency appeal of these requirements seem to prevent the the hearing officer’s decision before it G. Recordkeeping use of web-based training. With respect becomes final. Finally, a trade Comment: One commenter suggested to the drill and exercise provision, the association pointed out a typographical that the recordkeeping and reporting commenter believed that a error in proposed §§ 27.305(b) and requirements be strengthened for comprehensive list of participants is 27.310(a). process malfunctions or any attempted more challenging than it might appear, Response: The Department has terrorist attack; the need for emergency since drills and exercises frequently substantially revised the regulatory text response, safe shut down, evacuation involve persons in multiple locations. in Subpart C, which includes Orders, and decontamination procedures in case Finally, recording the name and adjudications, and appeals. The of an attack or malfunction be defined; qualifications of every maintenance Department directs commenters to the and effective training requirements for technician is overly burdensome and revised regulatory text in Subpart C, as workers in covered facilities be extremely difficult to document. well as summary of those changes in required. According to the commenter, this § II(B) Rule Provisions. In sum, the Response: Recordkeeping proposed requirement would lead to Department has included adjudicatory requirements under this new authority inadvertent non-compliance due to its procedures for a proceeding before a focus on security and will capture many inherent complexity. The commenter neutral hearing officer whereby facilities of the issues identified by the urged that the recordkeeping and others may be represented by commenter. Recordkeeping requirements, at most, track the MTSA counsel and may present evidence. The requirements regarding incidents under requirements (33 CFR § 105.225), which procedures provide that the burden of process safety, including shut down/ are less detailed and only require proof rests with the Assistant Secretary start up, are outside of the scope of this records to be maintained for two years. and that a record will be compiled for regulation. Response: Memorializing minimal an appeal within DHS. Comment: One commenter asked for information about training, drills, Comment: Several others provided guidance regarding what would exercise, and maintenance is important input on cessation orders. A local constitute a reportable ‘‘security for a facility to assist in the analysis and government agency indicated that an incident’’ or ‘‘suspicious incident.’’ The review of its security efforts, and DHS Order to Cease Operations likely would commenter noted that DOT has does not agree that these requirements be litigated immediately after issuance, provided helpful guidance for reporting are overly burdensome or excessive and questioned how non-compliance and recordkeeping under HM–232. given the potential risks in this sector. during the lengthy litigation period Response: The Department will The recordkeeping requirements would be remedied. Another commenter provide facility owners with guidance address specific issues that arise in recommended that DHS add a provision on these and other terms used in the chemical facilities, and a three year stating that it would not enforce an recordkeeping section. period is consistent with the anticipated order to cease operations within 30 days Comment: Another commenter audit and review cycle under this rule. of a final action, which would allow the suggested that § 27.250(a)(4) include a Comment: An industry association facility time to seek judicial review. An reference to NFPA 731, Standard for the argued that, in light of existing DOT industry commenter stated that DHS’s Installation of Electronic Premises requirements, no additional training and professional assessment that a chemical Security Systems (2006 edition), recordkeeping requirements are needed facility was in total violation of the Chapter 9, Testing and Inspections. The for battery transportation. Further, any security requirements should result in

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17713

an initial audit of what is required at rule. Of course, consultations are still actions during adjudications and that particular site to be in compliance. available pursuant to various provisions appeals, substantially address these If, after a reasonable time, the facility in the rule including § 27.120(b). comments. The adjudications and does not come into compliance, then In addition, DHS now expressly spells appeals sections provide that, absent DHS should consider temporary closure out new procedures for adjudications exigent circumstances, Orders are until compliance is attained. An and appeals. In particular, DHS has stayed pending the completion of association expressed concern that DHS added adjudicatory procedures for a proceedings. should consider whether a facility’s proceeding before a neutral hearing Comment: Another commenter products are critical to the economy, officer whereby facilities and others indicated that §§ 27.205(c)(1), chemical industry, or national security may be represented by counsel and may 27.220(b)(1), and 27.240(c)(1) (of the before imposing fines or issuing a notice present evidence. The procedures Advance Notice) cite ‘‘within 20 to cease operations. provide that the burden of proof rests calendar days’’ as the deadline for filing Response: As noted above, the with the Assistant Secretary and that a objections regarding the high risk Department has substantially revised record will be compiled for an appeal determination, risk-based tiering, and the regulatory text in Subpart C, which within DHS. The Secretary is expressly disapproval of site security plans. In includes the provisions on Orders, authorized to appoint individuals to contrast, §§ 27.215(c), 27.305(d), and adjudications, and appeals. Consistent serve as a neutral hearing officer. The 27.320(b)–(d) (of the Advance Notice) with the statement in the Advance Secretary and others retain their existing cite ‘‘within 30 calendar days’’ for Notice, the Department realizes that an authority to delegate duties and certain deadlines regarding notification, Order to Cease Operations would likely responsibilities. appeals, and payments of civil be litigated immediately after issuance. Comment: Another commenter penalties. The commenter believed that See 71 FR 78276, 78287. suggested that DHS revise the rule to having two different deadlines for provide some guidance and limitation I. Adjudications and Appeals various actions under the regulatory on the number of requests that a facility program is burdensome to both DHS Comment: While commenters will be permitted to make for additional and the regulated facilities, and generally supported the processes information and on the maximum extent requested that all ‘‘within 20 calendar proposed for objections and appeals, to which DHS will toll timeframes. One days’’ be amended to ‘‘within 30 some thought that DHS should commenter noted that although there is calendar days’’ to provide more strengthen and expand the objections authority for the Assistant Secretary to consistency within the Department’s and appeals provisions. Several ask the facility for more information, regulatory program. Another commenter commenters suggested that DHS include there is no mechanism for the facility to urged that an appeal must be filed additional provisions to the objections seek further explanation that is needed within 30 calendar days of when the and appeals sections. One commenter for purposes of arguing its objection. recommended that DHS revise the rule Response: The revisions of the order is issued should be changed to to include a full description of the procedures substantially address these within 30 calendar days of when the administrative review process, comments. The adjudications provisions order is served. See § 27.320(b) of the including the procedures to which all empower a hearing officer to make Advance Notice. parties and the adjudicating official decisions on the information to be Response: The Department’s revisions must adhere. Another commenter accepted into each hearing record. to the adjudications and appeals recommended that the Under Secretary Comment: Another commenter stated provisions substantially address these and the Deputy Secretary have the that, under the Advance Notice, a comments. The rule continues to permit authority to delegate their facility had the option of using the consultations but does not set hard and responsibilities as adjudicating officials. appeal procedure (instead of the fast time periods for such consultations. One commenter stated that the burden objection procedure) for challenging the See, e.g., § 27.120(b), § 27.240(b), and of proof should lie with DHS, not the disapproval of its SSP. The Advance § 27.245(b). With respect to the time order recipient, that recipients may be Notice stated that orders are stayed until periods for adjudications and appeals, represented by counsel, that the the administrative appeal is completed, the revised procedures provide that recipient is entitled to present evidence but the Advance Notice did not provide adjudications and appeals must be on its behalf, that there be an orderly specifically for the disapproval of a SSP commenced with stated time periods process for the hearing officer to make to be stayed pending the administrative after ‘‘notification.’’ See, e.g., a decision on the basis of the record appeal. The commenter suggested that § 27.310(b)(2) or § 27.345(b)(2). presented, including a record of DHS should make such a stay explicit. Comment: One commenter decision, and for intra-agency appeal of Another commenter argued that, recommended that the regulations the hearing officer’s decision before it because timelines are short, facilities provide specifically that DHS would becomes final. will be forced to complete the SVA and make available to the public non- Response: DHS has reorganized the SSP regardless of the outcome of the confidential summaries of adjudications and appeals procedures, appeal, thus rendering the appeals determinations on appeals. The as discussed in the summary of rule process moot. If a facility objects to a commenter also recommended that the provision changes to Subpart C. See determination, whether it is opposing regulations contain specific statements § II(B). Given that the rule already either the overall assessment of ‘‘high that objections and appeals may be provides consultation opportunities, risk’’ or the specific tier assignment, one submitted as CVI. coupled with the fact that the commenter recommended that DHS Response: The adjudication and Department has greatly modified its should issue a decision on objection appeal sections contemplate that the adjudications provisions, the before the facility is required to hearing officer or appeal officer will Department believes it is unnecessary to implement any additional measures— make the necessary decisions retain the objections provisions from the including both the SVA and SSP. concerning the handling of CVI. There Advance Notice (proposed §§ 27.205(c), Response: The addition of the factual is nothing in the procedure to prevent 27.220(b), and 27.240(c) and has thus adjudication procedure, with provisions a facility or other person from relying on removed them from the interim final on the effectiveness of administrative CVI.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17714 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

J. Information Protection: Chemical- displace or otherwise affect any In addition, some commenters terrorism Vulnerability Information provisions of Federal statutes, including requested provisions to protect (CVI) the Emergency Planning and whistleblowers by stating that no The Advance Notice identified a Community Right to Know Act, 42 criminal charges be associated with category of Chemical-terrorism U.S.C. 11001 et seq., or section 112(r) disclosing information marked as CVI in Vulnerability Information (CVI) and set and 114 of the Clean Air Act of 1990, manner complying with whistleblower forth rules governing the maintenance, as amended, 42 U.S.C. 7412(r), 7414, protections. safeguarding, and disclosure of sections 308 and 402 of the Clean Water Response: Under § 27.400(c)(3) of the information and records that constitute Act, 33 U.S.C. 1318, 1342, and section Advance Notice, ‘‘any person who CVI. 104(e)(7) of the Comprehensive * * * receives or gains access to what they know or should reasonably know 1. General Environmental Response, Compensation, and Liability Act, 42 constitutes CVI’’ is a ‘‘covered person’’ Comment: Several commenters U.S.C. 9604. and therefore has a duty to protect that maintained that the proposed rule We also believe that any potential CVI in the manner provided in undermined enforcement, gaps in a facility’s security will be § 27.400(d). This includes the duty to accountability, and the credibility of the addressed through the government’s promptly inform the Assistant Secretary program through excessive secrecy. One ‘‘when a covered person becomes aware of these commenters thought that the close involvement with chemical facilities as a result of this rule. that CVI has been released to persons proposed regulations pose a threat to without a need to know * * *.’’ See existing right-to-know laws, while 2. Disclosure of CVI § 27.400(d)(7). We expect that in the another stated that people might be well event DHS is so notified, it will notify Comment: While some of the aware of security gaps and the affected chemical facility. vulnerabilities at specific facilities, and commenters found the provisions to be To the extent DHS determines that it yet would have no official channel to inadequately protective of chemical is appropriate to use third-party communicate concerns to DHS. industry information, others found the auditors in the future for certain Response: As Congress recognized in disclosure rules to be too restrictive. A chemical facilities, the auditors will section 550(c), protecting CVI from few commenters urged the Department have a ‘‘need to know’’ under public disclosure is crucial to DHS’s to include language requiring § 27.400(e)(1)(i) as persons who ability to ensure that chemical facilities notifications to facilities in cases of CVI ‘‘require[ ] access to specific CVI to are as secure as possible against a disclosure to unauthorized parties. The carry out chemical security activities terrorist attack. CVI information may commenters noted that a facility has a * * * directed by the Department.’’ reveal, among other things, current need to know if sensitive information Moreover, under § 27.400(e)(3), DHS vulnerabilities or other details of a pertaining to its site has been or might retains the discretion to require that any chemical facility’s security capabilities have been disclosed. A commenter, individuals with a need to know, that could be exploited by terrorists. In concerned over how the CVI rules may including third-party auditors, complete addition, limited and controlled public affect third-party audits of security appropriate background checks before disclosure of CVI is essential to fostering measures and documents that may be obtaining access to CVI. We believe that the necessary relationship and submitted to the Department as these safeguards are sufficient to ensure information flow between the Alternative Security Plans, requested an that CVI is adequately protected from government and private sector. Indeed, interpretation of DHS’s approach. improper disclosure, even if it may be because the chemical security regime Taking the point further, another handled by third-party auditors. relies to an extent in the first instance commenter did not believe it was in a Section 27.400(b) of the Advance on the veracity and completeness of the company’s best interest to provide Notice, which defines CVI, currently is information provided by chemical copies of CVI to outside parties, as ambiguous as to whether it includes facilities, it is of the utmost importance currently allowed under the proposed information conveyed verbally as well that those facilities are comfortable that rule. The commenter would prefer the as in written form. DHS believes that such information—which may include proposed rule be amended to require concerns over public disclosure of CVI proprietary information—will not be CVI be made readily available to are the same regardless of the manner in unduly exposed to public view. authorized Department representatives which the information is conveyed. In crafting the Advance Notice, DHS only when they conduct on-site visits. Accordingly, we have amended this attempted to balance these concerns One commenter encouraged the section to read as follows: ‘‘In with the desire to enhance information Department to adopt non-disclosure accordance with section 550(c) of the sharing, as appropriate. We believe that protections for verbally transmitted or Department of Homeland Security the rule adequately does this by obtained CVI. The commenter noted Appropriations Act of 2007, the ensuring that any entities or individuals that information sharing among a following information, whether with a ‘‘need to know,’’ including covered facility and authorized transmitted verbally, electronically, or appropriate State and local officials, individuals may require verbal in written form, shall constitute CVI.’’ will have access to the necessary CVI, communication as much as it will We believe that § 27.400(j) gives the while, at the same time, and consistent require written communication. To Department broad latitude to craft a with congressional intent, protecting further protect against disclosure, some civil remedy sufficient to deter the CVI from public disclosure that would commenters believed that proposed unauthorized disclosure of CVI. The IFR undermine the government’s ability to § 27.400(j) should be enhanced so that it does not provide for any criminal ensure the security of chemical has a meaningful deterrent effect and penalties for disclosure of CVI. facilities. establishes consequences that reflect the To the extent that this approach seriousness of the violation. The 3. Scope of CVI conflicts with existing state ‘‘right to commenter suggested that the Comment: A number of commenters know’’ or ‘‘sunshine’’ laws, we believe Department adopt administrative expressed concern regarding the scope that such laws are preempted by this penalties similar to those outlined by 6 of CVI. The commenters wanted the IFR. At this time, we do not intend to CFR 29.9(d). interim final rule to declare that

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17715

information developed under other Two commenters recommended that In drafting the rule, the Department requirements of law or regulation the interim final rule clarify that CVI did not intend for its restrictions on cannot be designated as CVI under this protections would be in addition to any public disclosure to displace separate program. Similarly, a commenter other applicable bases for nondisclosure and additional statutory restrictions on suggested that DHS narrow the scope of of information under the Freedom of the public disclosure of confidential CVI by removing from the rule Information Act (FOIA), such as the business information. § 27.400(b)(9), which defines CVI to Trade Secrets Act and its protections are The terms and structure of Section include ‘‘[a]ny other information that for confidential business information. 550 clearly preclude public disclosure the Secretary, in his discretion, Another commenter noted the provision of CVI. For this reason, it is the determines warrants the protections set gives the Department discretion to Department’s view that CVI, like SSI forth in this part.’’ refuse release of part of a record under and PCII, is exempt from FOIA Response: As outlined in the Advance FOIA that contains no CVI, when disclosure under Exemption 3 of FOIA. Notice, the Department intends CVI to another part of the same document See 5 U.S.C. 552(b)(3). Exemption 3 include only that information developed contains CVI. The commenter suggests provides, in part, that information is and/or submitted pursuant to Section that this proposal is at odds with exempt from disclosure by operation of 550(c). Accordingly, any information longstanding FOIA mandates and another statute, provided that such resulting from other statutory regimes is practice. Furthermore, the commenter statute either: ‘‘(A) requires that the not considered CVI. The Department noted that, if a portion of a requested matters be withheld from the public in believes, however, that the Secretary record contains no CVI and is such a manner as to leave no discretion must retain the discretion provided in reasonably segregable from other parts on the issue; or (B) * * * provided that § 27.400(b)(9). As the Department and of the record that do, there is no such statute refers to particular types of private sector gain more experience authority or justification for matters to be withheld.’’ Id. Section with the chemical security regime set withholding that CVI-free portion unless 550(c) provides in relevant part that forth herein, the Department may some other FOIA exemption or ‘‘information developed under this determine that other types of exclusion applies. section, including vulnerability information, not covered in the current Response: It is the Department’s view assessments, site security plans, and definition of CVI, require similar that the language of Section 550(c) calls other security related information, protection. Section 27.400(b)(9) is also for a unique information protection records, and documents, shall be given necessary to cover any unique or novel regime. As stated in the preamble of the protections from public disclosure information that the Department may Advance Notice, in creating CVI, the consistent with similar information deem, on a case-by-case basis, requires Department looked to and drew on developed by chemical facilities subject protection from public disclosure. various aspects of those information to regulation under section 70103 of protection regimes currently in title 46 [the Maritime Transportation 4. Relation of CVI to Other Categories of existence, including, SSI, PCII and SGI. Security Act (MTSA)] * * *.’’ MTSA Protected Information and FOIA Moreover, as the Advance notice makes states that ‘‘information developed Comment: Some commenters were clear, the Department intended CVI to under this chapter is not required to be confused by the different categories of track the existing SSI regime in certain disclosed to the public.’’ 46 U.S.C. protected information. One commenter respects and indeed, borrowed 70103. Under this language, it is stated that the proposed regulations are somewhat from that regime’s structure conceivable that the government has not sufficiently clear on the relationship and provisions (e.g., requiring a ‘‘need discretion to release information to the of CVI to SSI and other relevant to know,’’ storage in a secure container, public. See Church of Scientology of methods of information protection. The etc.) None of these regimes, however, is Calif. v. U.S. Postal Serv., 633 F.2d commenter indicated that the interim sufficient to accommodate the 1327, 1330 (9th Cir. 1980). As stated in final rule should clarify how these protections Congress called for in the Advance Notice, however, information protection regimes will Section 550(c), most notably, that any ‘‘information developed’’ under MTSA relate to each other. A few commenters information developed pursuant to is treated as SSI and, unlike MTSA, the believed that the creation of the new Section 550(c) be treated as classified statute governing SSI (49 U.S.C. 114(s)) CVI category of information protection information in the course of states that the government ‘‘shall is redundant and unnecessary given that enforcement proceedings. For this and prescribe regulations prohibiting the current protections, such as SSI, are other reasons, the Department disclosure of information ***.’’ adequate options for the Department to developed CVI, which is separate and (Emphasis added.) This language has implement the statutory restrictions. distinct from SSI, PCII, SGI or any other been interpreted as constituting the One commenter noted that the pre-existing information protection ‘‘absolute’’ prohibition required to ‘‘Safeguards’’ classification for the regime. invoke the exception of Subsection (A). Nuclear Sector seems to parallel the Section 550(c) pertains only to See Chowdhury v. Northwest Airlines proposed ‘‘CVI’’ classification for the chemical facilities and thus this rule Corp., 226 F.R.D. 608, 611 (N.D. Cal. Chemical Sector. The commenter does not speak to the handling of other 2004). questioned whether the Department is critical infrastructure sectors. That said, To the extent that there is some considering inventing new security the Department does not take the ambiguity as to which statute should classifications for each of the 15 Critical creation of a new information protection govern for purposes of an Exemption 3 Infrastructure Protection Sectors. The regime lightly, especially in light of the analysis, it is our view that the SSI commenter would prefer that the President’s Memorandum for Heads of statute most accurately reflects Department develop a new Category of Executive Departments and Agencies of Congress’s intent in section 550(c) and Information Classification for all 17 December 16, 2005, entitled ‘‘Guidelines that, therefore, CVI should be exempt sectors for security-specific or security- and Requirements in Support of the from FOIA disclosure under subsection related information that are, at a Information Sharing Environment.’’ (A) of Exemption 3. Nevertheless, we minimum, the same as those for the Absent express direction from Congress, need not resolve the issue at this time current ‘‘Safeguards’’ classification as in Section 550(c), the Department is because it is also our view that the program. reluctant to create additional regimes. language of section 550(c), which

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17716 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

provides meaningful limits on the is provided to California local agencies recommended, or directed by the universe of information subject to may be subject to the California Public Department.’’ Yet because many withholding, is sufficient to justify Records Act, which if true, means that commenters have requested clarification withholding CVI from FOIA disclosure CVI in California may not be protected. on this point, the Department amends under subsection (B) of Exemption 3. Cf. A commenter recommended that the the § 27.400(e)(1) to read as follows: ‘‘A Fin. Corp. v. Donovan, 830 F.2d 1132, Department develop a method to share person, including a State or local 1138 (D.C. Cir. 1989) (holding provision certain information with the public, official, has a need to know CVI in each of Trade Secrets Act failed to qualify for such as whether a facility is in of the following circumstances. * * * ’’ subsection (B) exemption because of compliance with the security program, As stated above, to the extent any ‘‘exceedingly broad,’’ ‘‘oceanic,’’ and because the people who live in close state law requires the public disclosure ‘‘encyclopedic’’ quality of the Act). The proximity to a chemical facility deserve of information that is deemed CVI, it is Department believes that it adequately to know. The commenter recommended the Department’s view that such laws expresses this conclusion in the disclosure of the Letters of Approval are preempted by this rule. § 27.400(g)(1), which states that: issued upon completion of a site At this time the Department does not ‘‘Except as otherwise provided in this inspection and audit. The Letters of intend to provide a means of notifying section, and notwithstanding the Approval could be stripped of any the public about local chemical Freedom of Information Act (5 U.S.C. sensitive information, but still provide facilities. We will continue to consider 552), the Privacy Act (5 U.S.C. 552a), some assurance that facilities are this issue as the program progresses, and other laws, records containing CVI complying with security requirements. however, and issue a subsequent notice are not available for public inspection or Finally, other commenters stated that if necessary. copying, nor does DHS release such the interim final rule should make clear This rule does not attempt to displace records without a need to know.’’ that DHS is not authorized to withhold or create any new law concerning the (Emphasis added.) Moreover, even if information from either House of Department’s ability to withhold FOIA did apply to CVI, we believe that Congress, or, to the extent of matter information from Congress. it would be exempt from disclosure, within its jurisdiction, any committee or 6. Litigation inter alia, as ‘‘homeland security subcommittee of Congress. information’’ under FOIA Exemption 2. Response: Congress clearly intended Comment: With respect to availability See 5 U.S.C. 552(b)(2). that CVI would be shared with State and of CVI during litigation, some The commenters’ concern that, if a local officials, including law commenters supported the preamble document is portion marked to signify enforcement officials and first statement that, in enforcement cases, the both CVI and non-CVI, the Department responders, in appropriate cases. defendant and its counsel would have intends to withhold the entire document Section 550(c) states that ‘‘this access to relevant CVI to enable them to under FOIA, is not supported by the subsection does not prohibit the sharing prepare a full defense. Another Advance Notice. Section 27.400(g)(2) of such information, as the Secretary commenter supported the Department’s states to the contrary that: ‘‘If a record deems appropriate, with State and local proposal to prohibit the disclosure of is marked to signify both CVI and government officials possessing the CVI in civil litigation unrelated to information that is not CVI, DHS, on a necessary security clearances, including Section 550 enforcement. Yet another proper Freedom of Information Act law enforcement officials and first commenter stated that, according to the request, may disclose the record with responders, for the purpose of carrying proposed rule, information on routine the CVI redacted, provided the record is out this section, provided that such chemicals used and produced in not otherwise exempt under the information may not be disclosed processes would be treated as CVI, and Freedom of Information Act or Privacy pursuant to any State or local law.’’ And thus disclosed in litigation only in Act.’’ The use of ‘‘may’’ in this context the Department made clear in the extraordinary circumstances. The was intended as permissive, assuming preamble to the Advance Notice that commenter noted that, because personal such disclosure is otherwise ‘‘[t]he Secretary shall administer this injury and workers’ compensation appropriate. Section consistent with section 550, claims are the consequences of handling including appropriate sharing with State many toxic substances, this provision 5. Sharing CVI With State and Local and local officials, law enforcement would appear to bring these actions to Officials, the Public, and Congress officials, and first responders.’’ See 71 an absolute halt, since these cases Comment: Several comments sought FR 78276, 78289. Furthermore, the cannot be prosecuted without precise greater access to CVI. Commenters importance of sharing CVI with knowledge of the toxic substances at stated that the Department should share appropriate State and local officials is issue. Finally, a commenter cautioned CVI with State and local officials. reflected in the structure of the rule. For the Department to limit those provisions Others noted that the definitions of example, it is expected that chemical governing disclosure in civil or criminal ‘‘covered persons’’ and ‘‘need-to-know’’ facilities will coordinate extensively litigation to the authority delegated to were overly narrow and heightened with state and local officials—including the Department. The commenter saw their concern that the Department the sharing of relevant CVI—in the nothing in the statute delegating the would not provide information to State course of completing the SSPs required authority to issue binding regulations to and local officials. One commenter under § 27.225. It is the Department’s govern a judicial proceeding. The noted that, to the extent information is view, therefore, that the language in the commenter did think it helpful for the shared directly with State or local rule is sufficiently broad to accomplish Department to publish regulations that officials, DHS should enter into this task. For example, we believe that express its own policies and agreements with them to ensure that State and local officials, including law interpretations, thereby affording others CVI is sufficiently protected. Other enforcement officials and emergency guidance as to what the Department’s commenters agreed that the Department responders, fall within § 27.400(e)(1)(i)’s preferred practices will be when should impose strict controls for the use definition of those with a need to know litigation arises. of any facility-specific information by because they will require access to CVI Response: As stated above, Section States and local governments. A to ‘‘carry out chemical facility security 550(c) requires CVI to be treated as commenter stated that information that activities approved, accepted, funded, classified information in the context of

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17717

any enforcement proceedings. This Response: The Department believes was called for and another added that novel mandate reflects the seriousness that the protective measures required by the interim final rule should specify a with which Congress viewed the §§ 27.400(d) and (f) are sufficient to reasonable time period for a decision to protection of CVI from unnecessary adequately protect CVI. be rendered and for the decision to constitute a final administrative disclosure in administrative or judicial K. Preemption enforcement proceedings and, by decision so that judicial relief could be extension, any civil litigation unrelated Comment: Section 27.405(a) of the sought. One association stated that the to Section 550. The Department Advance Notice proposed to preempt preemption decision process and approach balances this concern with the State and local laws, rules, and court appeals procedures did not include need for individuals to have access to decisions that conflict with, hinder, State government, thereby excluding the certain CVI, as appropriate, to defend pose an obstacle to, or frustrate the parties whose laws, rules, and public themselves in enforcement proceedings. regulation. Several chemical companies interests are most affected. The That said, it is not clear that the type and associations endorsed the proposed commenter proposed including a of information involved in a worker’s preemption of State and local mandatory consultation process compensation or tort claim would regulations because they believe that between the State and the facility before necessarily constitute CVI. The mere national risk-based, performance the DHS appeal, a joint hearing reference to a type of chemical may not standards could be undercut by opportunity with the facility and State readily fit into one of the categories of specification standards imposed by the before DHS, a written decision, and States. These commenters expressed the information under §§ 27.400(b)(1)–(9). State access to a judicial appeal for an concern that companies with multi-state However, even if it did, under adverse decision. operations could be subject to a § 27.400(i)(6), the Secretary retains the Response: Please see the section confusing array of State programs. One discretion to release CVI in such below entitled ‘‘Executive Order: 13132: commenter argued that varying State proceedings. Federalism’’ for a response to these regulations also provide varying levels As explained in the preamble to the comments and a discussion of of protection, which the commenter did preemption. Advance Notice, Section 550(c) states not think was Congress’s intent. Other generally that CVI shall be treated as commenters noted that Maritime L. Implementation of the Rule ‘‘classified material’’ in the context of Transportation Security Act (MTSA), Comment: The preamble stated that any enforcement proceedings. Congress which applies to facilities located on did not specify, though, whether the DHS is considering a phased waterways, including chemical implementation of the program. Several Department should look to the rules facilities, contains an express governing classified material in civil industry commenters and a State agency preemption provision. supported phased implementation litigation or criminal litigation. The An equal number of comments from Department chose to mirror in large part because they agreed that DHS should advocacy groups, State agencies, and take action on the most critical facilities the handling of classified material in Members of Congress opposed the civil litigation under 18 U.S.C. 2339B. It first. One commenter warned that Department’s position on preemption. problems and issues should be remains the Department’s view that this These commenters cited the lack of is a reasoned approach to effectuating addressed prior to implementation, and express language in Section 550 and the another commenter requested that DHS Congress’s intent. legislative history to support their define what tiers apply to which phases. position that Congress did not intend to 7. Protection of CVI Two members of Congress asked DHS to grant DHS express or implied authority clarify implementation for high-risk Comment: Other comments sought to preempt State laws and regulations. facilities beyond Phase I. technical changes to make the rule more A few commenters referred to a body of Response: The Department will secure or user-friendly including: case law indicating a ‘‘presumption immediately and quickly address the Prohibiting the transmission of CVI against preemption.’’ Other highest risk facilities. At the same time, using electronic systems unless DHS is commenters, including Members of the Department will reach out to a able to provide Military Grade/Quality Congress, suggested Congress intended broader class of facilities, (numbering in Encryption Devices/Systems to the to resolve the issue of preemption in the many thousands), to gather private sector or provide access to future chemical facility security information necessary for the government locations where this legislation. Commenters also urged DHS Department to make risk-based tiering equipment is available for private sector to delete § 27.405 and allow the courts decisions. use; extending the safeguards that the to determine the preemptive effect of CVI provisions require in proposed the Department’s chemical facility M. Other Issues § 27.400(d)(1) concerning ‘‘secure regulations. 1. Whistleblower Protection container[s], such as a safe,’’ to A few commenters were concerned establishing secure databases; modifying that the language in § 27.405 was so Comment: Many commenters thought requirements for marking every page of broad that it might be construed to that this regulation should provide a CVI document with the words preempt State health, safety, and ‘‘whistleblower protection.’’ They ‘‘CHEMICAL-TERRORISM environmental regulations. Similarly, explained that the regulation should VULNERABILITY INFORMATION’’ and one State requested that DHS modify the protect employees that provide a lengthy warning statement; allowing final provision to avoid any inadvertent information on a facility’s security and facilities to mark only those pages of a preemption of Federal, State, or local safety from employer retaliation. document containing the CVI and the health, safety, and environmental Commenters suggested that workers are warning statement only be provided regulations. on the front lines, and therefore in the once per record, with per page reference A few comments were directed at the best position to participate in the to it as needed; indicating DHS’s appeals procedures for preemption development of Security Vulnerability intention to destroy, return, or permit decisions. One commenter disagreed Assessments and Site Security Plans. reclassification of Top-Screen data with the lack of benchmarks that DHS Commenters suggested that DHS create pursuant to proposed § 27.400(k). would use to determine if preemption a system which would allow

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17718 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

individuals to report vulnerabilities, In contrast, other commenters rejected and TSA), the Federal Bureau of shortcomings, and failures without the the use of any IST requirements. Some Investigation (FBI), the Bureau of fear of retaliation from the company. argued that inherently safer Alcohol, Tobacco, Firearms, & Commenters requested that DHS change technologies are an environmental Explosives (ATF), the Departments of regulatory text to provide whistleblower construct and should not be implicitly State, Commerce, and Transportation protection to employees, with some or explicitly required for security. One (including its modal administrations), suggesting that DHS should include the association expressed concern that EPA, and OSHA. Other commenters protections found in H.R. 5695 and S. requirements for safer technologies encouraged DHS to build upon the 2145. could shift rather than reduce risk and/ existing EPCRA and the Risk Response: Section 550 did not give or limit the production of certain Management Program (RMP) regulatory DHS authority to provide whistleblower chemicals. In addition, some programs, because of their proven protection, and so DHS has not commenters urged DHS to avoid records of success and the important incorporated specific whistleblower including any ‘‘pseudo-IST mandates’’ health, safety, and environmental protections into this regulation. The in the rule; the commenter thought that purposes that they serve. Department does, however, value frank DHS had inadvertently done so. One commenter noted that DOT has information concerning security Response: Section 550 prohibits the security plan requirements in 49 CFR vulnerabilities. Employees with daily Department from disapproving a site Part 172, Subpart I and that several of involvement at high-risk facilities can security plan ‘‘based on the presence or the DHS performance standards overlap certainly be a valuable source of absence of a particular security with the DOT security plan information. In the interest of providing measure,’’ including inherently safer requirements. One commenter asserted some mechanism for employees to alert technologies. See Section 550(a). Even that the proposal in the Advance Notice the Department about information at so, covered chemical facilities are attempted to cover up knowledge of their employer’s chemical facility, the certainly free to consider IST options, toxic dangers by potentially ‘‘gutting the and their use may reduce risk and worker and public right-to-know Department intends to establish a regulatory burdens. provisions’’ of existing Federal and telephone line through which State laws, including the Occupational individuals can submit security 3. Delegation of Responsibility Safety and Health Act and the concerns to the Department. The Comment: Another commenter Emergency Planning and Community Department will provide callers with strongly recommended that DHS Right-to-Know Act (EPCRA). In the option of remaining anonymous. consider delegating oversight addition, some of these commenters 2. Inherently Safer Technology responsibility to State governments, were concerned that preemption and along with appropriate levels of Federal CVI classification will restrict Comment: The Department received funding to support homeland security information flow and access currently numerous comments on the issue of efforts. Interested states could petition available through these Federal inherently safer technologies (IST) DHS, and DHS would grant delegated regulatory programs. options. Several commenters, including authority on a discretionary basis. The Several commenters expressed advocacy groups, unions, academics, commenter suggested that DHS could concern that, although DHS intends that State agencies, and other officials, retain oversight authority, but would this rule not affect other laws regulating strongly encouraged DHS to consider delegate programmatic responsibility manufacture, sale, use, and disposal of safer technologies as well as physical and commit resources to authorized chemicals, it is unclear how the DHS countermeasures. A few commenters, States. The commenter likened the security planning and enforcement can including members of Congress, arrangement to the one that the EPA avoid impacting the environmental, suggested that the Department should uses to handle air and water regulations occupational, trade, and other rules address the use of ISTs, even though and the one that the Nuclear Regulatory already regulating the same facilities. Section 550 was silent on the issue. Commission runs with its ‘‘Agreement Potential conflicts also affect first Many of these commenters urged DHS State’’ program. Another State agency responders. Since past conflicts over to include provisions in the rule that commenter noted that California has authority have tended to diminish would encourage chemical facilities to promulgated a successful chemical program effectiveness, the commenter consider implementing safer processes safety program built on partnering State wonders how such conflicts can be and using safer chemicals as a method and local regulatory interests with avoided. Solutions offered by to improve site security through the chemical industry hazard mitigation commenters include a more explicit reduction of risk. They suggested that activities. statement on conflict resolution in the DHS require chemical companies to Response: The Department has final rules, an inter-agency coordination analyze and report on safer technologies contemplated the issue of delegating process to resolve conflicts, or in their Site Security Plans. These authority to State governments, and has memoranda of agreement with agencies commenters asserted that substituting decided not to do so. If the Department having concurrent authority. safer chemicals, processes, practices, or reconsiders the issue in the future, it Response: The Department is aware technologies not only contributes to will provide notice of any such that potential overlap exists between severity (i.e., can minimize the decision. this rule and existing Federal rules and consequences associated with an programs. In the Advance Notice, the accident at or attack on a chemical 4. Interaction With Other Federal Rules Department acknowledged that overlap facility), but has the potential to greatly and Programs and included an extensive discussion of minimize the physical security costs a Comment: Many commenters pointed existing and proposed Federal programs chemical facility would otherwise have out potential overlap between this rule that are related to chemical security. See to assume. Other commenters pointed and other Federal agency rules. As one § I of the Advance Notice, ‘‘Brief History out that ISTs are the best tools available commenter stated, many Federal of Federal Pre-Existing Chemical to completely mitigate facility agencies have some involvement in Security Tools and Programs.’’ vulnerabilities and safeguard chemical facility security, including Section 550 provides that ‘‘[n]othing communities. DHS (including the U.S. Coast Guard in this section shall be construed to

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00032 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17719

supersede, amend, alter, or affect any causes of actions (such as review normal recourse of the U.S. legal Federal law that regulates the pursuant to the Administrative system.’’ manufacture, distribution in commerce, Procedure Act). Response: In § 27.410 of the Advance use, sale, other treatment, or disposal of Members of Congress also challenged Notice, the Department set out two chemical substances or mixtures.’’ In the broad scope of DHS’s position on principles: (1) the chemical security the Advance Notice, after third-party suits, because it would block regulations did not on their own terms acknowledging that the ATF regulates basic challenges to DHS under the create any additional rights of action for the purchase, possession, storage, and Administrative Procedure Act. The any person other than the Secretary; and transportation of explosives, the commenters believed that § 27.410(a) (2) relevant parties may seek a statement Department indicated that it did not was an unnecessary limitation on from the Department of its views in any intend for these regulations to interfere private rights of action. One Member of litigation involving the chemical with ATF’s current authorities. See 71 Congress explained that Congress security regulatory program. The FR 78276, 78290. Likewise, the intended to limit the provision to Department has decided to adopt these Department does not intend for these citizen suits against chemical facilities provisions as proposed in the Advance regulations to impede the authorities of for failure to comply with the Notice. other Federal agencies. With respect to Department’s chemical security rules. In the preamble to the Advance this regulatory program, DHS will work One commenter strongly supported Notice, the Department also stated its closely with the Department of Energy, the Department’s discussion of the view that Section 550(d) prohibits any EPA, OSHA, ATF and other federal prohibition of private rights of action to party other than the Secretary from agencies. Where there is concurrent enforce the provisions of Section 550. enforcing the provisions of Section 550. jurisdiction, the Department will work The commenter believed that the The Department also stated its view that closely with other Federal agencies to availability of enforcement actions Section 550(d) prohibits actions brought ensure that regulated facilities can should be limited to avoid unnecessary to compel the Department to take a comply with applicable regulations and potentially frivolous lawsuits that specific action to enforce Section 550. while minimizing any duplication. As attempt to enforce chemical facility Although the Department does not find the program develops, the Department security requirements that are outside it necessary to codify these views in the will consider the necessity of various the reach of the government’s authority. Code of Federal Regulations, they formalized arrangements, such as an Some commenters supported the DHS remain the views of the Department inter-agency coordination process, to provision because they believed that after considering the comments resolve jurisdictional questions or third party actions should be limited received. In Section 550(d), Congress conflicts. and that the Department should have provided in clear terms its intent to the sole discretion of when and how to prevent parties other than the Secretary 5. Third-Party Actions enforce these regulations. One from making enforcement decisions Comment: Several commenters commenter stated that neither DHS nor under Section 550. This intent would be supported the Advance Notice regulated chemical facilities should be thwarted if parties could seek indirectly discussion of the statutory prohibition distracted from their purpose of to have particular enforcement measures against third party actions to enforce minimizing the possibility of a taken by bringing suit against the any provision of the chemical security catastrophic terrorist incident by Department. Such suits would also pose rules. See § 27.410 and Section 550(d). concerns about how their actions difficulties involving the information A State commenter wrote that the implementing Section 550 might be protections of Section 550 and its prohibition might be construed to used in private tort litigation. One implementing regulations. In short, the prevent State actions against the industry organization supported terms and structure of Section 550 Department to enforce the regulations, a § 27.410(b), which allows a chemical provide the Secretary with critical position that the commenter believed to facility to petition DHS to provide ‘‘the discretion in implementing the be contrary to congressional intent. The Department’s view in any litigation chemical security program. It would be commenter agreed that the statutory involving any issues or matters inappropriate to curtail that discretion language would bar a State from taking regarding this Part.’’ The commenter through lawsuits. See generally Norton enforcement action against an owner or noted that DHS is in a unique position, v. Southern Utah Wilderness Alliance, operator for violation of these in light of its Section 550 authorities 542 U.S. 55 (2004). regulations, but it saw no support in the and expertise, to provide its views 6. Judicial Review statute to bar State action against the regarding a chemical facility’s security Department (or other non-owners or efforts. Comment: Several commenters, non-operators). According to the A labor union expressed concern that including Members of Congress, urged commenter, this interpretation exceeds § 27.410(a) grants immunity to chemical DHS to incorporate the right to judicial the scope of Section 550 and is therefore facilities from actions by third parties to review in the interim final rule and an unnecessary limitation on private enforce any provisions of the rule. The clarify the judicial remedies available. rights of action. Commenters asserted labor union thought that it may act as One commenter mentioned that the that a plain reading of Section 550 an open invitation to chemical facilities right to judicial review was expressly indicates that Congress limited judicial to disregard provisions in the rules or in stated in prior legislative proposals. review in only two ways: (1) By security plans that are meant to protect Another commenter believed that the prohibiting Section 550 from being maritime activities from unduly District Courts have jurisdiction to asserted as a jurisdictional basis for a burdensome or improper application of consider whether a facility presents a cause of action; and (2) by providing security procedures. The labor union ‘‘high level of security risk.’’ Other that only the Secretary of Homeland explained that ‘‘[w]here damages are commenters discussed judicial review Security has the right to bring incurred by maritime-related businesses in the context of preemption, urging the enforcement actions against ‘‘owners or mariners as a result of improper Department to provide facilities with and operators.’’ The commenters said action of chemical facilities under color the opportunity for judicial review of they do not believe that Congress of enforcing their security plans, the Departmental decisions pursuant to intended to prohibit other statutory injured parties should not be denied the § 27.405. Finally, one commenter

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17720 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

recommended that the rule provide that mandating any particular measures that Comment: One commenter supported if the adjudicating official fails to reach facilities should use. Commenters the position that continued funding of a decision within the timeframes recommended that DHS follow the OMB this program would, in effect, provided by the proposed rule, then the Bulletin entitled ‘‘Agency Good reauthorize the program beyond the administrative review process is Guidance Practices,’’ which establishes three years noted in the statute and that deemed completed and all policies and procedures for the DHS may amend the interim final rule administrative remedies exhausted, so development, issuance, and use of if necessary. Another commenter did as to afford the facility the ability to significant guidance documents by not support this position and stated that challenge the Department’s decision in Executive Branch departments and the statute was clear that the regulatory a District Court. agencies. authority expires after three years. That Response: The Department does not Response: DHS believes that guidance commenter also urged the Department have authority to create jurisdiction in will play an important role in this to engage in notice and comment the district courts for review of regulatory program. The Department’s rulemaking for any future modifications Department decisions. Jurisdiction is guidance will provide examples of to the interim final rule. created by provisions of law other than specific measures that facilities may use Response: The Department will, to the these regulations. Nor does the to address the performance standards in extent required by law, engage in notice Department have authority to create the rule. Because this rule is based on and comment rulemaking in the event specific judicial remedies through performance standards and not on that changes are made to this interim rulemaking. Decision-making authority prescriptive measures, guidance is final rule. with respect to preemption is discussed particularly important. The guidance Comment: Commenters suggested a below in the portion of this preamble will aid in informing the regulated process by which facilities can exit the related to Federalism. As discussed community of ways to satisfy the program if they make sufficient changes there, courts have the ability in performance standards without to their operations. In addition, a appropriate contexts to review the imposing additional requirements not chemical company and an industry Department’s opinions as they relate to found in these regulations. association questioned how the results from vulnerability assessments could be preemption. This interim final rule does The Department will designate the used to allow a facility to exit the not augment the administrative law guidance document as CVI. The default principles that govern program. guidance document will contain Response: To address the issue of appropriate action if the Department specific anti-terrorism measures does not make decisions in the exiting the program, the Department designed to mitigate or prevent terrorist timeframes specified in this interim added § 27.120(d). It provides that attacks, as well as other sensitive final rule. covered facilities may request a information. This type of information is consultation with the Department if 7. Guidance and Technical Assistance not appropriate for public disclosure their facility, processes, or types or Comment: Some industry commenters under Section 550 and the regulations quantities of chemicals change in such noted that guidance, information, and issued hereunder. a way that they believe their obligations education were essential for the success With respect to comments regarding under this part may be impacted. For a of the program. A chemical company OMB’s Bulletin on Agency Good discussion of this provision, see § II(B) commented that facilities should have Guidance Practices, the Department above. the opportunity to review and comment notes that it will apply the Bulletin as Comment: Various commenters raised on any guidance provided to them by appropriate. issues related to data security, DHS. Several industry associations Comment: The availability of specifically in the context of the made the same comment and stated the technical assistance to facilities not Department’s web-based CSAT need for guidance to provide direction placed in the top tier was requested by applications. One commenter thought and advice but not to become either an industry association. that DHS should be able to provide enforceable or limiting in the security Response: Technical assistance will Military Grade/Quality Encryption measures that a facility may employ. be available for all covered facilities as Devices/Systems for the private sector to One commenter suggested that there resources permit. Section 27.120 use to submit information. Until that be sufficient time to respond to the establishes requirements for a time, the commenter requested that DHS guidance prior to developing a security Coordinating Official who will provide receive information only in paper form plan. Commenters suggested that DHS guidance to facilities in all tiers, as or discs produced on stand-alone draft guidance on aspects of the necessary and to the extent that computers. regulation and that such guidance be as resources permit. Response: DHS recognizes the data detailed and specific as possible. 8. Miscellaneous Comments security issues that commenters have One commenter believed that, while raised. DHS realizes that there is a risk, agency guidance is procedurally easier Comment: One commenter both on the sending of information and to issue because agencies typically issue recommended that DHS engage and the receiving of information, when it without notice and comment, due work with Congress to enact a more transmitting data over the Internet. DHS process, or other protections afforded by comprehensive and meaningful has weighed the risk to the data rulemaking under the Administrative chemical security law as soon as collection approach against the risk of Procedure Act, this ‘‘pseudo- possible, and under no circumstances collecting the data through paper rulemaking’’ can be referenced in beyond the three year expiration of submissions and concluded that the enforcement actions, imposing cost interim authority. web-based approach was the best. burdens, or creating other compliance Response: The Department has DHS is concerned about data security liabilities. Another commenter aggressively sought this authority, and and has taken a number of steps to appreciated the fact that the guidance on October 4, 2006, Congress provided protect both the data that will be would specify the security measures that authority. The Department will collected through the CSAT program that facilities could take to meet the continue to work with Congress on and the process of collection. The proposed standards while not chemical security matters. security of the data has been the system

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17721

designers’ number one priority. The site extent to which any given type of Response: In the Advance Notice, that the Department will use to collect employee may be able to contribute. DHS did not attempt to estimate the full submissions is equipped with hardware Comment: A commenter noted that a cost of complying with the regulation. encryption that requires Transport Layer strong enforcement program is essential. Instead, DHS placed in the docket a Security (TLS), as mandated by the Response: The Department agrees stand-alone document titled ‘‘Capital latest Federal Information Processing with the commenter and will vigorously Cost Information for Public Comment,’’ Standard (FIPS). The encryption devices enforce these regulations. which provides specific cost estimates have full Common Criteria Evaluation Comment: A few commenters sought for a potential suite of capital security and Validation Scheme (CCEVS) immediate phased-in implementation of investments, such as fences and certifications. CCEVS is the a national re-routing and a ban on toxic perimeter lighting. DHS fully implementation of the partnership by inhalation (TIH) storage wherever understands that, in addition to capital between the National Security Agency feasible. Although the commenters costs, facilities may also incur non- and the National Institute of Standards stated that re-routing is the first and capital costs, including the costs of (NIST) to certify security hardware and fastest step in eliminating catastrophic additional personnel (e.g., security software. vulnerabilities in the chemical sector, guards) and the costs of preparing Upon completing any part of the the commenters thought it should assessments and plans. The costs that CSAT (whether the Top-Screen, ideally be done in tandem with the use DHS has estimated for compliance with Security Vulnerability Assessment, or of safe technology, which could in turn the interim final rule do indeed include Site Security Plan), the facility will click eliminate ultra-hazardous substances in both the capital costs and non-capital a ‘‘submit’’ button, which calls a routine our rail system. costs. DHS also notes that while a few to encrypt the data on the server using Response: These comments are commenters thought the costs DHS a one way key. Properly-executed public beyond the scope of this rulemaking, presented were too low, commenters key encrypted data is very secure, and which addresses chemical facility anti- did not generally provide specific the implementation that DHS has used terrorism standards. However, DHS information regarding which costs may complies with the NIST 800–57 points out that there are current DHS have been too low or additional requirements for security. The key to and other Federal initiatives to address information that would have assisted decrypt the data does not exist outside materials that are toxic by inhalation. the Department in reconsidering the of facilities that are isolated from the On December 21, 2006, TSA issued a costs presented with the Advance public internet. The key is connected Notice of Proposed Rulemaking on Rail Notice. Consequently, while DHS did only through a dedicated, restricted, Transportation Security. See 71 FR government network that cannot re-evaluate the costs presented with the 76852. The rule applies, in part, to tank Advance Notice in response to these connect to the public internet. Once a cars containing materials that are comments, DHS believes that the costs facility submits a Top-Screen (or SVA or poisonous by inhalation (PIH) as presented in the Advance Notice are SSP), the data is no longer available defined in 49 CFR § 171.8. (Note that the reasonable approximations, and they unencrypted. PIH is synonymous with TIH). See remain unchanged in the interim final Comment: A few commenters proposed 49 CFR § 1580.100(b). Also, on rule. indicated that the Advance Notice December 21, 2006, one of the Some commenters indicated that cost lacked meaningful worker involvement. Department of Transportation’s modal recovery for implementation can be According to some of the commenters, administrations, the Pipelines and difficult under certain government the rule does not ensure meaningful Hazardous Materials Administration contracts. Such comments are outside of front line worker and union (PHMSA), issued a Notice of Proposed the scope of this rulemaking. participation during risk assessments, Rulemaking titled ‘‘Hazardous Comment: Commenters also during the development of the Site Materials: Enhancing Rail expressed concern that the high costs Security Plans, in the inspection Transportation Safety and Security for will give an unfair advantage to larger process, or as part of ongoing Hazardous Material Shipments.’’ See 71 companies, because these associated consideration of safety and security FR 76834. PHMSA’s proposed costs will be harder for smaller concerns. One commenter felt that this regulation would include requirements companies (like local farmers) to absorb. omission occurred despite the fact that for rail carriers to use data to analyze Response: The Department notes, in it is the front line employee whose life safety and security risks along rail general, that it may be more difficult for is on the line first if there is a transportation routes where certain smaller companies to absorb increased catastrophic release. hazardous materials (including PIH costs than larger companies. However, Response: There is nothing in the rule materials) are used. the security measures required by this that prohibits chemical facilities from Comment: Some commenters raised interim final rule are not ‘‘command involving employees in their security questions regarding specific funding for and control’’ type measures. Instead, efforts. Many facilities may find it programs such as the BZPP Webcam they are risk-based performance beneficial to include employees in their Pilot Program. measures that will allow a high degree respective efforts to comply with this Response: Those comments are of flexibility for small entities that own regulation (e.g., identifying security beyond of the scope of this rulemaking, high-risk chemical facilities. These risk- vulnerabilities, developing Site Security which addresses chemical facility anti- based performance measures will allow Plans). However, the Department is not terrorism standards. high-risk chemical facilities to tailor a mandating participation by any specific regulatory compliance regime particular type of employee, and the N. Regulatory Evaluation that could minimize the compliance Department does not think it is wise to Comment: Commenters believe that costs to their respective facilities. DHS specify any employees that must be DHS has underestimated this cost to the also notes that certain chemical involved. The Department will leave chemical sector and that DHS should facilities have already voluntarily spent those decisions to facilities, as they will consider other costs beyond capital a significant amount of financial best understand the types and functions costs, such as additional physical resources to increase their security. This of employees at their facility and the security. interim final rule, by establishing a

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17722 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

baseline level of security across tiers, rule and the compliance costs explained Guard found it impractical to attempt to will serve to minimize any competitive in the Regulatory Assessment, we have estimate compliance costs for each advantage that may be currently enjoyed determined that this rule may have a individual facility and instead by those companies that are under- significant economic impact on a developed costs based on 16 ‘‘model investing in security. substantial number of small entities. See facilities.’’ Each of the several thousand Comment: One commenter noted that ‘‘Regulatory Flexibility Act’’ section facilities was placed into one of the 16 in order to quantify the benefits of the below. different subgroups for which rule, DHS must make assumptions about compliance costs were then estimated. the threats to the public, which injects IV. Regulatory Analyses Once the compliance costs for the 16 uncertainty into the calculation of A. Executive Order 12866: Regulatory ‘‘model facilities’’ were calculated, actual benefits. Planning and Review estimating the cost of the regulation was Response: The Department agrees that relatively straightforward. This rule is considered to be an it is difficult to quantify the ‘‘actual As this regulation is not a ‘‘command benefits’’ of this interim final rule. DHS economically significant regulatory and control’’ regulation, owners and/or has included a qualitative discussion of action under Executive Order 12866, operators will have considerable the benefits of this rule in the regulatory because it will result in the expenditure flexibility in how they choose to comply analysis of Executive Order 12886, of over $100 million in any one year. with its requirements. As owners and/ which is located in Section IV of the Accordingly, this rule has been or operators will have discretion on how preamble to this rule. reviewed by the Office of Management to best meet the risk-based performance Comment: Commenters noted that the and Budget (OMB). A Regulatory objectives, the cost assessment makes idea of a model facility is indeed a good Assessment which more thoroughly broad assumptions regarding the proposal but worried that there is explains the assumptions used to percentage of facilities that will choose insufficient time to implement the generate the cost of this interim final to implement or continue certain changes this proposal would entail. rule is available in the docket as security measures and the costs of those Response: DHS agrees that the idea of indicated under ADDRESSES. A summary security measures. For example, many model facilities is a good proposal. The of the Regulatory Assessment follows: facility owners and/or operators will cost estimate of the interim final rule is Cost Assessment Summary choose such measures as building based on the concept of the ‘‘model fences, enhancing perimeter lighting, facility’’ as it was used by the Coast Section 550 requires the Secretary of and hiring additional security guards in Guard to estimate the cost of their Homeland Security to promulgate order to comply with the risk-based Maritime Transportation Security Act of ‘‘interim final regulations establishing performance standards. In order to 2002 Facility Security final rule. See 68 risk-based performance standards for estimate the cost of the interim final FR 60515 (Oct. 22, 2003). security of chemical facilities * * *.’’ regulation, we made assumptions Comment: The Small Business He must do so ‘‘[n]o later than six regarding the specific percentage of Administration (SBA), Office of months’’ from the date of enactment of facilities that will choose to implement Advocacy, commented that DHS should this new authority, i.e. by April 4, 2007. certain security measures, such as prepare an Initial Regulatory Flexibility Consequently, the methodology chosen fences and perimeter lighting. Analysis (IRFA) under the Regulatory to analyze the cost of the interim final We expect that chemical facility Flexibility Act (RFA), 5 U.S.C. 603, after rule was chosen with the six month owners and/or operators will take full issuing the interim final rule or if DHS congressional deadline in mind. In advantage of the flexibility that these makes subsequent changes to the rule order to quickly analyze the cost of the risk-based performance standards will once it is promulgated. SBA explained interim final rule, DHS relied on readily provide and will conduct facility- that the RFA process is an extremely available information and drew upon specific and company-specific analyses valuable tool for agencies to use when the knowledge of professionals to determine the most cost-effective assessing the impact of a rule on small employed by DHS who have extensive method to comply with the businesses and other small entities. knowledge of the chemical industry. In requirements of this interim final Response: The RFA mandates that an addition, on December 28, 2006, DHS regulation. As a result of these internal agency conduct an analysis when an published an Advance Notice, which analyses, facilities are likely to identify agency is required to publish a notice of outlined our costing methodology and various means of meeting the risk-based proposed rulemaking. See 5 U.S.C. also placed in the docket our estimates performance standards applicable to 603(a). In this case, the Department is of capital costs for potential security their facility and tier. It is possible that not required to publish a notice of investments in order to seek meaningful some percentage of facilities will find proposed rulemaking: By directing the public comment. the most-cost effective method to Secretary to issue ‘‘interim final We have reviewed the methodology comply with the requirements will be to regulations’’, Congress authorized the used by the U.S. Coast Guard to analyze implement business and related Secretary to proceed without the the cost of the MTSA Facility Security production, processing or equipment traditional notice-and-comment final rule at 68 FR 60515 (Oct. 22, 2003), changes such as to no longer make required by the Administrative and, due to the similarities between the certain chemicals or to change their Procedure Act. See 71 FR 78276, 78277, MTSA Facility final rule and this process to use a less concentrated or less and 78292 (Dec. 28, 2006). interim final rule, we believe that this hazardous form of a listed chemical. DHS did, however, consider the methodology has merit and should be Such process changes, however, are impacts of this rule on small entities. used in this rulemaking. The MTSA very facility-, business- and process- The Regulatory Assessment, which is Facility Security final rule estimated the specific. Those that involve changes in available in the public docket, contains cost of performance standards on chemistry or processes may take several our analysis of the impacts of this rule several thousand unique facilities. years of design, testing and re- on small entities. After consideration of Similarly, the interim final rule will permitting before they can become the percentage of small entities that may estimate the costs of risk-based operational. Others may be easily and have to comply with the risk-based performance standards to several immediately implemented. However, performance standards required by this thousand unique facilities. The Coast because process changes are so facility-

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17723

and business-specific, DHS has no way final regulations establishing risk-based intent on causing massive damage. of estimating how many facilities may performance standards requiring the Many facilities house toxic chemicals ultimately implement such measures for performance of vulnerability that could become airborne and drift to the purpose of estimating compliance assessments and the development and surrounding communities if released or costs. Consequently, DHS is basing its implementation of site security plans. could be stolen and used to create a estimate of compliance costs on Section 550 establishes the parameters weapon capable of causing harm. commonly used security measures that of the Federal government’s first Terrorist attacks involving the theft or are broadly applicable to a wide range regulatory program to secure chemical release of certain chemicals could have of high risk chemical facilities, such as facilities against possible terrorist a significant impact on the health and the purchase of fences, the purchase of attack. safety of millions of Americans. The perimeter lighting, and the employment The threat of a terrorist attack against disaster at Bhopal, India in 1984, when of security guards. high-risk chemical facilities is real. methyl isocyanate gas—a highly toxic For the purposes of good practices or However, due to the economics of chemical—leaked from a tank, regulations promulgated by other externalities, the free market may not reportedly killing about 3,800 people Federal or State agencies, many provide adequate incentives for and injuring anywhere from 150,000 to chemical facility owners and/or chemical facilities to make a socially 600,000 others, illustrates the potential operators have already spent a optimal investment in the full range of threat to public health from a chemical substantial amount of money and measures that would reduce the release.3 resources to upgrade and improve probability of a successful terrorist • The Department of Justice has security. The costs shown below do not attack. Externalities are a cost or benefit concluded that the risk of terrorists include the costs of security measures from an economic transaction attempting in the foreseeable future to already implemented to enhance experienced by parties ‘‘external’’ to the cause an industrial chemical release is security. The costs shown here are transaction. In the case of chemical both real and credible. Terrorists or intended to represent the marginal cost facilities, since the consequences of an other criminals are likely to view the incurred by owner and/or operators as attack or other security incident may be potential of a chemical release from an a result of the interim final rule. significantly larger than what would be industrial facility as a relatively DHS’s preliminary estimate of the suffered by the owner of the facility attractive means to cause mass number of high risk chemical facilities itself, the private market may not casualties to the populace and/or large that will be covered by the risk-based generally provide the incentive for scale damage to property. DOJ notes that performance measures required by the profit-maximizing firms to unilaterally there have been successful efforts by interim final rule ranges from 1,500 to spend the socially optimal amount of foreign militaries and certain terrorist 6,500 chemical facilities. It is important resources to prevent or mitigate a groups indigenous to other countries to to stress that this estimate is simply terrorist attack. Since companies cause releases from industrial facilities DHS’s best guess based on currently nevertheless will likely suffer serious using bombs. Those efforts have in available information. Within this range consequences in the case of a terrorist effect converted the facilities into of 1,500 to 6,500 potentially covered attack, many certainly have invested makeshift WMD. Some of these releases chemical facilities, DHS is estimating significant resources in implementing have inflicted damage on the 5,000 facilities as its best guess of security measures, and this analysis surrounding communities. Moreover, covered facilities for the purpose of recognizes those resource expenditures. the evacuations that were triggered by In a competitive marketplace, however, generating the cost estimate required by the attempted and successful releases of a firm will not normally choose to make Executive Order 12866. industrial chemicals produced panic some additional investment in security Using the point estimate of 5,000 and disruption among the targeted over their privately optimal amount, facilities, the estimated present value population. These are precisely the since they would consequently be cost of this interim final rule is $3.6 goals of a terrorist.4 choosing to increase its cost of • billion dollars over the period 2006– In April 27, 2005, testimony before production and would be at a 2009 2 (7 percent discount rate). For the the Senate Committee on Homeland disadvantage when competing with purposes of illustration, we also have Security and Governmental Affairs companies that have chosen not to make calculated the cost of the interim final regarding the vulnerability of America a similar investment in security. As this rule over the ten year period 2006–2015. to a chemical attack, a Brookings interim final rule will require high-risk Over the period 2006–2015, DHS Institution Visiting Fellow testified. The chemical facilities to be held to the estimates the present value cost of this testimony stated that ‘‘of all the various same risk-based performance standards interim final rule would be $8.5 billion remaining civilian vulnerabilities in according to their risk-based tier, the assuming 5,000 covered facilities. America today, one stands alone as competitive advantage that may be uniquely deadly, pervasive, and Benefits Assessment currently enjoyed by those companies susceptible to a terrorist attack: toxic- This interim final rule allows DHS to that are under-investing in security inhalation-hazard (TIH) industrial implement Section 550 of the Homeland measures would be expected to chemicals, such as chlorine, ammonia, Security Appropriations Act of 2007. disappear. phosgene, methyl bromide, The first sentence of Section 550 Need for Increased Security at High-Risk hydrochloric and various other acids.’’ mandates the Secretary to issue interim Chemical Facilities In addition, the testimony indicated, There is much publicly-available 2 Section 550(b) of the Act states: ‘‘Interim 3 GAO, Homeland Security: Federal and Industry regulations issued under this section shall apply information that indicates an attack on Efforts Are Addressing Security Issues at Chemical until the effective date of interim or final a chemical facility is a credible threat Facilities, but Additional Action is Needed, GAO– regulations promulgated under other laws that with dire consequences: 05–631T (Washington, DC: April 2005). establish requirements and standards referred to in • According to the Government 4 Department of Justice Assessment of the subsection (a) and expressly supersede this section: Increased Risk of Terrorist or Other Criminal Provided, That the authority provided by this Accountability Office, experts agree that Activity Associated With Posting Off-Site section shall terminate three years after the date of the Nation’s chemical facilities present Consequence Analysis Information on the Internet, enactment of this Act.’’ an attractive target for terrorists who are April 18, 2000.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00037 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17724 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

‘‘the casualty potential of a terrorist benefits of these risk-based performance release of a hazardous material to harm attack against a large TIH chemical standards: onsite personnel or the community. container near a population center is • By securing and monitoring the • Deterring the theft or possible comparable to that of a fully successful perimeter of the facility, site personnel diversion of potentially hazardous terrorist employment of an improvised are better able to detect, delay, and chemicals will prevent loss of chemicals nuclear device or effective biological respond to individuals or groups who from the site. Such measures provide weapon. The key difference is that TIH seek unauthorized access to the site or security benefits as well as improving chemical containers are substantially its restricted areas. A well-secured inventory controls especially for easier to attack than improvised nuclear perimeter deters intruders from seeking chemicals that can be used directly as devices or effective biological weapons to gain access. By limiting acce3ss a chemical weapon or can be used to are to acquire or fabricate.’’ 5 through control points, the facility can produce such a weapon. • • In April 27, 2005, testimony before more easily and effectively control who Deterring insider sabotage prevents the Senate Committee on Homeland enters and leaves the site. Additionally, the facility’s own property and activities Security and Governmental Affairs securing and monitoring restricted areas from being used by a potential terrorist regarding the vulnerability of America or potentially critical targets within the against the facility. Examining the to a chemical attack, a Senior Fellow for facility reduces the likelihood of theft of background of employees or contractors National Security Studies at the Council chemicals because adversaries risk who may be planning acts of sabotage on Foreign Relations testified. The observation arriving and leaving the assists in preventing an in situ release of hazardous chemicals, damage to testimony stated ‘‘Of the carefully premises. Control of gates by guards or process units manufacturing chemicals selected potential targets that al Qaeda observation of the perimeter allows or tampering with chemicals that could or its imitators might seek to attack, the facility personnel to know who is cause an offsite impact. Ascertaining chemical industry should be at the top entering and leaving the site and in that visitors and contractors have of the list. There are hundreds of what vehicles. Access control points legitimate business onsite and are chemical facilities within the United permit the facility to check persons and escorted when necessary increases the States that represent the military vehicles seeking entrance to the site and control of the site in general and equivalent of a poorly guarded arsenal confirm their legitimate business. reduces the likelihood of sabotage or of weapons of mass destruction.’’ 6 • Controlling access to the site • theft. A recent Congressional Research including the screening and/or • The deterrence of cyber sabotage Service Report discussed trends in inspection of individuals and vehicles will benefit the facility by preventing chemical terrorism and discussed as they enter and exit the facility serves unauthorized onsite or remote access to evidence that U.S. chemical facilities to deter and detect unauthorized critical process controls, site security, may be used by terrorists to gain access introduction or removal of substances business systems, or SCADA systems (if to chemicals. One of the 1993 World and devices that may cause a dangerous significant consequences can be Trade Center bombers, Nidal Ayyad, chemical reaction, explosion, or other generated by the manipulation of the became a naturalized U.S. citizen and release to harm facility personnel or the process controls/systems). Appropriate worked as a chemical engineer in the surrounding community. A regular controls will allow the detection of chemical industry, from which he used system of identification checks will help unauthorized access and unauthorized company stationery to order chemical guards and other facility personnel modification of information (hacking). ingredients to make the bomb.’’ 7 recognize those personnel authorized to • Developing and exercising an • Information contained in the be on the site and identify those emergency plan to respond to security Congressional Record states that U.S. individuals who should not be granted incidents internally and with local law chemical trade publications were found access. enforcement and first responders (i.e., • in one of the caves where Osama bin Deterring vehicles from entering the emergency medical technicians (EMTs), Laden had hidden.8 facility or restricted access areas will fire, police) benefits the facility by reduce the likelihood that an adversary preparing it to take quick and decisive Qualitative Benefits of the Risk-Based will detonate a vehicle-borne action in the event of an attack or other Performance Standards improvised explosive device inside the breach of security. Establishing As explained previously, Section 550 facility. Appropriate methods of relationships with local law requires the Secretary of Homeland deterring vehicles form unauthorized enforcement improves responder Security to promulgate ‘‘interim final entry provide additional time for local understanding of the layout and of regulations establishing risk-based law enforcement response or otherwise hazards associated with the facility and performance standards for security of delay or prevent the vehicle from strengthens relationships with the chemical facilities * * *.’’ Section entering the site to cause harm. community. 27.230 establishes these standards. • Securing and monitoring the • Maintaining effective monitoring, Below is a discussion of the qualitative shipping and receiving of hazardous communications and warning systems chemicals will improve inventory allows the facility to notify internal 5 Statement of Richard A. Falkenrath, Visiting control, product stewardship and personnel and local responders in a Fellow, The Brookings Institution, before the security against theft, diversion and timely manner about security incidents. United States Committee on Homeland Security tampering. In addition, improved Regular tests, repairs and improvements and Governmental Affairs (April 27, 2005). inventory control and control of to the warning and communications 6 Statement of Stephen E. Flynn, PhD, Jeane J. Kirkpatrick Senior Fellow for National Security transportation containers on site system increase the reliability of such Studies, Council on Foreign Relations, before the decreases the likelihood that a foreign systems and will improve response United States Committee on Homeland Security substance could be introduced into time. and Governmental Affairs (April 27, 2005). feedstock, incidental chemicals, or • When the facility provides proper 7 CRS Report for Congress, Chemical Facility products leaving the site that could later security training, exercises and drills, Security, Updated August 2, 2006. 8 Bond, Christopher. Statement on S.2579. react with the chemical to cause a facility personnel are better able to Congressional Record, Daily Edition, June 5, 2002, significant on- or off-site reaction to respond to suspicious behavior, p. S5044. damage process equipment or cause a attempts to enter or attack a facility, or

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17725

other malevolent acts by insiders or B. Regulatory Flexibility Act facilities will be deemed to be ‘‘high- intruders. Well trained personnel who The Regulatory Flexibility Act (RFA) risk’’ for the purposes of the rule. Also, practice how to react can more mandates that an agency conduct an in meeting the risk-based performance effectively detect and delay intruders RFA analysis when an agency is standards required by this rule, facilities and provide increased measures of required to publish a notice of proposed will have a large degree of flexibility in deterrence against unauthorized acts. rulemaking. See 5 U.S.C. 603(a). An choosing specific security Establishing relationships with local RFA analysis, however, is not required enhancements. We expect that chemical law enforcement improves responder when an agency is not required to facility owners and/or operators will use understanding of the layout and hazard publish a notice of proposed this flexibility to minimize the cost of associated with the facility and rulemaking, as is the case here. By this rule to their operations. These strengthens relationships with the directing the Secretary to issue ‘‘interim uncertainties make it very difficult to community. final regulations’’ Congress authorized estimate the extent of the economic the Secretary to proceed without the impact of this rule on small entities. • The ability to escalate the levels of traditional notice-and-comment Even so, strictly for the purposes of security measures for periods of required by the Administrative analyzing the impact of this rule on elevated threat will provide the facility Procedure Act. See 71 FR 78276, 78277, small entities, DHS has selected from with the capacity to increase security and 78292. the EPA RMP database a sample of 350 measures to better protect against Even though a Regulatory Flexibility facilities that may be required to comply known increased threats or generalized Analysis is not required for this rule, with the risk-based performance increased threat levels declared by the DHS did consider the impacts of this standards required by the rule. We federal government. By maintaining the rule on small entities. The Regulatory researched these 350 facilities using ability to increase security measures, the Assessment, which is available in the Reference USA and LexisNexis and facility does not have to expend time public docket, contains this analysis of found detailed information (i.e., annual and resources on more robust security the impacts of this rule on small revenue, number of employees, and measures unless and until warranted. entities. A portion of the analysis is parent company information) for 326 (93%) of them. Of the 326 facilities for • A facility addressing specific summarized below. At this time, DHS’s preliminary which we were able to find detailed threats, vulnerabilities or risks estimate of the number of high risk information, our analysis of the data identified by the Assistant Secretary chemical facilities that will be covered indicates that 118 (36%) fit the Small will decrease the likelihood of a by the risk-based performance measures Business Administration’s definition of successful attack on its facility, required by the rule ranges from 1,500 a small entity. If we assume that the 24 personnel, products or community. Any to 6,500. This estimate is based on companies for which we could find no additional performance standards currently available information. After information are also small entities, the specified by the Secretary will increase chemical facilities with certain risk percentage of these facilities which are the facilities ability to deter, detect, profiles complete the Top-Screen, DHS owned by small entities could be 41 delay and respond to specific and will have a better understanding of how percent. Table 1 below provides revenue general threats against its security. many and which specific chemical ranges of the118 small entities.

TABLE 1.—PERCENTAGE OF SMALL ENTITIES BY REVENUE

Number of Percent of Revenue small entities small entities

$0–$999,999 ...... 11 9.3 $1,000,000–$4,999,999 ...... 14 11.9 $5,000,000–$9,999,999 ...... 12 10.2 $10,000,000–$19,999,999 ...... 15 12.7 $20,000,000–$49,999,999 ...... 23 19.5 $50,000,000–$99,999,999 ...... 9 7.6 $100,000,000–$999,999,999 ...... 31 26.3 > $1Billion ...... 3 2.5

Total ...... 118 100.0

After consideration of the percentage of ‘‘meaningful and timely input by State meet with the Department to discuss the small entities that may have to comply and local officials in the development of proposed regulations. These groups with the risk-based performance regulatory policies that have federalism were: the National League of Cities, the standards required by this rule and the implications.’’ Between the publication National Association of Counties, the compliance costs explained in the of the Advance Notice and this Interim National Conference of State Legislators, Regulatory Assessment, we have Final Rule, the Department has the County Executives of America, the determined that this rule may have a complied with this instruction in two International City/County Management significant economic impact on a ways. The Department specifically Association, the American Legislative substantial number of small entities. sought public comment on issues Exchange Council, the National C. Executive Order 13132: Federalism involving preemption. Additionally, Emergency Management Association/ after issuing its proposal, the CSG Council of State Governments, the 1. Background Department specifically invited a International Association of Emergency Executive Order 13132 requires DHS number of groups representing the Managers, the National Governors to develop a process to ensure interests of States and their legislators to

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00039 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17726 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

Association, and the United States administrative agency to administer a federal law in a number of contexts. See, Conference of Mayors. congressionally created * * * program e.g., In re Wireless Consumers Alliance, The Department received numerous necessarily requires the formulation of Inc., 15 F.C.C.R. 17,021 (Aug. 14, 2000) comments in response to its invitations. policy and the making of rules to fill (administrative agency opinion on States, the private sector, academia, any gap left, implicitly or explicitly by preemptive effect of federal law); 1999 various interest groups, and individual Congress.’’) (ellipses in original; citation WL 303948 (April 20, 1999) (U.S. members of Congress submitted omitted). Agencies, not only the courts, Department of Labor Release discussing comments. The commenters were exercise their expertise to fill in the gaps views on preemption of state laws). We divided in their views of the proposed and interpret the ambiguities. See id. at anticipate that the courts will ultimately approach on preemption. A number of 843 & n.11 (‘‘If, however, the court resolve any preemption question, with commenters favored the Department’s determines that Congress has not an appropriate level of deference to the proposal, while others opposed it. Some directly addressed the precise question position of the agency. commenters misunderstood the at issue, the court does not simply Some comments urged the Department’s position on preemption or impose its own construction on the Department to avoid preemption after the current state of the case law on statute * * * Rather, if the statute is looking to a canon of interpretation preemption. As discussed below, the silent or ambiguous with respect to the involving a presumption against Department is clarifying its approach on specific issue, the question for the court preemption. This presumption, preemption in certain respects. is whether the agency’s answer is based however, typically exists ‘‘in areas of Specifically, we confirm: the propriety on a permissible construction of the regulation that are traditionally of discussing the Department’s view on statute. The court need not conclude allocated to states and are of particular preemption, though Congress was silent that the agency construction was the local concern.’’ Wachovia Bank, N.A., on the question; that the type of only one it permissibly could have 414 F.3d at 314; see also United States preemption called for by Section 550 is adopted to uphold the construction, or v. Locke, 529 U.S. 89 (2000). As noted not field preemption, but conflict even the reading the court would have in the Advance Notice, measures to preemption; and that the Department reached if the question initially had prevent terrorist attacks against the will further assist in the process of arisen in a judicial proceeding.’’). And Nation’s critical infrastructure do not determining whether a non-Federal even if a court interprets an ambiguous involve an area traditionally regulated regulation is preempted by providing statute before an agency promulgates by the States. Very few state and local opinions regarding the impact of that rules to fill the gaps or interpret the jurisdictions currently regulate security regulation on the Federal scheme. ambiguities, the court’s interpretation at chemical facilities. does not necessarily restrict the agency’s The Department recognizes that 2. Propriety of Department’s Views on courts sometimes look to legislative Preemption ability to adopt a different interpretation in the future. See National Cable & intent with respect to the issue of As an initial matter, some Telecomm. Ass’n v. Brand X Internet preemption—decisions in this area are commenters, including Members of Servs., 545 U.S. 967, 982 (2005). replete with such references. See, e.g., Congress, suggested that, since Congress This does not mean to slight the Medtronic, Inc. v. Lohr, 518 U.S. 470, was silent on preemption, the courts’ role in the interpretive process. 485 (1996). In the context of Section Department’s rulemaking should be As the Supreme Court has stated, ‘‘The 550, however, it is very difficult to silent as well. The comments on this judiciary is the final authority on issues discern that intent. The legislative subject touch on two important of statutory construction and must reject history on the point is mixed, with subtopics: who (i.e., which government administrative constructions which are various Members of Congress making structure) should determine the contrary to clear congressional intent.’’ floor statements that are not consistent preemptive effect of Section 550 and the Chevron, 467 U.S. at 843 n.9. with each other. See, e.g., Cong. Rec. regulatory program promulgated under With respect to the issue of H7967 (daily ed. Sept. 29, 2006) its authority; and what law, if any, the preemption in particular, the Supreme (statement of Rep. King) (‘‘the intention regulatory program under Section 550 Court has applied these same principles is not to preempt the ability of the might preempt. regarding Congress, the courts and the States’’) and Cong. Rec. S10619 (daily In Section 550, Congress did not agencies. See, e.g., Fidelity Fed. Sav. ed. Sept. 29, 2006) (statement of Sen. expressly speak to the issue of and Loan Ass’n v. de la Cuesta, 458 U.S. Voinovich) (‘‘I feel strongly that this preemption. Preemption questions 141, 151–54 (1982). ‘‘Federal regulations provision sets that uniform set of rules following statutory silence on have no less pre-emptive effect than and in so doing, impliedly preempts preemption are not novel. Courts and federal statutes * * * A pre-emptive further regulation by State rules or agencies have previously faced and regulation’s force does not depend on laws.’’) In addition, it is particularly dealt with who decides preemption express congressional authorization to difficult to gauge congressional intent issues in the face of congressional displace state law.’’ Id. at 153–54. The on one relatively short, page-and-a half silence. It is helpful to recall that, as a Supreme Court, and lower courts, have authorizing provision in a lengthy general matter, Congress often provides given deference to agencies that define, appropriations act that runs over 100 the Executive Branch with authority to through regulation, the scope of pages. To be sure, individual members administer a regulatory program while preemption. See, e.g., id.; Wachovia of Congress—including some members leaving gaps or ambiguities in the Bank, N.A. v. Burke, 414 F.3d 305 (2d substantially involved in homeland authorizing law. When this happens, the Cir. 2005). security issues—have expressed strong Supreme Court has long recognized that So although some commenters views on preemption. But can it really agencies have the responsibility, within claimed that the Department lacks the be said that legislative intent may be the general delegation, to formulate authority to address the issue of discerned on the silent aspect of one policy and make rules to fill those gaps preemption in its regulations or later- authorizing section of a lengthy and interpret the ambiguities. See issued opinions, this assertion is simply appropriations act? Cf. Chrysler Corp. v. Chevron U.S.A., Inc. v. Natural not consistent with current law. Federal Brown, 441 U.S. 281, 311–12 (1979); Resources Defense Council, Inc., 467 agencies have historically published Castaneda-Gonzalez v. INS, 564 F.2d U.S. 837, 843 (1984) (‘‘The power of an their views on the preemptive effect of 417, 424 (D.C. Cir. 1977).

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00040 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17727

As an additional consideration, the regulatory text at § 27.405—apply to to the regulation as it relates to Department notes that if it were to Section 550 and this regulation. preemption. disclaim any preemptive effect of the After considering comments, Certain commenters asked that the regulatory program under Section 550, it however, the Department has modified Advance Notice be more clear in would create an inconsistency with the certain of its prior statements on delineating what state laws are not to be Department’s own regime for regulating preemption as potentially too broad. In preempted. The Department does not chemical facilities under the MTSA. In the Advance Notice, the Department intend to preempt existing health, safety its regulations under MTSA, the noted that Section 550 compels the and environmental regulations. In the Department has stated its view that the Department to preserve chemical future, however, if state or local principles of conflict preemption apply. facilities’ flexibility to choose security governments enact security laws or See 68 FR 60468 (Oct. 22, 2003). measures to reach the appropriate promulgate security regulations under Congress has charged the Department security outcome. The Department went the rubric of health, safety, or with implementing the security on to say that a State measure frustrating environmental protections, those laws programs under both MTSA and Section this balance ‘‘will be preempted.’’ The and regulations will be measured 550, and the Department seeks to Department has decided, however, that against the standard described in implement these programs in a clarification is in order, as this § 27.405. Of course, non-Federal consistent and logical manner. regulation is not intended to be the regulations that fall below federal 3. No Field Preemption equivalent of ‘‘field preemption’’ for performance standards will not facilities determined to be high risk. diminish the federal requirements that Some commenters feared—and others Instead, it is only meant to indicate that covered facilities must meet. hoped—that the Department’s approach the regulation is not to be conflicted by, to preemption would wholly displace interfered with, hindered by or D. Unfunded Mandates Reform Act state and local laws. This is incorrect. frustrated by State measures, under The Department does not in this interim Title II of the Unfunded Mandates long-standing legal principles. final rule claim that the ‘‘field Reform Act of 1995 (UMRA), enacted as preemption’’ doctrine applies in this Only a few jurisdictions have Pub. L. 104–4 on March 22, 1995, regulatory context. The Department developed security regulations (rather requires each Federal agency, to the does not view its regulatory scheme as than health, safety, and environmental extent permitted by law, to prepare a one which so fully occupies the field as regulations) governing chemical sites. written assessment of the effects of any to pre-empt any state law touching the While we have not canvassed all Federal mandate in a proposed or final same subject. existing state laws and regulations, agency rule that may result in the This is clear from the statutory text. currently we have no reason to conclude expenditure by State, local, and tribal For example, the authority granted in that any such non-Federal measure is governments, in the aggregate, or by the Section 550 calls for the federal being applied in a way that would private sector, of $100 million or more regulations to apply to facilities that impede the performance standards or (adjusted annually for inflation) in any present ‘‘high levels of security risk’’ as other provisions of Section 550 and this one year. Section 204(a) of UMRA, 2 determined by the Secretary. The Interim Final Rule. However, concrete U.S.C. 1534(a), requires the Federal Department does not, therefore, have conclusions about the effect of state agency to develop an effective process authority under Section 550 to regulate laws and the application of preemption to permit timely input by elected facilities that may, in the Secretary’s principles will require an understanding officers (or their designees) of State, view, present other than high levels of of future, factual contexts in which local, and tribal governments on a security risk. Some facilities may not be those laws are applied. The Department proposed ‘‘significant intergovernmental deemed by the Department as will consider any problems that arise in mandate.’’ A ‘‘significant presenting a high risk. These facilities this regard in a more particularized intergovernmental mandate’’ under the may be regulated by States provided manner. UMRA is any provision in a Federal such regulation is not otherwise in Consistent with the approach outlined agency regulation that will impose an conflict with the federal program. In in the Advance Notice, the Department enforceable duty upon State, local, and addition, as mentioned in the will entertain requests for its views on tribal governments, in the aggregate, of comments, Section 550 specifically particular state or local laws, which will $100 million (adjusted annually for allows the Secretary to approve be issued by way of an opinion. In inflation) in any one year. Section 203 alternative security programs that may addition to the approach described in of UMRA, 2 U.S.C. 1533, which have been submitted in response to the Advanced Notice, the Department supplements section 204(a), provides State or local authorities. will seek the input and views of a State that before establishing any regulatory before finalizing the Department’s view requirements that might significantly or 4. Principles of Conflict Preemption of preemption with respect to such uniquely affect small governments, the Even for high risk facilities, the State’s laws. See § 27.405(d)(3). It will agency shall have developed a plan that, approach outlined in the Advance be helpful for the Department to seek among other things, provides for notice Notice, and further developed here, is the views of the relevant States if an to potentially affected small one of conflict preemption. Conflict opinion on preemption is requested governments, if any, and for a preemption is established in the under these regulations. Additionally, meaningful and timely opportunity to Constitution and has been developed in the Department would, time permitting, provide input in the development of case law (see, e.g., Geier v. American seek public notice and comment before regulatory proposals. The Department Honda Motor Co., 529 U.S. 861, 873 formulating its views on a particular sought input from state and local (2000); Fidelity Fed. Sav. and Loan preemption question, consistent, of governments during the comment Ass’n v. de la Cuesta, 458 U.S. 141, 152 course, with the congressional mandate period and hosted a meeting with state (1982); Surrick v. Killion, 449 F.3d 520, to protect from public disclosure and local representatives on February 6, 530–31 (3d Cir. 2006)), and the well- information submitted under Section 2007. A list of participants and short known standards of conflict 550. The Department, however, declines description of the meeting is in the preemption—which are captured in the to add additional procedural formalities docket.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00041 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17728 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

This interim final rule would result in Assessment Tool (CSAT) system to Annual Burden Estimate: Each facility expenditure by the private sector of collect and analyze key data from is estimated to have a burden of 44.5 $100 million (adjusted annually for chemical facilities to: (1) Identify minutes to complete DHS Form 9002 inflation) or more in any one year. At facilities that present a high level of (1/07). The annual hour burden is this time, however, we do not have risk, (2) Support the facility-specific estimated to be 22,250. enough information regarding the judgment for preliminary and final tier Title: Chemical Security Assessment specific facilities that will be required to high risk determinations, (3) Specify the Tool (CSAT): Top Screen. comply with the rule’s risk-based facility-specific security concerns that Summary of Collection of performance standards in order to know facilities must address in their SVAs Information: Section 550 provided the if this interim final rule will impose an and SSPs, and (4) Collect the facility- Department with the authority to enforceable duty upon State, local, and specific security measures, activities, regulate high risk chemical facilities. tribal governments of $100 million and systems for judging compliance Further, it requires that the Secretary of (adjusted annually for inflation) or more against the risk based performance the Department of Homeland Security in any one year. DHS has conducted a standards. DHS will submit the identify high risk facilities and provide ‘‘Regulatory Assessment,’’ which collections for SVAs and the SSPs for the protection of the information explains the economic effects of the during the summer months. regarding and provided by those rule. The ‘‘Regulatory Assessment’’ is This rule introduces a new collection, facilities. DHS has identified the CSAT summarized in the section entitled 1670–NEW, with two new forms: User system as the Information Technology ‘‘Executive Order 12866,’’ and a copy Registration (DHS 9002 (1/07)) and Top (IT) system it will use to obtain and may be found in the public docket for Screen (DHS 9007 (2/07)). As such, DHS quantify this key risk data from this IFR. has submitted the following information facilities. The Department will begin As explained in the ‘‘Regulatory requirements to OMB for its review: collecting information upon the Assessment,’’ DHS’s preliminary Title: Chemical Security Assessment effective date of this interim final rule. estimate of the total number of high-risk Tool (CSAT): User Registration. Use of: The CSAT is the Department’s chemical facilities that will be covered OMB Control Number: 1670_NEW system for collecting and analyzing key by the risk-based performance measures Summary of Collection of data from chemical facilities to: (1) required by this rule ranges from 1,500 Information: Section 550 provided the Identify facilities that present a high to 6,500 chemical facilities. This Department with the authority to level of risk, (2) Support the facility- estimate is based on currently available regulate high risk chemical facilities. specific judgment for preliminary and information. After chemical facilities Further, it requires that the Secretary of final tier determinations, and (3) Specify fitting certain risk profiles complete the the Department of Homeland Security the facility-specific security concerns Top-Screen risk assessment identify high risk facilities and provide that facilities must address in their methodology (which will be accessible for the protection of the information SVAs and SSPs. through a secure Department website), regarding and provided by those Respondents (including number of): DHS will better understand how many facilities. DHS has identified the CSAT DHS anticipates there will be 40,000 and which specific chemical facilities system as the Information Technology respondents in the first year. The will be deemed to be ‘‘high-risk’’ for the (IT) system it will use to obtain and respondents will be chemical facilities purposes of this rule. For the purposes quantify this key risk data from that possess, or plan to possess, a of this discussion, we believe this rule facilities. The Department will begin quantity of a chemical substance may require certain municipalities that collecting information upon the determined by the Secretary to be own and/or operate power generating effective date of this interim final rule. potentially dangerous or that meets facilities to purchase security Use of: The Department will use the other risk-related criteria identified by enhancements, but at this time we do registration information as a basis for the Department. not know the extent of the financial providing chemical facilities access to Frequency: Most facilities will impact. the CSAT system. complete the Top-Screen once. The Need for Information: The Department will require facilities that E. Paperwork Reduction Act Department needs the information from are determined to be high risk to This interim final rule contains the User Registration form to identify periodically resubmit the Top-Screen. collection of information requirements and vet requests to access the CSAT Burden of Response: Depending upon under the Paperwork Reduction Act of system. the size of the facility, the burden rates 1995 (44 U.S.C. 3501–3520). ‘‘Collection Description of the Respondents: DHS will vary. The estimated burden hours of information,’’ as defined in 5 CFR anticipates that there will be 40,000 for the different facility types are 1320.3(c), includes reporting, record respondents in the first year. The detailed in the table below. The keeping, monitoring, posting, labeling, respondents will be the owners and combined hour burden for all facilities and other similar actions. operators of the chemical facilities that completing the Top-Screen is estimated Under Section 550 of the DHS will need to submit information through to be 1,230,550. The combined annual Appropriations Act, the Department the CSAT system. cost burden for the User Registration will use the Chemical Security Frequency of Response: On Occasion. and the Top-Screen is $110,003,900.

TABLE 2.—SUMMARY OF BURDEN HOURS FOR CONDUCTING USER REGISTRATION (DHS FORM 9002 (1/07)) AND TOP SCREEN (DHS FORM 9007 (2/07))

Number of Hour burden Total hour Type of facility facilities per facility burden

Open Large ...... 9,327 39.5 368,400 Merchant Wholesalers ...... 432 30 13,000 Facilities with only 1–2 chemicals ...... 7,968 25.5 203,200

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00042 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17729

TABLE 2.—SUMMARY OF BURDEN HOURS FOR CONDUCTING USER REGISTRATION (DHS FORM 9002 (1/07)) AND TOP SCREEN (DHS FORM 9007 (2/07))—Continued

Number of Hour burden Total hour Type of facility facilities per facility burden

Other ...... 22,273 30 668,200

Total ...... 1,252,800

As required by the Paperwork interim final regulations and the The Interim Final Rule Reduction Act of 1995 (44 U.S.C. 3507 statutory mandate, which directed that I For the reasons set forth in the (d)), we have submitted a copy of the each chemical facility develop and preamble, the Department of Homeland interim final rule to OMB for its review implement site security plans, with the Security adds Part 27 to Title 6, Code of of the collections of information. Due to proviso that the facility could select Federal Regulations, to read as follows: the circumstances surrounding this final layered security measures to rule, we ask for emergency processing. appropriately address the vulnerability Title 6—Department of Homeland DHS is soliciting comments to: assessment and the risk-based Security (1) Evaluate whether the proposed performance standards for security of Chapter 1—Department of Homeland information requirement is necessary for the facility. Additionally, Congress Security, Office of the Secretary the proper performance of the functions mandated that the Secretary could not of the agency, including whether the disapprove a site security plan based on PART 27—CHEMICAL FACILITY ANTI- information will have practical utility; TERRORISM STANDARDS (2) Evaluate the accuracy of the the presence or absence of a particular agency’s estimate of the burden; security measure, but only on the failure Subpart A—General (3) Enhance the quality, utility, and to satisfy a risk-based performance Sec. clarity of the information to be standard. 27.100 Purpose. collected; and Chemical facilities are of a wide 27.105 Definitions. (4) Minimize the burden of the variety of designs and sizes, and are 27.110 Applicability. collection of information on those who 27.115 Implementation. located in a wide range of geographic 27.120 Designation of a coordinating are to respond, including using settings, communities, and natural official; Consultations and technical appropriate automated, electronic, environments. The Department is not assistance. mechanical, or other technological funding or directing specific measures 27.125 Severability. collection techniques or other forms of under these regulations, but issuing information technology. Subpart B—Chemical Facility Security performance standards. Consequently, Program Individuals and organizations may the Department currently has no way to 27.200 Information regarding security risk submit comments on the information determine the action the chemical collection requirements by July 9, 2007. for a chemical facility. facility will take to meet the standards, 27.205 Determination that a chemical Direct the comments to the address and what effect any action might have facility ‘‘presents a high level of security listed in the ADDRESSES section of this on the environment. Even if the risk.’’ document. Also, fax a copy of the Department could predict the actions 27.210 Submissions schedule. comments to the Office of Information 27.215 Security vulnerability assessments. and Regulatory Affairs, Office of the facilities would take in response to 27.220 Tiering. Management and Budget at 202–395– the standards, it is likely facilities 27.225 Site security plans. 6974, Attention: Nathan Lesser, DHS would take widely varying actions to 27.230 Risk-based performance standards. Desk Officer; and send via electronic comply, based upon type of facility, 27.235 Alternative security program. 27.240 Review and approval of security mail to [email protected]. geographic location, existing infrastructure, etc. vulnerability assessments. A comment to OMB is most effective 27.245 Review and approval of site security if OMB receives it within 30 days of We received no comments objecting plans. publication. DHS will publish the OMB to this conclusion during the comment 27.250 Inspections and audits. control number for this information period, and further, no comments on 27.255 Recordkeeping requirements. collection in the Federal Register after this matter were raised during the Subpart C—Orders and Adjudications OMB approves it. Environmental Organizations Forum the Under the protections provided by the 27.300 Orders. Department hosted on January 17, 2007. 27.305 Neutral adjudications. PRA, as amended, an agency may not Accordingly, the information needed to 27.310 Commencement of adjudication conduct or sponsor, and a person is not conduct an Environmental Impact proceedings. required to respond to, a collection of Statement is not available at this time 27.315 Presiding officers for proceedings. information unless it displays a and, in any event, the Department could 27.320 Prohibition on ex parte currently valid OMB control number. not reasonably conduct an communications during proceedings. 27.325 Burden of proof. F. National Environmental Policy Act Environmental Impact Statement within 27.330 Summary decision procedures. In the Advance Notice, the the six months time allotted for issuance 27.335 Hearing procedures. Department reviewed the rulemaking of the interim final regulations. 27.340 Completion of adjudication process with regard to the National proceedings. List of Subjects in 6 CFR Part 27 27.345 Appeals. Environmental Policy Act (NEPA). See 71 FR 78276, 78294 (Dec. 28, 2006). Chemical security, Facilities, Subpart D—Other Specifically, the Department considered Reporting and recordkeeping, Security 27.400 Chemical-terrorism vulnerability the short timeframe to issue these measures. information.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00043 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17730 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

27.405 Review and preemption of State determined by the Assistant Secretary to tiers, ranging from highest risk at Tier 1 laws and regulations. present high levels of security risk, or a to lowest risk at Tier 4. 27.410 Third party actions. facility that the Assistant Secretary has Top-Screen shall mean an initial Appendix A to Part 27—DHS Chemicals of determined is presumptively high risk screening process designed by the Interest under § 27.200. Assistant Secretary through which Department shall mean the chemical facilities provide information Authority: Pub. L. 109–295, sec. 550. Department of Homeland Security. to the Department for use pursuant to Subpart A—General Deputy Secretary shall mean the § 27.200 of these regulations. Deputy Secretary of the Department of Under Secretary shall mean the Under § 27.100 Purpose. Homeland Security or his designee. Secretary for National Protection and The purpose of this Part is to enhance Director of the Chemical Security Programs, Department of Homeland the security of our Nation by furthering Division or Director shall mean the Security or any successors to that the mission of the Department as Director of the Chemical Security position within the Department or his provided in 6 U.S.C. § 111(b)(1) and by Division, Office of Infrastructure designee. Protection, Department of Homeland lowering the risk posed by certain § 27.110 Applicability. chemical facilities. Security or any successors to that position within the Department or his (a) This Part applies to chemical § 27.105 Definitions. designee. facilities and to covered facilities as set As used in this part: General Counsel shall mean the out herein. Alternative Security Program or ASP General Counsel of the Department of (b) This Part does not apply to shall mean a third-party or industry Homeland Security or his designee. facilities regulated pursuant to the organization program, a local authority, Operator shall mean a person who has Maritime Transportation Security Act of state or Federal government program or responsibility for the daily operations of 2002, Pub. L. 107–295, as amended; any element or aspect thereof, that the a facility or facilities subject to this Part. Public Water Systems, as defined by Assistant Secretary has determined Owner shall mean the person or entity Section 1401 of the Safe Drinking Water meets the requirements of this Part and that owns any facility subject to this Act, Pub. L. 93–523, as amended; provides for an equivalent level of Part. Treatment Works as defined in Section security to that established by this Part. Present high levels of security risk and 212 of the Federal Water Pollution Assistant Secretary shall mean the high risk shall refer to a chemical Control Act, Pub. L. 92–500, as Assistant Secretary for Infrastructure facility that, in the discretion of the amended; any facility owned or Protection, Department of Homeland Secretary of Homeland Security, operated by the Department of Defense Security or his designee. presents a high risk of significant or the Department of Energy, or any Chemical Facility or facility shall adverse consequences for human life or facility subject to regulation by the mean any establishment that possesses health, national security and/or critical Nuclear Regulatory Commission. or plans to possess, at any relevant point economic assets if subjected to terrorist § 27.115 Implementation. in time, a quantity of a chemical attack, compromise, infiltration, or The Assistant Secretary may substance determined by the Secretary exploitation. implement the Section 550 program in to be potentially dangerous or that Risk profiles shall mean criteria a phased manner, selecting certain meets other risk-related criteria identified by the Assistant Secretary for chemical facilities for expedited initial identified by the Department. As used determining which chemical facilities processes under these regulations and herein, the term chemical facility or will complete the Top-Screen or provide identifying other chemical facilities or facility shall also refer to the owner or other risk assessment information. types or classes of chemical facilities for Screening Threshold Quantity or STQ operator of the chemical facility. Where other phases of program shall mean the quantity of a chemical of multiple owners and/or operators implementation. The Assistant interest, upon which the facility’s function within a common Secretary has flexibility to designate obligation to complete and submit the infrastructure or within a single fenced particular chemical facilities for specific CSAT Top-Screen is based. area, the Assistant Secretary may phases of program implementation Secretary or Secretary of Homeland determine that such owners and/or based on potential risk or any other Security shall mean the Secretary of the operators constitute a single chemical factor consistent with this Part. facility or multiple chemical facilities Department of Homeland Security or depending on the circumstances. any person, officer or entity within the § 27.120 Designation of a coordinating Chemical Security Assessment Tool or Department to whom the Secretary’s official; Consultations and technical CSAT shall mean a suite of four authority under Section 550 is assistance. applications, including User delegated. (a) The Assistant Secretary will Registration, Top-Screen, Security Terrorist attack or terrorist incident designate a Coordinating Official who Vulnerability Assessment, and Site shall mean any incident or attempt that will be responsible for ensuring that Security Plan, through which the constitutes terrorism or terrorist activity these regulations are implemented in a Department will collect and analyze key under 6 U.S.C. 101(15) or 18 U.S.C. uniform, impartial, and fair manner. data from chemical facilities. 2331(5) or 8 U.S.C. 1182(a)(3)(B)(iii), (b) The Coordinating Official and his Chemical-terrorism Vulnerability including any incident or attempt that staff shall provide guidance to covered Information or CVI shall mean the involves or would involve sabotage of facilities regarding compliance with this information listed in § 27.400(b). chemical facilities or theft, Part and shall, as necessary and to the Coordinating Official shall mean the misappropriation or misuse of a extent that resources permit, be person (or his designee(s)) selected by dangerous quantity of chemicals. available to consult and to provide the Assistant Secretary to ensure that Tier shall mean the risk level technical assistance to an owner or the regulations are implemented in a associated with a covered chemical operator who seeks such consultation or uniform, impartial, and fair manner. facility and which is assigned to a assistance. Covered Facility or Covered Chemical facility by the Department. For purposes (c) In order to initiate consultations or Facility shall mean a chemical facility of this part, there are four risk-based seek technical assistance, a covered

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00044 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17731

facility shall submit a written request Screen process, which may be the facility could result in significant for consultation or technical assistance completed through a secure Department adverse consequences for human life or to the Coordinating Official or contact Web site or through other means health, national security or critical the Department in any other manner approved by the Assistant Secretary. economic assets. Upon determining that specified in any subsequent guidance. (2) A facility must complete and a facility presents a high level of Requests for consultation or technical submit a Top-Screen in accordance with security risk, the Department shall guidance do not serve to toll any of the the schedule provided in § 27.210 if it notify the facility in writing of such applicable timelines set forth in this possesses any of the chemicals listed in initial determination and may also Part. Appendix A to this part at the notify the facility of the Department’s (d) If a covered facility modifies its corresponding Screening Threshold preliminary determination of the facility, processes, or the types or Quantities. facility’s placement in a risk-based tier quantities of materials that it possesses, (3) Where the Department requests pursuant to § 27.220(a). and believes that such changes may that a facility complete and submit a (b) Redetermination. If a covered impact the covered facility’s obligations Top-Screen, the facility must designate facility previously determined to under this Part, the covered facility may a person who is responsible for the present a high level of security risk has request a consultation with the submission of information through the materially altered its operations, it may Coordinating Official as specified in CSAT system and who attests to the seek a redetermination by filing a paragraph (c). accuracy of the information contained Request for Redetermination with the in any CSAT submissions. Such Assistant Secretary, and may request a § 27.125 Severability. submitter must be an officer of the meeting regarding the Request. Within If a court finds any portion of this Part corporation or other person designated 45 calendar days of receipt of such a to have been promulgated without by an officer of the corporation and Request, or within 45 calendar days of proper authority, the remainder of this must be domiciled in the United States. a meeting under this paragraph, the Part will remain in full effect. (c) Presumptively High Risk Facilities. Assistant Secretary shall notify the (1) If a chemical facility subject to covered facility in writing of the Subpart B—Chemical Facility Security paragraph (a) or (b) of this section fails Department’s decision on the Request Program to provide information requested or for Redetermination. complete the Top-Screen within the § 27.200 Information regarding security § 27.210 Submissions schedule. risk for a chemical facility. timeframe provided in § 27.210, the Assistant Secretary may, after (a) Initial Submission. The timeframes (a) Information to determine security attempting to consult with the facility, in paragraphs (a)(2) and (a)(3) of this risk. In order to determine the security reach a preliminary determination, section also apply to covered facilities risk posed by chemical facilities, the based on the information then available, that submit an Alternative Security Secretary may, at any time, request that the facility presumptively presents Program pursuant to § 27.235. information from chemical facilities that a high level of security risk. The (1) Top-Screen. Facilities shall may reflect potential consequences of or Assistant Secretary shall then issue a complete and submit a Top-Screen vulnerabilities to a terrorist attack or notice to the entity of this determination within the following time frames: incident, including questions and, if necessary, order the facility to (i) This paragraph is operative on the specifically related to the nature of the provide information or complete the date that the Department publishes a business and activities conducted at the Top-Screen pursuant to these rules. If final Appendix A. Unless otherwise facility; information concerning the the facility then fails to do so, it may be notified, within 60 calendar days of the names, nature, conditions of storage, subject to civil penalties pursuant to effective date of Appendix A for quantities, volumes, properties, § 27.300, audit and inspection under facilities that possess any of the customers, major uses, and other § 27.250 or, if appropriate, an order to chemicals listed in Appendix A at the pertinent information about specific cease operations under § 27.300. corresponding STQs, or within 60 chemicals or chemicals meeting a (2) If the facility deemed calendar days for facilities that come specific criterion; information ‘‘presumptively high risk’’ pursuant to into possession of any of the chemicals concerning facilities’ security, safety, paragraph (c)(1) of this section listed in Appendix A at the and emergency response practices, completes the Top-Screen, and the corresponding STQs; or operations, and procedures; information Department determines that it does not (ii) Within the time frame provided in regarding incidents, history, funding, present a high level of security risk any written notification from the and other matters bearing on the under § 27.205, its status as Department or specified in any effectiveness of the security, safety and ‘‘presumptively high risk’’ will subsequent Federal Register notice. emergency response programs, and terminate, and the Department will (2) Security Vulnerability Assessment. other information as necessary. issue a notice to the facility to that Unless otherwise notified, a covered (b) Obtaining information from effect. facility must complete and submit a facilities. (1) The Assistant Secretary Security Vulnerability Assessment may seek the information provided in § 27.205 Determination that a chemical within 90 calendar days of written paragraph (a) of this section by facility ‘‘presents a high level of security notification from the Department or contacting chemical facilities risk.’’ within the time frame specified in any individually or by publishing a notice in (a) Initial Determination. The subsequent Federal Register notice. the Federal Register seeking Assistant Secretary may determine at (3) Site Security Plan. Unless information from chemical facilities that any time that a chemical facility otherwise notified, a covered facility meet certain criteria, which the presents a high level of security risk must complete and submit a Site Department will use to determine risk based on any information available Security Plan within 120 calendar days profiles. Through any such individual (including any information submitted to of written notification from the or Federal Register notification, the the Department under § 27.200) that, in Department or within the time frame Assistant Secretary may instruct such the Secretary’s discretion, indicates the specified in any subsequent Federal facilities to complete and submit a Top- potential that a terrorist attack involving Register notice.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00045 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17732 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

(b) Resubmission Schedule for § 27.215 Security vulnerability security-related reasons, if requested by Covered Facilities. The timeframes in assessments. the Assistant Secretary. this subsection also apply to covered (a) Initial Assessment. If the Assistant § 27.220 Tiering. facilities who submit an Alternative Secretary determines that a chemical Security Program pursuant to § 27.235. facility is high-risk, the facility must (a) Preliminary Determination of Risk- complete a Security Vulnerability Based Tiering. Based on the information (1) Top-Screen. Unless otherwise the Department receives in accordance notified, Tier 1 and Tier 2 covered Assessment. A Security Vulnerability Assessment shall include: with §§ 27.200 and 27.205 (including facilities must complete and submit a (1) Asset Characterization, which information submitted through the Top- new Top-Screen no less than two years, includes the identification and Screen process) and following its initial and no more than two years and 60 characterization of potential critical determination in § 27.205(a) that a calendar days, from the date of the assets; identification of hazards and facility presents a high level of security Department’s approval of the facility’s consequences of concern for the facility, risk, the Department shall notify a Site Security Plan; and Tier 3 and Tier its surroundings, its identified critical facility of the Department’s preliminary 4 covered facilities must complete and asset(s), and its supporting determination of the facility’s placement submit a Top-Screen no less than 3 infrastructure; and identification of in a risk-based tier. years, and no more than 3 years and 60 existing layers of protection; (b) Confirmation or Alteration of Risk- calendar days, from the date of the (2) Threat Assessment, which Based Tiering. Following review of a Department’s approval of the facility’s includes a description of possible covered facility’s Security Vulnerability Site Security Plan. internal threats, external threats, and Assessment, the Assistant Secretary (2) Security Vulnerability Assessment. internally-assisted threats; shall notify the covered facility of its Unless otherwise notified and following (3) Security Vulnerability Analysis, final placement within a risk-based tier, a Top-Screen resubmission pursuant to which includes the identification of or for covered facilities previously paragraph (b)(1) of this section, a potential security vulnerabilities and notified of a preliminary tiering, covered facility must complete and the identification of existing confirm or alter such tiering. submit a new Security Vulnerability countermeasures and their level of (c) The Department shall place Assessment within 90 calendar days of effectiveness in both reducing identified covered facilities in one of four risk- written notification from the vulnerabilities and in meeting the based tiers, ranging from highest risk Department or within the time frame applicable Risk-Based Performance facilities in Tier 1 to lowest risk specified in any subsequent Federal Standards; facilities in Tier 4. Register notice. (4) Risk Assessment, including a (d) The Assistant Secretary may determination of the relative degree of provide the facility with guidance (3) Site Security Plan. Unless risk to the facility in terms of the regarding the risk-based performance otherwise notified and following a expected effect on each critical asset standards and any other necessary Security Vulnerability Assessment and the likelihood of a success of an guidance materials applicable to its resubmission pursuant to paragraph attack; and assigned tier. (b)(2) of this section , a covered facility (5) Countermeasures Analysis, § 27.225 Site security plans. must complete and submit a new Site including strategies that reduce the Security Plan within 120 calendar days probability of a successful attack or (a) The Site Security Plan must meet of written notification from the reduce the probable degree of success, the following standards: Department or within the time frame strategies that enhance the degree of risk (1) Address each vulnerability specified in any subsequent Federal reduction, the reliability and identified in the facility’s Security Register notice. maintainability of the options, the Vulnerability Assessment, and identify (c) The Assistant Secretary retains the capabilities and effectiveness of and describe the security measures to address each such vulnerability; authority to modify the schedule in this mitigation options, and the feasibility of Part as needed. The Assistant Secretary the options. (2) Identify and describe how security measures selected by the facility will may shorten or extend these time (b) Except as provided in § 27.235, a address the applicable risk-based periods based on the operations at the covered facility must complete the performance standards and potential facility, the nature of the covered Security Vulnerability Assessment modes of terrorist attack including, as facility’s vulnerabilities, the level and through the CSAT process, or through applicable, vehicle-borne explosive immediacy of security risk, or for other any other methodology or process identified or issued by the Assistant devices, water-borne explosive devices, reasons. If the Department alters the Secretary. ground assault, or other modes or time periods for a specific facility, the (c) Covered facilities must submit a potential modes identified by the Department will do so in written notice Security Vulnerability Assessment to Department; to the facility. the Department in accordance with the (3) Identify and describe how security (d) If a covered facility makes material schedule provided in § 27.210. measures selected and utilized by the modifications to its operations or site, (d) Updates and Revisions. (1) A facility will meet or exceed each the covered facility must complete and covered facility must update and revise applicable performance standard for the submit a revised Top-Screen to the its Security Vulnerability Assessment in appropriate risk-based tier for the Department within 60 days of the accordance with the schedule provided facility; and material modification. In accordance in § 27.210. (4) Specify other information the with the resubmission requirements in (2) Notwithstanding paragraph (d)(1) Assistant Secretary deems necessary § 27.210(b)(2) and (3), the Department of this section, a covered facility must regarding chemical facility security. will notify the covered facility as to update, revise or otherwise alter its (b) Except as provided in § 27.235, a whether the covered facility must Security Vulnerability Assessment to covered facility must complete the Site submit a revised Security Vulnerability account for new or differing modes of Security Plan through the CSAT Assessment, Site Security Plan, or both. potential terrorist attack or for other process, or through any other

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00046 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17733

methodology or process identified or presenting a hazard to potentially restricted areas or critical assets, issued by the Assistant Secretary. critical targets; including, (c) Covered facilities must submit a (ii) Deter attacks through visible, (i) Measures designed to verify and Site Security Plan to the Department in professional, well maintained security validate identity; accordance with the schedule provided measures and systems, including (ii) Measures designed to check in § 27.210. security personnel, detection systems, criminal history; (d) Updates and Revisions. (1) When barriers and barricades, and hardened or (iii) Measures designed to verify and a covered facility updates, revises or reduced value targets; validate legal authorization to work; and otherwise alters its Security (iii) Detect attacks at early stages, (iv) Measures designed to identify Vulnerability Assessment pursuant to through countersurveillance, frustration people with terrorist ties; § 27.215(d), the covered facility shall of opportunity to observe potential (13) Elevated Threats. Escalate the make corresponding changes to its Site targets, surveillance and sensing level of protective measures for periods Security Plan. systems, and barriers and barricades; of elevated threat; (2) A covered facility must also and (14) Specific Threats, Vulnerabilities, update and revise its Site Security Plan (iv) Delay an attack for a sufficient or Risks. Address specific threats, in accordance with the schedule in period of time so to allow appropriate vulnerabilities or risks identified by the § 27.210. response through on-site security Assistant Secretary for the particular (e) A covered facility must conduct an response, barriers and barricades, facility at issue; annual audit of its compliance with its hardened targets, and well-coordinated (15) Reporting of Significant Security Site Security Plan. response planning; Incidents. Report significant security (5) Shipping, Receipt, and Storage. incidents to the Department and to local § 27.230 Risk-based performance law enforcement officials; standards. Secure and monitor the shipping, receipt, and storage of hazardous (16) Significant Security Incidents (a) Covered facilities must satisfy the and Suspicious Activities. Identify, performance standards identified in this materials for the facility; (6) Theft and Diversion. Deter theft or investigate, report, and maintain records section. The Assistant Secretary will of significant security incidents and issue guidance on the application of diversion of potentially dangerous chemicals; suspicious activities in or near the site; these standards to risk-based tiers of (17) Officials and Organization. (7) Sabotage. Deter insider sabotage; covered facilities, and the acceptable Establish official(s) and an organization (8) Cyber. Deter cyber sabotage, layering of measures used to meet these responsible for security and for including by preventing unauthorized standards will vary by risk-based tier. compliance with these standards; onsite or remote access to critical Each covered facility must select, (18) Records. Maintain appropriate process controls, such as Supervisory develop in their Site Security Plan, and records; and implement appropriately risk-based Control and Data Acquisition (SCADA) (19) Address any additional measures designed to satisfy the systems, Distributed Control Systems performance standards the Assistant following performance standards: (DCS), Process Control Systems (PCS), Secretary may specify. (1) Restrict Area Perimeter. Secure Industrial Control Systems (ICS), critical (b) [Reserved] and monitor the perimeter of the business system, and other sensitive facility; computerized systems; § 27.235 Alternative security program. (2) Secure Site Assets. Secure and (9) Response. Develop and exercise an (a) Covered facilities may submit an monitor restricted areas or potentially emergency plan to respond to security Alternate Security Program (ASP) critical targets within the facility; incidents internally and with assistance pursuant to the requirements of this (3) Screen and Control Access. of local law enforcement and first section. The Assistant Secretary may Control access to the facility and to responders; approve an Alternate Security Program, restricted areas within the facility by (10) Monitoring. Maintain effective in whole, in part, or subject to revisions screening and/or inspecting individuals monitoring, communications and or supplements, upon a determination and vehicles as they enter, including, warning systems, including, that the Alternate Security Program (i) Measures to deter the unauthorized (i) Measures designed to ensure that meets the requirements of this Part and introduction of dangerous substances security systems and equipment are in provides for an equivalent level of and devices that may facilitate an attack good working order and inspected, security to that established by this Part. or actions having serious negative tested, calibrated, and otherwise (1) A Tier 4 facility may submit an consequences for the population maintained; ASP in lieu of a Security Vulnerability surrounding the facility; and (ii) Measures designed to regularly Assessment, Site Security Plan, or both. (ii) Measures implementing a test security systems, note deficiencies, (2) Tier 1, Tier 2, or Tier 3 facilities regularly updated identification system correct for detected deficiencies, and may submit an ASP in lieu of a Site that checks the identification of facility record results so that they are available Security Plan. Tier 1, Tier 2, and Tier personnel and other persons seeking for inspection by the Department; and 3 facilities may not submit an ASP in access to the facility and that (iii) Measures to allow the facility to lieu of a Security Vulnerability discourages abuse through established promptly identify and respond to Assessment. disciplinary measures; security system and equipment failures (b) The Department will provide (4) Deter, Detect, and Delay. Deter, or malfunctions; notice to a covered facility about the detect, and delay an attack, creating (11) Training. Ensure proper security approval or disapproval, in whole or in sufficient time between detection of an training, exercises, and drills of facility part, of an ASP, using the procedure attack and the point at which the attack personnel; specified in § 27.240 if the ASP is becomes successful, including measures (12) Personnel Surety. Perform intended to take the place of a Security to: appropriate background checks on and Vulnerability Assessment or using the (i) Deter vehicles from penetrating the ensure appropriate credentials for procedure specified in § 27.245 if the facility perimeter, gaining unauthorized facility personnel, and as appropriate, ASP is intended to take the place of a access to restricted areas or otherwise for unescorted visitors with access to Site Security Plan.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00047 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17734 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

§ 27.240 Review and approval of security to satisfy the risk-based performance purpose as ‘‘inspectors’’ by the vulnerability assessments. standards established in § 27.230. Secretary or the Secretary’s designee. (a) Review and Approval. The (b) When the Department disapproves (1) An inspector will, on request, Department will review and approve in a preliminary Site Security Plan issued present his or her credentials for writing all Security Vulnerability prior to inspection or a Site Security examination, but the credentials may Assessments that satisfy the Plan following inspection, the not be reproduced by the facility. requirements of § 27.215, including Department will provide the facility (2) An inspector may administer oaths Alternative Security Programs with a written notification that includes and receive affirmations, with the submitted pursuant to § 27.235. a clear explanation of deficiencies in the consent of any witness, in any matter. (b) If a Security Vulnerability Site Security Plan. The facility shall (3) An inspector may gather Assessment does not satisfy the then enter further consultations with the information by reasonable means requirements of § 27.215, the Department and resubmit a sufficient including, but not limited to, Department will provide the facility Site Security Plan by the time specified interviews, statements, photocopying, with a written notification that includes in the written notification provided by photography, and video- and audio- a clear explanation of deficiencies in the the Department under this section. If the recording. All documents, objects and Security Vulnerability Assessment. The resubmitted Site Security Plan does not electronically stored information facility shall then enter further satisfy the requirements of § 27.225, the collected by each inspector during the consultations with the Department and Department will provide the facility performance of that inspector’s duties resubmit a sufficient Security with written notification (including a shall be maintained for a reasonable Vulnerability Assessment by the time clear explanation of deficiencies in the period of time in the files of the specified in the written notification SSP) of the Department’s disapproval of Department of Homeland Security provided by the Department under this the SSP. maintained for that facility or matter. section. If the resubmitted Security § 27.250 Inspections and audits. (4) An inspector may request Vulnerability Assessment does not forthwith access to all records required (a) Authority. In order to assess satisfy the requirements of § 27.215, the to be kept pursuant to § 27.255. An compliance with the requirements of Department will provide the facility inspector shall be provided with the this Part, authorized Department with written notification (including a immediate use of any photocopier or officials may enter, inspect, and audit clear explanation of deficiencies in the other equipment necessary to copy any the property, equipment, operations, SVA) of the Department’s disapproval of such record. If copies can not be the SVA. and records of covered facilities. (b) Following preliminary approval of provided immediately upon request, the § 27.245 Review and approval of site a Site Security Plan in accordance with inspector shall be permitted security plans. § 27.245, the Department will inspect immediately to take the original records (a) Review and Approval. (1) The the covered facility for purposes of for duplication and prompt return. Department will review and approve or determining compliance with the (e) Confidentiality. In addition to the disapprove all Site Security Plans that requirements of this Part. protections provided under CVI in satisfy the requirements of § 27.225, (1) If after the inspection, the § 27.400, information received in an including Alternative Security Programs Department determines that the audit or inspection under this section, submitted pursuant to § 27.235. requirements of § 27.225 have been met, including the identity of the persons (i) The Department will review Site the Department will issue a Letter of involved in the inspection or who Security Plans through a two-step Approval to the covered facility. provide information during the process. Upon receipt of Site Security (2) If after the inspection, the inspection, shall remain confidential Plan from the covered facility, the Department determines that the under the investigatory file exception, Department will review the requirements of § 27.225 have not been or other appropriate exception, to the documentation and make a preliminary met, the Department will proceed as public disclosure requirements of 5 determination as to whether it satisfies directed by § 27.245(b) in ‘‘Review and U.S.C. 552. the requirements of § 27.225. If the Approval of Site Security Plans.’’ (f) Guidance. The Assistant Secretary Department finds that the requirements (c) Time and Manner. Authorized shall issue guidance identifying are satisfied, the Department will issue Department officials will conduct audits appropriate processes for such a Letter of Authorization to the covered and inspections at reasonable times and inspections, and specifying the type and facility. in a reasonable manner. The Department nature of documentation that must be (ii) Following issuance of the Letter of will provide covered facility owners made available for review during Authorization, the Department will and/or operators with 24-hour advance inspections and audits. inspect the covered facility in notice before inspections, except § 27.255 Recordkeeping requirements. accordance with § 27.250 for purposes (1) If the Under Secretary or Assistant of determining compliance with the Secretary determines that an inspection (a) Except as provided in § 27.255(b), requirements of this Part. without such notice is warranted by the covered facility must keep records of (iii) If the Department approves the exigent circumstances and approves the activities as set out below for at least Site Security Plan in accordance with such inspection; or three years and make them available to § 27.250, the Department will issue a (2) If any delay in conducting an the Department upon request. A covered Letter of Approval to the facility, and inspection might be seriously facility must keep the following records: the facility shall implement the detrimental to security, and the Director (1) Training. For training, the date and approved Site Security Plan. of the Chemical Security Division location of each session, time of day and (2) The Department will not determines that an inspection without duration of session, a description of the disapprove a Site Security Plan notice is warranted, and approves an training, the name and qualifications of submitted under this Part based on the inspector to conduct such inspection. the instructor, a clear, legible list of presence or absence of a particular (d) Inspectors. Inspections and audits attendees to include the attendee security measure. The Department may are conducted by personnel duly signature, at least one other unique disapprove a Site Security Plan that fails authorized and designated for that identifier of each attendee receiving the

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17735

training, and the results of any Subpart C—Orders and Adjudications chemical facility may seek an evaluation or testing. adjudication pursuant to § 27.310. § 27.300 Orders. (2) Drills and exercises. For each drill (f) An Order issued under this section or exercise, the date held, a description (a) Orders Generally. When the becomes final agency action when the of the drill or exercise, a list of Assistant Secretary determines that a time to file a Notice of Application of participants, a list of equipment (other facility is in violation of any of the Review under § 27.310 has passed than personal equipment) tested or requirements of this Part, the Assistant without such a filing or upon the employed in the exercise, the name(s) Secretary may take appropriate action conclusion of adjudication or appeal and qualifications of the exercise including the issuance of an appropriate proceedings under this subpart. director, and any best practices or Order. (b) Orders Assessing Civil Penalty and § 27.305 Neutral adjudications. lessons learned which may improve the Orders to Cease Operations. (1) Where (a) Any facility or other person who Site Security Plan; the Assistant Secretary determines that has received a Finding pursuant to (3) Incidents and breaches of security. a facility is in violation of an Order § 27.230(a)(12)(iv), a Determination Date and time of occurrence, location issued pursuant to paragraph (a) of this pursuant to § 27.245(b), or an Order within the facility, a description of the section, the Assistant may enter an pursuant to § 27.300 is entitled to an incident or breach, the identity of the Order Assessing Civil Penalty, Order to adjudication, by a neutral adjudications individual to whom it was reported, and Cease Operations, or both. officer, of any issue of material fact a description of the response; (2) Following the issuance of an Order relevant to any administrative action (4) Maintenance, calibration, and by the Assistant Secretary pursuant to which deprives that person of a testing of security equipment. The date paragraph (b)(1) of this section, the cognizable interest in liberty or and time, name and qualifications of the facility may enter further consultations property. technician(s) doing the work, and the with Department. (b) A neutral adjudications officer specific security equipment involved for (3) Where the Assistant Secretary appointed pursuant to § 27.315 shall each occurrence of maintenance, determines that a facility is in violation issue an Initial Decision on any material calibration, and testing; of an Order issued pursuant to factual issue related to a Finding (5) Security threats. Date and time of paragraph (a) of this section and issues pursuant to § 27.230(a)(12)(iv), a occurrence, how the threat was an Order Assessing Civil Penalty Determination pursuant to § 27.245, or communicated, who received or pursuant to paragraph (b)(1) of this an Order pursuant to § 27.300 before identified the threat, a description of the section, a chemical facility is liable to any such administrative action is threat, to whom it was reported, and a the United States for a civil penalty of reviewed on appeal pursuant to description of the response; not more than $25,000 for each day § 27.345. during which the violation continues. (6) Audits. For each audit of a covered (c) Procedures for Orders. (1) At a § 27.310 Commencement of adjudication proceedings. facility’s Site Security Plan (including minimum, an Order shall be signed by each audit required under § 27.225(e)) the Assistant Secretary, shall be dated, (a) Proceedings Instituted by Facilities or Security Vulnerability Assessment, a and shall include: or other Persons. A facility or other record of the audit, including the date (i) The name and address of the person may institute proceedings to of the audit, results of the audit, name(s) facility in question; review a determination by the Assistant of the person(s) who conducted the (ii) A listing of the provision(s) that Secretary: audit, and a letter certified by the the facility is alleged to have violated; (1) Finding, pursuant to the covered facility stating the date the (iii) A statement of facts upon which § 27.230(a)(12)(iv), that an individual is audit was conducted. the alleged instances of noncompliance a potential security threat; (7) Letters of Authorization and are based; (2) Disapproving a Site Security Plan Approval. All Letters of Authorization (iv) A clear explanation of pursuant to § 27.245(b); or and Approval from the Department, and deficiencies in the facility’s chemical (3) Issuing an Order pursuant to documentation identifying the results of security program, including, if § 27.300(a) or (b). audits and inspections conducted applicable, any deficiencies in the (b) Procedure for Applications by pursuant to § 27.250. facility’s Security Vulnerability Facilities or other Persons. A facility or other person may institute Proceedings (b) A covered facility must retain Assessment, Site Security Plan, or both; by filing a Notice of Application for records of submitted Top-Screens, and Review specifying that the facility or Security Vulnerability Assessments, Site (v) A statement, indicating what other person requests a Proceeding to Security Plans, and all related action(s) the chemical must take to review a determination specified in correspondence with the Department for remedy the instance(s) of paragraph (a) of this section. at least six years and make them noncompliance; and (1) An Applicant institutes a available to the Department upon (vi) The date by which the facility Proceeding by filing a Notice of request. must comply with the terms of the Order. Application for Review with the office (c) To the extent necessary for (2) The Assistant Secretary may of the Department hereinafter security purposes, the Department may establish procedures for the issuance of designated by the Secretary. request that a covered facility make Orders. (2) An Applicant must file a Notice of available records kept pursuant to other (d) A facility must comply with the Application for Review within seven Federal programs or regulations. terms of the Order by the date specified calendar days of notification to the (d) Records required by this section in the Order unless the facility has filed facility or other person of the Assistant may be kept in electronic format. If kept a timely Notice for Application for Secretary’s Finding, Determination, or in an electronic format, they must be Review under § 27.310. Order. protected against unauthorized access, (e) Where a facility or other person (3) The Applicant shall file and deletion, destruction, amendment, and contests the determination of the simultaneously serve each Notice of disclosure. Assistant Secretary to issue an Order, a Application for Review and all

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00049 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17736 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

subsequent filings on the Assistant § 27.320 Prohibition on ex parte proceedings that the Presiding Officer Secretary and the General Counsel. communications during proceedings. determines to be appropriate. (4) An Order is stayed from the timely (a) At no time after the designation of (b) If the Presiding Officer determines filing of a Notice of Application for a Presiding Officer for a Proceeding and that there is no genuine issue of material Review until the Presiding Officer prior to the issuance of a Final Decision fact and that one party or the other is issues an Initial Decision, unless the pursuant to § 27.345 with respect to a entitled to decision as a matter of law, Secretary has lifted the stay due to facility or other person, shall the then the record shall be closed and the exigent circumstances pursuant to appointed Presiding Officer, or any Presiding Officer shall issue an Initial paragraph (d) of this section. person who will advise that official in Decision on the Application for Review (5) The Applicant shall file and serve the decision on the matter, discuss ex pursuant to § 27.340. (c) If a Presiding Officer determines an Application for Review within parte the merits of the proceeding with that any factual issues require the cross- fourteen calendar days of the any interested person outside the Department, with any Department examination of one or more witnesses or notification to the facility or other other proceedings at a hearing, the person of the Assistant Secretary’s official who performs a prosecutorial or investigative function in such Presiding Officer, in consultation with Finding, Determination, or Order. the parties, shall promptly schedule a (6) Each Application for Review shall proceeding or a factually related proceeding, or with any representative hearing to be conducted pursuant to be accompanied by all legal § 27.335. memoranda, other documents, of such person. declarations, affidavits, and other (b) If, after appointment of a Presiding § 27.335 Hearing procedures. evidence supporting the position Officer and prior to the issuance of a (a) Any hearing shall be held as asserted by the Applicant. Final Decision pursuant to § 27.345 with expeditiously as possible at the location (c) Response. The Assistant Secretary, respect to a facility or other person, the most conducive to a prompt through the Office of General Counsel, appointed Presiding Officer, or any presentation of any necessary testimony shall file and serve a Response, person who will advise that official in or other proceedings. accompanied by all legal memoranda, the decision on the matter, receives (1) Videoconferencing and other documents, declarations, from or on behalf of any party, by means teleconferencing may be used where affidavits and other evidence supporting of an ex parte communication, appropriate at the discretion of the the position asserted by the Assistant information which is relevant to the Presiding Officer. Secretary within fourteen calendar days decision of the matter and to which (2) Each party offering the affirmative of the filing and service of the other parties have not had an testimony of a witness shall present that Application for Review and all opportunity to respond, a summary of testimony by declaration, affidavit, or supporting papers. such information shall be served on all other sworn statement submitted in other parties, who shall have an advance as ordered by the Presiding (d) Procedural Modifications. The opportunity to reply to the ex parte Officer. Secretary may, in exigent circumstances communication within a time set by the (3) Any witness presented for further (as determined in his sole discretion): Presiding Officer. examination shall be asked to testify (1) Lift any stay applicable to any (c) The consideration of classified under an oath or affirmation. Order under § 27.300; information or CVI pursuant to an in (4) The hearing shall be recorded (2) Modify the time for a response; camera procedure does not constitute a verbatim. (3) Rule on the sufficiency of prohibited ex parte communication for (b)(1) A facility or other person may Applications for Review; or purposes of this subpart. appear and be heard on his own behalf (4) Otherwise modify these or through any counsel of his choice procedures with respect to particular § 27.325 Burden of proof. who is qualified to possess CVI. matters. The Assistant Secretary bears the (2) A facility of other person initial burden of proving the facts individually, or through counsel, may § 27.315 Presiding officers for necessary to support the challenged offer relevant and material information proceedings. administrative action at every including written direct testimony (a) Immediately upon the filing of any proceeding instituted under this which he believes should be considered Application for Review, the Secretary subpart. in opposition to the administrative shall appoint an attorney, who is action or which may bear on the employed by the Department and who § 27.330 Summary decision procedures. sanction being sought. has not performed any investigative or (a) The Presiding Officer appointed (3) The facility or other person prosecutorial function with respect to for each Proceeding shall immediately individually, or through counsel, may the matter, to act as a neutral consider whether the summary conduct such cross-examination as may adjudications officer or Presiding adjudication of the Application for be specifically allowed by the Presiding Officer for the compilation of a factual Review is appropriate based on the Officer for a full determination of the record and the recommendation of an Application for Review, the Response, facts. Initial Decision for each Proceeding. and all the supporting filings of the § 27.340 Completion of adjudication (b) Notwithstanding paragraph (a) of parties pursuant to §§ 27.310(b)(5) and proceedings. this section, the Secretary may appoint 27.310(c). (a) The Presiding Officer shall close one or more attorneys who are (1) The Presiding Officer shall and certify the record of the employed by the Department and who promptly issue any necessary adjudication promptly upon the do not perform any investigative or scheduling order for any additional completion of: prosecutorial function with respect to briefing of the issue of summary (1) Summary judgment proceedings, this subpart, to serve generally in the adjudication on the Application for (2) A hearing, if necessary, capacity as Presiding Officer(s) for such Review and Response. (3) The submission of post hearing matters pursuant to such procedures as (2) The Presiding Officer may conduct briefs, if any are ordered by the the Secretary may hereafter establish. scheduling conferences and other Presiding Officer, and

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00050 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17737

(4) The conclusion of oral arguments, proceeding, or with any representative Security Vulnerability Assessments and if any are permitted by the Presiding of such person. Site Security Plans, including Letters of Officer. (2) If, after the filing of a Notice of Authorization, Letters of Approval and (b) The Presiding Officer shall issue Appeal pursuant to paragraph (b)(1) of responses thereto; written notices; and an Initial Decision based on the certified this section and prior to the issuance of other documents developed pursuant to record, and the decision shall be subject a Final Decision on an Appeal pursuant §§ 27.240 or 27.245; to appeal pursuant to § 27.345. to paragraph (f) of this section with (4) Alternate Security Programs under (c) An Initial Decision shall become a respect to a facility or other person, the § 27.235; final agency action on the expiration of Under Secretary, his designee, or any (5) Documents relating to inspection the time for an Appeal pursuant to person who will advise that official in or audits under § 27.250; § 27.345. the decision on the matter, receives (6) Any records required to be created from or on behalf of any party, by means or retained under § 27.255; § 27.345 Appeals. of an ex parte communication, (7) Sensitive portions of orders, (a) Right to Appeal. A facility or any information which is relevant to the notices or letters under § 27.300; person who has received an Initial decision of the matter and to which (8) Information developed pursuant to Decision under § 27.340(b) has the right other parties have not had an §§ 27.200 and 27.205; and to appeal to the Under Secretary acting opportunity to respond, a summary of (9) Other information developed for as a neutral appeals officer. such information shall be served on all chemical facility security purposes that (b) Procedure for Appeals. (1) The other parties, who shall have an the Secretary, in his discretion, Assistant Secretary, a facility or other opportunity to reply to the ex parte determines is similar to the information person, or a representative on behalf of communication within a time set by the protected in § 27.400(b)(1) through (8) a facility or person, may institute an Under Secretary or his designee. and thus warrants protection as CVI. Appeal by filing a Notice of Appeal with (3) The consideration of classified (c) Covered Persons. Persons subject the office of the Department hereinafter information or CVI pursuant to an in to the requirements of this section are: designated by the Secretary. camera procedure does not constitute a (1) Each person who has a need to (2) The Assistant Secretary, a facility, prohibited ex parte communication for know CVI, as specified in § 27.400(e); or other person must file a Notice of purposes of this subpart. (2) Each person who otherwise (e) A facility or other person may elect Appeal within seven calendar days of receives or gains access to what they to have the Under Secretary participate the service of the Presiding Officer’s know or should reasonably know in any mediation or other resolution Initial Decision. constitutes CVI. process by expressly waiving, in (d) Duty to protect information. A (3) The Appellant shall file with the writing, any argument that such designated office and simultaneously covered person must— participation has compromised the (1) Take reasonable steps to safeguard serve each Notice of Appeal and all Appeal process. CVI in that person’s possession or subsequent filings on the General (f) The Under Secretary shall issue a control, including electronic data, from Counsel. Final Decision and serve it upon the unauthorized disclosure. When a person (4) An Initial Decision is stayed from parties. A Final Decision made by the is not in physical possession of CVI, the the timely filing of a Notice of Appeal Under Secretary constitutes final agency person must store it in a secure until the Under Secretary issues a Final action. container, such as a safe, that limits Decision, unless the Secretary lifts the (g) The Secretary may establish access only to covered persons with a stay due to exigent circumstances procedures for the conduct of Appeals need to know; pursuant to § 27.310(d). pursuant to this section. (2) Disclose, or otherwise provide (5) The Appellant shall file and serve access to, CVI only to persons who have Subpart D—Other a Brief within 28 calendar days of the a need to know; notification of the service of the § 27.400 Chemical-terrorism vulnerability (3) Refer requests for CVI by persons Presiding Officer’s Initial Decision. information. without a need to know to the Assistant (6) The Appellee shall file and serve (a) Applicability. This section governs Secretary; its Opposition Brief within 28 calendar the maintenance, safeguarding, and (4) Mark CVI as specified in days of the service of the Appellant’s disclosure of information and records § 27.400(f); Brief. that constitute Chemical-terrorism (5) Dispose of CVI as specified in (c) The Under Secretary may provide Vulnerability Information (CVI), as § 27.400(k); for an expedited appeal for appropriate defined in § 27.400(b). The Secretary (6) If a covered person receives a matters. shall administer this section consistent record or verbal transmission containing (d) Ex Parte Communications. (1) At with Section 550(c) of the Homeland CVI that is not marked as specified in no time after the filing of a Notice of Security Appropriations Act of 2007, § 27.400(f), the covered person must— Appeal pursuant to paragraph (b)(1) of including appropriate sharing with (i) Mark the record as specified in this section and prior to the issuance of Federal, State and local officials. § 27.400(f) of this section; and a Final Decision on an Appeal pursuant (b) Chemical-terrorism Vulnerability (ii) Inform the sender of the record to paragraph (f) of this section with Information. In accordance with Section that the record must be marked as respect to a facility or other person shall 550(c) of the Department of Homeland specified in § 27.400(f); or the Under Secretary, his designee, or Security Appropriations Act of 2007, (iii) If received verbally, make any person who will advise that official the following information, whether reasonable efforts to memorialize such in the decision on the matter, discuss ex transmitted verbally, electronically, or information and mark the memorialized parte the merits of the proceeding with in written form, shall constitute CVI: record as specified in § 27.400(f) of this any interested person outside the (1) Security Vulnerability section, and inform the speaker of any Department, with any Department Assessments under § 27.215; determination that such information official who performs a prosecutorial or (2) Site Security Plans under § 27.225; warrants CVI protection. investigative function in such (3) Documents relating to the (7) When a covered person becomes proceeding or a factually related Department’s review and approval of aware that CVI has been released to

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00051 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17738 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

persons without a need to know background check or other procedures (2) Disclosure of Segregatable (including a covered person under and requirements for safeguarding CVI Information under the Freedom of § 27.400(c)(2)), the covered person must that are satisfactory to the Department. Information Act and the Privacy Act. If promptly inform the Assistant (4) Need to know further limited by a record is marked to signify both CVI Secretary. the Department. For some specific CVI, and information that is not CVI, the (8) In the case of information that is the Department may make a finding that Department, on a proper Freedom of CVI and also has been designated as only specific persons or classes of Information Act or Privacy Act request, critical infrastructure information under persons have a need to know. may disclose the record with the CVI Section 214 of the Homeland Security (5) Nothing in § 27.400(e) shall redacted, provided the record is not Act, any covered person in possession prevent the Department from otherwise exempt from disclosure under of such information must comply with determining, in its discretion, that a the Freedom of Information Act or the disclosure restrictions and other person not otherwise listed in Privacy Act. requirements applicable to such § 27.400(e) has a need to know CVI in (h) Disclosure in administrative information under Section 214 and any a particular circumstance. enforcement proceedings. (1) The implementing regulations. (f) Marking of paper records. (1) In the Department may provide CVI to a (e) Need to know. (1) A person, case of paper records containing CVI, a person governed by Section 550, and his including a State or local official, has a covered person must mark the record by counsel, in the context of an need to know CVI in each of the placing the protective marking administrative enforcement proceeding following circumstances: conspicuously on the top, and the of Section 550 when, in the sole (i) When the person requires access to distribution limitation statement on the discretion of the Department, as specific CVI to carry out chemical bottom, of— appropriate, access to the CVI is facility security activities approved, (i) The outside of any front and back necessary for the person to prepare a accepted, funded, recommended, or cover, including a binder cover or response to allegations contained in a directed by the Department. folder, if the document has a front and legal enforcement action document (ii) When the person needs the back cover; issued by the Department. information to receive training to carry (ii) Any title page; and (2) Security background check. Prior out chemical facility security activities (iii) Each page of the document. to providing CVI to a person under approved, accepted, funded, (2) Protective marking. The protective § 27.400(h)(1), the Department may recommended, or directed by the marking is: CHEMICAL-TERRORISM require the individual or, in the case of Department. VULNERABILITY INFORMATION. an entity, the individuals representing (iii) When the information is (3) Distribution limitation statement. the entity, and their counsel, to undergo necessary for the person to supervise or The distribution limitation statement is: and satisfy, in the judgment of the otherwise manage individuals carrying WARNING: This record contains Department, a security background out chemical facility security activities Chemical-terrorism Vulnerability check. approved, accepted, funded, Information controlled by 6 CFR 27.400. (i) Disclosure in judicial proceedings. recommended, or directed by the Do not disclose to persons without a (1) In any judicial enforcement Department. proceeding of Section 550, the (iv) When the person needs the ‘‘need to know’’ in accordance with 6 Secretary, in his sole discretion, may, information to provide technical or legal CFR 27.400(e). Unauthorized release subject to § 27.400(i)(1)(i), authorize advice to a covered person, who has a may result in civil penalties or other access to CVI for persons necessary for need to know the information, regarding action. In any administrative or judicial the conduct of such proceedings, chemical facility security requirements proceeding, this information shall be including such persons’ counsel, of Federal law. treated as classified information in (v) When the Department determines accordance with 6 CFR 27.400(h) and provided that no other persons not so that access is required under (i). authorized shall have access to or be §§ 27.400(h) or 27.400(i) in the course of (4) Other types of records. In the case present for the disclosure of such a judicial or administrative proceeding. of non-paper records that contain CVI, information. (2) Federal employees, contractors, including motion picture films, (i) Security background check. Prior and grantees. (i) A Federal employee videotape recordings, audio recording, to providing CVI to a person under has a need to know CVI if access to the and electronic and magnetic records, a § 27.400(i)(1), the Department may information is necessary for covered person must clearly and require the individual to undergo and performance of the employee’s official conspicuously mark the records with satisfy, in the judgment of the duties. the protective marking and the Department, a security background (ii) A person acting in the distribution limitation statement such check. performance of a contract with or grant that the viewer or listener is reasonably (ii) [Reserved] from the Department has a need to know likely to see or hear them when (2) In any judicial enforcement CVI if access to the information is obtaining access to the contents of the proceeding of Section 550 where a necessary to performance of the contract record. person seeks to disclose CVI to a person or grant. Contractors or grantees may not (g) Disclosure by the Department—In not authorized to receive it under further disclose CVI without the consent general. (1) Except as otherwise paragraph (i)(1) of this section, or where of the Assistant Secretary. provided in this section, and a person not authorized to receive CVI (iii) The Department may require that notwithstanding the Freedom of under paragraph (i)(1) of this section non-Federal persons seeking access to Information Act (5 U.S.C. 552), the seeks to compel its disclosure through CVI complete a non-disclosure Privacy Act (5 U.S.C. 552a), and other discovery, the United States may make agreement before such access is granted. laws, records containing CVI are not an ex parte application in writing to the (3) Background check. The available for public inspection or court seeking authorization to— Department may make an individual’s copying, nor does the Department (i) Redact specified items of CVI from access to the CVI contingent upon release such records to persons without documents to be introduced into satisfactory completion of a security a need to know. evidence or made available to the

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00052 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17739

defendant through discovery under the (iii) Obligation of defendant—In any administered by the Environmental Federal Rules of Civil Procedure; judicial enforcement proceeding, it shall Protection Agency, U.S. Department of (ii) Substitute a summary of the be the defendant’s obligation to Justice, U.S. Department of Labor, U.S. information for such CVI; or establish the relevance and materiality Department of Transportation, or other (iii) Substitute a statement admitting of any CVI sought to be introduced. federal agencies. relevant facts that the CVI would tend (8) Construction. Nothing in this (2) [Reserved] to prove. subsection shall prevent the United (b) State law, regulation or (3) The court shall grant a request States from seeking protective orders or administrative action defined. For under paragraph (i)(2) of this section if, asserting privileges ordinarily available purposes of this section, the phrase after in camera review, the court finds to the United States to protect against ‘‘State law, regulation or administrative that the redacted item, stipulation, or the disclosure of classified information, action’’ means any enacted law, summary is sufficient to allow the including the invocation of the military promulgated regulation, ordinance, defendant to prepare a defense. and State secrets privilege. administrative action, order or decision, (4) If the court enters an order (j) Consequences of Violation. or common law standard of a State or granting a request under paragraph (i)(2) Violation of this section is grounds for any of its political subdivisions. of this section, the entire text of the a civil penalty and other enforcement or (c) Submission for review. Any documents to which the request relates corrective action by the Department, chemical facility covered by these shall be sealed and preserved in the and appropriate personnel actions for regulations and any State may petition records of the court to be made available Federal employees. Corrective action the Department by submitting a copy of to the appellate court in the event of an may include issuance of an order a State law, regulation, or administrative appeal. requiring retrieval of CVI to remedy action, or decision or order of a court for (5) If the court enters an order unauthorized disclosure or an order to review under this section. denying a request of the United States cease future unauthorized disclosure. (d) Review and opinion—(1) Review. under paragraph (i)(2) of this section, (k) Destruction of CVI. (1) The The Department may review State laws, the United States may take an Department of Homeland Security. administrative actions, or opinions or immediate, interlocutory appeal of the Subject to the requirements of the orders of a court under State law and court’s order in accordance with 18 Federal Records Act (5 U.S.C. 105), regulations submitted under this U.S.C. 2339B(f)(4), (5). For purposes of including the duty to preserve records section, and may offer an opinion such an appeal, the entire text of the containing documentation of a Federal whether the application or enforcement documents to which the request relates, agency’s policies, decisions, and of the State law or regulation would together with any transcripts of essential transactions, the Department conflict with, hinder, pose an obstacle arguments made ex parte to the court in destroys CVI when no longer needed to to or frustrate the purposes of this Part. connection therewith, shall be carry out the agency’s function. (2) Other covered persons—(i) In (2) Opinion. The Department may maintained under seal and delivered to issue a written opinion on any question the appellate court. general. A covered person must destroy CVI completely to preclude recognition regarding preemption. If the question (6) Except as provided otherwise at was submitted under subsection (c) of the sole discretion of the Secretary, or reconstruction of the information when the covered person no longer this part, the Assistant Secretary will access to CVI shall not be available in notify the affected chemical facility and any civil or criminal litigation unrelated needs the CVI to carry out security measures under paragraph (e) of this the Attorney General of the subject State to the enforcement of Section 550. of any opinion under this section. (7) Taking of trial testimony— section. (ii) Exception. Section 27.400(k)(2) (3) Consultation with States. In (i) Objection—During the examination does not require a State or local conducting a review under this section, of a witness in any judicial proceeding, government agency to destroy the Department will seek the views of the United States may object to any information that the agency is required the State or local jurisdiction whose question or line of inquiry that may to preserve under State or local law. laws may be affected by the require the witness to disclose CVI not Department’s review. previously found to be admissible. § 27.405 Review and preemption of State (ii) Action by court—In determining laws and regulations. § 27.410 Third party actions. whether a response is admissible, the (a) As per current law, no law, (a) Nothing in this Part shall confer court shall take precautions to guard regulation, or administrative action of a upon any person except the Secretary a against the compromise of any CVI, State or political subdivision thereof, or right of action, in law or equity, for any including— any decision or order rendered by a remedy including, but not limited to, (A) Permitting the United States to court under state law, shall have any injunctions or damages to enforce any provide the court, ex parte, with a effect if such law, regulation, or provision of this Part. proffer of the witness’s response to the decision conflicts with, hinders, poses (b) An owner or operator of a question or line of inquiry; and an obstacle to or frustrates the purposes chemical facility may petition the (B) Requiring the defendant to of this regulation or of any approval, Assistant Secretary to provide the provide the court with a proffer of the disapproval or order issued there under. Department’s view in any litigation nature of the information that the (1) Nothing in this part is intended to involving any issues or matters defendant seeks to elicit. displace other federal requirements regarding this Part.

APPENDIX A TO PART 27.—DHS CHEMICALS OF INTEREST

Chemical Ab- Screening threshold quantity Chemical of interest stract Service (STQ) (CAS) number (lbs)

1,1,3,3,3-pentafluoro-2-(trifluoromethyl)-1-propene ...... 382–21–8 Any Amount. 1,1-Dimethylhydrazine ...... 57–14–7 11,250.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00053 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17740 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

APPENDIX A TO PART 27.—DHS CHEMICALS OF INTEREST—Continued

Chemical Ab- Screening threshold quantity Chemical of interest stract Service (STQ) (CAS) number (lbs)

1,2-bis(2-chloroethylthio)ethane ...... 3563–36–8 Any Amount. 1,3-bis(2-chloroethylthio)-n-propane ...... 63905–10–2 Any Amount. 1,3-Butadiene ...... 106–99–0 7,500. 1,3-Pentadiene ...... 504–60–9 7,500. 1,4-bis(2-chloroethylthio)-n-butane ...... 142868–93–7 Any Amount. 1,5-bis(2-chloroethylthio)-n-pentane ...... 142868–94–8 Any Amount. 1-Butene ...... 106–98–9 7,500. 1-Chloropropylene ...... 590–21–6 7,500. 1H-Tetrazole ...... 16681–77–9 2,000. 1-Pentane ...... 109–67–1 7,500. 2,2-Dimethylpropane ...... 463–82–1 7,500. 2-Butene ...... 107–01–7 7,500. 2-Butene-cis ...... 590–18–1 7,500. 2-Butene-trans ...... 624–64–6 7,500. 2-chloroethylchloromethylsulfide ...... 2625–76–5 Any Amount. 2-Chloropropylene ...... 557–98–2 7,500. 2-Chlorovinyldichloroarsine ...... 541–25–3 Any Amount. 2-Methyl-1-butene ...... 563–46–2 7,500. 2-Methylpropene ...... 115–11–7 7,500. 2-Pentene, (Z)- ...... 627–20–3 7,500. 2-Pentene,(E)- ...... 646–04–8 7,500. 3,3-dimethyl-2-butanol ...... 464–07–3 Any Amount. 3-Methyl-1-butene ...... 563–45–1 7,500. 3-Quinuclidinyl benzilate (BZ) ...... 62869–69–6 Any Amount. 5-Nitrobenzotriazol ...... 2338–12–7 2,000. Acetaldehyde ...... 75–07–0 7,500. Acetone ...... 67–64–1 2,000. Acetone cyanohydrin, stabilized ...... 75–86–5 2,000. Acetyl bromide ...... 506–96–7 2,000. Acetyl chloride ...... 75–36–5 2,000. Acetyl iodide ...... 507–02–8 2,000. Acetylene ...... 74–86–2 7,500. Acrolein ...... 107–02–8 3,750. Acrylonitrile ...... 107–13–1 15,000. Acrylyl chloride ...... 814–68–6 3,750. Allyl alcohol ...... 107–18–6 11,250. Allylamine ...... 107–11–9 7,500. Allyltrichlorosilane, stabilized ...... 107–37–9 2,000. Aluminum bromide, anhydrous ...... 7727–15–3 2,000. Aluminum chloride, anhydrous ...... 7446–70–0 2,000. Aluminum phosphide ...... 20859–73–8 2,000. Ammonia (anhydrous) ...... 7664–41–7 7,500. Ammonia (conc. 20% or greater) ...... 7664–41–7 15,000. Ammonium nitrate (nitrogen concentration of 28%–34%) ...... 6484–52–2 2,000. Ammonium perchlorate ...... 7790–98–9 2,000. Ammonium picrate ...... 131–74–8 2,000. Amyltrichlorosilane ...... 107–72–2 2,000. Antimony pentafluoride ...... 7783–70–2 2,000. Arsenous trichloride ...... 7784–34–1 Any Amount. Arsine ...... 7784–42–1 Any Amount. Barium azide ...... 18810–58–7 2,000. bis(2-chloroethyl)ethylamine ...... 538–07–8 Any Amount. bis(2-chloroethyl)methylamine ...... 51–75–2 Any Amount. bis(2-chloroethyl)sulfide ...... 505–60–2 Any Amount. bis(2-chloroethylthio)methane ...... 63869–13–6 Any Amount. bis(2-chloroethylthioethyl)ether ...... 63918–89–8 Any Amount. bis(2-chloroethylthiomethyl)ether ...... 63918–90–1 Any Amount. bis(2-chlorovinyl)chloroarsine ...... 40334–69–8 Any Amount. Boron tribromide ...... 10294–33–4 2,000. Boron trichloride ...... 10294–34–5 Any Amount. Boron triflouride ...... 7637–07–2 Any Amount. Boron triflouride compound with methyl ether (1:1) ...... 353–42–4 11,250. Bromine ...... 7726–95–6 7,500. Bromine chloride ...... 13863–41–7 Any Amount. Bromine pentafluoride ...... 7789–30–2 2,000. Bromine trifluoride ...... 7787–71–5 2,000. Bromotrifluorethylene ...... 598–73–2 7,500. Butane ...... 106–97–8 7,500. Butene ...... 25167–67–3 7,500. Butyltrichlorosilane ...... 7521–80–4 2,000.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00054 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17741

APPENDIX A TO PART 27.—DHS CHEMICALS OF INTEREST—Continued

Chemical Ab- Screening threshold quantity Chemical of interest stract Service (STQ) (CAS) number (lbs)

Calcium dithionite ...... 15512–36–4 2,000. Calcium hydrosulfite ...... 15512–36–4 2,000. Calcium phosphide ...... 1305–99–3 2,000. Carbon disulfide ...... 75–15–0 15,000. Carbon monoxide ...... 630–08–0 Any Amount. Carbon oxysulfide ...... 463–58–1 7,500. Carbonyl fluoride ...... 353–50–4 Any Amount. Carbonyl sulfide ...... 463–58–1 Any Amount. Chlorine ...... 7782–50–5 1,875. Chlorine dioxide ...... 10049–04–4 2,000. Chlorine monoxide ...... 7791–21–1 7,500. Chlorine pentafluoride ...... 13637–63–3 Any Amount. Chlorine trifluoride ...... 7790–91–2 Any Amount. Chloroacetyl chloride ...... 79–04–9 2,000. Chloroform ...... 67–66–3 15,000. Chloromethyl ether ...... 542–88–1 750. Chloromethyl methyl ether ...... 107–30–2 3,750. Chloropicrin ...... 76–06–2 Any Amount. Chlorosulfonic acid ...... 7790–94–5 2,000. Chromium oxychloride ...... 7803–51–2 2,000. Crotonaldehyde ...... 4170–30–3 15,000. Crotonaldehyde, (E)- ...... 123–73–9 15,000. Cyanogen ...... 460–19–5 Any Amount. Cyanogen chloride ...... 506–77–4 Any Amount. Cyclohexylamine ...... 108–91–8 11,250. Cyclohexyltrichlorosilane ...... 98–12–4 2,000. Cyclopropane ...... 75–19–4 7,500. Cyclotetramethylenetetranitramine ...... 2691–41–0 2,000. Diazodinitrophenol ...... 87–31–0 2,000. Diborane ...... 19287–45–7 Any Amount. Dichlorosilane ...... 4109–96–0 Any Amount. Diethyl ethylphosphonate ...... 78–38–6 Any Amount. Diethyl N,N-dimethylphosphoramidate ...... 2404–03–7 Any Amount. Diethyl phosphate ...... 762–04–9 Any Amount. Diethyldichlorosilane ...... 1719–53–5 2,000. Diethyleneglycol dinitrate ...... 693–21–0 2,000. Difluoroethane ...... 75–37–6 7,500. Dimethyl ethylphosphonate ...... 6163–75–3 Any Amount. Dimethyl methylphosphonate ...... 756–79–6 Any Amount. Dimethyl phosphate ...... 868–85–9 Any Amount. Dimethylamine ...... 124–40–3 7,500. Dimethyldichlorosilane ...... 75–78–5 2,000. Dimethylphosphoramidodichloridate ...... 677–43–0 Any Amount. Dinitrogen tetroxide ...... 10544–72–6 Any Amount. Dinitroglycoluril ...... 55510–04–8 2,000. Dinitrophenol ...... 25550–58–7 2,000. Dinitroresorcinol ...... 35860–51–6 2,000. Dinitrosobenzene ...... 25550–55–4 2,000. Diphenyl-2-hydroxyacetic acid (aka benzilic acid) ...... 76–93–7 Any Amount. Diphenyldichlorosilane ...... 80–10–4 2,000. Dipicryl sulfide ...... 2217–06–3 2,000. Dodecyltrichlorosilane ...... 4484–72–4 2,000. Epichlorohydrin ...... 106–89–8 15,000. Ethane ...... 74–84–0 7,500. Ethyl acetylene ...... 107–00–6 7,500. Ethyl chloride ...... 75–00–3 7,500. Ethyl ether ...... 60–29–7 7,500. Ethyl mercaptan ...... 75–08–1 7,500. Ethyl nitrite ...... 109–95–5 7,500. Ethyl phosphonyl dichloride ...... 1066–50–8 Any Amount. Ethyl phosphonyl difluoride ...... 753–98–0 Any Amount. Ethylamine ...... 75–04–7 7,500. Ethyldiethanolamine ...... 139–87–7 Any Amount. Ethylene ...... 74–85–1 7,500. Ethylene oxide ...... 75–21–8 Any Amount. Ethylenediamine ...... 107–15–3 15,000. Ethyleneimine ...... 151–56–4 7,500. Ethyltrichlorosilane ...... 115–21–9 2,000. Fluorine ...... 7782–41–4 Any Amount. Fluorosulfonic acid ...... 7789–21–1 2,000.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00055 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17742 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

APPENDIX A TO PART 27.—DHS CHEMICALS OF INTEREST—Continued

Chemical Ab- Screening threshold quantity Chemical of interest stract Service (STQ) (CAS) number (lbs)

Formaldehyde (solution) ...... 50–00–0 11,250. Furan ...... 110–00–9 3,750. Germane ...... 7782–65–2 Any Amount. Germanium tetrafluoride ...... 7783–58–6 Any Amount. Guanyl nitrosaminoguanylidene hydrazine ...... 2,000. Guanyl nitrosaminoguanyltetrazene ...... 109–27–3 2,000. Hexaethyl tetraphosphate and compressed gas mixtures ...... 757–58–4 Any Amount. Hexafluoroacetone ...... 684–16–2 Any Amount. Hexanitrodiphenylamine ...... 35860–31–2 2,000. Hexanitrostilbene ...... 20062–22–0 2,000. Hexolite ...... 121–82–4 2,000. Hexotonal ...... 107–15–3 2,000. Hexyltrichlorosilane ...... 928–89–2 6 2,000. Hydrazine ...... 302–01–2 11,250. Hydrochloric acid (conc. 37% or greater) ...... 7647–01–0 11,250. Hydrocyanic acid ...... 74–90–8 1,875. Hydrogen ...... 1333–74–0 7,500. Hydrogen bromide, anhydrous ...... 10035–10–6 Any Amount. Hydrogen chloride (anhydrous) ...... 7647–01–0 Any Amount. Hydrogen cyanide ...... 74–90–8 Any Amount. Hydrogen fluoride/Hydrofluoric acid (conc. 50% or greater) ...... 7664–39–3 750. Hydrogen iodide, anhydrous ...... 10034–85–2 Any Amount. Hydrogen peroxide (concentration of at least 30%) ...... 7722–84–1 2,000. Hydrogen selenide ...... 7783–07–5 Any Amount. Hydrogen sulfide ...... 7783–06–4 Any Amount. Iodine pentafluoride ...... 7783–66–6 2,000. Iron, pentacarbonyl- ...... 13463–40–6 1,875. Isobutane ...... 75–28–5 7,500. Isobutyronitrile ...... 78–82–0 15,000. Isopentane ...... 78–78–4 7,500. Isoprene ...... 78–79–5 7,500. Isopropyl chloride ...... 75–29–6 7,500. Isopropyl chloroformate ...... 108–23–6 11,250. Isopropylamine ...... 75–31–0 7,500. Lead azide ...... 13424–46–9 2,000. Lead styphnate ...... 15245–44–0 2,000. Lithium amide ...... 7782–89–0 2,000. Lithium nitride ...... 26134–62–3 2,000. Magnesium aluminum phosphide ...... 2,000. Magnesium diamide ...... 7803–54–5 2,000. Magnesium phosphide ...... 12057–74–8 2,000. Mannitol hexanitrate, wetted ...... 15825–70–4 2,000. Mercury fulminate ...... 628–86–4 2,000. Methacrylonitrile ...... 126–98–7 7,500. Methane ...... 74–82–8 7,500. Methyl bromide ...... 74–83–9 Any Amount. Methyl chloride ...... 74–87–3 7,500. Methyl chloroformate ...... 79–22–1 3,750. Methyl ether ...... 115–10–6 7,500. Methyl formate ...... 107–31–3 7,500. Methyl hydrazine ...... 60–34–4 11,250. Methyl isocyanate ...... 624–83–9 11,250. Methyl mercaptan ...... 74–93–1 Any Amount. Methyl phosphonyl dichloride ...... 676–97–1 Any Amount. Methyl phosphonyl difluoride ...... 676–99–3 Any Amount. Methyl thiocyanate ...... 556–64–9 15,000. Methylamine ...... 74–89–5 7,500. Methylchlorosilane ...... 993–00–0 Any Amount. Methyldichlorosilane ...... 75–54–7 2,000. Methyldiethanolamine ...... 105–59–9 Any Amount. Methylphenyldichlorosilane ...... 149–74–6 2,000. Methyltrichlorosilane ...... 75–79–6 2,000. N,N-diisopropyl-2-aminoethyl chloride hydrochloride ...... 4261–68–1 Any Amount. N,N-diisopropyl-b-aminoethanol ...... 96–80–0 Any Amount. N,N-diisopropyl-b-aminoethyl chloride ...... 96–79–7 Any Amount. Nickel Carbonyl ...... 13463–39–3 750. Nitric acid ...... 7697–37–2 2,000. Nitric oxide ...... 10102–43–9 Any Amount. Nitro urea ...... 556–89–8 2,000. Nitrocellulose ...... 9004–70–0 2,000.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00056 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17743

APPENDIX A TO PART 27.—DHS CHEMICALS OF INTEREST—Continued

Chemical Ab- Screening threshold quantity Chemical of interest stract Service (STQ) (CAS) number (lbs)

Nitrogen trioxide ...... 10544–73–7 Any Amount. Nitroglycerine ...... 55–63–0 2,000. Nitroguanidine ...... 556–88–7 2,000. Nitromethane ...... 75–52–5 2,000. Nitrostarch ...... 9056–38–6 2,000. Nitrosyl chloride ...... 2696–92–6 Any Amount. Nitrotriazolone ...... 932–64–9 2,000. Nonyltrichlorosilane ...... 5283–67–0 2,000. o,o-diethyl S-[2-(diethylamino)ethyl] phosphorothiolate ...... 78–53–5 Any Amount. Octadecyltrichlorosilane ...... 112–04–9 2,000. Octolite ...... 68610–51–5 2,000. Octonal ...... 124–13–0 2,000. Octyltrichlorosilane ...... 5283–66–9 2,000. o-ethyl-N,N-dimethylphosphoramido-cyanidate ...... 77–81–6 Any Amount. o-ethyl-o-2-diisopropylaminoethyl methylphosphonite ...... 57856–11–8 Any Amount. o-ethyl-S-2-diisopropylaminoethyl methyl phosphonothiolate ...... 50782–69–9 Any Amount. o-isopropyl methylphosphonochloridate ...... 1445–76–7 Any Amount. o-isopropyl methylphosphonofluoridate ...... 107–44–8 Any Amount. Oleum (Fuming Sulfuric acid) ...... 8014–95–7 7,500. o-pinacolyl methylphosphonochloridate ...... 7040–57–5 Any Amount. o-pinacolyl methylphosphonofluoridate ...... 96–64–0 Any Amount. Oxygen difluoride ...... 7783–41–7 Any Amount. Pentaerythrite tetranitrate or PETN ...... 78–11–5 2,000. Pentane ...... 109–66–0 7,500. Pentolite ...... 8066–33–9 2,000. Peracetic acid ...... 79–21–0 7,500. Perchloromethylmercaptan ...... 594–42–3 7,500. Perchloryl fluoride ...... 7616–94–6 Any Amount. Phenyltrichlorosilane ...... 98–13–5 2,000. Phosgene ...... 75–44–5 Any Amount. Phosphine ...... 7803–51–2 Any Amount. Phosphorus ...... 7723–14–0 Any Amount. Phosphorus oxychloride ...... 10025–87–3 Any Amount. Phosphorus oxychloride ...... 10025–87–3 2,000. Phosphorus pentachloride ...... 10026–13–8 Any Amount. Phosphorus pentachloride ...... 10026–13–8 2,000. Phosphorus pentasulfide ...... 1314–80–3 2,000. Phosphorus trichloride ...... 7719–12–2 Any Amount. Phosphorus trichloride ...... 7719–12–2 2,000. Piperidine ...... 110–89–4 11,250. Potassium chlorate ...... 3811–04–9 2,000. Potassium cyanide ...... 151–50–8 2,000. Potassium nitrate ...... 7757–79–1 2,000. Potassium perchlorate ...... 7778–74–7 2,000. Potassium phosphide ...... 20770–41–6 2,000. Propadiene ...... 463–49–0 7,500. Propane ...... 74–98–6 7,500. Propionitrile ...... 107–12–0 7,500. Propyl chlorofromate ...... 109–61–5 11,250. Propylene ...... 115–07–1 7,500. Propylene oxide ...... 75–56–9 7,500. Propyleneimine ...... 75–55–8 7,500. Propyltrichlorosilane ...... 141–57–1 2,000. Propyne ...... 74–99–7 7,500. Quinuclidine-3-ol ...... 1619–34–7 Any Amount. RDX and HMX mixtures ...... 121–82–4 2,000. Selenium hexafluoride ...... 7783–79–1 Any Amount. Silane ...... 7803–62–5 7,500. Silicon tetrachloride ...... 10026–04–7 2,000. Silicon tetrafluoride ...... 7783–61–1 Any Amount. Sodium chlorate ...... 7775–09–9 2,000. Sodium cyanide ...... 143–33–9 2,000. Sodium dinitro-o-cresolate ...... 25641–53–6 2,000. Sodium dithionite ...... 7775–14–6 2,000. Sodium hydrosulfite ...... 7775–14–6 2,000. Sodium nitrate ...... 7631–99–4 2,000. Sodium phosphide ...... 7558–80–7 2,000. Sodium picramate ...... 831–52–7 2,000. Stibine ...... 7803–52–3 Any Amount. Strontium phosphide ...... 13450–99–2 2,000.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00057 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 17744 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations

APPENDIX A TO PART 27.—DHS CHEMICALS OF INTEREST—Continued

Chemical Ab- Screening threshold quantity Chemical of interest stract Service (STQ) (CAS) number (lbs)

Sulfur dichloride ...... 10545–99–0 Any Amount. Sulfur dioxide (anhydrous) ...... 7446–09–5 Any Amount. Sulfur monochloride ...... 10025–67–9 Any Amount. Sulfur tetraflouride ...... 7783–60–0 Any Amount. Sulfur trioxide ...... 7446–11–9 7,500. Sulfuryl chloride ...... 7791–25–5 2,000. Sulfuryl fluoride ...... 2699–79–8 Any Amount. Tellurium hexafluoride ...... 7783–80–4 Any Amount. Tetrafluoroethylene ...... 116–14–3 7,500. Tetramethyllead ...... 75–74–1 7,500. Tetramethylsilane ...... 75–76–3 7,500. Tetranitroaniline ...... 53014–37–2 2,000. Tetranitromethane ...... 509–14–8 7,500. Tetrazol-1-acetic acid ...... 21732–17–2 2,000. Thiodiglycol ...... 111–48–8 Any Amount. Thionyl chloride ...... 7719–09–7 Any Amount. Thionyl chloride ...... 7719–09–7 2,000. Titanium tetrachloride ...... 7550–45–0 2,000. Toluene 2,4-diisocyanate ...... 584–84–9 7,500. Toluene 2,6-diisocyanate ...... 91–08–7 7,500. Toluene diisocyanate (unspecified isomer) ...... 26471–62–5 7,500. Trichlorosilane ...... 10025–78–2 2,000. Triethanolamine ...... 102–71–6 Any Amount. Triethanolamine hydrochloride ...... 637–39–8 Any Amount. Triethyl phosphite ...... 122–52–1 Any Amount. Trifluoroacetyl chloride ...... 354–32–5 Any Amount. Trifluorochloroethylene ...... 79–38–9 Any Amount. Trimethyl phosphite ...... 121–45–9 Any Amount. Trimethylamine ...... 75–50–3 Any Amount. Trimethylchlorosilane ...... 75–77–4 2,000. Trinitroaniline ...... 26952–42–1 2,000. Trinitroanisole ...... 606–35–9 2,000. Trinitrobenzene ...... 99–35–4 2,000. Trinitrobenzenesulfonic acid ...... 2508–19–2 2,000. Trinitrobenzoic acid ...... 129–66–8 2,000. Trinitrochlorobenzene ...... 88–88–0 2,000. Trinitrofluorenone ...... 129–79–3 2,000. Trinitro-meta-cresol ...... 602–99–3 2,000. Trinitronaphthalene ...... 558101–17–8 2,000. Trinitrophenetole ...... 4732–14–3 2,000. Trinitrophenol ...... 88–89–1 2,000. Trinitroresorcinol ...... 82–71–3 2,000. Trinitrotoluene ...... 118–96–7 2,000. Tris(2-chloroethyl)amine ...... 555–77–1 Any Amount. Tris(2-chlorovinyl)arsine ...... 40334–70–1 Any Amount. Tritonal ...... 54413–15–9 2,000. Tungsten hexafluoride ...... 7783–82–6 Any Amount. Uranium hexafluoride ...... 7783–81–5 2,000. Urea ...... 57–13–6 2,000. Urea nitrate ...... 124–47–0 2,000. Vinyl acetate monomer ...... 108–05–4 11,250. Vinyl actylene ...... 689–97–4 7,500. Vinyl chloride ...... 75–01–4 7,500. Vinyl ethyl ether ...... 109–92–2 7,500. Vinyl fluoride ...... 75–02–5 7,500. Vinyl methyl ether ...... 107–25–5 7,500. Vinylidene chloride ...... 75–35–4 7,500. Vinylidene fluoride ...... 75–38–7 7,500. Vinyltrichlorosilane ...... 75–94–5 2,000. Zinc dithionite ...... 7779–86–4 2,000. Zinc hydrosulfite ...... 7779–86–4 2,000. Zirconium picramate ...... 63868–82–6 2,000.

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00058 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2 Federal Register / Vol. 72, No. 67 / Monday, April 9, 2007 / Rules and Regulations 17745

Dated: April 2, 2007. Michael Chertoff, Secretary of Homeland Security, Department of Homeland Security. [FR Doc. E7–6363 Filed 4–6–07; 8:45 am] BILLING CODE 4410–10–P

VerDate Aug<31>2005 22:10 Apr 06, 2007 Jkt 211001 PO 00000 Frm 00059 Fmt 4701 Sfmt 4700 E:\FR\FM\09APR2.SGM 09APR2 rwilkins on PROD1PC63 with RULES_2